Some of you may have heard of the Spack package manager, which has
similar objectives to conda but is source-based and allows for very
granular build and load-time config. One interesting design choice is
the ability to use OS-provided packages in specific cases, e.g. use the
system OpenSSL rather than a Spack-built one:
http://spack.readthedocs.io/en/latest/getting_started.html#openssl

Has there been talk of allowing conda to pick up whitelisted OS
packages in cases like this, where the package perhaps has a
security-related component and its API is fairly stable?

More generally, do others have concerns re stagnant user-instantiated
conda envs containing old openssl packages?

Cheers,
Will