Now attending

( 2025-06-19, 06:21)

 "Confidential Virtual Machines Demystified: A Technical Deep Dive into Linux Guest OS Enlightenment"

Saturday at 11:05, 20 minutes, K.4.401, K.4.401, Confidential Computing Ankita Pareek Archana Choudhary

In an era where data breaches make headlines daily and cyber threats continue to evolve, Confidential Computing emerges as a game-changing paradigm for protecting sensitive workloads in the cloud. With the upcoming Digital Operational Resilience Act (DORA) in Europe mandating data protection in use, understanding Confidential Computing solutions is crucial for regulatory compliance. This talk explores the cornerstone of this technology: Confidential Virtual Machines (VMs), focusing on the two leading hardware technologies: AMD SEV-SNP and Intel TDX.

We delve into the intricacies of enlightening Linux guest OS images to work with these platforms, examining the architectural differences and specific requirements for each technology. Key technical aspects covered include secure boot implementation, measured boot processes, attestation mechanisms, and memory encryption strategies within Linux guest OS images. The discussion encompasses essential modifications needed for compatibility, current industry support, implementation challenges, and emerging trends. This comprehensive overview provides insights into the state-of-the-art of enlightened guest OS images for various Linux distros like Azure Linux, RHEL, Ubuntu, etc. and explores future directions in this rapidly evolving field of confidential computing.

This talk is designed for everyone - from developers, cloud architects and platform vendors to confidential computing enthusiasts.

Coming up:

 "Building firmware with firmware-action"

Saturday at 11:25, 20 minutes, UB4.136, UB4.136, Open Source Firmware, BMC and Bootloader Vojtech Vesely Marvin Drees

At 9elements we do firmware, which is rather niche and complicated. As developing firmware is already difficult enough, we think that building / compiling it should not be. Which is the reason why we made firmware-action -- an automation tool to build firmware, powered by Dagger that can be used on your local machine as well as in CI/CD pipelines.

firmware-action is an open-source tool under MIT license available at https://github.com/9elements/firmware-action

 "15-minute city in 15 minutes"

Saturday at 11:30, 15 minutes, AW1.120, AW1.120, Geospatial Ilya Zverev

By now everybody should know what a 15-minute city concept is. What amenities are accessible with a 15-minute walk? What parts of a city do not do well in this regard? Much has been talked about, but how would you get this information about your own city? Uhm... Find some maps online? They are outdated and use buckets that are a bit too big for local usage. Calculate those yourself? With what? There has been nothing on GitHub.

Until now. Here I will demonstrate how 15-minute maps are done, which open source tools help with calculations, and what further opportunities this new tool provides.

 "How Does Heinz Have 80% of a Commodity Market?* – Leveraging Trademarks in Free Software"

Saturday at 11:30, 25 minutes, H.1301 (Cornil), H.1301 (Cornil), Legal and Policy Pamela Chestek

The software industry traditionally used the right to exclude granted by copyright as the means for generating revenue. Free software came along and flipped the script, giving away for free what traditionally was the primary mechanism for extracting payment. But free software has struggled ever since, trying to figure out how to create value that customers are willing to pay for when they can’t use the copyright that way.

More and more, companies are recognizing and leveraging the truly unique asset in free software – the brand. Ketchup is a commodity market, but Heinz has captured 80% of it by convincing U.S. consumers that Heinz ketchup is better than all the rest. Open source software is similar to a commodity market because the original software may be competing with the identical product. Open source software companies are learning how to develop business models around the brand, convincing customers that the customer will be better served by remaining loyal to the branded product instead of their competitors who are simply copying and distributing the software.

But it’s also possible for companies to overextend their trademark rights to subvert the promise given in the copyright license. Frustrated at free-riding or the perception of it, companies are now also trying to extract revenue through questionable trademark infringement theories.

This session will review the current state of trademark thinking in free software as a revenue strategy, both the appropriate and inappropriate ways to manage the customer relationship through the brand.

*Robert Young, How Red Hat Software Stumbled Across a New Economic Model and Helped Improve an Industry, Open Sources, Voices from the Revolution p. 116 (1999).

 "Exploring Open Source Dual A/B Update Solutions for Embedded Linux"

Saturday at 11:30, 25 minutes, H.1302 (Depage), H.1302 (Depage), Embedded, Mobile and Automotive Leon Anavi

Regular software updates are essential for fixing common vulnerabilities and exposures (CVEs), addressing bugs, and adding new features, all while maintaining security and increasing the lifespan of embedded Linux devices. Over the past decade, the landscape has changed significantly, with many high-quality and reliable open source solutions now available, making the development of in-house update solutions unnecessary. During this time, several SOTA solutions using different strategies have come and gone. Open source options based on the dual A/B redundant update scheme have become widely adopted in the industry. This session will focus on three such solutions: Mender, RAUC, and swupdate. We will analyze their strengths and weaknesses, offering guidance on selecting the best solution for different use cases and industries. Additionally, we will explore advanced features such as HTTP streaming, which allows direct installation of updates without the need to download and store the update file locally. We will also discuss the potential of adaptive and delta updates, which are additional features built on top of A/B update schemes. These features minimize data transfer by sending only the changes, rather than the full update files.

The hands-on examples will demonstrate the integration of three different open source solutions: Mender, RAUC, and swupdate - on two different devices: Raspberry Pi 5 and the open source hardware Olimex I.MX8MP SoM, using the Yocto Project and OpenEmbedded. The demonstrations will highlight the differences in setup, configuration, and update management for each solution. Additionally, we will explore support for other build systems such as Buildroot, PTXdist, and distributions like Debian, Ubuntu, ArchLinux, and NixOS, emphasizing how each solution integrates with these environments.

This talk is suitable for engineers and developers looking to implement an open source update solution for embedded Linux devices. It will provide a deeper understanding of the technical challenges and available open source solutions, empowering attendees to address these challenges more effectively and focus on enhancing the unique features of their products.

 "Testing the QA instructions"

Saturday at 11:30, 10 minutes, H.2213, H.2213, LibreOffice Gabor Kelemen

I will present some first-person experiences learned while handholding a relative newcomer to LibreOffice QA, about how easy (or not) it is to pick up speed with bug triaging, bibisecting and more, based on the Wiki instructions.

 "Keeping up with the AOSP"

Saturday at 11:30, 30 minutes, H.2214, H.2214, Android Open Source Project Amit Pundir Sumit Semwal

Keeping up with the AOSP/main branch is hard. In this session the authors will talk about the realities of AOSP development and maintenance from the developer's perspective. They will share their struggles and stories of AOSP development. They will also talk about what is being brewed in AOSP lately: be it the Trunk Stable/Staging development branch model or Generic Bootloader (GBL) initiative or Page-Agnostic AOSP builds to support 16K page-size in GKI or the long-term (7 yrs) software support cycle everyone is talking about.

 "Flutter for all the desktops and beyond"

Saturday at 11:30, 15 minutes, H.2215 (Ferrer), H.2215 (Ferrer), Lightning Talks Saviq

We at Ubuntu/Canonical/Mir are working on enabling Flutter to use multiple windows across Desktop platforms.

The (not very well hidden) aim is to bring the abundant Flutter developers and apps to FOSS Desktops. Which is why we actually started on Windows, where most of the Flutter community lives.

I'll show our approach and FOSS inspirations, how and where it's going, and ask you to try it out!

Design document Merge proposals and demos

 "Improving compile-time computation of object size"

Saturday at 11:30, 20 minutes, K.3.201, K.3.201, LLVM Serge « sans paille » Guelton

The compiler intrinsic __builtin_object_size and the LLVM intrinsic llvm.objectsize are used to compute the amount of memory allocated given an address. They play an important role in several security-related passes. This talk describes their behavior, where they are used within LLVM and the recent improvements made to their evaluation.

Actually both _FORTIFY_SOURCE, -fsanitize=undefined and -fsanitize=address rely at some point on an efficient implementation of llvm.objectsize and how it is folded by the compiler. I once wrote a small testbed[0] to compare gcc and clang wrt. the folding of __builtin_object_size and they were mostly on par, until something changed and clang started to stop folding some expressions. Using that story as an Ariadne's thread, we'll dive into the folding of this intrinsic, how it's used by various sanitizers and how it has been improved over the past few months.

[0] https://github.com/serge-sans-paille/builtin_object_size-test-suite

 "Patterns for maintainer and tech writer collaboration"

Saturday at 11:30, 30 minutes, K.4.201, K.4.201, Tool the Docs Daniel D. Beck

Users and developers demand more and better documentation but, as a FOSS maintainer, you’re an expert in making software, not documentation. Technical writers are docs experts, but it can be hard to collaborate across that gap of expertise. It’s especially challenging to define and scope the work to be done, leading to misunderstandings and disappointing outcomes, for maintainers and writers alike.

Wouldn’t it be nice to have clear expectations of what your next documentation project would look like and to pull together as a team from the start? In this talk, you’ll get a preview of a new open-source resource for maintainers to help recognize archetypal documentation projects, the skills you’ll need to successfully complete them, and common pitfalls to avoid. And across documentation projects—whether you’re adopting new docs tools, rewriting tutorials, or deleting out-of-date materials—you’ll learn some important themes that will lead maintainers and tech writers to make the docs that users and developers want.


Daniel D. Beck is a documentation consultant who helps software engineering teams make tools, processes, and content that reach developer audiences. His talk draws from experience as a longtime contributor and maintainer of open source software and documentation, including as a current maintainer of Baseline, a browser compatibility tool, and a past role as technical content lead for MDN Web Docs.

 "ManaTEE: an Open-Source Private Data Analytics Framework with Confidential Computing"

Saturday at 11:30, 20 minutes, K.4.401, K.4.401, Confidential Computing Dayeol Lee

In this talk, we introduce ManaTEE, an open-source framework designed to enable private data analytics for public research. Private data holds immense value not only for businesses but also for critical research domains like public health, economics, social sciences, and civic engagement. However, leveraging such data for analytics comes with significant privacy risks. ManaTEE aims to address these challenges by integrating a set of Privacy Enhancing Techniques (PETs), including confidential computing, to safeguard data privacy without compromising usability. The framework provides an interactive interface through JupyterLab, ensuring an intuitive experience for researchers and data scientists. We will showcase how Trusted Execution Environments (TEEs) ensure both data confidentiality and execution integrity, fostering trust between data owners and analysts. Furthermore, we will highlight how confidential computing can offer additional properties such as proof of execution, enabling researchers to demonstrate the reproducibility and integrity of their results through attestation. Finally, we discuss how ManaTEE simplifies deployment across various confidential computing backends, making secure and private data analytics both accessible and scalable for diverse use cases.

 "Structured Email: Building blocks and implementation guidance"

Saturday at 11:30, 30 minutes, K.4.601, K.4.601, Modern Email Hans-Jörg Happel

Structured Email allows common email messages to be extended with a machine-readable representation. The talk describes available libraries and implementation experience with the Structured Email Plugin for Roundcube Webmail. The talk also explains ongoing work within the IETF Structured Email working group.

 "Kintsugi: A Decentralized E2EE Key Recovery Protocol"

Saturday at 11:30, 30 minutes, UB4.132, UB4.132, Security Emilie Ma

Key recovery is the process of regaining access to end-to-end encrypted data after the user has lost their device, but still has their password. Existing E2EE key recovery methods, such as those deployed by Signal and WhatsApp, centralize trust by relying on servers administered by a single provider.

In this talk, we share our recent work on Kintsugi, a decentralized recovery protocol that distributes trust over multiple recovery nodes, which could be servers run by independent parties, or end users in a peer-to-peer setting. This talk will cover how we developed Kintsugi and its unique security properties, as well as compare it to prior E2EE key recovery work.

See the WIP implementation here.

 "Swiss Maps in Go"

Saturday at 11:30, 30 minutes, UD2.120 (Chavanne), UD2.120 (Chavanne), Go Bryan Boreham

Did you know that the 'map' type has a whole new implementation as of Go 1.24? Known as "Swiss Maps", they run as much as 60% faster and 25% smaller.

Originally created in 2016 as a C++ library, Swiss Map uses ingenious bit-manipulation techniques to get more throughput from your CPU.

