Speakers and Talks

Jan Ainali
Common collaboration conundrums
Open source is rightfully popular, but succeeding may not be as easy as it sounds. In this talk, I'll highlight a number of common pitfalls that I have observed maintainers of a codebase create for themselves. I will go through why it might seem like a good idea, what harm it actually does, how to repair mistakes and, even better, how to avoid making them in the first place.
Jan is working with developing tools, processes and collecting best practices for community building amongst the codebases in stewardship.
Jan has been a policy advisor on digital issues in the European Parliament for a green MEP, mainly working on the copyright directive. Before that he ran a consultancy called Open by Default, which helped public organizations use open licenses to publish open data and make open source software. Previously he was the CEO of Wikimedia Sverige after co-founding the chapter and being its chairman.
Jan has a bachelor of science in innovation and design engineering from University of Karlstad.
Mattias Axell
State of The Freedoms and Rights Address
The Digital Freedoms and Rights are constantly evolving, legally, technically and socially. However they are not always improving for the benefit of the individual nor the general public. One example is the current EU Commission’s proposal on Chat Control 2.0 which would introduce a complete and total scan and mass surveillance of all EU citizens' private communications - effectively the ending of end-to-end encrypted communications.
During this presentation I will share some perspectives of the current states of digital policy in relation to digital freedoms and digital rights. The case study will be Sweden as it currently holds the Presidency of the Council of the European Union. I will focus on areas of interest to citizens as well as free software and open source advocates such as GDPR, Schrems II, open data, Freedom of Information and Freedom of Speech, e-identification and building political opinion in these matters.
Mattias Axell is the chairperson of The Digital Freedoms and Rights Association (http://DFRI.se) which is a non-profit in Sweden. The association gathers members and volunteers to engage for freedom of speech, transparency and freedom of information, personal integrity and the individuals’ rights to control the use of their personal information and digital footprints. DFRI is a Swedish member of the European Digital Rights Network http://EDRI.org which gathers
Mattias works as an educator and strategic advisor at MetaSolutions which develops the Free and Open Source software suite called EntryScape. He works on a daily basis educating and advising public sector authorities on information management with metadata for open data, shared data and linked data. He also runs http://Handlingar.se which is an open platform for exercising the right to public information via Freedom of Information law.
Mattias holds a bachelor diploma from the Kaospilot School for Creative Leadership & Meaningful Entrepreneurship in Aarhus, Denmark.
Edward Betts
Tools for linking Wikidata and OpenStreetMap
Wikidata and OpenStreetMap are collaborative open data projects that contain structured data for real world places and things. Adding links between the projects makes the data more useful, but doing this by hand is laborious. I've written a software tool that automates much of the process.
Editors of OpenStreetMap can use my software to search for a place or region, generating a list of candidate matches from Wikidata, which can then be checked and saved to OpenStreetMap.
Linking the two projects isn't without controversy. They use different licenses which raises questions about what information from one project can be copied to the other.
In the presentation I will give details of a new version of the editing tool.
I will talk about the benefits of linking, the process of finding matches, the community response - including the controversy - and how people can get involved.
Edward became a member of Debian in 1998 and maintains over 70 Debian packages.
He has written several tools for BusyBox, a software suite that provides several Unix utilities in a single executable file.
Edward worked at the Internet Archive for five years as the original data librarian of the Open Library.
He builds tools for editing Wikipedia, Wikidata and OpenStreetMap.
Lina Ceballos
Interoperable Europe Act: A real game changer?
Interoperability is a core element of the ongoing digitalisation. With the Interoperable Europe Act (IEA), the EU is aiming to create a dedicated legal framework on interoperability that to date has been non-binding. This talk will provide an overview of the state of play of the existing interoperability frameworks and guidelines in the EU, to then delve into the proposed IEA and the role of Free Software, from both an EU but also Member States perspective. We will take a closer look at some of the IEA’s loopholes and flaws that could undermine its goal of becoming the real game changer for an interoperable Europe.
Lina has a background in Law and Political Science. Currently, she is a Policy Project Manager at the FSFE where she advocates for software freedom, making sure technology doesn't undermine people's rights. She has experience in monitoring legislative processes in the EU while engaging with different stakeholders and decision-makers.
