---
tags: [meeting-notes]
title: '2025-10-29'
---

# conda-forge core meeting 2025-10-29

Add new agenda items under the `Your __new__() agenda items` heading

- [Zoom link](https://zoom.us/j/9138593505?pwd=SWh3dE1IK05LV01Qa0FJZ1ZpMzJLZz09)
- [What time is the meeting in my time zone](https://dateful.com/convert/utc?t=5pm)
- [Previous meetings](https://conda-forge.org/community/minutes/)

## Attendees

| Name                    | Initials | GitHub ID       | Affiliation                 |
| ----------------------- | -------- | --------------- | --------------------------- |
| Cheng H. Lee            | CHL      | chenghlee       | Anaconda/cf                 |
| Jaime Rodríguez-Guerra  | JRG      | jaimergp        | Quansight/cf                |
| Mark Allen              | MHA      | markhallen      | GitHub/Dependabot           |
| Sylvain Corlay          | SC       | QuantStack      |                             |
| Rob Aiken               | RA       | robaiken        | GitHub/Dependabot           |
| Daniel Ching            | DJC      | carterbox       | NVIDIA/cf                   |

X people total

### Standing items

- [ ]

### From previous meeting(s)

- [ ]

### Active votes

- [ ]

### Your __new__() agenda items

- [x] CHL/MHA/RA: GitHub/Dependabot team
  - (MHA) Have a plan to version updates using dependabot, independent of vulnerability feed
    - Queries the conda API for package versions
  - How to gather & provide CVE/vulnerability data for conda-forge packages?
    - (RA) Get information from GH Advisory database; do have support for Python security advisories
    - (RA) Unsure of how to add new ecosystem to advisory database
    - (MHA) Dependabot running within GHA runner; not feasible because of large download size
    - Could we consider tapping into the PyPI data feed and find matches in conda-forge?
      - (JRG) Add upstream PURLs into recipes; current name mapping is heuristic and subject to error
      - (JRG) complexities: not all versions available; multi-output packages; package renames (need to annotate which versions we switched)
    - (SC) Been looking into integrating conda-forge into repology.
      - XREF: https://conda-forge.org/community/minutes/2025-06-11/
    - (JRG) Need to be careful about burdening volunteer maintainers
    - (CHL) Will invite the GitHub/Dependabot team to Zulip; create GitHub issue
- [X] JRG: `zlib` -> `zlib-ng` migration: https://github.com/conda-forge/zlib-ng-feedstock/issues/10
  - CPython 3.14 upstream ships zlib-ng for Windows, with compatibility mode; Pillow, various Linux distros switched to zlib-ng
  - Currently not building compat mode on c-f because it would create conflicts with existing `zlib`
  - (DJC) Continue to support non-compat mode and ask maintainers to explicitly enable zlib-ng
  - Could make compat-mode a `zlib` variant, using `blas` as a reference model
  - (CHL) Does zlib-ng support dynamic dispatch for vector instructions? If not, could break on older systems.
- [X] DJC: Tegra support (demanded in robotics)
  - CTK 12.9 packages for Tegra sm87, sm101 devices are now live
  - Third-party packages may start building for Tegra
  - arm-variant not required for CUDA 13 (newer devices are SBSA), but we're not ready yet.
  - Once CUDA 12 is dropped, arm-variant can be retired. (No other packages are known to use `arm-variant`.)
- [x] DJC: nvidia-virtual-packages
  - A conda virtual package plugin which detects the minimum CUDA architecture available on the system
  - Source: https://github.com/NVIDIA/nvidia-virtual-packages
  - RFC: https://github.com/conda-forge/conda-forge.github.io/issues/2623
  - Motivation: Deep learning packages often have minimum supported CUDA archs which don't align with the CTK
    - https://github.com/conda-forge/cudnn-feedstock/issues/124
    - https://github.com/conda-forge/flash-attn-feedstock/blob/b6e3742a7343268a33a285c593753fd49b46d268/recipe/meta.yaml#L23
  - Motivation: Would be possible to break large binaries into smaller variants along CUDA arch
  - CHL: Apply for conda incubator
  - CHL: CUDA virtual packages should all live in the same place; though we can decide later exactly where.
  - JRG: There is a draft CEP about standard names for virtual packages
  - How to address bootstrap problem
    - conda-forge and Anaconda could just make `conda` depend on this/these plugins
    - pixi doesn't have a plug-in system, but could integrate virtual packages directly into pixi
- [x] CHL: continued support for Windows 10?
  - [Regular security support](https://endoflife.date/windows) ended on 14-Oct-2025
  - Took a quick look for `main` and `conda-forge` download data; as of 15-Oct, 25%-ish of downloads from `conda ... Windows/*` user agents are still on Windows 10. Roughly matches what [Firefox reports](https://data.firefox.com/dashboard/hardware#operating-system-metric-overview-1)
  - Will open an issue on conda-forge.github.io to further discuss
- [X] WV: Huge refactor of the `cache` output in rattler-build. More versatile, experiments with the staging output idea.

### Pushed to next meeting

- [ ]

### CFEPs

- [ ]