The promise of smartphones was freedom in your pocket. The reality? Two corporate gatekeepers controlling what software billions of users can run on devices they supposedly own. This talk examines the uncomfortable compromises FLOSS developers face when trying to distribute apps through iOS and Android app stores, where every principle we hold dear—user freedom, privacy, transparency, and community control—runs headlong into the profit-driven interests of the global mobile duopoly.

We'll explore the battleground where free software principles meet platform restrictions: mandatory code signing that undermines reproducible builds, opaque review processes that can arbitrarily reject apps exercising user freedom, 30% revenue cuts that punish sustainable FLOSS funding models, and Terms of Service that can revoke your ability to distribute software overnight. The Digital Markets Act promised to open these walled gardens, but has it? Or have we merely traded one gatekeeper's rules for slightly different ones?

This isn't just about technical hurdles—it's about fundamental questions. Should FLOSS projects compromise on GPL compliance to reach users? Is it ethical to pay fees and developer taxes when that money funds the very infrastructure restricting user freedom? When F-Droid and alternative app stores offer true freedom but reach only 2% of users, do we accept the compromise or maintain ideological purity while our potential impact dwindles?

The stakes are existential. As our digital lives increasingly occur on locked-down mobile devices, FLOSS becomes the last line of defense against surveillance capitalism, planned obsolescence, and the erosion of user agency. If we can't effectively distribute free software on the platforms where users actually are, we risk relegating FLOSS to irrelevance precisely when it's needed most.

But there's hope. New regulatory frameworks, emerging alternative stores, advances in progressive web apps, and creative technical solutions offer paths forward. We'll discuss practical strategies for maximizing reach while minimizing compromise, building communities that value freedom over convenience, and preparing for a post-duopoly future.

This talk will challenge both the compromisers and the purists, asking uncomfortable questions: Are we collaborating with platforms that fundamentally oppose our values? Or are we pragmatically meeting users where they are? The answer may determine whether free software thrives or withers in the mobile era.

We need to talk about war. And we need to talk about companies building bots that propose to rewrite our source code. And about the people behind both, and how we preserve what is great about FOSS while avoiding disruption. How do geopolitical conflicts on the one hand and the risk of bot-generated (adversarial) code on the other influence the global community working together on Free and Open Source software?

The immense corpus of free and open source software created by a global community of researchers and engineers, developers, architects and designers is an impressive achievement of human collaboration at an unprecedented scale. An even bigger circle of users, translators, writers, creatives, civil society advocates, public servants and private sector stakeholders has helped to further develop and spread this technological Gesamtkunstwerk far and wide - with the help of the internet and the web. With individual freedoms and user empowerment at its center, these jointly created digital public goods have removed many economic and societal barriers for a large part of the world's population. Users are not just allowed to benefit from technology, but each and every user can in principle actively help shape it. On top of the FOSS ecosystem our global economy has been propelled to unprecedented levels.

Much of this incredible growth was achieved within a (relatively) calm geopolitical situation, in the wake of the cold war which ended in the very same year that also saw the genesis of the World Wide Web at CERN in Switzerland. Economists, philosophers and other observers at the time spoke of the 'end of history' and expected no more big conflicts at the superpower level. We could now globalise the economy and all work together. The flood of innovation taking place all around us promised a bright future for all, with room for altruism and collaboration. In retrospect it certainly was an ideal situation for an optimistic and constructive global movement like the FOSS community to take over the helm.

But apart from the fact that under the surface that narrative was already flawed (with some actors like the USA having a double agenda, as the Snowden and Shadowbrokers revelations exposed) history didn't end. To some ironic extent we are now becoming victim of our own success. In recent years we've seen geopolitical stability punctured by war effort levering low cost technology that includes heaps of FOSS. Social media powered by FOSS infrastructure promote disinformation and have successfully stirred large scale polarisation. Within some of the largest and most populous countries on the planet authoritarian regimes have successfully used technology to break oppression in a new race towards totalitarianism. While for instance Europe has tried to regulate 'dual use' technology, "any use" technology (which our libre licenses guarantee) has escaped our attention. Even in countries which had stable non-authoritarian regimes there is a visible technology-assisted relapse towards anti-democratic movements. On the back of a tech stack which consists of FOSS with a thin crust of proprietary special sauce, unprecedented private capital (sometimes referred to as 'hypercapitalism') is interfering with global politics at an alarming rate. Apart from the direct democratic disbalance the resulting oligarchy is giving rise to overt nepotism, corruption and a new global protectorate for predatory business models and unethical extractive behaviour. Expecting peace in cyberspace any time soon is probably naive, and free and open source technology stands to make up for a significant part of the battleground.

