GoCheese is a Python private package repository and caching proxy.

It serves two purposes:

* hosting of private locally uploaded packages
  (conforming to PEP-0503 (Simple Repository API))
* proxying and caching of missing packages from upstream PyPI

To use it, just configure your pip.conf:

    index-url = http://gocheese.host:8080/simple/

You can upload packages to it with twine:

    $ twine upload \
        --repository-url http://gocheese.host:8080/simple/ \
        --password foo dist/tarball.tar.gz

-refresh URL behaves the same way as -simple one, but always refreshes
package versions from PyPI when listing them. You can use it to force
a package version update.

Initially it was created as a fork of https://github.com/c4s4/cheeseshop,
but nearly all the code was rewritten. It has huge differences:

* no YAML configuration, just command-line arguments
* no package overwriting ability
* atomic package storage on filesystem
* proxying and caching of missing packages
* SHA256-checksummed packages (both uploaded and proxied ones)

GoCheese is free software: see the file COPYING for copying conditions.

Password authentication
=======================

You have to store your authentication data in a file (specified
with the -passwd option) in the following format:

    username:hashed-password

Supported hashing algorithms are SHA256 and Argon2i.
It's recommended to use Argon2i.

To get an Argon2i hashed-password you can use any of the following tools:

    https://github.com/balakhonova/argon2i (Go)
    https://github.com/p-h-c/phc-winner-argon2 (C)

To get a SHA256 hashed-password you can use your operating system tools:

    $ echo -n 'password' | sha256
    # GNU/Linux-based systems
    $ echo -n 'password' | sha256sum

For example user "foo" with password "bar" can have the following

    foo:$sha256$fcde2b2edba56bf408601fb721fe9b5c338d10ee429ea04fae5511b68fbf8fb9
    foo:$argon2i$v=19$m=32768,t=3,p=4$OGU5MTM3YjVlYzQwZjhkZA$rVn53v6Ckpf7WH0676ZQLr9Hbm6VH3YnL6I9ONJcIIU
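
An added example (not part of GoCheese): Python code that parses the two record forms shown above, reproduces the SHA256 record for "foo"/"bar", and lists users whose record is not the recommended Argon2i one. All function names are this example's own; checking a password against an Argon2i record is left to the tools listed above.

```python
import base64
import hashlib
import hmac

# The two example records from the section above (user "foo", password "bar").
SAMPLE = [
    "foo:$sha256$fcde2b2edba56bf408601fb721fe9b5c338d10ee429ea04fae5511b68fbf8fb9",
    "foo:$argon2i$v=19$m=32768,t=3,p=4$OGU5MTM3YjVlYzQwZjhkZA"
    "$rVn53v6Ckpf7WH0676ZQLr9Hbm6VH3YnL6I9ONJcIIU",
]

def _b64(s):
    # Argon2 encoded strings use base64 without '=' padding.
    return base64.b64decode(s + "=" * (-len(s) % 4))

def parse_entry(line):
    """Split one 'username:hashed-password' record into its fields."""
    user, sep, hashed = line.strip().partition(":")
    parts = hashed.split("$")  # the leading '$' yields an empty first element
    if not user or not sep or parts[0] != "" or len(parts) < 3:
        raise ValueError("malformed record: %r" % line)
    if parts[1] == "sha256" and len(parts) == 3:
        digest = bytes.fromhex(parts[2])
        if len(digest) != 32:
            raise ValueError("SHA256 digest must be 32 bytes")
        return {"user": user, "scheme": "sha256", "digest": digest}
    if parts[1] == "argon2i" and len(parts) == 6:
        cost = dict(kv.split("=", 1) for kv in parts[3].split(","))
        return {"user": user, "scheme": "argon2i",
                "version": int(parts[2].partition("=")[2]),
                "m": int(cost["m"]), "t": int(cost["t"]), "p": int(cost["p"]),
                "salt": _b64(parts[4]), "digest": _b64(parts[5])}
    raise ValueError("unsupported scheme in record: %r" % line)

def make_sha256_entry(user, password):
    """Same digest as `echo -n password | sha256sum`, in passwd-file form."""
    return "%s:$sha256$%s" % (user, hashlib.sha256(password.encode()).hexdigest())

def verify_sha256(entry, password):
    # Constant-time comparison of the candidate digest with the stored one.
    candidate = hashlib.sha256(password.encode()).digest()
    return hmac.compare_digest(candidate, entry["digest"])

def users_on_sha256(lines):
    """Users whose record is not the recommended Argon2i scheme."""
    return [e["user"] for e in map(parse_entry, lines) if e["scheme"] == "sha256"]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(parse_entry(rec))
    print("still on SHA256:", users_on_sha256(SAMPLE))
```
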

On-disk storage format
======================

Root directory has the following hierarchy:

    | +- public-package-0.1.tar.gz.sha256
    | +- public-package-0.2.tar.gz
    | +- public-package-0.2.tar.gz.sha256
    | +- private-package-0.1.tar.gz
    | +- private-package-0.1.tar.gz.sha256

Each directory is a package name. When you try to list the contents of
a nonexistent directory (you are downloading a package you have not seen
before), GoCheese will download all its package versions with checksums
and write them in .sha256 files, so you know what versions are available
at the moment. When you ask for a particular package, its tarball is
actually downloaded and verified against the checksum. For example, in
the root directory above we have downloaded only public-package-0.2.
Private packages contain a .private file, indicating that PyPI must not
be asked if the required version is missing.