Open Source Summit North America 2025

Join the TODO Group and CURIOSS community for an interactive session where attendees can share use cases on how their organizations are investing in academic research. Explore practices for transferring knowledge from academia and the research community.

We welcome open source managers, OSPO leaders, and other stakeholders from organizations and universities engaged in research or interested to learn more.

Today it’s nearly impossible to build software without open source. Some projects are massively popular, and quite often used in multiple products within the same organization. But are we all collaborating on these projects in ways that are aligned across the company? Here your OSPO can help your organization work towards the same goals.
Which open source projects are built into your product portfolio? Who in your organization is contributing to these projects? How do you know your contributions are not impeding each other?
Broader involvement should occur in a coordinated and thoughtful manner across the key projects. Having a united front within open source communities will help your organization drive consistent and effective contributions.
The talk will cover:
● How can your OSPO help coordinate contributions across the organization?
● How can you identify your company’s strategic open source projects?
● How can we ensure these projects will continue to be viable and sustainable?
The audience will learn how an OSPO can enable more efficient and effective contributions to open source projects in ways that are aligned with both their business and community goals.

Package managers are essential to modern software development, simplifying dependency management but often hiding transitive changes. This has led to large, shifting dependency trees with little oversight.

Despite evolving independently, most package managers follow a similar model: fetching software and metadata. However, the format, quantity, and quality of this metadata vary significantly.

With heterogeneous language stacks on the rise, OSPOs struggle to manage these differences, making compliance an ongoing challenge.

This talk explores different package managers, the compliance data they provide, and highlights good practices from each. Finally, it proposes how the OSPO community can break silos between ecosystems, encouraging convergence on non-language-specific metadata and practices. This, in turn, will streamline compliance work and strengthen the open source ecosystem as a whole.

Open source has become a critical component of modern business strategy, yet its importance has often been overlooked in traditional strategic discussions. This presentation demonstrates how PEST analysis can be used to clarify its strategic value.

We validated Sony's history with open source initiatives in electronics, gaming, and film production, this analysis shows how these efforts aligned with favorable external factors. This provides insights into how open source drives innovation and talent acquisition.

Looking forward, this presentation explores how companies can strategically align their open source initiatives with current political, economic, social, and technological trends. This includes understanding the impact of emerging regulations, generative AI, and the evolution of distributed collaboration.

Participants gain valuable insights into the strategic importance of open source and learn how to effectively advocate for open source initiatives within their organizations. This presentation offers practical tips for engaging both management and engineers in open source activities, ensuring that open source becomes a key driver of business success.

This Ask Anything session connects attendees to the TODO Group Steering Committee. The TODO Group is an open community of practitioners who aim to create, share knowledge and collaborate on best practices on open source management in organizations to run successful Open Source Program Offices.

Members of the steering committee will assist the audience through the best practices, guides, and tools made by and for open source managers to help them in their day-to-day responsibilities, as well as share their first-hand experiences and lessons learned in building and operating OSPOs. Additionally, attendees will learn ways to connect with the TODO Group – the largest OSPO community dedicated to building best practices in open source management. The session will also provide information on accessing OSPO mentorship in their local regions.

Growing new talent and attracting new developers is challenging for open source communities. Yet, it is vital to reach out to train the next generation of developers to keep the open source communities healthy and sustainable.

Equitable access to learning resources is a barrier for a significant number of new developers. It isn't easy for new developers to get a start in open source, connect with open source communities and contribute to them. It is equally challenging for employers to find new developers to add to their technical projects.

Shuah Khan will talk about Linux Foundation's six year journey to provide learning resources for new open source developers, opportunities to experts in open source communities to train and mentor the next generation, and make newly trained talent available to prospective employers.

In the vast landscape of the global Open Source community, Asia, despite its significant population, has historically seen limited contributions.
This session will delve into the recent surge in the establishment of regional user group in Japan and their ripple effects across Asia. We will explore the inception and growth of the OpenChain Project's Japan Chapter since 2017, which has catalyzed the expansion of regional communities in China, Korea, and beyond.
We will discuss the motivations driving individuals in these regional communities and highlight the unique characteristics of the OpenChain Japan community. Furthermore, we will examine the collaborative efforts between the Japanese community and other open source communities like the TODO Group, showcasing how these partnerships have amplified their impact.
Through our experiences, we will share insights on the essential elements for fostering successful regional communities in Japan. Additionally, we will introduce messages from the managers of OpenChain and the TODO Group, emphasizing the importance of integrating regional activities with the global open source ecosystem.

The origins of artificial intelligence can be traced back to Ancient Greek mythology and philosophy, where early musings on what it means to be human began. Throughout history, these ideas have shaped our understanding of intelligence and influenced our pursuit of creating machines like us. However, this quest often relies on an idealized version of what it means to be “human”, leading to the exclusion of diverse representations and perpetuating ableism. In this talk, we will explore how AI technologies contribute to modern ableism by reinforcing narrow definitions of intelligence and humanity. We will examine the exclusions inherent in these definitions and discuss whom these technologies leave behind and how. By understanding these biases embedded in AI, we can better address its role in society and work towards more inclusive technology.

