[Geoserver-devel] GeoTools / GeoServer PMC meeting - 2024-07-02

Attending:

  • Torben Barsballe

  • Jody Garnett

  • Jukka Rahkonen

  • Peter Smythe

  • Austin Joachim

  • Kevin Smith

Actions from prior meetings:

  • Jody: (In Progress) Ask Brad about A/B testing, and if modal dialog is a blocker

  • Update release announcements with CVE links at the end of June

  • Update spring-framework roadmap, for geofence communication refactor

Agenda:

  • GDAL Version Support and Community Modules

  • How to add people to geoserver-security list

  • CVE Disclosure Update

  • Release Schedule

  • Roadmap communication

  • Snowflake DataStore

Actions:

  • Torben: Add @ignore to failing ogr-jni and vsi tests

  • Torben: Update supported GDAL version in docs

  • Torben: Add flag to fail imageio-ext-gdal tests if GDAL bindings aren’t found

  • Jody: Reject recent geoserver-security join attempt: This is a volunteer list with no possibility to subscribe. Please contact geotools-devel if you wish to volunteer.

  • Jody: Add something to our developers guide for geoserver-security list (in addition to SECURITY.md note)

GDAL Version Support and Community Modules

Work on macOS build for geotools for GDAL testing:

  • homebrew gdal stopped working

  • custom build with java bindings

  • found that community/ogr-jni and ogr-vsi do not support any 3.2+
    (due to API change int / long etc…)

  • action: fix or @ignore tests for ogr-jni and ogr-vsi so build works

  • action: update gdal supported versions in docs

All the other OGR/GDAL tests are not running…

How to add people to geoserver-security list

The recent disclosures have highlighted the role of geoserver-security email list:

  • Jody has encouraged core-contributors (at least) to subscribe

  • but really we seek volunteers here…

  • https://github.com/geoserver/geoserver/blob/main/SECURITY.md indicates it is volunteers but not how to join? Those seeking greater visibility are encouraged to volunteer with the geoserver-security list.

  • From https://geoserver.org/comm/ geoserver-security is a “moderated listed with no possibility to subscribe” (and no archives)

We have a subscription request from an Astun Technologies employee: Tom Chadwin <tomchadwin@anonymised.com>

  • they visited https://lists.osgeo.org/mailman/listinfo/geoserver-security and tried subscribing

  • Anybody know him? A couple emails in 2022

  • action: Reject: This is a volunteer list with no possibility to subscribe. Please contact geotools-devel if you wish to volunteer.

  • action: Add something to our developers guide for geoserver-security list (in addition to SECURITY.md note)

CVE Disclosure Update

Disclosures published:

Andrea provided patched jars for earlier geotools (thanks these are uploaded to SF).

  • https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w

  • The example here {…} seems confusing?
    org.geotools.data.complex.expression.MapPropertyAccessorFactory.new PropertyAccessor() {…}.get(Object, String, Class)

  • Feedback: Searching for these methods would not indicate if you are safe or not? You can provide an xpath via many ways that ends up in these methods.

  • action: (done) GHSA-w3pj-wh35-fq8w mitigation updated to ask apps to check for and remove “gt-complex” jar …
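
One way to run the "check for gt-complex jar" step over a deployment tree, as an added example (not code from the advisory or from the GeoTools/GeoServer projects). It assumes the usual `gt-<module>-<version>.jar` file naming; the function names and the sample layout with `0.0` versions are constructed for illustration.

```python
import io, re, sys, tempfile, zipfile
from pathlib import Path

# GeoTools jars are named gt-<module>-<version>.jar; an unversioned copy is matched too.
JAR_RE = re.compile(r"(^|/)gt-complex(-\d[^/]*)?\.jar$", re.IGNORECASE)
ARCHIVES = (".war", ".ear", ".zip")
MAX_DEPTH = 3  # bound recursion into nested archives

def _scan_archive(src, label, depth, hits):
    """Record gt-complex jars inside an archive given as a path or file object."""
    try:
        zf = zipfile.ZipFile(src)
    except zipfile.BadZipFile:
        return  # not a readable archive; nothing to report
    with zf:
        for name in zf.namelist():
            inner = f"{label}!/{name}"
            if JAR_RE.search(name):
                hits.append(inner)
            elif name.lower().endswith(ARCHIVES) and depth < MAX_DEPTH:
                _scan_archive(io.BytesIO(zf.read(name)), inner, depth + 1, hits)

def find_gt_complex(root):
    """Return locations of gt-complex jars under root, loose or packed in archives."""
    hits = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        posix = path.as_posix()
        if JAR_RE.search(posix):
            hits.append(posix)
        elif posix.lower().endswith(ARCHIVES):
            _scan_archive(str(path), posix, 1, hits)
    return hits

def build_sample(root):
    """Constructed layout: one loose jar, one jar packed in a WAR, unrelated jars."""
    lib = Path(root) / "app" / "WEB-INF" / "lib"
    lib.mkdir(parents=True)
    (lib / "gt-complex-0.0.jar").write_bytes(b"")  # placeholder version
    (lib / "gt-main-0.0.jar").write_bytes(b"")
    with zipfile.ZipFile(Path(root) / "packed.war", "w") as war:
        war.writestr("WEB-INF/lib/gt-complex-0.0.jar", b"")
        war.writestr("WEB-INF/lib/gt-complexity-0.0.jar", b"")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        target = sys.argv[1] if len(sys.argv) > 1 else (build_sample(tmp) or tmp)
        for hit in find_gt_complex(target):
            print(hit)
```

Run with a directory argument to scan a real deployment; with no argument it scans the constructed sample. Jars repackaged into a shaded or fat jar under another name are not detected by a file-name check.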

Feedback is okay:

  • noticed slack GeoServer channel only noticing now …

Release Schedule

Ian has volunteered - schedule updated.

Roadmap communication

Jody did not manage a Q2 update, shall we try for a Q3 (sigh):

  • No code sprint seems to be in the works, insufficient sponsorship response

  • Highlight activities that can be done now, to provide opportunity for those responding with in-kind support

  • The spring-security core based OIDC client work can go ahead? Any interested parties?

  • ImageN is ready; need to reinvite

Development stuff:

  • Gabe (camptocamp) and Jody (geocat) are looking at OGCAPI-Features to extension status. A lot of work is being highlighted as this has been “code sprint quality” code :stuck_out_tongue:

  • Jody is going to have a rematch with mkdocs; try the approach Peter suggested of setting up an automation to publish to gh-pages (so everyone can take part in fixing RST docs for migration)

Snowflake DataStore

Marc here to talk about a proof-of-concept of a snowflake datastore for GeoTools.

  • Marc is mentoring Austin as they look at prior datastores MySQL datastore and others …

  • Unit tests? Yes …

  • Integration tests? Mark as “OnlineTest” and then developer can add “.geotools/snowflake/connections.parameters” in order to run such tests locally. Apparently a challenge with 2FA (lo!)

  • MongoDB and others get these challenges

  • Looking for guidance on coding standards and approach:

  • See the documentation

  • Ask on the email list for commit access to add a community module

  • Community modules have very permissive code standards, when things graduate to extension there are a few more requirements

See the developers guide for penguin or fish examples: