Recaps - Open Source Summit and Observability Summit 2026

18 May 2026 🔖 professional development

As assigned as homework during my #OSSSummit talk (#OSSHomework!), here are my conference highlights from the Linux Foundation’s Open Source Summit and the CNCF’s Observability Summit. Still a work in progress; keep refreshing through next week until I get a chance to fully fill it in.

Catch my talks

Be sure to catch my talks!

Opening remarks

Jim Zemlin gave the opening remarks keynote.

Lots of polling “how many of you…?” like I learned recently from Bill Hoogterp’s “Your Perfect Presentation.”

Dad jokes about his family in attendance, which, yay, was totally already happening in my talk’s speaker notes, thanks for warming it up.

Open source let the world optimize kernel performance together.

“Frontier” open-weight LLM models thus far are from abroad, though expect a US one this year.

Exponentially growing commits, since about May 2025. (Actually, now that I think about it, me too – a lot of the reason my GitHub repository count has been exploding exponentially, besides changing into a more dilettante-oriented consulting job description, is that LLMs expedited my learning in those gigs, so I’ve suddenly got a lot more to publish about what I’m learning.)

Ay yi yi, more Tayloristic labor value extraction from its producers toward people who already have more money than they could ever need simply to be human (e.g. put food on the table and relax with loved ones). I mean, this quote from the Linux Foundation’s 2026 State of Tech Talent Report sounds great, right?

To bridge these full-stack and operational gaps, organizations prefer to look to their internal staff. Upskilling and cross-skilling existing staff is the top strategy (57%), favored over external hiring (49%). This approach offers major advantages in preserving institutional knowledge and is strongly preferred for understanding business context (7.9x) and staff retention (7.7x). Hiring externally, by contrast, is slower and riskier: new hires take 53% longer to reach productivity, and 28% resign within six months. Overall, the findings suggest that technical professionals value learning and development at least as highly as compensation when deciding whether to stay.

On the surface, I agree with this 1000% and want to say, “FINALLY!” But think about how incessantly extractively underpaid internal advancement has been, compared to what companies offer external hires, for the last half-century in America. No one keeps up with the rising cost of living except by job-hopping. As HackerNews commenter OtherShrezzing wrote last week:

“If you’re 10x more productive, someone (should be) willing to pay you 10x as much as they were last year, because you’re producing 10x as much value as before. Has your salary increased 10x?”

There’s a bit of hope, though – if Jim is right that only business context / domain experts – not external hires – even CAN properly prioritize the backlog of valuable things that can suddenly be built – well, then, now we’re talking about a situation in which underpaid employees hold all the power, and can fix the imbalance of who takes home all the spare cash from that extra value that they created, as long as they organize appropriately. As Jim said:

“Attackers are organized, well-funded, and using AI today. Defenders are larger but fragmented. Fragmentation is the bug we can fix in this room.”

I know he said that about getting companies to organize themselves (e.g. 20% tech debt Thursdays) to actually take the time to use AI coding assistant tools to, for example, write the danged tests.

I know he wasn’t talking about reducing human suffering.

But it’s the same thing, if you ask me.

When we cognitively overwork staff, we are losing the JUDGMENT that can only come from proper REST (which includes the rest you get, off the clock, by having adequate salary to not spend those hours between work and sleep insanely stressed out over money). Jim pointed out that “the bill is coming due for decades of underinvestment” in infosec quality assurance. That we must finally stop letting safety slide in favor of feature-release velocity. Well, guess what, everybody? Just like all-feature, no-tech-debt schedules (whose companies actually gave every last engineer protected 20% time – “Tech Debt Thursdays” – for the last 30 years? Not mine) squandered opportunities to focus on security quality that now we’re paying for in the form of Sha1-Hulud and Axios, so too would cognitively overworking staff squander their precious JUDGMENT by preventing them from being well-rested enough to bring it to the table. (Maybe you can “10x” them somehow, but they’re gonna show up robotic, not with the full judgment that is internal employees’ true strength.)

Labor rights are an infosec issue. Taylorism is an “externalized/socialized cost; privatized profit” problem. And it’s one that’s on the same long-term disaster order of magnitude as dumping toxic waste pollution into drinking water. The externalized/socialized cost is that we ordinary people are going to seriously suffer if power grids go down on account of poorly-cleaned-up security technical debt. And we, as humans organized into companies, can’t clean up our security technical debt unless we leverage internal employees’ expertise, which means internal employees need to be well-rested, which means we need to pay internal employees appropriately for all of this feature-value and tech-debt-cost-savings they’re producing once you put AI coding assistant tools into their skilled hands.

Unexpected use for CDEvents

I can’t remember which talk I heard it in – maybe Mihir Vora & Prem Dhayalan’s “Ending the ‘Glue Code’ Tax on Engineering Velocity” lightning talk?

But someone said something about using the up-and-coming (I hope!) CDEvents data types, and data stream, as an infosec observability tool, and … brilliant! While you’ll want some sort of registry (like Guac or Sonatype SBOM Manager?) to put your software bills of materials (“SBOMs”) into, you can observe whether your developers are bothering to generate SBOMs in the first place by treating CDEvents event types as a to-do list checklist. Neat!
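One way to turn that checklist idea into a check, as an added example that is not from the talk or the CDEvents project. It assumes events arrive as one JSON object per line, that artifact event types start with `dev.cdevents.artifact.`, and that a packaged event links its SBOM under `subject.content.sbom.uri`; the sample events, artifact ids and version suffixes are constructed.

```python
import json

PREFIX = "dev.cdevents.artifact."          # assumed artifact event namespace
CHECKLIST = ("packaged", "sbom", "signed", "published")


def checklist_gaps(lines):
    """Return {artifact_id: [missing checklist items]} for published artifacts."""
    seen = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        etype = event.get("context", {}).get("type", "")
        if not etype.startswith(PREFIX):
            continue                        # pipeline, test, etc. events
        predicate = etype[len(PREFIX):].split(".", 1)[0]
        subject = event.get("subject", {})
        done = seen.setdefault(subject.get("id", "<no-id>"), set())
        done.add(predicate)
        # Assumed field: SBOM link carried on the packaged event.
        sbom = (subject.get("content") or {}).get("sbom") or {}
        if predicate == "packaged" and sbom.get("uri"):
            done.add("sbom")
    # Only artifacts that actually shipped are worth alerting on.
    return {art: [item for item in CHECKLIST if item not in done]
            for art, done in seen.items()
            if "published" in done and not set(CHECKLIST) <= done}


def _event(kind, artifact, sbom_uri=None):
    """Build one constructed sample event as a JSON line."""
    content = {"sbom": {"uri": sbom_uri}} if sbom_uri else {}
    return json.dumps({"context": {"type": f"dev.cdevents.{kind}.0.2.0"},
                       "subject": {"id": artifact, "content": content}})


SBOM = "https://sbom.example.test/"         # constructed placeholder host
SAMPLE_EVENTS = [
    _event("artifact.packaged", "pkg:oci/billing-api@1.4.2", SBOM + "billing-api.json"),
    _event("artifact.signed", "pkg:oci/billing-api@1.4.2"),
    _event("artifact.published", "pkg:oci/billing-api@1.4.2"),
    _event("artifact.packaged", "pkg:oci/report-ui@3.0.0"),       # no SBOM
    _event("artifact.signed", "pkg:oci/report-ui@3.0.0"),
    _event("artifact.published", "pkg:oci/report-ui@3.0.0"),
    _event("artifact.published", "pkg:oci/batch-job@0.9.1"),      # skipped steps
    _event("artifact.packaged", "pkg:oci/worker@2.1.0", SBOM + "worker.json"),
    _event("pipelinerun.finished", "run-1234"),
]

if __name__ == "__main__":
    print(json.dumps(checklist_gaps(SAMPLE_EVENTS), indent=2))
```

An artifact that is packaged but not yet published is left out of the report, so in-flight builds do not raise alerts.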

Hello Microsoft

I left you a wishlist recapping what I dream-dumped at your booth.

More later

All right, out of time, gotta get back to the conference. Keep reloading through next week until I get everything added in from paper notes.
