# GeoTools / GeoServer PMC meeting - 2023-03-28

### Attending

- Torben Barsballe
- Jody Garnett
- Andrea Aime
- Kevin Smith

### Actions from prior meetings

- N/A

### Agenda

1. GSIP-217
2. GSIP-218
3. GeoServer 2.23.0 release
4. org.opengis action
5. Security policy
6. Jenkins red builds
7. geowebcache website

### Actions

- jody: GSIP-218 has some support/feedback for mailing list discussion
- jody: initiative landing page for osgeo board meeting: https://www.osgeo.org/opengis-harmonization/
- andrea: talk to chris about domain name transfer of geowebcache.org to osgeo foundation
### GSIP-217

Sibling repository for GeoServer ACL project

https://github.com/geoserver/geoserver/wiki/GSIP-217

Needs a couple of votes from Kevin and Torben. Sounds like Gabe is wishing to get a move on.

Discussion about having ACL / GeoFence work with an active version of GeoServer? stable / maintenance

- discussion: As long as stable / maintenance JUnit tests ensure integration tests it should be fine?
- Treat as an upstream dependency; as long as geoserver pulls in dependencies from latest GeoFence then it should be compatible

Counter proposal: could GeoFence use a bill of materials pom.xml?

- Not easy? As GeoFence wishes to be behind the curve
- GeoServer ACL wants to be ahead of the curve

If there are problems then the approach is to add more integration tests. GeoServer ACL will be vulnerable as a community module (without automated tests running). Good encouragement to become an extension…
### GSIP-218

Control remote HTTP requests sent by GeoTools \ GeoServer

https://github.com/geoserver/geoserver/wiki/GSIP-218

Start with the most obvious gaps:

- remote styles
- remote wps sources

Lots of ideas for the future; could handle some of the external entity limitations (presently a system parameter).

This is server side request forgery protection … which is kind of baked into the WPS and remote Style standards (which were made when the internet was a more innocent place apparently).

Discussion:

- Should we speak up as OGC members (GeoSolutions / GeoCat) to prevent this kind of vulnerability occurring in the OGC API family of standards? Consider as a topic for the upcoming code sprint

Discussion:

- Where does this show up in the UI? Top-level page in the security section is proposed?
- Global settings has similar stuff also?
- Regex is two problems? The problem, and is your regex correct?
- Andrea proposes a testing panel? Yeah …
- A list with “https://blah.blah/*” prefix matches? For the simple case since this is an important … even a localhost example.
- Q: Would a list of domain names be easier?
- Yes, that is how EXTERNAL ENTITY is controlled? No, it lists prefixes …
- Prefer to point to the exact service for better control / security …
- Expect that this list is usually a list of regex
- Andrea will make the type of checks “regex” (like sql view parameters) in case Jody wants to add “prefix” …

Action:

- Jody will vote +1 with feedback on the mailing list (does not trust this to be a documentation problem). This is a great step …
### GeoServer 2.23.0 release

Jody has deadlines this week; so this is a background activity.

Some feedback:

- windows installer is “okay” but not great; but it is the same “not great” as before … Java 11 just made things awkward with Oracle
- a spring upgrade and spring security upgrade was added (gak)
- Not really happy about that, but it is a bugfix for spring expression language which we do not use very much
- RC2? No, just go for release

Q: Anything needing to be back ported to 2.23.x?

- did a round up; some doc fixes
### org.opengis action

Some discussion about this not being just a search/replace, in order to provide value to the geotools community.

Provide a one-upgrade experience for downstream projects.

OSGeo Board Meeting in 2 hours:

- Need a landing page for initiative and sponsoring
- GeoSolutions offered to do in-kind (work hours), would like to ask other organizations to do the same
- Would like to target foss4g sprint (design), and bolsena sprint (implementation), and OSGeo funding for downstream project (monthly drop-in office hours).

Discussion: style as immutable interface, and a mutable implementation!

- so we cannot trust the object not to change; so we make a copy all the time
- the copy-on-write builder approach proposed is looking really good

actions:

- jody: (done) need an initiative landing page before osgeo board meeting in 2 hours! https://www.osgeo.org/opengis-harmonization/
### Security policy

Getting some feedback on updating dependencies that are addressing their own CVEs.

Both points are good:

- It is NOT GOOD to highlight these CVEs in the release announcement without an assessment to check if GeoServer is even vulnerable
- It becomes noise and trains our community to ignore security vulnerability sections; so they do not act promptly when faced with an actual important upgrade (like the SQL Injection one last month)
- Keeping it secret is not useful as the dependency has already advertised a CVE

The original ticket titles for the spring upgrade mentioned the CVE numbers in the ticket title; so it would show up in our release notes and thus be “highlighted” in the release announcement.

How do we like the github security disclosure workflow?

- Idea of inviting interested parties to the security disclosure (for something like JQuery that comes up in scans, but has been assessed with the determination that GeoServer is not vulnerable)?
- How about using this without inviting interested parties? May work …
- Could we use this to make a public statement about JQuery above?

Goal would be to cut down on recurring reports from automated scans …

Idea:

- Test: Make an advisory about the JQuery vulnerability consisting only of an assessment.

Example: https://github.com/geotools/geotools/security/advisories/GHSA-99c3-qc2q-p94m

- when anonymous no discussion is available
- when logged in geotools PMC can see discussion and associated PR review
### Jenkins red builds

github changed ssh so jenkins was sad with broken builds.

A documentation fix based on antrunner / ant incompatibility also.

Thanks Andrea, disaster averted etc…

### geowebcache website

Planet still has https://www.geowebcache.org/ and we need to arrange domain transfer. Ask Andrea to talk to Chris again? Only thing that had an effect …

OSGeo: https://trac.osgeo.org/osgeo/ticket/2416

OSGeo website is available, but no index page: https://geowebcache.osgeo.org/docs/main/#

action:

- andrea: talk to chris about domain name transfer of geowebcache.org