allow downloading yanked sdists for pip dependencies

[slimreaper35]

Maintainers will complete the following section

• [x] Commit messages are descriptive enough
• [x] Code coverage from testing does not decrease and new code is covered
• [n/a] Docs updated (if applicable)
• [n/a] Docs links in the code are still valid (if docs were updated)

Note: if the contribution is external (not from an organization member), the CI pipeline will not run automatically. After verifying that the CI is safe to run:

• approve GitHub Actions workflows by clicking a button
• approve the Red Hat Trusted App Pipeline container build by commenting /ok-to-test (as is the standard for Pipelines as Code)

[slimreaper35]

This is just a small update on @ben-alkov recent pull request. It was "hidden" deep in the backlog.

[ben-alkov]

The original story is a little weird, because I have definitely seen pip refuse to install anything at all if the only matching download has been yanked.

It's possible that the deps in question weren't pinned, though (e.g. '==' or '==='), which seems to be prereq according to the applicable PEP.

[ben-alkov]

@slimreaper35; Overall, LGTM, but I feel like we should have a little more warning info for end-users.

[ben-alkov]

LGTM, but do we want to have integration test coverage for this too?

Yes