Merge pull request #51 from jupyter/notes-catchup

Notes catchup

Author: rcthomas

meetings/2022-08-30.md

@@ -0,0 +1,22 @@
+# Jupyter Security Bi-weekly Meeting
+
+## August 30, 2022
+
+| Name               | affiliation| username         |
+| -------------------| -----------| -----------------|
+| Jason Weill        | AWS        | @jweill-aws      |
+| Matthias Bussonnier| QuanSight  | @carreau |
+| Rollin Thomas      | NERSC      | @rcthomas        |
+| Rick Wagner | UCSD | @rpwagner |
+| Maxime Jublou | naas.ai | @Dr0p42 |
+| Isabela Presedo-Floyd | Quansight Labs | @isabela-pf |
+
+- Bootstrapping official council — Jason W
+    - See docs: https://github.com/jupyter/governance/blob/master/bootstrapping_decision_making.md
+    - We should have a list of members provided for Jupyter governance within the next month (see [Google Sheet](https://docs.google.com/spreadsheets/d/1RdqRp1CIM9t-sy8xz9f_tu6BFfmrzwCM663d2p4e99U/edit#gid=1859802494))
+    - We also need to select one member to represent us at the Software Steering Council (SSC)
+    - Action item: We will nominate our SSC rep at our next meeting, on Sep 13
+- 2FA follow-up (due Oct 1)
+    - For future, push 2FA outward toward scientific python stack, etc
+    - Periodic review to ensure it doesn't get disabled, new projects have it turned on
+    - 

meetings/2022-09-13.md

@@ -0,0 +1,21 @@
+# Jupyter Security Bi-weekly Meeting
+
+## September 13, 2022
+
+| Name               | affiliation| username         |
+| -------------------| -----------| -----------------|
+| Rick Wagner | UCSD | @rpwagner |
+| Jason Weill        | AWS        | @jweill-aws      |
+| Matthias Bussonnier| QuanSight  | @carreau |
+| Rollin | NERSC | @rcthomas |
+
+- Security questionnaire
+    - Establish process for how to answer a security questionnaire from a potential user (e.g., FSRA Ontario)
+        - Matthias to attend NumFOCUS summit next week; can discuss security questions there
+- Software Steering Council (SSC) rep
+    - We need to name and submit an SSC rep by October 3
+    - Update our team-compass
+    - Rick W to serve for one year
+- 2FA
+    - Should be enforced in JupyterLab by our next meeting (Sep 27)
+    - Jason W to bring up at JupyterLab meeting tomorrow

meetings/2022-09-27.md

@@ -0,0 +1,13 @@
+# Jupyter Security Bi-weekly Meeting
+
+## September 27, 2022
+
+| Name               | affiliation| username         |
+| -------------------| -----------| -----------------|
+| Rick Wagner | UCSD | @rpwagner |
+| Jason Weill        | AWS        | @jweill-aws      |
+| Rollin | NERSC | @rcthomas |
+
+- [Security roadmap](https://github.com/rpwagner/security/blob/roadmap/docs/roadmap.md)
+- 2FA: Needs to be enabled in JupyterLab
+- Security workshop

meetings/2022-10-11.md

@@ -0,0 +1,33 @@
+# Jupyter Security Bi-weekly Meeting
+
+## October 11, 2022
+
+| Name               | affiliation| username         |
+| -------------------| -----------| -----------------|
+| Rick Wagner        | UCSD       | @rpwagner        |
+| Rollin             | NERSC      | @rcthomas        |
+| Matthias Bussonnier| QuanSight  | @carreau         |
+||||
+||||
+
+- Meeting w/Intigriti
+    - Customers
+    - Researchers
+
+- How is Intigriti interfacing with Jupyter ? 
+    - 2 months ... trial period w/EC
+    - Multiple programs, one from the EC. 
+    - Would Jupyter be a good fit. 
+    - What can be tested, will be tested will determine if we can be tested.
+    - Sounds like issues identified external to their researchers they fund are not covered.
+    - Cross communication between researchers
+        - Would need to be a bit organized on putting CVE publications
+
+- Post meeting
+    - Rick's suggestion
+        - Start small with a set of limited repos that are released
+        - Communicates what key initial packages are 
+    - Matthias suggests 
+        - to scope even further to types of vulnerabilities and specific package
+        - further more might be too vague
+    - 

meetings/2022-12-06.md

@@ -0,0 +1,34 @@
+# Jupyter Security Bi-weekly Meeting
+
+## December 6, 2022
+
+| Name               | affiliation| username         |
+| -------------------| -----------| -----------------|
+| Jason Weill        | AWS        | @jweill-aws      |
+| Sritej Attaluri    | Bloomberg  |                  |
+| Rick Wagner        | UCSD       | @rpwagner        |
+| Rollin Thomas      | NERSC      | @rcthomas        |
+| Rosio Reyes        | Anaconda   | @RRosio          |
+
+- Triage
+    - Email list status?
+        - https://github.com/jupyter/security/issues/50
+        - Appears to be a permissions issue with the ipython-security mailing list not accepting external messages (from non-group members)
+    - Issues
+- Review request: https://github.com/jupyter/security/issues/49
+    - Haven't done this review before, need to discuss process
+- nbclassic (jupyter-notebook subproject)
+    - Confirm w/developers
+    - Respond to reporter
+        - Above could be shortened by ensuring developers are looped into sec reports
+    - Can we document guidelines about when we do backports/sec updates for existing releases vs telling people to wait for next major version
+- Funding & Involvement
+    - Onboarding newcomers interested in helping with security
+        - What steps are there?
+        - Maybe fleshing out the README with onboarding details would be a good idea
+
+- Integriti
+- PEARC23 CfP?
+- Thought:
+    - Subprojects should have a designated security contact
+    - Designated security contact is subscribed to appropriate mailing lists, etc

meetings/README.md

@@ -17,6 +17,11 @@ What this meeting is about:
 
 ## Meeting Minutes
 
+* [2022-12-06](2022-12-06.md)
+* [2022-10-11](2022-10-11.md)
+* [2022-09-27](2022-09-27.md)
+* [2022-09-13](2022-09-13.md)
+* [2022-08-30](2022-08-30.md)
 * [2022-08-16](2022-08-16.md)
 * [2022-08-02](2022-08-02.md)
 * [2022-07-05](2022-07-05.md)