Open Source Summit North America 2026 and Embedded Linux Conference brought together the open source community in Minneapolis from May 18–20, 2026.
According to the event report, it welcomed 1,231 attendees from 524 organizations, with 68% of attendees in technical positions. The program included 210 conference talks selected from 977 submissions, reflecting strong interest and participation across the open source ecosystem.
For the ELISA Project community, the event was an important opportunity to continue the conversation around safety-critical software, open source safety standards, regulatory compliance, requirements traceability, verification, software supply chains, and safety engineering.
The Safety-Critical Software Track highlighted practical work across several domains, including aerospace, embedded systems, medical devices, robotics, avionics, automotive, and industrial systems. Sessions explored how open source communities are addressing the technical, process, and compliance needs of safety-critical systems.
Over the next few weeks, we will highlight selected session recordings from the track and share key takeaways with the community.
Session Spotlight: Software Supply Chain Management With the Yocto Project
This week, we are highlighting Software Supply Chain Management With the Yocto Project by Joshua Watt, Garmin.
Managing software supply chains is an important part of safety-critical software. In this session, Joshua described the technologies, methods, and lessons learned that the embedded software space uses to manage software supply chains with the Yocto Project.
The talk began with a core supply chain question: what is inside the binaries being shipped, and can those binaries be traced back to the source code that produced them? Joshua explained that teams need visibility into software versions, origin, licenses, possible tampering, vulnerabilities, and the build infrastructure used to produce final outputs.
Joshua also discussed the role of SBOMs. While the session was not primarily about SBOMs, he explained how SBOMs provide visibility into the software supply chain and offer a standardized format for sharing information with customers, regulators, internal teams, and other stakeholders.
The session then introduced the OpenEmbedded and Yocto Project build flow. Joshua explained the relationship between OpenEmbedded, BitBake, and the Yocto Project, and showed how source code, recipe metadata, and policy information are processed to produce target images, packages, SDKs, firmware, containers, package feeds, and build tools.
A key point in the talk was how BitBake tracks dependencies using task hashes. These hashes connect build inputs, recipe metadata, source code, native tools, cross compilers, target packages, and final images. Because of this, the Yocto Project has a strong link between the software output and the inputs that produced it.
Joshua explained how this information is expressed through SPDX documents generated during the build and merged into a final SBOM. These SBOMs can include runtime dependencies, build-time dependencies, native tools, cross compilers, source files, package outputs, and other build information that the Yocto Project directly knows from its metadata and build process.
The talk also covered static library tracking. Static libraries can be difficult to identify after they are linked into an application, but because the Yocto Project builds from source and can use debug information, it can connect applications back to the static libraries, recipes, and source code that produced them.
Another major topic was reproducible builds. Joshua explained why reproducibility matters for supply chain management, including detecting unexpected changes, identifying possible tampering, improving quality assurance, supporting delta updates, and avoiding unnecessary rebuilds. He also described how the Yocto Project autobuilder tests reproducibility across package formats and host distributions, while encouraging teams to test reproducibility in their own configurations.
The session closed by looking at the build tools tarball, which can replace many host tools and extend supply chain traceability into the build infrastructure itself. Joshua described how this can help teams trace target images back through the tools used to build them and, potentially, to a known trusted host.
For safety-critical software, this session reinforced that supply chain management is about more than producing a list of components. It is about understanding how software is built, where it comes from, what it depends on, and how confidently teams can trace final binaries back to their sources and build process.
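To make the traceability idea from the SBOM, static library, and build tools discussion concrete, here is an added example (not code from the talk or from the Yocto Project) that walks a merged SBOM upstream from an image and reports anything referenced but never described. It assumes the SPDX 2.x JSON field names and relationship types; the package names are constructed, and real Yocto output may be laid out differently.

```python
from collections import deque
# SPDX 2.x types: "A CONTAINS B" points upstream from A; "A BUILD_DEPENDENCY_OF B" from B.
FORWARD = {"CONTAINS", "GENERATED_FROM", "STATIC_LINK"}
REVERSE = {"BUILD_DEPENDENCY_OF", "RUNTIME_DEPENDENCY_OF"}

def trace(doc, root):
    """Return ({package name: relationship that reached it}, [undescribed ids])."""
    names = {p["SPDXID"]: p["name"] for p in doc["packages"]}
    upstream = {}
    for r in doc["relationships"]:
        a, kind, b = r["spdxElementId"], r["relationshipType"], r["relatedSpdxElement"]
        if kind in FORWARD:
            upstream.setdefault(a, []).append((kind, b))
        elif kind in REVERSE:
            upstream.setdefault(b, []).append((kind, a))
    reached, dangling, seen, queue = {}, set(), {root}, deque([root])
    while queue:
        for kind, dep in upstream.get(queue.popleft(), []):
            if dep in seen:
                continue
            seen.add(dep)
            if dep not in names:
                dangling.add(dep)  # referenced but never described: a traceability gap
                continue
            reached[names[dep]] = kind
            queue.append(dep)
    return reached, sorted(dangling)

def rel(a, kind, b):
    return {"spdxElementId": f"SPDXRef-{a}", "relationshipType": kind,
            "relatedSpdxElement": f"SPDXRef-{b}"}

# Constructed sample SBOM with hypothetical package names (not real Yocto output).
SBOM = {
    "spdxVersion": "SPDX-2.3",
    "packages": [{"SPDXID": f"SPDXRef-{n}", "name": n} for n in (
        "demo-image", "sensor-app", "sensor-app-src", "libcrc-static", "libc", "gcc-cross")],
    "relationships": [
        rel("demo-image", "CONTAINS", "sensor-app"),
        rel("sensor-app", "GENERATED_FROM", "sensor-app-src"),
        rel("sensor-app", "STATIC_LINK", "libcrc-static"),
        rel("libc", "RUNTIME_DEPENDENCY_OF", "sensor-app"),
        rel("gcc-cross", "BUILD_DEPENDENCY_OF", "sensor-app"),
        rel("host-make", "BUILD_DEPENDENCY_OF", "gcc-cross"),  # no package entry for host-make
    ],
}

if __name__ == "__main__":
    print(trace(SBOM, "SPDXRef-demo-image"))
```

In this sample the cross compiler is reached through the application, while the host tool it depends on shows up only as an undescribed reference, which is where the trace stops.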
Watch the session recording here.
Stay tuned for more Safety-Critical Software Track session highlights from Open Source Summit North America 2026. Check the playlist here.








