Want to get more involved in open source and understand better how to contribute? Making your first contributions can be a daunting prospect, regardless of technical background. But fear not! This burd of a feather welcomes those who want a gentle introduction to the topic, and will equip you with what you need to get up to speed.

We will demystify the process of contributing to an open source project, offering insights from the Open Source Masterclass MOOC https://opensourcemasterclass.org/ and several major open source projects and contributors. Whether you're aiming to submit code, improve documentation, or participate in discussions, you'll learn key strategies for making your first contribution meaningful and accepted by the community.

Open source projects are the backbone of innovation in today's technology landscape, and contributing to them can be a fulfilling and career-enhancing experience. However, taking that first step into an active project can seem overwhelming.

We will explore the different types of contributions valued by open source communities: from code and documentation to community support and quality assurance. You will gain knowledge about the importance of communication, how to interact with project maintainers, and ways to align contributions with the current needs and priorities of the project.

Furthermore, this session will touch upon the practical aspects of the open source contribution lifecycle, including how to stay motivated, deal with feedback or rejection, and find mentorship opportunities within the community.

In recent years, Europe has seen an increase in regulations directly affecting the software industry, and with implications for free and open source software. The regulatory landscape is complex and evolving, which makes a deeper understanding of the intended and unintended consequences on FOSS projects and the ecosystem necessary.

This session will explore the intricacies of EU legislative processes, using the CRA as a focal point. The panel aims to share and identify key moments of realization ('aha' moments) that enable navigating regulatory challenges more efficiently.

Participants will hopefully gain practical models and strategies for navigating legislative processes, and actionable methods to effectively engage with policymakers and other stakeholders, or in short: to be better able to talk to the right people at the right moment about the right subject to have most impact.

You've heard it from colleagues, you've seen it on Reddit... Zephyr RTOS can be difficult to navigate.

Join this session for a "Zephyr Roasting Party" where we'll openly look at and discuss the most complained-about aspects of Zephyr, and try to honestly answer common questions and criticisms such as:

• "Zephyr is bloated and really has poor real-time performance compared to other RTOSes"
• "I already have a HAL from my silicon vendor, why would I need even more HW abstractions?"
• "Devicetree is so complex! How do I even understand what's going on with all these 'macrobatics'?"
• "There's lots of drivers available upstream, sure, but how do I know how mature they are?"
• "What is this west thing, and why are you asking me to learn Python?"
• "Why is my board/driver not supported?"

The goal of the talk is NOT to rhetorically question some of the "bad" parts of Zephyr, only to immediately tell you why Zephyr is in fact the best thing since sliced bread. Instead, we will honestly discuss these pain points to help you understand better some of the design decisions behind Zephyr, and why they might (or might not!) actually be worth the steep learning curve. This will also prove to be an interesting exercise that will help you understand when you might not need or want an RTOS in the first place.

Through practical demos and examples, we’ll show how tools like Devicetree, Kconfig, or West can actually make embedded development more efficient, and we'll try to make those "scary" parts of Zephyr more approachable, and give a sense of the roadmap for all the other areas of Zephyr that still need work and love.

Cypht is an awesome Free/Libre/Open Source webmail aggregator written in PHP and JavaScript. Tiki is the Free/Libre/Open Source Web Application with the most built-in features, obviously including a webmail. Cypht within Tiki expands on the collaboration possibilities.

Email handling (reading, replying and archiving) should be part of a larger collaborative workflow. Instead of one gigantic mail store, we should have a number of smaller ones that make sense to one's workflow (ex.: around projects, tasks, clients, etc.) and that can easily be shared and prioritized.

Most, if not all, mobile devices have a GPS receiver in them, and most, if not all of them, support A-GPS. A-GPS as a technology is not designed with privacy in mind (in fact, it is specifically designed to not be private, as it sends the phones' IMSI to the A-GPS server), and one of the few providers of A-GPS services is Google. There exists, at present, no open source, privacy-respecting A-GPS service; mostly impacting FOSS on Mobile projects, such as Ubuntu Touch, who do not wish to use this Google service (and may not be allowed to either, as Google only offically provides SUPL services for Android devices, as far as I understand)

The OpenAGPS project aims to create a open-source A-GPS / SUPL (Secure User Plane Positioning) service. GNSS systems (such as GPS) are both surprisingly simple and complicated; the talk would provide a short overview into the functioning of a GNSS system, how asssisted GNSS / A-GPS / SUPL works, how a privacy-respecting system could be built, and the current state of the OpenAGPS project.

This project has also received a grant from NLNet (Mobifree call) very recently; at the time of this submission we do not have any fully functioning code/codebase, although we hope to get a working prototype of the system in time for it to be potentially showed of as a working demo at FOSDEM.

