Go's Checksum Database ensures all clients use identical module sources through cryptographic verification, but code hosts like GitHub can display different code than what's actually used. A new tool, pkg.geomys.dev, provides a verified viewer that shows the authentic source of Go modules by fetching directly from the modules proxy, with features like syntax highlighting, line linking, and a browser extension that replaces pkg.go.dev links. The service addresses security concerns like the BoltDB typosquatting attack where malicious code was hidden by force-pushing innocent code to GitHub after publication.
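As an added illustration (not code from the original article or from pkg.geomys.dev), the sketch below computes the `h1:` directory hash that `go.sum` and the checksum database record, following the algorithm in `golang.org/x/mod/sumdb/dirhash`, and shows that a code-host view differing from the proxy's files no longer matches the recorded hash. The module path `example.com/kv` and both file sets are constructed sample data.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
)

// HashH1 computes the "h1:" hash of a module file set: SHA-256 over a sorted
// manifest of "<hex sha256 of file>  <name>\n" lines, base64-encoded.
// files maps "module@version/path" to file contents.
func HashH1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names) // order must not depend on map iteration
	manifest := sha256.New()
	for _, name := range names {
		fmt.Fprintf(manifest, "%x  %s\n", sha256.Sum256(files[name]), name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(manifest.Sum(nil))
}

// MatchesRecorded reports whether a file set hashes to the recorded h1 value.
func MatchesRecorded(files map[string][]byte, recorded string) bool {
	return HashH1(files) == recorded
}

const prefix = "example.com/kv@v1.0.0/" // constructed module path and version

// proxyFiles is constructed sample data: the module as the proxy serves it.
func proxyFiles() map[string][]byte {
	return map[string][]byte{
		prefix + "go.mod": []byte("module example.com/kv\n"),
		prefix + "db.go":  []byte("package kv\n\nfunc init() { setup() }\n"),
	}
}

// hostFiles is constructed sample data: the same tag as a code host shows it
// after the tag was moved to different content.
func hostFiles() map[string][]byte {
	f := proxyFiles()
	f[prefix+"db.go"] = []byte("package kv\n")
	return f
}

func main() {
	recorded := HashH1(proxyFiles()) // stands in for the go.sum / sumdb entry
	fmt.Println("recorded:", recorded)
	fmt.Println("proxy view matches:", MatchesRecorded(proxyFiles(), recorded))
	fmt.Println("code host view matches:", MatchesRecorded(hostFiles(), recorded))
}
```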

5m read time. From words.filippo.io