Zachary Sailer
# Jupyter Security Bi-weekly Meeting

Zoom: https://ucsd.zoom.us/j/99742018697

# Oct 1st

| Name | Affiliation | username |
| --------------------| ------------|---------------|
| Rosio Reyes | Anaconda | @RRosio |
| R Ely | Bloomberg | @ohrely |
| David Qiu | AWS | @dlqqq |

Ely:
- Jupyter Open Studio Day in San Francisco on Monday, November 10th. Register at https://go.bloomberg.com/attend/invite/jupyter-open-studio-day-november-10-2025/

Matthias: Send a PR to Jupyter.org that adds the events in a banner if you wish, I'm happy to merge it. Also have you posted it in the Zulip? Feel free to also submit a blog post on Jupyter.org to announce (though I don't have the rights on Medium).

Matthias: Can the Jupyter Calendar be re-updated with meetings (at least I don't see them)? And is the UCSD Zoom link still valid? Also I likely can't join today, but I'm back from parental leave.

# Aug 1st

| Name | Affiliation | username |
| --------------------| ------------|---------------|
| David Qiu | AWS | @dlqqq |
| Rosio Reyes | Anaconda | @RRosio |
| Mike Krassowski | Quansight | @krassowski |

- Discussed password vault options for Project Jupyter.
  - 1Password Pro: $8/user/month
    - Given 50 users, this would be $400/month.
  - What are the drawbacks of the free plan?
  - Let's continue offline in https://github.com/jupyter/cve/issues/13
    - :thumbsup:

> Who is responsible for enterprise gateway? None of the attendees have access.
> More generally how do we monitor security issue submission on each repo and if they are replied to?

- It looks like it's under Jupyter Server but it is not being maintained as much as it was before 2024. Matthias, could you share more details about why?
- Right now, at least for me (David), I put all security emails in a folder and check that folder every week or so to make sure there's movement.

# Next Meeting

Matthias: Who is responsible for enterprise gateway?
More generally how do we monitor security issue submission on each repo and if they are replied to?

# July 1st

| Name | Affiliation | username |
| --------------------| ------------|---------------|
| David Qiu | AWS | @dlqqq |
| Rosio Reyes | Anaconda | @RRosio |
| Mike Krassowski | Quansight | @krassowski |

- Discussed Jupyter Security funding ideas
  1. snyk.io - open source security management: https://snyk.io/product/open-source-security-management/
  2. bug bounty program (e.g. huntr.com, but there are transparency issues w/ this)
  3. Jupyter Security retreat?
  4. Tidelift - dedicated funding is used to pay people to patch issues
- Mike: Let's also look into other large open source projects & how they are investing in security to get inspiration

# May 20th

| Name | Affiliation | username |
| --------------------| ------------|---------------|
| Rick Wagner | SDSC | @rpwagner |
| Joe Lucas | NVIDIA | @josephtlucas |
| Rosio Reyes | Anaconda | @RRosio |
| David Qiu | AWS | @dlqqq |

- Review charter: https://github.com/jupyter/security/pull/110
- Request for content creation ideas from Jake: https://docs.google.com/document/d/1u80WE68S1jZJdSrGl11DgTcMD_7c8vTh13EVlkT_KDI/edit?tab=t.0

# May 6th

| Name | Affiliation | username |
| --------------------| ------------|---------------|
| Rick Wagner | SDSC | @rpwagner |
| Joe Lucas | NVIDIA | @josephtlucas |
| Erik Sundell | | @consideRatio |
| Matthias Bussonnier | Quansight | @carreau |
| Mike Krassowski | Quansight | @krassowski |
| Rosio Reyes | Anaconda | @RRosio |
| David Qiu | AWS | @dlqqq |

- Rick has perms to create security@jupyter google group
- Push for private security reporting
  - need to be able to audit en masse
  - which repo should/have private security
  - what are all the opened security issues and are they replied to
  - https://otterdog.readthedocs.io/en/latest/
- Succinct Charter for Security Group
  - take action/implement policy/know when to pass to SSC/EC
- Update meeting link to not use zoom UCSD?
- Jupyter Media Strategy sub-group
  - charter

# April 29

| Name | Affiliation | username |
| --------------------| ------------|---------------|
| Matthias Bussonnier | Quansight | @carreau |

- 6min past, no-one, I'll leave

# April 22

| Name | Affiliation | username |
| --------------------| ------------|---------------|
| Rosio Reyes | Anaconda | @RRosio |
| Erik Sundell | | @consideRatio |
| Matthias Bussonnier | Quansight | @carreau |

# April 15

| Name | Affiliation | username |
| --------------------| ------------|---------------|
| Rick Wagner | SDSC | @rpwagner |
| David Qiu | AWS | @dlqqq |
| Rosio Reyes | Anaconda | @RRosio |
| Joe Lucas | NVIDIA | @josephtlucas |
| Erik Sundell | | @consideRatio |
| Mike Krassowski | Quansight | @krassowski |

- Review PyPI email
- Rosio member audit (https://github.com/jupyter/security/pull/100/files)
- Review of Jupyter Security Google group (ipython-security@google)
  - Was this made obsolete by GitHub based vuln reporting?
  - Consensus: move to an @jupyter domain and get off @
- How to define inactivity - Rosio will update documentation to reflect auditing membership levels
- JupyterHub adopting GitHub recommended defaults but concerned about vendor lock with CodeQL

# Feb 25

- Matthias: I think there is a non-replied email on the security ML about JupyterLite.

# Feb 18

| Name | Affiliation | username |
| --------------------| ------------|---------------|
| Rick Wagner | SDSC | @rpwagner |
| David Qiu | AWS | @dlqqq |
| Rosio Reyes | Anaconda | @RRosio |

Matthias:
- I will not make it this week.
- Review inactive users – I've removed a few, but I think we need more active help from subprojects to clean the list.
- security emails/mailing list.

David Q:
- Discuss handling of new security issues.
  - Rick: Open draft GHSAs for potential security risks.
- What is the process for patching security issues?
  - We probably want to use a private fork.
- Do we need a new CVE ID for CVEs in our dependencies?
  - Rick: There needs to be a standard for this. "Duplicate" CVEs occur frequently in the open source ecosystem. We don't have a consensus on this yet.
- How far do we backport patches?
  - Based on discussion, we think the last 3 minor releases including the latest minor release is OK.
- Should we allow public discussion of non-embargoed / publicly-known CVEs in our dependencies?
  - https://www.redhat.com/en/blog/security-embargoes-red-hat
  - Consensus: Probably yes since they are already public. Should check w/ other security resources to confirm.

# Feb 11

| Name | Affiliation | username |
| --------------------| ------------|---------------|
| David L. Qiu | AWS | @dlqqq |
| Rosio Reyes | Anaconda | @RRosio |
| Matthias Bussonnier | Quansight | @carreau |
| Mike Krassowski | Quansight | @krassowski |
| Rick Wagner | SDSC | @rpwagner |

- Met with Greg Cochran, program manager at GitHub. Discussed GitHub Secure Open Source Fund.
  - How will the fund be paid?
    - The fund will be paid through GitHub Sponsors.
    - Matthias: GitHub Sponsors is still routed to NumFOCUS instead of Jupyter Foundation right now.
    - David: Do we need to raise this to the EC?
  - What is the time commitment?
    - 4 hours per week (2 on Tues & Thurs), for 3 weeks. 12 hours total.
    - Maximum of 3 for the training program.
  - Can other contributors (>3) join office hours / other events that aren't strictly part of the security training program?
    - Yes.

# Feb 4th

| Name | Affiliation | username |
| --------------------| ------------|---------------|
| David L. Qiu | AWS | @dlqqq |

- Room was empty at 8:08am, cancelling today's occurrence.

# Jan 28

Private call, sec discussion.

# Jan 21

| Name | Affiliation | username |
| --------------------| ------------|---------------|
| Afshin T. Darian | QuantStack | @afshin |
| David L. Qiu | AWS | @dlqqq |
| Rosio Reyes | Anaconda | @RRosio |
| Matthias Bussonnier | Quansight | @carreau |
| Jeremy Tuloup | QuantStack | @jtpio |

- [name=Matthias] Won't be here today.
- Security council asked to look at https://github.com/jupyterlab/jupyterlab/pull/16794 and decide whether it is a security problem.

# Next:

- [name=Matthias] What is https://huntr.com/repos/jupyter/jupyter? Who has access?

# Jan 7th 2025

| Name | Affiliation | username |
| --------------------| ------------|---------------|
| Joe Lucas | NVIDIA | @josephtlucas |
| Robert Beverly | SDSU | |
| Rosio Reyes | Anaconda | @RRosio |
| Rick Wagner | UCSD | @rpwagner |

- [name=Matthias] Will likely miss the meeting, or at least the start of it.
- [name=Matthias] See some questions on the security private repo
- Rick starts off by introducing Rob and talking about the upcoming submission and potential letters of collaboration.
- Team works through security advisory

# Dec 31st 2024 – no meeting, bump to Jan 7th

I doubt anyone would meet then; and the calendar appears to have bumped the next meeting to Jan 7th anyway. See you next year.

# Dec 17th, 2024

No meetings.

# Dec 3rd, 2024

| Name | Affiliation | username |
| --------------------| ------------|---------------|
| M Bussonnier | Quansight | @Carreau |
| Rick Wagner | UCSD | @rpwagner |
| David Qiu | AWS | @dlqqq |

https://github.com/jupyter/jupyter.github.io/pull/774

- Matthias: Maybe write a script that loops through all orgs of the Jupyter enterprise and then all repos, user and owner activities.
- David Q: It seems like 1) if there does not exist a tool to do this, and 2) if we don't want to do this manually, then we have to build a tool for this.
- David Q: We could host a regular biweekly *private* call to build & run security audits using JupyterLab RTC.
  - Should get last activity of org owners
  - Should get security settings per repo
  - We could use Jupyter Scheduler
  - Starts on Jan 14 :wave:
- David Q: will add myself to Jupyter Security council via PR later
- Rick: It would be great if there were a graph viz tool that showed our packages, the dependencies between them, and all external dependencies.

# Nov 19th, 2024

| Name | Affiliation | username |
| --------------------| ------------|---------------|
| M Bussonnier | Quansight | @Carreau |

Rick unable to attend.

We should review the repos that have (or do not have) private vulnerability reporting.

No-one there 6 min past, so closing meeting.

# Nov 5th, 2024

| Name | Affiliation | username |
| --------------------| ------------|---------------|
| M Bussonnier | Quansight | @Carreau |
| Joe Lucas | NVIDIA | @josephtlucas |
| Rick Wagner | UCSD | @rpwagner |
| David Qiu | AWS | @dlqqq |

# October 29th, 2024

Matthias: Well, one more Calendar quack; 15+14 = 29, but the next meeting appears to be next week...

# October 15th, 2024

| Name | Affiliation | username |
| --------------------| ------------|---------------|
| Rosio Reyes | Anaconda | @RRosio |

Since only 1 person is in the meeting 15 minutes past the hour, likely no meeting will be held this week.

- [ ] Review and iterate on the Security Manager FAQ merged in [First draft security manager faq](https://github.com/jupyter/security/pull/77/)
  - Rosio: I can take a look at some of the suggestions and other improvements to be made on this document

Matthias: sick today, will likely not make it.
Some exchange with Ana wrt to Tidelift, moving forward slowly.

# October 1st, 2024

| Name | Affiliation | username |
| --------------------| ------------|---------------|
| M Bussonnier | Quansight | @Carreau |
| Rick Wagner | UCSD | @rpwagner |

Check on https://github.com/jupyter-governance/ec-team-compass/issues/51, via https://github.com/jupyter/software-steering-council-team-compass/issues/24

- [x] Followup on mail to trademark committee about ai, llc.
  - This will likely wait for the move to the LF
- [x] No news from Tidelift, beyond back and forth about who should write to LF Tidelift. I (Matthias) was asked to set it up, and said no, I never had a contact with the LF, and don't have access to the banking information to tell Tidelift where to send the funds and don't want to be an intermediary.
- [ ]

# September 17th, 2024

| Name | Affiliation | username |
| --------------------| ------------|---------------|
| M Bussonnier | Quansight | Carreau |
| Joe Lucas | NVIDIA | @josephtlucas |
| David Qiu | AWS | @dlqqq |

Rick, likely not here.

Check on https://github.com/jupyter-governance/ec-team-compass/issues/51
This is moving forward. Postponing review to next meeting.

Security statement.
- https://github.com/jupyter/security/discussions/78

- David: `jupyter.ai` is infringing on Jupyter trademarks; what action can be taken?
  - Matthias: The trademark committee has been less active due to frustration with NumFOCUS's legal process. Perhaps we can leverage legal resources from the Linux Foundation?
  - David: How can we revive the trademark committee? Maybe merge its responsibilities with the security WG?

# September 3rd, 2024

| Name | Affiliation | username |
| --------------------| ------------|---------------|
| Matthias Bussonnier | Quansight | @carreau |
| Rick Wagner | UCSD | @rpwagner |

Some traffic around security.
- Some summary of Tidelift and moving to the Linux Foundation.
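The cross-org audit proposed in the Dec 3rd and Nov 19th, 2024 notes above (walk every org, record owner activity and security-manager teams, flag repos without private vulnerability reporting), written out as an added example; it is not the Jupyter Security group's own tooling. It assumes the public GitHub REST endpoints named in the code, a token in `GITHUB_TOKEN`, and the constructed `example-org` responses used for the offline run.

```python
"""Cross-org GitHub security posture audit: an added example, not the Jupyter
Security group's own tooling. Needs a GITHUB_TOKEN with read access to the orgs."""
import json
import os, sys
import urllib.request
from dataclasses import dataclass, field
from typing import Any, Callable, Iterator, Optional

API = "https://api.github.com"
Fetch = Callable[[str], Any]  # path -> decoded JSON; swapped for an offline stub in tests

def github_fetch(path: str, token: str) -> Any:
    # GET one REST path and decode the JSON body; pagination is the caller's job.
    headers = {"Accept": "application/vnd.github+json", "Authorization": f"Bearer {token}"}
    req = urllib.request.Request(API + path, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def paginate(fetch: Fetch, path: str, per_page: int = 100) -> Iterator[dict]:
    # Yield items from a list endpoint page by page until a short page ends it.
    sep = "&" if "?" in path else "?"
    page = 1
    while True:
        batch = fetch(f"{path}{sep}per_page={per_page}&page={page}")
        yield from batch
        if len(batch) < per_page:
            return
        page += 1

@dataclass
class RepoFinding:
    full_name: str
    archived: bool
    private_vuln_reporting: Optional[bool]  # None: endpoint denied or body unexpected

@dataclass
class OrgReport:
    org: str
    owner_last_seen: dict[str, Optional[str]]  # org admin login -> newest public event time
    security_manager_teams: list[str]          # teams holding GitHub's security-manager role
    repos: list[RepoFinding] = field(default_factory=list)

    def repos_missing_pvr(self) -> list[str]:
        """Active (non-archived) repos where private vulnerability reporting is off or unknown."""
        return [r.full_name for r in self.repos
                if not r.archived and r.private_vuln_reporting is not True]

    def silent_owners(self) -> list[str]:
        """Owners with no public event in the ~90 days GitHub keeps: review their access."""
        return [login for login, seen in self.owner_last_seen.items() if seen is None]

def _last_public_event(fetch: Fetch, login: str) -> Optional[str]:
    events = fetch(f"/users/{login}/events/public?per_page=1")  # newest event first
    return events[0]["created_at"] if events else None

def audit_org(org: str, fetch: Fetch) -> OrgReport:
    """Collect owner activity, security-manager teams and per-repo findings for one org."""
    owners = [u["login"] for u in paginate(fetch, f"/orgs/{org}/members?role=admin")]
    try:
        teams = [t["slug"] for t in fetch(f"/orgs/{org}/security-managers")]
    except Exception:  # token is not an org admin: leave empty, keep auditing
        teams = []
    report = OrgReport(org, {o: _last_public_event(fetch, o) for o in owners}, teams)
    for repo in paginate(fetch, f"/orgs/{org}/repos?type=all"):
        full = repo["full_name"]
        try:
            pvr = bool(fetch(f"/repos/{full}/private-vulnerability-reporting")["enabled"])
        except Exception:  # 403/404 or odd body: record as undetermined, keep going
            pvr = None
        report.repos.append(RepoFinding(full, bool(repo.get("archived")), pvr))
    return report

def render(report: OrgReport) -> str:
    lines = [f"== {report.org}: security managers={report.security_manager_teams}"]
    lines += [f"  no private vulnerability reporting: {n}" for n in report.repos_missing_pvr()]
    lines += [f"  owner without recent public activity: {o}" for o in report.silent_owners()]
    return "\n".join(lines)

# Constructed sample responses (not real Jupyter data) so the audit can run offline.
SAMPLE_RESPONSES = {
    "/orgs/example-org/members?role=admin&per_page=100&page=1": [{"login": "alice"}, {"login": "bob"}],
    "/users/alice/events/public?per_page=1": [{"created_at": "2024-11-30T09:00:00Z"}],
    "/users/bob/events/public?per_page=1": [],
    "/orgs/example-org/security-managers": [{"slug": "security-managers"}],
    "/orgs/example-org/repos?type=all&per_page=100&page=1": [
        {"full_name": "example-org/server", "archived": False},
        {"full_name": "example-org/old-tool", "archived": True},
        {"full_name": "example-org/widgets", "archived": False},  # no PVR entry -> None
    ],
    "/repos/example-org/server/private-vulnerability-reporting": {"enabled": True},
    "/repos/example-org/old-tool/private-vulnerability-reporting": {"enabled": False},
}

def sample_fetch(path: str) -> Any:
    return SAMPLE_RESPONSES[path]  # an unknown path raises, as an HTTP 404 would

if __name__ == "__main__":  # e.g.  GITHUB_TOKEN=... python audit.py jupyter jupyterlab
    fetch: Fetch = (lambda p: github_fetch(p, os.environ["GITHUB_TOKEN"])) if sys.argv[1:] else sample_fetch
    for org in sys.argv[1:] or ["example-org"]:
        print(render(audit_org(org, fetch)))
```

Run with no arguments to exercise the constructed data; with org names and a token it reports on the real orgs, and an archived repo is never flagged because archiving, not private reporting, is the expected end state for it.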
## July 2nd, 2024

| Name | affiliation | username |
| ------------------- | ----------- | ------------- |
| Matthias Bussonnier | Quansight | @carreau |

I'm assuming no one will show up with 4th of July that close. See you in two weeks.

Non-claimed Tidelift packages with income, about $100/month each.

1. https://tidelift.com/lifter/search/pypi/comm
1. https://tidelift.com/lifter/search/pypi/ipykernel
1. https://tidelift.com/lifter/search/pypi/ipywidgets
1. https://tidelift.com/lifter/search/pypi/jupyter-client
1. https://tidelift.com/lifter/search/pypi/jupyter-core
1. https://tidelift.com/lifter/search/pypi/jupyter-events
1. https://tidelift.com/lifter/search/pypi/jupyter-server
1. https://tidelift.com/lifter/search/pypi/jupyter-server-terminals
1. https://tidelift.com/lifter/search/pypi/jupyterlab
1. https://tidelift.com/lifter/search/pypi/jupyterlab-pygments
1. https://tidelift.com/lifter/search/pypi/jupyterlab-server
1. https://tidelift.com/lifter/search/pypi/nbclassic
1. https://tidelift.com/lifter/search/pypi/nbclient
1. https://tidelift.com/lifter/search/pypi/nbconvert
1. https://tidelift.com/lifter/search/pypi/nbformat
1. https://tidelift.com/lifter/search/pypi/notebook
1. https://tidelift.com/lifter/search/pypi/notebook-shim
1. https://tidelift.com/lifter/search/pypi/terminado

## June 18th, 2024

| Name | affiliation | username |
| ------------------- | ----------- | ------------- |
| Matthias Bussonnier | Quansight | @carreau |
| Rosio Reyes | Anaconda | @RRosio |

## May 21st, 2024

| Name | affiliation | username |
| ------------------- | ----------- | ------------- |
| Rick Wagner | UCSD | @rpwagner |
| Joe Lucas | NVIDIA | @josephtlucas |
| Matthias Bussonnier | Quansight | @carreau |
| Rosio Reyes | Anaconda | @RRosio |

- Rick explores GitHub enterprise settings
- Rick invited a bunch of organizations into the enterprise

## May 7th, 2024

| Name | affiliation | username |
| ------------------- | ----------- | ------------- |
| Rosio Reyes | Anaconda | @RRosio |
| Matthias Bussonnier | Quansight | @carreau |

- Rosio - I opened https://github.com/jupyter/security/pull/77. Hoping to gather feedback!
- Matthias & Rosio:
  - I think the meetings are not every two weeks but are the first and third Tuesday of every month. We don't know if we want to fix that on the calendar or keep it. Anyway it's just the two of us, so we can cut the meeting short, and sync offline.

## April 16th, 2024

| Name | affiliation | username |
| ------------------- | ----------- | ------------- |
| Matthias Bussonnier | Quansight | @carreau |
| Rick Wagner | UCSD | @rpwagner |
| Joe Lucas | NVIDIA | @josephtlucas |
| Rosio Reyes | Anaconda | @RRosio |

- How do we manage security managers?
  - Reviewing https://github.com/jupyter/security/issues/76
- Rick shares: https://github.com/ossf/oss-vulnerability-guide/blob/main/maintainer-guide.md
- Rick shares: Jupyter Security Strategic Plan

## April 2nd, 2024

| Name | affiliation | username |
| ------------------- | ----------- | ------------- |
| Matthias Bussonnier | Quansight | @carreau |
| Rick Wagner | UCSD | @rpwagner |
| R Ely | Bloomberg | @ohrely |
| Rosio Reyes | Anaconda | @RRosio |

Review orgs where we do/do not have ability to open GitHub advisory.

Ely: Jupyter Open Studio Day NYC Monday April 29 [Registration link](https://go.bloomberg.com/attend/invite/jupyter-open-studio-day-2024/)

Matthias: I'm in Seattle June 3-5, it's close, but not close enough I think for me to stay 2 weeks. –– misread, I read end of May, so no I can't come for just a day.

## March 19th, 2024

| Name | affiliation | username |
| ------------------- | ----------- | ------------- |
| Matthias Bussonnier | Quansight | @carreau |

- 4 minutes past the top of the hour: Only 1 person in the meeting. I'm going to guess something went wrong with the daylight saving time change last week, and calendars don't match up. The meeting is 1h earlier than usual for me, so I guess it should not have changed time for attendees in the US. I'll try to be present in 1h just in case.

## March 5th, 2024

| Name | affiliation | username |
| ------------------- | ----------- | ------------- |
| Matthias Bussonnier | Quansight | @carreau |
| Rosio Reyes | Anaconda | @RRosio |

Rick cannot make it, and so far there is only Matthias and Rosio, so we may just cancel if nobody joins at 10min past.

## Feb 20th, 2024

| Name | affiliation | username |
| ------------------- | ----------- | ------------- |
| Joe Lucas | NVIDIA | @josephtlucas |
| Rick Wagner | UCSD | @rpwagner |
| Matthias Bussonnier | Quansight | @carreau |
| Mike Krassowski | Quansight | @krassowski |
| David Qiu | AWS | @dlqqq |

[Jupyter Security Ops](https://hackmd.io/kjwZRMUxSDSl90loO2Md-A)

## Feb 6th, 2024

| Name | affiliation | username |
| ------------------- | ----------- | ------------- |
| Joe Lucas | NVIDIA | @josephtlucas |
| Rick Wagner | UCSD | @rpwagner |
| David Qiu | AWS | @dlqqq |
| Rollin Thomas | NERSC | @rcthomas |

Agenda:
- (Joe) NumFOCUS Security Survey
- (Joe) Proposal: draft a Jupyter[Lab/Hub] incident response runbook. For IT departments, if they think there's a security issue with their deployment, what artifacts should they preserve for digital forensics? Where should they look for indicators of compromise?
- (Rollin) Downstream project notifications?
- (David) Maybe build a tool that maintains a security group across multiple orgs?
  - (Joe) Maybe implement this as a GitHub action
  - The group will use the stock "security manager" role: https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/managing-security-managers-in-your-organization
- Initial security goals for the strategic plan
  - Define the scope of security within Project Jupyter
  - Project Jupyter GitHub repos in scope should use the [Open Source Security Foundation (OpenSSF) Best Practices badge](https://www.bestpractices.dev/)
  - Adopt the [Concise Guide for Developing More Secure Software](https://best.openssf.org/Concise-Guide-for-Developing-More-Secure-Software) as a base set of practices for all Jupyter Subprojects
  - Publish documentation on Project Jupyter security using the questions in the [Concise Guide for Evaluating Open Source Software](https://best.openssf.org/Concise-Guide-for-Evaluating-Open-Source-Software) as a reference.

## Jan 16th, 2024

| Name | affiliation | username |
| ------------------- | ----------- | ------------- |
| Joe Lucas | NVIDIA | @josephtlucas |
| Rick Wagner | UCSD | @rpwagner |
| Matthias Bussonnier | Quansight | @carreau |
| David Qiu | AWS | @dlqqq |
| Rosio Reyes | Anaconda | @RRosio |
| Rollin Thomas | NERSC | @rcthomas |

- Joe will try and call in from the road

Agenda:
- Deal with LSP security report and jupyter-lsp org.
  - Received a security vuln for jupyter-lsp, but it's hosted on a jupyter-lsp jupyter org, which is not technically official.
  - https://github.com/jupyter-governance/ec-team-compass/issues/25
  - David: Agree with Matthias here. Collaborated w/ him to write this issue.
- Jupyter + Zeek proposal
  - Not progressing due to lack of cycles from collaborators

## Jan 2nd, 2024

| Name | affiliation | username |
| ------------------- | ----------- | ------------- |
| Joe Lucas | NVIDIA | @josephtlucas |
| Rosio Reyes | Anaconda | @RRosio |
| Dor Sarig | Pillar Security | |
| Ziv | Pillar Security | |

- Rosio to continue working on Threat Modeling for Rosio but has priority conflicts currently.
- Dor/Ziv were following up on a vulnerability reported to security@ipython.org

## Dec 19th, 2023

| Name | affiliation | username |
| ------------------- | ----------- | ------------- |
| David Qiu | AWS | @dlqqq |
| Rick Wagner | UCSD | @rpwagner |

- David: Rick proposed refining and outlining the existing security vulnerability process. It would involve a stakeholder from each subproject.
  - I suggest that we also have a triage group for this to avoid generating noise. That is, if you receive a notification, it will be very likely that this vulnerability affects your project, and that this demands your attention.
  - Rick suggests using GitHub's security vulnerability reporting process. We should investigate 1) when this sends notifications, and 2) who is notified in this process.
  - I can help with another draft of the vulnerability reporting process.
  - https://github.com/jupyter/security/blob/main/docs/vulnerability-handling.md
- Mike: https://github.com/jupyter/notebook/pull/7153/files
  - Cross-linked in security repo: https://github.com/jupyter/security/issues/72
  - David: I agree that GH Actions are sort of dangerous by default. But the real problem isn't that we need to hashpin, but that I'm not aware of any tool that helps with this.
  - Mike: Perhaps we should invite https://github.com/diogoteles08 to one of our meetings in the future.
  - David: I agree with this; let's build a bridge if possible.

## Dec 5th, 2023

| Name | affiliation | username |
| ------------------- | ----------- | ------------- |
| Matthias Bussonnier | Quansight | @Carreau |
| Joe Lucas | NVIDIA | @josephtlucas |
| Rosio Reyes | Anaconda | @RRosio |
| Rick Wagner | UCSD | @rpwagner |
| David Qiu | AWS | @dlqqq |
| Rollin Thomas | NERSC | @rcthomas |

The amount of money in the Tidelift account for Jupyter is close to ~7900 USD. Some funds were used to reimburse travel expenses to the NSF security Summit.

Some people were sick in the previous week.

NumFOCUS Security council slowly progressing with a data-backed process.
- Juanita in contact with OpenSSF.
- Writing Guides
- Credentials;
- Matthias: https://github.com/scientific-python/specs/pull/168#pullrequestreview-1557436109
- David: Quick update on the labextension documentation that Rick had requested. Hoping to start on this sometime this week, should have something ready by the end of the month. Rather busy right now.
- Matthias, Tidelift: https://github.com/jupyterlab/team-compass/discussions/224
  - David: I'll bring this up in the JupyterLab call tomorrow.
- [ ] TODO: Matthias said he would reach out to NF with a list of requests for HECVAT and similar, but forgot.

## November 21, 2023

| Name | affiliation | username |
| ------------------- | ----------- | ------------- |
| Matthias Bussonnier | Quansight | @Carreau |
| Joe Lucas | NVIDIA | @josephtlucas |
| Rosio Reyes | Anaconda | @RRosio |

Tasks:
- [ ] Reply to "Pilot: Security Committee Introduction and Survey" and fill in the form.
- Where: [`jovyan` Zoom](https://ucsd.zoom.us/j/99742018697)

## November 7, 2023

| Name | affiliation | username |
| ------------------- | ----------- | ------------- |
| Rick Wagner | UCSD | @rpwagner |
| Joe Lucas | NVIDIA | @josephtlucas |
| Rosio Reyes | Anaconda | @RRosio |
| Matthias Bussonnier | Quansight | @Carreau |
| David Qiu | AWS | @dlqqq |
| Rollin Thomas | NERSC | @rcthomas |

- Security reports directly on Jupyter/Security
- HECVAT and alike report:
  - See https://github.com/jupyter/jupyter.github.io/pull/743/files#commit-suggestions
  - URL: https://library.educause.edu/resources/2020/4/higher-education-community-vendor-assessment-toolkit
  - Attorneys at the NSF summit - who is the legal entity, do they have attorneys.
  - Have both an FAQ, and a Document (pdf) signed by NumFOCUS.
- Opened an [issue (docs-team-compass#22)](https://github.com/jupyter/docs-team-compass/issues/22) for security documentation in the Documentation repo
  - David to contribute JupyterLab documentation on developing JupyterLab extensions.
  - David: I can get started on this in a few weeks, with a draft PR by early December.
- Security documentation to be added to jupyter.org/security
  - Source: https://github.com/jupyter/jupyter.github.io
  - Can we have exclusive permissions to edit the "Security" page?
  - David's proposed process: We open changes as a draft PR, get feedback from everybody in security, then open for review and ping somebody to merge the PR

Matthias suggests a small read later: http://thecodelesscode.com/case/215

## October 17, 2023

| Name | affiliation | username |
| ------------------- | ----------- | ------------- |
| Rick Wagner | UCSD | @rpwagner |
| Jason Weill | @AWS | @JasonWeill |
| Joe Lucas | NVIDIA | @josephtlucas |
| Rollin Thomas | NERSC | @rcthomas |
| Rosio Reyes | Anaconda | @RRosio |

* Review vulnerability handling process.
* [Workshop agenda](https://docs.google.com/document/d/1hl1qe72s1CZc7Z3QOh1apANRi--qkupcnWEyH4VNOiQ/edit?usp=sharing)
* Jupyter Maint lost devices. Process to remove all access?
* I (Matthias) re-asked to decrease the number of GitHub orgs: [executive-council-team-compass#12](https://github.com/jupyter/executive-council-team-compass/issues/12)

FYI WRT security, Matthias suggested a change to handler in Jupyter-Server.
- [jupyter-server/jupyter_server#1332](https://github.com/jupyter-server/jupyter_server/pull/1332)

David not able to attend the community survey this Thursday due to a personal conflict.

Charlotte requests that we close accepted submissions in the bug bounty program
* Rick to capture information from submissions, then close

[Trusted CI engagement documentation](https://github.com/jupyter/security/tree/main/docs)

Please add David Qiu to the Jupyter Security (ipython-security) mailing list
* Done (Rick, 10/17/23)

## October 3, 2023

| Name | affiliation | username |
| ------------------- | ----------- | ------------- |
| Matthias Bussonnier | Quansight | @Carreau |
| Rick Wagner | UCSD | @rpwagner |
| Jason Weill | @AWS | @JasonWeill |
| David Qiu | @AWS | @dlqqq |
| Rollin Thomas | NERSC | @rcthomas |
| Rosio Reyes | Anaconda | @RRosio |

Agenda:
* Email from the Community Building Group:
  - Process to source input from subprojects to identify areas where help is needed to maintain a robust community. Identify community building practices. There are interview scripts, and an invite to join calls on Thursday.
  - Some of us are going to attend on October 19th.
* We now have a Jupyter Security Sandbox environment.
  * It will likely be used for the Jupyter/Zeek workshop on October 23rd
  * The NSF has a program called [CloudBank](https://www.cloudbank.org/). Targeted for cyberinfra and DS. But also grants for training activities.
    * It does allow federated logging.
    * currently $2k
  * Suggest to have this as public information,
  * And let the SSC know.
  * See https://github.com/jupyter/executive-council-team-compass/issues/13

Sorry I think I ended the meeting for all... not sure how as I should not have been admin...

## September 19, 2023

| Name | affiliation | username |
| ------------------- | ----------- | ------------- |
| Matthias Bussonnier | Quansight | @Carreau |
| Joe Lucas | NVIDIA | @josephtlucas |
| Rick Wagner | UCSD | @rpwagner |
| Jason Weill | @AWS | @JasonWeill |
| Rosio Reyes | Anaconda | @RRosio |

* Matthias may see if Juanita can attend the TrustedCI workshop
  * She says yes, she is interested, she lives in Santa Cruz, can drive, and can figure out lodging. Just need to get her a ticket.
* Rosio wants to learn more about vulnerability reporting/handling process
  * Issue opened up a couple of weeks ago when someone wanted to report a vuln
* Revised TrustedCI blog post
* Intigriti
  * Will probably close it out with a blog post
  * With a quote from Charlotte (Jason W to follow up w/Charlotte)
  * Should we involve NF?

## September 5, 2023

| Name | affiliation | username |
| ------------------- | ----------- | ------------- |
| Matthias Bussonnier | Quansight | @Carreau |
| Jason Weill | @AWS | @JasonWeill |
| Joe Lucas | NVIDIA | @josephtlucas |
| Rick Wagner | UCSD | @rpwagner |
| Rollin Thomas | NERSC | @rcthomas |

* TrustedCI Summit Plans
  * Jupyter security tutorial, Monday, October 23
  * Jupyter network monitoring workshop, Tuesday, October 24

6 out of 13 vulns accepted on Intigriti. Small to large. Should we say how much it cost? Would other Bug Bounty
- Should there be a NumFOCUS BugBounty program?
- $14000 left in the project
- Foobar 7/13

## Tidelift Money

| Date | project | amount (USD) |
| ---- | ------- | ------------ |
| 10/06/22 | conda/ipython | 250.00 |
| 10/06/22 | pypi/ipython | 250.00 |
| 10/06/22 | conda/traitlets | 250.00 |
| 10/06/22 | pypi/traitlets | 100.00 |
| 12/21/22 | Tidelift Payout Nov & Dec 2022 (iPython) | 1,000.00 |
| 12/21/22 | Tidelift Payout Nov & Dec 2022 (Traitlets) | 700.00 |
| 3/08/2023 | Traitlets February 2023 | 350.00 |
| 3/08/2023 | iPython February 2023 | 500.00 |
| 3/08/2023 | Traitlets January 2023 | 350.00 |
| 3/08/2023 | iPython January 2023 | 500.00 |
| 4/21/2023 | Traitlets March 2023 | 350.00 |
| 4/21/2023 | iPython March 2023 | 500.00 |
| 5/15/2023 | Traitlets April 2023 | 350.00 |
| 5/15/2023 | iPython April 2023 | 500.00 |
| 6/13/2023 | iPython May 2023 | 500.00 |
| 6/13/2023 | Traitlets May 2023 | 350.00 |
| | Total | $ 6,800.00 |

## August 15, 2023

| Name | affiliation | username |
| ------------------- | ----------- | ------------- |
| Matthias Bussonnier | Quansight | @Carreau |
| Jason Weill | @AWS | @JasonWeill |
| Joe Lucas | NVIDIA | @josephtlucas |
| Michał Krassowski | Quansight | @krassowski |
| Eric Gentry | Anaconda | @ericsnekbytes |

* Intigriti – Some security bugs, and a few difficulties to sync with GitHub
  * How to increase email volume?
* Permissions not synced across GitHub organizations (requires GH Enterprise?)
  * How can we handle this better?
  * Mike pointed out security managers:
    - https://docs.github.com/en/rest/orgs/security-managers?apiVersion=2022-11-28
    - https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/managing-security-managers-in-your-organization
    - https://github.blog/changelog/2021-10-21-introducing-the-organization-level-security-manager-role/
  * Matthias opened an issue about it: https://github.com/jupyter/security/issues/68
* NumFOCUS Tidelift money
  * Still waiting to make sure we do receive it and have regular updates on the amount.
* NumFOCUS summit in Amsterdam
  * speak about security.
* confusion between security@ipython.org and ipython-security@googlegroup.com
  * Turn on moderation?
  * Seems we have agreement.

## August 1, 2023

| Name | affiliation | username |
| ------------------- | ----------- | ------------- |
| Rollin Thomas | NERSC | @rcthomas |
| Jason Weill | @AWS | @JasonWeill |
| Rick Wagner | UCSD | @rpwagner |

* Joe has conflict today (final sync before BlackHat USA)
* PEARC debrief by Rick
  * Not too much Jupyter discussion / talks
  * Saw poster by Mike Milligan
  * Not too much security-related stuff
  * Would like to see more NSF sec involvement
* Security workshop planning
  * AI... do users know what they're doing?
  * ... do we know what they're doing?
* Promotion of bug bounty
  * Bots? Some generic-looking submissions
  * Discourse, Twitter (still), LinkedIn
* Summary for Community Building Working Group
  * Activities accepted
  * Rick plans to prepare request

## July 18, 2023

| Name | affiliation | username |
| ------------------- | ----------- | ------------- |
| Jason Weill | @AWS | @JasonWeill |
| Joe Lucas | NVIDIA | @josephtlucas |
| Rick Wagner | UCSD | @rpwagner |
| Rollin Thomas | NERSC | @rcthomas |
| Matthias Bussonnier | Quansight | @carreau |

Workshop planning for October. Mostly Jupyter focused, but having other projects participate would be great.
## July 11, 2023

| Name | affiliation | username |
| ------------------- | --------------- | ------------------ |
| Jason Weill | @AWS | @JasonWeill |
| Rollin Thomas | NERSC | @rcthomas |
| Rick Wagner | UCSD | @rpwagner |

* Joe has a conflict (will read over the notes later today for any action items)

## June 20, 2023

| Name | affiliation | username |
| ------------------- | --------------- | ------------------ |
| Rick Wagner | UCSD | @rpwagner |
| Jason Weill | @AWS | @JasonWeill |
| Joe Lucas | NVIDIA | @josephtlucas |
| Matthias Bussonnier | Quansight | @carreau |

* Zeek submissions complete
* Rick: Maybe we define some canonical deployment scenarios (on the desktop, JupyterLab on a server, Hub, Zero to JupyterHub)
* Jason: Is jupyter.org being updated? If so, maybe we use this to update the [security page](https://jupyter.org/security)
  * Produce resources for the NSF summit and post to the website
* Jason: Anna and Steven putting together a policy for posting to official social media
* How do we follow what EC and SSC are doing?
  * Nontransparent
  * Zoom conflict with other Jupyter committees again.
  * Matthias recommends restructuring the governance page to make meeting notes and schedules more discoverable
* Intigriti
  * Will finish draft and get to the Jupyter projects for review this week
* OpenSSF
  * Should we be involved at the free tier?
* https://ostif.org/ contacted NumFOCUS about completing a Pandas audit. Might be a resource for us later.

Workshop TODOs:
- [ ] Marketing
  - Twitter (some people have requested that it be deleted)
  - Discourse
  - We don't have Mastodon
- [ ] Making it an official community workshop (maybe ask Community Building Committee)

## June 13, 2023 (Zeek/TrustedCI Call)

| Name | affiliation | username |
| ------------------- | --------------- | ------------------ |
| Rick Wagner | UCSD | @rpwagner |
| Jason Weill | @AWS | @JasonWeill |
| Joe Lucas | NVIDIA | @josephtlucas |
| Rollin Thomas | NERSC | @rcthomas |
| Aaron Scantlin | NERSC | |
| Fatema Bannat Wala | Zeek | |
| Christian Kreibich | Zeek | |
| James Marsteller | NSF | |
| Keith Lehigh | | |

* Zeek has been experimenting with OpenSSF tooling (CI, static code analysis)
* Historically approached network monitoring by protocol
  * If you write the analyzer, you signature events
  * Script writer taps into these logs
  * People want to use this to identify applications
* What would it look like for Jupyter? What's encrypted?
  * Could discuss / do during a working session:
    * installations
    * recorded network traffic
    * what visibility exists today?
    * what visibility could exist if there's further development?
* Jupyter should be able to build a Zeek instrumentation framework relatively independently
* Hackathon is feasible.
  * If there's a range of familiarity with Zeek, we could start with an "intro to Zeek" talk leading into
    * "what could be built"
    * followed by "here's Jupyter" (on the network)
    * into hackathon
  * Will be more productive if there's "homework"
    * packet captures
* Instrumenting Jupyter with agents may open up options
* Rick proposes:
  * Zeek and Jupyter each have their own separate, independent "full day" (maybe Monday?)
  * but come together for a half-day collaboration on another day (maybe Tuesday?)
  * James and Christian agree
  * Christian will work with Rick on the joint submission
* Submissions:
  * Full day from Jupyter security workshop
  * Joint half day workshop from Jupyter and Zeek
  * Zeek (intro + advanced)
* Room capacity in the 50-80 people range
* Christian wants to see our threat model

## June 6, 2023

| Name | affiliation | username |
| ------------------- | --------------- | ------------------ |
| Matthias Bussonnier | Quansight | @carreau |
| Rick Wagner | UCSD | @rpwagner |
| Jason Weill | @AWS | @JasonWeill |
| Joe Lucas | NVIDIA | @josephtlucas |
| Rollin Thomas | NERSC | @rcthomas |
| Cory Sherman | U of Wisconsin | |

* Thoughts from JupyterCon (10 minutes)
  * Security tutorial
  * Joe's excellent demo talk on security
    - Have helpers do a time check
    - 30 -> 15 -> 10 decrease in attendees.
    - Notebook trust
    - OAuth OIDC with Pyodide.
    - Stack of the interpreter persistence state timeline?
* Asset inventory and documenting privileged accounts (30 minutes)
  * Related topics:
    * [Domain name management](https://github.com/jupyter/security/issues/64) for both `mybinder.org` and [`jupyter.org` subdomains](https://github.com/jupyter/enhancement-proposals/blob/master/jupyter-subdomain-for-schemas/proposal.md) (and ipython.org, cf. CVE for mail?)
    * [PyPI org](https://github.com/jupyter/security/issues/61#issuecomment-1526251886)
    * Matthias: Multiple small issues with orgs that might likely need to be resolved first.
  * Suggested process (Rick):
    * Draft asset table in private repo
    * Host a series of short office hours and invite various subprojects, asset owners and managers to contribute
    * Define who should have 1Password accounts to help be a known resource: designees from the Security Subproject, designees from the SSC or EC?
    * Another world tour to share and encourage participation?
* Jupyter Security Community Meeting, **Oct 24-26** (10 minutes)
  * [2023 NSF Cybersecurity Summit CFP](https://www.trustedci.org/2023-cfp) is out
  * Email from Jim Marsteller:
    * The deadline for submitting proposals is **Friday June 16, 2023.**
    * We hope to have the Jupyter project participating at the summit this year.
    * I believe a full day of training was discussed earlier with a possible collaboration with Zeek on interoperability between the two projects.
    * I just sent a similar email to the Zeek folks to make them aware.
  * Possibly straightforward to get a day
  * Current schedule unclear (will it be Monday, Friday?)
    * Hoping for not Monday or Friday
  * Proposal:
    * Security workshop proposal from Rick independently
    * For the summit itself or Jupyter workshop
    * Who'd be at the summit anyway to draw in Jupyter folks?
  * NSF encourages hybrid workshops
    * "Workshop and training organizers may choose to offer either in-person or a hybrid model to include attendees joining remotely via Zoom. Workshop/training organizers are encouraged to offer hybrid sessions to maximize participation. This includes running the Zoom (e.g., monitoring the chat, unmuting remote participants, etc.)."
* ipython.org SPF vulnerability
  - name.com points to DNS on Cloudflare. I modified `~all` to `-all`, waiting for DNS propagation.
  - DNS has propagated for me.
* Other topics (10 minutes)
  * Draft a security FAQ based on recent emails?
  * Intigriti Bug Bounty: project descriptions need to be updated
    * Follow up with Charlotte

## May 2, 2023

| Name | affiliation | username |
| ------------------- | ----------- | ----------------- |
| Jason Weill | AWS | @JasonWeill |
| Rick Wagner | UCSD | @rpwagner |
| Matthias Bussonnier | Quansight | @Carreau |
| Jason Grout | Databricks | @jasongrout |
| Rollin Thomas | NERSC | @rcthomas |
| Steve Silvester | MongoDB | @blink1073 |

* Joe Lucas OOTO for this meeting. See you in Paris.
* https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect
* PyPI Organizations ([ticket](https://github.com/jupyter/security/issues/61))
  * Key: Delegation to subprojects and keeping subprojects from hitting barriers to prevent fracture?
  * 4 teams set up as 1 per GitHub org plus JupyterHub
  * Experiment: on JupyterLab made Frederic an owner, moved hatch-jupyter under that
  * RBAC, OIDC could allow trusted publishers, and bots go away
  * PyPI vs GitHub
    * Jupyter is subprojects in GitHub but not a perfect mapping
    * PyPI packages are tied to repos, not GitHub orgs
    * Flexibility in delegating who can manage releases, doesn't have to be SSC rep
  * New feature: PyPI projects can be linked to GitHub on PyPI `/manage/project/{repo}/settings/publishing`
  * On GitHub, required reviewers provide additional gating to publish
  * Yanking from PyPI? Needs PyPI account?
  * Who should be top-level owners? EC
    * May be a good choice for now until an official delegation
  * Q on asset inventory and privileged roles; is there an audit / sec team to be able to see into things?
    * Rick doesn't want that at the moment
  * Related: NPM provenance
* Security Subproject Update during SSC/EC meeting
  * Intigriti Bug Bounty
  * Vulnerability handling across projects
  * 2FA requirement
  * Security workshop
  * Auditing privileged access for Jupyter assets (GitHub orgs/repos, PyPI, DNS, etc. See notes from last time)

## April 18, 2023

| Name | affiliation | username |
| ------------------- | ----------- | ----------------- |
| Jason Weill | AWS | @JasonWeill |
| Joe Lucas | NVIDIA | @josephtlucas |
| Rick Wagner | UCSD | @rpwagner |
| Matthias Bussonnier | Quansight | @Carreau |

* Package Repositories (NPM, PyPI, docker, conda)
  * What are the things that people from Jupyter manage?
  * Who are the maintainers?
  * Should we inventory these assets?
  * Can this be scripted (along with who has access)?
* Draft Asset List (places important things are hosted, done, processed, etc.)
  * Semi-prioritized
  * Priority
    * GitHub
    * PyPI
    * Conda
    * NPM
    * ReadTheDocs
    * DockerHub
    * Namecheap (DNS)
    * Jupyterlab.io (Google Domain)
    * 1Password
  * Next
    * Twitter
    * Facebook
    * LinkedIn
    * Mastodon
    * CloudFlare
    * Google Drive
    * GMail
    * Google Groups
    * YouTube
    * Zoom
    * Discourse.jupyter.org (hosted by Discourse)
    * nbviewer.org
    * binderhub.org
    * fast.ly (nbviewer.org)
    * RackSpace (nbviewer.org, mail??)
    * OpenCollective
    * Medium (blog)
    * Tidelift
    * Gitter
* Next: Review access to priority assets, track in private repo
* Share list of assets with Governance

## April 4, 2023

| Name | affiliation | username |
| ------------------- | ----------- | ----------------- |
| Jason Weill | AWS | @JasonWeill |
| Joe Lucas | NVIDIA | @josephtlucas |
| Rollin Thomas | NERSC | @rcthomas |
| Rick Wagner | UCSD | @rpwagner |

* Workshop:
  * What do we want to get out of it?
  * Should we require best practices of other Jupyter subprojects?
    * Would discussing this at the workshop be a good use of the opportunity?
    * Socialize and get feedback on this
    * Do the subprojects want guidance on this?
  * Dependency analysis vs actual issues with Jupyter code?
  * Logging and auditing w/Zeek?
    * What is there even for web HTTP/websockets applications?
    * Instrumentation at various levels of the stack
  * Different situations and their corresponding security best practices:
    * On my laptop
    * Dashboards (voila)
    * Multi-user w/JupyterHub etc
  * OWASP: https://owasp.org/
  * What is the calendar and schedule?
    * Summit Tuesday, Wednesday, Thursday; plenaries Wednesday
    * From the TrustedCI perspective, things still in flux, more content than previously thought
    * Possibility that we wind up on Friday, or Monday

## March 21, 2023

| Name | affiliation | username |
| ------------------- | ----------- | ----------------- |
| Rick Wagner | UCSD | @rpwagner |
| Matthias Bussonnier | Quansight | @Carreau |
| Jason Grout | Databricks | @jasongrout |
| Rollin Thomas | NERSC | @rcthomas |

* Maybe use the JupyterCon room during the setup day for SSC/EC meeting.
* Joe Lucas will be driving, but will try to call in
* [TrustedCI Summit and Workshop in October 24-26](https://www.trustedci.org/2023-cybersecurity-summit) at LBNL
  * Recap:
    * Met w/Deputy Director of TrustedCI, Sean Peisert, on possibility to have Jupyter-related events at TrustedCI summit
    * First day is half-day, full day workshop/tutorial type things
    * Then main summit content, 3 days
    * Then last day has more workshop type things
    * Time is good for some kind of Jupyter security get-together
  * Suggested plan is something on
    * Reviving the Jupyter security training done at PEARC etc for first day
    * Then Jupyter security workshop on the last day
  * Having a story by the time of JupyterCon would be good
  * Enabling folks coming for Jupyter content maybe also to go to the TrustedCI summit itself
    * Contributions of travel/registration funding from other sources to enable this, e.g. Anaconda
  * Example: Zeek (intrusion detection) + Jupyter conversation, connecting Jupyter + security community
    * Do we have a way for people from either side to participate in the other?
  * Longer term topic, relationship is workshop/tutorials angle:
    * JupyterCon 2024
      * Expanding to 5 days, having workshops and tutorials as part of that?
      * This year it's 3 days because that's what we could get.
      * Depends on budget outcome of 2023
    * For this JupyterCon (2023):
      * May be possible to have some space/time for talking security/building momentum for the TrustedCI
      * There's an existing tutorial room possibly on Wednesday for a day... could use that?
      * Yes for some structured discussion (more than a BoF, less than a tutorial/workshop)?
      * Have the security training in shape by then?
      * Seems tempting to Rick since he has such positive feedback from the Jupyter community
      * Rick favors Wednesday morning 2.5h
      * => Folks need to respond to the doodle poll (first dates as early as tomorrow or next week)
* An async update about bug bounty:
  * JupyterHub, JupyterLab, and Jupyter Server accepted
  * Jason to send email to those not accepted letting them know
  * Jason to send a scheduling email
* Interaction with Tidelift from Matthias
  * What Tidelift brings us
  * How money is handled

## March 7, 2023

| Name | affiliation | username |
| ------------------- | ----------- | ----------------- |
| Jason Weill | AWS | @JasonWeill |
| Joe Lucas | NVIDIA | @josephtlucas |
| Rollin Thomas | NERSC | @rcthomas |
| Jason Grout | Databricks | @jasongrout |
| Rick Wagner | UCSD | @rpwagner |

* Jason W: Add Joe Lucas to Security Council (https://github.com/jupyter/security/pull/56) — also added to Google Group
* Rollin: TrustedCI Summit October 2023, opportunity for Jupyter security training and workshop
  * Met with the 2 leads from [TrustedCI](https://www.trustedci.org/about) (NSF Center of Excellence for Cybersecurity)
    * Supports major NSF facilities that deploy infrastructure for research
    * TrustedCI hosts an annual cybersecurity summit
    * E.g. a few years ago, Rick and Matthias gave a security training on Jupyter there
  * Discussion was some kind of Jupyter-focused workshop/activity at the 2023 event (October)
    * Could be an opportunity to update the Jupyter security training tutorial (1/2 day)
      * Rick would update this; he also gave the same tutorial at the same conference before with Matthias
      * Rick will get started on this sooner rather than later
    * Then, a 1/2 day or full day Jupyter security workshop
      * Potential for overlap with some other cohosted workshops
      * E.g. [Zeek](https://zeek.org/) workshop: Monitoring and instrumenting Jupyter to work w/Zeek?
  * Questions:
    * Is the security council broadly in favor of pursuing a workshop? **Answer: Yes**
    * Participants (Berkeley location is "central")?
    * What gaps are there in funding for the logistics?
    * When is TrustedCI going to put up website, etc? => sooner helps people get approvals
    * Industry partners (Anaconda, AWS, NVIDIA, ...): 2 for 1? Send a person and seed a scholarship?
* Jason G: Intigriti
  * Had meeting w/Charlotte De Vleeschouwer, Customer Success Manager, on Feb. 23
  * Discussed scope of the program
    * Scope was larger than Intigriti expected
    * Wanted to start with jupyter-server, JupyterLab, JupyterHub
    * Start small and iterate
    * Enlarge scope a little more if that works
  * Program created, three groups
    * One for each w/a contact
    * Each group can have multiple packages
  * Wants another call w/POCs for each to kick off
  * Jason to close the loop w/other projects that won't be included in first round and help set up this kickoff meeting
* Rick: What do we want people looking at?
  * Example: Recent git CLI vulnerabilities
    * Git is provided in Docker images
    * Should we have advised people to ensure Git was updated?
    * Not Jupyter-specific code, but part of the "packaging"
    * Should that figure into the vulnerability reporting process?
  * With respect to conda and PyPI, what is the dependency chain?
  * What other repos are important?
    * Install instructions based on meta-packages or "top" packages that get installed?
    * Older packages and repos? Maybe recommend dependabot is working for all these
    * What leverages GitHub automation to get a handle on all the packages?
  * Next policy recommendation would be something like:
    * Be running dependabot wherever we can
    * Here is the list of packages of greatest concern/interest
    * Node-based stuff?
      * Do the npm repos have 2FA, etc.
      * PyPI likewise
  * Security sprints?
    * Maybe start with dependency graphing
  * Example open source vuln management policies
    * https://github.com/ossf/oss-vulnerability-guide
    * https://about.gitlab.com/handbook/security/security-engineering/application-security/vulnerability-management.html

## February 14, 2023

| Name | affiliation | username |
| ------------------- | ----------- | ----------------- |
| Rick Wagner | UCSD | @rpwagner |
| Jason Weill | AWS | @JasonWeill |
| Joe Lucas | NVIDIA | @josephtlucas |
| Sritej Attaluri | Bloomberg | @attaluris |
| Rollin Thomas | NERSC | @rcthomas |

* Email thread about "country of origin" for Jupyter QtConsole
* SSC convergence, reporting structure
  * Review of JEPs to get quality software to community
  * EC wants to push day-to-day down to SSC
  * SSC will have regular meetings and office hours
  * Conversation about scope to be had w/SSC
    * Production stuff
    * But also experimental stuff
    * Critical components
* More functional vulnerability process
  * Come up with a strawperson proposal
  * Socialize within SSC and then office hours
  * Want input from other subprojects
  * Single org?
  * Plan: Work on this in 2 weeks
* Meeting times, proposed change:
  * 1st and 3rd Tuesday starting in March
  * Allows Community meeting to take the 8AM slot
  * Jason W has updated this on Google Calendar: 2/28 meeting is cancelled, 3/7 is our next security meeting
  * Prevent collision with Jupyter Community Call
    * Next Jupyter Community Call is at 07:00 PST on Feb. 28; this can now be moved to 08:00 PST
    * Jupyter Community Call is always on the last Tuesday of the month
* Folks going to JupyterCon?
  * Rollin, maybe (approvals)
  * Jason W, possibly (depending on approval, budget)
  * Rick, if there's funding

## January 31, 2023

| Name | affiliation | username |
| ------------------- | ----------- | ----------------- |
| Rick Wagner | UCSD | @rpwagner |
| A. T. Darian | QuantStack | @afshin |
| Sritej Attaluri | Bloomberg | @attaluris |
| Piyush Jain | AWS | @3coins |
| Rollin Thomas | NERSC | @rcthomas |
| Joe Lucas | NVIDIA | @josephtlucas |

* EC and SSC meeting this Friday
* Conversation with TrustedCI / Workshop in October
  * Rollin and Rick will talk to TrustedCI about scope, logistics, etc
  * There may be good reasons for Jupyter community members to attend the TrustedCI summit generally
    * Software supply chain affects everyone
    * Security affects everyone
* Hello Joe Lucas
  * A JupyterLab extension to evaluate the security of your Jupyter environment
  * https://github.com/JosephTLucas/jupysec
* Bug bounty program questions for discussion
  * jupyterlab, jupyterlab-server and jupyter-server proposed so far w/contacts for each
  * Jason G. proposed to use the GitHub CVE process for reporting bugs. Is this the process that should be followed by the Intigriti team/bug reporters?
  * Is anyone familiar with Intigriti?
* Should we have security.jupyter.org (or sec.jupyter.org)?
  * Hub is moving forward on hub.jupyter.org as precedent
  * https://github.com/jupyterhub/team-compass/issues/444

## January 17, 2023

| Name | affiliation | username |
| ------------------- | ----------- | ----------------- |
| Jason Weill | AWS | @JasonWeill |
| Matthias Bussonnier | Quansight | @carreau |
| Rollin Thomas | NERSC | @rcthomas |
| Jason Grout | Databricks | @jasongrout |

- Security email addresses
  - ipython-security@groups.google.com — Google Group, limited membership.
    - This is a limited-membership list; if someone asks to be put on it, we do a cursory check that they are a real person and add them. It is mostly meant for advance warning that we are going to publish a release that fixes a CVE, and for minor security discussion.
    - 75 members now
  - security@ipython.org
    - This is a forwarding email maintained by XXXX that only allows up to 10 members; it is meant for security reports.
  - Action items:
    - Formalize policy around who gets on these lists
    - Maybe set up a new security@jupyter.org reporting email?
    - Widen the security@ipython.org receivers to spread the load
- Bug bounty recommendation (Intigriti, etc)
  - Jupyter as software may not be a good fit for Intigriti. What Intigriti is offering is that if you have a service you sell with an API, we ask our researchers to pentest your service. If it's software that you install on your machine, it doesn't really fit the Intigriti model, which seems to
  - What services do we actually run?
    - nbviewer - no authentication, purely displays content, so not really applicable
    - binder
  - A difficulty is that some people we are talking with are in the European Union, others are from Intigriti
  - Action item:
    - Jason G to email Intigriti, to confirm whether this is a good fit, based on previous conversations
    - If it is a good fit, Jason G to email SSC to see what subprojects are interested, then forward that on to Intigriti
- Recent reports
  - How do we manage security reports coming in?
  - Several options:
    - Security reports per subproject
    - Security reports in a centralized Project Jupyter repo
    - Security reports in a repo per subproject

## January 3, 2023

| Name | affiliation | username |
| ------------------- | ----------- | ----------------- |
| Jason Weill | AWS | @JasonWeill |
| Matthias Bussonnier | Quansight | @carreau |
| Rollin Thomas | NERSC | @rcthomas |
| Sritej Attaluri | Bloomberg | @attaluris |
| Rick Wagner | UCSD | @rpwagner |
| Jason Grout | Databricks | @jasongrout |

Note: Jason still works at AWS, but per corporate social media policy, I changed my GitHub username to not have `aws` in it anymore.

- Vulnerability reporting
  - We've turned on public reporting of vulnerabilities in IPython and [Jupyter Security](https://github.com/jupyter/security/security/advisories/new)
    - Workflow is: person submits a report, an admin accepts the report and creates a "draft"
    - Reports are per-repo. It doesn't seem like there is a way to consolidate at the org level
    - It appears that only admin permissions can see the draft vuln reports
  - How to track reports?
    - We can have a single place where reports are done, so the security team can track it and open appropriate reports in subprojects
    - We can have a per-repo or per-subproject place to report, with a reporting structure in place between projects to track vulnerabilities
    - This process decision should be made at the SSC level in cooperation with other subprojects
    - Even if we have per-subproject reporting, we can have a catch-all reporting place in jupyter/security
- SSC formation
  - SSC reps are known at this point, and need to self-organize at this point
  - EC meetings are on Monday. Perhaps the SSC members can be invited so we can all discuss how to launch these councils
  - https://deploy-preview-712--jupyter-github-io.netlify.app/ - preview of website update listing the SSC in the About page

## December 6, 2022

| Name | affiliation | username |
| ------------------- | ----------- | ----------------- |
| Jason Weill | AWS | @jweill-aws |
| Sritej Attaluri | Bloomberg | @attaluris |
| Rick Wagner | UCSD | @rpwagner |
| Rollin Thomas | NERSC | @rcthomas |
| Rosio Reyes | Anaconda | @RRosio |

- Triage
  - Email list status?
    - https://github.com/jupyter/security/issues/50
    - Appears to be a permissions issue with the ipython-security mailing list not accepting external messages (from non-group members)
  - Issues
    - Review request: https://github.com/jupyter/security/issues/49
      - Haven't done this review before, need to discuss process
      - nbclassic (jupyter-notebook subproject)
      - Confirm w/developers
      - Respond to reporter
      - Above could be shortened by ensuring developers are looped into sec reports
    - Can we document guidelines about when we do backports/sec updates for existing releases vs telling people to wait for the next major version?
- Funding & Involvement
  - Onboarding newcomers interested in helping with security
    - What steps are there?
    - Maybe fleshing out the README with onboarding details would be a good idea
  - Intigriti
  - PEARC23 CfP?
  - Thought:
    - Subprojects should have a designated security contact
    - Designated security contact is subscribed to appropriate mailing lists, etc

## November 8, 2022

| Name | affiliation | username |
| ------------------- | ----------- | ----------------- |
| Jason Weill | AWS | @jweill-aws |
| Matthias Bussonnier | QuanSight | @carreau |

- Blog post for 2FA
- Respond to [Intigriti](https://www.intigriti.com/)

## October 25, 2022

| Name | affiliation | username |
| ------------------- | ----------- | ----------------- |
| Rollin Thomas | NERSC | rcthomas |
| Jason Weill | AWS | @jweill-aws |

- Follow up with Intigriti in early November?

## October 11, 2022

| Name | affiliation | username |
| ------------------- | ----------- | ----------------- |
| Rick Wagner | UCSD | @rpwagner |
| Rollin | NERSC | @rcthomas |
| Matthias Bussonnier | QuanSight | @carreau |

- Meeting w/Intigriti
  - Customers
  - Researchers
  - How is Intigriti interfacing with Jupyter?
  - 2 months ... trial period w/EC
  - Multiple programs, one from the EC.
  - Would Jupyter be a good fit?
  - What can be tested, will be tested, will determine if we can be tested.
  - Sounds like issues identified external to the researchers they fund are not covered.
  - Cross communication between researchers
  - Would need to be a bit organized on putting out CVE publications
- Post meeting
  - Rick's suggestion
    - Start small with a set of limited repos that are released
    - Communicates what key initial packages are
  - Matthias suggests
    - to scope even further to types of vulnerabilities and specific packages
    - furthermore, might be too vague

## September 27, 2022

| Name | affiliation | username |
| ------------------- | ----------- | ----------------- |
| Rick Wagner | UCSD | @rpwagner |
| Jason Weill | AWS | @jweill-aws |
| Rollin | NERSC | @rcthomas |

- [Security roadmap](https://github.com/rpwagner/security/blob/roadmap/docs/roadmap.md)
- 2FA: Needs to be enabled in JupyterLab
- Security workshop

## September 13, 2022

| Name | affiliation | username |
| ------------------- | ----------- | ----------------- |
| Rick Wagner | UCSD | @rpwagner |
| Jason Weill | AWS | @jweill-aws |
| Matthias Bussonnier | QuanSight | @carreau |
| Rollin | NERSC | @rcthomas |

- Security questionnaire
  - Establish process for how to answer a security questionnaire from a potential user (e.g., FSRA Ontario)
  - Matthias to attend NumFOCUS summit next week; can discuss security questions there
- Software Steering Council (SSC) rep
  - We need to name and submit an SSC rep by October 3
  - Update our team-compass
  - Rick W to serve for one year
- 2FA
  - Should be enforced in JupyterLab by our next meeting (Sep 27)
  - Jason W to bring up at JupyterLab meeting tomorrow

## August 30, 2022

| Name | affiliation | username |
| ------------------- | ----------- | ----------------- |
| Jason Weill | AWS | @jweill-aws |
| Matthias Bussonnier | QuanSight | @carreau |
| Rollin Thomas | NERSC | @rcthomas |
| Rick Wagner | UCSD | @rpwagner |
| Maxime Jublou | naas.ai | @Dr0p42 |
| Isabela Presedo-Floyd | Quansight Labs | @isabela-pf |

- Bootstrapping official council — Jason W
  - See docs: https://github.com/jupyter/governance/blob/master/bootstrapping_decision_making.md
  - We should have a list of members provided for Jupyter governance within the next month (see [Google Sheet](https://docs.google.com/spreadsheets/d/1RdqRp1CIM9t-sy8xz9f_tu6BFfmrzwCM663d2p4e99U/edit#gid=1859802494))
  - We also need to select one member to represent us at the Software Steering Council (SSC)
  - Action item: We will nominate our SSC rep at our next meeting, on Sep 13
- 2FA follow-up (due Oct 1)
  - For future, push 2FA outward toward scientific python stack, etc
  - Periodic review to ensure it doesn't get disabled, new projects have it turned on

## August 16, 2022

| Name | affiliation | username |
| ------------------- | ----------- | ----------------- |
| Rollin | NERSC | @rcthomas |
| Matthias | Quansight | @Carreau |
| Jason Weill | AWS | @jweill-aws |
| Charlie Bedard | | |
| Munawar Hafiz | OpenRefactory | |

- 2FA progress
  - Proceeding OK
  - Minor issue with some cartoonist
  - Cal Poly interns
    - Brian OK with removing them
    - But he needs to do it to be sure who's an intern
    - **Jason** is pinging Brian to do that
    - We could get a list and check across all orgs
  - **Matthias**: Tweeting about orgs that have 2FA turned on
  - Aside: Should we get the Jupyter Twitter account verified?
    - Pain, requires fixing Wikipedia entries
    - There are more important things maybe
  - Aside++: Trademark problem with another Jupyter?
- Matthias was talking to the Jupyter Trademark Committee - They should follow up with NumFocus probably - OpenRefactory update - pypi.openrefactory.com - This has filtering, not everything - POC, scans ~100 repos from PyPI, some top projects - Collaboration done with OpenSSF - Alpha-Omega project - Critical OS repos to secure - Identifying partners (devs/vendors) - Will staff people to do mitigations - Developers have gone through some repos and filed bugs - Some are actual vulnerabilities in process of mitigation - Feedback, thinking about people with 10000 dependencies: - Don't want certain reports (volume) - Want only new vulnerabilities and issues - Scale is difficult - Sample project: Ansible (RedHat) - Identified ~200 - Zeroed in on the most important ones w/OpenSSF - OpenSSF did the filtering: e.g. injection etc - 40 of interest - Next step - For Jupyter - Shared some initial reports - Want a more formal engagement - Want developers to use the product - How many repos? - Possible engagement models: - Integration/installation to pipelines for critical projects (would need triage), license in CI/CD pipelines - They could use one of their cloud machines, Jupyter devs could come run interactively on demand - Would allow developers to see more issues than at pypi.openrefactory.com - Could be "jupyter.openrefactory.com", they do the scan and share results - Feedback from Jupyter sec: - Would like to try it on the most active repo - Get user and dev feedback from a lot of people - UI, feedback on false positives, etc - jupyter-server or JupyterHub? - Jason has notebooks that monitors activity across the project - OpenRefactory: Add JupyterHub to pypi.openrefactory.com - The page there is really good publicity and Jupyter depends on those other projects too - Suggest not to add another domain just for Jupyter - Ask JupyterHub developers to take a look and give feedback - Expand to other projects? 
- UI feedback, on each project's individual page: - When were the scans done? - What commit hash? - Milestone? - Get report out, try to fix some issues - Work together to publish (or dual publication) on Jupyter Blog about experience - Invite folks to sec meeting, point folks to OpenRefactory tool to try it - Items for discussion outlined last time: - Can we automatically crawl developer accounts for signs of inactivity - Reproducible package builds - Migrating to PyPI deploy tokens - Will be some coding - Lots of assumptions like one user one password - Static analysis and source vulnerability scanning -
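The 2FA items above (the "periodic review to ensure it doesn't get disabled, new projects have it turned on" follow-up, and "we could get a list and check across all orgs") can be turned into a small audit. Below is an added example, not code from these notes or from any Jupyter project: it reads the `two_factor_requirement_enabled` field that GitHub's `GET /orgs/{org}` endpoint returns to organization owners (the field is `null` for callers who are not owners) and lists every org that is not confirmed to enforce 2FA. The org names and API responses in `SAMPLE_ORGS` are constructed; `fetch_org` and `audit_orgs` are hypothetical helper names, and the live path is only used when a token is supplied.

```python
import json
import os
import urllib.request

# Constructed sample of the relevant fields from GitHub's `GET /orgs/{org}`
# response. Org names and values are made up for this example.
SAMPLE_ORGS = [
    {"login": "example-org-a", "two_factor_requirement_enabled": True},
    {"login": "example-org-b", "two_factor_requirement_enabled": False},
    # None is what a non-owner caller sees; the audit must not treat it as "enforced".
    {"login": "example-org-c", "two_factor_requirement_enabled": None},
]


def orgs_without_2fa_enforcement(orgs):
    """Return the logins of orgs where 2FA enforcement is not confirmed.

    Anything other than an explicit True is reported, so a missing field or a
    null (insufficient permission to read the setting) shows up as a finding
    instead of silently passing the periodic review.
    """
    return sorted(
        org["login"]
        for org in orgs
        if org.get("two_factor_requirement_enabled") is not True
    )


def fetch_org(login, token):
    """Fetch one org record from the GitHub REST API (hypothetical helper)."""
    request = urllib.request.Request(
        f"https://api.github.com/orgs/{login}",
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
        },
    )
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)


def audit_orgs(logins, token):
    """Live variant of the check: fetch each org, then apply the same rule."""
    return orgs_without_2fa_enforcement([fetch_org(login, token) for login in logins])


if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    orgs_to_check = os.environ.get("ORGS", "").split(",")
    if token and orgs_to_check != [""]:
        findings = audit_orgs(orgs_to_check, token)
    else:
        # Offline run on the constructed sample data.
        findings = orgs_without_2fa_enforcement(SAMPLE_ORGS)
    for login in findings:
        print(f"2FA enforcement not confirmed for org: {login}")
```

Run it on a schedule (a CI cron job is enough) with an owner-scoped token for each org the project maintains; a non-empty result is the signal that the setting was switched off or that a newly created org never had it turned on.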