Create 2023-05-02.md

rcthomas · web-flow · commit f66799d0d9dc · 2023-05-03T08:15:49.000-07:00
Notes for May 2
diff --git a/meetings/2023-05-02.md b/meetings/2023-05-02.md
@@ -0,0 +1,39 @@
+# Jupyter Security Bi-weekly Meeting
+
+## May 2, 2023
+
+| Name               | affiliation| username         |
+| -------------------| -----------| -----------------|
+| Jason Weill        | AWS        | @JasonWeill      |
+| Rick Wagner        | UCSD       | @rpwagner        |
+| Matthias Bussonnier| Quansight  | @Carreau         |
+| Jason Grout        | Databricks | @jasongrout      |
+| Rollin Thomas      | NERSC      | @rcthomas        |
+| Steve Silvester    | MongoDB    | @blink1073       |
+
+
+* Joe Lucas OOTO for this meeting. See you in Paris.
+* https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect
+* PyPI Organizations ([ticket](https://github.com/jupyter/security/issues/61))
+    * Key: Delegation to subprojects and keeping subprojects from hitting barriers to prevent fracture?
+    * 4 teams set up as 1 per GitHub org plus JupyterHub
+    * Experiment, on JupyterLab made Federic an owner, moved hatch-jupyter under that
+    * RBAC, OIDC could allow trusted publishers and bots go away
+    * PyPI vs GitHub
+        * Jupyter is subprojects in GitHub but not a perfect mapping
+        * PyPI packages are tied to repos, not GitHub orgs
+        * Flexibility in delegating who can manage releases, doesn't have to be SSC rep
+        * New feature: PyPI products can be linked to GitHub on PyPI `/manage/project/{repo}/settings/publishing`
+        * On GitHub required reviewers provide additional gating to publish
+        * Yanking from PyPI?  Needs PyPI account?
+    * Who should be top-level owners?  EC
+        * May be a good choice for now until an official delegation
+        * Q on asset inventory and privileged roles; is there an audit / sec team to be able to see into things?
+            * Rick doesn't want that at the moment
+    * Related: NPM provenance
+* Security Subproject Update during SSC/EC meeting
+    * Intigriti Bug Bounty
+        * Vulnerability handling across projects
+    * 2FA requirement
+    * Security workshop
+    * Auditing privileged access for Jupyter assets (github orgs/repos, pypi, DNS, etc. See notes from last time)
