People want to run Java workloads in Linux containers and they want that to work well. Historically, Java has tended to prefer to manage things itself, and without tuning, there have been challenges getting OpenJDK payloads to excel alongside other workloads in container workloads. But that has been changing.

This talk will give a high-level overview of the journey that OpenJDK has taken to play nicely with others in a container context (Kubernetes or otherwise), the current state-of-play, and where we might be going in the future.

No deep Java knowledge necessary.

The author works on OpenJDK and containers, both in the upstream OpenJDK project and downstream, initially at Red Hat, and now at IBM.

https://openjdk.org https://rh-openjdk.github.io/redhat-openjdk-containers/

In early 2025 we started the process to create the Kubernetes Checkpoint Restore Working Group. In December the working group had its first meeting and in this short presentation I want give an overview why we think it is important to continue the checkpoint restore related work from the last five years in this working group. In addition I want to present the topics the working group hopes to solve in the context of Kubernetes.

Reducing container image size improves security, speeds up cold starts, and cuts network transfer costs. Yet in development workflows, it’s easy to inherit bloated base images or copy templates full of unused tools. To build minimal, production-ready OCI images, we need visibility into what a container actually uses at runtime

This talk presents a lightweight method for profiling file access inside containers using eBPF, Podman, and OCI lifecycle hooks. By leveraging the prestart hook, we can gain access to the container’s initial PID, allowing an eBPF program to trace all file opens. Tracepoint and LSM (Linux Security Module) eBPF programs are combined to capture the absolute path of each opened file.

In this presentation, we will show how this approach can allow us to distinguish required files from bloat, validate dependencies, and reduce container image size, resulting in smaller, faster, and more secure OCI images.

We usually think about successful open source in terms of user adoption, level of community contributions, or even vanity metrics like GitHub stars. But what if the success of many of the most popular open source projects in the cloud native ecosystem lies in the ability of external consumers to extend the project in ways the creators didn’t even envision?

In this talk we’ll look at the containerd project and its intentionally designed extensibility. These extensible capabilities have become key launching points for innovation created and even maintained outside of the core project. We’ll look at the details of our snapshotter and shim interfaces, two popular ways to extend containerd that have many examples after 10 years of project development. New features will be demonstrated that utilize these interfaces such as native macOS support that uses the brand new "nerdbox" shim and the erofs snapshotter.

We'll detail the concrete value provided by extensibility and invite other project creators and maintainers to consider how they are designing for extensibility to enable innovation.

Reproducing a container image would ideally be just a matter of setting SOURCE_DATE_EPOCH in your build commands or containerfiles. Like most reproducible builds though, that’s just one part of the story. And unfortunately, the other part is not the rest of the sources of non-determinism (and yes, there are quite a few). The most critical part of the story is guaranteeing that anyone can reproduce your container image bit-for-bit, regardless of the date, location, device architecture, or container runtime they are using. Who’s doing this though?

In this talk we’ll explain why one should care about reproducible images, why are we reproducibly building sha256:b0088ba0110c2acfe757eaf41967ac09fe16e96a8775b998577f86d90b3dbe53 for about a year now, and how you can easily leverage some of the stuff we learned along the way.

Containers are everywhere, whether you run them locally for testing or on a production server, there is always a need to find its logs, metrics to know how much resources are being consumed and whether it is stable or not.

In this talk, we will demonstrate an example of how to monitor your Docker Containers using Prometheus and cAdvisor and view the metrics in Grafana to get better observability.

It will be an introduction Open Source tools, integration and also an excellent opportunity to learn more about the advanced features, including troubleshooting & debugging.

join us to learn more about Grafana, community contributions and share your feedback and suggestions!

Last year we open sourced a Containerization framework and container CLI tooling to enable developers to create and run Linux container images directly on their Mac in a way that focuses on security and privacy. In this talk, we'll dive into the Containerization framework, describing its foundational role in creating the container CLI which enables users to build, run and deploy Linux containers on Mac. We’ll walk through the architecture, highlight key APIs and discuss why we wrote it in Swift. We’ll then discuss some of our future roadmap for feature development and integration opportunities and challenges in the existing open source ecosystem.

OCI is many things, and soon it's a format systemd is going to understand somewhat natively. In this talk I want to explain the how, the why, and where we are going with this.

Over the past decade (or three) of container runtimes on Linux, the attacks against container runtimes with the most bang-for-your-buck have generally been filesystem related — often in the form of a confused-deputy style attack. This is aided in part by the sheer number of juicy targets accessible through filesystem APIs such as /proc.

