November 19-21 2024
Napa, California
Note: The schedule is subject to change.

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for the event to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

This schedule is automatically displayed in Pacific Daylight Time (UTC/GMT -8). To see the schedule in your preferred timezone, please select from the drop-down menu to the right, above "Filter by Date."

IMPORTANT NOTE: Timing of sessions and room locations are subject to change.

Thursday, November 21
 

10:00am PST

Facilitated Discussion: The Essential Role of Curation - Aeva Black, CISA & Jordan Kasper, U.S. Dept of Homeland Security
Thursday November 21, 2024 10:00am - 11:15am PST
In the beginning, open source gained the public’s trust through direct relationships with maintainers, participating in communities, and reliance on curators. Somewhere along the way, the essential role of curators seems to have been forgotten. Sophisticated actors have been systematically seeking to abuse the trust placed in open source, and individual maintainers are not equipped to fend this off - nor should they have to go it alone, if they don’t want to. Let’s gather for a discussion of community-based solutions to this threat to open source.
Speakers

Aeva Black

Section Chief, Open Source Security, CISA
Aeva Black is a non-binary hacker and open source software advocate, currently leading OSS security policy at the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Previously, Aeva held advisory and board roles at several non-profits (OSI, OpenSSF, OpenStack) and led development...

Jordan Kasper

Senior Advisor, U.S. Dept of Homeland Security
Jordan Kasper is a software engineer, conference speaker, and open source zealot. He spent much of his career building web applications for organizations of all sizes. In 2017, he joined the U.S. Digital Service to help make tech better for all Americans. He has worked on systems...
Sebastiani & Beringer

12:00pm PST

SPDX: From Software to Systems - Gary O'Neall, Source Auditor Inc. & Kate Stewart, The Linux Foundation
Thursday November 21, 2024 12:00pm - 12:30pm PST
The “Software” Product Data Exchange was created in 2010 to provide machine and human readable metadata for licensing information to consumers of open source software. Over the years, the SPDX community has added support for a wide range of additional use cases. Complex software component interactions between open source and proprietary as well as the requirements to support SBOMs optimized for security risk management have been driving forces for many of the changes. With the SPDX 3.0 release and work being done for the upcoming SPDX 3.1 release, the scope of SPDX has expanded beyond software to entire systems including datasets, AI models, services and hardware. This will enable consumers to satisfy additional use cases in areas like product safety and export regulation compliance. With SPDX 3.0, we’ve renamed SPDX from “Software” Product Data Exchange to “System” Product Data Exchange to better reflect where the project is aiming. In this talk, we’ll go over changes we’ve made to the SPDX model to support systems, the additional profiles that are focused on system level problems and what this means to both the producers and consumers of SPDX data.
Speakers

Kate Stewart

VP Dependable Embedded Systems, Linux Foundation
Kate Stewart works with the safety, security and license compliance communities to advance the adoption of best practices into embedded open source projects. She has launched the ELISA and Zephyr Projects, as well as supporting other embedded projects. With more than 30 years of experience...

Gary O'Neall

Founder and Principal Consultant, Source Auditor Inc.
Gary is a contributor to the Software Package Data Exchange® (SPDX™) - an open standard for communicating software bill of material information, including components, licenses, copyrights, and security references. Gary has contributed several open source tools. Gary O’Neall is...
Sebastiani & Beringer
  Legal Track Sessions
  • Content Experience Level Any

2:00pm PST

Super BEST Friends - Assembling Security Pals to Help Your Project Be More Secure - Christopher (CRob) Robinson, The Linux Foundation
Thursday November 21, 2024 2:00pm - 2:30pm PST
In the great hall of The Open Source, gathered together from the cosmic reaches of the multiverse are some of the greatest heroes of open source security ever assembled. Their mission, to fight injustice, to right that which is wrong, and to serve all mankind by helping make open source software more secure. In this session, attendees will learn from the OpenSSF about simple techniques, tactics, and tools that can help improve the overall security posture of their project, help them better defend against attackers, and react more quickly when the inevitable vulnerability report lands in their inbox.

Key Takeaways
- Learn about steps that can be taken to prepare your project to respond effectively to security findings
- Learn about industry standards such as CVE, CVSS, VEX, CVD, and others that will help contextualize external and downstream interest in security
- Learn about resources available to learn valuable secure coding techniques and concepts
- Learn about community resources that are available to help triage, coordinate, and disclose discovered vulnerabilities in your codebase, dependencies, and your supply chain
Speakers

Christopher (CRob) Robinson

Security Lorax, The Linux Foundation
Christopher Robinson (aka CRob) is the Director of Security Communications at Intel Product Assurance and Security and a community leader within the Open Source Security Foundation (OpenSSF). CRob is a 42nd level Dungeon Master and a 25th level Securityologist. He has worked at several...
Sebastiani & Beringer

3:45pm PST

From Security to Trust: Why and How to Make This Transition in the Age of AI - Wenjing Chu, Futurewei Technologies Inc.
Thursday November 21, 2024 3:45pm - 4:15pm PST
Security terminology often portrays a simple picture; e.g. good v. bad guys, inside v. outside, trusted v. zero-trust. This picture was never quite as simple, but with the advent of modern AI powered systems, this simplest picture is entirely obsolete, and that means many of the technical building blocks of security and privacy are as well. In this talk, Wenjing will discuss in non-technical terms why and how we should transition from a security oriented language and mindset to a trust oriented one. Trust is a very human concept that can be applied to both human and intelligent AI systems or agents. Messy? Yes. But it's much closer to the real world reality, esp. when populated with a lot of AI agents/systems. Wenjing is co-Chair of the AI and Metaverse task force in the Trust over IP Foundation, and is also on the Governing Board and TAC of the OpenWallet Foundation.
Speakers

Wenjing Chu

Senior Director of Technology Strategy, Futurewei Technologies Inc.
Wenjing is a senior director of technology strategy at Futurewei leading initiatives on trust in the future of computing. He is a Steering Committee member of the Trust over IP (ToIP) Foundation and co-Chairs the TSP and AI & Metaverse task forces. He is a Board Member of the OpenWallet...
Sebastiani & Beringer

4:30pm PST

Preparing for Quantum Computing: What Do You Need to Do? - Hart Montgomery, The Linux Foundation
Thursday November 21, 2024 4:30pm - 5:00pm PST
The threat of quantum computers to cryptography and, more broadly, computer security, is something that gets a little closer to reality every passing day. But what this means for real-world software can be confusing. When (and how) do we need to be ready? What do we need to do now to be ready when quantum computers come? In this talk, Hart Montgomery will explain what open source software projects, companies, and anyone who relies on cryptography need to do to protect themselves against the quantum threats of the future. He will explain projected timelines of when quantum attacks against cryptography could be viable, and then discuss what this means for software and data today. By the end of the talk, attendees will understand how to “threat model” quantum computing for their software or company needs and be better informed on how to make decisions regarding updating cryptography. In addition, Hart will explain how the tools of the LF’s PQCA project can be used to mitigate quantum threats. This talk will require no mathematical or cryptographic background to understand and will be aimed at business leaders who need to lead their companies in the transition to post-quantum cryptography.
Speakers

Hart Montgomery

CTO, Hyperledger Foundation, Linux Foundation
Hart Montgomery serves as the CTO of Hyperledger Foundation and the ED of the Post-Quantum Cryptography Alliance. He has extensive experience in blockchain and cryptography, and previously worked in blockchain and cryptography research at Fujitsu Research. Hart received a Ph.D. in...
Sebastiani & Beringer
 