You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I propose that we remove the meta-manifest generation, as conda-lock's new lockfile format now includes all of the necessary information we use to vendor dependencies into a local channel.
Remove intermediary step of generating a meta-manifest in favor of conda-lock's 1.0.x new API
Add in vendor command as the primary
Add a subcommand to generate formatted output for IronBank's hardening_manifest.yamlresources block, using conda-lock's 1.0.x FetchAction object.
conda-lock now has compound specification for lockfile generation, where you can create a conda-lock.yaml from one or more environment files.
Remove intermediary step of generating a meta-manifest in favor of using conda-lock's 1.0.x compound-specification API NOTE: this would be best tracked as it's own issue
Signing and Verification
I propose that we introduce signing and verification of the vendored dependencies within a local channel (and/or the local channel itself), and generate a SLSA compliantin-toto spec attestation. NOTE: this would be best tracked as it's own issue
# use conda as the solver for linux-64
conda-vendor vendor --file environment.yaml --solver conda --platform linux-64
# use mamba as the solver for osx-64
conda-vendor vendor --file environment.yaml --solver mamba --platform osx-64
# use micromamba as the solver for the host platform
conda-vendor vendor --file environment.yaml --solver micromamba
Now supports conda, mamba, and micromamba solvers.
Edit: Closed #32 in favor of tracking progress here as this is a much bigger refactor.
Background
conda-lock has some awesome improvements in 1.x 🔭 that will allow us to reduce duplicated functionality in conda-vendor's implementation.
Example conda-lock usage for 1.x:
Given an
environment.yaml
:Generating a lockfile (conda-lock supports multiple solvers such as mamba and micromamba):
conda lock --file environment.yaml -p linux-64 --mamba
Produces the following
conda-lock.yml
:Proposed conda-vendor changes + improvements:
Remove conda-vendor's meta-manifest generation
I propose that we remove the meta-manifest generation, as conda-lock's new lockfile format now includes all of the necessary information we use to vendor dependencies into a local channel.
vendor
command as the primaryhardening_manifest.yaml
resources
block, using conda-lock's 1.0.x FetchAction object.Remove conda-vendor's combined manifest functionality
conda-lock now has compound specification for lockfile generation, where you can create a
conda-lock.yaml
from one or more environment files.NOTE: this would be best tracked as it's own issue
Signing and Verification
I propose that we introduce signing and verification of the vendored dependencies within a local channel (and/or the local channel itself), and generate a SLSA compliant in-toto spec attestation.
NOTE: this would be best tracked as it's own issue
sigstore
digital signingThe text was updated successfully, but these errors were encountered: