-
Notifications
You must be signed in to change notification settings - Fork 23
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Vendor-Neutral Channel Registry CEP #91
Open
wolfv
wants to merge
2
commits into
conda:main
Choose a base branch
from
wolfv:channel-registry
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
2 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,104 @@ | ||
<table> | ||
<tr><td> Title </td><td> Define a vendor-neutral channel registry</td> | ||
<tr><td> Status </td><td> Discussion</td></tr> | ||
<tr><td> Author(s) </td><td> Wolf Vollprecht</td></tr> | ||
<tr><td> Created </td><td> Sep 20, 2024</td></tr> | ||
<tr><td> Updated </td><td> Sep 20, 2024</td></tr> | ||
<!-- <tr><td> Discussion </td><td> <a href="https://github.com/conda-incubator/ceps/pull/8" target="_blank">conda-incubator/ceps#8</a> </td></tr> --> | ||
<!-- <tr><td> Implementation </td><td> <a href="https://github.com/conda/menuinst/tree/cep-devel" target="_blank"><code>conda/menuinst</code>@<code>cep-devel</code></a> </td></tr> --> | ||
</table> | ||
|
||
# Conda Enhancement Proposal: Vendor-Independent Channel Registry | ||
|
||
## Problem Statement | ||
|
||
Currently, conda channels are typically tied to specific vendors or platforms, leading to potential vendor lock-in and limiting the flexibility of the conda ecosystem. This situation can create challenges for users and organizations who want to switch between different mirrors or providers. | ||
|
||
Additionally it is currently impossible to attach certain metadata to channels, such as inter-channel dependencies, license (Terms of Service) information and other metadata. | ||
|
||
The proposal would thus also help to: | ||
|
||
- Understand the dependencies between channels | ||
- Easily access metadata about channels (license, homepage, etc.) | ||
- Ensure the authenticity and integrity of channel content by adding trust roots | ||
|
||
### Proposed Solution | ||
|
||
We propose creating a community-maintained channel registry hosted on a platform such as GitHub. This registry will serve as a centralized resource that maps _channel names_ to their associated information. | ||
|
||
The registry will be hand-curated by trusted users who wish to have a channel-name resolve to a specific set of mirrors. Commits will _have_ to be signed. | ||
|
||
## Key Benefits | ||
|
||
- Reduced Vendor Lock-in: Users can easily switch between different mirrors or providers for a given channel. | ||
- Increased Transparency: Channel metadata, including license information and dependencies, will be readily available. | ||
- Enhanced Security: Inclusion of cryptographic trust roots enables better verification of channel content. | ||
- Improved Discoverability: A centralized registry makes it easier for users to find and compare available channels. | ||
- Community-Driven: Hosting on GitHub allows for community contributions and maintenance. | ||
|
||
## Implementation Details | ||
|
||
The registry will be implemented as a JSON file in a public GitHub repository. It will include the following information for each channel: | ||
|
||
- List of mirrors | ||
- Cryptographic trust root for The Update Framework (TUF) | ||
- License information | ||
- Description | ||
- Channel dependencies, that link a given channel to other channels | ||
- Homepage and GitHub URL, Logo, etc. | ||
- Whether the channel is commercial, and where the Terms of Service are located | ||
|
||
The JSON file would look like the following: | ||
|
||
```js | ||
{ | ||
"channels": { | ||
"conda-forge": { | ||
"mirrors": [ | ||
"https://conda.anaconda.org/conda-forge", | ||
"oci://ghcr.io/channel-mirrors/conda-forge", | ||
"https://prefix.dev/conda-forge", | ||
"https://mirrors.tuna.tsinghua.edu.cn/anaconda/cloud/conda-forge" | ||
], | ||
"trust_root": "sha256:a1b2c3d4e5f6...", | ||
"license": "BSD-3-Clause", | ||
"description": "Community-led collection of recipes, build infrastructure and distributions for the conda package manager.", | ||
"dependencies": [], | ||
"homepage": "https://conda-forge.org", | ||
"github_url": "https://github.com/conda-forge", | ||
"logo_url": "https://conda-forge.org/assets/img/logo.png", | ||
"commercial": false, | ||
}, | ||
"bioconda": { | ||
"mirrors": [ | ||
"https://conda.anaconda.org/bioconda", | ||
"oci://ghcr.io/channel-mirrors/bioconda", | ||
"https://prefix.dev/bioconda", | ||
"https://mirrors.tuna.tsinghua.edu.cn/anaconda/cloud/bioconda" | ||
], | ||
"trust_root": "sha256:g7h8i9j0k1l2...", | ||
"license": "MIT", | ||
"description": "Bioinformatics packages for conda.", | ||
"dependencies": ["conda-forge"], | ||
"homepage": "https://bioconda.github.io", | ||
"github_url": "https://github.com/bioconda", | ||
"logo_url": "https://bioconda.github.io/assets/img/logo.png", | ||
"commercial": false, | ||
}, | ||
... | ||
}, | ||
"last_updated": "2024-09-02T12:00:00Z" | ||
} | ||
``` | ||
|
||
A conda client would try to resolve the name of a channel from this public location. The file should be served under `https://conda.org/channels.json`. When the channel name cannot be resolved from the public registry, the client should fall back to a configured default host such as `https://conda.anaconda.org`. | ||
|
||
We encourage clients to make use of additional metadata to display to their users, such as the logo of the channel, the description, and the license information. Most importantly, clients can give hints if a channel relies on another channel that is not part of the configuration (for example, if someone uses the `bioconda` channel but forgets to add `conda-forge`). | ||
|
||
## Impact and Adoption | ||
|
||
This proposal aims to benefit the entire conda ecosystem: | ||
|
||
- Users will have more flexibility in choosing and verifying channels. | ||
- Channel Maintainers can more easily publicize their channels and provide critical metadata. | ||
- Tool Developers can leverage the registry to build more robust and flexible conda-related tools. |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"commercial" might not be enough to elaborate the complexity of terms of services, I'd suggest to instead add a
legal
field, that would be an optional field to enable to describe what it is. Also, aterms_url
to point to the specific terms that are currently valid?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Alternatively,
legal
could be a mapping withlicense
,description
,terms_url
?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like the idea of
legal
being a dictionary with some information, although there should probably still be a boolean that indicates whether runningconda install
could make you owe money to the people operating that channel.