Open Source Summit Europe 2025

In a digital-first world, how are governments adapting the public infrastructure underpinning services for public administrations, businesses, organizations, and citizens? What risks and challenges do they face as they digitize these services? Sean Bohan of LF Decentralized Trust will sit down for a Q+A with the incoming director of Europeum EDIC about delivering EU-wide cross-border services via the European Blockchain Services Infrastructure (EBSI) network. This session will dive into the roll-out of EBSI as a secure, trustworthy digital verification infrastructure for Europe. It will cover how EBSI and other public infrastructure projects serve as a model for verifying identities, credentials, and data integrity with reduced inefficiencies and fraud.

Topics will include:
-Services EBSI supports—verifiable educational, medical, and travel credentials; patent protections; product authentication, and more
-Adoption and interoperability challenges of deploying across 30+ countries, each with its own regulatory framework and infrastructure
-Decision to build on Besu, an enterprise Ethereum client.
-Role of open source, decentralized tech in delivering digital verification at scale

Ken Thompson's "Reflection on Trusting Trust" warns against blindly relying on others' code, emphasizing the gap between reviewed source and built artifacts. This is critical for developers navigating complex trust models, where source code alone offers limited assurance. Recent supply chain attacks on open source packages, like xz and boltdb-go, expose the real-world practicality of deceiving traditional source reviews, threatening the foundation of open source consumption.

In this talk, we discuss a novel method for analysing and investigating the code that actually gets built using Capslock, an open source CLI tool for analyzing Go packages. By analysing and exposing discrepancies between a package’s advertised and actual permissions, potential attacks (such as the malicious version of boltdb-go) can be thwarted. Integrating this capability information into both free public data sources (e.g. deps.dev) and guided code review systems enables developers to shift left, and feel more confident trusting open source.

Open source has a trust problem. One may attribute this to the age old problem of identity frauds and related security vulnerabilities on the Internet. One may further worry that the rise of AI will dramatically increase this risk and even overrun the Internet altogether without mitigation in a fundamental level. One may also see it as an inevitable consequences of 'de-globalization' or 'fragmentation' which sows distrust and threatens to undo many of the progress we had made in the past two plus decades. The Linux Foundation's Executive Director Jim Zemlin highlighted this challenge during the LFDT member summit last year, then re-emphasized it again during the LF member summits in the fall last year and again this spring in 2025. This is a followup to that "Call to Action" to a First Person Project. A decentralized First Person developer ID system is one of the things we can do in the open source infrastructure level, i.e. the fundamental ways of practice that we know as open source, to meet this challenge. In this session, we will examine the issues, discuss the First Person Project and solution approaches, and update the community its progress.

Identity and Access Management is a delicate balance of security and usability. Passwords are simple for a user to understand, but suffer from a lack of security and have a long history of being compromised. Passkeys and third party providers can add an additional layer of security, but tend to be more complex on the backend, and prone to technical errors, downtime, and a more frustrating user experience when things go wrong. What we need is a fast way to access accounts that is simple to use, easy to implement, and secure.

Verifiable Credentials offer a secure way to issue your users complete digital identities to be stored locally on their mobile device using a decentralized network. Once stored in this way, the credential can quickly be verified by anyone with the authentication software, and access can be granted with a simple scan of a QR code, no multifactor authentication required.

In this session we will discuss and show a demonstration of how APIs can quickly enable your existing applications to accept these credentials, and start providing a better user experience for your employees and customers.

Would you drink milk past its expiration date? Probably not—because you know it could make you sick. Yet, many organizations keep using software long past its End-of-Life (EOL) date, exposing themselves to security breaches, compliance failures, and operational breakdowns. Just like spoiled food, outdated software can have hidden dangers that aren’t always visible—until it’s too late.

In this talk, we’ll explore:

- What happens when software expires? (Like food, software deteriorates over time)

- The hidden risks of EOL software (Security vulnerabilities = the mold you don’t see)

- Why do businesses ‘keep’ expired software (Cost? Inconvenience? Same reason some people keep old condiments!)

- Best practices for a healthy eating (Regular upgrades, patching, and a strong tech lifecycle strategy) based on our experience managing a EoL Software at Okta.

- Case studies of organizations that ‘got food poisoning’ (Real-world consequences of ignoring EOL software)

IBM is dedicated to promoting Responsible AI by equipping developers with cutting-edge tools that improve fairness, transparency, and accountability of AI systems. In line with this effort, this session is designed to introduce Granite Guardian, an open-source suite of AI models that allow developers to monitor AI systems, mitigate bias, and comply with regulations. Granite Guardian is not just an open-source suite of AI models; it is a comprehensive AI governance framework, a strategic enabler for creating responsible, transparent, and compliant AI at scale. Attendees will leave this session with knowledge of AI governance and a set of tools that allow them to create, launch, and manage AI responsibly. Whether they are developers who already embed ethical AI behaviour into their designs, or industry leaders aligning with ethical and regulatory guidance, this session will empower them to create scalable, not just sustainable, AI.

ManaTEE is an open-source framework that enables private data analytics for public research using Trusted Execution Environments (TEEs). In this talk, we show how ManaTEE supports verifiable AI transparency, especially for proprietary models where open inspection is not feasible. TEEs allow sensitive model evaluation and data analysis in isolated, secure environments with cryptographic attestation, ensuring the integrity of both the model and data. This enables external researchers and auditors to assess AI systems without direct access to the model or sensitive data. ManaTEE simplifies this process with a secure, interactive Jupyter Notebook interface where users can load benchmarks, write evaluation code, and analyze results—preserving data confidentiality and model secrecy. We will demo how ManaTEE evaluates a closed-source AI model in a reproducible and auditable way, helping balance the need for transparency with confidentiality.

This session will first give an introduction and update of the current safety activities and then provide a place for interested folks to meet, ask and discuss questions and open topics.

OpenSSH has built-in support for FIDO security keys since version 8.2 (released in 2020). This means you can protect your SSH private keys using security keys, similar to how this can be done with OpenPGP smart cards and cryptographic tokens that support PKCS#11. Although such devices all allow you to protect your private keys using cryptographic hardware, the benefits on using FIDO include:

- FIDO is easier to use, especially for beginners

- security keys can be used on the web as well to store passkeys

- no need for vendor-specific software (like PKCS#11 modules)

- security keys are inexpensive

- FIDO features device attestation, which lets you cryptographically prove you are using a specific security key make and model.

In this talk, we will give a short introduction to FIDO security keys, and provide several demos of the use of security keys with OpenSSH, such as signing arbitrary data, authenticating to remote systems, and using key attestation.

The talk consists of a number of demos that participants can follow along on their system. Participants can bring their own security key (any vendor will do). If they do not own a security key one will be provided to them.

Industrial environments depend on secure collaboration among internal employees and external technicians. Traditional centralized identity systems like LDAP fall short when managing external parties, while industrial constraints prevent modifying legacy equipment.

This session presents a pragmatic architecture using open-source tools - including OpenZiti and W3C Verifiable Credentials (VCs) - to enforce Zero Trust precisely at the application level. By combining decentralized identity management for external supplier technicians with corporate OIDC for internal staff, we demonstrate how to achieve secure, identity-aware communication flows without rewriting legacy MQTT hardware.

Attendees will learn how application-level binding ensures that only explicitly authorized actions occur, preventing any unauthorized bypass even in constrained industrial setups. The approach not only strengthens security in today’s complex environments but also boosts the value and potential of these emerging technologies through practical integration.

The Linux Kernel Mentorship Program (LKMP) was more than just a chance to contribute to open source—it was a turning point in my career and technical growth.

Join me as I share how this experience helped me land my current role, give back to the Linux community, and inspired me to take a more active role in my local community—organizing events, mentoring, and sharing knowledge.

The Developer Relations Foundation is a new part of the Linux Foundation to advance the professional practices of Developer Relations. As a Manager of the Resources Working Group we're on a mission to collect open-data resources like Personas, Events, and Tools that any practicing Developer Relations role can use to accomplish their outreach and community goals.

This session will share how we kick-started the working group and then examples of using these resources for my own role on the free open-source tool Semgrep for engaging with developer communities to make software more secure.

We’re in a climate crisis—and the web isn’t off the hook. From energy-hungry AI to bloated, resource-intensive websites, our industry’s digital footprint is growing fast.

This talk explores how we can flip the script using open source tools to measure and reduce the carbon impact of our work. We’ll dive into practical ways to assess emissions, spotlight FOSS projects leading the way, and share actionable steps every open source project can take to help cut down energy use.

Together, we can build toward a solarpunk future—one where technology empowers a healthier planet and better lives for everyone.

Client server computing relies on encryption algorithms to ensure that data sent across networks cannot be read, or faked, by untrusted parties. This is the rock on which financial computing works in a business to customer environment, as well as how data at rest is protected from malicious prying eyes reading our personal data.

This talk will cover the basics of how Diffe-Hellman encryption works, how symmetric and asymetric keys operate, as well as how all of this will soon become unsafe because of quantum computing. As well as showing the audience the basics (no maths degree required) this talk will show how quantum safe encryption is able to address this, and how folks can get wise and get started.

What happens when you combine real radar images of Venus, a bunch of volcanoes, and deep learning? In this talk, I’ll walk you through a fully open-source machine learning pipeline that turns extraterrestrial data into structured scientific insights. Our goal is to automatically recognize geological formations like craters, ridges, or volcanoes on radar imagery — a bit like Google Maps, but for another planet.

The workflow starts with hand-labeled GeoJSON data in QGIS, then moves through preprocessing, training, and testing using PyTorch, scikit-learn, and AWS SageMaker — all running on Linux-based cloud infrastructure. This ESA (European Space Agency) funded scientific project is coordinated by the Hungarian Research Network (HUN-REN), and every part of it is powered by open tools and services.

If you're curious about how Linux, Python, and AWS can work together to map alien surfaces, this session will take you there — without leaving Earth.