Open Source Summit + Embedded Linux Conference North America 2026

Long-running embedded projects inevitably accumulate build-system and host-platform debt. Team turnover, drifting documentation, and “crunch mode” shortcuts compound over time until onboarding a new engineer takes weeks and even experienced developers struggle to make safe changes. These problems are especially acute in Linux-based and cross-platform environments, where host variability and undocumented assumptions undermine reproducibility.

This session distills lessons learned from modernizing embedded firmware build environments across Linux hosts and CI systems. Attendees will learn practical techniques for eliminating “it works on my machine” failures, accelerating incremental and clean builds, and making build behavior explicit and reproducible using open-source tooling. Topics include scripting and automation patterns, modern command runners, and structuring build systems to be CI-friendly and maintainable.

Joe Schneider, embedded systems veteran and CEO of Dojo Five, will share concrete practices that reduce onboarding time, improve build reliability, and restore developer productivity by systematically attacking build-system and host-level technical debt.

Docker popularized the container; OCI standardized the artifact. That shift, from a specific format to a global specification, is what allowed us to expand beyond just 'running apps.' Now, whether it's Cosign for security, OpenTofu for infrastructure, or Zarf for air-gapped distribution, the ecosystem is leveraging a common foundation to solve complex supply chain problems. Additionally, Kubernetes’ recent work on OCI read-only volumes signifies a paradigm shift: we are now using images as a pure data transfer mechanism rather than just a runtime environment. Yet the elegant design that enables the OCI images is mostly hidden from users.

In this session, we'll create our own custom OCI artifact from scratch. Along the way, we'll learn the benefits of the OCI specification: the efficiency of its storage model, its simple cross-platform experience, and its secure-by-default design. Developers will walk away with a starting point for packaging their own custom artifacts, while practitioners will gain a deeper understanding of the OCI artifacts powering their workflows.

Apache Maven’s central role in the Java ecosystem is undeniable, however its flexible plugin framework creates significant hurdles for adopting modern secure software practices. Securing the Java software supply chain to meet CRA and other regulatory requirements can feel like a daunting, if not impossible task.

This session will dive deep into the technical complexities of producing secured Maven builds through the practical experiences of two open source redistributors. You will learn strategies for producing SLSA artifacts for Maven builds, approaches for signing Java artifacts with Sigstore Cosign, and barriers to producing complete and accurate Software Bills of Materials (SBOMs) with Maven. We will also explore newer developments in the Maven ecosystem for cataloging dependencies and establishing trust in the Maven build process. This talk will conclude with a discussion of current gaps in Maven that could be addressed with the upcoming release of Maven 4.