Schedule
Can Open Source be Secure by Design?
For twenty years, the tech industry has externalized more and more risk into the digital commons of free and open source software. Despite the undeniable economic benefits of open source collaboration, by withholding security-essential features and under-investing in the communities which maintain that commons, industry has invited disaster.

In response to the sharp rise in global cybersecurity incidents and the role FOSS has played in some of them, some governments mobilized investments and contemplated regulations — such as SOSSA in the U.S. and the CRA in Europe — to improve the safety of our now-digital world.

Æva Black will reflect on historical inflection points that led to these challenges and share their view of how the Cyber Resilience Act could create a once-in-a-generation opportunity to improve the sustainability of open source communities through Voluntary Security Attestations.
Does FOSS Buy Sovereignty? Participation vs. Ownership
Digital sovereignty has become central to EU technology policy, with FOSS frequently positioned as a solution to dependencies on foreign proprietary systems. But simply deploying open source software does not automatically deliver sovereignty.

This talk examines what actually confers digital sovereignty: license freedoms, or something more demanding, such as sustained participation in development communities, institutional knowledge, and the capacity to shape technological trajectories. The critical distinction is between passive adoption (downloading and deploying FOSS) and active engagement (contributing code, influencing governance, operating critical infrastructure).

Analysis of different national strategies reveals a counterintuitive finding: copyright ownership matters less than developmental participation. More provocatively, certain forms of international collaboration enhance rather than compromise strategic autonomy, a concept this talk frames as "interdependent autonomy." Participation in global FOSS communities can strengthen rather than weaken national capabilities.

Key takeaways: what sovereignty requires beyond license compliance, why passive adoption often fails to deliver independence, how different FOSS governance models affect sovereignty outcomes, and whether collaborative innovation can compete with proprietary R&D for strategic capabilities. The implications reshape procurement policy, workforce development strategies, and alliance frameworks for technology cooperation.
Success Stories in Open Source: Security Audits with OSTIF
The speaker will talk about the importance of security audits and a process tailored to open source communities, and highlight numerous success stories in improving the security posture of open source projects. Examples include the audits of git, kubernetes, ruby on rails, and php-src. The topic is relevant to the audience because the evidence presented in the talk suggests that a real, implementable solution to the security and technical debt of software projects is tenable. The main takeaways are as follows:
(a) Security audits are an effective tool for helping improve the security posture of projects.
(b) Projects of all sizes, maturity levels, and complexities have benefited from additional security audit work.
(c) OSTIF, as an independent nonprofit, is facilitating and executing security audits for critical open source projects at a high level of effectiveness.
While many solutions to the security problems of open source are theoretical and require considerable effort, OSTIF has honed in on a process to help open source projects en masse with a well established best practice: independent expert security review.
Identifying and Addressing Usability Vulnerabilities
Even well-engineered security tools can expose users to risk if design choices make safe actions unclear or burdensome. This talk examines how usability directly shapes security, based on Ura Design’s audits and field studies for SecureDrop, Qubes OS, and Mailvelope.

We define a usability vulnerability as a design flaw that predictably leads users to unsafe behavior, despite correct technical implementation. Examples include misleading encryption states, ambiguous trust cues, and compartmentalization patterns that break user mental models.

The session introduces a repeatable method for identifying and documenting such vulnerabilities within existing security review cycles. Attendees, including maintainers, designers, and security reviewers, will learn how to integrate usability findings into threat models, triage design issues with the same rigor as code CVEs, and prevent security regressions before they reach production.
Open Source in Local Governments: Lessons from across the EU
As Europe aims for 100% online public services by 2030, local governments face unique challenges in adopting and reusing open source software, particularly when building internal capacity, adapting for the needs of the public sector, working within existing regulations, and collaborating across borders. This talk presents exciting research from a new Open Source Observatory (OSOR) study on open source in local governments, examining five mature European case studies of local government open source collaboration, from Madrid's Consul Democracy platform used globally to Prague's Golemio smart city solution.

Participants will discover three critical collaboration archetypes: local governments as adopters, community actors as stewards, and service suppliers as technical enablers. They will learn how cities overcome barriers like conservative procurement practices, limited technical capabilities, and vendor lock-in through innovative governance models and cross-border partnerships. Key takeaways include: proven strategies for designing reusable solutions from day one, funding models that ensure project sustainability, effective roles for local government associations, and recommendations for building capable service supplier ecosystems.

Whether you're a policymaker, technologist, or open source advocate, you will gain practical insights for creating and sustaining digital infrastructure through collaborative open source development in the public sector.
Open-Source Stewards Under the CRA: NPO Pitfalls
The EU Cyber Resilience Act (CRA) introduces the Open-Source Software Steward (OSSS) role — a novel legal construct acknowledging entities that systematically support open-source development. While it promises lighter duties than full “manufacturers,” the OSSS label can create unexpected exposure for foundations, associations (e.V.s) and volunteer organizations.

