Open Source Summit Europe 2025

The Cyber Resielience Act (CRA) was approved late 2024 by European Union. 
Open source community was heavily involved in influencing drafting of the CRA. But the need for active engagement with the regulator did not end there. During the three-year period from late 2024 to late 2027 a lot of standardisation and guidance needs to be created to guide industries, manufacturers and open source community to best comply and cope with the CRA. Open source communities have organised to address these challenges.

Here we shortly explain the motivation for, and the main requirements set forth by the CRA, the various relevant organisations working on the regulation and the timelines of the work, as well as the achievements of the open source community in this work so far, and what is the work ahead of us towards the final deadline in late 2027. After the presentation you should be able to understand what the CRA is and why it is introduced, how it impacts world wide - also open source, how open source community is addressing this new regulation and how you can join the community.

Reliably identifying software components is a critical requirement for regulatory compliance. 

PURL is the de-facto standard for the reliable naming of components in software applications, products, and systems, across programming languages, package ecosystems, tools, APIs and databases. Every open source and most proprietary tools for Software Composition Analysis (SCA), along with all SBOM and Vulnerability Exploitability Exchange (VEX) specifications and most vulnerability databases, adopted PURL for component identification. But a 2024 Software Composition Analysis (SCA) report demonstrated significant inconsistencies in how different tools create PURLs… 

Better PURLs is a comprehensive project of open source tools and open data to correct this problem. The extended PURL syntax validation confirms that the PURL components (namespace, name, version, qualifiers) are correct for a given package ecosystem, according to the specification, and that the PURL locates an existing software package artifact. 

In this talk, Philippe from AboutCode and Dennis from Bloomberg will share the latest developments and how accurate and correct PURLs facilitate better compliance processes.

To securely deploy an identity and access management product implementing authentication & authorisation specifications like OpenID Connect 1.0 and OAuth 2.0 respectively, we need to ensure that the specifications are safe, the product correctly implements the specifications, and the product does not contain any vulnerabilities specific to the specifications. Methods for checking these points are formal analysis, conformance testing, and vulnerability testing, respectively. However, developers are not usually familiar with them. Based on the speaker’s investigation on academic research, the speaker describes them in a straightforward way.

The speaker is a maintainer of Keycloak, identity and access management open source software, CNCF incubating project. Therefore, the speaker will use Keycloak as a case study and explain how the specifications that Keycloak implements are verified to be secure and how Keycloak is verified to be compliant with the specifications.

The audience could gain insight into how to ensure that the identity and access management product they use or develop is secure.

Regulatory pressures, quantum computing threats or security breaches in complex supply chains have elevated cryptographic algorithm management to unprecedented importance. Understanding which crypto algorithms your software includes, and the implications for downstream users, is increasingly valued by developers and organizations. Several open source initiatives are now emerging to make cryptographic algorithm detection and declaration universal, enhancing the existing Bill of Materials (xBOM) generation.

This presentation explores some of those emerging initiatives, putting focus in two of the most promising ones:

* SPDX Crypto Algorithms List (https://github.com/spdx/crypto-algorithms): This aims to standardize crypto algorithm declaration.

* Open Dataset for Keyword-Based Detection (https://github.com/scanoss/crypto_algorithms_open_dataset): open dataset for detecting crypto algorithms via keywords, useful for automated scanning.

After a short demo of a simple PoC on how to implement them, the talk will cover the background behind these efforts, the latest news and plans, their relevance for security and transparency, and how participants can use and contribute to them.

Lottie is an efficient, feature-rich, vector animation format that delivers animations across platforms without sacrificing performance or file size, maintaining quality at any resolution. Lottie is widely adopted across various tools spanning the web, mobile and desktop systems.

In this session, we'll explore the journey of Lottie and the Lottie Animation Community (LAC) in establishing the official Lottie 1.0 specification under the Linux Foundation.

We'll examine the technical challenges addressed in standardizing this format, cross-platform compatibility, and feature consistency across different renderers. Attendees will gain insight into the collaborative process behind creating an open specification with input from diverse stakeholders across industries. We'll discuss the key components of the Lottie format, the standardization work that improved interoperability between creation tools and rendering engines, and demonstrate real-world applications showing the format's capabilities. Finally, we will provide a preview of upcoming efforts and welcome collaboration.

IIn today's evolving tech landscape, open collaboration is driving the next wave of AI innovation. This session will explore how open source principles—transparency, community collaboration, and shared innovation—are transforming the way we build and integrate open geospatial data. From autonomous vehicles and smart cities to AR/VR and logistics, industries worldwide depend on high quality, interoperable mapping data. We’ll look at real‑world use cases where open ecosystems not only lower barriers for innovators but also advance the development of standards that benefit all. Join us to learn how initiatives like the Overture Maps Foundation are uniting developers, enterprises, and communities to create sustainable, scalable solutions that power the future of AI.

As AI systems proliferate, ensuring transparency, trust, and traceability across the model supply chain has become a critical challenge. The Model Openness Framework (MOF), developed by LF AI & Data and Generative AI Commons, offers a standardized classification system to evaluate the completeness and openness of AI models across 17 key components—from architecture to evaluation code and documentation. This talk will explore how the MOF addresses model "openwashing" and supply chain risk by establishing clear standards for licensing and disclosure. We will demonstrate how enterprises can operationalize MOF compliance using open source tools like OCI-based model packaging, model signing, and automated documentation pipelines. Attendees will gain practical insights into aligning with emerging governance requirements and building trustworthy, reproducible AI systems through open collaboration.

