TSC Meeting Notes 2020-05-21
Attending:
Arkell Rasiah
Cary Phillips
Christina Tempelaar-Lietz
Eskil Steenburg
Joseph Goldstone
Kimball Thurston
Larry Gritz
Nick Porcino
Owen Thompson
Peter Hillman
Rod Bogart
Phil Ames
Abishek Arya
Discussion:
Arkell will investigate updating open-exr images over the summer. Will also reach out to Florian to see if he’s interested in providing some test images.
Arkell raised a concern about images in the openexr-images/Chromaticities folder. Should the Rec709.exr and XYY.exr appear the same? Aren’t the chromaticies the same? Rv inherently adapts with a bradford transformation. Was the XYX made with the wrong adaptation matrix?
Phil Ames and Abishek Arya from the Google AutoFuzz team joined to discuss the OSS-Fuzz service.
Phil is on the information security team. The team fuzzes a lot of open source projects, especially file formats.
Abishek leads the OSS-Fuzz development effort.
The goal is to make fuzzing really simple, simplifying workflow as much as possible.
Integrated with 300 projects (e.g. OpenSSL)
They used to manually reproduce and file bugs, but that doesn’t scale, so the process has been automated.
Lots of work has been done to de-duplicate bugs by comparing stackframes.
OSS-Fuzz focuses on making bugs reproducible. Otherwise they aren’t filed.
Most of the integration can be done in < 100 LOC.
Vendors can sign up to be notified when bugs are detected.
Security bugs are restricted for 90 days.
Bugs are closed automatically when a fix is checked in.
It’s using the existing IlmImfFuzzTest. Will need to break it up into smaller tests.
OSS-Fuzz instrument with many sanitizers, on many cores.
What happens if something is discovered that’s in code that doesn’t matter (documentation generation code)? We control that, since it’s our code that runs the fuzzers.
There’s a CI option: on every PR it does 5 minutes of fuzz.
OSS-Fuzz doesn’t file CVE’s.
Example integration setup PR, for the tinyexr project:Â https://github.com/google/oss-fuzz/pull/3801/files
Larry pointed out the recent Autodesk maya file security issue:
https://www.autodesk.com/trust/security-advisories/adsk-sa-2020-0003
We also want to run the sanitizer against the regular tests, as well as against the fuzz tests.
Owen shared the Imath project task spreadsheet:Â https://docs.google.com/spreadsheets/d/1rC_USR4lLXVUTyAG62gOG-uJlxzRguMNTlMYYf2rUrQ/edit?usp=sharing
Christina reports that Azure Pipelines is completely retired, all migrated to GitHub Actions. One remaining issue with the Windows build, but everything seems to be working properly.