Merge branch 'main' into cdts

README.md

@@ -26,11 +26,41 @@ If you have questions or need help, please check out our documentation for a [li
 4.  Make and commit your changes.
 5.  Submit a [pull request](https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/about-pull-requests) to the main repository proposing your changes.
 
+## Code of conduct
+
+We at conda-forge adhere to the [NumFOCUS Code of Conduct](https://numfocus.org/code-of-conduct):
+
+> * Be kind to others. Do not insult or put down others. Behave professionally. Remember that harassment and sexist, racist, or exclusionary jokes are not appropriate for conda-forge.
+> 
+> * All communication should be appropriate for a professional audience, including people of many different backgrounds. Sexual language and imagery is not appropriate.
+> 
+> * conda-forge is dedicated to providing a harassment-free community for everyone, regardless of gender, sexual orientation, gender identity and expression, disability, physical appearance, body size, race, or religion. We do not tolerate harassment of community members in any form.
+
+Thank you for helping make this a welcoming, friendly community for all.
+
+### Reporting guidelines
+
+If you believe someone is violating the code of conduct, please report this in a timely manner. Code of conduct violations reduce the value of the community for everyone. The team at conda-forge takes reports of misconduct very seriously and is committed to preserving and maintaining the welcoming nature of our community.
+
+All reports will be kept confidential. Please have a look at the [Reporting guidelines](https://numfocus.org/code-of-conduct#reporting-guidelines).
+
+### Enforcement: What happens after a report is filed?
+
+conda-forge's team and/or our event staff will try to ensure your safety and help with any immediate needs, particularly at an in-person event. Once we have received the report through the relevant authorities, conda-forge will make every effort to acknowledge the receipt and take action. Have a look at the process of [What Happens After a Report is Filed?](https://numfocus.org/code-of-conduct#enforcement).
+
 ## conda-forge dev meetings
 
-Our documentation contains a section with [minutes from previous dev meetings]([https://conda-forge.org/docs/minutes/00_intro.html]). These meetings occur every two weeks on Wednesday from 17:00-18:00 UTC.
-A link to the google calendar item can be found [here](https://calendar.google.com/event?action=TEMPLATE&tmeid=bTk5ZzBoMDEzaW11cmZiNWJnNmNkbThocDRfMjAyMjA1MThUMTcwMDAwWiBlcmljQHZvbHRyb25kYXRhLmNvbQ&tmsrc=eric%40voltrondata.com&scp=ALL).
+We hold biweekly meetings every second Wednesday from 17:00-18:00 (UTC). Feel free to stop by!
+Up-to-date invites are always available in the [conda.org community calendar](https://conda.org/community/calendar). Look for the `[conda-forge] core meeting` events!
+
+Our [meeting notes](https://conda-forge.org/docs/orga/minutes/00_intro.html) record important points discussed during the meetings and serve as a record for upcoming meetings. We make use of [HackMd](https://hackmd.io/) and a [template](https://github.com/conda-forge/conda-forge.github.io/blob/main/misc/DEV_MEETING_TEMPLATE.md) to create the meeting notes.
+
+We use a Github Actions [workflow][gha-workflow] to create an automated PR with the meeting notes
+template for each session, which is automatically published to our HackMD team account. During the
+meeting, attendees will edit the HackMD document. After the meeting, the document is saved and the
+PR is synced with the changes by adding the `sync-hackmd-notes` label. Once satisfied, the PR is
+merged and the website will be updated with the new meeting notes.
 
-We use https://hackmd.io/ for taking meeting minutes and will (eventually) upload the resultant markdown file after the meeting has concluded.
+We encourage contributors to join the meetings and learn more about and from the community.
 
-There is a template provided in [`misc/DEV_MEETING_TEMPLATE.md`](https://github.com/conda-forge/conda-forge.github.io/tree/main/misc/DEV_MEETING_TEMPLATE.md) that you should use to create a new hackmd document.
+[gha-workflow]: https://github.com/conda-forge/conda-forge.github.io/actions/workflows/meeting-notes.yml

