Add meeting notes 2025-10-29 (#2636)

github-actions[bot] · jakirkham · jaimergp · web-flow · commit ae1a125745f6 · 2025-10-31T12:45:49.000+01:00
Co-authored-by: jakirkham &lt;jakirkham@gmail.com&gt;
Co-authored-by: github-actions[bot] &lt;41898282+github-actions[bot]@users.noreply.github.com&gt;
Co-authored-by: jaimergp &lt;jaimergp@users.noreply.github.com&gt;
diff --git a/community/minutes/2025-10-29.md b/community/minutes/2025-10-29.md
@@ -0,0 +1,94 @@
+---
+tags: [meeting-notes]
+title: '2025-10-29'
+---
+# conda-forge core meeting 2025-10-29
+
+Add new agenda items under the `Your __new__() agenda items` heading
+
+- [Zoom link](https://zoom.us/j/9138593505?pwd=SWh3dE1IK05LV01Qa0FJZ1ZpMzJLZz09)
+- [What time is the meeting in my time zone](https://dateful.com/convert/utc?t=5pm)
+- [Previous meetings](https://conda-forge.org/community/minutes/)
+
+## Attendees
+
+| Name                    | Initials | GitHub ID        | Affiliation                 |
+| ----------------------- | -------- | ---------------  | --------------------------- |
+| Cheng H. Lee            | CHL      | chenghlee        | Anaconda/cf                 |
+| Jaime Rodríguez-Guerra  | JRG      | jaimergp         | Quansight/cf                |
+| Mark Allen              | MHA      | markhallen       | GitHub/Dependabot           |
+| Sylvain Corlay          | SC       | QuantStack       |                             |
+| Rob Aiken               | RA       | robaiken         | Github/Dependabot           |
+| Daniel Ching            | DJC      | carterbox        | NVIDIA/cf                   |
+|                         |          |                  |                             |
+|                         |          |                  |                             |
+|                         |          |                  |                             |
+
+X people total
+
+### Standing items
+
+- [ ]
+
+### From previous meeting(s)
+
+- [ ]
+
+### Active votes
+
+- [ ]
+
+### Your __new__() agenda items
+
+- [x] CHL/MHA/RA: GitHub/Dependabot team
+    - (MHA) Have a plan to version updates using dependabot, independent of vulnerability feed
+        - Queries the conda API for package versions
+    - How to gather & provide CVE/vulnerability data for conda-forge packages?
+        - (RA) Get information from GH Advisory database; do have support for Python security advisories
+        - (RA) Unsure of how to add new ecosystem to advisory database
+        - (MHA) Dependabot running within GHA runner; not feasible because of large download size
+        - Could we consider tapping into the PyPI data feed and find matches in conda-forge?
+        - (JRG) Add upstream PURLs into recipes; current name mapping is heuristic and subject to error
+        - (JRG) complexities: not all versions available; multi-output packages; package renames (need to annotate which versions we switched)
+        - (SC) Been looking into integrating conda-forge into repology.
+        - XREF: https://conda-forge.org/community/minutes/2025-06-11/
+        - (JRG) Need to be careful about burdening volunteer maintainers
+    - (CHL) Will invite the GitHub/Dependabot team to Zulip; create GitHub issue
+- [X] JRG: `zlib` -> `zlib-ng` migration: https://github.com/conda-forge/zlib-ng-feedstock/issues/10
+    - CPython 3.14 upstream ships zlibg-ng for Windows, with compatiblity mode; Pillow, various Linux distros switched to zlib-ng
+    - Currently not building compat mode on c-f because it would create conflicts with existing `zlib`
+    - (DJC) Continue to support non-compat mode and ask maintainers to explicitly enable zlib-ng
+    - Could make compat-mode a `zlib` variant, using `blas` as a reference model
+    - (CHL) Does zlib-ng support dynamic dispatch for vector instructions? If not, could break on older systems.
+- [X] DJC: Tegra support (demanded in robotics)
+    - CTK 12.9 packages for Tegra sm87,sm101 devices are now live
+    - Third-party packages may start building for Tegra
+    - arm-variant not required for CUDA 13 (newer devices are SBSA), but we're not ready yet. 
+        - Once CUDA 12 is dropped, arm-variant can be retired. (No other packages are known to use `arm-variant`.)
+- [x] DJC: nvidia-virtual-packages
+    - A conda virtual package plugin which detects the minimum CUDA architecture available on the system
+    - Source: https://github.com/NVIDIA/nvidia-virtual-packages
+    - RFC: https://github.com/conda-forge/conda-forge.github.io/issues/2623
+    - Motivation: Deep learning packages often have minimum supported CUDA archs which don't align with the CTK
+        - https://github.com/conda-forge/cudnn-feedstock/issues/124
+        - https://github.com/conda-forge/flash-attn-feedstock/blob/b6e3742a7343268a33a285c593753fd49b46d268/recipe/meta.yaml#L23
+    - Motivation: Would be possible to break large binaries into smaller variants along CUDA arch
+    - CHL: Apply for conda incubator
+    - CHL: CUDA virtual packages should all live in the same place; though we can decide later exactly where.
+    - JRG: There is a draft CEP about standard names for virtual packages
+    - How to address bootstrap problem
+        - conda-forge and Anaconda could just make `conda` depend on this/these plugins
+        - pixi doesn't have a plug-in system, but could integrate virtual packages directly into pixi
+- [x] CHL: continued support for Windows 10?
+    - [Regular security support](https://endoflife.date/windows) ended on 14-Oct-2025
+    - Took a quick look for `main` and `conda-forge` download data; as of 15-Oct, 25%-ish of downloads from `conda ... Windows/*` user agents are still on Window 10.  Roughly matches what [Firefox reports](https://data.firefox.com/dashboard/hardware#operating-system-metric-overview-1)
+    - Will open an issue on conda-forge.github.io to further discuss
+- [X] WV: Huge refactor of the `cache` output in rattler-build. More versatile, experiments with the staging output idea.
+ 
+### Pushed to next meeting
+
+- [ ]
+
+### CFEPs
+
+- [ ]
