# 6/13/2019 ### Attending: * Cary Phillips - ILM * Larry Gritz - SPI * Rod Bogart - Epic * Peter Hillman - Weta * Kimball Thurston - Weta * Nick Porcino - Oculus * Christina Tempelaar-Lietz - Epic * John Mertic - Linux Foundation ### Discussion: * Welcome new TSC members: * Nick Porcino - Oculus * Christina Tempelaar-Lietz - Epic * Kimball Thurston - Weta * Piotr was invited by hasn’t responded. * Project goals by SIGGRAPH: * Reach “adopted” status, seems attainable. * CII badge progress is at 68% * Need CI setup * Need static/dynamic analysis setup * Need to address security issues/policies * Put out a new release, version 2.4: * Address outstanding CVE’s * Document existing CVE’s * Compiler warnings * CMake fixes * Acknowledge most Issues and PRs; many can be closed as is. * Proposal/position on the future of Imath; go into the BOF prepared to discuss. * “Guide to the OpenEXR Project” * GOVERNANCE.md, CONTRIBUTING.md, etc. * Clarify project roles and clarify terminology: * Committer vs. TSC * Nick Rasmussen is an example of a committer not on the TSC. * Need to clarify terms of service, how long do TSC members serve. * OCIO meeting notes designate a PR Reviewer? * Ad-hoc for that project to ensure fast turn around due to large number of contributions * May want some form of this to ensure that PRs are reviewed * Legal: * Who keeps track of CLA’s on file? * Should just be part of the process (CLA, DCO checks) * Old PRs, what to do about obtaining CLAs prior to merge * Need to check w/ ILM legal just to clarify old copyright / CLA * Does OCIO have a policy of accepting small fixes without a CLA? No, that’s OIIO. All ASWF/Linux Foundation projects require CLA’s for every PR, no matter how small. * CII Badge requires “acknowledgment of bug reports”. What should our policy be? * Standard use of GitHub labels, documented in CONTRIBUTING. * Use of GitHub Milestones to indicate priority. * Status of the CII Best Practices Badge: * Must ensure timely response to posts on openexr-dev * What does it take to ensure that the website now uses https? * Security: * security@openexr.com, info@openexr.com * John to arrange setting up the forwards to private tsc * Outstanding CVE’s: * One has a PR that needs to be merged. * Other CVE issues have been resolved but the issues were never closed. * CVE’s should be documented in CHANGES.md. * OpenEXR needs a designated security expert * Cryptographic protocols are not applicable. * Ready to set up Azure? * Compiler Warning flags * -Wall with GCC 7/C++17 on Ubuntu gives a handful of warnings, straightforward to fix. * What about Windows? * Code coverage, static analysis, dynamic analysis: SonarCloud? * Just needs to have been done at least prior to release (as opposed to fully integrated to release schedule) * Test policy adherence? * Should we update source code copyright notices? * Cary will check with Lucasfilm Business Affairs. * What’s the status of moving the github repository? * TODO’s and action items: * Label issues and PR’s * Gives perception of response * Use milestones instead to mark issues for including in next release * Need to be more aggressive with closing issues that had a back and forth resulting in a consensus there’s nothing to do * Standard comment about a house-cleaning event in migration to ASWF * Merge/act on existing PR’s * Fix compiler warnings * SonarCloud: Static and dynamic analysis * Azure * Web site/documentation * JM: Can be moved independently, whenever ready * CP: wants to re-do web site to make it easier to maintain * Email addresses for info & security * Imath white paper * Christina - will work on SonarCloud * Kimball - will work on PRs, cmake, compile warnings * Nick - will review PRs as well