Merge branch 'main' into 2023-07-12-meeting-notes

jakirkham · web-flow · commit fa0126dd6f35 · 2023-07-18T18:25:05.000-07:00
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,123 @@
+# conda-forge vulnerability handling process
+
+This document summarizes and proposes guidelines for handling vulnerabilities reported in
+conda-forge's infrastructure.
+
+Security issues and vulnerabilities have expectations and processes that are differ from typical
+open source practices:
+
+- Private discussions
+- Obfuscation
+- Short timeline
+
+This makes it quite hard to be able to understand, learn, or know what to expect from a security
+point of view. This document will give you a glimpse on what's happening on the inside, and what
+timeline to expect when you report a security vulnerability. It will also serve as a guideline and
+task list for conda-forge members on how to handle security related issues.
+
+## Scope
+
+This process applies to *all projects* governed by conda-forge. This includes:
+
+- conda-forge feedstock machinery
+- conda-forge infrastructure and bots
+- conda-forge website and documentation
+
+Conversely, this process does NOT apply to the software packaged by conda-forge itself. Please contact the upstream maintainers directly.
+
+## Reporting Vulnerabilities
+
+If you believe you’ve found a security vulnerability in a conda-forge project, please responsibly report it to condaforge+security@gmail.com. conda-forge will try to will respond within 7 days to all new reports.
+
+We are also testing GitHub Private vulnerability reporting, you can try to submit a security advisory on [conda-forge/conda-forge.github.io using this link](https://github.com/conda-forge/conda-forge.github.io/security/advisories/new).
+
+## Coordinated Disclosures
+
+conda-forge follows a [coordinated disclosure][coordinated-disclosure] model where the initial
+report and remediation are handled privately, but the completion description is made public once a
+patch is available. conda-forge will disclose known vulnerabilities within 90 days by default,
+whether a patch is available or not.
+
+## Acknowledgement
+
+conda-forge will work to ensure that security researchers, developers, users, or others who
+identify and report vulnerabilities within conda-forge projects receive acknowledgement for their
+contribution.
+
+## Vulnerability Triage & Remediation Process
+
+This section describes an example process used by conda-forge to track, remediate, and disclose a
+reported vulnerability. This description is both a reference for the conda-forge community and a
+guideline for contributors. The actual process may vary depending on the nature of the
+vulnerability.
+
+### Roles
+
+This process defines these roles:
+- **Reporter** The individual(s) who report the vulnerability
+- **Coordinator** A conda-forge core member who facilitates the tracking of the vulnerability
+  through this process
+- **Developer** One or more developers who work on remediating the vulnerability
+
+For the purpose of this document these roles are distinct, in practice, some of these roles may be handled by the same individual. However, the roles should be covered by a minimum of two separate individuals. For example, a Reporter may also fill the Developer role and create the remediation, in this case the Coordinator should be a separate individual.
+
+### Process
+
+The role responsible for each step is noted at the beginning.
+
+- Upon receipt of the initial report:
+  - **Coordinator**: Respond to the reported and acknowledge receipt of the report in the timeframe
+    given in the "Reporting Vulnerabilities" section.
+  - **Coordinator**: Open an issue in the private GitHub repository used for tracking
+    vulnerabilities across projects
+  - **Coordinator**: Review the issue for completeness and suitability (triage). If more
+    information is needed, follow up with the Reporter.
+- If the vulnerability is not accepted:
+  - **Coordinator**: Close the issue
+  - **Coordinator**: Notify the reporter
