GeoTools / GeoServer Meeting 2015-07-21
Attending
---------
Ben Caradoc-Davies
Kevin Smith
Jody Garnett
Andrea Aime
Torben Barsballe
Agenda
------
- Backports for XXE vulnerability
- Release schedule
- CITE test upgrade status report
Actions
-------
- Torben: merge GEOS-7095 fix backports to 2.7.x, 2.6.x, and 2.5.x
- Kevin: submit port-scan fix and backport
Actions from last meeting
-------------------------
AA: Create Jira components Security (Authentication) and Security
(Authorization) to replace Security
Backports for XXE vulnerability
-------------------------------
GeoServer only? https://osgeo-org.atlassian.net/browse/GEOS-7095
- Torben's fix cuts down on url parameters for entity resolver
- future consideration of gt-xsd, xsd, xerces
action: create new bug report for SSRF discussion!
idea: schema resolution whitelist?
- what about feature portrayal?
- WPS inherently open to this class of attack? Either break WPS remote input resolution, or allow SSRF
idea: schema resolution blacklist?
idea: two-phase
  1) resolve and check for local ip address and blacklist
  2) then consult whitelist for local chained services
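As an added illustration of the two-phase idea above (not GeoServer code; the hostnames, addresses, whitelist format and the stand-in resolver are all assumptions made up for this example):

```python
import ipaddress
from urllib.parse import urlsplit

# Phase 1 blacklist: ranges never fetched blindly (loopback, RFC 1918,
# link-local incl. cloud metadata endpoints, and the IPv6 equivalents).
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10")]

# Phase 2 whitelist (assumed format): local chained services that may be
# called, keyed by (hostname, port).
LOCAL_SERVICE_WHITELIST = {("wfs.internal", 8080)}

# Constructed stand-in for DNS so the example runs offline; hosts and
# addresses are made up (203.0.113.0/24 is a documentation range).
FAKE_DNS = {
    "schemas.example.net": ["203.0.113.10"],
    "wfs.internal": ["10.0.0.5"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.example": ["203.0.113.20", "127.0.0.1"],
}

def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETWORKS)

def check_remote_url(url, resolve=FAKE_DNS.get):
    """Return (allowed, reason) for a URL the entity resolver or a WPS
    remote input wants to fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal, no lookup
    except ValueError:
        addrs = resolve(host) or []
    if not addrs:
        return False, "unresolvable host"
    # Phase 1: if *any* answer is local, treat the host as local, so a
    # mixed public/local answer set cannot slip past the check.
    if not any(is_local(a) for a in addrs):
        return True, "public address"
    # Phase 2: local address, so only whitelisted chained services pass.
    if (host, port) in LOCAL_SERVICE_WHITELIST:
        return True, "whitelisted local service"
    return False, "local address not in whitelist"
```

Phase 1 only holds if the fetch actually connects to the address that was checked; resolving the hostname again at connect time re-opens the window.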
Action:
- Torben: Merge latest GEOS-7095 fix as an improvement (backport to 2.7.x for inclusion in 2.7.2 release, 2.6.x, and 2.5.x)
- Kevin: submit port-scan fix and backport (for 2.7.2 release)
No new 2.5.x release planned.
Release schedule
----------------
https://github.com/geoserver/geoserver/wiki/Release-Schedule
- discussion about short turnaround
- still later feature freeze is good
GT 13 release failed on rsync ...
http://ares.boundlessgeo.com/geotools/release/13.2/
http://repo.boundlessgeo.com/main/org/geotools/gt-main/13.2/
Ask Kevin to release GWC 1.7.2? Has time today, but not tomorrow.
CITE test upgrade status report
-------------------------------
https://github.com/aaime/geoserver-cite-tools/tree/ng
Prior:
- svn checkout, push to github, maintain a fork
Approach:
- git submodules (since cite is not deploying releases)
- no fork to maintain
Q: what to do to use this?
Justin did the previous ares configuration (extra scripts on ares).
Consider build directory in here for the extra scripts on ares...
1. merge to geoserver repo
2. grab scripts into a build directory
3. expect some test failures (on tests we plan together)
4. ideas for new tests: wmts, wfs 2.0, wps, wcs 2.0
Idea: run concurrently, merge to a different branch, migrate over a bit at a time.
CITE Conformance / Reference Implementation
-------------------------------------------
Idea:
- OGC may be able to host it
- configuration is tricky, say one workspace per specification and version
https://osgeo-org.atlassian.net/browse/GEOS-7089
Pull request roundup
--------------------
https://github.com/geotools/geotools/pull/918
- Jody to merge (needs docs)
https://github.com/geotools/geotools/pull/889
- merge and update (c) info
https://github.com/geoserver/geoserver/pull/1132
- roadmap discussion
https://github.com/geoserver/geoserver/pull/1114
- failing travis checks, waiting on s3 dependency
https://github.com/geoserver/geoserver/pull/1117
- broken but looks easy to fix
https://github.com/geoserver/geoserver/pull/1094
- waiting on test
- missing a bug report (seems to be a module conflict?)
--
Ben Caradoc-Davies <ben@anonymised.com>
Director
Transient Software Limited <http://transient.nz/>
New Zealand