This session focuses exclusively on non-commercial actors — not on businesses seeking OSSS qualification — and explores the pitfalls of leveraging the status:
• Benefits of OSSS recognition for NPOs: legitimacy, funding leverage, and security-governance credibility.
• Problems & Obligations: Article 24 CRA obligations (security policy, vulnerability handling, authority cooperation).
• Achieving / Avoiding OSSS classification.
• Liability effects: how far the penalty exception in Art. 64 para. 10 CRA could extend to civil liability.
• Tax status implications: narrative conflicts between “intended for commercial activities” and non-profit status (Gemeinnützigkeit); mitigation through legal operations and desirable tax legislation.
• Other legal angles: antitrust boundaries and GDPR responsibilities.
• “OSSS as a Service”: outsourcing as an option for every NPO? And what to keep in mind when signing and executing such an agreement?
• Case Studies:
  ◦ A German Fediverse gGmbH with no non-profit status and its U.S. 501(c)(3) counterpart
  ◦ A Belgian Private Foundation
  ◦ A German Association with non-profit status
2.5 Years of STA Bug Resilience: how we helped a lot of FOSS
Since October 2023 Neighbourhoodie Software has been the Sovereign Tech Agency’s partner for the Bug Resilience Program and has helped improve a large number of high-profile FOSS projects.

For FOSS maintainers, this talk covers how the program works, how you can apply and what you can expect from it.

For the generally curious, this talk gives a fascinating insight into the variety of the FOSS landscape, what projects of different sizes, ages and levels of importance struggle with, and how the team at Neighbourhoodie managed to make substantial contributions. The insights begin with the peculiarities of how certain projects organise their project communication, what they think is important to address (versus what the world might think is important), and we’ll cover the gratitude project maintainers send us after a job well done.

This talk also covers strategies for how to become a valuable contributor in projects of high complexity and impact in just a couple of days. Communication and honesty are obviously key, but some skill is required and this talk will help you get up to speed, should you want to join and help a project.
Saxony in Action: Supporting a Lasting FOSS Foundation
What happens when a federal state doesn’t just talk about supporting open source - but actually does it?

In this talk, we’ll share insights on how the state of Saxony is becoming a pioneer for open source in Germany: with a clear open source strategy and real financial support such as the publicly funded project FOCIS, which enables our non-profit association ALASCA to grow into a more stable, independent home for open source projects.

We’ll take you through our journey from a young association supported mostly by volunteers to a professionally staffed organization that now supports six projects. With public funding, we were able to hire our own employees, stabilize and expand existing governance structures, and lay the groundwork for a resilient open source foundation.

You’ll learn:
- How public funding can help in bootstrapping an open source foundation
- Which benefits and support have been established using public funding
- What other communities or regions can take from this example

This talk is for anyone building or supporting open source communities - from maintainers and foundation organizers to policy makers and public sector advocates - who care about long-term sustainability, governance, and funding models.
Building the Open Alternative: DPGs for Digital Sovereignty
Digital sovereignty—the ability for nations, organisations, and individuals to control their own digital future—is one of the key policy priorities of our time. This joint talk, shared between a representative from the Digital Public Goods Alliance (DPGA) and a team member from Mastodon, will explain how Digital Public Goods (DPGs) are a key building block for achieving greater digital sovereignty in the wake of geopolitical insecurity. We will start by unpacking the term "digital sovereignty" and the role open source technologies and digital public goods play in it. We will then discuss the strengths and weaknesses of core EU policies that support the open source ecosystem, mandating interoperability and data portability as key measures to level the playing field and provide opportunities for open alternative solutions. We will use Mastodon as a prime example of a globally recognised, federated DPG that challenges entrenched market powers, discussing practical pathways for seizing the opportunities EU policies provide. We aim to move beyond philosophical debates to offer concrete strategies for leveraging FOSS for the public good, helping to build and maintain a decentralised and democratically controlled internet infrastructure with sovereignty at its heart.
Co-Creating RIECS with Open Source Builders
Open source builders are at the heart of many citizen science initiatives — creating platforms, tools, and data systems that enable communities to participate in real research. Yet, these efforts often face similar challenges: maintaining software, ensuring data quality, and sustaining collaboration.

This 60-minute RIECS¹-Concept workshop brings together developers, maintainers, and project organizers to share experiences and identify what kinds of technical services, governance models, and community support are most needed.

The insights gathered will inform the concept design of a European research infrastructure for citizen science — connecting open source innovation with participatory research and long-term sustainability.

Learn more about the RIECS-Concept: Project Website | Mastodon

¹ Research Infrastructure for Excellence in Citizen Science
How open source companies win
When an open source company abandons its open source license, it's rarely because they are horrible people and more often because they've failed to use open source to their advantage. In this talk, I'll draw on concrete examples from five years of The Business of Open Source, plus my experience as a consultant, to talk about ways that an open source project can give a company an advantage in terms of product development, marketing, sales enablement, internal alignment and more. The goal of this talk is to ultimately prevent more companies from abandoning open source by giving them a concrete roadmap for how to not just mitigate risk but really leverage their open source project to accelerate their business growth over the long term.
How the city of Munich measures digital sovereignty
With 43,000 employees, the City of Munich administration is the largest employer in the city and has its own comprehensive IT provider. With our own data center, we have the opportunity to achieve a high degree of digital sovereignty. In order to systematically increase our digital sovereignty, we have developed a measurement method that evaluates various criteria. In our talk, we will show how the measurement method is used and what measures have been derived from it. We will place a special focus on measures that promote the use of FOSS.
AI-Generated Code: Legal Risks and How to Reduce Them
AI tools such as GitHub Copilot are not creative geniuses – they copy! And they do so more frequently and more demonstrably than many people believe. Anyone who incorporates AI-generated code into their software today is often already acting with conditional intent – and making themselves vulnerable to claims for damages, injunctions, and even criminal consequences.

We present current developments, figures on the frequency of plagiarism, and other prominent cases, shed light on the legal situation, and explain why companies urgently need to protect themselves. We provide clear answers to burning questions:
1. Why does AI code become a liability risk?
2. How can software manufacturers and purchasers still protect themselves?
3. What technical and legal measures can prevent a ticking time bomb in your own product?

