Release notes
The following notes are provided to help you understand the major changes made between releases, and therefore may not include minor bug fixes and updates.
Package Security Manager (On-prem) 6.7.0
Released October 23, 2024
What’s new
The UI has undergone a complete refresh to provide a more modern look and feel for a better experience.
Policies have been added to the application as a replacement feature for mirror filters.
Note
Existing mirror filters are automatically converted to policies when you upgrade!
Bug Fixes
Fixed a bug that prevented users from creating subchannels with identical names in different channels via the UI.
Fixed a bug that prevented system history search results from filtering properly.
Known Issues
Upgrading to Package Security Manager (On-prem) 6.7.0 from 6.6.1 or 6.6.2 requires administrators to manually add manage permissions for the policy-engine attribute to any existing roles in Keycloak (such as admin) that should have access to policies.
Package Security Manager (On-prem) 6.6.5
Released September 26, 2024
What’s New
Channel service accounts are now available, enabling programmatic interaction with your channels via CLI or API.
Channels now support the upload and storage of general artifact files.
Package Security Manager (On-prem) 6.6.4
Released May 21, 2024
Improvements
Notifications shown when a user generates a token now display until dismissed.
Fixed an issue where the display limit on the groups page was capped at 100 groups, causing unintended problems when working with channels assigned to groups that exceeded this limit.
Fixed an issue where the Keycloak PUT API calls were removing optional user fields (firstName, lastName, email) if not specified in the call.
Package Security Manager (On-prem) 6.6.3
Released April 10, 2024
What’s New
Audit reports for user package actions are now only generated if actions occurred within the reporting period.
Improvements
The base image has been updated from ubi 9.3-1552 to 9.3-1610 for the repo and repo-proxy containers.
The base image of NGINX has been updated to the latest version 1.25.4.
Keycloak has been updated to version 24.0.1.
Cryptography has been updated to version 42.0.5.
Orjson has been updated to version 3.9.15.
Aiohttp has been updated to version 3.9.3.
Package Security Manager (On-prem) 6.6.2
Released February 13, 2024
What’s New
The ability to view system metrics in Prometheus is now reserved to a specific user account that is established during installation or upgrade.
A background job can now be established to automatically export all system events in either .json or .csv format.
Improvements
You can now filter channel CVEs by CVE Status and Score.
If an OS-specific package has a noarch dependency, mirrors will now automatically include them.
Postgres has been updated to version 14.9.
A badge has been added alongside all package files that facilitates the download of a Software Bill Of Materials (SBOM) for the file, if one is available.
Fixed several security vulnerabilities identified during penetration testing, increasing the overall security of the application.
Package Security Manager now supports artifact types over 3GB in size.
Anaconda Server 6.6.1
Released November 3, 2023
Improvements
Keycloak has been updated to version 22.0.5.
Anaconda Server 6.6.0
Released October 27, 2023
What’s new
An audit trail has been added to channels so you can see which users are downloading packages from a channel, what those packages are, and if any vulnerabilities have been included along with them!
A channel change log has been provided so you can see which packages are being added and removed from your channels and why.
CVE Notifications are now available so you can stay on top of changes to CVEs that affect packages in your channel.
New mirroring filters for CVE Status and CVE ID have been added. You can now allowlist CVEs by ID.
A new option has been added to the mirror form that automatically includes dependencies for packages you have specified by name in the mirror filter.
New UI has been implemented to improve the overall look and experience of Anaconda Server.
Documentation has been refreshed.
Improvements
CVE status now displays in the package CVEs view.
Bug Fixes
Fixed a bug that would cause artifact report downloads to error.
Anaconda Server 6.5.3
Released September 12, 2023
Improvements
Keycloak has been upgraded to version 22.0.1.
Bug fixes
Fixed a bug that was affecting the Anaconda Server helm chart.
Anaconda Server 6.5.2
Released August 21, 2023
What’s new
Support for external postgres and redis has been included in the Anaconda Server helm chart.
Anaconda Server 6.5.1
Released August 9, 2023
What’s new
Grafana has been removed from the installer bundle. It is still optionally available for users who want to include it for their installation.
Anaconda Server 6.5.0
Released July 24, 2023
What’s new
Admin users can now download user audit reports to view information about what packages their users are downloading, which channel they were downloaded from, and any CVEs that are associated with downloaded packages.
Signature information is now available for packages that are sourced from Anaconda’s curated repository.
Grafana dashboards are now available for end users to monitor the health of their Server installation.
CVE metadata is now available for packages. A new tab is available on the packages page to display CVEs associated with files in the package.
Notebooks can now be uploaded to a channel and downloaded by colleagues.
Improvements
You can now create full and partial mirrors of PyPI. Full PyPI mirrors must be passive, and you must freeze your channel prior to starting your mirror.
CVE matching information is now available for packages mirrored from conda-forge.
CVE information is available for a package’s dependencies as well as its dependents.
UI improvements have been made to CVE information. A metadata view has been added and includes reviews of the CVE as well as references for the information presented in the CVE reviews.
Loading times for CVEs have been improved by 100%.
The base image has been updated to ubi 9 for the repo and repo-proxy containers.
Keycloak has been updated to version 20.0.3 and has a new UI!
Two new endpoints have been added to the API to provide more fine-grained control over blob cleanup and to diagnose issues with package blobs being removed in error.
An event has been added to the history to note when a channel unfreeze is complete.
Some documentation topics have been refreshed.
Bug Fixes
Fixed a bug that allowed the blob cleanup script to incorrectly clear blobs that were associated with multiple channels and mirrors.
Anaconda Server 6.4.0
Released February 15, 2023
What’s new
Stop and restart a mirror that is currently in progress from the Mirrors tab of a channel’s page or from the All Mirrors page.
Conserve your CPU usage during mirroring by freezing your channel.
View your software version by hovering your mouse over the Anaconda logo in the upper left corner of the dashboard.
Improvements
The SBOM mirror is now created as a passive mirror by default to reduce required storage space and improve overall performance. If you currently have an active SBOM mirror and want the improved performance of a passive SBOM mirror, you can delete your SBOM channel and mirror, navigate to your License page, and re-enter your license.
Mirrors are now set to passive by default when being created.
Instructions have been added to the documentation for viewing user login events using the Keycloak API.
Bug Fixes
Fixed various minor bugs affecting the creation and editing of mirrors.
Fixed a bug preventing the platform filter from being applied to mirror forms.
Fixed a bug preventing a package’s Actions dropdown menu from correctly appearing.
Fixed a bug that would cause edited conda mirrors to always filter out uncurated CVEs.
Anaconda Server 6.3.1
Released November 23, 2022
What’s new
Test files that were being recognized as threats by third party security programs have been removed.
The mirror timeout duration has been increased to make mirroring of very large sources such as conda-forge possible.
Improvements
Minor bug fixes have been made to improve performance.
Known Issues
On the Create mirror form, the delta between your current time zone and UTC is applied to the mirror’s scheduled run time. For example, if your time zone is UTC +2, you must set the frequency to occur at 03:00 if you want to run the mirror at 05:00.
Anaconda Server 6.3.0
Released October 19, 2022
What’s new
The option to view or download a software bill of materials (SBOM) is now available for most packages.
A Podman installer version is available for Anaconda Server for RHEL 8 users.
You can now rebuild a channel’s package index from the Channel View.
Improvements
Keycloak has been upgraded to version 18.0.
Documentation for installing Anaconda Server has been refreshed.
Documentation for upgrading your version of Anaconda Server has been refreshed.
Instructions for externalizing your instance of Postgres and Redis on Docker installations have been added.
Setting the no_proxy environment variable now allows Anaconda Server mirrors to bypass the proxy for specified repo URLs.
CVE loading times have been improved and now load up to 4x faster.
Bug Fixes
Fixed a bug that hid the actions button on the subchannel view.
Fixed a bug that prevented PyPI channels from migrating after enabling SSL.
Fixed a bug that removed previously configured mirror filters when upgrading to a newer version of Anaconda Server.
Known Issues
The SBOM mirror is interfering with CRAN package downloads.
Anaconda Server 6.2.0
Released June 28, 2022
What’s new
Download CVE reports to learn about security exposures, vulnerabilities, and security compliance within your repository. The report downloads in .csv file format.
Filter your channel’s associated CVEs to locate and view specific CVE data.
Use conda-audit to scan your conda environment and show the vulnerabilities associated with your projects.
Known Issues
There is a known issue with the CVE package filter that causes it to intermittently time out.
The CVE filters are not properly restricting packages by score or name.
Running a CVE report from the channel or subchannel view with filters applied does not apply set filters to your report.
These problems are expected to be fixed in version 6.2.1 or 6.2.2.
Improvements
Instructions for the blob cleanup tool have been included to help you remove artifacts associated with deleted channels and free disc space.
Anaconda Server will now notify you when you approach or exceed the limits of your license, or when your license is approaching or past its expiration date.
The My Account dropdown menu now contains a scrollbar.
CVEs are now listed in descending order of severity under the CVE tab of the My Channel view.
The Mirroring Details view now shows percentage complete, has a visual indicator that a mirror is running, shows the full file path when mirroring from a subchannel, and accurately reflects the number of packages in the mirror source and in the channel.
Users are now automatically logged out after 10 hours of inactivity.
- New commands have been added to the conda repo CLI tool!
Use conda repo cves --list to get a list of the latest CVEs.
