Release notes

What’s new

• Test files that were being recognized as threats by third party security programs have been removed.
• The mirror time out duration has been increased to make mirroring of very large sources such as conda-forge possible.

Improvements

• Minor bug fixes have been made to improve performance.

Known Issues

• On the Create mirror form, the delta between your current time zone and UTC is applied to the mirror’s scheduled run time. For example, if your time zone is UTC +2, you must set the frequency to occur at 03:00 if you want to run the mirror at 05:00.

What’s new

• The option to view or download a software bill of materials (SBOM) is now available for most packages.
• A Podman installer version is available for Anaconda Server for RHEL 8 users.
• You can now rebuild a channel’s package index from the Channel View.

Improvements

• Keycloak has been upgraded to version 18.0.
• Documentation for installing Anaconda Server has been refreshed.
• Documentation for upgrading your version of Anaconda Server has been refreshed.
• Instructions for externalizing your instance of Postgres and Redis on Docker installations have been added.
• Setting the no_proxy environment variable now allows Anaconda Server mirrors to bypass the proxy for specified repo URLs.
• CVE loading times have been improved and now load up to 4x faster.

Bug Fixes

• Fixed a bug that hid the actions button on the subchannel view.
• Fixed a bug that prevented PyPI channels from migrating after enabling SSL.
• Fixed a bug that removed previously configured mirror filters when upgrading to a newer version of Anaconda Server.

Known Issues

• The SBOM mirror is interfering with CRAN package downloads.

What’s new

• Download CVE reports to learn about security exposures, vulnerabilities, and security compliance within your repository. The report downloads in .csv file format.
• Filter your channel’s associated CVEs to locate and view specific CVE data.
• Use conda-audit to scan your conda environment and show the vulnerabilities associated with your projects.

Known Issues

• There is a known issue with the CVE package filter that causes it to intermittently time out.
• The CVE filters are not properly restricting packages by score or name.
• Running a CVE report from the channel or subchannel view with filters applied does not apply set filters to your report.
• These problems are expected to be fixed in version 6.2.1 or 6.2.2.

Improvements

• Instructions for the blob cleanup tool have been included to help you remove artifacts associated with deleted channels and free disc space.
• Anaconda Server will now notify you when you approach or exceed the limits of your license, or when your license is approaching or past its expiration date.
• The My Account dropdown menu now contains a scrollbar.
• CVEs are now listed in descending order of severity under the CVE tab of the My Channel view.
• The Mirroring Details view now shows percentage complete, has a visual indicator that a mirror is running, shows the full file path when mirroring from a subchannel, and accurately reflects the number of packages in the mirror source and in the channel.
• Users are now automatically logged out after 10 hours of inactivity.
• New commands have been added to the conda repo CLI tool!
  • Use conda repo cves --list to get a list of the latest CVEs.
  • Use conda repo show --<CVE-name> to view details of a specific CVE.

Bug fixes

• Fixed a bug that caused the search bar to return an error.
• The search bar no longer caches searches.
• Fixed a bug that returned CVEs when searching for packages using the search bar.
• Mirrors can now be successfully generated in a subchannel.
• Mirrors from deleted channels and subchannels no longer appear in the All Mirrors view.
• Deleting a mirror from the All Mirrors view now removes it from the list.
• Channels and subchannels now redirect properly when navigating from the All Mirrors view.
• Fixed a bug that prevented the User Interface (UI) from loading when the channel list is empty. Now the dashboard will load and show an empty channel column.
• The CVE loading indicator on the dashboard now properly shows in the CVE column only.
• The CVE channel no longer appears in the Anaconda Navigator interface.
• Subchannel mirrors now show their own privacy setting, not their parent channel’s privacy setting.
• The Mirroring Details view now shows the full file path when mirroring from a subchannel.
• Fixed a bug that caused the All Mirrors view to jump to the top of the screen every few seconds.
• Fixed a bug that caused the mirrors Settings view to disappear after a few seconds.
• Tooltips shown by hovering with the mouse no longer remain when the mouse moves away.
• Fixed a bug that restricted naming for new channels based on the names of channels that have been deleted. Now you can delete a channel and create another channel with the same name as the deleted channel.
• Non-administrator users who are promoted to administrator now have their updated permissions correctly reflected.
• Fixed a bug that forced you to refresh the Token Management view to receive tokens for a newly-uploaded environment or project.
• Notifications properly appear when a token is deleted to verify that the deletion process completed.
• Subchannel count in the My Channel view now updates as subchannels are created and deleted.
• Uploading packages to and moving packages between channels/subchannels now correctly modifies the file count shown on the Packages tab.