Website (slight update: placeholder has been replaced with a blog, although its still not got too much yet): https://openagps.net/ Source: https://gitlab.com/openagps/

Many popular free and open source projects are owned and driven by corporations, and in today's difficult economic climate, those companies are under increasing pressure to protect their businesses or show stronger returns for investors. One response to this pressure has been the relicensing of popular open source projects to more restrictive licenses like what we’ve seen with MongoDB, Elasticsearch, HashiCorp’s Terraform / Vault, and Redis to name just a few. These companies are putting their projects under non-open source licenses, despite there not being consistent evidence that this actually generates improved financial outcomes for those companies.

In some cases, this relicensing has resulted in a hard fork of the original project. Both the relicensing and the resulting fork create turmoil for the users of that project and the community of contributors. In this panel, we’ll discuss the following topics: dynamics around relicensing that results in such hard forks; examples of forks along with the impact on the communities; and thoughts about what this means for the future of free and open source software. The audience will gain an appreciation of why relicensing results in hostile forks and how to think about this issue when selecting projects for contribution or usage.

Local AI requires a full-stack problem-solving approach to succeed. At Homebrew, we’ve addressed key issues like hardware compatibility, multimodal model optimization, and enabling efficient inference on edge devices.

In this talk, we’ll draw from our experience deploying local AI to over 1M+ devices with Jan, a small multi-modal AI. We’ll share insights into optimization hurdles, architectural trade-offs, hardware requirements, and their impact on developers and users alike.

Plus, we’ll share how a full-stack approach enables us to integrate user feedback loops and collect RLHF data, continuously improving model performance and delivering more effective solutions.

Integrated in the Linux kernel since 2014, eBPF has allowed the creation of a large variety of projects (observability, security, network, etc.). Unlike kernel modules, eBPF programs can be loaded by unprivileged users. The Linux kernel is protected by a static analyzer, called the eBPF verifier, which verifies that eBPF programs cannot harm the kernel and respect required security properties. Recently, several research works have shown that the eBPF verifier, which is a critical component, is not sound. This means that programs which should be rejected are accepted by the verifier, allowing unprivileged users to run malicious programs (e.g [1,2,3,4,5]). In this talk, we propose to evaluate the performance of the eBPF verifier through the measurement of three main aspects:

• Performance evaluation: to understand the evolution of the eBPF verifier versions, we evaluated the verification time and consumed memory of six eBPF verifier versions (Linux kernel 5.0 to 6.8, both included). The results show that for some eBPF programs, the verifiers have nearly the same verification times (except for the conditional jumps, where the verification time has decreased since the introduction of the bounded loops in the Linux kernel 5.3). Consumed memory remains also stable.

• Comparative evaluation with PREVAIL: as the eBPF verifier is not sound, we compared it to PREVAIL, which is another verifier proposed in 2019 at the PLDI conference. PREVAIL is a sound verifier that runs in user space and is used in the eBPF infrastructure of Windows. On the one hand, we were interested in the implementation differences between the two verification solutions and on the other hand, we observed the performance difference between the two verifiers. We observed that, although PREVAIL's performance has improved, it remains less efficient than the eBPF verifier. Nevertheless, PREVAIL showed that it can efficiently verify programs containing a lot of paths (implied by conditional jumps) thanks to the join operator and the fixpoint computation used for the bounded loops, where the eBPF verifier would have created a lot of paths, trying to reduce them with pruning.

• Impact of compilers: beyond the verification mechanisms, there are external constraints such as the compilers: An eBPF program is first compiled into eBPF bytecode and then analyzed. However, we observed that for the eBPF verifier with a specific eBPF program, which varies only by its number of loop iterations, Clang-8 produced more programs accepted by the eBPF verifier and these programs are verified faster than those produced by Clang-14.

I want to keep up my mission to make STARTTLS a technology of the past by recapping on the issues STARTTLS creates and providing advice how to (avoid) implementing (most of) it. The talk will be 5 to 10 minutes and is motivated by my research about real-world STARTTLS issues (https://nostarttls.secvuln.info/) and the implementations I (reluctantly) wrote (https://github.com/duesee/imap-next).

Today, each application (and server/instance) that participates in the Fediverse is largely independent when it comes to discovery. User search, discovery of content, trends and recommendations are not easily possible across the network. This is especially problematic for small servers.

"Fediscovery" is a project led by Mastodon gGmbH and funded by NGI Search that explores a way to improve this situation with a set of external services that any fediverse software can use.

The project is meant to produce both specifications that everyone can implement and a reference server implementation.

This talk will give an overview of the project and its goals. And it will give an update about the current state of both the specification efforts and the reference implementation.

The Log4j project gained worldwide attention, when the Log4Shell bug shook the foundations of many software companies and government agencies, affecting millions of applications worldwide.

While the possibility of a security vulnerability can never be excluded, we will look at the steps taken by the Log4j project to minimize the security exposure of its users and drastically improve reaction times to any future vulnerability.

Parallelism is hard. So until recently, TinyGo (the alternative Go compiler for small systems) simply did not implement it. Instead, we used a simple single threaded scheduler that provides concurrency, but not parallelism. This made all programs act like GOMAXPROCS=1, which caused some practical issues.

