In the wake of O’Reilly’s decision to exit their events business, including OSCON, a void was created. Among its other functions, OSCON served as the de facto annual gathering of forces within open source. While it’s distinct in some critical ways and can’t necessarily replicate the traction of its spiritual ancestor (in part because of OSCON’s densely packed venue), the Linux Foundation’s (LF) OSS Summit is arguably the best approximation of OSCON that exists in 2026. It transcends product categories, corporate boundaries and seniority levels to attract a mixed audience of young, old and everything in between.
It also, as mentioned, serves as a nexus for various powers within open source to meet – often accidentally – and exchange notes. It is, in the words of several open source people this week, a “favorite event.”
It’s also, by virtue of its attendees and focus, a valuable vantage point for observing macro trends and issues across open source at scale. Here are five takeaways from this year’s event.
AI and Data
When the OSI and other parties attempted to determine how and whether the term open source should be applied to AI models, data inevitably was the sticking point. The relationship of open source licenses to the source code components of the models was well understood. With data, not so much. Data licensing, unfortunately, is fractally more complex than for mere code.
It was not surprising, therefore, to see data singled out as one of the last holdouts to an open AI landscape. The LF has targeted this as an area of research and investment, with its CDLA family of licenses as one example.
There is, however, no consensus around data licenses, or even which entity should be the arbiter of same. The LF is appropriately focused on this as an area of necessary attention and investment, but how data licensing does or does not progress will certainly not be up to them alone.
Open Models
Research from the LF has apparently reached a similar conclusion to RedMonk’s own analysis: specifically that open models not only continue to compete with their closed, frontier counterparts, but that the gap between the two is closing over time.
This is interesting in the abstract, because having open alternatives to closed products has generally been beneficial to users. But it is of particular interest because of the stakes involved. Building and advancing frontier models, to date, has been fantastically expensive, and pushed startups in the space to pursue private capital investments in amounts previously unheard of. The return on these investments is predicated on several expectations, among them that the private models will become so indispensable that not paying the cost – even as costs rise – is unthinkable.
Open models that are becoming aggressively more capable at faster and faster rates introduce questions around these valuations, and the expectations of return. It will be interesting to monitor the tension between open and closed models in the year ahead, because it’s possible there’s a threshold of capability that users, individual and enterprise alike, regard as “good enough,” and that that threshold may be met by open models soon.
Security
Casting a pall over the success of open source more broadly were questions of security. As Jim Zemlin’s keynote quoted, the bill for deferred security investments for the industry as a whole is coming due. And we are not collectively prepared to pay it.
AI is both sides of the blade here. Via Project Glasswing, enabled by early access to Anthropic’s most capable model, security researchers are attempting to stay one step ahead and identify and patch vulnerabilities faster than they can be exploited.
But that is not scaling across the industry. AI is being used and used well by attackers, who are able to dial back the cost of creating exploits to near zero and – coupled with decades of social engineering expertise – to attack broadly, at scale and with velocity.
This has led to fundamentally misguided efforts like that of the NHS to close source hundreds of open repositories in an effort to protect them. Notwithstanding the fact that this type of action both doesn’t work and has no defensible academic foundation underneath it, it is inevitable that we’ll see more of it.
Open source is likely, in other words, to have to prove its security bona fides all over again.
Maintainer Burnout
One popular topic of conversation at this event was maintainer burnout. From user entitlement to security worries to infrastructure not built for the volume of inbound AI contributions, life for project maintainers has never been more challenging. Asked if AI was helping to mitigate that, one maintainer bluntly answered, “No.”
Maybe it will in time, or perhaps other process and infrastructure adjustments will ultimately result in improvements, but for now maintainers are faced with an increasing number of challenges with no commensurate adjustments in the resources at their disposal. The number of would-be contributors has skyrocketed in many cases; the number of maintainers has not.
This isn’t an LF problem, or at least it’s not strictly theirs to solve, but it is and remains very much an industry problem. One that does not get nearly the attention it deserves.
Who is the Next Generation of Open Source Defenders?
For decades, open source has found for itself new generations of advocates and defenders. Drawn to it by different paths, whether that was personal benefit, commercial opportunities or garden variety idealism, generations of technologists metaphorically handed off the responsibility for actively protecting open source to those coming up behind them who shared their sentiment.
It’s not clear, however, how much longer that shared responsibility can be sustained.
Open source has become, to a degree, a victim of its own success. Its ascension and then dominance made it something to take for granted, not something that needed to be cared for, nurtured and actively defended. Many developers today cannot remember a world not only in which open source didn’t exist, but one in which it wasn’t the dominant approach to building software. As a result, things like the ardent and assiduous defense of the literal definition of the term open source itself seem quaint at best and pedantic at worst. “Ok, boomer,” is one common response.
As those who have been around long enough to understand that, like democracy, open source needs to be guarded with vigilance age out and retire, the question is who will step up to take their place? The OSS Summit didn’t provide many answers in that regard, but if would-be defenders are out there, it’s presumably where they will first appear.
And if they don’t, maybe the event will have to recruit them more actively.

