The Linux Foundation Member Summit 2025

Open Source today lives in an age of great scrutiny and regulations. The use of open source in mission critical applications and critical infrastructure means the bar is higher for security and quality. Governments around the world are putting regulations and policies in place to hold open source software to a higher bar. And OSPOs need to understand these regulations and focus on what they need to do to get the organization ready for them. I will discuss the role of the OSPO and what it can do to prepare their organizations and developers in this age of regulations.

Discover the power of the Open Mobile Hub Project (OMH), a game-changer in mobile development. Hosted by the Linux Foundation Europe and supported by a global network of industry leaders, OMH is creating an open, collaborative ecosystem for developers, service providers, and users alike.

This session will highlight how OMH’s open-source framework simplifies cross-platform app development, boosts interoperability, and fosters innovation. Learn how OMH is reshaping the mobile landscape and how you can get involved in driving this transformative movement forward.

Open source software (OSS) has become a cornerstone of modern technological innovation. By allowing developers to collaborate and share code, OSS enables rapid progress and democratizes access to cutting-edge software. However, the very characteristics that make OSS so powerful—its openness, adaptability, and applicability—also make it a target for patent assertion entities (PAEs). These entities attempt to exploit the widespread adoption of common technologies across industries to extract patent settlements from businesses. The threat continues to grow as district court patent filings from PAEs grew by 14.1% in 2024, and are over half of all patent litigation cases.

Since 2005, Open Invention Network (OIN) has acted to safeguard OSS from patent risk through its patent cross-license in core OSS technologies. This session will provide information on the cross-license and case studies on how it has been used to successfully defend against PAEs.

This presentation will also discuss in detail efforts to protect OSS from PAEs by:
• collecting prior art and providing invalidity claim analyses
• supporting initiatives like the Open Source Zone, which has invalidated 50 NPE patents

Organizations that use open source software face risks related to licensing, security, and project health. Ensuring the sustainability of the open source ecosystem requires staying informed about compliance developments and achieving comprehensive visibility across activities. As the importance of Software Bill of Materials (SBOM) continues to grow, managing and utilizing this wealth of information effectively is becoming increasingly critical.

The goal is to equip application teams with tools that are both accessible and easy to manage while fostering strategic collaboration with internal risk partners, leadership, open source projects, open source contributions, and even vendors. Achieving scalable, efficient visibility into actual OSS usage is key.

So, how can organizations position themselves as proactive partners in this dynamic landscape? Join Georg Link and Brittany Istenes as they share practical strategies for navigating this complex ecosystem, empowering your organization to confidently and successfully leverage open source software.

Generative AI has plenty of use cases in Finance. From the customer support on the front office, to research, business analysis and optimization of investment cases.
However most companies get stuck at the "Proof of concept" stage.
While it is relatively quick to create a demo with a "Wow effect", building the right pipelines, governance, security and controls and in general get the buy in and approvals from legal and compliance teams is extremely hard.

In this presentation we will show a detailed runbook on how to leverage Generative AI cases at scale in the organization, from the perspective of the first company that delivered a production application in the market.

We will review how to build an open innovation system that promotes collaboration in what we called "The era of the 14.000 innovators" where every employee became a prompt engineer. And how we harnessed that power to put dozens of use cases in production (internal and external) as well as the edge research on agents and beyond.

In the rapidly evolving landscape of AI regulations, ensuring compliance with standards such as the EU AI Act, CRA (Cyber Resilience Act), ISO, and IEEE is paramount for organizations. The Linux Foundation's has a number of AI frameworks, such as the Model Openness Framework (MOF), Supply-chain Levels for Software Artifacts (SLSA), Responsible Generative AI Framework (RGAIF) and SPDX and Software Package Data Exchange (SPDX), which together provide a comprehensive approach to meeting
the needs of regulatory requirements. This talk demonstrates how these frameworks can be used to provide evidence of compliance,to enhance transparency, and ensure the security and integrity of AI systems.

By using these approaches, organizations can streamline their compliance processes, mitigate risks, and foster innovation. MOF ensures the openness and transparency of AI models, SLSA secures the software supply chain, RGAF guides organizations to embrace the ethical and intentional design, development and deployment of GAI solutions. Together, these tools offer a robust solution for navigating the complexities of AI regulations and standards.

When faced with a difficult challenge sometimes it helps to look back at lessons from ancient history to guide your thinking. The Open Source Initiative (OSI) is working to create a definition for Open Source AI (OSAID), aiming to apply open source principles to artificial intelligence development, but clearly the 1.0 version is a work-in-progress. Can it find success? How may policy-makers react? Join this session to hear about the latest efforts to define open source AI and what's likely in store for 2025.

The modern Academic Medical Center ("AMC") has evolved beyond research & patient care to perform traditional commercial IP functions such as administration, licensing, and development, all in support of their central mission of the advancement of science and medicine. Aligned with this central mission is the proliferation of open-science research and open source innovation at AMCs, who have received millions of dollars from the US government in hopes of creating a flourishing ecosystem of collaboration. Unfortunately, at Mass General Brigham ("MGB") and other AMCs, open science and open source projects struggle to find fit in both licensing compliance and policy. Particularly for MGB, the largest recipient of NIH Open Science funding in the country, its commercial evolution and conservative licensing polices have combined to cause an open source licensing log jam. This session will review the competing AMC policy concerns that have caused MGB to disavow the use of most if not all osi approved licenses, and eventually lead to the development of their own permissive "open source" license.