Carol Chen
Scaling new heights in 2023 with the Ansible Community
The Ansible project and community have been going through tremendous amounts of change and growth in the past couple of years to adapt and scale with its adoption and uses. This session will provide an overview of the Ansible community strategy for 2023 in response to some of these changes, highlight new parts of the project such as Event-Driven Ansible and Project Wisdom, plus outreach plans as we welcome back in-person events.
Whether you are a casual Ansible user wanting to hear about the latest developments in the project, or someone looking to get more involved in the Ansible community in various ways, this talk can provide you with places to start. We will reserve some time for Q&A so we can hear from you, and share ways you can interact with us and the wider Ansible community.
Carol Chen is a Community Architect at Red Hat, having worked with several upstream communities such as ManageIQ, Koku, and currently Ansible. She has been actively involved in open source communities while working for Jolla and Nokia previously. In addition, she also has experience in software development/integration in her 12 years in the mobile industry. On a personal note, Carol plays the Timpani in an orchestra in Tampere, Finland, where she now calls home.
Julian Coccia
License compliance with AI assisted coding
This presentation will focus on the importance of validating license compliance when using AI-assisted coding, and how to identify undeclared open source components with Open Source compliance tools such as SCANOSS, FOSSology, FOSSlight, Scancode, and OSS Review Toolkit.
With the proliferation of AI in software development, the coding process has become faster and more efficient, but it has also created new risks associated with non-compliance if open source components are used without proper license assessment. Attendees will gain insights into how to enable the detection of undeclared AI-generated, open source components, and how this process helps organizations to mitigate compliance risks.
Passionate about Open Source license compliance. Developed global Open Source processes and tools at Ericsson. Co-founded and developed the core technology at FOSSID. Driving the Project Office at the Software Transparency Foundation to drive SBOM adoption. Leading the technology at SCANOSS.
Shane Coughlan
How The Linux Foundation Standards For License Compliance And Security Will Fix Your Supply Chain
The OpenChain License Compliance (ISO/IEC 5230) and Security Assurance standards provide simple and effective ways for companies in the supply chain to improve open source software management. Organizations around the world have engaged with these standards over the last five years for cost reduction, time optimization and to allow staff to work on tasks directly related to improving products and services. Data suggests significant traction in adoption, with an example being a recent PwC-sponsored survey showing 20% of German companies with more than 2,000 employees using ISO/IEC 5230. This talk will explain how the OpenChain Project is building the support structures needed to accomplish ever broader market adoption, ranging from community activities to reference material to a commercial ecosystem. It will focus on recent developments, especially around expanding work in security, in editing the next generations of the standards, and in lessons learned to revise our supplier education material. Attendees will leave this talk knowing current options for assessment, deployment and - in the case of customer companies - encouraging suppliers to use these standards too.
Shane Coughlan is an expert in communication, security and business development. His professional accomplishments include building the largest open source governance community in the world through the OpenChain Project, spearheading the licensing team that elevated Open Invention Network into the largest patent non-aggression community in history and establishing the first global network for open source legal experts. He is a founder of both the first law journal and the first law book dedicated to open source. He currently leads the OpenChain Project, acts as an advisor to both World Mobile and Asylum Labs, and is a General Assembly Member of OpenForum Europe.
Jose E
GNU poke, the extensible editor for structured binary data
GNU poke is an interactive, extensible editor for binary data. Not limited to editing basic entities such as bits and bytes, it provides a full-fledged procedural, interactive programming language designed to describe data structures and to operate on them.
GNU poke tries to overcome the typical limitations of simpler classical binary editors. Examples are bit orientation, support for defining dynamic structures, and the Poke language which has been specifically designed for both describing binary layouts and to work with the corresponding data.
In this activity I will do a general introduction to the program and the Poke programming language, using little practical examples. We will see how poke can also be used in order to implement binary utilities, and fast prototypes.
This talk is oriented to software developers, security and reverse-engineering folk. But it shall be accessible enough for anyone wanting to venture into poking at binary files, memory of processes, protocols, and the like.
Long term GNU contributor and maintainer. Member of the GNU Advisory Committee. Authorized speaker of the GNU Project.
Currently employed by Oracle as their Technical Lead of the Compilers and Toolchain team.
Jonas Gamalielsson
Towards open government through open source software for web analytics: the case of Matomo
Web analytics technologies provide opportunities for organisations to obtain information about users visiting their websites in order to understand and optimise web usage. Use of such technologies often leads to issues related to data privacy and potential lock-in to specific suppliers and proprietary technologies. Use of open source software (OSS) for web analytics can create conditions for avoiding issues related to data privacy and lock-in, and thereby provides opportunities for a long-term sustainable solution for organisations both in the public and private sectors. This talk describes use of and engagement with OSS projects for web analytics. Specifically, the focus is on use of OSS licensed web analytics technologies in Swedish government authorities and on organisational engagement with the Matomo OSS project for web analytics. The talk also includes practitioner experiences and recommendations concerning use and provision of services related to Matomo.
Jonas Gamalielsson is a researcher and senior lecturer at the University of Skövde, Skövde, Sweden, where he is a member of the Software Systems Research Group. His research interests include open source software and open standards for addressing challenges related to lock-in, interoperability, and longevity of systems. Gamalielsson received his Ph.D. from Heriot-Watt University in 2009.
Petter Joelson
Free software for citizen participation - using the Decidim platform locally and on EU level
Free software platforms for citizen participation have spread rapidly in the last few years and enabled participatory budgets and citizen involvement for millions of people. Petter Joelson from Swedish Digidem Lab shares their experiences of working with the Decidim platform for the Future of Europe conference, New York City as well as small cities in Sweden. He also shows how the model of free software being developed by larger cities together with local companies has given Decidim an international reach and ability to adapt to local needs.
Petter Joelson is a digital strategist and founder of Digidem Lab, a development lab and consultancy for citizen participation that has provided training and digital platforms for the EU Commission, New York City, Chicago and various Swedish cities.
Zeeshan Ali Khan
D-Bus Oxidized
D-Bus is an IPC mechanism that is very ubiquitous on Linux desktop and embedded systems. It is the mechanism you'd use to communicate with many of the core Linux userspace subsystems, such as systemd, NetworkManager etc. Traditionally, most of these services have been written in C, a language known for its lack of safety.
In the past years, Zeeshan has developed a library called zbus, for enabling implementation of D-Bus services and clients in a programming language designed for safety: Rust. While that is a major step forward, the communication typically still happens through the D-Bus broker, which is written in C. A significant percentage of CVEs reported against the D-Bus brokers over the years could have been avoided if they were written in Rust. This is why Zeeshan has recently started working on writing a D-Bus broker in Rust, called dbuz.
In this talk, Zeeshan will walk us through a summary of his journey so far, starting with an introduction to D-Bus. He will conclude with his plans and dreams for the future of D-Bus.
Free Software developer, Ecomodernist, into flying & Rust, and love cats.
Alexander Kjäll
Packaging Rust for Debian
Rust has emerged as a good fit for building new tooling: it's both fast and has a strong focus on safety. And the popularity of the language is currently growing.
One way we can help fuel this trend is by making sure that software built in Rust is well packaged and easily available for consumption.
This talk will be an introduction to the practical work on how Rust packaging works in Debian. By exploring the journey from developer to end user I hope to shine some light on the design choices that have been made by Debian, and how they interact with the Rust ecosystem.
Part of the Debian Rust team, and currently packaging about 100 Rust packages in Debian.
Contributes to a password manager written in Rust: https://github.com/cortex/ripasso
Works as a security engineer during the day.
Holger Levsen
Reproducible Builds, the first ten years
In this talk Holger Levsen will give an overview of reproducible builds. How it started with a small BoF at DebConf13 (and before), how it grew from being a Debian effort to something many projects work on together, until in 2021 it was mentioned in an executive order of the president of the United States. And of course the talk will not end there but rather outline where we are today and where we still need to be going, until Debian stable will be 100% reproducible, verified by many.
And while this talk will have a Debian focus, reproducible builds in other projects will be featured and not be left behind. Holger Levsen has been involved in reproducible builds since 2014 and has worked on reproducing Fedora, Arch Linux, NetBSD, coreboot and others.
Holger Levsen has been a Debian user for more than 25 years and an official Debian member since 2007. Since 2014 his main focus has been Reproducible Builds, though he is still involved in some other Debian areas like general QA and Debian Edu.
Mathias Lindroth
Enabling or inhibiting FOSS Usage Through Procurement Projects: What can and should be done?
