From Code to Compliance at FOSDEM 2026
By Juan Rico
Over the FOSDEM week, one message became unmistakably clear: attestations and due diligence are no longer optional side topics; they are becoming foundational to the sustainability of open source in a regulated world.
At Code & Compliance, this reality was already evident in the level of engagement. The event sold out with 120+ participants, including maintainers, manufacturers, compliance professionals, policymakers, and tool builders. Participants actively worked through how trust, responsibility, and compliance can be implemented together without undermining open source collaboration. For those who couldn’t join us, session recordings from Code & Compliance are now available.
The conversations continued, and the themes of attestations and due diligence kept resurfacing. These were repeatedly discussed across multiple stages and side events at FOSDEM, turning separate sessions into a single, shared dialogue.
Attestations as an opportunity to sustain open source communities
Across both Code & Compliance and FOSDEM, discussions around attestations consistently converged on one key question: how to make them practical and proportionate. Attestations are not about adding bureaucracy to open source projects; they are about making existing community work visible, reusable, and valued.
The attestation work under way reflects this shift, with a two-tier model designed to accommodate the diversity of the ecosystem: lightweight attestations for smaller projects and components, and more in-depth models for larger, product-like projects.
Open source communities already invest significant effort in secure development practices, documentation, release processes, and vulnerability handling. Attestations provide a structured way to surface this work, allowing downstream users to understand how software is built and maintained, not just what it contains. This visibility is essential for long-term sustainability.
One particularly engaging session was the panel on sustaining FOSS, which brought together perspectives from open source foundations, industry, and public policy, including representation from the European Commission. The discussion explored what long-term sustainability looks like for open source in an increasingly regulated landscape and how responsibility can be shared across the ecosystem rather than concentrated in any one place.
Within the ORC community, attestation work is already taking shape through a collaborative, open process, with draft attestation models openly available for review and discussion. Community input remains essential at this stage, and maintainers, manufacturers, and other stakeholders are actively invited to engage with the current proposals and share their perspectives through ongoing discussions and a dedicated community survey.
Due diligence as a cooperative process
The conversation on due diligence followed naturally. Under regulations such as the Cyber Resilience Act, manufacturers are required to demonstrate that they understand and manage the risks in their software supply chains. What the events made clear is that due diligence cannot be achieved through paperwork alone, and it cannot be outsourced or automated without context.
Instead, due diligence depends on shared signals of trust: clear documentation, transparent processes, traceability, and active engagement with upstream projects. Attestations provide a practical way to make this cooperation visible and reusable, turning community practices into something manufacturers can rely on with confidence.
This reframes due diligence from a compliance burden into a collective responsibility, where value flows in both directions: manufacturers gain clarity and confidence, and open source projects gain recognition, support, and sustainability.
Join the conversation about due diligence in our Vulnerability Handling meetings, held every other Thursday starting on Feb 12 at 15:00 CET (14:00 UTC). See our community calendar.
Why cooperation is non-negotiable
A recurring insight across all discussions was simple but powerful: there is no sustainable path forward without cooperation.
Perhaps the most important takeaway from FOSDEM 2026 and the co-located events was the value of bringing the FOSS community together to talk openly about real use cases. Regulations like the CRA will affect everyone differently, but their success will depend on how well we understand those impacts and respond collectively.
FOSDEM reminded us that open source thrives when conversations are inclusive, grounded, and collaborative. Attestations and due diligence aren’t just compliance exercises; they’re opportunities to strengthen trust, resilience, and sustainability across our shared ecosystem.
