Open Source Summit India 2026

The Linux ecosystem powers many, if not most, devices these days. Having a well designed sustainable way to build and maintain one – and not having to rely on a hodge-podge collection of hacky scripts – is critical. This talk introduces the Yocto Project - _the_ industry standard way to build and maintain your custom Linux.

With Yocto, one can build a custom (embedded or otherwise) Linux in an efficient and completely reproducible manner, along with several related advantages; it's a 100% open source, has the ability to build-in security features, all/most major BSP layers are already available, and more.

This session will show you exactly how to get started on building such a custom system with Yocto; it will of course include leveraging Yocto/OE’s famed layer+recipes model.

Practical guide to writing Devicetree sources (DTS) and bindings for the Linux kernel. Jump in if you want to know:
1. What compatibility means between devices and how to express it in DTS.
2. What can be in DTS and what cannot.
3. Fastest way to upstream your DTS (no need for 10 iterations!).
4. Validate your DTS and live error-free ever after.

The talk will focus on Devicetree (DTS and bindings) in the context of Linux kernel, which is also applicable to several other projects like U-boot.

This talk presents an overview of FOSS United's mission to promote and support the FOSS ecosystem in India. The Foundation was registered in India in 2020 and is supported by thousands of volunteers nationwide throughout the year.

Our programs operate on three orthogonal directions-

- Individual creators and maintainers (by giving them a platform to talk about their work, or direct support)
- Communities (by either directly creating FOSS communities in India or supporting existing ones)
- Organizations (to adopt, acknowledge use of, contribute to, and create FOSS projects)

The talk aims to share insights into the programs we have developed to foster collaboration, innovation, and community engagement within the tech ecosystem. Attendees will learn about the challenges and successes of building FOSS communities, increasing awareness about open-source tools, and strengthening industry-academia-government partnerships. The session will also highlight the broader implications of these efforts on promoting digital inclusivity and shaping India's position in the global free & open-source landscape.

We will also showcase some Indian FOSS projects that have come out of the community!

Zephyr is officially 10 years old and many silicon manufacturers are moving towards it as a de-facto RTOS. With over 3000+ contributors and 15,000+ commits per release, Zephyr is one of the fastest moving open source RTOS projects today.
Linumiz is a software partner with silicon manufacturers like Infineon and Texas Instruments, maintaining open source downstream Zephyr releases for their customers. This involves backporting bug fixes, security fixes, rebasing, and moving to new release cycles to keep up with Zephyr's upstream development pace.
In this talk, I will walk through how we manage these downstream releases and cope with upstream pace - what works, what doesn't, and what product developers should keep in mind when building long-term products on Zephyr.

Ten years ago, the Zephyr Project set out to build an open, scalable real-time operating system for connected and resource-constrained devices. Today, Zephyr powers a rapidly growing ecosystem spanning IoT, industrial systems, automotive platforms, and edge computing.

This session celebrates Zephyr’s first decade and explores what has driven its success—from technical architecture and open governance to a vibrant global contributor community. Drawing on insights from a new Linux Foundation Research study, the discussion will highlight key milestones, ecosystem growth, and the forces shaping Zephyr’s future.

In this session, we’ll explore:

-The Zephyr features that are most valued
-How open collaboration accelerates RTOS innovation
-Growth of the global Zephyr developer ecosystem
-Real-world Zephyr practitioner use cases & insights

Key questions:
-How is Zephyr being used across embedded products?
-What are the defining features of Zephyr that have contributed to its adoption?
-What are the attributes of the Zephyr community that contribute to the project's growth and health?

This session compares how camera support is built in the Zephyr Project and in the Linux kernel camera subsystem.

Zephyr focuses on real-time behavior, low memory usage, and simple system design, making it suitable for small, low-power vision devices. Linux, through frameworks such as Video4Linux2 and the Media Controller subsystem, provides a more structured and scalable approach capable of handling complex camera pipelines, multiple cameras, and advanced processing.

The session examines architectural trade offs between the two camera subsystems, comparing their design approaches and highlighting differences in driver structure, pipeline design, and overall system integration. It also explores how Zephyr’s camera architecture can evolve to support more advanced and scalable vision needs, moving closer to Linux capabilities.

The Linux kernel is now a CVE Numbering Authority, a change that has driven an unprecedented increase in reported kernel vulnerabilities. In Kubernetes environments, this shift has amplified compliance requirements that mandate per-CVE tracking, remediation, or justification.

This talk presents a methodology for kernel CVE pruning via static code reachability analysis. We map CVEs to vulnerable kernel functions and evaluate whether those functions are reachable under a specific kernel configuration and execution environment. The analysis incorporates build-time configuration (Kconfig), loadable modules, and inter-procedural call graphs to approximate practical exploitability.

We present an open-source tool that automates this analysis and evaluate it with representative workloads. Our results show that many kernel CVEs are in unreachable code, yielding a high reduction in reported exposure. We also discuss limitations and implications for compliance-driven vulnerability management.

The Linux kernel can feel impenetrable to newcomers — millions of lines of code and a mailing-list workflow unlike anything else in open source. But what if there was a repeatable, beginner-friendly path in?
During my LFX Mentorship (Fall 2025), which I successfully graduated from, I merged 21 patches across 15+ kernel subsystems — including ext4, gfs2, btrfs, ocfs2, f2fs, mm, tracing, networking, and BPF — all using syzbot bug reports as my starting point.
This lightning talk distills that experience into a practical playbook for first-time contributors:

Finding your first bug: navigating the syzbot dashboard and picking approachable reports like memory leaks and missing validations.
Understanding the bug: reading KASAN/KMSAN reports, tracing call stacks, and using git blame.
Writing the fix: structuring kernel patches with good commit messages following kernel conventions.
Surviving code review: handling v2/v3 revisions and learning from maintainer feedback.

If you have ever wanted to contribute to the kernel but did not know where to start, this talk gives you a concrete, battle-tested roadmap.

Quantum computing is moving from theory to practice, but getting started can feel challenging. This session offers an accessible, open‑source path to writing and running quantum programs. We begin by explaining how quantum computing differs from classical computing starting with bits, then introducing qubits, superposition, and entanglement using clear, intuitive descriptions rather than heavy math.

We then explore why quantum computing matters, highlighting problems where classical methods struggle and quantum techniques may help. Next, we shift to hands‑on work: participants will build simple circuits with Qiskit, run them on simulators, and learn how to execute the same code on real quantum hardware. We also demonstrate hybrid quantum‑classical workflows for practical use.

Throughout, we focus on intuition, visuals, and step‑by‑step guidance. By the end, attendees will understand how quantum programs are structured and feel confident continuing their exploration—whether they’re developers, students, researchers, or curious learners.

This hands-on workshop gives attendees a ground-up understanding of post-quantum cryptography and then puts that knowledge to work immediately. We start with the essentials: why classical public-key cryptography breaks under quantum attack, what NIST's post-quantum standardization process produced (ML-KEM, ML-DSA, SLH-DSA), and how hybrid key exchange lets you transition incrementally without abandoning classical security. Then, a hands-on using the Open Quantum Safe project's oqs-provider plugin for OpenSSL 3, attendees will:
Install and configure oqs-provider against a standard OpenSSL 3 installation
Generate post-quantum and hybrid X.509 certificates using ML-KEM and ML-DSA
Spin up a TLS 1.3 server and connect to it with a PQ-enabled openssl s_client
Inspect negotiated ciphersuites and key exchange algorithms in live TLS handshakes
Benchmark classical vs. hybrid vs. pure PQ handshake performance and understand the tradeoffs
Explore the algorithm catalogue — KEMs, signature schemes, and their NIST standardization status
No prior post-quantum knowledge is assumed. Attendees should be comfortable with Linux CLI and have a basic understanding of TLS.

As proprietary models like GPT-5 and Gemini assert dominance in professional domains, the open source community faces a critical challenge: how do we verify their claims without access to their weights? We cannot inspect their code, but we can rigorously audit their reasoning using open source benchmarks.

In this session, 16-year-old researcher Kannan Murugapandian presents a technical evaluation of state-of-the-art LLMs using the LegalBench open dataset.

Moving beyond simple Q&A, this session explores:

1. The Evaluation Harness: A deep dive into the custom Python-based testing asynchronous pipeline designed to standardize prompts, manage vector retrieval, and score outputs across disparate model APIs.
2. Open vs. Closed: A data-driven comparison of how open weights models (e.g., DeepSeek/Llama) stack up against closed giants when tasked with complex legal logic.
3. The "Persona" Myth: Quantitative results testing whether "lawyer personas" actually reduce hallucination rates or merely change the output tone.

Protecting privacy for customers and business partners is a key requirement across jurisdictions and sectors, but proving that privacy is preserved can be extremely difficult. Confidential Computing, available as a chip-level capability across servers and clouds, provides not only isolation for sensitive data and applications, but also cryptographic assurances that it is in place.
This session explains how Confidential Computing can be used as the basis for privacy-centric systems and processes, and the types of assurance that can be derived using remote attestation.
Confidential Computing also has uses across supply chain, collaboration, AI and blockchain - we will touch on these topics as well.

Last week, a developer's AI coding agent was asked to refactor a module. Instead, it read .env files, ran git push --force on main, and made 300 API calls costing $47. The agent worked exactly as designed - there were just no guardrails with teeth.

AI agents can now execute shell commands, access secrets, call APIs, and spawn sub-agents. But today's safety approaches are just filters - they can't prove an agent actually stayed within bounds.

Aflock is an open source framework built on Witness and in-toto that treats agent permissions like a lockfile treats dependencies - signed, immutable, and verifiable.
No trusted hardware needed. Just policy files and attestations.

https://github.com/aflock-ai/aflock (Apache 2.0)