🍫 Zartbitter

An easy to use artifact repository that allows you to have a centralized deployment of things, with version support

Concept

• Provide artifacts (files) via static storage (filesystem)
  • Serve files via HTTP(S), Gemini, …
  • Files are stored in reasonable paths in the file system, either via links or as physical files
  • Artifacts should be accessible in a nice and human-friendly way.
    • Example: download.random-projects.net/files/kristall-windows-x86_64-1.3.1-alpha.zip
• Artifacts and their paths are managed by the system
  • User can create new artifacts, but versions are determined by the upload
  • System uses SemVer 2.0 for artifacts
    • The newest artifact will be served without a version appendix, making it easy to provide stable download links for the latest version
    • Nightly/prerelease versions can also be shared as "the latest prerelease"
  • Each artifact will be accompanied by a set of common hashes (md5, sha1, sha256)
  • Artifacts are immutable, no changes after an upload
• Upload of artifacts happens via API tokens
  • Each upload token can update exactly a single artifact
  • Each upload token has an associated security token that is used to authenticate the upload
    • upload token can be PUBLIC
    • security token must be SECRET
  • Upload via HTTPS only, accompanied by a hash of the file for integrity verification as well as the mime type for the artifact
    • If the file version is uploaded the first time, the hashes will be computed and stored
    • Second upload will have its hash checked and verified. On mismatch, will return a HTTP 409 Conflict
• Artifacts can be accessed either publicly or can be hidden behind an access token
• Artifact metadata can be queried (same rules apply as accessing the artifact itself)
  • artifact name (without version)
  • canonical name (with version)
  • version
  • description
  • date of upload
  • hashes/checksums
  • size
  • mime type
• Minimal requirement for uploading/updating artifacts should be a relatively simple curl request, to make deployment from basically any platform trivial
• Allow creation of artifact indices
  • This should be designed as a plugin
  • Artifacts can be put into an "index", which is just a group of artifacts
  • Each index has a specialized rendering surface, so tools like npm, NuGet or others can use the index to get a list of all available artifacts (mostly packages in that case)

Implementation

• As this is a pretty high-level application, an implementation in dotnet or go might be the right choice.
• Uploads should be interlocked against each other, so they don't accidently override themselves
• Data should be stored hybrid in a regular database (sqlite, mysql, …) and the file system (blobs)
• Artifact declaration should be easy, but doesn't require a "nice" frontend
  • Artifact declaration can be done with a "bad" web frontend, a regular yaml-like config file + diff might be the right choice here (example see below)
  • Alternative would be a very basic web frontend, doesn't even need special styling. This would require some kind of authentication.
  • Alternative would be a "EDITOR" styled CLI frontend, where user can use their text editor to edit a single artifact

Example for yaml file

- name:        "kristall-windows-x86_64.zip"
  description: "Windows-x64 standalone installation of the Kristall Small Internet Browser"
  access tokens:
    - "MVMOo7bOFSUeQhOcC2Dlhp2GhwazBfYIjaO0Vx4Vn/d1"
    - "fHIQ38OvQ2rvDcsU91vBvknTscZDePPDPnP9/5JoGgm6"
  uploaders:
    - public:   "adN2sVOZgFwZ0DjDxrZ1MkRTovCsHZIQ+YRrajNNLr7v"
      security: "AjgCbq2LY/pe2JMJZ9Y2MsQflK2XUVQaWHxOurda7iKU"
    - public:   "qvS4EsjvihTGAFsJt95NQ7H2hT2vKHhvWOy68f8UB02i"
      security: "IBCW4/O8FFPHW8UFex0zap+MMjmJX9eaRnCoNC4ersjW"
- name:        "pkgs/zig/zig-opengl.tar.gz"
  description: "Zig package for the zig-opengl repository."
  uploaders:
    - public:   "2og5PyOjdh4+rpS9C3fGjwfTwckiEaTT5d7A+wPAfCkG"
      security: "8Jb1FVHmrVWnGRDxq7m2DTJCoZ1/WQkfMIx1gytvXXXQ"