Release notes
The following notes are provided to help you understand the major changes made between releases, and therefore may not include minor bug fixes and updates.
Improvements
- Internal and cross-instance mirroring support has been enhanced, allowing for more flexible package management and distribution.
- Fixed a bug that caused pip installations to fail on packages containing underscores, dots, or uppercase letters by normalizing artifact names per PEP 503.
What’s new
- Introduced support for embedding real-time metadata about your packages in other applications using package badges.
- Added user interface controls for managing service accounts. This feature is now enabled by default, eliminating the need for administrators to configure it manually.
- Updated the CLI to include new commands for managing policies efficiently.
What’s newBug Fixes
- The UI has undergone a complete refresh to provide a more modern look and feel for a better experience.
- Policies have been added to the application as a replacement feature for mirror filters.
Existing mirror filters are automatically converted to policies when you upgrade!
- Fixed a bug that prevented users from creating subchannels with identical names in different channels via the UI.
- Fixed a bug that prevented system history search results from filtering properly.
- Upgrading to Package Security Manager (On-prem)
6.7.0from6.6.1or6.6.2requires administrators to manually addmanagepermissions for the policy-engine attribute to any existing roles in Keycloak (such asadmin) that should have access to policies.
What’s New
- Channel service accounts are now available, enabling programmatic interaction with your channels via CLI or API.
- Channels now support the upload and storage of general artifact files.
Improvements
- Notifications shown when a user generates a token now display until dismissed.
- Fixed an issue where the display limit on the groups page was capped at 100 groups, causing unintended problems when working with channels assigned to groups that exceeded this limit.
- Fixed an issue where the keycloak PUT api calls were removing optional user fields (firstName, lastName, email) if not specified in the call.
What’s New
- Audit reports for user package actions are now only generated if actions occurred within the reporting period.
- The base image has been updated from ubi 9.3-1552 to 9.3-1610 for the repo and repo-proxy containers.
- The base image of NGINX has been updated to the latest version 1.25.4.
- Keycloak has been updated to version 24.0.1.
- Cryptography has been updated to version 42.0.5.
- Orjson has been updated to version 3.9.15.
- Aiohttp has been updated to version 3.9.3.
What’s New
- The ability to view system metrics in Prometheus is now reserved to a specific user account that is established during installation or upgrade.
- A background job can now be established to automatically export all system events in either
.jsonor.csvformat.
- You can now filter channel CVEs by CVE Status and Score.
- If an OS-specific package has a noarch dependency, mirrors will now automatically include them.
- Postgres has been updated to version 14.9.
- A badge has been added alongside all package files that facilitates the download of a Software Bill Of Materials (SBOM) for the file, if one is available.
- Fixed several security vulnerabilities identified during penetration testing, increasing the overall security of the application.
- Package Security Manager now supports artifact types over 3GB in size.
Improvements
- Keycloak has been updated to version 22.0.5.
What’s new
- An audit trail has been added to channels so you can see which users are downloading packages from a channel, what those packages are, and if any vulnerabilities have been included along with them!
- A channel change log has been provided so you can see which packages are being added and removed from your channels and why.
- CVE Notifications are now available so you can stay on top of changes to CVEs that affect packages in your channel.
- New mirroring filters for CVE Status and CVE ID have been added. You can now allowlist CVEs by ID.
- A new option has been added to the mirror form that automatically includes dependencies for packages you have specified by name in the mirror filter.
- New UI has been implemented to improve the overall look and experience of Anaconda Server.
- Documentation has been refreshed.
- CVE status now displays in the package CVEs view.
- Fixed a bug that would cause artifact report downloads to error.
Improvements
- Keycloak has been upgraded to version 22.0.1.
- Fixed a bug that was affecting the Anaconda Server helm chart.
What’s new
- Support for external postgres and redis has been included in the Anaconda Server helm chart.
What’s new
- Grafana has been removed from the installer bundle. It is still optionally available for users who want to include it for their installation.
What’s new
- Admin users can now download user audit reports to view information about what packages their users are downloading, which channel they were downloaded from, and any CVEs that are associated with downloaded packages.
- Signature information is now available for packages that are sourced from Anaconda’s curated repository.
- Grafana dashboards are now available for end users to monitor the health of their Server installation.
- CVE metadata is now available for packages. A new tab is available on the packages page to display CVEs associated with files in the package.
- Notebooks can now be uploaded to a channel and downloaded by colleagues.
- You can now create full and partial mirrors of PyPI. Full PyPI mirrors must be passive, and you must freeze your channel prior to starting your mirror.
- CVE matching information is now available for packages mirrored from conda-forge.
