GeoTools / GeoServer PMC meeting - 2023-02-28

### Attending

- Torben Barsballe
- Gabriel Roldan
- Jukka Rahkonen
- Jody Garnett
- Andrea Aime
- Kevin Smith

### Actions from prior meetings:

- [TODO] Torben: Add GWC Doc build on Jenkins
- [TODO] Jody: Update Sphinx python instructions for GeoServer

### Agenda

1. GeoFence 4.x - spring-boot application, upgrade obsolete dependencies (POC https://github.com/groldan/geofence/tree/4.0.x/src)
2. geoserver 2.23-RC planning (get changes in now)
3. build changes / stability
4. security announcements / discussion
5. foss4g submissions
6. osgeo/ogc code sprint invitation from camptocamp: Open Standards and Open Source Software - Open Geospatial Consortium (ogc.org)

### Actions

- Torben: Add GWC Doc build on Jenkins
- Jody: Update Sphinx python instructions for GeoServer

### GeoFence 4.x - spring-boot application, upgrade obsolete dependencies

Gabe has a POC:

Service / Embedded:

- GeoFence has been struggling a bit with client/server communication (only use of Spring client RMI, which is now deprecated)
- POC makes use of a REST API using OpenAPI

GeoFence Roadmap planning discussion:

- consider dropping service and just use embedded
- but having a standalone service would be nice (makes sense for microservices)
- discussion: options to combine embedded / service into one
- discussion of other challenges like hibernate spatial update
- Any upgrade/migration is a challenge to consider for users.
- shaded jar to migrate from old h2 → new h2 due to package conflict
- make current h2 optional, and have the subsystems rebuild
- progress
- upgrade to hibernate JPA 2.1 was okay (no migration plan, see above)

Gabe has some budget and commitment to work on this; ideally would like to connect to other GeoFence developers / stakeholders for planning.

Action:

- Gabe: Send emails to geoserver-devel list and set up meeting with Emanuele and Alessio

### GeoServer 2.23-RC planning

Release schedule is here:

There is presently no volunteer for 2.23-RC

- some work on jobs is required as this is the first Java 11 release
- idea: quick experiment of making a java config option for geotools-release - did not work. But the idea is sound; the alternative is to duplicate/make new release jobs.

Idea is RC for March 3rd, released March 18th.

- Gabe has some capacity, Andrea will help with GWC, everyone can help with Jenkins

Action:

- Gabe will schedule a release for March 3rd (or when he has time this weekend)

### build changes / stability

Some activity on antrun version change …

The Windows build job gets stuck downloading a dependency from Maven Central or OSGeo.

- [Backport 2.22.x] [GEOS-10871] Force use of AntRun plugin 3.1.0 (experiment with reverting changes)

Jody thought it was a recent PR being backported without running tests, and provided:

- [GEOS-6313] revert changes due to windows build failure (this can be closed)

We do not have any great ideas how to improve.

### security announcements / discussion

Some feedback was received on how detailed the vulnerability announcement was (upgrade, as there is no mitigation) and on the lack of time to update systems.

We made the vulnerability announcement clear and put in the effort to make many branches available (thanks GeoSolutions) because there was no mitigation possible.

Discussion:

- idea: Provide the releases, with a warning that you have a week to upgrade. And then publish the CVE a week later.
- This does not help as it provides a false sense of security; the details of the release PR and the version control history end up showing the attack vector in very detailed terms

GeoTools policy was updated to use security advisory submissions?

Do we want the same policy for GeoServer?

- Can we shut down geoserver-security email list and replace with security advisory reporting? Not yet but it is an idea?

Can we keep module maintainers in the loop on vulnerabilities?

- Yes if trusted to join geoserver-security for communication
- How does this work with private security advisory reporting? I think we can invite folks on a case by case basis. Hard to know who needs to know.
- Should we “promote” module maintainers to some kind of trusted status? This is a case where we recognize commitment / responsibility, but it is not taken very seriously

Can we list “known” issues as security vulnerabilities somewhere:

- for things like jQuery which turns up in all the scans but we are not vulnerable due to how we use the library. These are common questions that we would like to avoid answering all the time?
- Can we add these to the list of security advisories (even if the response is just an assessment)
- Wiki page? That way we would have a single link to hand out to these emails …
- Jira? Could we tag security vulnerabilities to make them easier to find …

### foss4g submissions

Deadline is today? Anyone need a review …

- Gabe has one: https://talks.osgeo.org/foss4g-2023/talk/review/CNSGSULX9AZR3K9HS3X3GRJADYTEWCBJ
- Jody: Has one for community involvement / additions: http://talks.osgeo.org/foss4g-2023/talk/review/LS7MPGT3TEPJFTRBCD8F7HQ7VXVMQERG

### osgeo/ogc code sprint invitation from Camptocamp

Invitation:
Camptocamp is hosting the next OGC / OSGEO code sprint last week of April, in Lausanne.
Like every OGC/OSGEO code sprint, the goal is to improve how Foss support OGC standards.
Do you see any topic for GeoServer for this sprint? If you are interested to participate (on site or online), I will soon share the subscription link.
Alexandre

Discussion:

- Good if we can find an ogcapi topic we can work on together?
- I guess the org.opengis packages are not on topic
- If this is an osgeo/apache sprint it may be appropriate
- General cite tests? acceptsVersions work stalled out.
- There is some osgeo / sponsors towards this activity
- Andrea: the first day, April 25th, is a national holiday. Might participate in 2nd and 3rd day from remote, yet to be confirmed.