Clyde 0.10.0 released
written on Thursday, May 28, 2026
Cool down days
Weather is quite hot these days in France. The perfect timing to release Clyde 0.10.0 because the main new feature is about cooling down!

Sorry for the dad joke, Clyde cool down is not about keeping you fresh but rather about not installing hot new rogue package releases. As I explained in my previous post about Clyde, cool down is a security protection to mitigate supply chain attacks: it imposes a delay between the moment a package has been published and when it can be installed, leaving time for security researchers to detect rogue releases. The hope is that by the time the cool down delay has passed, any rogue release has been detected and taken down so it can no longer be downloaded.
It's not a perfect solution, but it's another layer of security. Since Clyde installs binary packages published directly by their authors without any rebuild step, it's good to at least have this cool down feature as a minimum barrier.
The way it works is as follows: when the CI adds a new package release to the Clyde Store, it records the time it was added. clyde install and clyde upgrade won't install this release until 7 days have passed. This 7-day cool down can be changed by defining the CLYDE_COOLDOWN_DAYS environment variable.
Note that the time recorded is the time the CI noticed the new release and added it to the store. It is not the time the release was published by its author, because the publication time could be faked.
Stricter tar unpacking
Another security change to protect from rogue releases is stricter tar unpacking. Clyde now refuses to unpack a release tar archive if it contains files that would extract outside of the package root directory, or symbolic links that would point outside of the package root directory.
This has not happened so far, but better safe than sorry.
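
One way to express the two checks described above, as an added example in Python (not Clyde's own code). The function names and the in-memory sample archive are constructed for illustration.

```python
import io
import posixpath
import tarfile


def escapes_root(path: str) -> bool:
    """True if a path relative to the package root resolves outside of it."""
    norm = posixpath.normpath(path)
    return path.startswith("/") or norm == ".." or norm.startswith("../")


def find_unsafe_members(archive: tarfile.TarFile) -> list[str]:
    """List members that would extract, or point, outside the package root."""
    problems = []
    for member in archive.getmembers():
        if escapes_root(member.name):
            problems.append(f"{member.name}: extracts outside the root")
        elif member.issym():
            # A relative symlink target is resolved from the link's directory;
            # posixpath.join keeps an absolute target as-is.
            target = posixpath.join(posixpath.dirname(member.name), member.linkname)
            if escapes_root(target):
                problems.append(f"{member.name}: symlink points outside the root")
    return problems


def build_sample_archive() -> bytes:
    """Constructed sample: two benign members followed by three offending ones."""
    entries = [
        ("bin/tool", None),                  # regular file inside the root
        ("bin/tool-link", "../lib/tool"),    # symlink that stays inside the root
        ("../evil", None),                   # file that would land outside the root
        ("lib/escape", "../../etc/passwd"),  # relative symlink leaving the root
        ("abs", "/etc"),                     # absolute symlink
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, link in entries:
            info = tarfile.TarInfo(name)
            if link is None:
                tar.addfile(info, io.BytesIO(b""))
            else:
                info.type = tarfile.SYMTYPE
                info.linkname = link
                tar.addfile(info)
    return buf.getvalue()


def check_sample() -> list[str]:
    """Scan the constructed archive before anything is written to disk."""
    with tarfile.open(fileobj=io.BytesIO(build_sample_archive())) as tar:
        return find_unsafe_members(tar)
```

Running the scan over the whole archive before extracting anything means a single offending member rejects the release without leaving partial files behind.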
Changed clyde show behavior
The syntax of the clyde show command has changed:
- Releases are no longer listed by default: it was often too verbose. Use `-r,--release` to list them.
- The `-l,--list` option has been renamed to `-f,--files`, but the old option still works.
- The `--json` output now always includes all information, and the key listing the releases has been renamed from `available_versions` to `releases`.
I hope these changes do not break your workflow too much. I think it's worth it because they make the command output much more readable.
Other minor changes
clyde --help output now uses colors!

It's now possible to run read-only commands (doc, show, list and search) while another Clyde command is running.
Get it!
That's all for this release. If you already use Clyde, it's going to update itself next time you run clyde upgrade. If you want to give it a try, head over to the Clyde project page!