We need to talk about war. And we need to talk about companies building bots that propose to rewrite our source code. And about the people behind both, and how we preserve what is great about FOSS while avoiding disruption. How do geopolitical conflicts on the one hand and the risk of bot-generated (adversarial) code on the other influence the global community working together on Free and Open Source software?
The immense corpus of free and open source software created by a global community of researchers and engineers, developers, architects and designers is an impressive achievement of human collaboration at an unprecedented scale. An even bigger circle of users, translators, writers, creatives, civil society advocates, public servants and private sector stakeholders has helped to further develop and spread this technological Gesammtkunstwerk far and wide - with the help of the internet and the web. With individual freedoms and user empowerment at its center, these jointly created digital public goods have removed many economic and societal barriers for a large part of the world's population. Users are not just allowed to benefit from technology, but each and every user can in principle actively help shape it. On top of the FOSS ecosystem our global economy has been propelled to unprecedented levels.
Much of this incredible growth was achieved within a (relatively) calm geopolitical situation, in the wake of the cold war which ended in the very same year that also saw the genesis of the World Wide Web at CERN in Switzerland. Economists, philosophers and other observers at the time spoke of the 'end of history' and expected no more big conflicts at the superpower level. We could now globalise the economy and all work together. The flood of innovation taking place all around us promised a bright future for all, with room for altruism and collaboration. In retrospect it certainly was an ideal situation for an optimistic and constructive global movement like the FOSS community to take over the helm.
But apart from the fact that under the surface that narrative was already flawed (with some actors like the USA having a double agenda, as the Snowden and Shadowbrokers revelations exposed) history didn't end. To some ironic extent we are now becoming victim of our own success. In recent years we've seen geopolitical stability punctured by war effort levering low cost technology that includes heaps of FOSS. Social media powered by FOSS infrastructure promote disinformation and have successfully stirred large scale polarisation. Within some of the largest and most populous countries on the planet authoritarian regimes have successfully used technology to break oppression in a new race towards totalitarianism. While for instance Europe has tried to regulate 'dual use' technology, "any use" technology (which our libre licenses guarantee) has escaped our attention. Even in countries which had stable non-authoritarian regimes there is a visible technology-assisted relapse towards anti-democratic movements. On the back of a tech stack which consists of FOSS with a thin crust of proprietary special sauce, unprecedented private capital (sometimes referred to as 'hypercapitalism') is interfering with global politics at an alarming rate. Apart from the direct democratic disbalance the resulting oligarchy is giving rise to overt nepotism, corruption and a new global protectorate for predatory business models and unethical extractive behaviour. Expecting peace in cyberspace any time soon is probably naive, and free and open source technology stands to make up for a significant part of the battleground.
At the same time we are facing other challenges, such as climate change and an imminent scarcity of non-renewable resources. We have more people living on the surface of the planet than ever before, and they are consuming more raw materials and more energy than ever. This won't go on indefinitely. And right at that point we see an army of next generation Trojan horses galloping through the gates of our global commons villages, accelerating our use of both. Generative pre-trained transformers (also known as Large Language Models) kindly offer to take cumbersome and boring coding work off our hands. They can liberate us from responsibility and allow us to do other things or move even faster.
But is it really wise to accept this apparent gift, or should we be a little more suspicious? Just as it has proven way too easy for AI to poison the web with fake content, our software supply chain is vulnerable to manipulation. The attack surface is immense. Due to the inherent complexity of software it is easier to achieve and harder to detect manipulation before it is too late. While many talented and committed people have spent years reverse engineering binary blobs to avoid the associated risks, those blobs were at least isolated and clearly marked. AI is the ultimate black box and it introduces significantly more uncertainty: it rewrites the truth from the inside.
AI in its current form has no actual sense of truth or ethics. Like with Russian roulette, once in a while the models completely bork up and create phantom code and real risk - and that is even in a best case scenario, without assuming malicious intent and manipulation from the outside. In an adversarial scenario (and this adversity can come from traditional nation state actors with non-aligned interests but also from corporate or even private individuals with some determination - like Cambridge Analytica illustrated so vividly) manipulation only requires subtle changes. At the frantic scale at which any available learning content is ingested from the internet these days one can expect targeted adversarial training to manipulate specific code with subtle triggers to go unnoticed.
As a community we have spent billions of hours of careful coding and software engineering to make free and open source technology as trustworthy as it is today. Geopolitical conflict is an incentive to hollow out that trust. AI is an additional leap of faith, and if you look at the forces driving its adoption and their interests, are we really sure those black boxes are safe to invite into our trusted coding base? It is clear that the end game of AI coding is not a healthy FOSS ecosystem, but its total displacement. The threat of machine crafted and man-crafted malicious code in war-time FOSS are equally realistic. Perhaps we can find a middle ground, where we combine some of AI and human skill - and add enough checks and balances, and a variety of assurances through compartementalisatoin, formal and symbolical proofs and other traditional means of quality assurance.
This talk is an open exploration of some of the challenges the FOSS community will have in the years ahead, working towards a hopeful notion of maximal defendable FOSS.
