Open Source Summit + Embedded Linux Conference North America 2026

Open Source Program Offices (OSPOs) are becoming essential for organizations of all sizes, yet many struggle with where to start and how to scale effectively. In this session, we will share a practical framework for building an OSPO based on real enterprise experience.

The talk begins with establishing an enterprise open source policy that aligns engineering, legal, and security stakeholders while enabling innovation. From there, it breaks down the two core OSPO pillars: contribution and compliance. Within compliance, the session dives deeper into managing distributed versus non-distributed software and explains why treating these use cases differently reduces friction and improves outcomes.

Attendees will gain a clear, adaptable model for designing an OSPO that works for large enterprises and can scale down for smaller organizations. The session focuses on real-world lessons learned, common pitfalls, and actionable guidance that teams can apply immediately.

In today’s rapidly evolving tech landscape, aligning open source initiatives with product-focused R&D remains critical to achieving strategic business goals. We will share how Ericsson’s Open Source Program Office (OSPO) and R&D organizations collaborate on concrete challenges such as tightening cyber security requirements.

In this talk, David will present how we have ramped up a team to build and operate a Yocto Linux distribution, and how improved upstream engagement and ways-of-working allow us to better articulate and validate the business value behind this strategic investment. We will discuss the impact on developer productivity, product quality, security, CRA-readiness, and long-term maintainability.

At the same time, the EU Cyber Resilience Act (CRA) has become a major driver of change across our organization. Georg will share how the Ericsson OSPO and R&D have started to collaborate more tightly in response to the CRA. We will spotlight how the in-house Linux team addresses upcoming CRA requirements - and how their upstream work supports CRA compliance.

Stewardship of open source software extends beyond code contribution; it also requires a proactive commitment to security. In this session, a lead for Google's Open Source Software Vulnerability Rewards Program (OSS VRP) shares insights from managing a program that secures a vast and rapidly evolving portfolio of open source projects.

We will explore the complexities inherent in operating a VRP with such a broad scope. The session will cover lessons learned on identifying common vulnerability patterns, executing remediations at scale, and managing security incentives across an extensive landscape of diverse, unconnected projects.

As a call to action, we will encourage other organizations to invest in similar rewards programs for the projects they maintain, supporting and incentivizing security researchers to build a more resilient open source ecosystem for everyone.

The EU Cyber Resilience Act (CRA), US Executive Order 14028, and CISA SBOM guidelines demand efficient FOSS license compliance in automotive software. Manual compliance analysis typically requires 25-50 hours per 100 components, creating significant release bottlenecks.
This talk presents an automated compliance workflow integrating n8n workflow automation, multi-LLM repository discovery (supporting Gemini, Claude, Perplexity, ChatGPT and Ollama), and FOSSology license scanning achieving an 80% reduction in compliance analysis time.
Our multi-LLM fallback architecture achieved 94% success in automated repository discovery, while FOSSology's agent suite provided license and copyright analysis superior to manual review. The system generates industry-standard artifacts including SPDX 2.3, CycloneDX SBOM, unified reports and ReadmeOSS formats.
Attendees will learn how to build AI-assisted compliance automation for regulated environments and take away a replicable framework for industrial FOSS governance at scale.

In the world of Open Source there are plenty of talks, resources, and guides about where to begin, and how to grow your project. But what happens at the end? How do you know when It Is Time? And how do you say goodbye with compassion and dignity?

In this talk, members of the CHAOSS.community and the Open Source Program Office at the Digital Service at CMS.gov will be sharing their latest practitioner’s guide on archival. This talk will be highlighting use cases from the private and public sector, and demonstrating how to use repository metrics, maturity models, and archival checklists for succession planning, stewardship, and sunsetting of Open Source projects.

Projects are not valuable solely based upon the utility of their results or outputs, they reflect the record of our progress. Archives provide transparency, accountability, and attribution. Archives build trust, reduce duplicate work, and reduce risk. The work saved in our archived repositories allows historians and practitioners to more accurately and completely understand the story of open source.