Loggin' Hysteria: Login History
More account-based good news! We've surfaced the history of logins for your account:
You can find the new information on your account security page, underneath the Session Management, as described previously. In addition to seeing the current sessions, the historical view of logins includes context such as the login method, Geo/IP location and details about the browser, operating system and device that logged into and accessed your account. You can hover over the data for additional details.
Let us know if you've got any feedback or if you like the new feature. Enjoy!
Note: The login history only extends to your first login from the release of this feature today, but we'll keep track of and display the history for up to and including the 50 most recent logins.
A Wild Sesh: Session Management Controls
Good news! Take back some control and easily manage logged-in sessions for your account:
You can find the new controls on your account security page, along with some context for the session, such as when the session was last active, the Geo/IP location, and details about the browser, operating system and device that logged into and accessed your account. You can hover over the data for additional details.
These will give you extra insight into where the sessions occurred and perhaps by whom. If you don't recognise a session, or you want to end one remotely, you can utilise the Logout Other Sessions button to terminate them quickly. Now you can sleep with peace of mind, perhaps after changing your password.
You may also notice another section, but we'll talk more about that tomorrow. :-)
Until then, let us know if you've got any feedback or if you like the new feature. Enjoy!
Now Testing: Access Log Exports to S3
We're now rolling out Early Access to the "Access Log Exports to S3" feature:
With our automated S3 export, you'll be able to get the access logs for your repositories delivered to you periodically. You pick the frequency and the output format, and we'll make the drop hassle-free. You can then import your logs into your favourite Business Intelligence tools to slice dice and analyse your data at scale.
The exports are available in three flavours (formats), from least to most verbose:
- Apache-style: Logs in the "Apache-style" (i.e. web server) format, with the bare essentials for tracking.
- CSV: Comma-Separated Values, with a header line to indicate the available fields.
- JSON (Single): Detailed records as an array in a single JSON object, with additional header fields.
- JSON (Stream): As above, but newline-delimited records and no header, as described on ndjson.org.
- JSON (Stream+TS): As above, but each line contains a timestamped prefix, for tools like SumoLogic.
You'll be able to authenticate to your S3 logs bucket with least-privilege permissions via either Role Assumption to Pre-Shared Keys; that means we only need to write, but not read, the access logs.
We're configuring the exports to be once-per-day for the testing period, but beyond that, we'll be offering different configurable frequencies, such as once-per-month, once-per-week, once-per-hour, etc.
Sound like something you'd be interested in? Please contact us to get exporting today!
Note: This feature is available to Ultra-tier customers, but we'd be happy to let anyone try before committing. Also, with this release, we've removed the deprecated feature of generating raw access logs via the UI, due to performance reasons. The replacement coming up is a Downloads API in the near future.
John Hancocks at the Ready: Signatures for All
Cloudsmith has always performed signature and checksum validation at the core of the service - and today, we're introducing three awesome new ways to surface this information!
User Interface
The package information page now includes a link to retrieve the raw GPG signature for a package, using all of the same authentication schemes we support for packages.
Packages API
The package resource in the Cloudsmith API now provides a URL to retrieve the raw signature for a package and package file via the attribute signature_url.
Raw Format Indexes / URLs
Last (but by no means least) - our raw format has been updated to provide signature URLs on both our HTML and JSON indexes (where enabled within your repository). You can also append .asc to any raw file URL to retrieve the package signature directly.
These changes (and more upcoming) aim to give more visibility into the provenance of your software.
Ping? Ping! Your package was delivered successfully.
We are very pleased to announce that Cloudsmith now supports a 'Package Downloaded' webhook at request from our users.
This new webhook will be triggered upon each package file fetch across all the formats that Cloudsmith supports; and provides data on the entitlement token, location, and user who accessed a package file.
Some great use cases for this webhook:
- For vendors - Inform your CRM service that a user has downloaded a licensed product.
- For teams - Be alerted that a CI/CD pipeline has successfully pulled a newer package version.
- For everyone - Extend Cloudsmith actions into your observability pipelines; did we mention, ChatOps?
These are some ideas to get started, but we're excited to see what you all come up with.
Happy Pinging!
Docker: Such Wow, Much Improve
Good news! Three major improvements for Docker support at Cloudsmith have been released.
1. Assuming that you've been assigning semantic version tags to your Docker images, which is highly recommended, you can now sort Docker images by version. We'll also "elevate" the version tag to display as the main version for the Docker image, rather than just the hashref shown previously (see image).
2. When examining access logs, we previously provided Docker layers that were downloaded but were unable to link to specific Docker images. Based on improvements here, pulls (downloads) for Docker images are now properly tracked, and the exact image will be linked in the access logs.
3. Alongside many other platform improvements recently, tackling some of the service views where clients spend the most time, Docker requests should now be several times faster.
The p95 (95th Percentile) for Docker manifest pulls went from 2 seconds to 200ms; a 10x speed increase.
What else is on the horizon for Docker support? Two things that we'd like to implement next:
1. Support for ORAS: OCI Registry As Storage. This may be of interest to users looking to store and version artifacts efficiently by leveraging all of the benefits that the Docker (OCI) ecosystem provides.
2. Support for Cosign: Docker Signing. This may be of interest to users looking to establish and verify image integrity but utilising the same storage mechanism as the registry itself.
If either of these would be of interest to you, please let us know!