The root directory has the following hierarchy:

    root
      +-- public-package
      |     +- .metadata.rec
      |     +- public-package-0.1.tar.gz.md5
      |     +- public-package-0.1.tar.gz.blake2b_256
      |     +- public-package-0.1.1.tar.gz.blake2b_256
      |     +- public-package-0.2.tar.gz
      |     +- public-package-0.2.tar.gz.sha256
      |     +- public-package-0.2.tar.gz.blake2b_256
      +-- private-package
      |     +- .internal
      |     +- .metadata.rec
      |     +- private-package-0.1.tar.gz
      |     +- private-package-0.1.tar.gz.sha256
      |     +- private-package-0.1.tar.gz.blake2b_256
      |...

Each directory is a normalized package name. When you try to list the
contents of a nonexistent directory (that is, you are downloading a
package you have not seen before), GoCheese downloads information about
the package's versions with their checksums and writes them to the
corresponding .sha256, .blake2b_256, .sha512, .md5 files.
However, no package tarball is downloaded.

If the JSON API is enabled, then metadata is also downloaded and stored
in .metadata.rec
=> recfile
It fully resembles the structure of
=> Core Metadata

When you request a particular package version, its tarball is
downloaded and verified against the stored checksum. But BLAKE2b-256
is forcibly used afterwards.

For example, "public-package" has version 0.1, downloaded a long time
ago with an MD5 checksum. Version 0.1.1 was downloaded more recently
with a BLAKE2b-256 checksum, which also stored that checksum for 0.1.
Version 0.2 is a downloaded tarball, with forced, recalculated SHA256
and BLAKE2b-256 checksums.
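
An offline audit of one package directory against this layout, as an added example (not GoCheese's own code): for each release it picks the strongest stored checksum and reports whether the tarball is absent, matches, or differs. It assumes a checksum file holds the raw digest bytes; audit_package and build_sample are hypothetical names, and the sample tree is constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Checksum suffixes named on this page, strongest first.
ALGOS = [
    ("blake2b_256", lambda data: hashlib.blake2b(data, digest_size=32)),
    ("sha512", hashlib.sha512),
    ("sha256", hashlib.sha256),
    ("md5", hashlib.md5),
]

def audit_package(pkg_dir):
    """Map each release to (state, algo); checksum files assumed raw digest bytes."""
    pkg_dir = Path(pkg_dir)
    names = {p.name for p in pkg_dir.iterdir()}
    report = {}
    for suffix, new_hash in ALGOS:
        for name in sorted(names):
            release, _, ext = name.rpartition(".")
            if ext != suffix or not release or release in report:
                continue
            if release not in names:  # version listed, tarball never requested
                report[release] = ("checksum-only", suffix)
                continue
            # Whole-file read keeps the example short; hash in chunks for large files.
            got = new_hash((pkg_dir / release).read_bytes()).digest()
            want = (pkg_dir / name).read_bytes()
            report[release] = ("ok" if got == want else "MISMATCH", suffix)
    return report

def build_sample(root):
    """Constructed sample mirroring part of the tree above (contents are made up)."""
    pkg = Path(root, "public-package")
    pkg.mkdir()
    body = b"constructed tarball bytes"
    files = {
        "public-package-0.1.tar.gz.md5": hashlib.md5(b"old").digest(),
        "public-package-0.2.tar.gz": body,
        "public-package-0.2.tar.gz.sha256": hashlib.sha256(body).digest(),
        "public-package-0.2.tar.gz.blake2b_256": hashlib.blake2b(body, digest_size=32).digest(),
    }
    for name, data in files.items():
        (pkg / name).write_bytes(data)
    return pkg

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        print(audit_package(build_sample(root)))
```

A release whose strongest stored checksum is still .md5 has never had its tarball requested, so its content has only the upstream-supplied MD5 to be checked against on first download.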

"private-package" is a private package, because it contains a .internal
file. It can be uploaded, and queries to it are not proxied to upstream
PyPI. You have to create it manually.

Each package's release file has its mtime set to its upload time. A
package's serial is the sum of the mtimes of the directory and
.metadata.rec (if it exists).