On 19 Sep 2019, at 12:07, firstname.lastname@example.org wrote:
We have an internal package that unfortunately has the same name as one on pypi. Generally, we want our index to install packages from pypi, except for the one with the name collision. The colliding package should be save from higher version "attacks" (it's not really an attack since the one on pypi is not malicious).
That is the default operation if mirror_whitelist is empty and the package in question is uploaded in your index.
Regards, Florian Schulze