Merge pull request #74 from jupyter/2024-meeting-notes-catchup

Adding notes from previous meetings

Author: Carreau

meetings/2023-08-15.md

@@ -0,0 +1,31 @@
+# Jupyter Security Bi-weekly Meeting
+
+## Auguest 15, 2023
+
+| Name               | affiliation    | username         |
+| -------------------| ---------------|------------------|
+| Matthias Bussonnier| Quansight      | @Carreau         |
+| Jason Weill        | @AWS           | @JasonWeill      |
+| Joe Lucas          | NVIDIA         | @josephtlucas    |
+| Michał Krassowski | Quansight | @krassowski |
+| Eric Gentry | Anaconda | @ericsnekbytes |
+
+
+* Intigrity – Some security bugs, and a few difficulties to sync with GitHub
+    * How to increase email volume?
+    * Permissions not sync'ed across GitHub organizations (requires GH Enterprise?)
+    * How can we handle this better.
+    * Mike pointed out security managers:
+        https://docs.github.com/en/rest/orgs/security-managers?apiVersion=2022-11-28
+        https://docs.github.com/en/organizations/managing-peoples-access-to-your-organization-with-roles/managing-security-managers-in-your-organization
+        https://github.blog/changelog/2021-10-21-introducing-the-organization-level-security-manager-role/
+    * Matthias opened an issue about it : https://github.com/jupyter/security/issues/68
+
+* Numfocus tidelift money
+    * Still waiting to make sure we do recive it and have regular update on the ammount.
+* Numfocus summit in amsterdam
+    * speak about security.
+
+* confusion between [email protected] and [email protected]
+    * Turn on moderation ?
+        * Seem we have agreement.

meetings/2023-09-05.md

@@ -0,0 +1,45 @@
+# Jupyter Security Bi-weekly Meeting
+
+## September 5, 2023
+
+| Name               | affiliation    | username      |
+| -------------------| ---------------|---------------|
+| Matthias Bussonnier| Quansight      | @Carreau      |
+| Jason Weill        | @AWS           | @JasonWeill   |
+| Joe Lucas          | NVIDIA         | @josephtlucas |
+| Rick Wagner        | UCSD           | @rpwagner     |
+| Rollin Thomas      | NERSC          | @rcthomas     |
+
+* TrustedCI Summit Plans
+    * Jupyter security tutorial, Monday, October 23
+    * Jupyter network monitoring workshop, Tuesday, October 24
+
+
+6 out of 13 vuln accepted on Integrity. Small to large.
+Should we say how much it cost ? Would other Bug BOunty
+
+- Should there be a Numfocus BugBounty program ?
+- $14000 left in the project
+- Foobar 7/13
+
+## Tidelift Money
+
+|Date| project| amount (USD)
+|----| -------|---------
+|10/06/22|conda/ipython	|250.00
+|10/06/22|pypi/ipython	|250.00
+|10/06/22|conda/traitlets	|250.00
+|10/06/22|pypi/traitlets	|100.00
+|12/21/22|Tidelift Payout Nov & Dec 2022 (iPython)	|1,000.00
+|12/21/22|Tidelift Payout Nov & Dec 2022 (Traitlets)	|700.00
+|3/08/2023|Traitlets February 2023	|350.00
+|3/08/2023|iPython February 2023	|500.00
+|3/08/2023|Traitlets January 2023	|350.00
+|3/08/2023|iPython January 2023	|500.00
+|4/21/2023|Traitlets March 2023	|350.00
+|4/21/2023|iPython March 2023	|500.00
+|5/15/2023|Traitlets April 2023	|350.00
+|5/15/2023|iPython April 2023	|500.00
+|6/13/2023|iPython May 2023	|500.00
+|6/13/2023|Traitlets May 2023	|350.00
+|$ 6,800.00  

meetings/2023-09-19.md

@@ -0,0 +1,21 @@
+# Jupyter Security Bi-weekly Meeting
+
+## September 19, 2023
+
+| Name               | affiliation | username     |
+| -------------------| ------------|--------------|
+| Matthias Bussonnier| Quansight   | @Carreau     |
+| Joe Lucas          | NVIDIA      | @josephtlucas|
+| Rick Wagner        | UCSD        | @rpwagner    |
+| Jason Weill        | @AWS        | @JasonWeill  |
+| Rosio Reyes        | Anaconda    | @RRosio      |
+
+* Matthias may see if Juanita can attend the TrustedCI workshop
+    * She says yes, she is interested, she live in Santa Cruz, can drive, and can figure out lodging. Just need to get her a ticket.
+* Rosio wants to learn more about vulnerability reporting/handling process
+    * Issue opened up a couple of weeks ago when someone wants to report a vuln
+* Revised TrustedCI blog post
+* Intigriti
+    * Will probably close it out with a blog post
+    * With a quote from Charlotte (Jason W to follow up w/Charlotte)
+    * Should we involve NF ?

