Athens: The Center of Knowledge

About Me

  • Microsoft Azure - Cloud Developer Advocate
  • Using Go since 2010
  • Twitter: @bketelsen
  • Github: bketelsen
  • Podcast:
  • Email:

This Talk


Athens Is

Umbrella Project Name

Athens Is

Caching Proxy Server

Athens Is

That YOU Can Run

Athens Is Also

A Specification

Athens Is Also

About Trust

Athens Is Also

And Decentralized Verification

Athens Is Also

Just a project codename

What’s In It For You?

  • Repeatable Builds
  • Every Time
  • Even when GitHub/GitLab/Bitbucket is down
  • Local or closer caching proxies


  • API for the go command
  • Specification for module validation
  • Specification for trust protocol

Go Command

Module Validation

  • Hash of module contents stored in go.sum file
  • Future-proof design to allow multiple hash algorithms
  • Modules downloaded, validated and signed by Notaries


  • Notaries download, verify hash, then sign modules
  • Notaries are completely independent
  • A signed module will contain a certificate


  • Publishers will collect certificates from Notaries
  • Certificates will be published at a /log API endpoint
  • Interested Subscribers may query the /log API
  • The /log API will support after= and match= for filtering

Notaries + Publishers


Authenticated Proxies

  • Signed modules verified by public keys YOU choose to trust

Authenticated Proxies

  • The go command will support authenticated proxies
  • Trusted keys will be stored locally
  • $GOPATH/go.key and/or $GOROOT/go.key
  • Keys will be weighted, with a 1.0 score required for acceptance

Example go.key file


	key 0.5 MyCompany s1:YXJaDOW...7IFlc=
	key 0.5 Google s1:pTFZ+webXa...f7SvSU=
	key 0.5 Microsoft s1:XEGD...eQQkkshI=
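
The weighted-key rule from the slides above, as an added example that is not code from the talk or from the Athens project: it parses go.key lines and accepts a module only when distinct trusted keys add up to a 1.0 score. It assumes the four fields are `key`, weight, owner name and public key, that signature verification happens elsewhere, and it uses constructed placeholder keys; `ParseGoKey` and `Accept` are hypothetical names.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// ParseGoKey maps each public key in "key <weight> <name> <public-key>" lines to its weight.
func ParseGoKey(text string) (map[string]float64, error) {
	weights := make(map[string]float64)
	for i, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		if len(f) != 4 || f[0] != "key" {
			return nil, fmt.Errorf("go.key line %d: malformed entry", i+1)
		}
		w, err := strconv.ParseFloat(f[1], 64)
		if err != nil || w <= 0 || w > 1 { // the (0, 1] range check is an assumption
			return nil, fmt.Errorf("go.key line %d: bad weight %q", i+1, f[1])
		}
		weights[f[3]] = w
	}
	return weights, nil
}

// Accept sums the weights of the distinct trusted keys in signedBy (keys whose
// signatures were already verified elsewhere) and requires a 1.0 score.
func Accept(weights map[string]float64, signedBy []string) (float64, bool) {
	seen, score := make(map[string]bool), 0.0
	for _, pk := range signedBy {
		if w, ok := weights[pk]; ok && !seen[pk] {
			seen[pk] = true
			score += w
		}
	}
	return score, score >= 1.0
}

// Constructed sample: the key strings are placeholders, not real keys.
const sampleGoKey = `key 0.5 MyCompany s1:PLACEHOLDER-A=
key 0.5 Google s1:PLACEHOLDER-B=
key 0.5 Microsoft s1:PLACEHOLDER-C=`

func main() {
	weights, _ := ParseGoKey(sampleGoKey)
	fmt.Println(Accept(weights, []string{"s1:PLACEHOLDER-A=", "s1:PLACEHOLDER-C="}))
}
```

With every key weighted 0.5, one notary alone can never reach the threshold, and a repeated signature from the same key is counted once.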

Public Proxies

  • Geographically distributed proxy servers
  • Public servers, dependable infrastructure

Run Your Own Proxy

  • Run proxy locally, inside your firewall
  • Include/Exclude listing for modules
  • Prevent undesired modules from being used
  • Like exclude*
  • Or exclude*


Decentralized, Federated, Independent

  • Services are decentralized, independent
  • Signed packages mean no worries about MITM
  • All Open Source
  • Protocols are open
  • External services are interfaces, use your favorites

Protocols Will Be Published

  • Proposal to the golang repo soon
  • Open specification means anyone can participate
  • What will YOU build on top of the protocol?

Protocol Is Important

  • Building block for future tools

Future Ideas - Code Provenance

  • Verified, signed commits are proven
  • Ability to require provenance at the proxy server

Your Ideas On Top

  • Code Quality
  • Code Metrics
  • Vanity Domain Server + Proxy

What’s Next?

  • Public proxies available soon
  • Proposal for spec submitted soon

Open Source

Gratitude and Credit

  • Russ Cox
  • Aaron Schlesinger
  • Paul Jolly
  • Go Dependency projects (dep/govendor/glide, etc)
  • Athens project contributors
  • Buffalo / Mark Bates


twitter: @bketelsen

github: bketelsen

github: gomods

Thank You