1. Security and Trust You can designate a private repository as exclusive for all internal packages. This ensures that no malicious or outdated version accidentally slips in from a public remote. For regulated industries (automotive, medical, finance), exclusive repos are audit requirements. 2. Build Reproducibility Exclusive mappings freeze the supply chain. If a package is marked exclusive to corp-jfrog , Conan will never query conan-center for that package. This guarantees that the binary artifact built today is identical to the one built six months ago. 3. Performance Optimization Searching through multiple remotes for a package that only exists in one location is wasteful. Exclusivity eliminates unnecessary HTTP requests to public remotes, speeding up conan install commands significantly in large monorepos. How to Configure a Conan Repository Exclusive There are two primary methods to enforce exclusivity: using the allowed_packages attribute in the repository configuration or leveraging the conan create command with exclusive flags. Method 1: The allowed_packages List (Server-Side & Client-Side) Modern Conan (v2.x) introduces a robust way to define which packages a repository is allowed to serve.
conan upload "OpenSSL/3.0.0" --remote=my-private --require-remote The --require-remote flag adds metadata to the package recipe that says: "This package's canonical source is my-private ." If another developer tries to upload OpenSSL/3.0.0 to conan-center , Conan will reject the operation unless they force override (which requires admin privileges). The Conan repository exclusive truly shines when combined with lockfiles . A conan.lock file records the exact revisions and origins of every package in your dependency graph. conan repository exclusive
conan remote list Output:
When you generate a lockfile in a repository-exclusive environment, Conan writes the exclusive remote name into the lockfile. Later, when another developer runs conan install --lockfile=conan.lock , Conan will and fetch exclusively from the remotes listed in the lockfile. If a package is marked exclusive to corp-jfrog
Conan operates on a "first-found, first-used" principle. By default, if you have multiple remotes (e.g., conan-center , my-company-private , dev-local ), Conan will search them in order. However, the feature overrides this behavior. Conan operates on a "first-found
When you mark a reference as exclusive to a repository, you are making a declaration: "This package (e.g., OpenSSL/3.0.0 ) exists only here. Do not look elsewhere. Do not upload elsewhere."
// In ~/.conan2/settings.yml or conan.conf remotes_exclusive: my-private: - boost/* - openssl/* conan-center: - * # All other packages come from center (if not exclusive) Alternatively, use the command line to modify a remote’s allowed_packages :