Open Source Summit North America 2025

Policies, standards, and governance are often perceived as hurdles for innovation - especially within regulated industries where it may be difficult to leverage and contribute to open-source. But there is a way to reframe these perceived obstacles and turn them into streamlined "guardrails" that can help drive innovation and enable the ability to not only consume, but also contribute to open-source.

Open source is the foundation of modern software, yet many projects struggle with sustainability—not just in attracting contributors, but in ensuring they stay, grow, and thrive. The landscape of open source contribution has evolved dramatically, demanding a fresh approach to community building and contributor engagement.

Traditional pathways into open source don’t work for everyone. This panel brings together experts who have successfully expanded contributor pipelines beyond the usual audience—through initiatives like the CNCF Deaf and Hard-of-Hearing WG, CHAOSS Africa, and mentorship programs. We’ll explore best practices for guiding contributors from their first PR (or non-code contribution) to meaningful, long-term engagement.

Beyond code, open source thrives on diverse contributions: marketing, content creation, event planning, automation, governance, and more. By broadening the definition of “contributor,” we lower barriers to entry, strengthen projects, and build a more inclusive, resilient ecosystem.

Join us for a discussion on how we can transform contributor journeys to be more inclusive, fulfilling, and impactful for individuals and the broader open source ecosystem.

With escalating cyber threats and increasing regulatory pressure, government agencies face a critical need to modernize their security strategies. The Zero Trust model—"never trust, always verify"—has emerged as a cornerstone for safeguarding sensitive data and infrastructure. However, implementing Zero Trust in government settings presents unique challenges, including legacy systems, complex compliance requirements, and the need to balance security with operational efficiency. This talk will provide a roadmap for adopting Zero Trust principles in government environments, offering actionable insights to overcome obstacles and ensure mission readiness.

In the world of API development, standardization & interoperability are essential for seamless integration across industries. CAMARA Project, in collaboration with GSMA, TM Forum, and the LF, leads the charge in harmonizing telco API standards. Through open collaboration, the project has established a unified, industry-wide framework that simplifies API adoption for telco operators, enabling them to integrate with marketplaces, aggregators, & hyperscalers more efficiently.
This session summarizes the telco API ecosystem, the key organizations shaping it, and how developers can get involved:

How CAMARA defines telco end-user-facing APIs and streamlines adoption for operators; The GSMA Open Gateway Initiative’s role in standardizing API distribution across different channels;
TM Forum’s work in enabling communication between operators, marketplaces, and hyperscalers; and Practical ways developers can contribute—whether by implementing APIs within operators, connecting exposure platforms, integrating their own portals, or adapting products to fit into this growing ecosystem.

Explore how OSS transforms the telco industry and how to be part of this collaborative movement!

This session introduces **Interns for Open Source (IFOS)**, a program that offers undergraduate and graduate Computer and Information Sciences students hands-on experience with open source projects for academic credit. Over 10 weeks, students bridge classroom learning and real-world application by contributing through issue tracking and pull requests. Their fresh perspectives provide open source communities with valuable feedback, usability insights, and rigorous testing. Students sharpen technical skills, learn professional workflows, and build portfolios. Open source projects benefit from innovative ideas and unbiased input. Attendees will learn about the program structure, its benefits for students and open source communities, and how to get involved.

In this talk, we will introduce two open-source projects vLLM and KServe and explain how they can be integrated to leverage better performance and scalability for LLMs in production. The session will include a demo showcasing their integration.

vLLM is a high-performance library specifically designed for LLM inference and serving, offering cutting-edge throughput and efficiency through techniques such as PagedAttention, continuous batching, and optimized CUDA kernels, making it ideal for production environments that demand fast, large-scale LLM serving.

KServe is a Kubernetes-based platform designed for scalable model deployment. It provides robust features for managing AI models in production, including autoscaling, monitoring, and model versioning.

By combining vLLM's inference optimizations with KServe's scalability, organizations can deploy LLMs effectively in production environments, ensuring fast, low-latency inference and seamless scaling across cloud platforms.

