Open Source Summit North America 2025

Managing risk is always top-of-mind in the financial industry and mitigation is essential to reduce it. One significant risk is the software supply chain that represents the complex network of processes, tools and stakeholders involved in the development, distribution and deployment of software throughout the entire software development lifecycle (SDLC). Operational Data Stores (ODS) can be used to help mitigate the risk associated with software running in any enterprise. They accomplish this by aggregating and correlating operational data from across the disparate systems and tools that comprise the SDLC pipeline into a single, standards-based software bill of materials (SBOMs) data model. By providing real-time data access for investigational queries and composite views of all applications for stakeholders and regulatory agencies, risk associated with the full lifecycle of software management and consumption can be mitigated. Join this session to see how Discover is embracing Operational Data Stores and how it can apply to the broader enterprise community.

Refreshing long-standing policies in OSS communities can be a long and difficult process. Last year at OSS Summit NA, we discussed getting to the mid-point in our journey in developing a new trademark policy for the Rust community. Following a lot of further work, consultation, and iteration, and final board approval, we are now able to reflect on the whole process of redeveloping a legal policy with an OSS community, the pitfalls, challenges, and paths to success.

Software Asset Management (SAM) provides a way to manage software across small, medium and large entities. It is often seen as a way of addressing licensing or for making sure company staff are using permitted software applications and versions.

Open source has traditionally been divorced from SAM, which was focused on proprietary software solutions. Partly this was due to practical matters like different licensing schemes, and partly it was an artifact of separate paths of evolution.

However, in recent years open source has increasingly adopted approaches to licensing, security and other challenges that mirror SAM. Examples include the use of standards like ISO/IEC 5230 for licensing and ISO/IEC 18974 for security, of implementation standards like ISO/IEC 5962 for Software Bill of Materials.

As a consequence, open source is now more closely aligned with SAM. This talk will examine what that means for open source management overhead today, and where it will take us in the future. This talk is intended to equip people in open source strategy, legal and team leadership to navigate changes as smoothly as possible.

Last year we introduced the LF-SBOM, which we are now generating for many projects. Today we will provide an update on this important effort to provide SBOMs for most critical LF projects. We will review the work done to date, and go into more detail on how to use the LF-SBOM specification. We will give real world concrete examples on how to use our SBOM to generate a Security Vulnerability report, and how to generate a report of open source licenses. We will also discuss how to use our SBOMs to meet new regulations (e.g. US CISA and EU CRA) when delivering software to the government sector, and how to use our SBOM as an example when you create one for your own project.

Picture the WHOLE software supply chain, beginning to end; it's a little like that olde tyme classic, "Candyland".

Designed NOT with preschoolers in mind, AI Supply Chain Candy Land is for everyone interested in learning about the software supply chain for AI/ML. Travel through exotic locations like The Peppermint Forest of swirly-twirly dependencies, The Fudgy Swamp of Compliance, and much more!

AI/ML is a fast-moving space within technology. However, everything we've learned in software engineering of the last few decades ALSO applies to this "new" world of AI/ML. We'll apply traditional software supply chain security techniques and, wherever able, tools to help developers and consumers win AI Supply Chain Candyland.

Through an enjoyable and colorful game, with useful examples taken from standards and frameworks, the audience will have a better appreciation and ability to apply supply chain security concepts and tools to the development and support of AI/ML-based solutions.

The EU Cyber Resilience Act (CRA) aims to safeguard European consumers and at first glance it targets only the EU market. But in fact the entire OSS ecosystem falls under its scope as CRA creates mandatory cybersecurity requirements for vendors, distributors, integrators, even enterprise consumers and, in fact, the entire open-source ecosystem by introducing terms like “Manufacturer”, “Steward”, “Individual developer” among others. So, how to ensure **you** stay compliant?

I’ll cover what we, as part of the various working and regulatory expert groups, are doing to help the entire open-source community navigate the actual requirements. We’ll explore how these roles are played together by the leading industry players (yes, revealing some non-trivial scenarios) and what best practices and tools can be used right away for your organization or by you as an individual contributor. Finally, let’s discuss how we together should turn CRA into an opportunity to make open-source better for all.