We'll cover:

  • How does it work?
  • How do benchmarks look for the new maps?
  • New SIMD (single-instruction, multiple-data) support in the compiler.
  • Performance results from real-world applications.
  • Gotchas and caveats.

 "Generational Shenandoah Update: Relevance and Best Practice Recommendations"

Saturday at 11:30, 25 minutes, UD2.208 (Decroly), UD2.208 (Decroly), Free Java Kelvin Nilsen

Generational mode of Shenandoah is a new experimental feature that has been added to JDK24. The generational mode preserves pause-less operation of traditional Shenandoah, while decreasing CPU time consumed by GC and allowing higher allocation rates without degenerated cycles in the same heap sizes. For many workloads, this allows robust deployment in smaller heap sizes.

This talk provides selected performance comparisons with traditional Shenandoah, Generational ZGC, and G1 GC. It provides selection criteria for helping to determine whether Generational mode of Shenandoah is a good match for your service needs. It also provides best-practice recommendations for how to tune Generational Shenandoah to extract the greatest value for your particular service.

 "Writing a kubernetes controller… But in Rust"

Saturday at 11:30, 20 minutes, UD2.218A, UD2.218A, Containers Danil

Kubernetes API server provides a standardized extension layer, called CustomResourceDefinitions (CRDs). This is a go-to contract, used to implement a controller with added functionality. There are some standard libraries, like controller-runtime and kubebuilder, written in Go, built to integrate with it natively. But what about other languages, like Rust?

What would a controller written in Rust look like? Why would you want to consider writing one? What benefits or downsides might this approach have? And how can a Rust controller still benefit from an established Go ecosystem?

We will explore these topics, compare implementations and share experience over other projects using Rust within kubernetes.

Projects:

  • https://github.com/kube-rs/kube
  • https://github.com/kube-rs/kopium
  • https://github.com/rancher-sandbox/cluster-api-addon-provider-fleet
  • https://github.com/crust-gather/crust-gather

 "KernelCI - upgrading Linux development and integration workflows"

Saturday at 11:30, 25 minutes, UD6.215, UD6.215, Testing and Continuous Delivery Paweł Wieczorek

KernelCI has come a long way. It started as a simple tool that was only building and boot testing ARM devices, but its story didn't end there. KernelCI evolved to actively participate in the workflow of Linux developers and maintainers and is committed to provide a CI system that alleviates their workload.

In this talk Paweł will present how various CI workflow challenges were approached and resolved. He will show how KernelCI integrates with existing tools and highlight recently introduced improvements. Join Paweł to see how it enhances the Linux kernel development process and discuss the next chapter of the KernelCI story!

 "Six months with Nix & devenv and counting"

Saturday at 11:35, 20 minutes, K.3.601, K.3.601, Nix and NixOS José Miguel Martínez Carrasco

In this talk I present my experience introducing Nix, home-manager, darwin-nix and devenv in a project where most team members use a MacBook but we spend quite some time on Linux too.

A declarative configuration

  • that does not interfere with OSX and company provided tooling
  • that can be shared with team members to be used with minimum changes
  • that keeps a working environment on every iteration
  • that really boosts productivity

adding devenv to the mix

  • so people with no exposure to nix feel comfortable
  • so developers have an almost identical setup
  • so complexity is hidden using processes and services instead of customised containers and scripts

Unfortunately some pain points too

  • as it was impossible to replicate workflows Linux users were used to
  • not all available packages can be installed

After this six-month experience, this combination is highly recommendable for all projects aiming to enjoy the good parts and some to polish edges I have seen.

 "Build a Great Business on Open Source without Selling Your Soul"

Saturday at 11:35, 25 minutes, UB5.230, UB5.230, Community Robert Hodges

A profitable business is one of the best protections for commercial open source projects and communities that depend on them. Our talk draws on the experience of companies that pulled it off to explain how to do it for your own projects. We’ll discuss commercial models that actually work, giving back to the community, and gracefully collecting money for free software. We'll also discuss topics for larger projects like foundations and taking VC funding. It is possible to balance a strong belief in open source communities with making payroll every two weeks. We've done it and will share our secrets.

