Skip to main content
Anaconda Platform 7.0.0 is available through a limited early access program. Contact your Anaconda Technical Account Manager (TAM) if you’re interested in adopting the latest version.

Searching for packages

If you want to know if a package is available in one of your , you can search for it in multiple ways.

Viewing package details

Selecting a package displays its details. The Files tab contains general information about each package file.
aiohttp package details files tab
Filter the table contents by using the filters at the top of the table columns.
Name
The package’s identifier, typically in the format:
<PACKAGE_NAME>-<VERSION>-<HASH>.<FILE_TYPE>
The file’s size is listed below its name.
Version number
The package’s release version.
Platform architecture
The system architecture that the package file was built for.
CVE score
The CVE score associated with the package file, if any.
If more than one CVE is associated with a package file, the highest CVE score is displayed.
Number of associated CVEs
The total count of known vulnerabilities linked to the package file.
CVE status
The CVE status assigned by Anaconda’s CVE curation process.
If more than one CVE is associated with a package file, the most severe CVE status is displayed.
Indexing status
Indicates whether the package file is in an active or passive state.
Active files install slightly faster than passive ones, because passive files must be downloaded and indexed prior to installation.
Software Bill of Materials (SBOM)
Download a .json formatted SBOM for the package file, if available. For more information, see Downloading an SBOM.
An error message appears if you try to download an SBOM for a package that does not have one.
Metadata
Select the information icon to view detailed metadata about the package file.

Dependencies and dependants

Dependencies are packages that a specific package requires to function properly. Dependants are packages that rely on a specific package to function properly.
Conda automatically installs a package’s dependencies along with the package itself when that package is requested from the channel. If a package dependency is not available due to an applied policy filter, you will not be able to build a working environment with the packages from the current channel.

Package CVEs

The CVEs tab displays details regarding the package’s associated CVEs.
CVE Score
The CVE Score column shows the highest CVE score of the associated active and reported CVEs. If no active or reported CVEs are found, the highest score for cleared, disputed, or mitigated CVEs are displayed.
Select the filter icon to open the filter menu and select the operator you want to use for the CVE Score. You can select either greater than or equal to, or less than or equal to.
Hover over the CVE score to view the various CVSS version scores for the CVE.
CVE Name
If you know the name of the CVE you want to filter by, enter it in the search bar. Only one CVE name can be entered at a time.
CVE Status
You can filter CVEs by their Status using the # Packages column filter. Open the dropdown and select a CVE Status to view the number of packages associated with the CVE that have the currently selected status.
Anaconda Curated Date
Select a start and end date to filter CVEs by the date they were curated by Anaconda.
Last Modified Date
Select a start and end date to filter CVEs by the date they were last modified.
Last Published Date
Select a start and end date to filter CVEs by the date they were last published.

Package badges

Package badges are a visually intuitive way to display real-time metadata about a package in other applications. Badge images can be embedded into package documentation, repository README files, websites, dashboards, and so on, and can be dynamically generated to show the following information:
Package version
Displays the current release number of the package as published in the channel.
Download count
Shows the total number of times the package has been downloaded from the channel.
License
Indicates the software license under which the package is distributed.
Platforms
Lists the system architectures supported by the package build.
Last updated
Displays the date and time when the package was most recently updated.
Updated ago
Shows how much time has passed since the package was last updated.

Embedding package badges

From a package’s details page:
  1. Select the Badges tab.
  2. Open the dropdown for the badge that you want to embed.
  3. Click Copy beside the language you’re working in.
    To embed a badge from an authenticated or private channel, you must include a service account token at the end of the URL as indicated. The service account token must provide access to the channel the package is stored in.
  4. You can now take this link and embed it elsewhere.

Downloading an SBOM

  1. Select Channels from the left-hand navigation.
  2. Open the channel or subchannel that contains the package you want an SBOM for.
  3. Find the package you need an SBOM for.
  4. Select SBOM beside a package file to download an SBOM for that file version.
    SBOM download button

Uploading packages

Packages must be properly prepared before uploading them to a channel. The process for preparing a package for upload differs depending on the package type. Please follow the relevant guide to prepare your package for upload: Once the package is prepared, upload it to a channel.

Downloading a package file

From a package’s details view, select a package file’s name to download it.

Managing packages

You can move, copy, or delete packages directly from the Packages tab of any channel, or manage the individual files within a package.
  • Managing packages
  • Managing package files
  1. Select Channels from the left-hand navigation.
  2. Select a channel you need to manage packages for.
  3. Select the Packages tab.
  4. Select checkboxes beside packages you want to manage. Management options appear above the table.
    Package management options
  5. Choose the action you want to take for the selected packages.
Move
Moves the selected packages or package files from one channel to another. Packages that are moved are no longer in the source channel.
Copy
Copies the selected packages or package files from one channel to another. Packages that are copied remain in the source channel.
Delete
Deletes the selected packages or package files from a channel.

Package signatures

Anaconda’s package curation process associates packages with security signatures to ensure package integrity and authenticity. Packages in Anaconda’s repository come with a security signature: a special key value that proves that the package hasn’t been tampered with since going through Anaconda’s curation process. Files within a package that have a signature display a signed tag in the signature column. The actual signature value can be viewed at the bottom of the metadata file.
You must mirror your packages using an Anaconda Platform (Cloud) channel as a source to view package signatures.

