The tech Industry has relied heavily on Free and Open Source Software for 20 years but under-investing in its security and maintenance has increased global cybersecurity risk. Æva Black will reflect on this history and show how regulations could improve security across the ecosystem.

Policy debates often assume FOSS adoption delivers digital sovereignty. But does it? Sovereignty stems not from license freedoms but from technical capacity and community influence. Active participation in FOSS development—not mere adoption—determines whether nations achieve independence from proprietary lock-in and foreign control.

Improved security in open source is more than a theoretical goal but a plausible reality as shown by nonprofit Open Source Technology Improvement Fund, Inc. Following a best practice of independent code review with a process specifically tailored to open source projects and communities, OSTIF is turning funds into positive security outcomes.

Discover how European local governments successfully collaborate on open source solutions. Based on 5 in-depth case studies including Consul Democracy, Digitransit, and Golemio, learn proven governance models, collaboration archetypes, and actionable strategies for scaling sustainable cross-border digital public services.

Security can fail even when code is correct. Drawing on work with SecureDrop, Qubes OS, and Mailvelope, this talk defines “usability vulnerabilities,” design flaws that cause unsafe behavior, and shows how open-source teams can detect and address them before release.

The CRA’s Open-Source Software Steward (OSSS) status offers legal recognition and hidden traps for non-profits and volunteer communities. This talk unpacks benefits, duties, liability, and tax effects, helping NPOs use the status safely and avoid accidental burdens.

Between major updates for Log4J, substantially increasing test coverage for SystemD, updating hundreds of CVE reports at NIST for Yocto and providing a new infrastructure-as-code solution for PHP, work on FOSS projects for the Sovereign Tech Agency is as varied as it is impactful. This talk recaps the highlights from that past two and half years.

Open source licenses like GPL or MIT matter, but ecosystem is what truly defines how open and sustainable a project is. Open source isn't always as open as it seems! There are many tactics beyond licensing to lock you in - and copyleft isn't always better than permissive, or vice-versa.

Digital sovereignty is becoming a key objective of societies and nations. Learn how Digital Public Goods (DPG) like Mastodon can build a decentralised internet and challenge big tech. A joint talk by DPGA & Mastodon—we'll unpack the concept, analyse EU policy, and offer concrete strategies for a sovereign digital future.

We talk about license changes and risk management for open source companies all the time, but what about how open source companies can use their open source project as a competitive advantage to win in their market? That's what this talk is about.

Open source projects already power citizen science — from mapping air quality to tracking food data. This RIECS-Concept workshop invites developers and community leads to share stories and map what support, tools, and governance are needed to build sustainable, open, and trusted citizen science infrastructures.

Due to the changed global political situation, digital sovereignty is a priority goal for every organization. The city of Munich has developed a simple method for measuring digital sovereignty and has derived measures based on this. In our talk, we will present the measurement method, planned measures, and how FOSS can help achieve this goal.

Anyone who still puts AI-generated code into circulation today has conditional intent to infringe the law – how to limit or at least defer the risk.

Inner Source success hinges on easy contributions. However, complex frameworks can be a barrier. We simplified our process by removing bureaucratic hurdles, automating compliance, and simplifying project involvement. Discover how to create a frictionless Inner Source experience and unlock your company's collaborative potential!

The ORT Server is a platform building on the renown OSS Review Toolkit to automate software compliance checks in a scalable and enterprise-ready way. This talk gives an overview of how to use the ORT Server to deal with obligations of the Cyber Resilience Act (CRA) specifically.

This workshop explores funding and resource models for sustaining FOSS projects. We look at grants, donations, sales, licenses, corporate and student contributions, and more — evaluating the models pros, cons, and fit for different project stages. The goal is to refine a shared, open resource and identify unmet needs.

The InnerSource commons promotes the adoption of open source practices to accelerate development within a company's culture. It's also said that it prepares the ground for those companies to begin contributing and releasing open source software... but can we prove it?

Around the world, governments are building and exporting their own “open” technology stacks — from India Stack to the emerging Deutschland Stack — blending open-source ideals with national strategy. This talk dives into how states are curating open technologies to reflect political philosophies, advance digital sovereignty, and shape global norm.

Michelin, a 136-year-old industrial giant, is building its open source culture. This talk is a feedback from our OSPO, detailing our strategy, governance, and change management programs. We'll share our progress and achievements, our key lessons, and the significant challenges still ahead on our journey.

Decidim, once reliant on Barcelona’s funding, faced a 2022 crisis that spurred a Sustainability Plan to diversify income. Three years on, we share strategies, challenges, and lessons in securing funding from public, private, and philanthropic sources for FLOSS project sustainability.

With this discussion following the Chatham House Rule format, we wish to invite FOSS Backstage attendees to come together to explore how communities could issue risk-based attestations sufficient to reduce downstream compliance burdens in ways that support (rather than burden) open source communities.

The W3C integrates accessibility, security, and ethics into web standards. Inspired by UN human rights recommendations, this talk explores the W3C’s review process, its vital importance, and how these principles can be applied to other domains.

Wikidata is a CC 0 licensed, semantic knowledge base of linked data. This talk argues for its use in apps, highlighting its diverse data types and strengths. It concludes with a showcase of existing applications to demonstrate Wikidata’s practical potential.

Public institutions increasingly rely on open-source software but lack direct ties to its maintainers. This talk proposes institutionalizing exchange channels to share roadmaps and report bugs. By bridging this gap, both developers and the public sector can better align their goals and strengthen critical digital infrastructure.

Shared educational efforts need more than static files; they require a scalable, community-driven approach. This talk introduces Eclipse OSILK, a "Training-as-Code" project using AsciiDoc for modular, maintainable training. It enables organizations to tailor content easily while keeping it as evergreen as the software itself.

Gemini hat gesagt
The 2021–2024 xz backdoor attack exploited social engineering to target critical SSH infrastructure. This talk warns that, fueled by LLMs, similar attacks will rise, and the traditional profile of "undermaintained" projects being the only targets no longer applies. Security models must adapt to these sophisticated new threats.

We'll host a five minute mini debate on stage on the exciting question of whether or not you should do your homework with the help
of AI. The debate will be supported by FOSS maintainers, former and current students.
We'll stay strictly within the humorous topic, parallels to FOSS development are entirely incidental and not by intention at all ;)

Join us for a drink and a chat at our Get Together directly after the conference!

Do you dare to visit a space-station under Berlin?
Do you want to visit Germanys oldest Hackerspace?
Do you want to enjoy decent food and a mate with fellow FOSS Backstage attendes?

The join us!

We will send an expedition team from FOSS Backstage to explore c-base and meet the local population.

500,000 SBOMs – that’s the scale of Deutsche Bahn’s software supply chain. How do we make sense of this as a small OSPO in a large non-IT organization? Our strategy: turn this data into actionable tasks. We’ll share practical learnings on prioritizing risks, applying sensible automated compliance, and considering ecosystem sustainability.

Open source security is often overlooked until a crisis hits. This talk compares the impact of volunteers versus dedicated full-time security engineers in the Python and Ruby ecosystems. It highlights how consistent investment strengthens community resilience, reduces risk, and proves that security isn’t a cost but an essential strategy.

"Why aren’t more people contributing?"

Contributors are the lifeblood of open source, yet many projects struggle to grow beyond a small core team.

In this workshop, you will learn simple, hands-on techniques to get more people contributing to open source projects.

What happens when a federal state truly supports open source? Granted by the state of Saxony, our funding project FOCIS helps ALASCA - Association for operational, open cloud-infrastructures e.V. grow into a more stable, independent home for FOSS projects. We’ll show how public support strengthens open source and what others can learn from Saxony.

The largest users of the Open Collective Platform set up a coup and ousted the initial investors. We are now a 501(c)(6) membership nonprofit. We would love to share how our governance has evolved, our current challenges in achieving financial sustainability, and how we have contributed to the open-source ecosystem. https://blog.opencollective.com

What happens when a developer-first open source project tries UX research for the first time? This talk tells the story of Prometheus's first UX mentorship and explores the reality of introducing research to a dev-first community. Was it worth it? Will they do it again? And what can other OSS projects learn from their experience?

Compliance with legislation is not sufficient to build a good user experience, especially when maintaining an operating system used by millions. In this talk, we will share how we are building an accessibility practice that addresses the obvious and the non-obvious, and our learnings from this journey.

Open software thrives through open tools and collaboration. Hardware remains trapped behind prohibitively expensive tool licenses and limited foundry access. Why? This talk explores the structural barriers preventing hardware from following software's path, and why solving them requires entirely new institutional forms, not just better policies.

Open-source ecosystems run on more than code, they run on story. Beyond commits, shared narratives sustain trust and belonging. At WriteTech Hub, we turned storytelling into infrastructure, every doc review, milestone, and mentor invite reinforced one truth, you belong here, and what you build matters.

How the Hare programming language community grew from one BDFL and a ragtag group of early hackers to a productive, sociable, and egalitarian community of happy hackers with a lightweight and effective model of participatory governance.

The Cyber Resilience Act (CRA) will require FOSS projects to step up their security and, following the logic of the FOSS ecosystem, produce attestation for their software.

This talk introduces fair-share cost tokens - a feature which supports financial flows along open source software supply chains. (No blockchain)

Africa is rich in tech talent, many of whom are eager to contribute to open-source projects. However, due to the technical requirements needed to get started with open source and a lack of proper mentoring and guidance from these communities, many talents are discouraged. This talk explores ways to mitigate this problem.

Corporate users, volunteer maintainers, and everything in between, how can they work together? In this panel, we bring together different voices to explore: What does each side intend, expect, and need? And how can we bridge tensions in today’s open source supply chain?

A brand isn’t just a logo, it’s the story people tell each other about what you stand for. In open source, that story builds trust, sparks curiosity, and inspires contribution. This talk explores how storytelling and brand design can create welcoming open source projects.

There are so many open source projects and not enough contributors to sustain them all over the long term. With many open source projects desperate for contributors, how do we educate the next generation of open source contributors to grow the contributor base for all of us?

Your code is FOSS, but the project uses all the famous and fancy proprietary platforms. Does it matter? Yes. Relying on non-free tools contradicts open source values and hurts your project. This talk pulls the curtain from the damages it makes, busts myths and gives you a director's cut commentary on how to be the hero your story needs.

Free and open standards, and the open processes behind them, can lay the foundation for innovation, interoperability, and compliance across EU digital, environmental, and industrial policies. Drawing on the Linux Foundation’s State of Open Standards report, this talk explores their potential to strengthen regulation, trust, and competitiveness.

In this hands-on workshop, we’ll create a No-Code Contribution Map to show how skills like writing, design, outreach, and accessibility promote adoption and inclusion. Leave with strategies to grow diverse, welcoming, and sustainable communities.

How can designers navigate in engineering-focused environments? This panel explores approaches for integrating UX into developer workflows and showcasing how design contributions are valuable assets for greater impact in engineering circles.

This talk explores the BBC’s experience maintaining a fork of dash.js for media playback. It covers the motivations, trade-offs, and strategies to reduce maintenance overhead - such as upstream contributions and community engagement.

Over the last 20 years the OpenStreetMap (OSM) project has collected an enormous amount of data about our planet and written a lot of Open Source software. OSM-based maps and apps are everywhere. How do you organize two million contributors in a mostly volunteer project to work on a common goal? And what exactly is that common goal?

We have conducted an in-depth study into the political, legal and economic feasibility of an EU Sovereign Tech Fund (EU-STF), a fund for the maintenance of open source infrastructure, building on the successful example of the German Sovereign Tech Agency. Learn about our findings and how you can help us make the EU-STF a reality.

"It's free as in speech, not free as in beer." But is 'free speech' the kind of freedom FOSS projects should aim for? Should we instead focus on positive freedoms—not just the right, but the ability to achieve our aims? This talk argues for the latter, and charts a course for how to do so, drawing from the psychology framework of intersubjectivity.

Writing a detailed plan to fork, as a disaster recovery plan for tomorrow, is a great way to identify places where you sould be investing more deeply in an open source project, today.

Companies that develop Free Software face a problem: competitors disguising proprietary software as “open” and undercutting Free Software products in public tenders. Such practices distort competition and undermine strategic procurement and digital sovereignty. Which openwashing methods are used, and what can be done about it?

Over the past decade, the Open Source Hardware Association has certified thousands of pieces of hardware from almost 70 countries as open. We've learned some things and want to share!

Most open source software is not maintained by a large community but by a single person in limited time. For them, best practices developed in large projects might not be feasible to apply – but what can be done instead?