The Linux Foundation Member Summit 2025

When we launched the Zephyr project 9 years ago, we had the goal of adopting security and safety best practices. In the years since then it has grown to be one of the most active projects at the Linux Foundation. There were some good starting points and practices available to adopt for Security, but Safety was an open area. How could an open source project with a high velocity of change achieve safety certification? This session will go through some of the learning experiences that let us get our concept approval in December of 2024, and have a solid plan to achieve safety certification.

Universities are important sources of talent and innovation for open source projects. Successful open source projects originating from academic researchers – including Ceph and Jupyter – highlight the benefits to be gained from university-based open source projects. However, much of the open source work occurring in academic settings are siloed, and potential innovations that could benefit industry and society at large are lost as funding cycles end and research stalls. This session aims to answer the question of how to create mutually beneficial relationships between academia and open source. It will include introductory discussion by experts to provide insights for improving collaborations between open source, industry and universities, and how organizations like the Linux Foundation can play a part. The discussion will ask participants to consider questions such as: how can universities improve training for the next generation of open source leaders; how can communities better on-board students and researchers looking to contribute to their projects; and how can industry partners and foundations/fiscal sponsors help the development of academic open source ecosystems?

Microsoft's Open Source Programs Office (OSPO) has been building tools and resources to increase visibility of risk according to a set of metrics (Rubrics) in our open source dependencies.

Like many things open source, the path to resolving risk through investment, is a 'learn by doing' exercise. Simply saying 'this project needs funds' isn't helpful to decision makers. What *is*helpful is being able to describe risk, who shares that risk, and what type of investment is most likely to have impact (and ways of tracking that investment over time).

In this talk, I'll share with you our new learn by doing 'investing in open source dependencies framework' to help those advocating for funding, build business cases to advocate strategically for those outcomes. I'll also share a couple of case studies to show how it might work in your company.

We’re learning here too, and look forward to expanding some of the ways we can experiment together and empower every employee to advocate for the need that they see in their dependencies to ultimately contribute to a more secure healthy ecosystem.

The Cyber Resiliency Act was passed into EU law in 2024, and the clock is ticking. Manufacturers of products with digital elements must begin reporting in 2 years, with compliance enforceable in 3 years. This talk will share Dell’s initial compliance approach, which includes analyzation of requirements and intent into actionable items to drive product teams to compliance and roadmap development efforts. The presenters will share how Dell’s participation in OpenSSF accelerates our internal CRA compliance journey, as well as creates opportunities for Dell to collaborate with others in the industry to improve OSS security of the upstream OSS we all share.

This Ask Me Anything session connects attendees to the TODO Group Steering Committee. The TODO Group is an open community of practitioners who aim to create, share knowledge and collaborate on best practices on open source management in organizations to run successful Open Source Program Offices.

Members of the steering committee will assist the audience through the best practices, guides, and tools made by and for open source managers to help them in their day-to-day responsibilities, as well as share their first-hand experiences and lessons learned in building and operating OSPOs. Additionally, attendees will learn ways to connect with the TODO Group – the largest OSPO community dedicated to building best practices in open source management. The session will also provide insights into what OSPOs are facing within the compliance and policy space as well as how people can partner with the ToDo Group.

Ant Group established its Open Source Program Office (OSPO) over three years ago, initially focused on compliance and project support. Over the years, the team has evolved into a full-fledged business unit with dedicated emphasis on strategy, growth, developer experience, and internationalization. As the team has matured, one key insight we've gained is the critical importance of development tooling and "OSPO infra" to systematically support our growing portfolio of more than 20 internal projects—a number that continues to expand.

Operating without dedicated developer or product resources, we have pioneered a unique approach to building and scaling our infrastructure. In this session, we will share our perspective for "OSPO infra" and the toolkit we've developed so far. We will also explore a specialized area of focus for Ant Group—graph technology—and how it plays a critical role in this initiative.

The second half of the presentation will delve into a case study demonstrating how our OSPO collaborates with the Graph team (https://github.com/tugraph-family) to build open-source tools that have proven valuable in supporting and serving OSS teams.

Research has shown that diversity is not just a buzzword but a critical factor that significantly impacts the effectiveness and success of open-source communities. Building an inclusive environment requires more than recognizing the importance of diversity; it demands concrete actions, tangible outcomes, and a genuine commitment to creating a welcoming space for all contributors. This talk draws from an in-depth study of the GNOME Project's diversity and inclusion strategies, examining the opportunities and challenges in fostering inclusiveness. By exploring these experiences, the aim of this talk is to provide actionable recommendations for improving diversity efforts.

While some open-source projects have implemented strategies to create a diverse and inclusive environment, they often struggle to achieve impactful outcomes. How can we move beyond setting diversity and inclusion strategies to achieve measurable results? Are policies and initiatives enough to foster true inclusiveness? In this talk, I will share recommended strategies to foster contributions from diverse groups.