Open Source Summit India 2026

Valkey (forked from Redis) is expected to be fast and correct under an enormous variety of workloads, yet many of the nastiest bugs live outside the reach of traditional unit and integration tests. In this talk, we’ll demonstrate the Chaos Fuzzer for Valkey, built to systematically explore edge cases in the Valkey’s cluster bus, a fundamental part of valkey’s cluster communication model. We’ll show how introducing controlled and uncontrolled chaos into Valkey uncovers correctness issues, subtle crashes, and regression risks that only emerge under common real-world scenarios.

Additionally, we’ll explore how we used Agentic AI to scale fuzzing effectiveness. We will discuss how we leveraged custom AI agents to read, summarize and validate logs from the nodes in Valkey cluster to automatically identify the reasons for cluster failures and expose new bugs in Valkey. We’ll also discuss how AI can be used to generate new fuzzing inputs and scenarios based on prior failures, allowing the fuzzer to iteratively focus on the most error-prone scenarios.

In the end, we will close the talk by discussing how contributors can use this framework to deliver quality features and fixes.

The Linux kernel is now a CVE Numbering Authority, a change that has driven an unprecedented increase in reported kernel vulnerabilities. In Kubernetes environments, this shift has amplified compliance requirements that mandate per-CVE tracking, remediation, or justification.

This talk presents a methodology for kernel CVE pruning via static code reachability analysis. We map CVEs to vulnerable kernel functions and evaluate whether those functions are reachable under a specific kernel configuration and execution environment. The analysis incorporates build-time configuration (Kconfig), loadable modules, and inter-procedural call graphs to approximate practical exploitability.

We present an open-source tool that automates this analysis and evaluate it with representative workloads. Our results show that many kernel CVEs are in unreachable code, yielding a high reduction in reported exposure. We also discuss limitations and implications for compliance-driven vulnerability management.

Docker popularized containers as the solution to the classic “it works on my machine” problem by packaging applications with their environments. Ironically, while containers make runtime environments reproducible, images builds often are not. Docker builds tend to have unrestricted network access, depend on unpinned packages, and may produce different results over time—leading to inconsistent environments, fragile CI/CD pipelines, and difficult-to-reproduce failures.

Deterministic software builds are a well-understood problem in the broader build systems world. From a build perspective, container images are simply artifacts—no different from compiled binaries—and follow the same principles of
reproducibility.

The Nix build system was designed to produce hermetic, reproducible builds. By using Nix to construct OCI images, we can eliminate many sources of non-determinism while enabling the same environment definitions to be reused across development, CI, and containers.

In this talk, we’ll explore common sources of non-determinism in Docker builds and show how Nix can produce deterministic OCI images, from augmenting existing Docker workflows to building images entirely with Nix.

As proprietary models like GPT-5 and Gemini assert dominance in professional domains, the open source community faces a critical challenge: how do we verify their claims without access to their weights? We cannot inspect their code, but we can rigorously audit their reasoning using open source benchmarks.

In this session, 16-year-old researcher Kannan Murugapandian presents a technical evaluation of state-of-the-art LLMs using the LegalBench open dataset.

Moving beyond simple Q&A, this session explores:

1. The Evaluation Harness: A deep dive into the custom Python-based testing asynchronous pipeline designed to standardize prompts, manage vector retrieval, and score outputs across disparate model APIs.
2. Open vs. Closed: A data-driven comparison of how open weights models (e.g., DeepSeek/Llama) stack up against closed giants when tasked with complex legal logic.
3. The "Persona" Myth: Quantitative results testing whether "lawyer personas" actually reduce hallucination rates or merely change the output tone.

Writing a Kubernetes operator looks easy with Kubebuilder and controller-runtime, until production traffic hits. Then the real problems begin.

This session dives into the hard parts of building production-grade operators, focusing on the reconciliation loop and managing stateful workloads safely.

Operators inherently "live in the past" because they read from a cache populated by watch events. This stale view can cause subtle race conditions, over-creation bugs, and inconsistent state. We’ll explore how to handle this safely using optimistic concurrency, resource versions, and the memory expectations pattern used by core Kubernetes controllers.

I’ll also cover designing idempotent reconciliations, deterministic resource naming, spec-hash comparisons instead of brittle DeepEqual checks, safe pod template customization, and the realities of StatefulSets and persistent volumes, including update strategies like OnDelete and volume binding pitfalls.

If you’re building or operating controllers in real clusters, this talk will help you avoid painful production mistakes.

For decades, Linux servers have been maintained using package managers, configuration management, and patching cycles. But what if the operating system itself behaved like a container image?

bootc introduces a new model where a full Linux host is delivered, updated, and rolled back using OCI images — bringing application deployment semantics to operating systems.

In this talk, I explore what changes when the host becomes immutable: updates, drift management, disaster recovery, and fleet consistency. Through hands-on experimentation, I compare traditional configuration management approaches with image-based host delivery and highlight where each model succeeds or fails.

Rather than a product introduction, this session focuses on operational impact: how platform engineers can rethink provisioning, patching, and rollback strategies in data center and edge environments.

Attendees will leave with a clear mental model of when this approach simplifies infrastructure — and when it does not.