At the same time we are facing other challenges, such as climate change and an imminent scarcity of non-renewable resources. We have more people living on the surface of the planet than ever before, and they are consuming more raw materials and more energy than ever. This won't go on indefinitely. And right at that point we see an army of next generation Trojan horses galloping through the gates of our global commons villages, accelerating our use of both. Generative pre-trained transformers (also known as Large Language Models) kindly offer to take cumbersome and boring coding work off our hands. They can liberate us from responsibility and allow us to do other things or move even faster.

But is it really wise to accept this apparent gift, or should we be a little more suspicious? Just as it has proven way too easy for AI to poison the web with fake content, our software supply chain is vulnerable to manipulation. The attack surface is immense. Due to the inherent complexity of software it is easier to achieve and harder to detect manipulation before it is too late. While many talented and committed people have spent years reverse engineering binary blobs to avoid the associated risks, those blobs were at least isolated and clearly marked. AI is the ultimate black box and it introduces significantly more uncertainty: it rewrites the truth from the inside.

AI in its current form has no actual sense of truth or ethics. Like with Russian roulette, once in a while the models completely bork up and create phantom code and real risk - and that is even in a best case scenario, without assuming malicious intent and manipulation from the outside. In an adversarial scenario (and this adversity can come from traditional nation state actors with non-aligned interests but also from corporate or even private individuals with some determination - like Cambridge Analytica illustrated so vividly) manipulation only requires subtle changes. At the frantic scale at which any available learning content is ingested from the internet these days one can expect targeted adversarial training to manipulate specific code with subtle triggers to go unnoticed.

As a community we have spent billions of hours of careful coding and software engineering to make free and open source technology as trustworthy as it is today. Geopolitical conflict is an incentive to hollow out that trust. AI is an additional leap of faith, and if you look at the forces driving its adoption and their interests, are we really sure those black boxes are safe to invite into our trusted coding base? It is clear that the end game of AI coding is not a healthy FOSS ecosystem, but its total displacement. The threat of machine crafted and man-crafted malicious code in war-time FOSS are equally realistic. Perhaps we can find a middle ground, where we combine some of AI and human skill - and add enough checks and balances, and a variety of assurances through compartementalisation, formal and symbolical proofs and other traditional means of quality assurance.

This talk is an open exploration of some of the challenges the FOSS community will have in the years ahead, working towards a hopeful notion of maximal defendable FOSS.

Software Freedom Conservancy (SFC) sued Vizio in October 2021 because Vizio did not provide the required source code for the GPL and LGPL works that Vizio chose to use in its TVs, preventing SFC from making privacy and security enhancing changes, among other improvements that the GPL and LGPL require that companies allow in devices they sell. SFC brought the case as a third-party beneficiary of these copyleft agreements, to demonstrate how users of copylefted software can directly enforce the agreements if a company fails to comply.

The trial in this case was to finish last week, but a last-minute delay by the court means the trial will happen later this year instead. In the meantime, we'll discuss the case so far, including notable technical points about what Vizio did and didn't provide, what arguments have been made, and what we're likely to see at trial. We look forward to your questions and discussion around this historic case for user rights!

This presentation traces a five-year cat-and-mouse chase between a small VPN provider — more than 150 servers worldwide, millions of users, available on all major platforms — and the Russian state censorship machine. A real-world “Tom and Jerry” scenario where survival hinges on constant adaptation.

I’ll walk through the evolving technical and non-technical tactics used by Russian authorities to block VPN access for ordinary users. Every story comes from real, first-hand experience. The methods used five years ago and the methods used today are on entirely different levels; Tom keeps learning new tricks, and Jerry’s struggle to stay alive only gets harder.

