Open Source Summit Europe 2024

Our BoF panel features representatives of popular, highly specialized Linux distributions like Kairos, Flatcar, Eve, BottleRocket, Unikraft, SUSE MicroOS, and others. After a brief introduction we will open a discussion with the audience about the purpose, and limits, of special-purpose operating systems, on operational challenges, and on differences to general purpose operating systems. Discussions may include a wide variety of topics our audience is interested in discussing, e.g. opportunities to improve operations reliability and security, developing and operating cloud-native workloads, workload isolation, and trusted/measured boot.

Strategic position of AI development in industrial settings, the surrounding regulations, and organizational challenges, have an interesting analogy in how we deal with Open Source Software on industrial scale. Definition of governance as set of processes and guidelines for decision making within an organization gives us an opportunity to apply similar abstract models to seemingly different areas of endeavor such as AI production and consumer organizations, on one side, and Open Source Software, on the other. The learnings from running technical operations of OSPOs translate remarkably well into this model. Intake, compliance, distribution, so well known in the world of Open Source Program Offices, with its federated democratized governance, are some of the pillars of the processes that drive AI production and consumption organizations. In this talk we will try to shed some light on how in Volvo Cars we approach practical aspects of these growing processes.

This session will showcase how open source metrics can be used for monitoring open source projects developed for global health challenges. GitHub and the World Health Organization (WHO) partnered to build a framework for tracking and analyzing the health of open source projects. The WHO, an international public health agency of the United Nations, utilizes and creates open source digital tools to enhance global health efforts for remote care, disease surveillance, epidemiological modeling, health information systems for data collection and analysis, and digital platforms for emergency response. Within these tools, challenges exist in monitoring open source: the lack of a high level view of best practices adopted by various open source projects; linking open source practices to realized impact in the public health; and building interest in open source work and advocating for more open source development within the global health community. This presentation will highlight these challenges, discuss opportunities to tackle them and close with an open dialogue on how open source projects can be measured, and drive collaboration between the OS community and public health practitioners.

The distributed development effort across individual teams to build secure software in a constantly evolving security threat landscape results in massive duplication of CI/CD automation work and inconsistent security and compliance postures across teams. The solution is to standardize the CI/CD security & compliance automation for development teams and centralize platform operations and maintenance. Our centralized CI/CD platform prevents software security problems from reaching production systems and streamlines compliance audits using built-in DevSecOps practices. Tekton is used as the open source orchestrator to standardize CI/CD and contribute open source enhancements through our valued ecosystem partnerships to benefit all users. The platform includes open source scanning tools such as Clair for OSS threat intelligence, SonarQube for SAST, and OWASP ZAP for DAST. The platform also extends the traditional CI and CD pipelines with a Continuous Compliance (CC) pipeline which ensures that deployed applications are scanned for new vulnerabilities on a daily basis with unique capabilities to auto remediate identified vulnerabilities and auto close resolved incident issues.

Come learn about the great accomplishments of our Outreachy Linux Kernel Interns! Outreachy offers open source internships to people subject to systemic bias and impacted by under-representation in the technical industry where they are living. Julia Lawall offers an overview of the Outreachy Linux Kernel Community followed by intern presentations showcasing their projects and experiences: * Dorcas Litunya: Improving support for the Vivid Test Driver * Khadija Kamran: Analyzing Linux Kernel Security Subsystems * Tahera Fahimi: Improving Landlock Access Control Linux Kernel Maintainer Hans Verkuil wraps up the panel by sharing his experience as an Outreachy mentor.

Zephyr, as also other open source projects, is heading towards functional safety, to achieve a safety certification as a Safety Element out of Context (SEooC) the question of what this really means comes up quite often.

There are usually three stakeholders in a project like project community, the assessor and the user, who actually wants to use the certified software

As all these parties have different expectations of what this certification will require, there are a lot of different rumours and opinions out there regarding functional safety certification. This talk will give an introduction to what qualification evidence is usually prepared and assessed for a SEooC certification, what this means for the project and how it can actually be integrated into a safety relevant software system.

This talk will also give an update of the current status of the safety working group, how to participate and what to expect there.

Containers revolutionized the software development and deployment process. But there are still practical concerns, especially related to software supply chain integrity and security, that require further improvements. Software Composition Analysis (SCA) identifies components used in software applications and systems, often for software supply chain concerns like SBOMs, which is increasingly important for distributed, containerized systems. Many open source and proprietary SCA tools are marketed specifically for containers. After testing many open source and proprietary tools, we completed a project comparing the accuracy, depth, and breadth of these tools' detection capabilities. The results were not always good. In this talk, Arun from Siemens Healthineers and Philippe from AboutCode will share their experiences so you don't make the same mistakes.

In the last three decades, we’ve seen an evolution of open source starting from the ’90s when foundations and ideas were birthed with the likes of the Free Software Foundation, the Open Source Initiative, and projects that changed the world like the Linux Kernel and the Apache server. From there, open source has gotten into mainstream adoption and advocacy, where we have platforms like GitLab, GitHub, and SourceForge, enabling people to build software projects openly and increasing collaboration among people in tech. Within the last ten years, groundbreaking innovations like the cloud, AI, and big data have become open source by default - this is where we are now. However, the global south is still stuck in the advocacy and adoption phase, with people who haven’t moved beyond their first contribution or are only aware of open source. We need to address this and move the global south to the next phase of open source—ideation, designing, and building. In this talk, we will share what we’ve been doing in Open Source Community Africa for the last 8 years and how we are currently fixing this problem through our latest flagship program, IDB (Ideate, Design, Build).