Matthew R. Becker

If the signature on the attestation is from conda-forge or a github job controlled by conda-forge, then having the target channel in the predicates is duplicate information or simply not...

I think we should make the validation of the predicate within the attestation optional since it is unclear what one does with it. Suppose I get a package with an...

I wish we had added a version number of the format to the CEP before the vote started. Maybe I missed it? We can vote again to do that later....

I think we allow prs w/ review required, but at any time a steering-council can request a vote on a pr, even after it is merged.

One comment here is that in the context of the github conda support rollout and then deprecation, I think we discovered that the mappings between ecosystems, if constructed without oversight,...

The design of repodata patches, while it has warts, might help us here. We could designate a specially named conda package that holds the authoritative set of PURLS for that...

One simple path forward is to add purls to the repodata, source it from about, and also support patching it. Then conda-forge can override everything as needed using its patching...

We should write only what we want in the CEP now. The deprecation of unsupported syntax is a separate issue to manage directly on conda.

I think we should specify the minimum python in the global pinnings and let people override if they want. This will simplify migration logic in the bot and will allow...

I think logic like python {{ min_noarch_python_version }} should work and let us embed the same constraint in the test section.