Merge pull request #54 from jupyter/notes-2023-01

Notes from late January

Author: rcthomas

meetings/2023-01-17.md

@@ -0,0 +1,36 @@
+## January 17, 2023
+
+| Name               | affiliation| username         |
+| -------------------| -----------| -----------------|
+| Jason Weill        | AWS        | @JasonWeill      |
+| Matthias Bussonnier| Quansight  | @carreau         |
+| Rollin Thomas      | NERSC      | @rcthomas        |
+| Jason Grout        | Databricks | @jasongrout      |
+
+- Security email addresses
+	- [email protected] — Google Group, limited membership.
+	    - This is a limited-membership list, if someone ask to be put on it, we do a cursory check they are a real person and add them it is mostly meant for advance warning we are going to publish a release that fix a CVE and minor sec discussion.
+	    - 75 members now
+	- [email protected]
+	    - This is a forward email maintained by XXXX, that only allow up to 10 members, it is meant for security reports.
+	- Action items:
+		- Formalize policy around who gets on these lists
+		- Maybe set up new [email protected] reporting email?
+		- widen the [email protected] receivers to spread the load
+
+- Bug bounty recommendation (intigrity, etc)
+	- Jupyter as a software may not be a good fit for Intigrity. What Intigrity is offering is that if you have a service you sell with an API, we ask our researchers to pentest your service. If it's software that you install on your machine, it doesn't really fit the Intigriti model, which seems to 
+	- What services do we actually run?
+		- nbviewer - no authentication, purely displays content, so not really applicable
+		- binder
+	- A difficulty is that some people we are talking with are in the European Union, others are from Intigriti
+	- Action item:
+		- Jason G to email Intigriti, to confirm whether this is a good fit, based on previous conversations
+		- If it is a good fit, Jason G to email SSC to see what subprojects are interested, then forward that on to Intigriti
+
+- Recent reports
+	- How do we manage security reports coming in?
+	- Several options:
+		- Security reports per subproject
+		- Security reports in a centralized Project Jupyter repo
+		- Security reports in a repo per subproject

meetings/2023-01-31.md

@@ -0,0 +1,27 @@
+## January 31, 2023
+
+| Name               | affiliation| username         |
+| -------------------| -----------| -----------------|
+| Rick Wagner        | UCSD       | @rpwagner        |
+| A. T. Darian       | QuantStack | @afshin          |
+| Sritej Attaluri    | Bloomberg  | @attaluris       |
+| Piyush Jain        | AWS        | @3coins          |
+| Rollin Thomas      | NERSC      | @rcthomas        |
+| Joe Lucas          | NVIDIA     | @josephtlucas    |
+
+* EC and SSC meeting this Friday
+* Conversation with TrustedCI / Workshop in October
+    * Rollin and Rick will talk to TrustedCI about scope, logistics, etc
+    * There may be good reasons for Jupyter community members to attend TrustedCI summit generally
+        * Software supply chain affects everyone
+        * Security affects everyone
+* Hello Joe Lucas
+    * A JupyterLab extension to evaluate the security of your Jupyter environment
+    * https://github.com/JosephTLucas/jupysec
+* Bug bounty program questions for discussion
+    * jupyterlab, jupyterlab-server and jupyter-server proposed so far w/contacts for each
+    * Jason G. proposed to use the Github CVE process for reporting bugs. Is this the process that should be followed by the Intigriti Team/Bug reporters?
+    * Is any one familiar with Intigriti?
+* Should we have security.jupyter.org (or sec.jupyter.org)?
+    * Hub is moving forward on hub.jupyter.org as precedent
+    * https://github.com/jupyterhub/team-compass/issues/444

meetings/README.md

@@ -17,6 +17,8 @@ What this meeting is about:
 
 ## Meeting Minutes
 
+* [2023-01-31](2023-01-31.md)
+* [2023-01-17](2023-01-17.md)
 * [2023-01-03](2023-01-03.md)
 * [2022-12-06](2022-12-06.md)
 * [2022-10-11](2022-10-11.md)