
The Free and Open source Software Developers’ European Meeting (FOSDEM) is a non-commercial, volunteer-organized European event centered on free and open source software development. It is aimed at developers and anyone interested in the open source software movement.
Open Source Security Foundation (OpenSSF) had a community presence at FOSDEM 2025, engaging with the open source community through insightful sessions, collaborative discussions, and the announcement of a major global cybersecurity initiative.
Major Announcement: Global Cybersecurity Legislation Preparedness Initiative
One of the major highlights of FOSDEM 2025 was the announcement of a global joint initiative led by Linux Foundation Europe and OpenSSF. This initiative aims to prepare open source maintainers, manufacturers, and software stewards for the implementation of the EU Cyber Resilience Act (CRA) and other upcoming global cybersecurity regulations.
Key focus areas of the initiative include:
- Developing community-driven cybersecurity specifications to help projects align with regulatory requirements.
- Providing compliance guidance and tools for open source maintainers and manufacturers.
- Implementing processes and tooling to simplify CRA compliance across open source ecosystems.
Mirko Boehm, Senior Director for Community Development at Linux Foundation Europe, emphasized the importance of this initiative in reducing compliance friction for maintainers and software manufacturers.
Meanwhile, Christopher “CRob” Robinson, Chief Security Architect at OpenSSF, highlighted the responsibility of commercial entities in implementing security measures, ensuring that open source maintainers are not overburdened by regulatory demands.
With cybersecurity regulations evolving worldwide, this initiative is a significant step toward equipping open source communities with the necessary tools and frameworks to navigate compliance effectively. OpenSSF remains committed to fostering secure and sustainable open source ecosystems through collaboration and innovation.
Get involved and stay updated:
- Visit the WG Repository: Global Cyber Policy WG GitHub
- Join Our Slack Channel: #wg-globalcyberpolicy on Slack
- Subscribe to Mailing Lists:
Sessions on Open Source Security:
OpenSSF community members led several sessions covering critical topics in open source security, SBOMs, Sigstore, and supply chain resilience. Here are some key highlights:
Airflow Beach Cleaning – Securing Supply Chain
This presentation by Jarek Potiuk, Munawar Hafiz (OpenRefactory, Inc.), and Michael Winser (Alpha-Omega) explored securing supply chains in open source projects. The talk focused on the real-world application of SBOMs at scale, moving beyond their creation to practical usage. It highlighted a collaborative effort between the Python Software Foundation (PSF), Apache Software Foundation (ASF), Airflow Project Management Committee (PMC), and Alpha-Omega Fund to enhance security across the Airflow ecosystem. This session provided insights into strengthening open source security through community-driven initiatives and proactive supply chain protection.
How FreeBSD security audits have improved our security culture
Michael Winser (Alpha-Omega) and Pierre Pronchery (Senior IT-Security Consultant) explored how recent security audits of the Bhyve and Capsicum subsystems have strengthened FreeBSD’s security culture. The talk reviewed key findings from these audits, lessons learned, and the long-term impact on FreeBSD’s approach to security. Additionally, it highlighted how public and private funding efforts have supported this critical work, showcasing a collaborative model for sustaining open source security improvements.
Funding FOSS together
Mirko Swillus (Sovereign Tech Agency) and Michael Winser (Alpha-Omega) shared their thoughts and learnings from several years of funding open source sustainability and security in the packed “Funding the FOSS Ecosystem” devroom. The session explained how each organization approaches funding and how they hope to collaborate more in the future.
Discover Dependency License Information Using SBOMs and ClearlyDefined
SBOMs offer powerful capabilities for tracking license and legal information, but gaps often remain due to missing or incomplete data. This talk by Jeff Mendoza (Kusari) explored how ClearlyDefined, a community-driven project, enhances license clarity by leveraging deep scanning tools like ScanCode to uncover legal details that may not be explicitly declared by package authors.
Jeff introduced new SBOM tooling built with Protobom, which enables querying licenses, generating NOTICE files, and enhancing SBOMs with high-fidelity legal information from ClearlyDefined. Attendees learned how these advancements improve software transparency and compliance, ensuring more accurate and complete SBOMs for open source projects.
The Breadth and Depth of SBOMs
Tracking multiple SBOMs over time provides deeper insights into vulnerabilities, licensing risks, and dependency changes. Michael Lieberman (Kusari) explored how analyzing SBOMs across versions and environments helps organizations answer key security questions, such as in which release a vulnerability was fixed and which risks are shared across several pieces of software.
The talk highlighted how tools like jq, DuckDB, and GUAC can be used to track and analyze SBOMs, improving software security and supply chain management.
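The kind of cross-version and cross-product SBOM analysis described above, as an added example that is not code from the talk, from GUAC, or from any other project mentioned here. It works on constructed, SPDX-flavoured SBOM fragments embedded inline and a constructed vulnerability mapping (the `EXAMPLE-VULN-0001` identifier is a placeholder, not a real advisory); a practitioner would feed it SBOMs exported from a build and vulnerability data from a real feed instead.

```python
from collections import defaultdict

# Constructed, SPDX-flavoured SBOM fragments for illustration only (not real data).
SBOM_V1 = {
    "name": "example-service@1.0",
    "packages": [
        {"name": "libfoo", "versionInfo": "1.2.0", "licenseDeclared": "MIT"},
        {"name": "libbar", "versionInfo": "0.9.1", "licenseDeclared": "GPL-3.0-only"},
        {"name": "libbaz", "versionInfo": "2.0.0", "licenseDeclared": "Apache-2.0"},
    ],
}
SBOM_V2 = {
    "name": "example-service@1.1",
    "packages": [
        {"name": "libfoo", "versionInfo": "1.3.0", "licenseDeclared": "MIT"},
        {"name": "libbaz", "versionInfo": "2.0.0", "licenseDeclared": "Apache-2.0"},
        {"name": "libqux", "versionInfo": "4.1.0", "licenseDeclared": "BSD-3-Clause"},
    ],
}
# A second product's SBOM, used to show shared risk across different software.
SBOM_OTHER = {
    "name": "example-batch@3.2",
    "packages": [
        {"name": "libfoo", "versionInfo": "1.2.0", "licenseDeclared": "MIT"},
        {"name": "libqux", "versionInfo": "4.1.0", "licenseDeclared": "BSD-3-Clause"},
    ],
}
# Constructed vulnerability data: affected (package, version) -> placeholder id.
KNOWN_VULNS = {("libfoo", "1.2.0"): "EXAMPLE-VULN-0001"}


def versions(sbom):
    """Map package name -> declared version for one SBOM."""
    return {p["name"]: p["versionInfo"] for p in sbom["packages"]}


def diff_sboms(old, new):
    """Classify dependency changes between two versions of the same software."""
    o, n = versions(old), versions(new)
    return {
        "added": sorted(set(n) - set(o)),
        "removed": sorted(set(o) - set(n)),
        "upgraded": {k: (o[k], n[k]) for k in sorted(set(o) & set(n)) if o[k] != n[k]},
    }


def vulns_fixed_between(old, new, vulns=KNOWN_VULNS):
    """Vulnerabilities that affected a (package, version) present in the old SBOM
    and absent from the new one, i.e. fixed by an upgrade or a removal."""
    old_set = {(p["name"], p["versionInfo"]) for p in old["packages"]}
    new_set = {(p["name"], p["versionInfo"]) for p in new["packages"]}
    return {vid for key, vid in vulns.items() if key in old_set and key not in new_set}


def shared_risk(*sboms, vulns=KNOWN_VULNS):
    """For every known-vulnerable (package, version), list the SBOMs that contain it."""
    hits = defaultdict(list)
    for sbom in sboms:
        for p in sbom["packages"]:
            key = (p["name"], p["versionInfo"])
            if key in vulns:
                hits[vulns[key]].append(sbom["name"])
    return dict(hits)


def license_changes(old, new):
    """Packages whose declared license changed between the two versions."""
    o = {p["name"]: p["licenseDeclared"] for p in old["packages"]}
    n = {p["name"]: p["licenseDeclared"] for p in new["packages"]}
    return {k: (o[k], n[k]) for k in set(o) & set(n) if o[k] != n[k]}


if __name__ == "__main__":
    print("changes 1.0 -> 1.1:", diff_sboms(SBOM_V1, SBOM_V2))
    print("fixed in 1.1:", vulns_fixed_between(SBOM_V1, SBOM_V2))
    print("shared exposure:", shared_risk(SBOM_V1, SBOM_V2, SBOM_OTHER))
    print("license changes:", license_changes(SBOM_V1, SBOM_V2))
```

The same questions scale up with the tooling named in the talk: the per-SBOM dictionaries here correspond to what one would load into DuckDB or query with jq, and GUAC keeps this graph of software, components and vulnerabilities persistently instead of rebuilding it per run.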
Hunting for GitHub Actions Bugs with Zizmor
GitHub Actions powers critical workflows for open source projects, but how secure are they? This talk by William Woodruff (Trail of Bits) explored the security model of GitHub Actions, revealing real-world vulnerabilities and common exploitation patterns found in widely used actions and workflows.
William Woodruff introduced Zizmor, a Rust-based static analysis tool designed to detect security flaws in GitHub Actions. Attendees learned how to identify risks, follow best practices, and use Zizmor to enhance security both locally and in CI environments.
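To illustrate the kind of check a static analyzer for workflows performs, here is an added example in Python; it is not Zizmor's code and its rule names and the `UNTRUSTED_PREFIXES` list are assumptions for illustration. It audits a constructed workflow (held as the dict a YAML parser would produce, so no YAML library is needed) for two well-known weaknesses: untrusted event data interpolated directly into a `run:` script, and actions referenced by a mutable tag rather than a commit SHA. The third step shows the usual mitigation of passing the value through an environment variable instead.

```python
import re

# Constructed workflow (not from any real project), as parsed from YAML.
WORKFLOW = {
    "on": {"issues": {"types": ["opened"]}},
    "jobs": {
        "triage": {
            "runs-on": "ubuntu-latest",
            "steps": [
                # Mutable tag: the referenced code can change under the workflow.
                {"uses": "actions/checkout@v4"},
                # Event data expanded straight into shell text.
                {"name": "echo title",
                 "run": 'echo "New issue: ${{ github.event.issue.title }}"'},
                # Mitigated form: the value reaches the shell only as a variable.
                {"name": "safe echo",
                 "env": {"TITLE": "${{ github.event.issue.title }}"},
                 "run": 'echo "New issue: $TITLE"'},
            ],
        }
    },
}

# Expression contexts whose content is controlled by whoever triggered the event.
# Assumed, illustrative list; a real tool maintains a much fuller one.
UNTRUSTED_PREFIXES = (
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.comment.body",
    "github.head_ref",
)
EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")


def is_sha_pinned(uses):
    """True when a `uses:` reference is pinned to a full 40-hex commit SHA."""
    if uses.startswith("./") or uses.startswith("docker://"):
        return True  # local or image references: out of scope for this check
    ref = uses.rsplit("@", 1)[1] if "@" in uses else ""
    return re.fullmatch(r"[0-9a-f]{40}", ref) is not None


def audit_workflow(wf):
    """Return one finding per weakness, in job/step order."""
    findings = []
    for job_name, job in wf.get("jobs", {}).items():
        for idx, step in enumerate(job.get("steps", [])):
            uses = step.get("uses")
            if uses and not is_sha_pinned(uses):
                findings.append({"job": job_name, "step": idx,
                                 "kind": "unpinned-uses", "detail": uses})
            # Only expressions inside the script body itself are flagged;
            # the same expression in `env:` is the recommended pattern.
            for expr in EXPR.findall(step.get("run") or ""):
                if expr.startswith(UNTRUSTED_PREFIXES):
                    findings.append({"job": job_name, "step": idx,
                                     "kind": "template-injection", "detail": expr})
    return findings


if __name__ == "__main__":
    for f in audit_workflow(WORKFLOW):
        print(f"{f['kind']}: job={f['job']} step={f['step']} ({f['detail']})")
```

Running this in CI alongside the real tool is the point of the talk's "locally and in CI" advice: the findings are deterministic, so they can gate a pull request before a workflow change lands.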
Enhancing Artifact Security with GitHub Artifact Attestations
Ensuring the integrity of build artifacts, such as container images, is essential in modern software development. This talk introduced GitHub Artifact Attestations, a signing solution built on open source security frameworks like TUF and Sigstore.
Fredrik Skogman (GitHub) demonstrated how to generate signed SLSA attestations, verify their authenticity, and enhance supply chain security. Attendees gained insights into leveraging tools like Sigstore, in-toto, SLSA, and TUF to strengthen artifact security and improve trust in the software development lifecycle.
Zephyr: Open Source Project Best Practices Over Time
Kate Stewart (The Linux Foundation) delivered multiple sessions focused on open source security, best practices, and Software Bill of Materials (SBOMs) – key areas of interest for OpenSSF and the broader security community.
The Zephyr project has become one of the most active open source initiatives, surpassing 100,000 commits in 2024. A key factor in its success has been its commitment to security and best practices from the start. Drawing lessons from the Linux Kernel Community, Zephyr integrated secure development processes early on, ensuring a strong foundation for safety certification. This talk by Kate explored how these practices have led to a sustainable and secure ecosystem, providing insights for other open source projects.
Software Bill of Materials (SBOM)
SBOMs are becoming a critical component of software security and supply chain transparency. The devroom brought together experts to share advancements and best practices in using SBOMs to enhance software security. Check out the devroom sessions here.
In an open Q&A session, Kate Stewart facilitated discussions around SBOM implementation, security risks, and regulatory compliance. This interactive forum allowed participants to address real-world challenges, explore security implications of SBOMs, and engage with industry experts.
Across these sessions, the emphasis was on security, transparency, and best practices – all core values of OpenSSF. The talks highlighted how secure open source development and supply chain security measures like SBOMs are shaping the future of software security.
Community Meetups and Discussions
In addition to technical talks, the Global Cyber Policy Working Group hosted two in-person meetup sessions. These meetups provided an opportunity for community members to discuss critical cybersecurity topics, exchange ideas, and explore ways to improve open source security practices collectively.
Thank you to everyone who participated in FOSDEM 2025! We look forward to continuing these discussions and advancing open source security together.
Stay Updated! Follow us on LinkedIn and join our mailing list for the latest news!