
Introducing Gastropod

Gastropod is an artifact registry that treats identity as the foundation, not an afterthought. Every package — whatever ecosystem it came from — is named by its Package URL: pkg:golang/rsc.io/quote@v1.5.2, pkg:npm/left-pad@1.3.0. One scheme, one relational spine, one place to ask who pulled what.

A proxy you can stand in front of

Point your toolchain at Gastropod and keep working. It speaks the protocols your clients already use:

  • Go modules. A full GOPROXY implementation — list, info, .mod, .zip — with the checksum database proxied through to sum.golang.org so the go command still verifies every download.
  • npm. A registry proxy that rewrites packument tarball URLs to flow through Gastropod, preserving the SRI sha512 integrity strings npm checks on install.

    export GOPROXY=https://gastropod.example/go
    go get ./...

Nothing is mirrored blindly. The first pull of a version fetches it upstream, stores it once, and serves every pull after from content-addressed storage keyed by SHA-256.

Storage that can't lie about itself

Blobs are addressed by their own hash. The same artifact pulled through two ecosystems is stored once; a corrupted byte changes the address. Verification isn't a feature bolted on — it's how the store is indexed.
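To make the two claims above concrete (one blob per distinct artifact, and a corrupted byte is refused rather than served), here is a small in-memory content-addressed store. It is an added illustration, not Gastropod's code: the names BlobStore, Put, Get and Address are assumed for the example, and the two package URLs and the tarball bytes are constructed sample data.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// ErrCorrupt is returned when a stored blob no longer hashes to its address.
var ErrCorrupt = errors.New("blob content does not match its address")

// BlobStore is an in-memory content-addressed store (assumed for this example):
// the key of every blob is the hex SHA-256 of its bytes. A registry would back
// this with disk or object storage, but the addressing rule is the same.
type BlobStore struct {
	blobs map[string][]byte // address -> bytes
	refs  map[string]string // package URL -> address
}

func NewBlobStore() *BlobStore {
	return &BlobStore{blobs: map[string][]byte{}, refs: map[string]string{}}
}

// Address computes the content address for a byte slice.
func Address(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Put stores data under its own hash and records that purl refers to it.
// Identical bytes stored under a second purl do not create a second blob.
// It returns the address and whether a new blob was actually written.
func (s *BlobStore) Put(purl string, data []byte) (string, bool) {
	addr := Address(data)
	_, exists := s.blobs[addr]
	if !exists {
		s.blobs[addr] = append([]byte(nil), data...) // keep our own copy
	}
	s.refs[purl] = addr
	return addr, !exists
}

// Get resolves a purl to its blob and re-hashes the bytes before returning
// them, so a blob corrupted in storage is refused instead of served.
func (s *BlobStore) Get(purl string) ([]byte, error) {
	addr, ok := s.refs[purl]
	if !ok {
		return nil, fmt.Errorf("unknown package %q", purl)
	}
	data, ok := s.blobs[addr]
	if !ok {
		return nil, fmt.Errorf("missing blob %s", addr)
	}
	if Address(data) != addr {
		return nil, ErrCorrupt
	}
	return data, nil
}

// BlobCount reports how many distinct blobs are held.
func (s *BlobStore) BlobCount() int { return len(s.blobs) }

func main() {
	store := NewBlobStore()
	// Constructed sample: the same bytes pulled through two ecosystems.
	tarball := []byte("constructed tarball bytes")
	a1, fresh1 := store.Put("pkg:npm/left-pad@1.3.0", tarball)
	a2, fresh2 := store.Put("pkg:golang/example.com/leftpad@v1.3.0", tarball)
	fmt.Println(a1 == a2, fresh1, fresh2, store.BlobCount()) // true true false 1

	// Simulate one corrupted byte at rest: the bytes no longer match the address.
	store.blobs[a1][0] ^= 0xff
	_, err := store.Get("pkg:npm/left-pad@1.3.0")
	fmt.Println(errors.Is(err, ErrCorrupt)) // true
}
```

The point of re-hashing on Get rather than trusting the index is that the check costs one SHA-256 per read and turns silent bit rot or tampering in the backing store into a hard error at the serving boundary.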

The audit log is the product

Every pull is a row: which consumer, which package version, when. From that flat spine of access events Gastropod reconstructs an SBOM for any consumer on demand — not from a manifest someone remembered to commit, but from what was actually fetched.

That makes the boring questions answerable. Did anything here ever pull that compromised version? Which builds depend on this package? What is the real dependency surface of this service?
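The two paragraphs above describe the audit log as a flat table of pull events and the SBOM as a query over it. The following is an added example of that reconstruction, written for this post rather than taken from Gastropod: the PullEvent type, the SBOM, PulledBy and Dependents functions, the consumer names and the package versions in SampleLog are all constructed for illustration (pkg:npm/example-lib is a placeholder, not a real package).

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// PullEvent is one row of the access log: who pulled which package version, when.
type PullEvent struct {
	Consumer string    // build or service identity that made the pull
	PURL     string    // package URL, e.g. pkg:npm/left-pad@1.3.0
	At       time.Time // time of the pull
}

// packageName strips the @version suffix from a PURL. Qualifiers and subpaths
// are ignored here; npm scopes are percent-encoded in PURLs, so the last "@"
// is always the version separator.
func packageName(purl string) string {
	if i := strings.LastIndex(purl, "@"); i > 0 {
		return purl[:i]
	}
	return purl
}

// uniqueSorted turns a set into a deterministic slice.
func uniqueSorted(set map[string]struct{}) []string {
	out := make([]string, 0, len(set))
	for k := range set {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

// SBOM reconstructs the exact package versions a consumer actually fetched,
// as sorted PURLs, using nothing but the access log.
func SBOM(log []PullEvent, consumer string) []string {
	set := map[string]struct{}{}
	for _, e := range log {
		if e.Consumer == consumer {
			set[e.PURL] = struct{}{}
		}
	}
	return uniqueSorted(set)
}

// PulledBy answers "did anything here ever pull that version?" with the
// consumers that fetched exactly this PURL.
func PulledBy(log []PullEvent, purl string) []string {
	set := map[string]struct{}{}
	for _, e := range log {
		if e.PURL == purl {
			set[e.Consumer] = struct{}{}
		}
	}
	return uniqueSorted(set)
}

// Dependents answers "which builds depend on this package?" across all versions.
func Dependents(log []PullEvent, name string) []string {
	set := map[string]struct{}{}
	for _, e := range log {
		if packageName(e.PURL) == name {
			set[e.Consumer] = struct{}{}
		}
	}
	return uniqueSorted(set)
}

// SampleLog is a constructed access log for the example; repeated pulls of the
// same version by the same consumer are deliberate.
func SampleLog() []PullEvent {
	t := time.Date(2024, 1, 15, 9, 0, 0, 0, time.UTC)
	return []PullEvent{
		{"ci-build-api", "pkg:golang/rsc.io/quote@v1.5.2", t},
		{"ci-build-api", "pkg:npm/left-pad@1.3.0", t.Add(time.Minute)},
		{"ci-build-web", "pkg:npm/left-pad@1.3.0", t.Add(2 * time.Minute)},
		{"ci-build-web", "pkg:npm/left-pad@1.3.0", t.Add(3 * time.Minute)},
		{"ci-build-web", "pkg:npm/example-lib@2.0.0", t.Add(4 * time.Minute)},
		{"nightly-scan", "pkg:npm/example-lib@2.0.1", t.Add(time.Hour)},
	}
}

func main() {
	log := SampleLog()
	fmt.Println("SBOM ci-build-web:", SBOM(log, "ci-build-web"))
	fmt.Println("pulled left-pad@1.3.0:", PulledBy(log, "pkg:npm/left-pad@1.3.0"))
	fmt.Println("depend on example-lib:", Dependents(log, "pkg:npm/example-lib"))
	fmt.Println("pulled example-lib@3.0.0:", PulledBy(log, "pkg:npm/example-lib@3.0.0"))
}
```

Because every answer is a scan over the same rows, the "boring questions" are all the same shape: filter the log, project one column, deduplicate. Nothing has to be declared in advance for the question to be answerable later.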

Access, scoped

Repositories carry roles and permissions; API tokens are issued per principal and hashed at rest. Sign-in is SSO over generic OIDC — we hold your identity's metadata, never its password. Organizations let people publish together; that includes these notes.


This is early. The shape is here — PURL-native identity, proxied Go and npm, content-addressed blobs, an audit log that doubles as an SBOM source — and we'll be writing here as it grows.