+- If the vulnerability is accepted, within the relevant repositories:
+  - **Coordinator**: Open a draft [GitHub Security
+    Advisory](https://docs.github.com/en/code-security/repository-security-advisories/about-github-security-advisories-for-repositories#about-github-security-advisories)
+    - Include relevant but sanitized details in the top level comment, which will become public
+    - Sensitive details and reproductions go in the comments on the draft advisory, which are not
+      public
+    - **Coordinator**: Add relevant people to the advisory
+    - **Developer**: Attempt to replicate the reported vulnerability. Request more information from
+      the **Reporter** if necessary.
+    - **Developer**: Work on the [vulnerability fix
+      PR](https://docs.github.com/en/code-security/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability#creating-a-temporary-private-fork).
+    - **Coordinator**/**Developer**: If appliccable, request a
+      [CVE](https://docs.github.com/en/code-security/repository-security-advisories/about-github-security-advisories-for-repositories#cve-identification-numbers)
+      from GitHub. The CVE Number will be private until the advisory is published.
+    - **Developer & Coordinator**: Decide on release and announcement dates and post them the draft
+      advisory.
+  - **Coordinator**: Post the release and announcement dates on the conda-forge core chat room and
+    mailing list.
+  - **Developer**: Merge the security fix PR
+  - **Developer**: Release the package and/or deploy the fix as appropriate
+  - **Developer & Coordinator**: Draft a [blog post](https://github.com/conda-forge/blog) and other
+    announcement texts. This can be done in parallel with the previous steps, but consider using a
+    [private advisory](https://github.com/conda-forge/blog/security/advisories) for the text.
+  - **Coordinator**: Publish the security advisory on the announcement date. If applicable, GitHub
+    will post the CVE to the MITRE database.
+  - **Coordinator**: Publish the blog post and other announcements (Element chat room, Twitter,
+    etc) as necessary.
+- **Coordinator**: Notify the **Reporter** of the releases
+- **Coordinator**: Close the issue in the tracking repository
+
+> Notes to Developers
+>
+> - Be aware that GitHub CI workflows won't run on security forks, so reviewers must test manually
+>   to avoid a broken CI when the patch is merged to the public repo.
+> - Also, vulnerabilities may involve multiple private security forks across different GitHub
+>   organizations.
+> - This may require additional manual steps to include those private forks.
+
+[coordinated-disclosure]: https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html#responsible-or-coordinated-disclosure
+
+---
+
+> This document is based on the excellent [write-up](https://github.com/jupyter/security/blob/86ec517/docs/vulnerability-handling.md) used by the Jupyter community, [BSD-3 licensed](https://github.com/jupyter/security/blob/86ec517/LICENSE).
+
+
+
diff --git a/src/conf.py b/src/conf.py
@@ -118,6 +118,7 @@
     r'https://conda-forge.org/status/#armosxaddition$',
     r'https://github.com/conda-forge/conda-smithy/blob/main/CHANGELOG.rst#v3130$',
     r'https://github.com/.*#L\d+-L\d+$',
+    r'https://github.com/.*#L\d+$',
     r'https://github.com/conda-forge/miniforge/#download$',
     r'https://github.com/conda-incubator/grayskull#introduction$',
 ]
diff --git a/src/core.csv b/src/core.csv
@@ -5,6 +5,7 @@ chrisburr,christopher.burr@cern.ch,Chris Burr
 cj-wright,cjwright4242@gmail.com,Christopher J. 'CJ' Wright
 dopplershift,rmay@ucar.edu,Ryan May
 ericdill,ericdill@pm.me,Eric Dill
+h-vetinari,h.vetinari@gmx.com,Axel Obermeier
 isuruf,isuruf@gmail.com,Isuru Fernando
 jakirkham,jkirkham@nvidia.com,John Kirkham
 jezdez,jleidel@anaconda.com,Jannis Leidel
diff --git a/src/maintainer/knowledge_base.rst b/src/maintainer/knowledge_base.rst
@@ -1132,7 +1132,7 @@ In order to qualify as a noarch python package, all of the following criteria mu
   ``dataclasses``.
 
