GeoTools / GeoServer Meeting 2015-07-21
=======================================

Attending
---------

Ben Caradoc-Davies
Kevin Smith
Jody Garnett
Andrea Aime
Torben Barsballe

Agenda
------

- Backports for XXE vulnerability
- Release schedule
- CITE test upgrade status report

Actions
-------

- Torben: merge GEOS-7095 fix backports to 2.7.x, 2.6.x, and 2.5.x
- Kevin: submit port-scan fix and backport

Actions from last meeting
-------------------------

AA: Create Jira components Security (Authentication) and Security (Authorization) to replace Security

Backports for XXE vulnerability
-------------------------------

GeoServer only?

https://osgeo-org.atlassian.net/browse/GEOS-7095
- Torben's fix cuts down on url parameters for entity resolver
- future consideration of gt-xsd, xsd, xerces

action: create new bug report for SSRF discussion!

idea: schema resolution whitelist?
- what about feature portrayal?
- WPS inherently open to this class of attack? Either break WPS remote input resolution, or allow SSRF

idea: schema resolution blacklist?

idea: two-phase
1) resolve and check for local ip address and blacklist
2) then consult whitelist for local chained services

Action:
- Torben: Merge latest GEOS-7095 fix as an improvement (backport to 2.7.x for inclusion in 2.7.2 release, 2.6.x, and 2.5.x)
- Kevin: submit port-scan fix and backport (for 2.7.2 release)

No new 2.5.x release planned.

Release schedule
----------------

https://github.com/geoserver/geoserver/wiki/Release-Schedule
- discussion about short turnaround
- still later feature freeze is good :)

GT 13 release failed on rsync ...
http://ares.boundlessgeo.com/geotools/release/13.2/
http://repo.boundlessgeo.com/main/org/geotools/gt-main/13.2/

Ask Kevin to release GWC 1.7.2? Has time today, but not tomorrow.

CITE test upgrade status report
-------------------------------

https://github.com/aaime/geoserver-cite-tools/tree/ng

Prior:
- svn checkout, push to github, maintain a fork

Approach:
- git submodules (since cite is not deploying releases)
- no fork to maintain :)

Q: what to do to use this?
Justin did the previous ares configuration (extra scripts on ares).
Consider build directory in here for the extra scripts on ares...

1. merge to geoserver repo
2. grab scripts to a build directory
3. expect some test failures (on tests we plan together)
4. ideas for new tests: wmts, wfs 2.0, wps, wcs 2.0

Idea: run concurrently, merge to a different branch, migrate over a bit at a time.

CITE Conformance / Reference Implementation
-------------------------------------------

Idea:
- OGC may be able to host it
- configuration is tricky, say one workspace per specification and version

https://osgeo-org.atlassian.net/browse/GEOS-7089

Pull request roundup
--------------------

https://github.com/geotools/geotools/pull/918
- Jody to merge (needs docs)

https://github.com/geotools/geotools/pull/889
- merge and update (c) info

https://github.com/geoserver/geoserver/pull/1132
- roadmap discussion

https://github.com/geoserver/geoserver/pull/1114
- failing travis checks, waiting on s3 dependency

https://github.com/geoserver/geoserver/pull/1117
- broken but looks easy to fix

https://github.com/geoserver/geoserver/pull/1094
- waiting on test
- missing a bug report (seems to be a module conflict?)

--
Ben Caradoc-Davies <b...@transient.nz>
Director
Transient Software Limited <http://transient.nz/>
New Zealand
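
The two-phase idea noted under "Backports for XXE vulnerability" above, sketched as an added example; it is not part of the original minutes and not GeoServer code. It assumes one reading of the note (a host that resolves to any local address is refused unless host and port are on the whitelist of local chained services), and every host name, address and policy entry in it is constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed policy and DNS data for illustration; none of it is from GeoServer.
BLACKLIST = {"metadata.internal.example"}            # never fetched
LOCAL_WHITELIST = {("wfs.internal.example", 8080)}   # local chained services
SAMPLE_DNS = {"schemas.example.org": {"8.8.8.8"}, "wfs.internal.example": {"10.0.0.7"},
              "mixed.example.org": {"8.8.8.8", "10.0.0.5"}}

def sample_resolver(host):
    """Offline stand-in for DNS; raises KeyError for an unknown host."""
    return SAMPLE_DNS[host]

def system_resolver(host):
    """Resolve with the operating system resolver (needs network access)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_local(addr):
    """True when addr points back into the server's own host or network."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped          # judge ::ffff:a.b.c.d by its IPv4 form
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_reserved or ip.is_multicast)

def check_remote_reference(url, resolver=system_resolver):
    """Return (allowed, reason) for a remote schema or WPS input URL."""
    try:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed URL"
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return False, "scheme or host not allowed"
    try:
        addrs = resolver(host)
    except (OSError, KeyError):
        return False, "host does not resolve"
    # Phase 1: blacklist, then inspect every address the name resolves to.
    if host in BLACKLIST or not addrs:
        return False, "blacklisted or unresolvable host"
    if not any(is_local(a) for a in addrs):
        return True, "public address"
    # Phase 2: a local target is allowed only for whitelisted chained services.
    if (host, port) in LOCAL_WHITELIST:
        return True, "whitelisted local service"
    return False, "resolves to a local address"
```

The decision only holds if the fetch then connects to the addresses that were checked and the check is repeated for every redirect.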