 "LibreOffice Technology atomic / threading improvements"

Saturday at 11:40, 10 minutes, H.2213, H.2213, LibreOffice Caolán McNamara

With multi-threaded LibreOffice spreadsheet calculations atomic reference counting can become a surprisingly dominant bottleneck. Some profiling data and case studies on implemented improvements in this area.

 "Making NooBaa Resilient by Eliminating Single Points of Failure"

Saturday at 11:40, 30 minutes, K.3.401, K.3.401, Software Defined Storage Shriya Mulay Vaishnavi Deshpande

NooBaa is a software-defined storage platform that enables seamless management of object storage across diverse environments. In NooBaa, the database plays a vital role: it stores information related to the object buckets, object indexing, configuration data, etc. But what happens if that database fails or becomes slow? It can bring your entire storage system to a halt, impacting availability and performance.

In this session, we'll discuss the current NooBaa architecture, the challenges of NooBaa’s database dependency, along with some real-world examples of outages caused by this. We’ll explore how to safeguard your storage environment and ensure consistent access to your object buckets, even during database failures using different database handling strategies.

links: https://github.com/noobaa

 "Huge graph analysis on your own server with WebGraph in Rust"

Saturday at 11:40, 40 minutes, UB2.252A (Lameere), UB2.252A (Lameere), Rust Sebastiano Vigna

Huge graphs, from billions to trillions of nodes and arcs, are more and more common in modern data-intensive applications. Graph compression techniques allow loading and manipulating such graphs into main memory of either high-end workstations or commercial-grade servers, depending on graph size. In this talk, we report on webgraph-rs, a recent clean-slate Rust re-implementation of WebGraph, a state-of-the-art graph compression framework, formerly implemented in Java. webgraph-rs comes as a series of interconnected Rust crates of general interest, including high-performance bit streams, zero-copy (de)serialization, constant-time measurement of heap size for large data structures, and high-performance implementation of succinct data structures. Using webgraph-rs one can load graphs such as the Software Heritage Merkle DAG (about 0.6 trillion edges) in less than 200 GiB of RAM and visit it in a few hours with a single core.

 "Do we need another open source software taxonomy?"

Saturday at 11:45, 25 minutes, AW1.126, AW1.126, Open Research Sophia Vargas

How many times have you built a taxonomy for open source software analysis? Whether you’re writing a survey for open source contributors or categorizing thousands of repositories, you’ve most likely had to create some kind of organizational structure to make sense of the data. Over the course of researching and analyzing open source projects, I’ve searched for and created many bespoke taxonomies to meet my analytical needs. In this talk, I’d like to share key learnings and pitfalls in my pursuit to answer “how do project characteristics influence behavior?”, as well as propose a solution for open source researchers to share and collaborate on open source taxonomies. No one should have to build a new OSS taxonomy in a vacuum!

 "Why don't we have `libsync` yet?"

Saturday at 11:45, 25 minutes, H.1308 (Rolin), H.1308 (Rolin), Collaboration and Content Management Victor Grishchenko

An average Linux distro has about half a dozen file syncing libs. The source code we sync with git and other SCMs. But how can we sync some structured data? JSON, for example. Two-way, maybe in real time, for collaboration, revision control, and simply device syncing. As it turns out, there are challenges.

I will outline the history of the question and the ongoing efforts. Then, we will delve into the Replicated Data eXchange format (RDX) and the progress of librdx.

 "Panoramax: the full FLOSS alternative to share ground level imagery"

Saturday at 11:50, 25 minutes, AW1.120, AW1.120, Geospatial Christian Quest

Panoramax is a FLOSS project initiated 2 years ago in France by OpenStreetMap France and the national geographic institute (IGN).

Its goal is to provide a decentralized way to share and publish street level imagery.

This session will present the current status of the project, the software stack and the standards on which we built Panoramax like STAC and EXIF.

 "LibreOffice's Python API: Working around limitations of the Pythonic approach"

Saturday at 11:50, 10 minutes, H.2213, H.2213, LibreOffice Sarper Akdemir

LibreOffice's Python API is among the more user-friendly options. It provides extensive functionality in a Pythonic manner right out of the box. However, for aspects of the UNO API that aren't straightforwardly supported, alternative methods may be necessary.

