conda-forge core meeting 2025-10-29

Add new agenda items under the Your __new__() agenda items heading

Attendees

| Name | Initials | GitHub ID | Affiliation |
| --- | --- | --- | --- |
| Cheng H. Lee | CHL | chenghlee | Anaconda/cf |
| Jaime Rodríguez-Guerra | JRG | jaimergp | Quansight/cf |
| Mark Allen | MHA | markhallen | GitHub/Dependabot |
| Sylvain Corlay | SC | | QuantStack |
| Rob Aiken | RA | robaiken | GitHub/Dependabot |
| Daniel Ching | DJC | carterbox | NVIDIA/cf |

X people total

Standing items

  • [ ]

From previous meeting(s)

  • [ ]

Active votes

  • [ ]

Your __new__() agenda items

  • CHL/MHA/RA: GitHub/Dependabot team
    • (MHA) Have a plan for version updates using Dependabot, independent of vulnerability feed
      • Queries the conda API for package versions
    • How to gather & provide CVE/vulnerability data for conda-forge packages?
      • (RA) Get information from GH Advisory database; do have support for Python security advisories
      • (RA) Unsure of how to add new ecosystem to advisory database
      • (MHA) Dependabot running within GHA runner; not feasible because of large download size
      • Could we consider tapping into the PyPI data feed and find matches in conda-forge?
      • (JRG) Add upstream PURLs into recipes; current name mapping is heuristic and subject to error
      • (JRG) complexities: not all versions available; multi-output packages; package renames (need to annotate which versions we switched)
      • (SC) Been looking into integrating conda-forge into repology.
      • XREF: https://conda-forge.org/community/minutes/2025-06-11/
      • (JRG) Need to be careful about burdening volunteer maintainers
    • (CHL) Will invite the GitHub/Dependabot team to Zulip; create GitHub issue
  • JRG: zlib -> zlib-ng migration: https://github.com/conda-forge/zlib-ng-feedstock/issues/10
    • CPython 3.14 upstream ships zlib-ng for Windows, with compatibility mode; Pillow, various Linux distros switched to zlib-ng
    • Currently not building compat mode on c-f because it would create conflicts with existing zlib
    • (DJC) Continue to support non-compat mode and ask maintainers to explicitly enable zlib-ng
    • Could make compat-mode a zlib variant, using blas as a reference model
    • (CHL) Does zlib-ng support dynamic dispatch for vector instructions? If not, could break on older systems.
  • DJC: Tegra support (demanded in robotics)
    • CTK 12.9 packages for Tegra sm87,sm101 devices are now live
    • Third-party packages may start building for Tegra
    • arm-variant not required for CUDA 13 (newer devices are SBSA), but we're not ready yet.
      • Once CUDA 12 is dropped, arm-variant can be retired. (No other packages are known to use arm-variant.)
  • DJC: nvidia-virtual-packages
  • CHL: continued support for Windows 10?
    • Regular security support ended on 14-Oct-2025
    • Took a quick look for main and conda-forge download data; as of 15-Oct, 25%-ish of downloads from conda ... Windows/* user agents are still on Windows 10. Roughly matches what Firefox reports
    • Will open an issue on conda-forge.github.io to further discuss
  • WV: Huge refactor of the cache output in rattler-build. More versatile, experiments with the staging output idea.

Pushed to next meeting

  • [ ]

CFEPs

  • [ ]