jaimergp
Contributor

@jaimergp jaimergp commented Nov 18, 2024

Description

Checklist - did you ...

  • Add a file to the news directory (using the template) for the next release's release notes?
  • Add / update necessary tests?
  • Add / update outdated documentation?

Taken directly from win-arm64/conda-launchers-24.7.1-h2722cbf_1.tar.bz2 at conda-canary/conda-launchers, which were built in this CI run for this commit.

Needs to be signed with Anaconda certificates.

Logs for provenance: logs_31030439748.zip

@jaimergp
Contributor Author

pre-commit.ci autofix

@conda-bot added the cla-signed label Nov 18, 2024

codspeed-hq bot commented Nov 18, 2024

CodSpeed Performance Report

Merging #14401 will not alter performance

Comparing jaimergp:add-win-arm64-launcher (3c962fa) with main (475e6ac)

Summary

✅ 21 untouched benchmarks

@jezdez jezdez self-requested a review November 18, 2024 19:35
@jezdez
Member

jezdez commented Nov 18, 2024

I first want to review how the binaries were created in detail

@jaimergp
Contributor Author

jaimergp commented Dec 9, 2024

Any updates @jezdez? I'd be happy to guide you through the repository and origin of the binaries, or show how to build these locally.

@jakirkham
Member

Happy new year! 🥳

Jaime, maybe it would be good to share the steps you used to build these in a PR comment?

That could help multiple people test the process out (plus documenting it publicly would be of great value to our future selves 🙂)

@jaimergp
Contributor Author

It's all coming from conda/conda-launchers CI, as described (perhaps too tersely?) in the opening message. This is not using the experimental Zig builds, but the (fat) MSVC builds that Isuru contributed.

@zooba

zooba commented Jan 28, 2025

Anything we can do to help unblock this? Or do we just need @jezdez to free up time for review and approval?

@jezdez
Member

jezdez commented Jan 28, 2025

@zooba lemme get back to you on this (no eta)

@wolfv
Contributor

wolfv commented Jan 28, 2025

@zooba do you have infrastructure to sign binaries like this? The conda binaries that we are currently distributing are signed with an Anaconda key. If Microsoft or the Python team at Microsoft could sign these binaries for us, that would be pretty great.

@zooba

zooba commented Jan 29, 2025

We do, but we're not allowed to just put a "Microsoft" signature on these. There'd be more chance of using the PSF's certificate, but I'm not sure how to get that kind of use approved - the PSF is pretty protective of the trademark, and putting it on Conda may concern them.

If you want to enable your own signing, Azure Trusted Signing is what we're using for the PSF cert these days. It's cheap ($10/month) and pretty easy to do individual verification (uses personal ID, like a passport) or you may be able to get NumFOCUS to authorise it. The cert is recognised by default on all Windows machines, and there are tasks for GitHub (and pretty sure it supports OIDC now, though I haven't set it up).

@jezdez
Member

jezdez commented Jan 30, 2025

> We do, but we're not allowed to just put a "Microsoft" signature on these. There'd be more chance of using the PSF's certificate, but I'm not sure how to get that kind of use approved - the PSF is pretty protective of the trademark, and putting it on Conda may concern them.

With my PSF hat on, I will absolutely not support this idea. Mixing these ecosystems legally this way, in the times of CRA and related legislation, is something we shouldn't do. The conda OSS project is a fiscally sponsored project by NumFOCUS, and not a PSF-funded effort, so I always expected that we'd get the needed certs from NF. Logistically, I think this is a topic that requires a CEP, to make sure the conda steering council is aware as representatives of the fiscally sponsored project. In other projects this would be expedited by a security-focused subteam, but alas we don't have one (yet).

> If you want to enable your own signing, Azure Trusted Signing is what we're using for the PSF cert these days. It's cheap ($10/month) and pretty easy to do individual verification (uses personal ID, like a passport) or you may be able to get NumFOCUS to authorise it. The cert is recognised by default on all Windows machines, and there are tasks for GitHub (and pretty sure it supports OIDC now, though I haven't set it up).

NumFOCUS is the way to attain the certificate in my opinion, Anaconda staff has experience setting ATS up, and I think I could make the case to help (not me) if needed. Whether Anaconda would accept the binaries for their distributions is a different question, I don't have an answer currently, as I'm not a lawyer. But that's kind of out of scope of this PR IMO.

@zooba

zooba commented Jan 30, 2025

> With my PSF hat on, I will absolutely not support this idea.

That's what I hoped, I just wasn't sure who'd claim the authority to say it 😄

> Whether Anaconda would accept the binaries for their distributions is a different question

No harm in Anaconda re-signing or rebuilding the binaries, but as you say, out of scope here.

Labels
cla-signed [bot] added once the contributor has signed the CLA
Projects
Status: 🛑 Blocked
6 participants