FOSDEM 2026 ran last weekend in Brussels with its usual dense schedule of talks across open source projects and communities. Package management had a strong presence again this year, with a dedicated devroom plus related content scattered across the Distributions, Nix and NixOS, and SBOMs and Supply Chains tracks.
Main Track Talks
Kenneth Hoste presented How to Make Package Managers Scream, a follow-up to his FOSDEM 2018 talk about making package managers cry. Hoste showcased the creative and effective ways in which open source software projects go one step further and make package managers scream, along with tools that try to counter these practices.
Mike McQuaid gave What happened to RubyGems and what can we learn?, which examined the February 2024 RubyGems and Bundler infrastructure incident.
Package Management Devroom
The Package Management devroom, which I organized with Wolf Vollprecht, ran on Saturday with nine talks covering security, standards, and practical implementation challenges.
Adam Harvey opened with A phishy case study about the September 2024 phishing attack on crates.io. The attack targeted popular crate owners as part of a wider campaign across language ecosystems. Harvey detailed how the Rust Project, Rust Foundation, and Alpha-Omega collaborated to mitigate it rapidly. Mike Fiedler posted a follow-up on Mastodon describing how attackers were able to circumvent 2FA. In short, TOTP 2FA is not phishing-resistant (unlike WebAuthn or passkeys), so TOTP codes can be collected and forwarded to the target service in the same way that passwords are.
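To make the difference concrete, here is an added example (not code from the talk or from the Mastodon post) that puts a minimal RFC 6238 TOTP verifier next to a stripped-down WebAuthn-style verifier. The TOTP side is the real algorithm (HMAC-SHA1, 30-second step, 6 digits) and can be checked against the RFC test vectors. The WebAuthn side keeps only the part that gives phishing resistance: the browser, not the web page, writes the page origin into clientDataJSON, and the signature covers its hash, so the relying party can reject an assertion produced on any other origin. HMAC with a per-credential key stands in for the real public-key signature, and the look-alike origin and challenge are constructed values.

```python
import hashlib
import hmac
import json
import struct
import time
from typing import Optional, Tuple

# ---- TOTP (RFC 6238 on top of RFC 4226 HOTP; SHA-1, 30 s step, 6 digits) ----

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: Optional[int] = None, step: int = 30) -> str:
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step)

def totp_service_accepts(secret: bytes, submitted: str, at: Optional[int] = None) -> bool:
    """The real service can only check that the code is valid for the current
    time step. Nothing in the code says which page the user typed it into."""
    return hmac.compare_digest(totp(secret, at), submitted)

def totp_relayed_code_is_accepted(secret: bytes, at: int) -> bool:
    """The failure mode from the post: the victim reads the code from their
    authenticator app, enters it on a look-alike page, and the page forwards it."""
    code_entered_on_lookalike_page = totp(secret, at)
    return totp_service_accepts(secret, code_entered_on_lookalike_page, at)

# ---- WebAuthn-style assertion, reduced to the origin binding that matters ----

RP_ID = "crates.io"                 # relying-party id from the incident above
RP_ORIGIN = "https://crates.io"     # the only origin the RP will accept

def browser_sign_assertion(cred_key: bytes, challenge: str, page_origin: str) -> dict:
    """What browser + authenticator return. The browser writes `origin` into
    clientDataJSON itself; the page cannot change it, and the signature covers it.
    HMAC with a per-credential key stands in for the real ECDSA signature."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    # authenticatorData = rpIdHash (32 bytes) | flags (UP set) | signCount (4 bytes)
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def rp_verify_assertion(cred_key: bytes, expected_challenge: str, a: dict) -> Tuple[bool, str]:
    """Relying-party side: type, challenge, origin and rpIdHash are checked before
    the signature, and the origin check is what defeats a relayed assertion."""
    cd = json.loads(a["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if a["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = a["authenticatorData"] + hashlib.sha256(a["clientDataJSON"]).digest()
    if not hmac.compare_digest(hmac.new(cred_key, signed, hashlib.sha256).digest(), a["signature"]):
        return False, "bad signature"
    return True, "ok"

CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl"   # constructed; the RP issues a fresh one per login

def webauthn_direct_login_is_accepted(cred_key: bytes) -> bool:
    a = browser_sign_assertion(cred_key, CHALLENGE, RP_ORIGIN)
    return rp_verify_assertion(cred_key, CHALLENGE, a)[0]

def webauthn_relayed_assertion_is_accepted(cred_key: bytes) -> bool:
    """Same relay as for TOTP: the look-alike page forwards the RP's challenge to
    the victim's browser. A real browser would refuse to use a crates.io credential
    on another domain at all; even if it did, the recorded origin is the
    look-alike's (constructed value), and the RP rejects the assertion."""
    a = browser_sign_assertion(cred_key, CHALLENGE, "https://lookalike.example")
    return rp_verify_assertion(cred_key, CHALLENGE, a)[0]
```

With the RFC 4226 test secret `12345678901234567890`, `totp(secret, at=59)` yields `287082`, and the relayed TOTP code is accepted because the service has nothing to compare against except the code itself; the relayed WebAuthn assertion is rejected at the origin check even though the challenge and signature are valid.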
Zach Steindler presented Current state of attestations in programming language ecosystems, comparing how npm, PyPI, RubyGems, and Maven Central have implemented attestations over the past few years. These attestations provide build provenance by linking packages to exact source code and build instructions, distributed as Sigstore bundles. Steindler covered the APIs for accessing attestations in each ecosystem and discussed implementation tradeoffs.
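As an added example of what a consumer does with such an attestation once it has been fetched (this is not the talk's code and not any registry's API), the block below checks a build-provenance attestation against a downloaded artifact. The artifact, key, builder id and source repository are constructed placeholders. The payload is an in-toto Statement v1 with a SLSA v1 provenance predicate, wrapped in a DSSE envelope the way Sigstore bundles carry it; the DSSE signature is checked over the pre-authentication encoding with HMAC as a stand-in for the certificate and ECDSA checks that sigstore tooling performs. The policy checks that follow the signature (subject digest, builder identity, source repository) are the part a package manager has to get right.

```python
import base64
import hashlib
import hmac
import json
from typing import Tuple

# Constructed sample values: the downloaded artifact, a key standing in for the
# signer's certificate, and the policy we want to enforce (placeholder ids).
ARTIFACT = b"constructed wheel contents\n"
VERIFY_KEY = b"constructed-attestation-signing-key"
EXPECTED_SOURCE = "git+https://github.com/example-org/example-pkg"   # placeholder repo
TRUSTED_BUILDERS = {"https://builder.example/hosted"}                # placeholder builder id
PAYLOAD_TYPE = "application/vnd.in-toto+json"

def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the exact bytes a DSSE signature covers."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)

def make_bundle(statement: dict, key: bytes) -> dict:
    """Wrap a statement in a DSSE envelope the way a Sigstore bundle carries it."""
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"dsseEnvelope": {"payloadType": PAYLOAD_TYPE,
                             "payload": base64.b64encode(payload).decode(),
                             "signatures": [{"sig": base64.b64encode(sig).decode()}]}}

STATEMENT = {   # constructed in-toto Statement v1 + SLSA provenance v1
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "example_pkg-1.2.3-py3-none-any.whl",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://builder.example/build-types/python@v1",   # placeholder
            "externalParameters": {"workflow": {"ref": "refs/tags/v1.2.3"}},
            "resolvedDependencies": [
                {"uri": EXPECTED_SOURCE + "@refs/tags/v1.2.3",
                 "digest": {"gitCommit": "0" * 40}}]},                    # placeholder commit
        "runDetails": {"builder": {"id": "https://builder.example/hosted"}}},
}
BUNDLE = make_bundle(STATEMENT, VERIFY_KEY)

def verify_provenance(bundle: dict, artifact: bytes, key: bytes,
                      expected_source: str, trusted_builders: set) -> Tuple[bool, str]:
    env = bundle["dsseEnvelope"]
    payload = base64.b64decode(env["payload"])
    # 1. Signature over the PAE, not over the raw payload. Real bundles carry an
    #    ECDSA signature, a Fulcio certificate and a Rekor entry, which sigstore
    #    tooling checks; HMAC with a shared key stands in for all of that here.
    expected = hmac.new(key, pae(env["payloadType"], payload), hashlib.sha256).digest()
    if not any(hmac.compare_digest(expected, base64.b64decode(s["sig"])) for s in env["signatures"]):
        return False, "signature does not verify"
    # 2. Statement and predicate types.
    st = json.loads(payload)
    if st.get("_type") != "https://in-toto.io/Statement/v1":
        return False, "not an in-toto v1 statement"
    if st.get("predicateType") != "https://slsa.dev/provenance/v1":
        return False, "not SLSA v1 provenance"
    # 3. The attested subject must be the bytes we actually downloaded.
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest for s in st.get("subject", [])):
        return False, "artifact digest is not among the attested subjects"
    # 4. Builder identity is read from the provenance and compared to policy.
    builder = st["predicate"].get("runDetails", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        return False, "untrusted builder: " + str(builder)
    # 5. The source the build ran from: compare the repo part exactly, not as a prefix.
    deps = st["predicate"].get("buildDefinition", {}).get("resolvedDependencies", [])
    sources = [d.get("uri", "") for d in deps if d.get("uri", "").startswith("git+")]
    if not any(u.split("@", 1)[0] == expected_source for u in sources):
        return False, "source repo mismatch: " + ", ".join(sources)
    return True, "ok"
```

Each check fails closed: a bundle whose subject digest does not match the downloaded bytes, whose builder is not on the allow-list, or whose resolved source is a different repository is rejected even though its signature is valid, which is the point of consuming provenance rather than just a signature.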
Gábor Boskovits explored Name resolution in package management systems - A reproducibility perspective, comparing how different systems handle package dependencies. He looked at language-specific package managers with lock files (Cargo), typical distributions (Debian), and functional package managers (Nix and Guix), then reflected on these approaches from a reproducible builds angle.
Ryan Gibb presented Package managers à la carte: A Formal Model of Dependency Resolution, introducing the Package Calculus. This formalism aims to unify the core semantics of diverse package managers, showing how real-world features reduce to the core calculus. Gibb demonstrated Pac, a language for translating between distinct package managers and performing dependency resolution across ecosystems.
Matthew Suozzo gave Trust Nothing, Trace Everything: Auditing Package Builds at Scale with OSS Rebuild. While reproducible builds confirm that artifacts match expectations, they treat the build process as a black box. OSS Rebuild instruments the build environment to detect malicious behavior in real time, using a transparent network proxy to uncover hidden remote dependencies and an eBPF-based system analyzer to examine build behavior.
Philippe Ombredanne returned with PURL: From FOSDEM 2018 to international standard. Package-URL was first presented at FOSDEM eight years ago and has now become an international standard for referencing packages across ecosystems. Ombredanne highlighted PURL’s adoption in CVE format, security tools, and SCA platforms, and its journey from community project to Ecma standard with plans for ISO standardization.
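For readers who have not worked with the format, here is an added example (not the talk's code and not the packageurl-python library) of a Package-URL parser and serializer that follows the parsing order of the purl spec: subpath, qualifiers, scheme, type, version, then name and namespace, with percent-decoding of the individual components. Type-specific normalization is implemented only for the types spelled out in the code; the spec defines rules for many more.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import quote, unquote

@dataclass
class PackageURL:
    type: str
    name: str
    namespace: Optional[str] = None
    version: Optional[str] = None
    qualifiers: Dict[str, str] = field(default_factory=dict)
    subpath: Optional[str] = None

def _split_right(s: str, sep: str):
    """Split once from the right; the right part is "" when sep is absent."""
    left, found, right = s.rpartition(sep)
    return (left, right) if found else (s, "")

def parse_purl(purl: str) -> PackageURL:
    s = purl.strip()
    # 1. subpath: after the last '#'; drop empty, '.' and '..' segments, decode each
    s, raw_subpath = _split_right(s, "#")
    segs = [unquote(x) for x in raw_subpath.strip("/").split("/") if x not in ("", ".", "..")]
    subpath = "/".join(segs) or None
    # 2. qualifiers: after the last '?'; key=value pairs joined by '&', keys lowercased,
    #    values percent-decoded, pairs with an empty value discarded
    s, raw_qual = _split_right(s, "?")
    qualifiers: Dict[str, str] = {}
    for pair in (raw_qual.split("&") if raw_qual else []):
        key, _, value = pair.partition("=")
        if value:
            qualifiers[key.lower()] = unquote(value)
    # 3. scheme must be 'pkg' (case-insensitive); leading/trailing '/' are ignored
    scheme, _, s = s.partition(":")
    if scheme.lower() != "pkg":
        raise ValueError("not a purl: %r" % purl)
    s = s.strip("/")
    # 4. type: up to the first '/', lowercased
    ptype, _, s = s.partition("/")
    ptype = ptype.lower()
    if not ptype or not s:
        raise ValueError("purl needs a type and a name: %r" % purl)
    # 5. version: after the last '@' (an '@' inside a namespace is %40-encoded)
    s, raw_version = _split_right(s, "@")
    version = unquote(raw_version) or None
    # 6. name is the last '/' segment; everything before it is the namespace
    ns_part, _, raw_name = s.rpartition("/")
    ns_segs = [unquote(x) for x in ns_part.strip("/").split("/") if x]
    namespace = "/".join(ns_segs) or None
    name = unquote(raw_name)
    # 7. type-specific normalization (only these types are handled here)
    if ptype == "pypi":
        name = name.lower().replace("_", "-")
    elif ptype in ("github", "bitbucket"):
        name = name.lower()
        namespace = namespace.lower() if namespace else None
    if not name:
        raise ValueError("purl has an empty name: %r" % purl)
    return PackageURL(ptype, name, namespace, version, qualifiers, subpath)

def to_purl(p: PackageURL) -> str:
    """Canonical string form: components percent-encoded, qualifiers sorted by key."""
    enc = lambda x: quote(x, safe="")
    out = "pkg:" + p.type
    if p.namespace:
        out += "/" + "/".join(enc(seg) for seg in p.namespace.split("/"))
    out += "/" + enc(p.name)
    if p.version:
        out += "@" + quote(p.version, safe=":")
    if p.qualifiers:
        out += "?" + "&".join("%s=%s" % (k, quote(v, safe=":/")) for k, v in sorted(p.qualifiers.items()))
    if p.subpath:
        out += "#" + "/".join(enc(seg) for seg in p.subpath.split("/"))
    return out
```

The parsing order matters because '@', '/' and '?' can legitimately appear inside later components: a scoped npm namespace is written `%40angular`, so splitting the version off at the last '@' before decoding keeps the two apart, and a subpath such as `googleapis/api/annotations` is removed first so its slashes never reach the name/namespace split.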
Vlad-Stefan Harbuz spoke about Binary Dependencies: Identifying the Hidden Packages We All Depend On, examining dependencies that don’t appear in standard package manager manifests. Related: the C-shaped hole in package management.
Michael Winser discussed The terrible economics of package registries and how to fix them, looking at the sustainability challenges facing package registry infrastructure.
Mike McQuaid closed the devroom with Package Management Learnings from Homebrew, covering lessons from 16 years of maintaining Homebrew and the recent v5.0.0 release.
Distributions Devroom
The Distributions devroom on Sunday covered 16 talks about building and maintaining Linux distributions.
Daniel Mellado and Mikel Olasagasti tackled Packaging eBPF Programs in a Linux Distribution: Challenges & Solutions. eBPF introduces unique challenges including kernel dependencies, CO-RE relocations, pinning behavior, and version-aligned tooling. They explored specific issues in Fedora like pinned maps, privilege models, reproducible builds, SELinux implications, and managing kernel updates.
František Lachman and Cristian Le presented From Code to Distribution: Building a Complete Testing Pipeline about the Packaging and Testing Experience (PTE) project. The project bridges upstream-to-downstream testing with tmt (test management framework), Testing Farm (on-demand test infrastructure), and Packit (integration glue).
Robin Candau discussed Relying on more transparent & trustworthy sources for Arch Linux packages. Recent supply chain attacks prompted Arch Linux to establish updated guidelines for selecting trustworthy package sources to prevent or mitigate security threats.
Fabio Valentini presented Distributing Rust in RPMs for fun (relatively speaking) and profit, covering his work as the main maintainer of Rust packages in Fedora and primary developer of the tooling for packaging Rust crates as RPMs.
Till Wegmüller discussed (Re)Building a next gen system package Manager and Image management tool about IPS (Image Packaging System), a component from OpenSolaris used extensively in OpenIndiana. Wegmüller covered IPS history, current capabilities, core concepts including repositories, packages, FMRI, facets, variants, and manifests, plus plans to port IPS to Rust.
Nix and NixOS Devroom
The Nix devroom on Saturday packed in 19 talks about the functional package manager and operating system.
Philippe Ombredanne presented Nixpkgs Clarity: Correcting Nix package license metadata, on improving the quality of license metadata in Nixpkgs.
Julien Malka and Arnout Engelen introduced LILA: decentralized reproducible-builds verification for the NixOS ecosystem, a system for verifying reproducible builds across the Nix ecosystem.
TheComputerGuy spoke about Describing Nix closures using SBOMs, bridging Nix’s dependency model with SBOM standards.
Ryan Gibb also presented Opam’s Nix system dependency mechanism, exploring how OCaml’s opam package manager integrates with Nix for system dependencies.
SBOMs and Supply Chains
Philippe Ombredanne and Steve Springett presented Forget SBOMs, use PURLs in the SBOMs and supply chains devroom, arguing that Package URLs provide a more practical foundation for identifying software components than full SBOMs in many contexts.
Karen Bennet discussed What is new in SPDX 3.1 which is now a Living Knowledge Graph, covering the latest SPDX specification updates and its evolution into a knowledge graph model.
Ariadne Conill presented C/C++ Build-time SBOMs with pkgconf, showing how to generate SBOMs during the build process for C/C++ projects.
Ev Cheng and Sam Khouri spoke about Enhancing Swift’s Supply Chain Security: Build-time SBOM Generation in Swift Package Manager, demonstrating similar capabilities for Swift.
HPC and Scientific Computing
Harmen Stoppels presented Spack v1.0 and Beyond: Managing HPC Software Stacks, covering the first stable release of Spack, a package manager for supercomputers that now handles builds for systems with tens of thousands of cores.
Ludovic Courtès spoke about Package management in the hands of users: dream and reality, discussing Guix deployment in high-performance computing environments.
Helena Vela Beltran gave Status update on EESSI, the European Environment for Scientific Software Installations, covering the project that builds on EasyBuild and Spack to provide a shared software stack for HPC systems across Europe.
Other Tracks
The Python track included Jarek Potiuk’s Modern Python monorepo with uv, workspaces, prek and shared libraries, covering uv, the new Python package manager that’s been gaining adoption.
Simon Josefsson presented Guix Container Images - and what you can do with them in the declarative computing track, showing how to build and use container images with Guix.
The Security track included Using Capslock analysis to develop seccomp filters for Rust (and other) services by Adam Harvey, connecting package build analysis with security policies.
The Design track featured Designing attestations UI: The Security and Safety of OSS package supply chain, examining user interface design for package attestation systems.
I also presented git blame for your dependencies in the /dev/random track about git-pkgs.