On networks that use fake root certificates for TLS MitM ALG proxies (such as corporate firewalls or certain antivirus software), pip version 23.3* or newer is required because it allows the user to prefer the system-wide configuration over a hard-coded CA bundle.

I have the upgraded pip installed in my user packages; it's the only site package I have. But version 1.0.3 of pypa build has hard-coded that there's no way to pass system_site_packages=True to the EnvBuilder, for users who "really know what they're doing" and want to "contaminate" the venv.

Of course, the "upgrade" logic currently in there will not work for this use-case, since you can't use a non-functioning version of pip to install a functioning version.

*Technically, the feature was "added" in version 22.2, but it doesn't actually function in that version due to a catch-22 of requiring a 3rd-party package to be installed before any 3rd-party packages can be installed.