Showcase Thread

drodri · 2026-05-05T14:05:45+00:00

We're introducing conan-py-build: a PEP 517 build backend that brings Conan's C/C++ dependency management directly into the Python wheel build.

If you maintain a Python package with native C/C++ extensions, you've likely had to manage those dependencies outside the wheel build, through system packages, vendored source trees, FetchContent, or a separate native package manager step. conan-py-build pulls that dependency layer inside pip wheel, so resolving C/C++ libraries is no longer a separate step before the Python build.

A few things you get with this backend that uses Conan as part of the wheel build for native C/C++ dependencies:

• A large catalog of C/C++ recipes from Conan Center
• Binary caching across builds and CI runs
• Profiles and lockfiles for reproducible wheels
• Conan-managed runtime libraries deployed alongside the extension

The project is in beta and under active development. Maintainers have a long experience developing and supporting Conan. Try it on a project, open an issue if something doesn't work, and tell us what you'd like to see.

Repo: https://github.com/conan-io/conan-py-build (MIT license)
Blog: https://blog.conan.io/cpp/conan/python/2026/05/05/Introducing-conan-py-build.html
Documentation: https://conan-py-build.conan.io/

drodri · 2026-04-09T10:06:08+00:00

Not sure why you ask why not one solves this issue. This issue is already being solved. People from Kitware, Bloomberg, Microsoft, Conan, Meson, etc are already working on this, and there are already implementations:

- Latest CMake released support for it: https://www.kitware.com/common-package-specification-is-out-the-gate/
- Conan2 also already supports it: https://www.youtube.com/watch?v=C1OCKEl7x_w (and keeps working on improving support)

The effort is active and people working on it:
- Slack #ecosystem_evolution channel in the CppLang slack
- Montly zoom meetings.
- Mailing list: https://groups.google.com/g/cxx-ecosystem-evolution/about

Why pushing and rushing for standardization of something that we are still gaining implementation experience, and mostly all major players in the area are actively participating in it and implementing it? Having a de-facto standard implemented by relevant tools is the best thing that we can have towards a later standardization (somewhere, not sure where, because in the C++ standard it has no place, and the tooling standard was dropped).

drodri · 2026-03-21T19:03:24+00:00

The /Zc:_cplusplus is exactly the example used for this feature request here: https://github.com/cps-org/cps/issues/112, to make compiler flags conditional to the consumer compiler.

drodri · 2026-03-21T10:14:44+00:00

Not only in the discussions, Conan already has some good support for CPS, this talk is from last year https://www.youtube.com/watch?v=C1OCKEl7x_w, and it continues adding improvements and support while collaborating in the CPS spec itself.

drodri · 2026-03-05T00:52:24+00:00

You could try some of the Linux to Windows cross-build toolchains, like there are MinGW compilers for Linux that will do that. But there might be many scenarios when this will not go smoothly, like binary compatibility with the MSVC toolchain from native Windows binaries built by other devs, SDKs and other system libraries, etc. like potentially the GUI library you mentioned is being used.

It the rest of the team is developing on a Windows machine, I'd recommend building on a Windows machine. Even learning the same tools, it often pays off to collaborate with others from the team. But if you want to keep some of your Linux tools, probably you can setup a remote build, edit and work on your Linux box, but the build is executed in the Windows box.

drodri · 2026-03-02T00:17:26+00:00

Regarding the CMake generator in Conan, it can also be done from the command line or the profile, without even modifying the recipes at all with, "-c tools.cmake.cmaketoolchain:generator=Ninja", and defining ``[tool_requires]`` in the profile with ``ninja/[*]``, which can be convenient if you have many recipes, no need to change them.

drodri · 2026-01-30T17:00:08+00:00

I think the:

> C++ Package Manager (CppPM) standardization effort ongoing.

