X-Git-Url: http://www.git.cypherpunks.ru/?p=gocheese.git;a=blobdiff_plain;f=gocheese.texi;h=26ab1789dd4a75f1daa548d93789738c5b8cd103;hp=fac8df0e4c564c3652a1e4043224be30c5dc4f38;hb=14a6f9c7e18e3698ecf7e0c8b28680d6615db3bd;hpb=508cad6b690c7057c98b5f4c3dabaa9fa55e9219 diff --git a/gocheese.texi b/gocheese.texi index fac8df0..26ab178 100644 --- a/gocheese.texi +++ b/gocheese.texi @@ -10,11 +10,12 @@ GoCheese is Python private package repository and caching proxy. It serves two purposes: @itemize -@item hosting of private locally uploaded packages (conforming to - @url{https://www.python.org/dev/peps/pep-0503/, PEP-0503} (Simple - Repository API)) @item proxying and caching of missing packages from upstream - @url{https://pypi.org/, PyPI} + @url{https://pypi.org/, PyPI}, conforming to + @url{https://www.python.org/dev/peps/pep-0503/, PEP-0503} + (Simple Repository API) +@item hosting of private locally uploaded packages, conforming to + @url{https://warehouse.pypa.io/api-reference/legacy/, Warehouse Legacy API} @end itemize Initially it was created as a fork of @@ -22,14 +23,21 @@ Initially it was created as a fork of but nearly all the code was rewritten. It has huge differences: @itemize -@item proxying and caching of missing packages +@item proxying and caching of missing packages, including GPG signatures +@item @url{https://pythonwheels.com/, Wheel} uploading support @item atomic packages store on filesystem -@item SHA256-checksummed packages (both uploaded and proxied one) +@item SHA256-checksummed packages: storing checksums, giving them back, + verifying stored files integrity, verifying checksum of uploaded + packaged @item graceful HTTP-server shutdown @item no YAML configuration, just command-line arguments -@item no package overwriting ability (as PyPI does) +@item no package overwriting ability (as PyPI does too) @end itemize +Also it contains @file{pyshop2packages.sh} migration script for +converting @url{https://pypi.org/project/pyshop/, Pyshop} database into +GoCheese one, including private packages. + GoCheese is free software, licenced under @url{https://www.gnu.org/licenses/gpl-3.0.html, GNU GPLv3}: see the file COPYING for copying conditions. @@ -51,12 +59,16 @@ To use it for download purposes, just configure your @file{pip.conf}: index-url = http://gocheese.host:8080/simple/ @end verbatim -@option{-refresh} URL behaves the same way as @option{-simple} one, but -is always refreshes package versions from PyPI when listing it. You can -use it to forcefully update known package versions. +@option{-refresh} URL (@code{/simple/} by default) automatically +refreshes metainformation (available versions and their checksums) +from the upstream, when queried for package directory listing. +@option{-norefresh} prevents upstream queries. + +@option{-gpgupdate} is useful mainly for migrated for Pyshop migrated +repositories. It forces GPG signature files downloading for all existing +package files. -You can upload packages to it with -@url{https://pypi.org/project/twine/, twine}: +You can upload packages to it with @url{https://pypi.org/project/twine/, twine}: @verbatim twine upload @@ -65,6 +77,22 @@ twine upload --password foo dist/tarball.tar.gz @end verbatim +Or you can store it permanently in @file{.pypirc}: + +@verbatim +[pypi] +repository: https://gocheese.host/simple/ +username: spam +password: foo +@end verbatim + +If @command{twine} sends SHA256 checksum in the request, then uploaded +file is checked against it. + +Pay attention that you have to manually create corresponding private +package directory! You are not allowed to upload anything explicitly +flagged as private. + @node Passwords @unnumbered Password authentication @@ -157,9 +185,10 @@ root +-- public-package | +- public-package-0.1.tar.gz.sha256 | +- public-package-0.2.tar.gz + | +- public-package-0.2.tar.gz.asc | +- public-package-0.2.tar.gz.sha256 +-- private-package - | +- .private + | +- .internal | +- private-package-0.1.tar.gz | +- private-package-0.1.tar.gz.sha256 |... @@ -174,8 +203,10 @@ files. However no package package tarball is downloaded. When you request for particular package version, then its tarball is downloaded and verified against the checksum. For example in the root directory above we have downloaded only @file{public-package-0.2}. +If upstream has corresponding @file{.asc} file, then it also will be +downloaded. -Private packages contain @file{.private} file, indicating that it must +Private packages contain @file{.internal} file, indicating that it must not be asked in PyPI if required version is missing. You have to create it manually.