[Geoserver-devel] PSC meeting notes, March 1st 2022

Hi,

This release note links works for me now without login. Have you/they changed something?

https://osgeo-org.atlassian.net/jira/secure/ReleaseNote.jspa?projectId=10000&version=16838

2.21-RC works as well

https://osgeo-org.atlassian.net/jira/secure/ReleaseNote.jspa?projectId=10000&version=16829

I noticed that when I am logged in and browse the release pages in Jira the url is like https://osgeo-org.atlassian.net/secure/… and requires login but by adding /jira/ like in https://osgeo-org.atlassian.net/jira/secure/… the release notes can be accessed. Does not seem to have an effect on other kind of reports and tested only with a sample of two release notes.

-Jukka-

···

Lähettäjä: Andrea Aime <andrea.aime@…6887…>
Lähetetty: tiistai 1. maaliskuuta 2022 20.24
Vastaanottaja: GeoServer geoserver-devel@lists.sourceforge.net
Aihe: [Geoserver-devel] PSC meeting notes, March 1st 2022

GeoTools / GeoServer PMC meeting - 2022-02-15### Attending- Jody Garnet

  • Kevin Smith
  • Andrea Aime
  • Jukka Rahkonnen
  • Torben Barsballe

Actions from prior meetings:- Jody: Ask email list on release manager availability for 2.19.5 and 2.21-RC [done, Ian on 2.19.5, Jody reluctantly volunteer with 2.21-RC]

  • Andrea: Check with geonode developers about disabling 2.18.x / 2.18.x nightly builds [2.18.x needed for another month, 2.19.x for another 6]

Agenda- Jira users limit update

  • Build Server Release Jobs
  • ImageIO-EXT update
  • Log4J status update and tentative release date
  • handling of security vulnerabilities
  • ML archives
  • Java 11

Actions- action: jody: update communication page to change from nabble to mailarchive

  • action: take github advisory discussion to geoserver-devel list
  • action: aaime: Make a proposal to make 2.22.x Java 11 only

Jira users limit update

250 more users (so users can now create new accounts) and indication of how to use REST API to clean more users

Ideas

  • can we make an “anonymous” read-only user to access release notes?
  • problem will go away as prior release notes available in github

To try navigate to: https://osgeo-org.atlassian.net/jira/software/c/projects/GEOS/issues/?filter=allissues, click back to project, login is required.

Jukka reports direct link to release notes is okay (2.12-RC1): https://osgeo-org.atlassian.net/jira/secure/ReleaseNote.jspa?projectId=10000&version=16600

New releases (2.20.3) https://osgeo-org.atlassian.net/jira/secure/ReleaseNote.jspa?projectId=10000&version=16838

Build Server Release Jobs- having some trouble deploying to nexus (grr)

[INFO] Security UI JDBC Module … SUCCESS [01:35 min]

[INFO] Security UI LDAP Module … SUCCESS [ 49.735 s]

[INFO] REST UI Module … SUCCESS [ 42.090 s]

[INFO] GeoServer Web Application … FAILURE [10:51 min]

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-deploy-plugin:2.7:deploy (default-deploy) on project gs-web-app: Failed to deploy artifacts: Could not transfer artifact org.geoserver.web:gs-web-app:jar:2.20.3 from/to nexus (https://repo.osgeo.org/repository/Geoserver-releases/): Transfer failed for https://repo.osgeo.org/repository/Geoserver-releases/org/geoserver/web/gs-web-app/2.20.3/gs-web-app-2.20.3.jar: Connection reset → [Help 1]

  • windows installer permissions remain an a trouble (the exe is copied)

Release status notes:

ImageIO-EXT update

Benchmarking of GDAL: here

A number of PRs:

Log4J status update and tentative release date

Status update: jody working on it this week

  • goal to have geotools updated and documented this week

Tentative release date: it will take 1-2 weeks to do

Expect 2.21-RC mid month, see imageIO-EXT update also

handling of security vulnerabilities

Some email discussion:

  • email discussion clarifies current practice

  • We may wish to add this to the developers guide? Can hand out link …

  • Consider https://docs.github.com/en/code-security/repository-security-advisories/about-github-security-advisories-for-repositories

  • Could enable, geoserver would get actually CVE

  • Alerts community once patch is released…

  • May take place of current procedure

  • Review outstanding issues, several are already closed/resolved - just not announced as they were waiting for prior releases to age out

  • Consider tagging, will need to remember when making new RC to check

  • action: take github advisory discussion to geoserver-devel list

ML archives

Notes:

action: update communication page to change from nabble to mailarchive :

Java 11?

More and more dependencies are Java 11 only …

  • some “updated” by accident (did not notice)

Why now?

  • 2 years of Java 11 support if we update for 2.22.x timeframe?

Can we skip Java 11 and go to Java 17 LTS?

  • Would requite ImageIO → ImageN (not ready yet, no tests)
  • no spring framework yet
  • library issues: ASAM and Mockito

action: aaime: Make a proposal to make 2.22.x Java 11 only.