February 15, 2026
Checksum soap opera
Inspecting the Source of Go Modules
Go’s new “trust the checksum” viewer sparks blame game: Is GitHub the villain or is Go
TLDR: A new viewer (pkg.geomys.dev) shows Go module code straight from the official archives to avoid misleading GitHub pages, after a past fake-module incident. Commenters are split: some blame Go for relying on GitHub’s UI, others say GitHub was never a package manager—either way, software supply-chain safety is the prize.
Go devs rolled out a safer way to peek at module source—think “view the real code, not the pretty screenshots”—and the comments lit up. The new site, pkg.geomys.dev, rewires links from Go’s docs to show code straight from the official module zip, the same files your computer actually installs. It’s a response to last year’s bait‑and‑switch prank where a fake module looked harmless on GitHub because tags were rewritten, but the real downloaded code was nasty.
Cue the drama. One camp is furious that anyone’s pointing fingers at GitHub at all. As user delusional blasted, “That’s a load of crap… it can never be a GitHub issue,” arguing Go built a world where packages seem to come from GitHub, so don’t blame the host for not being a package manager. Another chorus, led by philipwhiuk, said the quiet part loud: GitHub is not your app store, and expecting it to be “perfect” is “lunacy.” Meanwhile, others posted receipts with links like this Go issue, pushing for tighter verification everywhere.
Between jokes about “checksum or bust” and memes of a referee holding up a go.sum file, the vibe is clear: everyone wants the supply chain locked down, but no one agrees who should hold the keys. Geomys is the short‑term fix; the long‑term fight is over whether Go, GitHub, or both should own the guardrails.
Key Points
- The Go Checksum Database records a module version’s hash and enforces it across all clients, acting as a transparency log for integrity.
- Unverified code host views (e.g., GitHub’s mutable tag displays) can mislead reviewers and were exploited in a fake BoltDB module incident.
- Developers can locally inspect verified source using go mod download -json; a go mod verify -tag command is in development.
- pkg.go.dev still links to unverified hosts; new viewers (go-mod-viewer.appspot.com, pkg.geomys.dev) provide safer, direct source views from module zips.
- pkg.geomys.dev uses HTTP Range requests against proxy.golang.org; optional transparency proof checking is planned once CORS is fixed, though it requires full zip downloads.
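What "verified source" means in practice, as an added example that is not part of the original article, of the Go toolchain, or of pkg.geomys.dev: the program below reimplements the dirhash Hash1 algorithm behind the h1: lines in go.sum, compares the result with the Sum field of a go mod download -json record, and then reads a file out of the zip that passed the check. The module files, the in-memory zip and the JSON record are constructed stand-ins, and the module name example.com/demo is made up; the record's field names (Path, Version, Zip, Sum) are the ones the real command prints.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"sort"
)

// downloadInfo holds the fields of a `go mod download -json` record used here.
type downloadInfo struct{ Path, Version, Zip, Sum string }

// sampleModuleFiles is a CONSTRUCTED stand-in for a module zip's contents (not a
// real module); entry names carry the path@version/ prefix real module zips use.
func sampleModuleFiles() map[string]string {
	return map[string]string{
		"example.com/demo@v1.0.0/go.mod":  "module example.com/demo\n\ngo 1.22\n",
		"example.com/demo@v1.0.0/demo.go": "package demo\n\nfunc Hello() string { return \"hi\" }\n",
	}
}

// buildModuleZip writes the files into an in-memory zip (entry order is irrelevant
// to the hash, which sorts by name).
func buildModuleZip(files map[string]string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, body := range files {
		w, _ := zw.Create(name)
		io.WriteString(w, body)
	}
	zw.Close()
	return buf.Bytes()
}

// hashZip recomputes the go.sum "h1:" value (dirhash Hash1): SHA-256 over one line
// "<sha256 of contents>  <name>\n" per entry in name order, base64-encoded. It covers
// uncompressed contents, so any change to a file's bytes or name changes the result.
func hashZip(data []byte) (string, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return "", err
	}
	entries := append([]*zip.File(nil), zr.File...)
	sort.Slice(entries, func(i, j int) bool { return entries[i].Name < entries[j].Name })
	h := sha256.New()
	for _, f := range entries {
		rc, err := f.Open()
		if err != nil {
			return "", err
		}
		hf := sha256.New()
		_, err = io.Copy(hf, rc)
		rc.Close()
		if err != nil {
			return "", err
		}
		fmt.Fprintf(h, "%x  %s\n", hf.Sum(nil), f.Name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(h.Sum(nil)), nil
}

// verifyDownload parses a `go mod download -json` record and checks that the zip
// bytes hash to its Sum, the value the checksum database pins for every client.
func verifyDownload(record string, zipData []byte) (bool, error) {
	var info downloadInfo
	if err := json.Unmarshal([]byte(record), &info); err != nil {
		return false, err
	}
	got, err := hashZip(zipData)
	if err != nil {
		return false, err
	}
	return got == info.Sum, nil
}

// readVerifiedFile returns one file from the zip for review, meant to be called only
// after verifyDownload passed: this is what gets installed, whatever a code host shows.
func readVerifiedFile(zipData []byte, name string) (string, error) {
	zr, err := zip.NewReader(bytes.NewReader(zipData), int64(len(zipData)))
	if err != nil {
		return "", err
	}
	f, err := zr.Open(name)
	if err != nil {
		return "", err
	}
	defer f.Close()
	b, err := io.ReadAll(f)
	return string(b), err
}

func main() {
	zipData := buildModuleZip(sampleModuleFiles())
	sum, err := hashZip(zipData)
	if err != nil {
		panic(err)
	}
	// Constructed record in the shape `go mod download -json example.com/demo@v1.0.0` prints.
	record := fmt.Sprintf(`{"Path":"example.com/demo","Version":"v1.0.0","Zip":"/cache/v1.0.0.zip","Sum":%q}`, sum)
	ok, err := verifyDownload(record, zipData)
	fmt.Println("zip matches recorded Sum:", ok, err)
	src, _ := readVerifiedFile(zipData, "example.com/demo@v1.0.0/demo.go")
	fmt.Print(src)
}
```

In real use the zip path and Sum both come from the go mod download -json output, and the Sum is the same value the go command writes to go.sum and looks up in the checksum database, so a mismatch means the bytes on disk are not what every other client gets. Note that the hash needs every byte of every entry: a viewer that fetches files with Range requests can display one file cheaply, but cannot recompute this value without the whole zip, which is the reason the key points above say proof checking requires full downloads.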