AWSF TAC Meeting - July 31, 2019
Voting member attendance
- Daniel Heckenberg - Chairperson, Animal Logic Pty Ltd
- Gordon Bradley, Autodesk
- Mark McGuire, Blue Sky Studios, Inc.
- Michael O’Gorman, Cisco Systems Inc.
- Henry Vera, Double Negative
- Bill Ballew, DreamWorks Animation
- Matt Kuhlenschmidt, Epic Games, Inc.
- Brian Cipriano, Google & OpenCue Representative
- Jim Jeffers, Intel Corporation
- Larry Gritz, Sony Pictures Imageworks
- Jean-Francois Panisset, VES Technology Committee
- Cory Omand, The Walt Disney Studios
- Kimball Thurston, Weta Digital Limited
- Eric Enderton, NVIDIA
- Sean Looper, Amazon Web Services
- Ken Museth, OpenVDB Representative
- Michael Dolan, OpenColorIO Representative
- Cary Phillips, OpenEXR Representative
- Erik Strauss (Netflix)
Other Attendees
- OTIO representatives (3x): Joshua Minor (Pixar), Stephan Steinbach (Pixar), Eric Reinecke (Netflix)
- Emily Olin (Linux Foundation)
- John Mertic (Linux Foundation)
- Alex Forsythe (AMPAS)
- Sean Wallitsch (Dreamworks)
- Patrick Hodoul (Autodesk / OpenColorIO)
Agenda
- Welcome new member: Sean Looper (AWS)
- Welcome new project: OpenTimelineIO (Pixar)
- Review of Year 1
- Goals and progress
- 5 projects, one graduated, good progress on CI system
- Friction points
- Cary: security seems to remain a concern, need to consult with an expert. Sean: AWS might be able to provide some resources. Cary: having a security expert give a presentation to the TAC would be helpful. We had that for the CII badge, but want it more focussed to security per se. May need to create a security working group. We understand the code and the security implications, but how do we handle reports where a low probability compromise would result in a large performance hit?
- Cary: Google suggested the oss-fuzz project be applied to OpenEXR, we decided that the 2 week bug report period was beyond our abilities to deal with.
- Larry: is there a way we can run the oss-fuzz ourselves without turning on the actual “service” so we get an idea of our exposure? How often would we expect to get reports?
- Brian: Google runs it internally due to internal use of OpenEXR.
- OpenEXR does have fuzz testing, but they take hours to run.
- Brian: has been looking for security resource internally, but hasn’t found one yet.
- Daniel: we need to set the norms for our own projects, and understand the processes for updating a CVE report (for instance).
- Larry: we probably don’t need a lot of handholding, just having a checklist we can rundown would be a good start, we could do that ourselves. We may not need a lot of long term “hand holding”.
- Daniel: we can rely on internal resources, or try to hire an external consultant.
- Gordon: non airgapped applications (operating systems) are using our projects, so “security is coming for us” whether we like it or not. Our goals for next year should be broader than the CII badge.
- Sean: what would be the expectations from a security expert from a member company: regular cadence review board, a visit to discuss best practices?
- Daniel: really we’re looking for clarity on approaches, someone we can go through the details of how this would apply to our projects. But also need someone with ongoing responsibility, integrate into CI infrastructrure.
- Gordon: we need to establish our security posture, how do we respond.
- CVE fixes are often one line fixes, but how do you communicate back that something was fixed in a specific version.
- Sean: having a security expert “on call” without compromising their day job commitments.
- Goals and progress
- Goals for TAC: Year 2
- Diversity
- Daniel: we’ve discussed diversity goals but have not made progress. What mechanisms do we have, and what should we seek to do.
- Cary: realized the TSC needs more people, we need to look around ourselves for more than just “the usual suspects”. One of the benefits of participating are the networking opportunities, which is something attractive to offer. Also opportunity to nurture “future generation”.
- Erik: What are the specific goals for diversity, many of our member organizations have formal internal efforts in that respect.
- Larry: some of us represent projects, so of us represent member companies, but we’ve been involved in this field for a while. Getting people involved with projects and the TSCs for the projects is a way to bring more diversity to the TAC.
- John: TAC is open body, anyone is welcome to attend / participate, the only restriction is on voting of project acceptance.
- Erik: excluding people from voting can be awkward…
- Gordon: Autodesk hired a director of diversity, could organize to have this person present to us what that implies? General agreement that this would be a good idea.
- Sean: are we trying to make the whole group more diverse or voting members? Or projects? Yes to all.
- Emily: we should set a formal group that each TSC + TAC has at least one person who meets diversity requirements.
- TAC chair election
- TAC chair tenure is one year, and comes up in September.
- Gordon: do we want to have a goal on the number of projects?
- Emily: should we have a more formal survey of our community, above the simple straw poll from the ASWF SIGGRAPH BoF..
- Gordon: Foundation has been running for a year, are we going to survey the community to learn how we’ve done? Yes, this is happening (John).
- John: presenting straw poll results from ASWF BOF. What should ASWF solve for Open Source projects:
- Legal Framework
- Versionitis
- …
- Open source projects that should be submitted:
- USD
- OIIO
- Rez
- OpenSubdiv
- Aces
- DJV
- ….
- Seems a bit like “what project do you like”? Larry: there’s definitely something to people wanting to see USD.
- Areas of new development:
- Media Player
- Metadata
- Imath extracted from OpenEXR
- Rig exchanging
- Asset management
- Context management
- Compositor
- Monitor calibration
- Fabric Engine replacement
- Cloud Services
- …
- Gordon: seems a lot of these could be grouped under “rigging”.
- Any other areas ASWF should concentrate on:
- VFX Reference Platform: what does this mean? Erik: we should be clearer about the dependencies / overlap with VFX Reference Platform
- 4 or 5 choices related to documentation
- Licensing considerations (GPL vs non GPL)
- Need further consolidation of results
- Gordon: there’s value in the physical manifestation of the VFX Reference Platform (Aloys Docker containers). Daniel: need further specifications (compiler flags..).
- Survey results: majority of people attending “beers of a feather” and “open source day” not directly involved with open source projects.
- Gordon: Autodesk has customers in multiple industries, including games. There’s a desire to have consistency / interchange between VFX and games, doing a lot of outreach to the games industry. Daniel: have had people from the games industry reach out, so there does seem to be interest. Epic is a member of ASWF. We recognize that the game toolset is increasingly part of our toolsets. There are amazing projects going on in the games industry, there’s value in getting more exposure to what’s happening there.
- Sean: if our members say that a media player is their top priority, how should that influence our priorities? Daniel: we don’t prioritize specific types of projects, we haven’t initiated a project from scratch, but that’s not impossible. But “wide scale industry adoption” (if only potential) remains an important criteria.
- Emily: additional working groups may be appropriate to address results of the survey (straw poll or more formal survey).
- Diversity
- Technical Project updates
- OpenTimelineIO
- Joshua: Need to offline figure out their next steps, lots of work to be done. Talking to other projects about how their TSC is structured since that needs to be created. When people are on the TSC / TAC are they representing as an individual or their company? Wasn’t clear from reading all the charters. Need help for onboarding. John: can definitely help with that, can be worked offline. Gordon: should be captured in FAQ. John: yes. Cary: join one of the other TSC meetings to see how it goes.
- Have a pretty clear idea of the future roadmap, know the Pixar and other contributors, but would like to get some ideas from software vendors, to help drive native implementations. For instance was OpenEXR support a “push” or “pull” model. Gordon: Autodesk creative finishing group is very interested, can provide names of people who would be interested, possibly joining TSC. Joshua: sometimes can be difficult to get companies to engage in public discussion. Daniel: Linux Foundation can help with that. Sean: should there be an official mechanism for that (i.e. interacting with commercial vendors). Erik: members of the foundation who represents customers of these packages have influence, and should try to tell vendors that they want this functionality. Sean: providing a mechanism for “matchmaking” between users and software vendors. We can enable the project maintainers, and help them communicate with vendors. Gordon: the most compelling story is when you can show great workflows. Sean: vendors want to see actual demand from industry. Daniel: ASWF offers a number of mechanisms, both formal and informal.
- Developers inside facilities often “don’t know what they don’t know” with respect to security.
- OpenCue
- Brian: Very interesting SIGGRAPH so far, great turnout at Open Source Day BoF. Lots of interest, lots of sidebar conversations. But not a lot of actual adoption. Not unexpected, new project, lots of work to switch render queue systems. Need to focus on actual adoption going forward.
- Focus on documentation, deployments, workflows. Looking for ideas in that area.
- Collected a lot of feature requests from Q&A, long list of features to work on. But new features may not drive actual adoption.
- Proper Windows support is high on the list.
- Fully migrated to Azure Pipelines. Was caught off guard by transition from a single Jenkins instance to a build system without persistence (rebuilding Docker images from scratch taking more time).
- Progress on CII badge, finished initial pass through, 83% so far. Looking at static analysis and unit tests.
- Will publish a roadmap for the next while based on feedback from SIGGRAPH events. Will dictate what Google’s work will be focussed on, and what others might want to work on.
- Daniel: laying out roadmaps that identify specific areas where external contributors and work is a good idea.
-
OpenVDB
- OpenColorIO
- Michael: good turnout at BoF, was good that it followed ACES. Gave update on incubation status, about ready for graduation vote. Completed CII badge requirements, need to rerun license scan.
- Two outstanding pull requests for licensing and contributors.
- Most of the licensing related issues have been addressed.
- Daniel: any traction on resourcing? Michael: Method offered some help with documentation, Netflix may be interested in contributing as well.
- Efforts at identifying “first issues” for new contributors.
- Patrick: CI build system is running, SonarCloud static analysis. A lot of false positives, trying to fix the ones that are relevant, but that generates a lot of noise, especially for security related issues. Would be helpful to get guidance there.
- Is there an ideal way to respond to static analysis false positives? Comments in the code, or squelching results in SonarCloud? What if we disagree with what SonarCloud is reporting?
- You can add comments to disable some warnings.
- Larry: not much choice but to look at what’s reported.
- Long term would be great if a “clean” SonarCloud report would be used to gate builds that break it.
- OpenEXR
- Cary: good session yesterday.
- CII badge: getting close. Azure / Sonar Cloud is up and running. As soon as the latest build issue is fixed will make new release.
- A couple of people have reached out from the community and will attend next TSC.
- OpenTimelineIO
-
CI updates
- Working group
-
Update on candidate projects
-
Next meeting
- 14 August 2019