
Security FAQ on the main page? #10

Open
fperez opened this issue Sep 29, 2021 · 3 comments

Comments

@fperez (Member) commented Sep 29, 2021

Just today there was a nice question sent to the disclosures email address about binder, which @Carreau kindly responded to (thanks!!!). It occurred to me that it would perhaps be helpful for the community to have an easy-to-find list of these common questions. I know we always have the question of "where does the info go" - for example in this case, should it be in binder itself, or in a central location? But while I know duplication runs the risk of staleness, there's also something to be said for these things being very easy to find in expected locations, which points towards some necessary duplication.

My starting suggestion would be to add to Jupyter Security a FAQ section that starts simply with easy, top-level stuff. If it does grow, we can simply break it down by sub-project, and suggest that in each project's security docs, they simply link back to this page (or the reverse - the FAQ could be links to each project's FAQ section, all identically formatted, I have no strong opinions here).

For reference, the question was, in case we do want to seed this with it -

Q: What happens to the data you can upload when using the try-out version of Jupyter Lab online via Binder?

A: When using binder we do our best to destroy all the data as soon as your session expires. It might stay in the server memory for a few minutes after you close the page in case this is just a temporary drop in the connection but we do not attempt to keep it and do not send it somewhere else. We also do our best to make sure users of binder cannot infer information about each other while connected.

Though if you are working with sensitive data, we do recommend working with caution, and either host your own binder or a different service.

Keep also in mind that binder can also run images that are not provided by the Jupyter team, and that for those images we cannot make guarantees about their behavior.

@rcthomas (Contributor) commented

@fperez have you had a look at the document linked from this post:

https://discourse.jupyter.org/t/jupyter-security-related-documentation/10921

It's not about a FAQ, but it does provide all by itself (even just because of its length) a sense of how much documentation there is and how it's distributed across various projects. What to do with it? Something (a FAQ, or primary clearinghouse, not sure what) that gives people answers to high-level questions and then a way to delve into details would be great. Trusted CI are taking that security docs census and putting together a synthesis document we'll be taking a look at in the next few weeks; maybe a FAQ can be an aspect of that?

Attaching (or including) something like that to the top-level security page seems like a good idea. But for a FAQ we need to know: What are the actual most frequently asked questions?

@fperez (Member, Author) commented Sep 29, 2021

Ah, hadn't seen that! It's excellent, albeit a bit overwhelming (in a good way :)...

My approach with FAQ-building is to take a more, shall we say, subjective view of the word "frequently" :) I grab any question that I can imagine a user asking, even if it comes up only once; as long as it illustrates an important point well, I put it in. I do that each semester for my big courses, you can see an example here. In a sense the point of the FAQ is that those questions don't get asked too frequently! By having them in one single, easy to find/search/read location, they prevent the questions from coming up at all.

So the FAQ is a bit more of an editorial art than a frequency-collection statistical act, IMO...

@Carreau (Member) commented Sep 29, 2021

As you are active on GitHub, can I get your thoughts on #7 (and #6, which is the corresponding issue)?

I think that extending the jupyter.org/security page makes a lot of sense, potentially listing previous security vulnerabilities and also recognizing all the security researchers that contributed. You know, like take Apple as an example and do the opposite.
