That is an email best sent to geoserver-security email list (where we figure out such stuff).
For more information please see our security policy https://github.com/geoserver/geoserver/security -- Jody Garnett On May 30, 2024 at 8:00:00 AM, "Lahr-Vivaz, Emilio" < emilio.lahr-vi...@ga-ccri.com> wrote: > Hey guys, > > I don't want to put any additional work on anyone, but if anyone is > feeling inspired, netty 4.1.41.Final has several high-severity CVEs out > against it[1] (current latest is 4.1.110.Final). > > Thanks, > > *Emilio Lahr-Vivaz* > General Atomics, CCRi > > [1]: https://github.com/netty/netty/security > > ------------------------------ > *From:* Andrea Aime <andrea.a...@geosolutionsgroup.com> > *Sent:* Thursday, May 30, 2024 10:45 AM > *To:* Gabriel Roldan <gabriel.rol...@camptocamp.com> > *Cc:* GeoServer <geoserver-devel@lists.sourceforge.net> > *Subject:* Re: [Geoserver-devel] Thinking about community modules > packaging > > Hi Gabriel, > my plan would be to split the COG module into sub-parts, because when one > needs to deploy on AWS, the azure libraries are not needed, > and vice versa. So make a packaging looking like: > > - cog-core (http support) > - cog-aws > - cog-azure > - cog-google > > That should hopefully solve the issue, because cog-azure uses the > azure-storage-blob v11, just like the blobstore. > > > Regards, > > Andrea Aime > > > == > GeoServer Professional Services from the experts! > > Visit http://bit.ly/gs-services-us for more information. > == > > Ing. Andrea Aime > @geowolf > Technical Lead > > GeoSolutions Group > phone: +39 0584 962313 > > fax: +39 0584 1660272 > > mob: +39 339 8844549 > > https://www.geosolutionsgroup.com/ > > http://twitter.com/geosolutions_it > > ------------------------------------------------------- > > Con riferimento alla normativa sul trattamento dei dati personali (Reg. UE > 2016/679 - Regolamento generale sulla protezione dei dati “GDPR”), si > precisa che ogni circostanza inerente alla presente email (il suo > contenuto, gli eventuali allegati, etc.) è un dato la cui conoscenza è > riservata al/i solo/i destinatario/i indicati dallo scrivente. Se il > messaggio Le è giunto per errore, è tenuta/o a cancellarlo, ogni altra > operazione è illecita. Le sarei comunque grato se potesse darmene notizia. > > This email is intended only for the person or entity to which it is > addressed and may contain information that is privileged, confidential or > otherwise protected from disclosure. We remind that - as provided by > European Regulation 2016/679 “GDPR” - copying, dissemination or use of this > e-mail or the information herein by anyone other than the intended > recipient is prohibited. If you have received this email by mistake, please > notify us immediately by telephone or e-mail > > > On Thu, May 30, 2024 at 4:38 PM Gabriel Roldan < > gabriel.rol...@camptocamp.com> wrote: > > I'm afraid this would solve the packaging issue but not the problem of > deploying both the COG and the Azure blobstore extensions, as you'd end up > with duplicate netty dependencies with incompatible versions. > > In GeoServer Cloud I had to deal with this specific issue, using the > "dependencyConvergence" maven enforcer plugin rule [1], and ensuring a > single version of each duplicate dependency is in place. With the > additional overhead of ensuring the plugins whose dependencies are > overridden still work. > > For the specific case of the netty version, I'm pegging it to > 4.1.41.Final. Both COG and Azure blobstore work with that one. > The libs are in the pom's "dependencyConvergence" maven profile [3]. > > So probably we could do something similar in geoserver to ensure a single > version of each dependency is ever present. > Though that'd probably open its own can of worms. Perhaps just making sure > both COG and Azure blobstore carry over netty 4.1.41.Final would suffice > for the time being, without a rewrite of the Azure blobstore? > > [1] > https://github.com/geoserver/geoserver-cloud/blob/main/src/pom.xml#L904 > [2] > https://github.com/geoserver/geoserver-cloud/blob/main/src/pom.xml#L30-L32 > [3] > https://github.com/geoserver/geoserver-cloud/blob/main/src/pom.xml#L1070-L1124 > *camp**to**camp* > INNOVATIVE SOLUTIONS > BY OPEN SOURCE EXPERTS > > *Gabriel Roldán* > Geospatial Developer > > > > On Wed, May 29, 2024 at 12:35 PM Lahr-Vivaz, Emilio < > emilio.lahr-vi...@ga-ccri.com> wrote: > > Sounds good, dependency sets do provide include/exclude filtering[1] (or > if the pom already has things correctly scoped as provided vs compile then > you can easily filter out provided), but I'm all for easy wins! > > Thanks, > > Emilio > > [1]: > https://maven.apache.org/plugins/maven-assembly-plugin/examples/single/including-and-excluding-artifacts.html > > *Emilio Lahr-Vivaz* > General Atomics, CCRi > ------------------------------ > *From:* Andrea Aime <andrea.a...@geosolutionsgroup.com> > *Sent:* Wednesday, May 29, 2024 11:15 AM > *To:* Lahr-Vivaz, Emilio <emilio.lahr-vi...@ga-ccri.com> > *Cc:* Jody Garnett <jody.garn...