11:00:58 a.m. - jmckenna: Hi all, MapServer PSC meeting starting now... agenda is at: https://github.com/MapServer/MapServer/wiki/PSC-Meeting-2022-09-29
11:01:17 a.m. - sdlime: hey!
11:01:50 a.m. - jmckenna: agenda1: how to manage OSS-Fuzz proposed changes
11:03:04 a.m. - jmckenna: I saw some chat offline today regarding this, which I think we should move to public, as we may get help from other eyes
11:03:26 a.m. - jmckenna: (I personally don't think Fuzz is a private issue)
11:04:11 a.m. - sdlime: that's fine. i think EvenR has some good ideas on the topic and certainly the most experience
11:04:41 a.m. - seth_: there seem to be quite a few steps to go through to recreate the issue.. https://google.github.io/oss-fuzz/advanced-topics/reproducing/
11:05:17 a.m. - seth_: i was hoping there'd be a test input file causing the issue that could just be run through the debugger
11:05:36 a.m. - EvenR: I can take charge of moving https://github.com/google/oss-fuzz/blob/master/projects/mapserver/mapfuzzer.c to mapserver repo, adjusting mapserver CMake to generate binaries that can take ossfuzz reproducer and run them against your local build, and adjust https://github.com/google/oss-fuzz/blob/master/projects/mapserver/build.sh to that
11:06:03 a.m. - sdlime: that would be awesome
11:06:04 a.m. - EvenR: basically a setup similar to the GDAL one
11:06:11 a.m. - jmckenna: cool
11:06:56 a.m. - sdlime: we'd just need to update 0x34d about those intentions
11:08:10 a.m. - sdlime: then we'd start with shapefile and mapfile fuzzing and expand from there
11:08:42 a.m. - seth_: i'm not familiar with fuzzing beyond the general concept - what are the inputs causing the crashes/issues? are they actual shapefiles, or simply random bytes passed in to mapserv in a file masquerading as a shapefile?
11:09:30 a.m. - jmckenna: I'm also wondering if I can setup fuzzing for Windows as well.
11:09:40 a.m. - EvenR: seth: initially random stuff that is progressively morphed to something sufficiently close to a shapefile/mapfile that mapserver believes it is a legitimate one
11:09:49 a.m. - Jukka: I believe that fuzzer starts to find bugs but who's gonna fix them?
11:10:41 a.m. - sdlime: I'll certainly take some on
11:10:52 a.m. - EvenR: jmckenna: in what I mentioned, the reproducer binaries should be cross platform. The fuzzing work itself is done on the cloud by google infra. You can also run it locally (at least on Linux) with their python & docker infrastructure
11:11:09 a.m. - jmckenna: EvenR: ah thanks, understood
11:11:13 a.m. - seth_: thanks for the explanation EvenR. happy to run some inputs causing issues in a debugger to see what happens
11:11:49 a.m. - seth_: there are already strange memory issues when running in Visual Studio 2022
11:13:19 a.m. - EvenR: there's the matter of how to deal with ossfuzz reports. In my opinion, it should be enough to just issue a pull request with the fix with a reference to the ossfuzz ticket URL. of course there's the issue of bugs that would have clear security implications (that would be more for bugs in a potential future QUERY_STRING based fuzzer)
11:14:51 a.m. - sdlime: the latter, it seems, would warrant CVEs and corresponding releases - wouldn't most projects follow that pattern?
11:18:11 a.m. - EvenR: you know most of the time the Linux kernel just issues bug fixes without saying they have security impacts (sometimes they don't know the real impact, sometimes they do but are silent about it). They leave it to other people to play the CVE game
11:20:01 a.m. - sdlime: i'm not excited about the potential of published exploits (starting with the shapefile and mapfile fuzzers seems a good start)
11:21:35 a.m. - seth_: shapefile and mapfile issues would require someone to have access to the server already i guess. the QUERY_STRING one is a lot more problematic (plus the remote SLD/XML)
11:24:48 a.m. - Jukka: Great part of the vulnerability reports for Geoserver deal with remote XML and they can appear everywhere in the OGC services: filters, styles, items used in styles....
11:24:55 a.m. - sdlime: that's where some local fuzzing would be nice, at least at some level
11:26:58 a.m. - EvenR: sdlime: a solution would be to write the fuzzer, and just modify https://github.com/google/oss-fuzz/blob/master/projects/mapserver/build.sh locally to include the new fuzzer, and run the ossfuzz infra locally as documented in https://google.github.io/oss-fuzz/getting-started/new-project-guide/#testing-locally
11:28:34 a.m. - sdlime: makes sense, would want to do that initially with the new fuzzer anyway
11:28:43 a.m. - jmckenna: It's always been a headache (remote SLD with MapServer), and one that few users leverage or require. Fuzzing could expose thousands of issues for that, where few MapServer users leverage it.
