# Jupyter Security Bi-weekly Meeting
Zoom: https://ucsd.zoom.us/j/99742018697
## April 16th, 2024
| Name | affiliation | username |
| --------------------| ------------|--------------|
| Matthias Bussonnier | Quansight | @carreau |
| Rick Wagner | UCSD | @rpwagner |
| Joe Lucas | NVIDIA | @josephtlucas |
| Rosio Reyes | Anaconda | @RRosio |
- How do we manage security managers?
- Reviewing https://github.com/jupyter/security/issues/76
- Rick shares: https://github.com/ossf/oss-vulnerability-guide/blob/main/maintainer-guide.md
- Rick shares: Jupyter Security Strategic Plan
## April 2nd, 2024
| Name | affiliation| username |
| --------------------| -----------|--------------|
| Matthias Bussonnier | Quansight | @carreau |
| Rick Wagner | UCSD | @rpwagner |
| R Ely | Bloomberg | @ohrely |
| Rosio Reyes | Anaconda | @RRosio |
Review orgs where we do/do not have ability to open GitHub advisory.
Ely: Jupyter Open Studio Day NYC Monday April 29 [Registration link](https://go.bloomberg.com/attend/invite/jupyter-open-studio-day-2024/)
Matthias: I'm in Seattle June 3-5, it's close, but not close enough I think for me to stay 2 weeks. –– Misread: I read end of May, so no, I can't come for just a day.
## March 19th, 2024
| Name | affiliation| username |
| -------------------| -----------|--------------|
| Matthias Bussonnier| Quansight | @carreau |
- 4 minutes past the top of the hour: only 1 person in the meeting. I'm going to guess something went wrong with the daylight saving time change last week, and calendars don't match up. The meeting is 1h earlier than usual for me, so I guess it should not have changed time for attendees in the US. I'll try to be present in 1h just in case.
## March 5th, 2024
| Name | affiliation| username |
| -------------------| -----------|--------------|
| Matthias Bussonnier| Quansight | @carreau |
| Rosio Reyes | Anaconda | @RRosio |
Rick cannot make it, and so far there are only Matthias and Rosio, so we may just cancel if nobody joins at 10 min past.
## Feb 20th, 2024
| Name | affiliation | username |
| ------------------- | ----------- | ------------- |
| Joe Lucas | NVIDIA | @josephtlucas |
| Rick Wagner | UCSD | @rpwagner |
| Matthias Bussonnier | Quansight | @carreau |
| Mike Krassowski | Quansight | @krassowski |
| David Qiu | AWS | @dlqqq |
[Jupyter Security Ops](https://hackmd.io/kjwZRMUxSDSl90loO2Md-A)
## Feb 6th, 2024
| Name | affiliation| username |
| -------------------| -----------|--------------|
| Joe Lucas | NVIDIA | @josephtlucas|
| Rick Wagner | UCSD | @rpwagner |
| David Qiu | AWS | @dlqqq |
| Rollin Thomas | NERSC | @rcthomas |
Agenda:
- (Joe) NumFOCUS Security Survey
- (Joe) Proposal: draft a Jupyter[Lab/Hub] incident response runbook. For IT departments, if they think there's a security issue with their deployment, what artifacts should they preserve for digital forensics? Where should they look for indicators of compromise?
- (Rollin) Downstream project notifications?
- (David) Maybe build a tool that maintains a security group across multiple orgs?
- (Joe) Maybe implement this as a GitHub action
- The group will use the stock "security manager" role: https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/managing-security-managers-in-your-organization
- Initial security goals for the strategic plan
- Define the scope of security within Project Jupyter
- Project Jupyter GitHub repos in scope should use the [Open Source Security Foundation (OpenSSF) Best Practices badge](https://www.bestpractices.dev/)
- Adopt the [Concise Guide for Developing More Secure Software](https://best.openssf.org/Concise-Guide-for-Developing-More-Secure-Software) as a base set of practices for all Jupyter Subprojects
- Publish documentation on Project Jupyter security using the questions in the [Concise Guide for Evaluating Open Source Software](https://best.openssf.org/Concise-Guide-for-Evaluating-Open-Source-Software) as a reference.
## Jan 16th, 2024
| Name | affiliation| username |
| -------------------| -----------|--------------|
| Joe Lucas | NVIDIA | @josephtlucas|
| Rick Wagner | UCSD | @rpwagner |
| Matthias Bussonnier| Quansight | @carreau |
| David Qiu | AWS | @dlqqq |
| Rosio Reyes | Anaconda | @RRosio |
| Rollin Thomas | NERSC | @rcthomas |
- Joe will try and call in from the road
Agenda:
- Deal with LSP security report and jupyter-lsp org.
- Received a security vuln for jupyter-lsp, but it's hosted on the jupyter-lsp GitHub org, which is not technically an official Jupyter org.
- https://github.com/jupyter-governance/ec-team-compass/issues/25
- David: Agree with Matthias here. Collaborated w/ him to write this issue.
- Jupyter + Zeek proposal
- Not progressing due to lack of cycles from collaborators
## Jan 2nd, 2024
| Name | affiliation| username |
| -------------------| -----------|--------------|
| Joe Lucas | NVIDIA | @josephtlucas|
| Rosio Reyes | Anaconda | @RRosio |
| Dor Sarig | Pillar Security ||
| Ziv | Pillar Security ||
- Rosio to continue working on threat modeling, but has priority conflicts currently.
- Dor/Ziv were following up on a vulnerability reported to security@ipython.org
## Dec 19th, 2023
| Name | affiliation| username |
| -------------------| -----------|--------------|
| David Qiu | AWS | @dlqqq |
| Rick Wagner | UCSD | @rpwagner |
- David: Rick proposed refining and outlining the existing security vulnerability process. It would involve a stakeholder from each subproject.
- I suggest that we also have a triage group for this to avoid generating noise. That is, if you receive a notification, it will be very likely that this vulnerability affects your project, and that this demands your attention.
- Rick suggests using GitHub's security vulnerability reporting process. We should investigate 1) when this sends notifications, and 2) who is notified in this process.
- I can help with another draft of the vulnerability reporting process.
- https://github.com/jupyter/security/blob/main/docs/vulnerability-handling.md
- Mike: https://github.com/jupyter/notebook/pull/7153/files
- Cross-linked in security repo: https://github.com/jupyter/security/issues/72
- David: I agree that GH Actions are sort of dangerous by default. But the real problem isn't that we need to hashpin, but that I'm not aware of any tool that helps with this.
- Mike: Perhaps we should invite https://github.com/diogoteles08 to one of our meetings in the future.
- David: I agree with this; let's build a bridge if possible.
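A minimal check for the hash-pinning question raised above, added here as an example; it is not code from the Jupyter project or the jupyter/security repo. The workflow it scans is a constructed sample, and the action names and the 40-character SHA in it are placeholders for illustration, not pins to copy.

```python
"""Report GitHub Actions in a workflow that are not pinned to a full commit SHA.

Added example, not Jupyter project code. The sample workflow below is
constructed; its action names and the SHA are placeholders.
"""
import re

# A full SHA-1 commit id is exactly 40 hex characters; anything shorter
# (a tag, a branch, or an abbreviated SHA) is a mutable or ambiguous reference.
SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")
# Matches `uses: <value>` on a step line (with or without a leading "- "),
# tolerating quotes and stopping before a trailing "# v1.2.3" comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?")

SAMPLE_WORKFLOW = """\
name: release
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
      - uses: ./.github/actions/local-build
      - uses: docker://python:3.12
      - name: publish
        uses: pypa/gh-action-pypi-publish@release/v1
"""


def classify(ref_spec):
    """Return (reference, status) for one `uses:` value.

    status is 'pinned', 'unpinned', 'local' (./path, lives in this repo)
    or 'docker' (image refs are pinned by digest, not by commit SHA).
    """
    if ref_spec.startswith("./"):
        return ref_spec, "local"
    if ref_spec.startswith("docker://"):
        return ref_spec, "docker"
    if "@" not in ref_spec:
        # No ref at all resolves to the default branch: the weakest possible pin.
        return ref_spec, "unpinned"
    _, ref = ref_spec.rsplit("@", 1)
    return ref_spec, ("pinned" if SHA_RE.match(ref) else "unpinned")


def find_unpinned(workflow_text):
    """Return the `uses:` references that are not pinned to a 40-hex commit SHA.

    Local (./) and docker:// references are skipped.
    """
    unpinned = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref_spec, status = classify(m.group(1))
        if status == "unpinned":
            unpinned.append(ref_spec)
    return unpinned


if __name__ == "__main__":
    for ref in find_unpinned(SAMPLE_WORKFLOW):
        print("not pinned to a commit SHA:", ref)
```

Tags and branches such as `v4` or `release/v1` are mutable: whoever controls (or compromises) the upstream repository can point them at different code, while a commit SHA names one immutable tree. The trailing `# v5.0.0` comment is the convention Dependabot understands, so pinned actions can still receive version bumps. `docker://` references are skipped here and should be pinned by image digest instead.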
## Dec 5th, 2023
| Name | affiliation| username |
| -------------------| -----------|--------------|
| Matthias Bussonnier| Quansight | @Carreau |
| Joe Lucas | NVIDIA | @josephtlucas|
| Rosio Reyes | Anaconda | @RRosio |
| Rick Wagner | UCSD | @rpwagner |
| David Qiu | AWS | @dlqqq |
| Rollin Thomas | NERSC | @rcthomas |
The amount of money in the Tidelift account for Jupyter is close to ~7900 USD. Some funds were used to reimburse travel expenses to the NSF security summit.
Some people were sick in the previous week.
NumFOCUS Security Council slowly progressing with a data-backed process.
- Juanita in contact with Open SSF.
- Writing Guides
- Credentials;
- Matthias: https://github.com/scientific-python/specs/pull/168#pullrequestreview-1557436109
- David: Quick update on the labextension documentation that Rick had requested. Hoping to start on this sometime this week, should have something ready by the end of the month. Rather busy right now.
- Matthias, Tidelift: https://github.com/jupyterlab/team-compass/discussions/224
- David: I'll bring this up in the JupyterLab call tomorrow.
- [ ] TODO: Matthias said he would reach out to NF with a list of requests for HECVAT and similar, but forgot.
## November 21, 2023
| Name | affiliation| username |
| -------------------| -----------|--------------|
| Matthias Bussonnier| Quansight | @Carreau |
| Joe Lucas | NVIDIA | @josephtlucas|
| Rosio Reyes | Anaconda | @RRosio |
Tasks:
- [ ] Reply to "Pilot: Security Committee Introduction and Survey" and fill in the form.
- Where: [`jovyan` Zoom](https://ucsd.zoom.us/j/99742018697)
## November 7, 2023
| Name | affiliation| username |
| -------------------| -----------|--------------|
| Rick Wagner | UCSD | @rpwagner |
| Joe Lucas | NVIDIA | @josephtlucas|
| Rosio Reyes | Anaconda | @RRosio |
| Matthias Bussonnier| Quansight | @Carreau |
| David Qiu | AWS | @dlqqq |
| Rollin Thomas | NERSC | @rcthomas |
- Security reports directly on Jupyter/Security
- HECVAT and similar reports:
- See https://github.com/jupyter/jupyter.github.io/pull/743/files#commit-suggestions
- URL: https://library.educause.edu/resources/2020/4/higher-education-community-vendor-assessment-toolkit
- Attorneys at the NSF summit
- who is the legal entity, do they have attorneys.
- Have both an FAQ, and a Document (pdf) signed by numfocus.
- Opened an [issue (docs-team-compass#22)](https://github.com/jupyter/docs-team-compass/issues/22) for security documentation in the Documentation repo
- David to contribute JupyterLab documentation on developing JupyterLab extensions.
- David: I can get started on this in a few weeks, with a draft PR by early December.
- Security documentation to be added to jupyter.org/security
- Source: https://github.com/jupyter/jupyter.github.io
- Can we have exclusive permissions to edit the "Security" page?
- David's proposed process: we open changes as a draft PR, get feedback from everybody in security, then open for review and ping somebody to merge the PR
Matthias suggests a small read for later: http://thecodelesscode.com/case/215
## October 17, 2023
| Name | affiliation| username |
| -------------------| -----------|-------------|
| Rick Wagner | UCSD | @rpwagner |
| Jason Weill | @AWS | @JasonWeill |
| Joe Lucas | NVIDIA | @josephtlucas|
| Rollin Thomas | NERSC | @rcthomas |
| Rosio Reyes | Anaconda | @RRosio |
* Review vulnerability handling process.
* [Workshop agenda](https://docs.google.com/document/d/1hl1qe72s1CZc7Z3QOh1apANRi--qkupcnWEyH4VNOiQ/edit?usp=sharing)
* Jupyter maintainer lost devices. Process to remove all access?
* I (matthias) re-asked to decrease the number of GitHub orgs: [executive-council-team-compass#12](https://github.com/jupyter/executive-council-team-compass/issues/12)
FYI WRT security, Matthias suggested a change to a handler in Jupyter Server.
- [jupyter-server/jupyter_server#1332](https://github.com/jupyter-server/jupyter_server/pull/1332)
David not able to attend the community survey this Thursday due to a personal conflict
Charlotte requests that we close accepted submissions in the bug bounty program
* Rick to capture information from submissions, then close
[Trusted CI engagement documentation](https://github.com/jupyter/security/tree/main/docs)
Please add David Qiu to the Jupyter Security (ipython-security) mailing list
* Done (Rick, 10/17/23)
## October 3, 2023
| Name | affiliation| username |
| -------------------| -----------|-------------|
| Matthias Bussonnier| Quansight | @Carreau |
| Rick Wagner | UCSD | @rpwagner |
| Jason Weill | @AWS | @JasonWeill |
| David Qiu | @AWS | @dlqqq |
| Rollin Thomas | NERSC | @rcthomas |
| Rosio Reyes | Anaconda | @RRosio |
Agenda:
* Email from the Community Building Group:
- Process to source input from subprojects to identify areas where help is needed to maintain a robust community. Identify community building practices. There are interview scripts, and an invitation to join calls on Thursday.
- Some of us are going to attend on October 19th.
* We now have a Jupyter Security Sandbox environment.
* It will likely be used for the Jupyter/Zeek workshop on October 23rd
* The NSF has a program called [CloudBank](https://www.cloudbank.org/). Targeted for cyberinfrastructure and data science, but also grants for training activities.
* It does allow federated logging.
* currently $2k
* Suggest to have this as public information,
* And let the SSC know.
* See https://github.com/jupyter/executive-council-team-compass/issues/13
Sorry I think I ended the meeting for all... not sure how as I should not have been admin ...
## September 19, 2023
| Name | affiliation | username |
| -------------------| ------------|--------------|
| Matthias Bussonnier| Quansight | @Carreau |
| Joe Lucas | NVIDIA | @josephtlucas|
| Rick Wagner | UCSD | @rpwagner |
| Jason Weill | @AWS | @JasonWeill |
| Rosio Reyes | Anaconda | @RRosio |
* Matthias may see if Juanita can attend the TrustedCI workshop
* She says yes, she is interested; she lives in Santa Cruz, can drive, and can figure out lodging. Just need to get her a ticket.
* Rosio wants to learn more about vulnerability reporting/handling process
* Issue opened up a couple of weeks ago when someone wants to report a vuln
* Revised TrustedCI blog post
* Intigriti
* Will probably close it out with a blog post
* With a quote from Charlotte (Jason W to follow up w/Charlotte)
* Should we involve NF ?
## September 5, 2023
| Name | affiliation | username |
| -------------------| ---------------|---------------|
| Matthias Bussonnier| Quansight | @Carreau |
| Jason Weill | @AWS | @JasonWeill |
| Joe Lucas | NVIDIA | @josephtlucas |
| Rick Wagner | UCSD | @rpwagner |
| Rollin Thomas | NERSC | @rcthomas |
* TrustedCI Summit Plans
* Jupyter security tutorial, Monday, October 23
* Jupyter network monitoring workshop, Tuesday, October 24
6 out of 13 vulns accepted on Intigriti. Small to large.
Should we say how much it cost? Would other Bug Bounty
- Should there be a NumFOCUS bug bounty program?
- $14000 left in the project
- Foobar 7/13
## Tidelift Money
| Date | Project | Amount (USD) |
|------|---------|-------------:|
| 10/06/22 | conda/ipython | 250.00 |
| 10/06/22 | pypi/ipython | 250.00 |
| 10/06/22 | conda/traitlets | 250.00 |
| 10/06/22 | pypi/traitlets | 100.00 |
| 12/21/22 | Tidelift Payout Nov & Dec 2022 (iPython) | 1,000.00 |
| 12/21/22 | Tidelift Payout Nov & Dec 2022 (Traitlets) | 700.00 |
| 3/08/2023 | Traitlets February 2023 | 350.00 |
| 3/08/2023 | iPython February 2023 | 500.00 |
| 3/08/2023 | Traitlets January 2023 | 350.00 |
| 3/08/2023 | iPython January 2023 | 500.00 |
| 4/21/2023 | Traitlets March 2023 | 350.00 |
| 4/21/2023 | iPython March 2023 | 500.00 |
| 5/15/2023 | Traitlets April 2023 | 350.00 |
| 5/15/2023 | iPython April 2023 | 500.00 |
| 6/13/2023 | iPython May 2023 | 500.00 |
| 6/13/2023 | Traitlets May 2023 | 350.00 |
| | **Total** | 6,800.00 |
## August 15, 2023
| Name | affiliation | username |
| -------------------| ---------------|------------------|
| Matthias Bussonnier| Quansight | @Carreau |
| Jason Weill | @AWS | @JasonWeill |
| Joe Lucas | NVIDIA | @josephtlucas |
| Michał Krassowski | Quansight | @krassowski |
| Eric Gentry | Anaconda | @ericsnekbytes |
* Intigriti – Some security bugs, and a few difficulties syncing with GitHub
* How to increase email volume?
* Permissions not synced across GitHub organizations (requires GH Enterprise?)
* How can we handle this better.
* Mike pointed out security managers:
  - https://docs.github.com/en/rest/orgs/security-managers?apiVersion=2022-11-28
  - https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/managing-security-managers-in-your-organization
  - https://github.blog/changelog/2021-10-21-introducing-the-organization-level-security-manager-role/
* Matthias opened an issue about it : https://github.com/jupyter/security/issues/68
* Numfocus tidelift money
* Still waiting to make sure we do receive it and have regular updates on the amount.
* Numfocus summit in amsterdam
* speak about security.
* confusion between security@ipython.org and ipython-security@googlegroup.com
* Turn on moderation ?
* Seems we have agreement.
## August 1, 2023
| Name | affiliation | username |
| -------------------| ---------------|------------------|
| Rollin Thomas | NERSC | @rcthomas |
| Jason Weill | @AWS | @JasonWeill |
| Rick Wagner | UCSD | @rpwagner |
* Joe has conflict today (final sync before BlackHatUSA)
* PEARC debrief by Rick
* Not too much Jupyter discussion / talks
* Saw poster by Mike Milligan
* Not too much security-related stuff
* Would like to see more NSF sec involvement
* Security workshop planning
* AI... do users know what they're doing?
* ... do we know what they're doing?
* Promotion of bug bounty
* Bots? Some generic-looking submissions
* Discourse, Twitter (still), LinkedIn
* Summary for Community Building Working Group
* Activities accepted
* Rick plans to prepare request
## July 18, 2023
| Name | affiliation | username |
| -------------------| ---------------|------------------|
| Jason Weill | @AWS | @JasonWeill |
| Joe Lucas | NVIDIA | @josephtlucas |
| Rick Wagner | UCSD | @rpwagner |
| Rollin Thomas | NERSC | @rcthomas |
| Matthias Bussonnier| Quansight | @carreau |
Workshop planning for october.
Mostly Jupyter focused, but having other projects participate would be great.
## July 11, 2023
| Name | affiliation | username |
| -------------------| ---------------|------------------|
| Jason Weill | @AWS | @JasonWeill |
| Rollin Thomas | NERSC | @rcthomas |
| Rick Wagner | UCSD | @rpwagner |
* Joe has a conflict (will read over the notes later today for any action items)
## June 20, 2023
| Name | affiliation | username |
| -------------------| ---------------|------------------|
| Rick Wagner | UCSD | @rpwagner |
| Jason Weill | @AWS | @JasonWeill |
| Joe Lucas | NVIDIA | @josephtlucas |
| Matthias Bussonnier| Quansight | @carreau |
* Zeek submissions complete
* Rick: Maybe we define some canonical deployment scenarios (on the desktop, JupyterLab on a server, Hub, Zero to JupyterHub)
* Jason: Is jupyter.org being updated? If so, maybe we use this to update the [security page](https://jupyter.org/security)
* Produce resources for the NSF summit and post to the website
* Jason: Anna and Steven putting together a policy for posting to official social media
* How do we follow what EC and SSC are doing?
* nontransparent
* Zoom conflict with other Jupyter committees again.
* Matthias recommends restructuring governance page to make meeting notes and schedules more discoverable
* Intigriti
* Will finish draft and get to the Jupyter projects for review this week
* OpenSSF
* Should we be involved at the free tier?
* https://ostif.org/ contacted NumFOCUS about a completing a Pandas audit. Might be a resource for us later.
Workshop TODOs:
- [ ] Marketing
- Twitter (some people have requested that it be deleted)
- Discourse
- We don't have Mastodon
- [ ] Making it an official community workshop (maybe ask Community Building Committee)
## June 13, 2023 (Zeek/TrustedCI Call)
| Name | affiliation | username |
| -------------------| ---------------|------------------|
| Rick Wagner | UCSD | @rpwagner |
| Jason Weill | @AWS | @JasonWeill |
| Joe Lucas | NVIDIA | @josephtlucas |
| Rollin Thomas | NERSC | @rcthomas |
| Aaron Scantlin | NERSC | |
| Fatema Bannat Wala | Zeek | |
| Christian Kreibich | Zeek | |
| James Marsteller | NSF | |
| Keith Lehigh | | |
* Zeek has been experimenting with OpenSSF tooling (CI, static code analysis)
* Historically approached network monitoring by protocol
* If you write the analyzer, you signature events
* Script writer taps into these logs
* People want to use this to identify applications
* What would it look like for Jupyter? what's encrypted?
* Could discuss / do during a working session:
* installations
* recorded network traffic
* what visibility exists today?
* what visibility could exist if there's further development?
* Jupyter should be able to build zeek instrumentation framework relatively independently
* Hackathon is feasible.
* If there's a range of familiarity with zeek, we could start with an "intro to zeek" talk leading into
* "what could be built"
* followed by "here's jupyter" (on the network)
* into hackathon
* Will be more productive if there's "homework"
* packet captures
* Instrumenting jupyter with agents may open up options
* Rick proposes:
* Zeek and Jupyter each have their own separate, independent "full day" (maybe monday?)
* but come together for a half-day collaboration on another day (maybe tuesday?)
* James and Christian agree
* Christian will work with Rick on the joint submission
* Submissions:
* Full day from jupyter security workshop
* Joint half day workshop from jupyter and zeek
* Zeek (intro + advanced)
* Room capacity in the 50-80 people range
* Christian wants to see our threat model
## June 6, 2023
| Name | affiliation | username |
| -------------------| ---------------|------------------|
| Matthias Bussonnier| Quansight | @carreau |
| Rick Wagner | UCSD | @rpwagner |
| Jason Weill | @AWS | @JasonWeill |
| Joe Lucas | NVIDIA | @josephtlucas |
| Rollin Thomas | NERSC | @rcthomas |
| Cory Sherman | U of Wisconsin |. |
* Thoughts from JupyterCon (10 minutes)
* Security tutorial
* Joe's excellent demo talk on security
* Have helpers do a time check
- 30 -> 15 -> 10: decreasing attendees.
- Notebook trust
- OAuth OIDC with Pyodide.
- Stack of the interpreter persistence state timeline?
* Asset inventory and documenting privileged accounts (30 minutes)
* Related topics:
* [Domain name management](https://github.com/jupyter/security/issues/64) for both `mybinder.org` and [`jupyter.org` subdomains](https://github.com/jupyter/enhancement-proposals/blob/master/jupyter-subdomain-for-schemas/proposal.md) (and ipython.org cf cve for mail?)
* [PyPI org](https://github.com/jupyter/security/issues/61#issuecomment-1526251886)
* Matthias: Multiple small issues with orgs that likely need to be resolved first.
* Suggested process (Rick):
* Draft asset table in private repo
* Host a series of short office hours and invite various subprojects, asset owners and managers to contribute
* Define who should have 1Password accounts to help be a known resource, designees from the Security Subproject, designees from the SSC or EC?
* Another world tour to share and encourage participation?
* Jupyter Security Community Meeting, **Oct 24-26** (10 minutes)
* [2023 NSF Cybersecurity Summit CFP](https://www.trustedci.org/2023-cfp) is out
* Email from Jim Marsteller:
* The deadline for submitting proposals is **Friday June 16, 2023.**
* We hope to have the Jupyter project participating at the summit this year.
* I believe a full day of training was discussed earlier with a possible collaboration with Zeek on interoperability between the two projects.
* I just sent a similar email to the Zeek folks to make them aware.
* Possibly straightforward to get a day
* Current schedule unclear (will it be Monday, Friday?)
* Hoping for a not Monday or Friday
* Proposal:
* Security workshop proposal from Rick independently
* For the summit itself or Jupyter workshop
* Who'd be at the summit anyway to draw in Jupyter folks?
* NSF encourages hybrid workshops
* "Workshop and training organizers may choose to offer either in-person or a hybrid model to include attendees joining remotely via Zoom. Workshop/training organizers are encouraged to offer hybrid sessions to maximize participation. This includes running the Zoom (e.g., monitoring the chat, unmuting remote participants, etc.). "
* ipython.org SPF vulnerability
- name.com points to DNS on Cloudflare. I modified ~all to -all; waiting for DNS to propagate.
- DNS has propagated for me.
* Other topics (10 minutes)
* Draft a security FAQ based on recent emails?
* Intigriti Bug Bounty: project descriptions need to be updated
* Follow up with Charlotte
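The `~all` to `-all` change noted above, as an added example of checking and hardening an SPF record. This is not code from the Jupyter project; the two records are constructed samples, not the real ipython.org record, and `_spf.example.net` and `192.0.2.0/24` are placeholder values.

```python
"""Parse an SPF TXT record and report how unlisted senders are treated.

Added example, not Jupyter project code. WEAK_SPF and STRICT_SPF are
constructed samples with placeholder include/ip4 values.
"""

# Qualifier prefixes defined by RFC 7208, section 4.6.2.
QUALIFIERS = {
    "+": "pass",      # explicit pass (also the default when no prefix is given)
    "-": "fail",      # hard fail: receivers should reject
    "~": "softfail",  # soft fail: receivers usually tag or quarantine, not reject
    "?": "neutral",   # no assertion, equivalent to having no record at all
}

WEAK_SPF = "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 ~all"    # constructed
STRICT_SPF = "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all"  # constructed


def parse_spf(record):
    """Split an SPF record into (qualifier_name, mechanism) pairs.

    Modifiers such as redirect= and exp= carry no qualifier and are returned
    as ("modifier", term). Raises ValueError for a non-SPF-v1 record.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF v1 record")
    parsed = []
    for term in terms[1:]:
        # name=value before any ':' is a modifier; mechanisms use name:value.
        if "=" in term and (":" not in term or term.index("=") < term.index(":")):
            parsed.append(("modifier", term))
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        parsed.append((QUALIFIERS[qualifier], term))
    return parsed


def all_policy(record):
    """Return the qualifier name applied to the catch-all 'all' mechanism.

    Returns None when the record has no 'all' term; a record that runs off the
    end without matching evaluates to neutral, so that is also a weak setting.
    """
    for qualifier, mechanism in parse_spf(record):
        if mechanism.lower() == "all":
            return qualifier
    return None


def is_hard_fail(record):
    """True only when senders not listed in the record are hard-failed (-all)."""
    return all_policy(record) == "fail"


def harden(record):
    """Return the record with its 'all' term rewritten to hard fail (-all)."""
    terms = record.split()
    for i, term in enumerate(terms):
        if term.lstrip("+-~?").lower() == "all":
            terms[i] = "-all"
    return " ".join(terms)


if __name__ == "__main__":
    for label, rec in (("weak", WEAK_SPF), ("strict", STRICT_SPF)):
        print(label, "->", all_policy(rec), "| hard fail:", is_hard_fail(rec))
    print(harden(WEAK_SPF))
```

With `~all`, mail spoofed from an unlisted host only soft-fails and most receivers deliver it with a mark, which is why a soft-fail record is reported as a spoofing weakness. Before switching a live domain to `-all`, confirm that every legitimate sending host (including any mailing-list or forwarding service such as Google Groups) is covered by an `include:` or `ip4:`/`ip6:` term, because receivers enforcing SPF will reject everything else.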
## May 2, 2023
| Name | affiliation| username |
| -------------------| -----------| -----------------|
| Jason Weill | AWS | @JasonWeill |
| Rick Wagner | UCSD | @rpwagner |
| Matthias Bussonnier| Quansight | @Carreau |
| Jason Grout | Databricks | @jasongrout |
| Rollin Thomas | NERSC | @rcthomas |
| Steve Silvester | MongoDB | @blink1073 |
* Joe Lucas OOTO for this meeting. See you in Paris.
* https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect
* PyPI Organizations ([ticket](https://github.com/jupyter/security/issues/61))
* Key: Delegation to subprojects and keeping subprojects from hitting barriers to prevent fracture?
* 4 teams set up as 1 per GitHub org plus JupyterHub
* Experiment: on JupyterLab made Frederic an owner, moved hatch-jupyter under that
* RBAC, OIDC could allow trusted publishers and bots go away
* PyPI vs GitHub
* Jupyter is subprojects in GitHub but not a perfect mapping
* PyPI packages are tied to repos, not GitHub orgs
* Flexibility in delegating who can manage releases, doesn't have to be SSC rep
* New feature: PyPI products can be linked to GitHub on PyPI `/manage/project/{repo}/settings/publishing`
* On GitHub required reviewers provide additional gating to publish
* Yanking from PyPI? Needs PyPI account?
* Who should be top-level owners? EC
* May be a good choice for now until an official delegation
* Q on asset inventory and privileged roles; is there an audit / sec team to be able to see into things?
* Rick doesn't want that at the moment
* Related: NPM provenance
* Security Subproject Update during SSC/EC meeting
* Intigriti Bug Bounty
* Vulnerability handling across projects
* 2FA requirement
* Security workshop
* Auditing privileged access for Jupyter assets (github orgs/repos, pypi, DNS, etc. See notes from last time)
## April 18, 2023
| Name | affiliation| username |
| -------------------| -----------| -----------------|
| Jason Weill | AWS | @JasonWeill |
| Joe Lucas | NVIDIA | @josephtlucas |
| Rick Wagner | UCSD | @rpwagner |
| Matthias Bussonnier| Quansight | @Carreau |
* Package Repositories (NPM, PyPI, docker, conda)
* What are the things that people from Jupyter manage?
* Who are the maintainers?
* Should we inventory these assets?
* Can this be scripted (along with who has access)?
* Draft Asset List (places important things are hosted, done, processed, etc.)
* Semi-prioritized
* Priority
* GitHub
* PyPI
* Conda
* NPM
* ReadTheDocs
* DockerHub
* Namecheap (DNS)
* jupyterlab.io (Google Domains)
* 1Password
* Next
* Twitter
* Facebook
* LinkedIn
* Mastodon
* CloudFlare
* Google Drive
* GMail
* Google Groups
* YouTube
* Zoom
* Discourse.jupyter.org (hosted by Discourse)
* nbviewer.org
* binderhub.org
* fast.ly (nbviewer.org)
* RackSpace (nbviewer.org, mail??)
* OpenCollective
* Medium (blog)
* Tidelift
* Gitter
* Next: Review access to priority assets, track in private repo
* Share list of assets with Governance
## April 4, 2023
| Name | affiliation| username |
| -------------------| -----------| -----------------|
| Jason Weill | AWS | @JasonWeill |
| Joe Lucas | NVIDIA | @josephtlucas |
| Rollin Thomas | NERSC | @rcthomas |
| Rick Wagner | UCSD | @rpwagner |
* Workshop:
* What do we want to get out of it?
* Should we require best practices of other Jupyter subprojects
* Would discussing this at the workshop be a good use of the opportunity?
* Socialize and get feedback on this
* Do the subprojects want guidance on this?
* Dependency analysis vs actual issues with Jupyter code?
* Logging and auditing w/Zeek?
* What is there even for web HTTP/websockets applications?
* Instrumentation at various levels of the stack
* Different situations and their corresponding security best practices:
* On my laptop
* Dashboards (voila)
* Multi-user w/JupyterHub etc
* OWASP: https://owasp.org/
* What is the calendar and schedule?
* Summit Tuesday, Wednesday, Thursday, plenaries Wednesday
* From the TrustedCI perspective, things still in flux, more content than previously thought
* Possibility that we wind up on Friday, or Monday
## March 21, 2023
| Name | affiliation| username |
| -------------------| -----------| -----------------|
| Rick Wagner | UCSD | @rpwagner |
| Matthias Bussonnier| Quansight | @Carreau |
| Jason Grout | Databricks | @jasongrout |
| Rollin Thomas | NERSC | @rcthomas |
* Maybe use the JupyterCon room during the setup day for SSC/EC meeting.
* Joe Lucas will be driving, but will try to call in
* [TrustedCI Summit and Workshop in October 24-26](https://www.trustedci.org/2023-cybersecurity-summit) at LBNL
* Recap:
* Met w/Deputy Director of TrustedCI, Sean Peisert, on possibility to have Jupyter-related events at TrustedCI summit
* First day is half-day, full day workshop/tutorial type things
* Then main summit content, 3 days
* Then last day has more workshop type things
* Time is good for some kind of Jupyter security get-together
* Suggested plan is something on
* Reviving the Jupyter security training done at PEARC etc for first day
* Then Jupyter security workshop on the last day
* Having a story by the time of JupyterCon would be good
* Enabling folks coming for Jupyter content maybe also to go to the TrustedCI summit itself
* Contributions of travel/registration funding from other sources to enable this, e.g. Anaconda
* Example: Zeek (intrusion detection) + Jupyter conversation, connecting Jupyter + security community
* Do we have a way for people from either side to participate in the other?
* Longer term topic, relationship is workshop/tutorials angle:
* JupyterCon 2024
* Expanding to 5 days, having workshops and tutorials as part of that?
* This year it's 3 days because that's the most we could get.
* Depends on budget outcome of 2023
* For this JupyterCon (2023):
* May be possible to have some space/time for talking security/building momentum for the TrustedCI
* There's an existing tutorial room possibly on Wednesday for a day... could use that?
* Yes for some structured discussion (more than a BoF, less than a tutorial/workshop)?
* Have the security training in shape by then?
* Seems tempting to Rick since he has such positive feedback from the Jupyter community
* Rick favors Wednesday morning 2.5h
* => Folks need to respond to the doodle poll (first dates as early as tomorrow or next week)
* An async update about bug bounty:
* JupyterHub, JupyterLab, and Jupyter Server accepted
* Jason to send email to those not accepted letting them know
* Jason to send a scheduling email
* Interaction with TideLift from Matthias
* What TideLift brings us
* How money is handled
## March 7, 2023
| Name | affiliation| username |
| -------------------| -----------| -----------------|
| Jason Weill | AWS | @JasonWeill |
| Joe Lucas | NVIDIA | @josephtlucas |
| Rollin Thomas | NERSC | @rcthomas |
| Jason Grout | Databricks | @jasongrout |
| Rick Wagner | UCSD | @rpwagner |
* Jason W: Add Joe Lucas to Security Council (https://github.com/jupyter/security/pull/56) — also added to Google Group
* Rollin: TrustedCI Summit October 2023, opportunity for Jupyter security training and workshop
* Met with the 2 leads from [TrustedCI](https://www.trustedci.org/about) (NSF Center of Excellence for Cybersecurity)
* Supports major NSF facilities that deploy infrastructure for research
* TrustedCI hosts an annual cybersecurity summit
* E.g. a few years ago, Rick and Matthias gave a security training on Jupyter there
* Discussion was some kind of Jupyter-focused workshop/activity at 2023 event (October)
* Could be an opportunity to update the Jupyter security training tutorial (1/2 day)
* Rick would update this, he also gave the same tutorial at the same conference before with Matthias
* Rick will get started on this sooner rather than later
* Then, a 1/2 day or full day Jupyter security workshop
* Potential for overlap with some other cohosted workshops
* E.g. [Zeek](https://zeek.org/) workshop: Monitoring and instrumenting Jupyter to work w/Zeek?
* Questions:
* Is the security council broadly in favor of pursuing a workshop? **Answer: Yes**
* Participants (Berkeley location is "central")?
* What gaps are there in funding for the logistics?
* When is TrustedCI going to put up website, etc? => sooner helps people get approvals
* Industry partners (Anaconda, AWS, NVIDIA, ...): 2 for 1? Send a person and seed a scholarship?
* Jason G: Intigriti
* Had meeting w/Charlotte De Vleeschouwer, Customer Success Manager, on Feb. 23
* Discussed scope of the program
* Scope was larger than Intigriti expected
* Wanted to start with jupyter-server, JupyterLab, JupyterHub
* Start small and iterate
* Enlarge scope a little more if that works
* Program created, three groups
* One for each w/a contact
* Each group can have multiple packages
* Wants another call w/POCs for each to kick off
* Jason to close the loop w/other projects that won't be included in first round and help set up this kickoff meeting
* Rick: What do we want people looking at?
* Example: Recent git CLI vulnerabilities
* Git is provided in Docker images
* Should we have advised people to ensure Git was updated?
* Not Jupyter-specific code, but part of the "packaging"
* Should that figure into the vulnerability reporting process?
* With respect to conda and PyPI what is the dependency chain?
* What other repos are important?
* Install instructions based on meta-packages or "top" packages that get installed?
    * Older packages and repos? Maybe recommend ensuring dependabot is running for all of these
    * What GitHub automation can we leverage to get a handle on all the packages?
* Next policy recommendation would be something like:
* Be running dependabot wherever we can
* Here are the list of packages of greatest concern/interest
* Node-based stuff?
* Do the npm repos have 2FA, etc.
* PyPI likewise
* Security sprints?
* Maybe start with dependency graphing
* Example open source vuln management policies
* https://github.com/ossf/oss-vulnerability-guide
* https://about.gitlab.com/handbook/security/security-engineering/application-security/vulnerability-management.html
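As an added example for the "be running dependabot wherever we can" recommendation above (not code from the Jupyter project), the script below walks a directory of repository checkouts, reports which ones have no `.github/dependabot.yml`, and drafts one for them from the manifest files it finds. The manifest-to-ecosystem table, the skipped directories, the weekly schedule and the sample checkout layout are assumptions; adjust them per repo before committing the generated file.

```python
"""Find checkouts that are not running Dependabot and draft a config for them.

Added example for these notes, not Jupyter project code. The manifest list,
skipped directories and weekly schedule are assumptions; the sample layout
built by build_sample_checkouts() is constructed data so the script runs offline.
"""
import sys
import tempfile
from pathlib import Path

# Manifest filename -> Dependabot package-ecosystem value (assumed subset).
MANIFESTS = {
    "requirements.txt": "pip",
    "pyproject.toml": "pip",
    "setup.py": "pip",
    "package.json": "npm",
    "Dockerfile": "docker",
}
SKIP_DIRS = {".git", "node_modules", ".venv", "build", "dist"}
CONFIG_PATH = Path(".github") / "dependabot.yml"


def detect_ecosystems(repo: Path) -> dict:
    """Map each ecosystem found to the set of '/'-rooted directories holding a manifest."""
    found = {}
    for path in repo.rglob("*"):
        rel_parts = path.relative_to(repo).parts
        if not path.is_file() or SKIP_DIRS.intersection(rel_parts):
            continue
        eco = MANIFESTS.get(path.name)
        if eco is None:
            continue
        rel = path.parent.relative_to(repo).as_posix()
        found.setdefault(eco, set()).add("/" if rel == "." else "/" + rel)
    # Workflow files are always updated from the repository root.
    if (repo / ".github" / "workflows").is_dir():
        found.setdefault("github-actions", set()).add("/")
    return found


def render_dependabot(ecosystems: dict, interval: str = "weekly") -> str:
    """Render a version-2 dependabot.yml with one update block per directory."""
    lines = ["version: 2", "updates:"]
    for eco in sorted(ecosystems):
        for directory in sorted(ecosystems[eco]):
            lines += [
                f'  - package-ecosystem: "{eco}"',
                f'    directory: "{directory}"',
                "    schedule:",
                f'      interval: "{interval}"',
            ]
    return "\n".join(lines) + "\n"


def audit(checkouts: Path) -> dict:
    """Per repo directory: 'present', 'no-manifests', or the drafted config text."""
    report = {}
    for repo in sorted(p for p in checkouts.iterdir() if p.is_dir()):
        if (repo / CONFIG_PATH).is_file():
            report[repo.name] = "present"
            continue
        ecosystems = detect_ecosystems(repo)
        report[repo.name] = render_dependabot(ecosystems) if ecosystems else "no-manifests"
    return report


def build_sample_checkouts() -> Path:
    """Constructed sample layout: repo 'a' lacks a config, 'b' has one, 'c' is empty."""
    root = Path(tempfile.mkdtemp(prefix="dependabot-audit-"))
    a = root / "a"
    (a / ".github" / "workflows").mkdir(parents=True)
    (a / ".github" / "workflows" / "ci.yml").write_text("name: ci\n")
    (a / "requirements.txt").write_text("tornado\n")
    (a / "packages" / "ui").mkdir(parents=True)
    (a / "packages" / "ui" / "package.json").write_text("{}\n")
    (a / "node_modules" / "dep").mkdir(parents=True)          # must be ignored
    (a / "node_modules" / "dep" / "package.json").write_text("{}\n")
    (root / "b" / ".github").mkdir(parents=True)
    (root / "b" / CONFIG_PATH).write_text("version: 2\nupdates: []\n")
    (root / "c").mkdir()
    return root


if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_checkouts()
    for name, status in audit(root).items():
        print(f"== {name}: {status if status in ('present', 'no-manifests') else 'missing'}")
        if status not in ("present", "no-manifests"):
            print(status)
```

Run it with the path to a directory of cloned repos; with no argument it audits the constructed sample layout. The drafted config is a starting point only: monorepos usually need per-package `directory` entries and a `groups` or `open-pull-requests-limit` setting to keep PR volume manageable.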
## February 14, 2023
| Name | affiliation| username |
| -------------------| -----------| -----------------|
| Rick Wagner | UCSD | @rpwagner |
| Jason Weill | AWS | @JasonWeill |
| Joe Lucas | NVIDIA | @josephtlucas |
| Sritej Attaluri | Bloomberg | @attaluris |
| Rollin Thomas | NERSC | @rcthomas |
* Email thread about "country of origin" for Jupyter QTConsole
* SSC convergence, reporting structure
* Review of JEPs to get quality software to community
* EC wants to push day-to-day down to SSC
* SSC will have regular meetings and office hours
* Conversation about scope to be had w/SSC
* Production stuff
* But also experimental stuff
* Critical components
* More functional vulnerability process
* Come up with a strawperson proposal
* Socialize within SSC and then office hours
* Want input from other subprojects
* Single org?
* Plan: Work on this in 2 weeks
* Meeting times, proposed change:
* 1st and 3rd Tuesday starting in March
* Allows Community meeting to take the 8AM slot
* Jason W has updated this on Google Calendar: 2/28 meeting is cancelled, 3/7 is our next security meeting
* Prevent collision with Jupyter Community Call
* Next Jupyter Community Call is at 07:00 PST on Feb. 28; this can now be moved to 08:00 PST
* Jupyter Community Call is always on the last Tuesday of the month
* Folks going to JupyterCon?
* Rollin, maybe (approvals)
* Jason W, possibly (depending on approval, budget)
* Rick if there's funding
## January 31, 2023
| Name | affiliation| username |
| -------------------| -----------| -----------------|
| Rick Wagner | UCSD | @rpwagner |
| A. T. Darian | QuantStack | @afshin |
| Sritej Attaluri | Bloomberg | @attaluris |
| Piyush Jain | AWS | @3coins |
| Rollin Thomas | NERSC | @rcthomas |
| Joe Lucas | NVIDIA | @josephtlucas |
* EC and SSC meeting this Friday
* Conversation with TrustedCI / Workshop in October
* Rollin and Rick will talk to TrustedCI about scope, logistics, etc
* There may be good reasons for Jupyter community members to attend TrustedCI summit generally
* Software supply chain affects everyone
* Security affects everyone
* Hello Joe Lucas
* A JupyterLab extension to evaluate the security of your Jupyter environment
* https://github.com/JosephTLucas/jupysec
* Bug bounty program questions for discussion
* jupyterlab, jupyterlab-server and jupyter-server proposed so far w/contacts for each
    * Jason G. proposed to use the GitHub CVE process for reporting bugs. Is this the process that should be followed by the Intigriti Team/Bug reporters?
* Is any one familiar with Intigriti?
* Should we have security.jupyter.org (or sec.jupyter.org)?
* Hub is moving forward on hub.jupyter.org as precedent
* https://github.com/jupyterhub/team-compass/issues/444
## January 17, 2023
| Name | affiliation| username |
| -------------------| -----------| -----------------|
| Jason Weill | AWS | @JasonWeill |
| Matthias Bussonnier| Quansight | @carreau |
| Rollin Thomas | NERSC | @rcthomas |
| Jason Grout | Databricks | @jasongrout |
- Security email addresses
- ipython-security@groups.google.com — Google Group, limited membership.
        - This is a limited-membership list. If someone asks to be put on it, we do a cursory check that they are a real person and add them. It is mostly meant for advance warning that we are going to publish a release that fixes a CVE, and for minor security discussion.
- 75 members now
- security@ipython.org
        - This is a forwarding address maintained by XXXX that only allows up to 10 recipients; it is meant for security reports.
- Action items:
- Formalize policy around who gets on these lists
- Maybe set up new security@jupyter.org reporting email?
- widen the security@ipython.org receivers to spread the load
- Bug bounty recommendation (Intigriti, etc)
    - Jupyter as software may not be a good fit for Intigriti. What Intigriti is offering is that if you have a service you sell with an API, we ask our researchers to pentest your service. If it's software that you install on your machine, it doesn't really fit the Intigriti model, which seems to
- What services do we actually run?
- nbviewer - no authentication, purely displays content, so not really applicable
- binder
- A difficulty is that some people we are talking with are in the European Union, others are from Intigriti
- Action item:
- Jason G to email Intigriti, to confirm whether this is a good fit, based on previous conversations
- If it is a good fit, Jason G to email SSC to see what subprojects are interested, then forward that on to Intigriti
- Recent reports
- How do we manage security reports coming in?
- Several options:
- Security reports per subproject
- Security reports in a centralized Project Jupyter repo
- Security reports in a repo per subproject
## January 3, 2023
| Name | affiliation| username |
| -------------------| -----------| -----------------|
| Jason Weill | AWS | @JasonWeill |
| Matthias Bussonnier| Quansight | @carreau |
| Rollin Thomas | NERSC | @rcthomas |
| Sritej Attaluri | Bloomberg | @attaluris |
| Rick Wagner | UCSD | @rpwagner |
| Jason Grout | Databricks | @jasongrout |
Note: Jason still works at AWS, but per corporate social media policy, I changed my GitHub username to not have `aws` in it anymore
- Vulnerability reporting
- We've turned on public reporting of vulnerabilities in IPython and [Jupyter Security](https://github.com/jupyter/security/security/advisories/new)
- Workflow is: person submits a report, an admin accepts the report and creates a "draft"
- Reports are per-repo. It doesn't seem like there is a way to consolidate at the org level
- It appears that only admin permissions can see the draft vuln reports
- How to track reports?
- We can have a single place where reports are done, so the security team can track it and open appropriate reports in subprojects
- We can have a per-repo or per-subproject place to report, with a reporting structure in place between projects to track vulnerabilities
- This process decision should be made at the SSC level in cooperation with other subprojects
- Even if we have per-subproject reporting, we can have a catch-all reporting place in jupyter/security
- SSC formation
    - SSC reps are known at this point, and the SSC needs to self-organize
- EC meetings are on Monday. Perhaps the SSC members can be invited so we can all discuss how to launch these councils
- https://deploy-preview-712--jupyter-github-io.netlify.app/ - preview of website update listing the SSC in the About page
## December 6, 2022
| Name | affiliation| username |
| -------------------| -----------| -----------------|
| Jason Weill | AWS | @jweill-aws |
| Sritej Attaluri | Bloomberg | @attaluris |
| Rick Wagner | UCSD | @rpwagner |
| Rollin Thomas | NERSC | @rcthomas |
| Rosio Reyes | Anaconda | @RRosio |
- Triage
- Email list status?
- https://github.com/jupyter/security/issues/50
- Appears to be a permissions issue with the ipython-security mailing list not accepting external messages (from non-group members)
- Issues
- Review request: https://github.com/jupyter/security/issues/49
- Haven't done this review before, need to discuss process
- nbclassic (jupyter-notebook subproject)
- Confirm w/developers
- Respond to reporter
- Above could be shortened by ensuring developers are looped into sec reports
- Can we document guidelines about when we do backports/sec updates for existing releases vs telling people to wait for next major version
- Funding & Involvement
- Onboarding newcomers interested in helping with security
- What steps are there?
- Maybe fleshing out the README with onboarding details would be a good idea
- Intigriti
- PEARC23 CfP?
- Thought:
- Subprojects should have a designated security contact
- Designated security contact is subscribed to appropriate mailing lists, etc
## November 8, 2022
| Name | affiliation| username |
| -------------------| -----------| -----------------|
| Jason Weill | AWS | @jweill-aws |
| Matthias Bussonnier| Quansight | @carreau |
- Blog post for 2FA
- Respond to [Intigriti](https://www.intigriti.com/)
## October 25, 2022
| Name | affiliation| username |
| -------------------| -----------| -----------------|
| Rollin Thomas | NERSC | @rcthomas |
| Jason Weill | AWS | @jweill-aws |
- Follow up with Intigriti in early November?
## October 11, 2022
| Name | affiliation| username |
| -------------------| -----------| -----------------|
| Rick Wagner | UCSD | @rpwagner |
| Rollin | NERSC | @rcthomas |
| Matthias Bussonnier| Quansight | @carreau |
- Meeting w/Intigriti
- Customers
- Researchers
- How is Intigriti interfacing with Jupyter ?
- 2 months ... trial period w/EC
- Multiple programs, one from the EC.
- Would Jupyter be a good fit.
    - What can be tested, and what will be tested, will determine if we can be tested.
    - Sounds like issues identified by anyone other than the researchers they fund are not covered.
- Cross communication between researchers
- Would need to be a bit organized on putting CVE publications
- Post meeting
- Rick's suggestion
- Start small with a set of limited repos that are released
- Communicates what key initial packages are
- Matthias suggests
        - scope even further, to specific types of vulnerabilities and specific packages
        - anything broader might be too vague
## September 27, 2022
| Name | affiliation| username |
| -------------------| -----------| -----------------|
| Rick Wagner | UCSD | @rpwagner |
| Jason Weill | AWS | @jweill-aws |
| Rollin | NERSC | @rcthomas |
- [Security roadmap](https://github.com/rpwagner/security/blob/roadmap/docs/roadmap.md)
- 2FA: Needs to be enabled in JupyterLab
- Security workshop
## September 13, 2022
| Name | affiliation| username |
| -------------------| -----------| -----------------|
| Rick Wagner | UCSD | @rpwagner |
| Jason Weill | AWS | @jweill-aws |
| Matthias Bussonnier| Quansight | @carreau |
| Rollin | NERSC | @rcthomas |
- Security questionnaire
- Establish process for how to answer a security questionnaire from a potential user (e.g., FSRA Ontario)
- Matthias to attend NumFOCUS summit next week; can discuss security questions there
- Software Steering Council (SSC) rep
- We need to name and submit an SSC rep by October 3
- Update our team-compass
- Rick W to serve for one year
- 2FA
- Should be enforced in JupyterLab by our next meeting (Sep 27)
- Jason W to bring up at JupyterLab meeting tomorrow
## August 30, 2022
| Name | affiliation| username |
| -------------------| -----------| -----------------|
| Jason Weill | AWS | @jweill-aws |
| Matthias Bussonnier| Quansight | @carreau |
| Rollin Thomas | NERSC | @rcthomas |
| Rick Wagner | UCSD | @rpwagner |
| Maxime Jublou | naas.ai | @Dr0p42 |
| Isabela Presedo-Floyd | Quansight Labs | @isabela-pf |
- Bootstrapping official council — Jason W
- See docs: https://github.com/jupyter/governance/blob/master/bootstrapping_decision_making.md
- We should have a list of members provided for Jupyter governance within the next month (see [Google Sheet](https://docs.google.com/spreadsheets/d/1RdqRp1CIM9t-sy8xz9f_tu6BFfmrzwCM663d2p4e99U/edit#gid=1859802494))
- We also need to select one member to represent us at the Software Steering Council (SSC)
- Action item: We will nominate our SSC rep at our next meeting, on Sep 13
- 2FA follow-up (due Oct 1)
- For future, push 2FA outward toward scientific python stack, etc
- Periodic review to ensure it doesn't get disabled, new projects have it turned on
## August 16, 2022
| Name | affiliation| username |
| -------------------| -----------| -----------------|
| Rollin | NERSC | @rcthomas |
| Matthias Bussonnier| Quansight | @carreau |
| Jason Weill | AWS | @jweill-aws |
| Charlie Bedard | | |
| Munawar Hafiz | OpenRefactory | |
- 2FA progress
- Proceeding OK
- Minor issue with some cartoonist
- Cal Poly interns
- Brian OK with removing them
- But he needs to do it to be sure who's intern
- **Jason** is pinging Brian to do that
- We could get a list and check across all orgs
- **Matthias**: Tweeting about orgs that have 2FA turned on
- Aside: Should we get the Jupyter Twitter account verified?
- Pain, requires fixing Wikipedia entries
- There are more important things maybe
- Aside++: Trademark problem with another Jupyter?
- Matthias was talking to the Jupyter Trademark Committee
        - They should follow up with NumFOCUS probably
- OpenRefactory update
- pypi.openrefactory.com
- This has filtering, not everything
- POC, scans ~100 repos from PyPI, some top projects
- Collaboration done with OpenSSF
- Alpha-Omega project
- Critical OS repos to secure
- Identifying partners (devs/vendors)
- Will staff people to do mitigations
- Developers have gone through some repos and filed bugs
- Some are actual vulnerabilities in process of mitigation
- Feedback, thinking about people with 10000 dependencies:
- Don't want certain reports (volume)
- Want only new vulnerabilities and issues
- Scale is difficult
- Sample project: Ansible (RedHat)
- Identified ~200
- Zeroed in on the most important ones w/OpenSSF
- OpenSSF did the filtering: e.g. injection etc
- 40 of interest
- Next step
- For Jupyter
- Shared some initial reports
- Want a more formal engagement
- Want developers to use the product
- How many repos?
- Possible engagement models:
- Integration/installation to pipelines for critical projects (would need triage), license in CI/CD pipelines
- They could use one of their cloud machines, Jupyter devs could come run interactively on demand
- Would allow developers to see more issues than at pypi.openrefactory.com
- Could be "jupyter.openrefactory.com", they do the scan and share results
- Feedback from Jupyter sec:
- Would like to try it on the most active repo
- Get user and dev feedback from a lot of people
- UI, feedback on false positives, etc
- jupyter-server or JupyterHub?
            - Jason has notebooks that monitor activity across the project
- OpenRefactory: Add JupyterHub to pypi.openrefactory.com
- The page there is really good publicity and Jupyter depends on those other projects too
- Suggest not to add another domain just for Jupyter
- Ask JupyterHub developers to take a look and give feedback
- Expand to other projects?
- UI feedback, on each project's individual page:
- When were the scans done?
- What commit hash?
- Milestone?
- Get report out, try to fix some issues
- Work together to publish (or dual publication) on Jupyter Blog about experience
- Invite folks to sec meeting, point folks to OpenRefactory tool to try it
- Items for discussion outlined last time:
- Can we automatically crawl developer accounts for signs of inactivity
- Reproducible package builds
- Migrating to PyPI deploy tokens
- Will be some coding
- Lots of assumptions like one user one password
- Static analysis and source vulnerability scanning
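The "periodic review to ensure it doesn't get disabled" follow-up for 2FA (August 30) and the "automatically crawl developer accounts for signs of inactivity" item above both come down to reading a few GitHub REST endpoints on a schedule. The script below is an added example for these notes, not code from the Jupyter project: it pulls the org's `two_factor_requirement_enabled` flag, the members the API reports as having 2FA disabled, and each member's public event feed, and turns them into a short report. The org name, member logins and event timestamps are constructed sample data so the audit runs offline; a live run needs an org-owner token in `GITHUB_TOKEN`, and the 100-per-page calls are not paginated here.

```python
"""Periodic GitHub org hygiene audit: 2FA enforcement and dormant accounts.

Added example for these notes, not Jupyter project code. Endpoints used:
  GET /orgs/{org}                             -> two_factor_requirement_enabled
  GET /orgs/{org}/members?filter=2fa_disabled -> members without 2FA (owners only)
  GET /users/{login}/events/public            -> recent public activity
The sample org, members and events below are constructed data, not real accounts.
"""
import json
import os
import urllib.request
from datetime import datetime, timedelta, timezone

API = "https://api.github.com"


def fetch_json(path: str, token: str):
    """GET one API page as parsed JSON (live use only; not exercised offline)."""
    req = urllib.request.Request(
        API + path,
        headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
            "X-GitHub-Api-Version": "2022-11-28",
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def parse_ts(ts: str) -> datetime:
    """GitHub timestamps look like 2022-08-01T12:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def org_enforces_2fa(org: dict):
    """True/False from the org record, or None when the field is absent
    (GitHub only includes it for organization owners)."""
    return org.get("two_factor_requirement_enabled")


def inactive_members(members, events_by_login, now, days=90):
    """Logins with no public event newer than `days` ago.

    Caveat: the public events feed covers roughly the last 90 days and omits
    private activity, so this is a screening signal, not proof of dormancy;
    confirm against the org audit log before removing anyone."""
    cutoff = now - timedelta(days=days)
    dormant = []
    for login in sorted(m["login"] for m in members):
        stamps = [parse_ts(e["created_at"]) for e in events_by_login.get(login, [])]
        if not stamps or max(stamps) < cutoff:
            dormant.append(login)
    return dormant


def audit_org(org, members, members_2fa_disabled, events_by_login, now, days=90):
    """Assemble the findings a periodic review should re-check."""
    return {
        "org": org["login"],
        "two_factor_required": org_enforces_2fa(org),
        "members_without_2fa": sorted(m["login"] for m in members_2fa_disabled),
        "inactive_members": inactive_members(members, events_by_login, now, days),
    }


# Constructed sample data shaped like the API responses (not real accounts).
NOW = datetime(2022, 9, 1, tzinfo=timezone.utc)
SAMPLE_ORG = {"login": "example-org", "two_factor_requirement_enabled": False}
SAMPLE_MEMBERS = [{"login": "alice"}, {"login": "bob"}, {"login": "carol"}]
SAMPLE_2FA_DISABLED = [{"login": "bob"}]
SAMPLE_EVENTS = {
    "alice": [{"type": "PushEvent", "created_at": "2022-08-20T10:00:00Z"}],
    "bob": [{"type": "IssuesEvent", "created_at": "2022-02-01T09:30:00Z"}],
    "carol": [],
}


def live_audit(org_name: str, token: str, now=None):
    """Run the same audit against the real API (org-owner token required)."""
    org = fetch_json(f"/orgs/{org_name}", token)
    members = fetch_json(f"/orgs/{org_name}/members?per_page=100", token)
    no_2fa = fetch_json(f"/orgs/{org_name}/members?filter=2fa_disabled&per_page=100", token)
    events = {m["login"]: fetch_json(f"/users/{m['login']}/events/public", token)
              for m in members}
    return audit_org(org, members, no_2fa, events, now or datetime.now(timezone.utc))


if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    org_name = os.environ.get("GITHUB_ORG")
    if token and org_name:
        report = live_audit(org_name, token)
    else:
        report = audit_org(SAMPLE_ORG, SAMPLE_MEMBERS, SAMPLE_2FA_DISABLED, SAMPLE_EVENTS, NOW)
    print(json.dumps(report, indent=2))
```

Run on a cron or a scheduled workflow per org; a `two_factor_required` of `False` is the regression the August 30 item wants caught early, and `None` means the token is not an owner and the check is inconclusive rather than passing.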