SECURITY.md

@@ -0,0 +1,123 @@
+# conda-forge vulnerability handling process
+
+This document summarizes and proposes guidelines for handling vulnerabilities reported in
+conda-forge's infrastructure.
+
+Security issues and vulnerabilities have expectations and processes that are differ from typical
+open source practices:
+
+- Private discussions
+- Obfuscation
+- Short timeline
+
+This makes it quite hard to be able to understand, learn, or know what to expect from a security
+point of view. This document will give you a glimpse on what's happening on the inside, and what
+timeline to expect when you report a security vulnerability. It will also serve as a guideline and
+task list for conda-forge members on how to handle security related issues.
+
+## Scope
+
+This process applies to *all projects* governed by conda-forge. This includes:
+
+- conda-forge feedstock machinery
+- conda-forge infrastructure and bots
+- conda-forge website and documentation
+
+Conversely, this process does NOT apply to the software packaged by conda-forge itself. Please contact the upstream maintainers directly.
+
+## Reporting Vulnerabilities
+
+If you believe you’ve found a security vulnerability in a conda-forge project, please responsibly report it to [email protected]. conda-forge will try to will respond within 7 days to all new reports.
+
+We are also testing GitHub Private vulnerability reporting, you can try to submit a security advisory on [conda-forge/conda-forge.github.io using this link](https://github.com/conda-forge/conda-forge.github.io/security/advisories/new).
+
+## Coordinated Disclosures
+
+conda-forge follows a [coordinated disclosure][coordinated-disclosure] model where the initial
+report and remediation are handled privately, but the completion description is made public once a
+patch is available. conda-forge will disclose known vulnerabilities within 90 days by default,
+whether a patch is available or not.
+
+## Acknowledgement
+
+conda-forge will work to ensure that security researchers, developers, users, or others who
+identify and report vulnerabilities within conda-forge projects receive acknowledgement for their
+contribution.
+
+## Vulnerability Triage & Remediation Process
+
+This section describes an example process used by conda-forge to track, remediate, and disclose a
+reported vulnerability. This description is both a reference for the conda-forge community and a
+guideline for contributors. The actual process may vary depending on the nature of the
+vulnerability.
+
+### Roles
+
+This process defines these roles:
+- **Reporter** The individual(s) who report the vulnerability
+- **Coordinator** A conda-forge core member who facilitates the tracking of the vulnerability
+  through this process
+- **Developer** One or more developers who work on remediating the vulnerability
+
+For the purpose of this document these roles are distinct, in practice, some of these roles may be handled by the same individual. However, the roles should be covered by a minimum of two separate individuals. For example, a Reporter may also fill the Developer role and create the remediation, in this case the Coordinator should be a separate individual.
+
+### Process
+
+The role responsible for each step is noted at the beginning.
+
+- Upon receipt of the initial report:
+  - **Coordinator**: Respond to the reported and acknowledge receipt of the report in the timeframe
+    given in the "Reporting Vulnerabilities" section.
+  - **Coordinator**: Open an issue in the private GitHub repository used for tracking
+    vulnerabilities across projects
+  - **Coordinator**: Review the issue for completeness and suitability (triage). If more
+    information is needed, follow up with the Reporter.
+- If the vulnerability is not accepted:
+  - **Coordinator**: Close the issue
+  - **Coordinator**: Notify the reporter
+- If the vulnerability is accepted, within the relevant repositories:
+  - **Coordinator**: Open a draft [GitHub Security
+    Advisory](https://docs.github.com/en/code-security/repository-security-advisories/about-github-security-advisories-for-repositories#about-github-security-advisories)
+    - Include relevant but sanitized details in the top level comment, which will become public
+    - Sensitive details and reproductions go in the comments on the draft advisory, which are not
+      public
+    - **Coordinator**: Add relevant people to the advisory
+    - **Developer**: Attempt to replicate the reported vulnerability. Request more information from
+      the **Reporter** if necessary.
+    - **Developer**: Work on the [vulnerability fix
+      PR](https://docs.github.com/en/code-security/repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability#creating-a-temporary-private-fork).
+    - **Coordinator**/**Developer**: If appliccable, request a
+      [CVE](https://docs.github.com/en/code-security/repository-security-advisories/about-github-security-advisories-for-repositories#cve-identification-numbers)
+      from GitHub. The CVE Number will be private until the advisory is published.
+    - **Developer & Coordinator**: Decide on release and announcement dates and post them the draft
+      advisory.
+  - **Coordinator**: Post the release and announcement dates on the conda-forge core chat room and
+    mailing list.
+  - **Developer**: Merge the security fix PR
+  - **Developer**: Release the package and/or deploy the fix as appropriate
+  - **Developer & Coordinator**: Draft a [blog post](https://github.com/conda-forge/blog) and other
+    announcement texts. This can be done in parallel with the previous steps, but consider using a
+    [private advisory](https://github.com/conda-forge/blog/security/advisories) for the text.
+  - **Coordinator**: Publish the security advisory on the announcement date. If applicable, GitHub
+    will post the CVE to the MITRE database.
+  - **Coordinator**: Publish the blog post and other announcements (Element chat room, Twitter,
+    etc) as necessary.
+- **Coordinator**: Notify the **Reporter** of the releases
+- **Coordinator**: Close the issue in the tracking repository
+
+> Notes to Developers
+>
+> - Be aware that GitHub CI workflows won't run on security forks, so reviewers must test manually
+>   to avoid a broken CI when the patch is merged to the public repo.
+> - Also, vulnerabilities may involve multiple private security forks across different GitHub
+>   organizations.
+> - This may require additional manual steps to include those private forks.
+
+[coordinated-disclosure]: https://cheatsheetseries.owasp.org/cheatsheets/Vulnerability_Disclosure_Cheat_Sheet.html#responsible-or-coordinated-disclosure
+
+---
+
+> This document is based on the excellent [write-up](https://github.com/jupyter/security/blob/86ec517/docs/vulnerability-handling.md) used by the Jupyter community, [BSD-3 licensed](https://github.com/jupyter/security/blob/86ec517/LICENSE).
+
+
+

