NextGraph is an open source ecosystem providing solutions for end-users (a platform) and software developers (a framework), wishing to use or create decentralized apps featuring: live collaboration on rich-text and JSON documents, peer to peer communication with end-to-end encryption, offline-first, local-first, portable and interoperable data, total ownership of data and software, security and privacy.

Centered on repositories containing semantic data (RDF), rich text, and structured data formats like JSON, synced between peers belonging to permissioned groups of users, it offers strong eventual consistency, thanks to the use of CRDTs. Documents can be linked together, signed, shared securely, queried using the SPARQL language and organized into sites and containers.

Collabora Online (COOL) delivers collaborative document editing based on LibreOffice Technology to any modern browser. Come and hear about how we've been improving usability, deploy-ability, performance, feature-set and georgeousness of Collabora Online. See how COOL can be deployed and catch the excitement of making code simpler, faster and better for users at pace.

Finally hear how you can get involved with the fun.

LLVM libc has been steadily growing over the past few years. From its origins as an overlay to be used on top of an existing libc, LLVM libc is now complete enough and scalable enough to be used on embedded toolchains too.

This talk will contain: * LLVM libc's current status. * Why you might want to use LLVM libc. * How to build it for linux and an embedded system. * How to use a prebuilt example from LLVM Embedded Toolchain for Arm. * Other uses including the Google Pigweed SDK.

LLVM libc in llvm-project https://github.com/llvm/llvm-project/tree/main/libc

After looking at the current way Go code is packaged in nixpkgs using buildGoModule, disadvantages are pointed out with a focus on security (backed by data from govulncheck-nixpkgs project) and performance. Out-of-tree alternatives are presented with a focus on the new and promising approach of gobuild.nix, which implements a hook-based builder with module-level caching.

Flakes aka tests that don’t behave deterministically, i.e. they fail sometimes and pass sometimes, are an ever recurring problem in software development. This is especially the sad reality when running end-to-end tests where a lot of components are involved. There are various reasons why a test can be flaky, however the impact can be as fatal as CI being loaded beyond capacity causing overly long feedback cycles or even users losing trust in CI itself.

Ideally we want potential flakes to be flagged at the earliest stage of the development lifecycle, so that they do not even enter the end-to-end test suite. We want a gate that acts as a safeguard for developers, pointing out to them what kind of stability issues a test has. This reduces CI user frustration and improves trust in CI. At the same time it cuts down on unnecessary waste of CI system resources.

This talk will explore the CANNIER approach, which aims to reduce the time cost of rerunning tests. We will take a closer look at the feature set used to create training data from existing test code of the KubeVirt project, enabling us to predict probable flakiness of a certain test with an AI model.

We will cover how a subset of the CANNIER feature set is implemented, how it is used to generate training data for an AI model, and how the model is used to analyze flakiness probability, generating actionable feedback for test authors.

Attendees will gain insight on how the CANNIER approach can help them improve test reliability, ultimately enhancing overall software quality and team productivity.

Geospatial programming often requires stitching together a variety of formats, interfaces, APIs, libraries, tools and languages. How can we fluidly download data from OpenStreetMap using the Overpass Query Language, run performant queries with GEOS, calculate projections with PROJ, store and manipulate GeoJSON or WKT-formatted data with duckdb's spatial extention, and then visualize things with a javascript library like Leaflet or Deck.gl?

This talk explores Raku's expressive and powerful style as we mesh together all of these things, creating new modules along the way, and leapfrogging ahead of other implementations with some of Raku's unique features such as NativeCall for native libraries, Grammars for parsing, multiple modes of interacting with command line tooling, and plentiful concurrency models. Also let's see how we can reign in large language models so that we can apply them judiciously to our data and our code.

