Adam Harvey

Adam is a software developer who has worked on a number of interesting and occasionally even useful things in his two decade career. These include prototyping the worst mesh network of all time (based on Android phones), discovering how to reliably lock up a Windows computer by writing an in-browser video editor, and (most usefully) removing the original mysql_* API from PHP.

Today he works for the Rust Foundation to help improve ecosystem security. In his spare time, he plays cricket, kayaks, throws tennis balls for his golden retriever, and tries to convince people that his Australian accent is actually flawless Canadian.

  • What's in a name(space)?
Adam Korczynski
  • Build your own SLSA 3+ provenance builder on GitHub Actions
Adrian Mouat

Adrian has been building containers from the early days of Docker and authored the O’Reilly book “Using Docker” . He is a Technical Community Advocate at Chainguard ( whose mission is to make the software lifecycle secure by default.

  • Wolfi: Building a New Linux (Un)distro
Bas Zalmstra

Building awesome tools

  • How we used Rust to modernize the conda ecosystem
Bjorn Neergaard
  • BoF: WASM Packaging
Christoph Herzog
  • Universal packages, powered by WebAssembly Interfaces - WAI
Christopher Baines

Software developer interested in package managers. Previously interested in Debian/Apt but using and contributing to GNU Guix for the last 7 years.

  • Quality Assurance for 20,000+ packages in GNU Guix
Daniel Liszka

Co-founder and CEO at Chainloop and one of the maintainers of Chainloop OSS. Product Leader with over a decade of expertise building applications around Open Source and Software Supply Chain Security at Bitnami (Engineering) and VMware (Product Management). Dad, biker, and backcountry skier, tunning his campervan in his free time.

  • Untangling Software Supply Chain sBO(O)M
Daniel Nichols

Daniel Nichols is a Computer Science PhD student at the University of Maryland, College Park studying topics in high performance computing, applied machine learning, and performance modeling.

  • Probabilistic Package Builds: Guiding Spack's Concretizer with Predicted Build Outcomes
Daniel Thompson-Yvetot
  • Code Signing is Critical Infrastructure
Danny McClanahan

Typing free software to break the shoulders of giants from golden handcuffs. Working on extending the Signal protocol to replace gpg.

Have previously worked on:
- spack at LLNL (
- pants at Twitter

Can be found at:
- @hipsterelectron on Twitter,
- @[email protected] on Mastodon,
- @cosmicexplorer on GitHub.

  • Python Resolution Evolution: Decoupling Metadata from Downloads in Pip
Dave Lester
  • Conference Closing
Elad Pticha

Elad Pticha is a passionate security researcher with a focus on software supply chain and API security. Elad specializes in finding vulnerabilities in SDLC-related software. In his free time, Elad loves to code, hunt for vulnerable technologies, and use his skills to help companies mitigate their security risks. Before his current work at Cycode, Elad dedicated his time to finding critical vulnerabilities in web applications, IoT devices, and pretty much anything with an IP address, but his recent focus has shifted towards software supply chain security vulnerabilities. Elad is committed to staying up-to-date with the latest security trends and technologies and always seeking new challenges to tackle.

  • Securing Software Package Releases with SLSA v1.0
  • Secure the Build, Secure the Cloud: Using OIDC Tokens in CI/CD Pipelines
Eric Myhre
  • Shared Objects and Content Addressing: a Survey of Techniques
Gary O'Neall
  • BoF: Supply Chain Security, SBOMs and Package Managers
Gary O'Neall

Gary is a contributor to the Software Package Data Exchange® (SPDX™) - an open standard for communicating software bill of material information, including components, licenses, copyrights, and security references. Gary has contributed several open source tools including the SPDX Java Libraries and Tools which can be found at
Gary O’Neall is responsible for product development and technology for Source Auditor Inc., a software and service company helping software companies manage the technical and legal risks of open-source software.

  • Package Managers, Software Security and Functional Safety
Graham Christensen
  • Flakes: Nix Unshackled
Gregory Becker

Gregory Becker is a computer scientist at Lawrence Livermore National Laboratory. His focus is on bridging the gap between research and production software at LLNL. He works on Spack, a package manager for high performance computing, and on research projects around ABI compatibility and software modeling. Gregory has been at LLNL since 2015. He received his B.A. in Computer Science and Mathematics from Williams College in 2015.

