Bundle pip 23.3 or newer with ensurepip

Currently, CPython is shipping pip 23.2 with ensurepip.

On systems behind TLS MitM ALG proxies that use a rotating fake root certificate, this means basically that pip is just broken — even if the system is properly configured to keep the current fake root in its trust store! — and that it cannot be fixed by simply creating a config file.

--trusted-host is a bad practice, and if you manually download the wheels with a web browser (either truststore or just the updated version of pip that vendors it) and install them from a local file, those fixes will get masked away the moment a venv is entered, since the venv will bootstrap the new environment off ensurepip, which uses that outdated version of pip that shipped with Python.

(I know that pip nominally added truststore support in version 22.2, but of course that formed a catch-22 since it requires a package to be installed before any package can be installed. If you try creating a pip.ini to enable truststore, you’ll just brick pip in all fresh venvs that have pip ≤23.3; pip won’t even launch, even if you’re only trying to use it to install the truststore wheel you downloaded to a local file. They thankfully fixed that awful bind starting in pip 23.3, which is why I’m requesting at least that version.)

What are the considerations to getting that version of pip shipped with ensurepip, so that venv doesn’t produce broken venvs on systems behind “fake root” proxy servers?
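Added example, not code from either post or from the pip or CPython projects: a small check that reports which pip wheel the running interpreter's `ensurepip` will bootstrap into fresh venvs, and whether that version is at or above 23.3, the release the post identifies as the first where enabling truststore through pip's config file no longer leaves pip unable to start. The `23.3` threshold and the "bricks below, safe at or above" behaviour are taken from the post above; `ensurepip.version()` is the standard-library call, and the helper names are my own.

```python
"""Report whether the pip bundled with ensurepip is new enough (>= 23.3) for a
system-wide pip config enabling truststore to be safe in new venvs.

Added example; assumes the behaviour described in the thread: pip below 23.3
fails to launch when truststore is enabled but not yet installed, while 23.3
and later vendor truststore so the config option works out of the box.
"""
import sys
from typing import Tuple

try:
    import ensurepip  # may be absent on distro builds that strip it out
except ImportError:  # pragma: no cover
    ensurepip = None

# First pip release the post says is safe with `use-feature = truststore`.
MIN_SAFE_PIP: Tuple[int, ...] = (23, 3)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '23.2', '24.0' or '23.3.1' into an integer tuple for comparison.

    Trailing non-numeric suffixes (e.g. 'b1') are dropped so pre-releases
    still compare on their numeric components.
    """
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def truststore_config_is_safe(pip_version: str) -> bool:
    """True if a pip.ini/pip.conf that enables truststore will not break this pip."""
    return parse_version(pip_version) >= MIN_SAFE_PIP


def bundled_pip_version() -> str:
    """The pip version ensurepip (and therefore `python -m venv`) will install."""
    if ensurepip is None:
        return "unknown"
    return ensurepip.version()


def report() -> str:
    """One-line summary suitable for a provisioning or CI log."""
    ver = bundled_pip_version()
    if ver == "unknown":
        return "ensurepip is not available in this interpreter"
    status = "safe" if truststore_config_is_safe(ver) else "UNSAFE (pip < 23.3)"
    return f"ensurepip bundles pip {ver}: truststore via pip config is {status}"


if __name__ == "__main__":
    print(report())
    # Non-zero exit lets a bootstrap script refuse to write the truststore
    # config on interpreters whose venvs would be bricked by it.
    sys.exit(0 if truststore_config_is_safe(bundled_pip_version()) else 1)
```

Run it with the interpreter that will be creating the venvs; if it exits non-zero, upgrade pip inside each venv (or upgrade CPython to a release bundling pip 23.3 or newer) before setting `pip config set global.use-feature truststore`.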

Good timing!

Python 3.11.8 and 3.12.2 are due for release today (or as soon as any last-minute blockers are cleared) and will ship the latest pip 24.0.

Generally, when pip is released, it will also be added to the CPython repo and included in the next CPython release. See step 9 of the pip release process.

5 Likes