@verbatim
root
+-- public-package
+ | +- .metadata.rec
| +- public-package-0.1.tar.gz.md5
| +- public-package-0.1.tar.gz.blake2_256
| +- public-package-0.1.1.tar.gz.blake2_256
| +- public-package-0.2.tar.gz.sha256
+-- private-package
| +- .internal
+ | +- .metadata.rec
| +- private-package-0.1.tar.gz
| +- private-package-0.1.tar.gz.asc
| +- private-package-0.1.tar.gz.sha256
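Review bot: the added .metadata.rec entry under private-package has no stated origin. The documentation says metadata is downloaded when the JSON API is enabled, while queries for a package with .internal are not proxied to upstream PyPI, so a reader cannot tell where a private package's metadata comes from. Suggest one sentence saying how that file is produced for private packages, or dropping the entry from the private example if it does not apply there.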
@file{.sha256}, @file{.blake2_256}, @file{.sha512}, @file{.md5} files.
However no package package tarball is downloaded.
+If JSON API is enabled, them metadata is also downloaded and stored in
+@file{.metadata.rec} @url{https://www.gnu.org/software/recutils/, recfile}.
+It fully resembles Core Metadata structure.
+
When you request for particular package version, then its tarball is
-downloaded and verified against the stored checksum. But SHA256 is
-forced to be stored and used later.
+downloaded and verified against the stored checksum. But SHA256 is then
+forcefully used later.
For example @file{public-package} has @code{0.1} version, downloaded a
long time ago with MD5 checksum. @code{0.1.1} version is downloaded more
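Review bot: the reworded sentence "But SHA256 is then forcefully used later" no longer says that a SHA256 checksum is stored, which the removed wording did state. Suggest keeping both facts, for example "After verification a SHA256 checksum is stored and used for all later checks." In the added paragraph, "them metadata" should read "then the metadata", and "It fully resembles Core Metadata structure" would be clearer with a reference to the Core Metadata specification or a note on which fields are kept.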
@file{.internal} file. It can be uploaded and queries to it are not
proxied to upstream PyPI. You have to create it manually. If you upload
GPG signature, then it will be also stored.
+
+Each packages release file has @code{mtime} set to its upload time.
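Review bot: "Each packages release file" should read "Each package's release file", and the scope of the added sentence is unclear where it is placed. It follows the paragraph on .internal packages, so it reads as applying only to locally uploaded files; if files fetched from upstream also get mtime set, say so and state which upload time is meant.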