How many times have you built a taxonomy for open source software analysis? Whether you’re writing a survey for open source contributors or categorizing thousands of repositories, you’ve most likely had to create some kind of organizational structure to make sense of the data. Over the course of researching and analyzing open source projects, I’ve searched for and created many bespoke taxonomies to meet my analytical needs. In this talk, I’d like to share key learnings and pitfalls in my pursuit to answer “how do project characteristics influence behavior?”, as well as propose a solution for open source researchers to share and collaborate on open source taxonomies. No one should have build a new OSS taxonomy in a vacuum!

An average Linux distro has about half a dozen file syncing libs. The source code we sync with git and other SCMs. But how can we sync some structured data? JSON, for example. Two-way, maybe in real time, for collaboration, revision control, and simply device syncing. As it turns out, there are challenges.

I will outline the history of the question and the ongoing efforts. Then, we will delve into the Replicated Data eXchange format (RDX) and the progress of librdx.

Panoramax is a FLOSS project initiated 2 years ago in France by OpenStreetMap France and the national geographic institute (IGN).

Its goal is to provide a decentralized way to share and publish street level imagery.

This session will present the current status of the project, the software stack and the standards on which we built Panoramax like STAC and EXIF.

LibreOffice's Python API is among the more user-friendly options. It provides extensive functionality in a Pythonic manner right out of the box. However, for aspects of the UNO API that aren't straightforwardly supported, alternative methods may be necessary.

Join me as I demonstrate a few problems on this topic, along with some handy tips and tricks!

Learn about Poppler, the PDF rendering library used by the main Linux desktop applications. Where it came from? What about the name? Which features does it have?

Fortran => Scientific Computing => Performance Wasm => In Browser => Portability

Why would someone want to have both? Can Flang actually do that?

We will cover into that talk a new proposal to design and distribute open source firmware in the datacenter world by relying on secure boot from a single component (the BMC) and extensive attestation from the remaining part of a server. The BMC will starts from a network boot and load all required firmware (from PCIe end points, to microcontroller) from a trusted source before starting target. This approach is currently implemented on HPE Gen11 servers which supports Open Source Firmware. Our goal is to enhance security by decoupling the firmware and hardware supply chain, and allowing easier update process.

In this presentation, we introduce DuckPGQ, an open-source community extension for DuckDB, an in-process analytical database system with a relational data model. DuckPGQ extends DuckDB’s capabilities to support graph processing, leveraging the property graph data model and implementing the SQL/PGQ standard. This enables users to query and analyze graph data within the familiar SQL environment. By harnessing DuckDB’s efficient in-memory architecture, DuckPGQ facilitates fast and seamless graph operations on tabular data and has been shown to outperform traditional graph databases like Neo4j on certain pattern matching queries. Additionally, DuckPGQ supports efficient execution of graph algorithms, enabling complex analytics such as PageRank and clustering operations. We’ll explore how DuckPGQ bridges the gap between relational and graph data, empowering users to perform pattern matching, path-finding, and more—all without needing specialized graph databases and from the convenience of your own laptop.

In 2015 a ticket was opened asking for container migration support in Kubernetes. In 2022 the first minimal support to checkpoint and restore containers was added to Kubernetes 1.25 as an Alpha feature. In Kubernetes 1.30 (2024 ) the checkpoint/restore support graduated to the Beta phase.

In this session I want to give an overview what is currently possible in regards to checkpointing and restoring containers in Kubernetes. I want to give details in what way the containerd and CRI-O implementations differ and I want to describe the future plans for checkpoint/restore in Kubernetes.

This session will present an end-to-end scenario to support confidential computing on Arm (CCA). The first part will focus on a reference implementation stack that integrates firmware, operating system, virtual machine monitor and container environment on QEMU's SBSA platform. From there we will present the verifier that runs in the cloud to attest security claims generated by the reference stack. We will conclude by going over the tooling needed to compute initial Realm measurements and give an overview of a key broker proof-of-concept that works with the stack and verifier to deliver a secret payload.