In 2025, the Git project has turned 20 years old, and in these 20 years it has taken over the world of version control systems by storm: nowadays, almost every developer uses Git. But that doesn't mean that Git is perfect and "done", or even close to it. It still has many warts: user experience, arbitrary limitations, performance issues and no good support for large binary files are just some of the issues that users commonly complain about.
In this talk you'll learn what is happening in the Git project to address these issues. The talk will cover both recent additions to Git that make your life easier, as well as ongoing development that is expected to land in the not-too-distant future.
Mercurial is a Distributed Version Control System created in 2005.
The project has been constantly active since then, fostering modern tooling, introducing new ideas, spawning multiple recent tools from its community, keeping itself competitive, and with sustained funding for its development. However nowadays, most people we encounter remember Mercurial for losing the popularity battle to its sibling Git in the 2010s and think the project dead.
This talk confronts this paradox. How did Mercurial get itself in such a situation? What can everyone learn from it? What does this mean for the future of version control?
Using our first hand knowledge of Mercurial's history, we look at a selection of events, contributor profiles, technical and community aspects, to see how they've affected the project's course.
We will focus on topics that we have been asked about most frequently, such as: * How has Mercurial weathered the Git storm? * Which impacts has Mercurial had on your life, unbeknownst to you? * How has the involvement from behemoth companies reshaped the project? * What brings people to Mercurial in 2025?
Finally, we leverage the knowledge extracted from our past, to assess the present state of version control, try to predict its future, and highlight how community-based open-source remains as relevant as ever.
Git is a tool most programmers rely on, whether for work or personal projects. It’s far more than just a method for syncing local and remote changes. Git embodies a way of thinking that serves as the foundation for development workflows and steers project evolution.
At its core, Git has essential concepts such as commits, change history, branching, rebasing, and merging. While Git offers many features, these are its heart. Misusing them can lead to significant opportunity costs, while striking the right balance simplifies development at all levels and benefits the project’s community (if it has any).
In this talk I am sharing my own experience how applying these core concepts in real projects significantly accelerates development, especially in mission-critical systems. I’ll cover specifically the following topics with true examples from my work places, both open and closed source:
All of that combined into a framework that I call "Atomic Flow".
Many teams enforce strict Git practices based on these key principles, and for good reason. I’ve worked on projects that fully harnessed Git’s potential from the outset, as well as those that initially overlooked its strengths but later embraced them. My goal is to help more teams achieve greater efficiency by adopting these best practices, provided their project highly depends on uncompromising code quality and easy maintenance. This is what "Atomic Flow" is about.
Does your project get pull requests that you dread reviewing? Have you ever submitted a pull request that got ignored by project maintainers?
Putting together a pull request that presents proposed changes in a clear, well-organized way is nearly impossible for newer contributors to do on their own. Maintainers must take the lead in providing specific guidelines for pull requests for their project.
This talk will give maintainers a toolkit for teaching contributors how to produce PRs they’ll love to review. It’s derived from our experience onboarding hundreds of contributors to the Zulip open-source team chat project (https://github.com/zulip). I’ll cover:
Key takeaways for current and future project maintainers:
Key takeaways for contributors:
There are certain expected norms of Open Source projects. Not just that the code is open, but also that there is free and public discourse. The public discourse in particular allows for:
The goals "are simple" in that they are easy to write. There are many goals for open source, not the least of which is the above.
Now let's talk about if what we're seeing is in alignment with those goals.
In this talk, we'll explore the hot debated terminology and meaning around "sovereign AI". We'll look at what the major AI vendors say, what open source communities are producing and how EU stakeholders, politicians and activists are navigating the debate. At the end, we'll address significant open questions and calls for action as to how to better create and support open-source, private and secure AI systems.
The regular FOSDEM lightning talk track isn't chaotic enough, so this year we're doubling down on Lightning Lightning Talks (now with added lightning!).
Thought of a last minute topic you want to share? Got your interesting talk rejected? Has something exciting happened in the last few weeks you want to talk about?
Get that talk submitted to Lightning Lightning Talks!
Submitted talks will be automatically presented by our Lightning Lightning Talk System, which keeps track of the time limit for the current speaker and the order of presentations.
Presenters who attempt to speak for longer than 256 seconds risk being swept off the stage by our Lightning Lightning Talk Cleanup Crew.
I stumbled upon a forum post of Jean, tasked in 2010 with recovering text documents for a friend from their broken Windows 95 computer. Their friend used Microsoft Bob, and the Microsoft Bob letter writer exclusively.
I was fascinated by this story, and then spent months reverse-engineering the Microsoft Bob APIs. Ultimately producing the first third-party Microsoft Bob application. During this I learned that Microsoft Bob isn't only a laughable flop, (The word "only" is doing a lot of work here), it also had strong ideas on what computing should be.
We will take a tour of Bob and its history and what I discovered about its technical underpinnings while reverse engineering.
Hopefully I can convince you that these stories are still relevant today, and can inform us on how we think about the software we use. But most importantly; the software we recommend our (non-techy) friends and family to use.
Introducing Hard-working, Easy going Software Everyone Will Use
raylib began as a simple and easy-to-use graphics library to teach graphics programming. Over 12 years it has become one of the most popular C open-source graphics libraries in software world, supporting more than 20 platforms and operating systems, with bindings for over 60 programming languages. Remarkably, raylib is still actively developed and maintained by a single person: its original author.