Abstract: Market concentration with a few dominant global providers of cloud-based Software-as-a-Service (SaaS) solutions causes concern amongst competition authorities and public sector organisations which aim to maintain control of their data processing and long-term maintenance of digital assets. This imposes a range of technical and legal challenges, which in turn may inhibit opportunities for usage of FOSS. When a public sector organisation (PSO) acquires and uses a cloud-based SaaS solution, such as Microsoft 365 and Google Workspace, this implies that data processing and maintenance of the organisation’s digital assets will be exposed to a range of different types of lock-in effects. For example, format lock-in causes technical and legal challenges which may prevent establishment of FOSS projects and impose risks for unlawful and inappropriate data processing. Further, two of the most talked about obstacles for use of US SaaS solutions are about to be addressed by the legislators: (1) by proposed revisions to the domestic Secrecy Act (SFS 2009:400) issued by the Swedish Government on 26 January 2023, and (2) by the EU Commission's proposed adequacy decision for the EU-U.S. Data Privacy Framework of 13 December 2022. Moreover, there are also several other factors which need to be assessed in order to conclude that data processing and maintenance of digital assets is lawful.
This presentation addresses widespread practices with illustrative examples concerning how PSOs express mandatory requirements in public procurement projects which inhibit FOSS usage. Specifically, the presentation elaborates issues concerning lawfulness and appropriateness related to a PSO’s procurement and use of a cloud-based SaaS solution without having identified and obtained all relevant contract terms, all applicable licences, and all applicable FOSS that would allow for ensuring long-term maintenance of digital assets independently of the SaaS solution initially used. In particular, we highlight the necessity of ensuring availability of appropriate FOSS in order to allow for lawful and appropriate data processing and maintenance of digital assets over a life-cycle beyond the SaaS solution currently used.
By drawing from extensive research in the area, this presentation provides a brief overview and illustrative examples concerning how current practice amongst public sector organisations discriminates against FOSS usage. In particular, we elaborate how adoption and use of a cloud-based SaaS solution in each PSO causes format lock-in, which in turn may prevent data sovereignty. From this presentation we hope to open up the floor for a broader discussion amongst participants of fundamental challenges concerning how to avoid discrimination of FOSS.
References:
Lundell, B., Gamalielsson, J., Butler, S., Brax, C., Persson, T., Mattsson, A., Gustavsson, T., Feist, J. & Öberg, J. (2021) Enabling OSS usage through procurement projects: How can lock-in effects be avoided?, In Taibi, D. et al. (Eds.), The 13th International Conference on Open Source Systems (OSS 2021), IFIP Advances in Information and Communication Technology, Vol. 624, Springer, Cham, pp. 16-27. https://doi.org/10.1007/978-3-030-75251-4_2
Lundell, B., Gamalielsson, J. & Katz, A. (2023) Implementing the HEVC standard in software: Challenges and Recommendations for organisations planning development and deployment of software, Journal of Standardisation, Vol. 2. https://doi.org/10.18757/jos.2022.6695
Lundell, B., Gamalielsson, J., Katz, A. & Lindroth, M. (2022a) Use of Commercial SaaS Solutions in Swedish Public Sector Organisations under Unknown Contract Terms, In Janssen, M. et al. (Eds.) EGOV 2022: Electronic Government, Lecture Notes in Computer Science, Vol 13391, Springer, Cham, pp. 73-92. https://doi.org/10.1007/978-3-031-15086-9_6
Lundell, B., Gamalielsson, J., Katz, A., & Lindroth, M. (2022b) Data Processing and Maintenance in Different Jurisdictions When Using a SaaS Solution in a Public Sector Organisation, JeDEM – EJournal of EDemocracy and Open Government, Vol. 14(2), pp. 214-234. https://doi.org/10.29379/jedem.v14i2.749
Mathias Lindroth is a Malmö-based lawyer specializing in IT and intellectual property law. Formerly a partner at Sigeman & Co, Mathias now runs the boutique firm ACF Legal. Mathias collaborates, mainly on a pro bono basis, with the researchers of the Software Systems Research Group at the University of Skövde in several projects. Mathias is a board member of Open Source Sweden and the convening member of said organization's task force for cloud issues. Mathias is co-author of several research papers relating to the use of SaaS solutions in public administration.
Johan Linåker
Municipal collaboration on open source software - Why is it so hard?
Open Source Software (OSS) is today widely adopted as a means of collaboration and building commercial offerings and software supply-chains in the industry. Cost-sharing and open innovation, avoiding lock-ins, driving technological change, and establishing shared standards are commonly referred to as incentives, of which many also apply to Public Sector Organizations (PSOs). Yet, uptake and institutional capacity have thus far been limited and disproportionate to the potential upside in economic terms.
Explanations may be found in PSOs’ dependence on acquiring and outsourcing technical capabilities and, by extension, their limited competency regarding OSS and software development. Additional challenges are implied by public procurement regulations and practices, which impact conditions for how PSOs can procure OSS. Symptomatic organizational barriers for PSOs, such as bureaucratic processes, short-term planning, and risk-aversive culture, further add to the mix.
For municipalities, these challenges are accentuated due to their limited size and resources. However, so is the potential for collective action due to the type of public services they are required to provide. In Sweden, for example, we have 290 municipalities, all with the responsibility (among many) to provide elderly and daycare, school, and social services. As in industry, there is, hence, the potential for shared and standardized platforms and infrastructure, on which tailoring of specific needs can be applied in a modular structure.
In this talk, we will look at previous and ongoing municipal collaborations in Sweden and on a European level and walk through both challenges, their consequences, and how they may be addressed and mitigated. The aim is to provide food for thought and practical advice for PSOs and software suppliers regarding how they can find a basis for a fruitful and mutually beneficial collaboration based on openness and transparency.
Johan is a senior researcher at RISE Research Institutes of Sweden with focus and passion for open source software, data, gov and innovation. Co-founder and community manager for NOSAD.se.
Björn Lundell
Enabling or inhibiting FOSS Usage Through Procurement Projects: What can and should be done?
Abstract: Market concentration with a few dominant global providers of cloud-based Software-as-a-Service (SaaS) solutions causes concern amongst competition authorities and public sector organisations which aim to maintain control of their data processing and long-term maintenance of digital assets. This imposes a range of technical and legal challenges, which in turn may inhibit opportunities for usage of FOSS. When a public sector organisation (PSO) acquires and uses a cloud-based SaaS solution, such as Microsoft 365 and Google Workspace, this implies that data processing and maintenance of the organisation’s digital assets will be exposed to a range of different types of lock-in effects. For example, format lock-in causes technical and legal challenges which may prevent establishment of FOSS projects and impose risks for unlawful and inappropriate data processing. Further, two of the most talked about obstacles for use of US SaaS solutions are about to be addressed by the legislators: (1) by proposed revisions to the domestic Secrecy Act (SFS 2009:400) issued by the Swedish Government on 26 January 2023, and (2) by the EU Commission's proposed adequacy decision for the EU-U.S. Data Privacy Framework of 13 December 2022. Moreover, there are also several other factors which need to be assessed in order to conclude that data processing and maintenance of digital assets is lawful.
This presentation addresses widespread practices with illustrative examples concerning how PSOs express mandatory requirements in public procurement projects which inhibit FOSS usage. Specifically, the presentation elaborates issues concerning lawfulness and appropriateness related to a PSO’s procurement and use of a cloud-based SaaS solution without having identified and obtained all relevant contract terms, all applicable licences, and all applicable FOSS that would allow for ensuring long-term maintenance of digital assets independently of the SaaS solution initially used. In particular, we highlight the necessity of ensuring availability of appropriate FOSS in order to allow for lawful and appropriate data processing and maintenance of digital assets over a life-cycle beyond the SaaS solution currently used.
By drawing from extensive research in the area, this presentation provides a brief overview and illustrative examples concerning how current practice amongst public sector organisations discriminates against FOSS usage. In particular, we elaborate how adoption and use of a cloud-based SaaS solution in each PSO causes format lock-in, which in turn may prevent data sovereignty. From this presentation we hope to open up the floor for a broader discussion amongst participants of fundamental challenges concerning how to avoid discrimination of FOSS.
References:
Lundell, B., Gamalielsson, J., Butler, S., Brax, C., Persson, T., Mattsson, A., Gustavsson, T., Feist, J. & Öberg, J. (2021) Enabling OSS usage through procurement projects: How can lock-in effects be avoided?, In Taibi, D. et al. (Eds.), The 13th International Conference on Open Source Systems (OSS 2021), IFIP Advances in Information and Communication Technology, Vol. 624, Springer, Cham, pp. 16-27. https://doi.org/10.1007/978-3-030-75251-4_2
Lundell, B., Gamalielsson, J. & Katz, A. (2023) Implementing the HEVC standard in software: Challenges and Recommendations for organisations planning development and deployment of software, Journal of Standardisation, Vol. 2. https://doi.org/10.18757/jos.2022.6695
Lundell, B., Gamalielsson, J., Katz, A. & Lindroth, M. (2022a) Use of Commercial SaaS Solutions in Swedish Public Sector Organisations under Unknown Contract Terms, In Janssen, M. et al. (Eds.) EGOV 2022: Electronic Government, Lecture Notes in Computer Science, Vol 13391, Springer, Cham, pp. 73-92. https://doi.org/10.1007/978-3-031-15086-9_6
Lundell, B., Gamalielsson, J., Katz, A., & Lindroth, M. (2022b) Data Processing and Maintenance in Different Jurisdictions When Using a SaaS Solution in a Public Sector Organisation, JeDEM – EJournal of EDemocracy and Open Government, Vol. 14(2), pp. 214-234. https://doi.org/10.29379/jedem.v14i2.749
Professor Björn Lundell (Ph.D. from the University of Exeter in 2001) has been a staff member and researcher at the University of Skövde since 1984. He leads the Software Systems Research Group and his research is reported in over 100 publications in a variety of international journals and conferences. Professor Lundell’s research contributes to theory and practice in the software systems domain and addresses fundamental socio-technical challenges related to procurement, development, and use of software systems under different forms of IT operations. His research focuses on different aspects of lock-in, interoperability, and long life-cycles for systems and related digital assets, and centres on different aspects of openness (in particular open source and open standards).
Daphne Muller
The Shocking Link Between Privacy and Progress: What You Need to Know About AI
Artificial intelligence (AI) promises to bring remarkable advancements to society and solve pressing problems. However, as we have seen in recent years, AI is at the moment actually causing societal problems, like bias, discrimination, significant electricity consumption, and misinformation. At Nextcloud, we are now faced with AI taking over the productivity software space, and recognize both the potential and the challenges of AI, and we are facing a dilemma about how to integrate this technology into our products in a way that aligns with our values. In this keynote speech, we will explore the complex relationship between privacy and progress in the context of AI. We will discuss the risks associated with the collection, storage, and use of personal data in AI applications, and the potential for unintended consequences that can harm individuals and society as a whole. Furthermore, we will examine how privacy and open-source values can coexist with AI, and what measures we can take to ensure that progress is made in a way that upholds our fundamental rights and values. Join us as we delve into the complex relationship between privacy, progress, and AI, and discover how we can navigate this new era of innovation while staying true to our core principles.
Daphne Muller is a privacy advocate, researcher, and Manager of Alliances, Ecosystem & Support at Nextcloud. She has conducted academic research on the future of the technology industry, with a particular focus on data minimization and privacy-preserving technologies. As a sought-after speaker and commentator, Daphne shares her insights on privacy and data protection issues, including in her TEDx talk on data minimization and privacy. Her idea worth spreading? By collecting less personal data, we will get more innovation, more progress, and more humanity.
Philippe Ombredanne
A mostly universal way to identify SBOM packages with a Package-URL
The Package-URL (aka PURL) has emerged as a useful alternative software package identifier for SBOMs and beyond.
This session presents PURL, how and where in FOSS PURLs are used and the tools they enable.
The Package-URL is a simple spec that has emerged as an important way to identify packages in SBOMs and in software composition analysis (SCA). It is useful to identify packages as used in SBOM, vulnerability and dependency management.
Join me for:
  • a quick introduction to PURL and how they compare with other package identifiers.
  • a review of PURL usage in SPDX and CycloneDX and how PURL can contribute to minimal but powerful SBOMs.
  • a tour of which FOSS projects use PURL such as Anchore, ORT, Fosslight, ScanCode, VulnerableCode and many others.
  • how the new "VERS" version range companion spec can normalize dealing with dependency and vulnerable version ranges.
  • how to build PURLdb, an open database of all the PURLs.
  • how to automatically map PURLs with legacy identifiers.
Philippe Ombredanne is a passionate FOSS hacker, lead maintainer of ScanCode and VulnerableCode, creator of Package URL and on a mission to make FOSS code easier and safer to reuse with best-in-class open source Software Composition Analysis and SBOM tools for open source discovery, license & security compliance at https://aboutcode.org and the CTO of nexB Inc.
Per Persson
Municipal collaboration on open source software - Why is it so hard?
Open Source Software (OSS) is today widely adopted as a means of collaboration and building commercial offerings and software supply-chains in the industry. Cost-sharing and open innovation, avoiding lock-ins, driving technological change, and establishing shared standards are commonly referred to as incentives, of which many also apply to Public Sector Organizations (PSOs). Yet, uptake and institutional capacity have thus far been limited and disproportionate to the potential upside in economic terms.
Explanations may be found in PSOs’ dependence on acquiring and outsourcing technical capabilities and, by extension, their limited competency regarding OSS and software development. Additional challenges are implied by public procurement regulations and practices, which impact conditions for how PSOs can procure OSS. Symptomatic organizational barriers for PSOs, such as bureaucratic processes, short-term planning, and risk-aversive culture, further add to the mix.
For municipalities, these challenges are accentuated due to their limited size and resources. However, so is the potential for collective action due to the type of public services they are required to provide. In Sweden, for example, we have 290 municipalities, all with the responsibility (among many) to provide elderly and daycare, school, and social services. As in industry, there is, hence, the potential for shared and standardized platforms and infrastructure, on which tailoring of specific needs can be applied in a modular structure.
In this talk, we will look at previous and ongoing municipal collaborations in Sweden and on a European level and walk through both challenges, their consequences, and how they may be addressed and mitigated. The aim is to provide food for thought and practical advice for PSOs and software suppliers regarding how they can find a basis for a fruitful and mutually beneficial collaboration based on openness and transparency.
Johan is a senior researcher at RISE Research Institutes of Sweden with focus and passion for open source software, data, gov and innovation. Co-founder and community manager for NOSAD.se.
Simon Phipps
Speaking Up For FOSS Now Everyone Uses It
At 40 years old, FOSS has become a full citizen in modern society. By popularising and catalysing the pre-existing concepts from the free software movement, open source has moved to the heart of the connected technology revolution over the last 25 years. In Europe, it now drives nearly 100 Billion Euros of GDP. Unsurprisingly, it is now the focus of much political attention from all directions - including regulators and detractors. Today everyone wants to be FOSS - including many who really don't but want the cachet.
In 2022, the mounting wave broke and legislation affecting our movement cascaded into view in the USA and Europe. In Europe, the DSA, Data Act, AI Act, CRA, PLD, and several more major legislative works emerged from the Digital Agenda. Despite its apparent awareness of open source, this legislation appeared ill-suited for the reality of our communities. Why is that? Where do standards come into this? Where is this heading?
Simon Phipps is currently director of standards and EU policy for the Open Source Initiative, where he was previously a member of the board of directors and board President. He has also served as a director at The Document Foundation, the UK's Open Rights Group and other charities and non-profits. Prior to that, he ran one of the first OSPOs at Sun Microsystems, was one of the founders of IBM's Java business, worked on video conference software and standards at IBM and was involved with workstation and networking software at Unisys/Burroughs. A European rendered stateless by British politics, he lives in the UK.
Martin Raspaud
Empowering weather-satellite data users with FOSS: the Pytroll case
This talk will give an example of how a free and open-source software project can become leading in its field. Here, we will focus on Pytroll, a library to read and process earth-observing weather-satellite data. We will share our path to free and open-source software, the experience of comparing against commercial software, how multiple weather institutes internationally decided to adopt it as their main tool for processing satellite imagery, and how it is now thriving around a community of dedicated users, developers and researchers.
Martin Raspaud is Software Engineer and Research Leader at the Swedish Meteorological and Hydrological Institute (SMHI) in Norrköping, Sweden. Since he started there in 2009, he has been driving a prominent FOSS project in the field of Earth-Observation from Satellite called Pytroll. For the past few months, he has led researchers at SMHI on the topic of Software Methods for Meteorological Applications, in which he promotes the use and development of FOSS for research.
Francisco Blas Izquierdo Riera (klondike)
Clipaha: a free software library to move password hashing to the client
Modern password hashing algorithms like Argon2 have high memory and CPU requirements which make it impossible to deploy them on embedded devices and may open systems using them to DoS attacks.
The solution to this is making the client perform the computation since it is the one who should bear the burden of proving its identity. Making this happen is not trivial as it may open the door to new attacks.
Clipaha also aims to address other concerns like the complexity of choosing the hash security parameters.
This talk will introduce developers to Clipaha and how to use it to upgrade authentication flows using strong password hashing.
Klondike has a long history of being an open source developer starting with the Kontinuidad Jabata project in 2006 and moving towards other endeavours like the Gentoo Hardened project. Currently, klondike is researching techniques to solve security problems affecting the real world including authentication issues and vulnerability exploitation.
Ramon Soto Mathiesen
How to transform AVRO (IDL) data to multiple PARQUET files
Currently, when working with Apache Kafka® and Azure Databricks® (Apache Spark®), there is a built-in mechanism to transform Apache Avro® data to Apache Parquet® files. The issue with this approach, if we think in medallion lakehouse architecture, is that AVRO with nested data will be persisted in a single PARQUET file in the bronze layer (full, raw and unprocessed history of each dataset), relying on ArrayType, MapType and StructType to represent the nested data. This will make it a bit more tedious to post-process data respectively in the following layers: silver (validated and deduplicated data) and gold (data as knowledge).
To avoid this issue, we present an open-source library that will help transform AVRO with nested data to multiple PARQUET files, where each of the nested data elements will be represented as an extension table (separate file). This will allow merging both the bronze and silver layers (full, raw and history of each dataset combined with defined structure, enforced schemas as well as validated and deduplicated data), to make it easier for data engineers/scientists and business analysts to combine data with already known logic (SQL joins).
As two of the medallion layers are being combined into a single one, it might lead to a possible saving of ⅓ in disk usage. Furthermore, since we aren't relying on a naive approach when flattening and storing data, it could further lead to greater savings and a more sustainable and environmentally friendly approach.
I am Mr. Math (Ramón Soto Mathiesen), a passionate "datologist" with a flair for functional programming languages and business, who advocates for correctness, code quality and high standards, but always with the customer in mind.
Joachim Strömbergson
Introducing Tillitis TKey - a radically open authentication platform that fits in your pocket
The Tillitis TKey device is a new authentication and application platform that can be carried in your pocket. The TKey is fully open - from circuit board to applications, and yet provides strong security foundations.
In the talk we will present what the TKey is, how it works and how it can be used to solve common and new application and authentication problems.
For more information, see: https://tillitis.se/ and https://github.com/tillitis
Joachim Strömbergson is an IT security consultant focusing on embedded and digital hardware and cryptography. Joachim has been involved in open and free source projects for many years. Joachim has been part of the Cryptech Open HSM core team. Joachim has also released several open crypto implementations - hardware as well as SW.
Joachim is head of the digital design at Tillitis and is the main designer of the FPGA in the open TKey project.
Jonas Södergren
Arbetsförmedlingen's experiences with JobTech and open source: Sharing 400 repositories and successful collaborations
Welcome to my presentation on Arbetsförmedlingen's experiences with JobTech and open source. Over the past few years, we have shared 400 different source code repositories and explored the possibilities of open source to improve our operations and deliverables through open data APIs. Today, I will discuss our successes, challenges, and collaborations with other organizations within the JobTech and open source communities. We will explore how JobTech and open source have helped us to enhance our work and results, as well as the lessons we have learned along the way. I hope you will leave this presentation with a better understanding of how open source can be used in public agencies to be more open and efficient. For more information, all of our code can be found on GitLab at https://gitlab.com/arbetsformedlingen.
Jonas has been working at Arbetsförmedlingen for several years and has extensive experience as a Technical Lead and programmer for JobTech. He has played a pivotal role in the delivery of open source software and open data APIs.
Florian Wagner
Baremetal Software ❤ FOSS
Developing baremetal software can be daunting, all the more when the hardware is hard to come by or evolving in parallel. Thankfully, open source projects can be used to build an effective and even comfortable development environment. This talk shows by example how to create such a development environment, which includes testing and code coverage.
Driven by a desire to understand the insides of software, Florian has always been drawn to the underlying technologies. Most recently this has led to thinking about how knowledge about these technologies is gained and communicated.