Over the past few months we added support for running multiple goroutines in parallel on Linux, MacOS, and on the dual-core RP2040 chip. This required changes in many parts of TinyGo that previously assumed single threaded operation.

This talk will cover a variety of topics that may be interesting to anybody who wants to learn about low level primitives:

• Which parts of Go are affected by parallelism.
• Futexes: the building block of concurrency primitives on modern operating systems.
• How some synchronisation primitives like channels and sync.Mutex are implemented in TinyGo.
• How parallelism is implemented in TinyGo on Linux, MacOS, and the RP2040 chip.

The first stage of Valhalla (https://openjdk.org/projects/valhalla/) is almost ready, soon we will release the first stage of the rocket, the ability to declare a class as a value class. A value class object is like a cheap box that is able to solarise itself on stack, avoiding the traditional boxing cost. The next phase is to allow to flatten value class into fields, but for that we need to get ride of null as a possible value. This talk is about the challenges to introduce nullness emotion ('?' Or '!') to the Java type system. Sadly, if you hope that Java can be turned into Kotlin, you will be disappointed.

Testing packages across diverse environments often involves integrating legacy setups like bash scripts with modern frameworks such as testinfra. For many testing teams, traditional Jenkins setups rely on pre-provisioned worker nodes managed exclusively by DevOps, Build and Release, or Operations teams. This reliance often creates a bottleneck, as testing teams are restricted from modifying infrastructure directly, limiting their ability to adapt environments dynamically to meet specific testing requirements.

In this talk, we will demonstrate how Molecule, an open-source testing tool, provides a robust framework for overcoming these challenges. By decoupling test environment management from pre-configured nodes, Molecule empowers testing teams to independently define and execute their tests across multiple environments. We’ll discuss how this approach integrates seamlessly with Jenkins pipelines and supports both legacy and modern testing frameworks.

Attendees will learn how to use Molecule to reduce infrastructure dependencies, streamline testing workflows, and increase flexibility in testing.

In an attempt to increase security and reduce spam, website services ask for more proofs. Most services require you to confirm your email address, but nowadays, some services also demand a proof of domain ownership. Sometimes you need to prove write access to a website. Registration gets much harder, and we have to do it so often. Time to rethink.

We have been used to creating usernames for three decades by now, but the practice has reached it limits: users need to do much more to get access to a service. A tiny simplification is offered via OpenID ("Login via Google"), but the new Open Console project offers a more integrated solution to build a trust relation between a person and a service provider.

In Open Console, a person (or group) collects personal (and group) facts, and can share them with the requirements of the service. When the service only needs a proven email-address, it only gets that email address, not your name. The negotiation about which data is delivered is totally transparent and far more diverse.

Besides personal facts, many different kinds of proofs can be maintained, like a proof of website-ownership. You only need to prove ownership once, and this can be shared with any service which requires it.

Proving website ownership is not easy. The focus of this talk is on the process of establishing this proof. There are many complications in checking the validity of a website. We implemented different approaches for this proof (via DNS, HTML-meta, and file). We would also like to discuss the possible proofs of domain and network (ip-range) ownership with the participants: how to express them in DNS.

Open Console received support from NGI OpenWebSearch.EU and the NLnet Foundation.

Have you ever wondered what happens inside a distributed database when you run a query? In this talk, we’ll explore the inner workings of ClickHouse using OpenTelemetry-compatible distributed tracing to analyze the internal workings of various ClickHouse clusters while we run a variety of queries. Perfect for database enthusiasts and cloud-native developers, this session offers practical insights into tracing tools and query optimization in distributed systems.

The goal of this presentation is twofold:

Firstly, we want to demystify open source project governance. Do you freeze when you hear the term governance? Do you blindly copy and paste the governance of other projects hoping it works for your project too? Do you struggle to keep governance up to date or aligned with what’s actually going on in the project? You’re not alone.

Secondly, we want to provide a simple, practical, and proven approach to writing governance that’s directly inspired from coding best practices. The very same concepts that are used when writing code (e.g. Don’t Repeat Yourself, Keep It Simple, or Separation of Concerns) have direct application when authoring governance documents and create the same kind of positive outcomes: governance that is simple to understand, flexible, and and easy to maintain. You’ll never come back from thinking about governance as code.

By the time you leave this presentation, you’ll have an entirely new perspective on governance and will feel empowered by your ability to leverage your existing software engineering skills in this new domain.

"A scalable, High-Performance Distributed File System" marked the beginning of Ceph story and since CephFS has been declared stable, it has become a viable option for workloads ranging from High Performance Computing to Kubernetes. In this talk we discuss the configuration tuning we applied to transition from a freshly deployed filesystem to one suitable for a production usecase that mixes decent performance, reliability and capacity.

