Trip report from FOSDEM and CfgMgmtCamp
Hi everyone,
I wanted to share some thoughts and observations from FOSDEM and CfgMgmtCamp. So here’s my trip report, if you’d like to read through it.
There were some definite themes this year. AI seemed ubiquitous, especially in the keynotes. There seemed to be extreme perspectives as well as some very thoughtful takes. A lot of it was scary and some of it was kind of sad. There were calls to arms. There was also optimism.
This year also featured an ongoing conversation around digital sovereignty. Mitigating the risk of technological dependence is a topic that has many facets. I attended several sessions dedicated to the topic as well as listening to a panel discussion. Not to mention the many lively chats that took place in hallways and at dinners.
Digital sovereignty really boils down to choice and the freedom to migrate. This is absolutely vital for the resilience of the digital infrastructure of our modern world. How much comes down to us-east-1 at the end of the day? And is that really a good thing?
For the Ansible community, CfgMgmtCamp presents a fantastic opportunity to get together with each other and Ansible at Red Hat engineers to share ideas, plan work for the year ahead, and define priorities.
CfgMgmtCamp has a special tone, a vibe, and I left inspired and energized. I hope that my findings, as I describe them here, can pass on some of those CfgMgmtCamp vibes and give you some of that same inspiration and energy.
AI Native Automation: How I learned to stop worrying and love Claude
Adam Jacob: Monday, Feb 02. Session link. YouTube video. (inappropriate language warning)
I’ve seen Adam Jacob present before when introducing System Initiative in 2023. As a speaker, he has the most rock and roll energy that you’ll probably get at a tech conference. This year he turned it up to 11.
About 6 months ago, Adam claims he saw a glimpse of what’s coming to infrastructure automation. He contends that the velocity gains from AI in software development are so high that it has too much utility as a technology to be anything other than the future of software development.
When software development accelerates, operations and infrastructure always follow. Software needs services to run on and infrastructure is the bottleneck.
If he’s right then only the design and planning phases of software development are where humans are in the loop. The velocity is already here, Adam says. Trust your agents on implementation, test, and review and let them rip.
50k lines of working code a day sounds wild. According to Adam, “good is good” though and agents give teams all the velocity they’ll ever need.
But what happens if we lock out contributors by narrowing the activities of software development to only those who can express software architecture designs in precise technical terms?
Limiting participation restricts the diversity of view and opinion that ultimately gives a better result, especially when you’re solving problems for humans.
There’s a lot you can say about Adam’s talk. But I think he’s right. We need to figure this out.
The exploitation paradox in open source
Richard Fontana: Monday, Feb 02. Session link. YouTube video.
I enjoyed this talk a lot and decided to put it second in my trip report. Richard delivered his talk before Adam Jacob. However I feel like Adam gives a vivid description of the concentration of power that is at the center of what Richard Fontana’s talk was about.
If you don’t know him, Richard Fontana is a legend (he even has a Wikipedia page). As Red Hat legal counsel Richard has provided guidance and assistance to the Ansible community and countless others. He also gave some very insightful, and useful, feedback on a lunch and learn presentation that I gave on the topic of the open source development model once. So I was really excited to hear him speak at the event and couldn’t wait to hear his thoughts.
In his talk, he explores how open source has experienced various crises and how we’ve adapted to preserve freedom.
Richard’s entire session is worth listening to. He delves into open source history a little and shares some interesting insights about the legal side of things. Richard himself admits that his talk was a little half-baked. Maybe his points are a bit fuzzy in places. However he sees a major challenge facing open source clearly.
Within AI the word “open” is mostly a meaningless signal with no substance. The only thing AI really has to do with open source is that it is technology built on ecosystems of open source projects. Richard also highlights the main issue is that AI models just simply cannot meet the normative definition of “open” like software can. There is an extreme lack of transparency with the training data for AI models, although there are models that are open weighted and publish their weights and architecture for training.
Richard shows us that the way we conceptualize open source is rooted in the past. To deal with the complex problems that we’re facing, we need to totally rethink the traditional notion of freedom. Richard goes on to say that the notion of freedom is a static concept and proposes what he calls “mobile freedoms”.
Richard’s mobile freedoms redefine the original four freedoms of the FSF as follows:
- The freedom to run software is redefined as the freedom to reproduce.
If you can’t recreate the environment and conditions to run code, the freedom to run is meaningless.
- The freedom to study software becomes the freedom to verify.
Without verification, claims about governance, security, or behaviour are simply performative.
- The freedom to modify source code changes to the freedom to participate.
It’s not enough to have the technical ability to change code. You need the ability to meaningfully shape the direction of the project itself.
- The freedom to share and distribute software becomes the freedom to exit.
When exit is too costly, forking becomes purely symbolic. If you don’t have expertise or resources, the freedom to fork is too costly to exercise.
Finally Richard also introduces a fifth new freedom in stewardship. He explains this as the counterweight to his reimagined four freedoms. It’s important to take care of open source communities. The work that is needed to sustain them should be elevated to the foundational level.
Richard closes his session on a positive note saying that open source has survived as long as it has because it is self-correcting. While asymmetry in the balance of power is inevitable, we need to keep open source moving by coming up with new ways of alleviating those concentrations of power.
I really like how Richard reimagines freedoms based around real human activities and characteristics too. I think he’s on the right track.
The Gilded Age of Open Source is over
Joe Brockmeier: Tuesday, Feb 03. Session link. YouTube video.
Like Richard Fontana, Joe takes on some of the challenges facing open source and examines what the future might hold. Joe draws a few interesting parallels from history to examine how we’re shifting into a new era where developers are no longer “kingmakers” and AI is everywhere, whether you want it or not.
He makes a pretty solid case to back up his claim that the salad days are over. It’s something everyone should pay attention to, especially if you are passionate about open source.
The most compelling section of Joe’s talk is close to the end, though, when he asks “Do we care?” Do we care if open source fades into a niche activity for hobbyists like ham radio? Because if we do care, and don’t want to see that happen, then it’s up to us to get involved.
Almost referring to Richard Fontana’s session the day before, Joe explains how it is necessary to redefine open source beyond licenses. He also talks about the need to mentor others and impart open source values. Get involved and participate. Joe ends his talk with a quote from a Dr Seuss book, The Lorax:
Unless someone like you cares a whole awful lot, nothing is going to get better. It’s not.
At a couple of points Joe references the Log4Shell experience at the Apache Software Foundation (ASF) and points out that the burden of responsibility isn’t just individuals. It’s not enough for organizations to pay maintainers and walk away. A progressive era for open source is possible. But we all have to participate and build together.
Digital sovereignty at FOSDEM
I’m going to rewind to FOSDEM and pick up on the topic of digital sovereignty.
Yes, it’s political. But, as Joe Brockmeier put it in his session, if you don’t think open source is political then you haven’t been paying attention.
Back in Brussels, on the Saturday before CfgMgmtCamp, I made it into the DevRoom for Building Europe’s Public Digital Infrastructure. As a conversation, digital sovereignty covers a lot of ground. It can start getting emotive when addressing the motivations to pursue digital sovereignty. There is the immediate alarm of statements such as von der Leyen’s caution on weaponised dependencies. You can also find longer term strategic investments from public institutions in Africa who aim to avoid colonial schemes.
In all these cases, though, digital sovereignty is really a discussion about choice. It’s about the freedom to move.
Digital sovereignty is about much more than building out cloud stacks, it’s about educating humans and lifting each other up. Getting involved and imparting skills and enabling others. It’s also about defining open standards that hold everything together. What if we can reimagine software development models as something different than the venture capital, Silicon Valley unicorn approach where the winner takes all to a sustainable foundation? What if software was recognized as culture like humanities such as art, music, or theatre?
If these things interest you, then consider checking out these sessions:
- Kurt Garloff goes into some detail about this in his session, Digital Public Infrastructure for the World. You can find a PDF of his slides in that session. No recording (there were some technical issues at the start). Kurt introduces the Sovereign Cloud Stack (SCS) as a form of resilient cloud computing built on knowledge sharing and operational skills as well as technical standards that make it easy to move or to federate.
- Ben Cerveny’s session, The Public Product Organization as a Vehicle for International Collaboration & Stewardship for DPI, was thankfully recorded. Ben is president and co-founder of a non-profit that provides collaboration frameworks between public administrations that are building digital public infrastructure and various open source projects. Ben’s talk explores how the wider, unstructured open source community can gain representation in the world of government policy through a new type of NGO called a Public Product Organization.
- Sebastian Kawelke and Frederic Noppe held a session titled, Securing the software supply chain for the public sector. I was interested in this talk because, as a security topic, it relates to the Cyber Resilience Act (CRA) and how the increase of incidents of malicious packages has been skyrocketing in the past couple of years. The speakers gave a good overview of DevSecOps and Shift-Left concepts and then explained how they have worked with public institutions in Germany to share hardened images (available here) that have already been assessed for dependency vulnerabilities. I found this to be a pretty inspiring example of how open source values played a strong role in protecting critical public digital infrastructure.
You can also find more in the DevRoom page for Building Europe’s Public Digital Infrastructure. Now let’s get back to CfgMgmtCamp.
