[Geoserver-devel] GeoServer PSC meeting notes, Sept 26th 2023

GeoTools / GeoServer PMC meeting - 2023-09-26

Attending

   - Torben Barsballe
   - Jody Garnett
   - Jukka Rahkonen
   - Andrea Aime

Actions from prior meetings:

   - action: Discuss with Alexandre Gacon on the geoserver-devel list about
     translation (done)
   - action: Ask on the geoserver-devel list for assistance setting up new
     branches and jobs (done)

Agenda

   - GeoServer 2.24-RC / GeoTools 30-RC
   - GSIP 220 - Revised Security Policy and CVE handling

Actions

GeoServer 2.24-RC / GeoTools 30-RC

GeoTools 30-RC:

   - thanks to downstream projects, you are excellent

Released:

https://geoserver.org/announcements/2023/09/25/geoserver-2-24-RC-released.html

   - twitter (aaime)
   - mastodon (jody)
   - linkedin (jody)

Community modules:

   - script worked well :slight_smile: added instructions for next time
   - consider updating script to block out community module tickets from the
     main list
   - action: gabe did not have docs for geoserver-acl
   - action: GPL license is not included
   - GEOS-11134 - GeoServer 2.24-RC packaging feedback
     <https://osgeo-org.atlassian.net/browse/GEOS-11134>

When do we wish to make the release?

   - two weeks → October 10th?

Docker image with ogcapi features

docker run -it -p8080:8080 --env INSTALL_EXTENSIONS=true --env COMMUNITY_EXTENSIONS="ogcapi-features" docker.osgeo.org/geoserver:2.24.x

Welcome to GeoServer 2.24-RC
Initialize /opt/geoserver_data/ from data directory included in geoserver.war
Starting download of extensions
URL does not exist: /geoserver-2.24-RC-ogcapi-features-plugin.zip
Finished download of extensions
Starting installation of extensions
Finished installation of extensions

lol:

   - 2.24.x should pull from the nightly server
   - stable should pull from SourceForge
   - it got confused checking 2.24-RC and thinks it is a “snapshot”

https://build.geoserver.org/view/release/job/geoserver-release-docker/390/parameters/

https://build.geoserver.org/view/release/job/geoserver-release-docker/390/console

Jody fails bash if/else check:

   - https://github.com/geoserver/docker/blob/master/build/release.sh
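As an added illustration of the classification mistake noted above (this is not the project's release.sh, and the two base URLs are placeholders, not the real nightly or SourceForge locations): a tag such as 2.24-RC is a published release and must be fetched from the stable location, while a series tag such as 2.24.x or a -SNAPSHOT tag is the only thing that should go to the nightly server. The "buggy" function is a hypothetical check that produces the wrong answer for an RC; the corrected one keys off the series/snapshot markers instead.

```sh
#!/bin/sh
# Added example, not geoserver/docker's release.sh. Base URLs are placeholders.
NIGHTLY_BASE="https://nightly.example.invalid"   # placeholder: nightly build server
STABLE_BASE="https://stable.example.invalid"     # placeholder: SourceForge mirror

# Hypothetical buggy check: only a plain x.y.z tag counts as a release, so a
# release candidate like 2.24-RC falls through and is treated as a snapshot.
classify_buggy() {
  case "$1" in
    [0-9]*.[0-9]*.[0-9]) echo "release" ;;
    *)                   echo "snapshot" ;;
  esac
}

# Corrected check: series tags (x.y.x) and -SNAPSHOT tags are nightly builds;
# everything else (x.y.z, x.y-RC, x.y-M1, ...) is a published release.
classify() {
  case "$1" in
    *.x|*-SNAPSHOT) echo "snapshot" ;;
    *)              echo "release" ;;
  esac
}

# Build the plugin download URL from the corrected classification.
plugin_url() {
  version="$1"
  plugin="$2"
  if [ "$(classify "$version")" = "snapshot" ]; then
    echo "$NIGHTLY_BASE/$version/geoserver-$version-$plugin-plugin.zip"
  else
    echo "$STABLE_BASE/$version/geoserver-$version-$plugin-plugin.zip"
  fi
}

# Usage: ./classify.sh 2.24-RC ogcapi-features
plugin_url "${1:-2.24-RC}" "${2:-ogcapi-features}"
```

Running it with 2.24-RC prints the stable URL; with 2.24.x it prints the nightly URL, which is the behaviour the release job should have shown.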

GSIP 220 - Revised Security Policy and CVE handling

The experiment with creating a CVE number has helped communication with the
national CVE Numbering Authority; they recommend our policy is clearly a
“Coordinated Vulnerability Disclosure” (since we disclose when the patch is
ready on stable and maintenance).

   - Be clear we can provide a CVE number
   - Be clear we time our announcements in the SECURITY.md file

action:

   - jody: update security.md file with “Coordinated Vulnerability
     Disclosure” heading
   - aaime: credit steve on the jai-ext jiffle vulnerability? it was already
     one ..

Steve wished credit on https://github.com/advisories/GHSA-59x6-g4jr-4hxc

   - this was externally reported so we do not have direct control
   - jody did a pull request, perhaps steve can do the same?
   - jody also asked MITRE three times to update the original
     (https://nvd.nist.gov/vuln/detail/CVE-2023-35042)

aside: Credit Steve on:

   - GHSA-59x6-g4jr-4hxc
   - GHSA-fh7p-5f6g-vj2w

Update prior security vulnerability sections:

   - https://geoserver.org/announcements/2023/07/21/geoserver-2-23-2-released.html
     publish the new CVE number
     update security vulnerability sections with CVE number
   - https://geoserver.org/announcements/2023/09/25/geoserver-2-24-RC-released.html
     h2 no longer included; not really a vulnerability as there is no known
     exploit, but we can make a heading for it.

Chit chat

Roadmap - Java 11 becomes EOL in 2024?

   - Can we just run with Java 17 and Tomcat 9? I think so …
   - Compiling for Java 17? JAI → ImageN?
      - We have the code, but *no* test cases were provided (and no native
        code)
      - This is clean-room code so we need to write our own test-cases
      - https://github.com/eclipse/imagen :slight_smile:

Tomcat 10:

   - someone had success with automatic conversion on the email list? Huh?
     How …
      - uses bytecode on-the-fly hacking …
      - “successful” in startup, but I would not trust it in production, ..

JavaEE:

   - requires Java 17 because of spring6, then need to do everything at once,
     …
   - https://github.com/geoserver/geoserver/wiki/Jakarta-EE

TOO MUCH to do in one go? can we split it up …

   - Phase 1
      - Wicket 7 → Wicket 9
      - JAI → ImageN
      - spring-security-oauth modules
   - Phase 2
      - Java 17 minimum
   - Phase 3
      - JakartaEE
      - spring-framework?

action:

   - Jukka: blog post about this :slight_smile:

Jukka and Andrea:

I updated the https://github.com/geoserver/geoserver/wiki/Jakarta-EE page based on the ideas brought up in today’s meeting.

I think it is great emphasis to have for next year (prior to Java 11 reaching end-of-life).

I did notice that different distributors have different dates for Java 11 service:

  • Oracle: 2023-09-30 ← this is soon :slight_smile:
  • OpenJDK: 2023-09-30
  • RedHat: 2024-10
  • Adoptium: 2024-10 (the one we follow)
  • Microsoft: 2024-10

With commercial support being available longer.

Jody Garnett