After spending the past 10 years (and more!) working with WebRTC, and even more than that with SIP/RTP, I decided to have a look at the efforts happening within the standardization community on how to leverage QUIC for real-time media. This led me to studying not only QUIC itself, but also RTP Over QUIC (RoQ) and Media Over QUIC (MoQT).

As part of my learning process, I started writing a QUIC library, called imquic. While it can (mostly) be used as a generic QUIC/WebTransport library, I also implemented native support within the library for both RoQ and MoQT, as a testbed to use for prototyping the new protocols in an experimental way. This presentation will introduce these new protocols and the imquic library implementing them, talking a bit about the existing demos and the proof-of-concept integration in the Janus WebRTC Server for QUIC-to-WebRTC translation.

Get to know the Aparoksha project. Write your app once and deliver a truly native look and feel across the major desktop platforms, all with a declarative framework!

The most mature part of this project is the Adwaita for Swift package, allowing the creation of native GNOME apps.

In this presentation, I'll introduce the core principles of Aparoksha, showcase its current capabilities, and share my vision for its future.

Wikis are a place where humans collaborate to store knowledge. It excels at free-form natural language representation of knowledge which can be stored and retrieved easily by humans. It also increasingly serves as a knowledge base for chat bots and other artificial agents which are based on LLMs and their technologies.

While interacting with humans in a chat, AI agents can also gain new knowledge. This talk proposes that the wikis can also be a place where AI agents can persist this information. In that way, it would be readable for both humans and AI agents. This would make the wiki a perfect place for human / AI collaboration.

Abstract

The Borgman's conundrum challenges [1] have been initially formulated concerning the difficulties to share Research Data: which Research Data might be shared, by whom, with whom, under what conditions, why, and to what effects.

In our previous work, we have proposed a Research Software Definition [2] with a formulation that we have adapted in order to propose a Research Data definition [3,4]. We have thus constructed a framework to understand and to explain Research Software and Research Data in the Open Science context [5].

This framework is constructed in three stages: definition, dissemination, and evaluation of these research outputs [2,3,4], and it is now completed with answers to the Borgman's conundrum challenges for Research Data [3] and for Research Software [6].

In this talk we will present our answers to the Borgman's conundrum challenges, and we will explain the comparison methodologies that we have developed in order to construct and to complete this Open Science framework.

It is our understanding that to provide correct and clear answers to the conundrum questions will have, as a consequence, the improvement of Research Software and Research Data sharing and dissemination practices, which, in turn, will enhance trustworthiness, correctness, rigor, reproducibility, reusability and transparency in the research endeavor.

This is a joint work with Prof. Tomas Recio, Universidad Antonio de Nebrija, Madrid.

This FOSDEM'25 presentation follows and extends our previous talks at FOSDEM:

• [FOSDEM'21] Free/Open source Research Software production at the Gaspard-Monge Computer Science laboratory. Lessons learnt. https://archive.fosdem.org/2021/schedule/event/open_research_gaspard_monge/

• [FOSDEM'22] On the dissemination/evaluation loop for Research Software. https://archive.fosdem.org/2022/schedule/event/open_research_cdur/

References

[1] Borgman, C.L. The conundrum of sharing research data. J Am Soc Inf Sci Tec 2012, 63, 1059–1078. https://doi.org/10.1002/asi.22634

[2] Gomez-Diaz, T.; Recio, T. On the evaluation of research software: the CDUR procedure [version 2; peer review: 2 approved]. F1000Research 2019, 8 1353. https://doi.org/10.12688/f1000research.19994.2

[3] Gomez-Diaz, T.; Recio, T. Research Software vs. Research Data I: Towards a Research Data definition in the Open Science context. [version 2; peer review: 3 approved]. F1000Research 2022, 11 118. https://doi.org/10.12688/f1000research.78195.2

[4] Gomez-Diaz, T.; Recio, T. Research Software vs. Research Data II: Protocols for Research Data dissemination and evaluation in the Open Science context. [version 2; peer review: 2 approved]. F1000Research 2022, 11 117. https://doi.org/10.12688/f1000research.78459.2

[5] Gomez-Diaz, T.; Recio, T. Towards an Open Science definition as a political and legal framework: on the sharing and dissemination of research outputs.

• POLIS 2020, N. 19. https://doi.org/10.58944/yuro5734
• Version 3, 2021, available at https://zenodo.org/doi/10.5281/zenodo.4577065

[6] Gomez-Diaz, T.; Recio, T. The conundrum challenges for Research Software in Open Science, Computers, 2024, 13(11), 302. https://doi.org/10.3390/computers13110302

RISC-V's instruction set architecture (ISA) has enabled seasoned embedded software engineers to experiment with FPGAs since numerous open-source RISC-V cores can be flashed onto an FPGA.

The Zephyr Project is rapidly emerging as a leading real-time operating system (RTOS). Zephyr integrates open-source and security best practices to ensure a vendor-neutral, secure, and reliable platform.

