TSC Meeting Notes 2019-06-13
Attending:
- Cary Phillips - ILM
- Larry Gritz - SPI
- Rod Bogart - Epic
- Peter Hillman - Weta
- Kimball Thurston - Weta
- Nick Porcino - Oculus
- Christina Tempelaar-Lietz - Epic
- John Mertic - Linux Foundation
Discussion:
- Welcome new TSC members:
- Nick Porcino - Oculus
- Christina Tempelaar-Lietz - Epic
- Kimball Thurston - Weta
- Piotr was invited but hasn’t responded.
- Project goals by SIGGRAPH:
- Reach “adopted” status, seems attainable.
- CII badge progress is at 68%
- Need CI setup
- Need static/dynamic analysis setup
- Need to address security issues/policies
- Put out a new release, version 2.4:
- Address outstanding CVE’s
- Document existing CVE’s
- Compiler warnings
- CMake fixes
- Acknowledge most Issues and PRs; many can be closed as is.
- Proposal/position on the future of Imath; go into the BOF prepared to discuss.
- “Guide to the OpenEXR Project”
- GOVERNANCE.md, CONTRIBUTING.md, etc.
- Clarify project roles and clarify terminology:
- Committer vs. TSC
- Nick Rasmussen is an example of a committer not on the TSC.
- Need to clarify terms of service, how long do TSC members serve.
- OCIO meeting notes designate a PR Reviewer?
- Ad-hoc for that project to ensure fast turn around due to large number of contributions
- May want some form of this to ensure that PRs are reviewed
- Legal:
- Who keeps track of CLA’s on file?
- Should just be part of the process (CLA, DCO checks)
- Old PRs, what to do about obtaining CLAs prior to merge
- Need to check w/ ILM legal just to clarify old copyright / CLA
- Does OCIO have a policy of accepting small fixes without a CLA? No, that’s OIIO. All ASWF/Linux Foundation projects require CLA’s for every PR, no matter how small.
- CII Badge requires “acknowledgment of bug reports”. What should our policy be?
- Standard use of GitHub labels, documented in CONTRIBUTING.
- Use of GitHub Milestones to indicate priority.
- Status of the CII Best Practices Badge:
- Must ensure timely response to posts on openexr-dev
- What does it take to ensure that the website now uses https?
- Security:
- security@openexr.com, info@openexr.com
- John to arrange setting up the forwards to private tsc
- Outstanding CVE’s:
- One has a PR that needs to be merged.
- Other CVE issues have been resolved but the issues were never closed.
- CVE’s should be documented in CHANGES.md.
- OpenEXR needs a designated security expert
- Cryptographic protocols are not applicable.
- Ready to set up Azure?
- Compiler Warning flags
- -Wall with GCC 7/C++17 on Ubuntu gives a handful of warnings, straightforward to fix.
- What about Windows?
- Code coverage, static analysis, dynamic analysis: SonarCloud?
- Just needs to have been done at least prior to release (as opposed to fully integrated to release schedule)
- Test policy adherence?
- Should we update source code copyright notices?
- Cary will check with Lucasfilm Business Affairs.
- What’s the status of moving the github repository?
- TODO’s and action items:
- Label issues and PR’s
- Gives perception of response
- Use milestones instead to mark issues for including in next release
- Need to be more aggressive with closing issues that had a back and forth resulting in a consensus there’s nothing to do
- Standard comment about a house-cleaning event in migration to ASWF
- Merge/act on existing PR’s
- Fix compiler warnings
- SonarCloud: Static and dynamic analysis
- Azure
- Web site/documentation
- JM: Can be moved independently, whenever ready
- CP: wants to re-do web site to make it easier to maintain
- Email addresses for info & security
- Imath white paper
- Christina - will work on SonarCloud
- Kimball - will work on PRs, cmake, compile warnings
- Nick - will review PRs as well