Open Source Summit + Embedded Linux Conference North America 2026

As computing systems evolve, memory-safety exploits such as return-oriented programming (ROP) and jump-oriented programming (JOP) remain a serious threat. These attacks manipulate control flow within valid address space, reusing existing code “gadgets” to achieve the attackers desired results. Arm AArch64 provides architectural defenses against these attacks through Pointer Authentication Codes (PAC), Guarded Control Stack (GCS), and Branch Target Identification (BTI).

This talk explains how these technologies work and, more importantly, what Linux developers, distributions, packagers, and toolchains must do to deploy them correctly. We cover the AArch64 Linux ABI implications, including requirements for hand-written assembly, use of BTI and PAC instructions, and PAC key management. We dive into real-world toolchain and language impacts, including changes to C code generation, C++ exception unwinding, DWARF metadata updates, and use of Arm's hint space instructions. Attendees will also learn common pitfalls, debugging challenges, and deployment trade-offs observed in practice.

By the end of this session, participants will understand how to deploy PAC, GCS, and BTI across Linux.

We optimize LLM inference around compute—faster kernels, better batching, smarter parallelism. But in production, the real bottleneck is state. The KV‑cache holds precomputed attention data that turns a multi‑second prefill into a sub‑second cache hit. Lose it to eviction, isolate it on one node, or route away from it, and you pay the full compute cost again for work you already did.

llm-d is an open-source distributed inference platform, co-founded by Google, IBM Research, Red Hat, NVIDIA, and CoreWeave, that treats the KV‑cache as the core of the system rather than a byproduct. That enables tiered memory management—offloading KV blocks from GPU to CPU to shared storage—cross‑replica reuse so cached state computed anywhere is usable everywhere, and cache‑aware scheduling that routes requests to the replica most likely to hold their prefix.

This session walks through how llm-d and vLLM implement each layer of this stack, how they combine into a production system, and what the open‑source community can build on top. We’ll share benchmarks, Kubernetes deployment patterns, and practical guidance for operators running LLM workloads at scale.

The OpenSSF BEAR (Belonging, Empowerment, Allyship, and Representation) Working Group is on a mission to make cybersecurity a place where everyone belongs! We knock down barriers and crank up the volume for underrepresented voices. We've learned that true representation is about building fun, lasting paths for participation.

In this session, we'll take you on a journey through the evolution of BEAR, culminating in the exciting launch of our newest global family member, SIG OSSAfrica (Open Source Security Africa)! We'll share some insights and "Aha!" moments from our monthly Community Office Hours - including those unexpected successful strategies - and get honest about the triumphs and challenges of our mentorship program.

Looking to level up your community game? Whether you want to understand the real-world challenges facing diverse groups in security or just need some practical, battle-tested frameworks for building vibrant community programs, this session is your toolkit. Get ready for an open, fun look at building a truly inclusive open source security community!

Note: Open to presenting as Lightning Talk

Secure provisioning is a foundational step in productizing embedded Linux systems, especially when enabling secure boot and establishing silicon identity through eFuses or one-time programmable (OTP) memory. Yet many teams still rely on manual fuse programming flows that are error-prone and difficult to scale particularly when dealing with complex, vendor-specific fuse maps. This talk explores how modern U-Boot capabilities streamline secure device provisioning in real manufacturing workflows. It introduces an upstream enhancement to U-Boot’s fuse subsystem that supports bulk, structured eFuse programming. This approach makes fuse provisioning more automation-friendly, and suitable for production use. Attendees will gain practical insights on integrating U-Boot-based provisioning into factory flows.
Agenda:
1. Challenges in Traditional eFuse Programming on Embedded Systems
2. U-Boot’s Existing Fuse Subsystem and Its Limitations in Production Flows
3. Design and Upstream Integration of the 'fuse writebuff' command
4. Structured, Automated Provisioning using Memory Buffers
5. Practical Provisioning and Production Workflow Considerations

Traditional infrastructure GitOps workflows, commonly built on tools like Terraform or OpenTofu, often struggle with state management, limited reconciliation, and delayed drift detection. Because these systems operate outside the Kubernetes control plane, infrastructure changes follow different lifecycle and failure semantics than applications, making it difficult to reason about system-wide correctness and safety.

We’ll present a unified approach for managing both applications and infrastructure through the Kubernetes control plane. This approach brings together GitOps controllers and Crossplane to extend the Kubernetes API to infrastructure via an ecosystem of community-supported providers spanning major clouds, alternative clouds, and on-prem. The result is a vendor-neutral foundation where applications and infrastructure follow the same review, lifecycle, and reconciliation model.

Where are the Open Source techs of tomorrow right now? They're in class!

In this session, Stu Keroff shares real-world lessons from launching and leading school-based Linux clubs that introduce students to open source through hands-on exploration, community building, and authentic technical problem-solving.

Drawing on firsthand experience, this talk covers:

1. How to start a Linux club from scratch in a school environment.
2. Structuring meetings to balance curiosity, chaos, and meaningful learning.
3. Working with school administrators and navigating policy constraints.
4. Keeping students engaged across skill levels.
5. Connecting students to the broader open source ecosystem
6. Using Open Source to help your community.