SFC funded and supported Sebastian Steck's lawsuit against wireless router manufacturer AVM. That lawsuit has recently concluded. AVM has provided the complete source code for all LGPL works, which means everything needed to reinstall changes, for the FRITZ!Box 4020. This marks the first time to our knowledge in Germany that an individual purchaser has successfully sued a manufacturer and received complete source code as a result. This talk will describe what the case was about, what the compliance issues were before the lawsuit, and how "the scripts used to control compilation and installation" that AVM provided over the course of the lawsuit brought them into compliance with LGPLv2.1.

The Yocto Project offers the cve-check class to allow users to check for known vulnerabilities in the packages they include in their distribution. However, the CRA (Cyber Resilience Act) and changes around vulnerability databases require a different approach. The move to multiple databases and more dynamic vulnerability checking is in progress.

In this talk, we will explain the ongoing move to external checking for vulnerabilities in the Yocto Project. This will allow users to verify their distribution years after the release without the original build directory.

As the future of the NVD (National Vulnerability Database) is unknown, we are also considering using other databases, starting with raw data from the CVE (Common Vulnerability Enumeration) program.

The audience will also discover VEX (Vulnerability Exchange), allowing per-product annotations of vulnerabilities: you can finally say, "Not affected, we disabled the vulnerable configuration option!"

This talk is 25 minutes; if we have 50, we can add more content and examples.

How to ensure that object files from two compilers are ABI (Application Binary Interface) compatible?

This talk presents a tool capable of extracting ABI properties for a RISC-V compiler. This human readable summary can be compared to another version, be it a reference version or one created for a different compiler or with different options, exposing where compatibility problems can pop up.

While the topic may not receive extensive attention, certain methods for ABI validation do exist, most of which focus on libraries. This tool, however, adopts a unique approach by focusing on extracting ABI properties to ensure compatibility between object files produced by different compilers. It covers aspects from data type sizes/alignment to the organization of data in registers and on the stack. For example, it identifies which registers or stack locations are used for variable/struct argument passing and distinguishes caller-saved from callee-saved registers.

Let's take look at how much of the LibreOffice internal and external API is marked as deprecated and since when. Maybe also ask ourselves whether we are doing fine or we forgot something important we wanted to do.

Want to stay in sync with Android’s latest features and bring them into your own projects? Join a former Googler and Android team member as we dive into Trunk Stable – Android’s new quarterly release model.

We’ll explore why this change is much needed for improving quality, releasing more frequently, and meeting upcoming regulatory compliance.

You’ll learn how to define features, A/B test them, and make sense of next, trunk_food, and trunk_staging. We’ll discuss strategies for rebasing your changes onto the latest code, managing feature flags with tools like aconfig, and keeping your projects aligned with the newest Android updates.

We are planning to kick off this BoF by discussing the Continuous Performance Testing (CPT) methodology. At Red Hat, We are implementing this approach to ensure that our projects and products consistently meet the minimum performance and scalability standards with each update.

After that, participants will have the opportunity to discuss the performance and scalability challenges they are encountering, as well as the strategies they are employing to address these issues prior to the final release of their projects or products.

Following these discussions, We intend to arrange dedicated talks later with attendees that will concentrate on the specific performance and scalability challenges they are facing.

At the Scientific Computing Institute at TU Darmstadt, we have experience with developing LLVM-based tools. In the past, however, we usually focused on C/C++ codes via the Clang compiler [1,2]. With the change to flang-new [3] as the default LLVM Fortran frontend, we were interested in developing tooling for Fortran codes. In this talk we want to take you through our journey towards flang‑new based Fortran tooling. After building ~legacy~ established Fortran codes [4,5] with flang-new we wrangled with OpenMPI, employed static analysis tools inside the compile pipeline, and measured performance with the Score‑P [6] profiling library.

We will conclude our talk by presenting first results and describing our first impressions working with the evolving flang-new infrastructure.

This talks is intended for people with an interest in Fortran applications, tooling, or a general curiosity in the possibilities given by the LLVM infrastructure.

With zero experience with NixOS, I grabbed an unused $60 LTE-enabled laptop bought in a fire sale during the pandemic and an LTE SIM card to build a router for my newly purchased home so I could have the minimal Internet necessary for its security system and home automation without having to record what I did in case the laptop died.