In this talk, we will explore this 12-year adventure directly from its creator. We will look at how the library has evolved, how a tools ecosystem and community has been formed around it, what challenges and decisions shaped raylib direction and how the project has influenced the creator’s life. This is the story of a passionate open-source adventure.
How much do you know about Free Software, Open Source, Developers, and European meetings?
We interrupt your regularly scheduled programming to bring you a lively TV-style quiz show featuring several rounds of questions deemed too geeky for TV - about kernels, software projects, and digital culture. (Some will offer mass audience participation!)
As a fun game it will separate the Red Hat's from the Red Star's, the Linus Torvalds from "some random person in Nebraska", and is a fantastic way to enjoy our community even more.
Linux desktop is moving to a new era, ditching complex software spaghetti with years of tech debt with… a protocol? That's it? And you expect some compositor projects replace the almighty X server? Replace just the X server? When the protocol's the limit, we can do far more and far more fun stuff!
We'll explore some more-or-less obscure uses for Wayland compositors and an embedded case study how simple task of porting DOOM to a router ended up with making it run basically all modern Linux desktop apps with it for free, with Rust.
In 2026 the KDE project will turn 30, an extraordinary milestone in such a fast-paced ecosystem.
In this talk, we'll explore the challenges we have faced over the years and how the KDE community has adapted to stay relevant, continuing to deliver a good experience for people to use on their computers ranging across laptops, mobiles and even gaming consoles.
After glancing through our historical context, we'll discuss what's in store for KDE today and how we’re preparing for a bright and sustainable future in the evolving Free Software landscape.
Personal or professional - Linux on the desktop matters! It’s the daily interface between users and digital sovereignty – and it’s often put last. While Linux rules the cloud, servers, and mobile devices, the desktop is where control, compliance, and independence become tangible. This talk explores the current state of Linux on the desktop in Europe, with a focus on two real-world case studies from a leading automotive company and the German government. We’ll examine success stories, roadblocks, and new approaches like immutable Linux, zero-trust models, and EU-level OS initiatives. If we ignore the desktop, we risk leaving the front door of digital sovereignty wide open – or we can start where it matters most: every desk, every user, every day.
I've been part of migration projects most of my career, so in this talk I'll present some of the big picture items to consider when you are promoting the idea of migrations to Linux - such as politics, cost and practicality.
Thankfully the growing movement to cloud based applications has reduced Windows dependencies, so it is now easier than ever to migrate to a Linux based desktop solution.
I'll introduce you to someone called Horace and help you to get him to YES.
Why Office is not as easy as you might hope. Come and hear about office algorithms & data structures, as well as the interesting engineering challenges of interoperability from the Libre / Collabora Office experience.
Hear how many decades of accumulated backwards compatibility can make life particularly interesting. See why the temptation to start a new office suite from scratch overwhelms many people from time to time, and get some insights into the compromises that brings.
Hear about a code-base that has been loved over decades - through many tech fashions: from Java to component programming; from OS/2 to today's advertising subsidized platform of the future: the Web; from CADT methodology, to CRDT data structures; from bundled python to bundled databases.
Hear about the incredible lack of user focus that has plagued decisions and made many things worse.
Then hear our vision on driving FLOSS Office to take over the world and progress to date; see a number of pretty pixels to sooth your eyes chosen from the ergonomic beauty that is coming to make open source rock.
Finally hear how you can get involved with Collabora Online & LibreOffice.
Libreboot is a coreboot distribution — just as Debian is a Linux distribution — providing fully free (libre) boot firmware for x86 and ARM systems. It replaces proprietary BIOS/UEFI firmware, initializing hardware and starting your operating system. Linux and BSD operating systems are well supported.
Coreboot provides essential hardware initialization and then jumps to a payload program that boots your OS. Libreboot provides several payloads including, but not limited to, U-Boot, SeaBIOS and GRUB. Firmware images are provided pre-compiled, for ease of installation.
Libreboot began in 2013 and, as of September 2025, is an official Associated Project of Software in the Public Interest (SPI), joining long-established Free Software initiatives such as Debian. This talk will be presented by Leah Rowe, Libreboot’s founder and lead developer.
Firmware freedom is more critical than ever as we increasingly depend on computing, for participation in every aspect of civil society. Proprietary firmware endangers privacy, ownership, and repairability. Libreboot ensures that users truly control their hardware — protecting both user freedom and hardware longevity — while promoting a sustainable culture of hardware reuse.
Libreboot provides faster boot speeds, better security, and greater flexibility than typical proprietary firmware. Libreboot continues to provide updates — including security updates — long after vendors have dropped official support. The project’s philosophy is simple: you should keep using your hardware until you decide otherwise. Planned obsolescence is only a lack of imagination. Unlike the vendors, we will not try to control the users; our goal is to set you free!
This talk will trace Libreboot’s long-term development history, its current progress, and its future roadmap. This talk will also include a live demonstration showing how easy and affordable it is for non-technical users to build and install Libreboot via automation. Libreboot makes free firmware accessible, practical, and even fun, empowering even non-technical users to take back control.
