Open Source Summit India 2026

Running global, self-managed k8s for stateful apps is notoriously complex. Most teams opt for managed platforms or VMs to mask the difficulty.

For platform engineers and SREs, this talk reveals how to confidently run mission-critical StatefulSets on bare-metal k8s. We share how we sustain 99.99% availability SLAs and sub-second recovery. We also explain why bare-metal drastically outperforms VM or managed setups by eliminating hypervisor overhead and granting direct hardware access.

We will dive into the architectural decisions behind:

Cluster-of-clusters: Scaling geographically with isolated regions.
Intent-driven placement: Hardware isolation for predictable performance.
Blast-radius containment: Limiting fallout via dedicated failure domains.
Automated recovery: Software, not humans at 2 a.m., handles failures.
Continuous reconciliation: Shifting operational burden to code.

This is not a "Kubernetes solves everything" pitch. It’s a candid, numbers-driven account of engineering a multi-region bare-metal k8s platform where performance and reliability are non-negotiable.

Kubernetes supports OIDC login, but in real life it often becomes painful: users can’t log in, TLS trust breaks with private Keycloak, usernames don’t match RBAC rules, and people end up sharing kubeconfigs or using long‑lived tokens.

In this talk I’ll show a practical way to run Kubernetes access with Keycloak: configure OIDC the right way, bind users/groups to Kubernetes RBAC, and use kubelogin (kubectl exec plugin) so tokens are short‑lived and refresh is handled automatically on the client side.
I’ll also cover the “boring” but important part: handling the Keycloak CA certificate so the login works from admin machines without manual steps.
You’ll leave with a clear checklist and a working “golden path” setup you can copy for your own clusters, that eliminate manual day‑2 steps while keeping security and auditability intact.

As India transitions from being the world’s largest consumer of open-source software to a leading creator of digital public infrastructure, a new mandate has emerged: Sovereign AI. To achieve true digital autonomy, Indian enterprises and public institutions must build AI ecosystems that protect data residency, reflect local context, and avoid vendor lock-in. But how do we practically build this sovereign stack?

This session provides an end-to-end technical blueprint for building enterprise-grade sovereign AI infrastructure entirely on open-source technologies. Using a homegrown, production-ready AI coding assistant as a practical case study, we will deconstruct the architectural layers required for AI independence. We will explore how to orchestrate scalable infrastructure with OpenStack, abstract complex multi-vendor GPU environments using Kubernetes, and deploy high-throughput inference for open-weight models using vLLM.

Beyond the architecture, we will discuss how Indian firms can adopt this open-source stack to implement highly secure, air-gapped environments, protect intellectual property, and empower local engineering talent to shift from consuming global AI to building it.

This talk presents an overview of FOSS United's mission to promote and support the FOSS ecosystem in India. The Foundation was registered in India in 2020 and is supported by thousands of volunteers nationwide throughout the year.

Our programs operate on three orthogonal directions-

- Individual creators and maintainers (by giving them a platform to talk about their work, or direct support)
- Communities (by either directly creating FOSS communities in India or supporting existing ones)
- Organizations (to adopt, acknowledge use of, contribute to, and create FOSS projects)

The talk aims to share insights into the programs we have developed to foster collaboration, innovation, and community engagement within the tech ecosystem. Attendees will learn about the challenges and successes of building FOSS communities, increasing awareness about open-source tools, and strengthening industry-academia-government partnerships. The session will also highlight the broader implications of these efforts on promoting digital inclusivity and shaping India's position in the global free & open-source landscape.

We will also showcase some Indian FOSS projects that have come out of the community!

Murphy's Law states, "Anything that can go wrong will go wrong." For an Open-Source project, this can be a daunting task. Imagine you are in between a major architectural change, trying to decouple a monolith and your community itself starts to decouple. This is what happened recently in our decade old community and we would like to share the raw behind-the-scenes of our journey, hoping it will be helpful for others who're going through the same.

Our story will portray, how we lost our veteran leaders and architects departing the community, placing an unprecedented load on the remaining maintainers to bridge a massive gap in expertise, institutional knowledge and maintain stability while executing a high-stakes architectural migration. We will also touch bases on how the GenAI can work as a double-edge sword when you are in short of contributors.

Key Takeaways:
1. Practical strategies for project survival when veteran institutional memory departs mid-migration.
2. Why Next.js was a strategic necessity and not just a nice-to-have upgrade.
3. Navigating the influx of high-volume, variable-quality contributions and managing the burnout.
4. Lessons on building a new leadership.

In October 2024, we announced floss.fund as a big experiment to fund critical Free/Libre Open Source projects globally, which in turn was the culmination of a series of ad-hoc funding attempts over the years. It is the first of its kind in India, and one of the few in the world.

Over the last year, some of the biggest FOSS projects globally applied to the fund - from devtools, programming languages, libraries, critical FOSS infrastructure, to humanitarian and social-impact projects, all via word of mouth and volunteer outreach.

While the experiment itself has done well, there have been many disappointments and learnings owing to legal and compliance-related challenges

In this talk, we will share our experience from running the program, what other projects and funders should know, and our plans for the future (making FLOSS/fund a community driven effort, pushing for the creation of an Indian sovereign FOSS fund)

We will also introduce funding.json - an open JSON manifest for describing FOSS funding requirements that we launched as an experiment with FLOSS/fund. It has been adopted by some of the biggest projects globally, and platforms like GitHub, f-droid, thanks.dev

Open source projects are rapidly adopting AI agents for code review, issue triage, PR merging, and sprint planning. But most projects bolt agents on without asking: who audits what the agent did? What happens when an agent merges malicious code? Who is liable when an AI recommendation violates a contributor agreement?

Drawing from GitMesh - an LF-incubated project running production AI agents for engineering workflows - this talk covers the three non-negotiable pillars every open source project needs before deploying agents:

• Audit trails: every AI decision logged, attributed, and reversible
• Policy enforcement: agents operating within explicitly defined
contributor permissions and DCO boundaries
• Human-in-the-loop gates: approval workflows that preserve maintainer accountability without killing automation speed

I'll share what broke when we skipped these, how we fixed it, and the open-source tools (OPA, Sigstore, audit logging patterns) any project can adopt today. Attendees leave with a practical compliance checklist for AI-assisted open source governance.

As banks shift from traditional software to LLMs, the threat landscape is evolving from "bugs in code" to "poison in data." Traditional vulnerability management (CVEs) cannot detect a model that has been trained to have a backdoor. This lightning talk explores the critical risk of Data Poisoning and Indirect Prompt Injection in a regulated fintech environment.

We will walk through concrete examples—from "hidden" instructions in customer documents to "Trojan Horse" models downloaded from public repositories—that can lead to unauthorized transfers or massive reputational damage. The session provides a 3-step governance framework for OSPOs to move beyond SCA and toward Model Integrity:

Implementing Data Lineage for fine-tuning sets,

Adopting Adversarial Red-Teaming as a standard release gate, a
Leveraging open-source frameworks like MITRE ATLAS to map AI-specific threats and tools like garak, augustus to detect the vulnerabilities
Learn why the OSPO is the natural home for AI Safety and how to protect your organization's "Intelligence Supply Chain" from being poisoned at the source.

Mumbai means money!

All the money in all the businesses within India seems to move from within the city. The financial pulse of the nation can be felt here. Many BFSI institutions consider Mumbai their home.

That being said, BFSI & open source share a complicated relationship. Join this panel of OSPO heads who tackle open source concerns in their organizations. The panelists span a diverse range of institutions ranging from nationalized, national, and international institutions.

While their love for OSS is clear, as technology adopters, the ability of software teams within these orgs can be tiring on a good day, to trembling. The opportunity to consume open source is available for them, yet the sheer number of hoops they have to jump through can be daunting.

What's it like belonging to a highly regulated industry, and yet keeping up with various innovative technology within the software world? Come to the panel to find out.

This hands-on workshop gives attendees a ground-up understanding of post-quantum cryptography and then puts that knowledge to work immediately. We start with the essentials: why classical public-key cryptography breaks under quantum attack, what NIST's post-quantum standardization process produced (ML-KEM, ML-DSA, SLH-DSA), and how hybrid key exchange lets you transition incrementally without abandoning classical security. Then, a hands-on using the Open Quantum Safe project's oqs-provider plugin for OpenSSL 3, attendees will:
Install and configure oqs-provider against a standard OpenSSL 3 installation
Generate post-quantum and hybrid X.509 certificates using ML-KEM and ML-DSA
Spin up a TLS 1.3 server and connect to it with a PQ-enabled openssl s_client
Inspect negotiated ciphersuites and key exchange algorithms in live TLS handshakes
Benchmark classical vs. hybrid vs. pure PQ handshake performance and understand the tradeoffs
Explore the algorithm catalogue — KEMs, signature schemes, and their NIST standardization status
No prior post-quantum knowledge is assumed. Attendees should be comfortable with Linux CLI and have a basic understanding of TLS.

The rapid growth of AI data centres is placing unprecedented demands on Ethernet, pushing the 53 year old technology beyond its legacy of best effort delivery. While Ethernet has continuously evolved, modern AI workloads introduce unique challenges such as RDMA driven traffic patterns, network congestion, and the need for lossless, ultra-low latency communication. These demands are critical across both scale-up and scale-out AI fabrics, which must support high-throughput training and latency-sensitive distributed inference between tightly coupled GPUs or xPUs.

This session explores how the ecosystem is addressing these challenges, highlighting key advances in open standards including:

The Ultra Ethernet Transport (UET) protocol from the Ultra Ethernet Consortium (UEC), a Linux Foundation project.
The SUE-T protocol associated with the UA Link industry initiative.
The Ethernet for Scale-Up Networking (ESUN) work-stream within the Open Compute Project (OCP).

Open collaboration is reinventing Ethernet as the scalable, interoperable backbone for the next generation of computing.

Most organizations are running IAM infrastructure designed for a different era — built around human users and browser-based logins, then grown through procurement until it became fragmented and misaligned with how modern enterprises actually work.
Three forces are about to stress this model beyond its limits. AI agents need identities and governance just like humans but operate nothing like them. Converged identity platforms are replacing tool sprawl with unified architectures where governance, access management, and privileged access share a common foundation. And verifiable credentials are introducing decentralized trust models where identity claims can be carried and verified across organizational boundaries without a central provider.
This session maps what IAM needs to look like to handle all three, grounded in practical implementation experience rather than analyst predictions. Attendees will leave with a clear picture of where IAM is heading and how to start evolving today's infrastructure without rebuilding from scratch.

6G isn't just faster 5G it's a paradigm shift toward semantic and goal-oriented communications, where networks transmit meaning rather than raw bits. The ITU IMT-2030 framework positions native AI and semantic layers as first-class network citizens. But what does this look like in open source? This talk breaks down the semantic communication stack: the AI encoder/decoder models, the task-oriented transmission protocols, and the Linux-based infrastructure that will run 6G network functions. We'll explore how eBPF provides the programmable observability layer for semantic pipelines , tracing inference latency, enforcing semantic QoS policies, and monitoring model-level telemetry at the kernel boundary. Attendees will walk away with a concrete mental model of the open 6G architecture and where open source communities need to build next.