academysoftwarefoundation / tac

Materials and meeting notes for the ASWF Technical Advisory Council (TAC)

Home Page: https://tac.aswf.io

License: Creative Commons Attribution 4.0 International


tac's Introduction

Academy Software Foundation Technical Advisory Council (TAC)

This repo contains materials, meeting materials, and process documents for the Academy Software Foundation TAC.

The best way to view these materials is at https://tac.aswf.io. If you have any feedback or changes, please file a pull request or create an issue.

tac's People

Contributors

aloysbaillet, bcipriano, carolalynn, cary-ilm, danrbailey, davefellows, dependabot[bot], dheckenberg, jfpanisset, jmertic, jminor, kdt3rd, kthurston, lgritz, matthewlow-dwa, meshula, michdolan, scmcduffee, slooper, step-security-bot, swinslow, zxiiro

tac's Issues

Transition to LFX Meeting Management

The goal is to shift meetings to using LFX Meeting Management, which enables a smoother experience, easier management, and better data tracking.

Update on transition:

Projects moved over:

CI Working Group
Digital Production Example Library (DPEL)
OpenAssetIO
OpenFX
OpenImageIO
Open Review Initiative
OpenVDB
Rez
USD Working Group
OpenColorIO
Rust WG
D&I Working Group
MaterialX
Open Shading Language (OSL)
OpenTimelineIO
RAW to ACES Utility
OpenEXR
OpenCue

In Progress:

None

TODO:

None

Zero Trust Working Group

Describe the purpose of the group in no more than 4-5 sentences

The purpose of the Zero Trust Working Group is to support ASWF projects that need to function in a Zero Trust operating environment. As workflows and assets move to the cloud, perimeter security is no longer adequate in many situations. New models, such as Zero Trust, are being used that require many clients and services to become security aware. For example, they may need to integrate with authentication and authorization services or to interoperate with logging, monitoring, or threat detection systems.

The aim of this working group is to assist ASWF projects in determining their zero trust security needs and to share best practices on implementation approaches.

Goals of the working group

  1. Assist community members in becoming aware of the use of zero trust security models and how that relates to ASWF projects.
  2. Consolidate and share best practices for implementing those models including security by design.
  3. Explore the value of having an ASWF project for Zero Trust framework and supporting elements that could be shared between multiple ASWF projects.

Non-goals of the working group

  1. Maintain code for actual solutions beyond samples needed to support documentation.
  2. Duplicate security work already being done in other Working Groups, such as CI.

Deliverables

  1. Documentation of guidelines and best practices to help other ASWF projects incorporate the mechanisms and components necessary for operating in a ZT environment.
  2. Proposals for other projects, such as frameworks or code, that the group may determine are needed.

TAC Meeting Schedule - December 2023 and January 2024

Schedule for December and January:

  • December 13, 2023 - TAC Meeting
  • December 27, 2023 - NO TAC MEETING ( HOLIDAY BREAK )
  • January 10, 2024 - TAC Meeting
  • January 24, 2024 - NO TAC MEETING ( LF OFFSITE )
  • February 7, 2024 - TAC Meeting
  • February 21, 2024 - NO TAC MEETING ( ASWF Open Source Forum )

nanoColor Working Group Charter Proposal

Please share any additional details on this topic

OCIO, USD, and MaterialX leaders have been working on a proposal for a lightweight version of OCIO for use in rendering, texture, and material use cases. We are at the point where we would like to discuss and get feedback from the TAC. Here is the charter: https://docs.google.com/document/d/1eGLtOHY-hNKXdtBUJWQHK25WQcK2zjDJYkldmE6eZVY/edit?usp=sharing

Detail what actions or feedback you would like from the TAC

We are seeking feedback from the TAC on the overall plan, and also for stakeholders to participate from member companies as needed.

How much time do you need for this topic?

5 minutes or less

CLOTributor for ASWF projects

Please share any additional details on this topic

CLOTributor is a tool from CNCF to help developers find ways to contribute to projects. Currently, CNCF, LF AI and Data, and CD Foundation projects have issues highlighted on the site.

We are adding all the ASWF Projects to this tool to help drive awareness of where help is needed within projects.

Detail what actions or feedback you would like from the TAC

Projects wishing to have their issues shown in CLOTributor need to:

  • Add the 'help wanted' tag to OPEN and UNASSIGNED issues from the last year you want to be highlighted on CLOTributor
  • Add additional special tags to highlight things like the type of issue, difficulty, and more.

How much time do you need for this topic?

5 minutes or less

FMX 2024 Open Source Track

Please share any additional details on this topic

Emily is arranging an Open Source Track at FMX 2024

Detail what actions or feedback you would like from the TAC

Interest for participation

How much time do you need for this topic?

