Published: December 9, 2025
Last modified: December 9, 2025
The Yocto Project Virtual Summit 2025.12 covered a wide range of topics over three days last week. I could not attend every talk, and I am looking forward to the videos for several sessions I missed. Fortunately, the slides are already available from the conference site: https://pretalx.com/yocto-project-summit-2025-12/schedule/.
The “security track”
This year’s security track on Wednesday was new, and I think it worked really well. We covered subjects ranging from distro setup to the hardware foundations of secure boot. Some topics clearly drew more interest than others:
- three (or even four) talks about cve-check and similar tools
- one about the security implications of the RED directive, with a strong focus on vulnerability reporting
- three talks about secure boot and related tooling
- only one talk specifically on hardening and secure defaults
This breakdown shows where most of the current attention is. Talks on similar topics complemented each other nicely. For example, the secure boot talks provided an almost complete picture, from hardware up to the application layer.
But security in embedded does not end there. Far from it. There are still topics that deserve much more attention, such as secure defaults, how we choose versions and packages, and the day to day reality of secure coding practices.
Maybe next year? Or even around FOSDEM, these will get their moment too.
Other subjects
Even though only one day was officially about security, many other talks touched on maintenance, which is closely related. There was one talk about (vendor) BSP maintenance and another about genericarm64.
On the less security-centric side, we had two toolchain talks (yes, toolchains are also part of security) and one migration story.
What I would like to see more
The agenda of the Summit has a limited number of slots, of course. If there are topics to add, I would like to see something about RISC-V next year. It will be officially supported in the next LTS (Long Time Support) version…
Participation
The sessions I attended typically had more than 200 participants, which is consistent with previous years. I especially appreciate the parallel chat discussions, something that simply does not work at an in-person conference. When several people who understand the topic are present, the chat becomes a second, equally valuable conversation.
A small request to the organizers: please publish the chat logs together with the videos.
The choice of date and time
For the last several years, the Yocto Virtual Summit has taken place in late November or early December, during the week and entirely online. This year, was the week before Plumbers, that could cause an attention dispersion.
In my timezone, the talks start in the early afternoon, which makes attendance manageable despite the usual conflicts with other calls. Honestly, I think this is the best possible arrangement.
Summary
Once again, I really enjoyed the Yocto Virtual Summit. The quality of the talks was excellent, as always. Congratulations to the Program Committee and all presenters. Definitely something to repeat.
And on a personal note: no talks from train stations this year (last year I delivered a talk from a train station – this is a long story). It was also my first major online conference over fiber, which brought far less stress about plan B if the connection failed.
If you have not yet filled out my form on vulnerability reporting in embedded, here it is: https://forms.gle/8pqDRMLidfJgYswt5
