  • What Kaseya and REvil ransomware gang teach us about Software Supply Chain Attacks

    Gone are the days where criminals storm banks with automatic weapons, taking hostages and shouting ransom demands. These days, sophisticated software supply chain attacks allow criminals to infiltrate multiple billion-dollar corporations simultaneously, demanding huge ransoms, all from the comfort of their homes....

  • Dependency confusion and substitution attacks

    Introduction Package managers make the life of programmers easy by simplifying the process of using reusable libraries for development. These libraries may be developed internally by other teams or downloaded from public repositories. A side effect of this simplified process is that in most cases developers are oblivious to the...

  • How to prevent package dependency confusion attacks

    This article will discuss two key software security concepts: what package dependency confusion is, and how to prevent package dependency confusion attacks. Before we start, check out packagecloud. This package management platform helps users to avoid package dependency confusion and resolve other vulnerabilities caused in the software supply chain...

  • How to Secure your Software Supply Chain

    A supply chain is a series of operations necessary for product supply. It includes each stage of the product’s lifecycle, from idea to customer. It covers distributors, producers, and retailers involved in developing and distributing the final product. Thus, a traditional supply chain begins with the necessary raw...

  • Packagecloud is building the industry’s first platform to implement the SBOM framework

    It all started with the SolarWinds breach The recent SolarWinds breach compromised around 18,000 of SolarWinds’ 33,000 customers, including multiple U.S. military and federal agencies. The attackers first compromised SolarWinds’ systems, enabling them to modify parts of the SolarWinds code. The attackers...

  • What are the best Fedora Spins?

    What is Fedora? Fedora is a Linux distribution created by the Fedora Project funded directly by Red Hat, an IBM affiliate, with additional funding from other organizations. Fedora includes applications licensed under various free and open-source licenses and strives to remain at the forefront of free technology. Fedora is the root source for the commercial...

  • The 7 best Ubuntu Flavors, and Why They Exist

    Ubuntu Linux is a popular, free open-source operating system available under the GPL or General Public License. In simple terms, the GPL is a “series of widely-used free software licenses that guarantee end-users the freedom to run, study, share, and modify the software.” As described above,...

  • Is Ubuntu better for desktops or servers?

    What is Ubuntu Ubuntu is an operating system based on Debian GNU/Linux distribution. It is completely free and open-source. The main developer and sponsor is Canonical. Currently, Ubuntu is also developed and maintained by the community. History of Ubuntu Ubuntu started as a temporary fork from Debian. Debian is still a widely respected operating system...

  • Upcoming Scheduled Maintenance on Jan 25, 2019

    UPDATE: Scheduled maintenance has been postponed! We’ve decided to postpone scheduled maintenance for 1 week. Scheduled maintenance will occur on: January 25, 2019 from 12pm to 3pm Pacific Standard Time (20:00 - 23:00 UTC). The original maintenance window has been canceled and the service will remain available as normal until the maintenance scheduled on January...

  • GPG Key Migration

    packagecloud is changing the way certain older repositories have their metadata signed with GPG keys. Only a small set of repositories on packagecloud with Debian and RPM packages are affected. All other repositories do not need migration. Any unmigrated repositories will be automatically migrated by our system on January 7, 2019. You can see...

  • Announcing packagecloud:enterprise 2.0!

    We’re excited to announce the release of our on-premises software packagecloud:enterprise 2.0! This new release includes a complete UI makeover, numerous performance improvements, support for Node.js packages and NPM registries, improved support for Android packages and much, much more. packagecloud:enterprise is run and managed by you, on your existing infrastructure, within your existing security...

  • Attacks against GPG signed APT repositories

    Updated January 22, 2019 to include a new remote code execution exploit. This blog post takes a closer look at some attacks against APT repositories outlined in the academic paper A Look In the Mirror: Attacks on Package Managers and how they apply to recent versions of APT software. It is a common misconception...

  • NPM registry internals

    This blog post dives into the NPM registry metadata format and core APIs. We’ll cover the different metadata files that make up an NPM registry, what the files mean, and show how a user can inspect metadata using command line tools. What is an NPM registry? An NPM registry is a collection of...

  • HOWTO: Inspect, Download and Extract NPM Packages

    This post outlines how to inspect the registry information of an NPM package using the npm view command, download an NPM package directly from a registry using the npm pack command, and extract the contents of the package tarball.

  • Announcing NPM registry support

    We are thrilled to announce that you can now upload Node.js packages to your packagecloud repositories! You can upload using npm publish, the packagecloud CLI or the packagecloud API. The NPM registry support added to packagecloud includes support for scoped Node.JS packages and the Yarn package manager right out of the box, with no...

  • Announcing Package Signing GPG Key Support

    You can now upload package signing GPG keys to packagecloud.io! Adding package signing keys will cause them to be automatically installed and prepared for use by users of your repositories. Your users will benefit from this feature because the package management system will now verify GPG signatures on the packages themselves using keys that...