None

Semi-annual stakeholders survey

We are combining the previous member and maintainer survey into one stakeholder survey. This survey aims to get feedback on the ASWF programs and identify any areas of improvement.

Complete the survey at https://forms.gle/TVhc1UwTCj2qWUM48

This survey will go live 12/1 and close on 12/31. We will re-run the survey again in June 2024 and December 2024.

Open Source Forum 2024 Reminders

Sponsorships: Here are the sponsorship opportunities for Open Source Forum, if you would like to proudly have your logo on display during the event. Several of the options are already pending, so don't wait too long.

Registration: The member code for registration is ASWFOSF24MEM, and it's for both in-person and virtual attendance. This event is FREE for all employees of member companies, so please share the link and code with your teams and co-workers. Register here.

Starting a Zero Trust Security Working Group

Please share any additional details on this topic

We have a proposal for a Zero Trust Working Group including participation commitments from several ASWF members. We want to update the TAC on the proposal so they can review it for subsequent approval.

Not sure of the process here. We could do 5-10 minutes at one meeting, get TAC review and comments off line, and then bring back for approval.

Detail what actions or feedback you would like from the TAC

TAC feedback on the proposed charter and subsequent TAC approval.

How much time do you need for this topic?

5 minutes or less

Close out adjustments to OpenSSF Best Practices badge in lifecycle stage requirements.

Please share any additional details on this topic

As proposed by Jonathan Stone on the #tac channel in the ASWF Slack.... ( https://academysoftwarefdn.slack.com/archives/CKB8RR3FT/p1695761680176419 )

Hello all!

John Mertic and I have been discussing the pros and cons of requiring Silver and Gold OpenSSF badges for ASWF project graduation, and this seems like a topic that is interesting enough to open up for broader discussion.

Based on our conversation so far, here are some of the reasons that we might consider changing our lifecycle rules, maintaining Silver and Gold badges as aspirational goals for all ASWF projects, but not using them as blockers for project graduation:

  • No ASWF project has ever achieved either a Silver or Gold badge, including the foundational computer graphics projects that launched with the ASWF itself.
  • Our most recent graduating projects were approved unanimously without achieving either a Silver or Gold badge.
  • Outside of the ASWF, none of the foundational OSS projects in computer graphics (e.g. PBRT, Mitsuba, Embree, OpenUSD, Filament) has ever achieved either a Silver or Gold badge, and there's no evidence that they're currently pursuing them. One potential reason for this is the disconnect between the focus of the Silver and Gold badges (security guarantees, statement and branch coverage), and the emphasis of computer graphics projects on visual parity and visual regression testing.

We'd be very interested in additional thoughts from this group, and this could be a good discussion topic for a future TAC meeting.

Detail what actions or feedback you would like from the TAC

Discussion on how to proceed

How much time do you need for this topic?

At least 30 minutes

Hosted Project Resource request form live

Please share any additional details on this topic

This has been pushed live now - read more at https://tac.aswf.io/tools/resource_request

For now, any requests will be put on the TAC meeting agenda board and triaged into a meeting for review/approval. We can continue to refine the project as we go on.

Detail what actions or feedback you would like from the TAC

Awareness

How much time do you need for this topic?

5 minutes or less

Security Threat model analysis for ASWF projects

Please share any additional details on this topic

To help address some of the questions on security for projects and to help prepare them for a future security audit, we'd like to have some of our projects go through a security threat model analysis. An example of the output of this work can be seen at the link below...

https://ostif.org/wp-content/uploads/2023/11/Eclipse-Mosquitto-Threat-Model.pdf

Detail what actions or feedback you would like from the TAC

Interest from a few projects to do this.

How much time do you need for this topic?

5 minutes or less

Transition to GitHub Actions and enabling GPU builders

From email thread and @jfpanisset

My understanding of some of the steps required:

  • We decided to only target GitHub Actions, since that's where ASWF projects are moving towards, and to use OCIO as the initial project to deploy this. Support for GitHub Actions is being worked on currently in OCIO, but we will need this work to appear in the repo.
  • We will be targeting AWS, and yes apparently it is now possible to have "sub accounts" under the overall LF releng AWS account, and to target any ASWF-specific AWS credits to that sub account.
  • I think for now we can target only the OCIO nightly build out of the branch in which PRs have been merged, so we don't need to solve right away the issue of managing secrets / AWS credentials in PR forks. Of course there's still the possibility of a bad actor managing to obfuscate credential stealing code that makes it past the reviewers and gets merged into the OCIO repo, but that's a general problem that everyone has to deal with, not just us.
  • Strict limits can be set on the ASWF AWS sub account to allow it to allocate a single GPU VM, and nothing else, we can raise these limits as our needs increase.
  • Most importantly, currently the "on demand GPU VM allocation via GitHub Actions" code in https://github.com/jfpanisset/cloud_gpu_build_agent is not very robust, and in particular if the build fails, it will leave the GPU VM running and chewing up money. But that code can be improved along the way, it's not a bad idea to get GPU support going in a real world CI scenario as soon as possible.