src/conf.py

@@ -118,6 +118,7 @@
     r'https://conda-forge.org/status/#armosxaddition$',
     r'https://github.com/conda-forge/conda-smithy/blob/main/CHANGELOG.rst#v3130$',
     r'https://github.com/.*#L\d+-L\d+$',
+    r'https://github.com/.*#L\d+$',
     r'https://github.com/conda-forge/miniforge/#download$',
     r'https://github.com/conda-incubator/grayskull#introduction$',
 ]

src/contracting/00_intro.rst

@@ -1,9 +1,9 @@
 Contracting Information
 #######################
 
-If you are interested in a contractual engagement to solve a specific problem that you're facing, this page details the kinds of services that are available to you. Conda-forge, as an entity, does not have the ability to engage in a contractual arrangement as of now.
+If you are interested in a contractual engagement to solve a specific problem that you're facing, this page details the kinds of services that are available to you. conda-forge, as an entity, does not have the ability to engage in a contractual arrangement as of now.
 However, there are a number of community members that you may engage with. 
-Conda-forge does not endorse anyone (individuals or companies) listed on this page.
+conda-forge does not endorse anyone (individuals or companies) listed on this page.
 
 
 If you are interested in a service that is not listed on this page, please reach out to us on our `issue tracker <https://github.com/conda-forge/conda-forge.github.io/issues>`__, on  `Element <https://app.element.io/#/room/#conda-forge:matrix.org>`__  or via emailing the core team directly at [email protected] and we will help to circulate your request more broadly within the community.

src/core.csv

@@ -5,6 +5,7 @@ chrisburr,[email protected],Chris Burr
 cj-wright,[email protected],Christopher J. 'CJ' Wright
 dopplershift,[email protected],Ryan May
 ericdill,[email protected],Eric Dill
+h-vetinari,[email protected],Axel Obermeier
 isuruf,[email protected],Isuru Fernando
 jakirkham,[email protected],John Kirkham
 jezdez,[email protected],Jannis Leidel

src/index.rst

@@ -3,6 +3,7 @@ conda-forge documentation
 
 What is conda-forge?
 --------------------
+
 conda-forge is a community effort and a GitHub organization which contains repositories of conda recipes and thus provides conda packages for a wide range of software. 
 The built distributions are uploaded to `anaconda.org/conda-forge <https://anaconda.org/conda-forge>`__ and can be installed with `conda <https://conda.pydata.org/docs/intro.html>`_. 
 
@@ -12,7 +13,13 @@ Chances are we have already packaged it for you. You can `search <https://anacon
 
 **Cannot find a package or only outdated versions of a package?** - Everybody is welcome to contribute to our package stack!
 
-- To get started contributing packages, see :ref:`becoming_involved`.
+- We value all kinds of contributions — not just code. A few recommended ways to start contributing to conda-forge are:
+
+ - `Contribute new packages <https://conda-forge.org/docs/maintainer/adding_pkgs.html>`__
+ - Help update and `maintain packages <https://conda-forge.org/docs/maintainer/updating_pkgs.html#maintaining-pkgs>`__
+ - Suggest or implement improvements for our `infrastructure <https://conda-forge.org/docs/maintainer/infrastructure.html#infrastructure>`__
+ - Help `improve the documentation <https://conda-forge.org/docs/user/contributing.html#improve-docs>`__
+ - For a detailed overview please refer to :ref:`becoming_involved`.
 