One of the exciting features of the RISCV ISA is the Custom Function Unit (CFU), which enables a framework to support custom operations in hardware, which is accessible from software. In this talk, Mohammed will provide an in-depth demonstration on how to add a CFU into a RISCV core on an FPGA, how to make the appropriate calls from Zephyr, and the possibilities that the CFU enables for hardware acceleration in embedded systems.

During compilation, GCC breaks down switch statements into simpler statements. If a switch has a specific structure, GCC may use techniques that result in faster code. We call these techniques "switch optimizations".

In this talk we'll overview switch optimizations in GCC. Then we'll go into more detail on turning switches into array lookups. In GCC this is called "switch conversion". I'll introduce a new method called "exponential transformation" that I recently contributed to switch conversion. If time permits, we will also discuss potential future work on switch optimizations.

I plan to make this talk beginner-friendly. I myself have started working on GCC just 2 years ago. The talk should however give the audience a good idea about what switch optimizations are available and what they do.

Expected prior knowledge: What is a C switch statement. What is an intermediate representation (or intermediate language).

The eBPF verifier has repeatedly suffered from bugs in its verification algorithm which enable malicious applications to perform container escapes and privilege escalation. To improve upon this, existing work applies fuzzing (Chaignon'24) and formal methods (Agni) to the verifier in order to find and fix bugs. However, in the mid-term, these approaches are unlikely to result in a verifier that is fully bug-free. While academic works have proposed the use of hardware-based isolation (MOAT, Hive, SafeBPF) and software-fault isolation (BeeBox) to mitigate verifier bugs, these approaches suffer from portability issues, require significant design-changes with unclear consequences, or have runtime overheads.

Motivated by the shortcomings of the existing approaches, this talk discusses an alternative approach to prevent verifier-bugs from being exploited. By requiring eBPF bytecode to be compiled from safe Rust source code by a trusted systems service, program-safety would effectively be checked twice by two very different static analyzers (i.e., rustc's compiler passes and the eBPF verifier). Therefore, a bug in one of the analyzers will no longer directly result in a kernel exploit as the other analyzer is unlikely to exhibit the same buggy behavior and therefore still catch malicious programs. This approach is appealing as it is unlikely to result in runtime overheads and does not require significant changes to the kernel.

We analyze whether this is a viable approach to mitigate bugs in the eBPF verifier, taking runtime-overheads, expressiveness, and security into consideration. Specifically, we analyze whether past bugs in rustc and the eBPF verifier could have been chained together in order to exploit the proposed design as a whole.

We find that the fundamental flexibility of the Rust-IR-to-eBPF mapping allows attackers to still exploit the system as a whole. We also investigate whether using the alternative PREVAIL eBPF verifier would prevent a similar attack, but find that there exists a simple construction that allows attackers to combine exploits for the individual verifiers into an exploit that works for the verifiers when chained together.

LIVE! Writing and deploying your first AWS Lambda function using Swift. We'll write a simple lambda function and deploy it within 20 minutes using the VSCode extension for AWS Lambda.

In the realm of operating systems, the heart of performance lies in the CPU scheduler: a critical component responsible for managing the execution of tasks on a system.

Exploring and customizing CPU scheduling policies has long been the realm of few highly specialized kernel developers, leaving most developers and researchers without the tools to tailor system performance to their unique needs.

What if we could unlock this potential and make it accessible to a wider audience, from game developers, cloud service providers to AI researchers and performance engineers?

With sched-ext [1], eBPF and Rust, this vision can become a reality, enabling the development of multiple dynamic specialized schedulers, tailored to specific system workloads and architectural topologies, that can be loaded and managed as regular user-space programs [2].

[1] https://sched-ext.com/ [2] https://github.com/sched-ext/scx/tree/main/rust/scx_rustland_core

We present a formal specification of NOVA that captures its complex concurrent and architectural behavior. Our specification combines an operational specification for unprivileged user code with a separation logic specification of privileged state and operations. The specification precisely captures the subtle behaviors of NOVA such as address translation and user faults. Separation logic’s small footprint and open world nature makes the specification highly modular and reasonably high level, allowing us to abstract architectural details that are encapsulated by NOVA and evolve the formal specification as NOVA evolves. Using the specification, we have carried out proofs of the NOVA source code as well as of applications running on top of NOVA.

Containers have become the preferred solution for cloud-native applications due to their lightweight nature and scalability. However, their security limitations, particularly from shared kernel access, have led to a renewed interest in traditional VMs for stronger isolation. Technologies like kata-containers enhance security by running containers inside microVMs, offering better isolation, but they introduce complexity and overhead. Specifically, the container runtimes spawn additional processes to manage the container within the VM, adding extra layers of complexity and resource consumption.

This talk examines the pros and cons of sandboxed container runtimes, focusing on the added complexity of auxiliary processes. It then proposes a more efficient and streamlined approach based on the unikernel paradigm, where only the application and its dependencies are running. Rather than using strict unikernels, it explores how containers can run inside specialized, stripped-down Linux VMs, containing only the components required by the application and without additional services. This is achieved through urunc, a CRI-compatible container runtime that treats unikernels like standard containers, managing the user application via the VM process.

