All Posts
CircleCI Security Incident
- 2023-03-12
In early January 2023, CircleCI informed us that they had a large security breach where a third party had gained access to all the environment secrets stored in the service. For conda-forge, these secrets are the API token used to upload built packages to our staging area on anaconda.org and the unique token we generate for each feedstock. The feedstock tokens are used as part of our artifact staging process to ensure that only the maintainers of a given feedstock can upload packages built by that feedstock. Later in January, we were informed by CircleCI that their security breach started on December 19, 2022, with the bulk of the secrets being exfiltrated in plain text from their servers a few days later. A malicious third party with access to these secrets could potentially upload compromised versions of any package on conda-forge in a so-called "supply chain" attack.
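The property the excerpt describes, a per-feedstock token that lets a staging service accept uploads only from the feedstock the token was issued to, and the consequence of a token leak (the old token must be revoked), can be modelled in a few lines. The block below is an added example and is not conda-forge's staging code or CircleCI's; the `StagingService` class, the HMAC-derived token scheme with a per-feedstock generation counter, and the `*-feedstock` names are assumptions made for illustration.

```python
"""Hypothetical per-feedstock upload token check for an artifact staging
service (added example, not conda-forge's implementation)."""
import hashlib
import hmac
import secrets


class StagingService:
    """Issues one token per feedstock and checks it on every upload.

    Tokens are derived as HMAC(server_secret, feedstock || generation), so the
    service stores only a per-feedstock generation counter, never the tokens
    themselves. Bumping the counter revokes the previously issued token, which
    is the remedy once a token has been exfiltrated from a CI provider.
    """

    def __init__(self, server_secret: bytes) -> None:
        self._secret = server_secret
        # feedstock name -> current token generation (assumed scheme)
        self._generation: dict[str, int] = {}

    def _derive(self, feedstock: str, generation: int) -> str:
        # NUL separator prevents "ab" + "1" / "a" + "b1" style collisions.
        msg = f"{feedstock}\x00{generation}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue_token(self, feedstock: str) -> str:
        """Return the current token for a feedstock, registering it if new."""
        gen = self._generation.setdefault(feedstock, 0)
        return self._derive(feedstock, gen)

    def rotate_token(self, feedstock: str) -> str:
        """Revoke the current token and return a fresh one."""
        self._generation[feedstock] = self._generation.get(feedstock, 0) + 1
        return self._derive(feedstock, self._generation[feedstock])

    def authorize_upload(self, feedstock: str, presented_token: str) -> bool:
        """True only if the token is the live token for *this* feedstock."""
        gen = self._generation.get(feedstock)
        if gen is None:
            return False
        expected = self._derive(feedstock, gen)
        # Constant-time comparison: do not leak token bytes via timing.
        return hmac.compare_digest(expected, presented_token)


def demo() -> dict[str, bool]:
    """Walk through token scoping and post-leak rotation (constructed data)."""
    service = StagingService(secrets.token_bytes(32))
    numpy_token = service.issue_token("numpy-feedstock")
    scipy_token = service.issue_token("scipy-feedstock")
    results = {
        "own_token_accepted":
            service.authorize_upload("numpy-feedstock", numpy_token),
        "other_feedstock_token_rejected":
            service.authorize_upload("numpy-feedstock", scipy_token),
        "unknown_feedstock_rejected":
            service.authorize_upload("pandas-feedstock", numpy_token),
    }
    # Simulate the incident: numpy's token has been exfiltrated, so rotate it.
    new_numpy_token = service.rotate_token("numpy-feedstock")
    results["leaked_token_rejected_after_rotation"] = \
        service.authorize_upload("numpy-feedstock", numpy_token)
    results["rotated_token_accepted"] = \
        service.authorize_upload("numpy-feedstock", new_numpy_token)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Two things this model deliberately leaves out: a real staging service would also bind an upload to the package names the feedstock is allowed to produce, and the server-side check is the only one that matters. Any build environment that can read the token can use it, which is exactly what made the secrets leaked by CircleCI (and, in the Travis CI incident below, exposed to fork PR builds) dangerous; a guard inside the CI script cannot substitute for scoping and rotating the token on the server.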
Outreachy 2022 Wrap-up Blog
- 2022-08-26
This blog is about my work during my Outreachy internship with conda-forge. Before that a little about me - I am Surbhi, an Outreachy intern with conda-forge for the May-August 2022 cohort and I worked on documenting the conda-forge ecosystem.
GPU enabled TensorFlow builds on conda-forge
- 2021-11-03
Recently we’ve been able to add GPU-enabled TensorFlow builds to conda-forge! This was quite a journey, with multiple contributors trying different ways to convince the Bazel-based build system of TensorFlow to build CUDA-enabled packages. But we managed, and the pull request got merged.
Travis CI Security Incident
- 2021-09-24
On September 9, 2021 one of our core devs discovered that artifacts building on Travis CI were being uploaded to our conda channel from PRs running on forked repositories. A quick investigation revealed that Travis CI was passing encrypted secrets to PR builds on forks. Further examination of our logs and artifacts indicated that this had been happening since about September 3, 2021. This security bug was subsequently confirmed by Travis CI. See this CVE for more details on this incident. As far as we know, there were no actual exploits against conda-forge which used this vulnerability.
Contributing Packages To conda-forge Using Grayskull
- 2021-06-16
When contributing packages to conda-forge, Grayskull can make your life much easier. Grayskull generates recipes for Python packages hosted on PyPI.
Conda-forge Outreachy
- 2021-02-02
Conda-forge is participating in the upcoming round of Outreachy, i.e., May 2021 to August 2021. The goal of this program is to increase participation from under-represented groups in free and open-source software. Outreachy is organized by Software Freedom Conservancy.
2020 in Review
- 2020-12-26
As 2020 winds down, the Core team thought it’d be fun to review some of the big accomplishments our community has made this year.
Package Distribution and the anaconda.com Terms of Service
- 2020-11-20
Various members of the community have raised questions publicly and privately about the implications of Anaconda's new Terms of Service (TOS) on anaconda.com. First of all, we understand your concerns. We would like to explain a bit how conda-forge works, how the TOS change affects us and conda-forge users, and what our plans as a community are for the future.
macOS ARM builds on conda-forge
- 2020-10-29
A new platform, osx-arm64, has been added to the build matrix of conda-forge. osx-arm64 packages are built to run on upcoming macOS arm64 processors marketed as Apple Silicon. An installer for this platform can be found here.
The API Territory and Version Number Map
- 2020-10-02
tl;dr Depending on specific version numbers of underlying libraries may be too inaccurate and cause headaches as upstream libraries evolve and change. A more detailed approach is needed. In this post I outline current and potential work on a path towards a more complete inspection of requirements based on APIs and dynamic pinning of libraries.
R 4.0 Migration Retrospective
- 2020-07-11
While the R 4.0 migration has been functionally complete for quite a while, the recent migration of r-java and its dependents gives a good opportunity to write a retrospective on the technical issues with large-scale migrations in conda-forge and how we solved them.
Scipy 2020 Packaging BOF
- 2020-07-02
Have some thoughts about conda-forge and how it can be expanded in a way that is sustainable? Join us in this virtual Birds of a Feather discussion where we’ll discuss maintenance, pain points, opportunities within conda-forge. Any and all are welcome, and we especially are seeking new viewpoints and opinions!
Conda-Forge Operational Risk
- 2020-07-02
Recently I’ve been thinking about operational risk (op. risk). Operational risks arise from failures of processes, for instance a missing email, or an automated software system not running properly. Many commercial institutions are interested in minimizing op. risk, since it is risk that produces no value, as opposed to risks associated with investing. This is also something I think about in my job at Lab49, where I’m a software engineering consultant focusing on financial institutions. I think there is also a good analogy for Conda-Forge, even though we are not a commercial outfit. In this case the risk we incur isn’t the potential for lost earnings but frustration for our users and maintainers in the form of bugs and lackluster user experience. In this post I explore three main sources of operational risk for Conda-Forge: Automation, Top-Down Control, and Self-Service Structure.
PyPy builds on conda-forge
- 2020-03-10
conda-forge now supports PyPy3.6 as the Python interpreter in a conda environment.
Google Summer of Code 2020 improved automatic maintenance of conda-forge
- 2020-02-04
The conda-forge "autotick" bot is a crucial part of conda-forge's infrastructure. It enables automatic maintenance of conda-forge packages by pushing version updates to the underlying software and enabling large migrations of packages from one dependency to another (e.g., Python 3.7 to Python 3.8). As conda-forge grows in size, with over 9,000 packages to date, automatic maintenance of the conda-forge ecosystem will become even more important.
By the power of Grayskull… I have the Conda recipe!
- 2020-02-04
The main goal of the Skeletor is to conquer Grayskull.
Automatically Deployed ABI Migrations
- 2019-12-06
Handling application binary interface (ABI) migrations has always been a hassle for Conda-Forge. Maintaining ABI consistency helps enable the "just use conda-forge" experience for many of our users, making certain that numpy's BLAS is the same as scipy's. As libraries update their code, the new versions may be ABI incompatible, as function signatures and other symbols may have changed, leading to the dreaded segmentation fault and other errors.