At the time of this talk, Libreboot 25.12 (December 2025) also includes a Tianocore UEFI payload and extensive new hardware support — including hundreds of Chromebooks, several Intel Alder Lake platforms, and numerous Kaby Lake and Skylake ThinkPads. These additions, the result of sustained work throughout 2024 and 2025, mark a major expansion of Libreboot’s scope and capability.
Libreboot’s main code repositories are hosted at: https://codeberg.org/libreboot
Libreboot’s SPI association provides fiscal sponsorship, ensuring transparent management and legal protection for the project. Libreboot also receives corporate support from Minifree Ltd, operated by Leah Rowe, which provides computers pre-installed with Libreboot firmware.
Libreboot is a community project and we welcome every new contributor. Join us on Libera IRC (#libreboot) or via our SourceHut mailing list to participate.
At Wikimedia Foundation, we run Wikipedia, the world's favourite encyclopædia and one of the top ten websites of the Internet! No unicorns, just hardware, open source, and a small engineering org.
This talk pulls back the curtain on the stack that keeps Wikipedia fast, reliable, and resilient at global scale. Caching layers, databases, microservices, and Kubernetes are all stitched together to serve the world.
We'll also touch on how we've brought our 25-year-old monolith into the cloud-native era, and discuss the challenges we're navigating as the ongoing ~~rise of the machines~~ surge in LLM traffic changes the game.
In September and October 2025, RubyGems and Bundler, the clients and package registry for the Ruby language, had most of their maintainers removed by RubyCentral, the non-profit foundation that claimed ownership of these repositories. Since then, some of these repositories have been moved into the Ruby organisation and some of the ex-RubyGems maintainers have created an alternative hosting service, gem.coop.
I was a neutral party involved with initial mediation between RubyCentral and the maintainers before and during this transition and helped gem.coop bootstrap a governance process.
These events have much for non-Ruby projects to learn about non-profits, governance, money and access in open-source and I will share my learnings without taking any particular side in the disputes.
Upgrading high load PostgreSQL databases is a challenge on its own. When having customers around the globe with tight SLAs, the requirement arises to execute these upgrades with minimal or even no downtime at all. This talk shares GitLab's journey from multi-hour maintenance windows to truly zero-downtime upgrades for our PostgreSQL infrastructure. You'll learn the battle-tested techniques we've developed over the last 4 years, like how we execute PostgreSQL major upgrades and OS (glibc) upgrades at the same time, prevent data corruption, as well as always keeping a rollback path via reverse replication. We'll walk through real production examples, the gotchas we discovered, and the tooling we built. Whether you're managing a single HA cluster or a global fleet, you'll leave with actionable strategies to minimize (or eliminate) downtime during your next major upgrade.
1000 years ago in the Package Management devroom at FOSDEM 2018 I gave a talk entitled "How To Make Package Managers Cry", where I presented a range of techniques that open source software projects can apply to make the life of package managers utterly miserable.
In many ways, the world is a different place since then... Never in my wildest dreams could I have imagined that this was just the tip of the iceberg. Open source enthusiasts have come up with many more and even better ideas!
Come and learn about the creative yet tremendously effective ways in which open source software projects (and the broader ecosystem) have taken things to the next level to make package managers scream.
You may also get to know a couple of tools that (for some reason) try to counter these best practices, to great dismay of the open source software community.
If you too want to make package managers scream, don't miss this talk...
The integration of Open Source Software (OSS) in functionally safe systems represents a critical intersection of innovation and compliance requirements across multiple industries. This talk examines two complementary aspects of this evolving landscape: the current state of OSS in functional safety applications and the persistent barriers hindering wider adoption.
2024/2025 have marked significant acceleration in the visibility and adoption of OSS in safety-critical environments, with diverse projects demonstrating varying levels of maturity. Foundation-backed initiatives like the ELISA project within the Linux Foundation are establishing frameworks for Linux in safety applications, while specialized operating systems such as Zephyr and Xen continue to gain traction. The Eclipse Foundation's Safe Open Vehicle Core (S-Core) project represents another significant advancement, aiming to create a common certifiable automotive middleware stack that addresses critical safety requirements. The ecosystem now spans from microkernel solutions like L4Re and seL4 to full-featured platforms, with Linux serving as a prime example of the opportunities and challenges in this space. Infrastructure improvements like the SPDX safety profile address critical aspects of safety documentation in Software Bill of Materials (SBOMs), while safety-certified components like the Ferrocene Rust compiler create new possibilities for language-level safety guarantees.
Despite this progress, substantial barriers impede broader OSS adoption in functionally safe systems. A particularly persistent challenge remains the confusion around terminology and approaches - exemplified by the distinctions between "safety Linux" versus "safe Linux" that illustrate broader issues in how safety responsibility is allocated between OSS components and system-level mitigations. By examining architectural concepts currently implemented in production systems or under development, this talk cuts through marketing rhetoric to provide clear distinctions between approaches across various open source technologies.
The author will address uncertainty around certification pathways, challenges in establishing sufficient evidence for safety arguments, fragmented governance models, and incomplete understanding of OSS development processes among safety assessors.
Attendees will gain practical insights for evaluating safety approaches in OSS-based systems, including key questions to ask when assessing different safety concepts across industries, with particular emphasis on applications where both manufacturers and suppliers are seeking to implement open source software in safety-critical production systems.
