{"hits":[{"url":"https://nlnet.nl/workshops/","title":"Community workshops","description":" Community workshops During the fall of 2025 we organised six community workshops with the aim of bringing people with common interests together. There are currently no new workshops planned. Each workshop focused on a specific theme or field. The aim of the workshops is to weave communities and people together who are working on or interested in the same theme. The format is a 2 hour workshop in which we will explore shared challenges and questions, exchanging ideas, and aligning on potential concrete next steps. We'll have workshops on the following topics: Open Publishing, Distributed, Open Source Chip Design, Web Browsers and Large Language Models. (And previously did workshops on Search.) When & where Sessions took place online on Mondays at 14.00 CEST (Amsterdam, Berlin, Rome) and were hosted on a BigBlueButton platform. Who was invited and what was the goal With these community workshops we aim to bring together people who are working on similar topics and problems. The goal is to foster collaboration and create communities of practice. We are directly inviting participants in the Next Generation Internet (NGI) initiative but anyone who is interested is welcome. Although we hope people will be able to build meaningful relationships, joining a workshop does not commit you to anything, of course. Stay informed about future NGI community events? The community workshops are a continuation of the NGI Innovator meetups. Perhaps we will organize other NGI community activities in the future. If you would like to be informed if we do so, you can leave your email in this form. Previous workshops Peer-4-peer (hybrid) Co-organized with DWeb The community workshop on P4P was held online on November 24, 2025. It brought together around 17 participants. 
P4P stands for Peer-4-Peer, or Peer-for-Peer, and is a category of protocols which combine the qualities of local-first with Peer-2-Peer (P2P) and open source ethos. Characterized by protocols such as NextGraph, Scuttlebutt, P2Panda, PZP, Earthstar, Willow, Radicle.xyz and many more, the networks provide routing agnostic features enabling offline as well as online usage. The term has relatively recently gained popularity as opposed to longer descriptives such as “offline-first, peer-to-peer and open source networks” and its origins stem back to a conference in 2023 by the same name which gathered protocol developers and enthusiasts. (Source: Z. Elfen 2025) The workshop was hosted by Zenna from NGI Search with support from Lwenn and Tessel from NLnet. Official launch of the P4P wiki The workshop was also the place for the official launch of www.p4p.wiki. The wiki is initiated by Zenna and some of the participants had already contributed by populating the wiki. Everyone in the P4P space is invited to contribute to the wiki. Web Browsers The community workshop on web browsers was held online on November 17, 2025. It brought together around 12 participants. Questions that were discussed were: 'what comes after the web browser?', 'Will there be an alternative to Chromium?' and 'Sustainability models for browsers, including non-ad revenue and, more broadly, funding the web ecosystem'. The workshop was hosted by Lwenn and Tessel from NLnet. Open Source Chip Design Co-organized with The Free Silicon Foundation The community workshop on Open Source Chip Design took place on November 3, 2025. It brought together around 20 participants. Topics discussed were Documentation & knowledge, community building, compliance with regulations, introducing FOSS tools in universities, and toolchain integration and interoperability. 
Possible next steps are logging the ongoing debate and creating a knowledge base on the wiki of the Free Silicon Foundation. The workshop was hosted by Lwenn and Tessel from NLnet with support from Zenna on behalf of NGI Search. Open Publishing The community workshop on Open Publishing took place on October 6, 2025. It brought together around 20 participants. Topics discussed were web-to-print, community building, funding, collaboration of toolmakers and more. Possible next steps that were discussed are organizing a follow-up event for which one of the participants is taking the lead. Another participant is considering organizing CSSPrintCon, a conference for web-to-print. The formation of a Matrix channel, or joining an existing one, was also discussed. The workshop was hosted by Lwenn and Tessel from NLnet with support from Zenna on behalf of NGI Search. Future of Search Co-organized with Open Search Foundation The community workshop on the Future of Search took place on September 17, 2025. It brought together 22 participants who exchanged ideas and learned from each other what they are working on. Participants who wish to continue the conversation with others who are interested in Open Web Search were invited to join the Open Web Search Community on Mattermost. The workshop was hosted by Zenna (NGI Search) & Ursula (Open Search Foundation) with support from Lwenn and Tessel, both from NLnet. Large Language Models The community workshop on Large Language Models (LLMs) was planned to take place on December 1, 2025. However, the workshop did not take place because there were too few participants. Acknowledgements The workshops are organized by NLnet on behalf of NGI Zero in collaboration with our sister NGI programme NGI Search. Some workshops have a third collaborator specific to the topic. 
Innovator meetups The community workshops are a continuation of the Innovator meetups started by the NGI Outreach Office spearheaded by Thomas Wilczek and Fernando Rullan, and supported by the NGI Impact Working Group. The meetups addressed the question: What does it take to build a sustainable, impactful, and collaborative open-source ecosystem in Europe? The first Innovator meetup took place online on November 12, 2024. The second was an in-person meeting during OW2 con on June 18, 2025. Next Generation Internet initiative The community workshops are made possible with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology. "},{"title":"NGI0 Webinars","url":"https://nlnet.nl/webinars/","description":" NGI0 Webinars Join us for the NGI0 Webinars where we discuss topics relevant to supporting and sustaining the Next Generation Internet. These are typically 90 minute sessions, starting with a 45-minute talk by the presenter followed by a Q&A. The webinars are recorded and you can find the videos of previous sessions below. How to join Sessions take place on Thursday starting at 13.00 CET (Amsterdam, Berlin, Rome). You can join the session on the BigBlueButton platform via the following link: https://vc.ngi-0.eu/rooms/ahq-y96-uhs-jka/join. No need to subscribe, the room is open. Upcoming webinars There are currently no webinars planned. Previous webinars Support service: NGI0 Business Circle Date: June 26, 2025 Topic: The NGI0 Business Circle support service provides dedicated business consulting and mentorship tailored to you and your project. Speakers: Pierre-Yves Gibello, CEO of OW2 and Timo Väliharju, co-founder of APELL. 
Watch: the recording Ask For Help: Practical Support for NGI Beneficiaries Date: November 28, 2024 Topic: Specialized support services presented by the experts who offer them: Technical writing, Testing, Translation & localisation, User experience and Troubleshooting. Watch: the recording Andrew \"bunnie\" Huang Date: May 2, 2024 Topic: Tech talk with bunnie on IRIS: an open hardware project to verify chips Watch: the recording Charles Papon Date: April 11, 2024 Topic: Open source CPU and SoC design: The flow, the challenges and a perspective Watch: the recording Link to the slide deck. Martin Schanzenbach, Bernd Fix & Stephen Farrell Date: February 22, 2024 Topic: The GNU Name System and the road to publishing an RFC Series: Partner webinar Watch: the recording Melanie Rieback & Andrea Jegher Date: January 11, 2024 Topic: Radically Open Security on Security Audits for NGI grantees Series: Partner webinar Watch: the recording Lina Ceballos & Gabriel Ku Wei Bin Date: November 2, 2023 Topic: Free Software Legal Education Workshop Series: Partner webinar Watch: the recording Charlotte Swart Date: September 21, 2023 Topic: How To Make Your Digital Product Accessible For All Series: Partner webinar Watch: the recording Shane Martin Coughlan Date: May 11, 2023 Topic: ISO standards and certification Series: Open Software Supply Chain, part 4 Watch: the recording Carlo Piana & Alberto Pianon Date: May 4, 2023 Topic: The importance of a Software Bill of Materials in light of the upcoming Cyber Resilience Act and product liability legislation in Europe Series: Open Software Supply Chain, part 3 Watch: the recording Philippe Ombredanne Date: April 13, 2023 Topic: Tooling Series: Open Software Supply Chain, part 2 Watch: the recording Armijn Hemel Date: April 6, 2023 Topic: Open Source in (Consumer) Electronics Supply Chains Series: Open Software Supply Chain, part 1 Watch: the recording Partner webinars In Partner webinars partners of the NGI0 consortium introduce themselves 
and share knowledge about their area of expertise such as security, privacy, accessibility, open source licensing compliance, standardisation, packaging, etc. NGI0 does not only provide financial support to grantees but also offers that expertise as support services to improve the quality and inclusiveness of their projects. In the Partner webinars you'll learn what each partner has to offer. Partner webinars take place on the third Thursday of the month at 13.00 CET. "},{"description":" User-Operated Internet Fund More about: Guide for Applicants | Eligibility | FAQ Submission is temporarily halted Currently the UOI fund is paused due to lack of available budget, no new proposals are accepted. Please do have look at our active programmes — quite a few of the topics that would be suitable within UOI are also relevant to other programmes. Should additional donations allow us to do so, we intend to resume the fund (because we believe it is important). The best thing about the internet is that we are all connected, but hand in hand with that comes its organic and decentralised nature that caters for disruptive innovation and diversity. From the edges inwards, users themselves can collectively own, operate and rewrite every aspect of the technology and infrastructure they depend on. Once you are able to connect even to a single other user, you are free to do within that connection what you want and wherever your skills and imagination can take you. This important empowering property of self-determination is unfortunately not cast in stone — the internet has no coordinated defense mechanisms built in against hostile take-overs or unethical behaviour, so it is up to the community to organise itself and keep the internet open. A healthy, resilient, sustainable and fair internet for everyone is not created by any individual private or public entity, but by its users. 
Individual autonomy, permissionless innovation and sharing are essential: not only to have the freedom to determine which software and protocols to run wherever one wants, but to be able to learn, improve and share — not just pictures, videos, chat messages or data, but everything: the applications on our devices, the underlying software and hardware itself, even the core protocols — whatever it takes to give users the internet they deserve. Software is eating the world. Maybe the world ought to consider biting back. We need your ideas and contributions to help reshape the state of play, and to help create an open, trustworthy and reliable internet for all. And of course such contributions do not happen automatically. This is why we award small to medium-size R&D grants towards strengthening and improving the user-operated internet. We are looking for new ideas and core technologies that help society tackle hard but very very important questions, each of which has significant social and economic consequences. Obviously, your contributions have to become part of the 'technology commons': that means free and open source software, libre hardware and open standards. We are seeking project proposals up to 50.000 euros - with the possibility to scale them up if there is proven potential. Technology should be a commons for everyone to enjoy and contribute to, without gatekeepers or persistent threats. You can only replace a black box, because you cannot meaningfully improve it. It is still early days for the internet, and we are yet to unlock its true potential. The internet in whatever shape or form it will take is already part of the social fabric of our societies and an integral part of our economies. Internet is used by humans of all ages, and if we don't put powerful new technology in the hands of future generations as building blocks for a fair and democratic society and an open economy that benefits all — who will?
Have a look at projects already funded through UOI to see what we mean, but don't be afraid to send something completely different if you think you can contribute to the technology commons and the user-operated internet. Submission is temporarily halted Acknowledgements The User-operated Internet Fund is made possible with financial support from the PKT Community/ The Network Steward and stichting Technology Commons Trust. Your donation is welcome too. ","url":"https://nlnet.nl/useroperated/","title":"User-Operated Internet Fund"},{"description":" Guide for Applicants Main page | Guide for Applicants | Eligibility | FAQ This page provides some guidance for people applying to the User-operated Internet Fund. For the deadline of the calls please check the main page of the fund. If you want to know details about the type of activities that qualify for financial support, or who can apply, please check the eligibility information. This page details the entire procedure, the results to be obtained, the competitive criteria for awarding financial support, and the criteria for calculating the exact amount of the financial support. Criteria for awarding financial support Projects are judged on their technical merits, strategic relevance to the User-operated Internet and overall value for money. The key objective is to deliver potential break-through contributions to the technology commons that is the open internet including its enabling technologies. All scientific outcomes must be published as open access, and any software and hardware must be published under a recognised open source license in its entirety. First stage of the assessment Based on the submitted proposals, projects receive a first check for eligibility in terms of alignment of goals and criteria with the sub-granting call. In this stage hard eligibility (“knock-out”) criteria specific to the sub-granting call are checked. 
Project proposals are written in English and: should be in line with the goals of the User-operated Internet Fund should have research and development as their primary objective All projects that fail on any of these knock-out criteria, will not be further reviewed and will be marked ineligible. The rest of the projects will be given a score based on the proposal text as submitted. If multiple versions were submitted prior to the deadline, the last complete version will be used. Projects receive an initial rating on three criteria: Weight Criterion 30% Technical excellence/feasibility 40% Relevance/Impact/Strategic potential 30% Cost effectiveness/Value for money The total weighted score of projects has to be above 5 (out of 7) to pass to the next stage. The projects which are not taken into the second round are informed that their project is not selected, so that they may try to find funding elsewhere as soon as possible - or continue without additional funding. Second stage of the assessment The second stage is used to select strategic projects which not only satisfy the minimal criteria, but also have potentially a lasting impact on society. Projects are to be selected based on their potential contribution to the User-operated Internet, which is aligned with the larger vision of the Next Generation Internet. In the second stage, the reviewers are able to ask additional clarifying questions and make (minor) suggestions to improve the quality and impact of the project. This typically involves questions such as: what is the difference in approach to existing projects U, V and W how will you approach complicating factor X can you back up or validate claim Y have you considered collaborating with complementary effort Z or using standard A the rate you have applied for task B is very high compared to the perceived value of that task. Can you explain, or would you like to reconsider? 
can you clarify how you intend to make the outcome of the project (self)sustainable how does upstream project D feel about your application In addition, the review team will do independent verification of facts, methods and claims. If necessary they verify relevant information through their expert network. This is done without revealing personally identifiable information, unless there is explicit consent from the submitter. The second stage typically lasts three weeks. If a project is unable to prepare all the answers to the questions and/or a modified proposal within the allocated time frame, the project may be moved to the next call. Note that the proposed project budget may change during this phase due to e.g. added or deleted project milestones. After the interactive part of the second stage is completed, new ratings are calculated based on the revised plan. If the revised plan scores lower than the original proposal, the original proposal is rated. The result is a ranking of projects that reflects the overall expected value and the relative impact in the context of the User-operated Internet, starting with the project with the highest weighted rating and going down to the lowest weighted score. The cut off point is a weighted score of 5/7, unless there is not enough remaining budget left to fund all projects that have received this ranking - in which case the ranking is followed until there is no more available budget. The projects that fall below the cut are (similar to the first round) informed that their project is not selected, so that they may try to find funding elsewhere as soon as possible - or continue with their current funding. Criteria for calculating the exact amount of the financial support, The amount to be granted to each third party should be the amount necessary to achieve the key objectives of the action. 
During the two stage review process, the overall ‘value for money’ and strategic potential of the proposal are part of the review, and thus of the ranking. We have a rapid succession of project funding opportunities, so we can grow the talent instead of having a 'leap of faith' with a select few projects. Excellent teams that have successfully completed their project, can apply for additional funding again - provided that higher amount is necessary and delivers enough additional value. They are judged along the same criteria as the rest of the people in the grant round they are entering. Proposals must adhere to the following boundary conditions: a first proposal MAY request a maximum grant allocation between 0 and 50 kEuro. In other words, a proposal larger than 50 kEuro MUST be preceded by one or more smaller projects supported by NLnet, which MUST have been successfully concluded before a new project can be granted: this means that the project deliverables have been made publicly available under recognised open/free licenses, and other conditions may apply (e.g. that any software artefacts delivered were WCAG compliant, and that the outcomes of the independent security audit have been satisfactorily dealt with). Any project larger than 50 kEuro MAY be subject to a full independent security audit at the end, by an independent party allocated by or agreed with NLnet. Payment of parts of the project grant may be made conditional to the outcome of such an audit, and subsequent adequate handling of issues identified. The exact amount of financial support offered is determined by NLnet based on the projected cost and estimated value of the proposed project. Any proposed amount is to be adjusted for costs that are deemed ineligible as well as for the cost of any additional activities recommended by NLnet. The final amount is established in the memorandum of understanding between NLnet and the grantee. 
If the grantee does not agree with the height of the grant offered, he or she may revoke the proposal prior to signing the MoU at any time. NLnet as the grant handling organisation is a recognised public benefit organisation, and the goals of the User-operated internet are within its statutory mission. Any grants that will be handed out, to individuals, companies, NGO's or other types of legal entities are donations that may fall under beneficial tax conditions as 'philanthropic gifts'. Example Memorandum of Understanding Curious what a typical Memorandum of Understanding looks like? Of course every MoU is specific, but do feel free to quickly glance over an example MoU to get an idea of what it looks like. Example Memorandum of Understanding Did not find what you were looking for? You may want to check the Frequently Asked/Anticipated Questions ","title":"Guide for Applicants","url":"https://nlnet.nl/useroperated/guideforapplicants/"},{"description":" Frequently Asked (and/or Anticipated) Questions Main page | Guide for Applicants | Eligibility | FAQ What kind of projects are you looking for? This is really an open call. If you have an idea that contributes to the general idea of an internet operated by and for end-users, we invite you to propose. Do you have examples of granted projects? We have an overview of the projects currently funded by NLnet, with background information on all the projects and links to their websites. Go to the overview of projects Can we send you a proposal upfront to check its eligibility? Unfortunately, you can't. This would move the whole structured procedure to a flood of unstructured and intransparent private dialogues, which would be unfair to other participants (and very inefficient as well). Luckily there is no need for this: the application procedure is very light-weight, and so you can just put in your proposal. 
If the project is not selected, you can iterate with the proposal as the cycle is quite fast (every two months a new call). Do I need to work for a university or research institute to apply? No, you don't. Application is open to all. The thing that counts is a good project proposal. Do I need to have a legal entity like a company to apply? No, you don't. You can apply as an individual, or as a formal or informal organisation of any type. Or even a collaboration of the two. Each of the persons and legal entities which are part of the grant can be paid directly by us. The internal allocation of payment is decided upon by the project lead, and can be done after the work is completed. Can I remain anonymous? You don't need to reveal your real name to us, prior to the project being selected. After that, we need to have this for compliance reasons - but we do not need to make it public. We can use a pseudonym in all outgoing communication, should this be desirable or necessary at your end. Can young people apply? Yes, you can. Note that you do not have to reveal your real identity to us prior to the project being selected, so we have no way of even knowing anyway. And we very much welcome upcoming talent. Young people that have not yet reached the age of legal consent in their country of origin (typically 18 years old) on the date of the deadline may apply without any constraints; consent from a legal guardian such as a parent does not have to be provided prior to initial submission, but will be required to enter any further negotiations. Use of a pseudonym also after that is recommended. Is there a special programme for under-represented social groups? Inclusiveness is important to us. Projects are reviewed on a number of criteria, one of which is the strategic dimensions of the project. 
Creating strong role models for under-represented groups can help expand the relevance and impact of our work and thus is considered a strategic dimension, and as such is taken into account during the review - alongside other strategic dimensions such as the effect of the project on the technology landscape, standardisation efforts which are under way, human rights aspects, contribution to societal dialogue, etc. If you represent an unrepresented group, consider yourself invited to pay attention to this in your application. Of course this is not mandatory in any way, if you feel it is too much effort or distracts from the project contents itself. Can you sponsor our event, which is about X which falls within the scope of the call? No we cannot, unfortunately, and to our regret. At current we can only financially contribute to events that meaningfully contribute in a direct way to an actual R&D project within the fund. E.g. a sprint or a hackathon. Please check the information on eligible costs. Of course you can still mention good opportunities in your application, and we encourage you to do so: this will increase our understanding, and perhaps we can think of others that might be interested. I read that all projects should be released under an open source license. I'm developing a proprietary application, and want to open source only a small part. Is that allowed in a proposal? If the part you want to develop and release as free and open source is relevant and is not itself dependent on your (or other) proprietary technology, sure. Technology that can only be used with an individual closed source application will not adequately scale to the global internet, certainly not in the long run. If the fate of a certain technology depends on leadership decisions and the internal economy of a single commercial entity this should probably not be considered 'sustainably open'. Spending public funding for building private monopolies isn't in the public interest. 
So in short: you can submit a proposal that fits snugly within a closed commercial environment, as long as that project itself is open source and doesn't depend on that closed environment - which would get in the way of permissionfree innovation and fair opportunities for all. Am I allowed to offer additional, non-open licenses? All projects are supposed to be released under a suitable free/libre/open source license. This allows for incremental innovation on top of your results, and as we explained is non-negotiable. We recommend you set up good governance processes for handling rights attached to your work, to make sure you and the users of your research retain agency in the future. This condition however does not in any way exclude the legitimate holders of copyrights and other associated rights of dealing with your project results under additional licenses, even proprietary ones: there may be legitimate reasons (such as license incompatibility with third party complementary FLOSS efforts) for alternative licenses beyond the license you use for the project. Can I apply with multiple projects in one single round Yes, theoretically you probably could - but there are some conditions to that. Note that if you submit multiple proposals in a single round, these typically have to be independent from each other. You cannot bypass the size conditions of the call by submitting a string of proposals that are tightly coupled to each other. If project B and C can only happen if project A is successful, you should probably be well under way finishing project A first before you block money for two more projects. Each proposal also costs time to write and submit - and we cannot give that time back to you. The limits with regards to the maximum amount you can receive during the lifetime of the fund stay the same - whether or not you contribute to multiple projects. I have patents assigned or pending on my idea. Can I meanwhile propose a project involving those patents? 
Should I disclose this in my application? Yes, you must certainly disclose this. Patents can hinder other people and organisations from freely working and innovating with the technologies you may be creating, in different and sometimes unpredictable ways. Free and open source software licensing is based on copyright law, and may or may not have provisions with regards to patents. The interaction with patent law can be complex. We would prefer to understand potential patent situations at the application stage, given that we are talking about technologies which are to be created inside publicly funded research and development. The final selection of projects is competitive. If the patents involved do not interfere with the relevance of your contribution, and the technology you develop becomes available under suitable open source licenses, your project may still be eligible. I only heard about this call recently, can you postpone the deadline? We get this question surprisingly regularly. We are sympathetic to your need. Unfortunately, the deadline of such a large concerted effort really is a deadline and there is nothing we can do about this. That means when you submit after the deadline, you will submit to the next call. The deadline of which, fortunately, is just a mere two months away since we have a bimonthly cycle. Meanwhile, of course, you can just submit a preliminary proposal — unlike most procedures you should be able to complete a proposal in less than an hour. I submitted to the wrong fund, now what? I apparently did not look well enough when I submitted my project, but when looking at the mail copy of the application I got from you, I submitted to the wrong fund. Can you fix this for me? By far the quickest variant is to resubmit to the right call. Just copy and paste your application details from the confirmation email. At your request, we can just discard the earlier submission. 
If the call you wanted to submit to is already closed, resubmission would of course not be possible without unnecessary delay. In that case, please contact us as soon as possible to arrange for a manual alteration - and please include the assigned number in your mail to ease processing. What happens if there are not enough good projects submitted? From our long experience we know there are a lot of people with awesome ideas that need funding, and the funding is there to enable them to actually carry out this work in the public benefit. We believe we can give people a once-in-a-lifetime opportunity to do their part in fixing the internet. However, we also happen to have rather high quality standards, and intend to stick to them. We are not running a lottery where weak projects can submit in the hope of running away with leftover budget. As a public benefit organisation, we have a moral obligation to spend that money frugally and effectively. So unspent budget is just pushed to the next rounds. Can anyone in the whole world submit? Yes. How sustainable is all this? Does all of it stop when project funding goes away? We certainly hope not! One of the huge benefits of the design decision that all projects release their results under free/libre/open source licenses, means that we allow for incremental permissionless innovation. We invest in ideas and technology commons, not in individual businesses or particular business models. Free software allows literally anyone to use whatever they want in whatever way fits their needs. As long as there is someone interested in developing or using the software, they can do so without asking anyone. Obviously, under those rather unique conditions, evolutionary sustainability is much improved over the situation where the 'owner' restricts development and may pull the plug at any time. 
Furthermore, we spend a lot of effort in working with the technical and operational internet community as well as with other relevant stakeholders - preferably as early in the process of each project. This means not only that they get relevant feedback, but also that they are more likely to adhere to quality standards and operational practises that make it more likely that results are actually deployed. What services do you offer to projects besides money? One of our key objectives is to set a new global standard for supporting R&D projects. We are setting up a best-of-breed \"greenhouse environment\" (analogous to what an \"accelerator\" does for for-profit initiatives) for the projects and teams that are funded by the User-operated Internet Fund. Researchers and developers are mere humans, and the grasp of all relevant best practises they bring along initially is by definition limited. No matter how brilliant a researcher is: the demands on technology that should actually run at scale on the modern internet today are huge, and continuously changing. Having a really good idea does not automatically mean that you know how to make your solution accessible to blind people, how to set up continuous integration and reproducible builds, how to orchestrate a responsible disclosure procedure, how to make sure that your application can be used with different languages and be properly localised to be compatible with different cultures, how to engineer secure software and what state of the art attack vectors you'd better deal with, how to engage with standards setting organisations, how to nurture and grow a developer community, how to write end user documentation, which software license best fits the goals of the project, how to deal with software patent trolling, how to support diversity with regards to gender and social identity, what considerations to take into account for software to be packaged by distributions, etcetera. 
Adding these requirements post-development is many times more expensive, and in some cases can be impossible. We aim to complement the knowledge and skill set of the project proposers with leading domain experts in the respective fields. We can't do all the work for you, but we can provide guidance and mentoring to tackle each of these topics. Can I ask my users for a subscription fee to sustain my income? Sure, as long as you also make the results of your project available under a free and open source license for other researchers and developers to work with. Such a license allows people to reuse it for any purpose they see fit. That in turn allows for incremental innovation and reuse. Free and open source software makes what you develop a technology commons, meaning complete strangers will spontaneously care about making what you have created go far and wide - something they would never do for a proprietary product restricted to a single commercial entity ... Of course most ordinary people don't directly work with code themselves - they tend to leave that to experts like hosting companies and app stores. Very few people might be more qualified than you (as the creator of your technology) to provide services around your 'brain child' - and you might actually do some of your target user base a large favour by providing a hosted service they can pay for. It is therefore perfectly okay to (for instance) provide a hosted version with a monthly subscription fee attached. Running software is not R&D but a service and comes at a cost in terms of operational expenditure (e.g. electrical power, hardware, etc) and human labour. Part of the user community is interested to outsource that work and pay for convenience and not having to worry. Others want or need to run the software you create themselves, for good reasons such as privacy or confidentiality. Some of the users would contribute back in code, some of which you can use for your customers. 
And of course others will just download the software and use it. However, every single user is proof that your project provides something worthwhile. You do not have customer lock-in, but as long as you provide enough value (innovation, operational excellence, etc) - people are likely to come to you again and again. You are after all the brains behind the software they depend on. And of course you can apply for follow up funding to continue 'working for the internet', based on the utility of your software and the relevance of your new plans. Hosted services are not the only way to make a future living. Another type of users may want you to provide paid consultancy to add features they need, or to have you help out set up their own instance. The best model for sustainability depends really on the nature of your project, and will be specific to the problem you are solving and the target group(s) you address with your work. You can in fact make money from what you build in any way, as long as the result of the work funded by us is at least available under a free and open source license. There are many examples of free and open source projects that result in a sustainable income for their creators in very different ways, and also many that don't. This is no different from any other enterprise you may undertake. The grant we provide typically pays your entire income (and those of people you may involve) during the development of the project itself. So consider that you work for the internet, and that is its own reward. If the project is picked up by a wider community, that will give you an excellent position going forward. You could do worse than having a revolutionary internet technology on your resume... The topic of this call doesn't really fit, are there other topics I could apply to? 
If your research doesn't fit with the topic of the \"User-operated Internet\", please do check out our other funds like NGI Assure, which is similar to this call but addresses research and innovation in the area of technical assurances that make security and trustworthiness easier. Also, you can check the website of the NGI initiative for open calls by other organisations. When I receive donations, what happens? Your grants take the form of a donation from NLnet Foundation. NLnet is a recognised public benefit organisation according to the Netherlands tax office, a status which translates in full or to some degree to many other parts of the planet - which may or may not include your country of residence and/or work. Taxation in a global context is a pleasantly complex, dynamic and inspiring issue that has intellectually challenged many great minds. It has damaged some of those (and many others too). There are unfortunately significant differences across countries, and even across regions within a single tax system you may find notable variations in treatment. If you are from Europe, you might benefit from an initiative by the Philanthropy Europe Association (Philea) called Legal Environment for Philanthropy in Europe. With the help of a network of local experts, they have crafted an overview per country of key legal provisions that apply. This should help get you started. Obviously, your local tax authority is the authoritative answer to all matters concerning taxation, and if you are in doubt you are advised to contact them for guidance. Go to: Legal Environment for Philanthropy in Europe (warning: trackers present, unfortunately.) My question is not here? Well, if you've read all this and still have a burning question: let us know. We are happy to help! 
","title":"Frequently Asked (and/or Anticipated) Questions","url":"https://nlnet.nl/useroperated/faq/"},{"description":" Eligibility information Main page | Guide for Applicants | Eligibility | FAQ Eligibility Projects are judged on their technical merits, strategic relevance to the User-operated Internet and overall value for money. The key objective is to deliver potential break-through contributions to the open internet. All scientific outcomes must be published as open access, and any software and hardware must be published under a recognised free or open source license in its entirety. Weight Criterion 30% Technical excellence/feasibility 40% Relevance/Impact/Strategic potential 30% Cost effectiveness/Value for money Requirements Project proposals are written in English and: should be in line with the NGI vision and the call applied for should have research and development as their primary objective should be complete and concise (think: no longer than two pages for the main application) should satisfy any other hard eligibility criteria specific to the call All projects that fail on any of these knock-out criteria, will not be further reviewed and will be marked ineligible. 