This talk aims to be useful and insightful for network security engineers, business decision-makers, and human rights activists. Russia is not the only dictatorship experimenting with these techniques — and we expect more dictators to learn from the Russian playbook and adopt similar methods.

Activists and whistleblowers often handle sensitive documents that can incriminate both the exposed parties and themselves for acquiring or distributing the material. To move forward with their revelations, they must ensure they leave no identifiable trail. Enter Dangerzone, an open-source tool that sanitizes suspicious documents and removes incriminating metadata in the process.

This talk covers metadata removal: concrete examples of how metadata has been used to de-anonymize authors and distributors, the limitations of current tools, and the challenges posed by adversaries who can apply advanced watermarking and tracing techniques to documents.

FOSS communities have historically developed governance models that include within them biases and other problems, often belatedly recognized. For example, there is now general agreement that no dictator can be benevolent. Common alternatives to the "benevolent" dictator— the "meritocracy", "do-acracy", and the self-perpetuating committee — also have serious problems. Often the alternative offered to these kinds of governance systems is for some kind of elected governance body.

Democratic governance institutions are messy, however. We'll consider some historical examples of problems that have occurred in various democratic FOSS initiatives and organizations, and will focus particularly on the Open Source Initiative (OSI) board of directors elections of 2025. We'll consider the question: how can we design elected governance bodies for FOSS that truly represent the views of our community and are held properly accountable to their constituencies?

Joe 'Zonker' Brockmeier will moderate this panel, and additional individuals have been invited and will be added once they are confirmed.

CentOS is the Community Enterprise Operating System, a Linux distribution built by the CentOS Project. For over two decades, CentOS has powered servers and workstations around the world. During this time it has accumulated its fair share of myths, tall tales, and urban legends. Many of these stem from the transition from the legacy CentOS Linux variant to the modern CentOS Stream variant.

In this session, we won't just tell the myths, we'll put them to the test. In the spirit of the TV show MythBusters, we'll use observable data, historical events, and project insights to rate each myth as BUSTED, PLAUSIBLE, or CONFIRMED. Attendees will gain a better understanding of the advantages of CentOS and the state of the CentOS Project, which they can use to make informed choices for their own deployments.

I stumbled upon a forum post of Jean, tasked in 2010 with recovering text documents for a friend from their broken Windows 95 computer. Their friend used Microsoft Bob, and the Microsoft Bob letter writer exclusively.

I was fascinated by this story, and then spent months reverse-engineering the Microsoft Bob APIs. Ultimately producing the first third-party Microsoft Bob application. During this I learned that Microsoft Bob isn't only a laughable flop, (The word "only" is doing a lot of work here), it also had strong ideas on what computing should be.

We will take a tour of Bob and its history and what I discovered about its technical underpinnings while reverse engineering.

Hopefully I can convince you that these stories are still relevant today, and can inform us on how we think about the software we use. But most importantly; the software we recommend our (non-techy) friends and family to use.

Introducing Hard-working, Easy going Software Everyone Will Use

We had a canceled session: a wonderful opportunity to crowd source a topic! What would you like to hear about? What is the hot topic you don't already see on the schedule?

Let us know what you think by filling out this form, or by writing your suggestion on a piece of paper and handing it to one of the Legal & Policy Devroom organizers.

https://sfc.ngo/idea

The German-European initiative Save Social proposes a 25 minutes session focused on broadening the involvement of society in the development and stewardship of the open social web. Despite immense progress in establishing open alternatives like Mastodon or Friendica, today's open social web has struggled to connect with and empower the wider public, often because structural support has concentrated on technical advancements rather than inclusive engagement and content diversity. A handful of global platform monopolies dominate – as we all know - public discourse and information, undermining democratic exchange and transparency. While open alternatives exist, their reach is limited without the structural, content, and educational investment needed to engage broader segments of society. Current alternatives have not always made participation intuitive or relevant for users from fields outside the technology sector, which limits their impact and hinders genuine diversity in dialogue and innovation. Therefore the future of the social web is not just a matter for developers, but for everyone—requiring regulatory support, media education, and the creation of citizen committees to define public-good requirements. The session will highlight specific, actionable pathways for different sectors to join the open web movement, making digital democracy a society-wide project rather than a niche initiative, e. g.: • Frame the strategy around a clear democratic and social purpose, not only technical openness. • Frame strategies around stories and lived experiences instead of only technical roadmaps. • Treat communities as Co-desginers, move from “getting feedback” to “sharing authorship.” • Assume most people are not protocol experts and design engagement accordingly. • Build bridges to sectors of society Save Social's proposal is for a session that inspires and equips participants to break silos and bring the open social web to everyone, ensuring it serves as a democratic, accessible, and resilient foundation for the digital society of the future. Save Social is a network of 120 individuals, being supported by more that 260.000 signatories from Germany, collectively covering journalism, the arts, unions, startup founders, established economic leaders, public institutions, and research. This cross-sector representation is unique and powerful, fostering collaboration and a user-centric approach to digital democracy.

