From 5d62f798fbe0b81404b69983c18caa36e33500d4 Mon Sep 17 00:00:00 2001 From: RRosio Date: Tue, 25 Mar 2025 11:05:05 -0700 Subject: [PATCH 1/5] initial writeup --- docs/member-auditing.md | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 docs/member-auditing.md diff --git a/docs/member-auditing.md b/docs/member-auditing.md new file mode 100644 index 0000000..7b510e5 --- /dev/null +++ b/docs/member-auditing.md 
@@ -0,0 +1,28 @@ +# Jupyter Organization Member Auditing + +This document proposes a new security policy concerning member activity within our Github organizations. +The Jupyter Security Council aims to routinely review the activity levels of members across our Github organizations. +Members who have not engaged in any activity for a specific period will have their privileges adjusted or may be removed from the organization. This process aims to to enhance security by ensuring that only active contributors retain access. + +## Scope + +This process applies to *all projects* governed by Jupyter (including those under other organizations) such as: JupyterLab, Jupyter Notebook, Jupyter Server and JupyterHub. + +## Defining Inactivity + +A member is considered inactive if they have not performed any *public* [Github events](https://docs.github.com/en/rest/activity/events?apiVersion=2022-11-28#list-public-events-for-a-user) within the last [365] days. Some examples of those public activities include: + +- Commits to public repositories +- Pull requests to public repositoryies +- Participating in issues or pull requests + - Applying or managing labels on issues or pull requests + +## Communication and Feedback + +We understand that contributors may have varying levels of engagement due to numerous factors. Our goal is to implement this policy without disrupting workflows or discouraging contributions. +We will reach out to maintainers and members identified as inactive to discuss their status before making any changes. This ensures that we only adjust privileges for those who have truly been inactive. +We invite all maintainers, contributors and users to [share your thoughts or concerns](https://jupyter.org/security#community-reshttps://github.com/jupyter/security/issues/99) regarding this policy. Your feedback is valuable as we refine our approach to best support the Jupyter community. 
+ +## Reinstatement of Access + +If a member's privileges are adjusted due to inactivity, they can be reinstated upon request. Our goal is to maintain security without hindering future contributions. \ No newline at end of file From a93f8cb6e3df9949012349d58e2a07d1f3541966 Mon Sep 17 00:00:00 2001 From: RRosio Date: Tue, 1 Apr 2025 08:51:17 -0700 Subject: [PATCH 2/5] update GitHub name uppercase --- docs/member-auditing.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/member-auditing.md b/docs/member-auditing.md index 7b510e5..14f3807 100644 --- a/docs/member-auditing.md +++ b/docs/member-auditing.md @@ -1,7 +1,7 @@ # Jupyter Organization Member Auditing -This document proposes a new security policy concerning member activity within our Github organizations. -The Jupyter Security Council aims to routinely review the activity levels of members across our Github organizations. +This document proposes a new security policy concerning member activity within our GitHub organizations. +The Jupyter Security Council aims to routinely review the activity levels of members across our GitHub organizations. Members who have not engaged in any activity for a specific period will have their privileges adjusted or may be removed from the organization. This process aims to to enhance security by ensuring that only active contributors retain access. ## Scope 
@@ -10,7 +10,7 @@ This process applies to *all projects* governed by Jupyter (including those unde ## Defining Inactivity -A member is considered inactive if they have not performed any *public* [Github events](https://docs.github.com/en/rest/activity/events?apiVersion=2022-11-28#list-public-events-for-a-user) within the last [365] days. Some examples of those public activities include: +A member is considered inactive if they have not performed any *public* [GitHub events](https://docs.github.com/en/rest/activity/events?apiVersion=2022-11-28#list-public-events-for-a-user) within the last [365] days. Some examples of those public activities include: - Commits to public repositories - Pull requests to public repositoryies From 131fde5f85755eb1f55dcb327796e6ad197e1180 Mon Sep 17 00:00:00 2001 From: RRosio Date: Tue, 1 Apr 2025 08:58:33 -0700 Subject: [PATCH 3/5] clarify membership --- docs/member-auditing.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/member-auditing.md b/docs/member-auditing.md index 14f3807..ad594cc 100644 --- a/docs/member-auditing.md +++ b/docs/member-auditing.md 
@@ -2,7 +2,7 @@ This document proposes a new security policy concerning member activity within our GitHub organizations. The Jupyter Security Council aims to routinely review the activity levels of members across our GitHub organizations. -Members who have not engaged in any activity for a specific period will have their privileges adjusted or may be removed from the organization. This process aims to to enhance security by ensuring that only active contributors retain access. +Members who have not engaged in any activity for a specific period will have their privileges adjusted or may be removed from the organization. This process aims to to enhance security by ensuring that only active contributors retain access. This policy and GitHub privileges do not indicate membership or status within the Jupyter project. This policy aims to support the Jupyter project's overall security efforts. ## Scope From d08d925e06dc929ba7be65e20b9a484ebb444e33 Mon Sep 17 00:00:00 2001 From: RRosio Date: Tue, 1 Apr 2025 09:01:54 -0700 Subject: [PATCH 4/5] clear up wording --- docs/member-auditing.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/member-auditing.md b/docs/member-auditing.md index ad594cc..7a63fd9 100644 --- a/docs/member-auditing.md +++ b/docs/member-auditing.md 
@@ -2,7 +2,7 @@ This document proposes a new security policy concerning member activity within our GitHub organizations. The Jupyter Security Council aims to routinely review the activity levels of members across our GitHub organizations. -Members who have not engaged in any activity for a specific period will have their privileges adjusted or may be removed from the organization. This process aims to to enhance security by ensuring that only active contributors retain access. This policy and GitHub privileges do not indicate membership or status within the Jupyter project. This policy aims to support the Jupyter project's overall security efforts. +Members who have not engaged in any activity for a specific period will have their privileges adjusted or may be removed from the organization. This process aims to to enhance security by ensuring that only active contributors retain access. GitHub privileges do not indicate membership or status within the Jupyter project, this policy aims to support the Jupyter project's overall security efforts. ## Scope From 6217968bec6d3f0cf7b15710975b29225a935fbc Mon Sep 17 00:00:00 2001 From: Rosio Date: Tue, 22 Apr 2025 07:53:09 -0700 Subject: [PATCH 5/5] Update docs/member-auditing.md Co-authored-by: David L. Qiu --- docs/member-auditing.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/member-auditing.md b/docs/member-auditing.md index 7a63fd9..87211bb 100644 --- a/docs/member-auditing.md +++ b/docs/member-auditing.md 
@@ -13,7 +13,7 @@ This process applies to *all projects* governed by Jupyter (including those unde A member is considered inactive if they have not performed any *public* [GitHub events](https://docs.github.com/en/rest/activity/events?apiVersion=2022-11-28#list-public-events-for-a-user) within the last [365] days. Some examples of those public activities include: - Commits to public repositories -- Pull requests to public repositoryies +- Pull requests to public repositories - Participating in issues or pull requests - Applying or managing labels on issues or pull requests
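Review bot: in PATCH 1/5, the feedback link under "Communication and Feedback" is two URLs run together (`https://jupyter.org/security#community-reshttps://github.com/jupyter/security/issues/99`), so it will not resolve; split it into the security page anchor and the issue link, e.g. `[share your thoughts or concerns](https://github.com/jupyter/security/issues/99)`. In the same hunk, "This process aims to to enhance security" has a doubled "to" (it survives the rewrites of that line in patches 3 and 4), `[365]` reads as an unresolved placeholder and should either lose the brackets or be marked as a value still under discussion, and the new file is added without a trailing newline. On the definition itself: inactivity is measured only against *public* events, so a member whose recent work is private (for example triaging reports in a private security repository) would be flagged; the outreach step in "Communication and Feedback" is what prevents a wrongful removal here, so "Defining Inactivity" should state that private activity is not counted and that flagged members are contacted before any change. It is also worth confirming that the linked public-events endpoint actually returns a full 365 days of history before it is used as the measurement source; if the timeline it returns is shorter than the window, the audit will under-count activity and flag members who are in fact active.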
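Review bot: in PATCH 3/5, the added sentence "This policy aims to support the Jupyter project's overall security efforts." restates the preceding "This process aims to to enhance security ..." sentence on the same line; since the line is being rewritten anyway, fold the two into one sentence and fix the doubled "to" in the same change.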
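Review bot: in PATCH 4/5, the reworded sentence "GitHub privileges do not indicate membership or status within the Jupyter project, this policy aims to support the Jupyter project's overall security efforts." joins two independent clauses with a comma; use a semicolon or two sentences, e.g. "GitHub privileges do not indicate membership or status within the Jupyter project; this policy exists to support the project's overall security efforts." The doubled "to" in "aims to to enhance" earlier on the same line is still unfixed.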