You may have heard about the recent security breach that affected CircleCI, a container-based continuous integration service that conda-forge uses to build packages in Linux and sometimes, OSX packages.
We want to take this opportunity to reassure you that Anaconda’s packages are not impacted by this incident, and that our customers are safe from this issue.
In this blog post, we will explain what happened, how conda-forge responded, and why Anaconda’s packages are unaffected by this incident.
What happened?
In January 2023, CircleCI disclosed a security breach that exposed all of the environment secrets stored in the service. These secrets include the tokens that could potentially allow an attacker to modify or publish packages on behalf of conda-forge.
Conda-forge is a community-led project that provides a large number of packages for the conda package manager. While Anaconda provides conda-forge with hosting infrastructure, conda-forge and Anaconda are separate entities who share a common goal of providing access to high-quality packages for the Python community.
How did conda-forge respond?
Conda-forge acted quickly and transparently to mitigate the risk and inform the users and the community.
As soon as they learned about the breach, they rotated all the compromised tokens and audited the packages built during the breach period. Afterwards, they notified users and the community appropriately.
We commend conda-forge for their prompt and professional response, and we appreciate their contribution to the open-source ecosystem.
Why are Anaconda’s packages unaffected?
While we support conda-forge and their efforts, we want to emphasize that Anaconda’s packages are not affected by this incident, and that our customers are safe from this issue.
This is because Anaconda and conda-forge use two entirely separate build infrastructures. Anaconda’s package build infrastructure does not depend in any way on CircleCI.
Additionally, Anaconda’s package build processes include various safeguards that make it significantly harder to publish compromised packages to our standard and premium repositories. Anaconda’s package build and distribution process is privately managed and published only by Anaconda, Inc.
We understand the importance of maintaining software supply chain security for our customers and the Python community. We will continue to prioritize security and transparency in our services, and we encourage you to reach out to our support team with any questions or concerns.
Thank you for your continued trust in Anaconda.
