conda-forge core meeting 2023-01-25

Add new agenda items under the "Your __new__() agenda items" heading

Meeting info:

  • To join the video meeting, click this link: https://zoom.us/j/9138593505?pwd=SWh3dE1IK05LV01Qa0FJZ1ZpMzJLZz09

  • Otherwise, to join by phone, dial +1 347-384-8597 and enter this PIN: 828 997 153#

  • To view more phone numbers, click this link: https://tel.meet/ijv-qsvm-tvn?hs=5

Attendees

Name                      Initials   GitHub ID    Affiliation
Jaime Rodríguez-Guerra    JRG        jaimergp     Quansight / cf
John Kirkham              JK         jakirkham    NVIDIA / cf
Dave Clements             DPC        tnabtaf      Anaconda
Cheng H. Lee              CHL        chenghlee    Anaconda / cf
Jannis Leidel             JL         jezdez       Anaconda / cf

9 people total

Standing items

  • [ ] intros for new folks on the call

  • [ ] open votes

From previous meeting(s)

  • [ ] (MRB) updates on bots and secrets

    • We’ve centralized most of what we use in 1Password

    • I’ve removed some of the Keybase files that are old or misleading

    • We use GitHub Apps for everything where we can

    • will develop notes

  • [X] (HV) OpenSSL 3: https://github.com/conda-forge/conda-forge-pinning-feedstock/issues/3838

    • JRG: Decision was made to close the migration.

Active votes

Your __new__() agenda items

  • [x] (JRG) GSoC applications: my ideas

    • Application time is open.

    • For CZI grant building infrastructure

      • Using a Docusaurus website

      • Use this momentum to refactor the conda-forge website?

      • Example:

        • https://czi-cf-docs.netlify.app

        • https://github.com/quansight-labs/czi-cf-docs

      • No pushback at all.

  • [x] (JRG) NumFOCUS SDG for opt-in CI

    • Small Development Grant

    • https://numfocus.org/programs/small-development-grants

    • Applications start … soon (Feb 15?)

    • Build access control for CI.

    • They have cycles and out-of-cycle grant submissions.

      • Out-of-cycle submissions are less likely to be approved.

      • This is not urgent.

    • Larger issue

      • Do we need to vote on approving grant submissions?

      • Feeling is no. We notify this group so we don’t collide and to see if there are objections, but no formal vote.

    • Aligning on Travis?

      • Travis has been a little unstable lately.

      • https://github.com/conda-forge/conda-forge.github.io/issues/1875

      • Could make Travis opt-in.

      • Requires access controls.

  • [x] (JRG) Certificates for signed installers

    • Miniforge

    • Sign installers that miniforge produces.

    • Have a certificate from NumFOCUS for Apple, but not Windows

    • https://github.com/conda-forge/miniforge/issues/201

    • Talking to Steve Dower @ Microsoft ( https://github.com/zooba ) for advice

    • Could do this for the whole community (?) (see point by Jannis below)

    • Need to look up if an EV cert is required and possibly other things (e.g., timestamping)

    • Concern about security/access to tokens/passwords on CI by non-core

      • Dissolve miniforge team?

      • Promote them to core?

      • Some other way to do signing that avoids this issue?

      • ???

      • JRG: Minimized in a way with AzureSignTool, which relies on an Azure Vault instead of passing raw certificates.

      • CHL: Can get Anaconda supply chain security team to take a look, since that’s work we are doing anyways.

  • [x] (JL) Conda Installer Team

    • [ ] future conda community governance team to handle underlying code/processes to build conda installers

    • [ ] interest in joining miniforge and mambaforge into the team/repo?

    • [ ] still in the aligning/team charter writing phase

  • [x] (DPC) conda-forge tutorial proposal accepted at PyCon US 2023

    • Schedule is not published yet.

    • One output is updated docs for conda-forge/staged-recipes

    • (JRG) Could create an Element room for tutorial Q&A

    • FF: Seek help from the community. Tweet about possible help room for participants

  • [x] (JK) OpenSSL

    • TensorFlow was a blocker. Has already been rebuilt.

    • Couple others with unknown status.

    • With Ruby you need a current version of Ruby

    • Same with NodeJS.

    • Is this done enough?

    • We talked about it in this call. There was no opposition. In fact there was outright support for closing it!

    • so: Yes let’s close.

    • Who will do this? JRG will do this.

Pushed to next meeting

CFEPs

  • cfep-12 Removing packages that violate the terms of the source package

    • Stalled since May 26, 2020

    • Active debate about moving to “broken” vs deleting from conda-forge channel

    • Active vote, ends on 2020-03-11

    • What were the results of the vote?

    • Did we hear back from NumFOCUS? They did the legal seminar, which is recorded

    • And, see above too.