 .. hint::
-  
+
   You can build platform-specific ``noarch`` packages to include runtime requirements depending on the target OS.
   See mini-tutorial below.
 
@@ -1148,7 +1148,7 @@ It is possible to build ``noarch`` packages with runtime requirements that depen
 (Linux, Windows, MacOS), regardless the architecture (amd64, ARM, PowerPC, etc). This approach
 relies on three concepts:
 
-1.  `Virtual packages <https://docs.conda.io/projects/conda/en/latest/user-guide/tasks/manage-virtual.html>`__. 
+1.  `Virtual packages <https://docs.conda.io/projects/conda/en/latest/user-guide/tasks/manage-virtual.html>`__.
     Prefixed with a double underscore, they are used by conda to represent system properties as
     constraints for the solver at install-time. We will use ``__linux``, ``__win`` or ``__osx``,
     which are only present when the running platform is Linux, Windows, or MacOS, respectively.
@@ -1826,7 +1826,7 @@ If you close the PR, it makes the bot think that another PR implementing the mig
 Another reason why it is good to keep the PR open or in draft status is that people might help with it if they want in the future.
 
 In some cases a migration PR may not get opened. Please look for
-`the migration on our status page <https://conda-forge.org/status/#current_migrations>`_
+`the migration on our status page <https://conda-forge.org/status/#big_migrations>`_
 to see if there are any issues. This may show there are still dependencies
 needing migration, in which case the best approach is to wait (or if possible
 offer to help migrate those dependencies). If there is a bot error, there will
@@ -1860,6 +1860,9 @@ You are also free to download recipes and rebuild them yourself, if you would li
 3. We have `artifact-validation <https://github.com/conda-forge/artifact-validation>`__ for validating all the conda-forge artifacts uploaded to ``anaconda.org``. This validation scans for various security-related items, such as artifacts that overwrite key pieces of certain packages.
 4. We have a dedicated `Security and Systems Sub-Team <https://conda-forge.org/docs/orga/subteams.html?highlight=security+team#security-and-systems-sub-team>`__ who works hard towards making sure to secure and maintain appropriate access to the credentials and services/systems used by conda-forge.
 
+If you have found a security-related issue with conda-forge, please check our `Security Policy <https://github.com/conda-forge/conda-forge.github.io/security/policy>`__
+to learn how to report it responsibly.
+
 Significant Changes To Upstream Projects
 ========================================
 
diff --git a/src/maintainer/updating_pkgs.rst b/src/maintainer/updating_pkgs.rst
@@ -68,7 +68,7 @@ When a new version of a package is released on PyPI/CRAN/.., we have a bot that
 The `regro-cf-autotick-bot <https://github.com/regro/autotick-bot>`__ continuously searches on a loop for any PyPI releases, GitHub releases, and any other sources of versions when any updates are released. The source code that gets executed in the loop comes from the `cf-scripts repository <https://github.com/regro/cf-scripts>`__, which contains the code to detect versions and submit PRs. Visit `cf-scripts <https://regro.github.io/cf-scripts/index.html>`__ to read more about it.
 
 The bot creates updates via inspection of the upstream release and will always update the ``source`` section and build version in the `recipe metadata <https://docs.conda.io/projects/conda-build/en/stable/resources/define-metadata.html#>`_.
-As an experimental feature, the autotick bot can also be configured to verify or update the recipe's requirements for `Grayskull <https://github.com/conda-incubator/grayskull>`_-compatible recipes. 
+As an experimental feature, the autotick bot can also be configured to verify or update the recipe's requirements for `Grayskull <https://github.com/conda-incubator/grayskull>`_-compatible recipes.
 This may help maintain packages with frequent requirements changes or specific requirements version pins, however this feature is not as extensively verified and proposed updates should be reviewed.
 (See the :ref:`bot` section in ``conda-forge.yml``)
 
@@ -174,7 +174,7 @@ Updating for newly released Python version
 ==========================================
 
 When a new Python version is released (e.g. ``3.11``), an automatic migration process is triggered that will have ``@regro-cf-autotick-bot`` eventually automatically open pull requests to all feedstocks, updating their CI setup to include the new Python version in the build matrix. After veryfing that the PR build passes, that automatic PR can simply be merged to roll out packages for new Python version.
-This process takes time, though, and pull requests will not be opened to all feedstocks at the same time to not overload CI. The current status of the migration can be tracked on the `migration status page <https://conda-forge.org/status/#current_migrations>`_ and there maintainers can verify that their feedstock is listed under the ``AWAITING-PR`` dropdown list.
+This process takes time, though, and pull requests will not be opened to all feedstocks at the same time to not overload CI. The current status of the migration can be tracked on the `migration status page <https://conda-forge.org/status/#big_migrations>`_ and there maintainers can verify that their feedstock is listed under the ``AWAITING-PR`` dropdown list.
 
 Testing changes locally
 =======================
@@ -247,7 +247,7 @@ the `repo data patches feedstock <https://github.com/conda-forge/conda-forge-rep
 If this is the case, the following general guidelines should be followed:
 1. Update the feedstocks recipe to ensure future builds do not propagate the issue with a new build number.
 2. Please make a PR there to add a patch. The patch should specify as much has possible the versions and times when the packages were generated. It may use the following information
-   
+
    - The current timestamp, you may generate it with ``python -c "import time; print(f'{time.time():.0f}000')"``.
    - The problematic version and build numbers of the packages to affect.
 