I did this in a few hours with less than 100 lines of Nix. I did not think that it would be this easy. It served my Internet needs for several months without failure.

This talk will cover some hijinks of NixOS, using LTE for home internet somewhere you don't yet live, and the joy of things that Just Work... when they work.

Lots of open-source projects use documentation as code to collaborate on web sites and documentation. But how do you integrate the different parts of a documentation pipeline to provide a great contributor and user experience? AsciiDoc is a popular plain text markup language for writing technical content, and lots of open-source projects use it. It’s loved for its rich features and its ability to modularize and reuse content. The AsciiDoc Working Group at the Eclipse Foundation has recently published the AsciiDoc Language documentation, and it is continuing to work on the AsciiDoc Language Specification that is the foundation to define standard parsing rules for the language. This talk showcases different AsciiDoc tools in real-world project documentation pipelines to show what is possible today when you author, verify, convert, and publish content. It also highlights what challenges will be solved with the evolving AsciiDoc Language Specification.

Self-hosting an e-mail server is notoriously challenging. While privacy is a top concern for many individuals and businesses, the complexities of self-hosting a mail server often outweigh the benefits, leading many to choose to sacrifice some privacy and pay a third-party provider to manage their email instead. One of the key challenges of self-hosting an email server is the outdated and complex nature of most available open-source mail server software.

Stalwart Mail Server seeks to change this by providing a modern, open-source mail server built in Rust that prioritizes ease of use, security, and privacy. Designed to simplify self-hosting, Stalwart Mail Server enables individuals and businesses to reclaim their email autonomy with confidence. This talk will explore how Stalwart Mail Server democratizes email, promoting decentralization by making self-hosted email accessible, secure, and efficient. Join us to learn how Stalwart can empower you to take back control of your email in today’s digital landscape.

In May 2023, the a decloaking method called tunnelvision raised awareness about security implications about supporting the DHCP option 121. This talk with show practical mitigation methods against this technique and also similar issues that deserve similar attention. This will be from the perspective of the team developing NetworkManager that makes mitigation against this easily available.

Most computer programs run with far more privileges than necessary. Many techniques have been developed to drop privileges and split applications into multiple components, each of which can run with the least amount of privileges necessary to do its job. This can greatly reduce the impact of security bugs, as the affected component will hopefully no longer have the rights to spawn other processes or even access files. Relatively small architectural changes can result in huge security gains.

Most privilege separated daemons out there are written in C. However, it is also possible to do this in Go, as this talk will show with almost copy-pasteable examples targeting POSIX-like operating systems.

After 3 years of development, Project Lilliput, also known as 'Compact Object Headers' is going to ship JEP 450 in JDK24. We want to celebrate that by looking back at how we got here and talk about what Java users can expect from it. We also talk about why we are not done, yet, how all Java users are going to benefit from 'Lilliput 2' and what it takes to get there.

Consider you want to have a concurrency bug that requires threads to run in a specific order. Wouldn't it be great if you could stop and start threads at random? Prevent them from being scheduled onto the CPU? And the best part: Without the application being able to prevent this, like it could do with POSIX STOP and START signals? In come the scheduler extensions for the Linux Kernel. Introduced in version 6.12, they allow you to quickly write your own schedulers with eBPF, and can be the base for simple libraries that enable you to start and stop threads directly in the Linux kernel. This opens the possibility of creating complex scheduler scenarios at a whim.

In this talk, we'll show you a prototypical sched_ext-based library for concurrency testing that we used to reproduce bugs when working on the OpenJDK.

Open source projects can promise the moon in their READMEs, but have you ever wondered what causes end users to actually adopt a project? Bill has interviewed over 20 companies in industries ranging from media to financial services about why they picked Cilium for their cloud native platform.

In this talk, he will reveal what end users truly want when adopting open source projects and what the forcing function was for each of them. You’ll hear firsthand accounts of why companies like DigitalOcean, Rabobank, and The New York Times chose to deploy a project to production, the specific benefits these organizations are reaping, from enhanced security and observability to improved performance and cost savings, and all the triumphs and tribulations along the way.

The talk will also teach other open source projects a process for creating impactful case studies to grow their community. By the end, the audience will how to grow their project with a case study program and why end users actually pick a project.

What's Guix? GNU Guix is a software deployment tool that supports reproducible software deployment. As research results are increasingly the outcome of computational processes, software plays a central role. The ability to verify research results and to experiment with methodologies, core tenets of the scientific methods, requires reproducible software deployment.

What's Software Heritage? Software Heritage is a long term, non-profit, multistakeholder initiative with the ambitious goal to collect, preserve and share all source code publicly available. To our knowledge, Software Heritage is the largest publicly available archive of software source code.

Could we connect Guix with Software Heritage? Yes! It makes Guix the first free software distribution and tool backed by Software Heritage, to our knowledge.

This presentation describes design and implementation we came up and reports on the archival coverage for package source code with data collected over five years. It opens to some remaining challenges toward a better open and reproducible research.

Putting the pixels of LibreOffice into a browser window. With or without Qt. Asking for interaction.

Talk Summary This talk introduces a groundbreaking project aimed at creating a universal solution for scanner drivers across various Linux distributions. By leveraging Snaps and OCI containers, the ScaniVerse project enables the distribution-independent packaging of scanner drivers and applications. This approach enhances flexibility, reduces dependencies, and supports immutable operating systems. Attendees will gain insights into advanced techniques for integrating scanner and printer drivers, including the use of the PAPPL library for retrofitting legacy devices.

Project Description The ScaniVerse project is a pioneering initiative designed to streamline the installation and management of scanner drivers across different Linux distributions. By utilizing Snaps, the project enables the creation of distribution-independent packages, allowing scanner drivers to be easily installed on any system that supports snapd. Additionally, scanner applications can be containerized using OCI containers, facilitating their deployment on immutable operating systems. Key components of the project include the integration of scanner support into the PAPPL library, originally developed for printer applications. This integration supports multi-function devices and provides a unified driver format for both printers and scanners. The project also focuses on retrofitting legacy scanners to ensure continued support for older hardware.

Learning Outcomes for the Community Learning basics of how to package printer/scanner drivers in Snaps for easy installation on any distro supporting snapd. Gaining insights into separating scanning frontends from drivers, enhancing modularity and reducing dependencies. Explore how to package and deploy scanner applications in OCI containers for enhanced manageability and deployment on immutable systems. Understand the potential of eSCL and IPP scanning as standardised infrastructures, moving beyond the limitations of SANE. Discover methods to support legacy scanners using SANE and PAPPL-retrofit for a seamless transition to modern systems. Learn about establishing a common scanning infrastructure that simplifies development and maintenance, benefiting the entire ecosystem.

Traditional package updates using tools like RPM or Zypper can introduce risks, such as incomplete updates or accidentally breaking the running system. To overcome these challenges, we developed container-snap, a prototype plugin designed to deliver atomic OS updates—updates that are fully applied or rolled back without compromising the system's state.

container-snap leverages OCI images as the source for updates and integrates seamlessly with openSUSE’s tukit to enable transactional OS updates. By utilizing Podman’s btrfs storage driver, it creates btrfs subvolumes directly from OCI images, allowing systems to boot from the OCI image. This approach empowers users to construct their own OS images using familiar container image-building tools, like Docker or Buildah.

In this session, we’ll dive into: - The architecture and technical implementation of container-snap - Challenges encountered during development and how we resolved them - Key lessons learned along the way - A live demo showcasing container-snap in action

Come and join this session to learn more about how to boot from an OCI image without bricking your system!

While metrics provide valuable insights into system behavior, they often lack the detail to really understand the system. In this talk, we will explore how tracing techniques can complement metrics to provide a more detailed view of Ceph operations, enabling deeper analysis and troubleshooting.

The presentation will discuss current state of GRUB upstream development.