Anyone who uses AI code carelessly in the future will be left to deal with the damage. We show you how to save yourself—before it's too late.

Speakers: Chan-jo Jun and Dr. Andreas Kotulla
A Frictionless Inner Source Journey
For Inner Source to thrive and gain contributors, we need to make the experience as frictionless as possible. Often, we have built large frameworks around Inner Source with the intention of maximizing safety and governance, but these frameworks can inadvertently create unintended obstacles for potential contributors. Let us share with you how we can address this challenge. We assessed the full process for contributing to Inner Source within our company, including all requirements, necessary actions, and governance regulations. We analyzed and measured where people spend time in the process, and then came up with suggestions for cutting the red tape and also for automating unloved compliance topics. Finally, for a smooth Inner Source journey, also from an individual project perspective, we need to make it as easy as possible to contribute. We’ll share some examples and suggestions here which can serve as a model for achieving this.
ORT Server: An open source platform to automate CRA checks
It is challenging, especially for small to medium enterprises (SMEs), to understand and deal with the obligations from the Cyber Resilience Act (CRA). While commercial solutions exist, these usually come at a high cost and the risk of vendor lock-in. This talk provides an overview of how the open source ORT Server platform can help here.

The talk will start with a bit of history of the OSS Review Toolkit and ORT Server projects, how they relate to each other, who the target audiences are, and highlight some technical differences between the two solutions.

While the ORT Server also has a REST API, the talk will then focus on using its dedicated UI for making the complex compliance topic and legal workflows more accessible to less technical users. Using a concrete example project, the talk will guide through how to deal with vulnerabilities and other policy rule violations found, in a way that fulfills CRA requirements.

Finally, an outlook will be given on the upcoming and planned features for ORT Server, extending it into a general platform to automate software compliance checks, including and beyond other regulations like NIS2 and DORA.
Stable software needs stable funding — Mapping workshop
Sustaining FOSS projects continues to pose a challenge. As a funder, we are investigating in our research how combining different funding and resource models might offer viable solutions, and where gaps remain. In this workshop, we want to refine a map we are working on that captures different income and resource streams for FOSS projects.

We want to engage with the question of which (combinations) of those funding models can sustain which projects or project stages. Next to grants, donations, sales, and capital investments, we map, amongst others, models such as tiered licenses, corporate open source contributions, and contributions by students as part of their coursework. The search for a stable funding model is complicated by better or worse fits of different kinds of communities and software. We are further well aware that none of these models is likely to be a standalone solution to sustain a project and that each of them has its own difficulties.

Instead, we want to investigate how combinations of those can balance each other and support different projects and different project stages. In the workshop we want to walk through three tasks in three 10-15min rounds with you:
1. Add models that are missing from the map
2. Specify pros and cons of the models
3. Specify which projects are eligible for which models

The session will be closed by taking stock of what is missing: which demands are not met by the array of listed approaches to sustain projects in the FOSS ecosystem. We welcome everybody interested and invite specifically people who are active in (F)OSS projects and their support to participate in reflecting on these questions with us and to contribute to the map. We fund innovative FOSS from society and for society, with funds from the Federal Ministry of Research, Technology and Space. This workshop is part of the research done in our organisation. We intend to make the map openly accessible after the workshop.
Curating Power: FOSS in the Service of National Interests
Open source has long been celebrated as a global commons — a space where collaboration transcends borders. But what happens when states start curating their own open stacks? From India Stack to the emerging “Deutschland Stack,” governments are assembling and exporting open-source components as part of their digital public infrastructure strategies. These stacks aren’t just technical blueprints — they’re instruments of digital sovereignty, industrial policy, and geopolitical influence.

This talk explores how open source has become a site of stack diplomacy: where nations intentionally assemble, govern, and export open technologies to shape global standards and alliances. Drawing on examples from India, China, and the EU, we’ll unpack how “stack curation” works — how the choice of APIs, identity frameworks, or governance models can reflect national philosophies, and how this transforms open infrastructure into soft (and sometimes hard) power.

We’ll discuss what this means for open source communities:
- How do we navigate the line between openness and national interest?
- Can open collaboration coexist with state-led curation?
- And what responsibilities do open source maintainers have in this new landscape?

By the end, participants will have a clearer understanding of how open stacks are reshaping global cooperation — and how the open source community can respond to ensure openness remains a principle, not just a branding tool.
Is InnerSource Commons good for open source?
Using data from hundreds of millions of open source repositories provided by ecosyste.ms, we seek to answer the question: is The InnerSource Commons good for open source? We look at data from 800 member companies to answer what might seem like a simple question, in the process unpacking what it means to support, contribute to, and maintain open source software, what a 'healthy' open source project looks like, and where and how we can identify and support important projects that need our help.
Fair Share Cost Tokens
The goal of this talk is to provide an overview of the economic component of the CRA attestation project [1].

Fair-share cost tokens are cryptographically signed tokens which allow manufacturers to prove that they are making their "fair" contribution to the health of their FOSS ecosystem. Whenever a commercial software producer - a manufacturer in terms of the CRA - includes FOSS code maintained by a legal entity - an Open Source Software Steward in terms of the CRA - the token is used for attestation. Thus, the two parties can create a communication channel in case of a security incident. The same mechanism should also allow resources to be brought deeper into the supply chain, as it can also be used by software stewards to allocate resources towards the stewards whose codebase they are using.

Frameworks like SCITT [2] and Omnibor [3] could allow for their technical implementation. However, some policy work is required to make the situation of potential FOSS projects in the EU compatible with 501(c)(3)s in the US.

