The Linux Foundation Member Summit 2025

The OpenChain Project has built two open source process management standards (ISO/IEC 5230 and ISO/IEC 18974) and deployed them across the open source supply chain. While OpenChain was the first Linux Foundation project in 14 years to produce an ISO standard, it is far from the last. During the 2023~2024 period, we saw growing engagement around Joint Development Foundation and committee discussions around standards or specifications in other LF projects. This talk will consolidate OpenChain's lessons learned in creating, submitting and deploying open source standards. It will help projects at any stage in the development lifecycle of specifications, including those only just considering this option for long-term impact. It will also help people with a specific interest in a more trusted supply chain to get more involved in OpenChain, building on our existing work or participating in new potential standards. Our optics will be on the legal, risk and compliance side due to the nature of the OpenChain Project's mission for a more trusted supply chain, but the core material will be equally applicable to technical, code or other projects working on this topic.

Open Source today lives in an age of great scrutiny and regulations. The use of open source in mission critical applications and critical infrastructure means the bar is higher for security and quality. Governments around the world are putting regulations and policies in place to hold open source software to a higher bar. And OSPOs need to understand these regulations and focus on what they need to do to get the organization ready for them. I will discuss the role of the OSPO and what it can do to prepare their organizations and developers in this age of regulations.

Open source software (OSS) has become a cornerstone of modern technological innovation. By allowing developers to collaborate and share code, OSS enables rapid progress and democratizes access to cutting-edge software. However, the very characteristics that make OSS so powerful—its openness, adaptability, and applicability—also make it a target for patent assertion entities (PAEs). These entities attempt to exploit the widespread adoption of common technologies across industries to extract patent settlements from businesses. The threat continues to grow as district court patent filings from PAEs grew by 14.1% in 2024, and are over half of all patent litigation cases.

Since 2005, Open Invention Network (OIN) has acted to safeguard OSS from patent risk through its patent cross-license in core OSS technologies. This session will provide information on the cross-license and case studies on how it has been used to successfully defend against PAEs.

This presentation will also discuss in detail efforts to protect OSS from PAEs by:
• collecting prior art and providing invalidity claim analyses
• supporting initiatives like the Open Source Zone, which has invalidated 50 NPE patents

Organizations that use open source software face risks related to licensing, security, and project health. Ensuring the sustainability of the open source ecosystem requires staying informed about compliance developments and achieving comprehensive visibility across activities. As the importance of Software Bill of Materials (SBOM) continues to grow, managing and utilizing this wealth of information effectively is becoming increasingly critical.

The goal is to equip application teams with tools that are both accessible and easy to manage while fostering strategic collaboration with internal risk partners, leadership, open source projects, open source contributions, and even vendors. Achieving scalable, efficient visibility into actual OSS usage is key.

So, how can organizations position themselves as proactive partners in this dynamic landscape? Join Georg Link and Brittany Istenes as they share practical strategies for navigating this complex ecosystem, empowering your organization to confidently and successfully leverage open source software.

In the rapidly evolving landscape of AI regulations, ensuring compliance with standards such as the EU AI Act, CRA (Cyber Resilience Act), ISO, and IEEE is paramount for organizations. The Linux Foundation's has a number of AI frameworks, such as the Model Openness Framework (MOF), Supply-chain Levels for Software Artifacts (SLSA), Responsible Generative AI Framework (RGAIF) and SPDX and Software Package Data Exchange (SPDX), which together provide a comprehensive approach to meeting
the needs of regulatory requirements. This talk demonstrates how these frameworks can be used to provide evidence of compliance,to enhance transparency, and ensure the security and integrity of AI systems.

By using these approaches, organizations can streamline their compliance processes, mitigate risks, and foster innovation. MOF ensures the openness and transparency of AI models, SLSA secures the software supply chain, RGAF guides organizations to embrace the ethical and intentional design, development and deployment of GAI solutions. Together, these tools offer a robust solution for navigating the complexities of AI regulations and standards.

When faced with a difficult challenge sometimes it helps to look back at lessons from ancient history to guide your thinking. The Open Source Initiative (OSI) is working to create a definition for Open Source AI (OSAID), aiming to apply open source principles to artificial intelligence development, but clearly the 1.0 version is a work-in-progress. Can it find success? How may policy-makers react? Join this session to hear about the latest efforts to define open source AI and what's likely in store for 2025.

The modern Academic Medical Center ("AMC") has evolved beyond research & patient care to perform traditional commercial IP functions such as administration, licensing, and development, all in support of their central mission of the advancement of science and medicine. Aligned with this central mission is the proliferation of open-science research and open source innovation at AMCs, who have received millions of dollars from the US government in hopes of creating a flourishing ecosystem of collaboration. Unfortunately, at Mass General Brigham ("MGB") and other AMCs, open science and open source projects struggle to find fit in both licensing compliance and policy. Particularly for MGB, the largest recipient of NIH Open Science funding in the country, its commercial evolution and conservative licensing polices have combined to cause an open source licensing log jam. This session will review the competing AMC policy concerns that have caused MGB to disavow the use of most if not all osi approved licenses, and eventually lead to the development of their own permissive "open source" license.