In particular, the past few years have seen quite a few security issues of this form in runc and other container runtimes — most recently in a set of CVEs published in November 2025 (CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881). However, this is far from a container-specific issue. Many Unix programs have historically suffered from similar issues, and the various attempts at resolving it have not really measured up.

This talk will go through the myriad of issues necessary to protect user space programs against these kinds of attacks, completed and ongoing kernel work to try to make these problems easier to resolve, and our experience migrating a container runtime's codebase to a design which emphasises path-safety. In addition, this talk will also include an update on libpathrs (a library intended to make mitigating these attacks much easier for most Linux programs).

This talk is aimed to give an overview on a problem of system resource reporting in LXC-based containers.

We will cover: - LXCFS - syscall interception (sysinfo) - what is still missing in kernel API

I run my 3D in Kubernetes, as-code and git versioned, and you can too! Say goodbye to your Raspberry Pets, lost configs, clunky updates, apt upgrade breaking your setup, and always out-of-date backups. Say hi to everything is versioned and tracked in git, one git revert away from mistakes.

In this session I will showcase kubeklipper, a helm chart to run Klipper, Moonraker, a web frontend (Mainsail or Fluidd) and even a slicer all in your Kubernetes cluster.

In 2025 we rebuilt www.epfl.ch from the ground up: a fleet of 650 WordPresses, masquerading as one Web site. By applying Kubernetes and nginx (instead of Apache previously) to the best of their abilities, we achieved a 10-fold reduction of our footprint, from 20 Kubernetes pods to 2. Our contribution consists of two dozen plug-ins for WordPress, and extensive configuration-as-code including an OpenShift (OLM)-compatible WordPress operator. You can use it in whole or in part for your organization today, and we'll show you where to start.

Starting Points

• wp-ops: the main thing, w/ Dockerfiles and Ansible configuration-as-code. In turn, these pull together a whole lot of open-source code, and a number of other GitHub repositories from below https://github.com/epfl-si , all open-source; including:
• wp-theme-2018, showing the EPFL colors,
• wp-menu-api, a Node microservice to stitch all menus together,
• wp-operator, the OLM-conformant Kubernetes operator and Custom Resource Definition (CRD),
• various WordPress plugins, some generic like wp-plugin-pushgateway to push your wp-cron results into Prometheus, some very specific like wp-plugin-epfl-restauration which shows what's for lunch today;
• wp-veritas, our backoffice GUI to create, update and delete WordPresses in the tree (written in Next.js);
• and many more.
• wp-dev: to get the whole shebang (or most of it) up and running on your workstation — ready for hacking, committing, forking, and contributing.

devroom opening

Nixpkgs is massive with the largest, most up-to-date collection of Nix packages, powering reproducible systems and forming the backbone of many projects. But there's a problem: Nix packages' license metadata is a mess.

Nix's license tracking uses a custom license ID system that doesn't match the best practice of using SPDX license expressions standards, inconsistently referencing SPDX or ScanCode LicenseDB. The metadata often falls out of sync with the actual code or misrepresents what's really licensed, and packagers typically only check the top-level declared license and skip the file-level details where the real complexity hides. For an ecosystem built on correctness and reproducibility, this is a gap we need to close.

Nixpkgs Clarity fixes this with state-of-the-art automated license detection. We're correcting and standardizing license metadata across the entire Nixpkgs collection, aligning with SPDX best practices, and making sure what we declare actually matches what's in the code. This matters because accurate license data is critical for software supply chain security, CRA compliance, and anyone who needs to responsibly reuse Nixpkgs packages in production.

This talk shows how we're detecting and correcting license metadata across Nixpkgs, and what changes when you finally have accurate license data. We'll share how we are tackling the unique challenges of Nixpkgs at scale, with tens of thousands of packages, Nix's functional approach to package definitions, and automated detection in a way that maintainers can trust and verify.

If you care about making Nixpkgs even more reliable and supply chain ready, come see how we're bringing Nix's correctness principles to Nix packages' license metadata.

Since 2015, IndieHosters has specialized in hosting and making accessible free software as a service, from blogs and forums to wikis and online collaboration tools, with a core mission to enable people and organizations to always keep control over their data and privacy in order to achieve data sovereignty.

To support this mission, we created libre.sh, a framework of tools that enables us to host free software at scale. It has evolved quite a bit since our initial talk at FOSDEM 2017. We progressively changed many of the tools and software we have been using, for instance, transitionning from Docker Compose to kubernetes. In more recent time, we are progressively using Nix and NixOS in various part of our work. In this talk, we wish to show what this change actually looks like in our processes.

