Jukka and Andrea: I updated the https://github.com/geoserver/geoserver/wiki/Jakarta-EE page based on the ideas brought up in today's meeting.
I think it is great emphasis to have for next year (prior to Java 11 reaching end-of-life). I did notice that different distributors have different dates for java 11 service: - Oracle: 2023-09-30 <-- this is soon :) - OpenJDK: 2023-09-30 - RedHat: 2024-10 - Adoptium: 2024-10 (the one we follow) - Microsoft: 2024-10 With commercial support being available longer. -- Jody Garnett On Sep 26, 2023 at 10:40:12 AM, Andrea Aime < andrea.a...@geosolutionsgroup.com> wrote: > GeoTools / GeoServer PMC meeting - 2023-09-26Attending > > - > > Torben Barsballe > - > > Jody Garnett > - > > Jukka Rahkonnen > - > > Andrea Aime > > Actions from prior meetings: > > - > > action: Discuss with Alexandre Gacon on the geoserver-devel list about > translation (done) > - > > action: Ask on the geoserver-devel list for assistance setting up new > branches and jobs (done) > > Agenda > > - > > GeoServer 2.24-RC / GeoTools 30-RC > - > > GSIP 220 - Revised Security Policy and CVE handling > > Actions > > - > > > GeoServer 2.24-RC / GeoTools 30-RC > > GeoTools 30-RC: > > - > > thanks to downstream projects you are excellent > > > Released: > > > https://geoserver.org/announcements/2023/09/25/geoserver-2-24-RC-released.html > > > - > > twitter (aaime) > - > > mastodon (jody) > - > > linkedin (jody) > > > Community modules: > > - > > script worked well :) added instructions for next time > - > > consider updating script to block out community module tickets from > the main list > - > > action: gabe did not have docs for geoserver-acl > - > > action: GPL license is not included > - > > GEOS-11134 - GeoServer 2.24-RC packaging feedback > <https://osgeo-org.atlassian.net/browse/GEOS-11134> > > > When do we wish to make the release? > > - > > two weeks → October 10th? > > > Docker image with ogcapi features > > > docker run -it -p8080:8080 --env INSTALL_EXTENSIONS=true --env > COMMUNITY_EXTENSIONS="ogcapi-features" docker.osgeo.org/geoserver:2.24.x > > Welcome to GeoServer 2.24-RC > > Initialize /opt/geoserver_data/ from data directory included in > geoserver.war > > Starting download of extensions > > URL does not exist: /geoserver-2.24-RC-ogcapi-features-plugin.zip > > Finished download of extensions > > Starting installation of extensions > > Finished installation of extensions > > lol: > > - > > 2.24.x should pull from nightly server > - > > stable should pull from source forge > - > > it got confused checking 2.24-RC and thinks it is a “snapshot” > > > > https://build.geoserver.org/view/release/job/geoserver-release-docker/390/parameters/ > > > https://build.geoserver.org/view/release/job/geoserver-release-docker/390/console > > > Jody fails bash if/else check: > > - > > https://github.com/geoserver/docker/blob/master/build/release.sh > > > > GSIP 220 - Revised Security Policy and CVE handling > > The experiment with creating a CVE number has helped communication with > national CVE Numbering Authority, they recommend our policy is clearly a > “Coordinated Vulnerability Disclosure” (since we disclose when patch is > ready on stable and maintenance). > > > - > > Be clear we can provide CVE number > - > > Be clear we time our announcements in SECURITY.md file > > > action: > > - > > jody: update security.md file with “Coordinated Vulnerability > Disclosure” heading > - > > aaime: credit steve on jai-ext jiffle vulnerability? it was already > one .. > > > Steve wished credit on https://github.com/advisories/GHSA-59x6-g4jr-4hxc > > - > > this was externally reported so we do not have direct control > - > > jody did a pull request, perhaps steve can do the same? > - > > jody also asked MITRE three times to update the original ( > https://nvd.nist.gov/vuln/detail/CVE-2023-35042) > > > aside: Credit Steve on: > > - > > GHSA-59x6-g4jr-4hxc > - > > GHSA-fh7p-5f6g-vj2w > > > Update prior security vulnerability sections: > > - > > > > https://geoserver.org/announcements/2023/07/21/geoserver-2-23-2-released.html > publish the new CVE number > update security vulnerability sections with CVE number > - > > > > https://geoserver.org/announcements/2023/09/25/geoserver-2-24-RC-released.html > h2 no longer included; not really a vulnerability as no known exploit. > but we can make a heading for it. > > > Chit chat > > Roadmap - Java 11 becomes EOL in 2024? > > - > > Can we just run with Java 17 and Tomcat 9? I think so … > - > > Compiling for Java 17? JAI → ImageN? > - > > We have the code, but *no* test cases were provided (and no native > code) > - > > This is clean-room code so we need to write out own test-cases > - > > https://github.com/eclipse/imagen :) > > > Tomcat 10: > > - > > someone had success with automatic conversion on the email list? Huh? > How … > - > > uses bytecode on the fly hacking … > - > > “successful” in startup, but I would not trust in production, .. > > JavaEE: > > - > > requires Java 17 because of spring6, then need to do everything at > once, … > > > - > > https://github.com/geoserver/geoserver/wiki/Jakarta-EE > - > > TOO MUCH to do in one go? can we split it up … > > - > > Phase 1 > - > > Wicket 7 → Wicket 9 > - > > JAI → ImageN > - > > spring-security-oauth modules > - > > Phase 2 > - > > Java 17 minimum > - > > Phase 3 > - > > JakartaEE > - > > spring-framework? > > > action: > > - > > Jukka: blog post about this :) > > > _______________________________________________ > Geoserver-devel mailing list > Geoserver-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/geoserver-devel >
_______________________________________________ Geoserver-devel mailing list Geoserver-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/geoserver-devel