@@ -285,7 +285,7 @@ an issue in the feedstock repository with the following title:
 ``@conda-forge-admin, please add user @username``
 
 where ``username`` is the username of the new maintainer to be added.
-A PR will be automatically created and a maintainer or a member of the ``core`` team, in case no maintainer is active anymore, can then merge this PR to add the user. 
+A PR will be automatically created and a maintainer or a member of the ``core`` team, in case no maintainer is active anymore, can then merge this PR to add the user.
 To contact core, ping them by mentioning @conda-forge/core in a comment or, if you haven't heard back in a while or are new to conda-forge, contact them through the community `Element <https://app.element.io/#/room/#conda-forge:matrix.org>`__.
 
 .. note::
diff --git a/src/orga/subteams.rst b/src/orga/subteams.rst
@@ -200,7 +200,7 @@ Members
 - Anthony Scopatz <scopatz@gmail.com>
 - Christian Roth <ch.m.roth@gmail.com>
 - Lori A. Burns <lori.burns@gmail.com>
-
+- Jaime Rodríguez-guerra <jrodriguez@quansight.com>
 
 Staging Sub-Team
 ================
diff --git a/src/user/announcements.rst b/src/user/announcements.rst
@@ -8,20 +8,31 @@ Our announcements are published to an RSS feed `here <https://conda-forge.org/do
 2023
 ----
 
+2023-07-12: End-of-life for CentOS 6
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+As you may be aware, we have delayed the deprecation of our CentOS 6 build
+system the ``linux64`` platform several times. We have now set a formal deprecation
+date to be June 30, 2024. This date matches the
+`end of extended life-cycle support <https://endoflife.software/operating-systems/linux/red-hat-enterprise-linux-rhel>`_
+from RedHat for RHEL 6. After this date, we build packages against
+CentOS 7 by default for ``linux64``.
+
+
 2023-01-09: conda-forge Google Group is Now Read-only - Move to Discourse
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-We have made the conda-forge Google Group read-only. Please use the new 
-conda-forge `discourse forum <https://conda.discourse.group/c/pkg-building/conda-forge/25>`_, 
-our `Gitter room <https://gitter.im/conda-forge/conda-forge.github.io>`_, or it's `Matrix/Element 
+We have made the conda-forge Google Group read-only. Please use the new
+conda-forge `discourse forum <https://conda.discourse.group/c/pkg-building/conda-forge/25>`_,
+our `Gitter room <https://gitter.im/conda-forge/conda-forge.github.io>`_, or it's `Matrix/Element
 counterpart <https://app.element.io/#/room/#conda-forge-space:matrix.org>`_ instead.
 
 
 2023-01-08: ``conda-forge/staged-recipes`` Feedstock Creation Job Moved
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-We have moved the CI job that makes new feedstocks to our 
-`conda-forge/admin-requests <https://github.com/conda-forge/admin-requests>`_ 
+We have moved the CI job that makes new feedstocks to our
+`conda-forge/admin-requests <https://github.com/conda-forge/admin-requests>`_
 repo. The new location is reflected in the various links on repos and our status page.
 
 2022

Original file line number	Diff line number	Diff line change
`@@ -118,6 +118,7 @@`
`118`	`118`	`r'https://conda-forge.org/status/#armosxaddition$',`
`119`	`119`	`r'https://github.com/conda-forge/conda-smithy/blob/main/CHANGELOG.rst#v3130$',`
`120`	`120`	`r'https://github.com/.*#L\d+-L\d+$',`
	`121`	`+ r'https://github.com/.*#L\d+$',`
`121`	`122`	`r'https://github.com/conda-forge/miniforge/#download$',`
`122`	`123`	`r'https://github.com/conda-incubator/grayskull#introduction$',`
`123`	`124`	`]`
-Original file line number
+Diff line change
 cj-wright,[email protected],Christopher J. 'CJ' Wright
 dopplershift,[email protected],Ryan May
 ericdill,[email protected],Eric Dill
 +h-vetinari,[email protected],Axel Obermeier
 isuruf,[email protected],Isuru Fernando
 jakirkham,[email protected],John Kirkham
 jezdez,[email protected],Jannis Leidel