Links to relevant example projects as part of the talk are available in the resources.
Open Source powers nearly everything in our digital lives, from web servers to smartphones. In many ways, we could say Open Source has "won". But can we really celebrate that victory when so many maintainers are burning out, while users and companies continue to depend on their unpaid labor? The current sustainability models, from corporate sponsorships to paid support, often fall short, leaving creators overwhelmed and users with unrealistic expectations. In this talk, we’ll take a critical look at how Open Source has been funded (or not funded), why many existing models are failing, and what new paths we might explore to ensure the long-term health of the ecosystem. We’ll dissect funding approaches like donations, sponsorships, and open core, and ask some uncomfortable questions: Why are we still relying on volunteers to power global infrastructure? Is it time for an Open Source tax? Would paying volunteers actually motivate or demotivate them? This is not just a talk about money. It’s a call to radically rethink what sustainability really means for Open Source, and how we can build a future that doesn’t run on burnout.
In today's world everyone just gets open source ... at least you don't have to explain what it is any more. However, the way a corporation runs is based on transaction needs rather than deep philosophical beliefs, so Open Source and your place within a corporation (and often your value to it) depend on your ability to translate between these two positions. This talk aims to equip modern open source developers with the ability to navigate this translation effectively. And, although the transaction nature means trust is fleeting, constantly adjusting to the transactional needs can build fleeting trust into a longer term reliance.
Although Linux isn't the first open source project, it is the first one to begin successfully co-opting corporations into its development model. In the beginning Linux was a wholly volunteer operation that leaked into corporate data centres via subversive means. When the leak became a flood those in charge of the data centres reluctantly blessed Linux deployment to avoid being swept away. This meant that all the ancillary producers (drivers for hardware, databases, industrial applications etc.) all had to come to Linux on its own terms (which we, the Linux community hadn't actually thought about at the time). It also meant that relationships that began completely antagonistically usually ended up being harmonious (yesterday's enemy almost always became today's friend). The result was a years long somewhat collaborative project to develop rules of engagement between open source projects and corporations.
This talk will cover three things that came out of these rules of engagement:
agency: a corporation deals with open source through its developers at the code face. They are empowered to make decisions on its behalf way beyond any proprietary developer ever was and this empowerment changes the internal as well as external dynamics of employer to employee interaction.
Mutual Development: As an open source contributor you become responsible for deciding what's best for the project (and persuading your employer to agree).
Strategic misalignment: although corporations understand that they have to do open source, internally there's often an uneven penetration of how to do it. Thus a significant part of a good open source employees time is spent doing internal alignment to make sure internal lack of comprehension doesn't get it the way of sound execution.
We'll give examples of how to leverage these rules, an understanding of which will allow you to build a shifting transactional trust between you want your employer.
“Who pays your bills?” was the first question my now-CTO asked me,when we didn’t even know each other. Years later, we co-founded OPENGIS.ch, a 40-person company that thrives on geospatial open-source software and gives back by contributing heavily to the projects we build upon.
In this talk, I’ll share our journey building QField, an open-source mobile app with more than 2 million downloads, and creating a sustainable business model around it and QGIS. I’ll explain how the QGIS.org community works, and show why open source is not just a philosophy, but a real business opportunity.
We’ll explore sustainability, community, and business, the three pillars that allow open-source software to flourish and its contributors to make a living from it.
Every successful open source project starts small, but not every small project gets the chance to succeed. Here’s the paradox: funders prefer to back proven impact, yet impact requires early support. If new initiatives can’t access resources until they already “look successful,” we risk starving the very ecosystem that keeps open source innovative and diverse.
This talk explores this chicken-and-egg dilemma and proposes ways to flip the script. What would it look like if we invested not only in impact already proven, but also in potential?
Drawing from my experience building Pre-Seeds: Research 101, I’ll share insights into the struggles early-stage projects face (e.g., limited visibility, lack of credibility, and difficulty accessing networks). I'll also highlight the kinds of support that make a difference, sharing lessons on how these projects can be supported beyond grants. From spotlighting them on community stages and amplifying their voice online, to connecting them with mentors and fellowships — these “non-monetary investments” can bridge the gap until traditional funding becomes viable.
Attendees will leave with concrete ideas for how they — as individuals, organisations, or communities — can sustain the pipeline of emerging projects, ensuring the long-term resilience of open source.
If we want an open, thriving, and continuously renewing FOSS ecosystem, we need to get better at nurturing the eggs, not just celebrating the chickens.
How do we find and nurture the next generation of open source contributors? Unlike commercial companies, open source projects don’t have legions of recruiters to bring people into the fold—and yet our projects need a steady stream of new contributors. Or should open source projects assume that new contributors (and future committers) will continue to “self-select” onto the project?
The PostgreSQL open source project turns 30 in 2026 (Happy Birthday!). It has evolved from a small project that some referred to as “just a toy”—to today, where Postgres is thriving with an active community and a vast ecosystem of extensions and tooling. The project has clearly done some things right. Postgres is hugely popular, with a healthy upstream open source community plus a host of companies and products built around Postgres itself.
