New governance model: Jupyter Security subproject #111

Closed
rpwagner opened this issue Jul 30, 2021 · 4 comments

@rpwagner

Based on discussions and encouragement (particularly from @afshin and @blink1073) during the jupyter-server call today, @rcthomas, Tiffany Connors, and I (@rpwagner) would like to establish the Jupyter Security Subproject. Our work planning the Jupyter Community Workshop on security best practices has broadened, and includes an engagement with TrustedCI. With the additional support from TrustedCI, we can begin working on security-related activities ahead of the workshop, such as policy recommendations, or secure development practices.

During today's call, the jupyter_security repo was set up under the jupyter-server org as a starting point to capture this work. Later, this could become the team-compass repo for the Subproject. It was also recommended that we create a post on Discourse to let the community know about the Subproject. What should be included in the announcement? E.g., meeting times and location? We want to ensure we have the minimum structure needed to work with the rest of the community.

We're looking forward to any feedback on this idea. I will try to attend the July 30, 2021, governance call to see if there is any discussion around it.

@minrk
Member

minrk commented Jul 30, 2021

I think this would be great! My only questions would be about organization, GitHub-wise. GitHub orgs can have teams, e.g. a 'security' team, which I think is useful when drafting security advisories via GitHub's tools. This can be tedious to coordinate across our growing number of GitHub orgs, but jupyter-server definitely isn't the only org with security issues. My inclination would be to put the repo on the base jupyter org as an indicator that it is a place to discuss general security issues, and can be referenced from subprojects everywhere. Certainly no harm prototyping on jupyter-server first, though.

@echarles
Member

> This can be tedious to coordinate across our growing number of GitHub orgs, but jupyter-server definitely isn't the only org with security issues

I remember it was mentioned yesterday that the wording used in the current WIP governance model (working-group vs project?) for the security aspects should/could be revisited. Beyond the wording, I am interested to learn more about how Jupyter envisions the definition and handling of security issues.

@fperez
Member

fperez commented Jul 30, 2021

I fully agree with @minrk's take, that was also my immediate reaction.

@fperez
Member

fperez commented Jul 30, 2021

For reference, there's now a post on Discourse about this to announce it to the community, so they can start rallying around the new repo.

I'm going to close this issue as I think this job is done, and we now have the necessary scaffolding in place for further work. Thanks @rpwagner @minrk @rcthomas @afshin!

@fperez fperez closed this as completed Jul 30, 2021