GoCheese is Python private package repository and caching proxy.

It serves two purposes:

• proxying and caching of missing packages from upstream PyPI, conforming to PEP-0503 (Simple Repository API)
• hosting of private locally uploaded packages, conforming to Warehouse Legacy API

Why could you like it and how it can be better to fit your needs?

• No database required. Only filesystem storage with few simple files per package. Package deletion, renaming, making it uploadable (private) is done with simple mkdir, touch, etc commands
• Just single statically compiled Go binary
• No configuration file, but several simple command line arguments
• Consistency (because of atomic synced operations) and integrity (because of SHA256 checksums stored nearby)

Initially it was created as a fork of cheeseshop, but nearly all the code was rewritten. It has huge differences:

• Proxying and caching of missing packages, including GPG signatures
• Wheel uploading support
• Integrity check of proxied packages: MD5, SHA256, SHA512, BLAKE2b-256
• SHA256 checksums for stored packages
• Verifying of SHA256 checksum for uploaded packages
• Ability to authenticate upstream PyPI with its X.509 certificate’s hash
• Storing of uploaded GPG signatures
• Secure Argon2i (or SHA256) stored passwords hashing
• No YAML configuration, just command-line arguments
• No package overwriting ability (as PyPI does too)
• Graceful HTTP-server shutdown
• Atomic packages store on filesystem

Also it contains contrib/pyshop2packages.sh migration script for converting Pyshop database into GoCheese one, including private packages.

GoCheese is copylefted free software licenced under GNU GPLv3.

Please send questions, bug reports and patches to gocheese@cypherpunks.ru.

Copyright © 2019-2021 Sergey Matveev