And Postgres is owned by no one company; instead, a multitude of competing interests align as people from different countries and continents roll up their sleeves to get the work done. But what happens when the current generation of Postgres committers step back or retire—where will the next generation of Postgres contributors come from?
Postgres isn’t special in needing new contributors. It just happens to be a 30-year-old project whose successes, experiments, and failures might apply to other communities too. In this talk, we’ll look at how contributors find their way into Postgres: what worked, what didn’t, and where we’re still struggling. And having the conversation at FOSDEM will help us think together about a challenge common to all of us—how successful open source projects need to evolve as they get older.
Introduction – Why FOSS compliance matters today: legal exposure, rising regulatory demands under the Cyber Resilience Act (CRA), and growing supply chain accountability.
Legal Framework – Overview of license obligations, liability risks, and the intersection of open source compliance with regulatory requirements (CRA, AI Act, product safety law).
Risk-Based Approach – How organizations can tailor the depth and scope of compliance to project risk, software use, and supply chain complexity.
Practice and Tools – SBOMs, scanning tools, policy frameworks, and OpenChain implementation: what actually works to make compliance efficient and auditable.
CRA Integration – How FOSS compliance measures support CRA obligations, especially regarding documentation, security updates, and traceability.
Conclusion and Outlook – From obligation to opportunity: compliance as a mark of quality and a driver of market trust.
In 2024 we gave a talk called "The Regulators are Coming". This year, the regulators are here! This would be a talk to update the broader community on how the implementation of the CRA is advancing, and how we have made efforts to include the open source community so far. The concept would involve a short update from EC, the european standardisation organisations and representatives of the open source community who have been participating in the standardisation efforts.
Open source represents 70% to 90% of modern software codebases and this is today seen as as a crucial global public infrastructure by many players. Given its ubiquity, this is increasingly part of geopolitical discussions and national-security agendas. This presentation will analyze the risks and governance challenges at the intersection of open source and global politics, with a focus on the recent European discourse on digital sovereignty and supply-chain security.
The core dilemma is that open source's power lies in the mutualization of risk (collective maintenance and faster vulnerability detection), but this is being undermined by fragmentation along national and corporate lines. We will explore:
The Weaponization of Open Source: How jurisdictional control over key platforms (like GitHub and PyPI, largely hosted by US entities) translates into geopolitical tools (the "Panopticon" and "Chokepoint" effects), as seen in the 2019 GitHub sanctions.
Lack of Investment: The crisis of critical components being maintained by small, under-resourced teams, creating an ecosystem that powers the global economy but lacks the resources to secure itself (e.g., the Log4j incident, XZ, and others).
The Fragmentation Trend: The response from nations like China, which are building domestic repositories (Gitee, OpenAtom Foundation) as part of a plan for technological self-sufficiency. This fragmentation reduces interoperability and shared visibility. This makes open source more weak and less resilient.
The presentation will conclude by openly discussing a shared call to action for the FOSS community: How can we forge a stronger shared responsibility between developers, policymakers, and industry to mitigate these losses and keep open source secure, interoperable, and globally accessible?.
Over the past twenty years, I've written about esolangs as a hacker folk art for the blog esoteric.codes, bringing the voice of many esolangers together, to find crossover in their approach to computation as a medium. Meanwhile, I've produced esolangs of my own, recently brought together by MIT Press in Forty-Four Esolangs.
This talk brings together both projects, to show the potential of this hacker folk art to go far beyond the listicles of puzzle languages and joke languages with which it is often associated. Its languages ask programmers to write code as a series of photographs, or by two programmers typing in tandem, or using global variables that are global across the world. It presents esolangs as challenges to conventional ideas about code: everything from "the cognitive gap between the text and performance of code should be as small possible" to "languages should lead to runnable programs" or even "code should be written with intent."
This talk emphasizes esolangs as a community form built on dialogue between esolangers and the esoprogrammers who explore their ideas and find the limits of their languages. I hope to inspire more programmers to recognize esolangs as our own space of play and embrace it as an experimental medium. In this moment, when AI tools help reinforce a particular, corporatized vision of how code should look, esolangs offer resistance to this monostyle and against the de-skilling of programming as art.
The regular FOSDEM lightning talk track isn't chaotic enough, so this year we're doubling down on Lightning Lightning Talks (now with added lightning!).
Thought of a last minute topic you want to share? Got your interesting talk rejected? Has something exciting happened in the last few weeks you want to talk about?
Get that talk submitted to Lightning Lightning Talks!
Submitted talks will be automatically presented by our Lightning Lightning Talk System, which keeps track of the time limit for the current speaker and the order of presentations.
Presenters who attempt to speak for longer than 256 seconds risk being swept off the stage by our Lightning Lightning Talk Cleanup Crew.
The curl project has been bombarded by large volumes of low quality AI slop security reports and Daniel shows examples. Sloppy humans causing Denial-of-Service attacks by overloading maintainers with quickly produced almost-real-looking rubbish.
At the same time, upcoming new AI powered tools find flaws and mistakes in existing code in ways no previous code analyzers have been able to. Daniel names names and shows examples of findings, some that even feels almost human. Next level bug-hunting for sure.
AI now simultaneously brings us the worst and the best.
