From 6524dadb0ef02af461afe3ef2a5a7f1dc76f0d18 Mon Sep 17 00:00:00 2001
From: jaimergp <jaimergp@users.noreply.github.com>
Date: Tue, 30 Sep 2025 13:47:10 +0200
Subject: [PATCH 01/12] Standardize repodata.json and friends

---
 cep-XXXX.md | 127 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 127 insertions(+)
 create mode 100644 cep-XXXX.md

diff --git a/cep-XXXX.md b/cep-XXXX.md
new file mode 100644
index 00000000..aa9846b3
--- /dev/null
+++ b/cep-XXXX.md
@@ -0,0 +1,127 @@
+# CEP XXXX - Metadata files served by conda channels
+
+<table>
+<tr><td> Title </td><td> CEP XXXX - Metadata files served by conda channels </td>
+<tr><td> Status </td><td> Draft </td></tr>
+<tr><td> Author(s) </td><td> Jaime Rodríguez-Guerra &lt;jaime.rogue@gmail.com&gt;</td></tr>
+<tr><td> Created </td><td> Sep 30, 2025 </td></tr>
+<tr><td> Updated </td><td> Sep 30, 2025 </td></tr>
+<tr><td> Discussion </td><td> N/A </td></tr>
+<tr><td> Implementation </td><td> N/A </td></tr>
+</table>
+
+## Abstract
+
+This CEP standardizes the schema for the metadata files served in conda channels. Namely, `repodata.json` (and its variants) and `channeldata.json`.
+
+> Channels may also serve `run_exports.json`, which is described in [CEP 12](./cep-0012.md).
+
+## Motivation
+
+The motivation of this CEP is merely informative. It describes the schema of existing metadata files already in wide use.
+
+## Specification
+
+As per [CEP 26](./cep-0026.md), a conda channel MUST include a `noarch/repodata.json` file. It MAY also serve additional, platform-specific `repodata.json` files under subdirectories, which MUST follow [CEP 26](./cep-0026.md) naming conventions for `subdirs`.
+
+A conda channel MAY also serve a `channeldata.json` file in the top-level directory.
+
+### `repodata.json`
+
+`repodata.json` files are subdir-specific JSON documents that aggregate the `index.json` metadata of the included conda artifacts (see [CEP PR#133](https://github.com/conda/ceps/pull/133)), and extend them with details only known when the compressed artifact has been generated (such as size, timestamp, or checksums).
+
+Each `repodata.json` MUST represent a dictionary with the keys listed below. All of them are optional. Additional top-level keys MUST be allowed but they MUST be ignored if not recognized.
+
+- `info: dict[str, dict]`. Metadata about the `repodata.json` itself. See [info metadata](#info-metadata).
+- `packages: dict[str, dict]`. This entry maps `*.tar.bz2` filenames to their [package record metadata](#package-record-metadata).
+- `packages.conda: dict[str, dict]`. This entry maps `*.conda` filenames to [package record metadata](#package-record-metadata).
+- `removed: list[str]`. List of filenames that were once included in either `packages` or `packages.conda`, but they were removed. See [repodata patching](#repodata-patching) for more information.
+
+#### `info` metadata
+
+This dictionary stores information about the repodata file. It MUST follow this schema:
+
+- `subdir: str`. Recommended. The channel subdirectory this `repodata.json` belongs to.
+- "... TODO"
+
+#### Package record metadata
+
+Each entry in `packages` and `packages.conda` MUST follow the `index.json` schema (see [CEP PR#133](https://github.com/conda/ceps/pull/133)), augmented with these keys:
+
+- `md5: str | None`. Hexadecimal string of the MD5 checksum of the compressed artifact.
+- `sha256: str | None`. Hexadecimal string of the SHA256 checksum of the compressed artifact.
+- `size: int`. Size, in bytes, of the compressed artifact.
+
+#### Repodata variants
+
+... TODO. `current_repodata.json` and timebased snapshots.
+
+#### Repodata patching
+
+... TODO.
+
+### `channeldata.json`
+
+Deprecated.
+
+This JSON document MAY be served at the root of the conda channel. It aggregates some packaging metadata across all the channel subdirectories. It MUST follow this schema:
+
+- `channeldata_version: int`. Version of the `channeldata` schema. Currently `1`.
+- `subdirs: list[str]`: List of subdirectories supported by the channel.
+- `packages: dict[str, dict]`. Mapping of package names to a dictionary with the following metadata:
+  - `activate.d: bool`. Whether the packages feature activation scripts.
+  - `binary_prefix: bool`. Whether the package files contain a prefix placeholder that must be replaced in binary mode.
+  - `deactivate.d: bool`. Whether the packages feature deactivation scripts.
+  - `dev_url: str`. URL to the main website of the project.
+  - `doc_url: str`. URL to the documentation website of the project.
+  - `home: str`. URL to the main website of the project.
+  - `license: str`. License of the project, preferably a SPDX expression.
+  - `post_link: bool`. Whether the packages feature post-link scripts.
+  - `pre_link: bool`. Whether the packages feature pre-link scripts.
+  - `pre_unlink: bool`. Whether the packages feature pre-unlink scripts.
+  - `run_exports: dict[str, dict]`. Mapping of versions to their `run_exports` metadata. See [CEP 12](./cep-0012.md) for the valid keys.
+  - `source_url: str | list[str]`. URL (or URLs) of the sources that were fetched to build the package.
+  - `subdirs: list[str]`. Channel subdirectories under which this package is available.
+  - `summary: str`. Short description of the project.
+  - `text_prefix: bool`. Whether the package files contain a prefix placeholder that must be replaced in text mode.
+  - `timestamp: int`. Upload date of the most recently published artifact, as a POSIX timestamp in milliseconds.
+  - `version: str`. Most recent version published in the channel.
+
+## Examples
+
+A minimal conda channel only needs a single, empty file:
+
+```text
+./noarch/repodata.json
+```
+
+A conda channel with a Linux x64 specific subdirectory:
+
+```text
+./noarch/repodata.json
+./linux-64/repodata.json
+```
+
+Optionally serving `channeldata.json`:
+
+```text
+./noarch/repodata.json
+./linux-64/repodata.json
+./channeldata.json
+```
+
+## Rationale
+
+The `channeldata.json` file is considered deprecated because the listed metadata may be unreliable. It assumes that all the artifacts for a given package name will always have a homogeneous composition, but this is not necessarily true. Some examples:
+
+- Some artifacts may contain activation scripts on some platforms, but not on others.
+- Prefix replacement may only be needed from a certain point in the lifetime of the project (e.g. the maintainers add a compiled extension for performance).
+- The website or license may change during the project lifetime.
+
+## References
+
+- <https://docs.conda.io/projects/conda-build/en/stable/concepts/generating-index.html>
+
+## Copyright
+
+All CEPs are explicitly [CC0 1.0 Universal](https://creativecommons.org/publicdomain/zero/1.0/).