meetings/2023-10-03.md

@@ -0,0 +1,29 @@
+# Jupyter Security Bi-weekly Meeting
+
+## October 3, 2023
+
+| Name               | affiliation| username    |
+| -------------------| -----------|-------------|
+| Matthias Bussonnier| Quansight  | @Carreau    |
+| Rick Wagner        | UCSD       | @rpwagner   |
+| Jason Weill        | @AWS       | @JasonWeill |
+| David Qiu          | @AWS       | @dlqqq      |
+| Rollin Thomas      | NERSC      | @rcthomas   |
+| Rosio Reyes        | Anaconda   | @RRosio     |
+
+Agenda:
+
+* Email from the Community Building Group: 
+   - Process to source input from subprojects to identify area were help is needed to maintain a robust community. Identifi Commmunity building practices. There are interview scripts, and invite to join calls on thursday.
+   - Some of us are going to attend on October 19th.
+
+* We know have an Jupyter Security Sandbox environment.
+    * It will likely be used for the Jupyter/Zeek workshop on Octover 223rd
+    * The NSF has a program called [CloudBank](https://www.cloudbank.org/). Targetted for cyberinfra and DS. But also grants for training activities.
+    * It does allow federated logging.
+    * currently $2k
+        * Suggest to have this as public information, 
+        * And let the SSC know.
+            * See https://github.com/jupyter/executive-council-team-compass/issues/13
+
+Sorry I think I ended the meeting for all... not sure how as I should not have been admin ...

meetings/2023-10-17.md

@@ -0,0 +1,31 @@
+# Jupyter Security Bi-weekly Meeting
+
+## October 17, 2023
+
+| Name               | affiliation| username    |
+| -------------------| -----------|-------------|
+| Rick Wagner        | UCSD       | @rpwagner   |
+| Jason Weill        | @AWS       | @JasonWeill |
+| Joe Lucas          | NVIDIA     | @josephtlucas|
+| Rollin Thomas      | NERSC      | @rcthomas   |
+| Rosio Reyes        | Anaconda   | @RRosio     |
+
+* Review vulnerability handling process.
+
+* [Workshop agenda](https://docs.google.com/document/d/1hl1qe72s1CZc7Z3QOh1apANRi--qkupcnWEyH4VNOiQ/edit?usp=sharing)
+
+* Jupyter Maint lost devices. Process to remove all access ?
+  * I (matthias) re-asked to decrease the number of GitHub orgs: [executive-council-team-compass#12](https://github.com/jupyter/executive-council-team-compass/issues/12)
+
+FYI WRT security, matthias suggested a change to handler in Jupyter-Server.
+  - [jupyter-server/jupyter_server#1332](https://github.com/jupyter-server/jupyter_server/pull/1332)
+
+David not able to attend the community survey this Thursday due to a personal conflict
+
+Charlotte requests that we close accepted submissions in the bug bounty program
+* Rick to capture information from submissions, then close
+
+[Trusted CI engagement documentation](https://github.com/jupyter/security/tree/main/docs)
+
+Please add David Qiu to the Jupyter Security (ipython-security) mailing list
+* Done (Rick, 10/17/23)

meetings/2023-11-07.md

@@ -0,0 +1,35 @@
+# Jupyter Security Bi-weekly Meeting
+
+## November 7, 2023
+
+| Name               | affiliation| username     |
+| -------------------| -----------|--------------|
+| Rick Wagner        | UCSD       | @rpwagner    |
+| Joe Lucas          | NVIDIA     | @josephtlucas|
+| Rosio Reyes        | Anaconda   | @RRosio      |
+| Matthias Bussonnier| Quansight  | @Carreau     |
+| David Qiu          | AWS        | @dlqqq       |
+| Rollin Thomas      | NERSC      | @rcthomas   |
+
+
+- Security reports directly on Jupyter/Security
+- HECVAT and alike report:
+    - See
+    https://github.com/jupyter/jupyter.github.io/pull/743/files#commit-suggestions
+    - URL: https://library.educause.edu/resources/2020/4/higher-education-community-vendor-assessment-toolkit
+    - Attorneys at the NSF summit 
+        - who is the legal entity, do they have attorneys.
+    - Have both an FAQ, and a Document (pdf) signed by numfocus. 
+
+- Opened an [issue (docs-team-compass#22)](https://github.com/jupyter/docs-team-compass/issues/22) for security documentation in the Documentation repo
+
+- David to contribute JupyterLab documentation on developing JupyterLab extensions.
+  - David: I can get started on this in a few weeks, with a draft PR by early December.
+  
+- Security documentation to be added to jupyter.org/security
+  - Source: https://github.com/jupyter/jupyter.github.io
+  - Can we have exclusive permissions to edit the "Security" page?
+  - David's proposed process: We open changes as a draft PR, get feedback from everybody security, then open for review and ping somebody to merge the PR
+  
+  
+Matthias suggest a small read later: http://thecodelesscode.com/case/215

