Open Source Summit Europe 2025

In a digital-first world, how are governments adapting the public infrastructure underpinning services for public administrations, businesses, organizations, and citizens? What risks and challenges do they face as they digitize these services? Sean Bohan of LF Decentralized Trust will sit down for a Q+A with the incoming director of Europeum EDIC about delivering EU-wide cross-border services via the European Blockchain Services Infrastructure (EBSI) network. This session will dive into the roll-out of EBSI as a secure, trustworthy digital verification infrastructure for Europe. It will cover how EBSI and other public infrastructure projects serve as a model for verifying identities, credentials, and data integrity with reduced inefficiencies and fraud.

Topics will include:
-Services EBSI supports—verifiable educational, medical, and travel credentials; patent protections; product authentication, and more
-Adoption and interoperability challenges of deploying across 30+ countries, each with its own regulatory framework and infrastructure
-Decision to build on Besu, an enterprise Ethereum client.
-Role of open source, decentralized tech in delivering digital verification at scale

Ken Thompson's "Reflection on Trusting Trust" warns against blindly relying on others' code, emphasizing the gap between reviewed source and built artifacts. This is critical for developers navigating complex trust models, where source code alone offers limited assurance. Recent supply chain attacks on open source packages, like xz and boltdb-go, expose the real-world practicality of deceiving traditional source reviews, threatening the foundation of open source consumption.

In this talk, we discuss a novel method for analysing and investigating the code that actually gets built using Capslock, an open source CLI tool for analyzing Go packages. By analysing and exposing discrepancies between a package’s advertised and actual permissions, potential attacks (such as the malicious version of boltdb-go) can be thwarted. Integrating this capability information into both free public data sources (e.g. deps.dev) and guided code review systems enables developers to shift left, and feel more confident trusting open source.

Open source has a trust problem. One may attribute this to the age old problem of identity frauds and related security vulnerabilities on the Internet. One may further worry that the rise of AI will dramatically increase this risk and even overrun the Internet altogether without mitigation in a fundamental level. One may also see it as an inevitable consequences of 'de-globalization' or 'fragmentation' which sows distrust and threatens to undo many of the progress we had made in the past two plus decades. The Linux Foundation's Executive Director Jim Zemlin highlighted this challenge during the LFDT member summit last year, then re-emphasized it again during the LF member summits in the fall last year and again this spring in 2025. This is a followup to that "Call to Action" to a First Person Project. A decentralized First Person developer ID system is one of the things we can do in the open source infrastructure level, i.e. the fundamental ways of practice that we know as open source, to meet this challenge. In this session, we will examine the issues, discuss the First Person Project and solution approaches, and update the community its progress.

Identity and Access Management is a delicate balance of security and usability. Passwords are simple for a user to understand, but suffer from a lack of security and have a long history of being compromised. Passkeys and third party providers can add an additional layer of security, but tend to be more complex on the backend, and prone to technical errors, downtime, and a more frustrating user experience when things go wrong. What we need is a fast way to access accounts that is simple to use, easy to implement, and secure.

Verifiable Credentials offer a secure way to issue your users complete digital identities to be stored locally on their mobile device using a decentralized network. Once stored in this way, the credential can quickly be verified by anyone with the authentication software, and access can be granted with a simple scan of a QR code, no multifactor authentication required.

In this session we will discuss and show a demonstration of how APIs can quickly enable your existing applications to accept these credentials, and start providing a better user experience for your employees and customers.

Would you drink milk past its expiration date? Probably not—because you know it could make you sick. Yet, many organizations keep using software long past its End-of-Life (EOL) date, exposing themselves to security breaches, compliance failures, and operational breakdowns. Just like spoiled food, outdated software can have hidden dangers that aren’t always visible—until it’s too late.

In this talk, we’ll explore:

- What happens when software expires? (Like food, software deteriorates over time)

- The hidden risks of EOL software (Security vulnerabilities = the mold you don’t see)

- Why do businesses ‘keep’ expired software (Cost? Inconvenience? Same reason some people keep old condiments!)

- Best practices for a healthy eating (Regular upgrades, patching, and a strong tech lifecycle strategy) based on our experience managing a EoL Software at Okta.

- Case studies of organizations that ‘got food poisoning’ (Real-world consequences of ignoring EOL software)