All programming languages have their foundations: the engine that interprets your code and makes everything run. In PHP, this is the Zend Engine, a critical piece of software that powers millions of applications worldwide. When everything works, you don’t even think about it. You deploy to production, and the engine does its magic behind the scenes.
But what happens when something goes wrong in that core? What if a subtle bug opens the door to a full security breach? Suddenly, the invisible foundation becomes the most important part of the story.
Let’s shine a light on two such cases: a recent, real vulnerability in the PHP engine (which has since been patched), and a backdoor that, just a few years ago, actually made it into the release candidate and allowed remote code execution. We’ll walk through how each issue could be exploited and, most importantly, what lessons developers can draw from them. And yes, there will be live, local, sandboxed demos of both exploits in action. Ready to dive in?
This talk is about how risk and control moves through the computational stack, from transistors to firmware, from chip monopolies to satellite networks, from invisible maintainers to AI accelerators. We'll walk through the failures that mattered: Heartbleed. Log4Shell. Spectre. The Garmin ransomware attack. The XZ backdoor. Not because they broke things, but because they showed us where power actually lives, and how fragile those concentrations really are.
Every one of those failures revealed something: how physical constraints shape digital power, how a single unpaid maintainer can hold up half the internet, how optimization culture erodes resilience. They showed us that nations, economies, and individual freedom now depend on infrastructure most people will never see.
But here's the thing: Open Source built that infrastructure. And Open Source can reshape it. This is about understanding where we are, how we got here, and what it means to build systems that distribute power instead of concentrating it. Because the people who write the code should be the ones who decide how it works, and who it works for.
Spotify is the world's largest music streaming service, yet it has never fullfilled the flexibility and platform support needs of the ones enjoying home automation, open streamers and more. For over a decade, the librespot family of projects has been filling that void through reverse engineering of Spotify's products.
This talk takes you through one of the longest-running efforts to open up the Spotify ecosystem. We'll explore the technical approaches used to reverse engineer the official clients, the evolution of the project as Spotify's architecture changed, and the delicate balance of operating in legal grey areas while keeping the open source project alive.
All of this brought to you by the maintainer of go-librespot and memeber of librespot-org.
The promise of smartphones was freedom in your pocket. The reality? Two corporate gatekeepers controlling what software billions of users can run on devices they supposedly own. This talk examines the uncomfortable compromises FLOSS developers face when trying to distribute apps through iOS and Android app stores, where every principle we hold dear—user freedom, privacy, transparency, and community control—runs headlong into the profit-driven interests of the global mobile duopoly.
We'll explore the battleground where free software principles meet platform restrictions: mandatory code signing that undermines reproducible builds, opaque review processes that can arbitrarily reject apps exercising user freedom, 30% revenue cuts that punish sustainable FLOSS funding models, and Terms of Service that can revoke your ability to distribute software overnight. The Digital Markets Act promised to open these walled gardens, but has it? Or have we merely traded one gatekeeper's rules for slightly different ones?
This isn't just about technical hurdles—it's about fundamental questions. Should FLOSS projects compromise on GPL compliance to reach users? Is it ethical to pay fees and developer taxes when that money funds the very infrastructure restricting user freedom? When F-Droid and alternative app stores offer true freedom but reach only 2% of users, do we accept the compromise or maintain ideological purity while our potential impact dwindles?
The stakes are existential. As our digital lives increasingly occur on locked-down mobile devices, FLOSS becomes the last line of defense against surveillance capitalism, planned obsolescence, and the erosion of user agency. If we can't effectively distribute free software on the platforms where users actually are, we risk relegating FLOSS to irrelevance precisely when it's needed most.
But there's hope. New regulatory frameworks, emerging alternative stores, advances in progressive web apps, and creative technical solutions offer paths forward. We'll discuss practical strategies for maximizing reach while minimizing compromise, building communities that value freedom over convenience, and preparing for a post-duopoly future.
This talk will challenge both the compromisers and the purists, asking uncomfortable questions: Are we collaborating with platforms that fundamentally oppose our values? Or are we pragmatically meeting users where they are? The answer may determine whether free software thrives or withers in the mobile era.
The Free and Open Source ecosystem has continued to evolve and adapt itself despite an ever-changing landscape that, paradoxically, seems to find pleasure in threatening its very own fabric.
And yet our resilience won't be able to sustain another direct hit, this time coming from the fact that Open Source lives at odds with the UX/UI Design Process.
Open Source, both as a social contract and as a practice, cannot afford not to fully own the strategic space that dictates how we connect with end users.
In this talk I will explain why this has become so crucial and why, while open-source developers are the most likely audience to suffer the most if this is not dealt with, they are also the most naturally equipped to lead a new design&code worldwide alliance.
FreeSewing is an open source project that provides a core (Javascript) library for designing parametric sewing patterns, as well as a growing collection of designs and supporting tools. We've been around for more than a decade, and in that time have built a large user base among the maker community.
FreeSewing designs are implemented as code giving you unmatched power and flexibility. You can mix and match parts from different designs, extend them, or add options that turn one base design into many. Our choice for Javascript means you can run all of this in your browser. Suffice to say, these are not your grandma's sewing patterns.