Bug Fixes

• Nginx has been moved to the unprivileged version of the 1.21.6 official image to allow non-root users to install Anaconda Server.

Improvements

• Nginx has been updated to version 1.21.6 (mainline) to close critical security vulnerabilities.

What’s new

• Anaconda Team Edition is now Anaconda Server!
• See mirror progress and results globally for all users from the new All Repository Mirrors view.
  • This view is available to users whose role in Keycloak has the mirror attribute set to manage.
  • View mirror status, which step is currently being performed, how long the mirror has been running, when it will complete, and the last time the state was updated.
  • Get statistics about packages as your mirror populates; view which packages are active or passive and how many packages are being filtered out of your repositories due to license or CVE score restrictions.
• Commercial users and administrators can now access hosted miniconda client installers directly through Anaconda Server.

Improvements

• Group permissions can now be changed directly from the group page.

Bug Fixes

• Fixed an issue that caused the disk usage by artifact value on the system page to report inaccurately.
• The CRAN mirror configuration page no longer contains duplicate fields for packages.
• Fixed an issue that killed the dispatcher container by consuming more than 8GB of RAM.
• Fixed an issue that caused all CVE artifacts to display the most recent update date when you upload or update any one CVE.
• Fixed an issue that caused the passive mirror counter to remain at 0 while synchronized.
• Fixed a bug that caused some packages to not be deleted if the mirror was deleted while in the running state.

What’s new

• Updated Anaconda Team Edition to meet Accessibility compliance
• Enabled an end-user to mirror, install, and upload CRAN packages in Windows environments
• Provided additional airgap functionality
• Improved the user experience with LDAP
• Refactored and Improved integration with Keycloak
• Ability to add certificates to Keycloak truststore for LDAP

Improvements

• Added new platforms - Linux-ppc64, Linux-s390x, and osx-arm64
• Azure AD integration with Anaconda Team Edition
• Changed the wording from PyPI to standard python and CRAN to standard r
• Added type to mirror dropdown of standard python and standard r
• The user is now able to install packages from a sub-channel
• Airgap:
  • Documentation on pulling down the package tarball on a schedule
  • Automate the process for updating artifacts
• LDAP:
  • Ability to link users that are assigned a group in Keycloak to the group in Anaconda Team Edition
  • Admins can now grant channel access to groups to which they do not subscribe
  • Admins can now increase or decrease permissions in a group
  • Admins can now manage user access using LDAP groups
  • Ability for a user to distinguish between an Anaconda Team Edition group and a group defined in Keycloak
• conda-repo-cli:
  • Added conda-repo-cli whoami command
  • Ability to set a certificate file post-install: conda repo config --set ssl_verify cert.cer
  • Cleaner error messages
  • Ability to display CVEs via CLI
  • Improvements to help channel: conda repo channel --help
• Keycloak: Store and manage users, groups, roles, and user-group relations directly in Keycloak

Bug fixes

• Updated the ability to scroll on dependents and metadata tabs
• CVE score now displays a 0.0 when the CVE has a cleared or mitigated status
• Updated sorting on CVE tab to allow end-user to sort by channel and package
• The edit button is now enabled when a token name is edited
• Removed the need to refresh the page after adding a channel or subchannel to a group
• Checking the “select all” checkbox in a channel allows you to modify the channel’s packages rather than the channel itself
• Fixed package search latency issue and refresh problems
• CRAN:
  • Licensing filtering - user can now use the exclude filter for license restriction
  • Mirror to include binaries so that users can install libraries without each user having to (re)compile libraries
  • CRAN mirror configuration page no longer duplicates package filter information
• LDAP: User count licensing limits user access

What’s new

• Customer’s now have the ability to install an airgapped instance of Anaconda Team Edition
  • Updated install preparation instructions
  • Easy to self install
  • Centralized location to pull updated packages and associated CVE metadata
• Updated the upgrade and restore path

Improvements

• Improved the warning message when setting a future date in the mirror scheduling tool
• Deleted artifacts wiill no longer show up when customer is performing a search
• Improved CVE filtering
• Updated group role mapping with Active Directory integration for the admin role
• Improved the ability to add or update a license
• Improved mirror performance:
  • Default to monthly schedule
  • Default to active mirror
  • Updated edit function to ensure all current fields are available when editing
  • Corrected the double package format of .conda and .tar.bz2

Bug fixes

• Group create button is now active when intiating a group
• Notification now appears when you delete a token
• No longer recieve multiple notifications on mirror deletion
• Searching for a package now displays current package information
• Tokens now grant only specific access
• Mirror event history is displaying current status
• conda-repo cli help now display correct help instructions

What’s new

• Ability to mirror from another installation of Team Edition via https.
• Ability to upgrade Team Edition and maintain current settings and filters.
• Role Mapping: when additional roles are added to User Management, Admin is able to restrict or add additional permissions to the end user.
• Ability to mirror from repo.anaconda.cloud.
• Ability to move, copy, and delete artifacts within a package.
• Easily upgrade a license key from the Admin user’s UI dashboard

Improvements

• Improved the support and documentation for custom certificates.
• Mirror frequency and performance issues.
• When you remove a subdirectory, it is removed from the package artifact list upon updating the mirror.
• Added notification that frequency is in UTC time.
• CVE improvements:
  • CVEs are now updating in Team Edition every 4 hours to align with NIST.
  • All CVEs have the correct status for reporting (Reported or Anaconda Curated: Active, Cleared, Mitigated, or Disputed).
  • Ability to filter by CVE status (Reported or Anaconda Curated: Active, Cleared, Mitigated, or Disputed).
  • Display the CVE date as shown by NIST for Published and Modified.
  • Display the date Anaconda curated the CVE.

Bug fixes

• Dashboard now displays the correct package count for a channel.
• An error duing customer logout experience with Team Edition was caused by a miscommunication between web socket and callback endpoint API.
• Sorting in channels not working as expected.
• Ability to sort all pages of package artifacts by Size, Version, Last Updated, and Platform.
• Ability to sort packages based on Name.
• Issues with conda repo functionality for conda repo channel copy and conda repo upload options have been fixed.
• Index of cache on Team Edition related to If-Modified-Since header has been fixed.
• API to trigger on channel index refresh lead to displaying inconsistent information between the channel and actual artifacts in the channel.

What’s New

• CVEs will be automatically fed to and updated on the Team Edition dashboard, so you no longer have to mirror them.
• CVEs will now be pulled down from NIST and listed as Reported (not curated).
• CVEs that are curated by Anaconda will now be designated with a checkmark and a label defining the stage of curation.
• You can now search for CVEs in the search bar at the top of Team Edition (Admin only).
• CVEs are displayed using an algorithm. When one or more CVEs are associated with a package, the score that is displayed is based on the highest score and risk state of a CVE for each file.
• Clicking on the number of CVEs related to a package file will show a CVE listing view.
• The number of unique CVEs for a package is displayed at the package level.
• When viewing files in a package, the appropriate CVE score (or N/A) will be displayed based on the number of CVEs and severity.
• The metadata will now display all the CVEs score information.
• All the packages affected by a CVE will be associated with that CVE.

Improvements

• Each CVE status can be seen by clicking on “info” icons and viewing meta information.
• It is now more clear that the CVE number is a clickable link.
• There is greater distinction between Anaconda curated and non-curated CVEs via a checkbox selection.
• More than two mirrors can now be run at the same time.

Bug fixes

• The heirarchy for mirroring filters has been corrected; now, if a package is added to both “include” and “exclude,” the package will be excluded.

• System metering (Prometheus) is now showing up properly.

• Admins can now update user roles and create custom roles.