TSC Meeting Notes 2019-06-13

Attending:

• Cary Phillips - ILM

• Larry Gritz - SPI

• Rod Bogart - Epic

• Peter Hillman - Weta

• Kimball Thurston - Weta

• Nick Porcino - Oculus

• Christina Tempelaar-Lietz - Epic

• John Mertic - Linux Foundation

Discussion:

• Welcome new TSC members:

  • Nick Porcino - Oculus

  • Christina Tempelaar-Lietz - Epic

  • Kimball Thurston - Weta

  • Piotr was invited by hasn’t responded.

• Project goals by SIGGRAPH:

  • Reach “adopted” status, seems attainable.

    • CII badge progress is at 68%

    • Need CI setup

    • Need static/dynamic analysis setup

    • Need to address security issues/policies

  • Put out a new release, version 2.4:

    • Address outstanding CVE’s

    • Document existing CVE’s

    • Compiler warnings

    • CMake fixes

  • Acknowledge most Issues and PRs; many can be closed as is.

  • Proposal/position on the future of Imath; go into the BOF prepared to discuss.

• “Guide to the OpenEXR Project”

  • GOVERNANCE.md, CONTRIBUTING.md, etc.

  • Clarify project roles and clarify terminology:

    • Committer vs. TSC

      • Nick Rasmussen is an example of a committer not on the TSC.

      • Need to clarify terms of service, how long do TSC members serve.

    • OCIO meeting notes designate a PR Reviewer?

      • Ad-hoc for that project to ensure fast turn around due to large number of contributions

      • May want some form of this to ensure that PRs are reviewed

• Legal:

  • Who keeps track of CLA’s on file?

    • Should just be part of the process (CLA, DCO checks)

    • Old PRs, what to do about obtaining CLAs prior to merge

    • Need to check w/ ILM legal just to clarify old copyright / CLA

  • Does OCIO have a policy of accepting small fixes without a CLA? No, that’s OIIO. All ASWF/Linux Foundation projects require CLA’s for every PR, no matter how small.

• CII Badge requires “acknowledgment of bug reports”. What should our policy be?

  • Standard use of GitHub labels, documented in CONTRIBUTING.

  • Use of GitHub Milestones to indicate priority.

• Status of the CII Best Practices Badge:

  • Must ensure timely response to posts on openexr-dev

  • What does it take to ensure that the website now uses https?

  • Security:

    • security@openexr.com, info@openexr.com

      • John to arrange setting up the forwards to private tsc

    • Outstanding CVE’s:

      • One has a PR that needs to be merged.

      • Other CVE issues have been resolved but the issues were never closed.

      • CVE’s should be documented in CHANGES.md.

    • OpenEXR needs a designated security expert

    • Cryptographic protocols are not applicable.

  • Ready to set up Azure?

  • Compiler Warning flags

    • -Wall with GCC 7/C++17 on Ubuntu gives a handful of warnings, straightforward to fix.

    • What about Windows?

  • Code coverage, static analysis, dynamic analysis: SonarCloud?

    • Just needs to have been done at least prior to release (as opposed to fully integrated to release schedule)

  • Test policy adherence?

• Should we update source code copyright notices?

  • Cary will check with Lucasfilm Business Affairs.

• What’s the status of moving the github repository?

• TODO’s and action items:

  • Label issues and PR’s

    • Gives perception of response

    • Use milestones instead to mark issues for including in next release

    • Need to be more aggressive with closing issues that had a back and forth resulting in a consensus there’s nothing to do

      • Standard comment about a house-cleaning event in migration to ASWF

  • Merge/act on existing PR’s

  • Fix compiler warnings

  • SonarCloud: Static and dynamic analysis

  • Azure

  • Web site/documentation

    • JM: Can be moved independently, whenever ready

    • CP: wants to re-do web site to make it easier to maintain

  • Email addresses for info & security

  • Imath white paper

  • Christina - will work on SonarCloud

  • Kimball - will work on PRs, cmake, compile warnings

  • Nick - will review PRs as well