The Linux Foundation Member Summit

For members of the Linux Foundation, open-source software is recognized as critically essential to modern software development. Without it, the breadth and pace of innovation would plummet, and the costs to develop products and services based on software would skyrocket. Over the past several years, we've seen a destabilization of the open-source supply chain. Projects with poor security practices, malicious repo takeovers, and license rug-pulls are a small sample of the growing list of threats facing open-source users. As the largest commercial benefactors of this software supply chain, we have the most to lose. Efforts to address these issues have begun but are under-resourced and moving slowly. This is a Prisoner’s Dilemma & Free-Rider problem that needs a solution, or we are all worse off. This presentation will explore what methods can be brought to bear to increase development, oversight, and quality assurance in the open-source software supply chain to break out of the prisoner’s dilemma. How do those who invest in such work get an appropriate ROI? Can industry and governments work together to find a solution?

OSPOs have gone through a lot of changes lately with some shrinking, some becoming distributed and the rise of new industries and government building OSPOs. The challenges that OSPOs were created to solve have also changed. With new areas to address such as regulations, AI, Security and open source software issues becoming more well understood, OSPOs need to change their organization shape and focus. As someone who has led multiple OSPOs through the maturity cycles, I want to cover the new challenges and how OSPOs are evolving to address them. And how OSPOs can remain relevant and influential during these years of change. I will cover writing the new strategy document, the organization structure and working across the organization and outside the organization to accomplish the mission,

Open Source projects in the JS ecosystem that are typically directly depended on are widely known: React, Babel, TypeScript, Vue, node.js, etc. These projects are affirmatively chosen by millions of humans. They get the lion's share of the (wildly insufficient) amount of available funds, contributions, sponsorships, and contributors.

What about the proverbial xkcd 2347 maintainers? Typically transitive dependencies, who are affirmatively selected by a mere dozens of humans, but whose code runs on hundreds of millions of developer machines, and serves billions of users? These projects are unknown, unsung, underfunded, and under-considered. Virtually every impactful security incident in the npm ecosystem has been due to a transitive dependency maintainer either going rogue, having their account taken over, or handing over the reins to an unvetted contributor - what levers can we apply to support these people's stability and vigilance?

As a prolific maintainer of almost entirely this category of package, Jordan Harband will offer his perspective on what proactive steps companies, governments, and individuals can take to improve this reality.

After XZ, OpenJS came the realisation within the community that we don't really understand how trust works within the ecosystem of open source projects, their contributors, maintainers and consumers. This is a socio-technical problem, and in order to understand it and to work out how to build stronger, more secure ties across the ecosystem, we don't just need to engage in technical innovation but also delve in the fields of sociology, behaviour psychology, organisational theory and beyond. This talk will discuss some of the existing work in the field in a relatable (not overly academic!) way and consider plausible research directions and topics. It aims to be a strongly interactive session and the hope is to encourage formation and involvement in this important work.

This session will provide an overview of the project's accomplishments to date, and provide a roadmap of what is being planned for 2025. Zephyr project is now the 5th most active project hosted by the Linux Foundation. Each release sees about 30% new contributors, and these contributors are resulting in around 3 changes per hour in the code base. Products as diverse as Chromebooks, to Wind Turbines, to Hearings Aids, and Pet Trackers are being built with Zephyr. Learn about the open source and security best practices that have been applied to Zephyr over the years, and why it is now one of the most active open source projects at the Linux Foundation.

This session will provide an overview of the Alliance for OpenUSD, an LF Joint Development Foundation project aimed at building a set of specifications to formalize the Pixar Open Universal Scene Description technology. Specific topics covered will include the alliance's purpose, work to date, as well as special focus on collaboration and interaction with the open source community and other Linux Foundation consortia such as the Academy Software Foundation.

There is a looming threat to all on the horizon. Today’s data and communications are secured using various forms of public-key encryption. These schemes are all (principally) based on the surprising complexity of factoring large numbers. The issue with modern-based cryptography is that, in 1994, Peter Shor discovered a quantum algorithm that can break modern encryption when executed on large enough quantum computers (QCs). What can we do today to protect from this looming threat? The QC and cryptography communities have been hard at work on devising new encryption algorithms that can be resistant to QCs. Working closely with the Linux Foundation and leaders of the cryptography and OSS community the Post-Quantum Cryptography Alliance (PQCA) was created to host and lead a collection of initial post-quantum projects that can be used to make the world’s software quantum safe. As part of the original representative members of the PQCA, Max has seen the progression of the alliance from its inception at the LF Member’s Summit 2022 to its current form. In this talk, he will present the foundation and its charter along with an overview of the current projects and algorithms.

We all depend on the Linux kernel for critical parts of our society's infrastructure. Yet, our capacity to keep our Linux systems up to date with the latest features, security, and stability fixes is rather limited. Companies are collectively wasting millions and millions of dollars upgrading their systems to new kernels. I am sure you can relate to that! The Linux kernel community does a fantastic job developing the Linux kernel. It is an ever-evolving operating system that becomes more secure, stable, and feature rich every day. However, rebasing existing infrastructure on new kernels is not straightforward at all. We still lack processes, tools, and culture to make that job smoother in the Linux kernel ecosystem. KernelCI, a project under the Linux Foundation, is on a mission to change that. Our goal is to support the community and companies to ensure the quality, stability, and long-term maintenance of the Linux kernel while also reducing product integration costs drastically. In this talk, you will learn what KernelCI is, what we are doing to improve this situation, and, more importantly, what you can do to help!

All votes have passed on the EU CRA. It will now become the law after a short transition period. As the neutral steward of many essential small and large open source projects, the Linux Foundation aims to lead the way for the open source ecosystem in implementing the CRA. Beginning from an assessment of the state of the art of cybersecurity best practises in leading open source projects and an analysis of the gaps to the requirements of the CRA, the Linux Foundation is driving three multi-year work streams that reflect the required adaptation of the open source ecosystem - formalizing community best practices into standards, building awareness within the open source community, and implementing updated processes and tooling. Many of these changes will require deeper collaboration between the manufacturers of products with digital elements and the upstream communities and stewards.


This presentation will provide an overview of the CRA implementation roadmap developed by the Linux Foundation. It will also dive into how the CRA shapes the future of the relationship between manufacturers and upstream communities.

Understanding organizations funding behaviors is not well understood. Join us for a live read out of the inaugural 2024 Open Source Funding Funding report that found organizations invest over $7.7B annually in open source. We’ll explore potential misalignments and opportunities to improve funding at a top-level, and provide defined strategies, frameworks, and tools to help your organization measure the value created and the impact received from those investments. The primary audience for the session are OSPOs, Heads of Engineering and Product, C-Level Executives, and other individuals with a varying levels of understanding of their organization's open source engagement.