Hello,
We came across an interesting although a little concerning issue: we have a private registry on gitlab.com where we put Python packages.
In attempting to access it from an external machine, we managed to access a .whl
file without actually authenticating.
We used a crafted URL based on its SHA reference.
I’d be happy to put together a new issue for this although I might need assistance, selecting the right template for instance.