@gmail.com>; GeoServer < > geoserver-devel@lists.sourceforge.net> > *Subject:* Re: [Geoserver-devel] Thinking about community modules > packaging > > Hi Emilio, > I'm aware of it, but there are issues... one one side, we want to package > in the zip file only the jars that are not already covered by core. > The other bit is, even if there was a way to achieve the above, all 74 > community module packaging files would have to be individually rewritten. > > What I'm proposing is simple, mechanical, and can be at least partially > automated, which means, it fits a small budget. > If we can party up with several people and attempt a technically better > approach, so that my isolated effort is more or less the same, > I'm all for it! > > Regards, > > Andrea Aime > > > == > GeoServer Professional Services from the experts! > > Visit http://bit.ly/gs-services-us for more information. > == > > Ing. Andrea Aime > @geowolf > Technical Lead > > GeoSolutions Group > phone: +39 0584 962313 > > fax: +39 0584 1660272 > > mob: +39 339 8844549 > > https://www.geosolutionsgroup.com/ > > http://twitter.com/geosolutions_it > > ------------------------------------------------------- > > Con riferimento alla normativa sul trattamento dei dati personali (Reg. UE > 2016/679 - Regolamento generale sulla protezione dei dati “GDPR”), si > precisa che ogni circostanza inerente alla presente email (il suo > contenuto, gli eventuali allegati, etc.) è un dato la cui conoscenza è > riservata al/i solo/i destinatario/i indicati dallo scrivente. Se il > messaggio Le è giunto per errore, è tenuta/o a cancellarlo, ogni altra > operazione è illecita. Le sarei comunque grato se potesse darmene notizia. > > This email is intended only for the person or entity to which it is > addressed and may contain information that is privileged, confidential or > otherwise protected from disclosure. We remind that - as provided by > European Regulation 2016/679 “GDPR” - copying, dissemination or use of this > e-mail or the information herein by anyone other than the intended > recipient is prohibited. If you have received this email by mistake, please > notify us immediately by telephone or e-mail > > > On Wed, May 29, 2024 at 5:06 PM Lahr-Vivaz, Emilio < > emilio.lahr-vi...@ga-ccri.com> wrote: > > If it's helpful, the maven assembly plugin has a concept of > 'dependencySets', which could replace some of the fileSets and allow you to > avoid running dependencies:dependency-copy. > > Thanks, > > Emilio > > ------------------------------ > *From:* Andrea Aime <andrea.a...@geosolutionsgroup.com> > *Sent:* Wednesday, May 29, 2024 10:40 AM > *To:* Jody Garnett <jody.garn...@gmail.com> > *Cc:* GeoServer <geoserver-devel@lists.sourceforge.net> > *Subject:* Re: [Geoserver-devel] Thinking about community modules > packaging > > Hi Jody. > yes each module would have the assembly configuration local, besides its > pom.xml. > I've made a small experiment, on the COG module alone, this should work: > > <assembly> > <id>cog-plugin</id> > <formats> > <format>zip</format> > </formats> > <includeBaseDirectory>false</includeBaseDirectory> > <fileSets> > <fileSet> > <directory>target/dependency</directory> > <outputDirectory></outputDirectory> > <includes> > <include>annotations-2.*.jar</include> > <include>auth-2.*.jar</include> > <include>aws-*-2.*.jar</include> > <include>azure-storage*.jar</include> > <include>checksums-*2*.jar</include> > <include>client-runtime*.jar</include> > <include>crt-core-*-2*.jar</include> > <include>endpoints-spi-2*.jar</include> > <include>gs-cog*.jar</include> > <include>http-auth-*2*.jar</include> > <include>http-client-spi-2*.jar</include> > <include>http*-osgi*.jar</include> > <include>imageio-ext-*rangereader*.jar</include> > <include>identity-spi*.jar</include> > <include>jackson-datatype*.jar</include> > <include>jackson-module*.jar</include> > <include>kotlin-stdlib*.jar</include> > <include>metrics-spi-2.*.jar</include> > <include>*netty*.jar</include> > <include>okhttp*.jar</include> > <include>okio*.jar</include> > <include>profiles-2.*.jar</include> > <include>protocol-core-2.*.jar</include> > <include>reactive-streams*.jar</include> > <include>regions-2.*.jar</include> > <include>rxjava*.jar</include> > <include>s3-2.*.jar</include> > <include>sdk-core-2.*.jar</include> > <include>utils-2.*.jar</include> > </includes> > </fileSet> > <fileSet> > <directory>target</directory> > <outputDirectory></outputDirectory> > <includes> > <include>gs-cog*.jar</include> > </includes> > </fileSet> > </fileSets> > </assembly> > > To work, it still requires dependencies:dependency-copy to run, which we > can either have running > subject to a flag, or move it as part of the explicit build instructions. > > Regards, > > Andrea Aime > > > == > GeoServer Professional Services from the experts! > > Visit http://bit.ly/gs-services-us for more information. > == > > Ing. Andrea Aime > @geowolf > Technical Lead > > GeoSolutions Group > phone: +39 0584 962313 > > fax: +39 0584 1660272 > > mob: +39 339 8844549 > > https://www.geosolutionsgroup.com/ > > http://twitter.com/geosolutions_it > > ------------------------------------------------------- > > Con riferimento alla normativa sul trattamento dei dati personali (Reg. UE > 2016/679 - Regolamento generale sulla protezione dei dati “GDPR”), si > precisa che ogni circostanza inerente alla presente email (il suo > contenuto, gli eventuali allegati, etc.) è un dato la cui conoscenza è > riservata al/i solo/i destinatario/i indicati dallo scrivente. Se il > messaggio Le è giunto per errore, è tenuta/o a cancellarlo, ogni altra > operazione è illecita. Le sarei comunque grato se potesse darmene notizia. > > This email is intended only for the person or entity to which it is > addressed and may contain information that is privileged, confidential or > otherwise protected from disclosure. We remind that - as provided by > European Regulation 2016/679 “GDPR” - copying, dissemination or use of this > e-mail or the information herein by anyone other than the intended > recipient is prohibited. If you have received this email by mistake, please > notify us immediately by telephone or e-mail > > > On Wed, May 29, 2024 at 4:35 PM Jody Garnett <jody.garn...@gmail.com> > wrote: > > I would like to see each module contains its own assembly, it would make > things more normal. > > Initially we made the release module to force assembly to occur at the > end, and to avoid taking the time to build download artifacts during day to > day development. > > We could keep the release profile and only build zip download bundles when > it is used. > -- > Jody Garnett > > > On Wed, May 29, 2024 at 1:15 AM Andrea Aime < > andrea.a...@geosolutionsgroup.com> wrote: > > Hi all, > I've got reports that the COG community module packaged zip bundles are > not working any > longer. Looking into it, it seems there are conflicting versions of > dependencies that are causing the trouble. > > As you probably know, the packaging is currently done this way: > > - A "release" module depends on all the modules that want to be > packages > - The release module dumps all these module dependencies into a single > directory > - Each module packaging descriptor picks from that pile of jars using > globs > > Now, we already had some issues with incompatible dependency versions, but > we more or less managed. Now there is a group of 3 different community > modules that depend, in turn, to AWS and Azure cloud libraries, which in > turn depend on Netty. Unfortunately, two different and incompatible > versions of it. > Ideally, we could just upgrade the Azure blob storage library in GWC, but > that amounts to a rewrite of the module. > > Rather than doing that, I'd suggest to untangle community module packaging > in the simplest possible way: > > - Have each module collect its own dependencies in target/dependencies > when a specific profile is used (e.g., -Passembly?) > - Have the assembly descriptor point at its own module > - Get rid of the "release" module > > Ideally we could do that for extensions as well, but I'd try that with > community modules first. > > Thoughts? > > Regards, > > Andrea Aime > > > == > GeoServer Professional Services from the experts! > > Visit http://bit.ly/gs-services-us for more information. > == > > Ing. Andrea Aime > @geowolf > Technical Lead > > GeoSolutions Group > phone: +39 0584 962313 > > fax: +39 0584 1660272 > > mob: +39 339 8844549 > > https://www.geosolutionsgroup.com/ > > http://twitter.com/geosolutions_it > > ------------------------------------------------------- > > Con riferimento alla normativa sul trattamento dei dati personali (Reg. UE > 2016/679 - Regolamento generale sulla protezione dei dati “GDPR”), si > precisa che ogni circostanza inerente alla presente email (il suo > contenuto, gli eventuali allegati, etc.) è un dato la cui conoscenza è > riservata al/i solo/i destinatario/i indicati dallo scrivente. Se il > messaggio Le è giunto per errore, è tenuta/o a cancellarlo, ogni altra > operazione è illecita. Le sarei comunque grato se potesse darmene notizia. > > This email is intended only for the person or entity to which it is > addressed and may contain information that is privileged, confidential or > otherwise protected from disclosure. We remind that - as provided by > European Regulation 2016/679 “GDPR” - copying, dissemination or use of this > e-mail or the information herein by anyone other than the intended > recipient is prohibited. If you have received this email by mistake, please > notify us immediately by telephone or e-mail > _______________________________________________ > Geoserver-devel mailing list > Geoserver-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/geoserver-devel > > _______________________________________________ > Geoserver-devel mailing list > Geoserver-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/geoserver-devel > > _______________________________________________ > Geoserver-devel mailing list > Geoserver-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/geoserver-devel > > _______________________________________________ > Geoserver-devel mailing list > Geoserver-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/geoserver-devel >
_______________________________________________ Geoserver-devel mailing list Geoserver-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/geoserver-devel