List of different types of activities The following types of activities qualify for financial support, provided they are cost effective and have a clear link to the topics directly relevant to the open internet and the objectives set out in the UOI call: scientific research design and development of free and open source software and hardware validation or constructive inquiry into existing or novel technical solutions software engineering aimed at adapting to new usage areas or improving software quality formal security proofs, security audits, setup and design of software testing and continuous integration documentation for researchers, developers and end users standardisation activities, including membership fees of standards bodies understanding user requirements and improving usability/inclusive design necessary measures in support of (broad)er deployability, e.g. packaging participation in technical, developer and community events like hackathons, IETF, W3C, RIPE meetings, FOSDEM, etc. (admission fee, travel and subsistence costs) other activities that are relevant to adhering to robust software development and deployment practices project management out-of-pocket costs for infrastructure essential to achieving the above Definition of persons or categories of persons which may receive financial support There are no categorical exclusions of persons or entities who may not receive support from this fund. There are no geographical restrictions. Young people that have not yet reached the age of legal consent in their country of origin (typically 18 years old) on the date of the deadline may apply without any constraints; consent from a legal guardian such as a parent does not have to be provided prior to initial submission, but will be required to enter any further negotiations. 
","url":"https://nlnet.nl/useroperated/eligibility/","title":"Eligibility information"},{"description":" NGI Zero Tour Schedule The NGI Zero Tour Schedule lists events where people involved in NGI Zero are present. That's people who are working on supported projects and those working with the NGI Zero coalition partners. The list includes all forms of participation including speaker, participant and organizer.About NGI Zero Paving the way to the Next Generation Internet NGI Zero is a joint not-for-profit effort by a coalition of organisations that support the development of technology commons as building blocks for the Next Generation Internet initiative. By supporting the development of free/libre/open source software and hardware, and the establishment of open standards and open data we contribute to an open, resilient and human-centered internet for all. NGI Zero is made possible with financial support from the European Commission's Next Generation Internet programme. ","title":"NGI Zero Tour Schedule","url":"https://nlnet.nl/tour-schedule/"},{"url":"https://nlnet.nl/themes/vpn/","title":"VPN Fund","description":" VPN Fund \"Today we make the internet of tomorrow Going online through wifi hotspots (such as commonly found in schools, hotels, restaurants, public transport and libraries) is a daily habit of many internet users, but without proper security measures is completely insecure. This is due to the combination of the technology used and the open character of hotspots: anyone can put up a wifi access point and name it whichever way they like (including intentionally picking a name someone else uses). That makes it trivial to eavesdrop traffic by a third party, and to act as a 'man in the middle'. This major gap in our security habits has been known and shown to be easily exploitable for a long time, with demonstrated attacks like Firesheep. 
Yet users - in urgent need of connectivity to continue their work and leisure needs - continue to connect to unknown hotspots - in spite of the proven lack of trustworthiness. Virtual Private Networks make it possible to avoid these risks by establishing opaque channels through which the internet traffic can be transported across the untrusted network to a known environment (e.g. one's private/school/corporate network or a commercial gateway) where the traffic subsequently continues its path as regular internet packets. Unfortunately, the use of VPNs is not as widespread as it should be by far. Only a fraction of internet users are protected by VPN technology. This lack of adoption is to no small extent due to the fact that setting up VPNs is cumbersome. The VPN fund (established in collaboration with The Commons Conservancy), is aimed at public benefit initiatives that contribute to the advancement of Virtual Private Networking. It invites proposals on all relevant aspects of VPN technology, including better user experience and ease of use. Current projects and activities within this theme EduVPN is a comprehensive project addressing mobile apps and ease of use "},{"description":" Areas of special interest Since 1997 NLnet has been providing funding to a large diversity of efforts that all somehow improve the internet. These strategic efforts take place at many different layers of technology — from better software that offers security by design to more trustworthy (open) hardware, from differential privacy to redesigning core technical protocols. NLnet believes the internet is for end users, but there are many interests and invisible hands in the market that push it in other directions — meaning continuous effort is needed to take care that the internet evolves in the right direction. In order to cater for that wide spectrum of ideas and challenges, our preferred instrument is the competitive open call. 
(your donation helps to fuel those open calls!) Sometimes a more targeted approach is required. Pending availability of such funds we may put in targeted effort in areas of specific interest. Such a focus can help increase critical mass, and increase the impact of projects even further. We also can operate regional funds, donor advised funds as well as Named Funds. Current thematic funds NGI Zero Commons Fund The goal of the NGI0 Commons Fund is to help deliver, mature and scale building blocks for the digital commons to help restore public ownership of the internet. We support free and open source projects across the whole technology spectrum, from libre silicon to middleware, from P2P infrastructure to convenient end user applications. We need your contributions to help reshape the state of play, and create an open, trustworthy and reliable internet for all. Between February 2024 and 2027 we offer R&D grants between 5.000 and 50.000 euro with rolling open calls every two months. A scale-up programme is available for projects with proven potential. Interested? Continue reading about NGI0 Commons Fund, or propose a project. Open Social Fund The goal of the Open Social Fund is to help to restore balance in the social media landscape of today and tomorrow. By redecentralising this part of the internet and handling the functionality required as a native part of the world wide web, we help make this technology more robust and healthier for users. NLnet has historically supported research and development of many W3C ActivityPub related efforts, and will continue to do so in the foreseeable future. The Open Social Fund is intended to be complementary to the funding of R&D work, funding auxiliary efforts not within the scope of our larger funds like NGI0 Commons Fund, and the work done in Fediversity. NGI Fediversity Fund NGI Fediversity aims to bring easy-to-use, hosting/cloud services with service portability and personal freedom at their core to everyone. 
As a pilot from the Next Generation Internet initiative, Fediversity wants to provide everyone with high-quality, secure IT systems for everyday use. Without tracking, without exploitation, in a way that runs everywhere and scales effortlessly. Fediversity is based on NixOS, a disruptive Linux distribution with a unique approach to package and configuration management. Built on top of the functional Nix package manager, NixOS can be configured in a completely declarative manner, which makes upgrading systems reliable, and has many other advantages. Because it is reproducible, it is ideally suited for complex deployment scenarios where consistent behaviour, stability and configurability matter. As a part of the NGI Fediversity pilot, a dedicated grant programme is available. NGI TALER Fund In the digital economy, payments play a critical role. Yet online payment systems tend to allow for far less privacy than paying with a bank note or coins, especially when using proprietary solutions like Google Pay or Apple Pay. When interacting with the offline economy comes into play, the alternative of paying with all kinds of volatile cryptocurrencies isn't a viable option either. NGI TALER is a programme funded by the European Commission and the Swiss State to roll out a new electronic payment system that benefits everyone: people, merchants, banks, financial authorities, auditors and anti-corruption researchers. The project doesn't have to start from scratch either, but builds on the strong foundations of GNU Taler — the privacy-preserving digital payment system developed by the GNU community and Taler Systems SA. This offers privacy for those that make payments, while enforcing transparency on those that sell. By providing micro payments at very low overhead, GNU Taler permits internet business models to shift away from advertising revenue or subscription models, especially for online publishers. 
No-risk transactions can lower transaction fees and open online payments for the underbanked population and citizens marginalized from digitalisation. As a part of the NGI TALER pilot, a dedicated grant programme is available. NGI Zero Review NGI Zero Review is a three year support programme not offering money, but various targeted services to free and open source projects within the Next Generation Internet initiative. The goal is to improve the quality and inclusiveness of these projects, and make them more sustainable where possible by supporting the most promising ideas to live up to high standards (sometimes called 'walk the talk') in terms of security, privacy, accessibility, open source licensing compliance, standardisation, etc. NGI Zero Review runs until 2025. Research and Higher Education Technology Fund Financial cuts and the 'publish or perish' paradigm are increasingly impacting the capability of the research and education community to contribute to the future of the internet - while the internet needs their talent and ideas more than ever. The Research and Higher Education Technology Fund was created to help fund small initiatives that can make a noticeable difference to the users and providers of Research and Education networks. Funds in concluding phase The following thematic funds are still active in the sense that there are ongoing projects but they are no longer accepting new proposals. NGI Mobifree Fund (Running but no more open calls) Mobile devices like phones and tablets have become pervasive: they are our gateway to the world at large, function as an external brain and are increasingly part of even our most intimate moments. People should therefore be far more empowered when it comes to such a critical dependency. 
As a pilot from the Next Generation Internet initiative, Mobifree is designed to push more openness into the Android ecosystem, hopefully contributing to a virtuous cycle of innovation through free and open source software, libre hardware and open standards. Mobifree is an R&D programme bringing together a number of \"movers and shakers\" of the Android ecosystem, in order to deliver a comprehensive development effort and advance a number of free and open source technologies. As a part of the NGI Mobifree pilot, a dedicated grant programme is available. NGI Zero Core Fund (Running but no more open calls) Do you want to help create an open, trustworthy and reliable internet for all, and have an idea to, for instance, develop alternatives and improvements to core internet hardware, software and protocols which make the internet more robust, or which remove gatekeepers, choke points and surveillance capabilities? Are you working on security, privacy, interoperability, high availability and scalability of decentralised technologies which will allow everyone to benefit from both 'local first' and from economies of scale without unnecessary centralisation? NGI Zero Core runs from 2023 to December 2026. There are ongoing projects but there will be no more open calls. User-operated Internet Fund — paused The best thing about the internet is that we are all connected, but hand in hand with that comes its organic and decentralised nature that caters for disruptive innovation and diversity. From the edges inwards, users themselves can collectively own, operate and rewrite every aspect of the technology and infrastructure they depend on. Once you are able to connect even to a single other user, you are free to do within that connection what you want and wherever your skills and imagination can take you. 
This important empowering property of self-determination is unfortunately not cast in stone — the internet has no coordinated defense mechanisms built in against hostile take-overs or unethical behaviour, so it is up to the community to organise itself and keep the internet open. A healthy, resilient, sustainable and fair internet for everyone is not created by any individual private or public entity, but by its users. Want to contribute? Please donate to the User-Operated Internet Fund. Due to the lack of available budget, no new project proposals are accepted. Please consider one of our other funds. Retired funds The following thematic funds have been completed, and there are neither projects running nor new projects being accepted. Not because the topics are not important anymore in this day and age, but because we do not currently have any budget specifically earmarked for proposals within these topics. We do welcome proposals for our open call, as well as donations that would allow us to revitalise one or more of these thematic funds. NGI Zero Entrust Fund (NGI Zero) — until 2026 Reliability, confidentiality, integrity, security and data portability should be the 'new normal' of the internet, something ordinary users should not have to worry about - users should be in control. But how do we achieve trustworthiness and data sovereignty? Can your idea help strengthen the position of end users, do you have ideas on how to improve the status quo on the internet and make it more resilient, transparent and open? NGI Zero Entrust ran from 2022 to 2026 supporting 242 projects. Check out the supported projects. NGI0 Entrust was made possible with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. 
NGI Assure Fund — until 2024 The internet lies at the heart of our modern economies and societies, but it was not designed to be used in the way we use it now. Additional innovations are needed, in particular to make usage of remote resources on the internet more trustworthy and secure. The goal of NGI Assure is to support projects that design and engineer reusable building blocks for the Next Generation Internet as part of a complete, strong chain of assurances for all stakeholders regarding the source and integrity of identities, identifiers, data, cyberphysical systems, service components and processes. NGI Assure ran from 2020 to 2024 supporting 152 projects. Check out the supported projects. NGI Assure was made possible with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. Internet Hardening — until 2023 Whistleblower Edward Snowden in 2013 revealed a whole new dark dimension of the internet, where pervasive monitoring at a scale that was unimaginable is just the starting point of many other threats. In response, the IETF (the standards body behind the internet) firmly stated that it considers the internet to be \"under technical attack\". In other circumstances, one might want to drop the whole technology, but this is not easy because the internet has become a critical infrastructure for society. It is therefore vital to adequately address that attack, and revisit the security and privacy properties of the internet's underpinning standards. The Internet Hardening Fund is aimed at funding such efforts to help the internet forward - by improving its security, reliability and trustworthiness. By rewriting or replacing standards where necessary, and by making sure that those standards are actually deployed. For that, you can apply to the Internet Hardening Fund. 
Privacy & Trust Fund (NGI Zero) — until 2022 Many technologies in popular use were never designed with privacy, security or even extensibility in mind, or failed to fundamentally address key issues at the design phase. The research topic of Privacy and Trust enhancing technologies is aimed at providing people with new instruments that allow them more agency - and assist us with fulfilling the human need of keeping some private and confidential context and information private and confidential. Read more about the Privacy & Trust Fund or check out the projects which were supported between 2018 and 2022. NGI0 PET was made possible with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology, under Horizon 2020 grant agreement No 825310. Search and Discovery Fund (NGI Zero) — until 2022 How we store, annotate, retrieve and analyse information shapes our societies and economies in a very concrete and systematic sense of the term, and has a major impact on our collective and individual view of the world. How do we make sure that the core human values we hold high as society are strengthened by technology rather than anything else? Do you have an idea in the area of search and discovery? Between 2018 and 2022 we were able to award projects 5.000 to 50.000 euro (and potentially even more) to contribute to research and open source development in this field. Interested to see what the outcomes were? Continue reading about the Search & Discovery Fund or check out the projects currently supported within this topic. NGI0 Discovery was made possible with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology, under Horizon 2020 grant agreement No 825322. 
Real-time communication There are many separate high-quality technologies and services available for people to communicate across the internet live, but the development is significantly hindered by the fragmentation of the market. We need the internet model applied to unlock the potential of the internet for this crucial human need. Open Document Format The Open Document Format is an important enabler for innovation in the area of productivity and security. Open Standards are the only way to retain our documents for the future. DNSSEC Domain name technology is at the core of the way people use the internet. DNSSEC is a core technology for safer internet usage, and the key to new exciting technologies for years to come. Establish your own fund We have more excellent projects requesting money than we can afford. If you or your organisation have means to support these activities, let us know. NLnet welcomes your targeted donations of any size to let us help more projects. We have many interesting projects coming to us outside of our current themes (courtesy of a really open call), but we understand that not every project fits with every donor. By supporting a dedicated fund, NLnet guarantees that your money will only go to projects in your specific area of interest. NLnet is a charity established since 1997, with its head office in Amsterdam. NLnet foundation is recognised by the Netherlands tax authorities, and your donations are likely tax deductible. Please contact us for more information. Regional funds NLnet itself chooses to fund globally, because technology is a global phenomenon — stimulating open technology is important for humans across all geographic, social and cultural barriers. However, building local capacity and skills in your own community can be a very legitimate concern of a donor. 
If you want to give back to your own community by means of your will, and yet want to maximise the benefit for the rest of the planet, NLnet can help by creating a regional fund. NLnet will earmark the money you bequeath, and guarantees it will be spent on projects in the region of your choice. Because NLnet is a registered charity, your donation gets the most friendly fiscal treatment. There is a good legal basis in EU case law for cross-border charitable donation and tax-relief — Persche (C-318/07, also Official Journal of the EU): Where a taxpayer claims, in a Member State, the deduction for tax purposes of gifts to bodies established and recognised as charitable in another Member State, such gifts come within the compass of the provisions of the EC Treaty relating to the free movement of capital, even if they are made in kind in the form of everyday consumer goods. If you want to establish a regionally focussed fund related to open technology, or donate to an existing regional fund, please contact Bob Goudriaan or Michiel Leenaars. Named funds Do you want to promote the technical and social values you have after your life? If you want to \"pay it forward\" and enable exciting new ideas and talented and dedicated people of all ages to contribute to the open internet and open source technology, NLnet can help by creating a Named fund. Because NLnet is a registered charity, the legacy you leave benefits from very favourable tax conditions allowing you to maximise the impact of your fund. 
There is a good legal basis in EU case law for cross-border charitable donation and tax-relief — Persche (C-318/07, also Official Journal of the EU): Where a taxpayer claims, in a Member State, the deduction for tax purposes of gifts to bodies established and recognised as charitable in another Member State, such gifts come within the compass of the provisions of the EC Treaty relating to the free movement of capital, even if they are made in kind in the form of everyday consumer goods. If you want to establish a Named fund related to open technology, or donate to an existing Named fund in honour of that person, please contact Bob Goudriaan or Michiel Leenaars. ","title":"Areas of special interest","url":"https://nlnet.nl/themes/"},{"url":"https://nlnet.nl/thema/","title":"Thematic index","description":" Thematic index Stichting NLnet is a recognised public benefit organisation that works towards an open and inclusive information society. NLnet believes that the most effective way to achieve this, is through providing microgrants to talented individuals and to organisations that are aligned with its mission. An important focus of NLnet lies with research and development in the domain of network technology and the internet, in particular those that serve the end user and the long-term interests of end users. NLnet has funded many projects throughout the years, in many different areas. The quite dense index below is probably not the most convenient way to browse our portfolio, but if you already know what you are looking for it can be helpful to navigate themes and funds in this way. Click on the theme or fund name to navigate to a more readable page with more elaborate project descriptions, or visit the overview of all projects and use the live filter to drill down to topics or funds of interest. 
Application protocols Network application protocols: 0cpm — SIPproxy64/6bed4 — PSYC2 — Ambulant — Decibel — Internet of Coins — Jingle Nodes — Jitsi — Jitsi-DNSSEC — LEAP/Torbirdy — MU-Jingle — OCS-Asterisk — openMSRP — openMSRP(2) — openMSRP(3) — Parselov — PKCS#11 v3 — realXtend — SecuShare — Secushare Box — Jitsi (SIP Comm Phone) — Jitsi (SIP-Communicator) Desktop — SIP-GUI — SPEAR — Swirl — SylkRTC — Wormhole — Jabber/XMMP Binary Analysis Fund Derive knowledge from binary blobs such as firmwares: Automated clearing of source code files — binary-analysis-ng improvements — Serialization in Kaitai Struct for Java and Python — ZIP file format description Community Programs Support for advancing research and development internet communities: GDPR Compliance — Bits of Freedom — CAcert — CAIEC — The Commons Conservancy — Donations — FFII — FLOSS — FSF — FSF Europe — GPLv3 — HWIOS — MAPS — OpenDoc-Soc — ReX — TOS;DR Conferences Sponsored conferences and other events aiming at dissemination of internet knowledge and technology. Conferences — Hackathons and sprints — SANE Data and AI Data and AI: AI Horde — AI-VPN — AVantGaRDe — OCCRP Aleph disambiguation — Atomic Data — Atomic Tables — CRAVEX — CityBikes — Condensation Data System — Conzept encyclopedia — Dat Private Network — DATALISP — DatamiPods — DeviceCode — Dokieli — Encoding for Robust Immutable Storage (ERIS) — Earthstar (Encryption, Safety, and Local Sync) — Etebase - protocol and encryption enhancements — EteSync - iOS application — Every Door — Explain — Friendly Forge Format (F3) — FastScan — Software metadata — Federated Task-Tracking with Live Data — First Classify Documents — Fleetbase on Solid: A production-ready supply chain solution — Wikirate Frameworks — Data packages — Geolexica reverse — ISCC-CORE typescript implementation library — Icosa Gallery — In-document search — Practical Tools to Build the Context Web — Inventaire Self-hosted — Threat intelligence sharing — Knowledge Graph Portal Generator — LabPlot 
— LiberaForms — LinkedDataHub — LumoSQL — MWoffliner — MaDada — Manas — MapComplete — NEFUSI — Nextcloud — NextGraph — Nominatim as a library — OpenStreetMap Speed Limits — Ontogen — Ontogen and Mud — Open Cloud Mesh — Open Everything Facts — Personal Food Facts — OpenStreetMap-NG — Open Web Calendar Stack — Organic Maps сonvergent UI with Qt Quick/Kirigami — p2panda: group encryption and capabilities — PRESC Classifier Copies Package — Panoramax — PeerDB Search — Poliscoops — Polyglot jaq — Pomme d’API — Private Searx — PyCM — PyCM — Re-isearch Schmate — SCION-enabled IPFS and libp2p — SCION-Pathdiscovery — Geographic tagging of Routing and Forwarding — SES - SimplyEdit Spaces — SOLID Data Workers — SWH package manager Data Ingestion — Storing Efficiently Our Software Heritage — SeedVault Integrity — SensifAI — Smart lookup & inference for Semantic Data — Software Heritage — Peer-to-Peer Access to Our Software Heritage — Solid NC 2024 — Solid Compound — Solid Data Modules — Solid Application Interoperability — Solid Usable App Tools Project — Secure User Interfaces (Spritely) — Standards Grammar Catalog/Toolchain — Stencila v2 for ERA and EPP — StreetComplete — StreetComplete/AllThePlaces — StreetComplete — StreetComplete UX — GNU Taler Wallet ID Lookup Service — TypeCell — URL Frontier — variation graph (vgteam) — VersaTiles — Vouivre — Independent captions and transcript augmentation — WebXray Discovery — WikiRate: More Sites, More Cites — WikiRate Insights — WikiRate Insights 2 — Winden/Magic Wormhole dilation — iTowns — jaq — openEngiadina — Privacy Preserving Disease Tracking — PurlValidator — uMap — uMap Vector Tiles Decentralised solutions Decentralised solutions, including blockchain/distributed ledgerAI Horde — AVantGaRDe — ActivityPods 3.0 — Arcan-A12 — Automerge — Bana — Blink RELOAD — Briar — Briar Desktop — Discover and move your coins by yourself — Privacy Infrastructure for Corteza Federations — CryptPad Auth — CryptPad for communities — DeltaBot — 
Encoding for Robust Immutable Storage (ERIS) — Earthstar — Federated Timesheets — Fleetbase on Solid: A production-ready supply chain solution — ForgeFed Frontend — ForgeFlux — Fix the Pitch Black Attack in Freenet routing — GNU Taler — Layer-2-Overlay — GNUnet Messenger API — Galene — Federated software forges with Gitea — Gosling — Hyper Hyper Space Sync Engine and adapters — Hyper Hyper Space — Icebreaker — Interpeer — Threat intelligence sharing — json-joy — JSON-Joy Peritext — Katzen — Katzen Metadata Minimizing Messenger — Private Key Operations for Keyoxide — Keyoxide v2 — LiberaForms — XMPP-ActivityPub gateway — Librecast — LibreOffice CRDT — Librecast Live — LumoSQL at-rest data security — Distributed Trust for Web Servers — MTE - the MirageOS Taler Exchange — Manyverse — Manyverse Private Groups — Practical Decentralised Search and Discovery — SecSync — Namecoin: Electrum-NMC — Namecoin: ZeroNet and Packaging — Namecoin: Core Infrastructure — NeoChat — neuropil — neuropil — NextGraph — NodeBB — Adopting the Noise Key Exchange in Tox — Nym Credentials — Off-the-Record messaging version 4 — Open MLS Infrastructure — Interoperable Certificate Store for OpenPGP — Hardening OpenPGP CA deployments — p2panda: group encryption and capabilities — P2Pcollab — Adding Web-of-Trust Support to PGPainless — Statime — PeerDB Search — Peertube-Desktop — Extending PeerTube — peermaps — Yrs persistent documents — Pijul Hybrid — Pleroma — ProveThis — R5N-DHT — Ricochet Refresh — SCION-Pathdiscovery — Geographic tagging of Routing and Forwarding — SES - SimplyEdit Spaces — A Secret Key Store for Sequoia PGP — Sequoia PGP — Sequoia GPG Chameleon — Peer-to-Peer Access to Our Software Heritage — Solid-NextCloud app — Solid Control — Sonar: a modular peer-to-peer search engine — Secure User Interfaces (Spritely) — Spritely — Sustainable web apps with m-ld — TALER Bullion — GNU Taler Wallet ID Lookup Service — Road Signs for Digital Payments — Taler-Odoo Payment System — Great 
Black Swamp — Tasteweb — Titanic — Trustix — TypeCell — ValOS Cryptographic Content Security project — Enhancing vula with IPv6 and REUNION rendezvous — webxdc PUSH — Willow Sync — Yrs — Yrs Undo — Yrs weak links — Quantum-Proof Zenroom — Distributed Mechanism Learning — dweb-search — elRepo.io - Resilient, distributed content sharing — libresilient — Securing Decentralised Live Information with m-ld — Minedive — node-Tor — p3pch4t Deployability Making sure applications can be put to use in a sane, convenient way: Nixcloud Mail — Nixcloud Webservices — Nixcloud Educational Programs Projects aiming at using Internet technology within the educational sector. How AdTech works — CodeYard — Democratic SendComm — Explain Direct — GO-FOSS — SchoolLan — ThinkQuest — TOS;DR — TwinSite-2000 FileSender Server application to send files of arbitrary size: FileSender — FileSender Multistage — FileSender UX ZIP — FileSender IDOR and Rate Limiting — FileSender UX/UI — FileSender — FileSender secure passwords — FileSender GetEduroam A modern way to manage and deploy federated wifi roaming: Letswifi/Geteduroam Portal — Letswifi/Geteduroam Hardware Trustworthy hardware and manufacturing. Hardware 2D graphics engine — AALT (Accelerated Analog Layout Tool) — Analog/Mixed-Signal Library — ARMify — Apicula — Apicula IO primitives — BB3-CM4 — Balthazar — Balthazar Casing — Balthazar - One laptop for the new internet age. 
