conda-forge core meeting 2025-03-19
Add new agenda items under the Your __new__() agenda items
heading
Attendees
Name | Initials | GitHub ID | Affiliation |
---|---|---|---|
Daniel Ching | DJC | @carterbox | cf / NVIDIA |
Jaime Rodríguez-Guerra | JRG | @jaimergp | Quansight |
Marius van Niekerk | MvN | @mariusvniekerk | cf / Voltron Data |
Uwe Korn | UK | @xhochy | cf / QuantCo |
Wolf Vollprecht | WV | @wolfv | |
Isuru Fernando | IF | @isuruf | |
X people total
Standing items
- [ ]
From previous meeting(s)
- [ ]
Active votes
- IF: Vote for adding Daniel Nachun to staged-recipes ends in ~6 days
- Only 13 votes yet. Need one more vote (quorum needs 27 * 0.5)
- Go to Helios voting platform and log in with Github to see vote
Your new() agenda items
- WV: CVE mapping
- Use PURLs?
- JRG interested in adding PURLs to. See https://github.com/conda/ceps/pull/114
- MvN suggests identifying canonical sources
- UK has been using automated scan tools to identify CVEs in Go packages
- MvN: approach tricky for C/C++, probably better for Rust because they contain enough metadata
- MvN Integrated command could be interested to launch the analysis upon env creation
- UK: these analysis are costly though, in the order of minutes
- UK: Run them on cronjobs on top of small number of known lockfiles
- UK: These analysis lead to discovery of weird dependencies in the tree (terraform > openai > weights and biases)
- UK expressed concerns about Dependabot and Github analysis creating noise with false positives
- DJC: CI restart behavior has changed?
- DJC Close and reopen PRs do not retrigger the CI.
- IF no changes, just flaky Azure.
- WV: Latest tinyxml release was ABI incompatible and broke a few packages. More tests?
- DJC: ABI laboratory dead, but tools appear to have moved to the "Linux Hardware Project". Packaged in conda-forge now.
- WV: Could a tool run the ABILaboratory logic to detect ABI breakage across releases?
- MvN: Create two envs with release and release-1 and diff the results?
- DJC: Library has two methods available: compile with debug symbols, or binary+headers.
- UK: Probably because they also show symbol renames, not just ABI incompatibilities. Might just work for us to run the ABI checks only.
- IF: We should just pull tinyxml2 10.1 version, 11.0 is available
- WV: Agreed for this particular problem
- WV: conda-forge 10th anniversary soon right?
- JRG: Apr 11th. Let's do something fun about it! At the very least a blog post.
Pushed to next meeting
- [ ]
CFEPs
- [ ]