Funding a security initiative can be a game-changer for open source projects, but what does it really take to make it successful?

In this talk, we’ll share insights from a funded security audit in FreeBSD—how we secured support, scoped the work, engaged the community, and navigated challenges. You’ll learn how to evaluate if funding is right for your project, what to expect from the process, and how to collaborate effectively with sponsors.

Whether you're considering funding for security, sustainability, or growth, this session will equip you with practical takeaways to make it a success.

Open source software is the basis for the tools used to create almost all visual effects and animation used in the motion picture industry today, providing the backbone for creating blockbuster films like The Wild Robot, Moana 2, Dune, Oppenheimer, the Star Wars movies and all of the Marvel Cinematic Universe films.

The most important open source projects that are used on almost every film production today are housed at the Academy Software Foundation (ASWF), which provides a neutral forum for open source software developers in the motion picture and broader media industries to share resources and collaborate on technologies for image creation, visual effects, animation and sound.

The Foundation has flourished since its launch in 2018, hosting 14 projects and supporting a growing ecosystem of open source engineers. During this session, David Morin, Executive Director of the Academy Software Foundation, will share more about the Foundation’s growth over the last six years, including new open source projects, engineering events such as Dev Days, and D&I initiatives including the Summer Learning Program.

Have you ever botched your git repo so badly that you needed to delete it and reclone it? You're not alone!

This talk dives into the dark side of Git - exploring common disasters like accidental force-pushes, tangled merge conflicts, unrelenting rebases, and the dreaded detached HEAD. We'll look at how and why these situations arise, exploring the underlying Git mechanics that got us into the situation and how we can undo or resolve these problems.

You'll come away from this talk with a greater understanding of Git internals, and the knowledge and tools necessary to rescue yourself from any Git workflow gone awry!

What does a version specification look like? Most would say that one looks something like “1.2.3”.

But what does a requirement look like? That is a more complicated question and answers vary and depend on which packaging ecosystem —Maven, Cargo, PyPI and so on— is involved.

While Semver 2.0 offers a generally agreed upon syntax for versions, there is no standard for requirements.

Understanding how requirements work is required for addressing issues such as vulnerabilities and license conflicts. The absence of an agreed-upon requirement specification limits the ability to understand the problem and limits the sharing of tooling across ecosystems.

Deps.dev has looked at the way requirements are specified in five ecosystems and translated them into a single set representation that enables unified tooling. We’ve discovered many ecosystem-specific quirks, but also discovered much commonality we can build upon.

This talk will define the essence of requirements, demonstrate how they are incompletely met by various existing systems, and most importantly we will argue that a well-defined, well-supported requirement specification is vital to the industry.

For years, the supply chain security community has been working hard to generate security metadata about repositories, software builds, vulnerability reports, releases, and SBOMs that describe how software is composed.

Transparent build processes with visible supply chains are great, but all that information has been remarkably difficult to use. Until now!

Meet AMPEL, the Amazing Multi-Purpose Policy Engine. Ampel (https://github.com/carabiner-dev/ampel) is the missing piece in the supply chain ecosystem: an open source policy engine that natively understands in-toto attestations, verifies keyless Sigstore signatures and understands any attestation predicate type. 

Ampel is embeddable: it can look into SBOMs and warn about bad dependencies, understand security scans and gate builds when vulnerabilities are present, or stop artifacts from publishing when they don't meet security frameworks. 

Ampel is slowly building an ecosystem: Starting with the bnd attester, the Ampel universe has tools that can work across the SLDC to secure CI/CD systems.

In this talk, we'll explore with practical examples how Ampel can ensure compliance of a hardened pipeline through verifiable evidence.

Most of the advice around new contributor experience is oriented towards developers at the beginning of their career - students or those breaking into the tech industry. This time, though, we want to talk about the basics of contribution for senior developers who already have plenty of industry experience. These potential contributors have more than enough technical expertise, but still struggle to participate in open source. For them the barriers tend to be more social and “communicational” than technical, as their previous incentives, goals, and development cultures are fairly different from those present in most open source communities.

