Supply Chain Security for Go
Source Spotter is a project for upholding supply chain security in the Go ecosystem.
Source Spotter is...
- A sumdb auditor - Source Spotter verifies that the Go Module Mirror and Checksum Database is behaving honestly, and has not presented inconsistent information to clients.
- A toolchain reproducer - Source Spotter verifies that the Go toolchains published in the Go Module Mirror can be reproduced from source code, making it difficult to hide backdoors in the binaries downloaded by the go command.
- A telemetry config tracker - Source Spotter tracks the names of telemetry counters uploaded by the Go toolchain, to ensure that Go telemetry is not violating users' privacy.
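The core of the sumdb auditor check described above, as an added example rather than Source Spotter's own code: an auditor that has downloaded every record of the log recomputes each signed tree head it has observed and flags any head that the log's own history cannot reproduce. It uses the RFC 6962 Merkle construction (SHA-256 with 0x00 and 0x01 domain prefixes), which the Go checksum database's tlog format also uses; the records are constructed stand-ins, and verification of the signature on each tree head is left out.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"sort"
)

// RecordHash hashes one log record as a Merkle leaf: SHA-256(0x00 || record).
func RecordHash(record []byte) [32]byte {
	return sha256.Sum256(append([]byte{0x00}, record...))
}
// NodeHash combines two subtree hashes into their parent: SHA-256(0x01 || left || right).
func NodeHash(left, right [32]byte) [32]byte {
	return sha256.Sum256(append(append([]byte{0x01}, left[:]...), right[:]...))
}
// TreeHash returns the head hash over one or more records, splitting at the
// largest power of two strictly less than the tree size (the RFC 6962 tree hash).
func TreeHash(records [][]byte) [32]byte {
	if len(records) == 1 {
		return RecordHash(records[0])
	}
	k := 1
	for k*2 < len(records) {
		k *= 2
	}
	return NodeHash(TreeHash(records[:k]), TreeHash(records[k:]))
}
// AuditHeads recomputes each tree head the auditor recorded earlier (keyed by
// tree size) from the full downloaded log and returns the sizes that do not
// match, i.e. heads under which the log contradicts its own history.
func AuditHeads(records [][]byte, observed map[int][32]byte) []int {
	bad := []int{}
	for size, head := range observed {
		if size < 1 || size > len(records) || TreeHash(records[:size]) != head {
			bad = append(bad, size)
		}
	}
	sort.Ints(bad)
	return bad
}
func main() {
	// Constructed stand-ins for checksum database records, not real module lines.
	records := [][]byte{[]byte("r0"), []byte("r1"), []byte("r2"), []byte("r3"), []byte("r4")}
	observed := map[int][32]byte{3: TreeHash(records[:3]), 5: TreeHash(records)}
	fmt.Println("honest log, mismatched sizes:", AuditHeads(records, observed))
	observed[3] = TreeHash([][]byte{[]byte("r0"), []byte("r1"), []byte("tampered")})
	fmt.Println("rewritten history, mismatched sizes:", AuditHeads(records, observed))
}
```

A real auditor also has to check that each head was actually signed by the log's key and that consecutive heads are consistent with each other; this block only shows the recomputation step.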
Source Spotter was developed by Andrew Ayer and the installation at sourcespotter.com is operated by SSLMate as a public service to the Go community. sourcespotter.com does not use any Google infrastructure. Source Spotter is open source.