TSC Meeting Notes 2020-05-21

Attending:

  • Arkell Rasiah
  • Cary Phillips
  • Christina Tempelaar-Lietz
  • Eskil Steenberg
  • Joseph Goldstone
  • Kimball Thurston
  • Larry Gritz
  • Nick Porcino
  • Owen Thompson
  • Peter Hillman
  • Rod Bogart
  • Phil Ames
  • Abhishek Arya

Discussion:

  • Arkell will investigate updating the openexr-images test images over the summer. He will also reach out to Florian to see if he’s interested in providing some test images.

  • Arkell raised a concern about images in the openexr-images/Chromaticities folder. Should Rec709.exr and XYY.exr appear the same? Aren’t the chromaticities the same? RV inherently adapts with a Bradford transformation. Was XYY.exr made with the wrong adaptation matrix?

  • Phil Ames and Abhishek Arya from the Google AutoFuzz team joined to discuss the OSS-Fuzz service.

    • Phil is on the information security team. The team fuzzes a lot of open source projects, especially file formats.

    • Abhishek leads the OSS-Fuzz development effort.

    • The goal is to make fuzzing really simple, simplifying workflow as much as possible.

    • Integrated with 300 projects (e.g. OpenSSL).

    • They used to manually reproduce and file bugs, but that doesn’t scale, so the process has been automated.

    • Lots of work has been done to de-duplicate bugs by comparing stackframes.

    • OSS-Fuzz focuses on making bugs reproducible. Otherwise they aren’t filed.

    • Most of the integration can be done in < 100 LOC.

    • Vendors can sign up to be notified when bugs are detected.

    • Security bugs are restricted for 90 days.

    • Bugs are closed automatically when a fix is checked in.

    • It’s using the existing IlmImfFuzzTest. Will need to break it up into smaller tests.

    • OSS-Fuzz instruments builds with many sanitizers and runs them on many cores.

    • What happens if something is discovered that’s in code that doesn’t matter (documentation generation code)? We control that, since it’s our code that runs the fuzzers.

    • There’s a CI option: on every PR it does 5 minutes of fuzz.

    • OSS-Fuzz doesn’t file CVEs.

    • Example integration setup PR, for the tinyexr project: https://github.com/google/oss-fuzz/pull/3801/files

  • Larry pointed out the recent Autodesk Maya file security issue:

    https://www.autodesk.com/trust/security-advisories/adsk-sa-2020-0003

  • We also want to run the sanitizer against the regular tests, as well as against the fuzz tests.

  • Owen shared the Imath project task spreadsheet: https://docs.google.com/spreadsheets/d/1rC_USR4lLXVUTyAG62gOG-uJlxzRguMNTlMYYf2rUrQ/edit?usp=sharing

  • Christina reports that Azure Pipelines is completely retired, all migrated to GitHub Actions. One remaining issue with the Windows build, but everything seems to be working properly.
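
The OSS-Fuzz discussion above mentions that an integration is under 100 lines and that the existing IlmImfFuzzTest should be split into smaller harnesses. The following is an added example of what one such libFuzzer-style harness looks like; it is not OpenEXR's IlmImfFuzzTest, nor code from OSS-Fuzz. The only real facts it relies on are the EXR magic number (20000630, bytes 76 2f 31 01) and the 4-byte version word that follows it; the attribute-name parsing, the `ToyHeader` type, the `parse_toy_header` function and the sample bytes are constructed for illustration. The point it demonstrates is the shape of the entry point, why every read in the code under test must be bounds-checked, and how one harness per parser keeps sanitizer findings attributable to a single code path.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// Real EXR files start with the magic number 20000630 (bytes 76 2f 31 01,
// little-endian) followed by a 4-byte version/flags word. Those two facts
// are real; the attribute handling below is a constructed toy, not OpenEXR.
static const uint32_t kExrMagic = 20000630u;

struct ToyHeader {
    uint32_t version = 0;
    std::string first_attr;
};

// Little-endian 32-bit read that does not depend on host byte order.
static uint32_t read_le32(const uint8_t* p) {
    return static_cast<uint32_t>(p[0]) | (static_cast<uint32_t>(p[1]) << 8) |
           (static_cast<uint32_t>(p[2]) << 16) | (static_cast<uint32_t>(p[3]) << 24);
}

// Parses magic, version and the first NUL-terminated attribute name.
// Every read is checked against `size`; a check missing here is exactly
// the kind of defect AddressSanitizer reports as a heap-buffer-overflow
// when the fuzzer feeds a truncated file.
bool parse_toy_header(const uint8_t* data, size_t size, ToyHeader* out) {
    if (data == nullptr || size < 8) return false;
    if (read_le32(data) != kExrMagic) return false;
    out->version = read_le32(data + 4);
    const uint8_t* name = data + 8;
    const size_t remaining = size - 8;
    const void* nul = memchr(name, 0, remaining);
    if (nul == nullptr) return false;  // name runs off the end of the buffer
    const size_t len = static_cast<const uint8_t*>(nul) - name;
    out->first_attr.assign(reinterpret_cast<const char*>(name), len);
    return true;
}

// libFuzzer / OSS-Fuzz entry point. The engine calls it once per generated
// input; the contract is to exercise the code and return 0. One parser per
// harness keeps crashes attributable to a single code path, which is the
// "break it up into smaller tests" point from the meeting.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    ToyHeader h;
    (void)parse_toy_header(data, size, &h);
    return 0;
}

// Constructed sample: valid magic, version 2, attribute name "channels".
std::vector<uint8_t> constructed_sample() {
    return {0x76, 0x2f, 0x31, 0x01, 0x02, 0x00, 0x00, 0x00,
            'c', 'h', 'a', 'n', 'n', 'e', 'l', 's', 0x00};
}

// Constructed sample cut inside the attribute name (no terminating NUL).
std::vector<uint8_t> truncated_sample() {
    std::vector<uint8_t> v = constructed_sample();
    v.resize(12);
    return v;
}

// Helpers returning plain values so behaviour can be checked directly.
bool sample_parses(const std::vector<uint8_t>& buf) {
    ToyHeader h;
    return parse_toy_header(buf.data(), buf.size(), &h);
}
uint32_t sample_version(const std::vector<uint8_t>& buf) {
    ToyHeader h;
    return parse_toy_header(buf.data(), buf.size(), &h) ? h.version : 0;
}
std::string sample_first_attr(const std::vector<uint8_t>& buf) {
    ToyHeader h;
    return parse_toy_header(buf.data(), buf.size(), &h) ? h.first_attr : std::string();
}

// Stand-alone driver; drop it when linking with -fsanitize=fuzzer, which
// supplies its own main and calls LLVMFuzzerTestOneInput instead.
int main() {
    std::vector<uint8_t> ok = constructed_sample();
    std::vector<uint8_t> cut = truncated_sample();
    printf("valid: %d version=%u attr=%s\n", sample_parses(ok),
           sample_version(ok), sample_first_attr(ok).c_str());
    printf("truncated: %d\n", sample_parses(cut));
    return LLVMFuzzerTestOneInput(ok.data(), ok.size());
}
```

Building this with `clang++ -g -O1 -fsanitize=fuzzer,address` (with the stand-alone `main` removed) gives a binary the fuzzing engine drives directly; a harness of this shape, one per parser, is the unit the meeting suggests splitting IlmImfFuzzTest into.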