Considering engineering my own package server, in a non-Python language (to learn that language). If I do go ahead, will open-source the end result.
What do I need to know?

Currently I'm thinking I'll just copy pypiserver's logic, in particular:
https://github.com/pypiserver/pypiserver/blob/master/pypiserver/_app.py

For package signing:
- pkg_server will store the maintainers' public keys
- They should sign their package archive with their private key before sending it over to pkg_server.
- Then pkg_server will confirm their public key matches what's stored in pkg_server
- If it does, then pkg_server will sign it
- Finally the verified package will be available for anyone to download (hopefully you've installed certificates and are forcing TLS 1.2 [or even 1.3!])
Does that sound right? Is there anything I'm missing?
- E.g.: a new pip standard making pypiserver's stuff all backwards compliant.
- I'm only interested in supporting the latest versions of pip on the latest versions of Python 2 & 3.
Thanks for all information :)
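The signing flow sketched in the post (maintainer signs, server checks against the key on file, server countersigns, client verifies), written out as an added example in Go, since the poster wants a non-Python language. This is not pypiserver code and not the poster's design beyond the steps listed above. It assumes Ed25519 keys, SHA-256 over the archive bytes as the signed message, and an in-memory maintainer registry; the maintainer names, the server structure and the archive contents are hypothetical and constructed. The server verifies the upload against the key it already holds for the claimed name, never against a key carried in the upload, and the client requires both signatures.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Upload is what a maintainer sends: the archive, the name they claim,
// and an Ed25519 signature over the SHA-256 digest of the archive.
type Upload struct {
	Maintainer string
	Archive    []byte
	Signature  []byte
}

// Published is what clients download: the upload plus the server's countersignature.
type Published struct {
	Upload
	ServerSignature []byte
}

// PackageServer holds the maintainer public keys on file and its own signing key.
// Hypothetical structure; a real server would persist both.
type PackageServer struct {
	maintainers map[string]ed25519.PublicKey
	signingKey  ed25519.PrivateKey
}

// GenerateKey wraps ed25519.GenerateKey; it panics only if the RNG fails.
func GenerateKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// NewPackageServer creates a server with a fresh signing key and an empty registry.
func NewPackageServer() *PackageServer {
	_, priv := GenerateKey()
	return &PackageServer{maintainers: map[string]ed25519.PublicKey{}, signingKey: priv}
}

// PublicKey is the server verification key that clients are expected to pin.
func (s *PackageServer) PublicKey() ed25519.PublicKey {
	return s.signingKey.Public().(ed25519.PublicKey)
}

// Register is the out-of-band enrolment step: an upload can never add or change a key.
func (s *PackageServer) Register(name string, pub ed25519.PublicKey) {
	s.maintainers[name] = pub
}

func digest(archive []byte) []byte {
	h := sha256.Sum256(archive)
	return h[:]
}

// SignUpload is the maintainer side: sign the archive digest before sending it.
func SignUpload(name string, archive []byte, priv ed25519.PrivateKey) Upload {
	return Upload{Maintainer: name, Archive: archive, Signature: ed25519.Sign(priv, digest(archive))}
}

// Accept is the server side: verify against the key on file for the claimed
// name, and only then countersign the same digest.
func (s *PackageServer) Accept(u Upload) (Published, error) {
	pub, ok := s.maintainers[u.Maintainer]
	if !ok {
		return Published{}, errors.New("unknown maintainer")
	}
	d := digest(u.Archive)
	if !ed25519.Verify(pub, d, u.Signature) {
		return Published{}, errors.New("signature does not verify against key on file")
	}
	return Published{Upload: u, ServerSignature: ed25519.Sign(s.signingKey, d)}, nil
}

// VerifyDownload is the client side: both signatures must hold, so neither a
// compromised server alone nor a stolen maintainer key alone yields a trusted package.
func VerifyDownload(p Published, maintainerPub, serverPub ed25519.PublicKey) bool {
	d := digest(p.Archive)
	return ed25519.Verify(maintainerPub, d, p.Signature) && ed25519.Verify(serverPub, d, p.ServerSignature)
}

func main() {
	server := NewPackageServer()
	alicePub, alicePriv := GenerateKey()
	server.Register("alice", alicePub) // hypothetical maintainer

	archive := []byte("constructed sdist bytes: pkg-1.0.0.tar.gz")
	pub, err := server.Accept(SignUpload("alice", archive, alicePriv))
	fmt.Println("genuine upload accepted:", err == nil,
		"client verifies:", VerifyDownload(pub, alicePub, server.PublicKey()))

	// Impostor: claims "alice" but signs with a key the server never stored.
	_, mallory := GenerateKey()
	_, err = server.Accept(SignUpload("alice", archive, mallory))
	fmt.Println("impostor upload rejected:", err != nil)
}
```

Two failure modes the poster's step list does not spell out are worth checking explicitly: an upload that claims a registered name but carries a signature from some other key must be rejected, and an archive modified after signing must be rejected, because both are exactly what a stored-key check is for.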