Attendance:

Cary Phillips
Christina Tempelaar-Lietz
John Mertic
Joseph Goldstone
Kimball Thurston
Larry Gritz
Nick Porcino
Peter Hillman
Rod Bogart

Guests:

Li Ji, ILM
Christian Wieberg-Nielsen, Colorist, Storyline

Discussion:

Deep CVE bug fix - OIIO test suite issues are failing
- Larry will verify further
- Peter & Nick had discussed possible change to core so every exception can be caught so you can capture the true source of an error.
Christian
- interested in how to get metadata from the camera into OpenEXR
GitHub security vulnerability reporting
- Cary: anyone have any insight? People who filed the CVE had a blocked address so we did not receive the message, email not as reliable for CVE reports.
- You have to be an administrator to accept a draft and turn it into a CVE, Cary will look into it further.
- Need multiple administrators
- fuzz reports go to openexr.org, but cve reports go to openexr.com ?
- Cary made it all consistent a while back except for the fuzz reports. Should test if the openexr.org address is working.
Deep CVE bug
- Peter is getting a repro, Kimball was able to repro
- Kimball needs to update the checkfile test to catch the break reported by OIIO
- As a repro, this fails:
  - iinfo -v --hash --stats testsuite/iinfo/src/tinydeep.exr
- Kimball: Pointer unpack is causing this issue
- OpenSUSE already cherry picked the fix into their next release but caught it in their tests before releasing
- Deep file limits 2.5 gb
- Peter: amplification attacks could be a risk if you can allocated a lot of memory for loading
PR 1616 - automate compression method detection - Phillipe lePrince
- Kimball: shouldn't have automated detection
- Peter: compile time trick, wouldn't have implemented it this way because it's a little difficult to reason about
- Not built every time you build library, only when a new compression type added, done at cmake time but only if you ask it too.
- Doesn't need to work for everybody
- Kimball: went away from having float tables auto built. do that for configuration but we should be against such a mechanism if it something that doesn't change very often.
- Peter: could do it with the CI , generate the files and inject back into system
- But added 1000 lines of code to save writing 5 lines of code when adding new compression types.
- cmake changes are large
- Peter: could ask to take out the automation, leaving files as is and modifying them by hand
- Would need to add a comment to cpp file as to what needs updating when adding compression type
- Kimball: Add static assert in compression.cpp or compression.c to check the length of the enum against the compression types.
- Peter: old c interface uses #define's instead of an enum so difficult to check
- Peter: should be able to catch that in the test suite
- Cary: what about std compression in the PR?
- Peter: scanline implementation breaks with deep, single scanline would solve, compression step is just given raw data doesn't know which datatype it is dealing with (on C++ side, it's different on the C side). maybe special case handling of compression type just in the core then forward it.
- Kimball: we already did that with ... (missed this) , handled in core then forwarded.
- Blosc library performs differently when it knows if it has 4-byte vs 3-byte data.
- Z-standard or LZMA have discrete chunk vs streaming mode, can keep a little bit of state around that helps the streaming. should make sure we are taking advantage of these capabilities.

Browser not supported