The satellites of the Sentinel family are Europe's eye in space – managed by the European Space Agency (ESA). They observe the earth continuously and collect enormous amounts of data that provide valuable insights into environmental, climatic, and geospatial changes. These data are used for various applications, including Land Use and Land Cover (LULC) mapping, environmental monitoring, disaster response, climate change analysis, and agricultural monitoring. The Copernicus Data Space Ecosystem makes these data freely available to users, along with tools for processing and analysis. It encourages researchers, developers, and organizations to use these products for various applications, from scientific studies to practical environmental monitoring solutions. These products include but are not limited to, Sentinel data, Digital Elevation Models (DEMs), mosaics, and service products like biophysical parameters such as FAPAR (Fraction of Absorbed Photosynthetically Active Radiation). In addition to these products, the ecosystem also provides a range of tools, including cloud-computing environments and APIs, to simplify and enhance the usability of Earth Observation data. In this session, we will explore how, in addition to freely available data, the Copernicus Data Space Ecosystem provides several open-source capabilities to simplify and enhance EO data usability. These include a cloud-computing environment like JupyterLab, a user-friendly Copernicus Browser for easy data exploration, and APIs like STAC and openEO for streamlined data access and integration. By offering these resources openly, the Copernicus Data Space Ecosystem supports a growing community of users, helping them turn satellite data into actionable knowledge to address global challenges.

LibreOffice Technology provides great engine for processing the documents with LibreOfficeKit. For more advanced usage in a user-friendly fashion the good UI is needed. JSDialog API provides way to interact with existing dialogs and build bespoke widgets for different platforms in the browser.

The Coconut community is actively developing the Secure VM Service Module (SVSM) to provide secure services and trusted device emulation for guest operating systems running in Confidential Virtual Machines (CVMs). Originally designed for AMD SEV-SNP, Coconut SVSM is evolving into a multi-platform solution, with ongoing efforts to integrate support for Intel TDX Partitioning.

This talk will dive into the current progress of Coconut SVSM, focusing on the emulation of devices such as the virtual Trusted Platform Module (vTPM), based on the reference implementation from the Trusted Computing Group (TCG). At this stage, the vTPM in Coconut SVSM is ephemeral, being re-manufactured with each boot. To unlock broader use cases, the community is working on introducing a persistent state for SVSM, enabling the vTPM to preserve its state across reboots. This enhancement will also allows us to support UEFI variable store to support Secure Boot.

Achieving this persistence requires storing encrypted state securely on the untrusted host, with early boot-time attestation to decrypt and validate the state. This process raises several technical challenges that we are actively tackling.

Join us to explore the latest progress in Coconut SVSM, the challenges we’ve overcome, and the exciting opportunities still ahead.

The Torch-MLIR project [1] builds a bridge between the world of machine learning and the LLVM project by providing compiler support from the PyTorch ecosystem to the MLIR ecosystem. This short tutorial covers:

• The projects structure and how to build it
• The TorchOnnxToTorch conversion
• Decomposing complex ONNX
• Lowering from Torch to LinAlg and other lower level dialects

Furthermore, it is discussed how you can get involved and what opportunities especially exist for first time contributors to contribute (code) to the project.

[1] https://github.com/llvm/torch-mlir/

In this talk, I will present how to integrate the Nix package manager with Buck2, an open-source build system developed by Meta, to achieve highly granular and reproducible builds across different platforms.

By integrating Nix and Buck2, developers can benefit from Nix's robust package management and reproducible build environments, while also taking advantage of Buck2's scalable and efficient build system.

I will dive into the details of using remote execution services that support the Bazel remote execution protocol with Buck2 in conjunction with Nix's remote build capabilities and showcasing that using a sample project.

Come to see a first prototype of a CRDT-based real-time distributed collaboration implementation - for being able to collaboratively comment on a Writer document, from a number of distributed LibreOffice instances (desktop, browser or cloud).

Ladybird is a brand-new browser & web engine. Driven by a web standards first approach, Ladybird aims to render the modern web with good performance, stability and security. Currently in heavy development, we take a quick look at its progress, architecture and challenges.

In a continuously changing IT world, not being able to adapt is the difference between yesterday's and tomorrow’s projects. Everybody wants the benefits of changes, but nobody wants to endorse its associated risk. From dev to ops, I’ll share why we created Updatecli, an open-source declarative dependency manager. How automation helps us to anticipate, and fix early, our day-to-day challenges, and where the traps lie.