| 1 | +# Jupyter Security Bi-weekly Meeting |
| 2 | + |
| 3 | +## March 7, 2023 |
| 4 | + |
| 5 | +| Name | affiliation| username | |
| 6 | +| -------------------| -----------| -----------------| |
| 7 | +| Jason Weill | AWS | @JasonWeill | |
| 8 | +| Joe Lucas | NVIDIA | @josephtlucas | |
| 9 | +| Rollin Thomas | NERSC | @rcthomas | |
| 10 | +| Jason Grout | Databricks | @jasongrout | |
| 11 | +| Rick Wagner | UCSD | @rpwagner | |
| 12 | + |
| 13 | +* Jason W: Add Joe Lucas to Security Council (https://github.com/jupyter/security/pull/56) — also added to Google Group |
| 14 | +* Rollin: TrustedCI Summit October 2023, opportunity for Jupyter security training and workshop |
| 15 | + * Met with the 2 leads from [TrustedCI](https://www.trustedci.org/about) (NSF Center of Excellence for Cybersecurity) |
| 16 | + * Supports major NSF facilities that deploy infrastructure for research |
| 17 | + * TrustedCI hosts an annual cybersecurity summit |
| 18 | + * E.g. a few years ago, Rick and Matthias gave a security training on Jupyter there |
| 19 | + * Discussion was some kind of Jupyter-focused workshop/activity at 2023 event (October) |
| 20 | + * Could be an opportunity to update the Jupyter security training tutorial (1/2 day) |
| 21 | + * Rick would update this, he also gave the same tutorial at the same conference before with Matthias |
| 22 | + * Rick will get started on this sooner rather than later |
| 23 | + * Then, a 1/2 day or full day Jupyter security workshop |
| 24 | + * Potential for overlap with some other cohosted workshops |
| 25 | + * E.g. [Zeek](https://zeek.org/) workshop: Monitoring and instrumenting Jupyter to work w/Zeek? |
| 26 | + * Questions: |
| 27 | + * Is the security council broadly in favor of pursuing a workshop? **Answer: Yes** |
| 28 | + * Participants (Berkeley location is "central")? |
| 29 | + * What gaps are there in funding for the logistics? |
| 30 | + * When is TrustedCI going to put up website, etc? => sooner helps people get approvals |
| 31 | + * Industry partners (Anaconda, AWS, NVIDIA, ...): 2 for 1? Send a person and seed a scholarship? |
| 32 | +* Jason G: Intigriti |
| 33 | + * Had meeting w/Charlotte De Vleeschouwer, Customer Success Manager, on Feb. 23 |
| 34 | + * Discussed scope of the program |
| 35 | + * Scope was larger than Intigriti expected |
| 36 | + * Wanted to start with jupyter-server, JupyterLab, JupyterHub |
| 37 | + * Start small and iterate |
| 38 | + * Enlarge scope a little more if that works |
| 39 | + * Program created, three groups |
| 40 | + * One for each w/a contact |
| 41 | + * Each group can have multiple packages |
| 42 | + * Wants another call w/POCs for each to kick off |
| 43 | + * Jason to close the loop w/other projects that won't be included in first round and help set up this kickoff meeting |
| 44 | +* Rick: What do we want people looking at? |
| 45 | + * Example: Recent git CLI vulnerabilities |
| 46 | + * Git is provided in Docker images |
| 47 | + * Should we have advised people to ensure Git was updated? |
| 48 | + * Not Jupyter-specific code, but part of the "packaging" |
| 49 | + * Should that figure into the vulnerability reporting process? |
| 50 | + * With respect to conda and PyPI what is the dependency chain? |
| 51 | + * What other repos are important? |
| 52 | + * Install instructions based on meta-packages or "top" packages that get installed? |
| 53 | + * Older packages and repos? Maybe recommend dependabot is working for all these |
| 54 | + * What leverages GitHub automation to get a handle on all the packages? |
| 55 | + * Next policy recommendation would be something like: |
| 56 | + * Be running dependabot wherever we can |
| 57 | + * Here are the list of packages of greatest concern/interest |
| 58 | + * Node-based stuff? |
| 59 | + * Do the npm repos have 2FA, etc. |
| 60 | + * PyPI likewise |
| 61 | + * Security sprints? |
| 62 | + * Maybe start with dependency graphing |
| 63 | + * Example open source vuln management policies |
| 64 | + * https://github.com/ossf/oss-vulnerability-guide |
| 65 | + * https://about.gitlab.com/handbook/security/security-engineering/application-security/vulnerability-management.html |
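Review bot: The "Next policy recommendation" bullets (the "Here are the list of packages of greatest concern/interest" line) point to a package list that the notes never record; either link the tracking issue or document where that list lives, or mark the line as an open action item with an owner, so the recommendation is actionable when these notes are read later. Two smaller points in the same hunk: the attendee table header mixes capitalization ("Name" vs "affiliation" and "username"), and the two bare URLs under "Example open source vuln management policies" would read better as markdown links with titles, matching the `[TrustedCI](...)` and `[Zeek](...)` style used earlier in the file.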