ConanCenter is a fantastic resource that contains reference implementations of recipes for over 1500 libraries and applications contributed by the community. As such, it is a great knowledge base on how to create and build Conan packages for open source dependencies.
ConanCenter also builds and provides binary packages for a wide range of configurations: multiple operating systems (Windows, Linux, macOS), compilers, compiler versions, and library variants (shared, static). On top of this, for a lot of libraries, community contributors ensure that recipes are compatible with additional operating systems (Android, iOS, FreeBSD, QNX) and CPU architectures. The recipes in Conan Center are the greatest example of Conan’s universality promise.
Unlike other package managers or repositories, ConanCenter does not maintain a fixed snapshot of versions. On the contrary, for a given library (e.g. OpenCV), multiple versions are actively maintained at the same time. This gives users greater control of which versions to use, rather than having to remain fixed to an older version, or pushing them to always be on the latest version.
In order to support this ecosystem, ConanCenter recipes are updated very frequently. Recipes themselves may be updated to support a new platform, bug fixes, or to require newer versions of their dependencies. On the other hand, each user of ConanCenter may have a different combination of versions in their requirements. This means that given the same input list of requirements, Conan may resolve the graph differently at different points in time - resolving to different recipe revisions, versions, or packages. This is similar to the default behavior of package managers in other languages (pip/PyPI, npm, cargo, etc). In production environments where reproducibility is important, it is therefore discouraged to depend directly on Conan Center in an unconstrained manner.
The following guidelines contain a series of recommendations to ensure repeatability, reliability, compliance and, where applicable, control to enable customization. As a summary, it is highly recommended to follow these approaches when using packages from ConanCenter:
- Lock the versions and revisions you depend on using lockfiles
- Host your own copy of ConanCenter recipes and package binaries in a server under your control
Repeatability and reproducibility
As mentioned earlier - given a set of requirements, changes in ConanCenter can cause the Conan dependency solver to resolve different graphs over time. This does not only apply to the actual versions of libraries (e.g. opencv/4.5.0 instead of opencv/4.2.1) - but also the recipes themselves. That is, there may exist multiple revisions of the opencv/4.5.0 recipe, which can have side effects for consumers. Changes in recipes typically address a problem (bugfixes), target functionality (e.g. adding a conditional option, support for a new platform), or change versions of dependencies.
In order to ensure repeatability, the use of lockfiles on the consumer side is greatly encouraged: please check the lockfile docs for more information.
Lockfiles ensure that Conan will resolve the same graph in a repeatable and consistent manner - thus making sure the same versions are used across multiple systems (CI, developers, etc).
Lockfiles are also used in other package managers like Python pip, Rust Cargo, npm - these recommendations are in line with the practices of these other technologies.
Additionally, it is highly recommended to host your recipes and packages in your own server (see below). Both of these approaches help you control when upstream changes from ConanCenter are propagated across your team and systems.
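As an added illustration (not code from the Conan documentation or project), the following CI-style check compares a committed lockfile with a freshly resolved one and reports entries without a recipe revision, recipe revisions that changed for the same version, and versions that differ. It assumes the Conan 2.x lockfile layout (JSON lists of `name/version#recipe_revision%timestamp` strings); the sample lockfiles, revision values and the function names `load_lock` and `audit` are constructed for this example.

```python
import json

# Constructed lockfiles in the Conan 2.x layout (assumed): JSON lists of
# "name/version#recipe_revision%timestamp" strings. Revisions are fake.
COMMITTED = json.dumps({"version": "0.5", "requires": [
    "opencv/4.5.0#aaaa1111%1700000000.0",
    "zlib/1.2.13#bbbb2222%1700000000.0",
    "fmt/9.1.0",                           # no recipe revision recorded
], "build_requires": ["cmake/3.27.0#cccc3333%1700000000.0"]})
FRESH = json.dumps({"version": "0.5", "requires": [
    "opencv/4.5.0#dddd4444%1710000000.0",  # same version, new recipe revision
    "zlib/1.3.1#eeee5555%1710000000.0",    # a newer version is now resolved
    "fmt/9.1.0#ffff6666%1710000000.0",
], "build_requires": ["cmake/3.27.0#cccc3333%1700000000.0"]})

SECTIONS = ("requires", "build_requires", "python_requires")

def load_lock(text):
    """Map 'section:name/version' -> recipe revision (None when absent)."""
    data, pins = json.loads(text), {}
    for section in SECTIONS:
        for entry in data.get(section, []):
            ref, _, _timestamp = entry.partition("%")
            ref, _, rrev = ref.partition("#")
            pins[f"{section}:{ref}"] = rrev or None
    return pins

def audit(committed_text, fresh_text):
    """Compare the committed lock with a freshly resolved one."""
    old, new = load_lock(committed_text), load_lock(fresh_text)
    findings = []
    for ref, rrev in sorted(old.items()):
        if rrev is None:
            findings.append(("unpinned-revision", ref))
        elif ref not in new:
            findings.append(("version-no-longer-resolved", ref))
        elif new[ref] != rrev:
            findings.append(("recipe-revision-changed", ref))
    findings += [("version-not-in-lock", r) for r in sorted(new) if r not in old]
    return findings

if __name__ == "__main__":
    for kind, ref in audit(COMMITTED, FRESH):
        print(f"{kind:28} {ref}")
```

An empty result means a fresh resolution would produce exactly what the committed lockfile already pins; any finding is a change that would reach builds only once the lockfile is deliberately updated.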
Service reliability
Consuming recipes and packages from the ConanCenter remote can be impacted during periods of downtime (scheduled or otherwise). Every effort is made to ensure that ConanCenter is always available, and unscheduled downtime is rare and treated with urgency, but it can still impact users that depend on ConanCenter directly. Additionally, building recipes from source requires retrieving the source packages (typically zip or tar files) from remote servers outside of the control of ConanCenter. Occasionally, these too can suffer from unscheduled downtime.
In enterprise production environments where strong uptime is required, it is strongly recommended to host recipes and binary packages in a server under your control.
Read more: creating and hosting your own Conan Center binaries
This can also protect against transient network issues, and issues caused by transfer of binary data from external sources. These recommendations also apply when consuming packages from external sources in any package manager.
Compliance and security
Some industries, such as finance, robotics and embedded, have stronger requirements around change management, open source licenses and reproducibility. For example, changes in recipes could result in a new version being resolved for a dependency, in a way that the license for that version has changed and needs to be validated and audited by your organization. In some industries like medical or automotive, you may be required to ensure all your dependencies can be built from source in a repeatable way, and thus using binaries provided by Conan Center may not be advisable. In these instances, we recommend building your own binary packages from source:
Read more: creating and hosting your own Conan Center binaries
Control and customization
It is very common for users of dependencies to require custom changes to external libraries - typically to support specific platform configurations not considered by either ConanCenter or the original library authors, backport bug fixes, etc. Some of these changes may not be suitable to be merged in ConanCenter, and a merge may not happen until the change has been reviewed and validated by ConanCenter maintainers. For this reason, if you need tight control over the changes in recipes, it is highly recommended to host not only a Conan remote, but your own fork of the conan-center-index recipe repository.
Read more: creating and hosting your own Conan Center binaries
The following subsections describe the above strategies in more detail:
- Creating and hosting your own ConanCenter binaries