  • Explainability in Spack concretization
Harshitha Menon

I am a Research Scientist in the Center for Applied Scientific Computing (CASC) at Lawrence Livermore National Laboratory. I joined CASC as a postdoctoral research staff in 2016. My research focuses on approximate computing, floating-point mixed-precision, machine learning, and fault tolerance of HPC applications. I also have expertise in load balancing algorithms, cosmology simulations application, and HPC runtime systems.

I received my Ph.D. (2016) and M.S. (2012) in Computer Science from University of Illinois Urbana Champaign (UIUC). Prior to enrolling for graduate studies, I was a software engineer at Google.

  • Learning to Predict and Improve Build Successes in Package Ecosystems
Jaime Rodríguez-Guerra

Jaime holds a PhD in Biotechnology and believes that packaging is one of the pillars for reproducible research. He became a conda enthusiast while working on molecular modelling frameworks and machine learning pipelines for drug design.

  • Ensuring Runtime Reproducibility in the Python Ecosystem
Kairo de Araujo

Kairo is a Senior Open Source Software Engineer at VMware Open Source Program Office (OSPO) on the Security Supply Chain team. He contributed to python-tuf and is the author of Repository Service for TUF (RSTUF). Prior roles include System Engineer Specialist and Senior Software Engineer at IBM, ING, and Forescout.

  • “Our stuff” - how to protect users from package compromise with RSTUF
Kat Marchán

Kat is the former lead architect/maintainer for the NPM CLI, and is currently the lead dev for the Orogene package manager. They have been a JavaScript/TypeScript tooling engineer for a decade or so, and is currently part of the JavaScript/TypeScript tooling team at Microsoft's Developer Division.

  • Gotta Go Fast
Kenneth Hoste

Kenneth Hoste, a.k.a. 'boegel', is a computer scientist and FOSS enthusiast from Belgium. He holds a Masters (2005) and PhD (2010) in Computer Science from Ghent University. His dissertation topic was "Analysis, Estimation and Optimization of Computer System Performance Using Machine Learning".

Since October 2010, he is a member of the HPC team at Ghent University (Belgium) where he is mainly responsible for user support & training. As a part of his job, he is also the lead developer and release manager of EasyBuild (, a software build and installation framework for (scientific) software on High Performance Computing (HPC) systems.
He is also actively involved in EESSI (, the European Environment for Scientific Software Installations, and in MultiXscale (, a EuroHPC JU Centre of Excellence in multiscale modelling.

In his free time, he is a family guy and a fan of loud music, frequently attending gigs and festivals.
He enjoys helping people & sharing his expertise, and likes joking around.
He has a weak spot for stickers and beer.

  • Streaming optimized scientific software installations on any Linux distro with EESSI
Kevin Mittman

Guten Tag! I work @ NVIDIA on packaging for CUDA Toolkit, NVIDIA driver, cuDNN, cuQuantum, nvTIFF, etc. into various formats: Binary Archives (tarball), Conda, Debian, RPM, Runfile, Windows exe

At PackagingCon 2021, presented about Debian and RPM repository management.

In a past life, contributed Debian packages for the Maemo community and maintained an ArchLinux-based kiosk LiveUSB distro & AUR helper.

  • BoF: CUDA Packaging
Lara Peeters

Lara Peeters is a Digital Art Historian, who holds master degrees in Art History (2021) and Digital Humanities (2022) from the KU Leuven (Belgium).

Since May 2023, she is a member of the HPC team at Ghent University (Belgium) where she was hired to work on the EESSI project (, the European Environment for Scientific Software Installations, and the MultiXscale project (, a EuroHPC JU Centre of Excellence in multiscale modelling.

In her free time she plays the double bass in an orchestra, rides horses, goes sailing, loves going to musea and listening to music.

  • Streaming optimized scientific software installations on any Linux distro with EESSI
Laurent Simon

Laurent is a security engineer in the Open Source Security Team (GOSST) at Google. His team works in collaboration with the open-source community and the OpenSSF on novel security solutions, such as Scorecards, Allstar, Sigstore, SLSA, OSS-Fuzz, OSV, etc.