From 766303b4d1c602434ac8585b133e8fd30729507d Mon Sep 17 00:00:00 2001
From: jaimergp <jaimergp@users.noreply.github.com>
Date: Tue, 30 Sep 2025 19:08:09 +0200
Subject: [PATCH 02/12] Do not assume filesystem

---
 cep-XXXX.md | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/cep-XXXX.md b/cep-XXXX.md
index aa9846b3..57704b20 100644
--- a/cep-XXXX.md
+++ b/cep-XXXX.md
@@ -22,13 +22,17 @@ The motivation of this CEP is merely informative. It describes the schema of exi
 
 ## Specification
 
-As per [CEP 26](./cep-0026.md), a conda channel MUST include a `noarch/repodata.json` file. It MAY also serve additional, platform-specific `repodata.json` files under subdirectories, which MUST follow [CEP 26](./cep-0026.md) naming conventions for `subdirs`.
+As per [CEP 26](./cep-0026.md), a conda channel is defined as a location that MUST serve a `noarch/repodata.json` path. It MAY also serve additional, platform-specific `repodata.json` paths under other subdirectories of the same depth, which MUST follow the `subdir` naming conventions described in [CEP 26](./cep-0026.md).
 
-A conda channel MAY also serve a `channeldata.json` file in the top-level directory.
+A conda channel MAY also serve a `channeldata.json` path in its root level.
+
+Note that there are no requirements for these paths to be backed by a proper filesystem; the contents of these locations can also be provided by API endpoints.
+
+The contents of the `repodata.json` and `channeldata.json` documents MUST follow the schemas described below.
 
 ### `repodata.json`
 
-`repodata.json` files are subdir-specific JSON documents that aggregate the `index.json` metadata of the included conda artifacts (see [CEP PR#133](https://github.com/conda/ceps/pull/133)), and extend them with details only known when the compressed artifact has been generated (such as size, timestamp, or checksums).
+`repodata.json` documents are subdir-specific JSON dictionaries that aggregate the `index.json` metadata of the included conda artifacts (see [CEP PR#133](https://github.com/conda/ceps/pull/133)), and extend them with details only known when the compressed artifact has been generated (such as size, timestamp, or checksums).
 
