| Title | More Secure Package Name Approval Process |
|---|---|
| Status | Accepted |
| Author(s) | Matthew R. Becker <[email protected]> |
| Created | Oct 12, 2024 |
| Updated | Nov 3, 2024 |
| Discussion | #55 |
| Implementation | conda-forge/core-notes/issues/30 |
Our current package upload process allows current members of conda-forge to upload a package with any name not currently used by another feedstock. This policy is insecure since it allows for malicious activity like typo squatting. This CFEP proposes a more secure package name approval process.
The new package name approval process will be as follows:

- New packages submitted to `staged-recipes` are reviewed by a human and so have their names automatically approved when the recipe is merged. Note that `staged-recipes` already lints for name conflicts, but we rely on our `staged-recipes` reviewers to catch any issues.
- New packages created by adding outputs to an existing feedstock will go through an approval process whereby a member of `conda-forge/core` approves the package name.
- For feedstocks that generate new names in a programmatic way (e.g., a compiler), an allow-list of acceptable name patterns will be maintained. A new package name from a feedstock that is in the allow-list and that matches one of its name patterns will be automatically approved.
The process above always has a human approve new package names or patterns of names. The allow-list of acceptable name patterns will reduce the burden on feedstock maintainers and reviewers for feedstocks that generate new names in a programmatic way.
- The rules above are fully implemented in `conda-forge/admin-requests` via its "add a package output" request type.
- The allow-list of acceptable name patterns is located in the `conda-forge/feedstock-outputs` repository.
- Our package upload infrastructure has been updated to enforce the rules above if the `auto_register_all` setting in the `config.json` file in `conda-forge/feedstock-outputs` is set to `false`.
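The decision logic the process above describes, written out as an added example (this is not conda-forge's own tooling): the outputs map, the per-feedstock allow-list of name patterns and the `auto_register_all` flag are modelled with constructed sample data, and the function returns whether a requested output name is auto-approved, needs `conda-forge/core` approval, or conflicts with another feedstock's name.

```python
import re

# Constructed sample of a feedstock-outputs style mapping:
# package name -> feedstocks allowed to upload it (not the real file).
OUTPUTS = {
    "numpy": ["numpy"],
    "requests": ["requests"],
    "gcc_linux-64": ["ctng-compilers"],
}

# Hypothetical allow-list: feedstock -> regexes for names it may register
# automatically (e.g. a compiler feedstock that emits names programmatically).
ALLOW_LIST = {
    "ctng-compilers": [
        r"(gcc|gxx|gfortran)_(linux|osx|win)-(64|aarch64|arm64|ppc64le)",
    ],
}


def approve_output(name, feedstock, outputs=OUTPUTS, allow_list=ALLOW_LIST,
                   auto_register_all=False):
    """Classify a request by `feedstock` to register output `name`.

    Returns one of:
      "auto"     - registered without further review: the feedstock already
                   owns the name, the name matches one of the feedstock's
                   allow-listed patterns, or legacy auto_register_all is on
      "conflict" - the name is owned by a different feedstock; rejected
      "core"     - a new name outside the allow-list; a member of
                   conda-forge/core must approve it
    """
    owners = outputs.get(name)
    if owners is not None:
        # Name conflicts are rejected in both the old and the new process.
        return "auto" if feedstock in owners else "conflict"
    if auto_register_all:
        # Old behaviour: any unused name is accepted from any member.
        return "auto"
    for pattern in allow_list.get(feedstock, []):
        # fullmatch so a pattern cannot be satisfied by a longer, look-alike name.
        if re.fullmatch(pattern, name):
            return "auto"
    return "core"
```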
All CFEPs are explicitly CC0 1.0 Universal.