This talk will cover why I started FreeSewing, the pain points it aims to address, and how it works under the hood. I'll also cover our tech stack, and the choices we've made in this area, as well as how we needed to adapt as we outgrew our earlier choices. In addition, I'll cover some of the lessons learned after more than a decade of designing parametric sewing patterns for bodies in all shapes and forms. I will also include tips for running an open source project for a prolonged period of time while avoiding the pitfalls of maintainer burn-out.
I'll bring some cool swag too.
The story “Ada & Zangemann – A Tale of Software, Skateboards and Raspberry Ice Cream” inspires the software freedom community because it covers more than the simple value of learning to program. It also covers the importance of control over technology and its impact on society. In this way the story is inspiring many kids, teens, parents and many others to learn programming and shape technology.
I too was captivated by the story. Working on a Dutch translation sent me down the path of improving the automation to help others like me to translate the story and publish it in different formats. The free culture license of the book enables and compels the community to adapt it, and they have. The community keeps surprising us with new formats to convey the story. Since its release it has been translated into 30 languages, published as a book in 7 and as movie in 5. And it is available in a growing number of other formats: epub, online book, bilingual book and kamishibai.
Translation and localization is the primary purpose of the automation. More interesting and ambition is to support the increasing number of formats: from printed book, to online book, voiceover text and subtitles. This wide variety of formats presents a unique challenge for which no ready-made solution exists. By leveraging open standards (XML, Docbook, ITS) and Free Software (Scribus, itstool, gettext, xsltproc, pandoc, Weblate) we created automation that enables translators to add new languages while also enabling new formats to be added. This includes a novel method for inserting text and images into Scribus. This multi-media setup can be used as inspiration for other free culture multi-media projects.
In this presentation we will tell the story how the automation developed over time. We'll share the inspiring stories from the community that leveraged the automation and influenced its development. The technical challenge of the automation is fun, but the community stories give it meaning and motivate me to keep at it.
With this presentation we hope to inspire others to contribute to the Ada & Zangemann community by translating, adding a new format or contributing to the automation and to share own materials benefiting our community as Open Educational Resources.
At the Humanitarian OpenStreetMap Team (HOT), we envision an ecosystem of open mapping technology that enables everyone, and in particular vulnerable communities, to make open map data available in order to use in disaster response and humanitarian context. We focus on building with our community and involving our users in every step of the process.
In this session, we would like to take you on a journey in introducing the full end-to-end open mapping workflow and the open source tools enabling that process - from the newly developed Drone Tasking Manager to fAIr (our AI assisted mapping service), Field Tasking Manager, ChatMap and uMap. We will share some stories from case studies in testing the end to end mapping workflow in Indonesia and Sierra Leone and the lessons learnt.
We hope that you will leave this talk inspired and with an understanding on how YOU can become part of the open mapping ecosystem and contribute to the technology development!
HOTOSM website: https://www.hotosm.org/tech-suite HOTOSM Github: https://github.com/hotosm
Btrfs was merged into the Linux kernel in 2009, arriving with bold promises—and, let's be honest, a reputation for instability. I first tried it on my laptop in 2011. It wiped my data. Twice. On the bright side, it taught me the value of backups.
Fast forward to 2025: btrfs is no longer the experimental filesystem of the past. It's stable, mature, feature-rich, and fully part of the Linux kernel. But old reputations die hard. Even today, Google Cloud Platform doesn’t officially support it—not because of technical shortcomings, but because customer demand hasn’t pushed the issue.
At Chronosphere, we decided to take a fresh look. After months of evaluation and testing, we migrated petabytes of customer data across thousands of disks to btrfs. This talk is our story: why we made the leap, what we learned along the way, and how we’re helping bring btrfs into wider enterprise adoption—including working with Google to support it natively.
I'll share the decision-making process, key performance and reliability insights, and the quirks you only discover when running btrfs at scale. Whether you're btrfs-curious or just love a good ops tale, you'll walk away with real-world takeaways—and maybe a newfound respect for this once-maligned filesystem.
If you know what NTFS, ext4, or ZFS are, you’re ready for this journey.
In an era where our identities and rights are increasingly mediated by devices we call “phones”, the boundaries between digital citizenship and corporate feudalism are blurring. This talk explores the intersection of technology, autonomy, and community within the unique context of transformational festivals, temporary autonomous zones (TAZs) (or future isolated neightborhoods and local communities?) where experimentation and reappropriation of tools take center stage.
Starting from a cyberpunk reflection — high tech, low life — the talk questions how much of that dystopian vision has already become reality: from algorithmic control to the loss of privacy and digital dependency. Drawing on the legacy of radio as an anarchic medium and the new rise of mesh networks such as Meshtastic/Meshcore/Reticulum, The Things Network, and Helium, Davide Gomba connects past and future: from Marconi lighting up the Cristo Redentor in 1931 to today’s decentralized communication protocols.
Through examples from Lutopia’s “Ozorian Experiment” (2024) and the ongoing Burning Mesh initiative, the talk presents how off-grid communication can become both a poetic and political act - reclaiming connection, rebuilding resilience, and teaching new forms of digital literacy. Between cyberpunk dystopia and techno-anarchic optimism, “The Meshiverse OR The Revolution of the Little Radios” is a manifesto for the right to communicate freely - even, and especially, when the network goes dark.