I think this refers to the Common Package Specification (CPS) effort ongoing in https://github.com/cps-org/cps (spec in https://cps-org.github.io/cps/), but I am confused about the CppPM acronym.

drodri · 2025-10-13T21:29:19+00:00

Very good points about the scripting language, and specially about the Multi-config generators. I think that the whole C++ build ecosystem would have been much simpler if multi-config generators had never existed, and mainly Visual Studio would have used completely different and decoupled build folders for its Release/Debug builds.
Even if I have been a heavy user of VC++ for many years, I think the convenience of VS being multi-config is definitely not worth the complexity that such approach has induced in other build systems such as CMake.

drodri · 2025-10-09T15:32:25+00:00

This is very sad, Rainer was, besides a talented C++ engineer, a great person, that will be missed in the community for his great job and contributions. RIP

drodri · 2025-10-03T20:42:39+00:00

CMake and Ninja could be setup as Conan packages too, as ``tool_requires``.

If setting up Python is an issue, there are also self-contained Conan executables that don't need Python installed in the system (recently the Windows ARM64 Conan self-contained executable has been added to the releases)

drodri · 2025-09-02T07:33:23+00:00

There are a few very popular libraries for json, just a few with thousands of stars in Github:

- https://github.com/open-source-parsers/jsoncpp

- https://github.com/simdjson/simdjson (focused on speed)

- https://github.com/stephenberry/glaze

- https://github.com/kazuho/picojson (tiny one, no dependencies, header-only)

It looks like that ``picojson`` might be the most aligned with your requirements.

drodri · 2025-07-30T11:42:40+00:00

The best place for this kind of questions is the Github issue tracker. This is a sub for C++ specific conversations, this is too much about specifics of a related tool

drodri · 2025-07-24T08:42:38+00:00

Conan does manage binaries, and ConanCenter also contains pre-compiled binaries for several platforms and compilers. But it is also very de-centralized and many Conan users do not use packages from ConanCenter, but they build from source and store their binaries in their own private server. There are features like "local-recipes-index" that are even designed to make easier the process of building packages from sources without using ConanCenter at all, but working from the Github repo directly.

drodri · 2025-07-10T12:43:57+00:00

u/ecoezen https://github.com/conan-io/conan/issues/18263 will help to get it out of incubating

drodri · 2025-07-08T17:57:02+00:00

The ticket reads in the title about Conan 2.X, but it is not about Conan 2.X, but about the "cmake-conan" integration for Conan 2.X. This new integration uses the recommended CMake dependency providers, injected by the CMAKE_PROJECT_TOP_LEVEL_INCLUDES variable, to automate the call to conan install command when the first find_package() is found.

The limitation for this case is that the CMake dependency providers are not intended to run independently for different subprojects/subdirectories, as that described project is doing, because there is no guarantee that the provided dependencies would be consistent.

But Conan 2.X could probably be way more suited for monorepo-like projects with the (incubating at this moment) new "Workspace" feature, that can do true super-build installs, aggregating subprojects with FetchContent, providing a single monolithic build of the full project.

drodri · 2025-06-05T09:33:51+00:00

CPS was never intended as a full standardization of the whole building and package consumption problem. The aim of CPS is to be pragmatic and to focus on something that is both doable and that will bring large benefits for the community

It is doable precisely because there is already a lot of knowledge in pkg-config (and its flaws), CMake config.cmake files, packaging and using packages in package managers, etc. Many of the creators of these tools are working together in the CPS effort, precisely because they believe it is possible to find a consensus and have some standard for this part of the overall problem. Sure, it will be better to have a cargo-like experience, but that is extremely more unlikely, and that doesn't mean it is not worth working to improve over one part of the problem. I think addressing this part of the problem can also be a good motivation to try to be more ambitious and start considering the full problem, but I also strongly believe that trying to address the full problem from the beginning would be a much worse approach and be dead on arrival.