Enabling package signature verification

Package signature verification requires conda version 4.10.1 or later. Signature verification is not enabled by default.
  1. Install the necessary packages: 
    conda install "conda>=4.10.1" "conda-token>=0.3.0" conda-content-trust
  2. Use conda-token to configure access, turn on signature verification, and empty the index cache: 
    conda token set --enable-signature-verification <TOKEN>
    Replace <TOKEN> with your organization access token.
Conda signature verification is now enabled. When using conda to install packages from your platform channels, conda informs you of the signature status of the proposed packages by appending the following to trusted packages: 
(INFO: package metadata is signed by Anaconda and trusted)
If the signatures do not match, tampering may have occurred, and conda appends a warning to the package instead: 
(WARNING: metadata signature verification failed)
If no signatures are currently provided for a package (for example, if you are installing from third-party channels), the signature status message is not provided.
Example install command with signature verification enabled
(environment)   ~ conda install django

## Package Plan ##
    environment location: /home/s/miniconda3-av2
    added / updated specs:
        - django


The following packages will be downloaded:

    package                    |            build
    ---------------------------|-----------------
    asgiref-3.3.4              |     pyhd3eb1b0_0          24 KB
    django-3.2                 |     pyhd3eb1b0_0         3.1 MB
    krb5-1.17.1                |       h173b8e3_0         1.3 MB
    libpq-12.2                 |       h20c2e04_0         2.1 MB
    psycopg2-2.8.6             |   py38h3c74f83_1         160 KB
    pytz-2021.1                |     pyhd3eb1b0_0         181 KB
    sqlparse-0.4.1             |             py_0          35 KB
    ------------------------------------------------------------
                                        Total:         6.9 MB

The following NEW packages will be INSTALLED:

    asgiref       repo/main/noarch::asgiref-3.3.4-pyhd3eb1b0_0 (INFO: package metadata is signed by Anaconda and trusted)
    django        repo/main/noarch::django-3.2-pyhd3eb1b0_0 (INFO: package metadata is signed by Anaconda and trusted)
    krb5          repo/main/linux-64::krb5-1.17.1-h173b8e3_0 (INFO: package metadata is signed by Anaconda and trusted)
    libpq         repo/main/linux-64::libpq-12.2-h20c2e04_0 (INFO: package metadata is signed by Anaconda and trusted)
    psycopg2      repo/main/linux-64::psycopg2-2.8.6-py38h3c74f83_1 (INFO: package metadata is signed by Anaconda and trusted)
    pytz          repo/main/noarch::pytz-2021.1-pyhd3eb1b0_0 (INFO: package metadata is signed by Anaconda and trusted)
    sqlparse      repo/main/noarch::sqlparse-0.4.1-py_0 (INFO: package metadata is signed by Anaconda and trusted)

Disabling conda signature verification

To turn the feature off, you can adjust your conda configuration: 
conda config --set extra_safety_checks false

Package license information

Open-source licenses specify how packages can be used. While many licenses allow a broad range of usage, some are more restrictive, especially with respect to production environments. The following is a list of OSS licenses and links to further details:
Filter packages by license type when creating a channel policy to help govern package availability before license issues cause production issues. For more information, see Creating a policy.

Managing packages with the CLI

If you want to manage your packages using the CLI, see Anaconda Platform CLI.

Managing packages with the API

You can also use the API to perform various functions regarding package management. Access the API interface and view the API documentation by logging in as an administrator user, opening a new tab, and then navigating to http(s)://<FQDN>/swagger/ui, replacing <FQDN> with your Anaconda Platform fully qualified domain name. ​​The following is a list of available endpoints you can use to manage your packages in Anaconda Platform:

Viewing package details

GET /api/channels/<CHANNEL_NAME>/artifacts/<ARTIFACT_TYPE>/<ARTIFACT_NAME>
GET /api/channels/<CHANNEL_NAME>/artifacts/<ARTIFACT_TYPE>/<ARTIFACT_NAME>/readme
GET /api/channels/<CHANNEL_NAME>/artifacts/<ARTIFACT_TYPE>/<ARTIFACT_NAME>/cves
GET /api/channels/<CHANNEL_NAME>/artifacts/<ARTIFACT_TYPE>/<ARTIFACT_NAME>/files
GET /api/channels/<CHANNEL_NAME>/artifacts/<ARTIFACT_TYPE>/<ARTIFACT_NAME>/dependencies
GET /api/channels/<CHANNEL_NAME>/subchannels/<SUBCHANNEL_NAME>/artifacts/<ARTIFACT_TYPE>/<ARTIFACT_NAME>
GET /api/channels/<CHANNEL_NAME>/subchannels/<SUBCHANNEL_NAME>/artifacts/<ARTIFACT_TYPE>/<ARTIFACT_NAME>/readme
GET /api/channels/<CHANNEL_NAME>/subchannels/<SUBCHANNEL_NAME>/artifacts/<ARTIFACT_TYPE>/<ARTIFACT_NAME>/cves
GET /api/channels/<CHANNEL_NAME>/subchannels/<SUBCHANNEL_NAME>/artifacts/<ARTIFACT_TYPE>/<ARTIFACT_NAME>/files
GET /api/channels/<CHANNEL_NAME>/subchannels/<SUBCHANNEL_NAME>/artifacts/<ARTIFACT_TYPE>/<ARTIFACT_NAME>/dependencies

Deleting a package

DELETE /api/channels/<CHANNEL_NAME>/artifacts/<ARTIFACT_TYPE>/<ARTIFACT_NAME>
DELETE /api/channels/<CHANNEL_NAME>/subchannels/<SUBCHANNEL_NAME>/artifacts/<ARTIFACT_TYPE>/<ARTIFACT_NAME>