The Linux Foundation Member Summit

Understanding how and why organizations invest in and fund open source is not well understood, yet open source is inextricably woven into the entire software industry. This presentation summarizes findings from a 2024 Open Source Funding Survey about how and why organizations and companies contribute and fund open source. Leverage learnings to apply to your own programs as benchmarks. The survey is a collaboration between GitHub, Linux Foundation and researchers at Harvard University. High level insights: Organizations are quick to cite OSS as critical to infrastructure, to employees, and culture - 82% consider funding OSS as critical and 29% have OSPOs. Organizations tend to have a very good understanding of how and why they make code contributions to OSS - median organization allocate 250-1000 labor hours annually to OSS code and most contributions are made to projects managed by the organization itself or upstream. Organizations make non-code contributions along a number of dimensions - Median organization estimates the value of annual non-code contribution at

As anyone who has ever run a license or security scan knows, *numerically*, the vast majority of packages installed and used by modern software shops are small packages with one maintainer. Those folks mostly don’t show up to conferences like this one, so they can be “dark matter”—we know they’re there but know little more about them. This panel will use survey data (from Tidelift, Harvard, CMU, and others) to help draw a sharper, data-driven, picture—what motivates these maintainers, what sorts of security practices they do (and don’t) do, and what sorts of value we draw from them. Maintainer Jordan Harband will then use his wide expertise as a maintainer of dozens of key packages to provide human context to the data.

After XZ, OpenJS came the realisation within the community that we don't really understand how trust works within the ecosystem of open source projects, their contributors, maintainers and consumers. This is a socio-technical problem, and in order to understand it and to work out how to build stronger, more secure ties across the ecosystem, we don't just need to engage in technical innovation but also delve in the fields of sociology, behaviour psychology, organisational theory and beyond. This talk will discuss some of the existing work in the field in a relatable (not overly academic!) way and consider plausible research directions and topics. It aims to be a strongly interactive session and the hope is to encourage formation and involvement in this important work.

Picture the WHOLE software supply chain, beginning to end; it's a little like that olde tyme classic, "Candyland". Designed NOT with preschoolers in mind, AI Supply Chain Candy Land is for everyone interested in learning about the software supply chain for AI/ML. Travel through exotic locations like The Peppermint Forest of swirly-twirly dependencies, The Fudgy Swamp of Compliance, and much more! AI/ML is a fast-moving space within technology. However, everything we've learned in software engineering of the last few decades ALSO applies to this "new" world of AI/ML. We'll apply traditional software supply chain security techniques and, wherever able, tools to help developers and consumers win AI Supply Chain Candyland. Through an enjoyable and colorful game, with useful examples taken from standards and frameworks, the audience will have a better appreciation and ability to apply supply chain security concepts and tools to the development and support of AI/ML-based solutions.

There is a looming threat to all on the horizon. Today’s data and communications are secured using various forms of public-key encryption. These schemes are all (principally) based on the surprising complexity of factoring large numbers. The issue with modern-based cryptography is that, in 1994, Peter Shor discovered a quantum algorithm that can break modern encryption when executed on large enough quantum computers (QCs). What can we do today to protect from this looming threat? The QC and cryptography communities have been hard at work on devising new encryption algorithms that can be resistant to QCs. Working closely with the Linux Foundation and leaders of the cryptography and OSS community the Post-Quantum Cryptography Alliance (PQCA) was created to host and lead a collection of initial post-quantum projects that can be used to make the world’s software quantum safe. As part of the original representative members of the PQCA, Max has seen the progression of the alliance from its inception at the LF Member’s Summit 2022 to its current form. In this talk, he will present the foundation and its charter along with an overview of the current projects and algorithms.

We all depend on the Linux kernel for critical parts of our society's infrastructure. Yet, our capacity to keep our Linux systems up to date with the latest features, security, and stability fixes is rather limited. Companies are collectively wasting millions and millions of dollars upgrading their systems to new kernels. I am sure you can relate to that! The Linux kernel community does a fantastic job developing the Linux kernel. It is an ever-evolving operating system that becomes more secure, stable, and feature rich every day. However, rebasing existing infrastructure on new kernels is not straightforward at all. We still lack processes, tools, and culture to make that job smoother in the Linux kernel ecosystem. KernelCI, a project under the Linux Foundation, is on a mission to change that. Our goal is to support the community and companies to ensure the quality, stability, and long-term maintenance of the Linux kernel while also reducing product integration costs drastically. In this talk, you will learn what KernelCI is, what we are doing to improve this situation, and, more importantly, what you can do to help!