Does that correspond to everyone's recollection of where we've ended up?

Continue discussion on Swift Sub-WG [ASWF Language Interop WG] proposal

Describe the purpose of the group in no more than 4-5 sentences

The Swift working group is dedicated to providing both Swift and C/C++ interoperability between each of these languages which allows the many existing libraries across the industry to be easily extended, safer, and easier to use. While additionally empowering all software development by easy adoption of industry software through harnessing the capabilities of the Swift package manager (SPM), which makes adding a library to other projects as simple as copying a library's link and pasting it into its package dependency section.

We have currently provided Swift support of Pixar's Universal Scene Description as a proof of concept, which currently supports both Linux and Apple's operating systems.

Goals of the working group

  • To work in collaboration across the ASWF in the mission to allow all of its existing projects and libraries to be consumed by other SPM projects, in the form of creating a Package.swift file at the root of every project across the ASWF, a task in which MetaverseKit proves is possible, but to do so in a modular fashion through each project's official channels.
  • Through the availability of SPM plugins and other tooling to aid in bringing existing libraries to SPM.
  • Creating safe, easy to use Swift APIs of these libraries, or allowing for interesting paradigms such as declarative APIs built around Swift's @resultBuilder.
  • Supporting macOS, visionOS (where applicable), Linux, Wasm (where applicable), and Microsoft Windows.

Non-goals of the working group

  • Existing C/C++ libraries should not be modified, or modified very little, an acceptable modification would be to add clang attributes to existing classes through the usage of macros - so long as it is done in a low-touch cross platform way, like we did for USD here.
  • Rewriting existing C/C++ code into Swift.
  • Supporting versions of Swift prior to Swift 5.9's C++ Interop Feature.

Deliverables

  • Universal Scene Description (USD) for Swift.
  • Proof of concept, MetaverseKit that will be made obsolete once ASWF projects adopt Package.swift files at the root of their repositories, if an existing ASWF project does not wish to do so we could instead provide a SPM package repository to work as a wrapper around a git submodule that fetches the project's official source code.

Document Netlify URL?

@jmertic Should the top level readme.md for the TAC repo include a link to the Netlify published version of the repo?

Also the initial commit added some metadata to the top of most of the markdown documents indicating their position in the (directory) hierarchy, does this data get auto-generated, or do new documents need to add this data explicitly?

If so we may want to document that process somewhere, and perhaps there should be a PR time check to make sure the metadata is present?

Fixing LFX Security for C/C++ Projects

Please share any additional details on this topic

John has been working with our LFX Security team and OpenEXR on a solution so that C/C++ projects can be included in the Snyk scans in LFX Security. See the issue below.

AcademySoftwareFoundation/openexr#1608

Detail what actions or feedback you would like from the TAC

We'd like other project leads to try this out in their projects if this is a blocker for them.

How much time do you need for this topic?

5 minutes or less

Help with Security Reviews for hosted projects

Please share any additional details on this topic

Intel has volunteered a resource to do security reviews for our hosted projects, though they requested to have an additional member provide a resource in addition so there is a balanced view.

Detail what actions or feedback you would like from the TAC

Seeing if a member company would have such a resource.

How much time do you need for this topic?

5 minutes or less

Swag Store feedback

We launched a new swag store at Open Source Days!

https://store.aswf.io

Seeing that there is already a Slack thread, let's capture some feedback in the store in this ticket to make it a bit more structured. Thanks for all your feedback.

OpenLensIO

Describe the purpose of the group in no more than 4-5 sentences

OpenLensIO is a community dedicated to enhancing interoperability in lens distortion modelling for media production. It formulates a set of standard mathematical models for lenses targeting their application in media production and presents open-source reference implementations for the providers and consumers of lens metadata.

Goals of the working group

  • Reach consensus on and publish a generic, practical, end-to-end mathematical model for lenses for use in visual effects and virtual production
  • Provide training resources and detailed documentation on lens distortion processes - capture, transmission and application
  • Provide open-source reference implementations for lens metadata that can be used by calibration tools, in real- and non-real-time visual effects pipelines, and in live lens data transmission
  • Provide a framework for an open and free online lens library that can be contributed to by the community.