Join me as I demonstrate a few problems on this topic, along with some handy tips and tricks!

 "Poppler - the PDF rendering library"

Saturday at 11:50, 15 minutes, H.2215 (Ferrer), H.2215 (Ferrer), Lightning Talks Albert Astals Cid

Learn about Poppler, the PDF rendering library used by the main Linux desktop applications. Where did it come from? What about the name? Which features does it have?

 "O_o [ Flang + WASM ] o_O"

Saturday at 11:50, 5 minutes, K.3.201, K.3.201, LLVM Serge « sans paille » Guelton

Fortran => Scientific Computing => Performance
Wasm => In Browser => Portability

Why would someone want to have both? Can Flang actually do that?

 "Building flashless servers with Open Source Firmware for higher security and better flexibility"

Saturday at 11:50, 20 minutes, UB4.136, UB4.136, Open Source Firmware, BMC and Bootloader Jean-Marie Verdun

In this talk we will cover a new proposal to design and distribute open source firmware in the datacenter world by relying on secure boot from a single component (the BMC) and extensive attestation from the remaining part of a server. The BMC will start from a network boot and load all required firmware (from PCIe end points, to microcontroller) from a trusted source before starting the target. This approach is currently implemented on HPE Gen11 servers which support Open Source Firmware. Our goal is to enhance security by decoupling the firmware and hardware supply chain, and allowing an easier update process.

 "Empowering Data Analytics: High-Performance Graph Queries in DuckDB with DuckPGQ"

Saturday at 11:50, 30 minutes, UB5.132, UB5.132, Data Analytics Daniel ten Wolde

In this presentation, we introduce DuckPGQ, an open-source community extension for DuckDB, an in-process analytical database system with a relational data model. DuckPGQ extends DuckDB’s capabilities to support graph processing, leveraging the property graph data model and implementing the SQL/PGQ standard. This enables users to query and analyze graph data within the familiar SQL environment. By harnessing DuckDB’s efficient in-memory architecture, DuckPGQ facilitates fast and seamless graph operations on tabular data and has been shown to outperform traditional graph databases like Neo4j on certain pattern matching queries. Additionally, DuckPGQ supports efficient execution of graph algorithms, enabling complex analytics such as PageRank and clustering operations. We’ll explore how DuckPGQ bridges the gap between relational and graph data, empowering users to perform pattern matching, path-finding, and more—all without needing specialized graph databases and from the convenience of your own laptop.

 "State of Checkpoint/Restore in Kubernetes"

Saturday at 11:50, 20 minutes, UD2.218A, UD2.218A, Containers Adrian Reber

In 2015 a ticket was opened asking for container migration support in Kubernetes. In 2022 the first minimal support to checkpoint and restore containers was added to Kubernetes 1.25 as an Alpha feature. In Kubernetes 1.30 (2024) the checkpoint/restore support graduated to the Beta phase.

In this session I want to give an overview of what is currently possible with regard to checkpointing and restoring containers in Kubernetes. I want to give details in what way the containerd and CRI-O implementations differ and I want to describe the future plans for checkpoint/restore in Kubernetes.

 "Supporting Confidential Computing on Arm with Open Source Software"

Saturday at 11:55, 20 minutes, K.4.401, K.4.401, Confidential Computing Poirier Mathieu

This session will present an end-to-end scenario to support confidential computing on Arm (CCA). The first part will focus on a reference implementation stack that integrates firmware, operating system, virtual machine monitor and container environment on QEMU's SBSA platform. From there we will present the verifier that runs in the cloud to attest security claims generated by the reference stack. We will conclude by going over the tooling needed to compute initial Realm measurements and give an overview of a key broker proof-of-concept that works with the stack and verifier to deliver a secret payload.

