Paving the way for Community Innovation with Security Features for Signed Packages

At Anaconda, we believe that open-source software (OSS) is a gateway for our customers and users to unlock and leverage innovation from the community and benefit from the latest and greatest in software development. However, with a recent uptick in cyberattacks, the “new normal” includes increased security measures to counteract the risks of malicious actors in the open-source ecosystem.

Anaconda wants to play its part in sustaining the adoption and innovation in the open-source community. In light of these recent attacks, and the Executive Order from the Biden Administration seeking improved cybersecurity, we released conda signature verification earlier this year as a part of our ongoing effort to secure OSS adoption.

Our framework for signed packages was adapted from The Update Framework (TUF) and is a security mechanism that safeguards conda packages for practitioners and businesses. The conda signature verification feature allows users to trust that the Anaconda-signed packages they’re installing come from a reliable source and are exactly as they were when they were built on Anaconda’s secure networks: a package whose signature does not verify, or whose contents no longer match what was signed, is rejected rather than installed.
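To make that guarantee concrete, below is an added example written for this post; it is not Anaconda's, conda's or conda-content-trust's own code and does not reproduce their metadata formats. It sketches the TUF-style chain the post describes: an offline root key delegates to an online signing key, that key signs a record carrying the package digest, and the client only installs bytes whose digest matches the signed record. The role name `pkg_mgr`, the record fields and the package filename are all constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// PackageRecord is the metadata a channel publishes for one artifact.
// Constructed for this example; it is not conda's repodata layout.
type PackageRecord struct {
	Filename string `json:"filename"`
	SHA256   string `json:"sha256"`
}

// Delegation is what the offline root key signs: "this online key may
// sign package records for this role". The role name is an assumption.
type Delegation struct {
	Role   string `json:"role"`
	PubKey []byte `json:"pubkey"`
}

// Signed pairs a JSON payload with its Ed25519 signature over those bytes.
type Signed struct {
	Payload []byte `json:"payload"`
	Sig     []byte `json:"sig"`
}

func signJSON(priv ed25519.PrivateKey, v interface{}) (Signed, error) {
	payload, err := json.Marshal(v)
	if err != nil {
		return Signed{}, err
	}
	return Signed{Payload: payload, Sig: ed25519.Sign(priv, payload)}, nil
}

// VerifyChain walks root -> delegated signer -> package record and finally
// checks the downloaded bytes against the signed digest. The only trust
// anchor is rootPub, which the client ships with or obtains out of band.
func VerifyChain(rootPub ed25519.PublicKey, deleg, record Signed, artifact []byte) (*PackageRecord, error) {
	if !ed25519.Verify(rootPub, deleg.Payload, deleg.Sig) {
		return nil, errors.New("delegation is not signed by the trusted root")
	}
	var d Delegation
	if err := json.Unmarshal(deleg.Payload, &d); err != nil {
		return nil, err
	}
	if d.Role != "pkg_mgr" || len(d.PubKey) != ed25519.PublicKeySize {
		return nil, errors.New("delegation does not name a valid pkg_mgr key")
	}
	if !ed25519.Verify(ed25519.PublicKey(d.PubKey), record.Payload, record.Sig) {
		return nil, errors.New("package record is not signed by the delegated key")
	}
	var r PackageRecord
	if err := json.Unmarshal(record.Payload, &r); err != nil {
		return nil, err
	}
	sum := sha256.Sum256(artifact)
	if hex.EncodeToString(sum[:]) != r.SHA256 {
		return nil, errors.New("artifact digest does not match the signed record")
	}
	return &r, nil
}

// Demo builds a tiny channel and returns the verification outcome for an
// untouched artifact, a tampered artifact, and a record signed by a key the
// root never delegated to. A nil error means "safe to install".
func Demo() (genuine, tampered, rogue error) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	mgrPub, mgrPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)

	// Constructed artifact bytes standing in for a real package archive.
	artifact := []byte("constructed package bytes for example-pkg-1.0-0.tar.bz2")
	sum := sha256.Sum256(artifact)
	rec := PackageRecord{Filename: "example-pkg-1.0-0.tar.bz2", SHA256: hex.EncodeToString(sum[:])}

	deleg, _ := signJSON(rootPriv, Delegation{Role: "pkg_mgr", PubKey: mgrPub})
	signedRec, _ := signJSON(mgrPriv, rec)
	rogueRec, _ := signJSON(roguePriv, rec) // same record, untrusted signer

	_, genuine = VerifyChain(rootPub, deleg, signedRec, artifact)
	_, tampered = VerifyChain(rootPub, deleg, signedRec, append([]byte("x"), artifact...))
	_, rogue = VerifyChain(rootPub, deleg, rogueRec, artifact)
	return
}

func main() {
	g, t, r := Demo()
	fmt.Println("genuine artifact:", g)
	fmt.Println("tampered artifact:", t)
	fmt.Println("rogue signer:", r)
}
```

The point of the two-level chain is that the root key can stay offline: only the delegated key is exposed to the build and publishing systems, and if it is ever replaced the root signs a new delegation instead of every client having to learn a new trust anchor.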

Anaconda is only one part of the larger open-source ecosystem, and as such, we believe that the challenges of open-source packaging can only be solved through collaboration with the larger community. We have been working closely with the Mamba and conda-forge teams to adopt the trust and verification features of conda signature verification in open-source repositories. Last month, a mamba-compatible implementation of package signatures was released, which you can learn more about here. We are excited to help this security feature become available in conda’s open-source repository, conda-forge, in the coming months.

We are also investing additional time and commitment toward a continued effort to support others in the open-source packaging space with these security features. We will have more information in early 2022 explaining our work with collaborators in the open-source community to make the experience for end users streamlined, faster, and more secure. For more information on signed packages and how we are securing the open-source pipeline, visit our blog and our webinar introducing conda signature verification via our AnacondaCON event portal.
