ASWF TAC Meeting - 16 November, 2022

Video Conference Link

Voting member attendance

  • Kimball Thurston - Chairperson, Weta Digital Limited
  • Bill Roberts, Adobe
  • Gordon Bradley, Autodesk
  • Roy C Anthony, DNEG
  • Matthew Low, DreamWorks Animation
  • Christina Tempelaar-Lietz, Epic Games, Inc.
  • Brian Cipriano, Google & OpenCue Representative
  • Sean C McDuffee, Intel Corporation
  • Larry Gritz, Sony Pictures Imageworks
  • Jean-Francois Panisset, VES Technology Committee
  • Cory Omand, The Walt Disney Studios
  • Daniel Heckenberg - Animal Logic Pty Ltd / Industry Representative
  • Eric Enderton, NVIDIA & Asset Repo Representative
  • Esteban Papp, Amazon Web Services
  • Michael Min, Netflix
  • Michael B. Johnson, Apple
  • Greg Denton, Microsoft
  • Sean O’Connell, Advanced Micro Devices
  • Mark Visser, Unity Technologies
  • Ken Museth, OpenVDB Representative
  • Carol Payne, OpenColorIO Representative
  • Cary Phillips, OpenEXR Representative
  • Joshua Minor, OpenTimelineIO Representative
  • Chris Kulla, Open Shading Language Representative
  • Jonathan Stone, MaterialX Representative

Observer member attendance

  • Alex Forsythe, AMPAS
  • Allan Johns, Method Studios
  • Gary Oberbrunner, OpenFX
  • Tom Cowland, OpenAssetIO
  • Erik Strauss, Review & Approval

Other Attendees

  • David Morin, ASWF
  • John Mertic, Linux Foundation
  • Emily Olin, Linux Foundation
  • JT Nelson, Pasadena Open Source consortium / SoCal Blender group
  • Scott Wilson, Rust WG
  • Eric Reinecke, Netflix/OTIO
  • Stephen Mackenzie, NVIDIA
  • Tony Micilotta, DNeg
  • Mike Mahony, Pixar
  • Doug Walker, Autodesk/OpenColorIO
  • Mitch Prater, Laika
  • Robin Rowe, Cinepaint
  • Lee Kerley, Sony Imageworks

