Title: FOSS Licensing and Security Compliance
Managers:
@Ayan_Mahapatra and @Lakshmiteja
Volunteers:
Intro:
The scale of open source software reused in products keeps increasing, and the US, EU, Indian,
and other governments have introduced cybersecurity compliance regulations for anyone
distributing software. So, what does this mean for developers?
Any software maintainer, producer, developer, and contributor needs to be aware of their
software dependencies, the risks associated with them, and how to manage software components efficiently.
This is most often done, and is now regulated, with SBOMs. FOSS compliance, both licensing and security,
is simplified by generating SBOMs and adding checks to the compliance process.
Our goal is for open source developers, users, and contributors to exchange requirements, plans,
and collaboration opportunities around FOSS tools for software license and provenance detection,
vulnerability management, regulatory compliance like SEBI regulations/CERT guidelines,
code scanning, container and package dependency analysis, SBOM creation and consumption,
and license or vulnerability databases - basically, all the tools you need to figure out
which FOSS code you use, where it comes from, what its license is, how to comply with that
license, and whether it contains vulnerable code.
Proof of Feasibility:
We’ve had multiple well-received talks/sessions on similar topics at individual FOSSUnited
chapters and IndiaFOSS conferences, to name a few:
- OSPOs and Organisations BOF (IndiaFOSS 2024)
- Demystifying SBOMs: Lakshmi Teja (IndiaFOSS 2024)
- FOSSUnited Bangalore, March 2024:
  - ScanCode to Reuse Code Safely: Ayan
  - Open Source Projects: Legal Issues: Biju K. Nair
- FOSSUnited, June 2024:
  - AI-generated Code and its Compliance: Lakshmi Teja
- There have been some proposals/discussions on this too:
At IndiaFOSS 2024, there was a Birds of a Feather (BoF) session on OSPOs and Organisations
which we attended, and there were lively and well-attended discussions there on all things
OSPOs, SBOMs and security/license compliance. Around 30 people participated,
and one hour wasn’t enough for all the interesting discussions we had there. We had to
relocate to a different area of the convention center to continue our discussions since
there were other sessions scheduled after ours.
Some of the volunteers have also been part of the team that organised the full-day FOSDEM fringe event,
the FOSS license and security compliance tools workshop by AboutCode, and we have attended the similar devrooms
organised every year at FOSDEM:
We were also community partners at IndiaFOSS 2024 and hosted two booths for community
organisations that we are a part of:
- OpenChain India WG
- AboutCode
Source Code Control also managed a booth at OSI 2024.
Number of volunteers requested for the devroom:
Proposal reviewers: 2
CFP:
Scope of talks:
- FOSS tooling and open data projects on licensing, vulnerabilities, community health metrics, compliance, software supply chain management
- Demonstrations of FOSS Software Composition Analysis (SCA) tools, OSS security solutions, and Application Security Posture Management (ASPM) platforms
- FOSS compliance tooling users and common issues
- SBOMs (Software Bill of Materials): tools that produce or consume SBOMs
- Use of different types of SBOMs (Source, Build, Deployed, Runtime, etc.) in the software supply chain
- Indian policy landscape on SBOMs/Compliance
- Case studies and lessons from OSPOs (Open Source Program Offices)
- Case studies and lessons from Security/Compliance teams
- Software supply chain problems and security issues
- Best practices and open standards in software supply chain
- Developer advocacy and open source communities in compliance
- Vulnerability advisories, open data, reporting and reachability
- Open source licensing, copyrights, patents
- Collaborative strategies to enhance OSS sustainability and security
- Best practices in AI deployment that align with FOSS compliance
Talks from open source communities on community-driven innovation and real-world applications will be preferred.
We welcome both technical talks and practical demos, with preferred durations of:
- 5 min (Lightning Talks)
- 20+5 min (Standard Sessions)
- 40 min (Panel Discussions)
This is after merging the CFPs for the following devrooms proposed above: