Diátaxis: Security: General considerations#2801
Open
mgorny wants to merge 5 commits into conda-forge:main from
Conversation
Signed-off-by: Michał Górny <mgorny@quansight.com>
Update, make the language a bit more formal. Note that in v1 recipes we're also protecting against downloading during build. Remove obsolete `artifact-validation` link (TODO: do we still do that?). Signed-off-by: Michał Górny <mgorny@quansight.com>
mgorny
commented
Apr 7, 2026
This is enforced by using a cf-staging channel where builds are first sent.
A bot then assesses that the submitting feedstock has permission to build the package it has submitted, and only then will it relay the build to the `conda-forge` channel.
This helps mitigate against a bad actor gaining access to an inconspicuous feedstock and then trying to push a build with malicious code into essential infrastructure packages (e.g., OpenSSL or Python).
5. Conda-forge artifacts uploaded to `anaconda.org` are scanned for various security-related issues, such as artifacts that overwrite key pieces of certain packages.
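Review bot: The cf-staging paragraph documents only the success path; add one sentence on the failure mode (a build whose feedstock lacks permission for that package is not relayed to `conda-forge`), and say where the per-feedstock output allowlist that the bot consults is maintained, so a reader can verify the claim. Item 5 should be kept only if a current scanning step can be named; otherwise it is the same unverifiable statement the accompanying comment flags.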
mgorny (Contributor, Author) commented:
I see that the artifact-validation repo has been archived, and I couldn't find anything clearly resembling what's described here. That said, this is quite vague, so I think we should replace it with something more specific. I'd appreciate pointers.
Comment on lines +27 to +28
If you have found a security-related issue with conda-forge, please check our [Security Policy](https://github.com/conda-forge/conda-forge.github.io/security/policy)
to learn how to report it responsibly.
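Review bot: "a security-related issue with conda-forge" leaves the scope ambiguous on this line; state explicitly whether the linked policy covers conda-forge's own infrastructure and tooling only, or also vulnerabilities in packages built by individual feedstocks, so readers with a package-level report are not sent to the wrong place.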
mgorny (Contributor, Author) commented:
Should we mention here explicitly that this is only for conda-forge stuff and not feedstocks?
So far I wasn't able to find any code beyond what was already stated -- i.e. allowlisting outputs. Signed-off-by: Michał Górny <mgorny@quansight.com>
Signed-off-by: Michał Górny <mgorny@quansight.com>

PR Checklist:
docs/ or community/, you have added it to the sidebar in the corresponding `_sidebar.json` file
Fixes Quansight-Labs/conda-ecosystem-sta-mgmt#77