The Linux Foundation Member Summit 2025

The OpenChain Project has built two open source process management standards (ISO/IEC 5230 and ISO/IEC 18974) and deployed them across the open source supply chain. While OpenChain was the first Linux Foundation project in 14 years to produce an ISO standard, it is far from the last. During the 2023~2024 period, we saw growing engagement around Joint Development Foundation and committee discussions around standards or specifications in other LF projects. This talk will consolidate OpenChain's lessons learned in creating, submitting and deploying open source standards. It will help projects at any stage in the development lifecycle of specifications, including those only just considering this option for long-term impact. It will also help people with a specific interest in a more trusted supply chain to get more involved in OpenChain, building on our existing work or participating in new potential standards. Our optics will be on the legal, risk and compliance side due to the nature of the OpenChain Project's mission for a more trusted supply chain, but the core material will be equally applicable to technical, code or other projects working on this topic.

Open Source today lives in an age of great scrutiny and regulations. The use of open source in mission critical applications and critical infrastructure means the bar is higher for security and quality. Governments around the world are putting regulations and policies in place to hold open source software to a higher bar. And OSPOs need to understand these regulations and focus on what they need to do to get the organization ready for them. I will discuss the role of the OSPO and what it can do to prepare their organizations and developers in this age of regulations.

Open source software (OSS) has become a cornerstone of modern technological innovation. By allowing developers to collaborate and share code, OSS enables rapid progress and democratizes access to cutting-edge software. However, the very characteristics that make OSS so powerful—its openness, adaptability, and applicability—also make it a target for patent assertion entities (PAEs). These entities attempt to exploit the widespread adoption of common technologies across industries to extract patent settlements from businesses. The threat continues to grow as district court patent filings from PAEs grew by 14.1% in 2024, and are over half of all patent litigation cases.

Since 2005, Open Invention Network (OIN) has acted to safeguard OSS from patent risk through its patent cross-license in core OSS technologies. This session will provide information on the cross-license and case studies on how it has been used to successfully defend against PAEs.

This presentation will also discuss in detail efforts to protect OSS from PAEs by:
• collecting prior art and providing invalidity claim analyses
• supporting initiatives like the Open Source Zone, which has invalidated 50 NPE patents

Organizations that use open source software face risks related to licensing, security, and project health. Ensuring the sustainability of the open source ecosystem requires staying informed about compliance developments and achieving comprehensive visibility across activities. As the importance of Software Bill of Materials (SBOM) continues to grow, managing and utilizing this wealth of information effectively is becoming increasingly critical.

The goal is to equip application teams with tools that are both accessible and easy to manage while fostering strategic collaboration with internal risk partners, leadership, open source projects, open source contributions, and even vendors. Achieving scalable, efficient visibility into actual OSS usage is key.

So, how can organizations position themselves as proactive partners in this dynamic landscape? Join Georg Link and Brittany Istenes as they share practical strategies for navigating this complex ecosystem, empowering your organization to confidently and successfully leverage open source software.

In the rapidly evolving landscape of AI regulations, ensuring compliance with standards such as the EU AI Act, CRA (Cyber Resilience Act), ISO, and IEEE is paramount for organizations. The Linux Foundation's has a number of AI frameworks, such as the Model Openness Framework (MOF), Supply-chain Levels for Software Artifacts (SLSA), Responsible Generative AI Framework (RGAIF) and SPDX and Software Package Data Exchange (SPDX), which together provide a comprehensive approach to meeting
the needs of regulatory requirements. This talk demonstrates how these frameworks can be used to provide evidence of compliance,to enhance transparency, and ensure the security and integrity of AI systems.

By using these approaches, organizations can streamline their compliance processes, mitigate risks, and foster innovation. MOF ensures the openness and transparency of AI models, SLSA secures the software supply chain, RGAF guides organizations to embrace the ethical and intentional design, development and deployment of GAI solutions. Together, these tools offer a robust solution for navigating the complexities of AI regulations and standards.

When faced with a difficult challenge sometimes it helps to look back at lessons from ancient history to guide your thinking. The Open Source Initiative (OSI) is working to create a definition for Open Source AI (OSAID), aiming to apply open source principles to artificial intelligence development, but clearly the 1.0 version is a work-in-progress. Can it find success? How may policy-makers react? Join this session to hear about the latest efforts to define open source AI and what's likely in store for 2025.

The modern Academic Medical Center ("AMC") has evolved beyond research & patient care to perform traditional commercial IP functions such as administration, licensing, and development, all in support of their central mission of the advancement of science and medicine. Aligned with this central mission is the proliferation of open-science research and open source innovation at AMCs, who have received millions of dollars from the US government in hopes of creating a flourishing ecosystem of collaboration. Unfortunately, at Mass General Brigham ("MGB") and other AMCs, open science and open source projects struggle to find fit in both licensing compliance and policy. Particularly for MGB, the largest recipient of NIH Open Science funding in the country, its commercial evolution and conservative licensing polices have combined to cause an open source licensing log jam. This session will review the competing AMC policy concerns that have caused MGB to disavow the use of most if not all osi approved licenses, and eventually lead to the development of their own permissive "open source" license.

CRA is coming. And this European regulation will impact software development worldwide. And your operations will be impacted.

You will have 24 hours to discover and disclose any relevant, critical vulnerabilities and notify security agencies.

Join Philippe Ombredanne to review which people, what processes, and technologies you will need to deploy by September 2026 to avoid large fines. We will share the latest development of the regulation implementation and how to work out minimalist and practical plans for compliance.