Everyday I’m hustling
Ben Ford: Tuesday, Feb 03. Session link. YouTube video.
I’ve got to know Ben as a co-organizer for CfgMgmtCamp and always look forward to hearing what he has to say. He draws from his knowledge gained as a Puppet community manager.
At the 2025 conference, Ben delivered one of the best keynotes (It’s all about the ecosystem, bby). And you should go listen to it if you missed it last year.
It has been interesting, and encouraging, to see how Ben has found his feet after the community rugpull, after which he launched OverlookInfratech and got heavily involved in the OpenVox fork.
This year Ben was back with an update on his company and shared some insights on what he has learned about making a business work. You start with a problem that people have, not an idea. To build a solution it has to be better than everybody else’s out there. This requires a lot of people with money to invest.
Ben and his team have reached $1m in revenue and are continuing to climb. But Ben defines success as sustainability, not a moonshot. He’s making a genuine effort to build a better future and out there hustling to somehow make a difference in the world. It’s good to see.
Dopamine, Dunning-Kruger, and a Life in Technology: Why We’re All Confidently Wrong About Everything (And That’s Okay)
James Freeman: Tuesday, Feb 03. Session link. YouTube video.
Ignite talks are a really difficult format for even the most seasoned public speaker. You have 5 minutes in which to establish context, build a narrative arch, and then deliver some kind of point or resolution.
James Freeman is a regular at Ansible events, whether in his official capacity or as someone who is plainly enthusiastic about open source. James is always there to share knowledge openly and challenge everyone’s thinking, including his own.
In the end it doesn’t really matter whether James nails the ignite format or not. What does matter is that he got out of his comfort zone and delivered a message that is worth listening to.
Technology grows relentlessly and there are constantly new things to learn. We’re constantly on this rollercoaster where we’re either overconfident in what we can do or suffering from imposter syndrome. All the ups and downs, benchmarks, performance reviews, and awards can also feed into our dopamine cycles making it hard to ever feel satisfied in our work.
James ran short on time and ended with an abrupt “you’re doing a lot better than you think”. You could dismiss that as a ham-fisted platitude. Or you could embrace it, maybe express it in a different way, and remember to occasionally remind yourself, and people on your team.
How automation games can make us better engineers
Greg Sutcliffe and David Moreau-Simard: Monday, Feb 02. Session link. YouTube video.
Greg and David, who you should all know, got together for a really fun talk about how automation games can teach us important skills as software engineers.
If you like automation games, or games in general, you should check out this talk. Seriously a lot of fun.
Composing systems in an automated way with Ansible, Podman, and bootc
Fabio Alessandro “Fale” Locati: Monday, Feb 02. Session link. YouTube video.
Fale is another regular at CfgMgmtCamp and other open source conferences that my team and I help organise. Fale brings a lot of technical knowledge to share but also provides a lot of deep insight.
In that regard I think Fale is an invaluable presence at conferences. Fale has hands-on experience solving complex problems at scale but also has plenty of tips and tricks for the homelab. In the past he has helped us run Dev Tools workshops at DevConf and participated in panel-style discussions. He is a true friend to the Ansible community.
In his talk, Fale shows how to use Ansible and Podman together with bootc as an alternative to Kubernetes. I had to choose between this talk and another speaker that I really wanted to catch. Fale’s topic was a bit too compelling for me in the end. I missed a very similar talk last year that featured a project called Quadlet.
As he explains, Kubernetes is really good when you have a “Kubernetes-shaped problem” but in a lot of other cases, as we’re all aware, it’s overkill. In his approach, Containerfiles are the inputs that you give to bootc so it can generate a bootable rootfs. You get flexibility to choose whichever artifacts you need like qcow2 or an ISO if you’re doing pxe boot. You use systemd services as the runtime and Ansible for straightforward container management. It’s all the stuff we know and love.
I’ve seen talks like this in the past. In the hands of other speakers, the approach of using Ansible and Podman as a Kubernetes alternative can get lost in the woods. Ansible isn’t the right tool to use for container orchestration.
But Fale knocks it out of the park in my opinion. I enjoyed all the insights he brings from more than 20 years of (frankly impressive) experience. I learned a few tidbits, like how to really use Podman’s --squash flag. Best of all, Fale inspired me to get hands on and try something new out.
Ansible for Beginners: What I Wish Someone Had Told Me Before I Learned the Hard Way
James Freeman: Monday, Feb 02. Session link. YouTube video.
I’ve already mentioned James Freeman in this trip report, specifically his ignite talk about the Dunning-Kruger effect and so on. Well, here he is once again but doing one of the things he does best. That happens to be sharing knowledge he has gained from years of experience using Ansible in production.