  • Build your own SLSA 3+ provenance builder on GitHub Actions
  • Secure packaging for AI models
Lukas Pühringer

Lukas Pühringer is a research scholar and software developer at the NYU Center for Cyber Security (CCS), where he leads the development of The Update Framework (TUF), and has been co-maintaining several of Prof. Justin Cappos’ software projects, most notably the supply chain security framework in-toto. Lukas also supervises students and gives talks about TUF and in-toto.

  • “Our stuff” - how to protect users from package compromise with RSTUF
Matthew Suozzo

Matthew Suozzo is a Software Engineer at Google working on supply chain security.

  • Rebuilding Trust: Asserting Integrity in Language Package Ecosystems
Max McDonnell

Max McDonnell is a packaging system enthusiast and hobbyist. He is a Staff Engineer at Voltus Inc where he is responsible for the existence of an internal packaging system that is on its way to feature parity with more mature software that probably should have been used in the first place.

He has created a Nix-inspired package manager and build system called Bramble. It is not intended for adoption, but is a fun exploration of Nix's functionality in Go if that is of interest to others.

  • How fast can we brew?
Maximilian Huber

Maximilian Huber is a open source compliance nerd and principal consultant at TNG Technology Consulting, where he is specialized on building and integrating Open Source compliance solutions from Open Source.

He is a commiter and maintainer in several Open Source projects like FOSSology, SW360, LDBcollector, yacp and the license-compliance-toolbox. His activity can be found on

Maximilian other most prominent interests are functional programming languages like Haskell and functional package managing with NixOS.

  • Package Managers, Software Security and Functional Safety
  • BoF: Supply Chain Security, SBOMs and Package Managers
May McEntee

May comes from a software development and cyber security background, with an interest in how infrastructure and software supply chains can be made both simpler and more secure.

  • Stop Shipping Systems: Homogenising Software Supply Chains
Mihai Maruseac

Mihai Maruseac is a member of Google Open Source Security team (GOSST), working on Supply Chain Security, mainly on GUAC. Before joining GOSST, Mihai created the TensorFlow Security team after joining Google, moving from a startup to incorporate Differential Privacy (DP) within Machine Learning (ML) algorithms. Mihai has a PhD in Differential Privacy from UMass Boston.

  • Secure packaging for AI models
Mike Landau

Mike Landau is a full-stack software engineer with 13+ years of experience. He's worked at large companies (Facebook, Airbnb), started several startups (Storylane, Cut+Dry,, and contributed to open source projects (devbox, launchpad, graphp). Some of Mike's areas of focus include improving developer productivity, helping engineering teams scale, and making writing code in large companies as productive and enjoyable as it is in small teams.

  • Devbox: reproducible project-based environments or why global packages considered harmful
Mikola Lysenko
  • Securing Open Source Supply Chains with LLMs
Paul Broadwith

Paul is an Engineer at heart, with a love of PowerShell, Automation, Chocolatey, Scottish single malt whisky and wireless earphones. He has given workshops and spoken at many events across the UK, Europe and the US. He has a real passion for passing on knowledge and loves to talk with aspiring techies.

He is an MVP in Cloud and Datacenter for his work in PowerShell, a Microsoft Certified Trainer (MCT), Lead Engineer on the Boxstarter and DSC cChoco Chocolatey projects and is an organiser of the DATA:Scotland event. His career has seen him work in many sectors for over 30 years. As somebody kindly put it, he's been about a bit.

In his spare time, he usually continues to stare at computer screens and works on his own or Chocolatey projects. But on those rare occasions, when he is not staring at computer screens and listening to a strange mix of music on his wireless earphones, you can find him relaxing with a nice single malt whisky and reading ... usually ancient, medieval or military history books.

  • WinGet and Chocolatey: A Real-World Look at Package Management Tools on Windows
Philip Harrison

Software engineer on the package security team at GitHub helping secure open source packages, previously worked on automating dependency updates with Dependabot.

  • Build provenance for package registries
Philipp Burckhardt

Philipp Burckhardt is Lead Data Scientist at Socket (, where he is helping to secure software supply chains by utilizing artificial intelligence.

Together with Athan Reines, he is engaged in the development of a standard library for JavaScript bringing numerical and statistical computing to the web ( An avid open-source contributor, he has spoken at various international conferences on topics ranging from political science, health-care informatics to machine learning and software engineering.

