TSC Meeting Notes 2019-06-13

Attending:

  • Cary Phillips - ILM

  • Larry Gritz - SPI

  • Rod Bogart - Epic

  • Peter Hillman - Weta

  • Kimball Thurston - Weta

  • Nick Porcino - Oculus

  • Christina Tempelaar-Lietz - Epic

  • John Mertic - Linux Foundation

Discussion:

  • Welcome new TSC members:

    • Nick Porcino - Oculus

    • Christina Tempelaar-Lietz - Epic

    • Kimball Thurston - Weta

    • Piotr was invited but hasn’t responded.

  • Project goals by SIGGRAPH:

    • Reach “adopted” status, seems attainable.

      • CII badge progress is at 68%

      • Need CI setup

      • Need static/dynamic analysis setup

      • Need to address security issues/policies

    • Put out a new release, version 2.4:

      • Address outstanding CVE’s

      • Document existing CVE’s

      • Compiler warnings

      • CMake fixes

    • Acknowledge most Issues and PRs; many can be closed as is.

    • Proposal/position on the future of Imath; go into the BOF prepared to discuss.

  • “Guide to the OpenEXR Project”

    • GOVERNANCE.md, CONTRIBUTING.md, etc.

    • Clarify project roles and clarify terminology:

      • Committer vs. TSC

        • Nick Rasmussen is an example of a committer not on the TSC.

        • Need to clarify terms of service, how long do TSC members serve.

      • OCIO meeting notes designate a PR Reviewer?

        • Ad-hoc for that project to ensure fast turnaround due to the large number of contributions

        • May want some form of this to ensure that PRs are reviewed

  • Legal:

    • Who keeps track of CLA’s on file?

      • Should just be part of the process (CLA, DCO checks)

      • Old PRs, what to do about obtaining CLAs prior to merge

      • Need to check w/ ILM legal just to clarify old copyright / CLA

    • Does OCIO have a policy of accepting small fixes without a CLA? No, that’s OIIO. All ASWF/Linux Foundation projects require CLA’s for every PR, no matter how small.

  • CII Badge requires “acknowledgment of bug reports”. What should our policy be?

    • Standard use of GitHub labels, documented in CONTRIBUTING.

    • Use of GitHub Milestones to indicate priority.

  • Status of the CII Best Practices Badge:

    • Must ensure timely response to posts on openexr-dev

    • What does it take to ensure that the website now uses https?

    • Security:

      • security@openexr.com, info@openexr.com

        • John to arrange setting up the forwards to private tsc

      • Outstanding CVE’s:

        • One has a PR that needs to be merged.

        • Other CVE issues have been resolved but the issues were never closed.

        • CVE’s should be documented in CHANGES.md.

      • OpenEXR needs a designated security expert

      • Cryptographic protocols are not applicable.

    • Ready to set up Azure?

    • Compiler Warning flags

      • -Wall with GCC 7/C++17 on Ubuntu gives a handful of warnings, straightforward to fix.

      • What about Windows?

    • Code coverage, static analysis, dynamic analysis: SonarCloud?

      • Just needs to have been done at least prior to release (as opposed to fully integrated to release schedule)

    • Test policy adherence?

  • Should we update source code copyright notices?

    • Cary will check with Lucasfilm Business Affairs.

  • What’s the status of moving the GitHub repository?

  • TODO’s and action items:

    • Label issues and PR’s

      • Gives perception of response

      • Use milestones instead to mark issues for including in next release

      • Need to be more aggressive with closing issues that had a back and forth resulting in a consensus there’s nothing to do

        • Standard comment about a house-cleaning event in migration to ASWF

    • Merge/act on existing PR’s

    • Fix compiler warnings

    • SonarCloud: Static and dynamic analysis

    • Azure

    • Web site/documentation

      • JM: Can be moved independently, whenever ready

      • CP: wants to re-do web site to make it easier to maintain

    • Email addresses for info & security

    • Imath white paper

    • Christina - will work on SonarCloud

    • Kimball - will work on PRs, cmake, compile warnings

    • Nick - will review PRs as well