Skip to main content

2026-05-27 Conda Ecosystem Meeting

Zoom link · What time is the meeting in my time zone: 5pm, 2pm

Various parts of the conda ecosystem gather on a regular basis. This meeting brings together all of these sub-communities for a community wide call.

Attendees

  1. DJC: Daniel J. Ching (@carterbox), NVIDIA, cf
  2. JRG: Jaime Rodríguez-Guerra (@jaimergp), Quansight, CF/C, C/SC
  3. SM: Schuyler Martin (@schuylermartin45), Anaconda
  4. CHL: Cheng H. Lee (@chenghlee), Anaconda, CF/C, C/SC
  5. TH: Travis Hathaway (@travishathaway), Anaconda
  6. JS: Jakov Smolic (@jsmolic), Quansight
  7. MRB: Matthew Becker (@beckermr), CF/C
  8. JL: Jannis Leidel (@jezdez), Anaconda, CF/C, C/SC
  9. SG: Shahaf Golan, JFrog Artifactory
  10. JK: John Kirkham (@jakirkham), NVIDIA/CF/CFC

Introductions

  • Shahaf Golan joins from JFrog, as the tech lead of the team that works on conda integrations in artifactory

Announcements

From previous meetings

(see CHL's item below)

New agenda items

  • WV: Status of https://github.com/conda/ceps/pull/146? What's needed to call a vote?
    • Action items:
      • add free form field too in repodata_revisions, all optional
      • defer url inclusion after security concerns with mirrors were raised (SG from JFrog was present, thanks!)
      • MRB also mentioned that we need to prevent packages from injecting url from index.json; indexers need to validate and reject keys not covered by the schema (especially if they are optional at the indexing level)
      • call a vote
  • TH: Staged recipe dashboard MVP
    • Demo time 🎉
      • Overview page
      • Scoreboard page
    • Roadmap: https://hackmd.io/@thath/Hy9iAvbeMg
    • What else would be useful? What does GitHub not do well that we can compensate for?
    • How do we measure when something is "ready for review"
    • Further statistics to track (average review time, time to first response, more?)
    • Summary of comments: Response was positive, received concrete feedback by DJC, MRB suggested it could be part of conda-forge.org website (JRG agrees but that comes with questions about database size and how to deploy it in production). TH to iterate on prototype phase for a bit before tackling that challenge.
  • SM: GHA CLA 404: https://github.com/conda/conda-recipe-manager-test-data/pull/8
    • GitHub API updated on 2026-03-10 | Endpoint Docs
    • Token problem as 404 instead of 403?
  • CHL: (About hardcoded activation paths in conda, in the context of "more unixy Cpython for Windows" CFEP) Did we write CEPs for all the other magic strings inside conda?. Thing about making these sort of issues into CEPs is that it would force what are essentially conda-forge's and Anaconda's conventions on all channels, which is something we as an ecosystem could do, but we should be deliberate about it. (Might not make that big a difference practically speaking, since such conventions are already hard-coded into conda & friends in various ways.)
  • JL: Feedback on https://github.com/conda/ceps/pull/154?
    • I'd like to get back to implementation for conda and mamba
    • Any major concerns, especially from prefix.dev given their implementation?
  • WV: PURL & CVE dashboard for conda-forge: https://prefix-dev.github.io/purl-associator/
    • JRG: sig-purls repo for everything PURL in conda ecosystem!
    • JL (in chat): [...] that’s in prefix-dev right now, any plans to move that into conda-forge org?
      • consensus: fine to have it in prefix-dev while prototyping, eventually needs to move to a channel controlled and CEP approved metadata source (e.g. repodata.json via https://github.com/conda/ceps/pull/63)
  • WV: quarantine for conda-forge on prefix.dev mirror [to be able to deal with potential ongoing supply chain attacks]
  • WV: Sovereign Tech Agency application submitted for security improvements to conda-forge; shared in conda-forge/core chat for details.