Private Registry seems to allow unauthenticated access


We came across an interesting although a little concerning issue: we have a private registry on where we put Python packages.

In attempting to access it from an external machine, we managed to access a .whl file without actually authenticating.

We used a crafted URL based on its SHA reference.

I’d be happy to put together a new issue for this although I might need assistance, selecting the right template for instance.