top | item 44746189

(no title)

If you are in a commercial environment, I can only warn to think that using alternative conda clients will be safe. Condaforge for instance will happily download from the main channel if the recipe requires it. It's pretty hard to make sure this does not happen, best solution is to block access on a network level.

discuss

matrss|7 months ago

Do you have an example for a package on conda-forge that actually does this? I can only find a vague announcement from 2021 that the "defaults channel is now dropped when building conda-forge packages", as well as statements that the conda-forge repositories are considered incompatible with the defaults channel and having both enabled is an unsupported configuration. Access is blocked on the network level anyway.

legobmw99|7 months ago

That can only happen if you as a user have the 'defaults' channel still configured as available, and conda-forge considers it a user error whenever this happens (the official line is `conda-forge is incompatible with the packages provided in defaults`). Many bug reports are closed simply by telling the user to fix their channel priorities and stop mixing the two

throwaway3646|7 months ago

Correct, it's a user error, but in a corporate environment, this happens. Many scientists have their own recipes and you can't catch them all.

igortg|7 months ago

I use Miniforge in a commercial environment and never found a package downloading from the main channel. I'm pretty sure a recipe that does that would be blocked by conda-forge reviewers.