Move/Extend security subproject to the numfocus level. #6
Comments
See #7 for a draft.
I think this could be a nice pooling of resources across the community. I'd bet that many security vulnerabilities would be relevant to the stakeholders across many projects, and in addition I suspect that things like "watch the security email listserv" is a thankless job that is hard to do equitably with limited resources. For that reason, finding ways to pool resources across NumFocus projects could be helpful. A few things that I think should be included in a suggestion:
Yes, that is in #7,
So far in #7, to keep things simple, I assume that reports are acted upon, and if not this group can report to the board of directors of NumFOCUS. My expectation is that people care and that the community is small enough, with NF holding contact info, that anybody can be reached. I hope to extend that later if the group initially works.
That's a good thing to add, thanks. I also received the default charter for NF from Leah and will adapt #7 to it. The main question so far is whether we can find 5 people OK with serving on it in a first pass.
@Carreau I've been unable to review the PR due to time constraints but hope to take a look and give feedback in the next several days.
No worries, I've also received the NF official charter, so I might need to adapt it to that. It's really a draft, and I guess the hardest part would be to find 5 people to start.
This conversation was started a bit at the meeting 8 days ago.
It appears to me that beyond the scope of Securing Jupyter, there are security aspects that could be tackled at the NumFOCUS level.
Indeed, security in a Jupyter environment is not limited to how Jupyter is deployed, but can also be affected by all the packages installed. And while to the core contributors it might be obvious who to contact and which projects are impacted, for questions about security or vulnerability disclosure the point of contact might be unclear.
In practice, there are also monitoring and configuration issues at the Jupyter level, where security(at)ipython.org mails can go to spam, be ignored, or bounce. And the key management is imperfect. I would like to suggest the following to the NumFOCUS board:
[email protected] mailing address.
To be clear, I don't expect people from this committee to decide the best practices about security, or to work on fixing the security issues, but to make sure that there is a single unified point of contact across the PyData ecosystem, and a guaranteed fast acknowledgement of reports.
If we want an actual proposal to NumFOCUS, then we need a better document that lists exactly what we are asking for, and who would serve on this committee.