 Each `repodata.json` MUST represent a dictionary with the keys listed below. All of them are optional. Additional top-level keys MUST be allowed but they MUST be ignored if not recognized.
 

From 4b3d47b800d201c889a5be3819d0b30488411347 Mon Sep 17 00:00:00 2001
From: jaimergp <jaimergp@users.noreply.github.com>
Date: Tue, 30 Sep 2025 19:31:12 +0200
Subject: [PATCH 03/12] Finish `info` schema, repodata subsets and patching

---
 cep-XXXX.md | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/cep-XXXX.md b/cep-XXXX.md
index 57704b20..f8c486b3 100644
--- a/cep-XXXX.md
+++ b/cep-XXXX.md
@@ -39,30 +39,32 @@ Each `repodata.json` MUST represent a dictionary with the keys listed below. All
 - `info: dict[str, dict]`. Metadata about the `repodata.json` itself. See [info metadata](#info-metadata).
 - `packages: dict[str, dict]`. This entry maps `*.tar.bz2` filenames to their [package record metadata](#package-record-metadata).
 - `packages.conda: dict[str, dict]`. This entry maps `*.conda` filenames to [package record metadata](#package-record-metadata).
-- `removed: list[str]`. List of filenames that were once included in either `packages` or `packages.conda`, but they were removed. See [repodata patching](#repodata-patching) for more information.
+- `removed: list[str]`. List of filenames that were once included in either `packages` or `packages.conda`, but are now removed. The corresponding artifacts SHOULD still be accessible via their direct URL.
 
 #### `info` metadata
 
 This dictionary stores information about the repodata file. It MUST follow this schema:
 
-- `subdir: str`. Recommended. The channel subdirectory this `repodata.json` belongs to.
-- "... TODO"
+- `arch: str`. Deprecated. Same meaning as in [CEP PR#133](https://github.com/conda/ceps/pull/133)'s `index.json` key.
+- `base_url: str`. Optional. See [CEP 15](./cep-0015.md).
+- `platform: str`. Deprecated. Same meaning as in [CEP PR#133](https://github.com/conda/ceps/pull/133)'s `index.json` key.
+- `repodata_version: int`. Optional. Version of the `repodata.json` schema. In its absence, tools MUST assume its value is `1`. See [CEP 15](./cep-0015.md) for `repodata_version = 2`.
+- `subdir: str`. Recommended. The channel subdirectory this `repodata.json` belongs to. If its absence, its value MAY be inferred from the parent component of the `repodata.json` path.
 
 #### Package record metadata
 
-Each entry in `packages` and `packages.conda` MUST follow the `index.json` schema (see [CEP PR#133](https://github.com/conda/ceps/pull/133)), augmented with these keys:
+Each entry in `packages` and `packages.conda`:
 
-- `md5: str | None`. Hexadecimal string of the MD5 checksum of the compressed artifact.
-- `sha256: str | None`. Hexadecimal string of the SHA256 checksum of the compressed artifact.
-- `size: int`. Size, in bytes, of the compressed artifact.
+- MUST follow the `index.json` schema (see [CEP PR#133](https://github.com/conda/ceps/pull/133)).
+- SHOULD report the same values as the artifact's `info/index.json` metadata. Small modifications MAY be introduced to apply metadata fixes (e.g. correct the constraints of a requirement in the `depends` field) without needing to rebuild the artifact.
+- MUST additionally include the following keys:
+  - `md5: str | None`. Hexadecimal string of the MD5 checksum of the compressed artifact.
+  - `sha256: str | None`. Hexadecimal string of the SHA256 checksum of the compressed artifact.
+  - `size: int`. Size, in bytes, of the compressed artifact.
 
 #### Repodata variants
 
-... TODO. `current_repodata.json` and timebased snapshots.
-
-#### Repodata patching
-
-... TODO.
+A conda channel MAY serve additional `repodata.json` paths in each subdir. Their name SHOULD match the glob `*repodata*.json`, and their contents MUST follow the `repodata.json` schema.
 
 ### `channeldata.json`
 

From 64053cf06919fc9d12725dfe1821a6f2e3d5b04b Mon Sep 17 00:00:00 2001
From: jaimergp <jaimergp@users.noreply.github.com>
Date: Tue, 30 Sep 2025 20:29:39 +0200
Subject: [PATCH 04/12] Document the `legacy_bz2_*` keys, cover additional keys

---
 cep-XXXX.md | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/cep-XXXX.md b/cep-XXXX.md
index f8c486b3..a60b5a14 100644
--- a/cep-XXXX.md
+++ b/cep-XXXX.md
@@ -41,6 +41,8 @@ Each `repodata.json` MUST represent a dictionary with the keys listed below. All
 - `packages.conda: dict[str, dict]`. This entry maps `*.conda` filenames to [package record metadata](#package-record-metadata).
 - `removed: list[str]`. List of filenames that were once included in either `packages` or `packages.conda`, but are now removed. The corresponding artifacts SHOULD still be accessible via their direct URL.
 