[1] https://github.com/orcwg/cra-attestations
[2] https://datatracker.ietf.org/wg/scitt/about/
[3] https://omnibor.io/project/
FLOSS Sustainability: Lessons from a Funding Crisis
Since its inception, Decidim has relied primarily on funding from the city of Barcelona, creating a dependency on this public organization. In 2022, following a funding crisis that nearly jeopardized the project, we developed a Sustainability Plan aimed at diversifying funding sources and reducing our dependence on a single funder.

Three years after implementing the plan, we have made significant progress toward our goal.

This session will reflect on our approach and key learnings. We will explain how we designed this plan, the challenges for sustainability that a FLOSS project faces, the learnings we have made during the process and the main actions we have taken. We will delve into the different strategies we have designed to attract new funders, especially from the private and philanthropic sector, as well as the challenges we face when it comes to receiving funding from public agencies. Finally, we will evaluate the successes and failures of this plan.

This is an ideal talk if you are interested in knowing the challenges that FLOSS projects face when seeking funding, want to learn which are the best strategies to diversify your sources of income and ensure a sustainable growth of your project.
From Tires to Code: Building Michelin's OSPO
Launching an OSPO in a global, non-tech-native corporation presents unique cultural, legal, and organizational hurdles. This session provides practical feedback on how Michelin built and now operates its OSPO.

We will walk through the entire journey, covering:
* The historical context and business strategy that drove the need for a formal OSPO.
* The practical steps of establishing a strong governance model and the OSPO's structure.
* A deep dive into our multi-faceted program for cultural change. This is now the core of our strategy and includes:
  * Company-wide training modules (which we are now in the process of open sourcing).
  * A gamified badging system to incentivise learning and contribution.
  * The creation and management of an OSS Champions community to scale our efforts.
* Our approach to external communication.
* The tools we use.
* And finally, the road ahead of us: the significant challenges that remain on our journey.
Get-Together
What better way to end the first day of FOSS Backstage than with a Get Together?

Take the opportunity to meet old and new friends, or maybe the person to collaborate with on your next project, in a relaxed atmosphere.

If your organization wants to support us in offering food and drinks at the get together, please contact partner@foss-backstage.de or learn more [here](https://26.foss-backstage.de/become-a-partner/).
Tour: c-base a space station under Berlin
10.000 years into the future humanity will venture into the wide realm of space. In order to terraform other planets c-base was constructed as an orbital multivoltine space-station. Due to a Flip-Flop of the Asimov-Constant the cybernetic quicksilver reactor failed. Instead of materializing in the orbit of Gliese 12b c-base was thrown back in the space time continuum by 4.5 billion years and crashed on the surface of earth and slowly sank into the Brandenburg sand.

That, or something like that, is what its crew members claim to be the origin story of c-base. Founded in 1995 it is Germany's and probably the world's oldest hackerspace, run by the NGO c-base e.V.

Following its creed "be future compatible!" c-base understands itself as a space that allows nerds, geeks, hackers, dreamers and data travelers to gather, converse and discuss how to think and act to make a better future possible. Whatever that may be.

In this spirit it not only hosted the Lounge of the Chaos Communication Congress when it was held in Berlin. Both the "Förderverein für freie Netzwerke e.V." (2003), Germany's first Freifunk chapter, as well as the German Pirate Party (2006) were founded at c-base, and the very first BerlinBuzzwords (2009) took place there.

To end the first evening of the FOSS Backstage, we offer a tour of c-base, followed by the opportunity to end the evening at one of its recreational modules with a cold beverage at the Spree's waterside, with a view of the c-base center axis, known as the Berliner Fernsehturm to the uninitiated.

c-base can be found at Rungestraße 20 close to Jannowitzbrücke.
Docs, Demos, and Mentors: Growing Open Source
Why do promising open source projects struggle to attract and keep contributors? After training 2,000+ developers across Africa and Europe and leading community engagement for 10,000+ API users at Paga, I’ve seen the answer firsthand: contributors vanish when documentation is dense, demos are missing, or mentorship is nonexistent.

This talk transforms those gaps into growth engines. I’ll break down three pillars to turn your project into a self-sustaining contributor magnet:

A. Docs as Onboarding Engines
   i - Transform static guides into interactive pathways that welcome newcomers and accelerate their first PR.
B. Demos as Trust Builders
   i - Use lightweight, reproducible examples (e.g., GitHub Codespaces) to prove your project’s value in seconds—not hours.
C. Mentors as Multipliers
   i - Design scalable mentorship models that pair newcomers with experienced contributors without burning out maintainers.

You’ll walk away with:
1 - A playbook to make docs actionable, demos irresistible, and mentorship sustainable.
2 - Metrics that matter: time-to-first-PR, repeat contribution rates, and retention benchmarks.
3 - Anti-burnout strategies to operationalize growth while protecting maintainer energy.

Drawing from global projects (like Kubernetes) and local communities I’ve supported, this session answers the questions every maintainer asks:
"Why aren’t more people contributing?"
"How do we scale without adding more maintainers?"

If you’re tired of answering the same beginner questions or watching contributors slip away—this is your roadmap to resilient growth.
Getting Real with the Supply Chain: From SBOM Data to Action
The more insight we gain into our software supply chains, the more we face the challenge of acting on it. OSPOs must turn vast data into focused, meaningful decisions. This talk shares a risk-based framework we apply at Deutsche Bahn, designed to be broadly adoptable. It helps prioritize what truly matters: balancing compliance, governance, and sustainability.

