First, thank you for the answer, Florian, and your time.
Occasionally we also replace specific releases from pypi with ones we build ourselves. Mostly to prevent buggy releases that have not been fixed on pypi to be installed. We would typically merge a bugfix that was not yet applied by the maintainers or fix it ourself, then build the package and upload it. Say the buggy version is 1.2, we replace it by our version 1.2 on our index. Then later along the line, when 1.3 is uploaded to pypi, we want our index to installed the now officially fixed version 1.3 from pypi. I might be mistaking, but an empty whitelist would prevent that, correct? In that case our fixed version 1.2 would always be installe, even though pypi had a version 1.3. Is there a solution for that?