Open Source Summit + Embedded Linux Conference North America 2026

Open Source Program Offices are maturing. What started as license compliance and governance functions have evolved into strategic enablers of security, AI adoption, developer productivity, and ecosystem engagement. At the same time, budgets are tighter and expectations are higher.

In this moderated panel, OSPO leaders from Ford, GEICO, Comcast, Cisco and GitHub will discuss how modern OSPOs are scaling impact. We’ll explore practical approaches to automation, policy design, internal enablement, and cross-functional alignment. We’ll share how OSPOs are using metrics to demonstrate value, navigating AI-era contribution models, and leveraging communities like the TODO Group to accelerate learning.

Attendees will leave with concrete examples of how enterprise OSPOs are evolving beyond compliance, how to prioritize when resources are constrained, and how to build influence across engineering, security, and leadership teams.

Whether you're starting an OSPO or leading a mature one, this session offers candid lessons from practitioners operating at scale.

We’ve probably all had company leadership question the value of our OSS efforts. It can be difficult to frame the value in ways that resonate with leadership and clearly articulate the organizational benefits gained through continued OSS contributions. Taking a strategic approach that connects the OSS work with the broader goals and objectives of the organization can demonstrate the value of this work so that the organization can continue to allocate resources to the OSPO or other OSS teams.

Using examples from my decades of experience in OSS, this talk will provide details about how to demonstrate value by focusing on how your OSS work helps the organization achieve their strategies and goals. Every organization has unique needs and goals based on what they are trying to achieve, so there is no “one size fits all” way of demonstrating value, but aligning your OSS strategy with your organization’s goals and focusing on the most strategic projects can help show the value of your efforts. This talk will help you reason about how OSS efforts allow your organization to achieve its goals along with framing and communicating that value in ways that resonate with your leadership team.

As open source adoption grows, the role of the OSPO expands with it. At GitHub, we saw an opportunity to scale our capabilities by automating the repetitive work—like checklists, scans, reports, and audits—that every program office handles.

In this session, I’ll outline how we evaluated AI agents to handle the heavy lifting of data gathering and analysis. We’ll look at practical use cases for automating OSPO activities like review, compliance, reporting, including dependency analysis and license detection, using data from sources like ClearlyDefined and OpenSSF Scorecard.

Join me as we explore the patterns that worked, the surprises we encountered, and how these workflows provide a comprehensive view of project health for OSPOs. You’ll leave with a framework for applying AI, agents, agentic workflows to your own OSPO’s challenges, helping you scale your operations efficiently across the entire open source lifecycle.

As AI agents transition from pilots to production systems, enterprises are rapidly adopting the open source Model Context Protocol (MCP) to connect models with tools, data, and services. But this flexibility introduces a new challenge: MCP server sprawl. Proliferating endpoints, inconsistent trust models, weak identity controls, and unclear governance can quickly create operational and security risk. This session explains what MCP is, why its adoption is accelerating, and where architectural pitfalls emerge at scale. Developers will learn key design principles for secure deployment, including authentication patterns, authorization boundaries, observability, lifecycle management, and policy enforcement. Attendees will leave with a practical mental model for building MCP integrations that remain composable, governable, and production-ready as ecosystems evolve.

Some people claim that open source and cybersecurity are two things that don't mix. Come join this informative session to learn how the truth is very much the opposite!

Established in 2020, the OpenSSF is the security subject matter experts for the Linux Foundation. While some might claim that security is a Dark Art, hop onto our lazy river as we show you about all the amazing initiatives our community has to offer open source developers and downstream OSS consumers! Don't forget your towel and some sunscreen, and be careful if you sit in the splash-zone... you MAY get wet! HONK!

The EU Cyber Resilience Act (CRA) is reshaping how manufacturers and developers must secure their products—but what does it mean for your Developer platforms, DevOps pipelines, and DevTeams? In this session, we’ll share a real-world implementation for SBOMs (Technical Guideline TR-03183 from the Federal Office of Information Security). We demonstrate how to technically address CRA mandates without drowning in compliance overhead.

You will leave with
- Understand the CRA’s impact on your Developers and Management even outside the EU (and why ignoring it isn’t an option).
- See a production-ready workflow for SBOMs, vulnerability management, and compliance automation with OpenSource-Tools (DependencyTrack, CentralCyclone, GitOps).
- Actionable insights on integrating CRA requirements with SBOM handling into your CI/CD pipelines.
- A clear "why this matters" for your org., and lessons from the trenches of securing critical infrastructure with Kubernetes.
- Get a checklist for team adoption - because compliance is a cultural challenge, not just a technical one.