How we work together and bring Collabora Online integration in Nextcloud to the next level with file conversion, document transformation and AI.

For me, Nix-the-package manager has replaced homebrew, ASDF, and even docker. But its potential goes far beyond managing development environments. With its declarative, reproducible configurations, Nix is also an excellent choice for managing entire servers.

In this talk, I’ll share how I use NixOS and nixos-generators in order to create both stable and ephemeral VMs on my Proxmox hypervisor hosts, and how I run services like Grafana, Docker, Tailscale, and more.

We’ll explore how to deploy and update Proxmox VMs remotely using Nix, set up a WireGuard router with NixOS, and deploy services directly to NixOS declaratively. I’ll also show how to deploy Docker services to NixOS, using the same object tree and code files as all of your other configurations.

Whether you’re managing a homelab or building out larger infrastructure, this talk will showcase how Nix can transform your approach to system configuration and service deployment.

Since the beginning of time, declarative APIs have been driving everything that can happen inside a Kubernetes cluster. Predefined CRDs, operators defining custom CRDs, everything is about declarative APIs. Write your YAML once, deploy it, forget it. That’s how you create a cluster, that’s how you deploy your workload.

But is it, for real, as simple as it sounds? How do you bring declarativeness to the imperative world? In the current state of things, host networking is one huge imperative nightmare. So how to happily marry an old-school Network Manager and brand new Kubernetes API?

Over the years we were working on the NMstate project to provide you with a Declarative Network API, allowing you to manage host networking in a declarative manner.

In 2025 we are coming back with brand new features. Based on the feedback, we focused on air-gapped and big clusters – think hundreds of nodes with hundreds of VLANs each. We also happily married K8s and KubeVirt – no matter what your workload is, containers or VMs, NMstate is there for you.

Not only a project update – we will also show you how the Kubernetes cluster with NMState Operator manages networking on the nodes it deploys. It may sound like a chicken and egg situation, but trust us, it is not. Last but not least, we show how it protects itself from applying destructive network changes potentially taking your cluster down.

Join us and discover what’s new in the world of complex network topologies.

The LLVM compiler infrastructure uses a range of resources for testing various project components, including Buildbots, Buildkite, and GitHub Actions. However, the diversity of these technologies can be confusing, particularly for new maintainers. I personally found it challenging to understand. The introduction of the new CI/CD admin role and the discussions in the RFC are promising developments that should help clarify these complexities.

AMD ROCm™ is based on the LLVM project, which is why AMD is deeply invested in supporting its development. This includes providing resources to test the AMDGPU code generation backend and various GPU offloading programming models. Consequently, AMD maintains a range of upstream buildbots for this purpose.

In this presentation, I discuss the motivation and objectives behind the AMD ROCm™ compiler buildbots and related initiatives. I share my two-year journey, which began with inheriting a single buildbot, then another, and eventually maintaining multiple machines and bot configurations. I delve into the technical challenges I encountered and the solutions I implemented. I also touch on non-technical issues from my perspective and how they were resolved by both me and the community. The presentation concludes with a forward-looking perspective on potential additions to the upstream test infrastructure to address existing blind spots from our point of view.

Necturus is a free and open-source tool for visualizing the connection between handwritten manuscript images and their machine-readable transcriptions. While platforms like Transkribus and eScriptorium excel at generating text from handwritten material, they leave visualization to the side—Transkribus hides its solution behind a paywall, and eScriptorium offers none at all. Yet, for many research endeavors, the line-by-line relationship between text and image remains critical, as seen in projects like the Beckett Digital Manuscript Project and the Joyce Letters Project.

Designed as a lightweight, embeddable React component, Necturus makes it easy for libraries, archives, and researchers to present manuscript images alongside their transcriptions in an interactive and accessible format. A plug-and-play template allows deployment via GitHub Pages with no coding required, while a full version supports scalable, customizable setups for larger projects. By emphasizing both transcription and the manuscript as objects of study, Necturus offers a practical solution for those who value visualization in the process of, as Transkribus puts it, “unlocking the past”.

Project Repositories: Necturus, Necturus Compact

Asfaload aims to secure internet downloads by ensuring the integrity and authenticity of downloaded files. With attacks on the software supply chain becoming more common and more sophisticated, an effective and simple to use solution has to be found for both the developers and their users. All our published software is under the AGPLv3 or MPLv2, and allows for a self-hosted deployment.