11:30:47 a.m. - sdlime: so the short-term plan is to proceed with OSSFuzz once EvenR moves some things into the main branch - correct
11:31:05 a.m. - sdlime: that could be proposed on the -dev list anyway
11:31:07 a.m. - EvenR: well OSSFuzz has always started 😁
11:31:15 a.m. - EvenR: already I mean
11:31:30 a.m. - jmckenna: +1
11:31:35 a.m. - Jukka: +1
11:33:09 a.m. - jmckenna: agenda2: 8.0.1 / 7.6.5 release plan discussions
11:33:52 a.m. - jmckenna: you can check the closed changes in the 8.0.1 milestone at https://github.com/MapServer/MapServer/milestone/56?closed=1
11:34:16 a.m. - sdlime: i can take a crack (on my fork) at back porting some important items to branch-7-6
11:34:45 a.m. - jmckenna: (the database credentials change is a big one to get out there in the wild)
11:35:23 a.m. - sdlime: agreed, it's already in that branch but there are other things that aren't (yet)
11:35:32 a.m. - jmckenna: ah ok
11:35:49 a.m. - sdlime: people must not use connection pooling?
11:35:59 a.m. - jmckenna: most use it
11:35:59 a.m. - gaston: jmckenna: https://github.com/MapServer/MapServer/issues/6613 should be on this milestone since #6617 fixes it (sorry, just lurking around)
11:36:33 a.m. - gaston: err #6619 was a backport to 8.0 of #6617
11:36:53 a.m. - jmckenna: gaston: it's already in the milestone (see second last entry)
11:37:30 a.m. - gaston: yeah the pr is, not the original issue fixed by it 😁
11:37:39 a.m. - sdlime: "most use it" - then most must not use logging
11:37:51 a.m. - jmckenna: most use logging
11:37:53 a.m. - jmckenna: 😁
11:38:11 a.m. - jmckenna: i think no one has reported this, that's all
11:38:36 a.m. - sdlime: wild
11:38:58 a.m. - jmckenna: in my case i'd have to scroll very right to read the long single-line entry in the log, to see the credentials
11:39:08 a.m. - jmckenna: i never did! ha
11:39:21 a.m. - sdlime: i'll work over the weekend to get a candidate for review but I don't think we can set a date yet
11:40:02 a.m. - jmckenna: ok thanks
11:40:36 a.m. - sdlime: i'd like to think a week or two
11:41:07 a.m. - jmckenna: i'm not happy about my own issue / battles. mysterious 1 record, 1 polygon, no labels, simple layer CRASH with no logs, only for OGCAPI:Features
11:41:15 a.m. - jmckenna: not happy at all, ha. been stuck on that a month
11:41:33 a.m. - jmckenna: this is not my first rodeo
11:41:42 a.m. - jmckenna: this smells like an underlying library issue
11:41:57 a.m. - jmckenna: and BIZARRE: setting ENCODING at layer level solves it
11:42:34 a.m. - jmckenna: so i need to run through debugger, upgrade all libraries etc
11:42:43 a.m. - jmckenna: yes i need time to tackle this too, sorry, damn
11:43:34 a.m. - jmckenna: sdlime: stepping back from that, do you see any reason why a user would have to set ENCODING at the mapfile LAYER level, for OGCAPI:Features to work??
11:43:58 a.m. - jmckenna: map2img, WFS, etc etc all work
11:44:07 a.m. - sdlime: I think that one is solvable and just needs a little investigation (getting your test case setup locally)
11:44:08 a.m. - jmckenna: but not OGCAPI:Features
11:44:36 a.m. - EvenR: probably a UTF-8 related issue. Other outputs are (too) tolerant against non-UTF-8 characters
11:44:49 a.m. - seth_: possibly a template/inja issue?
11:45:05 a.m. - sdlime: more likely nlohmann
11:45:30 a.m. - EvenR: probably a C++ exception that isn't properly caught
11:45:44 a.m. - sdlime: that's where I was leaning
11:45:47 a.m. - jmckenna: EvenR: i agree with you
11:46:09 a.m. - seth_: also for info Python MapScript 8.0 is also failing the test suite on the convertToString() method. will try to progress https://github.com/MapServer/MapServer/issues/6628
11:46:51 a.m. - sdlime: template then gets an empty JSON object and fails with the general template error
11:47:00 a.m. - jmckenna: ah ok, yikes
11:47:13 a.m. - seth_: unfortunately it runs fine in RelWithDebug/in the debugger, but not in a Release build. sthg going on with optimizations in VS2022
11:47:45 a.m. - jmckenna: it sounds like we all have tough homework, several tough issues
11:48:54 a.m. - jmckenna: let's squeeze in the remaining agenda items now...
11:49:10 a.m. - jmckenna: Agenda3: OGC Services CI with MapServer
11:49:10 a.m. - darkblueb: Hi PSC, guests, all .. Brian M Hamlin, in Berkeley, California here. thx for having me today
11:49:32 a.m. - sdlime: welcome brian!
11:49:39 a.m. - darkblueb: 😁
11:49:48 a.m. - darkblueb: OGC efforts continue to evolve.
11:49:57 a.m. - darkblueb: The item here today is including MapServer in continuous integration automated testing,
11:50:05 a.m. - darkblueb: not for security exactly but for OGC development support ..
11:50:21 a.m. - darkblueb: Of course there are some (limited) budgets
11:50:34 a.m. - darkblueb: This automatable work is high skill, but very complementary to build chains that already exist.
11:50:56 a.m. - darkblueb: so - The good will and cooperation of different individuals and dot-orgs, can avoid friction and spread much-needed funding to get more completed.
11:51:21 a.m. - darkblueb: I would like to ask the MapServer PSC about participating in this, wearing my OSGeo dot org hat
11:52:06 a.m. - sdlime: i don't know why we wouldn't consider it
11:52:06 a.m. - jmckenna: darkblueb: is this related to OGC reference implementation efforts? I've considering taking that on
11:52:16 a.m. - darkblueb: yes
11:52:37 a.m. * jmckenna my company GatewayGeo joined as a paid industry member of OGC, this past December. i think it's ok to mention here!
11:53:19 a.m. - darkblueb: there is possibly some equipment and CI skill at the Oregon State University Open Source Labs ..
11:53:26 a.m. - jmckenna: I think running MapServer through those reference implementation steps would be great for the project
11:53:30 a.m. - darkblueb: I am not in charge of anything.. I do not know all the details
11:54:08 a.m. - darkblueb: I did communicate a way for funding to get accumulated and distributed here, earlier this week.. based on an email sent to me at OSGeoLive
11:54:22 a.m. - darkblueb: no idea how to do this, but I want to mention the possibility
11:54:37 a.m. - darkblueb: that's all I have on this now
11:54:43 a.m. - jmckenna: I wasn't aware of funding for this
11:54:55 a.m. - jmckenna: thanks for mentioning this!
11:55:11 a.m. - Jukka: Would it mean that Mapserver should be made OGC compliant that it currently is not for any OGC service, I fear?
11:55:49 a.m. - darkblueb: I think we have to take details into followup.. especially since I am not a decision maker here
11:55:52 a.m. - jmckenna: Jukka: my brain can't understand your question
11:56:00 a.m. - jmckenna: the wording
11:56:16 a.m. - darkblueb: AND that brings me to the second item, in the remaining five minutes
11:56:47 a.m. - Jukka: Sorry. Is the aim to make Mapserver OGC compliant and with CI guarantee that it stays compliant?
11:56:55 a.m. - darkblueb: yes
11:56:56 a.m. - jmckenna: yes
11:57:20 a.m. - darkblueb: may I address the next item quickly?
11:57:25 a.m. - sdlime: yes
11:57:29 a.m. - jmckenna: it's good timing with our OGCAPI work
11:57:34 a.m. - jmckenna: darkblueb: yes
11:57:35 a.m. - Jukka: Should we start from OGC API Features Core?
11:58:05 a.m. - Jukka: I fear it would be hard to pass all WFS 2.0 or WCS tests.
11:58:31 a.m. - EvenR: I kind of remember that mapserver passed WFS 2.0 testing when I developed it
11:58:45 a.m. - jmckenna: true, i remember also ha
11:58:46 a.m. - EvenR: (had to do a few hacks for some edge cases)
11:58:47 a.m. - sdlime: strict compliance could be expensive to achieve, compliance != useful in all cases but I get the broader goal
11:59:39 a.m. - jmckenna: Jukka: i like that plan, running through OGCAPI:Features tests
12:00:01 p.m. - EvenR: shouldn't that be a github action job?
12:00:05 p.m. - darkblueb: I request an extra five minutes, please
12:00:14 p.m. - jmckenna: yes please go ahead
12:00:16 p.m. - EvenR: so it is run each time a PR is submitted
12:00:29 p.m. - darkblueb: EvenR: ++
12:01:00 p.m. - darkblueb: Jukka: this item concerns you I think, can add the info ?
12:01:12 p.m. - darkblueb: if questions about OGC are done for now?
12:01:25 p.m. - Jukka: please do
12:01:28 p.m. - jmckenna: Agenda4: Suomen Kieli and Hungarian Outreach in 2022
12:01:37 p.m. - darkblueb: all - competition between Nations and societies is in the news everyday.
12:01:46 p.m. - darkblueb: Here in Berkeley, Calif. I have started an outreach based on recent
12:01:55 p.m. - darkblueb: publications by OSGeoLive. We have language expertise in Berkeley
12:02:03 p.m. - darkblueb: and some experience in cooperative learning. I add that outreach
12:02:11 p.m. - darkblueb: builds bridges, and that many people, families and geography are
12:02:23 p.m. - darkblueb: impacted by recent events, and that building bridges now is important human work
12:02:55 p.m. - darkblueb: there is a Finnish Brotherhood Hall next to me in Berkeley, around the corner
12:03:13 p.m. - darkblueb: I printed this .. https://live.osgeo.org/v15/fi/index.html
12:03:42 p.m. - darkblueb: and I personally coordinated volunteers for this https://live.osgeo.org/v15/hu/index.html
12:04:07 p.m. - darkblueb: in cooperation with the Docs Translation Team for OSGeoLive, currently led by my colleague Vicky
12:04:27 p.m. - darkblueb: we did a fantastic job together, despite real personal challenges
12:05:00 p.m. - darkblueb: I offer this opportunity to carry Mapserver, Openstreetmap and the rest, as a way to find and work together with non-English speakers
12:05:12 p.m. - darkblueb: five minutes is up..
12:05:37 p.m. - jmckenna: does this mean that you are proposing to give some love to the MapServer documentation translations effort?
12:05:42 p.m. - jmckenna: I'm trying to follow
12:06:08 p.m. - darkblueb: I have looked to create physical meetings in the meeting hall in Berkeley, based on new learning and math
12:06:11 p.m. - Jukka: The Finnish OSGeoLive page is rather good Finnish. Can't say anything about the Hungarian.
12:06:23 p.m. - darkblueb: we worked hard on it Jukka
12:06:53 p.m. - darkblueb: obviously the general computer skills in Finland are very good
12:07:25 p.m. * jmckenna life goes full circle: my OGCAPI:Features crash is a single Hungarian word.
12:07:40 p.m. - darkblueb: Jukka my email is maplabs -AT- light42.com
12:08:26 p.m. - Jukka: thanks, I will ask you for more details
12:08:33 p.m. - darkblueb: ++
12:08:47 p.m. - jmckenna: darkblueb: can you spell out here directly what you are proposing for the MapServer PSC?
12:08:56 p.m. - jmckenna: now that we have the background
12:09:09 p.m. - jmckenna: how does this impact the MapServer project?
12:09:20 p.m. - darkblueb: it is a new initiative that I have started in the last two weeks, now that OSGeoLive 15 is Final
12:09:28 p.m. - jmckenna: i am aware
12:09:40 p.m. - darkblueb: so - brain storming and communicating is the activity right now
12:09:49 p.m. - dmorissette has left the room (Quit: Client closed).
12:09:54 p.m. - jmckenna: so nothing to do with MapServer?
12:10:04 p.m. - darkblueb: nothing?
12:10:11 p.m. - jmckenna: great work! but i'm trying to understand
12:10:22 p.m. - jmckenna: can we leverage this for the MapServer translation efforts?
12:10:23 p.m. - darkblueb: it's people-facing, not exactly about code
12:10:28 p.m. - darkblueb: yes
12:10:31 p.m. - jmckenna: ah
12:10:48 p.m. - jmckenna: it sure is needed, translation love, for MapServer
12:11:23 p.m. - darkblueb: the goal is to involve new people, with language that they know
12:12:30 p.m. - Jukka: OSGeo is hosting a Weblate instance if technology is needed in addition to people-facing.
12:12:53 p.m. - darkblueb: right - and also I think we need a human meeting part to it, too
12:13:07 p.m. - darkblueb: due to recent events
12:14:34 p.m. - jmckenna: darkblueb: keep us posted. any MapServer-related translation additions is sorely needed
12:14:46 p.m. - darkblueb: thank you for the time today
12:15:23 p.m. - jmckenna: thanks everyone for the meeting today!