Non-goals of the working group

  • Infringe on lens, camera tracking or render engine manufacturers' intellectual property or commercial value in lens calibration techniques
  • Handle lens distortion outside of content creation / media production verticals

Deliverables

  • End-to-end mathematical model for lens distortion
  • Reference implementations for capture, transmission and application of lens distortion
  • Framework and guidelines for contribution to the OpenLensIO lens library

Open Source Forum: CFP & Program Committee

If it's not already on your calendar, Open Source Forum 2024 will take place on Thursday, February 22, at the Petersen Automotive Museum in LA (and virtually).

Everything you need to know (at least for now) is in very succinct bullets below. Please read through them and pass along to others however you see fit. Shout, or quietly email, with any questions.

-Emily

  1. Program Committee: Nominations are due by Friday, December 15. Program Committee members review the talk submissions and decide what makes it into the agenda! We are looking for a diverse mix of people on the committee, you do not need to be technical. Nominate yourself or someone else here.

  2. Talk Submissions: The Call for Presentations (CFP) for Open Source Forum is now open! Talks need to be submitted by Thursday, December 21. It doesn't need to be related to a Foundation production, it just needs to be relevant to open source. Bonus points if it's related to AI, ML, virtual production or includes production examples. Please share with your teams and anyone else who might be interested in submitting. Application is here. You can also send me the name of someone you think would be fantastic to give a talk, and I'll reach out to them.

  3. Sponsorships: Here are the sponsorship opportunities for Open Source Forum, if you would like to proudly have your logo on display during the event. Several of the options are already pending, so don't wait too long.

  4. Registration: The member code for registration is ASWFOSF24MEM, and it's for both in-person and virtual attendance. This event is FREE for all employees of member companies, so please share the link and code with your teams and co-workers. Register here.

Follow-up discussion on New Project Proposal - Pillow

Project description

The Python Imaging Library adds image processing capabilities to your Python interpreter. This library provides extensive file format support, an efficient internal representation, and fairly powerful image processing capabilities. The core image library is designed for fast access to data stored in a few basic pixel formats. It should provide a solid foundation for a general image processing tool.

Sponsor from TAC

N/A

Proposed Project Stage

Adopted

Please explain how this project is aligned with the mission of the Academy Software Foundation?

To explain this I'll cite this blog entry, in which Cary Phillips said:

"Before the ASWF was established, the responsibility for fixing bugs and addressing security issues was resting solely on ILM. Now that responsibility is shouldered by people throughout the industry which is a much better position to be in."

Currently a 4-person team funded by Tidelift is responsible for fixing Pillow bugs and addressing security issues. The current funding is insufficient and so therefore the long term viability of Pillow has not been secured. Insomuch as the ASWF cares about the entire VFX Reference Platform, even small projects, our missions are aligned! EDIT: this request is not exclusively about $$$, although $$$ would help. It's more about trying to get folks to care about and appreciate Pillow's role in the ecosystem. 🙏

What is the project’s license for code contributions and methodology for code contributions?

HPND

What tool or platform is utilized for source control (GitHub, etc.), and what is the location (e.g., URL)?

https://github.com/python-pillow/Pillow

What are the external dependencies of the project, and what are the licenses of those dependencies?

  • libjpeg: The Independent JPEG Group's JPEG software. License: Independent JPEG Group's JPEG license (compatible with the GNU GPL).
  • zlib: A general-purpose data compression library. License: Zlib License (compatible with the GNU GPL).
  • freetype: A software library to render fonts. License: FreeType License (similar to the GNU GPL).
  • lcms2: Little CMS (Color Management System) version 2. License: MIT License.
  • libtiff: A library for reading and writing TIFF (Tagged Image File Format) files. License: libtiff License (compatible with the GNU GPL).
  • webp: A method for lossy and lossless compression of images developed by Google. License: Apache License 2.0.

What roles does the project have (e.g., maintainers, committers)? Who are the current core committers of the project, or where can a list of committers be found?

The core team includes myself (fork author and project leader), Eric Soroos, Hugo van Kemenade, Andrew Murray. In addition to the core team we have ~400 other contributors.

What mailing lists are currently used by the project?

Image-sig back in the day, but nowadays GitHub Discussions

What tool or platform is leveraged by the project for issue tracking?

https://github.com/python-pillow/Pillow/issues

Does the project have an OpenSSF Best Practices Badge? Do you foresee any challenges in obtaining one?

Yes

What is the project’s website? Is there a wiki?

What social media accounts are used by the project?

We're retiring our Twitter and moving to Mastodon.

What is the project’s release methodology and cadence?

Quarterly releases, at least one of which is timed to occur immediately following annual major Python releases.

Are any trademarks, registered or unregistered, leveraged by the project? Have any trademark registrations been filed by the project or any third party anywhere in the world?

No, unless you count the Python trademark.
