Attending

- Torben Barsballe
- Jody Garnett
- Jukka Rahkonen
- Peter Smythe
- Austin Joachim
- Kevin Smith

Actions from prior meetings:

- Jody: (In Progress) Ask Brad about A/B testing, and if modal dialog is a blocker
- Update release announcements with CVE links at the end of June
- Update spring-framework roadmap, for geofence communication refactor

Agenda

- GDAL Version Support and Community Modules
- How to add people to geoserver-security list
- CVE Disclosure Update
- Release Schedule
- Roadmap communication
- Snowflake DataStore

Actions

- Torben: Add @ignore to failing ogr-jni and vsi tests
- Torben: Update supported GDAL version in docs
- Torben: Add flag to fail imageio-ext-gdal tests if GDAL bindings aren’t found
- Jody: Reject recent geoserver-security join attempt: This is a volunteer list with no possibility to subscribe. Please contact geotools-devel if you wish to volunteer.
- Jody: Add something to our developers guide for geoserver-security list (in addition to SECURITY.md note)

GDAL Version Support and Community Modules

Work on macOS build for geotools for GDAL testing:

- homebrew gdal stopped working
- custom build with java bindings
- found that community/ogr-jni and ogr-vsi do not support any 3.2+ (due to API change int / long etc…)
- action: fix or @ignore tests for ogr-jni and ogr-vsi so build works
- action: update gdal supported versions in docs

All the other OGR/GDAL tests are not running…

- https://github.com/geotools/geotools/pull/4808
- action: Add flag to fail on skipped gdal

How to add people to geoserver-security list

The recent disclosures have highlighted the role of the geoserver-security email list:

- Jody has encouraged core-contributors (at least) to subscribe
- but really we seek volunteers here…
- https://github.com/geoserver/geoserver/blob/main/SECURITY.md indicates it is volunteers but not how to join?
  Those seeking greater visibility are encouraged to volunteer with the geoserver-security list.
- From https://geoserver.org/comm/ geoserver-security is a “moderated listed with no possibility to subscribe” (and no archives)

We have a subscription request from an astun technologies employee: Tom Chadwin <tomchad...@astuntechnology.com>

- they visited https://lists.osgeo.org/mailman/listinfo/geoserver-security and tried subscribing
- Anybody know him? A couple emails in 2022
- action: Reject: This is a volunteer list with no possibility to subscribe. Please contact geotools-devel if you wish to volunteer.
- action: Add something to our developers guide for geoserver-security list (in addition to SECURITY.md note)

CVE Disclosure Update

Disclosures published:

- https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv
  - Mitigation patched jars for prior downloads, uploaded to SF
- https://github.com/geoserver/geoserver/security/advisories/GHSA-j59v-vgcr-hxvf
- https://github.com/geoserver/geoserver/security/advisories/GHSA-jhqx-5v5g-mpf3

Andrea provided patched jars for earlier geotools (thanks these are uploaded to SF).

- https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w
  - The example here {...} seems confusing? org.geotools.data.complex.expression.MapPropertyAccessorFactory.new PropertyAccessor() {...}.get(Object, String, Class<T>)
  - Feedback: Searching for these methods would not indicate if you are safe or not? You can provide an xpath via many ways that ends up in these methods.
  - action: (done) GHSA-w3pj-wh35-fq8w mitigation updated to ask apps to check for and remove “gt-complex” jar …

Feedback is okay:

- noticed slack #geoserver channel only noticing now …

Release Schedule

Ian has volunteered - schedule updated.

Roadmap communication

Jody did not manage a Q2 update, shall we try for a Q3 (sigh):

- No code sprint seems to be in the works, insufficient sponsorship response
- Highlight activities that can be done now, to provide opportunity for those responding with in-kind support
  - The spring-security core based OIDC client work can go ahead? Any interested parties?
  - ImageN is ready; need to reinvite

Development stuff:

- Gabe (camptocamp) and Jody (geocat) are looking at OGCAPI-Features to extension status. A lot of work is being highlighted as this has been “code sprint quality” code :P
- Jody is going to have a rematch with mkdocs; try the approach Peter suggested of setting up an automation to publish to gh-pages (so everyone can take part in fixing RST docs for migration)

Snowflake DataStore

Marc here to talk about a proof-of-concept of a snowflake datastore for GeoTools.

- Marc is mentoring Austin as they look at prior datastores MySQL datastore and others …
- Unit tests? Yes …
- Integration tests? Mark as “OnlineTest” and then developer can add “.geotools/snowflake/connections.parameters” in order to run such tests locally. Apparently a challenge with 2FA (lo!)
  - MongoDB and others get these challenges
- Looking for guidance on coding standards and approach:
  - See the documentation <https://docs.geotools.org/latest/developer/procedures/create.html>
  - Ask on the email list for commit access to add a community module
  - Community modules have very permissive code standards, when things graduate to extension there are a few more requirements

See the developers guide for penguin or fish examples:

- https://docs.geotools.org/latest/developer/procedures/create.html
- low friction to make a community module (don’t break the build)
- only get serious review when graduating to a plugin/extension

_______________________________________________
GeoTools-Devel mailing list
GeoTools-Devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geotools-devel