With the RC out of the way; I still have some customers waiting on a stable release for security improvements.
Is it okay if I make a 2.21.x release? That way we still get a stable release for October here.
Jody
–
Jody Garnett
+1000 from me, this way we get back on track
Cheers
Andrea
Regards,
Andrea Aime
+1 from me
Ian
Ian Turton
Here is a draft blog post while we wait for the build process: https://github.com/geoserver/geoserver.github.io/pull/135
Okay, gather the bits for release:
- Security hiding layer groups: https://github.com/geoserver/geoserver/pull/6290 (done)
- Windows installer needs assembly changes backport https://github.com/geoserver/geoserver/pull/6291 (done)
  aside: Noticed many of the assemblies try and gather src/release/RELEASE_NOTES.txt … which has not been present since 2.13.x
- Did a round up of other backports, we should be good …
–
Jody Garnett
On Thu, 20 Oct 2022 at 07:17, Jody Garnett <jody.garnett@anonymised.com> wrote:
> With the RC out of the way; I still have some customers waiting on a stable release for security improvements.
> Is it okay if I make a 2.21.x release? That way we still get a stable release for October here.
> Jody
Do we want to mention the CVE-2022-42889 vulnerability, that doesn’t actually affect us and is now patched anyway?
Ian
Ian Turton
We do not have a ticket for it (since we were not affected).
I think I am against reporting CVEs from dependencies where our software is not affected. It just adds “noise”. I would prefer when we have a security vulnerability section that everyone take it seriously and upgrade…
What do you think?
Jody
–
Jody Garnett
On Sat, 22 Oct 2022, 17:23 Jody Garnett, <jody.garnett@anonymised.com> wrote:
> We do not have a ticket for it (since we were not affected).
Well we do have a ticket, it just doesn’t mention the CVE. I’ve answered one question on the security list and one on gis.se so people seem worried about it.
> I think I am against reporting CVEs from dependencies where our software is not affected. It just adds “noise”. I would prefer when we have a security vulnerability section that everyone take it seriously and upgrade…
> What do you think?
Since we do use the affected jar it is probably worth mentioning in the release notes.
Ian
> Jody
> On Sat, Oct 22, 2022 at 3:01 AM Ian Turton <ijturton@anonymised.com> wrote:
>> Do we want to mention the CVE-2022-42889 vulnerability, that doesn’t actually affect us and is now patched anyway?
>> Ian
>> On Sat, 22 Oct 2022 at 04:52, Jody Garnett <jody.garnett@anonymised.com> wrote:
>>> Here is a draft blog post while we wait for the build process: https://github.com/geoserver/geoserver.github.io/pull/135
>>> Okay, gather the bits for release:
>>> - Security hiding layer groups: https://github.com/geoserver/geoserver/pull/6290 (done)
>>> - Windows installer needs assembly changes backport https://github.com/geoserver/geoserver/pull/6291 (done)
>>>   aside: Noticed many of the assemblies try and gather src/release/RELEASE_NOTES.txt … which has not been present since 2.13.x
>>> - Did a round up of other backports, we should be good …
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
–
Ian Turton
On 22-10-2022 at 18:23, Jody Garnett wrote:
> I think I am against reporting CVEs from dependencies where our software is not affected. It just adds "noise". I would prefer when we have a security vulnerability section that everyone take it seriously and upgrade....
I agree with Jody on this
- M
Sounds good Ian, please make the change as a suggestion to the PR and it should go in
–
Jody Garnett
Release artifacts are available for pre-flight testing:
–
Jody Garnett