DEV Community

Heapstack

FOSDEM 26 - a quick summary

Another year, another FOSDEM. I think my first one was 2014, but I’m not sure. I can conclude that just like myself, the hotel I usually stay at has started to be in a small need of renovation, and Brussels nowadays feels a tiny bit like another home. With that, let’s head into a summary of FOSDEM 2026.

The theme this year was policy, security and regulation. A lot of developers nowadays are very interested in these aspects, so much so, in fact, that you had to line up early to have a chance of attending the crowded rooms. This is good — software engineering is about far more than the code. The public was the general mix of youngsters, old gray beards, people from the EU departments, academia, companies, public sector, hobbyists. Despite the high interest in policy, there were still talks that deep dived into more obscure topics, so I don’t feel FOSDEM is losing its grassroots spirit, even though the talks are evolving.
Were there 10,000 visitors? I can only guess.

Saturday

My Saturday started with a strong brew coffee I luckily found at a coffee shop near the corner of the big university park. At the same time I was a bit stressed, as I started to fill in the bookmarks for the talks of the day. The reality is: you can’t make a plan to stick to for FOSDEM, but you can at least think that you are making one. So in the FOSDEM app, I just ticked off interesting talks during the day, knowing my schedule would change many times. And yes, it did.

Heading into the lovely chaos, me and my friends went to the welcome talk first. And… it was the first time for me that the room was so full we could not attend. A sign there were more visitors than ever at FOSDEM 2026? I don’t know. For sure, it was the first time that I missed it. Talk

I headed off to a quick talk about “with what and how should we sign our artefacts”. It pointed at the problems with current solutions, and that the infrastructure of Sigstore etc. might not be optimal from a sovereignty perspective. It gave no clear answers to these, but asked for more participation in solving them. It was a call to action. Talk

Next up was a talk about the current attestations ecosystem across different programming languages. It gave an overview of what is working and what the current challenges are. One insight was that most package systems have the provenance data, but might not have a standardized, easy way to consume it, and it surprised me. Talk

The package name resolution talk came next, and this was the first one where I did not really engage, as I was doing a bit of coding meanwhile. It’s one of those foundational layers, and the talk compared different ecosystems with their assumptions. Talk

Signing commits—yes, I’m all for it! Here we were presented with a solution that adds policy files to the project, instead of outsourcing it to a code hosting platform. An interesting idea, but I’m still not sure if I will use the spec in practice. How about signing commits with other standards like SSH signing? Talk

Then I made my way to a talk on package registry economics, and while we take these for granted, they are often a sensitive part of our critical infrastructure. Security is not just a technical problem but a sustainability problem. Talk

Time for lunch, and I don’t recall much. I said hi to some people and had a veggie burger from one of the booths. Quite OK, and the FOSDEM way of getting energy.

Up next for me was a talk on using fuzzing to detect backdoors. It was about applying fuzzing in smarter ways to notice when code behavior starts getting off. Suspicious patterns, unexpected side effects, and highly interesting. Talk

I ended the FOSDEM day with a talk on VEX (Vulnerability Exploitability eXchange). We can just accept that vulnerabilities are going to keep being discovered, so how can we communicate “what matters in all the information” in a way that both tools and humans can act on? Talk

After that, food and a long walk admiring the architecture of Brussels. Me and my friends ended up for a brief stint at a local pub, and then with a buzzing brain off to the hotel for a well-deserved sleep. :)

Sunday

Same place as Saturday, same brew coffee, energy restored. Filled out the schedule and off I went.

I started with a talk on Contextual SBOMs where the core idea is to build relationships between SBOMs so they have a deeper context beyond being these massive, flat ingredient lists. “What matters in this particular situation?” Often we generate SBOMs but the important thing is really, how do we use them and how do they improve our processes of handling security and license issues. Talk

Right after that was a talk on integrating VEX into open source workflows. Again it focused on how we can diminish the load of CVEs—and with VEX how we can improve our update flows. Talk

From a focus on supply chain security into CRA. First up was a session on the Cyber Resilience Act, FOSS, and compliance. This first talk was about things I already knew and was just giving an overview, without too much detail. This was for someone new to CRA more than if you’ve had a look already. Talk

After this CRA-focused talk came a really good one, watch this. Clear answers, detailed answers. What does it mean for A) a commercial actor, B) a public sector or NGO actor, Open Source Steward, C) a hobbyist maintainer with only sponsorships for basic costs? These were people speaking on the Commission’s behalf, and I left there with the feeling that CRA is great for citizen safety and great for Open Source developers. I think they succeeded in ensuring that this has the potential to be really good for open source. Talk

A short and crowded talk on SSH logins, comparing certificate-based authentication versus OPKSSH. Talk

After that I was running low on battery. That was it. Everything caught up and I just wanted a bit of silence, and to relax with some coding, coffee and a bit of chatting with people. I found a corner and improved my commitlint tool Gommitlint (please test it :). My friends also started to get tired so we just left… another FOSDEM done. Have you booked your next one?

Top comments (1)

Bogomil Shopov - Бого

Wow. Nice overview. Thanks!