The exponential growth of scientific literature—doubling roughly every nine years—has made it increasingly difficult for researchers and decision-makers to locate, assess, and synthesize the evidence needed for sound policy and practice. Systematic maps and systematic reviews offer robust, unbiased ways to answer “what works?” but today they depend on manual search and screening workflows that are slow, costly, and vulnerable to human error. The result is a bottleneck: high-quality, up-to-date evidence syntheses are often too labor-intensive to produce at the pace conservation challenges demand.

This talk and demo presents an open, community-driven approach to lowering that bottleneck using human-in-the-loop machine learning and transparent evidence-management tooling. In 2018, DataKind and the the Science for Nature and People Partnership, built two free and open-access, web-based workflows for computer-assisted paper screening and evidence management, integrated into a single collaborative application (colandrapp.com). The platform combines active-learning prioritization, reproducible labeling, and interactive visualization to help teams rapidly identify relevant studies from tens of thousands of documents, extract key metadata, and generate portable, shareable review outputs. All components are designed to support open research practices: auditable decision trails, exportable datasets, and interoperability with downstream synthesis and visualization tools. Now, in 2026, we are releasing a significant update to Colandr that ensures the tool continues to be functional and sustainable. Colandr is supported by a global community of researchers and volunteers (colandrcommunity.com) and this session will highlight the additional open source solutions that have been built on top of the Colandr stack in addition to the Colandr product updates.

We aim to engage the FOSDEM community around a concrete open research challenge: building trustworthy, extensible tools that keep evidence synthesis fast, reproducible, and accessible. Participants will leave with a clear view of the platform’s capabilities, the design decisions behind it, and a set of well-scoped technical and research directions where open-source contributors can meaningfully push the state of practice forward.

Isn’t monitoring DNS queries a really bad idea? If the monitoring crosses the line to surveillance, we agree. Monitoring for bad actors is still needed and valuable for cybersecurity. Building such a platform in Open Source and running it as a non-profit is much better than letting commercial actors consume this data without making it an open data commons. For sure many won’t protect the user’s privacy the way we do.

This is the story about the DNS TAPIR Open Source project - the reason we started it, our core principles and the architecture .

Since the first Microkernel OS Devroom at FOSDEM 2012 and culminating today, there have been exactly 15 devrooms in 15 years dedicated to microkernel-based operating systems at each FOSDEM. As surprising or shocking this may sound to somebody who has been there all along, this time period already constitutes a small piece of history. While the computing world of today is not dramatically different or unrecognizable compared to 2012, maybe except for a few "minor" technologies such as HTML5 and LLMs ;), there have definitively been some changes and shifts of priorities.

Let us take this opportunity for a small retrospective of the last 15 years in the context of open-source microkernel-based operating systems. What problems have we been facing back then and how do they relate to the problems we face today? What have been the ups and downs? What are the important lessons learned?

Windows 10 is now end of life!

... but not dead. Yet.

The prospect of that alone should be enough to motivate change to Linux desktops - but various governments are providing a lot more reasons to move, such as...

• tariffs (on goods and possibly services)
• unreliability (in trade and defence partnerships)
• increased need for data sovereignty ....to name a few.

I've been part of migration projects most of my career, so in this talk I'll present some of the big picture items to consider when you are promoting the idea of migrations to Linux - such as politics, cost and practicality.

