Merge pull request #62 from jupyter/notes-2023-04-18-and-05-02

As always, thanks @rcthomas!

Author: rpwagner

meetings/2023-04-18.md

@@ -0,0 +1,50 @@
+# Jupyter Security Bi-weekly Meeting
+
+## April 18, 2023
+
+| Name               | affiliation| username         |
+| -------------------| -----------| -----------------|
+| Jason Weill        | AWS        | @JasonWeill      |
+| Joe Lucas          | NVIDIA     | @josephtlucas    |
+| Rick Wagner        | UCSD       | @rpwagner        |
+| Matthias Bussonnier| Quansight  | @Carreau         |
+
+* Package Repositories (NPM, PyPI, docker, conda)
+    * What are the things that people from Jupyter manage?
+    * Who are the maintainers?
+    * Should we inventory these assets?
+        * Can this be scripted (along with who has access)?
+    * Draft Asset List (places important things are hosted, done, processed, etc.)
+    * Semi-prioritized
+        * Priority
+            * GitHub
+            * PyPI
+            * Conda
+            * NPM
+            * ReadTheDocs
+            * DockerHub
+            * Namecheap (DNS)
+            * Jupyterlab.io (Google Domain)
+            * 1Password
+        * Next
+            * Twitter
+            * Facebook
+            * LinkedIn
+            * Mastodon
+            * CloudFlare
+            * Google Drive
+            * GMail
+            * Google Groups
+            * YouTube
+            * Zoom
+            * Discourse.jupyter.org (hosted by Discourse)
+            * nbviewer.org
+            * binderhub.org
+            * fast.ly (nbviewer.org)
+            * RackSpace (nbviewer.org, mail??)
+            * OpenCollective
+            * Medium (blog)
+            * Tidelift
+            * Gitter
+    * Next: Review access to priority assets, track in private repo
+    * Share list of assets with Governance

meetings/2023-05-02.md

@@ -0,0 +1,39 @@
+# Jupyter Security Bi-weekly Meeting
+
+## May 2, 2023
+
+| Name               | affiliation| username         |
+| -------------------| -----------| -----------------|
+| Jason Weill        | AWS        | @JasonWeill      |
+| Rick Wagner        | UCSD       | @rpwagner        |
+| Matthias Bussonnier| Quansight  | @Carreau         |
+| Jason Grout        | Databricks | @jasongrout      |
+| Rollin Thomas      | NERSC      | @rcthomas        |
+| Steve Silvester    | MongoDB    | @blink1073       |
+
+
+* Joe Lucas OOTO for this meeting. See you in Paris.
+* https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect
+* PyPI Organizations ([ticket](https://github.com/jupyter/security/issues/61))
+    * Key: Delegation to subprojects and keeping subprojects from hitting barriers to prevent fracture?
+    * 4 teams set up as 1 per GitHub org plus JupyterHub
+    * Experiment, on JupyterLab made Federic an owner, moved hatch-jupyter under that
+    * RBAC, OIDC could allow trusted publishers and bots go away
+    * PyPI vs GitHub
+        * Jupyter is subprojects in GitHub but not a perfect mapping
+        * PyPI packages are tied to repos, not GitHub orgs
+        * Flexibility in delegating who can manage releases, doesn't have to be SSC rep
+        * New feature: PyPI products can be linked to GitHub on PyPI `/manage/project/{repo}/settings/publishing`
+        * On GitHub required reviewers provide additional gating to publish
+        * Yanking from PyPI?  Needs PyPI account?
+    * Who should be top-level owners?  EC
+        * May be a good choice for now until an official delegation
+        * Q on asset inventory and privileged roles; is there an audit / sec team to be able to see into things?
+            * Rick doesn't want that at the moment
+    * Related: NPM provenance
+* Security Subproject Update during SSC/EC meeting
+    * Intigriti Bug Bounty
+        * Vulnerability handling across projects
+    * 2FA requirement
+    * Security workshop
+    * Auditing privileged access for Jupyter assets (github orgs/repos, pypi, DNS, etc. See notes from last time)

meetings/README.md

@@ -17,6 +17,8 @@ What this meeting is about:
 
 ## Meeting Minutes
 
+* [2023-05-02](2023-05-02.md)
+* [2023-04-18](2023-04-18.md)
 * [2023-04-04](2023-04-04.md)
 * [2023-03-21](2023-03-21.md)
 * [2023-03-07](2023-03-07.md)