The EU Cyber Resilience Act (CRA) has been adopted, and the new obligations for manufacturers and open source software stewards will come into effect in 2026 and 2027. This joint session between Linux Foundation Europe, LF Research, and the OpenSSF will describe how the Linux Foundation is seizing the opportunity for an improved state of the union in cybersecurity that the CRA offers, and is steering necessary adaptations for the benefit of our members, projects, and contributors.

Specifically, this session will describe CRA implementation progress, commencing with the Linux Foundation's stewards and manufacturers workshop in December 2024, new working groups at the OpenSSF, and research projects, to provide guidance and raise awareness within our ecosystem. It will end with an interactive panel discussion where questions about the impact of the CRA on our collaborative development efforts will be addressed.

When we launched the Zephyr project 9 years ago, we had the goal of adopting security and safety best practices. In the years since then it has grown to be one of the most active projects at the Linux Foundation. There were some good starting points and practices available to adopt for Security, but Safety was an open area. How could an open source project with a high velocity of change achieve safety certification? This session will go through some of the learning experiences that let us get our concept approval in December of 2024, and have a solid plan to achieve safety certification.

Universities are important sources of talent and innovation for open source projects. Successful open source projects originating from academic researchers – including Ceph and Jupyter – highlight the benefits to be gained from university-based open source projects. However, much of the open source work occurring in academic settings are siloed, and potential innovations that could benefit industry and society at large are lost as funding cycles end and research stalls. This session aims to answer the question of how to create mutually beneficial relationships between academia and open source. It will include introductory discussion by experts to provide insights for improving collaborations between open source, industry and universities, and how organizations like the Linux Foundation can play a part. The discussion will ask participants to consider questions such as: how can universities improve training for the next generation of open source leaders; how can communities better on-board students and researchers looking to contribute to their projects; and how can industry partners and foundations/fiscal sponsors help the development of academic open source ecosystems?

Microsoft's Open Source Programs Office (OSPO) has been building tools and resources to increase visibility of risk according to a set of metrics (Rubrics) in our open source dependencies.

Like many things open source, the path to resolving risk through investment, is a 'learn by doing' exercise. Simply saying 'this project needs funds' isn't helpful to decision makers. What *is*helpful is being able to describe risk, who shares that risk, and what type of investment is most likely to have impact (and ways of tracking that investment over time).

In this talk, I'll share with you our new learn by doing 'investing in open source dependencies framework' to help those advocating for funding, build business cases to advocate strategically for those outcomes. I'll also share a couple of case studies to show how it might work in your company.

We’re learning here too, and look forward to expanding some of the ways we can experiment together and empower every employee to advocate for the need that they see in their dependencies to ultimately contribute to a more secure healthy ecosystem.

The Cyber Resiliency Act was passed into EU law in 2024, and the clock is ticking. Manufacturers of products with digital elements must begin reporting in 2 years, with compliance enforceable in 3 years. This talk will share Dell’s initial compliance approach, which includes analyzation of requirements and intent into actionable items to drive product teams to compliance and roadmap development efforts. The presenters will share how Dell’s participation in OpenSSF accelerates our internal CRA compliance journey, as well as creates opportunities for Dell to collaborate with others in the industry to improve OSS security of the upstream OSS we all share.

This Ask Me Anything session connects attendees to the TODO Group Steering Committee. The TODO Group is an open community of practitioners who aim to create, share knowledge and collaborate on best practices on open source management in organizations to run successful Open Source Program Offices.

Members of the steering committee will assist the audience through the best practices, guides, and tools made by and for open source managers to help them in their day-to-day responsibilities, as well as share their first-hand experiences and lessons learned in building and operating OSPOs. Additionally, attendees will learn ways to connect with the TODO Group – the largest OSPO community dedicated to building best practices in open source management. The session will also provide insights into what OSPOs are facing within the compliance and policy space as well as how people can partner with the ToDo Group.

Ant Group established its Open Source Program Office (OSPO) over three years ago, initially focused on compliance and project support. Over the years, the team has evolved into a full-fledged business unit with dedicated emphasis on strategy, growth, developer experience, and internationalization. As the team has matured, one key insight we've gained is the critical importance of development tooling and "OSPO infra" to systematically support our growing portfolio of more than 20 internal projects—a number that continues to expand.

Operating without dedicated developer or product resources, we have pioneered a unique approach to building and scaling our infrastructure. In this session, we will share our perspective for "OSPO infra" and the toolkit we've developed so far. We will also explore a specialized area of focus for Ant Group—graph technology—and how it plays a critical role in this initiative.

The second half of the presentation will delve into a case study demonstrating how our OSPO collaborates with the Graph team (https://github.com/tugraph-family) to build open-source tools that have proven valuable in supporting and serving OSS teams.

Research has shown that diversity is not just a buzzword but a critical factor that significantly impacts the effectiveness and success of open-source communities. Building an inclusive environment requires more than recognizing the importance of diversity; it demands concrete actions, tangible outcomes, and a genuine commitment to creating a welcoming space for all contributors. This talk draws from an in-depth study of the GNOME Project's diversity and inclusion strategies, examining the opportunities and challenges in fostering inclusiveness. By exploring these experiences, the aim of this talk is to provide actionable recommendations for improving diversity efforts.

While some open-source projects have implemented strategies to create a diverse and inclusive environment, they often struggle to achieve impactful outcomes. How can we move beyond setting diversity and inclusion strategies to achieve measurable results? Are policies and initiatives enough to foster true inclusiveness? In this talk, I will share recommended strategies to foster contributions from diverse groups.