Open Source Summit + Embedded Linux Conference North America 2026

The pervasive presence  of generative AI presents a paradigm shift for open source development and community building. Tools like Copilot, Claude Code, and other large language models (LLMs) are fundamentally changing how code is created, documentation is generated, and, to some extent, how contributions are onboarded and managed. In this presentation, Red Hat’s Brian Proffitt will explore the challenges and opportunities for cultivating vibrant, sustainable open source communities in this new technological landscape.

Brian will examine the core questions facing maintainers and contributors: How do we foster human connection and mentorship when AI can start handling routine coding tasks? What ethical and legal frameworks must be established regarding AI-generated code contributions, licensing compliance, and attribution? Using real-world examples such as the Fedora Project, this session will delve into practical strategies for leveraging GenAI as an enabler rather than a disruptor.
Key Takeaways:

• Use AI to accelerate developers, not replace them. Human judgment, review, and accountability remain essential.
• Stay committed to open source and transparency. Transparency, collaboration, and trust matter even more in an AI world.
• Keep humans accountable for quality and compliance. AI-generated code must be reviewed for quality, security, and licensing.

This session is designed for open source maintainers, community managers, developers, and anyone interested in the future of collaborative software development, offering a roadmap for thriving in an AI-integrated ecosystem where the emphasis shifts from code production to collective innovation.


In order to facilitate networking and business relationships at the event, you may choose to visit a third party's booth or access sponsored content. You are never required to visit third party booths or to access sponsored content. When visiting a booth or participating in sponsored activities, the third party will receive some of your registration data. This data includes your first name, last name, title, company, address, email, standard demographics questions (i.e. job function, industry), consenting to receipt and use of such data by the third-party recipients, which will be subject to their own privacy policies. 

For many users, open source tools have provided a dependable-yet-innovative foundation for a wide array of search and observability applications. To get the most out AI agents, these tools must evolve, with new approaches to development and deployment and new ways for users to interact. With the right foundation, agentic search and observability can accelerate innovation, supercharge applications, and achieve faster time-to-results.

In this talk, Bobby Mohammed, OpenSearch Principal Product Manager for Amazon Web Services, will demonstrate how open source, agent-powered tools can empower developers to build production-ready applications in minutes, democratize the complex work of designing and provisioning workloads, and deliver the next generation of search and observability applications.


In order to facilitate networking and business relationships at the event, you may choose to visit a third party's booth or access sponsored content. You are never required to visit third party booths or to access sponsored content. When visiting a booth or participating in sponsored activities, the third party will receive some of your registration data. This data includes your first name, last name, title, company, address, email, standard demographics questions (i.e. job function, industry), consenting to receipt and use of such data by the third-party recipients, which will be subject to their own privacy policies. 

Open source has become key to blockchain development, especially for public, permissionless blockchains such as Cardano. This session will share insights into the Cardano Foundation’s "Infrastructure-First" strategy. We will discuss how to sustain a diverse suite of open-source solutions designed for institutional and community use. Key case studies include:

• A financial reporting and accounting system that creates immutable, easy to audit records
• A scalable solution for verifiable proof of origin and product integrity
• An identity and access management platform focusing on fraud prevention and digital sovereignty
• A secure yet transparent voting infrastructure for decentralized governance.

Your AI agents can read your code, call external APIs, and hold credentials to production. Your security controls assume they're either a human or a deterministic app. They're neither.

I'll walk through the patterns enterprise teams are actually using to deploy coding agents without getting burned: workspace isolation, network egress controls, model gateways, and credentials that die when the workspace dies.
Real incidents. Real deployments. No hand-waving about what might work someday.


In order to facilitate networking and business relationships at the event, you may choose to visit a third party's booth or access sponsored content. You are never required to visit third party booths or to access sponsored content. When visiting a booth or participating in sponsored activities, the third party will receive some of your registration data. This data includes your first name, last name, title, company, address, email, standard demographics questions (i.e. job function, industry), consenting to receipt and use of such data by the third-party recipients, which will be subject to their own privacy policies. 

SGL is graduating from ELISA incubation and launching as its own foundation. This BoF is a working discussion on three things: the structure of the new Technical Advisory Council, the near-term roadmap emerging from our mailing list, and where attendees want to plug in. New faces and long-time contributors equally welcome. Bring questions, bring priorities, bring pushback.

Implementing a cloud-native AI stack often leads to operational and security issues. This session will provide attendees with an analysis of production-ready Cloud Native AI stacks, integrating community insights and the latest Cloud Native AI Conformance guidelines. We will showcase practical implementation methods through reference architectures and key projects, and define key metrics for benchmarking Cloud Native AI environments against established community standards.


In order to facilitate networking and business relationships at the event, you may choose to visit a third party's booth or access sponsored content. You are never required to visit third party booths or to access sponsored content. When visiting a booth or participating in sponsored activities, the third party will receive some of your registration data. This data includes your first name, last name, title, company, address, email, standard demographics questions (i.e. job function, industry), consenting to receipt and use of such data by the third-party recipients, which will be subject to their own privacy policies. 

