| 1 | +--- |
| 2 | +tags: [meeting-notes] |
| 3 | +title: '2025-03-19' |
| 4 | +--- |
| 5 | +# conda-forge core meeting 2025-03-19 |
| 6 | + |
| 7 | +Add new agenda items under the `Your __new__() agenda items` heading |
| 8 | + |
| 9 | +- [Zoom link](https://zoom.us/j/9138593505?pwd=SWh3dE1IK05LV01Qa0FJZ1ZpMzJLZz09) |
| 10 | +- [What time is the meeting in my time zone](https://dateful.com/convert/utc?t=5pm) |
| 11 | +- [Previous meetings](https://conda-forge.org/community/minutes/) |
| 12 | + |
| 13 | +## Attendees |
| 14 | + |
| 15 | +| Name | Initials | GitHub ID | Affiliation | |
| 16 | +| ----------------------- | -------- | --------------- | --------------------------- | |
| 17 | +| Daniel Ching | DJC | @carterbox | cf / NVIDIA | |
| 18 | +| Jaime Rodríguez-Guerra | JRG | @jaimergp | Quansight | |
| 19 | +| Marius van Niekerk | MvN | @mariusvniekerk | cf / Voltron Data | |
| 20 | +| Uwe Korn | UK | @xhochy | cf / QuantCo | |
| 21 | +| Wolf Vollprecht | WV | @wolfv | | |
| 22 | +| Isuru Fernando | IF | @isuruf | | |
| 23 | +| | | | | |
| 24 | +| | | | | |
| 25 | +| | | | | |
| 26 | + |
| 27 | +X people total |
| 28 | + |
| 29 | +### Standing items |
| 30 | + |
| 31 | +- [ ] |
| 32 | + |
| 33 | +### From previous meeting(s) |
| 34 | + |
| 35 | +- [ ] |
| 36 | + |
| 37 | +### Active votes |
| 38 | + |
| 39 | +- [X] IF: Vote for adding Daniel Nachun to staged-recipes ends in ~6 days |
| 40 | + - Only 13 votes yet. Need one more vote (quorum needs 27 * 0.5) |
| 41 | + - Go to Helios voting platform and log in with Github to see vote |
| 42 | + |
| 43 | +### Your __new__() agenda items |
| 44 | + |
| 45 | +- [X] WV: CVE mapping |
| 46 | + - Use PURLs? |
| 47 | + - JRG interested in adding PURLs to. See https://github.com/conda/ceps/pull/114 |
| 48 | + - MvN suggests identifying canonical sources |
| 49 | + - UK has been using automated scan tools to identify CVEs in Go packages |
| 50 | + - MvN: approach tricky for C/C++, probably better for Rust because they contain enough metadata |
| 51 | + - MvN Integrated command could be interested to launch the analysis upon env creation |
| 52 | + - UK: these analysis are costly though, in the order of minutes |
| 53 | + - UK: Run them on cronjobs on top of small number of known lockfiles |
| 54 | + - UK: These analysis lead to discovery of weird dependencies in the tree (terraform > openai > weights and biases) |
| 55 | + - UK expressed concerns about Dependabot and Github analysis creating noise with false positives |
| 56 | +- [x] DJC: CI restart behavior has changed? |
| 57 | + - DJC Close and reopen PRs do not retrigger the CI. |
| 58 | + - IF no changes, just flaky Azure. |
| 59 | +- [X] WV: Latest tinyxml release was ABI incompatible and broke a few packages. More tests? |
| 60 | + - DJC: ABI laboratory dead, but tools appear to have moved to the "Linux Hardware Project". Packaged in conda-forge now. |
| 61 | + - DJC: https://github.com/lvc/abi-dumper |
| 62 | + - WV: Could a tool run the ABILaboratory logic to detect ABI breakage across releases? |
| 63 | + - MvN: Create two envs with release and release-1 and diff the results? |
| 64 | + - DJC: Library has two methods available: compile with debug symbols, or binary+headers. |
| 65 | + - UK: Probably because they also show symbol renames, not just ABI incompatibilities. Might just work for us to run the ABI checks only. |
| 66 | + - IF: We should just pull tinyxml2 10.1 version, 11.0 is available |
| 67 | + - WV: Agreed for this particular problem |
| 68 | + - [X] WV: conda-forge 10th anniversary soon right? |
| 69 | + - JRG: Apr 11th. Let's do something fun about it! At the very least a blog post. |
| 70 | + |
| 71 | + |
| 72 | + |
| 73 | +### Pushed to next meeting |
| 74 | + |
| 75 | +- [ ] |
| 76 | + |
| 77 | +### CFEPs |
| 78 | + |
| 79 | +- [ ] |
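Review bot: the attendee count is still the template placeholder "X people total" although six people are listed in the table above, and the table keeps three empty rows; fill in the count (6) and drop the empty rows so the minutes are accurate as committed. The anniversary item "- [X] WV: conda-forge 10th anniversary soon right?" is indented under the tinyxml ABI discussion but is a separate agenda item; dedent it to the top level of the `Your __new__() agenda items` list. Two sentences are incomplete or ungrammatical in the CVE mapping notes: "JRG interested in adding PURLs to." is missing its object (presumably the repodata, per the linked CEP), and "these analysis are costly" / "These analysis lead to" should read "these analyses". The empty "- [ ]" bullets under Standing items, From previous meeting(s), Pushed to next meeting and CFEPs are template leftovers; either record "none" or remove them.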