
Conda-Forge vs. conda-forge repo and security

So I use miniconda and was trying to install pyperclip from conda-forge, but by mistake I capitalized the name, so I ran:

conda install -c Conda-Forge pyperclip

(Note the capital letters). The output was:

Collecting package metadata (current_repodata.json): done
Solving environment: done

## Package Plan ##

  environment location: C:\Users\USUARIO\miniconda3

  added / updated specs:
    - pyperclip


The following packages will be downloaded:

    package                    |            build
    ---------------------------|-----------------
    ca-certificates-2021.10.8  |       h5b45459_0         176 KB  Conda-Forge
    certifi-2021.10.8          |   py39hcbf5309_1         145 KB  Conda-Forge
    conda-4.11.0               |   py39hcbf5309_0        16.8 MB  Conda-Forge
    openssl-1.1.1l             |       h8ffe710_0         5.7 MB  Conda-Forge
    pyperclip-1.8.2            |     pyhd8ed1ab_2          14 KB  Conda-Forge
    ------------------------------------------------------------
                                           Total:        22.9 MB

The following NEW packages will be INSTALLED:

  pyperclip          Conda-Forge/noarch::pyperclip-1.8.2-pyhd8ed1ab_2

The following packages will be SUPERSEDED by a higher-priority channel:

  ca-certificates                               conda-forge --> Conda-Forge
  certifi                                       conda-forge --> Conda-Forge
  conda                                         conda-forge --> Conda-Forge
  openssl                                       conda-forge --> Conda-Forge

I was suspicious that it was trying to install openssl so I canceled and retyped the command with correct capitalization:

conda install -c conda-forge pyperclip

And got the following:

Collecting package metadata (current_repodata.json): done
Solving environment: done

## Package Plan ##

  environment location: C:\Users\USUARIO\miniconda3

  added / updated specs:
    - pyperclip


The following packages will be downloaded:

    package                    |            build
    ---------------------------|-----------------
    pyperclip-1.8.2            |     pyhd8ed1ab_2          14 KB  conda-forge
    ------------------------------------------------------------
                                           Total:          14 KB

The following NEW packages will be INSTALLED:

  pyperclip          conda-forge/noarch::pyperclip-1.8.2-pyhd8ed1ab_2

Can anybody explain this? What is the difference between conda-forge and Conda-Forge?

As @MattThompson pointed out in the comments, they both go to the same place in the end, so not a security issue.

As to why it makes this switch for these specific packages, it has to do with the aggressive_update_packages configuration setting. That is partially discussed in this answer. Briefly, whenever the user requests to mutate the environment, Conda will attempt to update these packages. Additionally, whenever one uses the -c flag, they are declaring the specified channel to have the highest priority. Here that is Conda-forge, but if one had put -c defaults -c Conda-forge, it would've tried to install those same packages from defaults instead.

In this specific case, the effect would just be a matter of some bookkeeping that is done in the conda-meta/history file, which appears to be case-sensitive. While it would track it internally as a change in the channel, it wouldn't actually change the package.
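To review a plan like the one in the question before confirming it, the sketch below (an added example, not code from the question, the answer, or conda itself) parses the SUPERSEDED section and separates case-only relabels from switches to a different channel. The function names are hypothetical, and treating a case-only difference as bookkeeping rests on the answer's statement that both spellings resolve to the same place.

```python
import re

# Header conda prints before channel changes (copied from the output in the question).
HEADER = "The following packages will be SUPERSEDED by a higher-priority channel:"
# Matches e.g. "  openssl      conda-forge --> Conda-Forge"
CHANGE = re.compile(r"^\s+(\S+)\s+(\S+)\s+-->\s+(\S+)\s*$")
SUBDIR = re.compile(r"^(noarch|(linux|osx|win)-\w+)$")


def channel_of(spec):
    """Reduce 'channel/subdir::pkg-ver-build' (or a bare channel) to the channel."""
    chan = spec.split("::", 1)[0]
    head, _, tail = chan.rpartition("/")
    return head if head and SUBDIR.match(tail) else chan


def superseded_changes(plan_text):
    """Return (package, old_channel, new_channel) for each SUPERSEDED entry."""
    changes, in_section = [], False
    for line in plan_text.splitlines():
        if line.strip() == HEADER:
            in_section = True
        elif in_section and (m := CHANGE.match(line)):
            changes.append((m[1], channel_of(m[2]), channel_of(m[3])))
        elif in_section and line.strip():
            in_section = False  # next section of the plan started
    return changes


def classify(changes):
    """Split changes into case-only relabels and switches to a different channel."""
    result = {"case_only": [], "channel_switch": []}
    for pkg, old, new in changes:
        key = "case_only" if old.lower() == new.lower() else "channel_switch"
        result[key].append((pkg, old, new))
    return result


# Plan text taken from the question's output.
SAMPLE_PLAN = """\
The following packages will be SUPERSEDED by a higher-priority channel:

  ca-certificates                               conda-forge --> Conda-Forge
  certifi                                       conda-forge --> Conda-Forge
  conda                                         conda-forge --> Conda-Forge
  openssl                                       conda-forge --> Conda-Forge
"""

if __name__ == "__main__":
    for kind, items in classify(superseded_changes(SAMPLE_PLAN)).items():
        print(kind, items)
```

Entries under channel_switch are the ones worth checking by hand, since they mean packages such as openssl or conda would come from a different source than before.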