— Betrusted OS — Betrusted Storage — BrailleRAP — Libre-SOC Cavatools: Power ISA Simulator — LibrEDA — Zerocat Chipflasher Flashrom Interface — Chips4Makers ASICs — Supersizing the Gun — Coloquinte — Libre-SOC, Coriolis2 ASIC Layout Collaboration — DMT — DUT Control — EEZ DIB — Edalize ASIC backend — EDeA — FABulous Demo SoC — FPGA-ISP-UVC-USB2 — FPGA Fault Injection Testing — FastWave — FemtoStar Project — Flashkeeper — Fobnail — Frugal EDA — Libre/OpenCores FuseSoc backend — Collection of Verified multi-platform Gatewares — Verilog-AMS in Gnucap (cont'd) — Verilog-AMS in Gnucap — Porting Guix to Riscv64 — Hardware accelerated 2D graphics — Open Hardware Manuals — IC workspace — Icestudio — YunoHost and the Internet Cube — JellyfishOPP — KiCad-IPC — KiKit — Kintex-nextpnr — Wireguard-1GE FPGA — Langsec in Pectore — Libre-SOC — Libre-SOC HPC — Libre-SOC OpenPOWER ISA WG — LibreCellular — LibrePCB — LibrePCB 2.0 — The Libre-SOC Gigabit Router — LibreSilicon — Libre Silicon compiler — Standard Cell Library — Port of AMDVLK/RADV 3D Driver to the Libre-SOC — Libre-SOC Formal Correctness Proofs — Libre-SOC Formal Standards Development — Libre-SOC Video Acceleration — LiteX — LunaPnR Phase 2 — MEGA65 Phone Modular MVP — MNT Reform — MNT Reform Next — Test Procedures for MOSFET SPICE Model Validation — Machdyne — MEGA65 Phone — Caster — Mosaic — Naja — Naja DNL — NaxRiscv core improvements — Nitrokey — Nitrokey 3 — Trussed — O-ESD — Open Know-How Search — OVT 13 — OpenCryptoHW — OpenCryptoLinux — OpenCryptoTester — DRTM implementation for AMD processors — OpenEMSH — Open Energy Profiler Toolset — OpenQRNG — openwifi: 802.11a/g/n maturity — Ordie — Securing PLCs via embedded protocol adapters — PTP gateware with openXC7 — Patchouli — Py2HWSW — RA-Sentinel — RAIJIN — RISC-V Phone — Radio-Meshnet — Real Time Litex Extension — Redox Flow Battery — pcb-rnd, sch-rnd — SDCC — SpinalHDL, VexRiscv, SaxonSoc — SiCl4 — Silicon verification — Simmel — Spade — Squishy — Transitioning 
SMM Ownership to Linuxboot — Surfer Waveform Viewer — Timing-Driven Place-and-Route (TDPR) — TISG trustable image sensor gateware — TerosHDL — TerosHDL: OSS, GHDL, NVC — Tiliqua — Topola — TwPM — ULX4M — UberDDR3 — Reverse Engineering Toolkit — LIP6 VLSI Tools — Verilog-A distiller — VexiiRiscv — video box — WireGuard on FPGA — Wishbone Streaming — ZSWatch — ZSipOs — ZeroPhone Next — betrusted — f8 — foaHandler — lpnTPM — mikroPhone — nextpnr for GW-5 — openCologne — openPCIe2 Root Complex — openXC7 — S-SATA for openXC7 — pcb-rnd — scalePNR — uFork — uFork/FPGA — uberClock Information Retrieval Projects primarily related to internet information retrieval technologies. AGFL — AHA! — ALIAS — CPAN6 — Global Directories — Globule — LCC — Parselov — Searsia — Sesame — SIRS — ARPA2 Steamworks Internet Hardening Fund Projects funded from the Internet Hardening Fund: Certbot ECDSA support — Improving Matrix E2E encryption UX — Namecoin: TLS — ARPA2 Steamworks — GnuTLS — DIME — GetDNS — Pretty Easy Privacy — GUN P2P Encryption — Key Management — lib25519: Secure and efficient computation of X25519 and Ed25519 — Namecoin — Faster and configurable datapath/Linux xfrm — Pitchfork — Pitchfork PKCS#11 — Modular CA — Remote PKCS#11 — SecuShare — Secushare Box — Magic Wormhole/SPAKE2 — Stubby — TLS-KDH — Vita — Nixcloud — WireGuard — WPIA CA Infrastructure Internet Infrastructure Protocols and software for managing and advancing low-level internet infrastructure: ARPA2 — Atom-Based Routing — BIND DLZ — Bricophone — CeroWRT — CuteHIP — DNSCCM — Dowse — eduVPN app — eduVPN on Apple — eduVPN on Apple part II — eduVPN multi-protocol — eduVPN — Fairwaves — FTEproxy — GetDNS — GISS — IIDS — ISC BIND 9 — iuh-openbsc — Koruza — LOAP — Meshtool — Namecoin — nat64 — NetEventKit — nftables — Faster and configurable datapath/Linux xfrm — NLnet Labs — Nodewatcher — OpenBTS-HW — Cryptech.is — OSLD — Palea — RaptorJIT — RPKI-RTRlib — SCTP-Linux — SDR PHY — Serval — Serval-LR — SnabbWall — SocketHUB 
— Magic Wormhole/SPAKE2 — Stratosphere IPS — Stubby — TCP-multipath — Timesheets — TLS-KDH — Uberflow — UmTRX — WireGuard — Wisper Measurement Measurement, monitoring, analysis and abuse handling: 0WM — Firmwire full-system 5G baseband emulation — Yama Analytics — Detecting Forged-Origin BGP hijacks — BIDS: Binary Identification of Dependencies with Search — Back2Source next — CRAVEX — CRAVEX integration — CRAVEX 2 Code Reachability — Supersizing the Gun — Darkstar — EDeA — EEZ Studio — EEZ flow for EEZ Studio — Tracking the Trackers — FPGA Fault Injection Testing — FederatedCode Next — GoatCounter — Lightmeter — LANShield — MPTCP — Massive FOSS scan — MobileAtlas — MobileAtlas — NoScript Contextual Policies & LAN protection — O-ESD — OWASP dep-scan — OnBaSca — Pijul ecosystem — Reaction — Servo: Benchmarking and Statistics — Sniffnet — Statime PTP Master — Timing-Driven Place-and-Route (TDPR) — Tracking weasel — Trustix — Enhance the vulnerability database — WebXray Discovery — XWiki — badkeys — happyDomain — Handling Data from IPv6 Scanning — iso14229 — Software vulnerability discovery — offen — purl2all — purl2sym — PurlValidator — rrdnsd Middleware and identity Middleware + identity, including DNS, authorisation, authentication, distribution/deployment, operations, reputation systems: 0KNOW — Aerogramme — Automating mobile app interception with Frida — Autocrypt for Thunderbird — Back to source: trust but verify all the packages — Bonfire Framework — Charon — Cloud hosting service portability — Coko Docs — Connect by Name — Record Federation for Corteza Clouds — CryptPad Auth — CryptPad Blueprints — CryptoLyzer — CryptPad — GNU Guix - Cuirass — Securing Internet protocols with DIDs — DNSvizor — Anonymisation for Data Donations — Distributed Private Trust — Dolphin authorisation — dream2nix — Python supply-chain with dream2nix — EGIL SCIM client — The search for ethical Apps — FOSS Code Supply Chain Assurance — FOSS Code Supply Chain Assurance II — Federated 
software forges with Forgejo — ForgeFed — GNU Name System — GNS Migration and Zone Management — GNU Taler KYC — Garage — Garage Administration UI — Nix Integration for Hop3 — A proof of concept of identity-based encryption — IRMA made easy — Icebreaker — YunoHost and the Internet Cube — Interpeer SDKs — Keyoxide — Private Key Operations for Keyoxide — Keyoxide v2 — Improve Email Encryption in KMail — LDAP Synchronization Connector — ARPA2 LDAP Middleware — SCIM integrations — Distributed Trust for Web Servers — MTE - the MirageOS Taler Exchange — MoboSearch — Namecoin: ZeroNet and Packaging — Namecoin: Core Infrastructure — NixOS/Clevis — Securing NixOS services with systemd — Nym Credentials — Opaque Sphinx — Opaque Sphinx Server and Clients — OpenPGP Certificate Authority — Improving OpenSSH's Authentication and PKI — Interoperable Certificate Store for OpenPGP — Hardening OpenPGP CA deployments — Owncast — Adding Web-of-Trust Support to PGPainless — Peppol for the masses — Privacy Enhancements for PowerDNS and DNSdist — Prosody IM — Python bindings to the rattler library — Rauthy — Redwax — Reproducible F-Droid — Robur private DNS resolver and DHCP server — Rocket CWMP — SASL Works for the InternetWide Architecture — SCION-RAINS — Geographic tagging of Routing and Forwarding — Software Heritage listers + tooling — Subliminal Messaging — Secure Web Tokens for Linux — SeedVault Integrity — SelfPrivacy — A Secret Key Store for Sequoia PGP — Adding TPM Support to Sequoia PGP — SignRoom — Solid Application Interoperability — Solid Application Interoperability — Solid Wallet — Dual-level Specification Inference — Statime PTP Master — Client Proof-of-Work in TLS — Threadiverse Reproducible Deployment — TrustING — Trust semantic learning and monitoring — Tvix — Universal DID Resolver and Registrar — XWiki — Wispwot — MLS for XMPP — ARPA2 resource ACL and HTTP SASL modules for NGINX — Bitmask — Distributed Mechanism Learning — django-allauth — imap-codec library — DNSSEC 
Key Signing Suite — Maintenance and portability of sudo-rs NGI Assure Projects that make security and trustworthiness easier NGI Assure was a grant programme that ran from 2020-2024, funding projects making security and trustworthiness easier, as part of the Next Generation Internet initiative of the European Commission. For a more complete description see the home page of the fund: NGI Assure.0KNOW — Aerogramme — Ari — Atomic Data — Authenticated DNSSEC bootstrapping — Heads-OpenPGP — Bertie — Blink Qt Messaging — Briar Desktop — CNSPRCY — Converged Security Suite Improvements — Cable — Libre-SOC Cavatools: Power ISA Simulator — Choreographic Programming: From Theory To Practice — Coko Docs — Conversations 3.0 — CryptPad Auth — CryptPad Quality Test Suite — CryptPad WCAG — CryptoLyzer — CryptPad Auth Improvements — Securing Internet protocols with DIDs — DATALISP — dream2nix — Python supply-chain with dream2nix — Encoding for Robust Immutable Storage (ERIS) — Earthstar — Earthstar (Encryption, Safety, and Local Sync) — Friendly Forge Format (F3) — FOSS Code Supply Chain Assurance — Federated Task-Tracking with Live Data — Federated Timesheets — Fobnail — Full-source GNU Mes on ARM and RISC-V — GNU Mes RISC-V — RISC-V bootstrapping effort via GNU Mes — GNU Mes Tower — GNU Taler KYC — Layer-2-Overlay — GNUnet Messenger API — Gash — Gosling — Porting Guix to Riscv64 — TPM 2.0 for HEADS — Himalaya — Hyper Hyper Space — IPDL — Interpeer SDKs — json-joy — KDE Connect — Standardizing KEMTLS — Kaidan — Kaidan Mediasharing — Katzen — Keyoxide Mobile — Private Key Operations for Keyoxide — Keyoxide v2 — Kintex-nextpnr — Let's Connect! 
Client-Server to P2P — LiberaForms — Audio/Video Calls in Libervia — Librecast — The Libre-SOC Gigabit Router — LumoSQL at-rest data security — Maemo Leste Telepathy — Manyverse Private Groups — Mellium — MirageVPN — Monal IM — SecSync — Namecoin: Electrum-NMC — NeoChat — Packet classification extensions for Netfilter — neuropil — NextGraph — Type Inference for Nix — NixOS/Clevis — Securing NixOS services with systemd — UEFI Secure Boot support for NixOS — Adopting the Noise Key Exchange in Tox — Oil Shell — Oil Shell — Improve Okular digital signature support — Ontogen — OpenCryptoHW — OpenCryptoLinux — OpenCryptoTester — Open MLS Infrastructure — Improving OpenSSH's Authentication and PKI — Hardening OpenPGP CA deployments — OpenQRNG — p2panda — Adding Web-of-Trust Support to PGPainless — Post-Quantum Crypto in DNSSEC — Statime — Peppol for the masses — Probabilistic NAT Traversal — Prosody IM — ProveThis — PyCM — R5N-DHT — rasn — Rosenpass — Rosenpass API — SES - SimplyEdit Spaces — Subliminal Messaging — A Secret Key Store for Sequoia PGP — Adding TPM Support to Sequoia PGP — Sequoia PGP — Sequoia GPG Chameleon — Servo Developer Experience Improvements — Multi browsing context support in Servo — Signature PDF — SignRoom — smoltcp RPL — Peer-to-Peer Access to Our Software Heritage — Solid Wallet — Dual-level Specification Inference — Spritely (and OCapN) — Statime PTP Master — Sustainable web apps with m-ld — Great Black Swamp — Tauri Apps — Servo Webview for Tauri — TerosHDL — FIDO 2.2 — TrustING — Trust semantic learning and monitoring — Trustix — Tvix — TwPM — TypeCell — UEFI isolation in VM from non UEFI firmware — LIP6 VLSI Tools — Servo improvements for Tauri — Next Generation Browser Profile Workflow — Vula — WikiRate: More Sites, More Cites — Winden/Magic Wormhole dilation — Wispwot — Yrs — Yrs Undo — Quantum-Proof Zenroom — Reinstatement of crypto.signText() — Distributed Mechanism Learning — imap-codec library — libresilient — lpnTPM — Securing 
Decentralised Live Information with m-ld — oqsprovider — p4-nix NGI Fediversity Fund Creating the hosting stack of the future: NixOS Agent-Based Deployment Stack — Drupal ActivityPub integration — Source-based Nextcloud + Onlyoffice — NixEdgeOpt — End-to-end NixOS boot security — Nixpkgs Clarity — SelfPrivacy Catalog — bewCloud NGI Mobifree Fund More ethical and human mobile software: APKpatcher/PyAxml — Android translation layer (ATL) — Androguard — Bugbane — Easy Transit 2 — F-Droid App Overhaul — LambdaNative F-Droid integration — FMD — Gesture Typing for AOSP-derived Keyboards — IsMyPhonePwned — IzzyOnDroid — Opening up Apple’s Low Latency Wi-Fi Protocol — OWASP blint — Offline Translator — OpenAGPS — PiRogue Tool Suite — Pithus — RTranslator 3.0 — SIMcurity: Tools for Securing the SIM interface — Solid Share — Termux — Unexpected Keyboard Autocomplete/Correct — VirtuAndroid — VoWiFi Watchdog — CanIWebView — Weblate Android SDK NGI TALER Fund Privacy-preserving digital payments: Abelujo — Contributron — MTE - the MirageOS Taler Exchange — Maho — Taler OpenAPI specification — TALER Bullion — ERPnext TALER payment gateway — Taler Integration into F-Droid Ecosystem — Taler plugin for Fastify — Interledger interoperability inquiry — Taler in Liberapay — GNU Taler Wallet ID Lookup Service — Road Signs for Digital Payments — Taler-Odoo Payment System — Open Banking Gateway Taler Wallet Top-Up/Merchant Verification — Libre Payments in Ruby — GNU Taler Tryton/GNUHealth integration — GNU Taler Payment Provider for be-BOP — TALER integration in flohmarkt — Payment Module for Nuxt/Vue.js — Taler-Kivitendo Integration — Taler-Dolibarr Integration — xBSD porting and packaging — TalerPHP NGI Zero Core NGI0 core is a grant programme funding projects moving the internet forward, at the architecture level and above, as part of the Next Generation Internet initiative of the European Commission. 
For a more complete description see the home page of the fund: NGI Zero Core.0WM — Hardware 2D graphics engine — Firmwire full-system 5G baseband emulation — AI Horde — AlekSIS: Integration and Communication — Alive2 — Arcan-A12 Directory — Arcan-A12 Tools — Automerge — Interpretation feature for Big Blue Button — Detecting Forged-Origin BGP hijacks — BIDS: Binary Identification of Dependencies with Search — Back2Source next — Blitz - a modular web renderer — BrowserAudit — Tracing and rebuilding packages — CAKE-MAINT — CRAVEX integration — CRAVEX 2 Code Reachability — Cartes — COCOLIGHT — Cross-root ARIA — CryptoLyzer IKE — Darkstar — DataLab — Diesel — Draupnir — Open source ESP32 802.11 MAC — Email <=> XMPP gateway — Encaya — EventFahrplan — Exter — FOSS Warn — FPGA-ISP-UVC-USB2 — FastScan — Feather UI — Fediverse Test Framework — Fediverse Test Suite — Enhancing Firefox for Linux on Mobile — Flashkeeper — ForgeFed Frontend — Frugal EDA — Namespace-specified imports in GHC — GNU Mes interpreter speedup effort — GNUnet on Android — GPGPU Playground — Galene — Gancio — Collection of Verified multi-platform Gatewares — Persistent Storage for Goblins — Goupile — Grate project — Guix-Daemon — Hardware Bill-of-Materials (HBOM) generator — Hyper Hyper Space Sync Engine and adapters — Open Hardware Manuals — SCE, DelTiC and Antler — Hockeypuck — Holo Routing — IPDL II — IPv6-monostack - upstream Linux SIIT/NAT64 — ISCC-CORE typescript implementation library — Optimized Image Codecs — Micro25519 — Irdest IP Traffic Proxy — IronCalc — Ironclad — JSON-Joy Peritext — AppBundler — KDE Plasma Wayland — Knowledge Graph Portal Generator — Kami — Keyhive — KiCad-IPC — LDAP Synchronization Connector — LO/CODE Book project — LabPlot — Lemmy Scale — Libre Diagnostic — LibreQoS 2.1 — Librecast Overlay Multicast — Automate FOSS license compatibility determination — LANShield — Loops — MEGA65 Phone Modular MVP — MNT Reform QCS6490 Module — Improving the deployability of Multipath TCP 
— Improving the deployability of Multipath TCP, part 2 — MWoffliner — MailBox renewal — Mapterhorn — Multilingual Marginalia — Miru — postmarketOS/phosh-mobile-settings integration — Mobilizon UX — Mollymawk — Mosaic Simulation — Movim — Mox management and automation — Collation + i18n support in musl libc — Control plane for Nix-based systems — NixBox — NodeBB — Nova JavaScript engine — NovyWave — O-ESD — OCaml direct style transition — OCaml-QUIC — OPERA-DSP — OWASP dep-scan — owi — Omnom — OpenCarLink — Open Cloud Mesh — OpenEMSH — OpenHarbors — Open Web Calendar Stack — Open Web Calendar Stack II — Extensive openwifi support for OpenWRT — openwifi: 802.11a/g/n maturity — Openfire Next-Gen Connectivity — Openfire IPv6 support — Organic Maps сonvergent UI with Qt Quick/Kirigami — Organic Maps bookmarks, hike and bike — Overte Visual Scripting — PTT — Patchouli — Better support for display notches and cutouts in Phosh — Pijul ecosystem — Pijul Hybrid — Pimalaya PIM — Plasma Mobile powermanagement improvements — Pleroma — Pre-Scheme — Protomaps — Py2HWSW — Py3DTiles - Textured Mesh tiling — Proper Webcam support in Qemu — RVVM — Rackweaver — Rauthy — Reaction — Real Time Litex Extension — Redox OS Unix-style Signals — Renderling — NetBSD Reproducibility — Rivista — Free and open source NPU Drivers — Rosenpass Broker — Rust crate auditing and source correspondence checks — SCION Open Source Implementation — SCION-enabled IPFS and libp2p — Toward a Fully-Verified SCION Router II — SMAesH-Mode — Security audit of Sailfish FOSS components — Scheme Testing Framework — SelfHostBlocks — Servo: Benchmarking and Statistics — Multiprocess Mode in Servo — Servo Script Improvement — Slint port for Android — Slint on iOS — Slixfeed — Snix-{Store/Build} — SoCLinux — SocksTrace — Solid NC 2024 — Solid Application Interoperability — Spade — Spritely Oaken — Stalwart Collaboration Server — Transitioning SMM Ownership to Linuxboot — Standards Grammar Catalog/Toolchain — Stencila v2 
for ERA and EPP — Structured Email for Roundcube — Surfer Waveform Viewer — Client Proof-of-Work in TLS — TSCH-rs — Tau — Teamtype — Threadiverse Reproducible Deployment — Titanic — TrenchBoot as Anti Evil Maid - UEFI boot mode support — Tusky — HTML export for Typst — UnifiedPush — UnifiedPush — Toward a Fully-Verified SCION Router — VersatAI — Verso Views — Webview library with Verso for Tauri — VexiiRiscv — OpenIMSd — Vouivre — Enhance the vulnerability database — WPE Android — WPT automatic testing for platform accessibility mappings — Wax — Integration of Waydroid on mobile GNU/Linux — Wayland input method support — WeasyPrint — Webxdc evolve — WgMath — Whippet — Willow Sync — Wobble Web — MLS for XMPP — XMPP Interoperability + Conformance Testing — YAWS - Yet Another Web Server — Zero-allocation web servers in roc — ZeroPhone Next — Zilch — Zip linting and bzip2 in Rust — badkeys — bluetuith — Federated eIDAS-compatible signing portal — Federated webinars for eduMEET — f8 — fdtshim — foaHandler — happyDomain — iso14229 — k3lp — lib1305 — lib25519 using NEON for ARM64 — libnix — libvips — Verifying and documenting live-bootstrap — Lychee — machine-check — Multisoni — nextpnr for GW-5 — openPCIe2 Root Complex — p3pch4t — postmarketOS: v23.12 and v24.06 Releases — postmarketOS daemons — Support for OpenPGP v6 in rPGP — reqwest — rrdnsd — s6-rc — Maintenance and portability of sudo-rs — synit-nixos — tslib — uFork/FPGA — uberClock — vm-builder NGI Zero Discovery NGI0 Discovery was a grant programme that ran from 2018-2022, funding projects enabling search and discovery as part of the Next Generation Internet initiative of the European Commission. 
For a more complete description see the home page of the fund: NGI Zero Discovery.OCCRP Aleph disambiguation — AREXERA Crawler — Babelia — Blink RELOAD — Bonfire Search & Discovery — Castopod — Castopod Mobile — Discover and move your coins by yourself — Connect by Name — Conzept encyclopedia — Record Federation for Corteza Clouds — Corteza Discovery — Privacy Infrastructure for Corteza Federations — ArtistHub — DeltaBot — Extend EFI support in BSDs — EDeA — AEAP — Email for expert news — The search for ethical Apps — FairSync — searx — First Classify Documents — Folksonomy engine for the food ecosystem — ForgeFed — Funkwhale — GNU Name System — GNU social — Tooling to improve security and trust in GNU Guix — Geolexica reverse — Federated software forges with Gitea — Real time graph database search engine — The Open Green Web — Haketilo/Hydrilla — Great scanning and OCR for mobile devices — Hubzilla — ipfs-search.com — Icebreaker — IN COMMON — In-document search — Practical Tools to Build the Context Web — Indigenous — Interpeer — Inventaire — Inventaire recommender — Irdest — Karrot — Kazarma — Keyoxide — Collabora Online and LibreOffice — lemmur — Lemmy — Lemmy Federation — XMPP-ActivityPub gateway — Librecast Live — LinkedDataHub — MaDada — Mailpile Search Integration — Mangaki — Mastodon - groups, filtering, moderation — Mepo — Practical Decentralised Search and Discovery — Meta-Press.es — Meta-Press.es — Mobilizon — MoboSearch — Mynij — NEFUSI — Namecoin: ZeroNet and Packaging — Namecoin: Core Infrastructure — neuropil — Nextcloud — Nominatim — Nyxt — Nyxt — Open Know-How Search — OSF Crawler Cooperation — OpenStreetMap Speed Limits — Offen — Omnom — Personal Food Facts — Open Hospitality Network — Openki.net — Owncast — P2Pcollab — PRESC Classifier Copies Package — The PeARS app — PeerDB Search — PeerTube — Extending PeerTube — peermaps — A Distributed Software Stack For Co-operation — PixelDroid — Pixelfed Live — Pixelfed — Plaudit — Poliscoops — 
PrivateRecSys — Private Searx — Re-isearch — Great OCR for SANE — SCION-RAINS — SCION-Pathdiscovery — Geographic tagging of Routing and Forwarding — SWH package manager Data Ingestion — Storing Efficiently Our Software Heritage — Adera — SEARXR — searx — Dynamic indexing for real time graph database — SensifAI — Simmel — Software Heritage — Solid Application Interoperability — Solid-NextCloud app — Solid-Search — Solid Application Interoperability — Sonar: a modular peer-to-peer search engine — sourcehut — Spritely — StreetComplete — StreetComplete — StreetComplete UX — URL Frontier 2.0 — URL Frontier — variation graph (vgteam) — Web Annotation — WebXray Discovery — XWiki — WikiRate Insights — WikiRate Insights 2 — WordPress ActivityPub — XWiki ActivityPub — YaCy Grid SaaS — ZetaOffice — dweb-search — elRepo.io - Resilient, distributed content sharing — fediverse.space — fwupd — Handling Data from IPv6 Scanning — Minedive — Software vulnerability discovery — openEngiadina — Privacy Preserving Disease Tracking — Search and Displace — Free Software Vulnerability Database NGI Zero PET NGI0 PET was a grant programme that ran from 2018-2022, funding projects working on enhancing privacy and trust of internet and related technologies as part of the Next Generation Internet initiative of the European Commission. For a more complete description see the home page of the fund: NGI Zero PET.LibreCellular — AI-VPN — Analog/Mixed-Signal Library — Accessible security — Alder Lake Desktop — Autocrypt for Thunderbird — BBBsecureChat — Balthazar — Balthazar - One laptop for the new internet age. 
— Betrusted OS — Betrusted software — Betrusted Storage — Briar — LibrEDA — Zerocat Chipflasher Flashrom Interface — Chips4Makers ASICs — Conversations — Libre-SOC, Coriolis2 ASIC Layout Collaboration — CryptPad: Project Dialogue — CryptPad — CryptPad for communities — GNU Guix - Cuirass — DCnets — Dat Private Network — Structuring the System Layer with Dataspaces — Dino — Distributed Private Trust — EEZ DIB — EGIL SCIM client — Edalize ASIC backend — Etebase - protocol and encryption enhancements — EteSync - iOS application — Tracking the Trackers — Fractal — Fix the Pitch Black Attack in Freenet routing — GNU Mes — GNU Mes on ARM — GNU Mes: Full Source bootstrap — GNU Taler — GPG Lacre project — GoatCounter — Implement sound support in the Hurd — A proof of concept of identity-based encryption — IMSI Pseudonymization — IRMA made easy — YunoHost and the Internet Cube — JavaScript Restrictor — JShelter — End-To-End Encryption for Jitsi Meet — Verified Differential Privacy for Julia — Kaidan — Kaidan A/V — Improve Email Encryption in KMail — ARPA2 LDAP Middleware — Liberaforms — Libre-SOC — LibreSilicon — Libre Silicon compiler — Standard Cell Library — Port of AMDVLK/RADV 3D Driver to the Libre-SOC — Libre-SOC Formal Correctness Proofs — Libre-SOC Formal Standards Development — Libre-SOC Video Acceleration — Lightmeter — Usability of Linux firewall userspace tools — LumoSQL — Luna PnR — MNT Reform — Maemo Leste — Manyverse — MEGA65 Phone — MobileAtlas — Mobile Test Farm — Mosaic — Movim — Nitrokey — NoScript Contextual Policies & LAN protection — Nym Credentials — Off-the-Record messaging version 4 — OnBaSca — Opaque Sphinx — Opaque Sphinx Server and Clients — DRTM implementation for AMD processors — OpenPGP Certificate Authority — 802.11n feature of openwifi — PGP4civiCRM — Securing PLCs via embedded protocol adapters — Privacy Enhancements for PowerDNS and DNSdist — Qubes OS — RISC-V Phone — RNP Confium — Redwax — Reowolf — Graphics acceleration on Replicant — 
Finish porting Replicant to newer Android version — Ricochet Refresh — Ripple — Robotnix — Rust Threadpool — SASL XMSS — SASL Works for the InternetWide Architecture — SpinalHDL, VexRiscv, SaxonSoc — SeedVault — Solid Control — Spectrum — Secure User Interfaces (Spritely) — Suhosin-NG — Sylk chat — Sylk Client — Sylk Mobile — RETETRA — TLS-KDH mbed — Padding Machines for Tor — Build Transparency (Trustix) — ULX4M — Universal DID Resolver and Registrar — ValOS Cryptographic Content Security project — Noise Explorer-VerifPal — Verifpal — VFRAME: Visual Defense Tools — video box — Video chat privacy — Free Software Vulnerability Database — Waasabi Framework — Web Shell — WireGuard — Wireguard Windows client — Wireguard Rust Implementation — Wishbone Streaming — ZSipOs — ARPA2 resource ACL and HTTP SASL modules for NGINX — betrusted — Bitmask — Katzenpost — DNSSEC Key Signing Suite — libspng — mobile-nixos — node-Tor — offen — pcb-rnd — postmarketOS — x86-64 VM Monitor for seL4 verified microkernel — Vita — Wireguard NGI0 Commons Fund NGI0 Commons Fund is a grant programme funding projects about reclaiming the public nature of the internet, as part of the Next Generation Internet initiative of the European Commission. 
