conda-forge core meeting 2025-03-19

Add new agenda items under the Your __new__() agenda items heading

Attendees

| Name | Initials | GitHub ID | Affiliation |
| --- | --- | --- | --- |
| Daniel Ching | DJC | @carterbox | cf / NVIDIA |
| Jaime Rodríguez-Guerra | JRG | @jaimergp | Quansight |
| Marius van Niekerk | MvN | @mariusvniekerk | cf / Voltron Data |
| Uwe Korn | UK | @xhochy | cf / QuantCo |
| Wolf Vollprecht | WV | @wolfv | |
| Isuru Fernando | IF | @isuruf | |

X people total

Standing items

  • [ ]

From previous meeting(s)

  • [ ]

Active votes

  • IF: Vote for adding Daniel Nachun to staged-recipes ends in ~6 days
    • Only 13 votes yet. Need one more vote (quorum needs 27 * 0.5)
    • Go to the Helios voting platform and log in with GitHub to see the vote

Your __new__() agenda items

  • WV: CVE mapping
    • Use PURLs?
    • JRG is interested in adding PURLs to. See https://github.com/conda/ceps/pull/114
    • MvN suggests identifying canonical sources
    • UK has been using automated scan tools to identify CVEs in Go packages
      • MvN: The approach is tricky for C/C++, probably better for Rust because those packages contain enough metadata
    • MvN: It could be interesting to have an integrated command launch the analysis upon env creation
      • UK: These analyses are costly though, in the order of minutes
      • UK: Run them as cronjobs on top of a small number of known lockfiles
      • UK: These analyses lead to the discovery of weird dependencies in the tree (terraform > openai > weights and biases)
    • UK expressed concerns about Dependabot and GitHub analysis creating noise with false positives
  • DJC: CI restart behavior has changed?
    • DJC: Closing and reopening PRs does not retrigger the CI.
    • IF: No changes, just flaky Azure.
  • WV: Latest tinyxml release was ABI incompatible and broke a few packages. More tests?
    • DJC: ABI Laboratory is dead, but the tools appear to have moved to the "Linux Hardware Project". Packaged in conda-forge now.
    • WV: Could a tool run the ABI Laboratory logic to detect ABI breakage across releases?
      • MvN: Create two envs with release and release-1 and diff the results?
      • DJC: Library has two methods available: compile with debug symbols, or binary+headers.
      • UK: Probably because they also show symbol renames, not just ABI incompatibilities. Might just work for us to run the ABI checks only.
    • IF: We should just pull the tinyxml2 10.1 version; 11.0 is available
      • WV: Agreed for this particular problem
  • WV: conda-forge 10th anniversary soon right?
    • JRG: Apr 11th. Let's do something fun about it! At the very least a blog post.

Pushed to next meeting

  • [ ]

CFEPs

  • [ ]