Our new software factory framework adopts the reconciliation pattern and includes numerous bots that use traditional and agentic AI eval approaches. And since we are open sourcing the framework, reliable use of your own agentic reconciliation automation at massive scale could be your future too.

At Chainguard we build and maintain over 2000 unique containers, hundreds of thousands of package versions, and hundreds of CVE patch backports. Our old event-driven architecture was complex and brittle. We drowned in event notifications, brittle queues, duplicate build failures, work item conflicts and losses, and other problems. We had to rethink our approach.

In this session Manfred, open source veteran and author, shares details about a new specification-driven system called “Driftless” that increases efficiency and reliability at scale. A work queue is fed by events and tackled by a large number of bots. They constantly reconcile the discovered state changes from code repositories, security feeds, and other sources to the desired state - up to date containers with zero known CVEs. Manfred talks about our hard-earned lessons and how you can make the bots work for you as well.


In order to facilitate networking and business relationships at the event, you may choose to visit a third party's booth or access sponsored content. You are never required to visit third party booths or to access sponsored content. When visiting a booth or participating in sponsored activities, the third party will receive some of your registration data. This data includes your first name, last name, title, company, address, email, standard demographics questions (i.e. job function, industry), consenting to receipt and use of such data by the third-party recipients, which will be subject to their own privacy policies. 

Open Source Program Offices (OSPOs) are becoming essential for organizations of all sizes, yet many struggle with where to start and how to scale effectively. In this session, we will share a practical framework for building an OSPO based on real enterprise experience.

The talk begins with establishing an enterprise open source policy that aligns engineering, legal, and security stakeholders while enabling innovation. From there, it breaks down the two core OSPO pillars: contribution and compliance. Within compliance, the session dives deeper into managing distributed versus non-distributed software and explains why treating these use cases differently reduces friction and improves outcomes.

Attendees will gain a clear, adaptable model for designing an OSPO that works for large enterprises and can scale down for smaller organizations. The session focuses on real-world lessons learned, common pitfalls, and actionable guidance that teams can apply immediately.

In today’s rapidly evolving tech landscape, aligning open source initiatives with product-focused R&D remains critical to achieving strategic business goals. We will share how Ericsson’s Open Source Program Office (OSPO) and R&D organizations collaborate on concrete challenges such as tightening cyber security requirements.

In this talk, David will present how we have ramped up a team to build and operate a Yocto Linux distribution, and how improved upstream engagement and ways-of-working allow us to better articulate and validate the business value behind this strategic investment. We will discuss the impact on developer productivity, product quality, security, CRA-readiness, and long-term maintainability.

At the same time, the EU Cyber Resilience Act (CRA) has become a major driver of change across our organization. Georg will share how the Ericsson OSPO and R&D have started to collaborate more tightly in response to the CRA. We will spotlight how the in-house Linux team addresses upcoming CRA requirements - and how their upstream work supports CRA compliance.

Stewardship of open source software extends beyond code contribution; it also requires a proactive commitment to security. In this session, a lead for Google's Open Source Software Vulnerability Rewards Program (OSS VRP) shares insights from managing a program that secures a vast and rapidly evolving portfolio of open source projects.

We will explore the complexities inherent in operating a VRP with such a broad scope. The session will cover lessons learned on identifying common vulnerability patterns, executing remediations at scale, and managing security incentives across an extensive landscape of diverse, unconnected projects.

As a call to action, we will encourage other organizations to invest in similar rewards programs for the projects they maintain, supporting and incentivizing security researchers to build a more resilient open source ecosystem for everyone.

The EU Cyber Resilience Act (CRA), US Executive Order 14028, and CISA SBOM guidelines demand efficient FOSS license compliance in automotive software. Manual compliance analysis typically requires 25-50 hours per 100 components, creating significant release bottlenecks.
This talk presents an automated compliance workflow integrating n8n workflow automation, multi-LLM repository discovery (supporting Gemini, Claude, Perplexity, ChatGPT and Ollama), and FOSSology license scanning achieving an 80% reduction in compliance analysis time.
Our multi-LLM fallback architecture achieved 94% success in automated repository discovery, while FOSSology's agent suite provided license and copyright analysis superior to manual review. The system generates industry-standard artifacts including SPDX 2.3, CycloneDX SBOM, unified reports and ReadmeOSS formats.
Attendees will learn how to build AI-assisted compliance automation for regulated environments and take away a replicable framework for industrial FOSS governance at scale.

In the world of Open Source there are plenty of talks, resources, and guides about where to begin, and how to grow your project. But what happens at the end? How do you know when It Is Time? And how do you say goodbye with compassion and dignity?

In this talk, members of the CHAOSS.community and the Open Source Program Office at the Digital Service at CMS.gov will be sharing their latest practitioner’s guide on archival. This talk will be highlighting use cases from the private and public sector, and demonstrating how to use repository metrics, maturity models, and archival checklists for succession planning, stewardship, and sunsetting of Open Source projects.

Projects are not valuable solely based upon the utility of their results or outputs, they reflect the record of our progress. Archives provide transparency, accountability, and attribution. Archives build trust, reduce duplicate work, and reduce risk. The work saved in our archived repositories allows historians and practitioners to more accurately and completely understand the story of open source.