Provenance

Provenance is the ability to prove that packages, images, containers, and other artifacts are what they say they are, that they originate from the correct source, and that they have not been falsified or adulterated along the way. Provenance brings the auditability to packaging that version control brings to cryptographically verifiable source code commits.

The goal of provenance is an unbroken chain of traceability, all the way back to the host machine that built the package. Package metadata provides information such as the version, code contributors, scan results, license information, and build environment. This information is auditable, making it possible to integrate with other security tools.

Automated continuous packaging processes use checksums, cryptographic signatures, and other metadata to verify the identity and integrity of assets and establish that every package is genuine, signed, and matches the original. This helps keep software more secure, reducing vulnerabilities and exploits that could affect the code during the build process.

Not only does the chain of metadata help guarantee that packages are genuine, it can also provide information to developers, managers, and other stakeholders about how and why a feature or component came to be where it is. If a library or package version is involved in an unusually large number of problems, the provenance of the code in question can reveal how old it is, who has been working on it recently, and which features or fixes it implements.

Isolation

Much of the software built in a CI/CD pipeline depends on external packages, which can pose a security risk. Continuous packaging reduces attack vectors by isolating the software development pipeline from upstream package repositories, maintaining copies of the external packages in the private universal repository so that developers don’t access the external packages directly.

By caching packages from public upstream repositories and other external sources, you can protect yourself from issues with package availability, license changes, and emerging vulnerabilities. Package isolation provides a quarantine area where you can ensure that your code only accesses clean, known assets. One isolation approach is to maintain two private repositories: an unsafe repository that caches packages from a public upstream repository, and a safe repository with upstream proxying and caching disabled.

When the unsafe repository pulls packages from the upstream repository, continuous packaging automation uses a private repository management API to obtain package checksums and signatures. If the packages are genuine and pass vulnerability scans, they can be promoted to the safe repository, ready for use by development teams and for integration into the software build and deployment processes.

Internal build processes and development teams never connect directly to a public upstream repository. This closes off an important attack vector and provides the additional benefit of version and license control on all packages used by the software development life cycle. When an upstream repository releases a package with an undesirable change, you can freeze the version in the internal safe repository to prevent impact on the code in development.

Universality

To secure a DevOps pipeline, you must be able to manage packages together consistently, regardless of their formats and languages. This ensures transparency, visibility, and control across the entire inventory of assets. Continuous packaging provides a universal private repository that handles the protocols for different types of packages natively. The universal repository acts as a single source of truth, making assets available to different teams and for different deployments consistently from one place.

By ensuring that all packages pass through this single checkpoint, continuous packaging controls both the ingress and egress of the entire inventory, letting you see exactly what you’re consuming and what you’re building.

Benefits of Continuous Packaging

Continuous packaging adds security, control, visibility, and performance to the management of software packages, whether they are external dependencies, build artifacts, or deployable releases. By managing packages of all types in a single repository, continuous packaging gives you visibility into all assets, helping reduce redundancy and discrepancies between package versions.

Isolating the repository from its upstream sources helps prevent vulnerabilities and attacks by providing an opportunity to test and scan incoming packages before making them available to developers and to the software build pipeline. Automatic scanning, checksums, and signatures ensure that the packages are genuine and unadulterated before you promote them through your development and testing environments or deploy them to production.

You can limit access to specific authorized clients and users inside or outside the company, without sharing packages to the world. Providing a single source of truth also reduces the complexity of the interaction between the CI and CD parts of the software supply chain. Maintaining fewer versions simplifies dependency resolution by constraining choice, thereby helping alleviate problems such as package conflicts or mutually incompatible versions.

The ability to keep specific versions of all packages in a single universal repository helps teams collaborate more easily and with less confusion. At the same time, because the repository handles the package management protocol for each asset type, it still works as expected with your existing package management tooling. This means you can combine packages of different types in any way that makes sense for the team.

You can use the same repository to distribute software to customers in different formats as well, which makes the publishing process simpler.

Caching packages at the edge gives development teams all over the world an optimal experience with low latency, without giving up control. Today, teams of developers distributed around the world must work together remotely. Every person needs to be able to communicate, collaborate, and work in the same environment in real time. Package management protocols exchange high volumes of metadata and other information, requiring the minimization of latency and network transmission time where possible. Requiring centralized access via a corporate LAN or a specific cloud region would create a bottleneck for globally dispersed teams through increased latency or high network load on specific servers.

Implementing continuous packaging as a method of managing packages globally can help mitigate these challenges by providing every team member with the same experience while distributing the load geographically. A single central repository with vetted, scanned packages becomes the center of a package delivery network that caches copies of all artifacts at edge servers located near each team.

This delivery network is similar to a standard content delivery network, but built specifically for software assets. The central repository and all edge caches are context aware and understand the package management protocols necessary for all the different package types. The edge handles authentication for private packages directly, further reducing the burden on the central repository. Bringing the packages closer to distributed teams helps ensure low latency for everyone as they collaborate on large software projects, no matter where in the world they’re located.

Costs of Continuous Packaging

The additional costs of continuous packaging are similar to the tooling costs for CI.

Mainly, you’ll need a place to host a universal package repository, preferably as a service so that you don’t have to take on management tasks. If you aren’t already using CI/CD as the foundation of your software development process, you’ll need to build some additional infrastructure to support a DevOps pipeline. You’ll need a CI server that can monitor your code in source control, running automated tests on every new commit. The team will need to write automated tests for every feature or bug fix. Developers will need to get in the habit of merging their changes at least once a day, more often if possible.

By managing the complexity between the CI and CD parts of the DevOps development pipeline, continuous packaging helps provide security to the software supply chain through source and build integrity.