Unfortunately the session from James conflicted with Fale’s but I did check the room to make sure each of the first talks were set up. James had a pretty crowded room for his session, which is pitched at beginners. The room size provided a good indicator that there are still plenty of novice users at this conference.
I was glad to get a sense of excitement from the room. Having watched the recording, I’m also delighted in retrospect that James delivered this talk. He really is good at breaking things down and imparting the lessons that he has learned. Some of the content could even be translated into helpful documentation.
It was a solid win to have a beginner’s session this year. It means CfgMgmtCamp continues to be a place where new Ansible users can get started.
Using antsibull-nox to test your Ansible collection
Felix Fontein: Monday, Feb 02. Session link. YouTube video.
There’s a whole lot more that I’d like to say about Felix’s project, antsibull-nox, and I plan to do that in a separate post. The main point I want to make about Felix’s talk is that he seemed to strike on a recurrent theme this year. It’s true that collection developers and maintainers have some problems and technical challenges to overcome. But it is possible to abstract that stuff then just sort of layer over it and move on. As opposed to too much debate about how to fix things that are stuck. This is the very nature of open source and IT fundamentally, working around and finding ways to move forward. It’s always kind of great to see when it happens.
If you’re a collection developer or maintainer and haven’t checked out antsibull-nox yet, listen to Felix’s talk.
ansible-docsmith - ultimate tool to document ansible roles
Kirill Satarin: Monday, Feb 02. Session link. YouTube video.
Last year, Kirill gave a talk entitled Functional programming design patterns in Ansible code. In his talk last year, Kirill discussed how writing YAML is straightforward but there can be lots of challenges with maintaining, debugging, and testing that can be improved if we view those issues from the perspective of functional programming. It was an insightful take based on his years of experience creating SAP content. We had some lively discussions on the topic at several points last year too. So I was looking forward to hearing what Kirill had to say this year.
Kirill’s core problem statement is that Ansible roles are prone to documentation fragmentation and drift. There are multiple sources for role documentation, such as README files, argument_specs.yml files, ansible-doc output. There is a lot of manual overhead that causes misalignment with role documentation. Roles also do not have a lot of the same doc attributes that modules have.
Enter ansible-docsmith, a tool that generates role README files from the arg specs file as a single source of truth. During his talk, Kirill gives a comparison of ansible-docsmith against antsibull-docs noting the pros and cons of each tool. Kirill also breaks down use case scenarios to help clarify when you should choose one tool versus the other.
Kirill also shows how using ansible-docsmith in CI/CD can automatically update README files on merge and can keep docs in sync using pre-commit hooks. This approach to automating the process of documentation updates makes it much more effortless, which appears to solve a long-standing pain point with role maintenance. Maybe another way forward with some of the community pain points has emerged!
Cyber Resiliency Act at FOSDEM
At FOSDEM there was a CRA in Practice DevRoom that provided some very useful resources and a lot of context about the CRA. Of the sessions in the CRA DevRoom, I found these ones to be the most interesting:
- Harald Fischer presented a practical introduction to cybersecurity risk management. Harald explains that the CRA requires manufacturers of digital products on the European market to conduct comprehensive cybersecurity risk assessments by December 11, 2027. The risk-based approach mandates documented assessments that cover the entire product lifecycle from design through maintenance. When saying these assessments are comprehensive, they really do mean comprehensive. Assessments are not limited to information security but must address health and safety implications for users. Manufacturers must demonstrate which cybersecurity requirements apply to their products, define product context and user profiles, explain foreseeable use cases, describe operational environments and assets that must be protected. The assessments must also outline acceptable risk levels. These risk assessments present significant documentation burdens for development teams as well as the need to plan for long lifecycles that can include future threats such as post-quantum cryptography.
- Cynthia Lo and Cassie Jiun seo presented a session on Building CRA-Ready Open Source Communities: The Critical Role of Community Managers. They start with another overview of what the CRA entails, describing it as a collective supply chain responsibility that transforms cybersecurity from a post-market issue to a regulatory obligation. Manufacturers will need to integrate cybersecurity into planning, design, and development and continue to make security updates available for a defined period after going to market. These updates will be required to have clear and understandable user instructions with specific reporting obligations. For open source communities, and especially people who act as community managers, there are concerns around uncertainty for maintainers and contributors and increased burden on open source development. This session also outlines practical steps for CRA readiness such as:
- Creating dedicated space for CRA documentation in the repository.
- Making CRA requirements visible to new contributors through guidelines.
- Using standardized templates for reporting vulnerabilities.
- Establishing standard verbiage and processes across projects.