  • Great Indian Developer Summit 2017 (GIDS 2017)

    These are the slides from Joe Damato’s talks at the Great Indian Developer Summit 2017 (GIDS 2017) titled: “Infrastructure as code might be literally impossible” and “All your network monitoring is (probably) wrong”. The talks cover: C, assembly, package managers, puppet, chef, scary stories, network monitoring, Linux and more!

  • All programmers MUST learn C and Assembly

    These are the slides from Joe Damato’s talk at Deconstruct 2017, titled “All programmers must learn C and Assembly.” This talk covers: C, assembly, system calls, operating systems, kernels, and more! Video Once Deconstruct posts videos, we’ll update this blog post! Slides

  • HOWTO: Private Maven Repositories

    This post will detail how to set up a private Maven repository in order to easily share Java, Scala, Clojure, and Android libraries with internal teams. Our example will use Jenkins CI to push an example library that will be used by an internal team using Maven and an external team using Gradle. Overview As microservice...

  • HOWTO: Create debian repositories with reprepro

    This blog post will explain the steps needed for creating a Debian APT repository using command line tools. Quick start The fastest, easiest, and most secure way to create a Debian repository is to sign up at packagecloud.io. You will take advantage of numerous features like SSL and consistent APT repositories without needing to...

  • Extract python egg and python wheel

    This post covers how to extract and list the contents of python eggs and python wheels on the command line. Extract python egg A python egg is a simple Zip file, so you can extract it using any program that reads Zip files: $ unzip /path/to/file.egg NOTE: You may need to rename the file...

  • Inspecting and extracting JAR files from the command line

    This post covers how to extract and list the contents of JAR files using the command line. Extract JAR file $ jar xvf /path/to/file.jar Extract JAR file without jar command line tool JAR files are Zip files but with a different name. You can use any...

  • Using strace to understand a 10x Java performance improvement

    In this blog post, we’ll examine the UseLinuxPosixThreadCPUClocks command line flag to the JVM. Starting in a patch update of the Sun JVM 1.6, the default value of this switch was changed to true, yielding a nice performance boost, roughly 10x in our test. Users of more recent JVMs get this behavior by default,...

  • How does a maven repository work?

    Similar to our APT Repository Internals and YUM Repository Internals posts, this post aims to illustrate the inner workings of a Maven repository. Read on if you have ever been curious as to how mvn compile figures out which dependencies to download and how to retrieve them in order to build your project.

  • Two frequently used system calls are ~77% slower on AWS EC2

    This blog post dives into an interesting finding: two frequently used system calls (gettimeofday, clock_gettime) are much slower on AWS EC2. Linux provides a mechanism for speeding up those two frequently used system calls by implementing the system call code in userland and avoiding the switch to the kernel entirely. This is done via...

  • Micro-optimizations matter: preventing 20 million system calls

    This blog post is a follow-up to our previous post How setting the TZ environment variable avoids thousands of system calls. In this post, we’ll explore a particularly prominent case where a micro-optimization (like removing a system call in a hot path) had a drastic effect on software performance.

  • Announcing Android AAR Support

    You can now upload your Android projects (AAR files) to packagecloud.io! Easily share them publicly or privately. Read on to find out the different ways to upload, download, and depend on AAR files. How to upload AAR files There are various ways to upload your Android project files to packagecloud.io. You can use Gradle/Maven...

  • How setting the TZ environment variable avoids thousands of system calls

    This blog post explains how setting an environment variable can save thousands (or in some cases, tens of thousands) of unnecessary system calls that can be generated by glibc over small periods of time. This has been tested on Ubuntu Precise (12.04) and Ubuntu Xenial (16.04). It likely applies to other flavors of Linux,...

  • Monitoring and Tuning the Linux Networking Stack: Sending Data

    This blog post explains how computers running the Linux kernel send packets, as well as how to monitor and tune each component of the networking stack as packets flow from user programs to network hardware.

  • Continuous Delivery of Python Applications using Travis CI and packagecloud

    This post will go through the steps needed to implement an automated software pipeline for Python packages. On every tagged commit pushed to GitHub, Travis CI will automatically build this project and push it to packagecloud.

  • HOWTO: Build debian packages for simple shell scripts

    This post goes over the creation of a Debian package containing shell scripts using dh_make and debuild. Starting from structuring the packaging directory to building the final Debian package, this tutorial covers the process of creating a Debian package with just a few simple steps.

  • Announcing package promotion: easily move packages between repositories

    We’re excited to announce that we’ve added support for package promotion, which allows repository owners and collaborators to easily move packages between repositories! This feature can be used via the package promote API or via the package_cloud command line tool.

  • Debugging SSL in Java using mitmproxy

    In this post we’ll go over setting up the popular mitmproxy tool on an external host and configuring your Java programs to proxy traffic through it, allowing you to debug misbehaving HTTP clients and libraries.

  • Announcing official support for zypper

    Summary We’re excited to announce that we’ve added official support for zypper, the package manager that is widely used on openSUSE and SUSE Enterprise Linux Server (SLES)! Uploading packages To upload a package for openSUSE or SLES you can either upload via our...