Links:

raku-geos, Geo::Basic, WebService::Overpass, Geo::Geometry, Duckie, WebService::Nominatum

The RISC-V ecosystem currently relies on multiple disconnected repositories and specifications, including the assembly manual, opcode database, formal specifications like Sail and the non-machine readable ISA manual. This fragmentation of information is error prone and makes it hard for hardware designers, researchers, and tool developers to efficiently find, modify, and verify essential data. To address these challenges, we introduce the RISC-V Unified Database (UDB), a single, machine-readable source that consolidates and cross-validates RISC-V specifications against established resources like binutils and riscv-opcodes. Built through collaboration between engineers at industry-leading companies, the UDB already generates version-specific ISA manuals, instruction indexes, and standardized opcode definitions. Ongoing work extends to generating simulator configurations for QEMU and other instruction set simulators. The UDB's YAML-based format ensures broad compatibility and positions it as a foundation for next-generation RISC-V tools. This approach is starting to gain traction with official RISC-V working groups, including the Certification Steering Committee, which already uses the UDB for generating certification requirements. This talk explores UDB’s architecture, showcases its use cases, and invites you to contribute to this transformative project for the RISC-V community.

The talk will introduce CartABl https://igarun.univ-nantes.io/CartABl/ , a free (GPL) web-based authoring tool for creating interactive maps and figures, and discuss its impact on user workflows and design decisions. Designed primarily for geographers and cartographers, CartABl also serves broader communities seeking to produce interactive cartographic content. It addresses the technical barrier that coding poses to creating interactive cartographic content (using js) through a graphical interface for defining interactions. It integrates seamlessly with traditional workflows by enhancing maps created in vector graphics editors like Inkscape or Adobe Illustrator with interactivity, without requiring programming knowledge. CartABl leverages SVG (Scalable Vector Graphics) as its base format, embedding interactive rules as declarative elements interpreted by a lightweight JavaScript runtime. This results in standalone, browser-compatible interactive SVG files, preserving the scalability and versatility of the format.

The development of CartABl follows an instrumental genesis approach, where tool and user co-evolve through iterative feedback. Initial prototypes allowed basic interactivity like tooltips and layer toggling. Feedback from its application in projects such as L’Atlas Bleu, a journal focused on coastal and marine maps, guides its refinement. This iterative process not only improves the tool but also influences how cartographers structure and design their graphical maps and figures: the structure of the graphical objects must be adapted to facilitate the definition of interaction rules, and the interactive features proposed by the tool impact the design decisions of the users.

CartABl aims to democratize interactive cartography, making it accessible and intuitive for professionals and non-experts alike. By transforming workflows and expanding the possibilities of digital cartographic publishing, it stands out as a valuable resource for advancing geographic and graphic research and communication.

XWiki is a wiki engine, and, as with most wiki engines, it allows uploading attachments to wiki pages. In order to edit these attachments quickly, we recently released an extension allowing to link an XWiki instance with a COOL server, and thus enabling real-time collaboration office files attached to wiki pages.

This presentation will focus on the technical integration of COOL with XWiki, and will discuss use-cases that we identified over the years, as well as the roadmap for this extension. The application code can be found at https://github.com/xwikisas/application-collabora

There have been a lot of talks in the past years about how to present Linux/Posix semantics over the SMB3.11 protocol to provide an alternative to the NFS protocol for installations that already have existing SMB infrastructure and who could benefit from better semantics when sharing files to Linux and other Posix-based file server clients.

In the past few months there has been a great deal of progress in Samba towards the goal of better supporting Linux clients. Notable changes are improvements to present special files like sockets and FIFO files to clients. There has been improvements to better support operations like chmod and chown in the Linux client and the Samba server.

The biggest change on the Samba side has been an overhaul of handling native symlinks. Samba 4.22 will present symlinks for Posix clients in the same way Windows presents symlinks it finds on its local NTFS file system.

This talk will present the current status of the ongoing work to improve Linux file system semantics presented over the SMB protocol.

In 2024, I worked with a small team to bring up BlueZ as the Bluetooth stack of a real-world automotive In-Vehicle Infotainment (IVI) system. In this talk, I am going to discuss the steps that we went through, the challenges that we faced, the caveats of BlueZ in contrast with closed-source alternatives and also present the contributions that we made to BlueZ and PipeWire as part of this process.

