AWSF TAC Meeting - February 22, 2023

Voting member attendance

Premier member representatives

  • Bill Roberts - Adobe Inc.
  • Brian Cipriano - Google LLC
  • Cory Omand - The Walt Disney Studios
  • Eric Enderton - NVIDIA Corporation
  • Eric Reinecke - Netflix, Inc.
  • Gordon Bradley - Autodesk
  • Greg Denton - Microsoft Corporation
  • Kimball Thurston - Weta Digital Ltd
  • Larry Gritz - Sony Pictures Imageworks
  • Mark Visser - Unity Technologies
  • Matthew Low - DreamWorks Animation
  • Michael B. Johnson - Apple Inc.
  • Sean Looper - Amazon Web Services, Inc.
  • Sean McDuffee - Intel Corporation
  • Sean O’Connell - Advanced Micro Devices (AMD)
  • Tony Micilotta - DNEG

Project Representatives

  • Carol Payne - OpenColorIO
  • Cary Phillips - OpenEXR
  • Chris Kulla - Open Shading Language
  • Jonathan Stone - MaterialX
  • Joshua Minor - OpenTimelineIO
  • Ken Museth - OpenVDB

Industry Representatives

  • Jean-Francois Panisset - Visual Effects Society

Other Attendees

  • Brett Russell
  • David Morin
  • Doug Walker
  • Emily Olin
  • Esteban Papp
  • Gary Oberbrunner
  • JT Nelson
  • Jean-Christophe Morin
  • John Mertic
  • Kerby Geffrard
  • Laura Reznikov
  • Lee Kerley
  • Nick Porcino
  • Sergio Rojas
  • Stephen Mackenzie
  • Tony Micilotta
  • Yarille Kilborn

Agenda

  • Technical Project updates
  • Working Groups
  • Update on candidate projects
  • Next meeting

Notes

  • Security working group update (Jean-Christophe Morin)
    • First met two weeks ago
    • Met again a few days ago
    • Set out to establish what they will and won’t do
    • Generated this doc
    • Goals
      • Started with OpenSSF best practices badges
        • Would like to provide guidelines
      • education guidelines for helping projects get security education
      • Collaborations with others (like MovieLabs) around security best practices
      • Make sure all projects are engaging with LFX Security and work with LFX to make the experience in adoption work better for us
    • Non-Goals
      • General security education for industry on the whole
    • Deliverables
      • Maintain some documentation for best practices badge to make it easier for projects to navigate
      • Develop policy for binary artifact distribution (e.g. supply chain, signing, credentials/secrets management, etc.)
      • Develop plan for CVE management for hosted projects
        • Would love to hear from projects that have some structure in place to use as a starting point
      • Best practices for implementing security in the projects
      • Document security tooling that is in place for ASWF projects
      • Collaborative whitepaper with OpenSSF and MovieLabs for security topics related to our industry
    • Kimball - You see this working group as a permanent fixture (like the CI working group), that sustains as long as needed?
      J.C. - that’s correct, we want to be around to continue to provide guidance
      • Kimball - I think that makes sense, we just may need to call that out specifically because by default the working groups have a time limit
      • Larry - Should this maybe treated as a task of the CI working group if the interested parties have high enough overlap?
      • John M. (via chat) - Could be just a rebrand - CI, Infrastructure, and Security WG
        Then perhaps subgroups focused on the deliverables as needed
        Either way is a good approach - just a question on resources as Larry mentioned
      • Kimball - If we were going to fold it into the CI working group, we should circle around and update the CI working group charter.
      • John M. - Another thing to consider is where is the balance of what they do for projects vs. here’s a guidance for the project about how they address certain issues
      • Larry - I’d expect them to provide guidance about how to navigate the process but I wouldn’t expect them to go in and fix bugs for the projects
      • John M. - I think where I was thinking was about whether or not the group could handle the logistics around the CVEs while the projects focus more on the code itself.
      • Kimball - other thoughts on separate vs. combined?
      • Gordon B. - I think just the name is odd bedfellows on the surface, so we may want to think about what we call the group in that case
      • John M. - Within CI group you’ll have certain people with expertise in devops, but the security infrastructure may require a different set of folks to support that. Would that increase in scope cause people to bring in new domain experts and change the overlap profile of the groups?
      • Larry - If that did happen, that would certainly make sense to break out, but that hasn’t happened yet
      • Larry - We’ve been scraping along with no real security expertise, cobbling together solutions. In that scope it makes sense to focus on sharing what we’ve put together. It would be nice to have better expertise, but we haven’t gotten that yet.
      • John M. - That brings the question of who we can have that would actually run it. Right now we’ve identified a sort of wishlist of what we’d actually want, but who can we get to drive the rigor and expertise to deliver to the endpoints.
      • Michael B. Johnson - I think in the case of these projects, a lot of the vendors who might otherwise know about security stuff are former studio so they may not have been exposed to much more on these matters.
      • Kimball - Do we need more discussion on this or should we come to a vote?
      • Gordon B. - I think maybe the leader doesn’t need to be a security expert to focus on identifying the kinds of things we want to do and what needs to be designed.
      • Kimball - I think the thing for the group to focus on is if you’re one of the projects and you receive a security report, how do we respond? How do we triage the severity of the issue?
      • Larry - When we receive these I don’t feel like we know how to even judge whether it’s a big threat or something we can let go. It would be great to have some process around that.
      • Gordon B. - I think it’s exactly that, providing the guidance about how to navigate that.
      • J.T. Nelson (via chat) - Either way is a good approach - just a question on resources as Larry mentioned
      • Carol P. - We have this working group structure, as a way to talk about this and decide what we should do. These are designed to be flexible so we can figure this stuff out. Maybe what this means is that the CI working group meets a little more frequently for a bit, then they can use that time to try and get expertise and find domain experts to help until they craft guidelines.
      • General agreement that we should go to the CI working group and ask if they’ll absorb this group to proceed in the way Carol pitched.
    • Open Source forum 2023 call for feedback
      • Michael B. Johnson - as someone who was there, it was great, but I’d love to hear from people that called in
      • Kimball - I really missed the side conversations, that’s where a lot of the value is for me. I really missed that.
      • Larry - I felt the same way
      • Michael B. Johnson - The happy hour at the end was great, would’ve been great to have had that for even longer. It felt a lot like old siggraph.
      • Eric Enderton (from chat) - Yes, happy hour was super valuable
      • Carol P. - Would like to have had some more time to submit presentations
      • Emily O. - Would it be best to keep it as a half day, should we try and push it to a day
      • Laura R. - We had really good content to fill the day we had, if we extended would we have the content to fill that?
      • Michael B. Johnson - There was a lot of content to absorb in the time, but there is a finite amount I can absorb in a day, so that is worth considering
      • Tony M. - The Q&A was great but the camera was at the back, so having a camera to see the audience would be great
      • Michael B. Johnson - The academy museum was a really good venue for me, centrally located and made it easy to get in and out
      • Carol P. - for people that attended remotely or current get their company to help them attend, would it being a full day impact their ability to attend?
      • Larry - I think it being a half day means you can fly in for a day, fly back, and avoid a hotel
      • General +1s from Laura R. and Michael B. Johnson
      • Kimball - as an international travel person, having it timed around other events like VES, Scitech, and HPA helps justify the travel cost
    • Wranglebot
      • Larry - is it in use?
      • Carol - I think they said maybe in use for a few german pieces of content and some others maybe?
      • Carol - I think the general idea is cool, I’m a little unclear if they’d be able to separate the add-ons and things they monetize on top
      • Gordon B - I think that would be a good area to explore
      • Larry - my general level of skepticism for any new project applying is that it’s kind of a high bar for things that aren’t established projects. I don’t know if we want to be a place for various open source projects landing on our door. That’s just me though, not sure I have a lot to back that up.
      • John M. - It sounds like there is hesitancy based on where the project stands
      • Gordon B. - Also, right now you need the cloud to host it
      • General acknowledgement that that would be something that changed if they were adopted
      • Carol P. - I think a lot of the established studios aren’t as interested in switching over to something like this from something their using, but the question of whether something like this existing would make this kind of tool more accessible to new and smaller entities and whether we want to be helping with that.
      • Kimball - It sounds like we at least need to go back and get clarification on their monetization model and come back to discuss more.
      • Gordon - We also may want to talk about whether or not sandboxing is a one way on-ramp and becomes a commitment
      • John M. - One way to think about the sandbox is like being an angel investor and set expectations and have them part ways if it doesn’t pan out. It’s good to create a place where projects don’t have to get themselves lined up from bootstraps and then come to us only when they’re totally figured out
      • Gordon B. - One exercise would be to figure out how we evaluate whether or not a project is a good spend of resources so we understand what to add
      • Nick P. (via chat) - one criterion has to be “can we even pay enough attention to the sandbox project to make it worth everyone’s time”
      • Michael B. Johnson (via chat) - one criterion has to be “can we even pay enough attention to the sandbox project to make it worth everyone’s time”
        “what” not “which”
      • Larry (via chat) - There is a view that ASWF is primarily an exercise in risk management for the industry. The two kinds of projects we’ve admitted so far: (1) foundational projects that are established and crucial to the industry; (2) new projects that are sponsored by multiple premier members with track records of successful projects.
      • Kimball - We’re at time, but at a follow-up let’s discuss how to best focus our budget and how to decide where we should be spending it.