Writing a pip-standard-compliant package server?


Alec Taylor

Jun 20, 2015, 2:27:04 AM
to pypa...@googlegroups.com
I'm considering engineering my own package server in a non-Python language (to learn that language). If I do go ahead, I will open-source the end result.

What do I need to know?

Currently I'm thinking I'll just copy pypiserver's logic, in particular: https://github.com/pypiserver/pypiserver/blob/master/pypiserver/_app.py

For package signing:
  1. pkg_server will store the maintainers' public keys.
  2. They should sign their package archive with their private key before sending it over to pkg_server.
  3. Then pkg_server will confirm their public key matches what's stored in pkg_server.
  4. If it does, then pkg_server will sign it.
  5. Finally, the verified package will be available for anyone to download (hopefully you've installed certificates and are forcing TLS 1.2 [or even 1.3!]).


Does that sound right? Is there anything I'm missing, e.g. a new pip standard making pypiserver's stuff all backwards compliant? I'm only interested in supporting the latest versions of pip on the latest versions of Python 2 & 3.

Thanks for all information :)