 "LGPL enforced in Germany: how we helped a purchaser use the courts to compel compliance"

Saturday at 12:00, 25 minutes, H.1301 (Cornil), H.1301 (Cornil), Legal and Policy Denver Gingerich

SFC funded and supported Sebastian Steck's lawsuit against wireless router manufacturer AVM. That lawsuit has recently concluded. AVM has provided the complete source code for all LGPL works, which means everything needed to reinstall changes, for the FRITZ!Box 4020. This marks the first time to our knowledge in Germany that an individual purchaser has successfully sued a manufacturer and received complete source code as a result. This talk will describe what the case was about, what the compliance issues were before the lawsuit, and how "the scripts used to control compilation and installation" that AVM provided over the course of the lawsuit brought them into compliance with LGPLv2.1.

 "Vulnerability Management at a Scale for the Yocto Project"

Saturday at 12:00, 25 minutes, H.1302 (Depage), H.1302 (Depage), Embedded, Mobile and Automotive Marta Rybczynska Samantha Jalabert

The Yocto Project offers the cve-check class to allow users to check for known vulnerabilities in the packages they include in their distribution. However, the CRA (Cyber Resilience Act) and changes around vulnerability databases require a different approach. The move to multiple databases and more dynamic vulnerability checking is in progress.

In this talk, we will explain the ongoing move to external checking for vulnerabilities in the Yocto Project. This will allow users to verify their distribution years after the release without the original build directory.

As the future of the NVD (National Vulnerability Database) is unknown, we are also considering using other databases, starting with raw data from the CVE (Common Vulnerability Enumeration) program.

The audience will also discover VEX (Vulnerability Exchange), allowing per-product annotations of vulnerabilities: you can finally say, "Not affected, we disabled the vulnerable configuration option!"

This talk is 25 minutes; if we have 50, we can add more content and examples.

 "Exploring the deprecated parts of LibreOffice API"

Saturday at 12:00, 10 minutes, H.2213, H.2213, LibreOffice Gabor Kelemen

Let's take a look at how much of the LibreOffice internal and external API is marked as deprecated and since when. Maybe also ask ourselves whether we are doing fine or we forgot something important we wanted to do.

 "Things are coming together for Flang tooling"

Saturday at 12:00, 20 minutes, K.3.201, K.3.201, LLVM Tim Heldmann Peter Arzt

At the Scientific Computing Institute at TU Darmstadt, we have experience with developing LLVM-based tools. In the past, however, we usually focused on C/C++ codes via the Clang compiler [1,2]. With the change to flang-new [3] as the default LLVM Fortran frontend, we were interested in developing tooling for Fortran codes. In this talk we want to take you through our journey towards flang‑new based Fortran tooling. After building ~legacy~ established Fortran codes [4,5] with flang-new we wrangled with OpenMPI, employed static analysis tools inside the compile pipeline, and measured performance with the Score‑P [6] profiling library.

We will conclude our talk by presenting first results and describing our first impressions working with the evolving flang-new infrastructure.

This talk is intended for people with an interest in Fortran applications, tooling, or a general curiosity in the possibilities given by the LLVM infrastructure.

 "Building an LTE router with a $60 (new!) laptop and a single file"

Saturday at 12:00, 20 minutes, K.3.601, K.3.601, Nix and NixOS Colin Dean

With zero experience with NixOS, I grabbed an unused $60 LTE-enabled laptop bought in a fire sale during the pandemic and an LTE SIM card to build a router for my newly purchased home so I could have the minimal Internet necessary for its security system and home automation without having to record what I did in case the laptop died.

I did this in a few hours with less than 100 lines of Nix. I did not think that it would be this easy. It served my Internet needs for several months without failure.

This talk will cover some hijinks of NixOS, using LTE for home internet somewhere you don't yet live, and the joy of things that Just Work... when they work.

 "Project Lilliput - Looking Back and Ahead"

Saturday at 12:00, 25 minutes, UD2.208 (Decroly), UD2.208 (Decroly), Free Java Roman Kennke

After 3 years of development, Project Lilliput, also known as 'Compact Object Headers', is going to ship JEP 450 in JDK24. We want to celebrate that by looking back at how we got here and talk about what Java users can expect from it. We also talk about why we are not done yet, how all Java users are going to benefit from 'Lilliput 2' and what it takes to get there.

