Wednesday, December 15, 2021

Trusted CI Wraps Up Engagement with Jupyter Security Coordinators

Project Jupyter is an open-source project consisting of several products, including Jupyter Notebook/Server, JupyterHub, and JupyterLab, which are used throughout the NSF community. This Trusted CI engagement was originally motivated by a Jupyter Security Best Practices Workshop tentatively scheduled for April 2022. Due to the ongoing pandemic, the workshop has been canceled, and alternative avenues for discussion of Jupyter security topics are being pursued.

Regardless, the engagees agreed that there was value in continuing the original engagement tasks, which include the following.

  • Perform a high-level survey of existing Jupyter documentation with a focus on the security aspects of installation and configuration. Identify gaps and suggest recommendations for improvement.
  • Identify common Jupyter deployment use-cases as targets for Jupyter Security Best Practices documentation.
  • Write security documentation for as many of these use-cases as time permits.

Three documents were produced from these engagement tasks.

  • A summary of all existing Jupyter documentation focused on security aspects of deployment and configuration. This survey was presented to the Jupyter community via Jupyter's Discourse.
  • Suggestions for revisions to Jupyter Notebook documentation related to security of a single-user (e.g., laptop) installation.
  • Suggestions for revisions to JupyterHub documentation related to security of a single-server / multi-user (e.g., small scientific project) installation.

All documentation produced during this engagement has been published to a GitHub repository.

Concurrent with this Trusted CI engagement, the Jupyter Security Coordination Team began working with the Jupyter Steering Council to address security issues across the Jupyter project as a whole. This effort led to the following milestones.

This engagement represents the start of a bigger conversation focused on Jupyter security concerns. It is our hope that the documentation produced by this engagement will be incorporated by Jupyter developers into their project documentation to assist administrators and users in securing their deployments.