State of Open Con 2025

Although I'd previously helped maintain more well-maintained projects, moving into this project, with one other overworked maintainer who was largely working in the very little spare time they had, I found that my work was cut out for me.

It didn't help that this was also one of the most widely used Go libraries in a fairly well used niche, and a very regularly discussed and recommended option, but the complexity of the domain led to a lot of difficulty in predicting the way that the library is used, and we (as maintainers) are actively driven by the use-cases from our users.

It's taken a couple of years of work to improve our triage process, documentation and re-testing old issues to see if they had been fixed in the meantime, and we've still got _so much_ more to do.

You'll hear some first-hand examples of the difficulty of being an Open Source maintainer, and some tips you can follow as a good Open Source citizen, to improve life for the maintainers of projects you use.

For seasoned maintainers, this will all be very familiar. For folks who are primarily users of Open Source, you'll learn some behind-the-scenes insights into what it's actually like behind the issues/PRs.

What is the impact on contributors when maintainers fight, aren't welcoming, or don't lead inclusively? We are a community of doers who enable open source projects including Kubernetes, Prometheus, Envoy, and many others, but conflict between maintainers and contributors can negatively impact our projects and lead to resentment, drive contributors away, and in the worst of cases can escalate to code of conduct issues. When we maintainers don't have each other to lean on, what can we do? Sunlight is the best disinfectant and reflecting on these interactions can help us all do better and help our projects be more successful. In this talk, Kat and Jeremy will share some examples where communications went wrong, talk about the impact on contributors, and share a framework we can all use to do better.

With a month's notice to transition to a new workflow for managing incoming security reports for our open source project, join us to learn how we implemented GitHub's built-in security reporting feature in the Mautic project, and explore the highs and lows of collaborating with researchers, contributors and our security team using this system.

The European Commission has clearly identified open source as an strategic tool for bringing some balance to an EU cloud market currently dominated by a handful of non-EU hyperscalers. Part of that commitment comes through a series of ambitious, multi-million EU projects like the COGNIT project and the multi-country “Important Project of Common European Interest on Next Generation Cloud Infrastructure and Services” (IPCEI-CIS).

For the first time in the history of the European Union, it is the EU industry who will be leading large-scale open source projects aimed at building European strategic technologies.

In this talk we will explain in detail how specific European open source technologies are being brought together as part of some of those projects to start building Sovereign Multi-Cloud solutions that ensure interoperability and digital sovereignty for European users while preventing vendor lock-in in the cloud market, opening up competition in the emerging 5G/edge.

As platform engineering continues to gain traction within the tech industry, the role of internal developer platforms (IDPs) is becoming essential in streamlining application delivery. According to Gartner, by 2026, 80% of large software engineering organisations will have established platform engineering teams. This prediction is already materialising, with the latest State of DevOps Report by DORA revealing that 89% of organisations are using some form of internal developer platform.

However, as Gartner positions platform engineering at the peak of its hype cycle, it raises the question: what comes next? Will the industry face the "trough of disillusionment," or will platform engineering continue to evolve and mature? This panel discussion will explore the future trajectory of platform engineering, examining current trends and their implications for the industry.

Key questions we will address include:
- Where are current trends in platform engineering taking us?
- Will the market see a proliferation of new tools, or will we see more consolidation?
- Will organisations move toward a single, unified platform, or will multiple, specialised platforms emerge to meet different needs?

Join our expert panelists as they share their insights and discuss what the future holds for platform engineering.

Regulators are coming for you if you're not looking after your customers' (or your employees'!) Personally Identifiable Information (PII). Luckily, Open Source, coupled with Confidential Computing, can give you a chance to be star baker. And while this session doesn't promise a Paul Hollywood handshake, let's at least try to avoid a soggy bottom to your security and risk policy.

In the past few years, the open source ecosystem has seen transformational innovation in the way we measure and analyze open source world - from development to community engagement, usage, economic impact, and beyond. In this panel, we gather the experts to discuss the state of open source from the hard numbers. We will discuss which indicators to watch, what we can learn from them, and what they might suggest about the future of open source as we know it.

