Posts by Matthew R. Becker

Travis CI Security Incident

On September 9, 2021 one of our core devs discovered that artifacts building on Travis CI were being uploaded to our conda channel from PRs running on forked repositories. A quick investigation revealed that Travis CI was passing encrypted secrets to PR builds on forks. Further examination of our logs and artifacts indicated that this had been happening since about September 3, 2021. This security bug was subsequently confirmed by Travis CI. See this CVE for more details on this incident. As far as we know, there were no actual exploits against conda-forge which used this vulnerability.

Read more ...


R 4.0 Migration Retrospective

While the R 4.0 migration has been functionally complete for quite a while, the recent migration of r-java and its dependents gives a good opportunity to write a retrospective on the technical issues with large-scale migrations in conda-forge and how we solved them.

Read more ...