 - To see our governance policies, see `here <https://conda-forge.org/docs/orga/governance.html>`_.
 

src/maintainer/adding_pkgs.rst

@@ -3,10 +3,22 @@
 Contributing packages
 *********************
 
-To submit a package to the ``conda-forge`` channel, add its ``recipe`` and licence to the ``staged-recipes`` repository and create a pull request. Once the pull request is merged, the package becomes available on the ``conda-forge`` channel.
+The contribution process can be broken down into three steps:
 
-The sections below provide detailed instructions on contributing packages to conda-forge.
+* Step 1. Staging process (add recipe and license).
 
+  With the help of :ref:`the staging process <creating_recipes>`, add a package's recipe and license to the `staged-recipes repository <https://github.com/conda-forge/staged-recipes>`__ and create a PR.
+
+* Step 2. Post staging process.
+
+  Once your PR, has been merged, take a look at our :ref:`post_staging_process` to know what follows.
+
+* Step 3. Maintaining the package.
+
+  Contributing a package to ``conda-forge`` makes you the maintainer of that package. 
+  Learn more about the :ref:`roles of a maintainer <maintainer_role>`. 
+
+The sections below will add more details about each step.
 
 .. _creating_recipes:
 
@@ -115,9 +127,10 @@ After merging the :term:`PR`, our :term:`CI` infrastructure will build the packa
 
   If you have questions or have not heard back for a while, you can notify us by including ``@conda-forge/staged-recipes`` in your GitHub message.
 
+.. _post_staging_process:
 
 Post staging process
---------------------
+====================
 
 * After the PR is merged, our :term:`CI` services will create a new git repo automatically. For example, the recipe for a package named ``pydstool`` will be moved to a new repository `https://github.com/conda-forge/pydstool-feedstock <https://github.com/conda-forge/pydstool-feedstock>`_. This process is automated through a CI job on the ``conda-forge/staged-recipes`` repo. It sometimes fails due to API rate limits and will automatically retry itself. If your feedstock has not been created after a day or so, please get in touch with the ``conda-forge/core`` team for help.
 * CI services will be enabled automatically and a build will be triggered automatically which will build the conda package and upload to `https://anaconda.org/conda-forge <https://anaconda.org/conda-forge>`_
@@ -153,10 +166,12 @@ These are the CI configuration files for service providers like Azure and Travis
 conda-forge.yml
 ................
 
-This file is used to configure how the feedstock is set up and built. Making any changes in this file usually requires `rerendering the feedstock <https://conda-forge.org/docs/maintainer/updating_pkgs.html#dev-update-rerender>`__.
+This file is used to configure how the feedstock is set up and built. Making any changes in this file usually requires :ref:`dev_update_rerender`.
+
+.. _maintainer_role:
 
 Maintainer role
----------------
+===============
 
 The maintainer's job is to:
 
@@ -180,7 +195,7 @@ the other packages being added as a requirement), the build script will be able
 locate the dependencies that are only present within staged-recipes as long as
 the builds finish in the dependencies order. Using a single pull request
 allows you to quickly get packages set up without waiting for each package in a
-dependency chain to be reviewed, built, and added to the conda-forge channel
+dependency chain to be reviewed, built, and added to the ``conda-forge`` channel
 before starting the process over with the next recipe in the chain.
 
 .. note::
@@ -841,12 +856,12 @@ Recipe Maintainer
 A maintainer is an individual who is responsible for maintaining and updating one or more feedstock repositories and packages as well as their future versions. They have push access to the feedstock repositories of only the packages they maintain and can merge pull requests into it.
 
 Contributing a recipe for package makes you the ``maintainer`` of that package automatically.
-See `Maintainers Role <https://conda-forge.org/docs/maintainer/adding_pkgs.html#maintainer-role>`__ and `Maintaining Packages <https://conda-forge.org/docs/maintainer/updating_pkgs.html#maintaining-packages>`__ to learn more about what are the things that maintainers do.
+See :ref:`maintainer_role` and :ref:`maintaining_pkgs` to learn more about what are the things that maintainers do.
 If you wish to be a maintainer of a certain package, you should contact current maintainers and open an issue in that package's feedstock with the following command:
 
 ``@conda-forge-admin, please add user @username``
 
-where username is the GitHub username of the new maintainer to be added. Please refer to `Becoming a maintainer <https://conda-forge.org/docs/orga/guidelines.html#becoming-a-maintainer>`__ and `Updating the maintainer <https://conda-forge.org/docs/maintainer/updating_pkgs.html#updating-the-maintainer-list>`__ for detailed instructions.
+where username is the GitHub username of the new maintainer to be added. Please refer to :ref:`becoming_a_maintainer` and :ref:`maint_updating_maintainers` for detailed instructions.
 
 .. _feedstock_name: