[Geoserver-devel] GSIP 218: Control remote HTTP requests, merged on main... now what?

Hi all,
So the GSIP work has been merged on main, which will be released in September.
As a breaking change, a backport as-is may not be an option (with checkers enabled by default).
But we might backport, with checks disabled, and suggest that users enable them and configure accordingly.

What do you think?

Cheers
Andrea

==
GeoServer Professional Services from the experts!

Visit http://bit.ly/gs-services-us for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions Group
phone: +39 0584 962313

fax: +39 0584 1660272

mob: +39 339 8844549

https://www.geosolutionsgroup.com/

http://twitter.com/geosolutions_it


With reference to the legislation on the processing of personal data (Regulation (EU) 2016/679, the General Data Protection Regulation, “GDPR”), please note that every circumstance relating to this email (its content, any attachments, etc.) is data whose knowledge is reserved solely to the recipient(s) indicated by the sender. If this message has reached you by mistake, you are required to delete it; any other operation is unlawful. I would in any case be grateful if you could let me know.

This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. We remind that - as provided by European Regulation 2016/679 “GDPR” - copying, dissemination or use of this e-mail or the information herein by anyone other than the intended recipient is prohibited. If you have received this email by mistake, please notify us immediately by telephone or e-mail.
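The thread refers to the GSIP 218 checks without describing them, so here is an added illustration of what a remote-URL check of this kind looks like. This is example code written for this page, not GeoServer's own implementation or configuration: an allow-list of regular expressions matched against the whole outbound URL, evaluated fail-closed only when the feature is enabled, so the "backport with checks disabled by default" option under discussion is simply `enabled=False` until the admin configures and turns it on. The names (`UrlCheckConfig`, `evaluate_remote_url`, `check_remote_url`), the sample patterns and the sample URLs are assumptions of the example, and the refusal of private or loopback IP literals is an extra hardening step added here, not something the thread mentions.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse


# Hypothetical configuration object for this illustration; GeoServer's real
# GSIP 218 settings are not reproduced here.
@dataclass
class UrlCheckConfig:
    # Backport proposal in the thread: ship with the checks off, let admins opt in.
    enabled: bool = False
    # Allow-list of regular expressions matched against the *whole* URL.
    allow_patterns: list = field(default_factory=list)
    # Extra hardening assumed by this example only: refuse URLs whose host is a
    # literal private / loopback / link-local address even if a pattern matches.
    block_private_literals: bool = True


class UrlCheckViolation(Exception):
    """Raised when an outbound request would violate the configured checks."""


def _is_private_literal(host: str) -> bool:
    """True if `host` is an IP literal in a private, loopback, link-local or reserved range."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an IP literal
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved


def evaluate_remote_url(url: str, config: UrlCheckConfig) -> tuple:
    """Decide whether `url` may be fetched. Returns (allowed, reason)."""
    if not config.enabled:
        # Legacy behaviour: nothing is checked. This is what a backport with the
        # checks disabled by default does until the admin turns them on.
        return True, "checks disabled"

    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme {parsed.scheme!r} not permitted"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if config.block_private_literals and _is_private_literal(host):
        return False, f"host {host} is a private/loopback address literal"

    # fullmatch, not search: a pattern must cover the entire URL so that a
    # trusted prefix cannot be followed by an attacker-controlled host.
    for pattern in config.allow_patterns:
        if re.fullmatch(pattern, url):
            return True, f"matched allow pattern {pattern!r}"
    # Fail closed: enabled with no matching entry means deny.
    return False, "no allow-list entry matches"


def check_remote_url(url: str, config: UrlCheckConfig) -> str:
    """Raise UrlCheckViolation unless `url` passes; return it unchanged otherwise."""
    allowed, reason = evaluate_remote_url(url, config)
    if not allowed:
        raise UrlCheckViolation(f"refusing {url}: {reason}")
    return url


# Constructed sample configurations for the illustration.
HARDENED = UrlCheckConfig(
    enabled=True,
    allow_patterns=[
        r"https://tiles\.example\.org/.*",      # escaped dots: exact host only
        r"https://schemas\.opengis\.net/.*",
    ],
)
LEGACY = UrlCheckConfig()  # enabled=False, the proposed backport default

if __name__ == "__main__":
    for url in [
        "https://tiles.example.org/wms?request=GetCapabilities",
        "https://tiles.example.org.attacker.test/",   # suffix trick
        "http://169.254.169.254/latest/meta-data/",   # cloud metadata endpoint
        "file:///etc/passwd",
    ]:
        print(f"{url!s:55} legacy={evaluate_remote_url(url, LEGACY)[0]} "
              f"hardened={evaluate_remote_url(url, HARDENED)}")
```

Two details matter in practice: patterns are applied with `fullmatch` and escaped dots, so a trusted prefix such as `https://tiles.example.org/` cannot be extended into `https://tiles.example.org.attacker.test/`, and an enabled checker with an empty allow-list refuses everything, which is exactly the breakage the thread expects if the feature ships on by default without configuration.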

I would do that to avoid disruptions later on.

Regards,

Simone Giannecchini

Online training classes for GeoNode, GeoServer and MapStore from the experts!
Visit https://www.geosolutionsgroup.com/professional-training/ for more information.

Ing. Simone Giannecchini
@simogeo
Founder/Director GeoSolutions Italy
President GeoSolutions USA

phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 333 8128928
US: +1 (845) 547-7905

http://www.geosolutionsgroup.com
http://twitter.com/geosolutions_it



+1

Can we consider being a bit more forthright, “on by default”, with security things, as it is too easy for folks with long-running implementations to not keep up with best practice.

Backport with the improvement added and a clear security consideration section calling out the new functionality.

I know our policy is to make stable, and especially maintenance, releases preserve existing workflow. In this case I think the safety improvement is worth asking admins to pay attention. Security is special :)

Aside: it is probably time to enable the entity resolution allow list by default.

Jody

Jody Garnett
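Jody's aside concerns a different allow list, the one that decides which external entities an XML parser may resolve. As an added example written for this page, not GeoServer's own entity resolver, here is the same idea on Python's `xml.sax`: an `EntityResolver` that serves only system IDs fully matching an allow-list pattern and refuses everything else, so a document carrying `<!ENTITY xxe SYSTEM "file:///etc/passwd">` fails instead of reading the file. The class and function names, the allow pattern, the entity URL and both XML documents are constructed for the example, and the allowed entity's content comes from an in-memory map so that nothing is fetched from the network.

```python
import io
import re
import xml.sax
from xml.sax import handler, xmlreader


class EntityDenied(Exception):
    """Raised when a document references an external entity that is not allow-listed."""


class EntityAllowList(handler.EntityResolver):
    """SAX EntityResolver that resolves only system IDs fully matching an allow-list.

    `fetch(system_id) -> bytes` stands in for the real network/file fetch of an
    allowed entity so that this illustration runs offline.
    """

    def __init__(self, allow_patterns, fetch):
        self.allow_patterns = [re.compile(p) for p in allow_patterns]
        self.fetch = fetch
        self.denied = []  # audit trail of refused system IDs

    def decide(self, system_id):
        """Pure decision: True only if `system_id` fully matches an allow pattern."""
        if system_id is None:
            return False
        return any(p.fullmatch(system_id) for p in self.allow_patterns)

    def resolveEntity(self, publicId, systemId):
        if not self.decide(systemId):
            self.denied.append(systemId)
            # Fail closed: refusing is an error, not a silently empty entity.
            raise EntityDenied(f"external entity {systemId!r} is not on the allow-list")
        source = xmlreader.InputSource(systemId)
        source.setByteStream(io.BytesIO(self.fetch(systemId)))
        return source


class _TextCollector(handler.ContentHandler):
    """Collects character data so the demo can show what the parser actually expanded."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_with_allow_list(xml_bytes, resolver):
    """Parse with external general entities enabled but gated by `resolver`.

    Returns the concatenated character data; raises EntityDenied if a
    referenced external entity was refused.
    """
    parser = xml.sax.make_parser()
    # Opt in to external general entities; without this the resolver is never
    # consulted because Python leaves them disabled by default.
    parser.setFeature(handler.feature_external_ges, True)
    parser.setEntityResolver(resolver)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    try:
        parser.parse(io.BytesIO(xml_bytes))
    except xml.sax.SAXParseException as exc:
        # A refusal may surface as our own exception or, via expat's error
        # handling, as a generic parse error; normalise it to EntityDenied.
        if resolver.denied:
            raise EntityDenied(f"refused external entities: {resolver.denied}") from exc
        raise
    return "".join(collector.parts)


# Constructed inputs for the illustration (assumed names and URLs).
ALLOWED_ENTITIES = {
    "https://schemas.example.org/common.ent": b"<note>shared text</note>",
}
ALLOW_PATTERNS = [r"https://schemas\.example\.org/.*"]

SAFE_DOC = (b'<!DOCTYPE doc [<!ENTITY common SYSTEM '
            b'"https://schemas.example.org/common.ent">]>'
            b'<doc>&common;</doc>')
XXE_DOC = (b'<!DOCTYPE doc [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
           b'<doc>&xxe;</doc>')


def make_resolver():
    """Fresh resolver over the constructed allow-list and in-memory entity store."""
    return EntityAllowList(ALLOW_PATTERNS, lambda sid: ALLOWED_ENTITIES[sid])


if __name__ == "__main__":
    print("allowed entity expanded to:", repr(parse_with_allow_list(SAFE_DOC, make_resolver())))
    resolver = make_resolver()
    try:
        parse_with_allow_list(XXE_DOC, resolver)
    except EntityDenied as exc:
        print("blocked:", exc, "| audit:", resolver.denied)
```

The parser has to opt in to external general entities for the resolver to be consulted at all; Python's default leaves them off, which is the "off by default" posture the thread is debating for GeoServer's checks. Keeping `denied` as an audit trail gives an operator something to review before switching an allow list on in production.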

+1

Regards,

Nuno Oliveira


Nuno Miguel Carvalho Oliveira
@nmcoliveira
Technical Lead / Project Manager

GeoSolutions Group
phone: +39 0584 962313
fax: +39 0584 1660272

https://www.geosolutionsgroup.com/
http://twitter.com/geosolutions_it


Hmm… nope, if the direction was to have it enabled by default, I’d consider waiting for September instead.
Let’s backport with disabled as default, mark the release blog for security consideration, and tell people to enable and configure instead?

Cheers
Andrea


+1 for backport with disabled by default.

While security is important, we don’t want people not upgrading at all because we’ve broken their configs. This path still gets the security patch in for those who need it, but doesn’t break any existing systems.

Cheers,
Torben

On Thu, May 11, 2023 at 10:16 AM Andrea Aime <andrea.aime@anonymised.com> wrote:

On Wed, May 10, 2023 at 2:06 AM Jody Garnett <jody.garnett@anonymised.com> wrote:

+1

I know our policy is to make stable, and especially maintenance, releases preserve existing workflow. In this case I think the safety improvement is worth asking admins to pay attention. Security is special :)

Hmm… nope, if the direction was to have it enabled by default, I’d consider waiting for September instead.
Let’s backport with disabled as default, mark the release blog for security consideration, and tell people to enable and configure instead?

Cheers
Andrea

Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel