Then again, i'll check the pypi api's documentation. Hopefully, it's explained somewhere ;)

In T421#21696, @zack wrote:

Still, we should probably have a "master" branch, to ease navigation, shouldn't we? (What do we do for Debian packages on this?)

So, having one branch in the snapshot per distribution format (tar/zip/etc.) is a nice and clean way of handling this.

In T421#21693, @olasd wrote:

• Unpack all the sdist formats
• If things are well, the contents are identical. In that case, the revision objects would end up with the same id; we can ignore that there ever was multiple formats, and just have a single branch pointing to a single revision for that version of the package in the snapshot
• If the contents are different, load both and make the snapshot have a branch pointing to each format.

The Debian loader doesn't create release objects. Our data model doesn't allow to attach arbitrary structured metadata to release objects (as Git doesn't either), so we've shortcut this level of indirection.

In T421#21639, @zack wrote:

The basic loader will be the tarball loader, yes. In addition to that there are two aspects to be defined:

1. the stack of objects to be added to the DAG
2. the metadata to extract

For (1), I think what we currently do for Debian packages is as you said, i.e., snapshot -> release -> revision -> tarball root dir. Maybe you can check for comparison (or @olasd can chime in?). We should do the same here.

There remains 3 actions to do for the current implementation to be complete:

As far as I can tell from those examples, the metadata that PyPI gives you are the most recent ones, probably the ones extracted from the most recent version, so it would be incorrect to associate them to other releases.

In T421#21642, @ardumont wrote:

The pypi api provides already quite the information (P288, P289 for examples).
For now, the current implementation leverages it.

For (1), I think what we currently do for Debian packages is as you said, i.e., snapshot -> release -> revision -> tarball root dir. Maybe you can check for comparison (or @olasd can chime in?). We should do the same here.

The basic loader will be the tarball loader, yes. In addition to that there are two aspects to be defined:

1. the stack of objects to be added to the DAG
2. the metadata to extract

capable of extracting upstream metadata that are meaningful (and specific to) PyPI.

In T422#21473, @ardumont wrote:

If your consumer is actually an organization or service that will be downloading a lot of packages from PyPI, consider using your own index mirror or cache.

That's not a sustainable way. If we choose that path for all the forges we need to archive... that will be difficult in terms of infrastructure and maintenance.

They have multiple apis:

• basic json one [1] which permits to request information on a per project basis (no listing) [1] (~> foresee the use of this one for the loader)
• xmlrpc deprecated one [2] (this one lists ~> that would be for the lister use)
• html page (listing all packages)
• rss feed (update events)