CRA is coming. And this European regulation will impact software development worldwide. And your operations will be impacted.

You will have 24 hours to discover and disclose any relevant, critical vulnerabilities and notify security agencies.

Join Philippe Ombredanne to review which people, what processes, and technologies you will need to deploy by September 2026 to avoid large fines. We will share the latest development of the regulation implementation and how to work out minimalist and practical plans for compliance.

The SBOM (Software Bill of Materials) for a single automotive vehicle is in high demand. Modern vehicles are advanced information systems that constantly evolve, with frequently changing software configurations. This trend is even more pronounced in Software Defined Vehicles (SDVs). Open source supports this evolution. Understanding the software components that make up a vehicle is crucial for asset and risk management, making it a valuable endeavor in the software supply chain. The introduction of process management standards like ISO 5230 and ISO 18974, and the adoption of standard data formats through SPDX Lite (ISO 5962 (SPDX 2.2.1) and the annex of SPDX 2.3), are expected to yield significant results. Meanwhile, there is growing interest in more effective SBOM content and how to share and handle this information. In this session, we will share insights and challenges gained through the development of IVI.

Microsoft's Open Source Programs Office (OSPO) has been building tools and resources to increase visibility of risk according to a set of metrics (Rubrics) in our open source dependencies.

Like many things open source, the path to resolving risk through investment, is a 'learn by doing' exercise. Simply saying 'this project needs funds' isn't helpful to decision makers. What *is*helpful is being able to describe risk, who shares that risk, and what type of investment is most likely to have impact (and ways of tracking that investment over time).

In this talk, I'll share with you our new learn by doing 'investing in open source dependencies framework' to help those advocating for funding, build business cases to advocate strategically for those outcomes. I'll also share a couple of case studies to show how it might work in your company.

We’re learning here too, and look forward to expanding some of the ways we can experiment together and empower every employee to advocate for the need that they see in their dependencies to ultimately contribute to a more secure healthy ecosystem.

This Ask Me Anything session connects attendees to the TODO Group Steering Committee. The TODO Group is an open community of practitioners who aim to create, share knowledge and collaborate on best practices on open source management in organizations to run successful Open Source Program Offices.

Members of the steering committee will assist the audience through the best practices, guides, and tools made by and for open source managers to help them in their day-to-day responsibilities, as well as share their first-hand experiences and lessons learned in building and operating OSPOs. Additionally, attendees will learn ways to connect with the TODO Group – the largest OSPO community dedicated to building best practices in open source management. The session will also provide insights into what OSPOs are facing within the compliance and policy space as well as how people can partner with the ToDo Group.

Ant Group established its Open Source Program Office (OSPO) over three years ago, initially focused on compliance and project support. Over the years, the team has evolved into a full-fledged business unit with dedicated emphasis on strategy, growth, developer experience, and internationalization. As the team has matured, one key insight we've gained is the critical importance of development tooling and "OSPO infra" to systematically support our growing portfolio of more than 20 internal projects—a number that continues to expand.

Operating without dedicated developer or product resources, we have pioneered a unique approach to building and scaling our infrastructure. In this session, we will share our perspective for "OSPO infra" and the toolkit we've developed so far. We will also explore a specialized area of focus for Ant Group—graph technology—and how it plays a critical role in this initiative.

The second half of the presentation will delve into a case study demonstrating how our OSPO collaborates with the Graph team (https://github.com/tugraph-family) to build open-source tools that have proven valuable in supporting and serving OSS teams.

Research has shown that diversity is not just a buzzword but a critical factor that significantly impacts the effectiveness and success of open-source communities. Building an inclusive environment requires more than recognizing the importance of diversity; it demands concrete actions, tangible outcomes, and a genuine commitment to creating a welcoming space for all contributors. This talk draws from an in-depth study of the GNOME Project's diversity and inclusion strategies, examining the opportunities and challenges in fostering inclusiveness. By exploring these experiences, the aim of this talk is to provide actionable recommendations for improving diversity efforts.

While some open-source projects have implemented strategies to create a diverse and inclusive environment, they often struggle to achieve impactful outcomes. How can we move beyond setting diversity and inclusion strategies to achieve measurable results? Are policies and initiatives enough to foster true inclusiveness? In this talk, I will share recommended strategies to foster contributions from diverse groups.

Open source is everywhere. Anyone can use it and anyone can contribute codes to the community regardless of the countries and regions. It is inherently borderless.In the meantime, it is also true that most of the critical open source projects are English speaking communities. This actually creates a gap between English speaking regions and non-English speaking regions in terms of the knowledge about the technologies as well as opportunity to get involved in the community development. There has to be a “Bridge” to fill the gap.

The Linux Foundation Japan office launched a program to solve this issue by launching the Japan Evangelist Program, which has been a big success so far. The evangelists can also become a community by itself, they become a force to connect multiple communities to co-work to create larger values as well as sharing best practice to run meetup etc, which has been a nice side effect of the program.

In this session, through the discussion with the panelists (they are all Japan Evangelists) we would like to elaborate how the program is actually working.