...
- CI Build Matrix:
- Doug: Remi has been working on a proposal for a refreshed CI build matrix. We will discuss again at a future meeting when Remi is able to join, but does anyone have any comments on the matrix right now?
- https://docs.google.com/spreadsheets/d/12fS8A3rcAHz5X05NVM11CeeD2N8EG6l1dRbuOqnHL7U/edit#gid=0
- Zach: Looking at the line between build 7 and 8, do we need that one to verify that the static lib is usable in other projects. Doug: Cedrik added a test that should catch the OIIO issue you ran into that will run whenever there is a Shared=OFF build. Looks like there is coverage of that situation without needing the line you referenced.
- Zach: What does the blue color mean? Kevin: Certain features, such as docs, are largely independent of interactions with the other variables, so they only need to be "ON" for one row, to verify that feature works. The blue might be indicating that.
- Doug: Remi has been working on a proposal for a refreshed CI build matrix. We will discuss again at a future meeting when Remi is able to join, but does anyone have any comments on the matrix right now?
- Third-party security notifications:
- Doug: Looking for suggestions for what is the best way to deal with updates from third-parties, particularly around new security vulnerabilities. Our sister repo, for ACES configs generation, uses DependaBot. That's more straight-forward to use with a Python project, such as the config repo, than a C++ project. Has anyone used that for C++ or have any suggestions for other approaches?
- Kevin: One issue is that each dependency may have a different approach to notifying that an update is available. We should find out what mechanisms are available for each of them. The recommended approach for each should be documented. Would also be nice to have a check-list of things that need to be done when adding a new dependency and this should be on the list. Zach/Doug: Great suggestions.
- Doug: One resource is the GitHub Advisory Database. I will try to compile a list of each dependency and where we might be able to look for notifications.
- Doug: Looking for suggestions for what is the best way to deal with updates from third-parties, particularly around new security vulnerabilities. Our sister repo, for ACES configs generation, uses DependaBot. That's more straight-forward to use with a Python project, such as the config repo, than a C++ project. Has anyone used that for C++ or have any suggestions for other approaches?
- Rez scripts
- Zach: Would it be helpful to have Rez scripts for OCIO that could be used with different dependency settings?