 "Concurrency Testing using Custom Linux Schedulers"

Saturday at 12:00, 25 minutes, UD6.215, UD6.215, Testing and Continuous Delivery Johannes Bechberger Jake Hillion

Consider you want to have a concurrency bug that requires threads to run in a specific order. Wouldn't it be great if you could stop and start threads at random? Prevent them from being scheduled onto the CPU? And the best part: Without the application being able to prevent this, like it could do with POSIX STOP and START signals? In come the scheduler extensions for the Linux Kernel. Introduced in version 6.12, they allow you to quickly write your own schedulers with eBPF, and can be the base for simple libraries that enable you to start and stop threads directly in the Linux kernel. This opens the possibility of creating complex scheduler scenarios at a whim.

In this talk, we'll show you a prototypical sched_ext-based library for concurrency testing that we used to reproduce bugs when working on the OpenJDK.

 "LOWA, In Need Of a VCL Plug"

Saturday at 12:10, 10 minutes, H.2213, H.2213, LibreOffice Stephan Bergmann

Putting the pixels of LibreOffice into a browser window. With or without Qt. Asking for interaction.

 "Scaniverse Universal Scanner Drivers: One Solution for Every Distro"

Saturday at 12:10, 15 minutes, H.2215 (Ferrer), H.2215 (Ferrer), Lightning Talks Akarshan Kapoor

Talk Summary: This talk introduces a groundbreaking project aimed at creating a universal solution for scanner drivers across various Linux distributions. By leveraging Snaps and OCI containers, the ScaniVerse project enables the distribution-independent packaging of scanner drivers and applications. This approach enhances flexibility, reduces dependencies, and supports immutable operating systems. Attendees will gain insights into advanced techniques for integrating scanner and printer drivers, including the use of the PAPPL library for retrofitting legacy devices.

Project Description: The ScaniVerse project is a pioneering initiative designed to streamline the installation and management of scanner drivers across different Linux distributions. By utilizing Snaps, the project enables the creation of distribution-independent packages, allowing scanner drivers to be easily installed on any system that supports snapd. Additionally, scanner applications can be containerized using OCI containers, facilitating their deployment on immutable operating systems. Key components of the project include the integration of scanner support into the PAPPL library, originally developed for printer applications. This integration supports multi-function devices and provides a unified driver format for both printers and scanners. The project also focuses on retrofitting legacy scanners to ensure continued support for older hardware.

Learning Outcomes for the Community:
- Learning basics of how to package printer/scanner drivers in Snaps for easy installation on any distro supporting snapd.
- Gaining insights into separating scanning frontends from drivers, enhancing modularity and reducing dependencies.
- Explore how to package and deploy scanner applications in OCI containers for enhanced manageability and deployment on immutable systems.
- Understand the potential of eSCL and IPP scanning as standardised infrastructures, moving beyond the limitations of SANE.
- Discover methods to support legacy scanners using SANE and PAPPL-retrofit for a seamless transition to modern systems.
- Learn about establishing a common scanning infrastructure that simplifies development and maintenance, benefiting the entire ecosystem.

 "container-snap: Atomic Updates from OCI Images using Podman’s Btrfs Driver"

Saturday at 12:10, 10 minutes, UD2.218A, UD2.218A, Containers Dan Čermák

Traditional package updates using tools like RPM or Zypper can introduce risks, such as incomplete updates or accidentally breaking the running system. To overcome these challenges, we developed container-snap, a prototype plugin designed to deliver atomic OS updates—updates that are fully applied or rolled back without compromising the system's state.

container-snap leverages OCI images as the source for updates and integrates seamlessly with openSUSE’s tukit to enable transactional OS updates. By utilizing Podman’s btrfs storage driver, it creates btrfs subvolumes directly from OCI images, allowing systems to boot from the OCI image. This approach empowers users to construct their own OS images using familiar container image-building tools, like Docker or Buildah.

In this session, we’ll dive into:
- The architecture and technical implementation of container-snap
- Challenges encountered during development and how we resolved them
- Key lessons learned along the way
- A live demo showcasing container-snap in action

Come and join this session to learn more about how to boot from an OCI image without bricking your system!