As a demonstration, we are gonna deploy an instance of LaSuite.coop, a fully-fledged application suite, starting from a fresh environment. Along the way we'll cover how our provisionning is done with nixos-anywhere and disko, how declarative Nix environments impacted our workflow, how we build reproducible container images using Nix, and more. Basically, if it uses Nix at IndieHosters, we will discuss it! We can't wait to discuss, share our experiences with the Nix community and receive valuable feedback from you!

• https://k8s.libre.sh
• https://LaSuite.coop is a cooperative of various french cooperatives, hosting free software mainly developped by https://lasuite.numerique.gouv.fr/en
• Our 2017 FOSDEM Talk

Our digital lives are increasingly fragmented across numerous centralised online services. This model concentrates power, leaving us with minimal technical control over our personal data and online identities. The long-term permanence of these platforms is uncertain, and their commercial incentives are often misaligned with user interests. We propose inverting this model: instead of centralising our data in proprietary silos, let’s centralise our presence under our own control using open, federated services. We introduce the concept of ‘digital islands’, or Eileans – self-hosted hubs for an individual’s or community’s online presence. By hosting services ourselves, we regain autonomy and control. Eilean is a project designed to simplify the creation and management of these digital islands. The core idea is to parameterise a complete operating system deployment by a domain name and a desired set of services. This allows users to easily deploy their own instances of federated services like Matrix, Mastodon, and E-Mail. We utilise NixOS to enable declarative, reproducible configuration and deployment of these services. This provides strong guarantees about the system’s state.

See the code at https://github.com/RyanGibb/eilean-nix

Get in touch at https://ryan.freumh.org/about.html

See the slides at https://ryan.freumh.org/talks/slides/2026-fosdem-eilean.html

With TAPPaaS we are building a small, composable private cloud for homes, communities and small organisations. It should feel like an enterprise‑grade packaged solution, but be built fully with FOSS and declarative Nix/NixOS tooling. Our current design is a 2‑node cluster with a third backup node, using Proxmox as cluster manager, NixOS and flakes for all VMs running platform services. All changes go through GitOps workflows, and services are packaged as NixOS modules that share central identity, secrets, backup and monitoring. We will show the architecture, NixOS/Flake deployment structure and CI/CD pipeline, and how declarative configuration helps with upgrades, failures and restores. This talk is for Nix/NixOS users and operators who want to turn homelab ideas into robust platforms for real organisations. We will share what works and where we struggle, and invite experienced nixers to challenge our choices and point us to patterns and tools we should adopt.

Reproducibility remains one of the largest challenges in benchmarking distributed systems, especially when hardware, kernel settings, and dependency versions vary between tests. This talk presents a NixOS-based approach for constructing deterministic, portable benchmark environments for large-scale data infrastructure. We show how Nix’s declarative system configuration, content-addressed builds, and reproducible packaging model allow engineers to isolate performance variables and eliminate configuration drift entirely. Using Apache Cassandra as the primary case study, the talk demonstrates how NixOS can define and reproduce complete cluster environments—from OS images to JVM parameters and custom benchmarking tools—across both cloud and on-prem setups. Attendees will learn practical patterns for packaging workloads, pinning dependencies, and generating ephemeral benchmark nodes. The session concludes with a discussion of how Nix abstractions can support multi-architecture testing.

NixOS reproducibility monitoring has historically been limited to the ISO images we ship, because they are a package set small enough to be rebuilt on a single machine. In this talk, we introduce LILA, a decentralized reproducibility monitoring infrastructure for the NixOS community, aimed at removing this limit and allowing a collaborative monitoring of the entirety of nixpkgs!

The OCaml language package manager, Opam, has support for interfacing with system package mangers to provide dependencies external to the language. Supporting Nix required re-thinking the abstractions used to interface with traditional package managers, but enables using Opam for development easy whilst benefitting from Nix's reproducible system dependencies. This provides one example of how Nix interfaces with other software development and deployment technologies.

Read more at https://ryan.freumh.org/opam-nix.html

Get in touch at https://ryan.freumh.org/about.html

See the slides at https://ryan.freumh.org/talks/slides/2026-fosdem-opam-nix.html

All the big cloud providers provide your machines with a unique cryptographic identity that can be used to talk to their cloud services securely without having to manage or rotate any cryptographic secrets yourself. For example GCP has Service accounts and AWS has IAM roles. This ubiquity of cloud identity and the seamless integration with all the the services of these cloud providers is one of the reasons why they are so successful.

SPIFFE (Secure Production Identity Framework For Everyone) tries to unify these concepts of workload identity in a vendor neutral framework. But how do we bootstrap our cryptographic identity securely when we are running things on our own hardware as opposed to on cloud? What is our bottom turtle?

