Open Source Summit North America 2025

Beyond the hype, AI is already impacting Linux kernel engineering workflows. This talk presents concrete examples from real-world applications in Linux kernel LTS maintenance and CVE assignment processes. We'll examine where AI tools have meaningfully improved development processes and where they fall short.
Drawing from hands-on experience, we'll demonstrate how AI assists in analyzing patches for LTS kernel trees and streamlines vulnerability classification workflows. We'll share specific metrics showing both successes and limitations, focusing on practical applications rather than theoretical possibilities. We'll also explore emerging opportunities where AI could enhance kernel development while maintaining high engineering standards.
This technical session provides kernel developers, maintainers, and engineering leaders with actionable insights for integrating AI tools into their workflows while preserving the rigor of kernel development practices.

COSMIC DE is a new, full-featured desktop environment (like GNOME and KDE) written from scratch in the Rust programming language. It does not rely on GTK or Qt. Instead COSMIC uses a new Rust GUI toolkit called iced and the system76 developed libcosmic toolkit for building interfaces and applications with advanced theming and customization features.

COSMIC DE includes a suite of first-party applications including a file browser, text editor, application store, settings, and terminal. There is also a growing community of third-party apps. COSMIC includes a custom compositor that features variable refresh rate, Xwayland support, animations, fractional scaling, modern hybrid graphics features, window snapping and auto-tiling.

What makes COSMIC truly unique is that it's the first modular, composable desktop environment. For a user that means they can easily adapt COSMIC to their preferred workflow. Linux distributions can create wholly unique user experiences.
And companies can develop unique products using COSMIC.

Carl will discuss why system76 built COSMIC DE, show its features, and demonstrate how unique experiences can be composed with COSMIC DE.

Are you drowning in a sea of vulnerability advisories, wondering why patching one thing doesn't fix everything? Despite a shared origin, a CVE's impact diverges significantly across Linux distributions. Consequently, a fix at the source does not automatically translate to comprehensive protection downstream. Each distribution requires independent patching, leading to a complex web of security advisories stemming from a single flaw.

In this talk, you'll learn how OSV tools can help you navigate this sea of advisories. We'll explore the root causes of advisory proliferation in Linux and demonstrate how OSV.dev aggregates and cross-references vulnerability data at scale to provide a more complete picture. You'll also see how OSV-Scanner accurately identifies vulnerabilities in your Linux systems, considering distribution-specific nuances and offering actionable guidance. By the end of this session, you'll be equipped with the knowledge and tools to patch smarter and secure your Linux infrastructure more effectively.

Understand how all binaries interact with the linux kernel, how the linux kernel sees userspace code, how it expects it to behave, and how you, an author of such programs, should in response interact with it. intentrace is a rewrite of strace in Rust. currently in Beta.

This talk presents a method to enhance CPU scheduling by leveraging machine learning (ML) to extract the key features necessary for task migration, allowing for dynamic and stable optimization of workloads in scenarios prone to CPU imbalance. The approach is built on the sched_ext framework, which integrates eBPF to support user-defined scheduling policies within the Linux kernel.

While conventional approaches maximize CPU utilization, they often overlook contention for lower-level hardware resources, leading to performance bottlenecks -- particularly in compute-intensive servers. By using an ML-based, resource-aware load balancer, this method effectively addresses such imbalances. With sched_ext, we can collect training data and run inference on the model without modifying the kernel.

Our experiments demonstrate that, for certain workloads, this ML-driven approach can outperform EEVDF, offering notable performance gains for the CPU scheduler.

The Linux kernel project has been going for well over 30 years. From its beginnings on floppy diskettes and beige boxes through to its current home in pockets and unseen data centers, the kernel project has been a constant exercise in rapid development and adaptation. I have been present for almost all of the kernel project's history as an observer, contributor, maintainer, and more; all that experience will be boiled down into a fast-moving tour of how the kernel got to where it is, what makes it successful, and what may be coming next.

While containers provide isolation for CPU cycles and memory capacity, they offer limited protection against performance interference through shared CPU caches and memory bandwidth. Such contention was shown to increase application response times by 4-13x. The Linux resctrl infrastructure provides monitoring and control mechanisms, but has limitations for controlling real-world applications.

For example, child processes do not inherit their parent's resctrl groups, leaving any application that forks improperly monitored and controlled. Additionally, the current filesystem-based interface makes it difficult to build a controller that can monitor and adjust quickly enough to keep up with frequently changing application memory behavior.

This talk introduces the memory interference problem and presents new kernel mechanisms to address these limitations. A new collector enables effective control by capturing per-container measurements of cache and memory bandwidth usage at millisecond frequencies. We'll cover how the solution combines Intel RDT, AMD QoS, high-resolution timers, perf counters, and cgroups to achieve this. We'll discuss future work and opportunities for collaboration.

We present the Rex project (https://github.com/rex-rs/rex). Rex is a Linux kernel extension framework that allows extension programs to be written in safe Rust. Rex offers similar safety guarantees to eBPF. Unlike eBPF-based tools like Aya, Rex extensions are not compiled into eBPF bytecode. Rex eliminates the in-kernel verifier – the safety of Rex extensions is built atop language-based safety plus runtime protection. Specifically, the Rex compiler enforces Rex extensions to be written in a subset of safe Rust, and emits native code directly. Rex implements its kernel crate with a safe interface that wraps existing eBPF interface. Rex also employs a lightweight runtime that implements graceful Rust panic handling with resource cleanups, kernel stack checks, and program termination.