Apologies

  • Jean-Francois Panisset, VES Technology Committee

Agenda

  • Updates
    • Kimball: Hackathon Followup: discussion at the Governing Board yesterday, there’s a request to try to pull in more people to form a working group.
    • Larry: was talking to John Mertic, we were noting that it’s nice for projects to be able to document what films they are working on, but it’s really hard for maintainers to know this. So if you are at an organization that is a user of these projects, it’s really nice to contact the maintainers and share which movies a project is used on. It’s useful for morale and recruitment. Even if only once a year, sending the list to the project maintainers, would be greatly appreciated! John: project could capture this in a file, could be used for PR, getting “implicit” signoff mechanism in case there’s sensitivity around it. Larry: it’s in the README for OSL, so in theory anyone can make a PR, in practice I’m the one maintaining it, and don’t really get notified. If I know a studio uses it for everything, I can track the projects done by that studio.
  • OTIO Project Review (Josh)
    • It’s been a while since OTIO has done a project review
    • Outline
      • Project lifecycle: incubation -> adoption
      • Highlights:
        • Studio & vendor adoption
        • New features
      • Plans & Challenges
        • ASWF collaboration
        • TSC expansion
        • Requests for the TAC
    • ASWF Project Lifecycle
      • Transferred OpenTimelineIO trademark to ASWF
      • Switch from “Modified Apache License” to Apache 2.0
      • Switched to ASWF CLA
      • Moved GitHub repo to ASWF org
      • Enabled DCO & EasyCLA enforcement
      • Approved the OTIO TSC Charter
        • All the “paperwork” that needed to happen, had no idea how long it would take to sort out
        • Once this got sorted out, it’s working pretty smoothly, have had people reach out asking how DCO / CLA works. Thank you everyone who helped to make this work
      • Incubation -> Adopted
        • Would like to graduate to Adopted stage
        • DONE: Demonstrate a substantial flow of commits and merged contributions, authored by a healthy number of diverse contributors
        • DONE: Demonstrable roadmap progress
        • DONE: A healthy number of public adopters that are identified within the project
          • TODO: (using an ADOPTERS file or showcased on the projects’s website) -> relates to Larry’s earlier request, really helpful if it comes with people with first hand knowledge.
        • TODO: Have achieved and maintaining a Core Infrastructure Initiative Best Practices Gold Level Badge -> Currently at 82% Passing
          • Will talk further at end of presentation, a couple of blockers. Not yet at Silver level, were supposed to be at “Passing” for Incubation phase. Not asking today to move to next level yet.
        • DONE: Have a technical lead appointed for voting representation of the project to the TAC
        • REQUEST: Be deemed by the TAC to add value to the mission of ASWF
        • REQUEST: Obtain both a 2/3 supermajority vote of the TAC and an affirmative majority vote of the Governing Board
    • Studio Adoption
      • Newly adopted
        • Animal Logic: co-presented at SIGGRAPH (“Editorial Pipeline Conversion: Animal Logic’s Transition to OpenTimelineIO”), recording available
        • Disney Feature Animation (WIP)
      • Already adopted
        • Pixar, Netflix, Storm Studios, RodeoFX, more…
    • Vendor Adoption
      • Now shipping with native OTIO support:
        • Autodesk RV
        • FoundryL nuke Studio & Hiero
        • Ftrack: cineSync Play
      • Already shipping:
        • Cezanne, Matchbox, tlRender, etc
    • New Features
      • Forwards & backwards compatibility
        • New software can write old format versions via downgrade feature
      • Embedded media
        • OTIOD & OTIOZ bundle OTIO + any media
        • Similar model to how USD works. OTIOD is a directory with all files, OTIOZ is a zipped bundle
      • Spatial bounds
        • 2D transform & bounds - from Autodesk
      • Multiple media references per-clip
        • Hires, proxy, local, cloud, etc - from Autodesk
      • Experimental re-write of otioview in C++ & Dear ImGui
        • Seeing good progress, a lot more performant than previous implementation
        • Able to iterate quickly
    • ASWF Collaboration
      • DPEL example Editorial assets
        • Animal Logic ALab Trailer
        • In talks with AWS for Picchu
        • In Talks with ASC for Making of StEM2 documentary
        • Real assets for people to test OTIO with, instead of a final, finished project. Looking to illustrate the richness of the editorial process with these files.
      • Effects schema collab with OpenFX
        • Seems promising, just getting started. Want to have effects schemas in OTIO
      • Open Review Initiative
        • Mentioned a lot in this context, looking forward to collaborating
    • TSC Expansion
      • Expanding TSC
        • Currently 4 main people
        • Healthy for project growth & maturity
        • Seeking industry connections, partnership & influence
        • Broadening beyond Pixar & Netflix
        • New opportunities for individual growth
      • Adding 3 new Committers
        • Daniel Flehner Heen, Jean-Christophe Morin, Darby Johnston, active contributors and trusted members of the community. Help carry some of the load, code reviews, managing GitHub activities.
        • So far hadn’t separated TSC vs Committers roles, experimenting with how that works in practice
    • Challenges to Vendor Adoption
      • Some vendors seem reluctant to talk directly with OTIO TSC
      • Is there a need for confidential vendor forums?
        • Seem reluctant to show up at public meetings / ask GitHub questions
      • Does version less than 1.0 block anyone?
        • Technically still in “beta”
      • Can ASWF help us with this?
        • Help us communicate more directly / formally with vendors
    • Requests for Help from TAC
      • TAC members, please ask for active OTIO participation from:
        • Apple: Final Cut Pro X team
        • Adobe: Premiere Pro team
          • Some conversations with Premiere team, hopeful about that
        • Avid: Media Compose team
        • Blackmagic: DaVinci Resolve team
        • This community needs these tools well, ASWF member companies are customers for these tools. OTIO for a while was Pixar / Netflix centric, we have different relationships with these companies. If TAC members can reach out to these companies
      • Follow the lead of Autodesk, Foundry, ftrack, Epic
        • Attend OTIO TSC meetings
        • Let us know what you need to successfully adopt OTIO
        • Make plans for OTIO native support
