Possible topics for discussion:
TOPIC: How much security complexity can JupyterLite solve for in moving computation to a tab in the client’s browser? What about remote data?
Methods for remotely accessing/paging data in from a client when a complete download of the dataset is unnecessary:
TOPIC: Launching remote notebooks within my org’s Jupyter resources
- Should it be easy?
- Should there be a warning about untrusted code?
Jupyter-book has buttons to launch a remote instance with the current content and/or make code cells live:
Would something like the ideas proposed in nbhandler (for launching remote repos locally with repo2docker instead of in a free cloud instance) be a security regression or enabling for science?
(Issue #1 · westurner/nbhandler · GitHub)
FWIU, JupyterLite bundles in jupyter extensions with the static archive build. How is this best done with repo2docker? Will repo2docker always install the latest jupyterlab and dependencies (in a container layer) after the user installs whichever jupyter extensions are specified in e.g. a REES-compatible repo with a `requirements.txt`, `environment.yml`, and/or `postInstall`? Should there be a warning about things being out of date, like `pip` warns when `pip` is out of date?
If I deploy notebooks and their dependencies to WASM with JupyterLite like this, how will people then open this repo outside of a browser tab? With repo2docker locally? With a binderhub and/or a jupyterhub and/or locally (possibly with e.g. nbhandler)? With a Rocket Ship launch icon like jupyter-book? With a ‘launch in notebook platform _____’ badge? With a button on {github, gitlab, } that lets users select from various hosted notebook platforms? And then that trusted code runs in a cloud instance, or in a browser tab, or locally as a local user, with or without monitoring, logging, and [per-opcode] accounting.
```sh
pip install --pre jupyterlite
jupyter lite init
jupyter lite build
jupyter lite archive
```
An action for jupyter-lite could just build archives on GitHub’s resources using your GitHub Actions user/org quotas, just like repo2docker-action (GitHub - jupyterhub/repo2docker-action: A GitHub action to build data science environment images with repo2docker and push them to registries) builds containers on resource-constrained cloud server VM container instances.
TOPIC: Realtime collaboration and Jupyter Security
TOPIC: Jupyter, Capabilities, and free VMs and/or Containers
e.g. WASM (and thus Jupyter-Lite) does not include raw socket network access (but does support WebSockets and WebRTC). Hosted Jupyter solutions have various policies for free resource quotas and maybe network access. Which of these tasks are realistic needs for Jupyter containers?
What does Falco check for?

Falco ships with a default set of rules that check the kernel for unusual behavior such as:

- Privilege escalation using privileged containers
- Namespace changes using tools like `setns`
- Read/Writes to well-known directories such as `/etc`, `/usr/bin`, `/usr/sbin`, etc
- Creating symlinks
- Ownership and Mode changes
- Unexpected network connections or socket mutations
- Spawned processes using `execve`
- Executing shell binaries such as `sh`, `bash`, `csh`, `zsh`, etc
- Executing SSH binaries such as `ssh`, `scp`, `sftp`, etc
- Mutating Linux `coreutils` executables
- Mutating login binaries
- Mutating `shadowutil` or `passwd` executables such as `shadowconfig`, `pwck`, `chpasswd`, `getpasswd`, `change`, `useradd`, etc, and others.
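For the "Jupyter in a container with monitoring" case, here is an added example of what a few of the Falco categories above look like when narrowed to a notebook container. This is not the post's own code and not part of Falco's shipped `falco_rules.yaml`; it defines its own macros and lists so the file stands alone. It assumes kernel images are published under a repository name starting with `jupyter/` (the hypothetical `jupyter_container` macro) and that the legitimate parents of a kernel subprocess are `python`/`python3` or the `jupyter-lab`/`jupyter-notebook` server processes (the hypothetical `jupyter_parents` list); the field names (`container.image.repository`, `proc.name`, `proc.pname`, `fd.name`, `evt.type`, `evt.is_open_write`) are Falco's own.

```yaml
# Added example (not from the post or from Falco's default rule set).
# Assumption: Jupyter kernel images live under a repository prefixed "jupyter/".
# Macros and lists are defined here instead of relying on falco_rules.yaml.

- macro: jupyter_container
  condition: container.id != host and container.image.repository startswith "jupyter/"

# Process exec completed (evt.dir=< is the exit side of the syscall) inside such a container.
- macro: spawned_in_jupyter
  condition: evt.type in (execve, execveat) and evt.dir=< and jupyter_container

- list: shell_binaries
  items: [sh, bash, csh, zsh, dash, ksh]

- list: ssh_binaries
  items: [ssh, scp, sftp]

# Assumption: processes that legitimately fork subprocesses in a notebook container
# (IPython kernels run "!cmd" and %%bash through python; the server spawns kernels).
- list: jupyter_parents
  items: [python, python3, jupyter-lab, jupyter-notebook]

# A bare "shell spawned in container" rule is noisy for notebooks, because
# "!ls" in a cell is itself a shell exec. Alert only when the parent is not a
# kernel or server process, which is what a dropped-in reverse shell or cron
# job looks like.
- rule: Shell spawned in Jupyter container by non-kernel parent
  desc: A shell started inside a Jupyter container from an unexpected parent process
  condition: >
    spawned_in_jupyter and proc.name in (shell_binaries)
    and not proc.pname in (jupyter_parents)
  output: >
    Shell in Jupyter container from unexpected parent
    (user=%user.name shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline
    container=%container.id image=%container.image.repository)
  priority: WARNING
  tags: [jupyter, shell]

# ssh/scp/sftp have no business running from a notebook kernel; treat as a
# possible pivot or data exfiltration attempt regardless of parent.
- rule: SSH client spawned in Jupyter container
  desc: ssh, scp or sftp executed inside a Jupyter container
  condition: spawned_in_jupyter and proc.name in (ssh_binaries)
  output: >
    SSH client in Jupyter container
    (user=%user.name cmd=%proc.cmdline parent=%proc.pname container=%container.id)
  priority: WARNING
  tags: [jupyter, network]

# Writes under /etc from notebook code: covers the "well-known directories"
# category. Only the exit of a write-mode open is checked so the fd is real.
- rule: Write below /etc in Jupyter container
  desc: Notebook code opened a file under /etc for writing
  condition: >
    evt.type in (open, openat, openat2) and evt.is_open_write=true and evt.dir=<
    and jupyter_container and fd.name startswith /etc/
  output: >
    Write under /etc in Jupyter container
    (file=%fd.name proc=%proc.name parent=%proc.pname user=%user.name container=%container.id)
  priority: ERROR
  tags: [jupyter, filesystem]
```

Load it alongside the defaults (for example `falco -r /etc/falco/falco_rules.yaml -r jupyter_rules.yaml`) and tune the `jupyter_parents` list to whatever actually spawns subprocesses in your images before trusting the first rule; the exception list, not the shell list, is where the false positives come from.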