Progress in hardware development often leaves devices with outdated software versions behind. This primarily affects Android devices, especially as Google is currently accelerating its release schedule for Android versions. The rapid version change means that older devices are often left without software updates, which makes the devices vulnerable to security threats and compatibility problems. This presentation shows how this trend can be counteracted by upgrading a handheld device from Android 9 to Android 14 by using open-source components.

We will outline the entire upgrade process from migrating the kernel to UI and HAL customizations to match the original device’s look and feel. This includes discussing technical challenges developers face when dealing with outdated drivers, newer kernel versions, and hardware abstractions during OS upgrades of old devices.

To ease the pain of testing container images, we’ve developed the pytest_container plugin for pytest. The plugin makes it possible to use pytest to perform tests on containers and software inside containers. You don’t have to take care of pulling images, building them, or picking ports on the host. You just describe your container setup and pass it to a test function. In return, the plugin gives you a connection to the container. Using the connection, you can verify the container’s state using the testinfra python framework. The plugin even cleans up after itself when you’re done.

In short, pytest_container makes it possible to write tests in Python: no need to build your own framework from scratch or worry about the boring container plumbing tasks.

Join this talk to see pytest_container in action and learn how it can make your life easier!

In open-source projects, contributors often wear many hats—developer, tester, writer—and resources are typically stretched thin. This multitasking environment can make it challenging to maintain comprehensive and accurate API documentation. Yet, high-quality documentation is vital for the usability and adoption of any open-source project.

This talk focuses on how AI can help simplify one aspect of documentation development: testing. By using AI to simulate user interactions, we can efficiently identify gaps and inconsistencies in API documentation that a contributor might miss due to exceptional knowledge of the topic.

By integrating AI-driven user simulations into your workflow, you can improve the quality of your documentation while managing multiple responsibilities more effectively. This approach not only benefits individual contributors but also strengthens the overall success and sustainability of open-source projects.

This talk explores the practical implementation of Large Language Models (LLMs) in email filtering, giving the example of the integration between Rspamd and various LLM services. We'll discuss how LLMs can complement traditional filtering methods, comparing supervised (Bayes) and unsupervised (LLM-based) approaches to spam detection.

We'll examine real-world results from different models (GPT-3.5, GPT-4, and alternatives via OpenRouter), analyzing their effectiveness, false positive rates, and cost implications. The presentation will cover advanced features such as content categorization, password extraction from archives, and message anonymization for privacy-preserving learning.

Special attention will be given to practical deployment considerations, including:

• Cost-effective strategies for different scales of operation
• Self-hosted models vs. cloud APIs
• Privacy considerations and message anonymization techniques
• Integration with existing email infrastructure
• Extended message analysis capabilities

The talk will conclude with insights into future developments and best practices for implementing LLM-based email filtering in both personal and enterprise environments.

Target Audience: Email administrators, spam filtering specialists, and developers interested in modern email security solutions.

OAuth 2.0 uses access tokens to grant access to secured resources. When using Single Page Applications, they are passed from browsers to the servers as bearer tokens using HTTP headers.

While they are secured in transit using TLS, those tokens could be stolen from a browser, replayed, or mis-used by a malicious or vulnerable server. OAuth 2.0 Demonstrating Proof-of-Possession (DPoP) takes this one step further by equipping the client like your Single Page Application with a key pair so that it can show a proof when passing the access token, so no-one else can use the access token. DPoP is part of the FAPI 2.0 Security Profile by the OpenID Foundation. It promotes best practices on how to protect APIs exposing high-value and sensitive (personal and other) data, for example, in finance, e-health and e-government applications.

This talk will explain the concepts and demos how this can be implemented using Keycloak and other open source components. We will also describe the current challenges, limitations and alternatives of the approach.

