Hey guys,

I don't want to put any additional work on anyone, but if anyone is feeling 
inspired, netty 4.1.41.Final has several high-severity CVEs out against it[1] 
(current latest is 4.1.110.Final).

Thanks,

Emilio Lahr-Vivaz
General Atomics, CCRi

[1]: https://github.com/netty/netty/security

________________________________
From: Andrea Aime <andrea.a...@geosolutionsgroup.com>
Sent: Thursday, May 30, 2024 10:45 AM
To: Gabriel Roldan <gabriel.rol...@camptocamp.com>
Cc: GeoServer <geoserver-devel@lists.sourceforge.net>
Subject: Re: [Geoserver-devel] Thinking about community modules packaging

Hi Gabriel,
my plan would be to split the COG module into sub-parts, because when one needs 
to deploy on AWS, the azure libraries are not needed,
and vice versa. So make a packaging looking like:

  *   cog-core (http support)
  *   cog-aws
  *   cog-azure
  *   cog-google

That should hopefully solve the issue, because cog-azure uses the 
azure-storage-blob v11, just like the blobstore.


Regards,

Andrea Aime


==
GeoServer Professional Services from the experts!

Visit http://bit.ly/gs-services-us for more information.
==

Ing. Andrea Aime
@geowolf
Technical Lead


GeoSolutions Group
phone: +39 0584 962313

fax:     +39 0584 1660272

mob:   +39  339 8844549


https://www.geosolutionsgroup.com/

http://twitter.com/geosolutions_it

-------------------------------------------------------

Con riferimento alla normativa sul trattamento dei dati personali (Reg. UE 
2016/679 - Regolamento generale sulla protezione dei dati "GDPR"), si precisa 
che ogni circostanza inerente alla presente email (il suo contenuto, gli 
eventuali allegati, etc.) è un dato la cui conoscenza è riservata al/i solo/i 
destinatario/i indicati dallo scrivente. Se il messaggio Le è giunto per 
errore, è tenuta/o a cancellarlo, ogni altra operazione è illecita. Le sarei 
comunque grato se potesse darmene notizia.

This email is intended only for the person or entity to which it is addressed 
and may contain information that is privileged, confidential or otherwise 
protected from disclosure. We remind that - as provided by European Regulation 
2016/679 "GDPR" - copying, dissemination or use of this e-mail or the 
information herein by anyone other than the intended recipient is prohibited. 
If you have received this email by mistake, please notify us immediately by 
telephone or e-mail


On Thu, May 30, 2024 at 4:38?PM Gabriel Roldan 
<gabriel.rol...@camptocamp.com<mailto:gabriel.rol...@camptocamp.com>> wrote:
I'm afraid this would solve the packaging issue but not the problem of 
deploying both the COG and the Azure blobstore extensions, as you'd end up with 
duplicate netty dependencies with incompatible versions.

In GeoServer Cloud I had to deal with this specific issue, using the 
"dependencyConvergence" maven enforcer plugin rule [1], and ensuring a single 
version of each duplicate dependency is in place. With the additional overhead 
of ensuring the plugins whose dependencies are overridden still work.

For the specific case of the netty version, I'm pegging it to 4.1.41.Final. 
Both COG and Azure blobstore work with that one.
The libs are in the pom's "dependencyConvergence" maven profile [3].

So probably we could do something similar in geoserver to ensure a single 
version of each dependency is ever present.
Though that'd probably open its own can of worms. Perhaps just making sure both 
COG and Azure blobstore carry over netty 4.1.41.Final would suffice for the 
time being, without a rewrite of the Azure blobstore?

[1] https://github.com/geoserver/geoserver-cloud/blob/main/src/pom.xml#L904
[2] https://github.com/geoserver/geoserver-cloud/blob/main/src/pom.xml#L30-L32
[3] 
https://github.com/geoserver/geoserver-cloud/blob/main/src/pom.xml#L1070-L1124
camptocamp
INNOVATIVE SOLUTIONS
BY OPEN SOURCE EXPERTS

Gabriel Roldán
Geospatial Developer



On Wed, May 29, 2024 at 12:35?PM Lahr-Vivaz, Emilio 
<emilio.lahr-vi...@ga-ccri.com<mailto:emilio.lahr-vi...@ga-ccri.com>> wrote:
Sounds good, dependency sets do provide include/exclude filtering[1] (or if the 
pom already has things correctly scoped as provided vs compile then you can 
easily filter out provided), but I'm all for easy wins!