Arguably the single most important piece of software on any mobile phone is its Web browser. This is especially true on alternative mobile platforms where Web apps are often the best or only way to access essential services and functionality.

While mobile apps are increasingly targeted at just the dominant platforms, they are also increasingly built using Web technologies, making them accessible to any platform with a decent browser. The result is that Linux-based mobile platforms beyond Android and iOS have the potential to be more viable than ever before.

But the embedded browser landscape is in continual flux, with multiple offerings built on different technologies, including Blink, V8, WebKit, JavaScriptCore, Gecko, SpiderMonkey and Servo Layout. On top of these are frameworks intended to make their use more accessible to embedded systems. These include the Chromium Embedded Framework, Web Platform for Embedded, Qt WebEngine and Gecko WebView.

In this talk I'll look at the different offerings available and consider their appropriateness for mobile Linux. What features do they offer, how practical is their use and why should you choose one over another? In particular I'll look at the minimal API needed for any practical implementation, how the APIs differ across the offerings and how they can be made use of as embedded browsers in mobile applications.

To give a more complete understanding of what embedded browsers are like to use in practice, the talk will include example applications with demonstration code.

The Wikimedia Foundation supports hundreds of thousands of people around the world in creating the largest free knowledge projects in history. In order to do this we run on-premise infrastructure at significant scale, using almost exclusively free and open-source components. Our data processing and real-time analytics requirements are constantly evolving and our Data Platform Engineering teams face complex challenges in the fields of data-engineering and machine-learning, as well as the operational workload of supporting these systems in production.

Wikimedia’s data platform today runs on some of the most vital open source projects such as Hadoop, Kubernetes, Ceph, Druid, Cassandra, Spark, Hive, Iceberg, Flink, Presto, Jupyter, MariaDB, PostgreSQL, Superset, and Airflow.

We started working with Airflow in 2019, when it was still an Apache incubator project. Over the past five years our deployments have matured and we succeeded in migrating the last of our Oozie-based workflows to Airflow in mid-2023. In addition, we offer Airflow services to other data-focused WMF engineering teams, in order to facilitate a self-service approach to data pipelines.

During 2024, the Data Platform SRE team undertook a major project to enhance our Airflow services by migrating them from bare-metal and VMs to our on-premise Kubernetes and Ceph clusters. This burgeoning integration between Airflow, Kubernetes, Spark, and Ceph has enabled us to broaden the scope and applicability of Airflow to include ML model training and data publishing workloads, plus more in future.

This is an account of how we got here, the challenges we overcame and where we plan to go from here.

How we implemented PVH boot capability to the NetBSD kernel, allowing it to start straight from QEMU's -kernel parameter or Firecracker's VMM. In the process, we reduced boot time from 300 to 20ms, using methods borrowed from FreeBSD, and some in-house optimisations to get rid of unnecessary delays.

Our community has been confused and concerned at the last-minute addition to the Cyber Resilience Act (CRA) that created the class of “Open Source Steward”. Many projects want to know ASAP if their own project will be such a Steward, or if their fiscal sponsor will be forced to be a Steward. Most projects operate with small budgets, even those with fiscal sponsors, and as such CRA compliance could financially ruin projects.

At this session, we'll have experts to answer these questions and others, and help you to not panic about what we face in the CRA.

Bluetooth Low Energy, commonly abbreviated as BLE, is a well-known wireless communication technology aimed at low-power applications. It divides devices into two categories: low-cost, potentially high volume, battery constrained peripheral devices such as head phones or heart rate monitors, and comparatively more powerful and less constrained central devices, such as smartphones and notebooks.

The Zephyr Project has supported developing BLE peripheral applications for a long time. But it may not be well known that it also supports BLE host applications, or central devices as the standard calls them. In his talk, Florian will take a look at how we can develop BLE host applications using Zephyr. After a (very) short introduction to the BLE protocol stack, he will delve into Zephyr's Bluetooth API and more importantly talk about the pitfalls he encountered while getting his feet wet with Zephyr. On the practical side, this talk will look into how BLE applications remain portabile between boards by different vendors, and how the many BLE-enabled emulators and simulators provided by Zephyr can be used for quicker development and testing.

In this talk you will learn about:

• the basics of the BLE protocols
• the Zephyr Bluetooth API and its pitfalls
• how portable Zephyr applications using BLE are
• how you can utilize the Zephyr emulators and simulators for BLE development

Passbolt is an open-source platform for secure credential management. The solution has demonstrated its effectiveness with over 400,000 daily users and thousands of companies relying on it worldwide.

In this talk, we will present real-world use cases, and discuss Passbolt strengths in centralizing, organizing, and sharing credentials without compromising security or privacy. We will also provide a sneak peek at the upcoming v5 release, which features a new security model.