For a more complete description see the home page of the fund: NGI Zero Commons Fund. 5C — Adno — iOS support for AccessKit — ActivityPods 3.0 — Ada Bootstrap Compiler — Aerogramme 1.0 — Aiohttp type checking — Alaveteli GDPR and Search — Alps Webmail — Amaranth HDL — Yama Analytics — Mifos X (Apache Fineract) — Arcan-A12 Endpoints — Archiyou — Arkin — AtomicServer Local-First — Authlib — Autogram 2.0 — BB3-CM5 — Bab — BeaconDB — BigBlueButton server-side plugins — Borg - European Graphics Processing Unit — Bottles — BrailleRAP — Bromal — Bubble-up — C/C++ Package Registry — CARGO — TramaBOL — Pushing forward for CSS Print — CalDAV Notes — Capability-based security for Redox — Circuit Painter — CityBikes — Implement inline Verilog/VHDL through Yosys — ClassQuiz — Clearance — Code Genetics — Miru Collaborative Video Editor — Upstreaming Sailfish OS ConnMan improvements — OpenPGP refresh for Conversations — Support for Microblogging and Social Feeds to Converse — Converse XMPP Chat on Mobile — Latest OMEMO support to Converse.js with libomemo.js — Convo XMPP client — Coreblocks RISC-V processor core — Open-source firmware for modern AMD boards — Open-source firmware for modern AMD boards part 2 — Fully Open Chip Design — Adding redaction to Cpdf — CryptPad Notes — CryptPad Scalable Server — CurveForge — Securing Internet protocols with decentralized identity — DataLab Experimental Web interface (DEW) — Data Package implementation in TypeScript — DatamiPods — Decidim revamp — Diesel CLI — Dino — DjNRO upgrade and wifi mapping — DocSpec to Rust/WASM — Dokieli Collaborative — Domino: Security Proofs that Scale — Drupal ActivityPub Social Recipe — Drupal ActivityPub module usability enhancements — Embeddable Common Lisp — EMerge — EPE (Ecran-Papier-Editer | Screen-Paper-Editing) — E-Paper Open Standards (EPOS) — Asynchronous ESP32 802.11 MAC — EVQI — EcoNet Linux — Empowering Mobilizon — Erik Synchronization Protocol for RPKI — Every Door — F-Droid Architecture for 
Reproducible Apps — F3D — F3D Animations, Rendering and Integrations — FederatedCode Next — Interoperability of Events in the Fediverse — Expanding the Felix86 emulator — Fidus Writer modularisation — Filling the Gaps in Testing Open-Source Firmware — Flatline Server — Flock XR — Flock XR: Keyboard + Mobile/Touchscreen UX — flohmarkt — flop! — Follow-me slideshow for Collabora Online — Forgejo — Formulas — Wikirate Frameworks — Frictionless libraries — KiCad Frontpanel Generator — Funfedi.dev — Funkwhale Federation — FuseSoc-compatible Web Catalog — GLOW-SG13G2 (Gate Library for Open Flow - SG13G2) — New data types for GNU Octave — Galene — Maturing the Gancio back-end — Garage Administration UI — Garage reliability and performance — USB 3 PHY implementation on GateMate FPGAs — Geoloquent — SIP improvements for GNOME Calls — Verilog-AMS in Gnucap — GoActivityPub — GoToSocial performance & connectivity — Graphite 2D graphics editor — (H)IDE for Guile Hoot — Bring x86_64-gnu (the 64bit Hurd) to Guix — Reproducible bootstrap path for 'Node.js' based on GNU Guix — Blind crypto and OAuth2 for ARPA2 — Heavy Compiler Collection — Nix Integration for Hop3 — Hubzilla performance improvements — Husk — Hyper 8 Video System — Universal Sensor Libraries — Space grade Instrumentation Amplifier ASIC — Incroxigraph — Icosa Gallery — Federating pedagogical immersive experiences — Collabora Online Multi-user Infinite Canvas — IronCalc for Nextcloud — IronCalc — Ironclad - Networking developments — JShelter UX — Accessible KDE File Management — KDE Plasma Gestures — Kaidan MUC + legacy OMEMO — Support for 64-bit integer expressions in Kaitai Struct — Kdenlive — KiCad-10 — Linked Data Objects (LDO) Upkeep and Upgrade — LLM2FPGA — LUNA SuperSpeed USB Improvements — Domain-specific LabPlot — Land — LeanFTL — LeanFTL Extreme Wear Leveling — Lens/FreeCAD integration — LiberaForms — Libre-Chip CPU with proof of No Spectre bugs — LibreCellular 5G — Portable Libre Diagnostic — LibrePCB 2.0 — 
LibreSilicon: Pad Cell Generator — Librecast Studio — Updating Solid test harnesses for Linked Web Storage — Dual SIM for Mobile Linux — LinuxBoot for all — Livebook — Loops Live — MetaMorph — Porting the Lucid Language to Open Platforms — Open source MILAN hardware and software stack — MNT Reform Touch — Test Procedures for MOSFET SPICE Model Validation — MOTIS — Multipath TCP on Linux — Mainline Linux on ARM Chromebooks — Macaw Instant Messenger Web/Desktop — Machine Usable Output for Sequoia — Maemo Leste Daedalus — Web on Managarm: Usability, Stability, Security — Manyfold — Manyfold; Printing, Customisation, and Versioning — Mapterhorn Imagery — Massive FOSS scan — Mastodon for institutions — Matridge spaces — Mautic Portability Phase 2 — Mautic Portability — Maven Heaven — WireGuard as a MirageOS unikernel — Federating Mirlo — Mobile Typst editor — Open Terms Archive vendor lock-in break — muchrooms — Multitenant CAS — Mustang - UI components — Mustang UX — NVE — Timing Modeling and Integrated Verification in Naja — Nanoarguments — NextGraph Framework — Nitrokey 3 Storage — Nitrokey 3 FIDO2 Level 2 — NoScript Commons Library: Surrogate Scripts — NodeBB context discovery — Noise Nugget — Open Beam Interface Lite — Distributed object programming in Dart — E2EE OCapN Federated Relays — ORION — Oils for Unix — Owi 2 — Ontogen and Mud — Open Source Battery Management System (OpenBMS) — WPA3 support for OpenBSD 802.11 wireless — OpenCartoCam — OpenCloud Federation — openCologne/PCIe — OpenEPT Ecosystem — Open Everything Facts — OpenFlexure Microscope — Open Logic - Signal Processing Elements — Modern High-Level Python OpenPGP library — Open Prices - Scaling price collection — OpenStreetMap-NG — OpenTough — Open Virtual File System (VFS) for Linux — OpenVoiceOS - From Beta to Breakthrough — Openki Roles — Reduce osm2pgsql resource usage — Configurable Communication Channels for qaul — Open-source accelerator platform for large FPGAs — Open PCIe and M.2 hardware and 
software platform — Native DTLS 1.3 implementation in Go — Secure Apache PLC4J — Padne — Modernizing Paged.js Web-to-Print — Panoramax — Panoramax video uploads — Papis — Parley — Parley - rich text layout library — PdfDing — Peertube plugin livechat — PeerTube for Institutions — Hassle-free Peppol bootstrapping and onboarding — Yrs persistent documents — Port Phosh to GTK4/libadwaita — pimsync — Pinbot — Pnut — Pnut everywhere — PodOS — Podlibre — Polyglot jaq — Pomme d’API — PowerCommons — Provability Fabric — PyCM — PyUVM SPI Verification Component — Adding 32-bit ARM support to QBE and Hare — QGIS Panoramax Plugin — Vector based similarity search index for QLever database — Qryptr — RA-Sentinel AoA — RA-Sentinel Code Liberation — Reduced Feature-set Packet Filter — RIVET — Lix RPC — Re-isearch Schmate — Reach — io_uring-like IO for Redox — Redwax Server Modernisation — Renderling ecosystem — Repath Studio — Reproducible Builds in the Scala ecosystem — Ricochet Refresh UX — Element Call on Cisco Room hardware — Rusted Platform Module (RPM) — SDCC — SSH Stamp — An OpenScience flavour of Bonfire on NixOS for preprints — SecurEAP: Secure Enterprise Wi-Fi on Linux — SelectCast: Anycast in Path Aware Networks — Quantum-Safe Cryptography in Sequoia PGP — Serverless and Metadata Reduction for XMPP — Project SERVFAIL — Servo Editability and Interactivity Enhancements — Servo WebAPIs for Service Worker — ShapeThing SHACL renderer — Shinobi — Signature PDF — Internationalization (i18n) for Silex — Herbees — Slint Visual Editor — Slintify LibrePCB 2.0 — Slips Immune I — Slipshow — Smart lookup & inference for Semantic Data — Sniffnet — Remote Sniffnet — Solar FemtoTX motherboard — Solid-ActivityPub Interop — FedCM for Solid — SolidOS — solidtime — Sortix os-test — Spacylize — Spectrum: Virtualisation Platform — SpinalWaves & SpinalTrace — StreetComplete Multiplatform — Sylk Contacts — T-Rust - In Rust we Trust — TBD DSP toolkit — The Ultimate Bookkeeping System — Tenzu — 
TerosHDL usability — TeXlyre — Tiliqua — Tin Snipe DAQ — TinkerFlow — Automatic component and via placement for Topola — Torch Lens Maker — TouchUp — TrailBase — TrenchBoot - DRTM launch between coreboot and UEFI payload — Typed Nix — Typst PDF Accessibility — Advanced UEFI Capsule Update for coreboot with EDK II — uberDDR4 — Universal EInk Solutions — VACASK — Verified Credentials with zero-knowledge SPARQL queries — VeriBench — Verilog-A distiller — VersaTiles — SWD Debug support in VexRiscv — Vivliostyle — Enhancing vula and related libraries — ActivityPub Polls for WordPress — Wsdr — Waytale — Waterfall — Wiktionary QA tools — XR Fragments Teamware — Yanartas — Privacy-friendly online age verification — YunoHost Packaging + Declarative Settings — ZSWatch — Zosimos — Zrythm — allowd — Bcachefs userspace integration — bhyve idle load mitigation — cables.gl editor features — claim.li — ePoc — Ejabberd Great Invitations — embedded-cal — iTowns — Kernel DMA Protection Patcher (kdmap-patcher) — Improving asynchronous execution in GNUnet — librice — Machine-check usability — mgmt config — minipgp6 — Nix Store disk usage improvements — Building blocks for Resilient Time — openENOC — p2panda System Service — postmarketOS v25.12 + v26.06 — Project Unnamed — PurlValidator — raylib — rust-query — schc-rs — Ties — uMap Vector Tiles — uberWAVE — wcoord (wireless-coordination) NGI0 Entrust Trustworthiness and data sovereignty NGI0 Entrust was a grant programme that ran from 2022-2026, funding projects working towards trustworthiness and data sovereignty, as part of the Next Generation Internet initiative of the European Commission. 
For a more complete description see the home page of the fund: NGI Zero Entrust. ARMify — AVantGaRDe — ActivityPods — Agorakit — AlekSIS — Apicula — Apicula IO primitives — Automating mobile app interception with Frida — Perspectives: Making Models — Arcan-A12 — Atomic Tables — BB3-CM4 — Back to source: trust but verify all the packages — Balthazar Casing — Bana — Blink for Windows — BlockNote — Bonfire federated groups — Bonfire Framework — BrailleRAP — CRAVEX — Converged Security Suite +AMD — Canaille — Castopod Plugins — Charon — Anchorboot — Cloud hosting service portability — Coloquinte — Commune — CryptPad Blueprints — DANCE4All — DAVx⁵ WebDAV Push — DMT — DNSvizor — DUT Control — Delta Tauri — DeltaTouch — DeviceCode — Distributed GNU Shepherd — Dokieli — Dolphin authorisation — EDeA — EEZ Studio — EEZ flow for EEZ Studio — ELF tools in Rust — EduLuanti — Elm Matrix SDK — EventFahrplan — FABulous Demo SoC — FOSS Code Supply Chain Assurance II — FPGA Fault Injection Testing — Faircamp 1.0 — FastWave — Federated software forges with Forgejo — Software metadata — FediMod FIRES — Fidus Writer — Flarum — Fleetbase on Solid: A production-ready supply chain solution — ForgeFed — ForgeFlux — Forgejo — Native IFC for FreeCAD — Data packages — Funkwhale — GNS Migration and Zone Management — Taler for local currencies. 
— GNUnet CONG — Garage — Genealogos — Verilog-AMS in Gnucap (cont'd) — Verilog-AMS in Gnucap — GoToSocial — GoToSocial — Gorgon CI — Haphaestus — Hardware accelerated 2D graphics — OCap layer for Haskell actor library — Icestudio — Icosa Gallery — Inko — Inochi2D — Inventaire Self-hosted — Irdest - OpenWRT Image and Bluetooth LE — Irdest spec, db, route scoring — Threat intelligence sharing — JShelter Manifest V3 — JellyfishOPP — Kaidan Auth + portability — Improving and extending Kaitai Struct — Karrot — Katzen Metadata Minimizing Messenger — Kazarma Release — Kbin — /kbin — KiKit — Wireguard-1GE FPGA — Krill High Availability — Collabora Online/LibreOffice Accessibility — LibreOffice/Collabora Online typography — Lemmy private communities — Libre-SOC HPC — Libre-SOC OpenPOWER ISA WG — SCIM integrations — Libre Car Control — LibreCellular — LibreOffice CRDT — LibrePCB — LibreQoS — Liminix — LiteX — LunaPnR Phase 2 — Mainstreaming Anonymity for Developers (MAD) — MNT Reform Next — The MacBook Liberation Project — Machdyne — Mailpile 2 (moggie) — Makatea — Manas — MapComplete — Marginalia Search — Catalogs in MariaDB — ActivityPub Quote Posts — Modular Meta-Press.es — MobileAtlas — Mobroute — Caster — Monal IM UI — Mox — Naja — Naja DNL — NaxRiscv core improvements — Nitrokey 3 — Nitter — Debug Adapter with Nix — Nominatim as a library — Nyxt Webextensions — OVT 13 — Oils for Unix — Oku — Open Energy Profiler Toolset — Ordie — Organic Maps — Overte — p2panda: group encryption and capabilities — PTP gateware with openXC7 — Passthrough Authentication — Popularizing PeerTube — Peertube plugin livechat — PeerTube - Remote Transcoding — Manyfold — Pimalaya: email — PixelDroid/Media editor — Pixelfed — pretalx — Pythonic Slint — RA-Sentinel — RADIUSdesk Multi WAN — RAIJIN — RETETRA3 — Fast RSA + PQ Blind Signatures — Raptor Lake Desktop — Python bindings to the rattler library — ReOxide — Redox Flow Battery — Replicant on Pinephone 1.2 — Reproducible F-Droid — 
Reproducible-openSUSE — pcb-rnd, sch-rnd — Rotonda Secure Extensions — WWW SCION — SDCC — SIP RELOAD — Cell broadcast support for the Linux Mobile Stack — Software Heritage listers + tooling — SeedVault Integrity — SelfPrivacy — #Seppo! — Servo — Servo CSS — SiCl4 — Silicon verification — FuSa proven Slint — Solid Compound — Solid Data Modules — Solid Application Interoperability — Solid Usable App Tools Project — Space Tube — Spectrum Applications — Squishy — Stalwart Mail Server — Stract — StreetComplete/AllThePlaces — TISG trustable image sensor gateware — TOS;DR OTA backend — GNU Taler wallet app for iOS — TerosHDL: OSS, GHDL, NVC — Threshold OPRFs — Topola — Tracking weasel — TrenchBoot for AMD platform in Linux kernel — Trenchboot as Anti Evil Maid — UEFI Capsule Update for coreboot with EDK II — UberDDR3 — Reverse Engineering Toolkit — Enhancing vula with IPv6 and REUNION rendezvous — DeltaChat/WebXDC — webxdc PUSH — WebXDC XMPP — Whisperfish — WireGuard on FPGA — Wolvic — Wolvic User Interface — Event Federation Plugin for WordPress — XR Fragments — Yrs weak links — Bcachefs — Cpdf Accessibility — cables.gl — Elliptic curve encryption speed-up using SIMD — django-allauth — it — jaq — lib25519 for ARM — libspng APNG — mCaptcha — mikroPhone — mitmproxy — Improvements for next generation Linux firewalling — Strengthening NTP and NTS in ntpd-rs — openCologne — openXC7 — S-SATA for openXC7 — purl2all — purl2sym — scalePNR — Σ-protocols — uFork — uMap — vdirsyncer/pimsync — xrsh NREN Projects relevant to the research and higher education community: How AdTech works — Democratic SendComm Network Applications Software application development projects based upon Internet technology. A-A-P — BlenderWeb — CP2PC — CUGAR — Dowse — FileSender — FreeBSD-3G — FSF Priority — JigLibJS — LogReport — Mail::Box — Meemoo — Morphle — NILO — Parrot — Proxy App — PulseAudio — Sabayon — TimeWalker — VDD — VirtNet Network infrastructure Network infrastructure incl. 
routing, P2P and VPN: 0WM — AI-VPN — Accessible security — Detecting Forged-Origin BGP hijacks — CAKE-MAINT — CNSPRCY — CryptPad: Project Dialogue — Distributed GNU Shepherd — Open source ESP32 802.11 MAC — Fix the Pitch Black Attack in Freenet routing — GNUnet CONG — Layer-2-Overlay — GNUnet Messenger API — Gosling — OCap layer for Haskell actor library — SCE, DelTiC and Antler — Holo Routing — Hypermachines: Realtime and Collaborative P2P Search — IPv6-monostack - upstream Linux SIIT/NAT64 — Interpeer — Irdest - OpenWRT Image and Bluetooth LE — Irdest IP Traffic Proxy — Irdest spec, db, route scoring — Verified Differential Privacy for Julia — Standardizing KEMTLS — Katzen — Wireguard-1GE FPGA — Krill High Availability — Let's Connect! Client-Server to P2P — Librecast — LibreQoS — LibreQoS 2.1 — The Libre-SOC Gigabit Router — Librecast Overlay Multicast — Mainstreaming Anonymity for Developers (MAD) — MPTCP — Improving the deployability of Multipath TCP — Improving the deployability of Multipath TCP, part 2 — Practical Decentralised Search and Discovery — MirageVPN — Movedata — Packet classification extensions for Netfilter — neuropil — NixBox — Adopting the Noise Key Exchange in Tox — Nyxt — OpenHarbors — Securing PLCs via embedded protocol adapters — Statime — PeerTube — Peertube-Desktop — Privacy Enhancements for PowerDNS and DNSdist — Probabilistic NAT Traversal — R5N-DHT — Radio-Meshnet — Robur private DNS resolver and DHCP server — Rosenpass Broker — Rotonda Secure Extensions — SCION Open Source Implementation — WWW SCION — Toward a Fully-Verified SCION Router II — SES - SimplyEdit Spaces — Cell broadcast support for the Linux Mobile Stack — smoltcp RPL — SocksTrace — Peer-to-Peer Access to Our Software Heritage — Spritely (and OCapN) — Statime PTP Master — RETETRA — TSCH-rs — TrustING — Build Transparency (Trustix) — Toward a Fully-Verified SCION Router — Vula — Waasabi Framework — Winden/Magic Wormhole dilation — WireGuard on FPGA — WireGuard — Wireguard 
Windows client — Wireguard Rust Implementation — Yrs — Yrs Undo — Yrs weak links — Bitmask — dhcpcanon — it — Katzenpost — libresilient — librice — Securing Decentralised Live Information with m-ld — Minedive — mitmproxy — Improvements for next generation Linux firewalling — node-Tor — Strengthening NTP and NTS in ntpd-rs — reqwest — Vita — Wireguard Open Social Fund Promoting the healthy development of the Fediverse: ActivityPub community steward — Progressive Web App - ActivityPub API — Betula — Connected Places — EU Voice-Video case study — Fediverser — Govdirectory — Nitro Porter support expansion OpenData Projects to facilitate the creation, collection and curation of free information. Record Federation for Corteza Clouds — Folksonomy engine for the food ecosystem — The Open Green Web — Nominatim — Personal Food Facts — Plaudit — Software Heritage — Solid-Search — StreetComplete — WebXray Discovery — Fashion Freedom — LTSP Deskop — OpenStreetMapNL — Searsia — TOS;DR — Free Software Vulnerability Database OpenDocument Format Enable future proof office documents. AbiCollab — AbiMacOS — AbiRDF — AbiRDF2 — Calligra-SVG — Calligra-Windows — FLOSS-manuals — Kolab-Sync — LibreDocs — Lokalize — ODF-AbiChanges — ODF-AbiChanges2 — ODF-AbiWord — ODF-changes — ODF-changes2 — ODF-compare — ODF-DocMod — ODF-KOffice — ODF-KOffice2 — ODF-KOffice3 — ODF-KOffice4 — ODF-Numbertext — ODF-Recipes — ODF-Symbian — ODF-Valid — ODF-XLIFF — ODF Autotests — OdfKit — odfsvn — OfficeShots — SIPcollab — ViewerJS — WebODF — WebODF-Dissem Operating Systems Operating Systems, firmware and virtualisation: Firmwire full-system 5G baseband emulation — Android translation layer (ATL) — Accessible security — Alder Lake Desktop — Arcan-A12 Directory — Arcan-A12 Tools — Heads-OpenPGP — Betrusted OS — Betrusted software — Converged Security Suite Improvements — Converged Security Suite +AMD — Anchorboot — Cloud hosting service portability — GNU Guix - Cuirass — Structuring the System Layer with Dataspaces 
— DeviceCode — Extend EFI support in BSDs — Open source ESP32 802.11 MAC — Fobnail — GNU Mes — Full-source GNU Mes on ARM and RISC-V — GNU Mes RISC-V — RISC-V bootstrapping effort via GNU Mes — GNU Mes on ARM — GNU Mes: Full Source bootstrap — GNU Mes Tower — GNU Guix — Tooling to improve security and trust in GNU Guix — Gash — Genealogos — Genodepkgs — Grate project — Guix Peer-to-Peer substitutes — Porting Guix to Riscv64 — Guix-Daemon — TPM 2.0 for HEADS — Nix Integration for Hop3 — Implement sound support in the Hurd — Ironclad — KDE Plasma Wayland — KWin and Wayland input — Liminix — Usability of Linux firewall userspace tools — Mainline Linux on ARM Chromebooks — The MacBook Liberation Project — Maemo Leste — Maemo Leste Telepathy — Makatea — Mobile Test Farm — Mollymawk — Securing NixOS services with systemd — UEFI Secure Boot support for NixOS — Nominatim — Oil Shell — Oil Shell — Oils for Unix — OpenCryptoLinux — Better support for display notches and cutouts in Phosh — Proper Webcam support in Qemu — Qubes OS — Raptor Lake Desktop — Redox OS Unix-style Signals — Replicant on Guix — Replicant on Pinephone 1.2 — Graphics acceleration on Replicant — Finish porting Replicant to newer Android version — NetBSD Reproducibility — Reproducible-openSUSE — Robotnix — Free and open source NPU Drivers — Rocket CWMP — Storing Efficiently Our Software Heritage — Security audit of Sailfish FOSS components — SpinalHDL, VexRiscv, SaxonSoc — Secure Web Tokens for Linux — SelfPrivacy — Adding TPM Support to Sequoia PGP — Multiprocess Mode in Servo — SiCl4 — Snix-{Store/Build} — Spectrum — Spectrum Applications — Transitioning SMM Ownership to Linuxboot — Servo Webview for Tauri — Termux — TrenchBoot as Anti Evil Maid - UEFI boot mode support — TrenchBoot for AMD platform in Linux kernel — Trenchboot as Anti Evil Maid — Trustix — Tvix — UEFI isolation in VM from non UEFI firmware — UEFI Capsule Update for coreboot with EDK II — Verso Views — Webview library with Verso for 
Tauri — video box — OpenIMSd — Free Software Vulnerability Database — Integration of Waydroid on mobile GNU/Linux — Wayland input method support — Web Shell — XWiki — ZSipOs — Bcachefs — fwupd — libnix — Verifying and documenting live-bootstrap — mobile-nixos — Multisoni — Software vulnerability discovery — openXC7 — p4-nix — postmarketOS: v23.12 and v24.06 Releases — postmarketOS — postmarketOS daemons — Reproducible Builds — x86-64 VM Monitor for seL4 verified microkernel — tslib — Free Software Vulnerability Database — xrsh Privacy and security Projects to understand, safeguard and/or improve privacy and security in communication. ELF Linking — PSYC2 — Anomos — Deep Firmware — DIFR-TSPM — DNSSEC-mail — e-Passports — FileSender — FTEproxy — Global Directories — GNUnet — GoogleSharing — GSM-Sec — HTTPS-Obs — Jitsi-FMJ — Ksplice — Ksplice2 — Lantern — LEAP/Torbirdy — Mailman-SSLS — NetAidKit — Faster and configurable datapath/Linux xfrm — NoScriptABE — NoScript-Andr — NoScript-Mob — NoScript-Mob2 — Cryptech.is — OSN-PPCP — OV-Chipkaart — Pitchfork — Qubes — RFID Guardian — RFID Guardian(2) — Samizdat — Seahorse SmartCard — Searsia — Searx — SecuShare — Online Self-defence in Ten Minutes — Shadow Internet — Magic Wormhole/SPAKE2 — Stratosphere IPS — Stubby — Tor hidden services — Tor low-bandwidth — Tracking Exposed — Trusted Boot Module — Turtle — Unhosted — Unhosted — XSSer Reports and studies Research to advance the knowledge on themes relevant to NLnet: Assessing Cyber Security — The third mainport — NOMA Services + Applications Services + Applications (e.g. 
email, instant messaging, video chat, collaboration): ActivityPods — AlekSIS — AlekSIS: Integration and Communication — Perspectives: Making Models — AREXERA Crawler — Autocrypt for Thunderbird — Interpretation feature for Big Blue Button — BBBsecureChat — Bana — Betrusted software — Blink Qt Messaging — Blink for Windows — Blink RELOAD — BlockNote — Bonfire Search & Discovery — Bonfire federated groups — Bonfire Framework — Briar — Briar Desktop — Castopod — Castopod Mobile — Castopod Plugins — Discover and move your coins by yourself — Commune — Conversations — Conversations 3.0 — Privacy Infrastructure for Corteza Federations — ArtistHub — Cross-root ARIA — CryptPad Auth — CryptPad — CryptPad for communities — Redash — DatamiPods — Decidim revamp — DeltaBot — DeltaTouch — Dino — Dokieli — Draupnir — EDeA — Encoding for Robust Immutable Storage (ERIS) — Elm Matrix SDK — AEAP — Email <=> XMPP gateway — Thunderbird - native EteSync integration — EventFahrplan — Exter — F3D — FairSync — Federated Timesheets — FediMod FIRES — Fediverse Test Framework — Fidus Writer — Enhancing Firefox for Linux on Mobile — Flarum — Follow-me slideshow for Collabora Online — ForgeFed — ForgeFed — Fractal — Native IFC for FreeCAD — Funkwhale — Funkwhale — GNU social — GNU Taler — GNUnet Messenger API — GPG Lacre project — Galene — Gancio — GoToSocial — GoToSocial — Gosling — Goupile — Haketilo/Hydrilla — Haphaestus — Hubzilla — Indigenous — Collabora Online Multi-user Infinite Canvas — Inventaire — Inventaire Self-hosted — IronCalc — JShelter Manifest V3 — End-To-End Encryption for Jitsi Meet — Knowledge Graph Portal Generator — Kaidan — Kaidan A/V — Kaidan Auth + portability — Kaidan — Karrot — Katzen — Katzen Metadata Minimizing Messenger — Kazarma Release — Kbin — /kbin — Keyoxide Mobile — Kiwi IRC — Improve Email Encryption in KMail — Collabora Online/LibreOffice Accessibility — LO/CODE Book project — Collabora Online and LibreOffice — LibreOffice/Collabora Online typography — Land — 
lemmur — Lemmy — Lemmy private communities — Lemmy Scale — Lemmy Federation — LiberaForms — Liberaforms — XMPP-ActivityPub gateway — Audio/Video Calls in Libervia — Librecast — Lightmeter — Lizard — Loops — Mailpile Search Integration — Mailpile 2 (moggie) — Manyfold — Manyverse — Manyverse Private Groups — Mastodon - groups, filtering, moderation — ActivityPub Quote Posts — MeiliSearch — Mellium — Miru — Misskey — postmarketOS/phosh-mobile-settings integration — Mobilizon — Mobilizon UX — MoboSearch — Mobroute — Monal IM — Monal IM UI — Movim — Movim — Mox — Mox management and automation — Mustang - UI components — Mustang UX — Mynij — NeoChat — Nextcloud — NextGraph Framework — Nitter — NodeBB — Adopting the Noise Key Exchange in Tox — Nyxt Webextensions — Nyxt — Nyxt — Open Know-How Search — Off-the-Record messaging version 4 — Oku — Improve Okular digital signature support — Omnom — Omnom — Opaque Sphinx — OpenAGPS — Open Web Calendar Stack — Openfire IPv6 support — Organic Maps — Overte — Owncast — P2Pcollab — PGP4civiCRM — Popularizing PeerTube — Peertube-Desktop — Extending PeerTube — Peertube plugin livechat — Peppol for the masses — Manyfold — A Distributed Software Stack For Co-operation — PixelDroid — PixelDroid/Media editor — Pixelfed Live — Pixelfed — Pixelfed — Prosody IM — Protomaps — Ricochet Refresh — SES - SimplyEdit Spaces — SensifAI — #Seppo! 
