[Geoserver-devel] GeoTools / GeoServer PMC meeting - 2024-01-02

Attending

  • Torben Barsballe

  • Andrea Aime

  • Peter Smythe

  • Jukka Rahkonen

Actions from prior meetings:

  • [DONE] Jody: Call for vote on GSIP 221, plan to update early Jan

  • [DONE] Andrea: warn people about Java 21 build requirements and start merging PRs. Also make a GWC 21 PR.

Agenda

  • 2024 Roadmap blogpost is ready (planned for tomorrow)

  • GSIP 221 ready - votes requested

  • JIRA Licence limit

  • Wicket 9 upgrade

  • Spotless/Palantir upgrade

  • Some thoughts about JAI to ImageN upgrade

Actions

  • Andrea: Look into JIRA license limit

  • Brad: Give the OK on the Wicket 9 Upgrade

2024 Roadmap blogpost is ready (planned for tomorrow)

Blog post is ready:

https://github.com/geoserver/geoserver.github.io/pull/175 describing 2024 roadmap

Planned to merge and publish January 3

All looks ready to go. No further feedback needed

GSIP 221 ready - votes requested

GSIP is ready:

https://github.com/geoserver/geoserver/wiki/GSIP-221

We now have 5 votes, which is sufficient to pass. But still please vote if you haven’t yet.

Example of outstanding work:

https://jodygarnett.github.io/geoserver/installation/docker/#adding-geoserver-extensions

JIRA Licence limit

We hit the JIRA Licence limit 5 days ago.

Manual clean-up has been the fix in the past, but is not really practical long-term

We should consider migrating to GitHub issues (eventually), but that will be fairly involved, even with available automation.

Shorter term, can we contact Atlassian support to get our limit increased slightly?

Jira has a feature request to handle this, still open.

Action: Andrea will look into workarounds, no guarantees though…

Wicket 9 upgrade

https://github.com/geoserver/geoserver/pull/7154

Need to collect all pages and panels that need to be tested, make a list, and divide the list amongst participants to the testing effort. First we need Brad’s ok to move on.

Spotless/Palantir upgrade

Current status, Spotless and Google Java Format.

Using older versions of them that still support Java 8.

Example GeoTools upgrade: https://github.com/aaime/geotools/tree/spotless_upgrade

More examples in a geoserver-devel mail.

No objections during the meeting

Some discussion on workarounds to the git history pollution issue here: https://gdal.org/development/rfc/rfc69_cplusplus_formatting.html#big-reformat

Some thoughts about JAI to ImageN upgrade

Part of the Jakarta EE upgrade plan.

ImageN as it stands today.

Some considerations and a plan here.

Positive comments during the meeting.

On Wednesday, 3 January 2024 5:35:42 AM AEDT Torben Barsballe wrote:

> Wicket 9 upgrade
>
> https://github.com/geoserver/geoserver/pull/7154
>
> Need to collect all pages and panels that need to be tested, make a list,
> and divide the list amongst participants to the testing effort. First we
> need Brad’s ok to move on.

Part of the Wicket 9 changes is a (strict) Content Security Policy.
See
https://nightlies.apache.org/wicket/guide/9.x/single.html#_content_security_policy_csp

CSP could help us a lot with security. See
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
for what it does. The TL;DR; version is it blocks most XSS attacks.

It doesn't come for free though. We need to move or remove all the
inline styling and javascript. For inline javascript, it
needs to go into a "renderHead()" method.

We also need to remove inline event handlers.

I would like help to do that work, although I will get some of it done soon.
Please let me know if you can help

Since this stands a pretty good chance of breaking stuff,
we should defer the manual testing.

The only good news I have is that it looks like there will be automation
support for getting from Wicket 9 to Wicket 10.
https://cwiki.apache.org/confluence/display/WICKET/Migration+to+Wicket+10.0#MigrationtoWicket10.0-AddmigrationrecipestoWicket10WICKET-7029

Brad

Ok, let’s try to find out how much work that is.

I believe inline styling can be found this way?
git grep "style\s*=\s*" -- "*.html" > /tmp/style.txt

Result attached. That’s 95 occurrences that need to be removed with classes in geoserver.css, some like “display:none” can probably
be controlled by code instead (making the wicket component non visible).

For local scripts, the following returns 17 occurrences:

git grep -i "<script" -- "*.html"

community/gsr/src/main/resources/demos/dynamic_map_layer.html:
community/gsr/src/main/resources/demos/dynamic_map_layer.html:
community/gsr/src/main/resources/demos/layers-featurelayer-polygon.html:
web/core/src/main/java/org/geoserver/web/GeoServerBasePage.html:
web/core/src/main/java/org/geoserver/web/GeoServerBasePage.html:
web/core/src/main/java/org/geoserver/web/wicket/GeoServerTablePanel.html:
web/core/src/main/java/org/geoserver/web/wicket/js/editarea/plugins/charmap/popup.html:
web/demo/src/main/java/org/geoserver/web/demo/SRSDescriptionPage.html:

For the local event handlers bit I’ve come up with this instead:

git grep -E -i " on\w+\s*=" -- "*.html"
web/core/src/main/java/org/geoserver/web/system/status/JVMConsolePanel.html: <wicket:message key="download">download as dump text</wicket:message>
web/core/src/main/java/org/geoserver/web/wicket/js/editarea/plugins/charmap/popup.html:
web/core/src/main/java/org/geoserver/web/wicket/js/editarea/plugins/charmap/popup.html:
web/demo/src/main/java/org/geoserver/web/demo/DemoRequestResponse.html:

Do you think it’s a complete list? If so, it’s big (the style part at least) but not massive. Looks like a lot of small changes, which would
fit nicely in my “around one hour a week” typical availability.

And now… back to house chores before wife gets mad at me :rofl:

Cheers
Andrea


Regards,

Andrea Aime

==
GeoServer Professional Services from the experts!

Visit http://bit.ly/gs-services-us for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions Group
phone: +39 0584 962313

fax: +39 0584 1660272

mob: +39 339 8844549

https://www.geosolutionsgroup.com/

http://twitter.com/geosolutions_it


With reference to the legislation on the processing of personal data (EU Reg. 2016/679 - General Data Protection Regulation “GDPR”), please note that every circumstance relating to this email (its content, any attachments, etc.) is data whose knowledge is reserved to the sole recipient(s) indicated by the writer. If this message has reached you in error, you are required to delete it; any other operation is unlawful. I would nevertheless be grateful if you could let me know.

This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. We remind that - as provided by European Regulation 2016/679 “GDPR” - copying, dissemination or use of this e-mail or the information herein by anyone other than the intended recipient is prohibited. If you have received this email by mistake, please notify us immediately by telephone or e-mail
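
Added example (not part of the thread or of the GeoServer code base): a parser-based version of the three `git grep` searches in the message above, reporting only inline markup that a CSP without `unsafe-inline` would block. Unlike the regexes it skips external `<script src>` references and prose that merely looks like an `on…=` attribute, and it also catches `<style>` blocks; the sample markup and the names `CspAudit`, `audit` and `grep_counts` are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample shaped like a Wicket template (not a GeoServer file).
SAMPLE = """<script src="js/lib.js"></script>
<script type="text/javascript">init();</script>
<style>.veil { opacity: 0.5; }</style>
<div wicket:id="spinner" style="display:none"></div>
<a href="#" onclick="return dump();">download</a>
<p>Set online = true to enable</p>"""
# The three searches from the thread, applied per line as grep does.
GREP = {"style": r"style\s*=\s*", "script": r"(?i)<script", "handler": r"(?i) on\w+\s*="}


class CspAudit(HTMLParser):
    """Collect inline markup that needs 'unsafe-inline' (or a nonce/hash) under CSP."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, kind, detail)
        self._open = None   # (line, tag) of an inline <script>/<style> awaiting its body

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        for name, value in attrs:
            if name == "style":
                self.findings.append((line, "style-attr", value or ""))
            elif name.startswith("on") and len(name) > 2:
                self.findings.append((line, "event-handler", name))
        external = tag == "script" and any(k == "src" for k, _ in attrs)
        self._open = (line, tag) if tag in ("script", "style") and not external else None

    def handle_data(self, data):
        if self._open and data.strip():  # non-empty body: the element is inline code
            self.findings.append((self._open[0], self._open[1] + "-block", data.strip()[:40]))
            self._open = None

    def handle_endtag(self, tag):
        self._open = None


def audit(html):
    parser = CspAudit()
    parser.feed(html)
    parser.close()
    return parser.findings  # in document order


def grep_counts(html):
    # Number of lines each thread regex would report, for comparison with audit().
    return {k: sum(bool(re.search(p, ln)) for ln in html.splitlines()) for k, p in GREP.items()}
```

On the sample, the regexes report two `<script` lines and two handler lines where the parser finds one of each, and they miss the `<style>` block entirely.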

And of course I forgot the attachment. Here.

Cheers
Andrea

(attachments)

style.txt (15.7 KB)


On Wednesday, 3 January 2024 7:21:43 PM AEDT Andrea Aime wrote:

> If so, it's big (the style part at
> least) but not massive. Looks like a lot of small changes, which would
> fit nicely in my "around one hour a week" typical availability.

I don't have a good feel for how complete the list is, but at least
the style fixes are probably a good estimate.

I plan to do the style fixes first, then look at inline scripts.

I can do most of them, but would like help with the "display: none" part,
especially in the base page where there is a comment about using the feedback
spinner as a veil (proxy?) for AJAX interactions. I have no idea how that
works, and it's causing noise on every page that derives from it.

Have dropped a comment in the PR to show the unsafe-inline setting.

Brad

Perhaps Michel who did the initial cleanup of inline styles can offer perspective?



Jody Garnett

On Thursday, 4 January 2024 10:03:25 AM AEDT Brad Hards wrote:

> On Wednesday, 3 January 2024 7:21:43 PM AEDT Andrea Aime wrote:
> > If so, it's big (the style part at
> > least) but not massive. Looks like a lot of small changes, which would
> > fit nicely in my "around one hour a week" typical availability.
>
> I don't have a good feel for how complete the list is, but at least
> the style fixes are probably a good estimate.
>
> I plan to do the style fixes first, then look at inline scripts.
>
> I can do most of them, but would like help with the "display: none" part,
> especially in the base page where there is a comment about using the
> feedback spinner as a veil (proxy?) for AJAX interactions. I have no idea
> how that works, and it's causing noise on every page that derives from it.

I have worked through most of the inline styles, and have pushed the results
as
https://github.com/geoserver/geoserver/pull/7154/commits/08e471f3ee537a9522751605566175b0aa4d0e42

> Perhaps Michel who did the initial cleanup of inline styles can offer
> perspective?

If there is a better way to do any of that, please make it so.

The "display:none" part is still to be done.

There are a bunch of errors that appear to relate to jquery. I'm not sure why.

I haven't done all of the templating module. Perhaps it needs its own CSS file.

The GWC disk quota page has some computed style. I don't know how to fix that
yet.

Brad