In this talk, I will show how I use Nix OSin combination with the swiss-army knife of tools provided by systemd (ukify, systemd-measure, systemd-repart, systemd-veritysetup-generator) to create reproducible images for which we can predict TPM measurements.

Paired with a custom attestation plugin for SPIRE (the reference CA server for SPIFFE) that uses TPM remote attestation I can give each of my servers a unique identity encoded in a TLS certificate if and only if they were booted up with the software that I intended them to boot up with.

This then allows me to have workloads talk to each other with mutual TLS without having to manage any keys or certificates myself.

Have you ever felt the need for a virtual machine in your NixOS server environment? Maybe the functionality you want is not available in NixOS? Maybe there’s a custom OS image for a service you want to provide? Maybe you just want to securely isolate your workload? NixOS promises reproducible and declarative systems, but for VMs it just wasn’t there yet. To close this gap we built the ctrl-os.vms NixOS module, a solution to define generic virtual machines directly in your NixOS configuration. It works just like virtualisation.oci-containers, but for VMs instead of containers. 20 lines of Nix make it possible to run any Linux distribution you want as a VM on your NixOS host. To put a cherry on top you can use cloud-init, from our NixOS configuration to configure your guests declaratively, too! ctrl-os.vms is part of the ctrl-os-modules repository.

I'll present my story of building a machine-readable inventory of computing equipment of my employer. It collects information such as: “This computer is located in this room with this network configuration, these software requirements and is connected to this port of this switch” so that I can easily develop scripts that configure the machine, the switch, monitoring of both and many other things including a physical map.

I went through many iterations of this project–codenamed AR–and settled on NixOS modules for their balance between how easy it is to write new records and how easy it is to use them. Let me share the joy it brought to my job and present curated code snippets so you can build your own inventory with ease.

Nix and Nixpkgs are gaining ever-broader adoption at the same time that SBOMs (Software Bills of Materials) are emerging as a standard format for demonstrating provenance. This talk will argue that bridging the gap is imperative for the Nix ecosystem, illustrate a fleshed-out approach to SBOM generation. This will suggest some improvements to Nixpkgs that I believe could unlock further progress.

Nixss (pronounced "nix" like you're a snake) is a Nix library for making static sites. It's not a static site generator, rather, it provides tools to build your own. Nixss comes with several pre-processors and combinators that will turn whatever files you throw at it into a tree of Nix derivations, which builds into a static site. It also has its own Nix-based templating system, if you'd rather not use more conventional ones.

NixOS, with its ability to centrally manage multiple devices, is an ideal way to maintain a network infrastructure that consists of multiple devices (routers, switches, access points). This presentation will provide an overview of how NixOS can be utilized on routers. This will include configuration based on systemd-networkd for routing and switching, as well as hostapd for Wi-Fi. It aims to provide you with tips on setting up your network infrastructure on NixOS itself.

My personal NixOS configuration with three different home networks backed by NixOS: https://gitlab.com/Cynerd/nixos-personal/

Project providing support for running NixOS on Turris routers: https://gitlab.com/Cynerd/nixturris/

Introducing sphinxcontrib-nixdomain! A plugin for the Sphinx documentation generator that takes your Nix code and generates documentation for NixOS options, Nix packages, and Nix functions.

This talk shows how to set up sphinxcontrib-nixdomain for your project, how to generate documentation for Nix objects, and how to add cross-references to those Nix objects.

We'll also go over the benefits the Sphinx documentation system provides when used with this plugin.

Resources:

• sphinxcontrib-nixdomain documentation
• sphinxcontrib-nixdomain source code
• Sphinx documentation
• EPNix documentation, my work project that extensively uses sphinxcontrib-nixdomain

Nima, the Nix Manipulator, is a new Python library and collection of tools for parsing, manipulating and reconstructing Nix source code.

This presentation will introduce the project, its original goals, key features, and practical applications. It will explore the tradeoffs and decisions made during development and demonstrate how to use its various features.

Context

Started during SaltSprint 2025, Nima aims to fill the absence of tools for easily updating and editing Nix code. Popular tools such as nix-update rely on simple string replacement or regular expressions for updating Nix code.

Goals

• Ease of use.
• High-level abstractions make manipulating expressions easy.
• Preserving formatting and comments in code that respects RFC-166.

Eccentric formatting that does not respect RFC-166 and would add unnecessary complexity may not be preserved.

Targeted applications

• Updating values in Nix code by hand, scripts, pipelines, and frameworks.
• Writing refactoring tools.
• Interactive modifications from a REPL.

Foundations

Nima builds on tree‑sitter, a multilingual concrete‑syntax AST, with the tree‑sitter‑nix grammar providing lossless parsing of Nix files.

Project status

The project is still in early‑stage:

• Most Nix syntax is supported, but not all everything yet.
• Test-driven approach prevents regressions.
• CLI and API stability is still evolving.

Links

Source: https://github.com/hoh/nix-manipulator Announcement: https://discourse.nixos.org/t/announcing-nix-manipulator-nima-structured-edits-for-nix-that-keep-formatting/68513/11

Nix Forge is an attempt to lower the barrier and learning curve required for packaging and deploying software with Nix, enforce best practices and unlock the superpowers of Nix.

By providing a human-readable packaging recipe format (inspired by conda-forge), Nix Forge abstracts away the need for advanced Nix packaging knowledge and experience without sacrificing its powers. Users can define packages and multi-component applications running in shell environments, containers, or inside a NixOS system using simple declarative configurations instead of writing Nix expressions. The NixOS-style module system guides users through the packaging process, enforces best practices, and provides type checking for recipes—ensuring quality and correctness from the start. On the other hand, the web user interface provides an attractive catalog of packages and applications with copy-paste instructions for end users.

This presentation will demonstrate how this approach significantly benefits developers in the era of LLMs. With its simplified, structured format, LLMs can now effectively help users create and modify Nix packages—a task that previously required deep Nix expertise. The human-readable recipes allow developers to easily verify LLM-generated configurations, while built-in type checking enforces correctness automatically.

Source code - https://github.com/imincik/nix-forge Web UI - https://imincik.github.io/nix-forge

This talk details our personal journey of creating a setup for video streaming at conferences, called mixos. We explain the challenges we faced and how Nix and NixOS helped us get the work done in a robust and efficient way. We do not consider ourselves extremely proficient in Nix, so any feedback from the community would be greatly appreciated.

In addition, we (as part of the FOSDEM video team) demonstrate how the same Nix-based setup can run on a FOSDEM video box.

Debugging Nix can be frustrating: poor error reporting, non-incremental builds, and cryptic stack traces make fixing a derivation a pain. This talk presents practical tools and techniques to make working with Nix expressions and builds more fun. A significant portion of this talk is a live coding demo, targeted at somewhat beginner-intermediate Nix users.

An Introduction from the Organisers to the Open Source & EU Policy devroom.

European digital sovereignty is moving from slogan to strategy. Faced with dependencies and in line with its resilience goals, the EU increasingly turns to open source as a pillar of its technological autonomy. Yet the debate often stalls on the questions: Where is software “made”? Who “owns” the code? And can sovereignty be achieved simply by adopting European-labelled alternatives? - all questions that often are not compatible with how open source actually works, and potentially leading to missing out on the vast potential of the global OS ecosystem for Europe.

In this panel, the speakers will focus not on trying to define “European open source” but on the fact that sovereignty is less about origin or ownership than about capability, participation, and influence. Drawing on perspectives from the industry and SMEs, as well as the global open source ecosystem, the discussion will focus on the future-looking (and pragmatic) idea of interdependent autonomy: where strategic independence is strengthened, not weakened, by deep engagement in global open source communities.

• What is the most omitted in digital sovereignty discussions, and should not be?
• If you were to point to one action that Europe should focus on in the next 10 years for its digital sovereignty, what would it be?
• What should open source foundations do in order to strengthen this interdependence, while not hampering EU’s goals of supporting its own, homegrown industry?
• How can European companies build viable business models on open technologies without retreating into protectionism or undermining global collaboration?

Europe’s IT landscape has long been heavily reliant on just a few large American tech providers, and this is equally true for the systems used in public administration. This dependence jeopardises the administrative services that underpin our states’ functioning. To counter this, Europe needs a tech stack that strengthens digital sovereignty at every level, from databases and virtualisation to operating systems and end-user applications.

Various governments and governmental organisations in Europe are already working to provide building blocks for a sovereign public infrastructure. The newly founded European Digital Infrastructure Consortium for Digital Commons (DC-EDIC) can fuel this development. This session brings together actors involved in setting up DC-EDIC in conversation with civil society and the wider open source community. We will explore the EDIC's role in supporting the open source ecosystem, as well its connections to European policy:

• How can we support long-term sustainability for open source public infrastructure?
• What capacity barriers still stand in the way of OS adoption?
• What governance models can enable meaningful participation from stakeholders?

With this session, we hope to help steer the EU's ambitions for digital sovereignty toward models that genuinely empower the open source community and reinforce the sustainability of Digital Commons.

