For a full list of bug fixes and changes that occurred as part of this release, see the changelog for this release in the Pulpcore documentation.

New in Pulp 3.11

Let’s take a look at the main features of this release.

New Artifacts Checksum Reports #7986

You can now evaluate how many content units are affected by a checksum type change by using the ‘pulpcore-manager handle-artifact-checksums –report’ command.

You can simply run this command, or run it with the --checksums and include a comma-sseparated list of the checksums that you want to use.

With this report, you can preview the impact of any change you want to make before you change the setting.

This new feature is currently a tech preview.

Proxy Authorization Updates #8167

In previous versions of Pulp, the only way to specify a proxy username and password was to append them in the proxy_url fields.

With this release, there are two new fields: proxy_username and proxy_password for remotes that you can use to enter your credentials. As a result of this change, you can no longer specify credentials as part of the proxy_url field. A data migration will move the proxy authentication information on existing remotes to the new fields.

Worker timeout is now configurable #8291

In previous versions of Pulp, worker timeout was hardcoded as 30 seconds. Depending on the system, and the I/O of Postgresql, this hardcoded value caused problems.

As part of this release, a new setting WORKER_TTL has been added. You can specify the interval, in seconds, that you consider a worker as missing after its last heartbeat. The default value is 30 seconds.

You can edit the WORKER_TTL setting in

QueryExistingArtifacts now enforces ALLOWED_CONTENT_CHECKSUMS #7854

An error will now occur if you sync content that includes a checksum that is not part of ALLOWED_CONTENT_CHECKSUMS.

handle-artifact-checksums - now fully supported #7928

The handle-artifact-checksums, command, which was introduced as a tech preview is now a fully-supported part of Pulp 3.

Update to /pulp/api/v3/status/

In earlier versions of Pulp plugins, /pulp/api/v3/status/ listed Python package names instead of Django app names.

With this release, the component field of the versions section of the status API /pulp/api/v3/status/ now lists the Django app name, not the Python package name. Similarly the OpenAPI schema at /pulp/api/v3 does also. To support this change, plugins are required to supply their label and version in the PulpPluginAppConfig since 3.10. #8198


The following items have been removed from Pulpcore as part of this release:

Sensitive data removed from Remote responses #8202

Removed sensitive fields username, password, and client_key from Remote responses. You can still set and update these fields, but they will no longer be readable.

Removed md5 and sha1 from ALLOWED_CONTENT_CHECKSUMS #8246

The md5 and sha1 checksums have been removed from theALLOWED_CONTENT_CHECKSUMS setting because they are insecure.

With this release, the default ALLOWED_CONTENT_CHECKSUMS contain sha224, sha256,sha384, and sha512.

Systems with existing Artifacts will undergo an automatic update as part of this release #8322

Due to the removal of md5 and sha1 from the ALLOWED_CONTENT_CHECKSUMS setting, every system that had any Artifacts synced prior to Pulpcore 3.11 will have to run the pulpcore-manager handle-content-checksums command. This release provides an automatic data migration that will run the command automatically as part of the pulpcore-manager migrate command all upgrades must run anyway.

The key field of SigningService #8398

The key field from the SigningService response has been removed. The SigningService contains the key information in the public_key field already.

Addressing AccessPolicy via the viewset’s classname#8397

The ability to address AccessPolicy using the viewset’s classname. Use the Viewset’s urlpattern instead.

Plugin developer updates #7815

This release includes the following updates to the plugin API.

Plugin developers now have the flexibility to use more than one WorkingDirectory() within a task, which includes nested calls. Tasks will also now use a temporary working directory by default.

Use instead of #7984

A new module has been added, which provides the new function and ensures that only allowed hashes listed in ALLOWED_CONTENT_CHECKSUMS can be instantiated. Plugin writers should use this instead of to generate checksum hashers.

New method for querying content #8375

Add a get_content method to pulpcore.plugin.models.RepositoryVersion that accepts a queryset and returns a list of content in that repository using the given queryset. This allows for specific content type to be returned by executing repo_version.get_content(content_qs=MyContentType.objects).

Plugin API Removals

  • Adjusted the ALLOWED_CONTENT_CHECKSUMS setting to remove md5 and sha1 because they are insecure. Now, by default, the ALLOWED_CONTENT_CHECKSUMS contain sha224, sha256, sha384, and sha512. #8246
  • Removed the unused get_plugin_storage_path method. #8343

Plugin API Deprecations

The pulpcore.plugin.tasking.WorkingDirectory has been deprecated. #8231

If you have any questions or comments about anything in this release, don’t hesitate to write to us at