Rex provides a more usable and arguably safer alternative to eBPF. The usability advantage comes from the elimination of in-kernel verifiers that are known to reject safe extension programs with cryptic feedback. We also show that Rex’s runtime protection provides stronger safety than eBPF in a few aspects, e.g., protecting kernel stacks from overflowing.

More details: https://tinyurl.com/y8uj8ypp

The vmalloc mechanism in the Linux kernel provides contiguous virtual memory allocations, even when the underlying physical memory is non-contiguous. However, with increasing adoption and usage, the synchronization of vmalloc data structures poses significant performance challenges, particularly in many-core systems with 256+ cores.

This session will explore the scalability improvements made to the vmalloc mechanism, covering the following key topics:

1. An overview of the legacy vmalloc approach, which relies on a single global lock for data synchronization.

2. Introduction to an enhanced vmap node implementation designed to address the limitations of the legacy approach.

3. Identification and detailed analysis of two remaining performance bottlenecks despite the enhanced vmap node implementation, along with their proposed solutions.

Join us to gain insights into the evolving design of vmalloc and its implications for performance in modern high-core-count systems.

Ever wonder how a bug fix lands on the kernel you are running on your system?

Would you like to know how to effectively get such fixes in the hands of most users?

From the time it gets submitted for review until an update is available in a distro, a lot of processes need to be followed and many people are involved.

The talk will go over some of these processes, some of the obstacles that may get in the way and how to make it easier for the people who do the work to get these fixes into the hands of as many people as possible.

Over the past decade, the Xen community has worked tirelessly to develop key features that now form a top-tier automotive solution. Xen's most important role remains that of an enforcer, ensuring strict isolation between domains so that the execution of one domain remains unaffected by others. As one of the system's most critical components, Xen is well suited for the highest levels of safety certification.

Since 2023, AMD, in collaboration with the Xen community, has been working to make Xen safety-certifiable according to the ISO 26262 and IEC 61508 safety standards. A major milestone was achieved in Q4 2024 when we obtained Safety Concept Approval from the safety assessors. They reviewed Xen and our safety plans and confirmed compliance with the relevant standards. This is a critical milestone on the road to Xen safety, demonstrating that Xen can be safety-certified.

This presentation will provide detailed insights into the Safety Concept, the activities involved in its development, and the review process. Additionally, it will offer an in-depth update on our journey toward achieving Xen safety certification.

The Rust programming language is experiencing rapid adoption in critical infrastructure and systems programming, propelled by its memory safety guarantees and developer productivity advantages. Significant technology policies, such as the US National Cyber Strategy, explicitly endorse Rust as a pathway to memory-safe software. Unsafe code blocks, however, can circumvent Rust’s compile-time guarantees. To address this disparity, AWS has collaborated with the Rust Foundation on the Rust Standard Library Verification project, whose objective is to formally verify the safety of the Rust standard library. We are actively integrating automated verification into the Rust Library release process, thereby ensuring continuous safety validation across releases.

Our presentation will elucidate the structural framework and rationale underpinning our verification contest. We will demonstrate our current progress, showcasing successful verification examples and discussing the diverse open-source tools employed in the verification process. We will conclude with our prioritized areas for 2025 and practical ways for the Rust community to actively participate in this pivotal security initiative.

Recently the Safe Open Vehicle Core (S-Core) project was started as a collaborative code-first project between automotive OEMs and Tier suppliers developing a safety-certifiable middleware stack for high-performance ECUs in software-defined vehicles. Targeting the non-differentiating core functionality, S-Core middleware software sits between the hardware abstraction layer and the platform API accessed by vehicle function applications. Compatible with POSIX-based OSes like Automotive Grade Linux and complementary to the ELISA project, S-Core focuses on achieving ISO 26262, ASPICE, and ISO 21434 compliance.

This presentation details S-Core's development process, scope, status, and timeline, highlighting its integration within the broader automotive safety and SDV landscape. The author further showcases the project's work towards robust and automated development through a docs-as-code approach utilizing open-source tools such as ReStructuredText, Sphinx-Needs, Bazel, and PlantUML.

The shift towards software-defined vehicles (SDVs) is set to profoundly impact Original Equipment Manufacturers (OEMs) and their supply chains. As vehicles become increasingly defined by software and connectivity, OEMs face a new era of software supply chain logistics that emphasizes agility, cybersecurity, and regulatory compliance. This presentation examines how SDV technology affects each stage of the OEM supply chain, from sourcing and logistics to manufacturing and data-driven optimization. Critical to this transformation is the secure management of software and data flows across the supply chain, with a focus on cybersecurity strategies to counter software-based vulnerabilities. Additionally, the presentation explores how data analytics can be leveraged to streamline logistics and ensure compliance with rapidly evolving regulations

As open-source adoption expands into safety-critical domains, ensuring continuous compliance is a growing challenge. This session, grounded in the ELISA (Enabling Linux in Safety Applications) project, explores how SBOM-driven traceability can bridge the gap between open-source development and regulatory safety requirements. We’ll cover how SPDX 3.x, automated CI/CD workflows, and tools like ELISA’s BASIL enable traceability between compliance requirements, validation tests, and software components. Attendees will gain insights into best practices for managing SBOM evolution, mitigating risks in change impact analysis, and integrating compliance automation into modern DevOps pipelines. Whether you’re in open-source governance or safety-critical software engineering, this session provides actionable strategies to align compliance with innovation.