Governance document moved to conda-forge/governance
Following a change in our governance, this document lives now in conda-forge/governance
, along with the CSV files that list the core
and emeritus
members.
Following a change in our governance, this document lives now in conda-forge/governance
, along with the CSV files that list the core
and emeritus
members.
The base image for our Ubuntu Dockerfiles has been upgraded from Ubuntu 20.04 (focal) to Ubuntu 24.04 (noble) in PR #145. This change ensures continued support and access to newer packages and system libraries.
Downstream users building on top of the Ubuntu variant of our containers should verify compatibility with the updated environment.
Thanks to @rpanai for the contribution and to the reviewers for their input.
Yesterday, conda-forge
was notified of a security incident reporting that the anaconda.org
upload token
for the conda-forge
channel had been accidentally leaked between on or about 2025-02-10 to 2025-04-01. Our
investigation resulted in the temporary artifact upload shutdown you observed yesterday (2025-04-01). The results
of our analysis show that, as best as can reasonably be determined, the token was not used by any 3rd party to
upload malicious artifacts.
More details in the corresponding blog post.
TL;DR: We have made some updates to our Docker images and build time GLIBC selection.
c_stdlib_version
(especially for CUDA-enabled feedstocks), though our baseline of 2.17 hasn't changed.os_version: ...
(see below).linux-anvil-{x86_64,aarch64,ppc64le}:{cos7,alma8,alma9}
In general, it won't be necessary in the vast majority of cases to override the
docker-image, but if you need to do so, you can add the following to conda-forge.yml
os_version: # just to demo different values;
linux_64: cos7 # whenever possible, please use
linux_aarch64: alma8 # homogeneous distro versions
linux_ppc64le: alma9 # across platforms
We will be slowly migrating conda-forge
to use unique feedstock tokens per provider. The feedstock token is used to allow maintainers to copy packages from our staging area to the main conda-forge
channel. This change will improve our security posture and help us limit the impact of any leaked tokens. During this migration we will also be using newly implemented feedstock token expiration times to avoid race conditions between token changes and running builds.
The core team has decided to change the time when core meetings happen to accommodate more attendees across different timezones. It will still happen every two Wednesdays, but starting next Wednesday, November 13th 2024, it will alternate between 17:00-18:00 UTC and 14:00-15:00 UTC.
For clarity, these are the next dates:
A new calendar is now available in the Community > Meetings section to help find the dates.
Two weeks ago we called a vote on CFEP-23 to decide whether we move our Element/Matrix chat rooms to Zulip.
This vote has passed and now we are opening the doors to our Zulip instance: https://conda-forge.zulipchat.com/. Please sign up to stay in touch!
As per CFEP-23 (read it for more details), this means that we will stop using our Element chat rooms. Instead all chat activity will continue in Zulip.
We have changed our feedstock output validation procedure. Instead of automatically
adding new packages to existing feedstocks (e.g., when a new output is added), we will now
require that maintainers submit a PR to add the new output via our
admin-requests repository.
New feedstocks created via staged-recipes
will have their outputs added automatically. If you maintain a feedstock
that regularly adds new outputs (e.g., llvmdev
has libllvm18
, libllvm19
, etc.), you can use the admin-requsts
repo
to add a glob pattern that matches the pattern of your new outputs. We test these patterns aginst new outputs from the feedstock
using the Python fnmatch
module. Outputs from the feedstock that match a glob pattern will added automatically. Further
details on package output validation can be found in our documentation.
For nearly two years now, we have favored the use python-build
as the package name for the PyPA build
project over build
. In fact, the build
feedstock on conda-forge
is archived and has not had its version
updated. To complete this transition, we are going to mark all existing build
packages as broken, provide
a more detailed linter hint, and turn off the migration infrastructure we've been using to help move feedstocks.
Any questions or comments can be directed to the GitHub issue on this work.
Starting with Python 3.13, pip
will no longer have setuptools
and wheel
as dependencies
by default. While this default made sense at the time conda-forge
was started (over 8 years ago!),
with the advent of Python packaging build backends (e.g., flit
, poetry
, hatchling
, etc.),
this default is no longer correct. Instead, you will need to specify wheel
and/or setuptools
explicitly in the host
section of your recipe if you need them. At first, pip
for versions of Python before 3.13 will be unaffected.
However, after the completion of the Python 3.13 migration, we will remove these dependencies from pip
for all
versions of Python. Follow GitHub issue #2252
for more information and updates.