Go Module Mirror, Index, and Checksum Database

The Go team is providing the following services run by Google: a module mirror for accelerating Go module downloads, an index for discovering new modules, and a global go.sum database for authenticating module content.

As of Go 1.13, the go command by default downloads and authenticates modules using the Go module mirror and Go checksum database. See proxy.golang.org/privacy for privacy information about these services and the go command documentation for configuration details including how to disable the use of these servers or use different ones.

Services

proxy.golang.org - a module mirror which meets the spec provided at go help goproxy.

sum.golang.org - an auditable checksum database which will be used by the go command to authenticate modules. Check out the Secure the Public Go Module Ecosystem Proposal for more details.

index.golang.org - an index which serves a feed of new module versions that become available by proxy.golang.org. The feed can be viewed at https://index.golang.org/index. The feed is served as new line delimited JSON, providing the module path (as Path), the module version (as Version), and the time it was first cached by proxy.golang.org (as Timestamp). The list is sorted in chronological order. There are two optional parameters:

Status: Beta

We'll be actively working through issues, and improving our services and support. Please file issues if you spot them, with the title prefix "proxy.golang.org": (or index.golang.org, or sum.golang.org).

Environment setup

To make earlier versions of the go command use this module mirror (when in module mode), set GOPROXY=https://proxy.golang.org

To opt-out of this proxy, you can turn it off by setting GOPROXY=direct

See the go command documentation for other configuration details.

Checksum database

Older versions of the go command cannot directly use the checksum database. If you are using Go 1.12 or earlier, you can manually check a go.sum file against the checksum database with gosumcheck:

go get golang.org/x/mod/gosumcheck

gosumcheck /path/to/go.sum

FAQ

I committed a new change (or released a new version) to a repository, why isn't it showing up when I run go get -u or go list -m --versions?

In order to improve our services' caching and serving latencies, new versions may not show up right away. If you want new code to be immediately available in the mirror, then first make sure there is a semantically versioned tag for this revision in the underlying source repository. Then explicitly request that version via go get module@version. After one minute for caches to expire, the go command will see that tagged version. If this doesn't work for you, please file an issue.

I removed a bad release from my repository but it still appears in the mirror, what should I do?

Whenever possible, the mirror aims to cache content in order to avoid breaking builds for people that depend on your package, so this bad release may still be available in the mirror even if it is not available at the origin. The same situation applies if you delete your entire repository. We suggest creating a new version and encouraging people to use that one instead.

I'm running the go command in an environment that can't use the mirror.

The go command documentation describes the configuration details including how to disable the use of these servers or use different ones.