CircleCI Security Incident

· 5 min read
conda-forge/core
The conda-forge core team

In early January 2023, CircleCI informed us that they had a large security breach in which a third party had gained access to all the environment secrets stored in the service. For conda-forge, these secrets are the API token used to upload built packages to our staging area on anaconda.org and the unique token we generate for each feedstock. The feedstock tokens are used as part of our artifact staging process to ensure that only the maintainers of a given feedstock can upload packages built by that feedstock. Later in January, we were informed by CircleCI that their security breach started on December 19, 2022, with the bulk of the secrets being exfiltrated in plain text from their servers a few days later. A malicious third party with access to these secrets could potentially upload compromised versions of any package on conda-forge in a so-called "supply chain" attack.

Travis CI Security Incident

· 2 min read
Matthew R. Becker
Member of conda-forge/core

On September 9, 2021, one of our core devs discovered that artifacts building on Travis CI were being uploaded to our conda channel from PRs running on forked repositories. A quick investigation revealed that Travis CI was passing encrypted secrets to PR builds on forks. Further examination of our logs and artifacts indicated that this had been happening since about September 3, 2021. This security bug was subsequently confirmed by Travis CI. See this CVE for more details on this incident. As far as we know, there were no actual exploits against conda-forge which used this vulnerability.

Package Distribution and the anaconda.com Terms of Service

· 2 min read
conda-forge/core
The conda-forge core team

Various members of the community have raised questions publicly and privately about the implications of Anaconda's new Terms of Service (TOS) on anaconda.com. First of all, we understand your concerns. We would like to explain a bit how conda-forge works, how the TOS change affects us and conda-forge users, and what our plans as a community are for the future.

macOS ARM builds on conda-forge

· 8 min read
Isuru Fernando
Member of conda-forge/core

A new platform osx-arm64 has been added to the build matrix of conda-forge. osx-arm64 packages are built to run on upcoming macOS arm64 processors marketed as Apple Silicon. An installer for this platform can be found here.

The API Territory and Version Number Map

· 8 min read
Christopher J. 'CJ' Wright
Member of conda-forge/core

tl;dr Depending on specific version numbers of underlying libraries may be too inaccurate and cause headaches as upstream libraries evolve and change. A more detailed approach is needed. In this post I outline current and potential work on a path towards a more complete inspection of requirements based on APIs and dynamic pinning of libraries.