// on execution infrastructure

Public packages only need to be downloaded once

Gustavo Schneiter · 2026

Every day, the world’s CI fleet re-downloads the same immutable bytes: the same numpy wheel, the same lodash tarball, on every fresh runner and every cache-evicted container. PyPI alone served 136.7 billion downloads in March 2026 — about 4.4 billion a day. You don’t get to that number with humans typing pip install; the overwhelming majority is CI runners and automated builds re-fetching bytes somebody else already fetched an hour earlier. (That last inference is mine; the download count is the report’s.) The cost lands as redundancy and latency everywhere, and on some surfaces — Docker Hub most famously — as rate-limit ceilings.

CoreLink — the content-addressed cache platform I’m building (closed source; this post is the design and its exact current state, with code references I can show) — treats this as a storage-identity problem: if an artifact is addressed by what it is, a byte that never changes only needs to enter the system once. The interesting part is what happens when “once” means once across every customer — and where that idea stops being safe.

Prior art, first

None of the ingredients are new; the combination is the design.

The narrow thing I wanted, which I couldn’t find: cross-tenant dedup of public, immutable bytes, co-located with private artifacts in one addressing scheme — on the same content-addressed store that already serves the build cache. A public wheel and a private Bazel action result become two entries in one keyspace, shared and isolated by namespace rather than by living in different systems.

The design: access is gated, content is shared

CoreLink exposes each ecosystem through an adapter that speaks its native protocol — npm registry (tarballs + metadata), the PyPI simple index (wheels/sdists), Homebrew bottles, and the OCI Distribution Spec v1.1 pull/push surface (blobs, manifests, tag lists; no referrers API yet, and push/pull only — no public read-through mirror yet, so it’s not the answer to Docker Hub’s rate limits today) — so docker, podman, containerd and Helm are designed to talk to it with nothing more than a registry config change.

Under the adapters there is one rule: the token gates access; the content is shared. It is live end-to-end on brew today — with HOMEBREW_ARTIFACT_DOMAIN and a HOMEBREW_DOCKER_REGISTRY_TOKEN bearer, a stock brew client pulls real bottles through the mirror — and the exact state of every other surface is below. Public upstream bytes are stored once, under a shared _public namespace, and served to any authenticated tenant. Tenant identity never comes from the URL — the tenant segment in the path is routing-only, and the real tenant is derived from the verified PAT on every request to these surfaces (PipPatResolver::resolve, BrewPatResolver::resolve; on OCI, from the bearer minted by the two-leg token exchange). On the package surfaces, a request without a valid token gets nothing; a request with one gets bytes some other tenant may have caused to be fetched last month.

The first time any tenant’s brew asks for a given bottle, the service fetches it from upstream (read-through), verifies it against the digest in its URL, stores it content-addressed, and serves it. Every request after that — from any tenant — is served from the store: fetched from upstream once, modulo two asides (concurrent first requests can race and fetch twice — both store identical bytes — and a damaged or missing blob is deliberately treated as a miss and re-fetched). Today nothing is evicted; what eviction should even mean for a namespace whose value is being permanently warm is an open question below.

Private artifacts live in the same system but never in _public: npm @scoped metadata stays per-tenant by construction (namespace_for_meta_key), and tarball bytes are per-tenant for everything — more on why in a moment. The public/private split is enforced in the keyspace, not in a review process.

That shared namespace is also the economics: each tenant’s ordinary traffic warms the cache for the next one — that’s the whole mechanism; there is no step two. And because the store is Cloudflare R2, which (as of current pricing) charges no egress, serving a cached bottle costs storage and a read, not a transfer fee. Per-org mirrors structurally can’t compound like this; every one of them starts cold.

Where “once” stops being safe

The part worth a post: cross-tenant sharing is tempting to justify with two properties — the artifact is immutable, and the client verifies it independently. But the second property doesn’t always hold: it does for lockfile and --require-hashes workflows, while a hashless pip install trusts the mirror for the index it serves and — once the wheel client path closes — the bytes too, exactly as it would trust any proxy.

So the rule I can actually defend is narrower, and it is about artifact bytes: share only artifact bytes that are immutable and digest-verified — verified by the mirror always, before they enter the store, and by the client wherever its workflow does. Where even that floor can’t be established, don’t share. That rule, one boundary that is pure engineering debt, and one surface not yet built at all are how the implementation is split today:

Cross-tenant byte sharing means a bug in the mirror’s write path is a supply-chain incident multiplied by your customer count, so the population rules deserve exact language. Tenants don’t write _public — population happens only through the service’s own upstream fetch.

Brew’s fetch path is the strict one: a pinned first-hop origin (redirects after it follow the same internal-IP-literal guard as pip’s), an allowlist of homebrew/core and homebrew/cask, a digest-in-the-URL requirement for anything cached, verification against that digest before the put, and re-verification of the content hash on read.

Pip’s path is close behind, with one structural difference. The index host is pinned, and the second hop — the wheel URL the index supplies — is checked against a two-host allowlist (the index origin plus files.pythonhosted.org), with redirects refused when they point at internal IP literals (hostnames aren’t resolved and checked — a narrower guard than it sounds). The stored key is the wheel’s own sha256, verified against the bytes before the put — so the attack surface is that verification step, not the keyspace. What pip lacks, structurally, is brew’s digest-in-the-URL: the sha256 the mirror verifies comes from the same index the mirror fetched — the trust-the-mirror problem above, now in structural form.

Sharing the bytes is half the failure surface; who pays to serve them is the other half. Pulls are governed like the work they are: on the OCI surface every method including GET is charged against a per-tenant monthly dollar ceiling that fails closed — for a resolved tenant, over-ceiling or unable-to-cost-check is rejected rather than silently eaten. An adversarial pass I ran against my own gate flagged unlimited authenticated pulls as a cost hole, and that carve-out is closed. The gap that remains is earlier in the pipeline, and flagged in the source: a request with no resolvable bearer at all passes the meter uncounted, pending a trust-path review.

And one comparison I owe the reader: on auditability, this is strictly weaker today than Go’s proxy + sumdb — there is no transparency log of what _public contains. That is the most important open question below, and I consider it roadmap.

Limitations

Open questions

The one-sentence version: the token gates access, the content is shared — and knowing exactly where that stops being safe is the product.


CoreLink is the platform behind the site’s journey demo.