Jupyter Security Best Practices Workshop

This is a continuation of an initial discussion on the Jupyter Security mailing list to evaluate the interest in a workshop focused on security for Jupyter. Based on the response in the mailing list, it’s clear that there’s interest and the question now is how myself and one or more motivated individuals should organize one. This is also the time to broaden the participants in the discussion. (Thanks Yuvi and Brian.)

(For those of you on the security list, the content below is very similar to my original email to the list.)

Idea & Questions

An outcome of the recent Jupyter Community Workshop hosted by NERSC and BIDS is the idea to hold another workshop focused on Jupyter security, particularly best practices for deploying and managing JupyterHub. As part of my work supporting data services for ALCF projects, I can lead the organization of the workshop. To me, this would be an initial event to bring more focus on security within the Jupyter community.

To motivate us further, there is funding available for hosting and travel from the Argonne Leadership Computing Facility (ALCF) and we could look for additional funding from the Jupyter Community Workshops effort by Bloomberg. A caveat to the ALCF support is that the event would need to occur by October 1, 2019.

Another topic for this workshop is diversity. I understand this can be a challenge within IT generally, and security especially, but we will get farther putting some effort towards improving representation. So whatever we can do within the bounds of our funding guidelines, let’s try.

Here are some questions for this group to gauge the level of interest and support for a “Jupyter Security Best Practices Community Workshop”:

  • Does this sound meaningful and worthwhile?
  • What are reasonable outcomes for this workshop?
  • Who should attend?
  • How long should it be?
  • When are the critical attendees available?

Below are some of my thoughts based on the discussions last week.

Potential outcomes for the workshop:

  • Updated Jupyter documentation on security.
  • A white paper on “Jupyter Security Best Practices”, scoped to various levels like DOE supercomputing centers, campus research computing centers, and workshops.
  • Summarizing Jupyter development practices that target security (e.g., code reviews, auth modules, CVE tracking, etc.).
  • Submit engagement proposal to Trusted CI to improve security in the Jupyter ecosystem, including development, operation, and usage of Jupyter.

Potential dates:

  • August 27-29, 2019
  • September 24-26, 2019

I appreciate any feedback and insight you all have.

Sincerely,

Rick Wagner

Globus
University of Chicago
Argonne National Laboratory
rick@globus.org

Slightly off topic: do you know where I can subscribe to this list? A quick google didn’t find anything :frowning:

I think that’s intentional (since a lot of security exploits get posted there it is treated as an invite-only list).

@rpwagner I bet a lot of the folks at the HPC workshop, as well as many people in companies and government facilities would be interested in this topic.
