GeoTools / GeoServer Meeting 2015-06-23
=======================================

Attending
---------

Ben Caradoc-Davies
Jukka Rahkonen
Jody Garnett
Kevin Smith
Andrea Aime

Agenda
------

- Vulnerability disclosure and notification process
- LayerGroup min/max Scale (design discussion)
- Preventing vulnerability with build checks
- CITE Test
- Feature freeze incoming
- Cross layer z-ordering (design discussion)

Actions
-------

AA: Create Security (Authentication) and Security (Authorization) to 
replace Security
BCD: email user list: "SECURITY: Remote file disclosure vulnerability 
[GEOS-7032]"
BCD: add Vulnerability component to GeoServer Jira

Actions from last meeting
-------------------------

- JG: Tag 14-M0 release in GitHub (this was only on ares, so would need 
to ssh in)
- BCD: Release 12.4 / 1.6.2 / 2.6.4 next week! (thanks Ben) [DONE]
- JG/BCD: Send PMC/PSC refresh emails to developer lists [PENDING]
- KS: follow up with Gabriel about blob store pull request (done)
- JG: MongoDB datastore request (done)
- KS: Kevin to follow up on pull request #707 [PENDING]

Vulnerability disclosure and notification process
-------------------------------------------------

What a crazy problem! Fundamental problem with XML parsing (turned on by 
default in most languages) ... except .NET :)

Anything else we need from Johannes Kröger? Not really, although it would 
be nice if he were here.

See: https://osgeo-org.atlassian.net/browse/GEOS-7032
See: 
http://osgeo-org.1560.x6.nabble.com/Handling-of-GEOS-7032-Remote-File-Disclosure-td5212383.html

Add a responsible disclosure process to the developers guide. See 
GSIP-129 for outline.

Discussion on teasing out authentication / authorization from security 
reports in Jira.

Q: Should we pull the 2.7.1 download link from the website home page?

- still available for download, but yes, it is a good idea

Q: Should we make a 2.7.1.1 patch release?

- if we have a volunteer?
- idea: we could make the release for GeoServer alone: check out the 
tag, apply the patch, and then release

Q: Should we email user list?

- Let's do so when the 2.7.1.1 patch release is available?
- Action: Ben to email list now (recommend nightly builds and 2.6.4 
maintenance release)
- Action: AA: edit description / example of GEOS-7032 to minimize casual 
damage (done)

Clarification:

* Edit irresponsible Jira reports to avoid the discoverability of 
exploits while they are being fixed
* Edit the Jira "description" to link to the developers guide page on 
responsible disclosure. Or put a link in the field description or 
something, custom workflow, etc...

Actions:

* JG: Update https://github.com/geoserver/geoserver/wiki/GSIP-129 based 
on discussion (developers guide and communication page).
* JG can look at custom field and/or workflow
* AA: untangle "authentication" and "authorization" components from 
"security" / "vulnerability" components?

Ben created a new Jira component for GeoServer: Vulnerability: Weakness 
that permits circumvention of security policy: FOLLOW RESPONSIBLE 
DISCLOSURE PROCEDURE IN DEVELOPER GUIDE BEFORE CREATING ISSUE

- Discussion about getting a CVE

LayerGroup min/max Scale (Design Discussion)
--------------------------------------------

Kevin: reusing a layer in different layer groups is difficult, as he 
would like the style to be the same but to control scale/visibility 
differently in each LayerGroup.

Jody: The layer-by-layer interpolation solution was upsetting to me (as 
clients do not know how many layers are in a LayerGroup). The SINGLE mode

The idea is to add a vendor option on a layer-by-layer basis in the 
LayerGroup. Need to discuss this with Mauro?

Treat both interpolation and min/max scale as vendor option.

So during GetMap request the LayerGroup is "unpacked".

Similar approach to: https://github.com/geoserver/geoserver/wiki/GSIP-111

Preventing vulnerability with build checks
------------------------------------------

A Jenkins plugin may allow us to run an automated vulnerability check:

* https://www.blackducksoftware.com/vulnerability-plugin

Can we make a build profile for this, similar to the database tests...

Action: need a volunteer or budget to look into this one...

CITE Tests
----------

Any update from Justin after FOSS4G NA? Andrea got a copy and is working 
on it...

Semi-working copy on the command line to get an XML report on pass/fail 
(i.e. for nightly builds). Kind of useless for debugging failures. The 
process is horribly manual: hand-edit files, copy from one place to the 
other, etc.... Sounds terrible.

Or stand up a local CITE server to test locally (must be inside Tomcat). 
Good for debugging GeoServer to see what is actually wrong.

Jody: We would like to help on this if you can send details to 
geoserver-devel.

Feature freeze incoming
-----------------------

Feature freeze is July 18th, no new features beyond that point.

Q: Did we reduce to one month due to low RC feedback?

Jody - if not I am willing to make one. RC feedback has been useless.

Indeed the milestone did not get any feedback (for GeoServer). Jukka 
indicated some feedback on the GeoServer user list.

GeoTools feedback has been positive from the LocationTech projects.

Action: Jody - will ask on the developer list about pushing back the 
schedule (Beta in July, RC in August, release in September). Feature 
freeze and branch on the RC1.

Cross layer z-ordering (Design discussion)
------------------------------------------

WMS model: the client decides the main z order

First ordering extension: apply sort-by at the feature type style level. 
Vendor param like sort-by in WFS. This provides in-layer z-ordering. 
Think of a road network.

What about rails and roads: separate tables, different attributes, OSM 
z-ordering style?

Idea: break the WMS model a bit: if two layers are side by side and 
use the same attributes, then do global ordering in that group.
Add a second tag, sort-group, to identify them.

Requirements:
- Introduce physical order (i.e. sorting) to make this repeatable
- Alternate: mark an attribute as "z-order" (this is limiting / confusing)
- Some ability to "group" feature-type styles into the same bucket (i.e. a 
vendor property "sortGroup: a". Two feature-type styles with the same 
group are handled together).
- Need a common attribute to sort on between the two layers?

Strategy: Take all the features from the two, dump them on disk (typical 
Andrea solution). Do a sort merge out of the file dump (avoids being 
memory bound and deadlock over database connections). Draw through both 
feature collections at the same time, swapping between the two as the 
z-order changes.

Discussion and Ideas:
- KS: Sort on y-order (useful for pretty maps)
- AA: sort on an expression (to cover the above)
- JG: Is the above not a requirement (since not all feature collections 
will have a common property to sort or compare on)? AA: this is too 
complicated to live - chances are this is beyond the scope of what we 
are trying to accomplish
- JG: Evaluate the expression and record the result in your feature dump. 
Vendor option "sortExpress: a + b"


-- 
Ben Caradoc-Davies <b...@transient.nz>
Director
Transient Software Limited <http://transient.nz/>
New Zealand
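
Added example, not GeoServer code and not from the meeting notes: a
stand-alone Java program illustrating the parser default the notes above
call a "fundamental problem with XML parsing", i.e. a JAXP DocumentBuilder
created with factory defaults (as on the JDK/Xerces stacks of the time)
resolves an external entity declared in the request DOCTYPE and hands back
the referenced local file as element text, while a hardened factory refuses
the DOCTYPE before any entity is read. The class name, the request payload
and the temp "secret" file are constructed for the illustration; nothing
here describes how GEOS-7032 itself was triggered or fixed.

```java
import java.io.File;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    // Constructed request body: the DOCTYPE declares an external entity that
    // points at a local file, and the body references it.
    static String payload(File secret) {
        return "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE request [\n"
            + "  <!ENTITY xxe SYSTEM \"" + secret.toURI() + "\">\n"
            + "]>\n"
            + "<request>&xxe;</request>";
    }

    // JAXP defaults: DOCTYPE accepted, external entities resolved and expanded.
    static DocumentBuilder defaultParser() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened: forbid DOCTYPE outright (blocks external entities, entity
    // expansion bombs and external DTD fetches in one go), then disable entity
    // and DTD loading as belt and braces for parsers that ignore the first flag.
    static DocumentBuilder hardenedParser() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parse the request and return the root element's text, as a service that
    // echoes part of its input back to the caller would.
    static String parseAndRead(DocumentBuilder parser, String xml) throws Exception {
        Document doc = parser.parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" standing in for any file the service account can read.
        File secret = File.createTempFile("secret", ".txt");
        secret.deleteOnExit();
        Files.write(secret.toPath(), "db-password=hunter2".getBytes(StandardCharsets.UTF_8));
        String xml = payload(secret);

        // Default parser: the file content comes back as the element text.
        System.out.println("default : " + parseAndRead(defaultParser(), xml));

        // Hardened parser: the DOCTYPE itself is rejected, so the entity is never read.
        try {
            parseAndRead(hardenedParser(), xml);
            System.out.println("hardened: parsed (parser ignored the feature flags!)");
        } catch (SAXParseException e) {
            System.out.println("hardened: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The same feature strings apply to SAXParserFactory and, via their own
property names, to StAX (XMLInputFactory.SUPPORT_DTD) and TransformerFactory;
any parser a request body can reach needs the equivalent settings, which is
why a build-time check for unhardened factories (the Jenkins idea in the
notes) pays off.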

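Added example, not GeoServer or GeoTools code and not from the meeting notes:
a stand-alone Java sketch of the cross-layer z-ordering strategy discussed
above (evaluate a sort expression per feature, spill each layer of a sort
group to disk as a sorted run, then sort-merge the runs and emit draw calls
that swap between layers as the key changes). The Feature class, the
"sortExpress" lambdas, the run file layout and the road/rail sample data are
all constructed for the illustration; ties are broken by the layer's position
in the request so the result is repeatable, as the requirements list asks.

```java
import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Comparator;
import java.util.List;
import java.util.PriorityQueue;
import java.util.function.ToDoubleFunction;

public class ZOrderMerge {

    /** Stand-in for a feature: source layer, id, and the attributes a sort expression may read. */
    static final class Feature {
        final String layer, id; final double z, y;
        Feature(String layer, String id, double z, double y) { this.layer = layer; this.id = id; this.z = z; this.y = y; }
    }

    /** Evaluate the sort expression once per feature and spill the layer as a sorted run ("key\tlayer\tid"). */
    static Path spill(String layer, List<Feature> features, ToDoubleFunction<Feature> sortExpress) throws IOException {
        List<Feature> sorted = new ArrayList<>(features);
        sorted.sort(Comparator.comparingDouble(sortExpress));   // stable sort: source order kept on equal keys
        Path run = Files.createTempFile("sortgroup-" + layer + "-", ".tsv");
        run.toFile().deleteOnExit();
        try (BufferedWriter w = Files.newBufferedWriter(run)) {
            for (Feature f : sorted) {
                w.write(sortExpress.applyAsDouble(f) + "\t" + f.layer + "\t" + f.id);
                w.newLine();
            }
        }
        return run;
    }

    /** Read cursor over one run; layerIndex is the layer's position in the request, used to break key ties. */
    static final class Cursor {
        final BufferedReader reader; final int layerIndex; String line; double key;
        Cursor(Path run, int layerIndex) throws IOException {
            this.reader = Files.newBufferedReader(run); this.layerIndex = layerIndex; advance();
        }
        void advance() throws IOException {
            line = reader.readLine();
            if (line == null) reader.close();
            else key = Double.parseDouble(line.substring(0, line.indexOf('\t')));
        }
    }

    /** Sort-merge the runs of one sort group into a single global draw order of "layer\tid" strings. */
    static List<String> mergeGroup(List<Path> runs) throws IOException {
        PriorityQueue<Cursor> heap = new PriorityQueue<>(
            Comparator.comparingDouble((Cursor c) -> c.key).thenComparingInt(c -> c.layerIndex));
        for (int i = 0; i < runs.size(); i++) {
            Cursor c = new Cursor(runs.get(i), i);
            if (c.line != null) heap.add(c);
        }
        List<String> drawOrder = new ArrayList<>();
        while (!heap.isEmpty()) {
            Cursor c = heap.poll();                                 // lowest key draws first (bottom of the stack)
            drawOrder.add(c.line.substring(c.line.indexOf('\t') + 1));
            c.advance();
            if (c.line != null) heap.add(c);                        // swap back to this layer when its next key is lowest
        }
        return drawOrder;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: roads and rails from separate tables, both carrying an OSM-style z attribute.
        List<Feature> roads = Arrays.asList(
            new Feature("roads", "r1", 0, 10), new Feature("roads", "r2", 2, 20), new Feature("roads", "r3", 1, 15));
        List<Feature> rails = Arrays.asList(
            new Feature("rails", "t1", 1, 12), new Feature("rails", "t2", 3, 30));

        ToDoubleFunction<Feature> byZ = f -> f.z;      // vendor option "sortExpress: z"
        ToDoubleFunction<Feature> byY = f -> -f.y;     // "sort on y-order": northern features drawn first

        for (ToDoubleFunction<Feature> sortExpress : Arrays.asList(byZ, byY)) {
            List<Path> runs = Arrays.asList(spill("roads", roads, sortExpress), spill("rails", rails, sortExpress));
            System.out.println(mergeGroup(runs));
        }
    }
}
```

Only the two run files and one line per layer are held open during the
merge, which is the point of the on-disk dump: neither layer's full feature
collection sits in memory, and no database cursor stays open across the
other layer's read.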
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