Thankfully the growing movement to cloud based applications has reduced Windows dependencies, so it is now easier than ever to migrate to a Linux based desktop solution.

I'll introduce you to someone called Horace and help you to get him to YES.

In recent decades, the internet has increasingly become centralized, shifting from its hacker-driven origins into a cartel of advertising companies. It won't get better if we allow these same companies to drive the design of the web browsers and their protocols.

Within hacker communities, many solutions have been developed to mitigate centralization, but their adoption has been limited, often because they require specialized expertise to be operated safely.

In this talk I'll introduce you to a new open-source project that aims to provide an accessible alternative by building a web browser that is able to fetch web content using the BitTorrent protocol in tandem with the Tor network.

We will dive into the ethical, security, and privacy trade-offs at play when designing such an alternative web.

The IvI Project: https://ivi.eco

Historically, peer-to-peer communication has been at the heart of the internet since its early days, reaching its peak in the late 90s when the web truly became a platform for sharing knowledge and art. For a moment it felt like we could exchange freely with anyone else. Unfortunately, that did not last long: legal restrictions, centralization and the emergence of commercial streaming services did eventually reshape the internet.

But the peer-to-peer spirit did not die. Over times many tools have been developed to try to keep the web decentralized and open. They are all contributing to forge a vision in which the internet network must be owned and operated by its users.

The project "IvI" that I'm introducing to you tries to bring those pieces together in a way that makes it accessible to anyone: a web browser that streams web content using BitTorrent while guarding privacy using the Tor network. It allows people in different parts of the world to help each other access content freely, even when local internet providers or policies impose restrictions on torrenting.

Rebuilding the web using this model allow us to mitigate the risks of mass surveillance and censorship by design. Though seeding activity is public, the decentralized nature of the network makes it difficult to trace who is accessing what, or from where. It also builds solidarity into the web itself: users helping users across borders through open technology... but it does also raise complex ethical questions.

When users set up their "Akoopa" browser, they will have the choice to operate under a public or private (cloaked) profile.

By choosing a public profile, the node will communicate with the BitTorrent mainline DHT, it participates as an active node in traditional BitTorrent swarms. But here's the twist: a public node also exposes itself using an onion service which is only advertised to peers running the IvI stack. On the other hand, all the HTTP browsing traffic goes through Tor, effectively preventing websites (or their advertisers) from correlating the torrenting activity.

Alternatively, by choosing a private profile, all communications will go through Tor. This means that the node can not directly communicate with BitTorrent mainline DHT. Instead, it relies on the overlay network of public IvI nodes to proxy its requests. In such situation it can participate only passively with the traditional BitTorrent nodes, but it is actively supported by the other IvI nodes in the swarm.

With this design in mind, and a carefully hardened BitTorrent client implementation which is respectful of Tor bandwidth and exit policies, we should be able to work around the issues traditionally encountered when torrenting with Tor.

This initiative is not commercial, not governmental; it is just a community effort to reclaim the web’s original spirit. It’s a simple idea that poses this question: What if we delivered the web itself through torrents? The technology exists; now it’s about putting it together and doing so collectively to figure out how to make it work for everyone.

In an era where our identities and rights are increasingly mediated by devices we call “phones”, the boundaries between digital citizenship and corporate feudalism are blurring. This talk explores the intersection of technology, autonomy, and community within the unique context of transformational festivals, temporary autonomous zones (TAZs) (or future isolated neightborhoods and local communities?) where experimentation and reappropriation of tools take center stage.

Starting from a cyberpunk reflection — high tech, low life — the talk questions how much of that dystopian vision has already become reality: from algorithmic control to the loss of privacy and digital dependency. Drawing on the legacy of radio as an anarchic medium and the new rise of mesh networks such as Meshtastic/Meshcore/Reticulum, The Things Network, and Helium, Davide Gomba connects past and future: from Marconi lighting up the Cristo Redentor in 1931 to today’s decentralized communication protocols.

Through examples from Lutopia’s “Ozorian Experiment” (2024) and the ongoing Burning Mesh initiative, the talk presents how off-grid communication can become both a poetic and political act - reclaiming connection, rebuilding resilience, and teaching new forms of digital literacy. Between cyberpunk dystopia and techno-anarchic optimism, “The Meshiverse OR The Revolution of the Little Radios” is a manifesto for the right to communicate freely - even, and especially, when the network goes dark.