- CVE information is available for a package’s dependencies as well as its dependents.
- UI improvements have been made to CVE information. A metadata view has been added and includes reviews of the CVE as well as references for the information presented in the CVE reviews.
- Loading times for CVEs has been improved by 100%.
- The base image has been updated to ubi 9 for the repo and repo-proxy containers.
- Keycloak has been updated to version 20.0.3 and has a new UI!
- Two new endpoints have been added to the API to provide more fine-grained control over blob cleanup and to diagnose issues with package blobs being removed in error.
- An event has been added to the history to note when a channel unfreeze is complete.
- Some documentation topics have been refreshed.
- Fixed a bug that allowed the blob cleanup script to incorrectly clear blobs that were associated with multiple channels and mirrors.
What’s new
- Stop and restart a mirror that is currently in progress from the Mirrors tab of a channel’s page or from the All Mirrors page.
- Conserve your CPU usage during mirroring by freezing your channel.
- View your software version by hovering your mouse over the Anaconda logo in the upper left corner of the dashboard.
- The SBOM mirror is now created as a passive mirror by default to reduce required storage space and improve overall performance. If you currently have an active SBOM mirror and want the improved performance of a passive SBOM mirror, you can delete your SBOM channel and mirror, navigate to your License page, and re-enter your license.
- Mirrors are now set to passive by default when being created.
- Instructions have been added to the documentation for viewing user login events using the Keycloak API.
- Fixed various minor bugs affecting the creation and editing of mirrors.
- Fixed a bug preventing the platform filter from being applied to mirror forms.
- Fixed a bug preventing a package’s Actions dropdown menu from correctly appearing.
- Fixed a bug that would cause edited conda mirrors to always filter out uncurated CVEs.
What’s new
- Test files that were being recognized as threats by third party security programs have been removed.
- The mirror time out duration has been increased to make mirroring of very large sources such as
conda-forgepossible.
- Minor bug fixes have been made to improve performance.
- On the Create mirror form, the delta between your current time zone and UTC is applied to the mirror’s scheduled run time. For example, if your time zone is UTC +2, you must set the frequency to occur at 03:00 if you want to run the mirror at 05:00.
What’s new
- The option to view or download a software bill of materials (SBOM) is now available for most packages.
- A Podman installer version is available for Anaconda Server for RHEL 8 users.
- You can now rebuild a channel’s package index from the Channel View.
- Keycloak has been upgraded to version 18.0.
- Documentation for installing Anaconda Server has been refreshed.
- Documentation for upgrading your version of Anaconda Server has been refreshed.
- Instructions for externalizing your instance of Postgres and Redis on Docker installations have been added.
- Setting the
no_proxyenvironment variable now allows Anaconda Server mirrors to bypass the proxy for specified repo URLs. - CVE loading times have been improved and now load up to 4x faster.
- Fixed a bug that hid the actions button on the subchannel view.
- Fixed a bug that prevented PyPI channels from migrating after enabling SSL.
- Fixed a bug that removed previously configured mirror filters when upgrading to a newer version of Anaconda Server.
- The SBOM mirror is interfering with CRAN package downloads.
What’s new
- Download CVE reports to learn about security exposures, vulnerabilities, and security compliance within your repository. The report downloads in
.csvfile format. - Filter your channel’s associated CVEs to locate and view specific CVE data.
- Use
conda-auditto scan your conda environment and show the vulnerabilities associated with your projects.
- There is a known issue with the CVE package filter that causes it to intermittently time out.
- The CVE filters are not properly restricting packages by score or name.
- Running a CVE report from the channel or subchannel view with filters applied does not apply set filters to your report.
- These problems are expected to be fixed in version 6.2.1 or 6.2.2.
- Instructions for the blob cleanup tool have been included to help you remove artifacts associated with deleted channels and free disc space.
- Anaconda Server will now notify you when you approach or exceed the limits of your license, or when your license is approaching or past its expiration date.
- The My Account dropdown menu now contains a scrollbar.
- CVEs are now listed in descending order of severity under the CVE tab of the My Channel view.
- The Mirroring Details view now shows percentage complete, has a visual indicator that a mirror is running, shows the full file path when mirroring from a subchannel, and accurately reflects the number of packages in the mirror source and in the channel.
- Users are now automatically logged out after 10 hours of inactivity.
- New commands have been added to the
conda repoCLI tool!- Use
conda repo cves --listto get a list of the latest CVEs. - Use
conda repo show --<CVE-name>to view details of a specific CVE.
- Use
- Fixed a bug that caused the search bar to return an error.
