The Linux Foundation Member Summit

Understanding how and why organizations invest in and fund open source is not well understood, yet open source is inextricably woven into the entire software industry. This presentation summarizes findings from a 2024 Open Source Funding Survey about how and why organizations and companies contribute and fund open source. Leverage learnings to apply to your own programs as benchmarks. The survey is a collaboration between GitHub, Linux Foundation and researchers at Harvard University. High level insights: Organizations are quick to cite OSS as critical to infrastructure, to employees, and culture - 82% consider funding OSS as critical and 29% have OSPOs. Organizations tend to have a very good understanding of how and why they make code contributions to OSS - median organization allocate 250-1000 labor hours annually to OSS code and most contributions are made to projects managed by the organization itself or upstream. Organizations make non-code contributions along a number of dimensions - Median organization estimates the value of annual non-code contribution at

For members of the Linux Foundation, open-source software is recognized as critically essential to modern software development. Without it, the breadth and pace of innovation would plummet, and the costs to develop products and services based on software would skyrocket. Over the past several years, we've seen a destabilization of the open-source supply chain. Projects with poor security practices, malicious repo takeovers, and license rug-pulls are a small sample of the growing list of threats facing open-source users. As the largest commercial benefactors of this software supply chain, we have the most to lose. Efforts to address these issues have begun but are under-resourced and moving slowly. This is a Prisoner’s Dilemma & Free-Rider problem that needs a solution, or we are all worse off. This presentation will explore what methods can be brought to bear to increase development, oversight, and quality assurance in the open-source software supply chain to break out of the prisoner’s dilemma. How do those who invest in such work get an appropriate ROI? Can industry and governments work together to find a solution?

As anyone who has ever run a license or security scan knows, *numerically*, the vast majority of packages installed and used by modern software shops are small packages with one maintainer. Those folks mostly don’t show up to conferences like this one, so they can be “dark matter”—we know they’re there but know little more about them. This panel will use survey data (from Tidelift, Harvard, CMU, and others) to help draw a sharper, data-driven, picture—what motivates these maintainers, what sorts of security practices they do (and don’t) do, and what sorts of value we draw from them. Maintainer Jordan Harband will then use his wide expertise as a maintainer of dozens of key packages to provide human context to the data.

After XZ, OpenJS came the realisation within the community that we don't really understand how trust works within the ecosystem of open source projects, their contributors, maintainers and consumers. This is a socio-technical problem, and in order to understand it and to work out how to build stronger, more secure ties across the ecosystem, we don't just need to engage in technical innovation but also delve in the fields of sociology, behaviour psychology, organisational theory and beyond. This talk will discuss some of the existing work in the field in a relatable (not overly academic!) way and consider plausible research directions and topics. It aims to be a strongly interactive session and the hope is to encourage formation and involvement in this important work.

This session will provide an overview of the project's accomplishments to date, and provide a roadmap of what is being planned for 2025. Zephyr project is now the 5th most active project hosted by the Linux Foundation. Each release sees about 30% new contributors, and these contributors are resulting in around 3 changes per hour in the code base. Products as diverse as Chromebooks, to Wind Turbines, to Hearings Aids, and Pet Trackers are being built with Zephyr. Learn about the open source and security best practices that have been applied to Zephyr over the years, and why it is now one of the most active open source projects at the Linux Foundation.

This session will provide an overview of the Alliance for OpenUSD, an LF Joint Development Foundation project aimed at building a set of specifications to formalize the Pixar Open Universal Scene Description technology. Specific topics covered will include the alliance's purpose, work to date, as well as special focus on collaboration and interaction with the open source community and other Linux Foundation consortia such as the Academy Software Foundation.

There is a looming threat to all on the horizon. Today’s data and communications are secured using various forms of public-key encryption. These schemes are all (principally) based on the surprising complexity of factoring large numbers. The issue with modern-based cryptography is that, in 1994, Peter Shor discovered a quantum algorithm that can break modern encryption when executed on large enough quantum computers (QCs). What can we do today to protect from this looming threat? The QC and cryptography communities have been hard at work on devising new encryption algorithms that can be resistant to QCs. Working closely with the Linux Foundation and leaders of the cryptography and OSS community the Post-Quantum Cryptography Alliance (PQCA) was created to host and lead a collection of initial post-quantum projects that can be used to make the world’s software quantum safe. As part of the original representative members of the PQCA, Max has seen the progression of the alliance from its inception at the LF Member’s Summit 2022 to its current form. In this talk, he will present the foundation and its charter along with an overview of the current projects and algorithms.

We all depend on the Linux kernel for critical parts of our society's infrastructure. Yet, our capacity to keep our Linux systems up to date with the latest features, security, and stability fixes is rather limited. Companies are collectively wasting millions and millions of dollars upgrading their systems to new kernels. I am sure you can relate to that! The Linux kernel community does a fantastic job developing the Linux kernel. It is an ever-evolving operating system that becomes more secure, stable, and feature rich every day. However, rebasing existing infrastructure on new kernels is not straightforward at all. We still lack processes, tools, and culture to make that job smoother in the Linux kernel ecosystem. KernelCI, a project under the Linux Foundation, is on a mission to change that. Our goal is to support the community and companies to ensure the quality, stability, and long-term maintenance of the Linux kernel while also reducing product integration costs drastically. In this talk, you will learn what KernelCI is, what we are doing to improve this situation, and, more importantly, what you can do to help!