TrenchBoot is an open source project led by 3mdeb, Apertus Solutions, and Oracle. It aims at the security and integrity of the boot process by leveraging advanced silicon security features, like Intel Trusted Execution Technology (TXT) and AMD Secure Startup. It integrates with open source projects like GRUB2, Xen, and Linux, to perform a measured launch of the operating system software, also called Dynamic Root of Trust for Measurement (DRTM).

The presentation will provide an overview of the project's current status, emphasizing the key developments during the last year such as progress towards upstreaming patches in Linux and GRUB, as well as bringing UEFI support for Xen boot path.

Pretty much every application has state, the bigger your application the more state you have. Things can get challenging when you are asking much of your state. You might need to maintain multiple indexes into your state, react to changes to the state, keep multiple pieces of state in sync and make sure that all of it is thread-safe for multiple readers and writers. Doing this for one piece of state is a challenge, but doing it for a few dozen is painful.

Presenting, StateDB (cilium/statedb) a non-persistant in-memory database of your application state. It was created to tackle state management challenges experienced by Cilium. It leverages Go features such as generics, iterators, channels and Go’s garbage in combination with immutable data structures to make complex state management easy.

StateDB provides Multi Version Concurrency Control (MVCC) through snapshots, indexing(multiple indexes per table, unique and non-unique indexes, composite keys), write transactions across multiple tables and the ability to watch for changes on a whole table or a subset of data. To name a few.

Let's explore StateDB together and take a little peek under the hood.

This talk looks deeper at class metadata storage in the Hotspot JVM and the changes JEP 450 "Compact Object Headers" brought. We will examine the mechanics and CPU cache effects of oop iteration and propose a more cache-friendly solution. We will investigate the class storage limits and possible ways to circumvent them. Finally, we will examine an alternative to the current class space solution.

A disk full, a saturated or lossy network, too-few CPU cores, an unexpected IO error… how will your software handle such scenarios?

In this talk we present a collection of tools that can be used to systematically "break" things, so you can write test cases and make sure that these unexpected situations will be handled gracefully by your software: ToxiProxy, charybdefs, tc qdisc, strace --inject, taskset, numactl, cgroups and syscall overloading, all can be used to emulate a wide array of failures.

Interactive maps on the web have evolved a lot in the past years. OpenLayers is no exception: it has been around for more than a decade and has become a reference with its extensive feature set and excellent performance. As a landmark open-source project, it has received thousands of contributions over time while managing a very high level of quality.

In this talk we will look at the state of the library today, what it now allows and why, now more than ever, it is an essential part of every geospatial web application. From high-performance rendering of large datasets to on-the-fly satellite image processing, its list of features is so large that you will most likely discover things along the way. New formats, ever-improving WebGL rendering, a powerful new expression-based styling API, and more!

Whether you're a long-time user or just discovering OpenLayers, this session promises fresh insights and practical takeaways for leveraging its full potential.

Find the OpenLayers website here: https://openlayers.org/

And the GitHub repository here: https://github.com/openlayers/openlayers

Securing embedded devices, particularly those with minimal resources, presents a unique and pressing challenge. Conventional approaches to Trusted Execution Environments (TEEs) often require specialized hardware or substantial system resources, leaving low-end devices vulnerable to breaches. The need for a lightweight, efficient solution that bridges this gap is greater than ever in today’s interconnected world.

Introducing Spock

Through the development of Spock, we have created a versatile and efficient Trusted Execution Environment (TEE) tailored for RISC-V embedded devices. By relying solely on Physical Memory Protection (PMP) for isolation and requiring only machine and user modes as specified in the RISC-V privileged instruction set, Spock delivers robust security without relying on any specialized hardware.

At the core of Spock’s architecture is the Security Manager (SM), which plays a key role in managing enclave data and buffer permissions. The SM enables Spock to efficiently virtualize buffers and dynamically allocate PMP entries, providing a flexible and scalable approach to memory isolation. By leveraging this abstraction, Spock can create virtual enclaves that surpass hardware-imposed limitations, such as the number of PMP entries.

