Anaconda maintains the following security and provenance/chain-of-custody practices:
- The engineers who build and maintain the Anaconda Distribution curate the packages it contains based on their relevance to the data science community. These open source packages are vetted for widespread adoption and community support, which allows security vulnerabilities to be addressed quickly, completely, and transparently.
- Source code and built artifacts are maintained under strict chain-of-control and are built and stored on a separate, secure network within Anaconda. Only a small number of developers and IT team members have access to this network and its associated servers.
- All versions of the Anaconda Distribution and its packages made available at http://repo.continuum.io have published MD5 and SHA256 checksums for the installers.
- A Quality Assurance team performs exhaustive testing on each release of Anaconda and Miniconda, including all installers and packages. This testing includes scanning with at least three anti-malware products for each supported operating system (Windows, macOS, and Linux). When issues are found, they are remediated or noted in the documentation.
- Anaconda maintains a team of IT leaders who work with software engineers to monitor all active security events through various information channels, which results in fast response times and, whenever necessary, direct communication to our customers through Customer Support.
- All developers with access to the secure network run macOS machines; macOS has a high level of default security due to its UNIX origins. Each machine is managed to ensure it has the latest security patches and up-to-date anti-virus/anti-malware software running at all times.
- Particularly security-minded customers may use the Anaconda Repository functionality included in an Anaconda Enterprise subscription to allow only a small, controlled set of packages onto their site and block all others from entering their network. Because the enclosed packages are open source, customers may perform their own code reviews or related activities to achieve their desired level of risk management and/or compliance.