{"id":22685827,"url":"https://github.com/hellodword/misgo","last_synced_at":"2026-01-05T18:39:05.239Z","repository":{"id":265801509,"uuid":"853762788","full_name":"hellodword/misgo","owner":"hellodword","description":null,"archived":false,"fork":false,"pushed_at":"2024-09-24T12:46:19.000Z","size":34,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2024-12-09T09:43:19.412Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hellodword.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-09-07T13:20:05.000Z","updated_at":"2024-09-24T12:46:23.000Z","dependencies_parsed_at":"2024-12-01T01:43:19.104Z","dependency_job_id":null,"html_url":"https://github.com/hellodword/misgo","commit_stats":null,"previous_names":["hellodword/misgo"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hellodword%2Fmisgo","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hellodword%2Fmisgo/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hellodword%2Fmisgo/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hellodword%2Fmisgo/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hellodword","download_url":"https://codeload.github.com/hellodword/misgo/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com
","kind":"github","repositories_count":228971293,"owners_count":17999859,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-09T22:17:46.243Z","updated_at":"2026-01-05T18:39:05.194Z","avatar_url":"https://github.com/hellodword.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# misgo\n\n## Motivation\n\nAlthough some Go modules are open-sourced, they use custom domain names for their module paths. `GOSUMDB` ensures that the provided sum is untampered, but when running `go get foo` for the first time, it appears there's still an implicit trust that the code fetched is identical to the source code hosted on GitHub/GitLab and hasn't been altered. 
I hope there’s a way to verify this.\n\n## How it works\n\n- find the repository: `document.querySelector('.UnitMeta-repo a').getAttribute('href')` in `https://pkg.go.dev/foo@bar`\n  - https://pkg.go.dev/about#source-links\n  - https://github.com/golang/gddo/wiki/Source-Code-Links\n- checksum: https://github.com/golang/go/blob/807e01db4840e25e4d98911b28a8fa54244b8dfa/src/cmd/go/internal/modfetch/cache.go#L429\n- gomodsum: https://github.com/golang/go/blob/807e01db4840e25e4d98911b28a8fa54244b8dfa/src/cmd/go/internal/modfetch/fetch.go#L647-L652\n- gosumdb: https://github.com/ProjectSerenity/firefly/blob/0effba12f4ea172166e098e955c0f5ecca29932f/tools/gomodproxy/gosumdb.go\n\n## TODO\n\n- [x] parse go.mod\n- [x] parse go.sum\n- [ ] recursively parse dependencies\n- [ ] deal with pseudo versions[^1]\n- [ ] enhance fetchers: `https://github.com/FiloSottile/edwards25519/archive/\u003ctag or commit\u003e.zip` , see nixpkgs' fetchers https://github.com/NixOS/nixpkgs/blob/master/pkgs/build-support/fetchgithub/default.nix\n- [ ] PoCs\n  - [x] [normal tag](./evil-normal-tag): host a git HTTP server that responds with evil content to goproxy only\n  - [ ] pseudo version as tag name: generate a pseudo version and use it as the tag name\n  - [ ] fake pseudo version: generate the same pseudo version with a vanity hash\n\n[^1]: https://github.com/prasmussen/git-vanity-hash\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhellodword%2Fmisgo","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhellodword%2Fmisgo","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhellodword%2Fmisgo/lists"}