diff --git a/docs/user/guides/_SUMMARY.md b/docs/user/guides/_SUMMARY.md index b92c4aca..eef7b0a0 100644 --- a/docs/user/guides/_SUMMARY.md +++ b/docs/user/guides/_SUMMARY.md @@ -1,7 +1,8 @@ +* [Attestation Hosting](attestation.md) +* [Host Python Content](host.md) +* [Package Blocklist](blocklist.md) +* [Package Substitution](package_substitution.md) * [Set up your own PyPI](pypi.md) * [Sync from Remote Repositories](sync.md) * [Upload and Manage Content](upload.md) -* [Host Python Content](host.md) * [Vulnerability Report](vulnerability_report.md) -* [Attestation Hosting](attestation.md) -* [Package Blocklist](blocklist.md) diff --git a/docs/user/guides/package_substitution.md b/docs/user/guides/package_substitution.md new file mode 100644 index 00000000..bfb2bca7 --- /dev/null +++ b/docs/user/guides/package_substitution.md @@ -0,0 +1,43 @@ +# Package Substitution + +By default, Python repositories allow package substitution: uploading, syncing, or adding a package +with the same filename as an existing package but a different checksum will silently replace it. + +This behavior is controlled by the `allow_package_substitution` field on a Python repository. +When set to `False`, any operation (upload, sync, or modify) that would replace an existing package with a different checksum is rejected. +Re-adding a package with the same filename *and* the same checksum is always accepted (idempotent). + +## Setup + +If you do not already have a repository, create one: + +```bash +pulp python repository create --name foo +``` + +Set the API base URL and repository HREF for use in the subsequent commands: + +```bash +PULP_API="http://localhost:5001" +REPO_HREF=$(pulp python repository show --name foo | jq -r ".pulp_href") +``` + +## Disable package substitution + +```bash +http PATCH "${PULP_API}${REPO_HREF}" allow_package_substitution=false +``` + +You can also set this when creating a repository: + +```bash +http POST "${PULP_API}/pulp/api/v3/repositories/python/python/" name="bar" allow_package_substitution=false +``` + +## Re-enable package substitution + +```bash +http PATCH "${PULP_API}${REPO_HREF}" allow_package_substitution=true +``` + +Once re-enabled, packages with duplicate filenames can replace existing content again.