We’ll discuss how we:
* manage regulatory obligations like CRA and NIS2 without overburdening teams
* set internal rules and automation that keep compliance practical
* identify real risks instead of chasing theoretical ones
* facilitate open source culture across the organization to understand and participate in communities
* include ecosystem health in our decisions

As a small virtual OSPO in a large non-IT company, we focus on pragmatic, incremental steps rather than perfect coverage. The session offers hands-on insights for anyone trying to make sense of large-scale SBOM data and turn transparency into responsible action.
Beyond the license: measuring real openness in open source
Open source licenses like GPL or MIT matter, but aren't the whole story. An open project is often defined more by its ecosystem: transparency, contribution access, buildability, and governance. In this talk, we’ll explore how projects often lean on their license as a proxy for openness, even while locking in features, obscuring build processes, or limiting community agency. I'd like to introduce the “Is It Really FOSS?” initiative, and have a look at how legal license choices intersect with reality. Let's look at lock-in tactics beyond licensing and how to build and steward genuinely open projects that can still be sustainable.

Why it’s relevant:
• Legal professionals and OSPOs will gain insight into how licensing interacts with project structure and governance.
• Entrepreneurs and contributors will learn how to evaluate and encourage true openness—not just in words, but in processes.
• It helps you look beyond pure licensing to ecosystem trust and sustainability.
How Open Collective moved from a for-profit to a non-profit
The Open Collective Platform has been a big advocate for open source since its inception in 2015. Not only have we helped the open source ecosystem, but it has supported our growth in return. The largest Fiscal Host on our platform is Open Source Collective, the true open source back office star, ensuring the legal and accounting compliance of over 3000 open source projects. Our platform enables these projects to transparently showcase their financials, highlighting the critical gaps in funding and encouraging collaborative ownership. https://discover.opencollective.com/opensource

Open Source Collective has been a key instigator in freeing the platform from its venture capital history and pursuing true community ownership. We would love to celebrate this and dive into how this was negotiated. It's one thing to take the step and become community owned; it's an entirely different reality to shape the shared governance and put our words into action. While we are still grappling to find our footing and achieve financial sustainability, we would love to share the governance processes we have implemented and the key challenges we have faced: what was sacrificed and lost in the process, and what challenges we still need to navigate.
Lessons from Prometheus's First Design Mentorship
When I joined the Prometheus project through the [Linux Foundation Mentorship](https://mentorship.lfx.linuxfoundation.org/project/36e3f336-ce78-4074-b833-012015eb59be) program, UX research wasn’t something the community had ever done before. Prometheus is a mature, developer-focused open source project, so introducing UX research meant stepping into new territory—for both me and the community.

This talk shares what that experience looked like: the messy but rewarding process of doing UX in the open, learning to align design with a developer culture, and building trust in a space where design wasn’t yet a familiar practice. It also looks at what happened after the research: the impact on the project, the momentum it created for future design work, and how Prometheus continues to nurture design contributions today.

