
pip 20.1b1 installs INSTALLER, RECORD and direct_url.json unreadable by other users (mod 0600) #8153

Closed
hroncok opened this issue Apr 27, 2020 · 1 comment
Labels
resolution: duplicate Duplicate of an existing issue/PR

Comments

@hroncok
Contributor

hroncok commented Apr 27, 2020

Environment

  • pip version: 20.1b1
  • Python version: 3.8.2
  • OS: Fedora 32, Fedora 33

Description

When installing pip and possibly other packages with pip 20.1b, several metadata files are installed unreadable by other users (mod 0600). I've noticed INSTALLER, RECORD and direct_url.json, but the simple reproducer here doesn't have direct_url.json because I don't know where that came from in the Fedora build system.

Expected behavior

INSTALLER, RECORD and direct_url.json are readable by others (mod 664).

How to Reproduce and Output

$ python3.8 -m venv __venv__
$ . __venv__/bin/activate
(__venv__) $ pip install --pre -U pip
Collecting pip
  Downloading https://files.pythonhosted.org/packages/ec/05/82d3fababbf462d876883ebc36f030f4fa057a563a80f5a26ee63679d9ea/pip-20.1b1-py2.py3-none-any.whl (1.5MB)
     |████████████████████████████████| 1.5MB 1.6MB/s 
Installing collected packages: pip
  Found existing installation: pip 19.3.1
    Uninstalling pip-19.3.1:
      Successfully uninstalled pip-19.3.1
Successfully installed pip-20.1b1
(__venv__) $ ll __venv__/lib/python3.8/site-packages/pip-20.1b1.dist-info/
.rw-rw-r--@  125 ... 27 apr 17:35 entry_points.txt
.rw-rw-r--@    4 ... 27 apr 17:35 INSTALLER
.rw-rw-r--@ 1,1k ... 27 apr 17:35 LICENSE.txt
.rw-rw-r--@ 3,6k ... 27 apr 17:35 METADATA
.rw-rw-r--@  57k ... 27 apr 17:35 RECORD
.rw-rw-r--@    4 ... 27 apr 17:35 top_level.txt
.rw-rw-r--@  110 ... 27 apr 17:35 WHEEL
(__venv__) $ pip install -U 'pip<20.1'
Collecting pip<20.1
  Using cached pip-20.0.2-py2.py3-none-any.whl (1.4 MB)
Installing collected packages: pip
  Attempting uninstall: pip
    Found existing installation: pip 20.1b1
    Uninstalling pip-20.1b1:
      Successfully uninstalled pip-20.1b1
Successfully installed pip-20.0.2
(__venv__) $ ll __venv__/lib/python3.8/site-packages/pip-20.0.2.dist-info/
.rw-rw-r--@  125 ... 27 apr 17:36 entry_points.txt
.rw-------@    4 ... 27 apr 17:36 INSTALLER
.rw-rw-r--@ 1,1k ... 27 apr 17:36 LICENSE.txt
.rw-rw-r--@ 3,4k ... 27 apr 17:36 METADATA
.rw-------@  54k ... 27 apr 17:36 RECORD
.rw-rw-r--@    4 ... 27 apr 17:36 top_level.txt
.rw-rw-r--@  110 ... 27 apr 17:36 WHEEL

If installed as root, other tools can later blow up when run as regular users:

  File "/usr/lib/python3.8/site-packages/pip/_internal/cli/base_command.py", line 188, in _main
    status = self.run(options, args)
  File "/usr/lib/python3.8/site-packages/pip/_internal/commands/freeze.py", line 98, in run
    for line in freeze(**freeze_kwargs):
  File "/usr/lib/python3.8/site-packages/pip/_internal/operations/freeze.py", line 68, in freeze
    req = FrozenRequirement.from_dist(dist)
  File "/usr/lib/python3.8/site-packages/pip/_internal/operations/freeze.py", line 256, in from_dist
    direct_url = dist_get_direct_url(dist)
  File "/usr/lib/python3.8/site-packages/pip/_internal/utils/direct_url_helpers.py", line 118, in dist_get_direct_url
    return DirectUrl.from_json(dist.get_metadata(DIRECT_URL_METADATA_NAME))
  File "/usr/lib/python3.8/site-packages/pip/_vendor/pkg_resources/__init__.py", line 1420, in get_metadata
    value = self._get(path)
  File "/usr/lib/python3.8/site-packages/pip/_vendor/pkg_resources/__init__.py", line 1616, in _get
    with open(path, 'rb') as stream:
PermissionError: [Errno 13] Permission denied: '/usr/lib/python3.8/site-packages/pip-20.1b1.dist-info/direct_url.json'
@triage-new-issues triage-new-issues bot added the S: needs triage Issues/PRs that need to be triaged label Apr 27, 2020
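The failure mode in the report (metadata written with 0600, then a `PermissionError` for any non-root user who runs `pip freeze`) is easy to audit for after the fact. The following audit script is an added example and is not part of this issue or of pip's code base; it walks a site-packages directory, lists `*.dist-info` files that lack the other-read bit, and with `--fix` adds group/other read permission while keeping the remaining mode bits. The function names, the `--fix` flag and the `make_demo_tree()` fixture (a constructed lookalike of the report's layout, not a real installation) are assumptions of this example.

```python
"""Audit .dist-info metadata for files that other users cannot read.

Added example, not pip's own code. Default target is the interpreter's
purelib directory; pass other site-packages paths on the command line.
"""
import os
import stat
import sys
import sysconfig
import tempfile
from pathlib import Path
from typing import List, Tuple

# Files pip writes at install time that the report saw at mode 0600.
SUSPECT_NAMES = {"INSTALLER", "RECORD", "direct_url.json"}


def is_world_readable(mode: int) -> bool:
    """True when the 'other read' permission bit is set."""
    return bool(mode & stat.S_IROTH)


def find_unreadable_metadata(site_packages: Path,
                             all_files: bool = False) -> List[Tuple[Path, int]]:
    """Return (path, permission bits) for dist-info files others cannot read.

    With all_files=False only INSTALLER, RECORD and direct_url.json are
    checked; with all_files=True every regular file in each .dist-info is.
    Symlinks are skipped so we never chmod through to an unrelated target.
    """
    hits: List[Tuple[Path, int]] = []
    for dist_info in sorted(site_packages.glob("*.dist-info")):
        if not dist_info.is_dir():
            continue
        for entry in sorted(dist_info.iterdir()):
            if entry.is_symlink() or not entry.is_file():
                continue
            if not all_files and entry.name not in SUSPECT_NAMES:
                continue
            mode = stat.S_IMODE(entry.stat().st_mode)
            if not is_world_readable(mode):
                hits.append((entry, mode))
    return hits


def fix_modes(hits: List[Tuple[Path, int]]) -> int:
    """Add group and other read bits to each reported file; return the count.

    Existing bits (owner write, group write, etc.) are preserved rather than
    forcing a fixed mode, so a 0600 file becomes 0644 and a 0620 file 0664.
    """
    for path, mode in hits:
        os.chmod(path, mode | stat.S_IRGRP | stat.S_IROTH)
    return len(hits)


def make_demo_tree() -> Path:
    """Constructed demo input mirroring the report: one .dist-info with
    INSTALLER, RECORD and direct_url.json at 0600 and the rest at 0644."""
    root = Path(tempfile.mkdtemp(prefix="site-packages-demo-"))
    dist = root / "example-1.0.dist-info"
    dist.mkdir()
    for name, mode in [("INSTALLER", 0o600), ("RECORD", 0o600),
                       ("direct_url.json", 0o600),
                       ("METADATA", 0o644), ("WHEEL", 0o644)]:
        path = dist / name
        path.write_text("")
        path.chmod(mode)
    return root


def main(argv: List[str]) -> int:
    """CLI: audit the given directories (default: purelib); --fix repairs."""
    fix = "--fix" in argv
    targets = [Path(a) for a in argv if a != "--fix"]
    if not targets:
        targets = [Path(sysconfig.get_paths()["purelib"])]
    total = 0
    for target in targets:
        hits = find_unreadable_metadata(target, all_files=True)
        for path, mode in hits:
            print(f"{mode:04o} {path}")
        if fix and hits:
            print(f"fixed {fix_modes(hits)} file(s) under {target}")
        total += len(hits)
    # Non-zero exit when something was found and left unfixed: usable as a
    # post-install check in an image build or package test.
    return 1 if (total and not fix) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run as `python audit_distinfo.py /usr/lib/python3.8/site-packages` to list offending files and exit non-zero, or add `--fix` as root to widen them. Widening only the read bits (instead of forcing 0644) keeps whatever group-write policy the installation already had.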
@hroncok
Contributor Author

hroncok commented Apr 27, 2020

Duplicate of #8139

@hroncok hroncok closed this as completed Apr 27, 2020
@pradyunsg pradyunsg added the resolution: duplicate Duplicate of an existing issue/PR label Apr 27, 2020
@triage-new-issues triage-new-issues bot removed the S: needs triage Issues/PRs that need to be triaged label Apr 27, 2020
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 15, 2021