conda-forge core meeting 2025-02-19
Add new agenda items under the Your __new__() agenda items heading
Attendees
| Name | Initials | GitHub ID | Affiliation |
|---|---|---|---|
X people total
Standing items
- [ ]
From previous meeting(s)
- [ ]
Active votes
- [ ]
Your new() agenda items
- (JRG): Code of conduct working group at NumFOCUS.
- Opt-in or not?
- If yes, choose between "Recommend" or "Response".
- Discuss at "The new Code of Conduct working group in NF" thread in Zulip/core
- (JRG) Inactive core to emeritus process starting soon.
- (WV) Run-exports "attach" mode from cache output to outputs
- (WV) Add sigstore support to the ecosystem: what to have in the predicate field?
- Default contents added by Github, but we can also add info in a free-form field.
- PyPI doesn't add any, but for now we could add the channel+label.
- In touch with Anaconda security folks.
- MRB: What if people move the channel? Does it invalidate the signature?
- The blob itself doesn't change. It's a matter of checking whether the claim matches or not with the source channel. This way you can identify copies from "original" uploads. To make it extra secure, the channel also needs to countersign it and "validate" the initial claim.
- MRB: If we, conda-forge, sign a package with "Our keys", then it's a pretty strong claim: "We, conda-forge, generated this package".
- IF: Certificates to sign conda-launchers?
- Currently signed by Anaconda, blocking win-arm64 deployment
- We could sign them with Azure-provisioned NumFOCUS-owned certificates ($10/mo)
- Clone repo to conda-forge, build binaries in CI and repackage them.
- Wolf to get in touch with NF.
Pushed to next meeting
- [ ]
CFEPs
- [ ]