FOSDEM 2026 Sets Open Source Agenda Around Supply Chain Security and EU Compliance

Europe's largest open source conference puts software supply chain security front and center, with key tracks covering Sigstore attestations across major package ecosystems and EU Cyber Resilience Act readiness.

TechDrop Editorial

FOSDEM 2026, held January 31 through February 1 at the Université Libre de Bruxelles, put software supply chain security at the center of Europe's largest open source conference. The two-day event, preceded by the EU Open Source Policy Summit on January 30, drew thousands of developers, maintainers, and policy stakeholders to discuss the practical challenges of securing the open source ecosystem in the context of new European regulatory requirements.

Supply Chain Security Tracks

The software supply chain security track featured sessions on attestation and provenance verification across the major package ecosystems. Sigstore, the open-source project that provides keyless code signing for software artifacts, was the dominant technical thread. Presenters from npm, PyPI, RubyGems, and Maven Central demonstrated how their ecosystems are adopting Sigstore-based attestations to provide cryptographic proof that a published package was built from a specific source commit by an authenticated maintainer.
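The claim an attestation makes, that a given artifact was built from a specific source commit by a trusted builder, is only useful if the consumer checks it. The policy layer of that check, as an added illustration that is not code from the talks or from any registry's tooling: it assumes the Sigstore signature on the statement has already been verified by a client such as cosign, and every package name, digest, repository, builder id and commit value in the sample statement is constructed for the demo.

```python
import hashlib

# Constructed sample: an in-toto Statement with a SLSA v1 provenance predicate,
# the shape of the Sigstore-backed attestations the registries publish. Every
# name, digest, repository and commit value here is made up for the demo.
ARTIFACT = b"example-lib-1.2.3.tgz contents (constructed)"
COMMIT = "0123456789abcdef0123456789abcdef01234567"  # placeholder commit
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "example-lib-1.2.3.tgz",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {"resolvedDependencies": [{
            "uri": "git+https://github.com/example-org/example-lib@refs/tags/v1.2.3",
            "digest": {"gitCommit": COMMIT}}]},
        "runDetails": {"builder": {"id": "https://ci.example.invalid/builder"}},
    },
}

def check_provenance(statement, artifact, expected_repo, expected_commit,
                     trusted_builders):
    """Policy checks on a provenance statement whose Sigstore signature has
    already been verified by the client. Returns (ok, reason); artifact is
    the bytes actually downloaded, not a digest copied from metadata."""
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        return False, "not an in-toto v1 statement"
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        return False, "not a SLSA v1 provenance predicate"
    # The subject digest binds the statement to these exact bytes: a swapped
    # tarball fails here even when the statement itself is genuine.
    actual = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == actual
               for s in statement.get("subject", [])):
        return False, "artifact digest matches no subject"
    pred = statement.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        return False, f"untrusted builder {builder!r}"
    # Pin the source: the build must have consumed the expected repository at
    # the expected commit, not just something with a similar name.
    deps = pred.get("buildDefinition", {}).get("resolvedDependencies", [])
    for dep in deps:
        if (dep.get("uri", "").startswith("git+" + expected_repo + "@")
                and dep.get("digest", {}).get("gitCommit") == expected_commit):
            return True, "ok"
    return False, "expected source repository/commit not in resolvedDependencies"
```

A registry client that stops at signature validity without these checks would accept a genuinely signed attestation for the wrong artifact, builder or commit.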

The economics of package registries received dedicated attention in sessions organized by the Alpha-Omega initiative and the Open Source Security Foundation (OpenSSF). These sessions examined the sustainability challenges facing package registry operators — the organizations that maintain the infrastructure for distributing open source packages — and the funding models that might ensure their long-term viability. The XZ Utils backdoor incident in 2024 highlighted how a single compromised maintainer can threaten the integrity of widely-used packages, and FOSDEM sessions explored both technical and governance responses to that class of risk.

EU Cyber Resilience Act Readiness

The EU Open Source Policy Summit, held on January 30 as a pre-FOSDEM event, focused on the practical implications of the EU Cyber Resilience Act (CRA) for open source projects and the companies that depend on them. The CRA, which establishes cybersecurity requirements for products with digital elements sold in the EU market, has generated significant concern in the open source community about potential liability for volunteer maintainers and the compliance burden on small projects.

Sessions at the policy summit addressed digital sovereignty — the EU's strategic interest in maintaining control over its technology infrastructure — and the role of open source software in trusted AI infrastructure. The intersection of AI regulation and open source licensing is a growing area of policy complexity, as AI models increasingly depend on open source training frameworks, inference engines, and deployment tools.

Technical Highlights

Beyond supply chain security, FOSDEM 2026 featured notable technical demonstrations. XCP-ng, the open-source Xen-based hypervisor, showcased an Android virtual machine running on XCP-ng hardware and accessible from any device — a demonstration of desktop virtualization capabilities that extend the platform's reach beyond traditional server workloads. The OpenSSL Corporation and OpenSSF both maintained significant presences at the event, reflecting the ongoing investment in cryptographic infrastructure and security tooling that underpins the broader open source ecosystem.

FOSDEM's role as a barometer for open source community priorities is well-established. The strong 2026 focus on supply chain security, regulatory compliance, and ecosystem sustainability signals that these concerns have moved from niche governance discussions to mainstream engineering priorities for the open source community.