Attending
- Torben Barsballe
- Jody Garnett
- Jukka Rahkonnen
- Peter Smythe
- Austin Joachim
- Kevin Smith

Actions from prior meetings:
- Jody: (In Progress) Ask Brad about A/B testing, and if modal dialog is a blocker
- Update release announcements with CVE links at the end of June
- Update spring-framework roadmap, for geofence communication refactor

Agenda
- GDAL Version Support and Community Modules
- How to add people to geoserver-security list
- CVE Disclosure Update
- Release Schedule
- Roadmap communication
- Snowflake DataStore

Actions
- Torben: Add @ignore to failing ogr-jni and vsi tests
- Torben: Update supported GDAL version in docs
- Torben: Add flag to fail imageio-ext-gdal tests if GDAL bindings aren’t found
- Jody: Reject recent geoserver-security join attempt: This is a volunteer list with no possibility to subscribe. Please contact geotools-devel if you wish to volunteer.
- Jody: Add something to our developers guide for geoserver-security list (in addition to SECURITY.md note)

GDAL Version Support and Community Modules
Work on macOS build for geotools for GDAL testing:
- homebrew gdal stopped working
- custom build with java bindings
- found that community/ogr-jni and ogr-vsi do not support any 3.2+ (due to API change int / long etc…)
- action: fix or @ignore tests for ogr-jni and ogr-vsi so build works
- action: update gdal supported versions in docs
All the other OGR/GDAL tests are not running…
- action: Add flag to fail on skipped gdal

How to add people to geoserver-security list
The recent disclosures have highlighted the role of the geoserver-security email list:
- Jody has encouraged core-contributors (at least) to subscribe
- but really we seek volunteers here…
- https://github.com/geoserver/geoserver/blob/main/SECURITY.md indicates it is volunteers but not how to join? Those seeking greater visibility are encouraged to volunteer with the geoserver-security list.
- From https://geoserver.org/comm/ geoserver-security is a “moderated listed with no possibility to subscribe” (and no archives)
We have a subscription request from an Astun Technologies employee: Tom Chadwin <tomchadwin@anonymised.com>
- they visited https://lists.osgeo.org/mailman/listinfo/geoserver-security and tried subscribing
- Anybody know him? A couple emails in 2022
- action: Reject: This is a volunteer list with no possibility to subscribe. Please contact geotools-devel if you wish to volunteer.
- action: Add something to our developers guide for geoserver-security list (in addition to SECURITY.md note)

CVE Disclosure Update
Disclosures published:
- https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv
- Mitigation patched jars for prior downloads, uploaded to SF
- https://github.com/geoserver/geoserver/security/advisories/GHSA-j59v-vgcr-hxvf
- https://github.com/geoserver/geoserver/security/advisories/GHSA-jhqx-5v5g-mpf3
Andrea provided patched jars for earlier geotools (thanks, these are uploaded to SF).
- https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w
- The example here {…} seems confusing?
  org.geotools.data.complex.expression.MapPropertyAccessorFactory.new PropertyAccessor() {…}.get(Object, String, Class)
- Feedback: Searching for these methods would not indicate if you are safe or not? You can provide an xpath via many ways that end up in these methods.
- action: (done) GHSA-w3pj-wh35-fq8w mitigation updated to ask apps to check for and remove “gt-complex” jar …
Feedback is okay:
- noticed Slack GeoServer channel only noticing now …

Release Schedule
Ian has volunteered - schedule updated.

Roadmap communication
Jody did not manage a Q2 update, shall we try for a Q3 (sigh):
- No code sprint seems to be in the works, insufficient sponsorship response
- Highlight activities that can be done now, to provide opportunity for those responding with in-kind support
- The spring-security core based OIDC client work can go ahead? Any interested parties?
- ImageN is ready; need to reinvite
Development stuff:
- Gabe (camptocamp) and Jody (geocat) are looking at moving OGCAPI-Features to extension status. A lot of work is being highlighted as this has been “code sprint quality” code
- Jody is going to have a rematch with mkdocs; try the approach Peter suggested of setting up an automation to publish to gh-pages (so everyone can take part in fixing RST docs for migration)

Snowflake DataStore
Marc here to talk about a proof-of-concept of a snowflake datastore for GeoTools.
- Marc is mentoring Austin as they look at prior datastores MySQL datastore and others …
- Unit tests? Yes …
- Integration tests? Mark as “OnlineTest” and then developer can add “.geotools/snowflake/connections.parameters” in order to run such tests locally. Apparently a challenge with 2FA (lo!)
- MongoDB and others get these challenges
- Looking for guidance on coding standards and approach:
- Ask on the email list for commit access to add a community module
- Community modules have very permissive code standards, when things graduate to extension there are a few more requirements
See the developers guide for penguin or fish examples:
- https://docs.geotools.org/latest/developer/procedures/create.html
- low friction to make a community module (don’t break the build)
- only get serious review when graduating to a plugin/extension