meetings/2023-11-21.md

@@ -0,0 +1,12 @@
+# Jupyter Security Bi-weekly Meeting
+
+## November 21, 2023
+
+| Name               | affiliation| username     |
+| -------------------| -----------|--------------|
+| Matthias Bussonnier| Quansight  | @Carreau     |
+| Joe Lucas          | NVIDIA     | @josephtlucas|
+| Rosio Reyes        | Anaconda   | @RRosio      |
+
+Tasks:
+  - [ ] Reply to "Pilot: Security Committee Introduction and Survey" and fill in the form.

meetings/2023-12-05.md

@@ -0,0 +1,31 @@
+# Jupyter Security Bi-weekly Meeting
+
+## Dec 5th, 2023
+
+| Name               | affiliation| username     |
+| -------------------| -----------|--------------|
+| Matthias Bussonnier| Quansight  | @Carreau     |
+| Joe Lucas          | NVIDIA     | @josephtlucas|
+| Rosio Reyes        | Anaconda   | @RRosio      |
+| Rick Wagner        | UCSD       | @rpwagner    |
+| David Qiu          | AWS        | @dlqqq       |
+| Rollin Thomas      | NERSC      | @rcthomas    |
+
+
+The amount of money in the Tidelift  account for Jupyter is close to ~7900 USD. Some funds weere used to reimburse for travel expenses to NSF security Summit.
+
+Some people were sick in the previous week. 
+
+Numfocus Security council slowly progressing with a data-baked process.
+
+  - Juanita in contact with Open SSF.
+  - Writing Guides
+  - Credentials;
+     - Matthias: https://github.com/scientific-python/specs/pull/168#pullrequestreview-1557436109
+
+- David: Quick update on the labextension documentation that Rick had requested. Hoping to start on this sometime this week, should have something ready by the end of the month. Rather busy right now.
+
+- Matthias, Tidelift: https://github.com/jupyterlab/team-compass/discussions/224
+    - David: I'll bring this up in the JupyterLab call tomorrow.
+
+ - [ ] TODO: Matthias said hw would reach out to NF with list of request for hecvat and similarm but forgot.

meetings/2023-12-19.md

@@ -0,0 +1,21 @@
+# Jupyter Security Bi-weekly Meeting
+
+## Dec 19th, 2023
+
+| Name               | affiliation| username     |
+| -------------------| -----------|--------------|
+| David Qiu          | AWS        | @dlqqq       |
+| Rick Wagner        | UCSD       | @rpwagner    |
+
+- David: Rick proposed refining and outlining the existing security vulnerability process. It would involve a stakeholder from each subproject.
+    - I suggest that we also have a triage group for this to avoid generating noise. That is, if you receive a notification, it will be very likely that this vulnerability affects your project, and that this demands your attention.
+    - Rick suggests using GitHub's security vulnerability reporting process. We should investigate 1) when this sends notifications, and 2) who is notified in this process.
+    - I can help with another draft of the vulnerability reporting process.
+    - https://github.com/jupyter/security/blob/main/docs/vulnerability-handling.md
+
+- Mike: https://github.com/jupyter/notebook/pull/7153/files
+    - Cross-linked in security repo: https://github.com/jupyter/security/issues/72
+  - David: I agree that GH Actions are sort of dangerous by default. But the real problem isn't that we need to hashpin, but that I'm not aware of any tool that helps with this.
+ 
+- Mike: Perhaps we should invite https://github.com/diogoteles08 to one or our meetings in the future.
+    - David: I agree with this; let's build a bridge if possible.

meetings/2024-01-02.md

@@ -0,0 +1,13 @@
+# Jupyter Security Bi-weekly Meeting
+
+## Jan 2th, 2024
+
+| Name               | affiliation| username     |
+| -------------------| -----------|--------------|
+| Joe Lucas          | NVIDIA     | @josephtlucas|
+| Rosio Reyes        | Anaconda   | @RRosio      |
+| Dor Sarig          | Pillar Security   ||
+| Ziv                | Pillar Security   ||
+
+- Rosio to continue working on Threat Modeling for Rosio but has priority conflicts currently.
+- Dor/Ziv were following up on a vulnerability reported to [email protected]