January 23, 2023
Host: Doug Walker
Secretary: Doug Walker
Attendees:
- Rémi Achard (TSC) - DNEG
- Mark Boorer (TSC) - Industrial Light & Magic
- Mei Chu (TSC) - Sony Pictures Imageworks
- Sean Cooper (TSC ACES TAC Rep) - ARRI
- Michael Dolan (TSC) - Epic Games
- Patrick Hodoul (TSC) - Autodesk
- John Mertic - Academy Software Foundation / Linux Foundation
- Carol Payne (TSC Chair) - Netflix
- Mark Titchener (TSC) - Foundry
- Carl Rand (TSC) - Weta Digital
- Doug Walker (TSC Chief Architect) - Autodesk
- Kevin Wheatley (TSC) - Framestore
- Zach Lewis - Method
Apologies:
- Carol Payne
- Remi Achard
OCIO TSC Meeting Notes
- CI Build Matrix:
- Doug: Remi has been working on a proposal for a refreshed CI build matrix. We will discuss again at a future meeting when Remi is able to join, but does anyone have any comments on the matrix right now?
- https://docs.google.com/spreadsheets/d/12fS8A3rcAHz5X05NVM11CeeD2N8EG6l1dRbuOqnHL7U/edit#gid=0
- Zach: Looking at the line between build 7 and 8, do we need that one to verify that the static lib is usable in other projects? Doug: Cedrik added a test that should catch the OIIO issue you ran into that will run whenever there is a Shared=OFF build. Looks like there is coverage of that situation without needing the line you referenced.
- Zach: What does the blue color mean? Kevin: Certain features, such as docs, are largely independent of interactions with the other variables, so they only need to be "ON" for one row, to verify that feature works. The blue might be indicating that.
- Third-party security notifications:
- Doug: Looking for suggestions for what is the best way to deal with updates from third parties, particularly around new security vulnerabilities. Our sister repo, for ACES configs generation, uses Dependabot. That's more straightforward to use with a Python project, such as the config repo, than a C++ project. Has anyone used that for C++ or have any suggestions for other approaches?
- Kevin: One issue is that each dependency may have a different approach to notifying that an update is available. We should find out what mechanisms are available for each of them. The recommended approach for each should be documented. Would also be nice to have a checklist of things that need to be done when adding a new dependency and this should be on the list. Zach/Doug: Great suggestions.
- Doug: One resource is the GitHub Advisory Database. I will try to compile a list of each dependency and where we might be able to look for notifications.