— Servo — Servo: Benchmarking and Statistics — Servo CSS — Multiprocess Mode in Servo — Signature PDF — Slipshow — Solid NC 2024 — Solid-NextCloud app — Solid-Search — Solid Control — Secure User Interfaces (Spritely) — Spritely — StreetComplete UX — Structured Email for Roundcube — Sylk chat — Sylk Client — Sylk Mobile — Road Signs for Digital Payments — Taler-Odoo Payment System — Tantum Search — Tau — Tauri Apps — Teamtype — TypeCell — ValOS Cryptographic Content Security project — VersaTiles — Next Generation Browser Profile Workflow — VFRAME: Visual Defense Tools — Video chat privacy — WPE Android — Waasabi Framework — Independent captions and transcript augmentation — Wax — Improving WebKit on Windows — DeltaChat/WebXDC — Webxdc evolve — Whisperfish — XWiki — Wobble Web — Wolvic — Wolvic User Interface — Event Federation Plugin for WordPress — WordPress ActivityPub — XWiki ActivityPub — Yrs — Yrs Undo — bluetuith — Reinstatement of crypto.signText() — fediverse.space — it — Securing Decentralised Live Information with m-ld — Minedive — Search and Displace — uMap — uMap Vector Tiles SimpleSAMLphp Fund Authentication and Identity Provisioning: SimpleSAMLphp — SimpleSAMLphp 2.6 Software engineering Software engineering, protocols, interoperability, cryptography, algorithms, proofs: 0KNOW — Accessible security — Aiohttp type checking — Alive2 — Ari — Authenticated DNSSEC bootstrapping — Autocrypt for Thunderbird — BIDS: Binary Identification of Dependencies with Search — Back to source: trust but verify all the packages — Bertie — Betrusted Storage — Blink Qt Messaging — BrowserAudit — Bubble-up — Tracing and rebuilding packages — Cable — Canaille — Choreographic Programming: From Theory To Practice — Coko Docs — CryptoLyzer — GNU Guix - Cuirass — DANCE4All — DAVx⁵ WebDAV Push — DCnets — Securing Internet protocols with DIDs — Dat Private Network — DATALISP — Structuring the System Layer with Dataspaces — Delta Tauri — Diesel — dream2nix — ELF tools in Rust — 
Encoding for Robust Immutable Storage (ERIS) — Edalize ASIC backend — LambdaNative F-Droid integration — Friendly Forge Format (F3) — FOSS Code Supply Chain Assurance — FOSS Code Supply Chain Assurance II — FastScan — Feather UI — Federated software forges with Forgejo — FederatedCode Next — Fediverse Test Framework — Fediverse Test Suite — FemtoStar Project — ForgeFlux — Forgejo — GNU Mes — Full-source GNU Mes on ARM and RISC-V — GNU Mes RISC-V — GNU Mes: Full Source bootstrap — GNU Mes Tower — GPG Lacre project — GPGPU Playground — Gash — Gorgon CI — Real time graph database search engine — Open Hardware Manuals — Himalaya — A proof of concept of identity-based encryption — IPDL — IPDL II — Optimized Image Codecs — Inko — Micro25519 — KDE Connect — Standardizing KEMTLS — Improving and extending Kaitai Struct — Kami — Katzen Metadata Minimizing Messenger — Kazarma — Private Key Operations for Keyoxide — Keyoxide v2 — Kiwi IRC — Improve Email Encryption in KMail — ARPA2 LDAP Middleware — XMPP-ActivityPub gateway — The Libre-SOC Gigabit Router — Libre-SOC Formal Correctness Proofs — Librecast Live — Lizard — LumoSQL — LumoSQL at-rest data security — Distributed Trust for Web Servers — MailBox renewal — Mailpile 2 (moggie) — Catalogs in MariaDB — Mellium — Monal IM — Movim — Mox — Mox management and automation — SecSync — NeoChat — neuropil — NextGraph Framework — Nitrokey — Nitrokey 3 — Trussed — Type Inference for Nix — Debug Adapter with Nix — NixOS/Clevis — UEFI Secure Boot support for NixOS — Nyxt — OCaml direct style transition — OCaml-QUIC — Off-the-Record messaging version 4 — owi — Improve Okular digital signature support — Opaque Sphinx Server and Clients — OpenCryptoHW — OpenCryptoLinux — DRTM implementation for AMD processors — Open MLS Infrastructure — Improving OpenSSH's Authentication and PKI — Interoperable Certificate Store for OpenPGP — Hardening OpenPGP CA deployments — p2panda — Adding Web-of-Trust Support to PGPainless — Post-Quantum Crypto in 
DNSSEC — Statime — PTT — Passthrough Authentication — Pijul ecosystem — Pijul Hybrid — Pimalaya: email — Pimalaya PIM — Polyglot jaq — Pre-Scheme — Prosody IM — ProveThis — Pythonic Slint — RADIUSdesk Multi WAN — rasn — RETETRA3 — RNP Confium — Fast RSA + PQ Blind Signatures — ReOxide — Renderling — Reowolf — Replicant on Guix — Ripple — Robotnix — Rosenpass — Rust Threadpool — Rusted Platform Module (RPM) — SASL XMSS — SpinalHDL, VexRiscv, SaxonSoc — Secure Web Tokens for Linux — A Secret Key Store for Sequoia PGP — Adding TPM Support to Sequoia PGP — Sequoia PGP — Sequoia GPG Chameleon — Slint port for Android — Slips Immune I — Solid Wallet — Dual-level Specification Inference — Secure User Interfaces (Spritely) — Spritely Oaken — Stalwart Mail Server — Standards Grammar Catalog/Toolchain — Suhosin-NG — Interledger interoperability inquiry — Timing-Driven Place-and-Route (TDPR) — RETETRA — TLS-KDH mbed — Great Black Swamp — Tauri Apps — Threshold OPRFs — TrustING — Trustix — UnifiedPush — Noise Explorer-VerifPal — Verifpal — Verified Reowolf — Enhancing vula with IPv6 and REUNION rendezvous — webxdc PUSH — WebXDC XMPP — Whippet — XWiki — XMPP Interoperability + Conformance Testing — Zero-allocation web servers in roc — Zilch — Zip linting and bzip2 in Rust — Reinstatement of crypto.signText() — Elliptic curve encryption speed-up using SIMD — imap-codec library — iso14229 — jaq — Katzenpost — lib1305 — lib25519 for ARM — libspng — libspng APNG — libvips — lpnTPM — machine-check — oqsprovider — purl2all — purl2sym — Support for OpenPGP v6 in rPGP — Reproducible Builds — x86-64 VM Monitor for seL4 verified microkernel — Σ-protocols — vdirsyncer/pimsync — Virtualizing device firmware — vm-builder — xqerl User-operated Internet Fund Allow users to collectively own, operate and rewrite every aspect of the technology and network infrastructure they depend on. Armbian — Canarytail — CeroWRT II — Telecommunication in HF over Internet Protocol (IPoHF) — KiCad — Local 
Production of Antennas for LibreRouter (LoPaLiR) — LTE support in OsmoCBC (Cell Broadcast Centre) — GPRS/EGPRS support in Osmocom CNI for Ericsson RBS — Open source ePDG for VoWiFi — Pion — RADIUSdesk VPN Fund Supporting the development of reliable, libre VPN technologiesLet's Connect VPN provisioning — VPN Vulnerability Testing Suite — eduP2P Test Suite — eduVPN Accessibility & UX Improvements — eduVPN app — eduVPN on Apple — eduVPN on Apple part II — eduVPN multi-protocol Verticals + Search Vertical use cases, Search, CommunityAgorakit — Mifos X (Apache Fineract) — Bonfire Search & Discovery — Castopod — COCOLIGHT — Conzept encyclopedia — ArtistHub — Decidim revamp — DeltaBot — Discourse ActivityPub — EGIL SCIM client — EduLuanti — EDeA — Email for expert news — Empowering Mobilizon — Explain — FOSS Warn — FairSync — Faircamp 1.0 — searx — First Classify Documents — Folksonomy engine for the food ecosystem — Funkwhale — Funkwhale — GNU social — Taler for local currencies. — Geolexica reverse — Real time graph database search engine — The Open Green Web — Great scanning and OCR for mobile devices — Hypermachines: Realtime and Collaborative P2P Search — ipfs-search.com — IN COMMON — In-document search — Practical Tools to Build the Context Web — Indigenous — Inochi2D — Inventaire — Inventaire recommender — Karrot — LO/CODE Book project — Lemmy — Lemmy private communities — librarian — Libre Car Control — MaDada — Mangaki — Manyfold — Marginalia Search — Mautic Portability — MeiliSearch — Mepo — Modular Meta-Press.es — Meta-Press.es — Meta-Press.es — Mobilizon — MoboSearch — OSF Crawler Cooperation — OpenCarLink — Personal Food Facts — Open Hospitality Network — Openki.net — OpenStreetMap-NG — Openki Roles — Organic Maps сonvergent UI with Qt Quick/Kirigami — Organic Maps bookmarks, hike and bike — PRESC Classifier Copies Package — The PeARS app — Peertube-Desktop — peermaps — PeerTube - Remote Transcoding — A Distributed Software Stack For Co-operation — PixelDroid 
— Pixelfed — Plaudit — Poliscoops — Pomme d’API — pretalx — Private Searx — Protomaps — Re-isearch Schmate — Re-isearch — Great OCR for SANE — SIP RELOAD — SWH package manager Data Ingestion — Storing Efficiently Our Software Heritage — Adera — searx — Dynamic indexing for real time graph database — Software Heritage — Sonar: a modular peer-to-peer search engine — sourcehut — Space Tube — Stract — TALER Bullion — GNU Taler Tryton/GNUHealth integration — TOS;DR OTA backend — GNU Taler wallet app for iOS — Transparency Toolkit — HTML export for Typst — URL Frontier 2.0 — URL Frontier — variation graph (vgteam) — WeasyPrint — Web Annotation — XWiki — XR Fragments — YaCy Grid SaaS — Cpdf Accessibility — cables.gl — dweb-search — elRepo.io - Resilient, distributed content sharing — mCaptcha e-Commons Fund Contributing to digital commons and digital public goodsIn-memory Krill — Mox API — OpaqueStore/Sphinx 2.0 — bzip2 in Rust — FreeBSD sudo-rs "},{"title":"e-Commons Fund","url":"https://nlnet.nl/thema/e-CommonsFund.html","description":" e-Commons Fund Contributing to digital commons and digital public goods This page contains a concise overview of projects funded by NLnet foundation that belong to e-Commons Fund (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. In-memory Krill — Integrate kvx store in Krill RPKI daemon Krill shows users which announcements are seen in BGP based on the resources on their certificate, and uses this information to give suggestions about ROA configurations. Krill stores its data in a simple key-value store. It initially used the file system for this purpose. The kvx library was envisioned as an abstract version of the store that can use different technologies as the backend. 
Initially, in addition to the file system, kvx provided an in-memory store which is already used by Krill for testing, and a store using the PostgreSQL database management system. >> Read more about In-memory Krill Mox API — Modern full-featured open source secure mail server Email is one of the most ubiquitous communication tools of the last several decades, but has accumulated a complexity that makes it hard for people to join the network as a first class citizen. Most email server software is hard to set up, maintain, and improve, hence there is an opportunity for a new generation of email implementations. Mox is a modern email server implementation that makes it easy for people and organizations to run their own mail server, allowing them to stay in control of their own email communication, and keeping email decentralized. All important protocols/mechanisms needed for a modern email setup have been implemented in mox, including: IMAP4, SMTP, SPF, DKIM, DMARC, MTA-STS, TLSRPT, automatic TLS with ACME and Let's Encrypt, IP/domain/bayesian spam filtering, internationalized email, account autoconfiguration. This project will bring an HTTP-based API for sending email, as well as a number of other worthwhile improvements ranging from sending email over SMTP, a better admin web interface and more documentation. >> Read more about Mox API OpaqueStore/Sphinx 2.0 — Store arbitrary sized secrets + IRTF/CFRG compliant SPHINX implementation Most cryptography in current use on the internet depends on a single key held by a single actor, while threshold encryption allows for key material to be split up in multiple parts and kept by different actors - allowing to better hedge risks and create more resilient and more secure ways of working. 
This project leverages so-called Oblivious Pseudo-random Functions (OPRFs) to deliver a number of unique building blocks for a more secure internet: OPAQUEstore, a server that can store arbitrary sized secrets using only a password for decrypting them. And new OPRF-powered implementations of SPHINX client and server which are compliant with the IRTF/CFRG specifications. >> Read more about OpaqueStore/Sphinx 2.0 bzip2 in Rust — Memory safe implementation of bzip2 compression algorithm The `bzip2` compression format is still used in many legacy settings. Consequently, it is part of the supply chain of many projects. To mitigate these risks, this project will deliver a memory-safe implementation of bzip2 through drop-in replacements of the libraries and a safe Rust `bzip2` binary. >> Read more about bzip2 in Rust FreeBSD sudo-rs — Port to FreeBSD and legacy compatibility Sudo is a small but critical system tool that allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. As such, it guards a critical privilege boundary on just about every free and open-source operating system that powers the Internet. sudo-rs is a drop-in replacement for sudo written in Rust. This project will port the tool to FreeBSD, and will address some known bugs and incompatibilities between sudo-rs and sudo. >> Read more about FreeBSD sudo-rs "},{"url":"https://nlnet.nl/thema/Verticals+Search.html","title":"Verticals + Search","description":" Verticals + Search Vertical use cases, Search, Community This page contains a concise overview of projects funded by NLnet foundation that belong to Verticals + Search (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. 
Agorakit — Groupware which is a friendly online home to communities Agorakit is a web-based, open source organization tool for collectives. By creating collaborative groups, people can discuss topics, organize events, store files and keep everyone updated as needed. The tool is very easy to use, participants only need to register with an email, the very low barrier of entry and easy to use user interface make it an ideal tool for heterogeneous groups with people of broadly different backgrounds and skills. Those seem like simple features, but to have access to all those in the same product without friction is in our very humble opinion unique to Agorakit. The scope of this project is to enhance documentation, ease use and installation, and allow external communication (including federation). >> Read more about Agorakit Mifos X (Apache Fineract) — Type safety for/refactoring of Apache Fineract banking software Apache Fineract is a sophisticated core banking system that provides comprehensive financial technology solutions. It offers features for client data management, loan and savings portfolio management, integrated real-time accounting, as well as extensive reporting capabilities. By commoditising core banking infrastructure, Fineract empowers communities and organisations of any size to integrate financial services everywhere. Mifos X includes a payment orchestration engine and mobile banking apps, lowering the threshold to participate in the digital economy. In the scope of this project, type-safety is added to the software, QueryDSL is introduced to generate code and a significant amount of technical debt is resolved. >> Read more about Mifos X (Apache Fineract) Bonfire Search & Discovery — Improving search and discoverability in the Fediverse Bonfire is a modular ecosystem for federated networks. The project creates interoperable toolkits that people can use to easily build their own apps to meet their specific needs. 
Users are then free to interact with multiple people and groups using these apps hosted on their own device, regardless of what federated software these other people use. Federated topics within the Bonfire ecosystem can consist of a hashtag, a category in a taxonomy, a location, etc. This enables users to find a topic they are interested in, see everything that was tagged with that (publicly or in their network), and follow it to receive any new tagged content. This will be interoperable with existing fediverse apps like Mastodon without requiring extra development on their end, and will create a decentralised graph of topics that can help relevant information flow from instance to instance. All content on a Bonfire instance (including remote content coming in via follows or federated topics) will also be aggregated in a local search index with which the user can search their own data, information from people or groups they follow, as well as content from topics or locations they are interested in from around the fediverse. This search will happen locally on their device (which is a plus for privacy), with results appearing instantly while typing a query, and being able to filter the results (e.g., by object or activity type, hashtags, topics, or language). Every line of Bonfire’s code is available to be used or forked, in a collection of libraries that can be assembled and re-assembled to create all kinds of full-featured apps. One example is Bonfire's mutual aid extension where users can post and search for requests and offers across different instances according to topic and/or geographical location. >> Read more about Bonfire Search & Discovery Castopod — Podcasting in the fediverse Castopod is an open-source podcast hosting solution for everyone, that can connect to the Fediverse through the W3C ActivityPub standard (Pixelfed, Mastodon, Pleroma…). Castopod is user friendly, and allows for easy discovery everywhere. 
Whether you are a beginner, an amateur or a professional, you will get everything you need: you can create, upload, publish, manage server subscriptions (WebSub embedded server). You can allow users to listen to your podcast directly, but just as easily connect to commercial directories (Apple, Google, Spotify…). Take back control: interact with your audience on your platform (like, share, comment), the social network IS the podcast. In addition to supporting W3C ActivityPub, you can also export to proprietary social networks (Twitter, Instagram, Youtube, Facebook). Castopod is easily hosted on any PHP/MySQL server: unzip it and you and other podcasters are ready to broadcast professionally. >> Read more about Castopod COCOLIGHT — Lightweight version of Communecter COmmunecter is an open source social and societal platform. COCOLIGHT is a low-tech, lightweight client able to connect to any COmmunecter server, allowing both read and contribution modes. Easy to Install, fully Activity Pub compliant, federating organizations, events, projects and open badges. It allows creating networks of many COPI instances interconnected together and exchanging information and data. >> Read more about COCOLIGHT Conzept encyclopedia — An alternative encyclopedia The Conzept encyclopedia is an attempt to create an encyclopedia for the 21st century. A modern topic-exploration tool based on: Wikipedia, Wikidata, the Open Library, Archive.org, YouTube, the Global Biodiversity Information Facility and many other information sources. A semantic web app built for fun, education and research. Conzept allows you to explore any of the millions of topics on Wikipedia from many different angles - such as science, art, digital books and education - both as a defined semantic entity (\"thing\") as well as a string. Client-side topic-classification in addition allows for a fast, higher-level logic throughout the whole user experience. 
Conzept also has a uniquely integrated user interface, which gives you a single well-designed view of all this information (in any of the 300+ Wikipedia languages), without cognitive overload. >> Read more about Conzept encyclopedia ArtistHub — Allow creative artists to gain visibility and build reputation on the web The Artist Hub is a progressive web app developed by The Creative Passport MTU, that allows users - Music makers - to connect different data sources and display their feeds all in the same global wall arranged in chronological order. Music makers will be able to create a custom fan page on a self-hostable server where all their music and related content can be placed and shared with their fans. The underlying architecture for subscribing to and receiving posts/updates from connected services will be built using ActivityPub. The idea behind this architecture is a free and open-source way for music makers to share their content without needing to post to a number of different websites and social media and for fans to have the freedom to choose their platform of choice for engaging with that content. We will use ActivityPub to aggregate data from a number of platforms. This will enable us to offer support for video (using PeerTube), audio (using Funkwhale), images (using PixelFed) and text (using Mastodon). >> Read more about ArtistHub Decidim revamp — Tools for participatory democracy Decidim is a free and open, digital infrastructure for participatory democracy. Decidim allows to create and configure a web platform to be used as a political network for democratic participation. The platform is freely available for organisations and institutions seeking to initiate participatory processes such as deliberation, decision-making, collaboration, direct democracy and co-design. In order for the project to reach a new stage of technical maturity, the project will overhaul the user experience through a complete redesign of its interface. 
It is necessary to review, order and, if necessary, remove features. This project is focused on doing the less visible, but necessary work, to make the code clean and sustainable in the long term. >> Read more about Decidim revamp DeltaBot — Social discovery over mail-based chat Why make humans be the only ones to search new content that is relevant to you, if bots can be made to do the same on your behalf? The DeltaBot project will research and develop decentralized, e2e-encrypting and socially trustworthy bots for Delta Chat (https://delta.chat). Bots will bridge with messaging platforms like IRC and Matrix, offer media archiving for its users and provide ActivityPub and RSS/Atom integration to allow users to discover new content. Our project is not only to provide well tested and documented Chat Bots in Python but also help others to write and deploy their own custom bots. Bots will perform e2e-encryption by default and we'll explore seamless ways to resist active MITM attacks. >> Read more about DeltaBot Discourse ActivityPub — Connecting internet discussions with ActivityPub Discourse is a modern open source discussion platform. In some ways it can work similarly to email but it is much better suited to large scale group discussions that in turn become searchable (i.e. indexable) items of knowledge on the world wide web (given that the forum is publicly viewable). We are building a two-way mirror for Discourse topics, compatible with the ActivityPub standard. The first iteration of this will be \"Live Topic Links\": When a topic is created on Forum A by pasting a URL to a topic on another Discourse instance (Forum B), the user is prompted \"would you like to sync replies between this forum and the forum you're linking to?\" If the user clicks \"yes,\" replies to the mirror topic on Forum B would be synced back to the topic on Forum A, and vice versa (if Forum B has \"whitelisted\" Forum A). 
>> Read more about Discourse ActivityPub EGIL SCIM client — System for Cross-domain Identity Management Managing student information in an effective, secure and GDPR compliant way is crucial for the digitalized school. EGIL is an open source client that facilitates the exchange of student information to external providers of study material or administrative services in a standardized way. It supports attributes based on SCIM (RFC 7642-7644) and extensions, it provides an interface to common directory services and supports federated solutions between a large number of school principals and service providers. This project will improve EGIL's federative capabilities, submit an Internet-Draft on the subject federated accounts provisioning, as well as providing a proof of concept for using SCIM as the standard for exchange of student information. This will eliminate the problems caused by using several different exchange protocols and formats between school principals and service providers. >> Read more about EGIL SCIM client EduLuanti — Education platform centered around 3D/cube world Luanti EduLuanti (previously known as the MinetestEdu project) is an open-source initiative designed to provide French teachers with tools for using the Minetest video game in the classroom. The aim is to encourage the adoption of open-source tools among educators and students in France and abroad, while contributing to the Luanti community with the development of educational features and customisable graphical elements with a focus on improved filtering of educational mods and enhanced manipulation of 3D data. This initiative follows on from the UNEJ (Urbanités Numériques En Jeux) project, which was developed in the north of Paris and is one of several projects using Luanti for education. 
>> Read more about EduLuanti EDeA — A forge suitable for open hardware development The short version: EDeA is a novel approach to allow exploration of and improve discovery within the open hardware ecosystem - in order to help make open hardware designs and components discoverable and reusable. At this moment in time, pretty much everything surrounding open hardware development is manual. Beyond just typing something into a generic search engine there isn't really suitable tooling available to search across what already exists. Accessible and usable distributions, collaboration tools and version control are what drove the free and open source software revolution, now open hardware needs to take the same leap forward. Open hardware electronics projects are growing in numbers, thanks to crowdfunding, a strong developer community, and sophisticated open source electronic design automation (EDA) tools like KiCad. Between circuit schematic and printed circuit board (PCB) layout there is a logical association, but are being handled by separate programs, and therefore one can’t simply copy-paste design blocks. In 2020 it is still next to impossible to reuse proven parts of different designs without needless reimplementation. By leveraging KiCad’s pcbnew and eeschema scripting, a new way of building modular, reusable electronics opens. We are creating a catalog and community portal for discovery and development of proven circuit modules: power management, signal conditioning, data conversion, micro-controllers, etc. >> Read more about EDeA Email for expert news — Keep up to date with a flow of publication Full text search can help locate text within a certain corpus, but it doesn't help much with staying up to date with the continuous development of a certain field. Ingesting the daily flood of potentially relevant publications is time-consuming, and so sharing and delegating effort makes a lot of sense. 
Bims (Biomed News) and NEP (New Economics Papers) are long standing projects in this vein, based on PubMed and RePEc, respectively. They are early examples of expertise sharing systems that deliver digests - human curated sets of the most relevant new publications. Dedicated experts filter the flow of incoming publications in different domains, allowing everyone to stay up to date with the latest developments through publicly available periodic reports on a variety of topics. This project aims to build a new software tool to allow users to subscribe to these reports across different fields of interest. Subscribers get a fully personalised report meaning they will not have to deal with distractions such as duplicate items. The software aims to be generic, so it may be applied to any serial data of records formatted in a structured way. >> Read more about Email for expert news Empowering Mobilizon — Find, create, organise and curate events Mobilizon empowers users to create collaborative platforms for promoting local events, activities, and groups. Utilizing the ActivityPub protocol, these platforms facilitate information sharing, allowing users to publish their events on one Mobilizon instance and broadcast them across others when appropriate. Designed with user-friendliness in mind, Mobilizon aims to reduce local advertisers' reliance on major tech companies. Currently, dozens of Mobilizon instances are operational, collectively attracting thousands of users. However, this is not enough to harness the full potential of the network effect and drive meaningful societal change. Numerous enhancement requests and areas for improvement have been identified, and it is crucial to refine and prioritize these initiatives. Should we enhance federation with ActivityPub? Develop solutions to combat spam? Allow users to join a waiting list for fully booked events? Improve categorization and search functionalities? Address persistent bugs? Optimize response times? 
To tackle these challenges, we aim to establish a governance structure involving other instance administrators. Together, we can prioritize the most impactful changes and integrate them into our roadmap, ultimately making it easier for the community to discover and engage with local activities. >> Read more about Empowering Mobilizon Explain — Deep search on open educational resources The Explain project aims to bring open educational resources to the masses. Many disparate locations of learning material exist, but as of yet there isn’t a single place which combines these resources to make them easily discoverable for learners. Using a broad array of deep content metadata extraction techniques developed in conjunction with the Delft University of Technology, the Explain search engine indexes content from a wide variety of sources. With this search engine, learners can then discover the learning material they need through a fine-grained topic search or through uploading their own content (eg. exams, rubrics, excerpts) for which learners require additional educational resources. The project focuses on usability and discoverability of resources. >> Read more about Explain FOSS Warn — Aggregate source of emergency alerts The FOSS Public Alert Server lets clients receive Push Notification (via UnifiedPush) about official emergency alerts worldwide. Besides infrastructure like sirens, radio, and Cell-Broadcast, CAP (Common Alerting Protocol) alerts are another way of alerting the public. CAP alerts are used for a wide variety of emergencies. From alerts about extreme weather to alerts about contaminated drinking water to pandemics. Our server bundles over 280 official CAP alert publishers worldwide and can easily extend to more sources. This project aims to bundle the underlying alerting infrastructure into a single trustworthy source of information, not to replace it. 
Having a shared global public source of information reduces the user's dependency on local emergency apps - which are often only available for the two largest mobile platforms. Furthermore such a converged effort makes it much simpler to develop clients for devices other than cell phones (like desktop PCs or smart speakers). Thirdly it can make traveling safer. Finding and installing the right local emergency apps to receive emergency alerts when traveling is quite the hurdle. With our solution, it would suffice to install one app for the world. One such app is FOSS Warn, an Android app that for now receives alerts for Germany and Switzerland. Within this project, FOSS Warn will be extended to work worldwide with the new server infrastructure. >> Read more about FOSS Warn FairSync — Simplify aggregation and discovery of places and events How can we make it possible to search across different maps and lists of events maintained by different organisations? By connecting them, of course! FairSync develops and collects best practices to synchronize maps and events and to federate messengers and identities active in the global movement for sustainability. System integrators are faced with fast evolving APIs and protocols when they try to discover and connect systems and make search more easy. We will work on master-master replication frameworks of metadata enriched data sets and test with platform providers for sustainability affairs. One approach is the \"lazy master scheme\": a common update propagation strategy where changes on a primary copy are first committed at the master node, afterwards the secondary copy is updated in a separate transaction at slave nodes. We will try to advance such immediate update propagation in this project using protocols such as ActivityPub or the InCommon API. Federation of identities will be managed with SAML or oAuth2 protocols with fairlogin as a common identity provider. 
>> Read more about FairSync Faircamp 1.0 — Self-hostable, maintenance-free websites for audio producers Faircamp is a static site generator for audio producers, empowering artists, labels and everyone else working with sound to distribute their work on their own, with low resource requirements and little to no maintenance effort. The aims within this project are to address usability, accessibility and cultural concerns, to improve documentation, to implement missing core architecture components and complete the embedding functionality, as well as complementary bugfixing and smaller feature additions. >> Read more about Faircamp 1.0 searx — Federating self-hosted search hubs Searx is a popular meta-search engine, with the aim of protecting the privacy of its users. In the typical use case, few users trust one instance. However, third-party services can easily fingerprint the users using the IP address of the searx instance and the user's queries. The project aims to create a searx federation to solve this issue. First, a protocol needs to be defined to allow the instances to discover each other. Then, each instance will be able to proxy the HTTPS requests through other instances, so the user only has to trust one instance. Also, each instance will spread the requests to other instances according to their response time, and make sure that IP addresses are evenly used, or at least in the best possible way. To ensure the latter, the statistics page will be enhanced and available through an API that other instances will use. The federation will make sure that bots can't abuse this pool of IP addresses. >> Read more about searx First Classify Documents — Categorise different types of official documents With governments all over the world turning to digital filing systems, millions of paper files still wait to be digitized. One major challenge in this process is a structured approach to classifying and ordering documents. 
It is an unfortunate fact that many public documents are bitmap images of texts. For instance, tenders are published digitally but the actual resulting contracts are not published in a way that allows them to be indexed and queried - which hinders civil society in their ability to access these documents. Open source OCR software needs to become better to get good results with this. This project developed a system for models to distinguish between different types of official documents, able to classify state documents according to structure, keywords, document name, word and page count, metadata and context. >> Read more about First Classify Documents Folksonomy engine for the food ecosystem — Data modelling by the community Everybody is interested in the food they eat, by many different aspects, ranging from taste, cost, ingredients and nutrition to its impact on health, the environment and society. We also happen to have many different names for the same food, the way we prepare it and other properties - sometimes only used very locally. That means it is not always easy for everyone to effectively search open data sets like OpenFoodFacts. Open Food Facts - sometimes referred to as the \"wikipedia for food products\" - is the biggest open food-database in the world. The Folksonomy engine for the food ecosystem created within this project will unleash an ocean of new data and uses regarding food. Citizens, researchers, journalists, professionals, artists, communities, and innovators will be able to define and add new properties of their choice to food products on Open Food Facts for their own use or to enrich the shared knowledge. Open Food Facts already feeds hundreds of data reuses. Thousands more will become possible thanks to the new user defined properties. 
>> Read more about Folksonomy engine for the food ecosystem Funkwhale — ActivityPub-driven audio streaming and sharing Funkwhale is a federated platform that provides tools for managing, publishing, and sharing audio content using the ActivityPub protocol. In this project, the team will expand the use of ActivityPub and extend the integrations with other ActivityPub-powered platforms. The flagship web app will be redesigned, adding support for more content types in its API, creating new features that integrate with MusicBrainz, and making the mobile Android offering feature-complete as well as adding a (Tauri-based) cross-desktop app. >> Read more about Funkwhale Funkwhale — ActivityPub-driven audio streaming and sharing Funkwhale is a free, decentralized and open-source audio streaming and sharing platform, built on top of the ActivityPub protocol. It enables users to create communities of interest around music and audio content in general, listen to their private music library or distribute their own productions on the network. Each Funkwhale pod, or server, can communicate with other pods to exchange audio content, metadata or for user interactions. In this project, Funkwhale will improve the publication experience for creators, release its first stable version, improve content discovery inside the platform through better sharing and search mechanisms. We will also continue research and development for Retribute, a community wealth sharing platform meant to support creators on Funkwhale or any other platform. >> Read more about Funkwhale GNU social — Modernizing the original FOSS Social Network GNU social is a free social networking platform, easily self-hostable and highly accessible, that enables both private and public decentralized communications. With NLnet NGI Zero's support, the project is undergoing a change of main focus from microblogging to groups and tags. 
With this, GNU social will be a space for communities where users can express their passions and explore new ones. Users will be able to immerse themselves in easily filterable content relevant to their interests, and to create and join communities. It's hard to pinpoint an existing alternative service that promotes the same level of functionality in terms of tagging, filtering and connecting with people that share common interests. Especially considering the available degree of accessibility, customization and expansion via plugins. >> Read more about GNU social Taler for local currencies. — Free software banking backend for local currencies This project is about extending GNU Taler’s LibEuFin software to make it suitable as a core banking system for local or regional currencies, in combination with the Taler payment system. The innovation comes from employing FLOSS technology, and having a centrally managed and yet privacy-preserving payment system. Our focus will be on creating interfaces to allow regional currency administrators to control the platform, including account creation, controlling money supply, analyzing transactions, and setting of relevant policies. Additionally, we will support onboarding of customers, including offering them a way to trade fiat currency (e.g. EUR) for the local currency or vice versa (if permitted by the currency conversion policies of the platform). We will work with cities and regions that have deployed regional currencies (or are planning to do so) to better understand their needs and adapt our plans according to their use-cases. >> Read more about Taler for local currencies. Geolexica reverse — Reverse Semantic Search and Ontology Discovery via Machine Learning Ever forgotten a specific word but could describe its meaning? Internet search engines more often than not return unrelated entries. 
The solution is reverse semantic search: given an input of the meaning of the word (search phrase), provide an output with dictionary words that match the meaning. The key to accurate reverse search lies in the machine’s ability to understand semantics. We employ deep learning approaches in natural language processing (NLP) to enable better comparison of meanings between the search phrases with word definitions. Accuracy will be significantly increased. The project outcome will be employed on Geolexica as a pilot application and testbed for evaluation. The ability to identify entities with similar semantics facilitates ontology discovery in the Semantic Web and in Technical Language Processing (TLP). >> Read more about Geolexica reverse Real time graph database search engine — Live filtering on graph database streams Based is the world's first open source pub/sub real time graph database. It allows for millions of concurrent connections to changes in data or relationships, and offers built-in features such as authentication, internationalisation, server-side scripts for automation, time-series data, and user management. This saves money, complexity, and maintenance. In this project we will work on a full text indexing engine, that will give developers and end users the ability to query text in real time – and get back any updates in text instantly. The search engine is geared toward working with our database, but is applicable to any database in which users are interested in text search that updates in real time and indexes dynamically. >> Read more about Real time graph database search engine The Open Green Web — Ethical meta-search filter on green hosted websites The world wide web has become a mainstay of our modern society, but it is also responsible for a significant use of natural resources. 
