X-Git-Url: http://www.git.cypherpunks.ru/?p=gocheese.git;a=blobdiff_plain;f=gocheese.texi;h=8bb6b9cdbbcd7a95a8041d45662ca053317460df;hp=6cff768e01837465f7d286933e420789d2c3f759;hb=11d218004e3a2668985a6d9b2628cb4b3fdc0051;hpb=984e32455cd547f697b93fea7d88b5adb160513b diff --git a/gocheese.texi b/gocheese.texi index 6cff768..8bb6b9c 100644 --- a/gocheese.texi +++ b/gocheese.texi @@ -25,13 +25,14 @@ but nearly all the code was rewritten. It has huge differences: @itemize @item proxying and caching of missing packages, including GPG signatures @item @url{https://pythonwheels.com/, Wheel} uploading support -@item atomic packages store on filesystem -@item SHA256-checksummed packages: storing checksums, giving them back, - verifying stored files integrity, verifying checksum of uploaded - packaged -@item graceful HTTP-server shutdown +@item integrity check of proxied packages: MD5, SHA256, SHA512, BLAKE2b-256 +@item SHA256 checksums for stored packages +@item verifying of SHA256 checksum for uploaded packages +@item storing of uploaded GPG signatures @item no YAML configuration, just command-line arguments @item no package overwriting ability (as PyPI does too) +@item atomic packages store on filesystem +@item graceful HTTP-server shutdown @end itemize Also it contains @file{pyshop2packages.sh} migration script for @@ -91,7 +92,7 @@ file is checked against it. Pay attention that you have to manually create corresponding private package directory! You are not allowed to upload anything explicitly -flagged as private. +flagged as internal package. @node Passwords @unnumbered Password authentication 
@@ -184,31 +185,40 @@ Root directory has the following hierarchy: root +-- public-package | +- public-package-0.1.tar.gz.md5 - | +- public-package-0.1.1.tar.gz.sha256 + | +- public-package-0.1.tar.gz.blake2_256 + | +- public-package-0.1.1.tar.gz.blake2_256 | +- public-package-0.2.tar.gz | +- public-package-0.2.tar.gz.asc | +- public-package-0.2.tar.gz.sha256 +-- private-package | +- .internal | +- private-package-0.1.tar.gz + | +- private-package-0.1.tar.gz.asc | +- private-package-0.1.tar.gz.sha256 |... @end verbatim -Each directory is a package name. When you try to list non existent -directory contents (you are downloading package you have not seen -before), then GoCheese will download information about package's -versions with checksums and write them in corresponding @file{.sha256} -files. However no package package tarball is downloaded. +Each directory is a normalized package name. When you try to list non +existent directory contents (you are downloading package you have not +seen before), then GoCheese will download information about package's +versions with checksums and write them in corresponding +@file{.sha256}, @file{.blake2_256}, @file{.sha512}, @file{.md5} files. +However no package package tarball is downloaded. When you request for particular package version, then its tarball is -downloaded and verified against the checksum. For example in the root -directory above we have downloaded only @file{public-package-0.2}. -If upstream has corresponding @file{.asc} file, then it also will be -downloaded. - -Private packages contain @file{.internal} file, indicating that it must -not be asked in PyPI if required version is missing. You have to create -it manually. +downloaded and verified against the stored checksum. But SHA256 is +forced to be stored and used later. + +For example @file{public-package} has @code{0.1} version, downloaded a +long time ago with MD5 checksum. 
@code{0.1.1} version is downloaded more +recently with BLAKE2b-256 checksum, also storing that checksum for +@code{0.1}. @code{0.2} version is downloaded tarball, having forced +SHA256 recalculated checksum. Also upstream has corresponding +@file{.asc} signature file. + +@file{private-package} is private package, because it contains +@file{.internal} file. It can be uploaded and queries to it are not +proxied to upstream PyPI. You have to create it manually. If you upload +GPG signature, then it will be also stored. @bye
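Review bot: in the @@ -25,13 +25,14 @@ hunk the rewritten feature list silently drops the old "verifying stored files integrity" item; if that check still exists it should stay in the list, and if it was removed the change should say so. The new items also need a grammar pass: "@item verifying of SHA256 checksum for uploaded packages" reads better as "@item verification of SHA256 checksums for uploaded packages", and "@item storing of uploaded GPG signatures" as "@item storing uploaded GPG signatures". Since MD5 is now listed beside SHA256, SHA512 and BLAKE2b-256 as an integrity check for proxied packages, that item should state which checksum is used when upstream offers several, so a reader does not assume a downloaded tarball may only ever be MD5-verified.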
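Review bot: the reworded sentence in the @@ -91,7 +92,7 @@ hunk, "You are not allowed to upload anything explicitly flagged as internal package.", now reads as a contradiction of the @@ -184,31 +185,40 @@ hunk, which says a package containing @file{.internal} "can be uploaded". If the intent is that uploads are only accepted into packages already flagged internal, say so directly ("You are only allowed to upload into packages explicitly flagged as internal"); otherwise at least add the missing article ("flagged as an internal package"). The unchanged context line still says "private package directory" while the new text says "internal", so one term should be used in both places.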
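Review bot: the duplicated word in "+However no package package tarball is downloaded." is carried over from the removed line and should be fixed while this paragraph is being rewritten. "But SHA256 is forced to be stored and used later." is too terse to explain the tree above it: state when the SHA256 is computed (after the tarball has been fetched and verified against whatever checksum upstream provided) and that it replaces the weaker checksum for later checks, which is what the @file{public-package-0.2.tar.gz.sha256} entry next to the @file{.md5} and @file{.blake2_256} files for 0.1 and 0.1.1 is meant to illustrate. Smaller grammar points in the added lines: "When you request for particular package version" should be "When you request a particular package version", "@code{0.2} version is downloaded tarball" should be "the @code{0.2} tarball has been downloaded", and "@file{private-package} is private package" should be "is a private package".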