CircleCI Security Incident

· 5 min read
The conda-forge core team

In early January 2023, CircleCI informed us that they had a large security breach where a third party had gained access to all the environment secrets stored in the service. For conda-forge, these secrets are the API token used to upload built packages to our staging area on and the unique token we generate for each feedstock. The feedstock tokens are used as part of our artifact staging process to ensure that only the maintainers of a given feedstock can upload packages built by that feedstock. Later in January, we were informed by CircleCI that their security breach started on December 19, 2022, with the bulk of the secrets being exfiltrated in plain text from their servers a few days later. A malicious third party with access to these secrets could potentially upload compromised versions of any package on conda-forge in a so-called "supply chain" attack.

Travis CI Security Incident

· 2 min read
Matthew R. Becker
Member of conda-forge/core

On September 9, 2021, one of our core devs discovered that artifacts building on Travis CI were being uploaded to our conda channel from PRs running on forked repositories. A quick investigation revealed that Travis CI was passing encrypted secrets to PR builds on forks. Further examination of our logs and artifacts indicated that this had been happening since about September 3, 2021. This security bug was subsequently confirmed by Travis CI. See this CVE for more details on this incident. As far as we know, there were no actual exploits against conda-forge which used this vulnerability.

2020 in Review

· 3 min read
The conda-forge core team

As 2020 winds down, the Core team thought it'd be fun to review some of the big accomplishments our community has made this year.

Strong Growth

The conda-forge community has grown immensely this year. Here are some numbers to help give you an idea of the scale of our growth.

  • The community has added 3,751 new, unique conda packages this year, along with a corresponding number of new feedstocks.
  • For the majority of 2020, the conda-forge channel on exceeded 100 million downloads per month.
  • In July of 2020, the conda-forge channel passed 2 billion total, all-time downloads.
  • We've grown our core developer community, adding seven new members to the conda-forge Core team and at least two members to the staged-recipes team.
  • We now have over 2,500 recipe maintainers in the conda-forge GitHub organization.

Big New Features

We've also shipped a ton of big updates to our core infrastructure this year. These updates include:

  • PyPy support: We added support for PyPy 3.6 and now supply one of the biggest stacks of PyPy-enabled packages in the PyPy ecosystem.
  • automerge: We now support the automatic merging of PRs on feedstocks using the automerge label or through an opt-in setting in the conda-forge.yml.
  • R 4.0 migration: This migration was the first one to use our automerge infrastructure at scale. With it, we finished a complete rebuild/upgrade of the R ecosystem in about a week.
  • Python updates: We deprecated Python 2.7, completed the Python 3.8 migration, and got about 75% of the way through the Python 3.9 migration.
  • compiler upgrades: We upgraded our compiler infrastructure to GCC 9 and clang 11.
  • CentOS 7 and CentOS 6 EOL: We shipped an option to enable our compilers to use the CentOS 7 sysroot in preparation for the CentOS 6 EOL. We hope to complete the move to CentOS 7 early next year.
  • miniforge: We built our own standalone, miniconda-like installers. These support a broad range of platforms, including osx-arm64 and linux-aarch64.
  • standalone Windows stack: We fully decoupled our Windows recipes from the defaults channel by rebuilding the msys2 recipes.
  • Apple silicon support: We added support for Apple silicon with our osx-arm64 platform. This platform is our first one to use a fully cross-compiled infrastructure.
  • CUDA support: We added support for building CUDA packages on Windows and added CUDA 11.0 support.

We know that this year has been extremely difficult for so many of our community members and that the fantastic success of conda-forge would not have been possible without the active participation and support of our community. Thank you everyone so much for the work you put into conda-forge this year, making it the wonderful, community-led resource that it is.

We wish everyone a happy, healthy, and peaceful new year!

Package Distribution and the Terms of Service

· 2 min read
The conda-forge core team

Various members of the community have raised questions publicly and privately about the implications of Anaconda's new Terms of Service (TOS) on First of all, we understand your concerns. We would like to explain a bit how conda-forge works, how the TOS change affects us and conda-forge users, and what our plans as a community are for the future.