As it takes a village to raise a child, it takes a global open ecosystem to build a Euroshack. Inspired by the Frugal Manifesto, we envision the Euroshack as the first agile prototype of a truly open EuroStack: modest in form, ambitious in purpose. Grounded in pragmatism and powered by free and open software, the Euroshack avoids nationalist overtones and instead champions a scalable, dependable core. “Shack” is a humble name, but it reflects a bold mission: to secure digital sovereignty and protect our electronic freedoms in Europe from the mood swings of oligarchs. With its modular, adaptable structure, the Euroshack is built to grow, evolve, and empower.

Abstract

Europe has bold ambitions for open source and digital sovereignty, yet most initiatives struggle to deliver meaningful change where it matters: at the level of local institutions. Despite strong strategies and political commitments, implementation stalls because the policy frameworks guiding European digital transformation ignore a simple truth. Europe is built on a multi-level governance system where local actors carry the responsibility for execution but lack the incentives, support, and capacity to act.

Drawing on hands-on experience from Denmark’s OS2 (os2.eu) community, where more than 85% of municipalities jointly develop and maintain open source solutions, this talk examines why current EU-level open source policy risks failing in practice. It unpacks three systemic barriers:

1. Weak incentives at local level: Municipalities lack resources, competencies, and organisational maturity to prioritise open source adoption. Financial savings are not an effective incentive, because open source is not a budget trick; it requires long-term investment in capacity.
2. Multi-level governance creates structural friction: Authority is distributed across EU, national, and local levels. While this strengthens democracy, it fragments responsibility. National governments centralise; local authorities implement without adequate support; and EU ambitions rarely translate into actionable change.
3. Vendor dominance distorts procurement and advice: Large IT vendors shape decision-making, reinforce proprietary dependency, and overshadow sovereign alternatives. The barriers are governance- and leadership-related, not technical.

The talk ends with practical policy recommendations: risk-bearing EU capital for local transitions, stronger alignment between EU-level commitments and local implementation realities, and a cultural shift where every new digital project must explicitly break with “doing things the way we always have”.

Speaker bio

Rasmus Frey is Chief Executive and Secretary at OS2 (os2.eu), Denmark’s open-source community for public digital collaboration.

He works at the intersection of governance, innovation, and technology, helping municipalities and public institutions co-develop and reuse digital solutions through open collaboration and shared ownership.

Rasmus contributes to European networks on open-source governance and digital sovereignty, with a focus on institutional design and democratic digital infrastructure.

Roundtable discussion with policymakers and the community: how can the public procurement framework, that is currently being reformed, be used to achieve digital sovereignty goals? Open Source provides many answers to the questions digital sovereignty raises, but how can public procurers be empowered to buy more Open Source, what are their expectations, and what hurdles exist?

A Blueprint for Trusted European Digital Services

The European Commission’s Cloud Sovereignty Framework (Version 1.2.1, Oct. 2025) is a critical blueprint for defining, assessing, and ensuring the sovereignty of cloud services used within the European Union. Born from initiatives like Gaia-X, CIGREF's Trusted Cloud Referential, and EU legislation (NIS2, DORA), this framework supplements security requirements with sovereignty-specific safeguards to reduce dependency on non-EU actors and proprietary systems.

This session will dive into the technical and legal requirements of the framework, which uses a dual assessment approach: the Sovereignty Effective Assurance Level (SEAL) and a quantitative Sovereignty Score.

Key Components

In this talk Emiel will break down the framework's core pillars:

1. The 8 Sovereignty Objectives (SOVs)

The assessment is built around eight objectives that define what sovereignty means in a cloud context:

SOV-1: Strategic Sovereignty SOV-2: Legal & Jurisdictional Sovereignty SOV-3: Data & AI Sovereignty SOV-4: Operational Sovereignty SOV-5: Supply Chain Sovereignty SOV-6: Technology Sovereignty SOV-7: Security & Compliance Sovereignty SOV-8: Environmental Sustainability

1. The 5 Sovereignty Effectiveness Assurance Levels (SEALs)

The SEAL levels determine the minimum required level of assurance a cloud provider must meet for each objective:

SEAL-0: No Sovereignty SEAL-1: Jurisdictional Sovereignty SEAL-2: Data Sovereignty SEAL-3: Digital Resilience SEAL-4: Full Digital Sovereignty

This talk is crucial for open-source developers, EU-based cloud providers, and policymakers interested in contributing to or complying with the future of digital service procurement in Europe. We will discuss that digital sovereignty starts with open source and how open-source technology can directly contribute to achieving the highest SEAL levels and the maximum Sovereignty Score.

We will also dive into the EU first policy and how that helps EU organizations to be more sovereign.