CAMARA is redefining how developers interact with telco networks. Hosted by the LF in collaboration with GSMA and TM Forum, CAMARA is an OSS project creating standardized, operator-exposed APIs—giving developers secure, scalable access to capabilities like Quality-on-Demand, Location Verification, and Edge Discovery.

This session introduces how CAMARA bridges the gap between telcos and the developer ecosystem. Learn how you can use CAMARA APIs to power real-world use cases in gaming, XR, IoT, and more—without needing deep telco expertise.

We’ll showcase active APIs, demo contributions in action, and explain how you can get involved—whether by implementing APIs within operators, connecting exposure platforms, integrating their own portals, or adapting products to fit into this growing ecosystem. If you’re building applications that rely on connectivity, this is your invitation to help shape the next generation of open, programmable networks.

Explore how open source is unlocking network capabilities and how you can contribute to the next generation of telco innovation.

SBOMs (Software Bills of Material) are essential for improving visibility and security in the software supply chain. As open-source code drives modern development, organizations face growing security risks due to limited transparency in software dependencies. Attacks like SolarWinds (2020) and Kaseya (2021) highlight the urgent need for stronger software supply chain security.

However, SBOMs are often inaccurate. This talk explores why these inaccuracies occur, how attackers exploit them, and how to address these issues. A key challenge is dependency management file analysis (e.g., cargo.toml for Rust), which struggles to track components effectively.

Enter SBOMit, an OpenSSF sandbox project leveraging in-toto attestations to create cryptographically verifiable SBOMs. By capturing supply chain steps as they occur, SBOMit enhances accuracy, mitigates tampering risks, and strengthens security. This talk examines SBOMit’s role in improving SBOM reliability across the CNCF ecosystem.

In an era of growing concerns over misinformation, surveillance, and data breaches, building a more secure, private, and authentic web has never been more critical.

In this talk, I'll explore the current state of web security, privacy, and authenticity, focusing on key efforts shaping the future of the open web. You'll hear about the latest work in W3C, including advancements in privacy principles, ethical web guidelines, web developer security guidelines, all aimed at creating a more secure, trustworthy, and user-centric web. You'll also learn about how emerging standards like Content Credentials (C2PA) may revolutionize the way we verify the authenticity of digital content, helping to combat misinformation and ensure transparency in the information we consume online.

As API ecosystems grow, keeping designs consistent and governance scalable can really be a challenge for both open platforms and internal teams. In this talk, we’ll dive into how AI-assisted tools, when combined with open standards and policy engines, can help simplify two of the toughest parts of the API lifecycle: design and compliance. We’ll show you how developers can use natural language prompts to generate and update OpenAPI specs, and how teams can use policy-as-code (with tools like OPA) to automate checks for things like naming, versioning, and security. You’ll walk away with practical workflows that help balance developer speed with organizational standards—all built with open source tools.

Are you an open source maintainer who wants to create better docs for your project? In this talk you'll learn about some new tools for docs maintainers (a Docs Advisor working guide and a set of Docs Archetypes) and some pro tips on how to use them:  

* the types of technical documentation and docs projects -- how to decide what is a fit for your organization or project
* how to get basic info about your users and the kinds of documentation they need
* how to determine when a project is a bad fit for your needs
* how to onboard technical writers to your project
* how to choose and measure criteria for the success of your docs project
* how to keep your docs momentum going!

Materials for these new tools are based on the real experiences of the more than 70 projects who have participated in Google Season of Docs, and are currently available at github.com/google/opendocs.

Hardware documentation varies widely in quality and accessibility — ranging from treasured to frustratingly opaque. In this talk, we’ll introduce a framework for classifying types of hardware documentation and discuss their impact on enabling community-driven innovation.

We’ll showcase a real-world example of valuable documentation by exploring how Texas Instruments’ open documentation for the J784S4EVM empowered us to debug and fix its watchdog system. This process involved navigating multiple subsystems within the SoC, leveraging publicly available resources every step of the way.

Attendees will gain insight into how open documentation accelerates debugging, fosters collaboration, and enables independent hardware support. Beyond this case study, we hope to inspire vendors to embrace open documentation practices and encourage community members to prioritize documentation quality when selecting hardware.

https://lore.kernel.org/linux-arm-kernel/hqifchzwvzyexlcq6vfhlnrp3sixkgk23vau6o46k6einn5vee@gj5a53ee2gsi/T/#m7ecce818686b775105367e19e9548970c26c4427

https://lore.kernel.org/all/20240911-j784s4-esm-enable-v2-0-957f56b588d9@redhat.com/

This talk covers how to run a documentation sprint for your project.

Docs sprints improve your project by giving contributors an opportunity to collaborate within a well-defined structure and limited time.

In this talk, we'll cover everything you need to set up a sprint, run it, and build on the results.

This talk is based on real-world experience running docs sprints for open source projects, including Kubernetes.

Some developers like to study documentation, while others dive straight into their editor to start hacking on code — but what if documentation was the code? With today’s technologies it is more feasible than ever to blur the line between learning and building, by embedding live, editable examples directly into docs. Join me as I explore examples of interactive documentation from across the open source ecosystem and unpack five years' worth of lessons from building interactive docs for a developer platform.

This talk explores how The Good Docs Project integrated user research methodologies into an open-source environment to better understand our users and improve documentation templates and suite we provide. I'll share our journey of creating a UX research kit tailored for open-source projects, conducting user interviews, and analyzing qualitative data - all while navigating the unique challenges of distributed collaboration and volunteer contributors. This case study offers practical insights for other open-source communities looking to implement user-centered design approaches.