Reminder that the next PMC meeting is scheduled for tomorrow, December 16, at 18:30 CET.

Cheers,
Torben

GeoTools / GeoServer PMC meeting - 2025-12-16

Attending

• Torben Barsballe
• Cécile Vuilleumier
• Pierre Mauduit
• Jody Garnett
• Jukka Rahkonen
• Peter Smythe
• Andrea Aime

Actions from prior meetings:

• All: Test out the GeoServer 3.0 Nightly build
• Check builds for repo.osgeo.org for 502 errors, it seems like it has improved

Agenda

1. Release Schedule
2. OGC Certification Renewal
3. 2026 Budget / Sponsorship
4. Service version selection
5. Configurable custom CRS authorities and transformation factories
6. Nullify properties on REST PUT
7. Security scanning in GeoServer main
8. Happy holidays / Chit Chat

Actions

• Jody: Send email, or news item, asking for 2026 cite certification, listing what certifications would be lost, etc…
• Peter: Run the CITE 2.28.1 tests first, as the above how to pay for it is sorted out
• Jody: Write blog post for 2026 Sponsorship, update wiki page, etc..
• Invite Cécile to geoserver-security volunteer list (thanks for work thus far!)

Release Schedule

• 2.27.4 is scheduled for Thursday, but no volunteers are listed
  • Peter has stepped up! Thanks Peter

OGC Certification Renewal

See sponsorship topic below!

• How much money is needed? This is for full year …

Options:

1. Do nothing, remove certification
2. Retain the certification we get for free
3. Or do we pay for the full certification?
   1. For 2025 we were certified for half a year at 450 EUR.
      Around 1000 EUR
   2. aside: We can also certify GS3 later in the year, and have budget for that

Q: Do we have PSC money?

• Yes we do …
• But this takes away a clear sponsorship objective, with separate logos on the home page, etc…
• So good to ask very clear if anyone wants to sponsor this?

Q: What would we lose?
- We keep the ones we are reference implementations for, … the others we lose
- For example we would lose OGCAPI-Feature certification as there are 2 reference implementations already for public testing
- include list of what would be lost in the email
- https://portal.ogc.org/public_ogc/compliance/product.php?pid=1846 shows what we have

• Reference implementations we keep if we re-certify
• We would lose:

1. OGC API - Features - Part 1: Core 1.0
2. OGC API - Features - Part 2: Coordinate Reference Systems by Reference 1.0
3. OpenGIS Web Feature Service (WFS) Implementation Specification 1.1.0
4. OpenGIS Web Feature Service (WFS) Implementation Specification (Basic) 1.1.0
5. OpenGIS Web Feature Service (WFS) Implementation Specification (Transactional) 1.1.0
6. OpenGIS Web Feature Service - Basic 2.0
7. OpenGIS Web Feature Service - Locking 2.0
8. OpenGIS Web Feature Service - Transactional 2.0
9. OpenGIS Web Feature Service 2.0 Interface Standard (also ISO 19142) 2.0
10. OpenGIS Web Map Service (WMS) Implementation Specification 1.3.0
11. OpenGIS Web Map Tile Service Implementation Standard 1.0.0
12. Web Map Service 1.1.1

• Option one: All
  • 12 * $150 = $1800 USD
• Option two: Only latest version of each service

Note:

• There should be new OGCAPI standards that can be added over the course of the year … stay tuned! (OGC API Tiles 1.0)
• OSGeo board is also noticing this as a recurring expense and may talk with OGC as OSGeo wishes to promote adoption and this expense makes it uneven encouragement between reference implementation projects and others…

Note: For sponsors this is EXCELLENT visibility on the geoserver home page separate from other sponsors, and on very slide about these services etc…

See https://geoserver.org/ home page heading “CERTIFIED OGC COMPLIANT”:

Q: What happens in 2026?

• the dynamic badge should turn off
  https://portal.ogc.org/public_ogc/compliance/srv_ogc_compliance_badge2.php?id=102&pid=1846
• Valid Until: 2026-01-09

Actions:

• Jody: Send email, or news item, asking for 2026 cite certification, listing what certifications would be lost, etc…
• Peter: Run the CITE 2.28.1 tests first, as the above how to pay for it is sorted out

2026 Budget / Sponsorship

Sponsorship opportunities:

• OGC CITE Certification, solid expense with great visibility for prospective sponsors
• Support geoserver-security as cyber resilience act begins to bite (chomp chomp chomp). This one is important.
• that is more than enough
• OSGeo has not done a call for budget as they are doing board elections right now. And have no money I guess….