Simpl is the open-source smart middleware platform that enables cloud-to-edge federations and all major data initiatives funded by the European Commission.

https://simpl-programme.ec.europa.eu/ https://code.europa.eu/simpl

The recently proposed Digital Omnibus aims to simplify a series of digital regulations, such as the GDPR, the Data Act and other laws, such as the ePrivacy directive. The goal of this legislative package is to reduce administrative burdens on organisations and boost innovation, although it can have significant impacts on open source communities, foundations and SMEs building open-source software.

Using Matrix as a case study, this talk will go through the areas of the Omnibus proposal which might have potential impacts on the wider FOSDEM community, namely proposals around redefinition of key concepts, changes to incident reporting requirements (and how they align with CRA requirements) and data sharing. It also aims to identify opportunities which might be brought on by the Omnibus, particularly around standardisation of approaches and improved collaboration.

This panel will bring together lawmakers who worked on the Digital Services Act and the Fediverse community for a panel on the challenges modern social media bring, from disinformation to hate speech and censorship, and how the EU's Digital Services Act and the Fediverse try to solve them.

Further information on speakers and content will be provided shortly.

This session will explore the specific consequences for the Open Source community arising from the EU's policy agenda on protecting children online. While there is a very real need to ensure reasonable child safety measures, many lawmakers favour blunt 'solutions' that can have serious consequences for privacy and data protection, and can particularly impact free and open source software projects.

For example, the draft CSA Regulation (sometimes referred to as "chat control") contains provisions that could make the use of age verification tools effectively mandatory for many online communications providers (messages, emails etc.) and app stores. Whilst a final law has not yet been agreed, negotiations are likely to be in their final stage by FOSDEM 2026.

In addition, calls from lawmakers for a minimum age for the use social media are getting increasing traction. Proposals range from implementing such age gating at the level of online platforms, app stores or operating systems.

This could not only impact code collaboration platforms, which could inadvertently be classified as social media. Mandatory age verification at the OS level could pose insurmountable problems for open source operating systems. Furthermore, projects that now rely heavily on a distributed system to offer software downloads and collect as little data as possible from their users would be forced to either thoroughly test every application they offer in advance or, even worse, completely centralize for the sake of age verification. Finally, age verification could threaten users’ ability to install apps outside of proprietary app stores. For all these reasons, open source developers should raise their voices in the age verification debate.

The 2024 European elections marked the start of the new 5 year mandate of the European Parliament followed by forming a new political direction of the European Commission. What does this change mean for cryptography and its regulation in Europe? How can encryption be framed as a vital tool to secure fundamental rights in the digital age, rather than as a law enforcement nightmare? The talk will primarily focus on the recent developments in political narratives around securing access to encrypted data by law enforcement authorities, the current European Commission’s plans as presented in ProtectEU: the European Internal Security Strategy, and the impact on privacy, security, and Free and Open Source Software.

Whether you are new to the Brussels EU Policy maze or already experienced in arguing your case with policymakers, this session wants to help you find your way.

Who are the right contacts to reach out to, and how to find their contact details?

How does my submission to a call for feedback develop the most impact?

What can I do to make my voice heard?

This interactive session brings together experts from different civil society organisations, with experience from past or present work in the European institutions, and Open Source practitioners at FOSDEM to advocate for fundamental rights, digital, and Open Source policy towards the European institutions, including the European Commission, Parliament and Council.

Participatory platforms are now widely used across Europe for consultations, participatory budgeting, petitions, and deliberation. However, despite this growth, civic tech ecosystems remain deeply fragmented: platforms are isolated, data is locked into silos, and citizen contributions rarely travel across institutional levels or over time. This fragmentation limits transparency, weakens democratic legitimacy, and prevents collective learning at scale.

This talk presents the Democracy Data Space, an open, interoperable infrastructure designed to reconnect participatory processes across platforms, institutions, and territories while preserving local autonomy and data sovereignty. Inspired by European data space principles and built on open standards, this initiative explores how interoperability can enable traceability of citizen contributions, federated identity, shared governance rules, and cross-platform democratic intelligence.

We will share:

The political and technical problems caused by today’s civic tech silos The core architectural principles of a Democracy Data Space How open protocols and federated data spaces enable democratic traceability Early experiments, governance challenges, and next steps for this european data space for democracy This session is aimed at open-source developers, civic tech builders, data space practitioners, and anyone interested in building public digital infrastructure for democracy.

We present HowTheyVote.eu, a free and open-source website that makes roll-call votes in the European Parliament more accessible and transparent. We briefly showcase the site’s features and how we built it, focusing on the different official data sources we combine. We will discuss good and not-so-good practices of the European Parliament’s websites and take stock of what we learned from four years of scraping parliamentary data. Lastly, we present examples of HowTheyVote.eu data being used in journalism, research, and civil society, showcasing how accessible voting records can inform debates and thus ultimately strengthen European democracy.

