Open Source Summit Europe 2025

The Cyber Resielience Act (CRA) was approved late 2024 by European Union. 
Open source community was heavily involved in influencing drafting of the CRA. But the need for active engagement with the regulator did not end there. During the three-year period from late 2024 to late 2027 a lot of standardisation and guidance needs to be created to guide industries, manufacturers and open source community to best comply and cope with the CRA. Open source communities have organised to address these challenges.

Here we shortly explain the motivation for, and the main requirements set forth by the CRA, the various relevant organisations working on the regulation and the timelines of the work, as well as the achievements of the open source community in this work so far, and what is the work ahead of us towards the final deadline in late 2027. After the presentation you should be able to understand what the CRA is and why it is introduced, how it impacts world wide - also open source, how open source community is addressing this new regulation and how you can join the community.

Reliably identifying software components is a critical requirement for regulatory compliance. 

PURL is the de-facto standard for the reliable naming of components in software applications, products, and systems, across programming languages, package ecosystems, tools, APIs and databases. Every open source and most proprietary tools for Software Composition Analysis (SCA), along with all SBOM and Vulnerability Exploitability Exchange (VEX) specifications and most vulnerability databases, adopted PURL for component identification. But a 2024 Software Composition Analysis (SCA) report demonstrated significant inconsistencies in how different tools create PURLs… 

Better PURLs is a comprehensive project of open source tools and open data to correct this problem. The extended PURL syntax validation confirms that the PURL components (namespace, name, version, qualifiers) are correct for a given package ecosystem, according to the specification, and that the PURL locates an existing software package artifact. 

In this talk, Philippe from AboutCode and Dennis from Bloomberg will share the latest developments and how accurate and correct PURLs facilitate better compliance processes.

To securely deploy an identity and access management product implementing authentication & authorisation specifications like OpenID Connect 1.0 and OAuth 2.0 respectively, we need to ensure that the specifications are safe, the product correctly implements the specifications, and the product does not contain any vulnerabilities specific to the specifications. Methods for checking these points are formal analysis, conformance testing, and vulnerability testing, respectively. However, developers are not usually familiar with them. Based on the speaker’s investigation on academic research, the speaker describes them in a straightforward way.

The speaker is a maintainer of Keycloak, identity and access management open source software, CNCF incubating project. Therefore, the speaker will use Keycloak as a case study and explain how the specifications that Keycloak implements are verified to be secure and how Keycloak is verified to be compliant with the specifications.

The audience could gain insight into how to ensure that the identity and access management product they use or develop is secure.

Regulatory pressures, quantum computing threats or security breaches in complex supply chains have elevated cryptographic algorithm management to unprecedented importance. Understanding which crypto algorithms your software includes, and the implications for downstream users, is increasingly valued by developers and organizations. Several open source initiatives are now emerging to make cryptographic algorithm detection and declaration universal, enhancing the existing Bill of Materials (xBOM) generation.

This presentation explores some of those emerging initiatives, putting focus in two of the most promising ones:

* SPDX Crypto Algorithms List (https://github.com/spdx/crypto-algorithms): This aims to standardize crypto algorithm declaration.

* Open Dataset for Keyword-Based Detection (https://github.com/scanoss/crypto_algorithms_open_dataset): open dataset for detecting crypto algorithms via keywords, useful for automated scanning.

After a short demo of a simple PoC on how to implement them, the talk will cover the background behind these efforts, the latest news and plans, their relevance for security and transparency, and how participants can use and contribute to them.

Lottie is an efficient, feature-rich, vector animation format that delivers animations across platforms without sacrificing performance or file size, maintaining quality at any resolution. Lottie is widely adopted across various tools spanning the web, mobile and desktop systems.

In this session, we'll explore the journey of Lottie and the Lottie Animation Community (LAC) in establishing the official Lottie 1.0 specification under the Linux Foundation.

We'll examine the technical challenges addressed in standardizing this format, cross-platform compatibility, and feature consistency across different renderers. Attendees will gain insight into the collaborative process behind creating an open specification with input from diverse stakeholders across industries. We'll discuss the key components of the Lottie format, the standardization work that improved interoperability between creation tools and rendering engines, and demonstrate real-world applications showing the format's capabilities. Finally, we will provide a preview of upcoming efforts and welcome collaboration.

IIn today's evolving tech landscape, open collaboration is driving the next wave of AI innovation. This session will explore how open source principles—transparency, community collaboration, and shared innovation—are transforming the way we build and integrate open geospatial data. From autonomous vehicles and smart cities to AR/VR and logistics, industries worldwide depend on high quality, interoperable mapping data. We’ll look at real‑world use cases where open ecosystems not only lower barriers for innovators but also advance the development of standards that benefit all. Join us to learn how initiatives like the Overture Maps Foundation are uniting developers, enterprises, and communities to create sustainable, scalable solutions that power the future of AI.