+Additional keys SHOULD NOT be present and SHOULD be ignored.
+
 #### `info` metadata
 
 This dictionary stores information about the repodata file. It MUST follow this schema:
@@ -51,6 +53,8 @@ This dictionary stores information about the repodata file. It MUST follow this
 - `repodata_version: int`. Optional. Version of the `repodata.json` schema. In its absence, tools MUST assume its value is `1`. See [CEP 15](./cep-0015.md) for `repodata_version = 2`.
 - `subdir: str`. Recommended. The channel subdirectory this `repodata.json` belongs to. If its absence, its value MAY be inferred from the parent component of the `repodata.json` path.
 
+Additional keys SHOULD NOT be present and SHOULD be ignored.
+
 #### Package record metadata
 
 Each entry in `packages` and `packages.conda`:
@@ -61,6 +65,11 @@ Each entry in `packages` and `packages.conda`:
   - `md5: str | None`. Hexadecimal string of the MD5 checksum of the compressed artifact.
   - `sha256: str | None`. Hexadecimal string of the SHA256 checksum of the compressed artifact.
   - `size: int`. Size, in bytes, of the compressed artifact.
+- If the entry corresponds to a `.tar.bz2` package that was transmuted to `.conda`, it SHOULD include these keys:
+  - `legacy_bz2_md5: str`: Hexadecimal string of the SHA256 checksum of the original `.tar.bz2` artifact.
+  - `legacy_bz2_size: int`: Size, in bytes, of the original `.tar.bz2` artifact.
+
+Additional keys SHOULD NOT be present and SHOULD be ignored.
 
 #### Repodata variants
 

From 845a03fea2d2e03937155e622c1c691db0fad4aa Mon Sep 17 00:00:00 2001
From: jaimergp <jaimergp@users.noreply.github.com>
Date: Fri, 24 Oct 2025 14:31:36 +0200
Subject: [PATCH 05/12] Add Requires

---
 cep-XXXX.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/cep-XXXX.md b/cep-XXXX.md
index a60b5a14..594273e9 100644
--- a/cep-XXXX.md
+++ b/cep-XXXX.md
@@ -8,6 +8,7 @@
 <tr><td> Updated </td><td> Sep 30, 2025 </td></tr>
 <tr><td> Discussion </td><td> N/A </td></tr>
 <tr><td> Implementation </td><td> N/A </td></tr>
+<tr><td> Requires </td><td> https://github.com/conda/ceps/pull/133 </td></tr>
 </table>
 
 ## Abstract

From 4543d605c133049791db35686d0a2b9178eb5c74 Mon Sep 17 00:00:00 2001
From: jaimergp <jaimergp@users.noreply.github.com>
Date: Thu, 30 Oct 2025 10:53:58 +0100
Subject: [PATCH 06/12] Comment on current_repodata and supported compression
 schemes

---
 cep-XXXX.md | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/cep-XXXX.md b/cep-XXXX.md
index 594273e9..e127f249 100644
--- a/cep-XXXX.md
+++ b/cep-XXXX.md
@@ -74,7 +74,12 @@ Additional keys SHOULD NOT be present and SHOULD be ignored.
 
 #### Repodata variants
 
-A conda channel MAY serve additional `repodata.json` paths in each subdir. Their name SHOULD match the glob `*repodata*.json`, and their contents MUST follow the `repodata.json` schema.
+A conda channel MAY serve additional `repodata.json` documents in each subdir. Their name SHOULD match the glob `*repodata*.json`, and their contents MUST follow the `repodata.json` schema. Common variants include `current_repodata.json`.
+
+Channels SHOULD serve compressed versions of every repodata file. The following compression schemes are recognized:
+
+- BZ2: MUST append the `.bz2` extension; e.g. `repodata.json.bz2`.
+- ZSTD: MUST append the `.zst` extension; e.g. `repodata.json.zst`. Recommended.
 
