[Geoserver-devel] PSC meeting notes, March 1st 2022

GeoTools / GeoServer PMC meeting - 2022-02-15

Attending

   - Jody Garnet
   - Kevin Smith
   - Andrea Aime
   - Jukka Rahkonnen
   - Torben Barsballe

Actions from prior meetings:

   - Jody: Ask email list on release manager availability for 2.19.5 and
     2.21-RC [done, Ian on 2.19.5, Jody reluctantly volunteers for 2.21-RC]
   - Andrea: Check with geonode developers about disabling 2.18.x / 2.18.x
     nightly builds [2.18.x needed for another month, 2.19.x for another 6]

Agenda

   - Jira users limit update
   - Build Server Release Jobs
   - ImageIO-EXT update
   - Log4J status update and tentative release date
   - handling of security vulnerabilities
   - ML archives
   - Java 11

Actions

   - action: jody: update communication page to change from nabble to
     mailarchive
   - action: take github advisory discussion to geoserver-devel list
   - action: aaime: Make a proposal to make 2.22.x Java 11 only

Jira users limit update

250 more users (so users can now create new accounts) and an indication of
how to use the REST API to clean up more users

Ideas

   - can we make an "anonymous" read-only user to access release notes?
   - problem will go away as prior release notes are available in github

To try, navigate to
https://osgeo-org.atlassian.net/jira/software/c/projects/GEOS/issues/?filter=allissues
and click back to project; login is required.

Jukka reports direct link to release notes is okay (2.12-RC1):
https://osgeo-org.atlassian.net/jira/secure/ReleaseNote.jspa?projectId=10000&version=16600

New releases (2.20.3)
https://osgeo-org.atlassian.net/jira/secure/ReleaseNote.jspa?projectId=10000&version=16838

Build Server Release Jobs

   - having some trouble deploying to nexus (grr)

[INFO] Security UI JDBC Module ............................ SUCCESS [01:35 min]
[INFO] Security UI LDAP Module ............................ SUCCESS [ 49.735 s]
[INFO] REST UI Module ..................................... SUCCESS [ 42.090 s]
[INFO] GeoServer Web Application .......................... FAILURE [10:51 min]
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-deploy-plugin:2.7:deploy (default-deploy) on project gs-web-app: Failed to deploy artifacts: Could not transfer artifact org.geoserver.web:gs-web-app:jar:2.20.3 from/to nexus (https://repo.osgeo.org/repository/Geoserver-releases/): Transfer failed for https://repo.osgeo.org/repository/Geoserver-releases/org/geoserver/web/gs-web-app/2.20.3/gs-web-app-2.20.3.jar: Connection reset -> [Help 1]

   - windows installer permissions remain a trouble (the exe is copied)

Release status notes:

   - 2.20.3 is being tested, blog post written
     <https://github.com/geoserver/geoserver.github.io/pull/120> (with
     security vulnerabilities noted)
      - include in announcement if fixes in all stable branches (see 2.19.5
        below)
   - 2.19.5 Ian waiting feedback, will merge security fixes above?
      - published
        <https://sourceforge.net/projects/geoserver/files/GeoServer/2.19.5/>
        just not announced (Andrea pinged Ian)
      - https://github.com/geoserver/geoserver/pull/5695

ImageIO-EXT update

Benchmarking of GDAL: here
<https://docs.google.com/spreadsheets/d/1nPUtXkrbelUPM8XuLuXsr3oYe19lw8Z9faEGGD-9fnY/edit?usp=sharing>

A number of PRs:

   - https://github.com/geosolutions-it/imageio-ext/pull/253
   - https://github.com/geotools/geotools/pull/3808
   - https://github.com/geoserver/geoserver/pull/5704

Log4J status update and tentative release date

Status update: jody working on it this week

   - goal to have geotools updated and documented this week

Tentative release date: it will take 1-2 weeks to do

Expect 2.21-RC mid month, see imageIO-EXT update also

handling of security vulnerabilities

Some email discussion:

   - email discussion clarifies current practice
      - We may wish to add this to the developers guide? Can hand out link …
   - Consider
     https://docs.github.com/en/code-security/repository-security-advisories/about-github-security-advisories-for-repositories
      - Could enable, GeoServer would actually get a CVE
      - Alerts community once patch is released…
      - May take place of current procedure
   - Review outstanding issues, several are already closed/resolved - just
     not announced as they were waiting for prior releases to age out
      - Consider tagging, will need to remember when making new RC to check
   - action: take github advisory discussion to geoserver-devel list

ML archives

Notes:

   - nabble is gone, still mentioned here: http://geoserver.org/comm/
   - sourceforge archive got stuck, and is now unstuck …

action: update communication page to change from nabble to mailarchive:

   - users
     <https://www.mail-archive.com/geoserver-users@lists.sourceforge.net/>
   - devel
     <https://www.mail-archive.com/geoserver-devel@lists.sourceforge.net/>

Java 11?

More and more dependencies are Java 11 only …

   - some "updated" by accident (did not notice)

Why now?

   - 2 years of Java 11 support if we update for 2.22.x timeframe?

Can we skip Java 11 and go to Java 17 LTS?

   - Would require ImageIO → ImageN (not ready yet, no tests)
   - no spring framework yet
   - library issues: ASAM and Mockito

action: aaime: Make a proposal to make 2.22.x Java 11 only.