As open source contributors working in a big company, we watch our colleagues face these issues. We want to share our experience and what we learned while trying to help these colleagues participate in open source development for the first time.

Note: PDF copy of notes does not contain speaker notes; follow the link in the slides for speaker notes and additional links!

Generative AI (GenAI) is ushering in a new era of human innovation, but building your own GenAI application can feel overwhelming. Which Large Language Model (LLM) should you choose? Should you incorporate Retrieval-Augmented Generation (RAG)? How can you ensure your application runs securely and efficiently on Kubernetes, with robust observability and debugging? And how do you manage API calls and control costs for external LLMs?

This demo-driven session will guide you step by step through building, running, securing, and managing traffic for a GenAI application from scratch. Starting with a native setup, we’ll then transition to Kubernetes, simplifying the entire process. You’ll learn how to enhance your application with domain-specific knowledge using RAG and leverage cloud-native tools like Kubernetes, Prometheus, Kiali, Istio, and the Kubernetes Gateway API to run your application securely and effectively.

As security concerns continue to grow in the software industry, customers seek assurance that the software they rely on is built securely. While applying security patches is essential, it is equally important to understand the proactive measures taken throughout the development process to ensure that our software is built securely.

Red Hat follows a comprehensive Secure Software Development Lifecycle (SDLC) framework to improve software security during the entire software lifecycle. We use an open source end-to-end build and release environment, which uses SLSA framework as a guide for reinforcing and gating the build process to secure and fortify your software supply chain against various threats.

This session will include:
- The key difference between proactive and reactive security measures.
- SDLC objectives and how Red Hat achieves them to meet high security standards.
- Overview of how automated testing and open-source solutions enhance SDLC.
- Proactive vulnerability management during the build lifecycle phase.
- Secure software building with attestation data production, including CSAF/VEX and SBOM.
- Future of AI testing within the software supply chain security.

The Linux Foundation has hundreds of projects under its auspices all working to gain adoption — especially in the case of forks like OpenBao and Valkey. In this struggle for adoption, projects could be doing more in support of our common goal. This talk proposes a system by which projects can work together, integrate each other, and increase cohesion between projects under a common foundation. This talk will serve as the opening of a discussion meant to engage both the participants and maintainers of projects and Linux Foundation community members.

Join us to discover how Intuit's GenAI framework is reshaping AI development, enabling swift integration of AI functions across varied business units. We'll focus on a robust framework of reusable agents and tools derived from open-source technologies like LangChain/LangGraph, facilitating diverse functionalities from simple data retrieval to complex processes such as query generation, optimization, pipeline creation and debugging. This framework dramatically reduces the time required for data workers to operationalize data pipelines and supports diverse customer interactions through notebooks, no-code approaches, REST integrations, and Python libraries, catering to a wide range of needs including agent developers and teams in pre-production settings. Our meticulous evaluation process ensures that each tool and agent is rigorously tested against high-performance benchmarks to guarantee reliability and consistency before deployment. By centralizing these AI components, Intuit has not only accelerated development timelines but also upheld a high standard of quality, establishing a benchmark for crafting scalable, effective AI solutions in the dynamically evolving tech landscape.

The EU Cyber Resilience Act (CRA) aims to safeguard European consumers and at first glance it targets only the EU market. But in fact the entire OSS ecosystem falls under its scope as CRA creates mandatory cybersecurity requirements for vendors, distributors, integrators, even enterprise consumers and, in fact, the entire open-source ecosystem by introducing terms like “Manufacturer”, “Steward”, “Individual developer” among others. So, how to ensure **you** stay compliant?

I’ll cover what we, as part of the various working and regulatory expert groups, are doing to help the entire open-source community navigate the actual requirements. We’ll explore how these roles are played together by the leading industry players (yes, revealing some non-trivial scenarios) and what best practices and tools can be used right away for your organization or by you as an individual contributor. Finally, let’s discuss how we together should turn CRA into an opportunity to make open-source better for all.