Open Source Summit North America 2025

In an era of growing concerns over misinformation, surveillance, and data breaches, building a more secure, private, and authentic web has never been more critical.

In this talk, I'll explore the current state of web security, privacy, and authenticity, focusing on key efforts shaping the future of the open web. You'll hear about the latest work in W3C, including advancements in privacy principles, ethical web guidelines, web developer security guidelines, all aimed at creating a more secure, trustworthy, and user-centric web. You'll also learn about how emerging standards like Content Credentials (C2PA) may revolutionise the way we verify the authenticity of digital content, helping to combat misinformation and ensure transparency in the information we consume online.

When faced with a difficult challenge sometimes it helps to look back at lessons from ancient history to guide your thinking. The Open Source Initiative (OSI) is working to create a definition for Open Source AI (OSAID), aiming to apply open source principles to artificial intelligence development, but clearly the 1.0 version is a work-in-progress. Can it find success? How may policy-makers react? Join this session to hear about the latest efforts to define open source AI and what's likely in store for 2025.

Policies, standards, and governance are often perceived as hurdles for innovation - especially within regulated industries where it may be difficult to leverage and contribute to open-source. But there is a way to reframe these perceived obstacles and turn them into streamlined "guardrails" that can help drive innovation and enable the ability to not only consume, but also contribute to open-source.

In the world of API development, standardization & interoperability are essential for seamless integration across industries. CAMARA Project, in collaboration with GSMA, TM Forum, and the LF, leads the charge in harmonizing telco API standards. Through open collaboration, the project has established a unified, industry-wide framework that simplifies API adoption for telco operators, enabling them to integrate with marketplaces, aggregators, & hyperscalers more efficiently.
This session summarizes the telco API ecosystem, the key organizations shaping it, and how developers can get involved:

How CAMARA defines telco end-user-facing APIs and streamlines adoption for operators; The GSMA Open Gateway Initiative’s role in standardizing API distribution across different channels;
TM Forum’s work in enabling communication between operators, marketplaces, and hyperscalers; and Practical ways developers can contribute—whether by implementing APIs within operators, connecting exposure platforms, integrating their own portals, or adapting products to fit into this growing ecosystem.

Explore how OSS transforms the telco industry and how to be part of this collaborative movement!

Established quality standards, designed for traditional V-Model ( requirements driven) development, are inadequate for evaluating and supporting code-driven, CI/CD-based nature of modern (open source) software. This hinders OSS adoption in regulated industries, particularly for safety-critical systems. This session introduces a novel standard proposal specifically designed to assess OSS process capabilities by documenting open source best practices and providing a practical assessment guide. It aims to bridge the gap between OSS development practices and the needs of regulated industries, fostering greater trust and enabling wider adoption.

This session outlines the three phases from research to execution for establishing the standard, drawing on relevant academic research and showcasing exemplary open source projects with established best practices. The authors will also explore existing scoring initiatives and some quality metrics. The session concludes with a roadmap for collaborative development of the standard and a call to action for community participation.

What does a version specification look like? Most would say that one looks something like “1.2.3”.

But what does a requirement look like? That is a more complicated question and answers vary and depend on which packaging ecosystem —Maven, Cargo, PyPI and so on— is involved.

While Semver 2.0 offers a generally agreed upon syntax for versions, there is no standard for requirements.

Understanding how requirements work is required for addressing issues such as vulnerabilities and license conflicts. The absence of an agreed-upon requirement specification limits the ability to understand the problem and limits the sharing of tooling across ecosystems.

Deps.dev has looked at the way requirements are specified in five ecosystems and translated them into a single set representation that enables unified tooling. We’ve discovered many ecosystem-specific quirks, but also discovered much commonality we can build upon.

This talk will define the essence of requirements, demonstrate how they are incompletely met by various existing systems, and most importantly we will argue that a well-defined, well-supported requirement specification is vital to the industry.

The Software Bill of Materials (SBOM) and Supply-chain Levels for Software Artifacts (SLSA) are key frameworks for securing modern software supply chains. SPDX SBOM provides a detailed inventory of software components, dependencies, and metadata, while SLSA ensures these components are built through verifiable, tamper-resistant processes with clear provenance.

This talk will examine the synergies and differences between SLSA and SPDX SBOM, focusing on how SLSA’s provenance and authentication mechanisms can enhance the trustworthiness of SBOMs. We will explore overlapping fields captured by both standards, emphasizing the importance of interoperability and a shared roadmap to reduce duplication while leveraging their respective strengths.

A clear separation of concerns, with SLSA handling provenance and verification, and SPDX SBOM capturing comprehensive component metadata, can reduce redundancy and promote more efficient adoption. This session will outline how aligning these standards can improve software supply chain security and reliability, while fostering collaboration for cohesive evolution within the open-source community.

The last 12-18 months have been a landmark period for SBOM (software bill of materials) adoption. Although a fair number of organizations have been producing SBOMs for multiple years (often for specific regulatory compliance purposes), a much larger group has recently implemented broader SBOM management programs that cover a wider range of use cases.

This presentation — “SBOMs in the Real World: Practical Guidance for Three Common SBOM Scenarios” — will focus on three of these emerging areas:

SBOM generation and distribution to meet customer requests and new regulatory requirements
SBOM aggregation from internal teams and product units to facilitate centralized vulnerability management and response
SBOM ingestion from external software supplier networks to facilitate first- and third-party vulnerability management and response

Each section of this talk — which is based on extensive firsthand experience directly supporting numerous SBOM programs (from organizations in multiple regions, industries, and stages of maturity) — will include specific guidance to help attendees understand how SBOM programs within their organizations can more effectively manage these scenarios.

A discussion has opened inside the OpenChain community regarding what future standards may join the existing portfolio of ISO/IEC 5230 for license compliance and ISO/IEC 18974 for security assurance.

The focus of the OpenChain Project is on building trust in the supply chain, and on doing this from the perspective of compliance matters. In the last year, the project has begun to prepare guides for SBOM Quality Management and AI Bill of Material Compliance in the Supply Chain. Both of these read against the project charter and mission.

This talk will explore how these two guides could potentially grown into future ISO standards via the existing practices of the OpenChain Project and lessons learned in making ISO/IEC 18974 in the 2023/2024 period. Rather than announcing new standards, the talk is sharing the processes involved in consideration, to illustrated how open projects address ideas and proposals from all parties in a genuinely inclusive manner.