
What’s hot in the open source and embedded community?


AI, robotics, IoT, autonomous vehicles, and more – 2024 is proving to be an exciting year for technology. And the open source and embedded tech community is no exception.

Throughout the first quarter, the embedded and open source communities held various demanding but also highly rewarding in-person discussions. From FOSDEM to topic-specific gatherings, here are the top observations, thoughts, and insights gathered from five in-person events.

Welcome to the First Mender Community Meetup

Probably the most exciting way to start the year is by doing something completely new. Introducing the first-ever Mender Community Meetup!

Northern.tech hosted the Mender Community Meetup to be convenient to attend, network, and exchange ideas. What could be better than a nice dinner evening to kick-off the thrill of FOSDEM? Gathering on Friday evening, a highly diverse set of people joined to share their thoughts, time, and participate in great discussions. Needless to say, the conversation got quite technical, quite quickly!

Android in Automotive or AGL/Yocto? FreeRTOS or Zephyr? And what about that Raspberry Pi 5? Getting the RPi5 supported in the Open Source world beyond the official Raspberry Pi OS is sometimes extremely challenging, as its boot chain is highly opinionated. Konsulko's Leon Anavi joined, sharing his ongoing story of bringing support for the RPi5 to the U-Boot loader and a Mender board integration.


Image 1: (from left to right) Joël Guittet, Chris Simmons, Miroslav Petrov, Leon Anavi, Josef Holzmayr.

FOSDEM 2024: Nothing off the table

The Free and Open Source Developers European Meeting, or FOSDEM as the full name goes, is one of the prime go-to events for people interested in anything and everything free or open source – FOSS. The variety of topics is not just extraordinary, it is outright overwhelming. Embedded systems, databases, legal, Linux in space, software-defined radio, open hardware – whatever one can imagine, FOSDEM has got it covered.

For me, the very special thing about FOSDEM 2024 was that it felt like it had finally “arrived”, in a philosophical sense. Not only was this year the 20th installation of the event (if one counts correctly), but it also occurred after many of the rough, and sometimes challenging, edges had finally been sorted out. Food for lunch, anybody? Not to mention this year’s combination of extraordinary spirit and knowledge paired with recognition and participation by political and high-level organizations. FOSDEM 2024 was a special event.

It is very possible that the upcoming European Union Cyber Resilience Act (CRA) is a driving factor. What do the new regulations mean for FOSS developers in all their forms? A full track was dedicated to the legal aspects of CRA, and it was constantly packed. CRA-related topics were also a consistent theme. The Linux Foundation Europe, as a comparatively young organization, drew a lot of eyeballs on the OpenSSF project. And adjacent topics, such as software bill of materials (SBOM) generation and usage, gathered massive interest, taking rooms to their maximum capacity.

I had the great pleasure of joining the OpenEmbedded team at their table on Saturday, helping to grow awareness for custom Linux distributions, their reproducibility, and importance for long-term product maintenance. Over-the-air (OTA) updates play a crucial role for custom Linux distributions, and the new Mender stickers to spread the word did so even faster than I could put them on the table!


Image 2: OpenEmbedded, the Yocto Project, and Mender team up.

OpenEmbedded (OE) Workshop 2024

After more than 8000 hackers gathered for FOSDEM, the OpenEmbedded community joined for a successive workshop on the following Monday. And not surprisingly, the themes outlined at FOSDEM not only prevailed but were taken to great levels of detail during the OE Workshop.

What does security by design mean for an OpenEmbedded or Yocto-based project? How does one choose secure defaults? What does “secure” mean in your context?

Marta shared a plethora of findings from a security researcher's perspective. Moreover, while OE (and, therefore, also Yocto) always had a strong standing in SBOM generation, there are always new use cases, usability problems, and challenges emerging. The Software Package Data Exchange (SPDX) 3.0 standard aims to solve many issues, and Joshua gave a thorough update on its progress.

The fact that a room full of developers actively engaged on these topics, instead of asking for the latest and greatest in technology as in years past, indicates a change is happening. The days of “it compiles, ship it!” are over. Developers are genuinely interested in creating long-lived, maintainable, and regulatory-compliant solutions!


Image 3: Marta Rybczynska on secure defaults

Device Management Event

With our partner inovex GmbH, Northern.tech hosted a small event on the larger topic of device management. Anna-Lena Marx presented on USB-drive-based device updates and progressing to over-the-air solutions. And yours truly gave an overview of recent developments in the Mender Server 3.7 and Mender Client 4.0 releases. This was the first time that we could show a live Mender Server running on an ARM-based device!

However, the main value of the event was the discussions. Over coffee and desserts, attendees shared their current challenges in device fleet management, experiences, and more. One takeaway: vulnerability management in particular has been an underestimated and largely ignored area thus far. With the CRA coming, it’s not enough to just deploy software anymore. You must know which state of software is on which device – and react to reported vulnerabilities.

An Excel spreadsheet definitely doesn’t scale here! So, today’s vulnerability management will need to evolve beyond the software development and maintenance teams, including the service and support teams who actually work with the devices, either remotely or on-site.

Oh, and more Mender swag and stickers!


Image 4: Mender swag at the Device Management Event

Building IoT Conference

Two days packed with insights on creating the industrial internet of things – that is the promise of the Building IoT conference. And somewhat unsurprisingly, current regulatory developments combined with the challenges of long device lifecycles raised great interest in the audience.

As opposed to the more development-oriented aspects at FOSDEM, the process side was discussed more intensely at the Building IoT event. How to issue and manage device identities? What about the release process, and how to match it to device provisioning? I presented on my understanding of modern artifact release requirements, which go way beyond just the software itself and also encompass license tracing, software bill of materials, source code archives, and more.


Image 5: Josef Holzmayr on the stage of the Building IoT conference

Key takeaways

Boiled down to one takeaway: software sustainability, maintenance, and security are the theme for 2024. 

Why not CRA, NIS2, or whatever keyword or regulation you feel most strongly about? Because it is not the specific standard or requirement that matters. Yes, all standards and regulations bring some aspect or factor to the table. Software supply chain management, the software bill of materials, the requirements to provide software updates for connected devices for five years – all of these are challenges of their own, each having their respective purpose and benefits. Some are very technical, but others are highly process oriented and sometimes even a bit philosophical. Yet, all of them have one thing in common: they want to make producers, vendors, and customers alike aware of the need to secure the world’s connected devices. And this is something that we, as Northern.tech, don’t just agree with. It’s why our company exists.