      • Security
        • Can we get an expert from an ASWF member company to become an active participant in OTIO?
        • OpenSSF best practices badge requirement:
          • The project MUST have at least one primary developer who knows how to design secure software
          • None of our primary developers have security expertise, need to train those people, or add primary developers. So far the design of secure software is not something that our primary developers have expertise or much interest in. Even a week of training would not be enough to call ourselves “experts” in security. To our knowledge, only OpenEXR has tried to do this in earnest and took a lot of effort from Apple and others to make it happen. For OTIO either some company / individual would need to step forward and fill that role, or will languish and not get addressed indefinitely. How do we address this impasse?
    • Time for Q&A
      • Larry: you were wondering whether not being at a 1.0 release is hurting adoption, is there something you feel is missing to be at 1.0? Joshua: not being perfectionist, we have achieved most of our 1.0 milestones, but documentation / developer onboarding is still missing for a 1.0 version. We can do a bit more there and call it 1.0 and go from there. There aren’t blockers, except the time to do this work. Eric Reinecke (chat): Josh can contextualize, but we use this GitHub project board to track our 1.0 roadmap
      • Carol: dealing with integration with vendors. Wanted to encourage you that you are not alone in this situation, the approach that OCIO has adopted is to meet vendors where they are at. If they want a separate meeting, we do that, even if it’s annoying. Recently for the camera vendors for the configs WG to make sure the right IDTs were incorporated. Sometimes vendors don’t want to announce intention to support features until they are far along the development process. OCIO TSC sometimes divides up based on links with companies, and have some separate meetings. Happy to discuss this directly, how we handle this, and how we create connections with vendors. Joshua: we had initial meeting about RV support, how do we get some of the other vendors to get to this step. We had a vendor ask for specific technical information, they offered to give specific technical documentation under NDA to a specific ASWF member company, which doesn’t really help. We need to find a way for these other companies to be able to talk to use as a community. They are usually set up to talk to other companies, but not communities. Can a ASWF TSC member sign an NDA in the context of the OTIO TSC for instance? Probably not. John: it can be difficult. It can be good not to incorporate internal information. Can do research on how other projects handle this. Carol/Josh are dealing with this in the correct way, sometimes companies will just go off and build things on their own. 80% of the certified k8s vendor list have never contributed directly to the project itself. May want to think how to formalize the process over time to avoid having to repeat information from meeting to meeting, having some documentation in place. Can help with this process, not to get crushed by this load. Josh: we can point people to Open Source Days presentation, they already know what OTIO is, but may have an outdated perception from 2 years ago. Better documentation would help as well. If there are folks who already have influence at those companies. It would be great if they could ask about the state of OTIO projects, point to OTIO TSC and encourage engagement. David: you had 4 names, Avid/Adobe/Apple/Black Magic, two of these are ASWF members. Josh: sometimes the people we know aren’t in the right group / in charge of the right product. David: you can ask Wave to help at Apple. For Avid and BMD, they are not ASWF members, we’ve been trying to get them to become members for a long time. What could be helpful with them, “who will take up the cause of open source and OTIO within the company”, identifying this person is key. Having an overview of OTIO to present to them as if they didn’t know anything would be helpful. I imagine that’s either already existing, or wouldn’t be too difficult to put together? You were mentioning in terms of having difficulty engaging with them, do you have other examples that you would see gravitating around the project but not engaging? Joshua: those are the ones we get the most frequent requests about. There are also requests around game engines, Epic / Unity have already engaged with us, as are Autodesk and Foundry, but it’s more the NLE / broadcast companies that are less engaged. More used to working with end users that don’t have software developers, and not providing SDKs. David: we will get them in the end! JT (chat): what Carol just said on waiting until almost ready to release to announce and hesitant to make known early interest. I’ve seen this a lot as a freelance consultant. Larry (chat): Need to normalize vendors showing up to TSC meetings even for projects they don’t use, so their presence doesn’t give away any useful secret information about what they are planning to use.
      • Cary: the security course offered by the LF https://training.linuxfoundation.org/training/secure-software-development-requirements-design-and-reuse-lfd104/, got as far as looking at the web page, seems like a fairly minimal commitment, a few hours time. Planning to take it when I can carve out time. Probably a lot of things that don’t apply to OpenEXR, but the knowledge we are supposed to have is to be able to segment what we know we don’t have to deal with as opposed to what applies to our projects. Assuming that taking this course will satisfy this badge requirement? John: yes, that’s one of the intentions of it. As a CS grad, was taught programming, C++, functional languages… but didn’t teach anything about secure programming. Starting to get into more curriculums, but being able to build software securely starts at the beginning, not added after the fact. If you look at the badge, the intention is to have people in the project who can think this way. Doesn’t mean that we need to be at the level of dedicated security researchers, but have people who can look at PR code reviews, think about where buffer overflows can happen… This is what the course focuses on. Doesn’t mean that just because you have security conscious developers, that you shouldn’t use checking tools. Doesn’t necessarily mean you have a high level / dedicated security researcher on the team. Joshua: how secure / against which adversary, we can take the course and make an outline of what applies and doesn’t apply to OTIO. So we have a “story” of why we have a Python API, some things are “insecure by design” to handle