The first building block of our solution is a mirror of checksums files, which helps detect modification of released files but is of no help in case of account compromise. That's why we are also working on an upcoming blockchain-based multi-user multi-factor signature scheme, though users will not be directly exposed to the blockchain. For end users, we develop a CLI downloader tool with its accompanying library at asfald. As for software developers, publishing a checksum file (with sha256sum or sha512sum) is sufficient to integrate with Asfaload. In this talk we will present the problem we are addressing, why it is important, how we are addressing it and what simple steps project authors can take to increase the security of their users.

For decades, ODBC/JDBC have been the standard for row-oriented database access. However, modern OLAP systems tend instead to be column-oriented for performance - leading to significant conversion costs when requesting data from database systems. This is where Arrow Database Connectivity comes in!

ADBC is similar to ODBC/JDBC in that it defines a single API which is implemented by drivers to provide access to different databases. The difference being that ADBC's API is defined in terms of the Apache Arrow in-memory columnar format. Applications can code to this standard API much like they would for ODBC or JDBC, but fetch result sets in the Arrow format, avoiding transposition and conversion costs if possible..

This talk will cover goals, use-cases, and examples of using ADBC to communicate with different Data APIs (such as Snowflake, Flight SQL or postgres) with Arrow Native in-memory data.

A presentation about the challenges of tracking and analysis COOL UI / UX commands.

Rust's type system can feel complicated and overwhelming. However, crates like Bevy and Divan take advantage of the advanced features to deliver simpler developer experiences. This talk will demonstrate how to create these easy-to-use APIs by covering advanced techniques like polymorphism, type states, and conditional typing.

The Server Base Boot Requirements (SBBR) by ARM requires UEFI and ACPI support on AArch64 platforms.

While UEFI is already natively supported by U-Boot, ACPI support on ARM64 was only recently added. A first patch series added basic support for booting Linux on QEMU's sbsa-ref machine, which doesn't provide a device-tree to the OS, but ACPI tables only. This is opening the path for U-Boot booting recent ARM server platforms using the SBBR specification.

The session gives an overview how ACPI tables are generated by U-Boot drivers. The challenges of integrating the ACPI subsystem with U-Boot's infrastructure on ARM64 are described and an outlook is provided.

Questions this talk should answer: - How does the ACPI driver model work? - How does this integrate with U-Boot? - What to expect next in U-Boot's ACPI implementation?

Zynq 7000 SoCs are popular devices widely used in embedded scenarios when both CPU power and flexible logic are required. However, the ARM (processing system, PS) + FPGA (programmable logic, PL) combo makes developments reply on an even heavier set of propriety toolchains.

In this talk, I'll introduce the recently developed GenZ, a free software BSP generator for the Zynq 7000 PS register configuration. Together with OpenXC7, the free and open source FPGA toolchain for Xilinx 7-series chips, and a enlarging amount of open-source IP cores, development on Zynq 7000 SoCs can be done without a single piece of propriety tool.

The speed and ease of GenZ + OpenXC7 will be demonstrated on site with an ARM laptop and Zynq boards.

Have you ever wondered why certain Python packages fail to install on riscv64 devices? Why, instead of pleasing "Successfully installed" messages, riscv64 users are often presented with bleak screens full of errors? How, in the face of all of these errors, are those users supposed to run Python based AI or data analytic workloads? To the curious who have briefly pondered such things as the package names and errors go scrolling by, this talk is aimed at you! It will explain how Python packages are built and why upstream projects do not provide versions of their packages for riscv64 devices. It will discuss the progress being made in adding riscv64 support to the Python packaging ecosystem. Finally, it will explain how RISE is mitigating the current lamentable situation by building and distributing riscv64 wheels for a select set of popular Python packages.

Murena team developed a new launcher for /e/OS, based on Launcher3. In this talk, we will introduce this AOSP key component, and how it is possible to use it as a base for your own Android Launcher project.

https://gitlab.e.foundation/e/os/BlissLauncher3

One of the reasons why Go is easy to learn is due to the interactive examples all through the documentation, we wanted to emulate this success. Six months later, we now manage 26 sandbox tutorials and totalled over 9,800 unique instances. They transformed our documentation by letting users run commands, deploy sample projects, and see real-world use cases come alive.

Scaling the concept to support over 10 products brought unique challenges for us. How could we streamline the creation of new sandbox tutorials? How could we maintain a single source of truth between our sandboxes and evolving documentation?

In this session, we’ll dive into: *What an interactive sandbox is and how it enhances developer experiences * How we created an open-source tool to automatically synchronize our documentation and sandboxes via CI/CD pipelines

This talk will help you get started integrating interactive sandboxes into your documentation and arm you with the tools you need to scale them effectively!

Mushroom is a project for securely running Linux workloads in attestable, integrity-protected environments with a minimalistic TCB. Mushroom depends on TEEs to provide integrity guarantees for data in use. It was initially developed for AMD SEV-SNP, but it recently gained support for running on Intel TDX as well. This talk will explore some of the required changes and discuss how the differences between AMD SEV-SNP and Intel TDX informed some of the design decisions.

From out daily experience as Linux Mail Security Consultants, we see different groups of infrastructures like universities and government authorities getting similar spam and threats. We have implemented automated ways to share this information among these clusters. We will introduce the techniques used in our Rspamd implementations and we will point at some pitfalls that should be avoided. We also like to talk about our experience with pre-queue deep threat second stage security analysis like sandboxing.

In a world where security training often feels like a mundane chore, discover the refreshing impact of gamification and turn learning into an enjoyable experience. Embark on an insightful journey as we unveil the success story of gh.io/secure-code-game, an open-source game hosted on GitHub Skills, that attracted over 5,000 developers within its first year.

This session will provide you with an exclusive behind-the-scenes perspective, offering valuable insights and practical strategies to revolutionize various aspects of security training for your benefit. We’ll explore a case study from a tech startup that observed, among the developers who played the game, an increased sense of ownership for code security, improved communication with security teams, and a strong willingness to embrace further security training.

gRPC is a popular RPC framework and go has a quite performant gRPC implementation. However, the performance can still be significantly increased by changing the default setup and by using the library in a way that reduces memory allocations.

This talk will also show how to use the excellent go tooling to profile and benchmark some code.

Native Memory Tracking (NMT) has supported diagnosing memory issues in Hotspot for over a decade. Yet, much of the native memory allocated cannot be accounted for using NMT, as it is not only Hotspot but core libraries, JNI and FFM which may perform native allocations. Clearly, NMT must extend itself if it intends to remain a useful tool.

In this talk, I will present a design for extending NMT to core libraries and a possible future extension to FFM. External APIs will be shown in the context of porting small portions of the core libraries. Internal design details, including data structure design, will likewise be presented and its trade offs discussed. Finally, possible ways of bringing NMT and the new Foreign Function & Memory API will be presented.

Incus is a next-generation manager for system containers, application containers, and virtual machines, forked from Canonical's LXD in August 2023.

This presentation explores the evolution of LXD/Incus, with a focus on clustering and its capabilities for natively managing both stateless and stateful workloads.

Drawing on real-world experience as a system architect at a cloud provider using LXD/Incus since 2016, we will examine the technologies underpinning Incus, including OVN-based networking and flexible storage configurations. The session will also showcase the key commands and workflows for building and managing an Incus cluster, with practical examples to highlight best practices.

This session is intended for system administrators, DevOps engineers, and container enthusiasts seeking to enhance their understanding of Incus and its role within the modern container ecosystem.

After fuzzing databases for the last 3 years, I learned that simple design decisions on a fuzzer impact on the issues it can ever find. In this talk I would to address some of those decisions. As an example, I would to discuss about the design of BuzzHouse, a new database fuzzer to test ClickHouse.

You, Eleanor Shellstrop, are dead. You are in cardiac arrest. Your heart has stopped beating, you have stopped breathing, and medically speaking you have died. Not a great start to your day! But worry not: someone has called emergency services. This is the story of that call — and how open geospatial information just might help save your life.

This talk, presented by the CAD & Technical Lead at the London Ambulance Service, will discuss how we use open data to locate patients, how your phone sends live geospatial information to our control room, and the other open (and some not-open) data that our emergency medical service uses to save lives across London every day.

Expect high-level conversations about medical emergencies, but this talk is suitable for all ages.

Collabora Online is an online document editor based on LibreOffice, but there's also both an Android and an iOS Collabora Office app based on the same technology - LibreOffice Kit. Have you ever wondered how it works?

In this talk, I'll give a high-level overview of the architecture of the Collabora Office mobile app. Along the way, I'll discuss how it's similar but different to the Collabora Online server, and what limitations on the mobile platform (for example a lack of availability of clipboard web APIs) pushed us to write in the way that we have.

We explore the security model exposed by Rook with Ceph, the leading software-defined storage platform of the Open Source world. We discuss major updates within the past year to our threat model, dashboard, call home, and encryption, including work on TCMs, NVMe and exploration of open source post quantum encryption algorithms, within a major project. We discuss the challenges and benefits of promoting open source, and how to ensure we adhere to Executive Order 14028, and the challenges and rewards of dependency tracking and updating.

NixOps used to be the only Nix-native deployment and provisioning tool, but it failed. NixOps4 is a complete redesign of the tool, taking lessons from NixOps, taking inspiration from Terraform, and borrowing its providers. In doing so, it creates a unified deployment platform, architecturally similar to how Nix is a platform for unified builds. It allows you to combine configurations freely with the Nix language and build system, and it makes it easy to "extend" the tool.

In this presentation, we'll have a look at the concepts that make up NixOps4, as well as its integration into the Fediversity project, which aims to enable hosting providers to let their customers deploy applications such as Mastodon, PeerTube and Pixelfed, fully automatically - running NixOps4 "unattended" in production.

My name is David Berman. I am an electrician by trade, not a programmer by profession, but I have ventured into the world of programming out of necessity and conviction. My journey into this realm has been fueled by a desire to challenge the prevailing norms of an industry heavily skewed toward proprietary, enterprise-oriented solutions. Specifically, I have worked to advocate for open-source, cost-effective methods to control city streetlights and other industrial control systems traditionally dominated by expensive and exclusive technologies.

During my talk I would like to share my newest project, Gungnir: https://github.com/davidjrb/gungnir

This journey has been far from easy. The resistance to change in this space is significant, and the challenges are both technical and cultural. One of the key barriers is the entrenched power of profit-driven opponents, including corporate lobbyists and those with vested interests in maintaining the status quo. These forces often stifle innovation and prevent the adoption of solutions that could benefit society as a whole by reducing costs and fostering collaboration.

Another challenge comes from within the very community I advocate for. Despite the immense potential of open-source solutions, there is a tendency among many non-programmers—particularly those in traditional trades or management roles—to dismiss these solutions out of hand. This is often due to a lack of familiarity with the technology or misconceptions about its reliability and scalability. Bridging this gap requires not only technical expertise but also the ability to communicate the value and viability of open-source approaches in terms that resonate with a broader audience.

In my talk, I aim to explore these challenges in depth, sharing insights from my own experience as a non-programmer navigating a highly technical field. I will discuss the hurdles faced by the open-source community when advocating for transparency, collaboration, and cost-efficiency in an industry often resistant to such ideals. I will also highlight strategies to foster greater acceptance and collaboration between open-source advocates and those unfamiliar with or skeptical of these technologies.

Ultimately, my goal is to spark a dialogue about how we, as a community, can better advocate for open-source solutions in industrial and civic systems, ensuring that they are not only adopted but also embraced as a viable and beneficial alternative to proprietary models. By sharing stories, challenges, and strategies, I hope to inspire others—whether programmers, non-programmers, or industry professionals—to join this important movement.

Thank you for having me.

I look forward to seeing you all 14:00, Saturday, 1. February in Baudoux - UB5.230

Most software build systems, following the tradition of make, refer to artifacts by an assigned location on the file system. However, when developing software, one is usually more interested in the contents of the file than its location. So why not take the definition itself as key? Similarly, when building typical complex targets, like libraries, additional information has to be considered when using them, e.g., transitive dependencies when linking. So why not make that part of the data of the analyzed library? In this way, we obtain definitions that are independent of their origin and hence can meaningfully be cached. This high-level caching allows a seamless transition between fine-granular building and traditional package building (obtaining all artifacts by a single lookup). As an additional benefit, when using remote build execution, it is enough to have the sources of the project you're working on, while still having the benefits of a bootstrapped build.