Action:

• Jody: Write blog post for 2026 Sponsorship, update wiki page, etc…

Service version selection

• List discussion
  • surfaced a few times (example WCS)
  • How to turn on and off WCS 1.1 and WCS 1.0
  • Can we add this to ServiceInfo? … wow
  • Check thread for plan …
• ServiceInfo provides disabled list, for backwards compatibility with data directory
• Q: Profiles? Like WFS 1.1 Transaction
  A: Not in scope
• This would be great, workspace level, …

This is great, jody would like a GSIP if we can

Configurable custom CRS authorities and transformation factories

What is this?

• EPSG (earth) and IAU (for mars and the moon and france)
• Can we include our own authority for a specific server? So for the specific GeoServer…
• user projection “foo.properties” → “FOO:1234” as an extra authority
  • Insert South Park respect my authority here
• Have something to drop-in a transformation between EPSG ←→ FOO
  • IAU, IGN, …
• Approach: Properties files …
  • Builds on existing work, ..
• Alternative approach: Expand database, … nope do not have funds

GSIP pending funding, input very much welcome.

• great idea, very helpful for the folks that need it

Who can use this:

• national agencies that define their own authority, would allow them to use GeoServer (e.g. IGN)
• Field data collection where site has own or survey has its own setup for the location
• some cities have their own, to have smaller numbers

Can these the definition be:

• Via new OGCAPI Protocols the URI goes to the OGC
• For these custom ones, it would be up to the user to setup a website for the URIs
• WOULD BE NICE:
  Perhaps an OGCAPI endpoint that takes a URI and provides the definition?

Nullify properties on REST PUT

okay going quickly:

• Make a PUT against REST configuration api a null value, code cannot determine if you set null, or did not provide a value.
  • Our PUT is more like a Patch (using values to update the entry)
  • This is a problem, any ideas?
  • null reason in xml:
    <foo/>
    <foo reason**=”null”/>**

json:
{
nativeSRS: null;
}

But in Java null is null?

• What about Optional? Massive API change

• Null.String
  Null.Integer
  Null.Boolean - this one is a problem
  Boolean valueOf(boolean b) results in Boolean.TRUE or Boolean.FALSE
  public static Boolean valueOf(String s) – nope

• for v1

  • Add Set<String> removed():
    Mark the fields to actually remove
    This would allow things to be removed…
    Which we cannot do right now …
  • Smarter to adopt something like the patch example below

• for v2

  • Proper put, no partial objects
  • Property patch, follow the documented convention also documented as jsonpath

[
{ “op”: “test”, “path”: “/a/b/c”, “value”: “foo” },
{ “op”: “remove”, “path”: “/a/b/c” },
{ “op”: “add”, “path”: “/a/b/c”, “value”: [ “foo”, “bar” ] },
{ “op”: “replace”, “path”: “/a/b/c”, “value”: 42 },
{ “op”: “move”, “from”: “/a/b/c”, “path”: “/a/b/d” },
{ “op”: “copy”, “from”: “/a/b/d”, “path”: “/a/b/e” }
]

Security scanning in GeoServer main

Activities

1. Scan dependencies maven plugin OWASP
   1. caution: Note scan results should be kept private
   2. there is a profile you can try out already on src/pom.xml
2. Use Sonar Cloud to scan the code
   1. How does this work since it is a commercial tool?
      Free if you keep the information public; not smart for open source project but GREAT advertising for sonar cloud
   2. So this may need ongoing budget / sponsorship to be viable
   3. Perhaps an option to set up our own server alongside the build server?
3. github action like DependaBot, to make automatic PRs

Looking at this in the scope of GS3 if budget is available for the activity:

• Would not delay 3.0 release in March, …

Note this produces more stuff to review, so it is important to resource geoserver-security so people can actually ready the results and act…

• so back to sponsorship priority

Happy holidays / Chit Chat

action:

• Invite Cécile to geoserver-security volunteer list (thanks for work thus far!)

Hi,

A remark about the alternative and custom CRS authority codes, for some other implementations it has been a surprise that code part is not always numeric as in the EPSG:1234 codes. Especially IGNF, for example IGNF:C67IG95UTM21.GUYA77

-Jukka Rahkonen-