Posts by Matthew R. Becker
Travis CI Security Incident
- 2021-09-24
On September 9, 2021, one of our core devs discovered that artifacts built on Travis CI were being uploaded to our conda channel from PRs running on forked repositories. A quick investigation revealed that Travis CI was passing encrypted secrets to PR builds on forks. Further examination of our logs and artifacts indicated that this had been happening since about September 3, 2021. This security bug was subsequently confirmed by Travis CI. See this CVE for more details on this incident. As far as we know, there were no actual exploits against conda-forge which used this vulnerability.
R 4.0 Migration Retrospective
- 2020-07-11
While the R 4.0 migration has been functionally complete for quite a while, the recent migration of r-java and its dependents gives a good opportunity to write a retrospective on the technical issues with large-scale migrations in conda-forge and how we solved them.