Paving the way for Community Innovation with Security Features for Signed Packages
Dec 06, 2021 | By Team Anaconda
At Anaconda, we believe that open-source software (OSS) is a gateway for our customers and users to unlock and leverage innovation from the community and benefit from the latest and greatest in software development. However, with the recent uptick in cyberattacks, the "new normal" includes increased security measures to counteract the risk of malicious actors in the open-source ecosystem.
Anaconda wants to play its part in sustaining adoption and innovation in the open-source community. In light of these recent attacks, and the Executive Order from the Biden Administration seeking improved cybersecurity, we released conda signature verification earlier this year as part of our ongoing effort to secure OSS adoption.
Our framework for signed packages was adapted from The Update Framework (TUF) and is a security mechanism that safeguards conda packages for practitioners and businesses. The conda signature verification feature lets users check two things before a package is installed: that the Anaconda-signed package they are installing comes from a trusted source (the signature was produced by a key Anaconda controls), and that its contents are exactly as they were when it was built on Anaconda's secure networks (the package has not been altered in transit or on a mirror).
Anaconda is only one part of the larger open-source ecosystem, and as such, we believe that the challenges of open-source packaging can only be solved through collaboration with the larger community. We have been working closely with the Mamba and conda-forge teams to adopt the trust and verification features of conda signature verification in open-source repositories. Last month, a Mamba-compatible implementation of package signatures was released, which you can learn more about here. We are excited to help this security feature become available in the community-maintained conda-forge channel in the coming months.
We are also investing additional time and commitment toward a continued effort to support others in the open-source packaging space with these security features. We will have more information coming in early 2022 that will explain our work with collaborators in the open-source community to make the experience for end users streamlined, faster, and more secure. For more information on signed packages and how we are securing the open-source pipeline, visit our blog and our webinar introducing conda signature verification via our AnacondaCON event portal.