TSC Meeting Notes 2024-02-08

Attendance:

  • Cary Phillips
  • Christina Tempelaar-Lietz
  • John Mertic
  • Joseph Goldstone
  • Kimball Thurston
  • Larry Gritz
  • Nick Porcino
  • Peter Hillman
  • Rod Bogart

Guests:

  • Li Ji, ILM
  • Christian Wieberg-Nielsen, Colorist, Storyline

Discussion:

  • Deep CVE bug fix - OIIO test suite issues are failing
    • Larry will verify further
    • Peter & Nick had discussed a possible change to core so every exception can be caught so you can capture the true source of an error.
  • Christian
    • interested in how to get metadata from the camera into OpenEXR
  • GitHub security vulnerability reporting
    • Cary: anyone have any insight? People who filed the CVE had a blocked address so we did not receive the message, email not as reliable for CVE reports.
    • You have to be an administrator to accept a draft and turn it into a CVE, Cary will look into it further.
    • Need multiple administrators
    • Fuzz reports go to openexr.org, but CVE reports go to openexr.com?
    • Cary made it all consistent a while back except for the fuzz reports. Should test if the openexr.org address is working.
  • Deep CVE bug
    • Peter is getting a repro, Kimball was able to repro
    • Kimball needs to update the checkfile test to catch the break reported by OIIO
    • As a repro, this fails:
      • iinfo -v --hash --stats testsuite/iinfo/src/tinydeep.exr
    • Kimball: Pointer unpack is causing this issue
    • OpenSUSE already cherry-picked the fix into their next release but caught it in their tests before releasing
    • Deep file limits: 2.5 GB
    • Peter: amplification attacks could be a risk if you can allocate a lot of memory for loading
  • PR 1616 - automate compression method detection - Philippe Leprince
    • Kimball: shouldn't have automated detection
    • Peter: compile time trick, wouldn't have implemented it this way because it's a little difficult to reason about
    • Not built every time you build the library, only when a new compression type is added; done at cmake time but only if you ask it to.
    • Doesn't need to work for everybody
    • Kimball: went away from having float tables auto-built. Do that for configuration, but we should be against such a mechanism if it's something that doesn't change very often.
    • Peter: could do it with the CI, generate the files and inject them back into the system
    • But added 1000 lines of code to save writing 5 lines of code when adding new compression types.
    • cmake changes are large
    • Peter: could ask to take out the automation, leaving files as is and modifying them by hand
    • Would need to add a comment to cpp file as to what needs updating when adding compression type
    • Kimball: Add static assert in compression.cpp or compression.c to check the length of the enum against the compression types.
    • Peter: old c interface uses #define's instead of an enum so difficult to check
    • Peter: should be able to catch that in the test suite
    • Cary: what about std compression in the PR?
    • Peter: scanline implementation breaks with deep; single scanline would solve it. The compression step is just given raw data and doesn't know which datatype it is dealing with (on the C++ side; it's different on the C side). Maybe special-case handling of the compression type just in the core, then forward it.
    • Kimball: we already did that with ... (missed this) , handled in core then forwarded.
    • Blosc library performs differently when it knows if it has 4-byte vs 3-byte data.
    • Zstandard or LZMA have discrete chunk vs streaming modes; can keep a little bit of state around that helps the streaming. Should make sure we are taking advantage of these capabilities.
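The compile-time check Kimball suggests for the compression table, plus the test-suite style runtime check Peter mentions for the case a static assert cannot cover, as an added illustration that is not OpenEXR's own code. The enum, table layout and names below are hypothetical stand-ins, not the library's real definitions.

```c
#include <assert.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical compression enum; the real OpenEXR enum is not reproduced here.
 * The count entry must stay last so it tracks the number of methods. */
typedef enum {
    COMP_NONE = 0,
    COMP_RLE,
    COMP_ZIPS,
    COMP_ZIP,
    COMP_PIZ,
    COMP_NUM_METHODS
} comp_method_t;

typedef struct {
    comp_method_t id;        /* must equal the row's index in the table */
    const char   *name;      /* attribute string for this method */
    int           scanlines; /* scanlines per chunk, must be > 0 */
} comp_entry_t;

/* Hand-maintained table (illustrative values). Adding an enum value
 * without adding a row here is caught at compile time below. */
static const comp_entry_t k_comp_table[] = {
    { COMP_NONE, "none",  1 },
    { COMP_RLE,  "rle",   1 },
    { COMP_ZIPS, "zips",  1 },
    { COMP_ZIP,  "zip",  16 },
    { COMP_PIZ,  "piz",  32 },
};

static_assert(sizeof(k_comp_table) / sizeof(k_comp_table[0]) == (size_t) COMP_NUM_METHODS,
              "compression table out of sync with comp_method_t");

/* Runtime guard for what the static assert cannot see: row order, empty
 * names, bad chunk sizes, or an interface built on #defines instead of an
 * enum. Returns -1 when consistent, else the index of the first bad row. */
int comp_table_check(void)
{
    for (size_t i = 0; i < (size_t) COMP_NUM_METHODS; ++i) {
        const comp_entry_t *e = &k_comp_table[i];
        if ((size_t) e->id != i || e->name == NULL || e->scanlines <= 0)
            return (int) i;
    }
    return -1;
}

/* Map an attribute name to its method; COMP_NUM_METHODS means unknown. */
comp_method_t comp_from_name(const char *name)
{
    for (size_t i = 0; i < (size_t) COMP_NUM_METHODS; ++i)
        if (strcmp(k_comp_table[i].name, name) == 0)
            return k_comp_table[i].id;
    return COMP_NUM_METHODS;
}
```

A test suite would call comp_table_check() once and fail on anything other than -1.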