Aurélien Gâteau

Preparing support for cooldown in Clyde

written on Sunday, May 3, 2026

Supply chain attacks are becoming more and more widespread these days. Since Clyde lets you install apps freshly published by their original authors, it could propagate a rogue release.

A simple way to mitigate this risk is to implement dependency cooldowns: a period of time (usually a few days) between the moment a new version of a package is published and the moment it can be installed via the package manager. The idea is that if something is wrong with the published package, security researchers will spot it before the cooldown period ends, and the package will have been pulled from download before package manager users get access to it.

It's not a perfect solution, but it's another layer of protection.

File format changes

To implement this, the "releases" part of the Clyde package file format must evolve to store the date each release was published. The V1 release format looked like this:

releases:
  1.24.0:
    x86_64-linux:
      url: https://example.com/download/foo-1.24.0-x86_64-linux.tar.gz
      sha256: cf040cd539f017b4eb5(...)
    aarch64-macos:
      url: https://example.com/download/foo-1.24.0-aarch64-macos.tar.gz
      sha256: cf040cd539f017b4eb5(...)

The V2 release format looks like this instead:

releases:
  1.24.0:
    published_at: 2026-05-03T12:34:56
    assets:
      x86_64-linux:
        url: https://example.com/download/foo-1.24.0-x86_64-linux.tar.gz
        sha256: cf040cd539f017b4eb5(...)
      aarch64-macos:
        url: https://example.com/download/foo-1.24.0-aarch64-macos.tar.gz
        sha256: cf040cd539f017b4eb5(...)

This change is not backward compatible: Clyde 0.8.0 cannot parse the V2 file format, so I first needed to release a version of Clyde that supports both formats before I could start using the new format when updating packages.

I released Clyde 0.9.0 on April 23 with support for this new format, among other minor changes.

Today I merged the changes to start using the new format for updates. This means that if you run clyde update, then clyde install somepackage, and get an error like this:

Error: releases.0.36.0.published_at: invalid type: unit value, expected struct Asset at line 7 column 19

then your Clyde version is older than 0.9.0 and you must update it, for example with clyde install clyde or clyde upgrade.

Next steps

Now that Clyde can read this release format, I can proceed to the next steps:

  • Make clydetools fetch actually fill this published_at field (it sets the field to null at the moment)
  • Decide on a default cooldown duration (I am thinking 7 days)
  • Make clyde install and clyde upgrade enforce the cooldown duration

This is the minimal version. Ideally, the cooldown duration should be configurable, and at least clyde install should provide a flag to bypass it: sometimes it's critical to get a new version in.
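To make the planned behaviour concrete, here is an added Python sketch (not Clyde's own code) that reads both the V1 and V2 release shapes from the post, applies a 7-day cooldown to the published_at date, models the bypass flag, and decides how to treat the null dates clydetools fetch currently writes. The sample release table, the placeholder hashes and the "fail closed on unknown date" policy are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample mirroring the YAML in the post, loaded as Python dicts:
# one V1-style entry (arch keys directly under the version) and V2-style
# entries with published_at + assets. Hashes are placeholders.
RELEASES = {
    "1.23.0": {"x86_64-linux": {"url": "https://example.com/foo-1.23.0.tar.gz", "sha256": "<placeholder>"}},
    "1.24.0": {"published_at": "2026-04-20T09:00:00",
               "assets": {"x86_64-linux": {"url": "https://example.com/foo-1.24.0.tar.gz", "sha256": "<placeholder>"}}},
    "1.25.0": {"published_at": "2026-05-03T12:34:56",
               "assets": {"x86_64-linux": {"url": "https://example.com/foo-1.25.0.tar.gz", "sha256": "<placeholder>"}}},
    # clydetools fetch still writes null here, as the post notes
    "1.25.1": {"published_at": None,
               "assets": {"x86_64-linux": {"url": "https://example.com/foo-1.25.1.tar.gz", "sha256": "<placeholder>"}}},
}

def normalize_release(entry):
    """Return (published_at or None, assets) for a V1 or V2 release entry."""
    if "assets" in entry:                       # V2 shape
        raw = entry.get("published_at")
        return (datetime.fromisoformat(raw) if raw else None), entry["assets"]
    return None, entry                          # V1 shape: no date was ever recorded

def passed_cooldown(published, cooldown, now, unknown_ok=False):
    """A release is installable once `cooldown` has elapsed since publication.
    Assumption: a missing or null date fails closed unless unknown_ok is set."""
    if published is None:
        return unknown_ok
    return now - published >= cooldown

def version_key(version):
    # Numeric comparison so that 1.25.0 sorts after 1.9.0
    return tuple(int(part) for part in version.split("."))

def pick_version(releases, arch, cooldown, now, bypass=False, unknown_ok=False):
    """Newest version with an asset for `arch` that has passed the cooldown.
    `bypass` models the install flag the post plans. Returns None if nothing fits."""
    for version in sorted(releases, key=version_key, reverse=True):
        published, assets = normalize_release(releases[version])
        if arch not in assets:
            continue
        if bypass or passed_cooldown(published, cooldown, now, unknown_ok):
            return version
    return None

if __name__ == "__main__":
    now = datetime(2026, 5, 5)
    print(pick_version(RELEASES, "x86_64-linux", timedelta(days=7), now))          # 1.24.0
    print(pick_version(RELEASES, "x86_64-linux", timedelta(days=7), now, bypass=True))  # 1.25.1
```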

That's basically the plan for Clyde 0.10.0. Stay tuned for it!
