@node Storage
@unnumbered Storage format

Root directory has the following hierarchy:

@verbatim
root
  +-- public-package
  |     +- public-package-0.1.tar.gz.md5
  |     +- public-package-0.1.tar.gz.blake2_256
  |     +- public-package-0.1.1.tar.gz.blake2_256
  |     +- public-package-0.2.tar.gz
  |     +- public-package-0.2.tar.gz.asc
  |     +- public-package-0.2.tar.gz.sha256
  +-- private-package
  |     +- .internal
  |     +- private-package-0.1.tar.gz
  |     +- private-package-0.1.tar.gz.asc
  |     +- private-package-0.1.tar.gz.sha256
  |...
@end verbatim

Each directory is a normalized package name. When you try to list non
existent directory contents (you are downloading package you have not
seen before), then GoCheese will download information about package's
versions with checksums and write them in corresponding
@file{.sha256}, @file{.blake2_256}, @file{.sha512}, @file{.md5} files.
However no package package tarball is downloaded.

When you request for particular package version, then its tarball is
downloaded and verified against the stored checksum. But SHA256 is
forced to be stored and used later.

For example @file{public-package} has @code{0.1} version, downloaded a
long time ago with MD5 checksum. @code{0.1.1} version is downloaded more
recently with BLAKE2b-256 checksum, also storing that checksum for
@code{0.1}. @code{0.2} version is downloaded tarball, having forced
SHA256 recalculated checksum. Also upstream has corresponding
@file{.asc} signature file.

@file{private-package} is private package, because it contains
@file{.internal} file. It can be uploaded and queries to it are not
proxied to upstream PyPI. You have to create it manually. If you upload
GPG signature, then it will be also stored.