jupyter / security

Announcement feature in JupyterLab

fcollonval opened this issue · comments

Hey security team,

We plan to roll out an announcement feature in the next minor JupyterLab version (3.6.0). The goal is to get a more direct channel to the users.

At the JupyterLab meeting, we discussed some security concerns and we would appreciate it if you could review it.


On the technical side, the news to be announced is fetched from an Atom feed generated by a Jekyll blog hosted as a GitHub Pages website.

The process to publish a post is described there.

On the JupyterLab side, the feature was added in that PR, and in a follow-up PR aggressive sanitization was added to the message.

In JupyterLab, the frontend calls the backend for news notifications, and the backend fetches the news feed from a customizable URL (that falls back to our GitHub Pages website).
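The flow described in the post above (backend fetches an Atom feed from a configurable URL, then the message is sanitized before it reaches the frontend) can be sketched as follows. This is an added example, not part of the original issue and not JupyterLab's own code; the function names, size caps and the https-only link policy are assumptions, and the feed is a constructed sample.

```python
import html
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

ATOM = "{http://www.w3.org/2005/Atom}"
MAX_FEED_BYTES = 256 * 1024  # assumed cap, not a JupyterLab setting
TAG_RE = re.compile(r"<[^>]*>")

def to_plain_text(value, limit=280):  # 280 is an assumed per-field cap
    """Reduce feed-supplied markup to a short, single-line plain-text string."""
    text = TAG_RE.sub("", html.unescape(value or ""))
    text = text.replace("<", "").replace(">", "")  # leftovers of unterminated tags
    text = "".join(ch if ch.isprintable() else " " for ch in text)
    return " ".join(text.split())[:limit]

def safe_link(href):
    """Keep only absolute https links without embedded credentials."""
    try:
        parts = urlsplit((href or "").strip())
        ok = parts.scheme == "https" and parts.hostname and not parts.username
    except ValueError:
        return None
    return parts.geturl() if ok else None

def parse_news(raw: bytes):
    """Parse an Atom feed fetched by the backend into sanitized news items."""
    if len(raw) > MAX_FEED_BYTES:
        raise ValueError("feed too large")
    text = raw.decode("utf-8")  # parse exactly the text that was checked
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("DTD and entity declarations are rejected")
    items = []
    for entry in ET.fromstring(text).iter(ATOM + "entry"):
        link = entry.find(ATOM + "link")
        items.append({
            "title": to_plain_text(entry.findtext(ATOM + "title")),
            "summary": to_plain_text(entry.findtext(ATOM + "summary")),
            "link": safe_link(link.get("href")) if link is not None else None,
        })
    return items

# Constructed sample feed (not real JupyterLab news content).
SAMPLE_FEED = b"""<feed xmlns="http://www.w3.org/2005/Atom">
<entry><title type="html">&lt;b&gt;Release&lt;/b&gt; notes</title>
<summary type="html">&lt;img src=x onerror=track()&gt;See the changelog</summary>
<link href="https://example.org/news/1"/></entry>
<entry><title>Second &amp;lt;script&amp;gt;post</title>
<link href="javascript:void(0)"/></entry></feed>"""
```

Because the feed URL is customizable, the parser treats every field as untrusted: the frontend should still render the returned strings as text, not as HTML.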

Hi @fcollonval, would you be interested in attending the next security meeting to discuss, December 6, 8 AM PST? The meeting is on the Jupyter community calendar also, with connection details. Thanks.

Thanks @rcthomas for reaching out. I'm unfortunately traveling during that time tomorrow. But I can connect next week (December 13th).

The meetings are every other week, so the next one scheduled is Dec 20.

Oh thanks for the heads up

Hi, just following up to see if there was a discussion, as I cannot find meeting notes from 20th Dec. Of note, this feature has shipped in JupyterLab 3.6 and we got some questions about privacy policy and security (I think the security aspect was limited to questions about external network traffic already described in the privacy policy).

I was unfortunately not able to attend a security meeting to discuss that point.

Closing as the feature is now shipped with JupyterLab. If the security team thinks some changes are required, please let us know.