This talk aims to provide insights into technical advancements while sparking discussions on the challenges and opportunities posed by the need for secure collaboration.

As a follow up to my award-winning FOSDEM 2023 talk "Hosting your own DNS for 'fun' and zero profit", I'll provide an update covering my experiences using Lightning Stream for zone replication between PowerDNS authoritative servers.

Lightning Stream offers significant advantages over traditional database-style replication (typically using relational databases like MariaDB and PostgreSQL), including simpler configuration, easier troubleshooting, and the ability to add/remove cluster members without having to reconfigure existing cluster members (providing a very loosely coupled 'cluster').

PowerDNS Lightning Stream MinIO LMDB

IRC is a venerable 37 year old chat protocol used by many open-source software projects, technical experts happily lending their help and other discussion groups. However, the historic IRC protocol is not always well-suited to modern usage, such as connecting from multiple devices with unreliable connectivity, or connecting from battery-constrained mobile devices.

In this talk, Simon and Thomas will explain how IRC has evolved in the last few years to address these challenges through efforts like the IRCv3 working group and new software (soju, senpai, gamja, goguma). We've been working on adding new features such as easily accessing message history, sharing files and pictures and searching through messages. Some of the architectural design decisions may be interesting to people working on other open protocols, for instance secure and interoperable push notifications or OAuth integration.

Quantum computers that are able to break classical cryptography are generally expected to appear in the coming decades. To prevent encrypted emails from being decryptable by an attacker at that point, we need to start using post-quantum cryptography as soon as feasible.

To that end, we're standardizing the use of post-quantum cryptography in OpenPGP. In addition, for long-term storage and archival, we're standardizing the use of persistent symmetric keys, which allows for more efficient encryption, while still being post-quantum secure as well.

In this talk, we'll present the state of the standardization and implementation efforts, and discuss how the transition might affect applications using OpenPGP, as well as their end users.

ActivityPub remains, to this day, the most successful decentralized social networking platform to date: dozens of interoperable implementations, thousands of servers, millions of users, all speaking over the same protocol in what's today called the "fediverse" (federated social web). The modern-day fediverse is an impressive achievement, but it also leaves many issues to be addressed. Servers can go down, content can disappear and users can lose access to their identity. Authorization mechanisms are under-specified and rich interactions are fairly limited. This talk, by the two primary editors of the ActivityPub specification, explores where we think the fediverse should go and how we're building a future for "secure collaboration" technology at the Spritely Institute.

What was the last npm package you installed? Did anything unexpected happen? Are you sure?

The scale and pace of modern software development are made possible by the ready availability of open-source packages via major registries like npm and PyPI. These registries are always within reach of developers thanks to command-line package managers like npm and pip, enabling rapid testing and deployment of third-party code as part of normal workflows. However, these benefits come at the cost of particular security concerns: threat actors routinely target software developers via open-source package registries, either by publishing backdoored packages or by taking over and corrupting legitimate software. In many such supply-chain attacks, merely installing the malicious package is enough to hand control of one’s system over to the adversary.

In this talk, we lay out the strategies that threat actors use when targeting software developers via open-source package registries. We do so by examining case-studies in open-source malware delivery via npm and PyPI, some involving nation-state actors, that we at Datadog Security Research have collected while continuously monitoring these ecosystems with GuardDog, an open-source scanner for identifying malicious packages by analyzing code patterns and package metadata. We then propose recommendations for developers, as well as for the package registries themselves, to counter these strategies that could lead to a greater overall level of software supply-chain security in the open-source community.

In the latest installment of the Go Without Wires saga, I will demonstrate several new capabilities in wireless communication using a variety of frequencies of the electromagnetic spectrum, all using our favorite programming language. There will be moving objects.

Java developers struggle with the trade-off between precise profiling and application stability. Unofficial methods like AsyncGetCallTrace offer precision but risk crashes, while official APIs such as JVMTI, JMX, and StackWalker are stable but biased due to safepoint polling. Java Flight Recorder (JFR) reduces this bias but introduces interpolation errors.

This talk addresses these challenges with three key topics: • Combining precise sampling with JFR’s stability to remove biases without sacrificing reliability. • Using eBPF probes and examining JVM internals for safer, detailed profiling. • Enhancing precision with user-supplied profiling contexts.

We will review the history of Java profilers and discuss the future of JVM profiling, with a focus on CPU profiling. Attendees will gain insights into new methods aimed at achieving accurate, stable performance analysis in Java applications, comparing them with async-profiler and existing tools.

The Dronecode Foundation hosts an ecosystem of open-source projects, developers, and contributing organizations. Dronecode is an umbrella foundation (part of The Linux Foundation) hosting open-source projects that offer solutions to robotics developers looking to build Aerial solutions.

The PX4 Autopilot is an open-source flight controller project that offers developers a stable foundation for building drones. The project sustains a community of thousands of robotics developers and hundreds of companies building complex drone solutions on top of PX4, including everything from wedding photography to package delivery for Walmart.