Key takeaways:
- Candid lessons from integrating design into technical open source communities
- What helps design efforts become part of the community, not just a one-time experiment
- Practical insights for projects considering design contributions and for designers exploring open source
Why Has Hardware Infrastructure Diverged From Open Software?
Open source software transformed computing through collaborative infrastructure. Why hasn't open hardware followed? Despite decades of advocacy and similar technical collaboration potential, we still face expensive tool licenses, foundry barriers, and fragmented volunteer projects. This isn't an accident; it's the result of the biggest industrial policy failure of the last century.
**Three Critical Divergences**
Capital intensity: Software tools scale to reasonable costs; once built, they can be distributed widely at low cost. Hardware requires unavoidable physical capital: €100K-€1M annual EDA licenses, €500K-€2M foundry access minimums, substantial prototyping costs. This creates fundamentally different economic dynamics that can't be overcome through better licensing or community organizing.
Institutional vacuum: Open software largely succeeded because new organizational forms emerged to employ maintainers, coordinate development, and provide infrastructure at scale. Open hardware has no equivalent institutional layer. Universities produce research, not production tools. Companies optimize for proprietary capture. Traditional foundations lack the capacity to employ hundreds of engineers or deploy patient capital. Governments fund research grants, not operational infrastructure. The missing piece is the organizational capacity to build and maintain technology commons.
Revenue generation: Software can monetize through services, support, and usage, value extracted without controlling physical production. Hardware value concentrates in intellectual property, manufacturing and supply chains, making service-based sustainability far harder. This determines which organizations can viably build hardware commons long-term.
**Why the FOSS Community Should Care:**
Hardware is becoming the constraint on software freedom. European tech companies pay billions annually in proprietary tool licensing. Supply chain concentration creates strategic vulnerabilities, and geopolitical tensions could cut access to critical design tools or fabrication. Digital sovereignty requires open hardware foundations, not just open software. Without addressing this, FOSS gains remain dependent on proprietary infrastructure.
What You'll Learn:
Why replication fails: Software's organizational models don't transfer to hardware due to structural economic barriers. You can't create "Apache Foundation but for chip design" because the capital requirements, employment scale, and revenue dynamics are categorically different.
The missing institution: What might an "Open Hardware Infrastructure Works", a public institution maintaining open hardware infrastructure, look like? What would an institution like that be able to do to level the playing field and open up hardware development? How would an institution like that be financed? What can we learn from precedents: adapting models from highway authorities, utility companies, and transnational consortia for big infrastructure projects?
This isn't about better funding models or governance reforms. It's recognizing that hardware commons require institutional forms that don't yet exist. Just as societies created new organizational types for railroads, electrification, and telecommunications, we need purpose-built institutions for 21st-century technology infrastructure. The question isn't whether open hardware is desirable, that is clear; it's whether we can design and build organizations capable of developing it at competitive scale.
This talk is relevant for anyone working on digital sovereignty, FOSS sustainability, supply chain resilience, institutional design, or infrastructure commons, and anyone frustrated that hardware seems perpetually behind software in open development despite equivalent technical collaboration potential.
Narrative Infrastructure: Storytelling to Grow Open Source
Every open community runs on more than code; it runs on story. In this talk, I’ll explore how storytelling can be used as narrative infrastructure to build stronger, more inclusive open-source communities. Drawing from my experience leading WriteTech Hub and contributing to open documentation initiatives, I’ll show how narrative can align diverse contributors, spark engagement, and sustain collaboration over time.
We’ll unpack practical ways storytelling can humanize onboarding, strengthen contributor identity, and create trust in open ecosystems. Attendees will leave with simple frameworks to use story as a tool for communication, governance, and culture-building.
At a time when contributor burnout and disengagement are rising, this talk offers a fresh, human-centered approach, helping communities reconnect with why they build, not just what they build.
Real accessibility: an imperfect, honest journey
Accessibility is as complex as human nature. Making a user experience that is genuinely accessible requires going beyond the letter of the law to address less obvious issues. For instance, it’s trivial to check if two colours have enough contrast; ensuring the language used in an app is easy to understand for everyone, not so much.
How can we create incredibly accessible products? External agencies may help with audits, but accessibility should be an ongoing effort, not just a one-off project to address existing issues. New features should be accessible from the get-go, ideally validated with real-world users: easier said than done.
In this talk, we will share how creating a community of interest and tapping into our team’s diversity helped us come up with a more robust experience. We will also discuss the role of collaboration across disciplines including design, engineering, content and documentation, and how to facilitate community contributions to these efforts. Coming up with a better accessibility practice is not always a straight path, but it is definitely one worth taking.
Bridging the Gap: Encouraging African Talent to Open Source
Africa has a talented pool of tech enthusiasts. In recent years, there has been a meteoric rise in the number of young people in Africa actively learning tech skills and aspiring to be part of the future. Despite Africa’s growing developer population, African contributors remain underrepresented in open source. In this talk, I’ll share my journey into open source as an Outreachy intern working on the Git project and highlight the problems that many African developers face, from limited access to resources to a lack of awareness and socio-economic hurdles. I’ll explore practical ways we as a community can bridge these gaps through mentorship, outreach, and inclusive programs.
Building and scaling Hare's community governance
The Hare programming language started in December 2019 with a small, secret prototype and gradually built out a community of curious adventure-seekers who stumbled into its open, but well-hidden, borders. Once unveiled to the public, this community's governance, policy-making, and day-to-day conduct of its affairs grew and evolved with careful deliberation into its present-day form, with 11 co-maintainers of various disciplines and over 100 contributors.
This talk will take the audience through each stage of this journey and highlight each of the changes made to its governance over time, explaining how each decision was weighed against our values and practices and helped us grow into a thriving community.
The Power of Dedicated Security Engineers vs. Volunteers
Perfect security works like a transparent umbrella — it shields you from the storm, often without you realizing there’s one. That invisibility, however, is why open source security is too often seen as a cost rather than a strategic investment.
Most organizations only start paying attention to security after a crisis — think Log4j — when it’s already too late. In the open source world, many projects depend on volunteers to respond to security incidents. Their contributions are invaluable, but what happens when projects have dedicated, full-time security engineers instead?
In this session, we’ll explore that question through the stories of Mike, Seth, and Samuel, who once volunteered their time supporting security in the Python and Ruby ecosystems. With funding from AWS and Alpha-Omega, they later became full-time security engineers employed by the Python Software Foundation and Ruby Central.
