We wanted to reach out and let you know that there has been a recent security incident involving PyTorch, a popular open-source machine-learning library. We can assure you that this situation does not impact our customers.
On December 31, 2022, Pytorch released a statement detailing a supply chain-related security incident. In this specific case, our Software Supply Chain Security Team was able to determine based on the nature of the issue that our packages were not at risk. Conda users installing packages from Anaconda’s “main” channel are not impacted. This is because Anaconda’s official channels (the location where all our packages are stored) only contain packages built from stable upstream releases, while the affected PyTorch releases were nightly, development builds.
At Anaconda, we take the security of our software and the packages in our repository very seriously. Further, we have strong measures in place to prevent the specific type of attack described above. We ensure unauthorized third-party packages cannot impersonate official packages built by Anaconda’s package builders.
We want to assure our customers that when using the Anaconda repository, you can have confidence that the packages you are receiving are secure.
We plan to explore this and other supply chain-related attacks in a future series of blog posts.
Update: we have confirmed with the conda-forge maintainers that their PyTorch packages are also built from stable upstream releases and are similarly not impacted.
How to see if you are using the impacted Pytorch version
If you have installed PyTorch in an environment using Anaconda’s main channel, no action is needed. However, if you have used pip to install a nightly version of PyTorch, or you are not sure, it is worth following the steps described here to check if your environment is affected.
Further, conda allows you to see where your PyTorch package came from using the following command:
conda list --show-channel-urls
`pytorch` packages from repo.anaconda.com and repo.anaconda.cloud are not impacted by this incident. If your `pytorch` package comes from some other channel, please consult with the maintainers of that channel.
Further reading:
To read the official announcement see this link.
