jupyter / security

Create a high-level landing page for Jupyter security

rcthomas opened this issue · comments

As a first issue I thought I'd suggest we follow through with a suggestion from @fperez during last week's Governance office hours, and create a high-level landing page such as "jupyter.org/security," similar to how ASF has a landing page at www.apache.org/security/ (thanks Sharan for the link). That page

  • Explains that there is a team that provides help and advice to the projects and coordinates the handling of issues
  • Describes how vulnerabilities are reported (Jupyter projects have a few places where this is discussed)
  • Provides information on published vulnerabilities
  • Describes the vulnerability handling process

The security landing page could provide links to resources on subprojects beyond that, or links to documentation about securing Jupyter deployments, or maybe reference a document that pulls these links together. Some great examples highlighted at the jupyter-server meeting last week include (probably not an exhaustive list):

@rcthomas I've drafted a barebones page in a fork of Jupyter repo.
https://github.com/rpwagner/jupyter.github.io/blob/master/security.md

+1,

I'm unsure about the PGP key; I've never used it and don't know who has access to it. Maybe @ivanov does?

Maybe we should also list security vulnerability reporters in a hall of fame later on this page.

We should also mention the ipython-security google group for semi-private security discussion and advanced notice.

@Carreau, maybe people on the steering council have access to this key? Would you mind sending an email to the SC to see if anyone does and if they can work with this group to find a good home for it?


From digging in the archives it looks like @minrk and @takluyver also have the key, so that might help with sharing it.
Even with the key, I'm unsure how I would decrypt. And with my understanding of crypto I would prefer to have something other than a single key where we share the master.
Can we have a master key that lists multiple subkeys so that each person on the security mailing list can decrypt independently and be revoked?
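The question above is about how a security contact address can be encrypted to several people without everyone sharing one private key. OpenPGP already handles this without a special "master key listing subkeys": a message is encrypted to a list of recipients, the session key is wrapped once per recipient public key, and each recipient decrypts with their own private key. Dropping a member is then just removing them from the recipient list. The script below is an added example (not code from this thread, from jupyter.org or from the Jupyter project) that demonstrates this with GnuPG. The people (Alice, Bob), their e-mail addresses, the sender keyring and the report text are all constructed for the demo; it assumes GnuPG 2.1 or later on PATH and keeps everything in throwaway keyrings under a temp directory.

```shell
#!/bin/sh
# Added example, not from the thread or the project: encrypt one report to
# several recipients with OpenPGP so nobody needs a shared master key.
# Alice, Bob, their addresses and the report text are constructed. Needs
# GnuPG 2.1+ on PATH; all keyrings are created in a temp directory.
set -eu

if ! command -v gpg >/dev/null 2>&1; then
  echo "gpg not found; this demo needs GnuPG 2.1 or later" >&2
  exit 0
fi

WORK=$(mktemp -d)
ALICE_HOME="$WORK/alice"; BOB_HOME="$WORK/bob"; SENDER_HOME="$WORK/sender"
PLAINTEXT="constructed sample: private vulnerability report body"

cleanup() {
  for h in "$ALICE_HOME" "$BOB_HOME" "$SENDER_HOME"; do
    gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
  done
  rm -rf "$WORK"
}
trap cleanup EXIT

# One isolated GnuPG home per person, so no private key is ever shared.
new_home() {   # new_home HOME
  mkdir -m 700 "$1"
  echo "allow-loopback-pinentry" > "$1/gpg-agent.conf"
}

# Primary key plus encryption subkey (gpg's "default" algorithm), with an
# empty passphrase purely so the demo runs unattended.
make_key() {   # make_key HOME "Name <email>"
  gpg --homedir "$1" --batch --yes --quiet --pinentry-mode loopback \
      --passphrase '' --quick-gen-key "$2" default default never
}

# Publish a member's public key into the sender's keyring.
share_pubkey() {   # share_pubkey FROM_HOME TO_HOME EMAIL
  gpg --homedir "$1" --batch --armor --export "$3" \
    | gpg --homedir "$2" --batch --quiet --import
}

# Encrypt IN to every e-mail address given after OUT. The session key is
# wrapped once per recipient inside a single ciphertext.
encrypt_report() {   # encrypt_report SENDER_HOME IN OUT email...
  home=$1; in=$2; out=$3; shift 3
  rargs=""
  for r in "$@"; do rargs="$rargs -r $r"; done
  # $rargs is split on purpose; the addresses contain no whitespace.
  gpg --homedir "$home" --batch --yes --quiet --trust-model always \
      --encrypt --output "$out" $rargs "$in"
}

# How many per-recipient wrapped session keys the ciphertext carries.
recipient_count() {   # recipient_count HOME FILE
  gpg --homedir "$1" --batch --list-packets "$2" 2>/dev/null \
    | grep -c ':pubkey enc packet:' || true
}

# Decrypt with whatever private keys live in HOME; fails if none match.
decrypt_as() {   # decrypt_as HOME FILE
  gpg --homedir "$1" --batch --quiet --pinentry-mode loopback \
      --passphrase '' --decrypt "$2" 2>/dev/null
}

for h in "$ALICE_HOME" "$BOB_HOME" "$SENDER_HOME"; do new_home "$h"; done
make_key "$ALICE_HOME" "Alice Example <alice@example.org>"
make_key "$BOB_HOME" "Bob Example <bob@example.org>"
share_pubkey "$ALICE_HOME" "$SENDER_HOME" alice@example.org
share_pubkey "$BOB_HOME" "$SENDER_HOME" bob@example.org
printf '%s\n' "$PLAINTEXT" > "$WORK/report.txt"

# 1. Both members on the list: one file, two wrapped session keys, and each
#    member decrypts independently with their own key.
encrypt_report "$SENDER_HOME" "$WORK/report.txt" "$WORK/report-both.gpg" \
  alice@example.org bob@example.org
echo "wrapped keys in report-both.gpg: $(recipient_count "$SENDER_HOME" "$WORK/report-both.gpg")"
decrypt_as "$ALICE_HOME" "$WORK/report-both.gpg" >/dev/null; echo "alice can read it"
decrypt_as "$BOB_HOME"   "$WORK/report-both.gpg" >/dev/null; echo "bob can read it"

# 2. Bob leaves the team: stop encrypting to him. Nothing shared has to be
#    rotated, and his key cannot open reports sent after that point.
encrypt_report "$SENDER_HOME" "$WORK/report.txt" "$WORK/report-alice-only.gpg" \
  alice@example.org
if decrypt_as "$BOB_HOME" "$WORK/report-alice-only.gpg" >/dev/null; then
  echo "unexpected: bob decrypted a report not addressed to him"
else
  echo "bob can no longer read new reports"
fi
```

For a real security list the same idea applies with each member's own long-lived key: the published contact page lists the fingerprints to encrypt to, a departing member is removed from that list (and revokes their key if it is compromised), and nobody ever has to hand around a single private key. The per-person keys here are unprotected only so the script runs without a passphrase prompt.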

At the Friday meeting we decided @rpwagner would finish this up and submit a PR hopefully this week to get the basic page in place and then we can start working on new issues for it

It's live: https://jupyter.org/security. Thanks @rpwagner for setting this up and @choldgraf and @Carreau for review/merge!