Ericsson was strongly represented at the Linux Foundation Open-Source Summit Europe 2025 in Amsterdam, with 22 participants and 7 speakers contributing across key tracks such as Yocto & Embedded Linux, Open-Source Program Office (OSPO), OpenSSF, and cloud/container technologies. As a team we'd love to share some of our thoughts and experiences as we traversed the vast range of diverse topics.


Diverse sessions

There was a vast number of sessions addressing pressing topics, including the sustainability of mature open-source projects (highlighted by Daniel Stenberg’s talk on curl), the balance between growing commercial interest and keeping open source truly open, and advances in security, from CVE triage automation in Yocto to compliance with the EU Cyber Resilience Act (CRA). Highlights also included ARM SoC lifecycle discussions, Sony’s ESSTRA license tracing tool, supply chain security best practices from CNCF, and the continued evolution of Industrial Grade Linux. AI, especially agentic AI and open-source AI models, was a recurring theme throughout. The full schedule and materials are available at https://osseu2025.sched.com/. Recordings are available on the Linux Foundation YouTube channel.

Ericsson presenters covered topics in the Yocto and Embedded Linux, Open-Source Program Office (OSPO), OpenSSF, and Cloud and Containers tracks. The whole program can be found at https://osseu2025.sched.com/. Slides are available from the talks, and the recordings are now available on the Linux Foundation YouTube channel.

Keynotes

In one keynote session, Daniel Stenberg (curl) shared what it’s like to run curl in 2025, an almost 30-year-old open-source project installed in over 20 billion instances. He reflected on the realities of maintaining widely used software in a shifting landscape and offered a candid look at what it really takes to keep open source sustainable for the long haul. This talk made a big impression on the conference and was referred to in numerous other presentations and discussions during the week. (Recording)

From various keynotes and sessions, we learnt that there is increased commercial interest in open source, as venture capitalists invest in commercial open-source companies. Such companies develop up to 100% of their software in the open but provide added features or services on top of it as commercial offerings. The open-source communities can gain from this as well, through increased funding and an increased number of contributors. But with commercial interests knocking on the door, there is a need to ensure that open-source software stays open, and a conference like this plays a critical role in upholding that.

Jonathan Corbet presented the history of the Linux kernel project, which has been going strong for over 30 years. From its beginnings on floppy diskettes and beige boxes through to its current home in pockets and unseen data centers, the kernel project has been a constant exercise in rapid development and adaptation. (Recording)

Embedded Linux

In the Embedded Linux track, multiple presentations focused on security: secure boot, testing, experiences from other large companies, and the CRA (the EU Cyber Resilience Act).

Ericsson became a gold member of the Yocto Project, and we have already started contributing to the project. We have been part of the conversations within the community to synchronize security work in the embedded world and to focus efforts with other companies on backporting vulnerability fixes. Part of the CVE effort was presented in Improving CVE Triage for the Linux Kernel using the Yocto Project, where several community members welcomed the contribution: kernel CVEs that affect parts of the kernel which are not compiled into the build are triaged automatically, reducing triage work by 80%.
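To make the idea behind that triage concrete, here is an added illustration (written for this report, not the Yocto Project's or Ericsson's tooling): a CVE whose affected kernel source files were all left out of the build cannot be reached in the shipped kernel, so it can be marked "not compiled" without a human looking at it. The CVE feed, the affected-file lists and the object-file listing below are all constructed sample data, and the CVE identifiers are placeholders rather than real advisories.

```python
"""
Illustrative kernel CVE triage by build coverage (added example).

Assumption: a CVE feed that names the kernel source files a fix touches, and
a listing of the object files a particular kernel build actually produced.
Both are constructed here; real inputs would come from a CVE database and
from the build tree (for example `find $KBUILD_OUTPUT -name '*.o'`).
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    affected_files: tuple[str, ...]


# Constructed sample feed; the IDs are placeholders, not real CVEs.
SAMPLE_CVES = [
    CveRecord("CVE-0000-0001", ("drivers/net/wireless/example/rx.c",)),
    CveRecord("CVE-0000-0002", ("net/ipv4/tcp_input.c",)),
    CveRecord("CVE-0000-0003", ("fs/ext4/inode.c", "fs/ext4/extents.c")),
    CveRecord("CVE-0000-0004", ("drivers/gpu/drm/example/gem.c", "mm/slub.c")),
    CveRecord("CVE-0000-0005", ("include/linux/list.h",)),
]

# Constructed object-file listing for one kernel configuration.
SAMPLE_BUILT_OBJECTS = """
net/ipv4/tcp_input.o
net/ipv4/tcp_output.o
fs/ext4/inode.o
fs/ext4/extents.o
mm/slub.o
kernel/sched/core.o
"""


def parse_built_sources(listing: str) -> set[str]:
    """Map every built .o file back to the .c file it was compiled from."""
    built: set[str] = set()
    for line in listing.splitlines():
        line = line.strip()
        if line.endswith(".o"):
            built.add(line[:-2] + ".c")
    return built


def triage(cves: list[CveRecord], built_sources: set[str]) -> dict[str, str]:
    """Classify each CVE as 'not compiled' or 'needs review'.

    A CVE is 'not compiled' only when every affected file is a .c file that
    is absent from the build. Header files (.h) are inlined into many objects,
    so a CVE touching a header cannot be ruled out from the object list alone
    and is left for manual review, as is any CVE with at least one built file.
    """
    verdicts: dict[str, str] = {}
    for cve in cves:
        all_c = all(f.endswith(".c") for f in cve.affected_files)
        none_built = all(f not in built_sources for f in cve.affected_files)
        if cve.affected_files and all_c and none_built:
            verdicts[cve.cve_id] = "not compiled"
        else:
            verdicts[cve.cve_id] = "needs review"
    return verdicts


def review_queue(verdicts: dict[str, str]) -> list[str]:
    """Return the sorted list of CVE IDs that still need a human look."""
    return sorted(k for k, v in verdicts.items() if v == "needs review")


if __name__ == "__main__":
    result = triage(SAMPLE_CVES, parse_built_sources(SAMPLE_BUILT_OBJECTS))
    for cve_id, verdict in result.items():
        print(f"{cve_id}: {verdict}")
    print("manual review queue:", review_queue(result))
```

The conservative rules matter more than the bookkeeping: a CVE is only dropped when the build evidence is unambiguous, and anything involving headers or partially built file sets stays in the queue, which is the behaviour you want from an automatic triage step that removes work without silently hiding applicable issues.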

Arnd Bergmann, the Arm SoC kernel maintainer, gave an overview of which 32-bit systems are still supported, and for how long that is going to remain the case. This covers modern ARMv7/v8 hardware, older ARMv4/v5/v6 machines, and other embedded CPU architectures. Specific issues include MMU-less microcontrollers, large memory, small memory, 32-bit userland on 64-bit hardware, and the state of the 2038 apocalypse. Some functionality needed for 32-bit kernels is deprecated, and some architectures and functionality will start to be removed as early as 2027, after the LTS release of that year. (Slides, Recording)

Developments in tooling

Sony has developed ESSTRA, a tool that traces which files are included in the binaries used in your product or service and, based on this data, which OSS licenses you must comply with. It is itself available as open source and includes both a GCC plugin that records source files during a build and embeds that information into the resulting binaries, and a tool to manage the information. Whether this idea of integrating the file details into the binary, as opposed to storing them in a separate SBOM file, will fly remains to be seen. (Slides, Recording)

CNCF has quite recently published an updated version of its Supply Chain Security guide, intended to give guidance on securing software supply chains, both from an open-source developer perspective and from a downstream open-source consumer perspective. The updated version clarifies the role of SBOMs, attestations, and policies backed by robust tooling that teams can use today. (Slides, Recording)

Security, compliance and more

With the CRA deadlines approaching, it is important to ensure that you can comply with the Software Bill of Materials (SBoM) requirements it stipulates. Fortunately, Yocto has robust and comprehensive SBoM generation integrated into it, which can aid in ensuring compliance. In Complying with CRA SBoM Requirements using the Yocto Project, Joshua Watt (Garmin) provided information and tips on how to configure your Yocto builds for CRA compliance and for justifying that compliance. (Slides)

Open-source project repositories often expose more than developers intend, and not just the occasional leaked password. In many cases, careful analysis of public Git histories can uncover traces of vulnerabilities being fixed days or even weeks before an official security advisory is published. In this talk, Marta Rybczynska presented findings from research into the repositories of several high-impact open-source projects, revealing how fix commits often hint at upcoming security disclosures. (Slides, Recording)

The Civil Infrastructure Platform (CIP) project continues to advance Industrial Grade Linux for mission-critical systems requiring long-term reliability, security, and regulatory alignment. The talk provided the latest updates across CIP’s core activities, including extending security patches on old LTS kernels to make them Super Long-Term Support (SLTS). (Slides, Recording)

There were multiple talks about bootloaders, secure boot, and the need to keep bootloaders up to date, since they can become a vulnerable point in the whole secure boot chain. The bootloader plays a crucial role in establishing the chain of trust for embedded Linux systems. Bootloader Security: An Underestimated Risk To Embedded Linux Security explores security vulnerabilities in popular bootloaders that can undermine the effectiveness of verified boot (Slides, Recording), as does Bootloaders Under Fire: Real-World Threats and Practical Defenses (Slides, Recording).

There were a number of talks about security throughout supply chains. In particular, a presentation from GitLab highlighted many unhealthy habits that have been observed across many projects, both open source and closed source. While linking everything to poor physical health was used as an analogy, it highlighted many of the risks observed in projects with poor dependency management, weak security policies, and other key risks to be avoided. (Slides, Recording)

Marta Rybczynska from Ygreky highlighted the information attackers can extract from a Git repository to exploit CVEs that have been patched but, in the majority of cases, not yet published. (Slides, Recording)

The OpenSSF Community Day included a lot of talks about open-source security and about the regulations the software industry is facing. It’s important to collaborate in open source on meeting the requirements of the Cyber Resilience Act, as the time schedule is noticeably short. OpenSSF has provided a Security Baseline, explaining the minimum requirements to be fulfilled to show a strong security posture and to help, for example, maintainers (as defined in the CRA) comply with the regulation.

Don't forget AI ;)

We haven’t mentioned any AI-related talk in this report so far, but almost every talk had some AI twist to it. Agentic AI seems to be this year’s buzzword, with frameworks and even a new language (BAML) to help create AI agents for any application, with easy access to models and their data. It was also argued that open-source AI models are the way to stay competitive in the fast-moving AI world.

Finally

This was just a small glimpse of the more than 300 sessions and keynotes held during the conference, but we hope it gave you some valuable insights into what is happening in the open-source world.

Contributors: Daniel Turull, Emil Bäckmark, Cameron Scholes