I have a package that I maintain in PyPi that I also placed on conda-forge for those who prefer to install with conda rather than pip.
In the past, when I would update the version and SHA in the feedstock it would automatically feed the new version into the conda-forge channel. However my most recent update appears to have been propagated into a channel called cf-staging.
I am trying to figure out why it propagated into cf-staging instead of conda-forge and what I have to do to get it to move from cf-staging to conda-forge. Any ideas?
It's part of the pipeline. It should eventually transfer, but if it goes more than a day, contact the admins or hop on the Gitter chat.
As explained in the documentation, Anaconda Cloud only allows one API token per channel, so in order to prevent maintainers of one feedstock from pushing builds of other packages, the Conda Forge team uses an intermediate channel (
cf-staging) from where the CI tooling will run validation on submitted packages before sending them off to theconda-forgechannel proper.Among other things, this strategy helps mitigate against malicious users who might gain feedstock maintenance rights on an inconspicuous package, from later on rebuilding a popular package (like
pythonornumpy) to include some malicious code and trying to push it from their feedstock onto the Conda Forge channel where it might deploy to tens of thousands of users.