 ### `channeldata.json`
 

From c99fb5ad712d831e37521c613d7a3a9276e33df9 Mon Sep 17 00:00:00 2001
From: jaimergp <jaimergp@users.noreply.github.com>
Date: Wed, 5 Nov 2025 11:45:58 +0100
Subject: [PATCH 07/12] Split channeldata.json

---
 cep-XXXX.md | 61 ++++++-----------------------------------------------
 1 file changed, 6 insertions(+), 55 deletions(-)

diff --git a/cep-XXXX.md b/cep-XXXX.md
index e127f249..a9552846 100644
--- a/cep-XXXX.md
+++ b/cep-XXXX.md
@@ -1,4 +1,4 @@
-# CEP XXXX - Metadata files served by conda channels
+# CEP XXXX - Package metadata files served by conda channels
 
 <table>
 <tr><td> Title </td><td> CEP XXXX - Metadata files served by conda channels </td>
@@ -13,9 +13,7 @@
 
 ## Abstract
 
-This CEP standardizes the schema for the metadata files served in conda channels. Namely, `repodata.json` (and its variants) and `channeldata.json`.
-
-> Channels may also serve `run_exports.json`, which is described in [CEP 12](./cep-0012.md).
+This CEP standardizes the schema for the package metadata (repodata) files served in conda channels. Namely, `repodata.json` and its variants.
 
 ## Motivation
 
@@ -25,16 +23,12 @@ The motivation of this CEP is merely informative. It describes the schema of exi
 
 As per [CEP 26](./cep-0026.md), a conda channel is defined as a location that MUST serve a `noarch/repodata.json` path. It MAY also serve additional, platform-specific `repodata.json` paths under other subdirectories of the same depth, which MUST follow the `subdir` naming conventions described in [CEP 26](./cep-0026.md).
 
-A conda channel MAY also serve a `channeldata.json` path in its root level.
-
-Note that there are no requirements for these paths to be backed by a proper filesystem; the contents of these locations can also be provided by API endpoints.
-
-The contents of the `repodata.json` and `channeldata.json` documents MUST follow the schemas described below.
-
-### `repodata.json`
+> Note that there are no requirements for these paths to be backed by a proper filesystem; the contents of these locations can also be provided by API endpoints.
 
 `repodata.json` documents are subdir-specific JSON dictionaries that aggregate the `index.json` metadata of the included conda artifacts (see [CEP PR#133](https://github.com/conda/ceps/pull/133)), and extend them with details only known when the compressed artifact has been generated (such as size, timestamp, or checksums).
 
+### Schema
+
 Each `repodata.json` MUST represent a dictionary with the keys listed below. All of them are optional. Additional top-level keys MUST be allowed but they MUST be ignored if not recognized.
 
 - `info: dict[str, dict]`. Metadata about the `repodata.json` itself. See [info metadata](#info-metadata).
@@ -72,7 +66,7 @@ Each entry in `packages` and `packages.conda`:
 
 Additional keys SHOULD NOT be present and SHOULD be ignored.
 
-#### Repodata variants
+### Repodata variants
 
 A conda channel MAY serve additional `repodata.json` documents in each subdir. Their name SHOULD match the glob `*repodata*.json`, and their contents MUST follow the `repodata.json` schema. Common variants include `current_repodata.json`.
 
@@ -81,33 +75,6 @@ Channels SHOULD serve compressed versions of every repodata file. The following
 - BZ2: MUST append the `.bz2` extension; e.g. `repodata.json.bz2`.
 - ZSTD: MUST append the `.zst` extension; e.g. `repodata.json.zst`. Recommended.
 
-### `channeldata.json`
-
-Deprecated.
-
-This JSON document MAY be served at the root of the conda channel. It aggregates some packaging metadata across all the channel subdirectories. It MUST follow this schema:
-
-- `channeldata_version: int`. Version of the `channeldata` schema. Currently `1`.
-- `subdirs: list[str]`: List of subdirectories supported by the channel.
-- `packages: dict[str, dict]`. Mapping of package names to a dictionary with the following metadata:
-  - `activate.d: bool`. Whether the packages feature activation scripts.
-  - `binary_prefix: bool`. Whether the package files contain a prefix placeholder that must be replaced in binary mode.
-  - `deactivate.d: bool`. Whether the packages feature deactivation scripts.
-  - `dev_url: str`. URL to the main website of the project.
-  - `doc_url: str`. URL to the documentation website of the project.
-  - `home: str`. URL to the main website of the project.
-  - `license: str`. License of the project, preferably a SPDX expression.
-  - `post_link: bool`. Whether the packages feature post-link scripts.
-  - `pre_link: bool`. Whether the packages feature pre-link scripts.
-  - `pre_unlink: bool`. Whether the packages feature pre-unlink scripts.
-  - `run_exports: dict[str, dict]`. Mapping of versions to their `run_exports` metadata. See [CEP 12](./cep-0012.md) for the valid keys.
-  - `source_url: str | list[str]`. URL (or URLs) of the sources that were fetched to build the package.
-  - `subdirs: list[str]`. Channel subdirectories under which this package is available.
-  - `summary: str`. Short description of the project.
-  - `text_prefix: bool`. Whether the package files contain a prefix placeholder that must be replaced in text mode.
-  - `timestamp: int`. Upload date of the most recently published artifact, as a POSIX timestamp in milliseconds.
-  - `version: str`. Most recent version published in the channel.
-
 ## Examples
 
 A minimal conda channel only needs a single, empty file:
@@ -123,22 +90,6 @@ A conda channel with a Linux x64 specific subdirectory:
 ./linux-64/repodata.json
 ```
 
-Optionally serving `channeldata.json`:
-
-```text
-./noarch/repodata.json
-./linux-64/repodata.json
-./channeldata.json
-```
-
-## Rationale
-
-The `channeldata.json` file is considered deprecated because the listed metadata may be unreliable. It assumes that all the artifacts for a given package name will always have a homogeneous composition, but this is not necessarily true. Some examples:
-
-- Some artifacts may contain activation scripts on some platforms, but not on others.
-- Prefix replacement may only be needed from a certain point in the lifetime of the project (e.g. the maintainers add a compiled extension for performance).
-- The website or license may change during the project lifetime.
-
 ## References
 
 - <https://docs.conda.io/projects/conda-build/en/stable/concepts/generating-index.html>

From f9398a242a5b3fffe2f90a69c9eede2c7360ab15 Mon Sep 17 00:00:00 2001
From: jaimergp <jaimergp@users.noreply.github.com>
Date: Wed, 5 Nov 2025 11:48:40 +0100
Subject: [PATCH 08/12] Some more details for current_repodata

---
 cep-XXXX.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/cep-XXXX.md b/cep-XXXX.md
index a9552846..a9666c75 100644
--- a/cep-XXXX.md
+++ b/cep-XXXX.md
@@ -68,7 +68,8 @@ Additional keys SHOULD NOT be present and SHOULD be ignored.
 
 ### Repodata variants
 
-A conda channel MAY serve additional `repodata.json` documents in each subdir. Their name SHOULD match the glob `*repodata*.json`, and their contents MUST follow the `repodata.json` schema. Common variants include `current_repodata.json`.
+A conda channel MAY serve additional `repodata.json` documents in each subdir. Their name SHOULD match the glob `*repodata*.json`, and their contents MUST follow the `repodata.json` schema.
+Common variants include `current_repodata.json`, which aggregates a subset of the full repodata document, focusing on the latest versions of each package plus their necessary dependencies.
 
 Channels SHOULD serve compressed versions of every repodata file. The following compression schemes are recognized:
 

From 03278dd2f17ad56b5974a2f5c7107093348b8b4b Mon Sep 17 00:00:00 2001
From: jaimergp <jaimergp@users.noreply.github.com>
Date: Wed, 5 Nov 2025 12:03:02 +0100
Subject: [PATCH 09/12] Update title

---
 cep-XXXX.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cep-XXXX.md b/cep-XXXX.md
index a9666c75..73a94a9a 100644
--- a/cep-XXXX.md
+++ b/cep-XXXX.md
@@ -1,7 +1,7 @@
 # CEP XXXX - Package metadata files served by conda channels
 
 <table>
-<tr><td> Title </td><td> CEP XXXX - Metadata files served by conda channels </td>
+<tr><td> Title </td><td> CEP XXXX - Package metadata files served by conda channels </td>
 <tr><td> Status </td><td> Draft </td></tr>
 <tr><td> Author(s) </td><td> Jaime Rodríguez-Guerra &lt;jaime.rogue@gmail.com&gt;</td></tr>
 <tr><td> Created </td><td> Sep 30, 2025 </td></tr>

From e2307a63275ab239dd53a23ff15a718bfbd0f7d5 Mon Sep 17 00:00:00 2001
From: jaimergp <jaimergp@users.noreply.github.com>
Date: Wed, 5 Nov 2025 16:55:00 +0100
Subject: [PATCH 10/12] Add a bit of info about `signatures` metadata

---
 cep-XXXX.md | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/cep-XXXX.md b/cep-XXXX.md
index 73a94a9a..693b7220 100644
--- a/cep-XXXX.md
+++ b/cep-XXXX.md
@@ -35,6 +35,7 @@ Each `repodata.json` MUST represent a dictionary with the keys listed below. All
 - `packages: dict[str, dict]`. This entry maps `*.tar.bz2` filenames to their [package record metadata](#package-record-metadata).
 - `packages.conda: dict[str, dict]`. This entry maps `*.conda` filenames to [package record metadata](#package-record-metadata).
 - `removed: list[str]`. List of filenames that were once included in either `packages` or `packages.conda`, but are now removed. The corresponding artifacts SHOULD still be accessible via their direct URL.
+- `signatures: dict[str, dict[str, [dict[Literal['signature'], str]]]]`. A dictionary that maps package filenames to their signature metadata.
 
 Additional keys SHOULD NOT be present and SHOULD be ignored.
 
@@ -66,6 +67,31 @@ Each entry in `packages` and `packages.conda`:
 
 Additional keys SHOULD NOT be present and SHOULD be ignored.
 
+### `signatures` metadata
+
+This dictionary MUST map conda package filenames (with extension) to dictionary that SHOULD map a hash key to another dictionary whose only key is `signature` and the value is the hexadecimal string of the signature value.
+
+<!-- TODO: What's the first hash? -->
+
+```json
+"signatures": {
+  "_anaconda_depends-2018.12-py27_0.tar.bz2": {
+    "4a044c3445b9d8bc5429a2b1d7d42bdb4d8404285b76322e8eacdfdae8b0e4cd": {
+      "signature": "a0ffab3f954c3dc64373ba16bee5e9ba9683a625fa3e4a6c4263d9de550bcafd233c2522789c9b31b40c35a87775d6f8fa2498a3bec3647c36c0a2f5cd2eb10c"
+    }
+  },
+  "zstd-1.3.7-h0b5b093_0.conda": {
+    "4a044c3445b9d8bc5429a2b1d7d42bdb4d8404285b76322e8eacdfdae8b0e4cd": {
+      "signature": "ea1f11a74c081298fe243c6982f676d9838bfee81e74a24bef6474f3be1243b4624f6d12dc8196f8db909cf049e9e344151e44c5b950cbab8583641c7b661a0d"
+    }
+  },
+  "zstd-1.4.4-h0b5b093_3.conda": {
+    "4a044c3445b9d8bc5429a2b1d7d42bdb4d8404285b76322e8eacdfdae8b0e4cd": {
+      "signature": "db7b2fe5f9d48fe60bb7da5d1eaca15d300a00787df8ca1098b7093ceb9942ea9fb350f92e8ff14f4df13ad66899c2b8f4efe86fe7897e820ed20f1765021803"
+    }
+  }
+```
+
 ### Repodata variants
 
 A conda channel MAY serve additional `repodata.json` documents in each subdir. Their name SHOULD match the glob `*repodata*.json`, and their contents MUST follow the `repodata.json` schema.

From 12edd25ba0ad1528e25230334f00dca11920bce0 Mon Sep 17 00:00:00 2001
From: jaimergp <jaimergp@users.noreply.github.com>
Date: Wed, 5 Nov 2025 18:51:54 +0100
Subject: [PATCH 11/12] Move `signatures` to appendix

---
 cep-XXXX.md | 56 +++++++++++++++++++++++++++--------------------------
 1 file changed, 29 insertions(+), 27 deletions(-)

diff --git a/cep-XXXX.md b/cep-XXXX.md
index 693b7220..296ed2be 100644
--- a/cep-XXXX.md
+++ b/cep-XXXX.md
@@ -35,9 +35,8 @@ Each `repodata.json` MUST represent a dictionary with the keys listed below. All
 - `packages: dict[str, dict]`. This entry maps `*.tar.bz2` filenames to their [package record metadata](#package-record-metadata).
 - `packages.conda: dict[str, dict]`. This entry maps `*.conda` filenames to [package record metadata](#package-record-metadata).
 - `removed: list[str]`. List of filenames that were once included in either `packages` or `packages.conda`, but are now removed. The corresponding artifacts SHOULD still be accessible via their direct URL.
-- `signatures: dict[str, dict[str, [dict[Literal['signature'], str]]]]`. A dictionary that maps package filenames to their signature metadata.
 
-Additional keys SHOULD NOT be present and SHOULD be ignored.
+A `signatures: dict[str, dict]` key MAY be present, but SHOULD be ignored. This key was introduced as a proprietary extension by Anaconda, but it is not part of the repodata v1 specification.
 
 #### `info` metadata
 
@@ -67,31 +66,6 @@ Each entry in `packages` and `packages.conda`:
 
 Additional keys SHOULD NOT be present and SHOULD be ignored.
 
-### `signatures` metadata
-
-This dictionary MUST map conda package filenames (with extension) to dictionary that SHOULD map a hash key to another dictionary whose only key is `signature` and the value is the hexadecimal string of the signature value.
-
-<!-- TODO: What's the first hash? -->
-
-```json
-"signatures": {
-  "_anaconda_depends-2018.12-py27_0.tar.bz2": {
-    "4a044c3445b9d8bc5429a2b1d7d42bdb4d8404285b76322e8eacdfdae8b0e4cd": {
-      "signature": "a0ffab3f954c3dc64373ba16bee5e9ba9683a625fa3e4a6c4263d9de550bcafd233c2522789c9b31b40c35a87775d6f8fa2498a3bec3647c36c0a2f5cd2eb10c"
-    }
-  },
-  "zstd-1.3.7-h0b5b093_0.conda": {
-    "4a044c3445b9d8bc5429a2b1d7d42bdb4d8404285b76322e8eacdfdae8b0e4cd": {
-      "signature": "ea1f11a74c081298fe243c6982f676d9838bfee81e74a24bef6474f3be1243b4624f6d12dc8196f8db909cf049e9e344151e44c5b950cbab8583641c7b661a0d"
-    }
-  },
-  "zstd-1.4.4-h0b5b093_3.conda": {
-    "4a044c3445b9d8bc5429a2b1d7d42bdb4d8404285b76322e8eacdfdae8b0e4cd": {
-      "signature": "db7b2fe5f9d48fe60bb7da5d1eaca15d300a00787df8ca1098b7093ceb9942ea9fb350f92e8ff14f4df13ad66899c2b8f4efe86fe7897e820ed20f1765021803"
-    }
-  }
-```
-
 ### Repodata variants
 
 A conda channel MAY serve additional `repodata.json` documents in each subdir. Their name SHOULD match the glob `*repodata*.json`, and their contents MUST follow the `repodata.json` schema.
@@ -121,6 +95,34 @@ A conda channel with a Linux x64 specific subdirectory:
 
 - <https://docs.conda.io/projects/conda-build/en/stable/concepts/generating-index.html>
 
+## Appendices
+
+### Appendix A: `signatures` section
+
+This dictionary maps conda package filenames (with extension) to a signature metadata dictionary. Each subdictionary then maps the signing key identifier to the signature value. This value is expressed as a dictionary with a key `signature` that maps to the actual signature of the corresponding package record. See example:
+
+
+```js
+"packages": {
+  ...
+},
+"packages.conda": {
+  ...
+},
+"signatures": {
+  "_anaconda_depends-2018.12-py27_0.tar.bz2": {
+    "4a044c3445b9d8bc5429a2b1d7d42bdb4d8404285b76322e8eacdfdae8b0e4cd": {  // signing key id
+      "signature": "a0ffab3f954c3dc64373ba16bee5e9ba9683a625fa3e4a6c4263d9de550bcafd233c2522789c9b31b40c35a87775d6f8fa2498a3bec3647c36c0a2f5cd2eb10c" // signature value
+    }
+  },
+  "zstd-1.3.7-h0b5b093_0.conda": {
+    "4a044c3445b9d8bc5429a2b1d7d42bdb4d8404285b76322e8eacdfdae8b0e4cd": {
+      "signature": "ea1f11a74c081298fe243c6982f676d9838bfee81e74a24bef6474f3be1243b4624f6d12dc8196f8db909cf049e9e344151e44c5b950cbab8583641c7b661a0d"
+    }
+  }
+}
+```
+
 ## Copyright
 
 All CEPs are explicitly [CC0 1.0 Universal](https://creativecommons.org/publicdomain/zero/1.0/).

From 1e8f5bb49cf2c4765706857162350bc28e0806c9 Mon Sep 17 00:00:00 2001
From: jaimergp <jaimergp@users.noreply.github.com>
Date: Wed, 5 Nov 2025 19:25:11 +0100
Subject: [PATCH 12/12] pre-commit

---
 cep-XXXX.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/cep-XXXX.md b/cep-XXXX.md
index 296ed2be..1e13ae93 100644
--- a/cep-XXXX.md
+++ b/cep-XXXX.md
@@ -101,7 +101,6 @@ A conda channel with a Linux x64 specific subdirectory:
 
 This dictionary maps conda package filenames (with extension) to a signature metadata dictionary. Each subdictionary then maps the signing key identifier to the signature value. This value is expressed as a dictionary with a key `signature` that maps to the actual signature of the corresponding package record. See example:
 
-
 ```js
 "packages": {
   ...