Use conda repo show --<CVE-name> to view details of a specific CVE.
Bug fixes
Fixed a bug that caused the search bar to return an error.
The search bar no longer caches searches.
Fixed a bug that returned CVEs when searching for packages using the search bar.
Mirrors can now be successfully generated in a subchannel.
Mirrors from deleted channels and subchannels no longer appear in the All Mirrors view.
Deleting a mirror from the All Mirrors view now removes it from the list.
Channels and subchannels now redirect properly when navigating from the All Mirrors view.
Fixed a bug that prevented the User Interface (UI) from loading when the channel list is empty. Now the dashboard will load and show an empty channel column.
The CVE loading indicator on the dashboard now properly shows in the CVE column only.
The CVE channel no longer appears in the Anaconda Navigator interface.
Subchannel mirrors now show their own privacy setting, not their parent channel’s privacy setting.
The Mirroring Details view now shows the full file path when mirroring from a subchannel.
Fixed a bug that caused the All Mirrors view to jump to the top of the screen every few seconds.
Fixed a bug that caused the mirrors Settings view to disappear after a few seconds.
Tooltips shown by hovering with the mouse no longer remain when the mouse moves away.
Fixed a bug that restricted naming for new channels based on the names of channels that have been deleted. Now you can delete a channel and create another channel with the same name as the deleted channel.
Non-administrator users who are promoted to administrator now have their updated permissions correctly reflected.
Fixed a bug that forced you to refresh the Token Management view to receive tokens for a newly-uploaded environment or project.
Notifications properly appear when a token is deleted to verify that the deletion process completed.
Subchannel count in the My Channel view now updates as subchannels are created and deleted.
Uploading packages to and moving packages between channels/subchannels now correctly modifies the file count shown on the Packages tab.
Anaconda Server 6.1.9
Released May 25, 2022
Bug Fixes
Nginx has been moved to the unprivileged version of the 1.21.6 official image to allow non-root users to install Anaconda Server.
Anaconda Server 6.1.8
Released April 27, 2022
Improvements
Nginx has been updated to version 1.21.6 (mainline) to close critical security vulnerabilities.
Anaconda Server 6.1.7
Released March 31, 2022
What’s new
Anaconda Team Edition is now Anaconda Server!
- See mirror progress and results globally for all users from the new All Repository Mirrors view.
This view is available to users whose role in Keycloak has the mirror attribute set to manage.
View mirror status, which step is currently being performed, how long the mirror has been running, when it will complete, and the last time the state was updated.
Get statistics about packages as your mirror populates; view which packages are active or passive and how many packages are being filtered out of your repositories due to license or CVE score restrictions.
Commercial users and administrators can now access hosted miniconda client installers directly through Anaconda Server.
Improvements
Group permissions can now be changed directly from the group page.
Bug Fixes
Fixed an issue that caused the disk usage by artifact value on the system page to report inaccurately.
The CRAN mirror configuration page no longer contains duplicate fields for packages.
Fixed an issue that killed the dispatcher container by consuming more than 8GB of RAM.
Fixed an issue that caused all CVE artifacts to display the most recent update date when you upload or update any one CVE.
Fixed an issue that caused the passive mirror counter to remain at 0 while synchronized.
Fixed a bug that caused some packages to not be deleted if the mirror was deleted while in the running state.
Anaconda Team Edition 6.1.6
Released February 24, 2022
What’s new
Updated Anaconda Team Edition to meet Accessibility compliance
Enabled an end-user to mirror, install, and upload CRAN packages in Windows environments
Provided additional airgap functionality
Improved the user experience with LDAP
Refactored and Improved integration with Keycloak
Ability to add certificates to Keycloak truststore for LDAP
Improvements
Added new platforms - Linux-ppc64, Linux-s390x, and osx-arm64
Azure AD integration with Anaconda Team Edition
Changed the wording from PyPI to standard python and CRAN to standard r
Added type to mirror dropdown of standard python and standard r
The user is now able to install packages from a sub-channel
- Airgap:
Documentation on pulling down the package tarball on a schedule
Automate the process for updating artifacts
- LDAP:
Ability to link users that are assigned a group in Keycloak to the group in Anaconda Team Edition
Admins can now grant channel access to groups to which they do not subscribe
Admins can now increase or decrease permissions in a group
Admins can now manage user access using LDAP groups
Ability for a user to distinguish between an Anaconda Team Edition group and a group defined in Keycloak
- conda-repo-cli:
Added conda-repo-cli whoami command
Ability to set a certificate file post-install: conda repo config --set ssl_verify cert.cer
Cleaner error messages
Ability to display CVEs via CLI
Improvements to help channel: conda repo channel --help
Keycloak: Store and manage users, groups, roles, and user-group relations directly in Keycloak
Bug fixes
Updated the ability to scroll on dependents and metadata tabs
CVE score now displays a 0.0 when the CVE has a cleared or mitigated status