Our humble open-source project has supported an ever-growing community of contributors at times with little to no resources. With the growing complexity of demanding robotics workflows, proving reliable and reproducible testing to guarantee the safety of our codebase has been a constant challenge.

I will share the cautionary tale of how not to run CI for a robotics project, the scary times when we wanted to delete our whole infra and start fresh, and how we found the strength to move on. I will also share the gory details behind running an open-source robotics project and the supporting tooling needed to support our complex workflows and demanding community.

Our Continuous Integration pipeline is far from sophisticated, but it is responsible for supporting thousands of developers and is the backbone of our infrastructure. Some of the topics I will be discussing: Maximizing containers for reproducible builds Running a hardware-in-the-loop service with embedded hardware connected to the cloud. Moving from Jenkins to GitHub Actions Hosting our own GitHub Actions runners Build patterns for better GitHub Actions development across distributed teams. Building an array of upwards of 60 builds per pull request in GitHub Actions

Digital Public Goods are often celebrated as open-source software, open data, open AI models, open standards, and open content. However, true public goods require more than openness—they demand active community governance, collective stewardship, and responsible contributions to thrive as shared resources.

While proprietary software sustains itself through licensing, support, and vendor lock-in, open-source software relies on a delicate balance of professional firms, organizational backing, and dedicated enthusiasts. The open model has fueled flexibility, innovation, and the global adoption of open technologies.

Yet, the rapid growth of "open" has not been matched by an equivalent rise in contributions or investments in maintenance. Discussions often prioritize licensing over the essential question: How do we, as a community, ensure that digital public goods are sustainable? This talk explores the responsibility of contributors, organizations, and users in building a resilient ecosystem for open technologies.

Incremental LTO in GCC

Link Time Optimization (LTO) postpones many compiler steps into linking, when we have access to all files linked together. This allows us to optimize across compilation units leading to significantly faster and smaller binaries. However it comes at a cost of long compile times because after even a minor edit the entire application needs to be re-optimized. Incremental LTO will be a new feature of GCC 15 which aims to reduce those compile times for small changes by caching LTO partitions unaffected by the change.

This talk will cover quick overview of Incremental LTO and how to use it in upcoming GCC 15 along with a simple example. I will also show estimate of how much compile time can be saved when recompiling GCC itself.

eBPF (Extended Berkeley Packet Filter) is revolutionizing the way developers interact with the Linux kernel, enabling them to run user-defined programs in a highly efficient and safe manner.

This session will introduce you to Aya, a modern Rust-based eBPF library. Unlike traditional eBPF libraries such as libbpf and bcc, Aya is built entirely in Rust and leverages the libc crate for syscalls, offering a clean, lightweight, and efficient interface for eBPF development.

In this session, we’ll explore how Aya simplifies the eBPF programming workflow, including features like BTF (BPF Type Format) support, which enables programs to run across different kernel versions without needing recompilation.

You’ll learn how Aya’s architecture ensures fast deployment and builds, with no need for a kernel build, compiled headers, or even a C toolchain. The result is a streamlined, "compile once, run everywhere" solution that allows you to easily deploy a single self-contained binary across different Linux distributions and kernel versions.

We'll cover that by using a sample XDP program where we'll be covering aya we'll go across and explain how to use aya components such as aya_log_ebpf or aya_ebpf to bootstrap the code and how our dev and build environment looks like.

Whether you’re new to eBPF or an experienced kernel developer, this session will provide you with the tools and insights to leverage the full power of eBPF using Rust and Aya in your next project.

Links:

• Aya on GitHub
• bpfman on GitHub

Manyfold (https://manyfold.app) is a self-hosted tool for storing, organising and sharing 3d print models. This session will talk about how we've approached adding ActivityPub federation to the system using the "Federails" Rails Engine (https://gitlab.com/experimentslabs/federails), and our approach to using custom extensions to share information across instances and different AP software systems.

This talk gives an overview of the new Swift unqualified name lookup swift-syntax library: SwiftLexicalLookup and the process required to integrate it within the compiler.

It dives into the intricacies of Swift’s name handling, highlights the complex lexical scope hierarchy with many, sometimes unexpected, interesting cases, and provides an overview of the challenging process of testing the new implementation and integrating it within the compiler.

Lastly, the talk provides some practical insights on how to start contributing to Swift from the perspective of a new contributor.

In this talk we will review together TrendS, a newly implemented subsystem within CGRateS to help you build your own traffic trends analysis as well as react to unexpected behaviour through automatic actions available. CGRateS is a battle-tested Open-Source Enterprise Billing Suite with support for various prepaid and postpaid billing modes.

What is a problem on Twitter et al will become the same mess on GitHub od Gitlab - just a matter of time.

For this reason Forgejo is working on federation for git platforms. Some months ago we released the first user visible feature the federated star and we will continue our path.

We will talk about our motivation, point out the general roadmap and show implementation details.

Other fedi devs and discussions are very welcome.