Core Features and Capabilities

Spock’s minimalist API design delivers essential security functions, including secure execution and attestation. This design supports:

• Virtualization of critical operations while maintaining a minimal Trusted Computing Base (TCB).
• Integration into very low resource embedded devices.
• Both relocatable and fixed enclaves, offering flexibility for diverse use cases.

Why Spock Matters

Spock’s design represents a modern, efficient solution for secure computing in low-resource embedded devices. Its ability to combine robust security with minimal hardware requirements makes it uniquely suited for the demands of today’s connected world, ensuring that even the smallest devices can operate securely.

Available at : https://github.com/jiphelsen/Spock

Open-source software thrives on diverse perspectives, yet women remain significantly underrepresented in FOSS communities.

While we celebrate women who've "made it"—and their visibility is vital—survivorship bias hides a crucial truth: up to half leave tech by age 35, women exit at a higher rate than men, and many never even join the field.

This talk delves into the concept of survivorship bias—the tendency to focus on successful individuals while ignoring those who faced barriers—and how it impacts women in open source. You’ll learn how this bias skews community perceptions, perpetuates systemic challenges, and limits opportunities.

By examining barriers like unwelcoming dynamics, recruitment biases, and a lack of mentorship, you'll understand why many are deterred before or during their FOSS journeys. You'll also learn how survivorship bias interacts with intersectionality, compounding challenges for women of color, LGBTQ+ individuals, and others.

We’ll also explore examples of communities and initiatives that successfully counter these trends, demonstrating allyship's role in building equitable environments. Finally, drawing on research and real-world examples, we’ll propose actionable steps to create a more inclusive and welcoming FOSS landscape for all.

Whether you’re a contributor, maintainer, or community leader, this session will give you a deeper understanding of the problem and tangible ways to drive change in your circles.

How we work together and bring Collabora Online integration in Nextcloud to the next level with file conversion, document transformation and AI.

For me, Nix-the-package manager has replaced homebrew, ASDF, and even docker. But its potential goes far beyond managing development environments. With its declarative, reproducible configurations, Nix is also an excellent choice for managing entire servers.

In this talk, I’ll share how I use NixOS and nixos-generators in order to create both stable and ephemeral VMs on my Proxmox hypervisor hosts, and how I run services like Grafana, Docker, Tailscale, and more.

We’ll explore how to deploy and update Proxmox VMs remotely using Nix, set up a WireGuard router with NixOS, and deploy services directly to NixOS declaratively. I’ll also show how to deploy Docker services to NixOS, using the same object tree and code files as all of your other configurations.

Whether you’re managing a homelab or building out larger infrastructure, this talk will showcase how Nix can transform your approach to system configuration and service deployment.

Since the beginning of time, declarative APIs have been driving everything that can happen inside a Kubernetes cluster. Predefined CRDs, operators defining custom CRDs, everything is about declarative APIs. Write your YAML once, deploy it, forget it. That’s how you create a cluster, that’s how you deploy your workload.

But is it, for real, as simple as it sounds? How do you bring declarativeness to the imperative world? In the current state of things, host networking is one huge imperative nightmare. So how to happily marry an old-school Network Manager and brand new Kubernetes API?

Over the years we were working on the NMstate project to provide you with a Declarative Network API, allowing you to manage host networking in a declarative manner.

In 2025 we are coming back with brand new features. Based on the feedback, we focused on air-gapped and big clusters – think hundreds of nodes with hundreds of VLANs each. We also happily married K8s and KubeVirt – no matter what your workload is, containers or VMs, NMstate is there for you.

Not only a project update – we will also show you how the Kubernetes cluster with NMState Operator manages networking on the nodes it deploys. It may sound like a chicken and egg situation, but trust us, it is not. Last but not least, we show how it protects itself from applying destructive network changes potentially taking your cluster down.

Join us and discover what’s new in the world of complex network topologies.

