Packagecloud logo

The Packagecloud Roadmap: Protecting Open Source Software Supply Chains

We wanted to reach out to our community and share some updates which will affect you. This email outlines some big changes to Packagecloud over the past few months, but more importantly where we are going, and what this means for you. Packagecloud was founded in 2014, as a simple and straightforward way to manage all your repositories in one place. We’d continued to grow over the past 7 years, gaining some great customers (like you!) and continually listing as a high performer in the package repository management space

In the last year Software Supply Chains have increasingly come under attack. Whether from questionably intentioned researchers that introduced vulnerabilities into the Linux kernel, white hats who found a way to cause dependency confusion, or more serious malicious incursions like the CodeCov breach and the SolarWinds attack.

As we’ve come to terms with our role in this ecosystem, we have had a choice to continue to be a trusted provider for package distribution and stop there--or to roll up our sleeves and contribute directly to creating a robust and end-to-end solution software supply chain security. We chose the latter.

This year, we’ve grown the team--including a new executive team with deep cybersecurity expertise, and a our security advisory panel including professionals with masters in cybersecurity, and credentials that include CISM™, CREST CRT™, and CISSP™. In total, the team has more than doubled from the beginning of the year. During this time we have been discussing what the future software supply chain looks like to protect from current and yet-to-occur attacks. We have spent time with leading customers as well as folks that are taking leadership in the community. Google, in particular, is leading a framework-oriented approach called SLSA. We are active in the SLSA community and want to speak with you or your security team if you have a passion for influencing the next generation of software distribution. 

Here’s some of the steps we’ve taken in the past six months:

  • Expanded the team, bringing in an experienced Director of Operations, a CTO, Senior Developer, two software/solutions engineers, an expanded cybersecurity team,  along with additional marketing, sales and support staff.
  • Closed out all support tickets and are averaging a response time under 5 minutes during working hours.
  • Expanded customer outreach to learn more about your use cases and inform our roadmap for 2022.
  • Rolled out SSO support for our Enterprise customers (reach out if you’d like us to help you get your team registered).
  • Rebuilt our secure storage system
  • Added additional backend security enhancements for your repositories
  • We’re working with Google and the Open Source Software Foundation to develop Supply-Chain Levels for Software Artifacts, or SLSA framework.
  • Started development on two major security features that we believe will be game changers in software supply chain visibility and security.

We’re especially excited about the last bullet. Like you, we’ve been deeply concerned about the increasing occurrence and complexity of software supply chain attacks. We’ve identified things we can do on our side to help ensure your repositories are held and deployed securely, but that’s only part of the solution. We recognize that it's critical to address the whole supply chain from source to build to deployment, and know that your customers want to know they can trust you when they click to download your software. 

In the coming year we will be rolling out two features we’re calling Heimdall and Arête. Fans of Norse Mythology or Marvel will recognize Heimdall, as the watchman of the gods who guarded Bifrost, the rainbow bridge to Asgard. Like its inspiration, this feature will scan repositories for unworthy code providing software composition, dependency and vulnerability analysis. 

To take that even further and help our customers ensure that they know where their code came from, we’re proud to announce the upcoming Arête Code Ancestry feature, named for the Greek goddess of excellence and valor. This feature will allow our customers to quickly see which lines of their code are verified and unverified, both for their repositories and the dependencies they rely on. If you’d like to see how these will work or sign up for the beta version, please reach out to us.

We’ve accepted that our role must become more than “a CDN for package binaries” in order to provide the quality of security service that you expect from us. You are already seeing our investment in the product being delivered today--and there’s much more that we are rolling out over the coming year. Accept / Deny lists and IP alerting are already on tap for our enterprise customers and the same monitoring has rolled out to our standard plans. If you are on a plan today and do not exceed your bandwidth, then you will receive these features at no extra cost. However, if you exceed your bandwidth, we have updated this fee. We surveyed the providers in the market and our pricing has been updated to the market level of 80 cents per GB. 

We’ve also had to make additional adjustments to our plans and pricing as a result of customer demand for features that lay outside of pure storage and bandwidth needs. As a result, you’ll see a new set of plans that offer a range of features suitable to different user groups. For instance, with the sunsetting of Bintray, we had a flood of interest around custom domains and have now delivered on that capability. We have released SSO for a set of enterprise customers, delivered Alpine support for another set of customers and, as mentioned previously, have been working to incorporate cutting edge features to secure your software supply chain. 

For customers with high usage rates, we will be reaching out over the next few months to upgrade and right-size your plan that aligns to the current market. If you find yourself consistently exceeding your storage and transfer allotment, let us know and we can build a custom plan to help you minimize monthly cost swings which helps us both out! As a current customer, when you decide to update or change your plan, you’ll only have access to the new features and tiers. Like us, many of you are small businesses, and we are sensitive to this. If these changes materially impact your business, please let us know and we’ll work with you and your team to determine a solution that will work for you.

We know this is a lot of news, but we’re excited to continue being your repository manager of choice. We love to hear from you about the good, bad, and the ugly of Packagecloud and are always happy to hear about your use cases and how we can better support you and your customers. You can reach out to our customer success team by email or schedule a call here anytime. 

Thank you for your continued business as a part of the Packagecloud community. 

Team Packagecloud

You might also like other posts...