Golang's package manager has a rather elegant shared checksum database (a merkle tree), making it easy to trust mirrors: https://blog.golang.org/module-mirror-launch