| 1 | +# Jupyter Security Bi-weekly Meeting |
| 2 | + |
| 3 | +- Where: [`jovyan` Zoom](https://zoom.us/my/jovyan?pwd=c0JZTHlNdS9Sek9vdzR3aTJ4SzFTQT09) (pwd: c0JZTHlNdS9Sek9vdzR3aTJ4SzFTQT09) |
| 4 | + |
| 5 | +## August 16, 2022 |
| 6 | + |
| 7 | +| Name | affiliation| username | |
| 8 | +| -------------------| -----------| -----------------| |
| 9 | +| Rollin | NERSC | @rcthomas | |
| 10 | +| Matthias |Quansight | @Carreau | |
| 11 | +| Jason Weill | AWS | @jweill-aws | |
| 12 | +| Charlie Bedard ||| |
| 13 | +| Munawar Hafiz | OpenRefactory || |
| 14 | + |
| 15 | +- 2FA progress |
| 16 | + - Proceeding OK |
| 17 | + - Minor issue with some cartoonist |
| 18 | + - Cal Poly interns |
| 19 | + - Brian OK with removing them |
| 20 | + - But he needs to do it to be sure who's intern |
| 21 | + - **Jason** is pinging Brian to do that |
| 22 | + - We could get a list and check across all orgs |
| 23 | + - **Matthias**: Tweeting about orgs that have 2FA turned on |
| 24 | + |
| 25 | +- Aside: Should we get the Jupyter Twitter account verified? |
| 26 | + - Pain, requires fixing Wikipedia entries |
| 27 | + - There are more important things maybe |
| 28 | + - Aside++: Trademark problem with another Jupyter? |
| 29 | + - Matthias was talking to the Jupyter Trademark Committee |
| 30 | + - They should follow up with NumFocus probably |
| 31 | + |
| 32 | +- OpenRefactory update |
| 33 | + - pypi.openrefactory.com |
| 34 | + - This has filtering, not everything |
| 35 | + - POC, scans ~100 repos from PyPI, some top projects |
| 36 | + - Collaboration done with OpenSSF |
| 37 | + - Alpha-Omega project |
| 38 | + - Critical OS repos to secure |
| 39 | + - Identifying partners (devs/vendors) |
| 40 | + - Will staff people to do mitigations |
| 41 | + - Developers have gone through some repos and filed bugs |
| 42 | + - Some are actual vulnerabilities in process of mitigation |
| 43 | + - Feedback, thinking about people with 10000 dependencies: |
| 44 | + - Don't want certain reports (volume) |
| 45 | + - Want only new vulnerabilities and issues |
| 46 | + - Scale is difficult |
| 47 | + - Sample project: Ansible (RedHat) |
| 48 | + - Identified ~200 |
| 49 | + - Zeroed in on the most important ones w/OpenSSF |
| 50 | + - OpenSSF did the filtering: e.g. injection etc |
| 51 | + - 40 of interest |
| 52 | + - Next step |
| 53 | + - For Jupyter |
| 54 | + - Shared some initial reports |
| 55 | + - Want a more formal engagement |
| 56 | + - Want developers to use the product |
| 57 | + - How many repos? |
| 58 | + - Possible engagement models: |
| 59 | + - Integration/installation to pipelines for critical projects (would need triage), license in CI/CD pipelines |
| 60 | + - They could use one of their cloud machines, Jupyter devs could come run interactively on demand |
| 61 | + - Would allow developers to see more issues than at pypi.openrefactory.com |
| 62 | + - Could be "jupyter.openrefactory.com", they do the scan and share results |
| 63 | + - Feedback from Jupyter sec: |
| 64 | + - Would like to try it on the most active repo |
| 65 | + - Get user and dev feedback from a lot of people |
| 66 | + - UI, feedback on false positives, etc |
| 67 | + - jupyter-server or JupyterHub? |
| 68 | + - Jason has notebooks that monitors activity across the project |
| 69 | + - OpenRefactory: Add JupyterHub to pypi.openrefactory.com |
| 70 | + - The page there is really good publicity and Jupyter depends on those other projects too |
| 71 | + - Suggest not to add another domain just for Jupyter |
| 72 | + - Ask JupyterHub developers to take a look and give feedback |
| 73 | + - Expand to other projects? |
| 74 | + - UI feedback, on each project's individual page: |
| 75 | + - When were the scans done? |
| 76 | + - What commit hash? |
| 77 | + - Milestone? |
| 78 | + - Get report out, try to fix some issues |
| 79 | + - Work together to publish (or dual publication) on Jupyter Blog about experience |
| 80 | + - Invite folks to sec meeting, point folks to OpenRefactory tool to try it |
| 81 | + |
| 82 | +- Items for discussion outlined last time: |
| 83 | + - Can we automatically crawl developer accounts for signs of inactivity |
| 84 | + - Reproducible package builds |
| 85 | + - Migrating to PyPI deploy tokens |
| 86 | + - Will be some coding |
| 87 | + - Lots of assumptions like one user one password |
| 88 | + - Static analysis and source vulnerability scanning |