-
Notifications
You must be signed in to change notification settings - Fork 5
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
On merging jupyter-lsp
org
#25
Comments
CC @bollwyvl I think this was never formally confirmed, but I could agree that jupyter-lsp org is under the Jupyter EC governance (although without representation); indeed, at least one member of the EC was added to the team of owners after the LSP JEP (jupyter/enhancement-proposals#72) was merged. In that case the question is why not make it an official Jupyter GitHub org? Previously there was a proposal to move the server part to jupyter-server (jupyter-server/team-compass#30) but it was abandoned because there was no bandwidth to sync across repos across orgs. Moving all the repositories to another org rather than splitting out a bit would be easier, but still it would make it harder to manage. One non-disruptive solution would be adding representative(s) of the security team to the jupyter-lsp org as a security manager(s) (jupyter/security#68), an approach that we discussed on at least two security meetings. |
See #12 among other discussion.
The question here is for whom ? Having to manage 15+ org and search repositories, or check settings, or remove write permissions from someone because they got their machine compromised in 15 org is definitely not fun. |
Another simple solution is to remove the jupyter-lsp dependency from jupyterlab. It is not really used right now as jupyterlab does not ship with any LSP server. |
Just to spell it out, it looks like we are stuck in a bad place here (either inconveniencing maintainers or security team) because we are using a free produce whereas the platform also offers a paid version which does not have the limitation that the security team is facing:
Link: https://docs.github.com/en/enterprise-cloud@latest/admin/overview/about-github-enterprise-cloud |
Let's keep the discussion on reducing the number of orgs into a issue to reduce the number of orgs.
It's not sufficient for me, if we remove it and jupyter-lsp org is not official then it also need to clearly update the description and the log and actually be unaffiliated. It also does not solve how we open a security discussion, because we have a report and it affects existing deployment. |
I have now created security managers team in juypter-lsp and invited security team members there. |
@krassowski and others - what do you think about proposing jupyter-lsp be adopted by the jupyterlab subproject and github org? |
No strong opinion, also depends on what exactly you mean; again we had this discussion before:
Keeping it as a monrepo and moving it to jupyterlab org:
Splitting up jupyter-lsp (server) from jupyterlab-lsp (front) and moving only jupyter-lsp into jupyterlab org:
Here are the current repos that could be migrated:
Of course we could only migrate the first repo and leave the gutted jupyter-lsp org as an unofficial org for jupyter-lsp-adjacent stuff (where you would find e.g. ipython-optimized language server extensions for python-lsp-server). At this point it is probably better for me to distance myself from the decision and let EC decide. |
I guess this issue would be friendlier if Jupyter Security team approached jupyter-lsp directly first rather than starting with EC, especially given that a presence of a security vulnerability is now being discussed in public although it was not reported to maintainers, and I still don't know if I should prepare for a sleepless night because of a potential a critical issue which as stated affects existing deployments ;) |
I opened jupyter/security#73 to consider a different solution to the underlying problem. |
During the EC meeting someone was present and pointed out that some discussion of having lsp into jupyterLab were already discussed and took a long time, likely hence the reason for the separate org. Hence our decision to directly open an issue at a higher level. I don't think the discussion that there is a security vulnerability report is a problem, It does not give attacker any information, nor say if the report is valid. Which I don't know as I have not read it. |
Thanks for the extra context and thank you for taking care of everything security! |
Thanks for looking at this @krassowski and @Carreau There are two routes for incorporating jupyter lsp:
|
That would make sense. Maybe https://github.com/jupyter-lsp/jupyterlab-lsp could be transferred to https://github.com/jupyterlab as is, under the Jupyter Frontends subproject? |
Yeah, I am happy for it to happen if someone is going to champion it (and help with the associated reconfigurations). |
Maybe we could have an issue on the Jupyter Frontends team compass repo to discuss this? |
Yes, I reopened jupyterlab/frontends-team-compass#67. @ellisonbg regarding a conversation ( jupyterlab/frontends-team-compass#247 (comment)) about AWS team being constrained to contribute to repositories in
I presume this implies that the EC's stance is then that
If you don't change the process too much I already have a checklist filled for this option, ready to go since 2020, here: jupyterlab/frontends-team-compass#67 (comment). But seriously, think I would lean that it makes more sense to make it a part of Jupyter Frontends subproject than create a new thing. The overhead of holding an election for representative does not seem worth it, and it would be odd for this rather a minor feature to have the same voting power as both Jupyter Notebook and JupyterLab combined. And the debugger does not have its own subproject either ;). |
Thanks for reopening jupyterlab/frontends-team-compass#67 👍 Yes it would make sense to make it part of the Jupyter Frontends, and eventually retire the |
So apparently Jupyter is now using Enterprise as per jupyter/enhancement-proposals#122 (comment). I don't think it changes much, except reducing the number of arguments against having a separate jupyter-lsp org. |
See jupyter/governance#219 for more info about the enterprise org. |
I accepted the invite to the Jupyter Enterprise Org for jupyter-lsp based on the invite as per jupyter/governance#221 (comment) |
Thanks @krassowski. Based on the messages in the past few weeks about jupyter-lsp being adopted under the Project Jupyter umbrella, can we have a jupyter frontend subproject council vote about adopting the jupyter-lsp org under the frontend subproject before the final approval from our end to join the jupyter enterprise org? |
Ping @krassowski and @jtpio (the frontends SSC rep) for their thoughts. What do you think about having a frontends subproject council vote about adopting the jupyter-lsp github org and repos? |
Yes that makes sense. We can probably comment on jupyterlab/frontends-team-compass#67 as mentioned above, and open a new issue on the team compass for the vote. |
The Jupyter Security team was recently informed of a vulnerability that impacts the
jupyter-lsp
package (which is installed by default with JupyterLab). However, this package's source is hosted under thejupyter-lsp/
GitHub org, rather than an official Jupyter GitHub org likejupyter/
orjupyterlab/
. This makes it challenging for us to open private discussion about potential security issues, or review any best practices.Can the executive council consider merging the
jupyter-lsp/
GitHub org intojupyterlab/
orjupyter/
?cc @jtpio @krassowski and @martinRenou
The text was updated successfully, but these errors were encountered: