2026-01-05 TSC Meeting notes
January 5, 2026
Host: Carol Payne
Secretary: Doug Walker
Attendees:
Carol Payne (TSC Chair)
Doug Walker (TSC Chief Architect) - Autodesk
Kevin Wheatley (TSC) - Framestore
Michael Dolan (TSC) - Epic Games
Cuneyt Ozdas (TSC) - Autodesk
Mark Boorer (TSC) - ILM
Mark Titchener (TSC) - Foundry
Sean Cooper (TSC) - Skydance Animation
Zach Lewis (TSC)
Scott Dyer - AMPAS
Sam Richards - Disney
Apologies:
Remi Achard
OCIO TSC Meeting Notes
OCIO 2.5.1 Release
Doug: As communicated earlier, we will try to proceed with a 2.5.1 release the first week of January. PRs that need approvals are the following:
PR #2227: ACES 2 array out of range issue
PR #2224: Avoid clamping on ICC profile linear and pure-gamma TRCs
PR #2226: Fix issue with texture index binding for Vulkan
Issue #2228 – “Use-after-free” bug
Doug: This is from a new contributor who has been doing fuzz-testing on OCIO. The description looks probably AI-generated and the description of the problem is not quite correct, but Cuneyt is investigating.
Cuneyt: Yes, the description was wrong, but the provided info helped find the issue quickly. It was actually an out-of-bounds string access. It’s a one-line fix, will have a PR today.
Michael: Agree, the description looks AI-generated. Was the issue in a WASM context? Not clear if this is a likely attack vector.
Carol: Agree, usually the calling app would prevent this.
Michael: There are some other more likely vectors than this issue.
Mark B: Agree.
Kevin: Fuzzing can generate a lot of false positives noise, but something we should consider.
Doug: Usually fuzzing generates more than one bug, so it’s unusual this person only submitted one.
Carol: Agree.
Carol: At the TAC level, we have been working on security audits, did two last year: OpenEXR and MaterialX. Will do two more this year. OCIO could be a candidate but would need one or two people in addition to Doug and I to volunteer to shepherd it, as it’s significant work.
PR #2230 – Adding Dependabot
Doug: Very pleased to see a new contributor has stepped up to work on some of the issues Cary Phillips logged based on his security experience with OpenEXR. This one is straightforward, implements the same Action used in OpenEXR. Will check for available updates in GitHub Actions commands and Python packages.
Michael: Is it doing major or just patch updates?
Kevin: Dependabot is configurable.
Doug: In some cases, we are not able to run the latest GitHub Actions commands when running on earlier OCIO releases. And fixing the stuff that breaks is not always straightforward. But I think we should try it and see how it goes.
Carol: Agree, we could always tweak it or turn it off if it is not helpful.
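For reference, the kind of Dependabot configuration the discussion above describes (GitHub Actions and Python package updates, with the major-vs-patch scope Michael asked about made explicit). This is an added illustration, not the configuration from PR #2230 or from OpenEXR; the weekly schedule, the ignore rule, and the `docs` directory for the Python requirements are assumptions chosen for the example.

```yaml
# .github/dependabot.yml  (illustrative example, not the PR #2230 file)
version: 2
updates:
  # Keep the actions referenced in .github/workflows/*.yml current.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    # Assumption: major bumps of actions are held back so that they can be
    # reviewed by hand, since they are the ones most likely to break older
    # release branches; minor and patch updates are still proposed.
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]

  # Python packages (assumed to be pinned in a requirements file under docs/).
  - package-ecosystem: "pip"
    directory: "/docs"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
```

Removing the `ignore` entry lets Dependabot open major-version pull requests as well, which is the broader setting Kevin refers to when he says it is configurable.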
PR #2229 – Release signing
Doug: This is another nice contribution from the same person as #2230, again based on one of Cary’s suggestions. It uses the Sigstore technique used by OpenEXR to sign release tarballs.
Kevin: We don’t do binary releases, so the benefit is to avoid the code being tampered with in transit, when downloading it from GitHub.
Carol: Several projects are using this, I’ve not heard of any issues. Even if the threat is small, it’s just good to follow the best practices.
Doug: Should we try to get this in for the 2.5.1 release?
Kevin: Might be better to wait.
Zach: Actions are often tricky, might not work the first time. And might be difficult to test. Perhaps we should go ahead now.
Doug: Agree, we have someone who is interested in it now. Not sure when our next release will be.
Cuneyt: It’s not signing the zip, so not everything is signed.
Michael: We should update the documentation to contain the verification process.
Do a 2.4.3 release for the ACES 2 fix?
Kevin: Should we do a 2.4.3 release for the ACES 2 fix (PR #2227)? Would it be useful?
Doug: If we do a release, it will trigger a bunch of downstream work. Not sure if this is a big enough issue to warrant it, it’s kind of an edge case. If vendors or studios who need to be using 2.4.x run into the problem, they could easily apply the 2.5.1 fix to their own copy of 2.4.2.
Mark T: Agreed, not sure a separate release is needed at this point.
Carol: We will hold off on that for now then.
Kevin: Scott, you may want to check if the same issue applies to the CTL implementation.
Scott: Good point, I’ll check.
ASWF TAC Leadership change
Carol is now chair of the ASWF TAC! Last year, Larry Gritz was chair and Carol was vice-chair. This year, Cary Phillips will be vice-chair. Please let Carol know if there are any issues that should be surfaced to the TAC level.