TSC meeting notes

ASWF/tsc-meetings/2019-09-05.md

@@ -0,0 +1,39 @@
+# 9/5/2019
+
+### Attendees:
+
+* Cary Phillips
+* Christina Tempelaar-Lietz
+* Kimball Thurston
+* Peter Hillman
+* Joseph Goldstone
+
+### Discussion
+
+* Ready to tag the 2.4 beta release, as soon as the current PR’s are
+  approved and merged.
+
+* After the tag, it’s open season on merging in other changes.
+
+* Still waiting on Lucasfilm business affairs to set up easyCLA; can’t
+  move the repo to the ASWF organization until that’s done.
+
+* After the repo move, split Imath into a separate repo. Should we
+  split sooner or later? Nobody feels strongly. What’s the best way to
+  preserve the history? Duplicate the repo entirely, which will carry
+  the Imath history with it, then delete all OpenEXR from the new
+  repo, and Imath from the OpenEXR repo.
+
+* Are there any issues with binary metadata? J Schulte wants to
+  know. No, probably not.
+
+* Issue #548: will revisit this when attempting to rectify Half
+  w/CUDA, although the ship has probably sailed with implicit/explicit
+  conversion between Half and float/double, we’d rather not break
+  existing application code.
+
+* Issue #452 - Peter fixed it, it was an alignment issue.
+
+* Issue #453 and #454, test failures: should ping again.
+
+* Issue #506 - Ask Robert to help.

ASWF/tsc-meetings/2019-09-12.md

@@ -0,0 +1,35 @@
+# 9/12/2019
+
+### Attendees:
+
+* Cary Phillips
+* Christina Tempelaar-Lietz
+* Rod Bogart
+* Kimball Thurston
+* Peter Hillman
+* Arkell Rasiah
+* Joseph Goldstone
+
+### Discussion
+
+* Release v2.4.0-beta.1 is out
+
+* Arkell asks about EasyCLA
+
+* SonarCloud bugs:
+
+  - Random
+
+  - Boost::python
+
+    + Use python buffers, will need a numpy module for backwards compatibility
+
+  - Constructors
+
+  - Coverage
+
+* CVE’s
+
+* Openexr-images repo - move to ASWF
+
+* Arkell: abx 512, CUDA 

ASWF/tsc-meetings/2019-09-19.md

@@ -0,0 +1,49 @@
+# 9/19/2019
+
+### Attendees:
+
+* Cary Phillips
+* Christina Tempelaar-Lietz
+* Rod Bogart
+* Kimball Thurston
+* Peter Hillman
+* Joseph Goldstone
+
+### Discussion
+
+* Beta v2.4.0-beta.1 is ready for official release.
+
+* Next up:
+
+  * finish off the CII best practices badge.
+
+  * fix sonar bugs
+
+  * request updates to mitre.org CVE entries.
+
+  * Still waiting on Lucasfilm Business Affairs to configure EasyCLA;
+    repo move is blocked until that happens.
+
+  * Start port of PyImath to pybind11, which is going to be a lot of work.
+
+  * clang-format (not to be confused with clang-tidy, which is
+    different) - Larry has a setup on OIIO that runs clang-format on
+    PR, rejects if the formatting is off but also posts a diff, so the
+    submitter can get the formatting right even if they don't have
+    clang installed.
+
+* CVE's: 
+
+  * CVE-2016-4629 and CVE-2016-4629 were fixed by Apple in the OS.
+
+  * CVE-2006-2277 - the link on the mitre.org page is broken, but the
+    offending .exr is available on the internet archive wayback
+    machine here:
+    https://web.archive.org/web/20060520062054/http://w148.de/~cmertes/nachbarhaus1.exr
+
+* Christina gives an overview of SonarCloud set-up. Read the YAML
+  documentation here:
+  https://docs.microsoft.com/en-us/azure/devops/pipelines/yaml-schema?view=azure-devops&tabs=schema
+
+* Joseph: We should reach out to distro packagers and
+  request/encourage/help them to update to the new release.

ASWF/tsc-meetings/2019-09-26.md

@@ -0,0 +1,97 @@
+# 9/26/2019
+
+### Agenda:
+
+* Dan Hutchinson (Foundry, security expert)
+  - What should we know? We don’t know what we don’t know.
+  - CVE’s on mitre.org
+  - Allocating huge memory: -x option?
+* Tarball signing
+* VFX reference platform says 2.3.x ?!?
+* Distro packages
+* SonarCloud has failed on last 2 PRS’s
+* Mission Statement
+* Reference images
+
+### Attending:
+
+* Cary Phillips
+* Christina Tempelaar-Lietz
+* Kimball Thurston
+* Joseph Goldstone
+* Peter Hillman
+* Doug Walker
+* Dan Hutchinson
+* Carol Payne
+* Daniel Heckenberg
+
+### Discussion:
+
+* Dan Hutchinson joined from Foundry to discuss security.
+
+* There’s a healthy security research community, likes to look at
+  popular libraries and does research to find vulnerabilities. They’re
+  quite enthusiastic.
+
+* Projects need a security policy, and should announce a solicitation
+  to the community to report vulnerabilities. Some projects post a PGP
+  key with which to encrypt vulnerability reports.
+
+* Projects should have a Responsible Disclosure Policy - given 60 days
+  to respond.
+
+* There’s a huge chasm between a bug and an exploit, a way of turning
+  the bug into an actionable way of gaining access to a system. It’s
+  legitimate for projects to ask, “Do you have an exploit available?”
+
+* Projects need static and dynamic analyzers. OpenEXR uses
+  Sonar. SonarCube is a report aggregator. It can subsume valgrind
+  reports.
+
+* How concerned should we be about security?  Put yourself in the
+  shoes of a hacker: file formats are a common attack vector.
+
+* Dan: OpenEXR is being proactive already;IlmImfFuzzTest is “awesome”.
+
+* Dan: Fewer than 10 CVE’s in 10 years is a pretty good record for a
+  file format.
+
+* Dan: From what you’ve said, OpenEXR has ticked all the security
+  boxes.
+
+* There are issues with how the library is used: the API says pass in
+  a buffer of size X and application passes in buffer of size X-1, and
+  we overwrite. Is that our problem? Not really.
+
+* Some of the complaints were that the library could allocate all the
+  machine’s memory, then something else would crash, leading to a
+  DoS. DoS attacks are common, but not the worst vulnerability.
+
+* An image can be large but compress well, so a small file can lead to
+  large memory allocation.
+
+* Tiff has a comparable attribute structure: is there anything we can
+  learn from them?
+
+* Is there a plan to provide binary packages hosted in nexus? Not yet.
+
+* Should use common hardening C++ flags.
+
+* Is it worth providing GPG signatures? It prevents against someone
+  someone inserting something into the repo, and man-in-the-middle
+  attacks..
+
+* Should enable 2-factor authentication on GitHub accounts.
+
+* Would hope that package maintainers would be proactive, but many of
+  them probably include OpenEXR only because it’s a dependency of
+  something else which might not have changed..
+
+* Reference images: it would be helpful to have a set of images for
+  use with a performance test suite, and that exhibit a range of
+  features of the library and format, such as multiple AOV’s,
+  etc. https://github.com/openexr/openexr-images needs some curating.
+
+* TAC meeting yesterday - Michael Johnson mentioned that Apple is
+  sitting on some security-related issues, will work on getting them
+  approved.