Go Module Mirror, Index, and Checksum Database

The Go team is providing the following services run by Google: a module mirror for accelerating Go module downloads, an index for discovering new modules, and a global go.sum database for authenticating module content.

As of Go 1.13, the go command by default downloads and authenticates modules using the Go module mirror and Go checksum database. See proxy.golang.org/privacy for privacy information about these services and the go command documentation for configuration details including how to disable the use of these servers or use different ones. If you depend on non-public modules, see the documentation for configuring your environment.

Services

proxy.golang.org - a module mirror which meets the spec provided at go help goproxy.

sum.golang.org - an auditable checksum database which will be used by the go command to authenticate modules. Check out the Secure the Public Go Module Ecosystem Proposal for more details.

index.golang.org - an index which serves a feed of new module versions that become available by proxy.golang.org. The feed can be viewed at https://index.golang.org/index. The feed is served as new line delimited JSON, providing the module path (as Path), the module version (as Version), and the time it was first cached by proxy.golang.org (as Timestamp). The list is sorted in chronological order. There are two optional parameters:

Status: Launched

These services are ready for production use. Please file issues if you spot them, with the title prefix "proxy.golang.org": (or index.golang.org, or sum.golang.org).

Environment setup

These services can only access publicly available source code. If you depend on private modules, set GOPRIVATE to a glob pattern that covers them. See Module configuration for non-public modules in the go command documentation for more details.

For versions earlier than Go 1.13, you can configure the go command to download modules using this module mirror by setting GOPROXY=https://proxy.golang.org.

To opt-out of this module mirror, you can turn it off by setting GOPROXY=direct

See the go command documentation for other configuration details.

Checksum database

Older versions of the go command cannot directly use the checksum database. If you are using Go 1.12 or earlier, you can manually check a go.sum file against the checksum database with gosumcheck:

go get golang.org/x/mod/gosumcheck

gosumcheck /path/to/go.sum

FAQ

I committed a new change (or released a new version) to a repository, why isn't it showing up when I run go get -u or go list -m --versions?

In order to improve our services' caching and serving latencies, new versions may not show up right away. If you want new code to be immediately available in the mirror, then first make sure there is a semantically versioned tag for this revision in the underlying source repository. Then explicitly request that version via go get module@version. After one minute for caches to expire, the go command will see that tagged version. If this doesn't work for you, please file an issue.

I removed a bad release from my repository but it still appears in the mirror, what should I do?

Whenever possible, the mirror aims to cache content in order to avoid breaking builds for people that depend on your package, so this bad release may still be available in the mirror even if it is not available at the origin. The same situation applies if you delete your entire repository. We suggest creating a new version and encouraging people to use that one instead.

I'm running the go command in an environment that can't use the mirror.

The go command documentation describes the configuration details including how to disable the use of these servers or use different ones.

If I don't set GOPRIVATE and request a private module from these services, what leaks?

The proxy and checksum database protocols only send module paths and versions to the remote server. If you request a private module, the mirror will try to download it just as any Go user would and fail in the same way. Information about failed requests isn't published anywhere. The only trace of the request will be in internal logs, which are governed by the privacy policy.

Why did a previously available module become unavailable in the mirror?

proxy.golang.org does not save all modules forever. There are a number of reasons for this, but one reason is if proxy.golang.org is not able to detect a suitable license. In this case, only a temporarily cached copy of the module will be made available, and may become unavailable if it is removed from the original source and becomes outdated. The checksums will still remain in the checksum database regardless of whether or not they have become unavailable in the mirror.