All those concepts are implemented in the open-source build system justbuild, available, at https://github.com/just-buildsystem/justbuild

Profile-Guided Optimization (PGO) is a well-known compiler optimization technique that brings runtime statistics about how an application is executed to the Ahead-of-Time (AoT) compilation model. However, this technique is not widely used nowadays.

In this talk, I want to discuss with a wider audience typical issues that I met with PGO implementation in LLVM-based compilers (like Clang and Rustc). During my work on the Awesome PGO project, I gathered a lot of interesting data points and insights about current PGO issues in the ecosystem (mostly with LLVM-based tools since I prefer using LLVM), and discussed many issues with different stakeholders like end-users, maintainers, and application developers. We will talk about:

• PGO documentation issues across compilers
• Different PGO integration states across LLVM-based compilers
• PGO awareness across the industry
• Strengths and weaknesses of different PGO modes for different use cases in real-world
• Top blockers for PGO adoption
• And many other things!

I believe that after the talk more people will be aware of PGO, aware of usual PGO blockers with LLVM, and know more about how to avoid these limitations in practice.

Target audience: LLVM users (especially LLVM-based compiler engineers and LLVM adopters)

Panoptic is a tool to explore locally and easily big images datasets: https://github.com/CERES-Sorbonne/Panoptic Images abound on the web and digital social networks. Their proliferation is one of the characteristics of digital culture. In particular, they are widely mobilized in contemporary controversies, with the aim of revealing and debating important social issues. Far beyond natively digital images, whether moving or still, images are first and foremost an object of study in their own in many disciplines (art history, film studies...), just as they can be a way of accessing a research field (photographs of animal and plant species, pages from digitized books...). A key challenge for the human and social sciences is to equip themselves with tools for exploring, sorting and annotating image corpora.

While a number of tools already exist for working with such corpora (XnView, Tropy, voxel51, Aikon, Arkindex, for example), a key issue to be resolved is the multiplication in the number of images we work with: how can we efficiently explore, sort and annotate a corpus of several tens of thousands of images? How can we provide researchers with a tool that facilitates such work?

Indeed, working with a large number of images means first of all having a synoptic view of them, in order to understand them as a whole, but also being able to manipulate them directly in the presentation interface (for both exploration and analysis).

Secondly, working with a large number of images also imposes time constraints on analysis, which can be resolved by using similar-image clustering tools (computer vision tools), to group together images that have formal similarities (reduces exploration time), but also by using batch annotation functionalities (reduces analysis time).

Finally, working with images is rarely just about working with images, but also with textual data associated with the images (texts of tweets, photographer's name, shooting date, etc.). Another challenge, then, is to adopt a plurisemiotic approach to the content of the corpus being worked on, in order to avoid having to move back and forth between different work spaces.

Created at CERES, by developers, researchers and designers, Panoptic is an open source tool for visualizing, exploring and annotating large images corpora. In particular, the tool integrates algorithms for grouping images by similarity (by using ml model CLIP), to help users with sorting and exploration. The tool also offers various filtering, search and annotation options, enabling the creation, analysis and export of sub-corpora.

Our talk will present the tool we have developed, and how its various functions are designed to meet the methodological needs of research using tools for working with large volumes of images.

We will close the devroom with lightning talks that will serve as a great conversation starter during the lunch break.

Windows-on-ARM devices (primarily laptops) provide a nice execution environment for running Linux or any other open-source OS. As the provisioned ACPI tables make heavy use of PEP, it is next to impossible to make use of the ACPI in a proper way, This talk focuses on the the possible ways to select and sideload corresponding device tree blob before passing control to the OS kernel.

This talk introduces Apache Arrow's tensor arrays as a tool for representing an array of tensors in memory, their storage and transportation. We'll introduce the tensor array memory layout specification, its implementation in Arrow C++ and Python, showcasing how it can help interoperate with PyData and database ecosystems.

We'll present the fixed and variable shape tensor array specifications, their implementations and how they can be used to interoperate with Arrow aware ecosystem such as DLPack, NumPy, and others. Further we'll discuss design decisions we made to make the two tensor arrays as generic and universal as possible.