Open source thrives on collaboration, but who gets to participate, and how? GitHub’s latest Open Source Survey provides key insights into the state of diversity, equity, inclusion, and accessibility (DEIA) in open source communities—revealing persistent challenges and opportunities for change.
In this session, we’ll explore data-backed strategies for fostering inclusivity at scale, blending insights from GitHub’s research with real-world case studies from diverse open source communities.

We’ll cover:
Key findings from GitHub’s Open Source Survey on inclusivity trends, barriers, and participation gaps.

Proven strategies for increasing diversity in open source projects, including best practices from GitHub’s programs and successful open source initiatives.

Lessons from the field: Case studies of communities that have successfully improved inclusion through mentorship, governance changes, and innovative outreach.

Metrics that matter: How to track progress in DEIA efforts without falling into vanity metrics.

Many organizations, companies, and departments are now eliminating DEI programs, and with this development, you may be asking what happens next. Even though DEI programs may be disappearing, the conversation around what it entails will still exist. How do we frame the conversation now, and what can we do to advocate on behalf of underrepresented groups? I will walk through some ways in which we can move forward. As someone who had to work with a global audience, I found that the term DEI did not always resonate with everyone. From that experience, I had to find ways to discuss the issues that DEI was meant to address, such as disparity in experiences, perceptions around fairness, the need for better communication processes, and psychological safety on teams. We can use these lessons with a global audience that had different histories and cultural contexts to ensure that conversation is relevant for everyone.

With escalating cyber threats and increasing regulatory pressure, government agencies face a critical need to modernize their security strategies. The Zero Trust model—"never trust, always verify"—has emerged as a cornerstone for safeguarding sensitive data and infrastructure. However, implementing Zero Trust in government settings presents unique challenges, including legacy systems, complex compliance requirements, and the need to balance security with operational efficiency. This talk will provide a roadmap for adopting Zero Trust principles in government environments, offering actionable insights to overcome obstacles and ensure mission readiness.

Drawing from our experiences within the public sector, we discuss software supply chain security as it pertains to public sector organizations, including the unique risks and challenges they face and how we can all work together to improve the security of the open source ecosystem.

In this session, I will explore how Generative AI agents are becoming a cornerstone of Digital Public Infrastructure (DPI) using open source, reshaping citizen services and empowering governments to deliver more efficient, responsive, and accessible public services. Learn how Generative AI Agents are revolutionizing government websites, offering 24/7 citizen support, and providing real-time assistance across a wide range of public services. With the ability to handle inquiries, process data, and generate personalized responses, these AI agents significantly reduce wait times and streamline interactions, ensuring faster and more seamless communication between citizens and government agencies. We’ll dive into practical applications, from simplifying bureaucracy to enhancing transparency and accountability, and discuss the transformative potential of Generative AI in creating smarter, more inclusive government channels.

As security concerns continue to grow in the software industry, customers seek assurance that the software they rely on is built securely. While applying security patches is essential, it is equally important to understand the proactive measures taken throughout the development process to ensure that our software is built securely.

Red Hat follows a comprehensive Secure Software Development Lifecycle (SDLC) framework to improve software security during the entire software lifecycle. We use an open source end-to-end build and release environment, which uses SLSA framework as a guide for reinforcing and gating the build process to secure and fortify your software supply chain against various threats.

This session will include:
- The key difference between proactive and reactive security measures.
- SDLC objectives and how Red Hat achieves them to meet high security standards.
- Overview of how automated testing and open-source solutions enhance SDLC.
- Proactive vulnerability management during the build lifecycle phase.
- Secure software building with attestation data production, including CSAF/VEX and SBOM.
- Future of AI testing within the software supply chain security.

Software supply chain attacks have surged in recent years, posing significant threats to organizations. In response, Software Bill of Materials (SBOMs)—structured inventories that document software components—have been proposed to enhance supply chain transparency, track dependencies, and manage vulnerabilities. Despite increasing adoption, their correctness and completeness in real-world open-source ecosystems remain largely unexamined. Incomplete SBOMs can result in overlooked vulnerabilities while incorrect dependency may waste resources on non-existent issues.

This talk introduces JBomAudit, an open-source tool to automatically verify Java SBOMs by systematically assessing their correctness and completeness against NTIA minimum requirements. We will cover technical details of JBomAudit, demonstrate how it examines missing and incorrect dependencies, and present findings from our large-scale analysis of over 25,000 Java SBOMs, highlighting the prevalence of non-compliant SBOMs and security implications. We will also discuss common pitfalls in SBOM generation, analyze the root causes of non-compliance, and provide actionable recommendations to improve SBOM quality.