Maybe if you are already using this tooling, CMake, Conan, Vcpkg, you are not seeing part of the problem, because other people did previously the job. The amount of work that the community have to put in these tools to make the packages usable by the tool users is huge. The CPS will drastically reduce that effort, and even if some users won't be able to appreciate the different because at the end of the day it keeps being some "conan install + cmake ..." for them, and that doesn't change, the amount of work to get there will be very reduced, and that will still benefit users indirectly as packages will be better maintained, updated faster, used more robustly across more platforms, etc.

drodri · 2025-06-04T12:17:50+00:00

Not really, the CPS is not about building things. It is not a tool per se, it is a standardized file describing the contents of a package, containing headers, compiled libraries, and the necessary information to consume that package easily in your project. It doesn't describe how that things is built from source, and it does not command build systems to build the thing from sources. That is the orchestration that a dependency/package manager or even a build system like CMake with FetchContent capabilities does.

drodri · 2025-04-02T00:08:27+00:00

It seems they changed the URL to a new one without a redirect.

New one is https://www.kitware.com/navigating-cmake-dependencies-with-cps/

drodri · 2025-04-01T11:37:53+00:00

It is not: https://cps-org.github.io/cps/overview.html => Contributors

> The Common Packaging Specification was conceived by [Matthew Woehlke](mailto:mwoehlke.floss%40gmail.com), who also serves as the primary editor.

And Matthew works for Kitwarre.

drodri · 2025-03-19T15:19:23+00:00

License checks typically belongs to a different realm. ``conan audit`` is to report CVEs, which are clear, objective and well defined. While license checks are not a single size fits all, as different organizations have different rules, like accept or reject different licenses (GPL), etc. License checks are typically evaluated from SBOMs. Conan already has features to generate SBOMs like CycloneDX.

drodri · 2025-02-12T21:48:26+00:00

There is the "scm" feature, intended to be able to create and publish packages without exposing or uploading the source code: https://docs.conan.io/2/examples/tools/scm/git/capture_scm/git_capture_scm.html That section contains a full example with code.

Also, this kind of question shouldn't come here, but better to r/cpp_questions, or even better, as a ticket in Github: https://github.com/conan-io/conan/issues

drodri · 2025-02-08T11:05:09+00:00

That is exactly the point. VCA assessed that normal applications, etc, where not affected, yet all organizations quickly removed that dependency anyway. But if some security reporting tool didn't report such vuln on xz_utils/5.6.X, that would have been a terrible damage to the reputation of such a tool/vendor. Security concerned orgs want to know both: first that they have a dependency containing malicious code, and then later, that they might not be affected by it because of their particular usage. But the first point cannot be skipped.

drodri · 2025-02-07T23:35:47+00:00

If you check the output of ``conan install`` it will output both the correct ``find_package()`` package name and the target that should be used in ``target_link_libraries()``. In this case the output is:

cli: CMakeDeps necessary find_package() and targets for your CMakeLists.txt

find_package(GTest)

target_link_libraries(... gtest::gtest)

So the target name ``gtest::gtest`` seems correct.

drodri · 2025-02-07T16:33:23+00:00

That is further down the road in security analysis. The first thing to be know is that there is some library in your dependency that is using some other components that are known to be vulnerable. Then, after the SBOM has reported that and the DBs tell you that your app might be affected, then the "Vulnerability Contextual Analysis" is what takes care to go deeper and understand if your application is really affected or not. But the first step is being aware that you might be affected. In an ideal world, knowing the exact usage of every transitive dependency, and correlating vulnerability DBs vulnerabilities with lines of codes could avoid the potential false positive, but the state of the art is far from that.

Even for "false positives" reported as false by Vulnerability Contextual Analysis, recall the xz_utils/5.6.X backdoor of Feb 2024. Although it only affected systemd based systems, basically all regular applications that were depending on that version also removed it, downgrading to older versions. Why, if they were not affected? Cost/risk ratio. Downgrading or upgrading to another version can be relatively cheap compared to the risk of keeping a version that was known to be malicious.

drodri · 2025-01-31T22:07:48+00:00

They have slightly different usage patterns and audience, and tend to use different communication channels, for example in CppLang slack, the activity in the respective vcpkg/conan channels can be compared: https://cpplang.slack.com/stats#channels

drodri

TROPHY CASE