The Linux Foundation Member Summit 2025

The OpenChain Project has built two open source process management standards (ISO/IEC 5230 and ISO/IEC 18974) and deployed them across the open source supply chain. While OpenChain was the first Linux Foundation project in 14 years to produce an ISO standard, it is far from the last. During the 2023~2024 period, we saw growing engagement around Joint Development Foundation and committee discussions around standards or specifications in other LF projects. This talk will consolidate OpenChain's lessons learned in creating, submitting and deploying open source standards. It will help projects at any stage in the development lifecycle of specifications, including those only just considering this option for long-term impact. It will also help people with a specific interest in a more trusted supply chain to get more involved in OpenChain, building on our existing work or participating in new potential standards. Our optics will be on the legal, risk and compliance side due to the nature of the OpenChain Project's mission for a more trusted supply chain, but the core material will be equally applicable to technical, code or other projects working on this topic.

Open source software is at the heart of innovation, but its complexity often slows developer adoption, limiting impact. Developers need more than great technology—they need intuitive, hands-on experiences that empower them to truly engage.

Sean Lauer, VP of Marketing & Product, will share insights from The State of Developer Adoption 2025, a research report commissioned by Instruqt and conducted by Developer Marketing Alliance, exploring trends in developer enablement. Learn how leaders plan to turn complexity into opportunity—empowering developers, aligning goals, and fostering ecosystems that drive open source innovation.

Key takeaways for attendees:
• Strategic insights into overcoming adoption challenges and engaging developers with open source tools
• How to align open source project goals with organizational enablement strategies for long-term impact
• Emerging trends in developer engagement and the future of open source adoption

This session will examine the importance of developing a strategy for maintenance, growth and development for OSS projects and foundations, and discuss the challenges in doing so. It will consider how to plan strategy development, how to ensure it is inclusive of the community and relevant stakeholders, how to ensure that key organisational and external aspects are considered, and how to track progress meaningfully towards success.

AI is everywhere now whether we like it or not. People want to use it in the workplace, but there are concerns about using this technology. Arm has established an AI Office (AIO) to give employees guidance on how they can use AI in their working lives as the world’s understandings evolve over license and copyright questions. As we stand on the brink of this transformative change, we must ask ourselves: are we ready to embrace the future and unlock the full potential of AI in our professional lives?

Unless your project explicitly becomes a Certification Numbering Authority (CNA), it is possible for almost anyone else to create a random CVE entry against your project. With the upcoming responsibility that projects have due to laws like the CRA in Europe, it is getting more and more important for all open source projects to handle the tracking of security bugs and identifiers themselves, instead of assuming others will do it for them.

cve.org now allows all open source projects to be their own CNA, so there is no excuse not to take ownership of this for your project. Groups like curl, the Linux Kernel, Kubernetes, and Python have all done this already, and OpenSSF has produced information explaining how you too can do it.

This talk will go into why you want to become a CNA, the steps involved, and tips learned from the Linux kernel CVE team in handling their 8 CVEs issued a day, alone with other information about other country's numbering authorities which will be coming online in the next few years.

Despite the availability of fixes for well-known vulnerabilities, open source software remains a significant target for attackers. In fact, three years after the infamous Log4j vulnerability, 13% of its downloads are still vulnerable. Even more concerning, 95% of vulnerable components downloaded today have a fixed version available.

In this session, Brian Fox (Sonatype), Christopher Robinson (OpenSSF), and Madison Oliver (GitHub) will explore these stark realities of open source vulnerabilities. The speakers will discuss why these vulnerabilities persist and how outdated or vulnerable components can slip through the cracks. Drawing from years of industry expertise, they will outline real-world remediation strategies and actionable best practices for mitigating open source risks.

Attendees will learn how to accelerate the adoption of secure components, integrate automated tools, and foster collaboration in the open source community to protect their software supply chain. Whether you’re a developer, security professional, or business leader, this session will equip you with the insights needed to secure your open source dependencies and strengthen your organization's resilience.

CRA is coming. And this European regulation will impact software development worldwide. And your operations will be impacted.

You will have 24 hours to discover and disclose any relevant, critical vulnerabilities and notify security agencies.

Join Philippe Ombredanne to review which people, what processes, and technologies you will need to deploy by September 2026 to avoid large fines. We will share the latest development of the regulation implementation and how to work out minimalist and practical plans for compliance.