# 5/21/2020 ### Attending: * Arkell Rasiah * Cary Phillips * Christina Tempelaar-Lietz * Eskil Steenburg * Joseph Goldstone * Kimball Thurston * Larry Gritz * Nick Porcino * Owen Thompson * Peter Hillman * Rod Bogart * Phil Ames * Abishek Arya ### Discussion: * Arkell will investigate updating open-exr images over the summer. Will also reach out to Florian to see if he’s interested in providing some test images. * Arkell raised a concern about images in the openexr-images/Chromaticities folder. Should the Rec709.exr and XYY.exr appear the same? Aren’t the chromaticies the same? Rv inherently adapts with a bradford transformation. Was the XYX made with the wrong adaptation matrix? * Phil Ames and Abishek Arya from the Google AutoFuzz team joined to discuss the OSS-Fuzz service. * Phil is on the information security team. The team fuzzes a lot of open source projects, especially file formats. * Abishek leads the OSS-Fuzz development effort. * The goal is to make fuzzing really simple, simplifying workflow as much as possible. * Integrated with 300 projects (e.g. OpenSSL) * They used to manually reproduce and file bugs, but that doesn’t scale, so the process has been automated. * Lots of work has been done to de-duplicate bugs by comparing stackframes. * OSS-Fuzz focuses on making bugs reproducible. Otherwise they aren’t filed. * Most of the integration can be done in < 100 LOC. * Vendors can sign up to be notified when bugs are detected. * Security bugs are restricted for 90 days. * Bugs are closed automatically when a fix is checked in. * It’s using the existing IlmImfFuzzTest. Will need to break it up into smaller tests. * OSS-Fuzz instrument with many sanitizers, on many cores. * What happens if something is discovered that’s in code that doesn’t matter (documentation generation code)? We control that, since it’s our code that runs the fuzzers. * There’s a CI option: on every PR it does 5 minutes of fuzz. * OSS-Fuzz doesn’t file CVE’s. * Example integration setup PR, for the tinyexr project: https://github.com/google/oss-fuzz/pull/3801/files * Larry pointed out the recent Autodesk maya file security issue: https://www.autodesk.com/trust/security-advisories/adsk-sa-2020-0003 * We also want to run the sanitizer against the regular tests, as well as against the fuzz tests. * Owen shared the Imath project task spreadsheet: https://docs.google.com/spreadsheets/d/1rC_USR4lLXVUTyAG62gOG-uJlxzRguMNTlMYYf2rUrQ/edit?usp=sharing * Christina reports that Azure Pipelines is completely retired, all migrated to GitHub Actions. One remaining issue with the Windows build, but everything seems to be working properly.