In today's world everyone just gets open source ... at least you don't have to explain what it is any more. However, the way a corporation runs is based on transaction needs rather than deep philosophical beliefs, so Open Source and your place within a corporation (and often your value to it) depend on your ability to translate between these two positions. This talk aims to equip modern open source developers with the ability to navigate this translation effectively. And, although the transaction nature means trust is fleeting, constantly adjusting to the transactional needs can build fleeting trust into a longer term reliance.

Although Linux isn't the first open source project, it is the first one to begin successfully co-opting corporations into its development model. In the beginning Linux was a wholly volunteer operation that leaked into corporate data centres via subversive means. When the leak became a flood those in charge of the data centres reluctantly blessed Linux deployment to avoid being swept away. This meant that all the ancillary producers (drivers for hardware, databases, industrial applications etc.) all had to come to Linux on its own terms (which we, the Linux community hadn't actually thought about at the time). It also meant that relationships that began completely antagonistically usually ended up being harmonious (yesterday's enemy almost always became today's friend). The result was a years long somewhat collaborative project to develop rules of engagement between open source projects and corporations.

This talk will cover three things that came out of these rules of engagement:

1. agency: a corporation deals with open source through its developers at the code face. They are empowered to make decisions on its behalf way beyond any proprietary developer ever was and this empowerment changes the internal as well as external dynamics of employer to employee interaction.

2. Mutual Development: As an open source contributor you become responsible for deciding what's best for the project (and persuading your employer to agree).

3. Strategic misalignment: although corporations understand that they have to do open source, internally there's often an uneven penetration of how to do it. Thus a significant part of a good open source employees time is spent doing internal alignment to make sure internal lack of comprehension doesn't get it the way of sound execution.

We'll give examples of how to leverage these rules, an understanding of which will allow you to build a shifting transactional trust between you want your employer.

Mercurial is a Distributed Version Control System created in 2005.

The project has been constantly active since then, fostering modern tooling, introducing new ideas, spawning multiple recent tools from its community, keeping itself competitive, and with sustained funding for its development. However nowadays, most people we encounter remember Mercurial for losing the popularity battle to its sibling Git in the 2010s and think the project dead.

This talk confronts this paradox. How did Mercurial get itself in such a situation? What can everyone learn from it? What does this mean for the future of version control?

Using our first hand knowledge of Mercurial's history, we look at a selection of events, contributor profiles, technical and community aspects, to see how they've affected the project's course.

We will focus on topics that we have been asked about most frequently, such as: * How has Mercurial weathered the Git storm? * Which impacts has Mercurial had on your life, unbeknownst to you? * How has the involvement from behemoth companies reshaped the project? * What brings people to Mercurial in 2025?

Finally, we leverage the knowledge extracted from our past, to assess the present state of version control, try to predict its future, and highlight how community-based open-source remains as relevant as ever.

2025 has been a crazy year for open source, self hosted collaboration. As in, everyone has woken up to the risks of having an entire economy depend on 3-4 big American tech firms. Well, we at Nextcloud have been working to solve that since we started in 2016 and the large roll-outs recently, of millions of users at various public sector organizations across Europe. And now suddenly everyone else starts talking about it?

Well, we’re at FOSDEM, so all we care about is… features. That, and self hosting of course. It is more fun. And who doesn’t want to stay in control?

So, like every year, I will go over everything we did in Nextcloud in the last year. Is it feasible to do that in a single talk? Of course not, but I’ll try anyway, and you can judge me.

See you in Brussels!

The curl project has been bombarded by large volumes of low quality AI slop security reports and Daniel shows examples. Sloppy humans causing Denial-of-Service attacks by overloading maintainers with quickly produced almost-real-looking rubbish.

At the same time, upcoming new AI powered tools find flaws and mistakes in existing code in ways no previous code analyzers have been able to. Daniel names names and shows examples of findings, some that even feels almost human. Next level bug-hunting for sure.

AI now simultaneously brings us the worst and the best.