westurner
commented
3 months ago - /? sbom conda
- conda envs can contain Conda and also Python packages.
- mamba is faster than conda.
- the miniforge installer ships conda and mamba with
-c conda-forgeas the default channel - pixi is faster than pip and IIRC mamba and thus conda, too
- https://prefix.dev/
- pixi
- src: https://github.com/prefix-dev/pixi
- docs: https://pixi.sh/latest/
- docs: https://pixi.sh/latest/features/environment/#structure
- https://github.com/prefix-dev/rip
- "UV in Pixi" > "Benchmarking rip and uv"
https://prefix.dev/blog/uv_in_pixi#benchmarking-rip-and-uv
- https://github.com/astral-sh/uv/issues/1572#issuecomment-1949979306
- pixi is replacing rip with uv
- https://github.com/astral-sh/uv/issues/888
- uv
- conda/conda-lock: https://github.com/conda/conda-lock/issues/615
- conda/conda-content-trust:
- src: https://github.com/conda/conda-content-trust
- docs:
- docs: https://docs.anaconda.com/pro/security/
- TUF package signatures for conda packages
verify_signature()https://github.com/conda/conda-content-trust/blob/main/conda_content_trust/authentication.py#L253 Conda Security Practices >
- "Enabling conda signature verification"
https://docs.anaconda.com/pro/security/#enabling-conda-signature-verification
-
conda install "conda>=4.10.1" "conda-token>=0.3.0" conda-content-trust conda token set --enable-signature-verification <YOUR_PRODUCT_TOKEN>Conda version 23.10+ uses libmamba as the default solver, which bypasses signature verification. If you are using conda 23.10 or later, you must configure your .condarc file to use the classic environment solver by running the following command:
conda config --set solver classic - https://github.com/mamba-org/mamba/issues/3283
- https://github.com/conda/conda-content-trust/issues/123
-
docker buildbuilds containers from Dockerfiles with BuildKit.docker scout sbom: https://docs.docker.com/reference/cli/docker/scout/sbom/- builtkit supports build-time SBOMs:
https://github.com/moby/buildkit/blob/master/docs/attestations/sbom.md :
By default, only the final build result is scanned - because of this, the resulting SBOM will not include build-time dependencies that may be installed in separate stages or the build context. This could cause you to miss vulnerabilities in those dependencies, which could impact the security of your final build artifacts.
To include these build-time dependencies from your Dockerfile, you can set the build arguments BUILDKIT_SBOM_SCAN_CONTEXT and BUILDKIT_SBOM_SCAN_STAGE to additionally scan the build context and other build stages respectively.
- podman also supports build-time SBOMs:
podman build --sbomhttps://docs.podman.io/en/stable/markdown/podman-build.1.html#sbom-preset- “syft-cyclonedx”, “trivy-cyclonedx” [|| spdx]
- CycloneDX SBOM specs
- "CycloneDX Python SBOM Generation Tool"
https://github.com/CycloneDX/cyclonedx-python?#cyclonedx-python-sbom-generation-tool :
Conda as a package manager is no longer supported since version 4. However, conda's Python environments are fully supported via the methods listed above. See the docs for an example.
- [ ] DOC: what does this mean?
jkowalleck
This project is currently looking for contributors.
Drop a note, or ping, if you are interested.