Open Source Summit + Embedded Linux Conference North America...
May 18-20, 2026
Minneapolis, MN
Note: The schedule is subject to change.

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for Open Source Summit North America 2025 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

This schedule is automatically displayed in Central Daylight Time (UTC -5).

IMPORTANT NOTE: Timing of sessions and room locations are subject to change.


Venue: 200G (Level Two)
Tuesday, May 19
 

11:00am CDT

Trusted Publishing: Eliminating Credentials From Your Release Workflow - Mike Fiedler, Python Software
Tuesday May 19, 2026 11:00am - 11:40am CDT
In February 2024, about 10% of PyPI uploads used Trusted Publishers. By October 2025, that number exceeded 25%, a massive shift toward eliminating long-lived credentials. For maintainers still using stored API tokens, this talk demonstrates why and how to modernize.

Trusted Publishing uses OpenID Connect (OIDC) to generate short-lived, automatically-scoped tokens from CI/CD environments. No passwords. No API tokens to rotate. No secrets stored in repositories.

This talk walks through setting up Trusted Publishers for GitHub Actions (as an example, but others are available), explains the security model in accessible terms, and shares case studies, including how Sigstore integration enabled forensic investigation of the 2024 Ultralytics compromise.

Attendees will learn the step-by-step setup process, common pitfalls and troubleshooting, and migration strategies for maintainers with many packages. The session also covers why token removal is critical when Trusted Publishing is in place, and when restricted API tokens remain the appropriate fallback. Whether maintaining one package or a hundred, attendees will leave with everything needed to adopt credential-free publishing.
Speakers

Mike Fiedler

PyPI Safety & Security Engineer, Python Software Foundation
Mike’s been in the engineering game for 30+ years, leading teams at Datadog, MongoDB, LeafLink, Warby Parker, and Capital One. He’s a big believer in learning from every peer and helping others navigate tech’s complexities. An AWS Hero and Awesome Community Chef, Mike loves...
200G (Level Two)
  Packages + Images + Containers

11:55am CDT

Package Testing Across Distributions and Architectures at Scale: A Molecule and QEMU Approach - Yash Panchal, Percona
Tuesday May 19, 2026 11:55am - 12:35pm CDT
This session will demonstrate a scalable approach to testing Linux packages across multiple distributions and architectures using Molecule and QEMU/KVM.

Attendees will learn how to build automated testing pipelines that validate Linux packages on diverse platforms including x86_64, ARM64, RHEL, Ubuntu, and Debian.

We'll cover practical implementation of Molecule test scenarios, integration with Jenkins CI/CD pipelines, efficient use of QEMU/KVM for multi-architecture testing, and image pre-baking strategies to significantly reduce test execution time.

The talk includes real-world examples from database and toolkit package testing at Percona, demonstration of creating optimized base images, comparisons with cloud instances, Docker and Firecracker alternatives, and best practices for maintaining test infrastructure.

Key takeaways: Setting up Molecule package testing frameworks, managing QEMU instances, implementing image pre-baking workflows, handling cross-architecture testing challenges, and achieving speed and cost savings in testing Linux packages.
Speakers

Yash Panchal

SDET III, Percona
Yash Panchal is an SDET III at Percona, where he specializes in automating and testing database and toolkit packages across supported Linux distributions and architectures.

A seasoned open-source speaker, Yash presented a session on package testing with Molecule and Jenkins at...
200G (Level Two)

2:10pm CDT

Package Managers Metadata and Cross Ecosystem Projects in the Era of SBOMs - Damián Vicino, Datadog
Tuesday May 19, 2026 2:10pm - 2:50pm CDT
Package managers do more than resolve dependencies—they shape how software and its metadata are distributed across the ecosystem. While they simplify development, they also introduce large, fast-moving transitive dependency trees that are rarely inspected in depth.

Despite evolving independently, most package managers share a common model: distributing artifacts alongside metadata. Yet metadata formats, completeness, and quality vary widely across ecosystems, creating challenges for security analysis, compliance, and supply chain risk management—especially in today’s hybrid, multi-language environments.

This talk examines how package metadata is increasingly used beyond builds, powering vulnerability management, license compliance, and Software Bill of Materials (SBOM) generation through standards such as SPDX and CycloneDX.

Based on the results from the first year of work from the CHAOSS Package Metadata Working Group—an analysis of more than 40 package managers—we’ll share emerging best practices, gaps we’ve identified, and recommendations for both new and existing ecosystems to improve metadata quality, interoperability, and transparency.
Speakers

Damián Vicino

Senior Open Source Specialist, Datadog
Damián Vicino is a Senior Open Source Specialist at Datadog’s OSPO and an Adjunct Research Professor at Carleton University. He began contributing to open source in the early 2000s, leading a local BSD user group and collaborating with a team on five BSDday Argentina events. He...
200G (Level Two)
  Packages + Images + Containers
  • Audience Experience Level Any

3:05pm CDT

What Are You Willing To Digest? Multi Arch Container Image Security and Best Practice - Evans Yeboah Jr., VideoAmp
Tuesday May 19, 2026 3:05pm - 3:45pm CDT
Deploying apps in containers is easier than ever, but securing the image these containers come from is a dynamic security problem that on its surface has no single best answer. So when it comes to what risk you may face and what risk you are willing to accept, one of the questions that may come up is if snowflake-y multi architecture risks are something you are willing to digest?

With multi arch images, based on the system it is deployed to, its vulnerability profile may look different than any of the other supported systems. So in this talk I will be demonstrating a security-tool-agnostic way to handle identifying and remediating these threats. I will go through how anyone (at any level of security experience) can automate container security across pipelines without slowing down development. Attendees will walk away with a new understanding of the importance of minimizing exposure to these risks, as well as a clearer understanding of the layered setup of multi arch container images (index manifest, platform manifest, and image manifest). And without a doubt, walk away with container image security and not unmanaged risk, something they are willing to digest.
Speakers

Evans Yeboah Jr.

Senior Security Engineer, VideoAmp
Cybersecurity and AI security enthusiast who likes to build stuff but also make sure it's secure. Engineer by day and baker by night, honing both crafts by failing forward every day.
200G (Level Two)
  Packages + Images + Containers

4:20pm CDT

NixOS for Deterministic Distributed-System Benchmarking - B. Cameron Gain, ReveCom
Tuesday May 19, 2026 4:20pm - 5:00pm CDT
Reproducibility remains one of the largest challenges in benchmarking distributed systems, especially when hardware, kernel-level parameters and dependency versions vary between tests. This talk presents a NixOS-based approach for constructing deterministic, portable benchmark environments for large-scale data infrastructure. We show how Nix’s declarative system configuration, content-addressed builds and reproducible packaging model allow engineers to isolate performance variables.

We look at how Nix offers a much more reproducible environment when producing different applications for testing. While Docker containers isolate user-space dependencies, they remain tied to the host kernel's version and configuration.

Using Apache Cassandra as the primary case study, the talk demonstrates how NixOS can define and reproduce complete cluster environments. Attendees will learn practical patterns for packaging workloads, pinning dependencies, and generating ephemeral benchmark nodes.

The session concludes with a live demo of how we can initiate benchmark tests on Nix and then kill the entire infrastructure in just a few seconds.


Speakers

B. Cameron Gain

Analyst, ReveCom
B. Cameron Gain is co-founder and publisher of ReveCom Media.
200G (Level Two)
 