Open Source Summit India 2026

The Linux ecosystem powers many, if not most, devices these days. Having a well designed sustainable way to build and maintain one – and not having to rely on a hodge-podge collection of hacky scripts – is critical. This talk introduces the Yocto Project - _the_ industry standard way to build and maintain your custom Linux.

With Yocto, one can build a custom (embedded or otherwise) Linux in an efficient and completely reproducible manner, along with several related advantages; it's a 100% open source, has the ability to build-in security features, all/most major BSP layers are already available, and more.

This session will show you exactly how to get started on building such a custom system with Yocto; it will of course include leveraging Yocto/OE’s famed layer+recipes model.

We all believe in open source - or we wouldn't be attending this conference. But although open source may be a "nice to have" property for software in general, this talk will try to convince you that security software really _must_ be open source. With nearly 30 years of open source and security experience, Mike will address some of the key ways in which the open source community does security - and also debunk a dangerous myth. We will ensure we have lots of times for questions - open source and security should both be two-way conversations!

Open source used to mean something simple: the code is open, the community builds it, and everyone benefits. That world is gone. Today, billion-dollar companies release model weights and call it "open source"

Projects launch with permissive licenses but lock their APIs behind paywalls. Foundations host projects where one vendor controls 95% of the commits. And a new generation of developers is entering open source through AI-generated pull requests they barely understand.

I've spent 7 consecutive Kubernetes release cycles on the release team, helped build and maintain Kargo - a OSS project for GitOps continuous delivery and worked as a CNCF Ambassador helping new contributors navigate this ecosystem

I've watched the definition of "open source" stretch, bend & sometimes break in real time.

This talk is about the real problems developers face today when they try to contribute to, depend on, or build careers around open source projects that don't play by the old rules. I'll share what I've learned about spotting "open-washing" evaluating project health beyond the GitHub star count, and building genuine community in an era where the incentives have fundamentally shifted.

Building modern applications in the cloud is exciting—but also overwhelming. You need CI/CD to ship fast, APIs to connect everything, and scalability to handle growth. But where do you start?

This session will break down the essentials of cloud-native development, covering CI/CD pipelines, API-driven architectures, and scalable deployments— while also showcasing how open-source cloud-native projects can accelerate your journey from beginner to pro.

You will learn:
1. CI/CD without confusion – Automate deployments with ArgoCD, Tekton & more.
2. APIs made simple – REST, GraphQL & event-driven APIs for cloud-native apps.
3. Scaling smartly – Kubernetes, Knative & serverless for effortless growth.
4. Open-source power-ups – CNCF projects that accelerate your development.
5. Best practices – The tools & workflows every cloud-native dev must know.

Join us to get a clear roadmap, hands-on tools, and the confidence to build, deploy, and scale like a pro!

If you feel overwhelmed by jargon thrown around in forums, conferences, and headlines focussed on containers and the cloud, you’re not alone. In 2026, image hardening, provenance, secure supply chains—oops, it’s happening again, isn’t it? Let’s step back.

This session takes a hands-on, bottom-up approach to understand containerization. Build along as we containerize a simple app and run it, starting with a naive approach and iteratively improving it until we have a production-grade image. At each step, new concepts are introduced only once we've understood the need for them. We'll work with Docker, understand container runtimes, even touch upon new-age tools like Rockcraft and Chisel.

To make this fun, we’ll use baking as a guiding analogy: images as recipes, dependencies as ingredients, and runtime environments as kitchens!

By the end, you’ll be able to walk confidently into real-world discussions about containers, ready to participate and learn better.

Every time one Pod talks to another in Kubernetes, the Linux kernel does a surprising amount of work.

Engineers know Pods get IP addresses. They know Services like ClusterIP and NodePort make workloads reachable. And they trust that traffic somehow finds the right destination.

But what actually happens to a packet once it leaves a Pod, especially when it needs to reach another Pod on a different node?

In this session, we trace that journey across a live Kubernetes cluster. We follow real Pod-to-Pod traffic, observe how packets move across nodes using native Linux networking primitives, and examine what enables flat, routable Pod networking without NAT between workloads.

Rather than treating Kubernetes networking as magic, we connect what we see to the underlying constructs like network namespaces, veth pairs, bridges, routing tables, and packet filtering rules.

Through live demos, attendees will build a clear, practical mental model of how Kubernetes moves packets and leave with a clear mental model for explaining, observing, and debugging Pod-to-Pod traffic in Kubernetes.

PyTorch is a widely adopted library for deploying ML workloads. It provides robust support for resource optimization, including CPU offload capabilities, memory and distributed workload management. The primary objective of any ML workload is to achieve maximum performance during inference or training. PyTorch enables acceleration of these workloads through support for torch.compile and distributed library capabilities. This session will cover the internals of the torch.compile stack, including the reasons for performance improvements such as internal graph representation optimization. These benefits will be demonstrated in the hands-on part of the session. While torch.compile can provide performance improvements on a single GPU, most production workloads require multiple GPUs to significantly reduce overall execution time. This session will examine how tensor distribution across GPUs is performed using various parallelization techniques, including data, tensor, and pipeline parallelism. The hands-on part of the session will involve implementing these parallelization techniques within a mini-PyTorch implementation, enabling practical understanding of distributed training strategies.

Open source projects often attract many new contributors, but only a small percentage stay long enough to become long-term community members. What makes some communities different?

In this talk, I share lessons from my journey from a first-time contributor to a maintainer and community manager in the CircuitVerse ecosystem. Through mentoring contributors, reviewing pull requests, and helping grow a community used by hundreds of thousands of learners, I discovered that retention in open source is less about technical complexity and more about belonging.

This session explores practical strategies for building communities where contributors feel welcomed, supported, and empowered. From responsive communication and mentorship to giving contributors ownership and encouraging collaboration, small actions can significantly impact contributor retention.

Attendees will leave with actionable practices that maintainers and community leaders can apply to build open source communities where contributors not only participate, but choose to stay.

Quantum computing is moving from theory to practice, but getting started can feel challenging. This session offers an accessible, open‑source path to writing and running quantum programs. We begin by explaining how quantum computing differs from classical computing starting with bits, then introducing qubits, superposition, and entanglement using clear, intuitive descriptions rather than heavy math.

We then explore why quantum computing matters, highlighting problems where classical methods struggle and quantum techniques may help. Next, we shift to hands‑on work: participants will build simple circuits with Qiskit, run them on simulators, and learn how to execute the same code on real quantum hardware. We also demonstrate hybrid quantum‑classical workflows for practical use.

Throughout, we focus on intuition, visuals, and step‑by‑step guidance. By the end, attendees will understand how quantum programs are structured and feel confident continuing their exploration—whether they’re developers, students, researchers, or curious learners.

Every npm install or pip install pulls in dozens of packages which includes transitive dependencies no one has reviewed. This is the most unguarded moment in the software supply chain: malicious code enters a developer's machine before any CI/CD check or SBOM scan even runs.

Attackers know this. Typosquatting, dependency confusion, and pre/post-install script exploitation all target the install step specifically, because that's where defences are weakest.

In this talk, I'll discuss a different approach: guarding the package manager itself. Instead of scanning after installation, what if we could analyse packages in real-time and block threats before they execute? I'll walk through real attack patterns, explain how combining malware analysis with OS-native sandboxing makes this practical, and share what we've learned building open source tooling in this space.

You'll get to know about:
- Why install-time is the critical gap in dependency security
- How real supply chain attacks bypass pipeline-stage scanning
- Practical ways to add real-time package protection using open source tools

What if two independent builds of the same source code produced byte-identical artifacts every time? That’s the goal of reproducible builds and one of the strongest guarantees we can provide for software supply chain integrity. Yet in many CI/CD systems, builds still include hidden sources of nondeterminism.

In this session we’ll break down what reproducible builds actually mean, why they matter beyond simple bit-for-bit equality, and the common pitfalls that quietly break reproducibility—embedded timestamps, non-deterministic file ordering, and environment leakage.

As a Tekton maintainer, I’ll show how Tekton pipeline primitives such as hermetic execution, parameterized TaskRuns, and provenance via Tekton Chains can make deterministic builds practical in real pipelines. Through a live demo, we’ll build a container image, verify identical digests across independent pipeline runs, and generate SLSA-compliant provenance.

Attendees will leave with a clear mental model of reproducibility and concrete patterns for auditing and improving their own pipelines.

Securing software supply chains requires more than just standard formats like SBOMs or SLSA Provenance. Organizations often need custom attestations, metadata that proves how an artifact was built, what dependencies were used, and whether policies like vulnerability scans or unit tests were executed.

In this session, I will show how to extend supply chain security using open-source tools such as Cosign, InToto, and Witness to generate, ingest, and verify these custom attestations.

You’ll learn:

- How to produce attestations for builds, tests, and security checks.

- Methods to sign and verify artifacts, ensuring integrity and authenticity.

- Ways to maintain provenance and chain-of-custody for all artifacts.

- How to enforce custom compliance policies in CI/CD pipelines using OPA.

Through an end-to-end practical demo, you will gain actionable strategies to go beyond standard attestations, giving full visibility and trust in your software supply chains.

Last week, a developer's AI coding agent was asked to refactor a module. Instead, it read .env files, ran git push --force on main, and made 300 API calls costing $47. The agent worked exactly as designed - there were just no guardrails with teeth.

AI agents can now execute shell commands, access secrets, call APIs, and spawn sub-agents. But today's safety approaches are just filters - they can't prove an agent actually stayed within bounds.

Aflock is an open source framework built on Witness and in-toto that treats agent permissions like a lockfile treats dependencies - signed, immutable, and verifiable.
No trusted hardware needed. Just policy files and attestations.

https://github.com/aflock-ai/aflock (Apache 2.0)