Attendees will leave with a practical framework for starting similar programs in their own communities—whether as educators, parents, open source maintainers, or industry professionals looking to strengthen the next generation of contributors.

Meet the techs of tomorrow where they are right now: in school.

The transition from passive RAG to autonomous agentic workflows forces a dangerous trade-off: to be useful, agents need access; to be safe, they need restrictions. Giving a non-deterministic LLM distinct permissions to your Kubernetes cluster is a security nightmare, yet agentic tool execution demands real-world access to be effective.

This session introduces a battle-tested architecture for Zero Trust Agents. We will demonstrate how to secure Model Context Protocol (MCP) servers within private networks, replacing risky static credentials with a dynamic control plane that enforces strict safety guardrails.

Attendees will learn:

Identity for Autonomy: How to integrate OpenBao (LF Edge) to issue Just-In-Time (JIT) credentials, ensuring agents only hold permissions during active tool use.

Bounding Agency: Implementing "Read/Write Separation" at the protocol level, preventing stochastic errors or misinterpretations from causing deterministic outages.

Secure Orchestration: A blueprint for deploying MCP servers as secure bridges between AI reasoning and internal infrastructure.

Stop building toys. Learn how to deploy autonomous systems that your security team will actually approve.

The NAO robotics platform has been around for some time, originally developed by Aldebaran and SoftBank, and now by Maxtronics. Its OpenNAO operating system is based on the Gentoo embedded Linux OS, and uses the NAOqi API for autonomous robot control. We also used the OpenCV computer vision library as part of our open source software stack to program our NAO humanoid robot.

In this talk, I will present our work to engineer an autonomous behavior system that fuses real-time vision detection with motion planning and closed-loop control. We implemented a perception-to-action pipeline using NAOqi, OpenCV, and camera and motion calibration to detect targets, estimate relative pose, and drive head movement, walking, and task actions through a finite-state controller. We designed the system for robust target search, alignment, and approach under real hardware constraints. I will present a summary of our work, our results from participation in a robot golf tournament, and some thoughts on using open source to develop next-generation robotics platforms.

S3 APIs power modern Linux infrastructure, yet most object storage traffic still relies on TCP/IP. Under high concurrency and large transfers, TCP becomes CPU-intensive and limits throughput. RDMA promises Accelerated I/O through kernel bypass and zero-copy data movement—but applying RDMA to S3 workloads is not the same as NFS or block storage.

This session explores how RDMA can accelerate S3-style object transfers in distributed storage systems. We examine memory registration strategies, connection scalability, and what changes when dealing with multipart uploads, HTTP range reads, and parallel clients.

Through real validation scenarios, we compare throughput, latency, and CPU usage across TCP and RDMA paths. We’ll also highlight where RDMA excels, and where it falls short, such as in small-object or metadata-heavy workloads.

Attendees will gain a practical framework for evaluating Accelerated I/O in their own Linux storage environments: what to measure, what to tune, and what performance gains to realistically expect.

Stewardship of open source software extends beyond code contribution; it also requires a proactive commitment to security. In this session, a lead for Google's Open Source Software Vulnerability Rewards Program (OSS VRP) shares insights from managing a program that secures a vast and rapidly evolving portfolio of open source projects.

We will explore the complexities inherent in operating a VRP with such a broad scope. The session will cover lessons learned on identifying common vulnerability patterns, executing remediations at scale, and managing security incentives across an extensive landscape of diverse, unconnected projects.

As a call to action, we will encourage other organizations to invest in similar rewards programs for the projects they maintain, supporting and incentivizing security researchers to build a more resilient open source ecosystem for everyone.

When software can directly affect whether someone lives or dies, "move fast and break things" isn't an option. But does that mean safety-critical software can't be open source? Tidepool's experience building Tidepool Loop - an FDA-cleared, open-source automated insulin delivery (AID) system for people with Type 1 diabetes - proves it can.

This talk explores how Tidepool developed an open-source quality management system (QMS) that achieves full requirements traceability and testability while preserving the collaborative, transparent ethos of open-source development. We'll walk through the real-world challenges of mapping regulatory requirements to code contributions, maintaining traceability across a distributed contributor base, and building test infrastructure that satisfies both FDA expectations and open-source community standards.

Attendees will leave with a practical framework for applying requirements traceability and verification practices to open-source projects operating in regulated or safety-critical domains from medical devices to automotive systems to critical infrastructure.

Open source inclusion strategies often overlook the unique business goals and scaling complexities of large organizations. This talk addresses that disconnect, offering experience-led guidance on establishing effective cross-functional communication channels.
While many programs exist to encourage community inclusiveness, they rarely translate to corporate environments "as-is." Based on challenges observed in previous BoF sessions - although many people were interested in adopting open source, they were also frustrated with the same issues, yet did not have a functioning cross-BU channel in which to discuss. To close this gap I ran several programs to execute that:
• Connect and learn: Align teams through shared interests
• Shift mindsets: Instill an "upstream first" culture and environment
• Break barriers: Identify and remove obstacles preventing contributions
• Drive strategy: Leverage market and company trends to support decision-making
Participants will walk away with actionable strategies to enhance inclusiveness, ensuring that engagement efforts benefit both the organization’s bottom line and the wider open source ecosystem.