A frenetic week, from Software Heritage Symposium to FOSDEM 2025

The last few days of January and the first days of February were intense. I participated in several events leading up to FOSDEM 2025. SCANOSS generously sponsored my trip, allowing me to attend, represent them at various meetings, and share the Software Transparency Foundation‘s work in helping upstream developers create complete and accurate SBOMs. Besides my professional duties, I also volunteered. It was a busy and rewarding week.

Here’s a quick rundown of the events I attended:

  • Software Heritage Symposium (Jan 28-29, Paris), representing SCANOSS as a SwH sponsor
  • Open Regulatory Compliance WG Workshop on the CRA (Jan 30, Brussels), representing SCANOSS as an Eclipse Foundation member
  • FOSS License and Security Compliance Tools Workshop (Jan 31, Brussels), representing the Software Transparency Foundation
  • FOSDEM (Feb 1–2, Brussels)

Software Heritage Symposium 2025

My week started in Paris with the 2025 Software Heritage Symposium, an event that brings together its vibrant community and ecosystem. Hosted under the umbrellas of Inria and UNESCO, Software Heritage (SwH) relies on the support of sponsors like SCANOSS, not only for funding but also for guidance in its various strategic areas. I attended in a double capacity: as a SwH Ambassador and as deputy of Julián Coccia, CTO at SCANOSS, representing the company as a SwH sponsor.

I joined the sponsor dinner and participated in a dedicated session highlighting SwH's key achievements from 2024 and upcoming priorities for 2025. We wrapped up the session with a collaborative prioritization exercise, which I found very interesting. Having represented companies (including my own) in open source foundations and trade associations before, I’m a firm believer in involving the ecosystem in shaping technical and product roadmaps. Everyone benefits.

The public portion of the Symposium was well-attended, with an excellent lineup of speakers. Stefano Zacchiroli gave a very interesting presentation about how vulnerabilities propagate across dependency trees, based on research he participated in. At scale, this type of work could be highly valuable for the broader industry. I also suggest you watch the endorsement of SwH's activities by Tawfik Jelassi, Assistant Director-General for Communication and Information, Policies and Transformation at UNESCO, during the event opening. It was passionate.

The event clearly showed the wide range of work SwH does, both independently and with partners, in many different areas. Their results are important not only for software developers but for all industries.

Eclipse ORC WG Workshop

SCANOSS is a member of the Eclipse Foundation, the Open Regulatory Compliance Working Group (ORC WG), and the CRA Special Interest Group (CRA SIG). I support SCANOSS CTO, Julián Coccia, in representing the company there too.

As part of “FOSDEM Week”, the ORC WG hosted a workshop to push the CRA SIG’s agenda forward. This SIG includes many organizations, particularly those behind well-known open source projects, with deep experience in open source governance and compliance. Aligning such a diverse group takes time, patience, and, above all, trust.

Participants worked on several items, including the CRA FAQ, and we had the chance to engage with representatives from the European Commission and CEN-CENELEC. It was also a great moment to connect with others, including Eclipse Foundation staff and leaders. The workshop aligned this heterogeneous group around a few high-impact actions to raise awareness of the CRA and its implications. It’s encouraging to see so many open source foundations and projects actively participating and giving voice to developers and stakeholders alike.

Thank you to the Eclipse Foundation for making this happen. It was a modest yet significant step on a long road, I believe.

FOSS License and Security Compliance Tools Workshop

Unfortunately, I couldn’t attend the morning session of this workshop, led by Philippe Ombredanne, but I did participate in the afternoon session, which focused on user requirements. As in previous years, the event brought together open source SCA tool developers and users to exchange ideas, roadmaps, needs, and so on.

One of the standout moments was a talk by Daniel Stenberg, the creator of curl, who shared the project’s experience handling CVEs. His critique of the CVE scoring system led to a lively discussion. There was strong agreement in the room that the current scoring mechanism can encourage inflated scores, which in turn distorts risk perception for both users and open source projects.

It was great to see so many developers of open source SCA tools gathered in one place. Matias D’aloia, a developer from SCANOSS, was among them. Seeing SCANOSS engineers engaging directly in open source forums is something I value deeply. Expect to see more of that in the coming months.

FOSDEM

By the time I arrived at ULB for FOSDEM on Saturday, I was already out of energy. The concept of “FOSDEM week” keeps expanding, and more than four consecutive days of meetings and events is very tiring.

After my usual rounds through the booths (and picking up some KDE t-shirts), I had several meaningful conversations that day, both professional and personal.

I was there representing the Software Transparency Foundation, a relatively new non-profit that few attendees had heard of, which led to some great conversations. At the same time, SCANOSS continues doing important work in the open while growing its customer base, and supporting that effort is always energizing.

This year, Matias D’aloia gave a talk in the SBOM track on one of SCANOSS’s open data sets: the crypto_algorithms_open_dataset. This resource helps developers implement cryptographic algorithm detection in their open source SCA tooling (such as scanners). It is also the starting point for what will become the SPDX Crypto Algorithms List, similar in concept to the well-known SPDX License List.

Matias did a solid job with the presentation, and I had the opportunity to respond to an audience question about the Software Transparency Foundation.

By Sunday afternoon, I was completely exhausted. Although I stayed in Brussels until Monday, I skipped the usual Sunday night social gatherings.

Wrapping Up

Originally, I had planned to fly to London right after FOSDEM to attend OpenUK’s State of Open Conference 2025. Thankfully, I saw this coming well in advance and coordinated with SCANOSS to send someone else instead, which turned out to be a wise move. I haven’t attended that event yet, but I will eventually.

This week was long, intense, and productive. Next year, I’ll try to organize my schedule better so that I remain effective throughout all the events. I came back with more than enough notes, follow-ups, and new topics to explore, so many that I could skip the rest of this year’s conferences and still stay busy. That said, I’m glad I made it to FOSDEM. See you there in 2026.