Thanks,

Emilio

[1]: 
https://maven.apache.org/plugins/maven-assembly-plugin/examples/single/including-and-excluding-artifacts.html

Emilio Lahr-Vivaz
General Atomics, CCRi
________________________________
From: Andrea Aime 
<andrea.a...@geosolutionsgroup.com<mailto:andrea.a...@geosolutionsgroup.com>>
Sent: Wednesday, May 29, 2024 11:15 AM
To: Lahr-Vivaz, Emilio 
<emilio.lahr-vi...@ga-ccri.com<mailto:emilio.lahr-vi...@ga-ccri.com>>
Cc: Jody Garnett <jody.garn...@gmail.com<mailto:jody.garn...@gmail.com>>; 
GeoServer 
<geoserver-devel@lists.sourceforge.net<mailto:geoserver-devel@lists.sourceforge.net>>
Subject: Re: [Geoserver-devel] Thinking about community modules packaging

Hi Emilio,
I'm aware of it, but there are issues... one one side, we want to package in 
the zip file only the jars that are not already covered by core.
The other bit is, even if there was a way to achieve the above, all 74 
community module packaging files would have to be individually rewritten.

What I'm proposing is simple, mechanical, and can be at least partially 
automated, which means, it fits a small budget.
If we can party up with several people and attempt a technically better 
approach, so that my isolated effort is more or less the same,
I'm all for it!


Regards,

Andrea Aime


==
GeoServer Professional Services from the experts!

Visit http://bit.ly/gs-services-us for more information.
==

Ing. Andrea Aime
@geowolf
Technical Lead


GeoSolutions Group
phone: +39 0584 962313

fax:     +39 0584 1660272

mob:   +39  339 8844549


https://www.geosolutionsgroup.com/

http://twitter.com/geosolutions_it

-------------------------------------------------------

Con riferimento alla normativa sul trattamento dei dati personali (Reg. UE 
2016/679 - Regolamento generale sulla protezione dei dati "GDPR"), si precisa 
che ogni circostanza inerente alla presente email (il suo contenuto, gli 
eventuali allegati, etc.) è un dato la cui conoscenza è riservata al/i solo/i 
destinatario/i indicati dallo scrivente. Se il messaggio Le è giunto per 
errore, è tenuta/o a cancellarlo, ogni altra operazione è illecita. Le sarei 
comunque grato se potesse darmene notizia.

This email is intended only for the person or entity to which it is addressed 
and may contain information that is privileged, confidential or otherwise 
protected from disclosure. We remind that - as provided by European Regulation 
2016/679 "GDPR" - copying, dissemination or use of this e-mail or the 
information herein by anyone other than the intended recipient is prohibited. 
If you have received this email by mistake, please notify us immediately by 
telephone or e-mail


On Wed, May 29, 2024 at 5:06?PM Lahr-Vivaz, Emilio 
<emilio.lahr-vi...@ga-ccri.com<mailto:emilio.lahr-vi...@ga-ccri.com>> wrote:
If it's helpful, the maven assembly plugin has a concept of 'dependencySets', 
which could replace some of the fileSets and allow you to avoid running 
dependencies:dependency-copy.

Thanks,

Emilio

________________________________
From: Andrea Aime 
<andrea.a...@geosolutionsgroup.com<mailto:andrea.a...@geosolutionsgroup.com>>
Sent: Wednesday, May 29, 2024 10:40 AM
To: Jody Garnett <jody.garn...@gmail.com<mailto:jody.garn...@gmail.com>>
Cc: GeoServer 
<geoserver-devel@lists.sourceforge.net<mailto:geoserver-devel@lists.sourceforge.net>>
Subject: Re: [Geoserver-devel] Thinking about community modules packaging

Hi Jody.
yes each module would have the assembly configuration local, besides its 
pom.xml.
I've made a small experiment, on the COG module alone, this should work:

<assembly>
  <id>cog-plugin</id>
  <formats>
    <format>zip</format>
  </formats>
  <includeBaseDirectory>false</includeBaseDirectory>
  <fileSets>
    <fileSet>
      <directory>target/dependency</directory>
      <outputDirectory></outputDirectory>
      <includes>
        <include>annotations-2.*.jar</include>
        <include>auth-2.*.jar</include>
        <include>aws-*-2.*.jar</include>
        <include>azure-storage*.jar</include>
        <include>checksums-*2*.jar</include>
        <include>client-runtime*.jar</include>
        <include>crt-core-*-2*.jar</include>
        <include>endpoints-spi-2*.jar</include>
        <include>gs-cog*.jar</include>
        <include>http-auth-*2*.jar</include>
        <include>http-client-spi-2*.jar</include>
        <include>http*-osgi*.jar</include>
        <include>imageio-ext-*rangereader*.jar</include>
        <include>identity-spi*.jar</include>
        <include>jackson-datatype*.jar</include>
        <include>jackson-module*.jar</include>
        <include>kotlin-stdlib*.jar</include>
        <include>metrics-spi-2.*.jar</include>
        <include>*netty*.jar</include>
        <include>okhttp*.jar</include>
        <include>okio*.jar</include>
        <include>profiles-2.*.jar</include>
        <include>protocol-core-2.*.jar</include>
        <include>reactive-streams*.jar</include>
        <include>regions-2.*.jar</include>
        <include>rxjava*.jar</include>
        <include>s3-2.*.jar</include>
        <include>sdk-core-2.*.jar</include>
        <include>utils-2.*.jar</include>
      </includes>
    </fileSet>
    <fileSet>
      <directory>target</directory>
      <outputDirectory></outputDirectory>
      <includes>
        <include>gs-cog*.jar</include>
      </includes>
    </fileSet>
  </fileSets>
</assembly>

To work, it still requires dependencies:dependency-copy to run, which we can 
either have running
subject to a flag, or move it as part of the explicit build instructions.


