GeoServer 2024 Roadmap Planning
Happy new year and welcome to 2024 from the GeoServer team!
The GeoServer team is doing something different this year: sharing our roadmap plans and asking our community for resources (participation and funding) to meet our 2024 goals.
The GeoServer project is supported and maintained thanks to the hard work of volunteers and the backing of companies providing professional support.
We are seeking a healthy balance in 2024 and request increased support in the following areas:
-
Maintenance: GeoServer was started in 2001 by a non-profit technology incubator. Subsequent years has seen the project supported by larger companies with investors and venture capital. This support is no longer available - and without this cushion we must rely on our community to play a greater role in sharing ongoing maintenance activities.
The team has provided a great response with increased use of automation, quality assurance tools, and dropping modules such as SAML that have not attracted participation. Keep in mind that participation, not popularity, determines what functionality is available each release.
However maintenance costs for software are increasing in 2024. Expectations for prompt response to security vulnerabilities have increased. This causes the components used by GeoServer to be updated more frequently, and with greater urgency.
Volunteers can answer questions on geoserver-user list, reproduce issues as they are reported, and verify fixes.
Developers are encouraged to get started by reviewing pull-requests to learn what is needed, and then move on to fixing issues.
Trusted volunteers can help mind geoserver-security email list, and help reproduce vulnerabilities as they are reported. We also seek developer capacity and funding to address confirmed vulnerabilities.
-
Testing: In 2023 we saw a greater response to our call for release-candidate testing. This was very much appreciated given the technical-challenge undertaken in 2023. However this response was largely taken up by downstream projects, where we could personally create a ticket in their issue trackers discussing the technical risk and asking for help.
Volunteers and service providers are asked to help test release-candidates in March 2024 and September 2024. The GeoServer team operates with a time-boxed release model so it is predictable when testing will be expected.
-
Sponsorship: In 2023 we made a deliberate effort to “get over being shy” and ask for financial support, setting up a sponsorship page, and listing sponsors on our home page.
We received $1000 USD. You might think of this as a poor response.
North River Geographic Systems Inc provided funding to thank Andrea Aime for speaking at an event with no clear expectation of sponsorship. How 2 Map sponsorship reflects Jody’s personal company being used for screen snaps on how to badge a github repository as supporting OSGeo.
With this in mind - no funds were directly raised in answer to our 2023 call for financial support. So this is actually a terrible response.
We ask for your financial assistance in 2024 (see bottom of page for recommendations).
The above priorities of maintenance, testing and sponsorship represent the normal operations of an open-source project. This post is provided as a reminder, and a call to action for our community.
Roadmap Planning
We have shared the following roadmap planning information in foss4g presentations in 2023, and it is time to share these goals with a wider audience as part of this blog post.
This is a brave step for the project: as we learned early on that placing a goal on a roadmap can be taken as an indication that funding is already secured. We even had a negative example where placing a goal on a roadmap resulted in the interested party withdrawing (as they understood that the community was now going to do the work instead!)
With this in mind here are our priorities for 2024:
-
Migrate to spring-framework-6 (Deadline December 2024)
GeoServer uses the spring-framework 5.3 which will reach end-of-life in December 2024. This provides motivation for all roadmap planning in calendar year 2024.
We are already getting concerned inquiries in response to CVE scans recommending upgrading to spring-framework 6. We look forward to your support of this activity.
In order to stay on a supported version of spring-framework we need to migrate to spring-framework 6 for December 2024.
-
Migrate to spring-security 6
The spring-security framework is used by GeoServer for integrating with a number of systems.
- Central Authentication Service (CAS)
- Lightweight Directory Access Protocol (LDAP)
Use of spring-framework 6 and above requires the use of spring-security 6.
-
Remove spring-security-oauth plugin
A number of popular community modules are built on spring-security-oauth plugin:
- OAuth2 google
- OAuth2 github
- OAuth2 geonode
- OAuth2 OpenID Connect
Support for OAuth2 in GeoServer is based on the deprecated spring-security-oauth library. The same functionality is now provided by spring-security itself, but exposing a different API, making the GeoServer plugin incompatible.
Our GeoServer security integrations will need to be rewritten to use the spring-security framework directly.
The good news is that this activity is available to be worked on immediately with spring-security 5.8 and then migrated to spring-security 6. Other projects such as GeoNetwork have already made the transition.
The use of spring-security 6 requires removing spring-security-oauth plugin.
-
Remove spring-security-keycloak plugin
A community module offering keycloak integration will need to be rewritten or replaced.
The Keycloak team has announced that their spring-security-keycloak plugin has reached end-of-life and will be removed from a future release of Keycloak. They recommend migrating to OAuth2/OpenID Connect support from spring-security 6.
We recommend those using the spring-security-keycloak plugin to join forces in development and testing of OAuth2/OpenID Connect integration.
The use of spring-security 6 requires removing spring-security-keycloak plugin.
-
Migrate to Jakarta Enterprise Edition
GeoServer is a Java Web Application comprised of a number of “servlets” that can be run by an application server. The specification of how these components work together is defined by the Java Enterprise Edition specification. This specification is now managed by the Eclipse Foundation as Jakarta Enterprise Edition.
With the change to Jakarta Enterprise Edition we expect a number of compatibility issues:
-
The charts extension is based on eastwood charts last updated in 2008.