The LLVM compiler infrastructure uses a range of resources for testing various project components, including Buildbots, Buildkite, and GitHub Actions. However, the diversity of these technologies can be confusing, particularly for new maintainers. I personally found it challenging to understand. The introduction of the new CI/CD admin role and the discussions in the RFC are promising developments that should help clarify these complexities.

AMD ROCm™ is based on the LLVM project, which is why AMD is deeply invested in supporting its development. This includes providing resources to test the AMDGPU code generation backend and various GPU offloading programming models. Consequently, AMD maintains a range of upstream buildbots for this purpose.

In this presentation, I discuss the motivation and objectives behind the AMD ROCm™ compiler buildbots and related initiatives. I share my two-year journey, which began with inheriting a single buildbot, then another, and eventually maintaining multiple machines and bot configurations. I delve into the technical challenges I encountered and the solutions I implemented. I also touch on non-technical issues from my perspective and how they were resolved by both me and the community. The presentation concludes with a forward-looking perspective on potential additions to the upstream test infrastructure to address existing blind spots from our point of view.

Necturus is a free and open-source tool for visualizing the connection between handwritten manuscript images and their machine-readable transcriptions. While platforms like Transkribus and eScriptorium excel at generating text from handwritten material, they leave visualization to the side—Transkribus hides its solution behind a paywall, and eScriptorium offers none at all. Yet, for many research endeavors, the line-by-line relationship between text and image remains critical, as seen in projects like the Beckett Digital Manuscript Project and the Joyce Letters Project.

Designed as a lightweight, embeddable React component, Necturus makes it easy for libraries, archives, and researchers to present manuscript images alongside their transcriptions in an interactive and accessible format. A plug-and-play template allows deployment via GitHub Pages with no coding required, while a full version supports scalable, customizable setups for larger projects. By emphasizing both transcription and the manuscript as objects of study, Necturus offers a practical solution for those who value visualization in the process of, as Transkribus puts it, “unlocking the past”.

Project Repositories: Necturus, Necturus Compact

Asfaload aims to secure internet downloads by ensuring the integrity and authenticity of downloaded files. With attacks on the software supply chain becoming more common and more sophisticated, an effective and simple to use solution has to be found for both the developers and their users. All our published software is under the AGPLv3 or MPLv2, and allows for a self-hosted deployment.

The first building block of our solution is a mirror of checksums files, which helps detect modification of released files but is of no help in case of account compromise. That's why we are also working on an upcoming blockchain-based multi-user multi-factor signature scheme, though users will not be directly exposed to the blockchain. For end users, we develop a CLI downloader tool with its accompanying library at asfald. As for software developers, publishing a checksum file (with sha256sum or sha512sum) is sufficient to integrate with Asfaload. In this talk we will present the problem we are addressing, why it is important, how we are addressing it and what simple steps project authors can take to increase the security of their users.

A presentation about the challenges of tracking and analysis COOL UI / UX commands.

The Server Base Boot Requirements (SBBR) by ARM requires UEFI and ACPI support on AArch64 platforms.

While UEFI is already natively supported by U-Boot, ACPI support on ARM64 was only recently added. A first patch series added basic support for booting Linux on QEMU's sbsa-ref machine, which doesn't provide a device-tree to the OS, but ACPI tables only. This is opening the path for U-Boot booting recent ARM server platforms using the SBBR specification.

The session gives an overview how ACPI tables are generated by U-Boot drivers. The challenges of integrating the ACPI subsystem with U-Boot's infrastructure on ARM64 are described and an outlook is provided.

Questions this talk should answer: - How does the ACPI driver model work? - How does this integrate with U-Boot? - What to expect next in U-Boot's ACPI implementation?

Collabora Online is an online document editor based on LibreOffice, but there's also both an Android and an iOS Collabora Office app based on the same technology - LibreOffice Kit. Have you ever wondered how it works?

In this talk, I'll give a high-level overview of the architecture of the Collabora Office mobile app. Along the way, I'll discuss how it's similar but different to the Collabora Online server, and what limitations on the mobile platform (for example a lack of availability of clipboard web APIs) pushed us to write in the way that we have.