Regards,

Andrea Aime


==
GeoServer Professional Services from the experts!

Visit http://bit.ly/gs-services-us for more information.
==

Ing. Andrea Aime
@geowolf
Technical Lead


GeoSolutions Group
phone: +39 0584 962313

fax:     +39 0584 1660272

mob:   +39  339 8844549


https://www.geosolutionsgroup.com/

http://twitter.com/geosolutions_it

-------------------------------------------------------

Con riferimento alla normativa sul trattamento dei dati personali (Reg. UE 
2016/679 - Regolamento generale sulla protezione dei dati "GDPR"), si precisa 
che ogni circostanza inerente alla presente email (il suo contenuto, gli 
eventuali allegati, etc.) è un dato la cui conoscenza è riservata al/i solo/i 
destinatario/i indicati dallo scrivente. Se il messaggio Le è giunto per 
errore, è tenuta/o a cancellarlo, ogni altra operazione è illecita. Le sarei 
comunque grato se potesse darmene notizia.

This email is intended only for the person or entity to which it is addressed 
and may contain information that is privileged, confidential or otherwise 
protected from disclosure. We remind that - as provided by European Regulation 
2016/679 "GDPR" - copying, dissemination or use of this e-mail or the 
information herein by anyone other than the intended recipient is prohibited. 
If you have received this email by mistake, please notify us immediately by 
telephone or e-mail


On Wed, May 29, 2024 at 4:35?PM Jody Garnett 
<jody.garn...@gmail.com<mailto:jody.garn...@gmail.com>> wrote:
I would like to see each module contains its own assembly, it would make things 
more normal.

Initially we made the release module to force assembly to occur at the end, and 
to avoid taking the time to build download artifacts during day to day 
development.

We could keep the release profile and only build zip download bundles when it 
is used.
--
Jody Garnett


On Wed, May 29, 2024 at 1:15?AM Andrea Aime 
<andrea.a...@geosolutionsgroup.com<mailto:andrea.a...@geosolutionsgroup.com>> 
wrote:
Hi all,
I've got reports that the COG community module packaged zip bundles are not 
working any
longer. Looking into it, it seems there are conflicting versions of 
dependencies that are causing the trouble.

As you probably know, the packaging is currently done this way:

  *   A "release" module depends on all the modules that want to be packages
  *   The release module dumps all these module dependencies into a single 
directory
  *   Each module packaging descriptor picks from that pile of jars using globs

Now, we already had some issues with incompatible dependency versions, but we 
more or less managed. Now there is a group of 3 different community modules 
that depend, in turn, to AWS and Azure  cloud libraries, which in turn depend 
on Netty. Unfortunately, two different and incompatible versions of it.
Ideally, we could just upgrade the Azure blob storage library in GWC, but that 
amounts to a rewrite of the module.

Rather than doing that, I'd suggest to untangle community module packaging in 
the simplest possible way:

  *   Have each module collect its own dependencies in target/dependencies when 
a specific profile is used (e.g., -Passembly?)
  *   Have the assembly descriptor point at its own module
  *   Get rid of the "release" module

Ideally we could do that for extensions as well, but I'd try that with 
community modules first.

Thoughts?


Regards,

Andrea Aime


==
GeoServer Professional Services from the experts!

Visit http://bit.ly/gs-services-us for more information.
==

Ing. Andrea Aime
@geowolf
Technical Lead


GeoSolutions Group
phone: +39 0584 962313

fax:     +39 0584 1660272

mob:   +39  339 8844549


https://www.geosolutionsgroup.com/

http://twitter.com/geosolutions_it

-------------------------------------------------------

Con riferimento alla normativa sul trattamento dei dati personali (Reg. UE 
2016/679 - Regolamento generale sulla protezione dei dati "GDPR"), si precisa 
che ogni circostanza inerente alla presente email (il suo contenuto, gli 
eventuali allegati, etc.) è un dato la cui conoscenza è riservata al/i solo/i 
destinatario/i indicati dallo scrivente. Se il messaggio Le è giunto per 
errore, è tenuta/o a cancellarlo, ogni altra operazione è illecita. Le sarei 
comunque grato se potesse darmene notizia.

This email is intended only for the person or entity to which it is addressed 
and may contain information that is privileged, confidential or otherwise 
protected from disclosure. We remind that - as provided by European Regulation 
2016/679 "GDPR" - copying, dissemination or use of this e-mail or the 
information herein by anyone other than the intended recipient is prohibited. 
If you have received this email by mistake, please notify us immediately by 
telephone or e-mail
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net<mailto:Geoserver-devel@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net<mailto:Geoserver-devel@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net<mailto:Geoserver-devel@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

Reply via email to