By comparing their impact as volunteers versus full-time professionals, we’ll quantify the value of dedicated security investment and measure its return on investment.
Open source is everywhere — securing it benefits everyone. Through this talk, we’ll challenge you to rethink security not as an afterthought or a cost center, but as a core strategy worth proactive investment.
Keeping the flame alive: storytelling for open source
Open source runs on community, and communities run on stories. A good story gives people a reason to join, stay, and care. In this session, we’ll explore how storytelling can strengthen open-source communities and help build trust and excitement. We’ll look at practical examples of how to tell a story with visual design and what role motion, iconography, tone and voice, or color play. I’ll also share practical tools to help teams maintain their story over time that help align contributors around a common message. By the end, you’ll leave with an actionable framework that connects people and builds trust, and keeps the open-source flame burning bright.
Balancing the Supply Chain Act
The typical software supply chain has many participants: open source communities, maintainers, companies, and others. There is a rising number of regulations, policies, and processes around that, for example, the Cyber Resilience Act or other security requirements. Expectations of companies sometimes do not match what the community can or wants to offer, and vice versa. The misalignment creates stress on both sides. How can this stress be resolved, so that all participants can benefit from one another and reap the advantages of open source, which has become ubiquitous wherever software is?
In the panel, we bring together representatives of different perspectives to discuss these questions. It will cover open source maintainers, companies using open source for internal services and for basing products on, and people working on processes.
List of participants:
* Moderator: Melanie Wollnik (OpenRail Association and DB Systel)
* Sven Erik Jeroschewski (Bosch Digital)
* Cornelius Schumacher (DB Systel)
* Dr. Lina Böcker (Osborne Clarke)
* TBA
Together we’ll ask:
* What drives users vs maintainers in the open source supply chain?
* Where do expectations clash?
* How can process, governance and community shape better alignment?
* How can organizations and projects adapt to serve each other, not just co-exist?
Educating the next generation of open source contributors
Open source is the foundation of modern software, yet many projects struggle with sustainability, not just in attracting contributors, but in ensuring they stay, grow, and thrive. The landscape of open source contribution has evolved dramatically, demanding a fresh approach to educating potential contributors as part of broader community building and contributor engagement strategies.
Every educational program depends on participant support for projects and mentors towards the programs’ outcomes, and we need industry participation to make these programs successful. The only way for these programs to scale to the growing and various needs of program organizers is for more people to understand how these programs work and how to engage with these programs to support their own diverse needs to grow the broad open source contributor pool. By getting a wide variety of industry support from companies and the maintainers who are employed by these companies, we can create educational programs where students learn the skills that they need to participate in open source projects and become our next generation of contributors.
In this panel, we’ll talk about education programs for our youth and university students. We’ll discuss the landscape of open source contributors in the different regions along with the motivations for participation in open source and how those differ across regions. Because we want contributors who will continue contributing, we’ll also talk about some challenges that prevent sustainable contributions over the long term.
Our panelists have experience teaching open source to university students, creating and sustaining open source education and contribution programs, and building new open source communities in Africa. In this panel, we’ll talk about what we’ve learned, what’s worked, and provide tips for you to grow the next generation of contributors from within your local communities.
This talk presents attendees with a breadth of perspectives on educational programs, how they work, and how we can all work together to make them successful.
Everyone Belongs to Open Source
For open source to reach new audiences and grow sustainably, it must welcome and recognize more than code. Skills like event organizing, technical writing, design, and accessibility advocacy are vital to promoting adoption and building inclusive communities. Yet many projects still lack structures that value these contributions.
This 60-minute workshop reframes diversity and inclusion in open source by demonstrating how non-code contributions are powerful tools for outreach and growth. Participants will reflect on their own skills, map them to real project needs, and collaboratively create a No-Code Contribution Map, a framework that connects diverse abilities to concrete ways of promoting and sustaining open source.
We will also explore practices that support inclusivity: onboarding pathways for non-technical contributors and recognition systems that ensure everyone feels they belong.
Learning Outcomes:
- Understand how non-code contributions promote adoption and inclusion.
- Build a practical No-Code Contribution Map for open source projects.
- Gain strategies for designing contributor journeys that welcome everyone.
- Learn inclusive practices that strengthen open source outreach and growth.
FOSS behind the scenes - the center stage is not enough
The goal of this talk is to spark reflection and conversation about the tools we use to build open source projects, not just the code we write. It is meant to encourage both new and experienced maintainers to think critically about how proprietary tools may, unintentionally, be limiting their communities and values. We'll explore how we can strengthen our open source ecosystem by reducing our dependency on tech giants and supporting community-owned infrastructure. The audience will leave with a better understanding of the trade-offs involved, where to take action, and the motivation to make small changes that lead to more open, inclusive, and resilient projects. Whether you're starting a new project or maintaining a mature one, this talk will challenge you to think critically about the tools you use and advocate for open, community-controlled alternatives that align with the spirit of FOSS.
Why Open Standards Power Compliance
In an increasingly digitalized Europe, legislation such as the Digital Markets Act, AI Act, and Cyber Resilience Act depends on technology-neutral, interoperable frameworks to achieve its goals. Free and open standards, together with transparent and inclusive standardization processes, are emerging as essential tools for effective and accountable regulation.
Drawing on the Linux Foundation’s report, The State of Open Standards, Standardization and Patents in Organizations, this session explores how open standards are becoming a pillar of digital policy implementation. The research shows that nearly 80% of organizations view standardization as vital for compliance and strongly favor openly developed standards over proprietary or closed models.
We will examine three interconnected policy dimensions:
- Why open standards matter for Europe and how they reduce dependency, enhance interoperability, improve quality, and advance strategic autonomy while supporting legislative aims such as transparency, data portability, and resilience.
- What attributes drive trust and adoption: how openly published, consensus-based, and extensible standards strengthen compliance, innovation, and public confidence.
- How policy can embed openness and the practical approaches for European institutions, standardization bodies, and industry to align around “free and open” standards as enabling infrastructure. This includes integrating open standards into procurement frameworks, certification schemes, and public-private partnerships.
The discussion will also consider the evolving role of standard-essential patents (SEPs) and the balance between openness, innovation, and fair intellectual property practice.
Attendees will leave with actionable insights on how to integrate open-standards thinking into policy design, regulatory compliance, and procurement strategy, turning evolving EU mandates into an opportunity for digital resilience and sustainable competitiveness.