The European Parliament is the only directly democratically elected EU institution, and, as such, the voting behavior of its members is of particular interest. With a significantly larger number of right-wing MEPs since last year's elections, keeping an eye on the developments in Parliament has become more important than ever. Although the Parliament publishes information such as roll-call vote results and plenary minutes on its website, it can be difficult to find out what exactly MEPs voted on or how a particular vote turned out, as the data is scattered across multiple sources, published in different formats, and made available at different times.

We started HowTheyVote.eu in 2021 as a free and open-source project to address these problems. On HowTheyVote.eu, users can search for votes and view results. We also publish our entire dataset under an open-data license.

Across Europe, open source is increasingly used to address systemic challenges in a variety of sectors, including agriculture, energy, and public infrastructure. However, its full potential depends on how projects, policies, and markets are being shaped in those verticals.

This panel brings together concrete experiences from digital agriculture, energy system modelling, and public procurement to explore how open source enables innovation, transparency, and technological sovereignty across vertical industries. Drawing on EU-funded projects, open science methodologies, and real-world procurement practices, speakers will discuss how open source supports interoperable solutions, trustworthy policymaking, and resilient public infrastructures. The session highlights the critical role of policy choices - funding, licensing, procurement rules, and governance - in turning open source software into sustainable ecosystems that serve Europe’s economic, environmental, and democratic goals.

This talk is for a broad audience, including projects and smaller organisations that don't have compliance and policy staff. The primary goal is to give people information so that they can check if they have CRA obligations, and what compliance work might be required. It will also show what projects can do voluntarily to make compliance work easier for others that want to use their software.

The secondary goal of this session is to enable more people to participate or provide feedback. Eclipse Foundation and other entities of the FOSS ecosystem are creating educational materials and compliance tools. To ensure that such tools are useful for the entire ecosystem, feedback is needed from all types of projects and organisations. Do the current information resources meet your needs? What more would be useful?

What if open source software projects could receive ongoing and sustaining funding from the corporations that use those project commercially — without changing the license or charging a fee for usage? This may sound self-contradictory; soon, it may be more than theoretical.

In Article 25 of the Cyber Resilience Act, one can see that the European Commission has the opportunity to create a Delegated Act for Voluntary Security Attestations. This could open a path for open source project maintainers, stewards, or third parties to reduce manufacturer's cybersecurity compliance obligations in exchange for sustained funding. The exchange benefits companies by reducing their compliance costs, but without turning the open source foundation into a manufacturer itself, without assuming liability, and without jeopardizing a steward's non-profit status.

In this presentation, Æva Black will introduce their ongoing work with the Eclipse Foundation to develop an understanding of how such a programme might function and how it might impact different segments of our community-of-communities.

This presentation is part one of a two-part series. Part two will feature a panel discussion with representatives of open source foundations and the European Commission.

What if open source software projects could receive ongoing and sustaining funding from the corporations that use those project commercially — without changing the license or charging a fee for usage? This may sound self-contradictory; soon, it may be more than theoretical.

In Article 25 of the Cyber Resilience Act, one can see that the European Commission has the opportunity to create a Delegated Act for Voluntary Security Attestations. This could open a path to reduce manufacturer's CRA-related compliance costs in exchange for support for the volunteers maintaining open source projects -- and to do this without becoming a manufacturer, without assuming liability, and without jeopardizing a steward's non-profit status.

In this panel, we will hear different perspectives on how this could improve the sustainability of open source across Europe, explore the potential impacts of different approaches, and invite audience participation and questions.

This presentation is part two of a two-part series. In part one, Æva introduced their ongoing work with the Eclipse Foundation to develop a holistic view of how such a program might function.

In this short talk, Jordan Maris and Simon Phipps of the OSI will explain how the Open Source Community can get involved in building the standards for the EU's Cyber Resilience Act, and why you should!

The European Commission’s report on Regulation 1025 openly acknowledges what practitioners have long observed: the EU standardisation system is struggling to deliver the kinds of outcomes needed to support the Union’s ambitious push into digital regulation. In this presentation, Tobie draws on his long experience driving large-scale standardisation efforts in organisations such as OASIS, W3C, JDF, Ecma, and the WHATWG, as well as on his work introducing open-source development practices within them. He will discuss why these practices work, the benefits they bring, how they could be adopted by the European Standardisation Organisations, and which transition mechanisms could help bridge the gap until the ESOs are able to catch up.