Conan.Io – Lessons Learned from Securing 40,000 C++ Packages - Diego Rodriguez

2022-10-24

Authors: Diego Rodriguez-Losada Gonzalez

Summary

Diego Rodriguez shares how Conan.io, an open-source package manager for C and C++, has managed to maintain supply chain security despite its wide reception.
  • Conan.io is an open-source package manager for C and C++ that has over 11 million binaries built by user-submitted recipes.
  • Despite its wide reception, Conan.io has had 0 security incidents since its inception.
  • Conan.io utilizes automated quality checks, compiler security mitigations, package signing, a secure build pipeline, and an extremely strict and efficient review process to maintain supply chain security.
  • Diego Rodriguez and his team have received over 9000 pull requests in the last two years and have a dedicated team of 10 people, sponsored by JFrog, as maintainers of the Conan project.
  • Conan.io is becoming an important piece in the C++ ecosystem and needs to be secure.
Diego Rodriguez explains that Conan.io fills a gap that had existed in the C++ language for decades. It is an open-source, decentralized, multi-platform package manager that works with any build system and is very mature, reliable, and stable. Conan.io has become increasingly important in the C++ ecosystem and has been designated as one of the one percent critical IPI projects. It has been downloaded a very large number of times and is consistently ranked among the most active channels in the C++ language Slack team. Many thousands of companies use Conan.io in production, and the Conan team has received a lot of feedback from users.

Abstract

Supply chain security needs are at an all-time peak, since attackers are now massively targeting developers through their use of package repositories such as npm and PyPI. Conan.io, the open-source package manager for C and C++, currently houses more than 11 million binaries built by user-submitted recipes, but has managed to have 0 security incidents since its inception, despite its extremely wide reception (15TB of monthly transfers). In this session, Diego (Conan's co-creator) will share how he and his team have managed this incredible feat by utilizing automated quality checks, compiler security mitigations, package signing, a secure build pipeline and an extremely strict and efficient review process, even when faced with more than 9000 pull requests in the last two years.