Open Source Summit North America 2023

Requirements are at the heart of designing a system with safety considerations. When building the system, having a detailed and accurate record of all the components and build information is necessary for safety analysis. When a component vulnerability fix comes in though, how do you know the system conforms with the safety claims after applying the fix? This talk will go into some approaches for leveraging the SBOM data to improve the automation and confidence in the analyis necessary to know you’re done.

Looking at system architectures for complex safety-critical systems, similarities can be observed across various industries. Beside a rich OS (such as Linux), typically an RTOS and virtualization or containers are involved. However, when it comes to prototyping such systems, the existing guidelines are limited and reproducing demos is hard and time consuming. Compared to traditional (safety-critical) systems, created by strictly following the v-model, existing open source software can boost the system creation & understanding by fast and iterative prototyping. The ELISA project’s systems working group focuses on creating such an exemplary system architecture using Linux, Xen and Zephyr in a reproducible form. This includes step-by-step documentation for users on different expert levels and various entry points to approach these systems. It also includes picking up new requirements such as a system SBOM and a strong interaction as well as collaboration with other open source projects. Beside the state of the previously mentioned activities, the talk highlights other ELISA working groups focusing on Linux Kernel, processes, tools, and use cases. A basic understanding about challenges and chances of using open-source projects for safety-critical workloads rounds up the talk.

Safety is important to software everywhere human lives are at risk. In these environments often safety-certifications are required to ensure that the quality of the software is high enough to minimize the risk of harm to humans. Safety-certifications such as ISO 26262 come with a series of requirements and processes that sometimes clash with well-established Open Source software development practices. How do we reconcile safety-certifications with Open Source? This presentation will provide an answer to that question. Taking Xen as an example of an Open Source project with a rich 15+ years history, this presentation will explain the best way to match Open Source activities with safety-certification requirements. It will discuss the role of the upstream community and downstream vendors in achieving compliance with ISO 26262 and IEC 61508. It will go through the changes to Xen Project processes already underway and the ones planned for the future to align the Xen hypervisor with safety-certifications. The talk will cover MISRA, traceability, testing, etc., and the latest updates from the Xen FuSa working group.

This talk will feature the use of Yocto/OpenEmbedded as a tool for managing a distributed development environment, automated build and test, and ultimately delivering a DO-178C level D certified Linux platform into revenue service. It will also touch upon generalized aspects of traceability, team dynamics, "day one developer", and extensibility.

To improve the integration of renewable energy sources into the grid, there is a need to simplify the connection process, which currently takes place at substations. These substations play a crucial role in the intelligence of the grid, but their functions are limited in terms of evolvability due to hardware constraints. The virtualization of these systems can enhance their adaptability and increase evolvability, but they remain critical real-time systems that require precise data acquisition with a precision of 100 microseconds and a response time within a few milliseconds, along with a high level of availability. SEAPATH is an open-source configuration project under the LF_ENERGY umbrella aimed at building an industrial-grade platform to host real-time critical applications. This presentation introduces the various features of SEAPATH, including virtualization, real-time operations, clusterization, time synchronization, tooling, and more. The project philosophy and long-term vision are also discussed.

There are increasing demands placed on embedded device and IoT manufactures to deliver a Software Bill of Materials (SBOM) that represents a list of all the software components (software parts) from which their devices are comprised. A part can be an application, library, software package, container and/or an entire Linux runtime. The effective management of these parts is a requirement regardless of whether one is generating SBOMs for license compliance, security assurance, export controls, or safety certification. Creating a SBOM requires a manufacturer to 1) define, 2) identify, 3) store and 4) retrieve core data about each of the 1000s (if not 10,000s) of software parts they use (often across multiple products). We present an open source solution, data model and workflow that enables manufactures to maintain a software parts catalog for all their devices. Once this is achieved, the generation of SBOMs using industry standards such as SPDX becomes both seamless and cost effective.

Banks traditionally have used mainframes for running mission-critical loads such as managing financial transactions and customer management. The banks trusted mainframes to run mission-critical due to reliability, data consistency, security, and performance. Recently, U.S. Bank migrated workloads to open-source distributed systems due to high operating costs and the necessity for the rapid addition of new features.  

U.S. Bank moved workloads from mainframes to Cassandra. The streaming solution (Spring boot, Kakfa, Spark) synchronized data between Cassandra and the mainframes in less than 500 milli seconds. Using this solution U.S. Bank (5th largest bank) able to move to 60% of requests to the new solution and reduce the mainframe utilization. The entire new infrastructure was based on open source and had to earn the bank's trust regarding reliability, data loss & consistency, security, and performance. 

In the talk, we would like to present the challenges and learnings in proving open-source-based solutions to match the gold standard of the mainframe in being mission-critical in terms of resiliency, data consistency, scale and performance. We also want to show how open-source exceeded expectations in cost savings, scale, and performance.

Hundreds of thousands of human hours are invested every year in finding security vulnerabilities with relatively simple fixes. These vulnerabilities aren’t sexy, cool, or new. We’ve known about them for years, but they’re everywhere! The scale of GitHub & tools like CodeQL (GitHub's code query language) enable scanning of vulnerabilities across hundreds of thousands of OSS projects, but the challenge is how to scale the triaging, reporting, and fixing. Simply automating the creation of thousands of bug reports by itself isn’t useful, and would be a burden on volunteer OSS maintainers. Ideally, the maintainers would be provided with not only information about the vulnerability, but also a fix in the form of an easily actionable pull request. When facing a problem of this scale, what is the most efficient way to leverage researcher knowledge to fix the most vulnerabilities across OSS? This talk will cover a highly scalable solution - automated bulk pull request generation. We’ll discuss the practical applications of this technique on real-world OSS projects. We’ll also cover technologies like CodeQL & OpenRewrite (a style-preserving refactoring tool created at Netflix and now developed by Moderne). Let’s not just talk about vulnerabilities, let’s actually fix them at scale.