GeoTools / GeoServer PMC meeting - 2023-09-26

Attending:
- Torben Barsballe
- Jody Garnett
- Jukka Rahkonen
- Andrea Aime
Actions from prior meetings:
- action: Discuss with Alexandre Gacon on the geoserver-devel list about translation (done)
- action: Ask on the geoserver-devel list for assistance setting up new branches and jobs (done)
Agenda:
- GeoServer 2.24-RC / GeoTools 30-RC
- GSIP 220 - Revised Security Policy and CVE handling

Actions:
GeoServer 2.24-RC / GeoTools 30-RC

GeoTools 30-RC:
- thanks to downstream projects, you are excellent

Released: https://geoserver.org/announcements/2023/09/25/geoserver-2-24-RC-released.html
- twitter (aaime)
- mastodon (jody)
- linkedin (jody)

Community modules:
- script worked well, added instructions for next time
- consider updating script to block out community module tickets from the main list
- action: gabe did not have docs for geoserver-acl
- action: GPL license is not included
- GEOS-11134 - GeoServer 2.24-RC packaging feedback <https://osgeo-org.atlassian.net/browse/GEOS-11134>
When do we wish to make the release?
- two weeks → October 10th?

Docker image with ogcapi features:

docker run -it -p8080:8080 --env INSTALL_EXTENSIONS=true --env COMMUNITY_EXTENSIONS="ogcapi-features" docker.osgeo.org/geoserver:2.24.x

Welcome to GeoServer 2.24-RC
Initialize /opt/geoserver_data/ from data directory included in geoserver.war
Starting download of extensions
URL does not exist: /geoserver-2.24-RC-ogcapi-features-plugin.zip
Finished download of extensions
Starting installation of extensions
Finished installation of extensions

lol:
- 2.24.x should pull from nightly server
- stable should pull from source forge
- it got confused checking 2.24-RC and thinks it is a “snapshot”
- https://build.geoserver.org/view/release/job/geoserver-release-docker/390/parameters/
- https://build.geoserver.org/view/release/job/geoserver-release-docker/390/console

Jody fails bash if/else check:
- https://github.com/geoserver/docker/blob/master/build/release.sh
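The mix-up above (an RC tag treated as a snapshot, so the extension download ended up with an empty host in the URL) is the classification a release script has to get right before it pulls artifacts from anywhere. The following is an added illustration written for these notes, not the code in geoserver/docker's release.sh; the two base URLs are placeholders and the tag patterns are assumptions about how tags are named.

```shell
#!/usr/bin/env sh
# Added example, not geoserver/docker's release.sh: classify a version tag so
# that release candidates are fetched from the release download location and
# only moving development builds go to the nightly server. Base URLs are
# placeholders; the tag patterns are assumptions about how tags are named.
NIGHTLY_BASE="https://NIGHTLY-SERVER-PLACEHOLDER/geoserver"
STABLE_BASE="https://STABLE-DOWNLOAD-PLACEHOLDER/geoserver"

# classify_version VERSION -> prints nightly | release | unknown
# 2.24.x and 2.24-SNAPSHOT are moving development builds (nightly);
# 2.24-RC, 2.24-RC1 and 2.24.0 are published releases (release).
classify_version() {
  case "$1" in
    *-SNAPSHOT|[0-9]*.[0-9]*.x)               echo nightly ;;
    [0-9]*.[0-9]*-RC|[0-9]*.[0-9]*-RC[0-9]*)  echo release ;;
    [0-9]*.[0-9]*.[0-9]*)                     echo release ;;
    *)                                        echo unknown ;;
  esac
}

# extension_url VERSION EXTENSION -> prints the plugin zip URL, or fails
# loudly instead of emitting a URL with an empty host (the symptom in the
# log above: "URL does not exist: /geoserver-2.24-RC-ogcapi-features-plugin.zip").
extension_url() {
  ver=$1
  ext=$2
  case "$(classify_version "$ver")" in
    nightly) echo "$NIGHTLY_BASE/$ver/geoserver-$ver-$ext-plugin.zip" ;;
    release) echo "$STABLE_BASE/$ver/geoserver-$ver-$ext-plugin.zip" ;;
    *) echo "refusing to download: unrecognised version tag '$ver'" >&2; return 1 ;;
  esac
}

# Demonstration call: the RC tag now resolves to the release location.
extension_url 2.24-RC ogcapi-features
```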
GSIP 220 - Revised Security Policy and CVE handling

The experiment with creating a CVE number has helped communication with the national CVE Numbering Authority; they recommend that our policy is clearly a “Coordinated Vulnerability Disclosure” (since we disclose when the patch is ready on stable and maintenance).
- Be clear that we can provide a CVE number
- Be clear in the SECURITY.md file about how we time our announcements

action:
- jody: update SECURITY.md file with “Coordinated Vulnerability Disclosure” heading
- aaime: credit steve on jai-ext jiffle vulnerability? it was already one ..
  - Steve wished credit on https://github.com/advisories/GHSA-59x6-g4jr-4hxc
  - this was externally reported so we do not have direct control
  - jody did a pull request, perhaps steve can do the same?
  - jody also asked MITRE three times to update the original (https://nvd.nist.gov/vuln/detail/CVE-2023-35042)

aside: Credit Steve on:
- GHSA-59x6-g4jr-4hxc
- GHSA-fh7p-5f6g-vj2w

Update prior security vulnerability sections:
- https://geoserver.org/announcements/2023/07/21/geoserver-2-23-2-released.html
  - publish the new CVE number
  - update security vulnerability sections with CVE number
- https://geoserver.org/announcements/2023/09/25/geoserver-2-24-RC-released.html
  - H2 no longer included; not really a vulnerability as there is no known exploit, but we can make a heading for it.
Chit chat

Roadmap - Java 11 becomes EOL in 2024?
- Can we just run with Java 17 and Tomcat 9? I think so …
- Compiling for Java 17? JAI → ImageN?
  - We have the code, but *no* test cases were provided (and no native code)
  - This is clean-room code so we need to write our own test cases
  - https://github.com/eclipse/imagen

Tomcat 10:
- someone had success with automatic conversion on the email list? Huh? How …
  - uses on-the-fly bytecode hacking …
  - “successful” in startup, but I would not trust it in production, ..

JavaEE:
- requires Java 17 because of spring6, then need to do everything at once, …
- https://github.com/geoserver/geoserver/wiki/Jakarta-EE
- TOO MUCH to do in one go? can we split it up …
  - Phase 1
    - Wicket 7 → Wicket 9
    - JAI → ImageN
    - spring-security-oauth modules
  - Phase 2
    - Java 17 minimum
  - Phase 3
    - JakartaEE
    - spring-framework?

action:
- Jukka: blog post about this