Reproducible Builds, Fedora 43, and What It Means for the Software Supply Chain

April 2025 has brought some important news in the world of open source and software supply chain security: Fedora has announced a change proposal to make 99% of its package builds reproducible in its upcoming Fedora 43 release. At first glance, this might seem like a low-level Linux packaging detail. But in reality, this is part of a much bigger shift that touches anyone who builds, ships, or consumes software - including us at Cloudsmith and the developers and enterprises who rely on us.

Kubernetes 1.33 - What you need to know

Kubernetes 1.33 is right around the corner, and there are quite a lot of changes to unpack! Excluding enhancements with the status “Deferred” or “Removed from Milestone”, there are 64 Enhancements in all listed in the official tracker. So, what’s new in 1.33? Kubernetes 1.33 brings a whole bunch of useful enhancements, including 35 changes tracked as ‘Graduating’ in this release.

SLSA: A Route to Tamper-Proof Builds and Secure Software Provenance

SLSA (Supply-chain Levels for Software Artifacts, pronounced ‘salsa’) is a progressive, industry-backed software security framework that safeguards software integrity throughout the development and delivery lifecycle. SLSA adoption is ramping up in industries where trust isn’t optional. As dependencies proliferate and threats multiply, SLSA provides a solid, structured path to prove that software is secure by design.

Cloudsmith introduces EPSS Scoring in Enterprise Policy Management (EPM)

Cloudsmith’s Enterprise Policy Management (EPM) now supports the Exploit Prediction Scoring System (EPSS), a data-driven metric designed to estimate the probability of a software vulnerability being exploited in the wild. Using EPM in Cloudsmith, you can now use a package’s EPSS score to inform your package workflows, including those around Package Promotion and Package Quarantine.

Native Signing Support In Cloudsmith Extended To Docker, NuGet, And Swift

Breaches in software artifact integrity can have severe consequences. Bad actors poison artifacts by injecting malicious code into software packages, libraries, or container images, tricking developers and users into downloading compromised artifacts. These attacks can lead to data breaches, system takeovers, and widespread supply chain disruptions. Continued artifact poisoning incidents highlight the increasing risk to software supply chains.

Putting Your Data to Work to Protect Your Software Supply Chain Final

In today’s complex software ecosystem, ensuring security and reliability is more challenging than ever. Dependency trees are growing deeper, third-party contributions are increasing, and the risks - from vulnerabilities and misconfigurations to malicious attacks - are at an all-time high. Organizations must find ways to secure their software supply chains without compromising agility.

Enterprise-Grade Software Security: Mastering Control Over Your Software IP

Enterprises should prioritize securing their software artifacts to protect intellectual property (IP), maintain compliance, and mitigate supply chain risks. A strong security posture requires a deep understanding of access management, distribution controls, compliance enforcement, and software lifecycle governance.

Streamlining CI/CD Pipelines with Automated Policy Checks

Continuous Integration and Continuous Deployment (CI/CD) pipelines power modern DevOps. They enable teams to deliver software faster, with greater reliability and confidence. However, as development accelerates, ensuring security, compliance, and quality becomes increasingly complex. Automated policy checks streamline CI/CD pipelines by addressing these challenges directly.

Secure and Compliant Software Delivery with Cloudsmith Policy Management

Securely managing software artifacts across distributed teams and complex infrastructures demands proactive measures. Robust policy management is the best way to ensure compliance in your software supply chain. Cloudsmith, the leading cloud-native package management platform, can streamline policy management and strengthen security. Let’s explore why policy management matters and how we can simplify it for you.