[Openexr-devel] OpenEXR source code audit, project status


From: Drew Hess
Subject: [Openexr-devel] OpenEXR source code audit, project status
Date: Mon, 5 Jan 2004 00:00:07 -0800 (PST)

Hi all,

As you may have heard, Savannah, the site which hosts the OpenEXR project
source code, was compromised last month.  The Savannah team immediately 
took the site down and began a source code audit, comparing CVS trees from 
September 16 (prior to the break-in) to CVS trees the day the compromise 
was detected.

Using this audit trail, combined with ILM's own internal source code
control system where we keep a duplicate copy of the OpenEXR source code,
I've just completed an audit of our projects and I believe them to be
clean.  It's unlikely that a malicious party would "booby trap" OpenEXR
libraries or apps anyway, since they're not typically run by system
services, network servers, or privileged applications, but I decided to do
this audit anyway just to be safe.

Now that the audit is done, I'm going to resume development of the
project.  Over the next few days I'll be checking in the final edits for
the 1.0.7 release.  Expect a 1.0.7 official release by Wednesday at the
latest.

I'm not sure when Savannah's "download" section will be operational again,
so if it's not functioning by the time we release the 1.0.7 source code,
I'll try to find another source to host the source tarballs/zips until
Savannah is 100% so that you don't have to use CVS to obtain the 1.0.7
release.


After 1.0.7 is released, I'll be checking into the public CVS preliminary
support for tiled and mip-mapped OpenEXR files.  This feature will involve
a file format change.  Non-tiled files created by the new version of the
library will be backward-compatible with applications linked against older
versions of the library, but tiled files will only be readable by
applications linked against the new version.  In other words, if you don't
create tiled files, OpenEXR images created by the new library will be
readable by all existing OpenEXR software.

Additionally, if you're not creating tiled files and don't want to/need to
take advantage of the tiling support for reading, you will not need to
make any source code changes to your applications.  Existing source code
compiled against and linked to the new libraries will create non-tiled
files, and will be able to read both tiled and non-tiled files (when you
read a tiled/mipmapped file, you'll simply get the level 0 image in
scanline chunks like you do with the current library).

Although the tiling code passes all the regression tests we've created for
it, we haven't used it much in production yet.  We're checking this code
into CVS sooner rather than later in order to solicit feedback from the
OpenEXR community.  We won't do an official release of this code for a few
months so that there's time for OpenEXR developers to use it, test it, and
suggest improvements before we freeze the new file format and call it a
new release.  So while I encourage all OpenEXR developers who're
interested in tiled OpenEXR images to try the code from CVS once it's
available later this month, please continue to use the 1.0.7 release in
your production applications until the tiled code is released, as we
reserve the right to break the tiled format, if feedback dictates, up
until the point where we release the tiled code.  But please do test it
and use it in non-production applications to make sure we haven't missed
something important.

More on this in the next week or two.

Thanks for your patience over the last few weeks while we deal with the
holidays and the Savannah compromise.

-dwh-






