Open Source Summit North America 2025

For the past three years, LF Education has partnered with LF Research to produce a yearly State of Tech Talent report surveying hiring and training managers to capture trends in the IT talent market. The 2025 study, which will go live at Open Source Summit North America, explores AI’s impact on organizational operations and developers; the fastest-growing areas of job responsibility; and compliance shifts from policies like the Cyber Resilience Act. In this session, the LF Research team will host a discussion of this year’s study findings, with panelists from LF Education and OpenSSF sharing their expertise on hiring and training to address cybersecurity concerns, regulatory compliance, AI, and more. In discussing the findings of the study, this session will describe how the community is grappling with resourcing amidst the new and shifting priorities in this landscape, from AI to Cybersecurity to platform engineering. The session will deliver insight on how the open source community can take the findings of the study to fortify its organizations and people for the market in 2025 and beyond and maintain relevance among economic, regulatory, and technological changes.

When building an application, we often start with simple requirements: “Just make sure only the admin can see this page.” Fast forward a few months, and the requirements have grown into a tangled web of roles, attributes, exceptions, and edge cases. Sound familiar?

In this talk, we’ll follow the journey of a fictional project that begins with no access control, progresses to Role-Based Access Control (RBAC), struggles with Attribute-Based Access Control (ABAC), and ultimately finds its footing with Fine-Grained Authorization (FGA). In this process, you’ll learn how OpenFGA addresses the growing complexity of modern applications with a relationship-based model that’s both flexible and scalable.

The telecom industry constantly evolves to meet the demands of modern communication.
As a supporter of the Linux Foundation Valkey project, this presentation will explore other ways to utilize Valkey compared to many cloud providers, and the benefits this brings to the community and the project itself.

We will discuss the technical aspects of Valkey's use in telecom, drawing from insights for the advantages of public forks managed by foundations, leading to faster and more expansive development.

Our company was one of the founding supporters of Valkey, and Viktor Söderqvist is a core maintainer of Valkey. We will cover how we integrate community engagement and governance, David as a manager and Viktor maintainer and our collaborative efforts together.

We'll highlight our contributions to Valkey, and the discussions that led to our strategic pivot and fork and creation Valkey.

We will also present unique requirements in telecom that has been added to Valkey, and demonstrate how these requirements also benefit the broader project, with features like downgrade mechanisms and key hash improvements for higher performance.

Endor Labs coined the term "Phantom Dependency Problem" to describe dependencies that are bundled into software packages but not represented in the package metadata. This is common in many software package ecosystems, but it is most prevalent in the Python package ecosystem (PyPI) where many packages include compiled C, C++, and Rust dependencies.

Bundled software not being included in package metadata is meaning means that software composition analysis (SCA), SBOM, and vulnerability scanning tools are not able to detect the bundled software. This can cause vulnerabilities to be missed and make.

The Security Developer-in-Residence at the Python Software Foundation, Seth Larson, worked on solving to the Phantom Dependency problem for Python packaging, involving work on standards and tooling.

By the end of this session attendees will understand the Phantom Dependency problem, how it relates to Python and other packaging ecosystems, how SBOM and SCA tools work, and what work was done to make bundled dependencies measurable and what that means for users.

Weaponized open source components are silently infiltrating software supply chains, evading detection, and leaving organizations vulnerable to devastating attacks. Brian Fox, Co-founder and CTO of Sonatype, will pull back the curtain on this invisible threat, diving into the rise of malicious components that proliferate at an unprecedented rate.

Discover the stealthy tactics used to infiltrate networks, masquerading as legitimate software, and understand why traditional security solutions are failing. This session will provide the knowledge and tools to proactively protect software supply chains, blocking malicious components before they wreak havoc, and fortify defenses against this invisible and growing enemy.