[Geoserver-devel] GeoServer PSC Meeting 2023-03-28

GeoTools / GeoServer PMC meeting - 2023-03-28

Attending

  • Torben Barsballe

  • Jody Garnett

  • Andrea Aime

  • Kevin Smith

Actions from prior meetings:

  • N/A

Agenda

  1. GSIP-217

  2. GSIP-218

  3. GeoServer 2.23.0 release

  4. org.opengis action

  5. Security policy

  6. Jenkins red builds

  7. geowebcache website

Actions

  • jody: GSIP-218 has some support/feedback for mailing list discussion

GSIP-217

Sibling repository for GeoServer ACL project

https://github.com/geoserver/geoserver/wiki/GSIP-217

Needs a couple votes from Kevin and Torben 🙂 Sounds like Gabe is wishing to get a move on 🙂

Discussion about having ACL / GeoFence work with an active GeoServer version (stable / maintenance)?

  • discussion: As long as stable / maintenance JUnit tests ensure integration tests it should be fine?

  • Treat as an upstream dependency; as long as geoserver pulls in dependencies from latest GeoFence then it should be compatible

Counter proposal could GeoFence use a bill of material pom.xml?

  • Not easy? As GeoFence wishes to be behind the curve

  • GeoServer ACL wants to be head of the curve

If there are problems then the approach is to add more integration tests. GeoServer ACL will be vulnerable as a community module (without automated tests running). Good encouragement to become an extension…

GSIP-218

Control remote HTTP requests sent by GeoTools \ GeoServer

https://github.com/geoserver/geoserver/wiki/GSIP-218

Start with most obvious gaps:

  • remote styles

  • remote wps sources

Lots of ideas for the future, could handle some of the external entity limitations (presently system parameter).

This is server side request forgery protection … which is kind of baked into the WPS and remote Style standards (which were made when the internet was a more innocent place apparently).

Discussion:

  • Should we speak up as OGC members (GeoSolutions / GeoCat) to prevent this kind of vulnerability occurring in the OGC API family of standards? Consider as topic for upcoming code sprint

Discussion:

  • Where does this show up in the UI? Top-level page in the security section is proposed?

  • Global settings has similar stuff also?

  • Regex is two problems? The problem and is your regex correct?

  • Andrea proposes a testing panel? Yeah …

  • A list with “https://blah.blah/*” prefix matches? For the simple case since this is an important … even a localhost example.

  • Q: List of domain names be easier?

  • Yes that is how EXTERNAL ENTITY is controlled? No it lists prefixes …

  • Prefer to point to the exact service for better control / security …

  • Expect that this list is usually a list of regex

  • Andrea will make the type of checks “regex” (like sql view parameters) in case Jody wants to add “prefix” …
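The regex-versus-prefix discussion above, as an added illustration written for these notes (not GeoServer or GeoTools code, and not the GSIP-218 implementation): a small outbound-URL allow-list checker that accepts both entry styles, a helper in the spirit of the proposed testing panel that reports which entries matched a URL, and a lint for the "is your regex correct?" problem. The entry syntax (a trailing "/*" marks a literal prefix, anything else is a regex), the function names and the sample list are all assumptions.

```python
"""Outbound-URL allow-list checker (added example, not GeoServer/GeoTools code)."""
import re
from urllib.parse import urlsplit

# Constructed sample allow-list: one prefix entry, one regex entry (dots
# escaped), and a localhost example. Entry syntax is an assumption.
ALLOW_LIST = [
    "https://styles.example.org/*",          # prefix entry: literal match
    r"https://data\.example\.org/wps/.*",     # regex entry, anchored below
    "http://localhost:8080/geoserver/*",      # localhost example
]


def compile_entry(entry: str) -> re.Pattern:
    """Turn an allow-list entry into a pattern that must match the whole URL.

    - Entries ending in "/*" are literal prefixes: everything before the "*"
      is escaped, so a "." or "?" in the host cannot widen the match.
    - Any other entry is a regex; it is applied with fullmatch, so a pattern
      cannot match a URL that merely contains the allowed text in the middle.
    """
    if entry.endswith("/*"):
        return re.compile(re.escape(entry[:-1]) + ".*")
    return re.compile(entry)


def matching_entries(url: str, entries) -> list[str]:
    """Testing-panel helper: the entries (as written) that fully match url."""
    return [e for e in entries if compile_entry(e).fullmatch(url)]


def is_allowed(url: str, entries) -> bool:
    """True if url is http(s) and fully matches at least one entry."""
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        return False  # never fetch file:, ftp: etc., whatever the list says
    return bool(matching_entries(url, entries))


def lint_entry(entry: str) -> list[str]:
    """Cheap sanity check for the 'is your regex correct?' problem.

    Flags an unescaped '.' in the host part of a regex entry: such a dot
    matches any character, so the entry also admits look-alike hosts.
    """
    if entry.endswith("/*"):
        return []  # prefix entries are literal, nothing to check
    host = entry.split("://", 1)[-1].split("/", 1)[0]
    if re.search(r"(?<!\\)\.", host):
        return [f"unescaped '.' in host part of {entry!r}"]
    return []


if __name__ == "__main__":
    for url in (
        "https://styles.example.org/sld/roads.sld",
        "https://styles.example.org.evil.example/sld/roads.sld",
        "https://dataXexample.org/wps/x",
        "file:///etc/passwd",
    ):
        print(url, "->", is_allowed(url, ALLOW_LIST), matching_entries(url, ALLOW_LIST))
    for entry in ("https://data.example.org/wps/.*", ALLOW_LIST[1]):
        print(entry, "->", lint_entry(entry))
```

The scheme check sits outside the list on purpose: an operator who mistypes an entry should at most allow an extra web host, never a local file or a non-HTTP service. The lint only catches one common mistake; a testing panel that shows which entry a URL matched is still the more reliable way to confirm a regex does what its author meant.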

Action:

  • Jody will vote +1 with feedback on the mailing list (does not trust this to be a documentation problem). This is a great step …

GeoServer 2.23.0 release

Jody has deadlines this week; so this is a background activity.

Some feedback:

  • windows installer is “okay” but not great; but it is the same “not great” as before … Java 11 just made things awkward with Oracle

  • a spring upgrade and spring security upgrade was added (gak)

  • Not really happy about that, but it is a bugfix for spring expression language which we do not use very much

  • RC2? no just go for release

Q: Anything needing to be back ported to 2.23.x?

  • did a round up; some doc fixes

org.opengis action

Some discussion about this not being just a search/replace - in order to provide value to the geotools community.

Provide a one-upgrade experience for downstream projects.

OSGeo Board Meeting in 2 hours

  • Need a landing page for initiative and sponsoring

  • GeoSolutions offered to do in-kind (work hours), would like to ask other organizations to do the same

  • Would like to target foss4g sprint (design), and bolsena sprint (implementation), and OSGeo funding for downstream project (monthly drop-in office hours).

Discussion: style as immutable interface, and a mutable implementation!

  • so we cannot trust object not to change; so we make a copy all the time

  • the copy-on-write builder approach proposed is looking really good

actions:

Security policy

Getting some feedback on updating dependencies that are addressing their own CVEs

Both points are good:

  1. It is NOT GOOD to highlight these CVEs in release announcement without assessment to check if GeoServer is even vulnerable

  2. It becomes noise and trains our community to ignore security vulnerability sections; so they do not act promptly when faced with an actual important upgrade (like the SQL Injection one last month)

  3. Keeping it secret is not useful as the dependency has already advertised a CVE

The original ticket titles for the spring upgrade mentioned the CVE numbers in the ticket title; so it would show up in our release notes and thus be “highlighted” in the release announcement.

How do we like the github security disclosure workflow?

  • Idea of inviting interested parties to a security disclosure (for something like JQuery that comes up in scans, but has been assessed with the determination that GeoServer is not vulnerable)?

  • How about using this without inviting interested parties? May work …

  • Could we use this to make a public statement about JQuery above?

Goal would like to cut down on recurring reports from automated scans …

Idea:

  • Test: Make an advisory about the JQuery vulnerability consisting only of an assessment.

Example:

https://github.com/geotools/geotools/security/advisories/GHSA-99c3-qc2q-p94m

  • when anonymous no discussion is available

  • when logged in geotools PMC can see discussion and associated PR review

Jenkins red builds

github changed ssh so jenkins was sad with broken builds

a documentation fix based on antrunner / ant incompatibility also.

Thanks Andrea, disaster averted etc…

geowebcache website

Planet still has https://www.geowebcache.org/ - and we need to arrange domain transfer. Ask Andrea to talk to Chris again? Only thing that had an effect …

OSGeo

https://trac.osgeo.org/osgeo/ticket/2416

OSGeo website is available, but no index page https://geowebcache.osgeo.org/docs/main/#

action: