Daniel Heckenberg - Chairperson, Animal Logic Pty Ltd
Gordon Bradley, Autodesk
Mark McGuire, Blue Sky Studios, Inc.
Michael O’Gorman, Cisco Systems Inc.
Henry Vera, Double Negative
Jeff Bradley for Bill Ballew, DreamWorks
Matt Kuhlenschmidt, Epic Games, Inc.
Brian Cipriano, Google
Jim Jeffers, Intel Corporation
Larry Gritz, Sony Pictures Imageworks
Jean-Francois Panisset, VES Technology Committee
Cory Omand, The Walt Disney Studios
Kimball Thurston, Weta Digital Limited
Ken Museth, OpenVDB Representative
Michael Dolan, OpenColorIO Representative
Cary Phillips, OpenEXR Representative
Eric Enderton, NVIDIA
Apologies
Other Attendees
John Mertic (Linux Foundation)
Emily Olin (Linux Foundation)
Cary Gooding (Cisco)
Dan Bailey (ILM)
Andrew Grimberg (Linux Foundation Release Engineering)
Robert Vinluan (SideFX)
Mark Elendt (SideFX)
Agenda
Goals for TAC: Year 1 (0:00-0:05)
Timeline:
June: CII badge. At least one project graduation.
Static analysis update
CVE reporting
OpenColorIO may be able to get to CII certification, OpenVDB has also made progress, so should hopefully 1, maybe 2 projects eligible for graduation by SIGGRAPH.
TAC will need to vote on project graduation (meeting or via email), governing board also needs to approve.
July: Dependency management.
SIGGRAPH (0:05-020)
ASWF events and involvement
Encourage people to RSVP so we can get sense of turnout
Schedule confirmed for wednesday meetings, Emily will be sharing graphic to send out
TAC meeting invite has been sent out, schedule can be changed
TAC members encouraged to attend OSS Maintainers meeting
Inviting other open source project maintainers, trying to get as many as possible
Encouraged to recommend people, spreadsheet sent to email list
DigiPro: we have the option to have a table, Emily will not be present, if someone wants to man the table that would be appreciated and better credibility.
Larry: is this only during the breaks? Yes, nothing happens outside the single session track.
Same during Open Source day, would be good to have people to man tables / hang around to ask questions.
Brian: need to coordinate events with other Google events.
There will be AV available.
Need to RSVP for “Beers of a Feather” event
OSS Maintainers meeting
ASWF + non ASWF projects: connect with other people doing OSS projects in the industry. Primary goal is NOT recruiting, use as opportunity to learn how we can support the broader community. Other events to promote ASWF membership.
Fairly small audience, 35-40 seats, invitation based. Best if invitation comes from people who already have connections to projects. Please add suggestions on the spreadsheet being circulated.
John suggesting we should prime the agenda with points from survey being circulated to invitees.
Daniel will be busy at SIGGRAPH with ASWF and other commitments, reached out to Larry to help lead the session.
Emilly: projects that have good talking points about benefits / impact of ASWF membership should share those. Will send template of what kind of talking points would be helpful. By July 12th.
Cary: some of the updates for OpenEXR may only drop very close to SIGGRAPH (CII badge for instance)
Every project should be represented at the ASWF BoF.
Technical Project updates (0:20-0:40)
OpenVDB
Dan: all remaining CII items ticked off except static analysis.
SonarCloud builds are working, not discussed impact in TSC meeting yets.
SonarCloud raised issue of an empty “catch” statement (as 5 separate security issues). Trying to understand the meaning / importance of this report.
Takes quite a long time to run, especially the code coverage (2.5 hours to run through test suite). So can’t be used on every commit, but that’s not required for CII badge.
Some of the language of static analysis says that static analysis must be applied to major production release, that hasn’t been done before, but would be applied to next one.
Andy: suggestion is that you don’t need to run it all the time, but running it once a week (or even month) is enough to meet CII badge requirements. We can set up the CI system to run it automatically on a regular schedule.
Major release planned for SIGGRAPH, so that release could be done under the CII badge process. Dan: release will actually happen after SIGGRAPH.
Dan: can run SonarCloud in non-automated way for now. Daniel: enough to meet CII requirement.
Requirement to address vulnerabilities relates to official, reported (CVE) vulnerabilities.
OpenColorIO
Michael: getting ready to merge updates that redo CI and static analysis, working with Dan and Aloys to get this set up.
Will allow to update lots of requirements for CII badge
80% of CII badge for now
Still need to address security-related issues being discussed on TAC list
Embedded external dependencies: being resolved in CMake / install scripts, expect to be done in a week or so.
Shouldn’t be a huge deal to get worked out
Dan: are you using the ASWF Staging Images? Michael: yes, also using the base image and installing their dependencies on top of that.
SonarCloud run takes about 30min, coverage takes the most time
Could there be two levels of SonarCloud, usual static analysis on every build, then a full coverage analysis once a week / before major release?
Michael: running full analysis over weekends, could be divided.
Daniel: collaboration between projects to help with these efforts is really encouraging.
Dan suggested adding “long names” to make sure that headers aren’t being tested multiple times in every place they are included.
OpenCue
Brian: Quiet TSC month in June due to travel / vacation, getting back into it this month, plus SIGGRAPH.
Some good progress on the transfer of the project, repo is transfered, CLA is in place, domains are transferred. Only remaining part is CI system.
Had talked about transferring Jenkins system, but it looks like Azure Pipelines system would work fine, so that’s likely where the project will end up. Enough similarity in the job description languages.
Majority of recent contributions from third parties, one contributor added Python 3 compatibility to a component, so very encouraging.
Next on the list: working on the CII badge, made progress on unit test coverage. Will be working through other badge requirements over coming weeks.
SIGGRAPH is next big thing, scheduling challenges with Google events, in process of getting resolved. Should have proposed agendas for events next week, will circulate to TSC.
Based on contributions, issues and list discussions, it seems there are people using OpenCue in production, enough to find and fix issues. Hard to tell the exact user base. Should there be a survey at the BoF? Yes, primary goal to figure out what the community is, finding priorities and turning it into roadmap.
OpenEXR
Larry: in OpenEXR older CVEs are not easily reproducible, or misuse from the calling program rather than the library itself. How do you get rid of a CVE when you think “it’s not your fault”. Cary: has some leads on some security folks, but how do you make sure that the CVE database at Mitre.org gets updated to note that something has been fixed? Wants to speak to an expert before submitting updates.
There’s a CVE from 2006 without instructions on how to reproduce. There’s an EXR file that’s claimed to crash Safari but is no longer reproducible. Daniel: clang-ASan is a good tool to address this.
Some of the CVEs have valgrind logs attached to them
CII badge currently at 76%. Kimball has changes to address all compiler warnings, on the cups of being warning free.
Security issues: one is addressed in upcoming release, one is being discussed how to fix. Others have been addressed in previous releases, so need to update the documentation
First pass on SonarCloud by Christina, working on coverage now, looking forward to coverage report. She will reach out to Dan to get the Azure PIpelines setup sync’ed up.
Working on slide deck for SIGGRAPH BoF.
Hoping to have a release out, or at least announce an upcoming release.
Want to discuss the reorganization of the repo at the BoF, especially splitting out imath component.
Also want to review the discussion from last year: standardization of metadata, support for a fast / lightweight version of the library for apps that don’t need the full functionality.
Spent time looking at 100% GitHub issues, lots are related to Python bindings to OpenEXR. There are external projects that aren’t part of OpenEXR project itself, but issues are being reported against the OpenEXR projects. Is there an opportunity to leverage the ASWF to try to coordinate with these “adjacent” projects?
John: these are open source projects? Cary: yes. An example: “pip install openexr” fails. But that’s not part of the OpenEXR project itself.
John: do we know the maintainers of these projects?
Larry: suggests people use OpenImageIO for Python bindings to OpenEXR
Kimball has CMake updates, any consensus on minimal CMake version for projects? Pushing for 3.11 which is included in RHEL 8, would prefer 3.12. Larry: does it matter?
Larry: has been reporting this issue for a long time in context of VFX Platform.
Can have multiple CMake versions in parallel.
FindPython has been changed in recent CMake.
Daniel: do we need to support alternate code paths for different versions of CMake.
Kimball: 3.11 has full support for cppcheck static analysis.
Dan: OpenVDB figured minimum Ref Platform supported (2017) and earliest CMake version from that year.
Wants to discuss it at the BoF
Cary: looking at the GitHub issues, it’s built on a lot of obscure platforms, issues filed by packagers on various Linux distros. Lots of communities that care about building OpenEXR that are not represented at the TAC, how do we reach these people? Is there a better forum? Openexr-dev mailing list is one.
Daniel: this is a tricky issue, good topic for the BoF. We may need to use our individual contact networks to try to reach some people.