Requiring keyring authentication when repository returns 403

[ffissore]

This fixes #9870

[sbidoul]

At first sight, I'd say that handling 401 and 403 in the same way is not the correct thing to do for pip.

It is surprising that a package index would return a 403 when accessed without credentials which is what pip should be doing as a first try (if I understand correctly the discussion in #8687).

[ffissore]

I'm very new to pip, so I don't have an opinion on this matter. I've also contacted google, asking them to review the status code they return when anonymous users attempt to access a private repo.
Maybe they'll fix the problem on their end.

Still, folks like me are currently forced to stick to an older version of pip to keep on working, and I think that one way or the other this must be fixed

[sbidoul]

Thanks @ffissore !

Pinging @hroncok, @zooba, @chrahunt who were involved in #8687 and might have an advice.

[hroncok]

I don't have an opinion. Looks reasonable to me, but my knowledge of indexes with limited access is nonexistent.

[pfmoore]

I agree with @sbidoul this seems wrong to me. I guess "403 forbidden" could mean "you're not allowed to access this anonymously", but surely that's what "401 needs auth" is for?

I can see this as working around buggy index servers, but is it going to cause false keyring requests on index servers that use 403 correctly?

I'm willing to let the people involved in the implementation make the decision, though.

[sbidoul]

Closing, as discussed in the related issue.