Navigating engineering-focused environments
Open source often thrives on engineering-driven processes, where feedback loops, tools, and contributions are tailored to developers. But where does design fit in? This panel brings designers and engineers together to discuss how UX practices can be embedded in engineering workflows, from using GitHub as a design collaboration tool to framing design contributions in ways developers can get value from. Our panelists will share success stories and lessons from bridging design and engineering in open source. Their experiences as designers and engineers will bring different perspectives to uncover strategies and patterns for making design more visible and impactful in developer-focused environments. They will highlight what worked, what didn’t, and how their approaches evolved across projects and communities. Attendees will take away ideas for embedding design into engineering-focused environments, and inspiration from projects where cross-disciplinary collaboration has led to better user experiences and stronger collaboration.
Interested in embedding design thinking into the engineering world? Join us!
A fork load of maintenance - forking a key dependency
The benefits of building software on top of open source solutions are well understood, such as avoiding reinventing the wheel, leveraging global expertise, and enabling interoperability. Another benefit is the ability to customise open source software for your use case, but in practice this will often be done by making a fork of the project, which can result in a significant maintenance overhead.
This talk is a case study of the BBC's fork of dash.js, a JavaScript library for media playback that is a key dependency for BBC web and connected TV apps. We will explore the reasons why a fork is being maintained, what the costs and benefits have been, and what is being done to reduce the maintenance overhead going forwards, including contributing to the mainline and engaging with the community. Attendees will come away with a better understanding of why and why not to fork, and how to reduce the burden of maintaining a fork.
Free as in Friendship
"It's free as in speech, not free as in beer." How many times have you heard people define free software this way? But free speech, as important as it is, is only one kind of liberty. When we think of freedom only in terms of freedom from restraint—the restraint of government censors, or the restraints of proprietary licenses—we miss out on whole other categories of freedom.
"Positive liberties" are those we enjoy through the support of others. They are "freedom to", not "freedom from". Positive liberties tend to be harder to define and harder to realize than negative freedoms. For example, if a piece of FOSS is difficult to modify, the user may have "freedom from" prosecution for modifying the software, but no real "freedom to" modify it. And not because the maintainers don't want to give them that freedom! But "freedom to" is often complicated, messy and contextual.
This talk charts a way forward through the complications and the mess: friendship. The words "freedom" and "friend" come from the same root, the Proto-Indo-European "prī-", meaning "to love". It is love and friendship that allows us to navigate the complex ways that we depend on each other, without turning dependency into coercion—in other words, without turning our efforts to achieve positive liberties into violations of negative liberty.
This talk focuses on a particular conceptualization of friendship from relational psychology, called "intersubjectivity". We will discuss what intersubjectivity is, how it helps protect us from coercion and enables us to flourish, and how we can practice intersubjectivity within FOSS projects and within all our communities.
The OpenStreetMap Community
OpenStreetMap creates, collects and delivers Open Data about our world. But it is more: it is a worldwide community and a human cultural endeavour. The OSM community is millions of volunteers, but also companies large and small, and organisations from the UN down to the local hiking club. How do we organize all of this with an extremely slim (and maybe too slim?) governance structure that is still mostly based on volunteer work? Where does this work and where are the problems? What makes it similar to other digital commons projects and what makes it different? What can we learn from other communities like ours?
The Red Tape Challenge: Designing Open Source GovTech
From the perspective of a global humanitarian organization, this session examines the constraints and trade-offs of building open source products for government customers. It covers restricted user access, slow procurement and feedback cycles, legal and compliance limits, political turnover, language barriers and uneven infrastructure. The talk presents governance patterns, procurement-ready artifacts, and design rules that keep projects usable, useful, and maintainable in government contexts.
Let’s tackle Openwashing!
Openwashing has become a growing challenge for users, developers, and public administrations, and for the entire Free Software ecosystem. Using various methods, some companies advertise their products as “free” or “open”, while in reality distributing proprietary software. The supposed creativity of these openwashers is remarkable: whether by using free/open wording, by introducing new licences that falsely appear to be free, or by imposing additional barriers that make it more difficult to use the freedoms offered by Free Software.
This misleading behaviour undermines efforts to achieve digital sovereignty through Free Software. It weakens strategic procurement aimed at ensuring that public money funds Free Software, as promoted by the Free Software Foundation Europe’s "Public Money? Public Code!" initiative. It also distorts competition, misleads customers, and erodes trust in the Free Software ecosystem.
The FSFE has been analysing openwashing and other questionable market practices over the past years. In this talk, we will look at concrete examples and examine how they harm Free Software manufacturers and maintainers. Finally, we will discuss what administrations, regulators, and the Free Software community can do to curb openwashing.
Plan to fork (So you don't have to fork)
If your product or service relies on an open source project, ensuring the sustainability of that project is just good business sense. Forking that source project should be a last resort, to be considered only after all other options have been exhausted. But writing a detailed plan to fork has two benefits. First, it ensures that should the worst happen, you’ve already considered how you’ll deal with it. But perhaps more importantly, thinking proactively about forking will help you take actions that will ensure that it never comes to that.
Best practices and (very) small projects
Most open source software is not maintained by a large community but by a single person in limited time. Hobbyist maintainer projects have previously been discussed from the perspective of security risks and the reliance of complex ecosystems on single actors (cue XKCD 2347 "Dependency"), but this talk will focus on the tools and work methods at hand for these developers in regards to community building, usability and documentation. A lot of practices that might be helpful to improve software imply the availability of resources, most importantly a team with diverse, complementary skills. But most maintainers do not have access to these resources. I suggest that we need an awareness and appreciation of small projects and a critical review of tools and work methods for their fit for the situation of small projects. I will use examples from usability to show the problems of many commonly recommended methods as well as alternatives that are better suited.
Lessons from 10+ Years of Certifying Open Source Hardware
In 2015, the Open Source Hardware Association (OSHWA) kicked off the process of creating an open source hardware certification.[1] In the decade since, OSHWA has certified thousands of pieces of hardware from over 60 countries on 6 continents [2] as compliant with the community definition of open source hardware.[3]
This presentation will discuss why the certification program was created in the first place, how it is being used today, and what lessons other communities might be able to learn from its success.
[1] https://certification.oshwa.org/
[2] https://certification.oshwa.org/list.html
[3] https://www.oshwa.org/definition/