- The search bar no longer caches searches.
- Fixed a bug that returned CVEs when searching for packages using the search bar.
- Mirrors can now be successfully generated in a subchannel.
- Mirrors from deleted channels and subchannels no longer appear in the All Mirrors view.
- Deleting a mirror from the All Mirrors view now removes it from the list.
- Channels and subchannels now redirect properly when navigating from the All Mirrors view.
- Fixed a bug that prevented the User Interface (UI) from loading when the channel list is empty. Now the dashboard will load and show an empty channel column.
- The CVE loading indicator on the dashboard now properly shows in the CVE column only.
- The CVE channel no longer appears in the Anaconda Navigator interface.
- Subchannel mirrors now show their own privacy setting, not their parent channel’s privacy setting.
- The Mirroring Details view now shows the full file path when mirroring from a subchannel.
- Fixed a bug that caused the All Mirrors view to jump to the top of the screen every few seconds.
- Fixed a bug that caused the mirrors Settings view to disappear after a few seconds.
- Tooltips shown by hovering with the mouse no longer remain when the mouse moves away.
- Fixed a bug that restricted naming for new channels based on the names of channels that have been deleted. Now you can delete a channel and create another channel with the same name as the deleted channel.
- Non-administrator users who are promoted to administrator now have their updated permissions correctly reflected.
- Fixed a bug that forced you to refresh the Token Management view to receive tokens for a newly-uploaded environment or project.
- Notifications properly appear when a token is deleted to verify that the deletion process completed.
- Subchannel count in the My Channel view now updates as subchannels are created and deleted.
- Uploading packages to and moving packages between channels/subchannels now correctly modifies the file count shown on the Packages tab.
Bug Fixes
- Nginx has been moved to the unprivileged version of the 1.21.6 official image to allow non-root users to install Anaconda Server.
Improvements
- Nginx has been updated to version 1.21.6 (mainline) to close critical security vulnerabilities.
What’s new
- Anaconda Team Edition is now Anaconda Server!
- See mirror progress and results globally for all users from the new All Repository Mirrors view.
- This view is available to users whose role in Keycloak has the mirror attribute set to manage.
- View mirror status, which step is currently being performed, how long the mirror has been running, when it will complete, and the last time the state was updated.
- Get statistics about packages as your mirror populates; view which packages are active or passive and how many packages are being filtered out of your repositories due to license or CVE score restrictions.
- Commercial users and administrators can now access hosted miniconda client installers directly through Anaconda Server.
- Group permissions can now be changed directly from the group page.
- Fixed an issue that caused the disk usage by artifact value on the system page to report inaccurately.
- The CRAN mirror configuration page no longer contains duplicate fields for packages.
- Fixed an issue that killed the dispatcher container by consuming more than 8GB of RAM.
- Fixed an issue that caused all CVE artifacts to display the most recent update date when you upload or update any one CVE.
- Fixed an issue that caused the passive mirror counter to remain at 0 while synchronized.
- Fixed a bug that caused some packages to not be deleted if the mirror was deleted while in the running state.
What’s new
- Updated Anaconda Team Edition to meet Accessibility compliance
- Enabled an end-user to mirror, install, and upload CRAN packages in Windows environments
- Provided additional airgap functionality
- Improved the user experience with LDAP
- Refactored and Improved integration with Keycloak
- Ability to add certificates to Keycloak truststore for LDAP
- Added new platforms - Linux-ppc64, Linux-s390x, and osx-arm64
- Azure AD integration with Anaconda Team Edition
- Changed the wording from PyPI to standard python and CRAN to standard r
- Added type to mirror dropdown of standard python and standard r
- The user is now able to install packages from a sub-channel
- Airgap:
- Documentation on pulling down the package tarball on a schedule
- Automate the process for updating artifacts
- LDAP:
- Ability to link users that are assigned a group in Keycloak to the group in Anaconda Team Edition
- Admins can now grant channel access to groups to which they do not subscribe
- Admins can now increase or decrease permissions in a group
- Admins can now manage user access using LDAP groups
- Ability for a user to distinguish between an Anaconda Team Edition group and a group defined in Keycloak
- conda-repo-cli:
- Added conda-repo-cli
whoamicommand - Ability to set a certificate file post-install:
conda repo config --set ssl_verify cert.cer - Cleaner error messages
- Ability to display CVEs via CLI
- Improvements to help channel:
conda repo channel --help
- Added conda-repo-cli
- Keycloak: Store and manage users, groups, roles, and user-group relations directly in Keycloak
- Updated the ability to scroll on dependents and metadata tabs
- CVE score now displays a 0.0 when the CVE has a cleared or mitigated status
- Updated sorting on CVE tab to allow end-user to sort by channel and package
- The edit button is now enabled when a token name is edited
- Removed the need to refresh the page after adding a channel or subchannel to a group
- Checking the “select all” checkbox in a channel allows you to modify the channel’s packages rather than the channel itself
- Fixed package search latency issue and refresh problems
- CRAN:
- Licensing filtering - user can now use the exclude filter for license restriction
- Mirror to include binaries so that users can install libraries without each user having to (re)compile libraries
- CRAN mirror configuration page no longer duplicates package filter information
- LDAP: User count licensing limits user access
What’s new
- Customer’s now have the ability to install an air-gapped instance of Anaconda Team Edition
- Updated install preparation instructions
- Easy to self install
- Centralized location to pull updated packages and associated CVE metadata
- Updated the upgrade and restore path
- Improved the warning message when setting a future date in the mirror scheduling tool
- Deleted artifacts wiill no longer show up when customer is performing a search
- Improved CVE filtering
- Updated group role mapping with Active Directory integration for the admin role
- Improved the ability to add or update a license
- Improved mirror performance:
- Default to monthly schedule
- Default to active mirror
- Updated edit function to ensure all current fields are available when editing
- Corrected the double package format of .conda and .tar.bz2
- Group create button is now active when initiating a group
- Notification now appears when you delete a token
- No longer receive multiple notifications on mirror deletion
- Searching for a package now displays current package information
- Tokens now grant only specific access
- Mirror event history is displaying current status
- conda-repo cli help now display correct help instructions
What’s new
- Ability to mirror from another installation of Team Edition via https.
- Ability to upgrade Team Edition and maintain current settings and filters.
- Role Mapping: when additional roles are added to User Management, Admin is able to restrict or add additional permissions to the end user.
- Ability to mirror from repo.anaconda.cloud.
- Ability to move, copy, and delete artifacts within a package.
- Easily upgrade a license key from the Admin user’s UI dashboard
- Improved the support and documentation for custom certificates.
- Mirror frequency and performance issues.
- When you remove a subdirectory, it is removed from the package artifact list upon updating the mirror.
- Added notification that frequency is in UTC time.
- CVE improvements:
- CVEs are now updating in Team Edition every 4 hours to align with NIST.
- All CVEs have the correct status for reporting (Reported or Anaconda Curated: Active, Cleared, Mitigated, or Disputed).
- Ability to filter by CVE status (Reported or Anaconda Curated: Active, Cleared, Mitigated, or Disputed).
- Display the CVE date as shown by NIST for Published and Modified.
- Display the date Anaconda curated the CVE.
- Dashboard now displays the correct package count for a channel.
- An error duing customer logout experience with Team Edition was caused by a miscommunication between web socket and callback endpoint API.
- Sorting in channels not working as expected.
- Ability to sort all pages of package artifacts by Size, Version, Last Updated, and Platform.
- Ability to sort packages based on Name.
- Issues with conda repo functionality for conda repo channel copy and conda repo upload options have been fixed.
- Index of cache on Team Edition related to If-Modified-Since header has been fixed.
- API to trigger on channel index refresh lead to displaying inconsistent information between the channel and actual artifacts in the channel.
What’s New
- CVEs will be automatically fed to and updated on the Team Edition dashboard, so you no longer have to mirror them.
- CVEs will now be pulled down from NIST and listed as Reported (not curated).
- CVEs that are curated by Anaconda will now be designated with a checkmark and a label defining the stage of curation.
- You can now search for CVEs in the search bar at the top of Team Edition (Admin only).
- CVEs are displayed using an algorithm. When one or more CVEs are associated with a package, the score that is displayed is based on the highest score and risk state of a CVE for each file.
- Clicking on the number of CVEs related to a package file will show a CVE listing view.
- The number of unique CVEs for a package is displayed at the package level.
- When viewing files in a package, the appropriate CVE score (or N/A) will be displayed based on the number of CVEs and severity.
- The metadata will now display all the CVEs score information.
- All the packages affected by a CVE will be associated with that CVE.
- Each CVE status can be seen by clicking on “info” icons and viewing meta information.
- It is now more clear that the CVE number is a clickable link.
- There is greater distinction between Anaconda curated and non-curated CVEs via a checkbox selection.
- More than two mirrors can now be run at the same time.
- The hierarchy for mirroring filters has been corrected; now, if a package is added to both “include” and “exclude,” the package will be excluded.
- System metering (Prometheus) is now showing up properly.
- Admins can now update user roles and create custom roles.