If you’ve ever watched a pipeline crawl while it re-downloads the same dependencies (again), or had a build fail because a public registry rate-limited your runners, you know that modern CI/CD is fast…until it isn’t.

This week we had a banger one-two punch community webinar & article from Thijs Feryn, and Adrian Herrera from Varnish on this exact problem, and how they’re approaching it.

Delivery paths today are a massive mix of language packages, OS dependencies, container images, and charts pulled from multiple public and private registries, across clouds, regions, and toolchains, with increasingly shaky trustworthiness.

There are 3 compounding problems with this sprawl.

• Performance drag: Dependency pulls quietly consume a massive share of pipeline time, and costs explode. Plus longer feedback loops, more compute waste, and higher egress bills.
• Reliability nightmare: Public registries have outages. Cloud platforms have outages. Rate limits happen at exactly the wrong time. When artifact access is a hard dependency for build & deploy, that external instability (which seems to be getting worse every year) is your problem. Massively.
• SECURITY: Repo-centric security is getting better but it mostly looks at artifacts while they’re sitting in a repo…scans, metadata, remediation notes etc. Supply chain attacks don’t give a f* about that boundary. The real damage happens when something gets pulled and run in CI/CD. Which with super messy sprawling toolchains is increasingly likely.

So what do Adrian and Thijs think is a solution? In the community webinar and article, they break down shifting control from “where artifacts are stored” to “where artifacts are accessed.” Because the real risk shows up when artifacts are pulled into CI/CD.

Take a look. And let me know what you think. Because things are changing fast.