The Linux Foundation Member Summit

“What do you mean I can’t bring my car keys into this building?” “No internet?? But how do I download things from GitHub?” Join a recovering government attorney and an open-source hacker for a fiery debate that dives into the world of DoD cybersecurity inefficiencies. Rebecca, a former DoD lawyer, pairs her intricate understanding of perplexing government policies with Eddie’s fresh, critical (and dare we say naive?) insights from the private sector. This session will explore the frustrating “how” behind the government’s “why,” from slow booting government laptops to the realities of “military-grade technology.” Together, they will challenge the status quo, proposing innovative, open-source inspired solutions to streamline and secure DoD operations. Expect a dynamic exchange filled with real-world frustrations, enlightening explanations, and a hacker’s touch on how to fix what’s broken.

Many open source communities struggle to achieve strong community participation from Asia despite the region representing 60% of the entire world population. Although there are numerous participants from India and China, the number is disproportionately low when compared with the US and Europe. An obvious reason could be time zones, however, as a Japanese woman who grew up and worked in Japan, and as a working mother, it seems probable this could also be explained by culture and other social barriers like language. Although we appreciate the benefit of diversity, it remains challenging to have an optimally balanced community. Do we compromise by having some people in each region to convince ourselves that we’ve achieved a target? Or do we look for ways to overcome the barriers enabling real benefit? Many DEI categories are grouped together which removes our ability to identify areas needing improvement. Asia consists of 40 countries with different culture, and Asians who grew up in the US have different views. Diversity is defined by a combination of multiple factors. Let’s look at our goals more closely and see what communities can actually do to bring real value.

The “Software” Product Data Exchange was created in 2010 to provide machine and human readable metadata for licensing information to consumers of open source software. Over the years, the SPDX community has added support for a wide range of additional use cases. Complex software component interactions between open source and proprietary as well as the requirements to support SBOMs optimized for security risk management have been driving forces for many of the changes. With the SPDX 3.0 release and work being done for the upcoming SPDX 3.1 release, the scope of SPDX has expanded beyond software to entire systems including datasets, AI models, services and hardware. This will enable consumers to satisfy additional use cases in areas like product safety and export regulation compliance. With the SPDX 3.0, we’ve renamed SPDX from “Software” Product Data Exchange to “System” Product Data Exchange to better reflect where the project is aiming. In this talk, we’ll go over changes we’ve made to the SPDX model to support systems, the additional profiles that are focused on system level problems and what this means to both the producers and consumers of SPDX data.

Many popular open source projects are owned and driven by corporations, and in today's difficult economic climate, those companies are under increasing pressure to protect their businesses or show stronger returns for investors.. One response to this pressure has been the relicensing of popular open source projects to more restrictive licenses. In some cases, this relicensing has resulted in a hard fork of the original project. Both the relicensing and the resulting fork create turmoil for the users of that project and the community of contributors, and this impact can have a ripple effect throughout the ecosystem. In this session, we’ll discuss the following topics using a data-driven approach: dynamics around relicensing that results in such hard forks; examples of several forks along with the impact on the communities; and thoughts about what this means for the future of open source. The audience will walk away with an appreciation of why relicensing results in hostile forks and how to think about this issue when selecting which open source projects to use.

Security terminology often portraits a simple picture; e.g. good v. bad guys, inside v. outside, trusted v. zero-trust. This picture was never quite as simple, but with the advent of modern AI powered systems, this simplest picture is entirely obsolete and that means many of the technical building blocks of security and privacy as well. In this talk, Wenjing will discuss in non-technical terms why and how we should transition from security oriented language and mindset to a trust oriented one. Trust is a very human concept that can be applied to both human and intelligent AI systems or agents. Messy? Yes. But it's much closer to the real world reality, esp. when populated with a lot of AI agents/systems. Wenjing is co-Chair of the AI and Metaverse task force in the Trust over IP Foundation, and also the Governing Board and TAC of the OpenWallet Foundation.