[Geoserver-devel] Release train starting for 2.21.x

With the RC out of the way, I still have some customers waiting on a stable release for security improvements.

Is it okay if I make a 2.21.x release? That way we still get a stable release for October here.

Jody



Jody Garnett

+1000 from me, this way we get back on track

Cheers
Andrea


Regards,

Andrea Aime


+1 from me

Ian


Ian Turton

Here is a draft blog post while we wait for the build process: https://github.com/geoserver/geoserver.github.io/pull/135

Okay, gather the bits for release:


Jody Garnett


Do we want to mention the CVE-2022-42889 vulnerability, that doesn’t actually affect us and is now patched anyway?

Ian


Ian Turton

We do not have a ticket for it (since we were not affected).

I think I am against reporting CVEs from dependencies where our software is not affected. It just adds “noise”. I would prefer when we have a security vulnerability section that everyone take it seriously and upgrade…

What do you think?

Jody



Jody Garnett

On Sat, 22 Oct 2022, 17:23 Jody Garnett, <jody.garnett@anonymised.com> wrote:

We do not have a ticket for it (since we were not affected).

Well, we do have a ticket, it just doesn’t mention the CVE. I’ve answered one question on the security list and one on gis.se so people seem worried about it.

I think I am against reporting CVEs from dependencies where our software is not affected. It just adds “noise”. I would prefer when we have a security vulnerability section that everyone take it seriously and upgrade…

What do you think?

Since we do use the affected jar it is probably worth mentioning in the release notes.

Ian


Ian Turton


Jody Garnett

On 22-10-2022 at 18:23, Jody Garnett wrote:

I think I am against reporting CVEs from dependencies where our software is not affected. It just adds "noise". I would prefer when we have a security vulnerability section that everyone take it seriously and upgrade....

I agree with Jody on this
- M

Sounds good Ian, please make the change as a suggestion to the PR and it should go in :)



Jody Garnett

Release artifacts are available for pre-flight testing:



Jody Garnett