Conan: Choosing Desired Package From Right publisher

Hi @solvingJ ,

Yes, this is a legitimate concern. Regarding this we already started addressing it with the conan manifest validation utilities, but we are doing more:

• We are planning for the next release "package signing". We might not meet the deadline, because it can be a difficult task, but at least we will start working on it. This will allow to install only trusted packages from trusted sources.

• We agree that the trust of binaries from unknown users is analogous to torrents, or basically as any other source: recently even sourceforge had terrible problems with their hosted binaries containing malware/adware. You could even download pre-built releases from github that can contain malware, especially if the project is not very popular and thus not frequently reviewed.

• But we don't feel that making more difficult to contribute packages to conan.io would be the way to go, so we still allow to any user to upload contents.

• We also like the idea and probably go for it, about implementing "verified users". So users will be able to distinguish package recipes in conan.io that comes from verified users and those who come from non-verified ones. The client might also provide functionality to warn or to block packages from non-verified users.

With those things, conan will be much safer. In any case, please remember that we haven't prioritized those features yet, because actually the heavy usage of conan is in-house. Most users in production they don't use conan.io, but their own conan_server. With that approach, all those security concerns are not an issue.

Thanks very much for your feedback, I think it is very useful. Now, I'd prefer that we open specific issues for specific solutions, and start addressing them one by one:

• Package signing: https://github.com/conan-io/conan/issues/773
• Verified users: I think it would be basically this one (https://github.com/conan-io/conan/issues/780), though I might rename it to "Verified users in conan.io"

That's all really great to hear! Good luck and thanks again for all your hard work on the project. Just want to re-iterate once more than JFrog's Bintray and JCenter() (for Java) service has proven to be a VERY effective model for secure OSS-integrated binary hosting. The way they link developers, organizations, and projects has been a dream for me and everyone I know so far. I recommend you leverage their model and wisdom in the future. That way you can focus on improving the handling of complexities native to C++ binaries, not trying to re-invent secure-package-publishing, which is very well solved already by JFrog.

I'm hoping that as Conan becomes more popular, that maintainers of popular packages will upload "official" versions of their packages to Conan.io. One of the issues that @SolvingJ is concerned with with confusion about which package to choose. The way Dockerhub approaches it is by indicating "Official" packages prominently and ranking Official packages ahead of others in search results. I think "verified" is a good idea but may be orthogonal to "official".

Thanks @solvingJ and @sourcedelica for the feedback:

• Yes, the Bintray and JCenter models are awesome, and certainly conan will converge towards them, maybe even fully integrate. Just we are prioritizing the integration with Artifactory which is much more requested by the users right now.

• The thing with "official" vs "verified" in conan.io packages is a matter of target. Maintaining "official" packages, let`s say for Boost, Poco, and other libraries is not something that conan should address, but they should be maintained by the community, the best would be by the original developers. In the same way the github repos are maintained by them. The way libraries evolve is much different on how OS distros evolve, and then the model would be different from the dockerhub one. The best we could do, is to "verify" that the conan account/username "boostorg" is actually owned by the Boost project, so users will get a green check for "Boost/1.63@boostorg/stable". Does this make sense?

Yes - If it's obvious from the UI that the boostorg/stable package is the one that I should choose then that sounds good to me.

I'd also like to see "certified" packages before using this system. I'd like to use those by default, and probably have to accept manually if a package isn't trusted from a certified user. I understand you want to get as many libs on the service as possible (and fast), but I feel this is quite important.

@Socapex agree. There are differents views about it, like "certified" = "account verified", or "certified" = "moderated/reviewed for quality and maintenance package". We are considering both, keep tuned.

bintray conan-center addresses this issue, now conan-center will be the reference place to get "official" or at least "verified" packages. I think we can close this issue, and if something specific for the new model is needed, open a new issue. Thanks!

I wanted to congratulate you on the launch of conan-center! I think this will propel conan at the forefront of C/C++ package management. Good times :)

Many thanks!