Skip to main content

conda-forge core meeting 2023-02-22

Add new agenda items under the Your __new__() agenda items heading

last weeks meeting What time is the meeting in my time zone Meeting info:

Attendees

NameInitialsGitHub IDAffiliation
Matthew BeckerMRBbeckermrcf
Cheng H. LeeCHLchenghleeAnaconda/cf
Eric DillEDericdillAnaconda/cf
Dave ClementsDPCtnabtafAnaconda
John KirkhamJKjakirkhamNVIDIA/cf
Daniel ChingDJCcarterboxArgonne National Laboratory
Jaime Rodríguez-GuerraJRGjaimergpQuansight/cf

10 people total

Standing items

  • intros for new folks on the call

  • open votes

From previous meeting(s)

Active votes

Your new() agenda items

  • (DPC) PyCon US 2023 community booth

    • Proposal will be submitted on Friday.
    • Please signup if you will be there and are interested.

  • (MRB) bot updates

    • As conda-forge grows, the bot gets slower and slower.
      • We should use events but not yet
    • I started putting in changes to reduce latency from hours to ~15-20 minutes hopefully.
    • Due to that, you will see a longer than average queue of version updates.
    • Bot rerun labels should be more responsive though.
    • The actual bot won't be more responsive until some internal refactoring of the data model to support more parallelism (https://github.com/regro/cf-scripts/issues/1610).
    • Steps to move to event-based?
      • Parsing YAML to get JSON that goes into bots DBs (for event-ba)
      • Also need event driven metadata update based on PRs

  • (MRB) old security stuff I never got to

    • I cleaned up the bots only 1 or 2 have admin access to the org now.
    • staged-recipes now runs out of the admin requests repo, meaning staged-recipes has no keys in it.
    • we are almost fully on 1password
    • smithy changes for per CI-service keys and key expiration dates have been made or merged
      • these will make token rotations faster, more focused, and eliminate a race condition in the system

  • scipy talks, sprints, etc.?

    • (CHL) Will be proposing conda/conda-forge sprint when that opens (April-ish)
    • (DPC) will have a new how to package with conda-forge tutorial for pycon 2023
    • (WV) was going to propose a talk but could also help out with tutorial
    • (CHL) Mugs? (Or other schwag)
    • (JK) going to submit a talk for cuda package updates
    • (ED) State of Conda (Ecosystem) 2023 talk?

  • (DJC) libpam CDT or regular package?

    • https://github.com/conda-forge/staged-recipes/pull/21955
    • https://github.com/conda-forge/cdt-builds/pull/55
    • CL: what are they building this for? use cases: talk to existing PAM config. or cdt, allows you to reconfig system pw policy. if we're shipping software that allows to bypass system security config that's not great. in all likelihood, for most ocnda installs that wont work. need escalated priveleges to load stuff. running conda as root might exploit this vulnerability.
    • DJC: naive opinion would be this is the same as shipping other low level security libs. openssh, openssl. if someone's running with user priveleges, this wont escalate their ability to damage the system.
    • CL: is there a way for us to get a list of what gets built by the recipe before we approve it?
    • potential for poor UX if a user accidentally pulls this in
    • CL: links to selinux, so might not work properly on ubuntu. wont work properly across all linux distros

  • (JK) NSIS stable links

  • (DPC) US Research Software Engineer (US RSE) Conference

    • Late 2022 conda survey (which will be published soon) says these are our people.
    • Tutorials are virtual in the weeks before meeting
    • Any interest in presenting a "Publish your software in conda-forge" tutorial
    • An updated tutorial will be available (from our PyCon US presentation.)
    • Proposals due March 20

  • (DPC) PyCon US 2023 Conda & Friends Sprint?

    • Thinking about doing this. Any reason not to?

  • (JRG) Python Talk podcast :)

Pushed to next meeting

  • (JK) CUDA 12 Packages

CFEPs

  • cfep-12 Removing packages that violate the terms of the source package
    • Stalled since May 26, 2020
    • Active debate about moving to "broken" vs deleting from conda-forge channel
    • Active vote, ends on 2020-03-11
    • What were the results of the vote?
    • Did we hear back from NumFOCUS? they did the legal seminar which is recorded