Over the last ten years, The Green Web Foundation (TGWF) has developed a global database of around 1000 hosters in 62 countries that deliver green hosting to their customers, to help speed a transition away from a fossil fuel powered web. This has resulted in roughly 1.5 billion lookups since 2011 - through its browser based plugins, manual checks on the TGWF website and its API, provided by an open source platform. But what if you want to take things one step further? This project will create the world's first search engine with ethical filtering, that will exclusively show green hosted results. In addition to giving a new choice of search engine to environmentally conscious web users, all the code and data will be open sourced. This creates a reference implementation for wider adoption across industry of search providers, increasing demand and visibility around how we power the web. The project builds upon the open source search engine Searx, and will collaborate with the developers of that search tool to make \"green\" search an optional feature for all installs of Searx. >> Read more about The Open Green Web Great scanning and OCR for mobile devices — The aim of this project is to improve the scanning and optical character recognition on mobile devices. Currently the cameras of many mobile devices have relatively noisy output whenever lighting conditions are less than optimal. Additionally, it's almost impossible to achieve scans that are distortion free as mobile devices don't have a surface to which the document under scan could be pressed to reliably. These two problems lead to difficulties in performing optical character recognition over acquired images as most recognition algorithms require an input that is noise and distortion free. The solution that will be developed by this project will solve both of these problems by acquiring multiple scan images from different angles. 
Same objects can then be matched across the source images providing two benefits: the noise can be cancelled out and 3D shape of the document under scan can be derived. Such information can then be used to unfold the document to 2D space and provide a noise and distortion-free image to optical character recognition algorithms. The solution will be implemented taking into account the performance limitations of mobile devices and a major optimization effort will be spent to achieve an acceptable latency of the complex image processing algorithms. >> Read more about Great scanning and OCR for mobile devices Hypermachines: Realtime and Collaborative P2P Search — Realtime and Collaborative P2P Search Modern search systems don't work offline, rely on proprietary indexes, and give users limited interfaces for content discovery. Our earlier work on the Hypercore Protocol produced a collection of data structures and networking modules for building low-latency, secure P2P applications. With this project, we will extend the Hypercore Protocol with a novel mechanism for distributing sandboxed computation, called Hypermachines, that can be combined with the existing data structures in our stack to power a next-generation search system. Hypermachines are deterministic Javascript programs, akin to lightweight smart contracts, that introduce algorithmic transparency and compositionality into our ecosystem. Users can create powerful indexing pipelines that merge their Hypermachine datasets together, yielding a highly-composable, collaborative search engine. By storing indexing logic directly alongside data structures, users can see exactly how indexes are produced, verify that they were produced correctly, and modify them according to their needs. We imagine a future in which Hypermachines power a decentralized marketplace for collaborative, transparent, and fast search engines. 
>> Read more about Hypermachines: Realtime and Collaborative P2P Search ipfs-search.com — Search engine for the Interplanetary File System ipfs-search.com is a Free and Open Source (FOSS) search engine for directories, documents, videos, music on the Interplanetary Filesystem (IPFS), supporting the creation of a decentralized web where privacy is possible, censorship is difficult, and the internet can remain open to all. >> Read more about ipfs-search.com IN COMMON — Public platform to map and act together for the Commons IN COMMON emerged as a transnational European collective from a network of non-profit actors to identify, promote, and defend the Commons. We decided to start a common pool for Information Technologies with the aim to create, maintain, and share with the public geo-localized data that belong to our constituents and to articulate citizen movements around a free, public and common platform to map and act together for the Commons. IN COMMON forms a cooperative data library that provides collective maintenance to ensure data is always accurate. >> Read more about IN COMMON In-document search — Interoperable Rich Text Changes for Search There is a relatively unexplored layer of metadata inside the document formats we use, such as Office documents. This allows to answer queries like: show me all the reports with edits made within a timespan, by a certain user or by a group of users. Or: Show me all the hyperlinks inside documents pointing to a web resource that is about to be moved. Or: list all presentations that contain this copyrighted image. Such embedded information could be better exposed to and used by search engines than is now the case. The project expands the ODF toolkit library to dissect file formats, and will potentially have a very useful side effect of maturing the understanding of document metadata at large and for collaborative editing of documents in particular. 
>> Read more about In-document search Practical Tools to Build the Context Web — Declarative setup of P2P collaboration In a nutshell, the Perspectives project makes collaboration behaviour reusable, and workflows searchable. It provides the conceptual building blocks for co-operation, laying the groundwork for a federated, fully distributed infrastructure that supports endless varieties of co-operation and reuse. The declarative Perspectives Language allows a model to translate instantly into an application that supports multiple users to contribute to a shared process, each with her own unique perspective. The project will extend the existing Alpha version of the reference implementation into a solid Beta, with useful models/apps, aspiring to community adoption to further the growth of applications for citizen end users. Furthermore, necessary services such as a model repository will be provided. This will bring Perspectives out of the lab, and into the field. For users, it will provide support in well-known IDEs for the modelling language, providing syntax colouring, go-to definition and autocomplete. Real life is an endless affair of interlocking activities. Likewise, Perspectives models of services can overlap and build on common concepts, thus forming a federated conceptual space that allows users to move from one service to another as the need arises in a most natural way. Such an infrastructure functions as a map, promoting discovery, decreasing dependency on explicit search. However, rather than being an on-line information source to be searched, such as the traditional Yellow Pages, Perspectives models allow their users (individuals and organisations alike) to interact and deal with each other on-line. Supply-demand matching in specific domains (e.g. local transport) integrates readily with such an infrastructure. Other patterns of integrating search with co-operation support form a promising area for further research. 
>> Read more about Practical Tools to Build the Context Web Indigenous — Indieweb mobile clients Indigenous is a collection of native, web and desktop applications which allows you to engage with the Internet as you do on social media sites, but posts it all on your website. Use the built-in reader to read and respond to posts across the internet. Indigenous doesn't track or store any of your information, instead you choose a service you trust or host it yourself. Posts are collected on your website or service which supports W3C Microsub, writing posts uses the W3C Micropub specification. Popular services that support both are Wordpress, Micro.blog and Drupal, with more coming soon. >> Read more about Indigenous Inochi2D — Open source 2D animation/puppeteering framework Inochi2D is an open source, BSD 2-clause licensed toolkit and ecosystem for real-time 2D puppet animation, for use in game development, virtual avatars and other multimedia applications. Our ecosystem features an SDK and two tools: Inochi Creator, which allows the user to create a puppet by rigging layered 2D art via warping meshes, physics, dynamic masking and real-time lighting, in order to create the illusion of depth and liveliness. And Inochi Session, which allows the use of Inochi2D puppets for livestreaming, teleconferencing and more, by mapping external tracking data to a puppet's rigging. The SDK and tools together allow anyone to express themselves without restrictive licensing terms. With this grant our goal is to improve the user experience and portability of our tooling via the creation of a new UI toolkit which is purpose-built just for Inochi2D, called libsoba. We also plan to finish and release a major update to Inochi2D, version 0.9, which aims to make Inochi2D more future proof and portable, making it viable to use in game engines such as Godot and Unity, and on the web via WebASM, WebGL and WebGPU. 
>> Read more about Inochi2D Inventaire — Wikidata-based social sharing of reading experiences The Inventaire Project is an effort to move forward on the front of accessing information on resources using libre software powered by open knowledge. This ideal is being materialized in the form of inventaire.io, a libre book sharing webapp, inviting everyone to make the inventory of their physical books, declare what they want to do with it (giving, sharing, selling), as well as who should be able to see it (shared publicly through e.g. ActivityPub, or only visible by your friends and groups). To power those inventories with structured bibliographic data, inventaire.io is also playing the role of a Wikidata-federated open and contributive bibliographic database, extending wikidata.org data with Wikidata-compatible entities (CC0, shared data schema) tailored to our needs, but ready to be pushed to Wikidata when the data contributor deems it appropriate. This linked open data architecture allows users to build their inventories on a huge open knowledge graph, that we believe will, in time, offer exceptional discovery capabilities. This project addresses many features, such as improved privacy settings, accessibility, creating publisher collections and data federation. >> Read more about Inventaire Inventaire recommender — Book recommendations in Inventaire The Inventaire Project is an effort to move forward on the front of accessing information on resources using libre software powered by open knowledge. This ideal is being materialized in the form of inventaire.io, a libre book sharing webapp, inviting everyone to make the inventory of their physical books, declare what they want to do with it (giving, sharing, selling), as well as who should be able to see it (shared publicly through e.g. ActivityPub, or only visible by your friends and groups). 
To power those inventories with structured bibliographic data, inventaire.io is also playing the role of a Wikidata-federated open and contributive bibliographic database, extending wikidata.org data with Wikidata-compatible entities (CC0, shared data schema) tailored to our needs, but ready to be pushed to Wikidata when the data contributor deems it appropriate. This linked open data architecture allows users to build their inventories on a huge open knowledge graph, that we believe will, in time, offer exceptional discovery capabilities. Now that this first base of inventories and contributive bibliographic data has reached a certain level of maturity, we want to start moving forward on the next challenges: introduce curation and recommendation mechanisms, improve search tools, offer finer privacy settings, and move forward on decentralization. >> Read more about Inventaire recommender Karrot — Save and share food waste Karrot started as a free and open-source tool to support grassroots initiatives that save and share food waste, but it has been gradually re-designed to become a more general purpose tool to support various groups of people in their face-to-face activities on a local, autonomous, solidarity-driven and voluntary basis. Some of its defining features are the self-assignment of tasks, full transparency of members' actions and no admin roles, using a trust-based system instead. In order to better support the diverse ways in which people self-organize and practice commoning, this project will further develop features focused on the needs of end users through a participatory design process. We will work with the themes of collective agreements, role assignment and going beyond group boundaries for organising, which includes exploring options for federating. The same way we envision the software to be used, we will continue to work for the governance and organisation of Karrot project itself to be community-driven, transparent and democratic. 
>> Read more about Karrot LO/CODE Book project — Professional typography inside LibreOffice The project enhances readability of text documents by adding highly customizable paragraph-level line breaking and microtypography to the LibreOffice/Collabora Online Writer word processors. It creates a new type of software, with the print quality of proprietary DTP programs and with productivity of word processors. It saves paper and screen area with a compact paragraph layout and readable multi-column pagination. It should result in proposals to enhance the OpenDocument format standard (ISO/IEC 26300) which will be submitted for standardization, encouraging future standards to support enhanced readability, especially for people with reading difficulties. >> Read more about LO/CODE Book project Lemmy — ActivityPub for link aggregation Lemmy is an open-source, easily self-hostable link aggregator that you can use to share and discover interesting new ideas - and discuss them with the world. It's designed to work in the Fediverse, and communicate natively with other ActivityPub services, such as Mastodon, Funkwhale and Peertube. Lemmy aims to create a decentralized alternative to widely used proprietary services like Reddit. For a link aggregator, this means a user registered on one server can subscribe to communities on any other server, and have discussions with users registered elsewhere. The front page of popular link aggregators is where many people get their daily news, so Lemmy has the potential to help alter the social media landscape. >> Read more about Lemmy Lemmy private communities — Add private communities to Lemmy federated link aggregator Lemmy is an open-source, easily self-hostable link aggregator that you can use to share, discover and discuss interesting new ideas - and discuss them with the world. Lemmy is a good decentralized alternative to widely used proprietary services like Reddit. 
It is designed to work in the Fediverse by virtue of its implementation of the W3C ActivityPub standard, and communicate natively with other ActivityPub services such as Mastodon, Funkwhale and Peertube. Users registered on one server from one of these services should be able to effortlessly subscribe to communities on any other server, where they can have discussions with users registered elsewhere. In this project, the team will deliver many noteworthy upgrades ranging from a more stable API, to group federation, two-factor authentication and improved moderation. In addition the project will work on the new native client Jerboa (for the Android OS). Also for the nostalgically inclined, the project is working on a new frontend inspired by traditional web forums like phpBB. >> Read more about Lemmy private communities librarian — Custom meta-search Search engines are the default way of finding information on the internet. Although there is a host of search engines for users to choose - from library catalogs to cooking portals - there is currently only a small number of dominant search engines that practically decide who finds what on the internet. This situation has the following disadvantages: 1) by designing their algorithms these dominant search engines influence our world view, 2) the huge amounts of user data they record create severe risks of data leaks and misuse, finally 3) search engines can misuse their market power to gain advantages in other lines of business (e.g. the mobile phone market). Federated web search is a technology where users connect to a so-called broker which forwards their search request to suitable search engines and combines the results. Using federated search lessens the risks of few dominant search engines: it shows a blend of search results created by different algorithms, it prevents the search engine to record data of individual users, and its search results are usually more diverse. 
Still, for federated web search to become widely used, it faces the following challenges: 1) while exploiting user behavior is known to improve search effectiveness, brokers exploiting this data also risk leaks and misuse, 2) as brokers typically serve many users, they are not able to include search engines for personal content, such as email, social media or cloud storage because the public broker cannot know the user’s credentials to access these services, finally 3) brokers consider for every user the same base set of search engines, while considering a more focused set of engines could improve search results, given the diversity of users. To improve upon these challenges, while avoiding the disadvantages of dominant search engines, this project will investigate a radical change to the federated search architecture: users run a broker on their own computer using a browser plugin. In this architecture the broker can safely analyze the user's behavior to improve search results as the data is accumulated on a per-user basis on disconnected computers. Furthermore, the search requests forwarded to search engines use the user's credentials and thus can access search engines for personal data, such as email etc. Finally, starting from sensible defaults, each user can configure its broker with his or her individual needs. >> Read more about librarian Libre Car Control — Automotive development platform, protocol analyzer and hacking multi-tool The Engine Control Unit (ECU) is a microprocessor-based system that receives input from various sensors, analyzes the data, and controls various driving functions based on the input. LibreCar is a small and affordable device which can emulate an actual ECU as an electronic control module that manages control of an automotive vehicle. 
Acting as an all-in-one device for building, testing, monitoring, and experimenting with Automotive ECUs, LibreCar is built around a unique FPGA-based architecture making its digital hardware fully customized to suit the application at hand. As a result, it can act as a no-compromise Automotive protocol analyzer, an Automotive-hacking multi-tool, or an Automotive development platform. It is a fully reconfigurable test instrument that provides all the hardware, gateware, firmware, and software you will need to work with—and, indeed, to master Automotive domain such as rapid prototyping of compliant and non-compliant Automotive devices, Protocol analysis for Automotive protocols like Diagnostics, XCP and DLT for security research etc. >> Read more about Libre Car Control MaDada — Using LinkedData to improve FOI processes MaDada is a free open source platform that simplifies and opens up the process of access by the general public to data and information held by the French government. Making use of the Freedom Of Information (FOI) law, the platform guides citizens to file requests, but also acts as an open data archive and platform for right-to-know or transparency campaigns, by publishing the whole process : the requests history, the resulting correspondence, and the data obtained through it. Launched in October 2019 by Open Knowledge Foundation France members, MaDada has helped 250+ users make over 1200 FOI requests to French public bodies, and is beginning to play an important role in the right-to-know, need for transparency and open government problems. MaDada is based on the open source software Alaveteli (https://alaveteli.org), which has been adapted and deployed to more than 25 countries in 20 different languages and jurisdictions. Alaveteli offers efficient functions for users to request and manage FOI requests. 
The NLnet funding will help the project develop and improve discovery and search features of public bodies on madada.fr and Alaveteli software - for instance, in France alone there are more than 60,000 public authorities. This will take advantage of existing digital commons such as Wikidata, and open standards such as schema.org and DCAT. >> Read more about MaDada Mangaki — Advanced group recommendations Within a set of search results, what should you do to find the optimal solution for not just a single user but a group? Mangaki is building an open source library for privacy-preserving group recommendations of items. While many content providers suggest recommendations at a personal level, these are often directed to a single user, or are restricted to a generic “family” category. Whenever say a group of friends want to watch a movie, it is often hard to decide what to watch, because people can have really different tastes. Recommendations are also very privacy-sensitive. A straightforward way might be to share our complete viewing history, but that certainly can lead to embarrassing and awkward situations. So how can we collectively compute a list of relevant items without disclosing all of our data unencrypted? The Mangaki project is making an open source library for group recommendations that works in a scalable and distributed way. >> Read more about Mangaki Manyfold — ActivityPub-powered tool for storing and sharing 3d models Manyfold is a web application for managing collections of 3d models, with a focus on the needs of the 3d printing community. It is designed to be self-hosted, and lets users browse, organise, and analyse their downloaded models. With NLNet’s support, the project has recently launched federation features using ActivityPub, progressive transmission of 3d models, and a wide range of core feature enhancements. 
The next phase of the project will build on this base to create richer social features, better ways to get models into and out of the system, features to help financially support creators, and improvements to search and discovery features, all of which will help build an open, decentralised ecosystem for 3d model hosting. >> Read more about Manyfold Marginalia Search — A fresh take on search Marginalia Search is an experimental Internet search engine for the independent web designed and optimized to run on cheap consumer hardware. The overarching goal of the development effort is to bring the project into a more mature state; to improve search quality and range, reduce the amount of manual operations, and to produce and offer portable data in order to bolster adjacent efforts in the search and discovery space. >> Read more about Marginalia Search Mautic Portability — Portable marketing campaigns for Mautic Mautic is an open source marketing automation platform. It helps organizations to better understand their customers throughout their lifecycle, and, combined with what they already know about the customer and how they interact with marketing campaigns, enables full personalization of the digital experience across multiple channels. This project lays the foundation for an important feature which is much-requested and much-needed, to create a library of example campaign workflows and associated resources which marketers can install with a single click, saving time and improving best practice adoption. This project sees the establishment of an export and import functionality for campaigns and all associated resources. This project will also enable the export and import of this data between Mautic instances, further improving data portability. >> Read more about Mautic Portability MeiliSearch — Modern and responsive search Advanced content search for apps and websites has become an increasingly protected craft. 
When owners of big content repositories need search at scale, they have to choose between hiring expensive search specialists or outsourcing search in its entirety. Search doesn’t need to be this complicated. It should be simple enough to be self-hosted with the developers you already have, and it should be understandable & open enough that you can resort to a managed cloud without fear of lock-in. MeiliSearch is blazing fast and very light on resources. It packs advanced search capabilities like search-as-you-type, relevancy, typo-tolerance, synonyms and filters, all set up and configured in minutes. Our primary path to widespread adoption is integration with other developer ecosystems. Every new language, framework, platform or application that’s supported brings in a new audience of developers that wouldn’t otherwise know we even exist. >> Read more about MeiliSearch Mepo — Lightweight mobile map search Mepo is a fast, simple, and hackable OSM map viewer for desktop linux & mobile linux devices (like the Pinephone, Librem 5, and postmarketOS devices) and both environments' various user interfaces (Wayland & X inclusive). Mepo works both offline and online, features a minimalist both touch/mouse and keyboard compatible interface, and offers a UNIX-philosophy inspired underlying design, exposing a powerful command language called mepolang capable of being scripted to provide and customize functionality such as bounding-box search scripts, bookmarks, routing, and more. >> Read more about Mepo Modular Meta-Press.es — Reusable decentralised meta-search engine Meta-Press.es is a search engine dedicated to online press. It can work from your computer being shaped as browser WebExtension and gives you back the control of your information sources allowing to choose (and pin-point) the newspapers to search in. 
Sources can be contributed by users, covering any domain where it's the chronological order that matters: press (TV, radios…), scientific press, online agendas… Using Meta-Press.es is free, avoids ads and does not trigger the tracking mechanisms of online newspapers when discovering the results. With the new developments within this project, Meta-Press.es will break out of web browsers to become available server-side and for mobile users. Also, contributions for your favorite sources will finally be possible \"all by mouse\" and without computer science specific knowledge (traditional method via CSS selectors still being available). >> Read more about Modular Meta-Press.es Meta-Press.es — A press search engine in your browser Meta-Press.es is a press search engine, in the shape of a browser add-on. When using it, everything happens between the user's computer and the queried newspapers. Using Meta-Press.es, there is no data sent to third party (including our servers). We're not asking the users to believe that we respect their privacy, it's a matter of verifiable fact that we do. That means there is no single point of failure, of surveillance or of censorship. >> Read more about Meta-Press.es Meta-Press.es — Retrieve news feeds and search locally Meta-Press.es is an addon (in the standard WebExtension format) which gives super powers to your web browser. Meta-press.es equips your browser with the capacity to query hundreds of online press sources in a few seconds and get you the relevant results. It is a drop-in replacement for centralised services like Google News, and in addition helps you to create press reviews (via selection and export of results from automatized searches). Using Meta-Press.es, it's your web browser that does the work, without any middleman between information sources and you. Your privacy is respected even against the ad or social trackers of the newspapers (as those mechanisms aren't triggered by Meta-Press.es searches). 
Unlike its news portal competitors, Meta-Press.es transparently shows what was queried and what was not - and you can choose your own information sources (via source selection filters and even source selection pick-up). Everything happens directly on the user device and under control of the user, avoiding single points of censorship and in support of Freedom of the Press and media diversity. >> Read more about Meta-Press.es Mobilizon — Find, create and organize events Mobilizon is a free, libre and federated groups and events management platform. Most proprietary social media collect behavioral data and social graphs by hosting groups and events management tools (such as Facebook events, MeetUp, etc.). This can become a problem, even more when your group works on topics like activism, raising awareness and empowering citizens. Mobilizon allows for a federation of interconnected hosts, that decentralize by design data concentration while permitting interactions between users across the federation. This group and event management tool has been designed by asking and considering the needs of mobilized citizens. It includes features that have since been implemented by mainstream social media as well (multiple profiles for each account), and does not reproduce mechanisms driven by the attention economy. As such, Mobilizon is not a social media, it does not pander to egos, but focuses on being a toolkit to manage communities. On top of the event publishing tool, it features a group discussion tool (akin to a minimalist forum), a group page management tool (that can be used as a one-page website), a group public and private posts tool (similar to a blog), and a group link directory (to organize links to online documents, resources, etc.). With this grant, Framasoft aims to improve Mobilizon's search results (within an instance as well as throughout the federation) and recommendations. 
We also want to help people find groups and events close to their interests or their location, as well as allow them to import their events from other platforms when possible (Facebook, MeetUp, etc.). >> Read more about Mobilizon MoboSearch — Providing an alternative view on the Android App ecosystem Mobile phones play a major role in our society, yet they still suffer from severe limitations in how they handle apps. As a result, most people are unaware of the dangers of privacy leaks and are typically offered very constrained search capabilities within one single source of information, the app store. MoboSearch is a new search engine and information portal for apps, empowering users beyond the existing app stores. The system exposes privacy and security information, like app permissions, and gives users new easy and flexible search capabilities that allow them to make an informed choice and increase people's awareness. Openness and interoperability ensure that the system can offer and receive data, so as to cooperatively enable a better and healthier app ecosystem. >> Read more about MoboSearch OSF Crawler Cooperation — Support Infrastructure for Open Search initiatives The Open Search Foundation (OSF) attempts to build a European mainstream search engine alternative, under European regulations like privacy and fair participation. Our project builds on the foundations of that OSF search engine to be, in an attempt to combine existing crawling efforts of OSF participants. This is implemented on the real internet scale: petabytes of data, billions of webpages, a hundred million websites with terabytes of communication between the components per day. The scale and regulations call for a concept which has not been implemented before. Existing web-search related projects are invited to contribute their ideas into our larger concept, which could become not just an alternative for Google Search but also has many other uses - even in early stages. 
>> Read more about OSF Crawler Cooperation OpenCarLink — Security tooling for vehicle OBD2 ports OpenCarLink is an initiative aimed at revolutionizing vehicle diagnostics and security through the development of an open hardware device for vehicle OBD2 ports. By supporting communication protocols such as DOIP, CAN, Kline, and Single-Wire CAN, OpenCarLink enables users to perform remote diagnostics, real-time emissions tracking, enhanced vehicle security through penetration testing, and increased driver safety via behavioral data tracking. This project promotes an open and innovative future for the European mobility sector by helping circumvent manufacturer limitations. By releasing the hardware design under an open-source license, OpenCarLink fosters an environment where enthusiasts, researchers, and professionals can contribute to and benefit from the advancements in vehicle diagnostics and control. With a focus on democratizing access to the DOIP protocol, OpenCarLink challenges the restrictive policies and secrecy that currently dominate the automotive industry, helping pave the way for a more open and informed society. >> Read more about OpenCarLink Personal Food Facts — Privacy protecting personalized information about food Open Food Facts is a collaborative database containing data on 1 million food products from around the world, in open data. This project will allow users of our website, mobile app and our 100+ mobile apps ecosystem, to get personalized search results (food products that match their personal preferences and diet restrictions based on ingredients, allergens, nutritional quality, vegan and vegetarian products, kosher and halal foods etc.) without sacrificing their privacy and having to send those preferences to us. >> Read more about Personal Food Facts Open Hospitality Network — Federated hospitality with ActivityPub Hospitality is part of human tradition, practiced long before any software infrastructure existed. 
People share with others their homes, and exchange life’s stories and adventures - often without even mention of money. The internet age allowed hosts and travelers from all around the world to find each other more easily, and spontaneous communities emerged online. Nowadays, many hospitality exchange platforms exist which help travelers and hosts find each other. Open Hospitality Network wants to unify hospitality exchange communities into one federated system conveniently serving travelers and hosts. We envision a variety of platforms to exist, united in diversity, where each of them is built around their own unique culture, yet they all communicate with each other in federation. We'd like them together to create a resilient ecosystem outlasting any particular founders and exchange platforms. Following a collaborative process, we are building software from the community for the community, software that on the one hand helps connect existing communities and on the other enables new federated communities to spring up and flourish. >> Read more about Open Hospitality Network Openki.net — Make local events and meetups discoverable How do you discover what you can learn from the people around you? How do you search what other people in the same region have to offer, like a training course or a debating event? Openki is an interface between technology and culture. It provides an interactive web platform developed with the goal to remove barriers for universal education for all. The platform makes it simple to organise and manage \"peer-to-peer\" courses. The platform can be self-hosted, and integrates with OpenStreetMap. At the moment Openki is focused on facilitating learning groups and workshops. The project will improve the tool, so it can be used not only to organise courses (with the collaboration of many different actors, in a more participatory way) but much more broadly, for bottom-up project initiation, for grassroot organizations and facilitating societal dialogue. 
>> Read more about Openki.net OpenStreetMap-NG — Alternative implementation of OpenStreetMap OpenStreetMap-NG is an innovative rethinking of how open mapping platforms can be built and maintained, as an alternative to the current openstreetmap.org setup. Leveraging Python and other widely used technologies and guided by user-centric design principles, this project creates a more accessible, privacy-respecting, and developer-friendly mapping platform. By prioritizing both solid technical foundations and ease of use, OpenStreetMap-NG wants to make open-source mapping more approachable while pushing the boundaries of what's possible. >> Read more about OpenStreetMap-NG Openki Roles — Restructuring role management in libre tool for crowd-sourced education How do you discover what you can learn from the people around you? How do you search what other people in the same region have to offer, like a training course or a debating event? Openki is an interface between technology and culture. It provides an interactive web platform developed with the goal to remove barriers for universal education for all. The platform makes it simple to organise and manage \"peer-to-peer\" courses. The platform can be self-hosted, and integrates with OpenStreetMap. At the moment Openki is focused on facilitating learning groups and workshops. The project will add course templates, streamline roles when organising courses and redesign parts of the interface in order to improve the overall user experience. >> Read more about Openki Roles Organic Maps convergent UI with Qt Quick/Kirigami — Declarative cross-platform UI for navigation Maps navigation software is a crucial part of computer systems today, be it on Mobile, Desktop, Automotive and so on. For quite a long time already, we have a brilliant open-source maps application, now named Organic Maps. 
Its features make it a strong competitor to commercial-grade software, among them are: privacy, fully offline maps, low battery consumption, navigation, points of interest (POI) and much more. Currently, the application shows its strength on mainstream mobile operating systems only. On other systems, its ability is quite limited, mainly because of the lack of a proper User Interface for them. This project aims to create an Organic Maps convergent touch-friendly User Interface for Linux, backed by featured Qt Quick/QML application framework, perfectly suitable for this task. This would allow feature-parity for Mobile and Desktop Linux systems, and also creates solid ground for further unification of the User Interface among other platforms. >> Read more about Organic Maps convergent UI with Qt Quick/Kirigami Organic Maps bookmarks, hike and bike — Improved bookmarks, address search, map styles and driving Organic Maps is a free, open-source offline map application available for Android and iOS. It provides a privacy-focused alternative to Google and Apple Maps, empowering individuals who value their privacy and freedom from the surveillance ecosystems created by these companies. The app offers downloadable outdoor maps of the entire world, offline multi-point navigation, offline search on the map, saved bookmarks and trails, KML/KMZ/GPX interoperability, elevation contours, track recording, and more. This project focuses on enhancing core functionality: optimizing offline search, expanding bookmark management, and introducing new features for hikers and bikers. 
