The Linux Foundation Member Summit

The success of an open source project is directly related to the utility it provides its community and to benefit from a project, people must know of it as well as how to either contribute to or use it. Many projects are launched with great promise but die a painful and public death from a dearth of developers and/or users. In this talk we take a pragmatic look at growing open source project success through education programs. We cover the ways training can drive awareness and create 'pull' for people to get involved as users or developers. This talk will expose attendees to the open source training and certification landscape, discussing resources available to projects, such as courseware development, self paced learning, open enrollment, and, in more mature projects, skills testing and certification. Upon completion, attendees will have a clear understanding of the possibilities and benefits of having a comprehensive education agenda for their open source project.

To simplify open source security for the long term, we will need some help from curation and automation. How can we – as an OSS community and industry – help drive this transition, without placing too much of the burden on maintainers? We’ll share our vision for the future, and explore a variety of solutions and examples.

Mentorship is a powerful way to invite new contributors to the table – or repo, in the world of open source. An effective mentor can share their professional network, model problem solving skills, and offer advice on-demand for a wide range of topics – for example, writing issues and PRs, submitting conference proposals, or navigating a vast and unfamiliar codebase. Mentorship can also help grow communities; by integrating new contributors into the social and technical fabric of a project, they may be more likely to stick around. For those marginalized in tech, mentorship can also help cultivate a sense of belonging. Our academic OSPO has grown two very different mentorship programs in recent years: one pairs a globally distributed community of new contributors with academic open source research projects, and the other offers a high-touch contribution onramp to Historically Black College and University (HBCU) students via a hybrid in-person/remote format. Along the way, we’ve learned a number of lessons about what works… and also, what doesn’t! This talk will synthesize and share highlights in a generalizable way, while offering space for others to share their experiences, too.

In this session led by Marc Prioleau, Executive Director of Overture Maps Foundation, we explore the often-misunderstood distinction between open map data and open source code. While open source code underpins many software projects within the Linux Foundation, open map data, especially in the context of Overture Maps Foundation's work presents unique challenges and opportunities. This talk will: - Clarify the differences and overlaps between open data and open source code. - Discuss the specific challenges in creating and maintaining open map data in the case of Overture Maps - Highlight how open data contributes uniquely to technological advancements, distinct from open source software. - Address common misconceptions in the open source community regarding these two domains.

As cloud native technologies mature, AI agents are emerging as game-changers for automation and optimization. This talk explores their transformative potential in cloud environments, focusing on Kubernetes and Istio management. We'll present a case study on how Aokumo has deployed AI agents to service clients globally, demonstrating tangible benefits in managing complex cloud infrastructures. The session will showcase practical applications where AI agents streamline operations, enhance security, and drive efficiency. We'll also discuss the open source community's crucial role in developing, standardizing, and ethically implementing these technologies.

Since US President Joe Biden issued an executive order specifying requirements for SBOMs among software suppliers to US federal agencies, there have been more questions than answers regarding what this would look like, even from the US government itself. This time will be a facilitated discussion around what this means specifically for open source communities and corporate entities that use open source in their products. Some of the potential discussion areas: Do people view this as a potential limiting factor for corporate use of open source software? What are the potential impacts of this requirement on open source? Is the Secure Software Development Framework (SSDF) useful and realistic? With the goal of risk, vulnerability, and incident management, does the proposed SBOM structure “work” to analyze open source software? What tools are people currently using to make and analyze SBOMs? As input is still being considered, is there anything from an open source perspective that we should be advocating for?

In July, the United Nations hosted the second OSPOs for Good symposium to bring together open source thought leaders to discuss using OSPOs as a global network for helping reach the UN’s Sustainable Development Goals (SDGs). Discussions touched on open source and AI, OSPOs in government and networked cities, software security, and the impact open source can have on research and science. This panel brings together several of the speakers from the event to talk about their perspectives and the next steps we can take together to use the power of the open source ecosystem for good.

The software delivery lifecycle landscape (SDLC) is rich with tools and services that help engineers automate every step and aspect of the software production process: configuration management, testing, build tools, artefact storage, deployment and monitoring. How do we connect all these tools, and adopt supply chain security best practices while maintaining a good developer experience from beginning to end? The CDEvents project aims to help solve this problem through standardisation and interoperability. In this talk, the speaker will introduce CDEvents, its vision, the latest news and roadmap; he will present how the project’s shared event format is being adopted by various tools across the SDLC and how interoperability enables a consistent developer experience and helps to achieve a secure software factory.

The AgStack Foundation launched in 2021 to develop and preserve the open infrastructure and data that supports digital agriculture and a sustainable food system. Since then it's attracted collaborators from around the world, released several projects, and won several grants to support its work. As exciting as all that is, the best is yet to come. In this session we'll… * fill you in on everything that's happened at AgStack since its launch, * give you a summary of the work we have planned for 2025 and beyond, and * show you how you can be a part of our community.

“What do you mean I can’t bring my car keys into this building?” “No internet?? But how do I download things from GitHub?” Join a recovering government attorney and an open-source hacker for a fiery debate that dives into the world of DoD cybersecurity inefficiencies. Rebecca, a former DoD lawyer, pairs her intricate understanding of perplexing government policies with Eddie’s fresh, critical (and dare we say naive?) insights from the private sector. This session will explore the frustrating “how” behind the government’s “why,” from slow booting government laptops to the realities of “military-grade technology.” Together, they will challenge the status quo, proposing innovative, open-source inspired solutions to streamline and secure DoD operations. Expect a dynamic exchange filled with real-world frustrations, enlightening explanations, and a hacker’s touch on how to fix what’s broken.

Many open source communities struggle to achieve strong community participation from Asia despite the region representing 60% of the entire world population. Although there are numerous participants from India and China, the number is disproportionately low when compared with the US and Europe. An obvious reason could be time zones, however, as a Japanese woman who grew up and worked in Japan, and as a working mother, it seems probable this could also be explained by culture and other social barriers like language. Although we appreciate the benefit of diversity, it remains challenging to have an optimally balanced community. Do we compromise by having some people in each region to convince ourselves that we’ve achieved a target? Or do we look for ways to overcome the barriers enabling real benefit? Many DEI categories are grouped together which removes our ability to identify areas needing improvement. Asia consists of 40 countries with different culture, and Asians who grew up in the US have different views. Diversity is defined by a combination of multiple factors. Let’s look at our goals more closely and see what communities can actually do to bring real value.

The “Software” Product Data Exchange was created in 2010 to provide machine and human readable metadata for licensing information to consumers of open source software. Over the years, the SPDX community has added support for a wide range of additional use cases. Complex software component interactions between open source and proprietary as well as the requirements to support SBOMs optimized for security risk management have been driving forces for many of the changes. With the SPDX 3.0 release and work being done for the upcoming SPDX 3.1 release, the scope of SPDX has expanded beyond software to entire systems including datasets, AI models, services and hardware. This will enable consumers to satisfy additional use cases in areas like product safety and export regulation compliance. With the SPDX 3.0, we’ve renamed SPDX from “Software” Product Data Exchange to “System” Product Data Exchange to better reflect where the project is aiming. In this talk, we’ll go over changes we’ve made to the SPDX model to support systems, the additional profiles that are focused on system level problems and what this means to both the producers and consumers of SPDX data.

Many popular open source projects are owned and driven by corporations, and in today's difficult economic climate, those companies are under increasing pressure to protect their businesses or show stronger returns for investors.. One response to this pressure has been the relicensing of popular open source projects to more restrictive licenses. In some cases, this relicensing has resulted in a hard fork of the original project. Both the relicensing and the resulting fork create turmoil for the users of that project and the community of contributors, and this impact can have a ripple effect throughout the ecosystem. In this session, we’ll discuss the following topics using a data-driven approach: dynamics around relicensing that results in such hard forks; examples of several forks along with the impact on the communities; and thoughts about what this means for the future of open source. The audience will walk away with an appreciation of why relicensing results in hostile forks and how to think about this issue when selecting which open source projects to use.

Security terminology often portraits a simple picture; e.g. good v. bad guys, inside v. outside, trusted v. zero-trust. This picture was never quite as simple, but with the advent of modern AI powered systems, this simplest picture is entirely obsolete and that means many of the technical building blocks of security and privacy as well. In this talk, Wenjing will discuss in non-technical terms why and how we should transition from security oriented language and mindset to a trust oriented one. Trust is a very human concept that can be applied to both human and intelligent AI systems or agents. Messy? Yes. But it's much closer to the real world reality, esp. when populated with a lot of AI agents/systems. Wenjing is co-Chair of the AI and Metaverse task force in the Trust over IP Foundation, and also the Governing Board and TAC of the OpenWallet Foundation.