Root directory has the following hierarchy:
root +-- public-package | +- .metadata.rec | +- public-package-0.1.tar.gz.md5 | +- public-package-0.1.tar.gz.blake2_256 | +- public-package-0.1.1.tar.gz.blake2_256 | +- public-package-0.2.tar.gz | +- public-package-0.2.tar.gz.asc | +- public-package-0.2.tar.gz.sha256 | +- public-package-0.2.tar.gz.blake2_256 +-- private-package | +- .internal | +- .metadata.rec | +- private-package-0.1.tar.gz | +- private-package-0.1.tar.gz.asc | +- private-package-0.1.tar.gz.sha256 | +- private-package-0.1.tar.gz.blake2_256 |...
Each directory is a normalized package name. When you try to list non existent directory contents (you are downloading package you have not seen before), then GoCheese will download information about package’s versions with checksums and write them in corresponding .sha256, .blake2_256, .sha512, .md5 files. However no package package tarball is downloaded.
When you request for particular package version, then its tarball is downloaded and verified against the stored checksum. But SHA256 is then forcefully used later.
For example public-package has
0.1 version, downloaded a
long time ago with MD5 checksum.
0.1.1 version is downloaded more
recently with BLAKE2b-256 checksum, also storing that checksum for
0.2 version is downloaded tarball, having forced
SHA256 and BLAKE2b-256 recalculated checksums. Also upstream has
corresponding .asc signature file.
private-package is private package, because it contains .internal file. It can be uploaded and queries to it are not proxied to upstream PyPI. You have to create it manually.
Each packages release file has
mtime set to its upload time.
Package’s serial is a sum of
mtimes of the directory and
.metadata.rec (if it exists).