>> Read more about Organic Maps bookmarks, hike and bike PRESC Classifier Copies Package — Implementing Machine Learning Copies as a Means for Black Box Model Evaluation and Remediation The ubiquitous use over the Internet, and in particular in search engines, of often proprietary black-box machine learning models and APIs in the form of Machine Learning as a Service, makes it very difficult to control and mitigate their potential harmful effects (such as lack of transparency, privacy safeguards, robustness, reusability or fairness). Machine Learning Classifier Copying allows us to build a new model that replicates the decision behaviour of an existing one without the need of knowing its architecture nor having access to the original training data. A suitable copy allows to audit the already deployed model, mitigate its shortcomings, and even introduce improvements, without the need to build a new model from scratch, which requires access to the original data. This project aims to implement a practical solution of this innovative technique into PRESC, an existing free software tool for the evaluation of machine learning classifiers, so that classifier copies are automated and can be easily created by developers using machine learning, in order to reuse, evaluate, mitigate and improve black-box models, ensure a personal data privacy safeguard into their machine learning models, or for any other application. >> Read more about PRESC Classifier Copies Package The PeARS app — Building low-resource Web search applications from cognitive models It is widely believed that Web search engines require immense resources to operate, making it impossible for individuals to explore alternatives to the dominant information retrieval paradigms. The PeARS project aims at changing this view by providing search tools that can be used by anyone to index and share Web content on specific topics. 
The focus is specifically on designing algorithms that will run on entry-level hardware, producing compact but semantically rich representations of Web documents. In this project, we will use a cognitively-inspired algorithm to produce queryable representations of Web pages in a highly efficient and transparent manner. The proposed algorithm is a hashing function inspired by the olfactory system of the fruit fly, which has already been used in other computer science applications and is recognised for its simplicity and high efficiency. We will implement and evaluate the algorithm on the task of document retrieval. It will then be integrated into a Web application aimed at supporting the growing practice of 'digital gardening', allowing users to research and categorise Web content related to their interests, without requiring access to centralised search engines. >> Read more about The PeARS app Peertube-Desktop — Enjoy and share federated videos Cuttlefish is a client for PeerTube that will allow for searching and discovering new and interesting videos online with more privacy. PeerTube is a federated video hosting service based on the W3C ActivityPub standard. By using WebTorrent - a version of BitTorrent that runs in the browser - users help serve videos to other users. Cuttlefish is a desktop client for PeerTube, but will work on GNU/Linux-based phones (like the Librem 5 or Pinephone) as well. We want the experience of watching PeerTube videos and using PeerTube in general to be better, by making a native application that will become the best and most efficient way to hook into the federation of interconnected video hosting services. It will have improved search, and will allow people to continue sharing watched videos with other PeerTube users for longer periods of time, instead of discarding the video when done watching. 
It will also help bridge PeerTube's gap between the - now separated - BitTorrent and WebTorrent networks by speaking both of those protocols. >> Read more about Peertube-Desktop peermaps — Peer to peer cartography Peermaps is a p2p, offline-friendly way to distribute, view, and embed map data. Instead of fetching data from a centralized tile provider, you fetch data from other peers on the network. Right now we have all of OpenStreetMap processed into a 100GB archive in our p2p spatial database and rendering formats and seeded to hyperdrive and ipfs. This data is hooked up to a proof-of-concept web map viewer. For this grant, we will build on our proof-of-concept to release a user-oriented map viewer as a web application with search functionality on peermaps.org along with a developer-oriented tool to embed web maps in an iframe. In addition to (p2p) web development, this project will involve research on peer queries for offline and online location-based search, optimizations to the spatial database and p2p layer, webgl graphics improvements in addition to web development in order to produce a usable p2p mapping alternative. >> Read more about peermaps PeerTube - Remote Transcoding — Remote Transcoding for distributed video sharing network PeerTube is a free-libre and federated alternative to centralized video platforms such as YouTube, Twitch or Vimeo. It empowers content creators (institutions, video-makers and live streamers, communities, etc.) to self host their own collective video-platform without being isolated in the wide web. The technical choices behind PeerTube (ActivityPub Federation, peer-to-peer broadcasting) keep the source of this suggestion (the technical and financial bar to self & collective hosting: you no longer need Google's server farm and Amazon's money to host your own PeerTube servers (an instance) and synchronize it with other servers to share video catalogs! There is still one technical bottleneck: video transcoding. 
This step is essential for a smooth video broadcasting experience. Transcoding happens at every video upload or during live-streams, and consumes a lot of CPU power. Instances hosting lots of content creators or live streamers tend to rapidly need to upgrade the CPU power of their server, to avoid a bottleneck that only happens episodically. Allowing transcoding work to happen remotely could solve a number of important logistical problems in a more efficient, resilient, affordable and eco-friendly manner. >> Read more about PeerTube - Remote Transcoding A Distributed Software Stack For Co-operation — Facilitating easy ad hoc cooperation Perspectives aims to be to co-operation, what ActivityPub is to social networks. It provides the conceptual building blocks for co-operation, laying the groundwork for a federated, fully distributed infrastructure that supports endless varieties of co-operation. The declarative Perspectives Language allows a model to translate instantly into an application that supports multiple users to contribute to a shared process, each with her own unique perspective. The project builds a reference implementation of the distributed stack that executes these models of co-operation, and makes the information concerned searchable. Real life is an endless affair of interlocking activities. Likewise, Perspectives models of services can overlap and build on common concepts, thus forming a federated conceptual space that allows users to move from one service to another as the need arises in a most natural way. Such an infrastructure functions as a map, promoting discovery, decreasing dependency on explicit search. However, rather than being an on-line information source to be searched, such as the traditional Yellow Pages, Perspectives models allow their users (individuals and organisations alike) to interact and deal with each other on-line. Supply-demand matching in specific domains (e.g. local transport) integrates readily with such an infrastructure. 
Other patterns of integrating search with co-operation support form a promising area for further research. >> Read more about A Distributed Software Stack For Co-operation PixelDroid — Share and browse photos in the fediverse with a mobile app PixelDroid is an Android client for Pixelfed, the federated image sharing platform based on W3C ActivityPub. Our goal is to bring the Pixelfed platform to Android and provide a mobile user experience that excites. We aim to provide feature-parity with the Pixelfed web client as well as add additional features - like image and video editing, capturing and uploading directly from the app. During the project we will also make it easy to use multiple accounts, even across different instances. Additionally, we want to contribute to the Pixelfed API with testing and additional documentation. >> Read more about PixelDroid Pixelfed — ActivityPub driven decentralised photo sharing platform Pixelfed is an open source and decentralised photo sharing platform, in the same vein as services like Instagram. The twist is that you can yourself run the service, or pick a reliable party to run it for you. Who better to trust with your privacy and the privacy of the people that follow you? The magic behind this is the ActivityPub protocol - which means you can comment, follow, like and share from other Pixelfed servers around the world as if you were all on the same website. Timelines are in chronological order, and there is no need to track users or sell their data. The project has many features including Discover, Hashtags, Geotagging, Photo Albums, Photo Filters and a few still in development like Ephemeral Stories. The goal of the project is among others to solidify the technical base, add new features and design and build a mobile app that is compatible with Mastodon apps like Fedilab and Tusky. 
>> Read more about Pixelfed Plaudit — Make good science discoverable through endorsements Plaudit is open source software that collects endorsements of scholarly content from the academic community, and leverages those to aid the discovery and rapid dissemination of scientific knowledge. Endorsements are made available as open data. The NGI Search & Discovery Grant will be used to simplify the re-use of endorsement data by third parties by exposing them through web standards. >> Read more about Plaudit Poliscoops — Make political news and online debate accessible PoliFLW is an interactive online platform that allows journalists and citizens to stay informed, and keep up to date with the growing group of political parties and politicians relevant to them - even those whose opinions they don't directly share. The prize-winning political crowdsourcing platform makes finding hyperlocal, national and European political news relevant to the individual far easier. By aggregating the news political parties share on their websites and social media accounts, PoliFLW is a time-saving and citizen-engagement enhancing tool that brings the internet one step closer to being human-centric. In this project the platform will add the news shared by parties in the European Parliament and national parties in all EU member states, showcasing what it can mean for access to information in Europe. There will be a built-in translation function, making it easier to read news across country borders. PoliFLW is a collaborative environment that helps to create more societal dialogue and better informed citizens, breaking down political barriers. >> Read more about Poliscoops Pomme d’API — Improvements around the Open Food Facts API Open Food Facts is an open and collaborative database of 3.5M food products from around the world. This project will improve the Open Food Facts API to make it easier for the 250+ apps and services that use it daily to access and contribute food products data. 
In particular, it will focus on providing easier means to contribute photos and data, better structured data, OpenAPI specifications, and extensive documentation. >> Read more about Pomme d’API pretalx — Open source tooling for events and conferences When attending events like conferences, visitors are often subjected to privacy-invading proprietary apps by organisers. With printed programmes typically no longer made available, visitors are put on the spot: either they install some unknown app and allow themselves to be tracked, or they don't know which sessions to attend. Pretalx is an open source project for events and conferences. It provides a Call for Proposals interface, tools for review (including fully double-blinded ones), scheduling, speaker communication, and attendee feedback. pretalx has a variety of plugins and can be self-hosted. This gives conference organisers, speakers and attendees complete control over the data they share. This project will completely redo the writable API of pretalx, making it a strong privacy-friendly option for any event being organised. Pretalx is one of the leading open source tools capable of handling the full organisation of events from Call for Proposals to user feedback, and is used by many large open source events already (MozFest, FOSDEM, Pycon, NSEC, etc). >> Read more about pretalx Private Searx — Add private resources to the open source Searx metasearch engine Searx is a popular meta-search engine letting people query third party services to retrieve results without giving away personal data. However, there are other sources of information stored privately, either on the computers of users themselves or on other machines in the network that are not publicly accessible. To share it with others, one could upload the data to a third party hosting service. However, there are many cases in which it is unacceptable to do so, because of privacy reasons (including GDPR) or in case of sensitive or classified information. 
This issue can be avoided by storing and indexing data on a local server. By adding offline and private engines to searx, users can search not only on the internet, but on their local network from the same user interface. Data can be conveniently available to anyone without giving it away to untrusted services. The new offline engines would let users search in the local file system, open source indexers and databases all from the UI of searx. >> Read more about Private Searx Protomaps — Self-hostable maps based on OpenStreetMap data Protomaps is a free and open source map of the world, deployed as a single file you can host yourself. It enables interactive, zoomable mapping applications with only static storage and HTTP Range Requests. It uses the OpenStreetMap dataset as a primary source; its configurable toolchain can create maps with specific areas, custom data, and different cartographic styles. It’s used in earth science, journalism and the public sector. Protomaps has no vendor lock-in, permits end-to-end data sovereignty, and can ensure end-user privacy. >> Read more about Protomaps Re-isearch Schmate — Extending re-Isearch with a flat vector datatype for embeddings Schmate is the development name for the evolving next iteration of re-Isearch adding vector datatypes for embeddings and applications like retrieval augmented generation (RAG). Schmate (pronounced \"SHMAH-teh\") is Yiddish for rag (שמאטע). In contrast to typical vector stores the proposed re-Isearch+ shall offer a full passage information retrieval system (index and retrieval) using a combination of dense and sparse vectors as well as structure. It is dense passage retrieval (DPR) and a whole lot more. 
It addresses the stumbling blocks of chunking, has a tight integration of ingest, tokenisation, a number of alternative vector stores and similarity algorithms and, above all, uses a novel combination of understanding document structure (implicit and explicit) to provide a better contextual passage retrieval to solve the problem of misaligned context. This builds on the observation that meaning is also communicated through structure so needs to be viewed in the context of structure. Since structure, like the words, is meant by the sender (writer) to be received and understood (reader), our approach is to exploit the original author's organization of content to determine appropriate passages rather than relying solely on the chunks. >> Read more about Re-isearch Schmate Re-isearch — Vectorise text with a flexible unit of retrieval Project re-isearch: a novel multimodal search and retrieval engine using mathematical models and algorithms different from the all-too-common inverted index (popularized by Salton in the 1960s). The design allows it to have no limits on the frequency of words, term length, number of fields or complexity of structured data and support even overlap, where fields or structures cross each other's boundaries (common examples are quotes, line/sentences, biblical verse, annotations). Its model enables a completely flexible unit of retrieval and modes of search. Initial project outcome: a freely available and completely open-source (and multiplatform) C++ library, bindings for other languages (such as Python) and some reference sample code using the library in some of these languages. >> Read more about Re-isearch Great OCR for SANE — Integrate OCR capabilities into open source scanning tools We have become dependent on search engines, allowing us to locate a document using some specific words across billions of webpages. However, not every document is born digital - or may reach the web via an indirect way. 
And users with, for instance, visual disabilities cannot read documents that are 'just' pixels. The SANE project is a collection of open-source scanner drivers and related software. SANE tools allow the users to convert their documents, photos and any other similar material from a completely unsearchable and non-discoverable analog form into a digital representation, which can be easily shared and distributed. The SANE-OCR project enables users to close the gap right at the stage when physical documents are converted from their incoming \"analog\" form to a searchable digital form - using a completely open-source stack. While the traditional result of scanning is just the visual image (essentially a photo), with SANE-OCR the result in addition contains the text recognized using optical character recognition (OCR). This outputs documents which are searchable and discoverable. >> Read more about Great OCR for SANE SIP RELOAD — REsource LOcation And Discovery, a peer-to-peer (P2P) signaling protocol SIP is a mature internet technology to establish sessions of any type across the internet. RELOAD stands for REsource LOcation And Discovery and is a peer-to-peer (P2P) signaling protocol standardised in IETF that provides its clients with an abstract storage and messaging service between a set of cooperating peers that form an overlay network. RELOAD defines a security model based on a certificate enrollment service that provides unique identities. NAT traversal is a fundamental service of the protocol. The goal is to implement a P2P communications network based on IETF standards that allows people to communicate securely without the traditional interposed third parties like SIP service providers. 
This is done both by establishing direct encrypted channels between the participants as well as using digital identities based on X509 certificates to identify the participants in a conversation, which will prevent third parties from inserting themselves into the conversation by attempting to impersonate one of the participants. The outcome would be a working RELOAD implementation, with a functional backend for connecting and discovering peers based on their identity which is backed by an email address that will then also function as a working SIP address. >> Read more about SIP RELOAD SWH package manager Data Ingestion — Add Package managers to Software Heritage Software Heritage's ambition is to collect, preserve, and share all software that is publicly available in source code form. In this project we improve the SWH scanner tool which compares any set of files with the SWH archive. This is very useful for detecting license violations or security issues. The goal of the project is to take the scanner from a research prototype to a widely available and usable tool. This involves work around its packaging, user interface, robustness and performance. We will be re-purposing the advanced graph-comparison algorithm from the Mercurial DVCS to minimize the load to the SWH archive. We will also expand the list of existing source code origins: we will create new listers and loaders for Maven, Go, Packagist, RubyGems, Bower, CPAN and pub.dev/Dart package managers. >> Read more about SWH package manager Data Ingestion Storing Efficiently Our Software Heritage — Faster retrieval within Software Heritage Software Heritage (https://www.softwareheritage.org) is the single largest collection of software artifacts in existence. But how do you store this in a way that you can find something fast enough, taking into account that these are billions of files with a huge spread in file sizes? 
\"Storing Efficiently Our Software Heritage\" will build a web service that provides APIs to efficiently store and retrieve the 10 billions small objects that today comprise the Software Heritage corpus. It will be the first implementation of the innovative object storage design that was designed early 2021. It has the ability to ingest the SWH corpus in bulk: it makes building search indexes an order of magnitude faster, helps with mirroring etc. The project is the first step to a more ambitious and general purpose undertaking allowing to store, search and mirror hundreds of billions of small objects. >> Read more about Storing Efficiently Our Software Heritage Adera — Relevant scientific research results The project summary for this project is not yet available. Please come back soon! >> Read more about Adera searx — A privacy-respecting, hackable metasearch engine Searx (/sɜːrks/) is a free metasearch engine, available under the GNU Affero General Public License version 3, with the aim of protecting the privacy of its users. Across all categories, Searx can fetch and combine search results from more than 80 different engines. This includes major commercial search engines like Bing, Google, Qwant, DuckDuckGo and Reddit, as well as site-specific searches such as Wikipedia and Archive.is. Searx is a self hosted web application, meaning that every user can run it for themselves and others - and add or remove any features they want. Meanwhile, numerous publicly accessible instances are hosted by volunteer organizations and individuals alike. The project will consolidate the many suggestions and feature requests from users and operators into the first full-blown release (1.0) for Searx, as well as spend the necessary engineering effort in making the technology ready for even wider deployment. 
>> Read more about searx Dynamic indexing for real time graph database — Provide faster query results through algorithmic preprocessing Based is an open source real time data platform with a suite of features that help developers build more performant applications faster and with more flexibility. It’s built on a self-developed real time graph database and the WebSocket protocol to ensure performance and scaling. One of the features is an automatic indexing system that keeps track of frequently performed queries by monitoring a set of (real time) parameters and assigning values to queries, that in turn inform which parts of the graph to index. This index has to work with the Based real time graph database and optimise its performance, which means the index also has to be aware of any changes in schema structure or updates in indexed data. This is achieved through the existing subscription engine in Based. Our hope is that this project can lay the groundwork for more efficient indexing systems for all graph databases. >> Read more about Dynamic indexing for real time graph database Software Heritage — Collect, preserve and share the source code of all software ever written Software Heritage is a non profit, multi-stakeholder initiative with the stated goal to collect, preserve and share the source code of all software ever written, ensuring that current and future generations may discover its precious embedded knowledge. This ambitious mission requires proactively harvesting from a myriad of source code hosting platforms over the internet, each one having its own protocol, and coping with a variety of version control systems, each one having its own data model. This project will, among other things, help ingest the content of over 250000 open source software projects that use the Mercurial version control system that will be removed from the Bitbucket code hosting platform in June 2020. 
>> Read more about Software Heritage Sonar: a modular peer-to-peer search engine — Modular peer-to-peer search engine Sonar is a project to research and build a toolkit for decentralized search. Currently, most open-source search engines are designed to work on centralized infrastructure. This proves to be problematic when working within a decentralized environment. Sonar will try to solve some of these problems by making a search engine share its indexes incrementally over a P2P network. Thereby, Sonar will provide a base layer for the integration of full-text search into peer to peer/decentralized applications. Initially, Sonar will focus on integration with a peer-to-peer network (Dat) to expose search indexes securely in a decentralized structure. Sonar will provide a library for creating, sharing, and querying search indexes. A user interface and content ingestion pipeline will be provided through integration with the peer to peer archiving tool Archipel. >> Read more about Sonar: a modular peer-to-peer search engine sourcehut — Graph query support for software development platform SourceHut is a free-software platform providing infrastructure for free-software projects, providing hosted repositories, mailing lists, bug trackers, real-time chat tools, and continuous integration infrastructure, among other services, and facilitating collaboration and project discovery via a federated project index. SourceHut focuses on performance, accessibility, and robustness, and since 2018 has provided a reliable platform supporting the thousands of FOSS projects that depend on its services. The NLnet project will expand the integration between SourceHut services, and between SourceHut and independently operated third-party services, primarily through the development of a comprehensive federation of GraphQL APIs. 
>> Read more about sourcehut Space Tube — Group-to-group instant messaging Space Tube is a service utilising the Matrix protocol to allow groups to communicate with other groups. A group member adds the Space Tube bot to their shared chat platform e.g. discord server, slack organisation, element space etc, then they can create a channel (or tube) that sends messages to and from another group's chat platform. This allows groups to form relationships as groups that don't rely on individual people within those groups connecting them together. These group relationships can then scale to much larger directly participatory structures. This project will automate the process of creating tubes so that it can be done in a few seconds by a non-technical user. It will also expand tube functionality by allowing tubes to connect more than two groups at once and providing links to a graphical interface to support more complex group interactions such as agreeing to proposals or sharing resources. >> Read more about Space Tube Stract — Explorative search engine Search has become an intrinsic part of the way we explore the web. Sadly as of late, most of the current search engines fail to live up to this responsibility. Stract is a fully open source, independent and user-centric search engine for the web. In short, our goal is to do web search right. The funding from NLnet will be used to improve the performance of our index, improve the performance of our web graph, adding a live index for news articles and blog posts and finally improving our currently insufficient documentation. >> Read more about Stract TALER Bullion — Infrastructure for GNU Taler Payments with non-fiat Currencies Depending on how you design a money system, its properties can be quite different. Regular currencies are typically steered towards (slight) inflation by the public bodies that steward them, by means of a gradual influx of money. This benefits \"active money\" (investors) which yields economic growth. 
Of course this also makes prices for consumers continually rise, and savings de-valuate over time in terms of purchasing power. The rate at which this devaluation takes place is a policy instrument, and of course one that should be used wisely. When these systems were first designed, money was backed up by physical assets such as gold and silver which offered more predictable long term purchasing power. Some users still prefer for their savings to be backed up by something of concrete value they own. GNU Taler is a well-designed system for (online) payments, and it is eminently suitable to trade (the ownership safely of) stored gold, silver and similar systems based on real value. Besides its obvious use case as a payment system for regular currencies, the system can also be used to revitalise gold and silver for storage and payment systems; they still exist today but are decoupled. The purpose of this project is to solve problems with trust relations, such as passing (the ownership of) gold or silver between vault operators, or between gold storage and payment systems so it can become practically useful money on an international scale, in service of people outside the financial industry. >> Read more about TALER Bullion GNU Taler Tryton/GNUHealth integration — GNU Taler module for Tryton ERP/GNU Health This project will develop a Tryton module which would allow users to integrate payments with GNU Taler into their financial workflow, whether from a webshop, a factory or a hospital. Tryton is a popular libre business management system used for e-commerce and enterprise resource planning. There are many modules for financial accounting, sales, inventory and stock, CRM, shipping, subscription management, etc. Existing payment provider integrations within Tryton are limited to specific proprietary payment providers, having a Taler based option would allow organisations to handle Taler based payments (incoming as well as outgoing). 
GNU Health (which is built on Tryton) provides a suite of libre alternatives for Hospital Management software, health information systems and electronic health records. Integration of privacy preserving payments with TALER in GNU Health will deliver a much needed contribution to medical privacy, providing the first digital alternative (next to cash payment) which allows patients to pay for their personal medical treatment and medication directly and with full discretion - keeping the doctor-patient privilege intact. >> Read more about GNU Taler Tryton/GNUHealth integration TOS;DR OTA backend — Integrate Terms of Service;Didn't Read with Open Terms Archive Open Terms Archive is a digital common that produces (since 2020) datasets of the evolution of contractual documents (Terms of Service, Privacy Policy…) over time, enabling analysis and comparison. It aims at shifting the power balance from big tech actors towards researchers, end users and regulators. The “Terms of Service; Didn't Read” (ToS;DR) project enables (since 2011) crowd-reading and rating of these same contractual documents. These documents are obtained from the web with a dedicated engine that stores them in a private database and suffers from lack of maintenance. The goal of the effort is to replace the historical ToS;DR crawler with the public Open Terms Archive datasets, thus increasing the reliability and auditability of the source data, since the annotations will be based on public datasets produced by replicable instances instead of being based on a one-off database used only by ToS;DR itself. This will also enable establishing a common data format for annotating documents. >> Read more about TOS;DR OTA backend GNU Taler wallet app for iOS — Mobile GNU Taler payments for portable Apple devices GNU Taler (Taxable Anonymous Libre Electronic Reserves) is a privacy-preserving electronic instant payment system that is fully free software. 
It uses electronic coins stored in wallets on customer’s device. Coins are like cash. Users can use Taler to pay in existing currencies (i.e. EUR, USD, BTC), or use it to for instance create new regional currencies. The Taler wallet is currently available as a browser-based WebExtension and as Android app, but not yet as iOS app. This project will develop a user-friendly and accessible iOS wallet app for the GNU Taler payment system. With the iOS Taler wallet app, users will be able to make payments with their iPhone -- similar to how they would use proprietary payments systems like Apple Pay. >> Read more about GNU Taler wallet app for iOS Transparency Toolkit — A decentralized hosted archiving service with search Transparency Toolkit is building a decentralized hosted archiving service that allows journalists, researchers, and activists to create censorship-resistant searchable document archives from their browser. Users can upload documents in many different file formats, run web crawlers to collect data, and manually contribute research notes from a usable interface. The documents are then OCRed (when needed) and indexed in a searchable database. Transparency Toolkit provides a variety of tools to help analyze and understand the documents with text mining, searching/filtering, and manual collaborative analysis. Once users are ready, they can make some or all of the documents available in a public searchable archive. These archives will be automatically mirrored across multiple instances of the software and the raw data will be stored in a distributed fashion. >> Read more about Transparency Toolkit HTML export for Typst — Markup based typesetting for multichannel publishing Typst is a markup-based typesetting system that is designed to be as powerful as LaTeX while being much easier to learn and use. Currently, Typst outputs documents only as PDF, yet there is strong demand for generating HTML. 
We want to extend Typst such that it can create high-quality HTML and PDF versions from the same document, which is currently not possible with comparable programs. As a result, Typst could be used in a variety of new scenarios, such as the generation of websites and e-books. Furthermore, this will improve the accessibility of the output documents. >> Read more about HTML export for Typst URL Frontier 2.0 — Enterprise features for URLFrontier URLFrontier provides a crawler-neutral API and service implementation for a crawl frontier, which can power various web crawlers independently from their implementation language and scalability. This API defines the operations that a web crawler typically does when communicating with a web frontier, e.g. get the next N URLs to crawl, update the information about URLs already processed, change the crawl rate for a particular hostname, get the list of active hosts, get stats, etc. The aim of this project is to turn what is currently a working piece of software (the result of an earlier grant from NGI Zero Discovery) into an enterprise-grade solution. The improvements will mainly concern the service implementation, e.g. monitoring/reporting, clustering/discovery and robustness/resilience. The project will improve the usability of the system by adding configurable logging and metrics reporting, improve the performance of the service for very large volumes of data by adding efficient parallelization across multiple nodes; and improve the overall robustness through more graceful failure modes and more efficient restarts. >> Read more about URL Frontier 2.0 URL Frontier — Develop an API between web crawler and frontier Discovering content on the web is possible thanks to web crawlers; luckily, there are many excellent open source solutions for this. However, most of them have their own way of storing and accessing the information about the URLs. 
The aim of the URL Frontier project is to develop a crawler-neutral API for the operations that a web crawler performs when communicating with a web frontier, e.g. get the next URLs to crawl, update the information about URLs already processed, change the crawl rate for a particular hostname, get the list of active hosts, get statistics, etcetera. It aims to serve a variety of open source web crawlers, such as StormCrawler, Heritrix and Apache Nutch. The outcomes of the project are to design a gRPC schema, then provide a set of client stubs from the schema as well as a robust reference implementation and a validation suite to check that implementations behave as expected. The code and resources will be made available under Apache License as a sub-project of crawler-commons, a community that focuses on sharing code between crawlers. One of the objectives of URL Frontier is to involve as many actors in the web crawling community as possible and get real users to give continuous feedback on our proposals. >> Read more about URL Frontier variation graph (vgteam) — Privacy enhanced search within e.g. genome data sets Vgteam is pioneering privacy-preserving variation graphs, which make it possible to capture complex models and aggregate data resources with formal guarantees about the privacy of the individual data sources from which they were constructed. Variation graphs relate collections of sequences together as walks through a graph. They are traditionally applied to genomic data, where they support the compression and query of very large collections of genomes. But there are many types of sensitive data that can be represented in a variation graph form, including geolocation trajectory data - the trajectories of individuals and vehicles through transportation networks. Epidemiologists can use a public database of personal movement trajectories to, for instance, do geophylogenetic modeling of a pandemic like SARS-CoV2. 
The idea is that one cannot see individual movements, but rather large scale flows of people across space that would be essential for understanding the likely places where an outbreak might spread. This is essential information to understand at scientific and political level how to best act in case of a pandemic, now and in the future. The project will apply formal models of differential privacy to build variation graphs which do not leak information about the individuals whose data was used to construct them. For genomes, the techniques allow us to extend the traditional models to include phenotype and health information, maximizing their utility for biological research and clinical practice without risking the privacy of participants who shared their data to build them. For geolocation trajectory data, people can share data in the knowledge that their social graph is not exposed. The tools themselves are not limited to the above use cases, and open the doors to many other types of applications both online (web browsing histories, social media usage) and offline. >> Read more about variation graph (vgteam) WeasyPrint — Print rendering engine for HTML and CSS WeasyPrint helps web developers create high quality print documents. It turns simple HTML pages into gorgeous statistical reports, invoices, tickets… From a technical point of view, WeasyPrint is a visual rendering engine for HTML and CSS that can export to PDF - independent from rendering engines like WebKit or Gecko. It aims to support web standards for printing. WeasyPrint is free software made available under a BSD license. The CSS layout engine is written in Python, designed for pagination, and meant to be easy to hack on. 
>> Read more about WeasyPrint Web Annotation — Building blocks for interoperable annotation systems The idea of web annotation is to support the creation and exchange of annotations on any visited page; thereby enabling people to make, share, and discover corrections, rebuttals, side-notes, or other contextually relevant resources. Using the W3C’s Web Annotation standard, and contributing to the incubating Apache Annotator project, this project works on modules and tools that facilitate a diverse ecosystem of interoperable annotation systems. >> Read more about Web Annotation XWiki — Bring wiki capabilities into the Fediverse XWiki is a modern and extensible open source wiki platform. Up until now, XWiki had been focusing on providing the best collaboration experience and features to its users. We're now taking this to the next level by having XWiki be part of the larger federation of collaboration and social software (a.k.a. fediverse), thus allowing users to collaborate externally. XWiki is embracing the W3C ActivityPub specification. Specifically we're implementing the server part of the specification, to be able to both view activity and content happening in external services inside XWiki itself and to make XWiki's activity and content available from these other services too. A specific but crucial use case, is to allow content collaboration between different XWiki servers, sharing content and activity. >> Read more about XWiki XR Fragments — Discover, reference, navigate and query 3D online content After the hype of early (and proprietary) virtual reality technologies like Second Life cooled down, there is recently a renewed push towards the “3D” web which uses virtual reality technologies (also marketed under new brand names like \"Metaverse\"). 