This library is not compatible with Jakarta Enterprise Edition and will need to be replaced.
-
mapfish-print-v2
This library is not compatible with Jakarta Enterprise Edition and will need to be updated or replaced.
Application Servers that support Jakarta Enterprise Edition:
- Apache Tomcat 10.1 / Jakarta Enterprise Edition 10 / Servlet 6 / Java 17+
- Jetty 12.0 / Jakarta Enterprise Edition 10 / Servlet 6 / Java 17+
When ready we will need volunteers to test on the new application servers and update the binary release and documentation to reflect the new environment. Organizations operating in a managed environment may wish to pursue permission to operate Tomcat 10.1 ahead of this planned change.
The spring-framework version 6 uses the newer Jakarta Enterprise Edition specification.
-
-
Upgrade to Apache Wicket 10
Apache Wicket user-interface framework is used for the GeoServer Admin console screens.
Brad Hards has started this activity by going to the intermediate goal of Wicket 9, and will require a fleet of testers to perform A/B testing of each screen. This is an impressive undertaking, in 2016 we did an entire round of fundraising to assemble a team sprint when updating from Apache Wicket 1.4. to Wicket 7.x
Volunteers can help Brad test Wicket 9 now, and when the transition to Wicket 10 is complete a second round of A/B testing will be scheduled
The use of Jakarta Enterprise Edition requires the use of Apache Wicket 10.
-
Upgrade to Java 17
GeoServer is presently compiled with Java 11 LTS, with the result tested on Java 11 LTS, Java 17 LTS, and soon Java 21 LTS.
With the change to Java 17 we expect a number of libraries we use to require updating or replacing.
GeoServer is presently building on Java 17, however documentation will need to be updated when Java 11 support is dropped. Organizations may wish to pursue permission to operate Java 17 LTS ahead of this planned change.
The spring-framework 6 and Jakarta Enterprise Edition application servers require Java 17 as a minimum.
-
Migrate to ImageN 1.0
The Java Advanced Imaging library is used as the engine for our image and raster processing capabilities. This library reached end-of-life with the last JAI 1.1.3 release in 2005.
This library has received considerable investment from our community with GeoSolutions heading up the JAI-EXT project to better work with geospatial datasets, operations and analysis including recent support for hyperspectral imagery.
We have been planning for this migration for some time:
- Boundless worked with LocationTech to outline the creation of a new “Raster Processing Engine” library (with estimate of $150k). This library was planned after assessing alternatives in the Java ecosystem (nothing matched JAI on-demand capabilities required for geospatial content).
- LocationTech was able to contact Oracle, resulting in the source code being donated to the Eclipse Foundation as the ImageN project (consider that a $100k savings)
- Jody has worked on this project as a background activity when unemployed and the source code now compiles in a modern environment with documentation migrated to markdown (consider that at $25k savings)
- However test cases were not provided with the code donation (estimate $25k work remaining)
Once this library is ready:
- Migrate JAI-EXT project to ImageN 1.0 baseline (or merge for ImageN 1.1)
- GeoTools migration to ImageN 1.0 and integration testing
This activity is suitable for Java developers interested in Image Processing and will require coordination between ImageN, JAI-EXT and GeoTools projects.
Compiling with Java 17 requires migrating to ImageN library
This roadmap outlines goals that we wish to accomplish - we are seeking resources (funding, developers, testers, documentation writers) before work can be scheduled.
Further reading:
Service Providers
Service providers help bring GeoServer technology to a wider audience. We recognize core-contributors who take on an ongoing responsibility for the GeoServer project on our home page, along with a listing of commercial support on our website. We encourage service providers offering GeoServer support to be added to this list.
Helping meet project roadmap planning goals and objectives is a good way for service providers to gain experience with the project and represent their customers in our community. We recognize service providers that contribute to the sustainability of GeoServer as experienced providers.
We encourage service providers to directly take project maintenance and testing activities, and financially support the project if they do not have capacity to participate directly.
Sponsorship Opportunities
The GeoServer project steering committee uses your financial support to fund maintenance activities, code sprints, and research and development that is beyond the reach of an individual contributor.
GeoServer recognizes your financial support on our home page, sponsorship page and in release notes and presentations. GeoServer is part of the Open Source Geospatial Foundation and your financial support of the project is reflected on the OSGeo sponsorship page.
Recommendations:
- Individuals can use Donate via GitHub Sponsors to have their repository badged as supporting OSGeo.
- Individuals who offer GeoServer services should consider $50 USD a month to be listed as a bronze Sponsor on the OSGeo website.
- Organisations using GeoServer are encouraged to sponsor $50 USD a month to be listed as a bronze sponsor on the OSGeo website.
- Organisations that offer GeoServer services should consider $250 a month to be listed as a silver sponsor on the OSGeo website.
For instructions on sponsorship see how to Sponsor via Open Source Geospatial Foundation.
Further reading:
Vulnerability
- GeoServer 2.26.1 Release
- GeoServer 2.25.4 Release
- GeoServer 2.26.0 Release
- CVE-2024-36401 Remote Code Execution (RCE) vulnerability in evaluating property name expressions
- GeoServer 2.25.2 Release
- GeoServer 2.24.4 Release
- GeoServer 2.23.6 Release
- GeoServer 2.25.1 Release
- GeoServer 2.25.0 Release
- GeoServer 2.23.5 Release