Anaconda maintains the following security and provenance/chain-of-custody practices:
- The engineers whose purpose is to build and maintain the Anaconda Distribution have curated the packages contained within based on their relevance to the data science community. These open-source packages are vetted for their widespread adoption and community support, which allows any security vulnerabilities to be addressed quickly and completely in a transparent manner.
- Source code and built artifacts are maintained with strict chain-of-control and are built, scanned, and hashed on a separate secure network within Anaconda. Only a small number of developers and IT team members have access to this network and the associated servers.
- All versions of the Anaconda Distribution and all packages that are made available at https://repo.anaconda.com/ have published SHA256 checksums. We recommend you verify your install.
- A Quality Assurance team performs exhaustive testing on each release of Anaconda and Miniconda, including all installers and packages. This includes the use of multiple commercial anti-malware products, as well as custom in-house security tools, for all supported operating systems - Windows, macOS, and Linux. When there are issues, they are followed up on for remediation or noted in the documentation.
- Anaconda maintains a team of IT leaders that works with software engineers to monitor all active security events through various channels of information, which results in fast response times and, whenever necessary, direct communication to our customers through Customer Support.
- Developers use controlled machines with the latest security patches.
- Especially security-minded customers may implement the functionality of the Anaconda Repository as part of an Anaconda Enterprise subscription to only allow a small set of packages to come onto their site at their control and block all others from entering their network. Due to the open-source nature of the enclosed packages, they may perform advanced code reviews or other associated activities to ensure their desired level of risk management and/or compliance.