Root directory has the following hierarchy:
root +-- public-package | +- public-package-0.1.tar.gz.md5 | +- public-package-0.1.tar.gz.blake2_256 | +- public-package-0.1.1.tar.gz.blake2_256 | +- public-package-0.2.tar.gz | +- public-package-0.2.tar.gz.asc | +- public-package-0.2.tar.gz.sha256 +-- private-package | +- .internal | +- private-package-0.1.tar.gz | +- private-package-0.1.tar.gz.asc | +- private-package-0.1.tar.gz.sha256 |...
Each directory is a normalized package name. When you try to list non existent directory contents (you are downloading package you have not seen before), then GoCheese will download information about package’s versions with checksums and write them in corresponding .sha256, .blake2_256, .sha512, .md5 files. However no package package tarball is downloaded.
When you request for particular package version, then its tarball is downloaded and verified against the stored checksum. But SHA256 is forced to be stored and used later.
For example public-package has
0.1 version, downloaded a
long time ago with MD5 checksum.
0.1.1 version is downloaded more
recently with BLAKE2b-256 checksum, also storing that checksum for
0.2 version is downloaded tarball, having forced
SHA256 recalculated checksum. Also upstream has corresponding
.asc signature file.
private-package is private package, because it contains .internal file. It can be uploaded and queries to it are not proxied to upstream PyPI. You have to create it manually. If you upload GPG signature, then it will be also stored.