production pipeline needs, as opposed to OpenEXR being incorporated in OSes. We thought the commitment was a full week, but if it’s just a few hours and help us make a better choice… John: there’s a requirement for the project to document how it thinks about security, as opposed to what we’re not handling. It takes some of the onus off the project from having to handle every single handle, instead define the scope of what the project is taking care of, as opposed to what’s left to the user to handle. Larry: we can’t predict how these projects end up, as small in house project can turn up years later to be embedded in an OS. So we don’t have the ability to be confident that some things don’t become relevant later on. Also most of our projects don’t have anything to do with logins / passwords / accounts / PII, so it’s mostly about buffer overflows. These things that get caught also reflect inability to handle a corrupted input file, so fixing those issues generally increases the quality of the software, and is worth chasing down and fixing. Joshua: so can we fullfil that badge by doing diligence against buffer overflows, and clearly labelling the software, here are our thoughts about security, here are “holes”, maybe a recommendation of “please don’t put this in your OS since we know about limitations”? Larry: can go a long way by making sure your CI suite has a good static and dynamic analysis, have sanitizers turned on. Fuzzing on input files catches a lot of what would bring you down based on bad input. OpenEXR is an example of a project that a lot of stuff was caught because of the Google Fuzzing project, they were all legit problems. Cary: when we were first invited to joining OSS Fuzz, were leery of it, but it turned out to be positive. Uncovered flurry of things at first, but now has slowed down. Maybe half dozen this year, came with reproduction case. They approached use, but you could approach them, they cover thousands of projects. The hook you put in their project is simple, takes a bit to figure out what you need to do, but we can help explain. Ken: there’s another security hazard is often overlooked, especially when projects are file formats, is steganography. We looked at this in OpenVDB, we uncovered ways of doing this in OpenVDB. I imagine you could do that as well in OpenEXR. Larry: what was rationale for handling this? Ken: can smuggle information, lots of blind data that can be embedded, could be a mechanism for importing viruses. Kimball: sometimes the project can’t do this, and it has to be put on the end user. Ken: not claiming we patched it, but we documented it, allowing users to look for additional / hidden data. Cary: transparency is important, letting the user know what they are getting. Joshua: thank you, that really helps us out. JT (chat): Can LF in its partnership have one of their security experts do “audits” with a coding recommendations report as outcome to guide project developers?
      • Kimball: Thank you Josh!
  • John: elections
    • It is election season, industry representatives, JF + Daniel, would like to redo this election here in the coming weeks. Can send a proposed timeline, identifying the existing representatives, whether they want to continue. Also do we want to identify other industry representatives as voting TAC members. Can also revisit on Nov 30 meeting. Kimball: how are we doing these elections for TAC chair + industry representatives? John: want to reach out to both industry representatives to see if they are interested in continuing, can be done as a vote at TAC meeting. For additional representatives, if someone wants to nominate someone, can send to TAC email list, we can have 3 industry representatives total. Does that sound reasonable?
    • John: on the TAC Chair side, want to do a similar process. Kimball has been our chair for a while, if he wants to keep doing it, or if someone else is interested in doing this, can drop an email. If we don’t have anyone else present themselves and Kimball still wants to do it. Kimball: would be happy to have someone else do it, don’t want to be the BDFL! John: similar situation in every project I work with.
  • John: a project proposal went to TAC mailing list, open source 3D Atlas of Anatomy project, haven’t invited them to a meeting yet, not sure if they aligned with this group. Anyone agree / disagree? Doesn’t seem like it’s very related to this domain? TAC mailing list post
    • Larry: doesn’t seem to fit? Or maybe a DPEL asset? If it’s production quality. Kimball: it would make most sense as a DPEL asset. But doesn’t seem like the data is oriented towards these applications, although anatomically correct rigging data in the repo could be useful. Could ask DPEL group if they are interested in talking to them? And they can make the call.
  • John: there was an ask to Board on a presentation on the budget. We are working on closing the bridge, so didn’t want to present until 2023 budget is approved by the board, at which point we will present to the TAC. It’s coming, but delayed until adoption of 2023 budget.
  • John: we have a bunch of projects on LFX Security, but not getting scans done. Some of the projects are lacking the right metadata, asking each project lead to take a look and figure out why your project is not being scanned. If you need help, can get help on this from the team. Scott: would it make sense to have a WG to look at security in the ASWF, gather a wiki of all the information on best practices from the projects, or do we leave it to every project, but have a central repository. John: source like a good idea, could have a specific WG, or could be in scope of CI WG. Kimball: if you want to propose a charter, it wouldn’t need to be open ended. Scott: will try writing something, and see if someone is interested in chairing this. Larry (chat): Perhaps we should set up a Wiki so projects with any experience can help craft a “best practices” or list of steps they take to help beef up security. Like, OpenEXR can write how the fuzzing works and how we respond to CVEs, etc. Just so everybody doesn’t need to start from zero the first time these pop up on their projects. Stephen Mackenzie (chat): rez has kind of a similar “security” burden/issue. The entire point of it is to execute the code the user arbitrarily wants to execute in the environment they want to - If your rez package repository is compromised, you already have far worse problems. (But there are always things we can do better, or say, to facilitate newer versions of python being used for so their security updates can take effect, or whatever). I also think as many of our projects are providing file formats for files that may be flowing across air gaps, it’s extra important that we aren’t threat vectors.