Installing from public github archive asks for username #13099

Open
d-huck opened this issue Dec 2, 2024 · 2 comments
Labels: S: needs triage (Issues/PRs that need to be triaged); type: bug (A confirmed bug or unintended behavior)


d-huck commented Dec 2, 2024

Description

When attempting to install a package from a public github archive, (i.e. https://github.com/<user>/<project>/archive/package.tar.gz), pip asks for a github username, though one is not required. This results in a skippable prompt in an interactive environment, and failure in other environments. This does not seem to happen on older versions of Python/pip. I have experienced and verified this bug in Python 3.12.4, 3.12.7, and 3.13.0, as well as pip 24.2.0 and 24.3.1.

Expected behavior

If the archive is publicly available, pip should download and install the package without authentication.

pip version

24.3.1

Python version

3.12.4

OS

macOS, Arch Linux

How to Reproduce

  1. Create virtual environment
  2. Install package from github archive (pip install std2@https://github.com/ms-jpq/std2/archive/297f2376f2fcc6c6d7f342bcd09f6e26fbb6ba7f.tar.gz)
    2a. Install package with --no-input (pip install --no-input std2@https://github.com/ms-jpq/std2/archive/297f2376f2fcc6c6d7f342bcd09f6e26fbb6ba7f.tar.gz)

Output

With interactive environments:

Collecting std2@ https://github.com/ms-jpq/std2/archive/297f2376f2fcc6c6d7f342bcd09f6e26fbb6ba7f.tar.gz
User for github.com:

With non-interactive environments:

pip install --no-input std2@https://github.com/ms-jpq/std2/archive/297f2376f2fcc6c6d7f342bcd09f6e26fbb6ba7f.tar.gz
Collecting std2@ https://github.com/ms-jpq/std2/archive/297f2376f2fcc6c6d7f342bcd09f6e26fbb6ba7f.tar.gz
  ERROR: HTTP error 401 while getting https://github.com/ms-jpq/std2/archive/297f2376f2fcc6c6d7f342bcd09f6e26fbb6ba7f.tar.gz
ERROR: Could not install requirement std2@ https://github.com/ms-jpq/std2/archive/297f2376f2fcc6c6d7f342bcd09f6e26fbb6ba7f.tar.gz from https://github.com/ms-jpq/std2/archive/297f2376f2fcc6c6d7f342bcd09f6e26fbb6ba7f.tar.gz because of HTTP error 401 Client Error: Unauthorized for url: https://github.com/ms-jpq/std2/archive/297f2376f2fcc6c6d7f342bcd09f6e26fbb6ba7f.tar.gz for URL https://github.com/ms-jpq/std2/archive/297f2376f2fcc6c6d7f342bcd09f6e26fbb6ba7f.tar.gz


d-huck added the labels S: needs triage and type: bug on Dec 2, 2024

notatallshaw (Member) commented

I can't reproduce:

$ python -V
Python 3.13.0

$ python -m pip install --dry-run std2@https://github.com/ms-jpq/std2/archive/297f2376f2fcc6c6d7f342bcd09f6e26fbb6ba7f.tar.gz
Collecting std2@ https://github.com/ms-jpq/std2/archive/297f2376f2fcc6c6d7f342bcd09f6e26fbb6ba7f.tar.gz
  Using cached https://github.com/ms-jpq/std2/archive/297f2376f2fcc6c6d7f342bcd09f6e26fbb6ba7f.tar.gz
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Would install std2-0.1.10

Do you have a proxy or something else that could be intercepting your HTTP traffic?

d-huck (Author) commented Dec 3, 2024

I have looked into this further, and I have been unable to reproduce it in a few other contexts:

  1. My raspberry pi running Raspbian on the same network is able to install as expected without a user/pass prompt
  2. A remote machine running Gentoo is also able to install as expected.

I've taken the further steps on my macbook to no avail:

  1. Attempt more versions of python using pyenv-virtualenv, none of which work.
  2. Ensured I have no proxies running, disabled my VPN and network monitoring software, and watched the exchange using wireshark. Wireshark shows direct communication from my machine to IP addresses within the Github CIDR range.

Interestingly, the installation also fails when I enter my credentials in, giving a 401 Unauthorized error. If my account starts spouting crypto scams, then I guess we'll know how that happened.
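
The maintainer's question in this thread is about what on the local machine could change the request pip sends to github.com. As an added example (not part of the original thread and not pip's own code), the script below lists proxy variables, `PIP_*` environment overrides and any `.netrc` entry matching the URL's host, since pip reads `.netrc` credentials when the URL carries none. The function name `audit` and the `NETRC` / `~/.netrc` lookup in the stand-alone part are this example's assumptions.

```python
"""Added diagnostic example: list local settings that can alter the
request pip sends for a URL. Passwords are never reported."""
import netrc
import os
import sys
from urllib.parse import urlsplit

PROXY_VARS = {"http_proxy", "https_proxy", "all_proxy"}


def audit(url, environ, netrc_path):
    """Return a list of findings for the host of `url`."""
    host = urlsplit(url).hostname
    findings = []
    for name, value in sorted(environ.items()):
        if name.lower() in PROXY_VARS and value:
            # Report only the proxy host: the value may embed user:password.
            proxy_host = urlsplit(value).hostname or "<unparsed>"
            findings.append(f"proxy: {name} -> {proxy_host}")
        elif name.startswith("PIP_") and value:
            # pip maps PIP_<OPTION> variables onto command-line options.
            findings.append(f"pip option from environment: {name}")
    if netrc_path and os.path.isfile(netrc_path):
        try:
            entry = netrc.netrc(netrc_path).authenticators(host)
        except netrc.NetrcParseError as exc:
            findings.append(f"netrc: unparsable ({exc.msg})")
        else:
            if entry:
                # authenticators() also returns a 'default' entry if present.
                findings.append(
                    f"netrc: credentials for {host} (login {entry[0]!r})")
    return findings


if __name__ == "__main__":
    # Placeholder URL shape from the issue; pass the real archive URL.
    target = (sys.argv[1] if len(sys.argv) > 1 else
              "https://github.com/<user>/<project>/archive/package.tar.gz")
    path = os.environ.get("NETRC") or os.path.expanduser("~/.netrc")
    for line in audit(target, os.environ, path) or ["nothing found"]:
        print(line)
```

An empty result on the failing machine and the same result on a working one points away from local configuration; any finding that differs between the two is the first thing to remove and retest.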