He holds a PhD ins Statistics & Data Science from Carnegie Mellon University,

  • Securing Open Source Supply Chains with LLMs
Pradyun Gedam

Maintainer of ETOOMANYTHINGS, including CPython, pip, TOML, resolvelib, Furo, and more.

  • Python packaging and Bloomberg
Randy Döring

In my spare time, I have been one of the Poetry maintainers since spring 2022.

At my day job, I am a software developer at TraceTronic, working on a large multiplatform Python application.

  • Poetry's dependency resolver and its environment-independent lockfile

I'm a Software Engineer and Devrel at . I help around the WASIX ecosystem and promote WebAssembly. I recently graduated from Trinity College Dublin. I love cooking, culture exploration, reading history and playing guitar whenever I find the time.

  • Universal packages, powered by WebAssembly Interfaces - WAI
Rui Chen

I am currently working as Senior Staff Software Engineer at Meetup. And I am also helping out as maintainer for Homebrew.

  • How does homebrew handle licensing data
Ryan Lahfa

Student at ENS Ulm in computer science, interested in formal verification and programming languages, NixOS developer and contributor in UEFI (Secure Boot) and boot ecosystems, NixOS release manager for 23.05 and 23.11.

Slightly addicted to Nixpkgs packaging and fascinated by the treasure induced by all of this data.

  • BuildXYZ: Automatic on-demand dependency dispenser
Samuel Cochran

I'm a Principal Engineer at Buildkite, plugging together pipelines, artifacts, and packages, constantly looking for better ways to ship more reliable software to production.

  • Reverse Engineering Package Registries In The Middle Of Nowhere
Samuel Giddins

Samuel is a developer well-versed in the rituals of writing software that occasionally work. By day, Samuel is doing random interesting things for Nerdsniped LLC; by night he can be found breaking open source projects such as, Bundler, and Bazel (let’s be honest, the day and night activities are starting to converge). Before this whole "developer" thing, Samuel studied in the highly impractical Mathematics & Economics departments at UChicago, learning subjects such as "numbers", "social theory", and "memes". When not coding, Samuel is often in the kitchen, marveling at the fact that dinner smells better than it looks.

  • Helping an Ecosystem Fade Away
Sebastian Schuberth

Sebastian Schuberth is an Open Source enthusiast and automation freak. He has more than 20 years of experience with professional software development and DevOps topics, and recurrently contributes to Open Source projects like the Gradle package manager, Package URL, or SPDX.

  • Package management analysis in the OSS Review Toolkit
Thorsten Beier

I am a scientific software dev at QuantStack

  • emscripten-forge, a conda-forge like distribtuion for wasm in the browser
Todd Gamblin

Todd Gamblin is a Distinguished Member of Technical Staff in the Livermore Computing division at Lawrence Livermore National Laboratory. He created Spack, a popular open source HPC package management tool with a rapidly growing community of contributors. He leads the Packaging Technologies Project in the U.S. Exascale Computing Project, LLNL's DevRAMP project on developer productivity, and an LLNL Strategic Initiative on software integration. His research interests include dependency management, software engineering, parallel computing, performance measurement, and performance analysis.

  • Optimizing Dependency Solves in Spack
  • Day 2 Welcome
Trishank Karthik Kuppusamy

Software supply chain security expert with 10+ years of knowledge. SLSA v1.0 and in-toto steering committee, Uptane advisor, TUF and SBOMit maintainer, Sigstore contributor.

  • Transparent compromise-resilience: How to bootstrap trust for the open-source ecosystem
William Woodruff

William Woodruff is an Engineering Director at Trail of Bits, a NYC-based cybersecurity consultancy. He currently splits his time between open source engineering (primarily supply chain and cryptographic engineering) and running the Ecosystem Security group, which is responsible for contributing security and usability improvements to a wide range of open source tools and services (PyPI, Homebrew, pip-audit, Sigstore, LLVM, PyCA Cryptography, etc.).

Outside of work, William is a member of the Homebrew project and is a contributor to a wide variety of open source projects. He maintains a personal blog at

  • Securing your Package Ecosystem with Trusted Publishing
Wolf Vollprecht
  • Conference Opening and Welcome
Yun Peng

Software engineer at Google, I have been working on Bazel since 2016.

  • Bzlmod: the package manager for Bazel