Frequently asked questions
How is Package Security Manager (On-prem) different from other software repositories?
Package Security Manager is built with the data scientist in mind! It is designed to manage data science and machine learning packages within channels, and outperforms other repositories in terms of secure data science due to its conda-native platform, which is maintained by the builders of conda packages. Anaconda scans each package for malware, then works the package through an extensive and well-established curation process. This means Anaconda knows exactly what’s inside our packages, so we can more accurately match common vulnerability and exposure (CVE) data to build artifacts than anyone else. Our CVE score information is also more up to date. We know when patches are implemented between releases. Anaconda also links dependency trees to CVE scores, and provides package metadata you can trust.
How do I manage security and control access to packages?
Access to Package Security Manager, channels, and packages is controlled through groups and roles. User access and identity management is controlled via Keycloak.
Control the risk level of packages available to your users by applying mirror filters to remove unsafe or undesired packages. Filter packages based on their CVE score, license type, platform type, version, package name, and more! Filter exceptions are also available for mirrors, so you can still get packages that would otherwise be removed by a filter.
How do I find a package once it’s uploaded to my organization’s repository?
Package Security Manager’s search feature looks for occurrences of your package across the entire system, for every channel you have access to. Once your package is uploaded, type its name into the search feature to find it.
Can Anaconda ensure that my packages are always available?
Because Package Security Manager is an on-premise repository, the maintenance and uptime of your Package Security Manager is completely dependent upon your IT infrastructure and system administrators.
What are the minimum requirements for installation?
For information on minimum installation requirements, see environment preparation.
What is a standard network?
A standard network is any network that can connect to another network (such as the Internet).
What is an air-gapped network?
An air-gapped network is any network that is physically isolated from any other networks. You can still use Package Security Manager on an air-gapped network.
How do I update my packages and CVEs on an air-gapped network?
Anaconda provides .zip files through Amazon Simple Storage Service (S3) buckets. You can download the files you need on a workstation that has access to the Internet, place the .zip files on a portable storage device, and then move them to a workstation on the air-gapped network.
Once the files are on your air-gapped network, run the following commands to move them into the correct location:
Note
The file path here uses the default path of anaconda/repo/airgap as the storage location for CVEs. It is possible that your file path may be different, but the concept is the same. Use the mv command to place the files in the correct directory.
mv conda_main_airgap.zip /opt/anaconda/repo/airgap/
mv cve.zip /opt/anaconda/repo/airgap/
Your network will synchronize the next time your mirror runs. You can run a mirror at any time to force a synchronization.
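The transfer described above, with a hash check placed in front of the mv step. This is an added example, not Anaconda tooling; the manifest name airgap.sha256, the function names and the AIRGAP_DIR override are assumptions, while the archive names and destination come from the commands above.

```shell
#!/bin/sh
# Added example: integrity-checked hand-off of air-gap update archives.
# Archive names and destination are from the FAQ; everything else is assumed.
AIRGAP_DIR="${AIRGAP_DIR:-/opt/anaconda/repo/airgap}"
MANIFEST="airgap.sha256"                      # hypothetical manifest name
ARCHIVES="conda_main_airgap.zip cve.zip"

# Connected workstation: record hashes in the download directory
# before the files are copied to portable storage.
make_manifest() {
    ( cd "$1" && sha256sum $ARCHIVES > "$MANIFEST" )
}

# Air-gapped workstation: move the archives only if every one of them
# is listed in the manifest and matches its recorded hash.
install_updates() {
    src="$1"
    [ -f "$src/$MANIFEST" ] || { echo "missing $MANIFEST" >&2; return 2; }
    [ -d "$AIRGAP_DIR" ] || { echo "missing $AIRGAP_DIR" >&2; return 2; }
    for f in $ARCHIVES; do
        # A manifest that omits an archive would otherwise verify cleanly.
        grep -Eq "^[0-9a-f]{64} [ *]$f\$" "$src/$MANIFEST" ||
            { echo "$f not listed in $MANIFEST" >&2; return 1; }
    done
    if ! ( cd "$src" && sha256sum -c "$MANIFEST" >/dev/null 2>&1 ); then
        echo "hash mismatch: nothing moved" >&2
        return 1
    fi
    for f in $ARCHIVES; do
        mv "$src/$f" "$AIRGAP_DIR/" || return 3
    done
}

# Usage: script manifest <download-dir> | script install <media-dir>
case "${1:-}" in
    manifest) make_manifest "$2" ;;
    install)  install_updates "$2" ;;
esac
```

A manifest carried on the same device as the archives only catches corruption in transit; to detect tampering, bring the manifest or its hash across by a separate route and compare before installing.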
How do I access the AWS S3 bucket to get updates for my packages?
You must first provide Anaconda with the IP address of the machine you are going to use to download files. Anaconda allowlists that IP address, granting it access to download files whenever you need.
How often are Packages and CVEs updated?
For standard networks, packages are updated every time your mirror runs, and CVEs are automatically brought into the system and updated hourly.
For air-gapped networks, Anaconda provides updated .zip files for packages monthly, and CVE .zip files are updated daily.
How are CVEs monitored?
For standard network implementations of Package Security Manager, a CVE mirror is created and automatically brought into your system when you enter your license. This mirror pulls from the Anaconda repository and updates itself every hour, ensuring your CVE information is current.
For air-gapped network implementations of Package Security Manager, you’ll need to download the CVE tarball on a nightly basis and apply the updated information to your repository. See How do I update my packages and CVEs on an air-gapped network?.
For more information about CVEs, see Common Vulnerabilities and Exposures (CVEs).
Does Package Security Manager update its own software?
Package Security Manager requires manual updates. For more information, see Upgrading Package Security Manager (On-prem).
Can I integrate my Active Directory or LDAP identity server?
Yes! You can connect your instance of Package Security Manager to your external identity server and import a federated user base for Package Security Manager. For more information, see Establishing an LDAP connection.
How does Package Security Manager track which users are accessing the repository?
Anaconda is currently developing a tool to assist administrators in tracking who is accessing their repositories and what is being downloaded from them.
Does Package Security Manager include signed packages?
You can mirror the Anaconda channels from your Anaconda Business organization to include the package signature information in your Package Security Manager repository.
Can I mirror conda-forge into Package Security Manager?
Speak with your implementation engineer if you are thinking about mirroring conda-forge into Package Security Manager. While this is technically possible, it requires a more robust hardware setup.