---
tags: [meeting-notes]
title: '2025-03-19'
---
# conda-forge core meeting 2025-03-19
Add new agenda items under the `Your __new__() agenda items` heading
- [Zoom link](https://zoom.us/j/9138593505?pwd=SWh3dE1IK05LV01Qa0FJZ1ZpMzJLZz09)
- [What time is the meeting in my time zone](https://dateful.com/convert/utc?t=5pm)
- [Previous meetings](https://conda-forge.org/community/minutes/)
## Attendees
| Name | Initials | GitHub ID | Affiliation |
| ----------------------- | -------- | --------------- | --------------------------- |
| Daniel Ching | DJC | @carterbox | cf / NVIDIA |
| Jaime Rodríguez-Guerra | JRG | @jaimergp | Quansight |
| Marius van Niekerk | MvN | @mariusvniekerk | cf / Voltron Data |
| Uwe Korn | UK | @xhochy | cf / QuantCo |
| Wolf Vollprecht | WV | @wolfv | |
| Isuru Fernando | IF | @isuruf | |
X people total
### Standing items
- [ ]
### From previous meeting(s)
- [ ]
### Active votes
- [X] IF: Vote for adding Daniel Nachun to staged-recipes ends in ~6 days
  - Only 13 votes so far. Need one more vote (quorum needs 27 * 0.5)
  - Go to the Helios voting platform and log in with GitHub to see the vote
### Your __new__() agenda items
- [X] WV: CVE mapping
  - Use PURLs?
  - JRG interested in adding PURLs to. See https://github.com/conda/ceps/pull/114
  - MvN suggests identifying canonical sources
  - UK has been using automated scan tools to identify CVEs in Go packages
  - MvN: approach tricky for C/C++, probably better for Rust because those packages contain enough metadata
  - MvN: An integrated command could be interesting for launching the analysis upon env creation
  - UK: these analyses are costly though, on the order of minutes
  - UK: Run them as cronjobs on top of a small number of known lockfiles
  - UK: These analyses lead to the discovery of weird dependencies in the tree (terraform > openai > weights and biases)
  - UK expressed concerns about Dependabot and GitHub analysis creating noise with false positives
- [x] DJC: CI restart behavior has changed?
  - DJC: Closing and reopening PRs does not retrigger the CI.
  - IF: no changes, just flaky Azure.
- [X] WV: Latest tinyxml release was ABI incompatible and broke a few packages. More tests?
  - DJC: ABI Laboratory is dead, but the tools appear to have moved to the "Linux Hardware Project". Packaged in conda-forge now.
  - DJC: https://github.com/lvc/abi-dumper
  - WV: Could a tool run the ABI Laboratory logic to detect ABI breakage across releases?
  - MvN: Create two envs with release and release-1 and diff the results?
  - DJC: The library has two methods available: compile with debug symbols, or binary+headers.
  - UK: Probably because they also show symbol renames, not just ABI incompatibilities. Might just work for us to run the ABI checks only.
  - IF: We should just pull the tinyxml2 10.1 version; 11.0 is available
  - WV: Agreed for this particular problem
- [X] WV: conda-forge 10th anniversary soon, right?
  - JRG: Apr 11th. Let's do something fun about it! At the very least a blog post.
### Pushed to next meeting
- [ ]
### CFEPs
- [ ]