GeoTools / GeoServer PMC meeting - 2023-09-26

Attending
- Torben Barsballe
- Jody Garnett
- Jukka Rahkonnen
- Andrea Aime

Actions from prior meetings:
- action: Discuss with Alexandre Gacon on the geoserver-devel list about translation (done)
- action: Ask on the geoserver-devel list for assistance setting up new branches and jobs (done)

Agenda
- GeoServer 2.24-RC / GeoTools 30-RC
- GSIP 220 - Revised Security Policy and CVE handling

Actions
-

GeoServer 2.24-RC / GeoTools 30-RC

GeoTools 30-RC:
- thanks to downstream projects you are excellent

Released: https://geoserver.org/announcements/2023/09/25/geoserver-2-24-RC-released.html
- twitter (aaime)
- mastodon (jody)
- linkedin (jody)

Community modules:
- script worked well :) added instructions for next time
- consider updating script to block out community module tickets from the main list
- action: gabe did not have docs for geoserver-acl
- action: GPL license is not included
- GEOS-11134 - GeoServer 2.24-RC packaging feedback <https://osgeo-org.atlassian.net/browse/GEOS-11134>

When do we wish to make the release?
- two weeks → October 10th?

Docker image with ogcapi features

    > docker run -it -p8080:8080 --env INSTALL_EXTENSIONS=true --env COMMUNITY_EXTENSIONS="ogcapi-features" docker.osgeo.org/geoserver:2.24.x
    Welcome to GeoServer 2.24-RC
    Initialize /opt/geoserver_data/ from data directory included in geoserver.war
    Starting download of extensions
    URL does not exist: /geoserver-2.24-RC-ogcapi-features-plugin.zip
    Finished download of extensions
    Starting installation of extensions
    Finished installation of extensions

lol:
- 2.24.x should pull from nightly server
- stable should pull from source forge
- it got confused checking 2.24-RC and thinks it is a “snapshot”

https://build.geoserver.org/view/release/job/geoserver-release-docker/390/parameters/
https://build.geoserver.org/view/release/job/geoserver-release-docker/390/console

Jody fails bash if/else check:
- https://github.com/geoserver/docker/blob/master/build/release.sh

GSIP 220 - Revised Security Policy and CVE handling

The experiment with creating a CVE number has helped communication with national CVE Numbering Authority, they recommend our policy is clearly a “Coordinated Vulnerability Disclosure” (since we disclose when patch is ready on stable and maintenance).
- Be clear we can provide CVE number
- Be clear we time our announcements in SECURITY.md file

action:
- jody: update security.md file with “Coordinated Vulnerability Disclosure” heading
- aaime: credit steve on jai-ext jiffle vulnerability? it was already one ..

Steve wished credit on https://github.com/advisories/GHSA-59x6-g4jr-4hxc
- this was externally reported so we do not have direct control
- jody did a pull request, perhaps steve can do the same?
- jody also asked MITRE three times to update the original (https://nvd.nist.gov/vuln/detail/CVE-2023-35042)

aside: Credit Steve on:
- GHSA-59x6-g4jr-4hxc
- GHSA-fh7p-5f6g-vj2w

Update prior security vulnerability sections:
- https://geoserver.org/announcements/2023/07/21/geoserver-2-23-2-released.html
  publish the new CVE number
  update security vulnerability sections with CVE number
- https://geoserver.org/announcements/2023/09/25/geoserver-2-24-RC-released.html
  h2 no longer included; not really a vulnerability as no known exploit. but we can make a heading for it.

Chit chat

Roadmap
- Java 11 becomes EOL in 2024?
- Can we just run with Java 17 and Tomcat 9? I think so …
- Compiling for Java 17?

JAI → ImageN?
- We have the code, but *no* test cases were provided (and no native code)
- This is clean-room code so we need to write our own test-cases
- https://github.com/eclipse/imagen :)

Tomcat 10:
- someone had success with automatic conversion on the email list? Huh? How …
- uses bytecode on the fly hacking …
- “successful” in startup, but I would not trust in production, ..

JavaEE:
- requires Java 17 because of spring6, then need to do everything at once, …
- https://github.com/geoserver/geoserver/wiki/Jakarta-EE
- TOO MUCH to do in one go? can we split it up …
- Phase 1
  - Wicket 7 → Wicket 9
  - JAI → ImageN
  - spring-security-oauth modules
- Phase 2
  - Java 17 minimum
- Phase 3
  - JakartaEE
  - spring-framework?

action:
- Jukka: blog post about this :)