EQUIP (Ensuring Quality in Psychological Support) is a World Health Organization & UNICEF project using Drupal to deliver mental health support training and assessments in low and middle-income settings with low connectivity. As of March 2024, EQUIP's digital platform had been used in 794 training programmes in 36 countries with 3,760 trainees resulting in 10,001 competency assessments.
This case study will show how EQUIP was built using an human-centred approach to product design and Drupal-based open source technology, to provide an open-access platform for NGOs around the world.

Delivering software fast is one piece of the deployment puzzle, but delivering it securely is the glue that keeps your puzzle from falling apart. Software supply chain attacks are on the rise with security exploits directly targeting open source projects, central repositories, and software package managers. With 90% of enterprise companies using open source software in their builds no one is immune to these attacks and now more than ever the community is working hard to create safeguards and tooling to prevent potential attacks. The question then becomes who should you look to for best in class security protocols?

Thankfully the open source community is banding together and foundations like OpenSSF, CNCF and OWASP and companies are working to solve security problems. To help ensure a secure SDLC, these developer focused communities are investing time, energy, money and innovation in projects that provide security solutions. This talk will give a brief overview of some major attacks in the last decade, it will underscore the importance of securing your software supply chain at the source and will highlight a some open source projects that are on the market that are helping to close the security gaps.

In recent years, NIST has published several Special Publications focused on cloud application and network security. These documents provide comprehensive guidance and standards for security best practices. They address cloud security controls, Zero-Trust Architectures, and microservice security, while also examining the security implications of various cloud network topologies.

In this talk, Matt will summarize the key recommendations from these publications and outline practical steps for implementation. He'll also demonstrate how to maintain ongoing compliance with these controls using OSCAL and Lula.

Your models are running, your clusters are purring, and everything seems ready to sail smoothly across the vast seas of AI. Everything’s good, right? Attacks targeting GPUs, especially those aimed at poisoning AI models during training and inference, represent a growing frontier—much discussed but rarely explored.
In this hands-on talk, we’ll dive deep into how GPUs can be attacked and, more importantly, how to defend against these threats. You’ll discover best practices and learn how open-source tools you already know—like Falco, Cilium, and others—can protect your precious models. Get ready for an adventure into the open field of GPU security in AI. See it, Hack It, Sort It.

As our reliance on cloud-native infrastructure grows, so does the complexity of protecting sensitive data in multi-tenant and untrusted environments. This talk explores the core principles of secure isolation and trust boundaries to provide a practical understanding of how these concepts safeguard data during processing, enabling compliance, reducing risk, and building user trust. With a focus on real-world applications and accessible insights, this session demystifies the evolving security landscape and empowers engineers, policymakers, and technologists to collaboratively shape a more secure digital future.

Along with the benefits of AI are newly developed threats it enables. This talk spotlights new threats AI will create in 2025 as well as ways AI can be used to catch malicious activities.

In today’s world, security without tool and information harmonization is impossible.

Sadly and understandably, most security projects excel at doing one thing very well, however this is insufficient for most projects and organizations who need a combination of tooling in order to efficiently implement a cybersecurity strategy.

This is why we built and open-sourced Smithy.

Smithy is a framework/SDK and an optional execution engine that allows practitioners to orchestrate any security tool and translate its information to the popular security results standard OCSF. Translating outputs to OCSF format is not an easy process as the standard can be loose in some parts.

In this talk we will walk the audience through our context, why we built Smithy, how the SDK works and our design decisions. We’ll also talk about how we leveraged protobuf to extend the OCSF format and accelerate our development thanks to its strong types, code generation capabilities and built in versioning.

Further we will show participants what are the supported components, how to create a sample component and of course pitfalls, tips and tricks.

At the end of the talk, participants will be able to orchestrate any security tool that provides an api or some sort of way to gather its results into any cybersecurity programme, for free.