Updated sorting on CVE tab to allow end-user to sort by channel and package
The edit button is now enabled when a token name is edited
Removed the need to refresh the page after adding a channel or subchannel to a group
Checking the “select all” checkbox in a channel allows you to modify the channel’s packages rather than the channel itself
Fixed package search latency issue and refresh problems
- CRAN:
Licensing filtering - user can now use the exclude filter for license restriction
Mirror to include binaries so that users can install libraries without each user having to (re)compile libraries
CRAN mirror configuration page no longer duplicates package filter information
LDAP: User count licensing limits user access
Anaconda Team Edition 6.1.5
Released October 1, 2021
What’s new
- Customers now have the ability to install an airgapped instance of Anaconda Team Edition
Updated install preparation instructions
Easy to self install
Centralized location to pull updated packages and associated CVE metadata
Updated the upgrade and restore path
Improvements
Improved the warning message when setting a future date in the mirror scheduling tool
Deleted artifacts will no longer show up when a customer is performing a search
Improved CVE filtering
Updated group role mapping with Active Directory integration for the admin role
Improved the ability to add or update a license
- Improved mirror performance:
Default to monthly schedule
Default to active mirror
Updated edit function to ensure all current fields are available when editing
Corrected the double package format of .conda and .tar.bz2
Bug fixes
Group create button is now active when initiating a group
Notification now appears when you delete a token
No longer receive multiple notifications on mirror deletion
Searching for a package now displays current package information
Tokens now grant only specific access
Mirror event history is displaying current status
conda-repo cli help now displays correct help instructions
Anaconda Team Edition 6.1.4
Released February 4, 2021
What’s new
Ability to mirror from another installation of Team Edition via https.
Ability to upgrade Team Edition and maintain current settings and filters.
Role Mapping: when additional roles are added to User Management, Admin is able to restrict or add additional permissions to the end user.
Ability to mirror from repo.anaconda.cloud.
Ability to move, copy, and delete artifacts within a package.
Easily upgrade a license key from the Admin user’s UI dashboard
Improvements
Improved the support and documentation for custom certificates.
Mirror frequency and performance issues.
When you remove a subdirectory, it is removed from the package artifact list upon updating the mirror.
Added notification that frequency is in UTC time.
- CVE improvements:
CVEs are now updating in Team Edition every 4 hours to align with NIST.
All CVEs have the correct status for reporting (Reported or Anaconda Curated: Active, Cleared, Mitigated, or Disputed).
Ability to filter by CVE status (Reported or Anaconda Curated: Active, Cleared, Mitigated, or Disputed).
Display the CVE date as shown by NIST for Published and Modified.
Display the date Anaconda curated the CVE.
Bug fixes
Dashboard now displays the correct package count for a channel.
An error during the customer logout experience with Team Edition was caused by a miscommunication between web socket and callback endpoint API.
Sorting in channels not working as expected.
Ability to sort all pages of package artifacts by Size, Version, Last Updated, and Platform.
Ability to sort packages based on Name.
Issues with conda repo functionality for conda repo channel copy and conda repo upload options have been fixed.
Index of cache on Team Edition related to If-Modified-Since header has been fixed.
API to trigger on channel index refresh led to displaying inconsistent information between the channel and actual artifacts in the channel.
Anaconda Team Edition 6.1.3
Released August 10, 2020
What’s New
CVEs will be automatically fed to and updated on the Team Edition dashboard, so you no longer have to mirror them.
CVEs will now be pulled down from NIST and listed as Reported (not curated).
CVEs that are curated by Anaconda will now be designated with a checkmark and a label defining the stage of curation.
You can now search for CVEs in the search bar at the top of Team Edition (Admin only).
CVEs are displayed using an algorithm. When one or more CVEs are associated with a package, the score that is displayed is based on the highest score and risk state of a CVE for each file.
Clicking on the number of CVEs related to a package file will show a CVE listing view.
The number of unique CVEs for a package is displayed at the package level.
When viewing files in a package, the appropriate CVE score (or N/A) will be displayed based on the number of CVEs and severity.
The metadata will now display all the CVEs score information.
All the packages affected by a CVE will be associated with that CVE.
Improvements
Each CVE status can be seen by clicking on “info” icons and viewing meta information.
It is now more clear that the CVE number is a clickable link.
There is greater distinction between Anaconda curated and non-curated CVEs via a checkbox selection.
More than two mirrors can now be run at the same time.
Bug fixes
The hierarchy for mirroring filters has been corrected; now, if a package is added to both “include” and “exclude,” the package will be excluded.
System metering (Prometheus) is now showing up properly.
Admins can now update user roles and create custom roles.