It serves two purposes:
@itemize
-@item hosting of private locally uploaded packages
- (conforming to @url{https://www.python.org/dev/peps/pep-0503/, PEP-0503}
- (Simple Repository API))
@item proxying and caching of missing packages from upstream
- @url{https://pypi.org/, PyPI}
+ @url{https://pypi.org/, PyPI}, conforming to
+ @url{https://www.python.org/dev/peps/pep-0503/, PEP-0503}
+ (Simple Repository API)
+@item hosting of private locally uploaded packages, conforming to
+ @url{https://warehouse.pypa.io/api-reference/legacy/, Warehouse Legacy API}
@end itemize
Initially it was created as a fork of
but nearly all the code was rewritten. It has huge differences:
@itemize
-@item proxying and caching of missing packages
+@item proxying and caching of missing packages, including GPG signatures
+@item @url{https://pythonwheels.com/, Wheel} uploading support
@item atomic packages store on filesystem
@item SHA256-checksummed packages: storing checksums, giving them back,
verifying stored files integrity, verifying checksum of uploaded
packaged
@item graceful HTTP-server shutdown
@item no YAML configuration, just command-line arguments
-@item no package overwriting ability (as PyPI does)
+@item no package overwriting ability (as PyPI does too)
@end itemize
Also it contains @file{pyshop2packages.sh} migration script for
index-url = http://gocheese.host:8080/simple/
@end verbatim
-@option{-refresh} URL behaves the same way as @option{-simple} one, but
-is always refreshes package versions from PyPI when listing it. You can
-use it to forcefully update known package versions.
+@option{-refresh} URL (@code{/simple/} by default) automatically
+refreshes metainformation (available versions and their checksums)
+from the upstream, when queried for package directory listing.
+@option{-norefresh} prevents upstream queries.
-You can upload packages to it with
-@url{https://pypi.org/project/twine/, twine}:
+@option{-gpgupdate} is useful mainly for migrated for Pyshop migrated
+repositories. It forces GPG signature files downloading for all existing
+package files.
+
+You can upload packages to it with @url{https://pypi.org/project/twine/, twine}:
@verbatim
twine upload
--password foo dist/tarball.tar.gz
@end verbatim
+Or you can store it permanently in @file{.pypirc}:
+
+@verbatim
+[pypi]
+repository: https://gocheese.host/simple/
+username: spam
+password: foo
+@end verbatim
+
If @command{twine} sends SHA256 checksum in the request, then uploaded
file is checked against it.
+Pay attention that you have to manually create corresponding private
+package directory! You are not allowed to upload anything explicitly
+flagged as private.
+
@node Passwords
@unnumbered Password authentication
+-- public-package
| +- public-package-0.1.tar.gz.sha256
| +- public-package-0.2.tar.gz
+ | +- public-package-0.2.tar.gz.asc
| +- public-package-0.2.tar.gz.sha256
+-- private-package
- | +- .private
+ | +- .internal
| +- private-package-0.1.tar.gz
| +- private-package-0.1.tar.gz.sha256
|...
When you request for particular package version, then its tarball is
downloaded and verified against the checksum. For example in the root
directory above we have downloaded only @file{public-package-0.2}.
+If upstream has corresponding @file{.asc} file, then it also will be
+downloaded.
-Private packages contain @file{.private} file, indicating that it must
+Private packages contain @file{.internal} file, indicating that it must
not be asked in PyPI if required version is missing. You have to create
it manually.