While many technological building blocks are meanwhile available, seamlessly surfing the 3D web however seems quite far away still for a simple reason — browsers exit fullscreen/WebXR mode when switching web addresses, essentially removing the immersive experience when navigating. While such a limitation comes from obvious security considerations, it also pushes VR/AR-Headset owners into walled gardens for a more pleasant experience. XR Fragments is developing a simple public protocol for networked 3D webrings to discover, reference, navigate and query 3D online content (read-only). This makes it possible to enable immersive 3D navigation, to liberate 3D content from being locked away inside games / walled gardens and to query objects inside 3D asset files, without the need of server-side backends. >> Read more about XR Fragments YaCy Grid SaaS — YaCy Grid Search-as-a-Service creates document crawling indexing functionality for everyone. Users of this new platform will be able to create their custom search portal by defining their own document corpus. Such a service is an advantage as a privacy or branding tool, but also allows scientific research and annotation of semantic content. User-group specific domain knowledge can be organized for custom applications such as fueling artificial intelligence analysis. This should be a benefit i.e. for private persons, journalists, scientists and large groups of people in communities like universities and companies. Instances of the portal should be able to support themselves financially: there is turn-key infrastructure to handle payments for crawling/indexing amounts as a subscription on a periodical basis while search requests are free for everyone. The portal will consist of free software, and users can download the portal software itself together with the acquired search index data - so everyone can start running a portal for themselves whenever they want. 
>> Read more about YaCy Grid SaaS Cpdf Accessibility — Implement PDF/UA in cpdf The Cpdf accessibility project extends the popular open-source PDF processing tool Cpdf to support PDF/UA (ISO 14289), the standard for accessible PDF. PDF/UA helps those with disabilities who use screen readers and other tools to navigate documents by tagging PDFs with metadata describing the logical structure of the content. Such metadata can also help all users by allowing reliable text re-flow, and better searching within documents. There is very little open-source tooling for accessible PDF at present, so this will represent a significant step forward. The work will involve adding functionality to Cpdf for the inspection and manipulation of existing PDF/UA files, and the creation of new ones from scratch. These tools will be useful to PDF/UA developers as well as to end users. >> Read more about Cpdf Accessibility cables.gl — Creative tool for graphics and 3D content Cables is a tool which allows people to create beautiful, interactive, visual web content without knowing how to type a line of code. Your work is easily exportable at any time, so you can embed it into your website, use it in an immersive VR experience, or integrate it into other kinds of creative output. Cables patches can be published, shared, copied and remixed by the entire community. This allows people to constantly learn new things from each other. By developing a standalone version that works outside of the browser, cables will open up even more for contributions from the open source community. It will be, at the same time, a development environment for contributors, and an offline version of the cables editor. As a side effect, using it with native modules on any major platform and operating system will open up a whole new area of how and where to use cables to create content. 
>> Read more about cables.gl dweb-search — Index DHT based distributed webs dweb-search is a Free and Open Source (FOSS) search engine for directories, documents, videos, music on the Interplanetary Filesystem (IPFS), supporting the creation of a decentralized web where privacy is possible, censorship is difficult, and the internet can remain open to all. This project implements a publicly accessible IPFS thumbnail service and creates a UI specifically to explore music or videos. >> Read more about dweb-search elRepo.io - Resilient, distributed content sharing — Resilient, human-centered, distributed content sharing and discovery. In this project AlterMundi and NetHood collaborate to develop a critical missing part in decentralized and distributed p2p systems: content search. More specifically, this project will implement advanced search for elRepo.io, the self-hosted and distributed culture-sharing platform currently under active development by AlterMundi and partners. Search functionalities will expand on the already proven coupling of the libxapian searching and indexing library and turtle routing. The distributed search functionality will be implemented to be flexible and modular. It will become the meeting point of three complementary threads of on-going work: Libre technology and tools for building Community Networks (LibreRouter & LibreMesh), fully decentralized, secure and anonymous Friend2Friend software (Retroshare), and a transdisciplinary participatory methodology for local applications in Community Networks (netCommons). >> Read more about elRepo.io - Resilient, distributed content sharing mCaptcha — Privacy-friendly Proof of Work (PoW) based CAPTCHA system Existing CAPTCHA systems expect visitors to identify objects to prevent spam, which makes the web inaccessible to persons with cognitive, auditory, and visual special needs. 
They log Internet Protocol (IP) addresses and use tracking technologies, like cookies, to track and profile their users across the internet. IP logging and cookie-based tracking are privacy-invasive, inaccurate, and impossible to use with anonymizing technologies like Tor and VPNs. Censors can abuse the opaque nature of these systems to prevent certain groups from accessing certain types of information. Independent testing for bias is not possible since the documentation doesn't exist for their methods and algorithms. mCaptcha is an attempt at creating a self-hosted alternative to reCAPTCHA and hCaptcha with a focus on privacy, transparency, user experience, and accessibility. mCaptcha’s Proof of Work (PoW) mechanism uses strong cryptographic principles that guarantee idempotency and transparency. mCaptcha doesn’t log IP addresses and doesn’t require tracking user activity across the internet. Censors can’t use mCaptcha to deny access to information without detection. Also, the PoW mechanism requires minimal user interaction to solve the CAPTCHA, which will significantly improve the accessibility of the web. >> Read more about mCaptcha "},{"description":" VPN Fund Supporting the development of reliable, libre VPN technologies This page contains a concise overview of projects funded by NLnet foundation that belong to VPN Fund (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. Let's Connect VPN provisioning — Preprovisioning VPN profiles for managed devices Let’s Connect VPN (aka eduVPN) is a community-driven open source software initiative to help lead the way to reliable, performant and trustworthy VPN technologies. The project provides a full open-source VPN framework currently designed on top of OpenVPN and WireGuard. 
If organisations or communities are interested in deploying eduVPN in a large scale environment, it should be trivial to have the software pre-installed including credential rollout. This project will examine how to better, more easily, support large scale Let's Connect and EduVPN rollouts. >> Read more about Let's Connect VPN provisioning VPN Vulnerability Testing Suite — Test VPN implementations for network based attacks Recent publications have brought attention to vulnerabilities in most VPN implementations when faced with a network-based attacker leveraging attacks such as TunnelVision and TunnelCrack, among others. In light of these publications, this project develops a testing suite that covers every known edge case, allowing for a one-stop straightforward yet complete evaluation of whether a particular VPN client implementation is susceptible to said vulnerabilities. The testing framework will be delivered as an open-source software component, free to be used and altered. The framework will also be extended with various attack variants that are not directly covered under the original TunnelCrack and TunnelVision research, such as behavior when operating on hostile IPv6 networks, and the recovery behavior after being subject to service interruption by an attacker. By integrating these tests into e.g. continuous integration and delivery infrastructure, developers of VPN applications can sustainably harden their software against these attacks. >> Read more about VPN Vulnerability Testing Suite eduP2P Test Suite — System, integration and performance tests for eduP2P eduP2P is a peer-to-peer (P2P) VPN solution based on WireGuard. 
This project will develop a comprehensive test suite for eduP2P, consisting of three types of tests: system tests (that verify whether it is possible to establish P2P connections using eduP2P when the addresses of peers have undergone Network Address Translation), integration tests (that verify the functionality of smaller components of eduP2P in isolation by testing the source code), and performance tests (that measure metrics such as the throughput, delay and packet loss of an eduP2P connection). The test suite makes the continued development of eduP2P easier by making it possible to discover and fix functionality and performance issues present in eduP2P. >> Read more about eduP2P Test Suite eduVPN Accessibility & UX Improvements — Inclusive and user-friendly design for eduVPN The goal of this project is to improve the user experience (UX) and accessibility of eduVPN and Let's Connect. This includes analysing the full digital ecosystem of both projects, meaning mobile and desktop apps as well as websites. The goal is to achieve a consistent and WCAG 2.1 (AA)-compliant user experience across the various platforms. This includes expert review, small-scale in-person user testing and remote larger-scale testing to improve overall accessibility and usability. The expected outcome is a set of UI redesigns ready for implementation by the developers. >> Read more about eduVPN Accessibility & UX Improvements eduVPN app — Add Wireguard protocol to federated VPN suite Let's Connect aims to provide a comprehensive and reliable, open source VPN solution for all platforms. For the codebase containing the Mac/iOS implementation of the EduVPN app a continuous integration setup is needed, which should be inspectable by the wider internet community and based on open and/or freely available tooling. 
Furthermore, the iOS and Mac apps of Let's Connect/EduVPN should rely on as few third party dependencies as possible - as such dependencies introduce risk, for example due to bugs or dependency poisoning. This project will set up the CI infrastructure and prune the dependencies to reduce the attack surface of the app. >> Read more about eduVPN app eduVPN on Apple — eduVPN for Apple devices eduVPN is a program under the Commons Conservancy, a not-for-profit foundation focusing on free and open source projects. The goal of the project is to provide a comprehensive and reliable, open source VPN solution for all platforms. This project aims to improve the security and usability of the macOS and iOS apps. >> Read more about eduVPN on Apple eduVPN on Apple part II — Improved version of eduVPN for Apple devices eduVPN is a program under the Commons Conservancy, a not-for-profit foundation focusing on free and open source projects. The goal of the project is to provide a comprehensive and reliable, open source VPN solution for all platforms. The project is plagued by some nasty bugs that have been found hard to fix by the community. This particular project aims to deliver a new and more user-friendly user interface for the macOS and iOS apps, as well as implement a new server discovery mechanism in these apps. >> Read more about eduVPN on Apple part II eduVPN multi-protocol — Review of the eduVPN multi-protocol project. The eduVPN framework is currently built on top of OpenVPN 2.x. A new design will be delivered in order to accommodate WireGuard next to OpenVPN. WireGuard is a very simple, fast and modern VPN that utilizes state-of-the-art cryptography. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform and widely deployable. 
>> Read more about eduVPN multi-protocol ","url":"https://nlnet.nl/thema/VPNFund.html","title":"VPN Fund"},{"title":"User-operated Internet Fund","url":"https://nlnet.nl/thema/User-operatedInternetFund.html","description":" User-operated Internet Fund Allow users to collectively own, operate and rewrite every aspect of the technology and network infrastructure they depend on. This page contains a concise overview of projects funded by NLnet foundation that belong to User-operated Internet Fund (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. The User-Operated Internet fund is aimed at establishing technology commons which allow users of the internet to operate and improve every part of the technologies they depend on. This ranges from free and open source software to open hardware, so feel free to check them out and use whatever you find in whatever way you need - everything is licensed in such a way that you can study, use, modify and share them. The User-operated Internet Fund is made possible with financial support from the PKT Community/ The Network Steward and stichting Technology Commons Trust. Interested in applying for a grant yourself? Check our active theme funds, such as NGI Zero Commons Fund, NGI Fediversity or NGI TALER. Applications to this particular fund are currently closed and no new projects are accepted for now. Donate to help us fund more projects like these. Armbian — Versatile OS for ARM-based single board computers ARM-based single board computers, first popularised by the Raspberry Pi, have resulted in an ever increasing ecosystem of small computing platforms that are low-cost yet increasingly powerful. This makes them popular with many computer enthusiasts and electronics tinkerers, also in low-income regions of the world. 
Armbian Linux provides an actively maintained and optimised Linux operating system for these devices, based on the Debian family of operating systems. This uniform base allows the devices to function as e.g. a router, the core of a 3d printer or as the heart of a low-cost laptop. Armbian has a unique custom image building tool. In this project, the Armbian community will create a new generation of armbian-config - the critical core component that configures the hardware and software features. >> Read more about Armbian Canarytail — Warrant canary standardization and automation As decentralised internet access provisioning and cloud services become more widely available and user-operated, more and more people will be forced to compromise the security of their users through various forms of legal coercion. A common form of such coercion across the world is a so-called 'gag order': an operator of an infrastructure of interest (for instance a community network or small ISP) is secretly forced into giving wiretap access, and their lips are sealed because of the risk of a severe penalty of sometimes years of imprisonment. In other cases, raids may have been conducted on hardware and operating premises, meaning a service is no longer trustworthy at all. Obviously, depending on where you live or what you do, such a compromise can endanger the lives and safety of many. In most countries it may be the case that one can be legally forced not to speak or write about such a violation of the integrity of a service or network, but one cannot be forced to actively lie either (\"you have the right to remain silent\"). One proven effective means of countering this kind of attack on services is therefore to continually publish \"all is well\" statements, until something happens - at which point the reassuring statements dry up, and users are warned. 
Canarytail tracks, documents and automates these statements, and is an attempt to standardise this important safety net for users of any service - decentralised or not. >> Read more about Canarytail CeroWRT II — Make Wi-Fi routers faster and more reliable When we go on the internet these days, we often forget or even don't know what gets us there. Hidden in our broom closets and underneath the sofa, there are physical devices like wireless home routers that can make a big difference in how good our internet connection really is. This project is about upgrading the quality, security, and queue management of home routers - continuing the work of Cerowrt that successfully re-architected the Linux WiFi stack to include pioneering new Flow Queueing (RFC8290) algorithms that successfully reduced working latencies for WiFi at all rates and ranges by 10x or more. This improved throughput under contention by a lot. Since then, in addition to support in all 3rd party Linux-based router firmwares, like OpenWrt, a multiplicity of commercial products such as those from eero and Evenroute appeared based on these technologies, and the same algorithm was also adopted by Apple in iOS and OSX. Meanwhile there have been two new generations of WiFi, dozens of Linux kernel releases, new drivers and abstraction support for new chipsets, vendor offloads (such as those from Qualcomm) and other separate re-implementations, and many new features added elsewhere in the stack. The core make-wifi-fast project members, led by Dave Taht, will investigate and explore and extend the state of WiFi anno 2021, and investigate whether these algorithms are still working as intended, what new problems have cropped up, and to add in new features and methods polished since the last release cycle. 
>> Read more about CeroWRT II Telecommunication in HF over Internet Protocol (IPoHF) — High-throughput software-defined wireless telecommunications This project will develop a software-defined wireless telecommunications system optimized for IP transport on the High Frequency (HF) band for very long distance links using ionospheric propagation. The system will be composed of a software-defined modem with different bandwidth options and modulation variations, which can adapt to propagation conditions and spectrum availability. The media access control and data-link layer will be developed with a focus on optimizing the transport of IP packets for lower latency and higher throughput. IP-based services performance on top of the proposed system will be evaluated and tuned. Also, security aspects will be considered for a secure automatic link establishment procedure. In order to provide the highest possible throughput when considering the available spectrum, a cognitive channel selection and link aggregation sub-system will be implemented. The software stack will be designed to be easily integrated to any wideband HF transceiver paired with an embedded processing unit, while the IP-based network applications will need no modification. Rhizomatica has designed a wideband HF transceiver to take advantage of the proposed software. >> Read more about Telecommunication in HF over Internet Protocol (IPoHF) KiCad — Professional open source electronics design application KiCad is a free and open source electronics design application (EDA) that can handle everything from the most basic schematic to a complex hierarchical design with hundreds of sheets. It allows electronics designers to use a toolchain that itself is technically transparent, and that can be customised when needed. KiCad has already been successfully used for key open hardware projects such as the LibreRouter, the HackRF, MNT Reform and UPSAT. 
This project will contribute to furthering the mission of providing professional level tools for users who design electronics for a living. >> Read more about KiCad Local Production of Antennas for LibreRouter (LoPaLiR) — Reliable open hardware Antennas for LibreRouter Community networks are telecommunication networks that are owned and operated by their users, which is probably the only way forward for the half of the world's population that has so far remained unconnected because of lack of market or state interest. The LibreRouter.org, an open source hardware and software wireless router for inclusive community networks, represents a leap forward in the adoption of community networks, as networking skills are usually not present and difficult to achieve in these regions. One aspect of successful deployment - and thus a more rich and diverse internet - is reliable, low cost antennas. This project aims to fill this niche, as there isn't currently a suitable open hardware MiMo antenna design with the right gain and manufacturing features. Most open designs are not MiMo. By creating this design under the CERN-OHL license and collaborating with INTI (the Argentina National institute of industrial technology) a reliable design will be made that allows for replicable local production of high quality antennas. >> Read more about Local Production of Antennas for LibreRouter (LoPaLiR) LTE support in OsmoCBC (Cell Broadcast Centre) — Open source Cell Broadcast Centre for mobile networks While having decent internet access is a commodity in some countries, in other parts of the world this is certainly not the case. When you want to run your own telecom infrastructure to change that, there are not that many options. The Osmocom project (Open Source Mobile Communications) is probably the most advanced open source solution available today. Reaching basic connectivity was a major step, but as users start to depend on this they need other facilities. 
One such facility is a Cell Broadcast Centre (CBC), which is the central entity in 3GPP wireless networks taking care of all Cell Broadcast and Emergency Warning messages. This includes messages for WEA (Wireless Emergency Alert), KPAS (Korean Public Alerting System), ETWS (Earthquake and Tsunami Warning System), EU-ALERT, NL-ALERT and other related systems. OsmoCBC is the only open source CBC ever implemented - but it only implements support for 2G/GSM networks, and not for 4G/LTE. Through this project 4G/LTE support will be added to OsmoCBC, so that operators of at least research, private or rural autonomous networks built on FOSS can notify their subscribers in case of emergencies. >> Read more about LTE support in OsmoCBC (Cell Broadcast Centre) GPRS/EGPRS support in Osmocom CNI for Ericsson RBS — While some parts of the world are phasing out 2G and 3G networks, the deprecated base stations get a second life in other parts. However, usage patterns have changed: while at the time people were mostly satisfied with phone calls, these days internet access is key. The Osmocom project makes it possible to run a fully open source stack on old base stations. This project will implement GPRS and EDGE support. Especially the latter is important as it makes it possible to deliver much higher bit-rates per radio channel, resulting in a threefold increase in capacity and performance compared with an ordinary GSM/GPRS connection. These refurbished and decommissioned base stations are the primary platform for community-owned-and-operated rural cellular networks such as those operated by Telecomunicaciones Indigenas Communitarias (TIC AC) and Rhizomatica. 
>> Read more about GPRS/EGPRS support in Osmocom CNI for Ericsson RBS Open source ePDG for VoWiFi — Enhanced Packet Data Gateway for mobile infrastructure This project from the Osmocom community delivers an important contribution towards a fully open source mobile infrastructure, by implementing the first open source Enhanced Packet Data Gateway or ePDG. Inside the 3GPP cellular network architecture, the ePDG is the interface between the operator network and the public internet. Phones connect to the gateway in order to use VoWiFi (voice over WiFi) services. ePDG sits between the phone and the IMS core (same for VoLTE, VoWiFi and VoNR in 5G), and acts primarily as an IPsec gateway with ISIM card based authentication and key generation. With efforts underway to create a fully open source FOSS based 4G network with a FOSS based IMS core with VoLTE functionality, having a FOSS ePDG is the only missing part for operating VoWiFi from FOSS. >> Read more about Open source ePDG for VoWiFi Pion — Network congestion measurement for adaptive real-time applications Network congestion heavily impacts real-time applications such as the popular video conferencing tools based on WebRTC, which we all have come to rely on during the SARS-CoV-2 pandemic. WebRTC is an IETF protocol that allows bi-directional P2P communication. Two peers find the best route to connect, even if they are both using a browser. This allows users to host their own conferences and share files directly from their browser. WebRTC is used by projects like Tor, IPFS and Galene. Open source efforts in this space lack good congestion control, which allows quality to be adjusted to available bandwidth, meaning that all users will have a better experience. Large companies consider their proprietary congestion controller a strategic asset, and don't readily share information on how it works. Pion is a fast and performant implementation of WebRTC, written in Go. 
This project will provide a way to measure the network quality, and adjust it to available bandwidth - and will document all the steps needed in order to empower other Open Source WebRTC projects. >> Read more about Pion RADIUSdesk — Open wifi mesh deployment application RADIUSdesk and MESHdesk help to set up and manage mesh networks at scale, and are open source from top to bottom. They can be used in tandem to provide public wifi, or set up mesh networks as well as community networks. Allowing someone to flash a cheap access point and then managing it irrespective of the hardware vendor offers great opportunity for poorer communities to enable themselves in terms of providing Internet access. Existing hardware that reached end-of-life can be managed in a similar way (often much simpler) than what the vendors offer. Because there is a RADIUS server included, there is a single integrated system which is able to manage connections as well as the hardware. This enables anyone to set up an end-to-end system that can provide Internet access, with OpenStreetmap integration, alerts, and other advanced features. >> Read more about RADIUSdesk "},{"url":"https://nlnet.nl/thema/Softwareengineering.html","title":"Software engineering","description":" Software engineering Software engineering, protocols, interoperability, cryptography, algorithms, proofs This page contains a concise overview of projects funded by NLnet foundation that belong to Software engineering (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. 0KNOW — Group Theoretic Zero-knowledge Proofs (0KNOW) Zero-knowledge proof (ZKP) systems help principals verify the veracity of a piece of information without sharing the data. 
The overall goal of 0KNOW is to develop a lightweight group-theoretic zero-knowledge proof (GT-ZKP) system that can be employed as a cryptographic primitive in many security protocols such as identification, authentication, or credential ownership. They are widely used to preserve confidentiality and ownership of data. GT-ZKP can be seen as a reusable building block for making the future internet trustworthy and secure. In 0KNOW, we will focus on NP group-theoretic problems and design GT-ZKP by finding an appropriate platform group based on the selected difficult problem considering its applicability in the post-quantum era and we will develop an open-source implementation of GT-ZKP. >> Read more about 0KNOW Accessible security — Integration effort of independent security efforts like Qubes, Heads, coreboot, etc The \"Accessible security\" project's initiative was sparked by the need for usable security made available to the average citizen. Several projects are contributing a part of this bigger puzzle: QubesOS, coreboot, Heads, me_cleaner, Whonix and others. Yet the average person does not have the sophistication to integrate these software projects. With some effort we can add some missing parts, help the affected projects' usability, and facilitate access to cutting-edge developments, currently only usable by developers and more sophisticated users. Bringing these projects together will reduce the amount of expertise and effort required to benefit from these projects. >> Read more about Accessible security Aiohttp type checking — Improve typechecking for Aiohttp HTTP Client/Server framework aiohttp is a widely used asynchronous HTTP Client/Server framework for async IO within the popular Python language ecosystem. The advantage of asynchronous frameworks is that they don't block the client while the server processes HTTP requests. Instead, the user can do other operations client side. 
This grant will improve the coverage for type annotation of the Python test code of its dependencies, providing a more robust framework to downstream users and developers alike. >> Read more about Aiohttp type checking Alive2 — Translation validation for LLVM Modern compilers, such as LLVM, perform advanced optimizations to improve performance and reduce binary size of programs. However, getting these optimizations correct is very challenging: there are many corner cases, tricky issues with undefined behavior, modular arithmetic, and so on. On the other hand, programs rely on compilers being correct. A single bug in the compiler may introduce security vulnerabilities in the compiled programs. Alive2 aims to solve this issue by verifying that LLVM is correct. It is an indispensable tool for compiler developers and for anyone that wishes to validate the compilation of their program. >> Read more about Alive2 Ari — Purely functional programming language designed to \"type\" binary files Ari is an early research project designed to make binary files more accessible. It's a purely functional programming language and library intended to act as foundation for building developer tools that can manipulate arbitrary binary files. It can be used as a basis for building a structural binary differ, or a tree-based editor for directly editing binary files. It aims to reach this goal by tackling the biggest obstacle with binary data: the need for implicit format-specific knowledge to understand how binary files are structured. Over time, we'll build up a repository of file formats encoded in Ari (called \"Ari types\"), which can then be used to compile a \"type radix tree\" from any given set of Ari types. This \"type radix tree\" will be used as an efficient way to interpret a single file as multiple formats at once, while trimming out invalid interpretations along the way of parsing. 
Ari fundamentally differs from existing approaches like Kaitai Struct, GNU poke, and even parser generator tools like Tree-sitter in that it's heavily based around the combination of algebraic type theory & set theory and sits in-between a data specification language that doesn't have support for functions, and a fully Turing complete language that has no guarantee of halting. The plan is to work together with these other projects as they each have their own unique approach that Ari isn't focused on, whereas Ari is more of a research project intended to explore what's possible. >> Read more about Ari Authenticated DNSSEC bootstrapping — Secure in-band announcements of DNSSEC parameters Turning on DNSSEC for a domain involves (1) signing the domain's DNS zone content and (2) adding the signature public key to the chain of trust. The second step has long posed a problem, as it requires (often manual) transfer of information from the domain's operator to the parent (usually the top-level domain). It is largely due to this \"DNSSEC bootstrapping problem\" that only about 6% of the Top 1M domains are securely delegated (Tranco, 06/2022). The project extends commonly used authoritative nameserver software with native support for authenticated DNSSEC bootstrapping (draft-ietf-dnsop-dnssec-bootstrapping). This protocol, meanwhile published as RFC 9615 by IETF, allows DNSSEC parameters to be communicated automatically and securely, enabling DNS operators and parent registries to turn on DNSSEC automatically. To measure the protocol's impact on real-world DNSSEC deployment, measurements of protocol adoption over time will be made available. >> Read more about Authenticated DNSSEC bootstrapping Autocrypt for Thunderbird — Make email encryption extremely simple Autocrypt is a specification that provides guidance for e-mail clients on how to achieve a seamless user experience. It does so by transparently exchanging keys, almost entirely automating public key management. 
This reduces the UI to \"single click for encryption\". The project will create an extension for the Thunderbird e-mail client that brings this experience to its users. The goal is to provide a new extension with a streamlined user experience that requires as little user interaction as possible, without \"poweruser\" features and performing practical user testing to identify open pain points. The extension will be based on OpenPGP.js, since this can be packaged directly. This will simplify installation and maintenance a great deal. >> Read more about Autocrypt for Thunderbird BIDS: Binary Identification of Dependencies with Search — Identify known open source elements present in binaries Embedded device firmware is assembled from many FOSS package dependencies. Knowing which dependencies have been used is essential for security and licence compliance. However this is a complex task for native ELF binaries built from languages such as C/C++ that do not have package managers for metadata and simpler conventions for bytecode like Java or Python. The BIDS (Binary Identification of Dependencies with Search) project will build a tool (in Python) to analyse ELF binaries and find dependencies contained and built in these binaries. The BIDS project will deliver tooling to analyse ELF binaries and extract key features and store these for indexing, tooling to index these binary features in a search engine using inverted indexing, and a query tool and library to process large binaries to query this inverted index. The latter will return results as lists of ranked FOSS packages and files found to be present in the analysed binary. The data and tools will also be packaged to allow for further integration and reuse by other FOSS tools and analysis pipelines. 
>> Read more about BIDS: Binary Identification of Dependencies with Search Back to source: trust but verify all the packages — Analysis pipeline for mapping and cross-referencing binaries with source code Sometimes, the released binaries of an open source package do not match its source code. Or the source code does not match the code in a version control repo. There are many reasons for this discrepancy, but in all cases, this is a potential serious issue as the binary cannot be trusted. Additional (or different) code in the binary could be malware or a vector for unknown software vulnerabilities, or create FOSS license compliance issues. Back to source creates analysis pipelines to systematically map and cross-reference the binaries of a FOSS package to its source code and source repository and report discrepancies. We call this the deployment to development analysis (d2d) to map deployed code (binaries) to the development code (the sources) and plan to apply this \"trust but verify\" approach to all the binaries! >> Read more about Back to source: trust but verify all the packages Bertie — Formally verified TLS 1.3 implementation The security of the Web ecosystem relies crucially on Transport Layer Security (TLS) protocol, but despite years of study, cryptographic weaknesses and implementation bugs in TLS implementations continue to be found on a regular basis. Bertie is a high-assurance TLS 1.3 implementation written in a subset of Rust called hacspec. Bertie uses the formally verified HACL* cryptographic library and its protocol code can be verified using the F* framework. Hence, it offers strong guarantees from the crypto layer up to the protocol API. The funding from NLnet will be used to stabilise Bertie, add documentation and tests, improve its performance, maintain its proofs, and set it up as an open source project with best practices and long-term software support. 
>> Read more about Bertie Betrusted Storage — Plausibly deniable encrypted storage Betrusted aims to be a secure communications device that is suitable for everyday use by non-technical users of diverse backgrounds. We believe users shouldn’t have to be experts in supply chain or cryptography to gain access to our ultimate goal: privacy and security one can count on. Today’s “private key only” secure enclave chips are vulnerable to I/O manipulation. This means there is no essential correlation between what a user is told, and what is actually going on. Betrusted will build a full technology stack, including silicon, device, OS, and UX that is open for inspection and verification. We've passed the first hurdle of creating an FPGA-based device, which we have spun out into a development platform we call Precursor. We are now advancing deeper into the technology stack to improve FPGA, drivers, OS, and UX elements, all driving toward the common goal of making Betrusted a simple, secure, and strong device that aims to advance Internet freedom. >> Read more about Betrusted Storage Blink Qt Messaging — Add modern encryption to SIP softphone Blink is a mature open source real-time communication application that can be used on different operating systems, based on the IETF SIP standard. It offers audio, video, instant messaging and desktop sharing. This project will extend its capability to support end-to-end asynchronous messaging and end-to-end encryption that works both online (OTR) and offline (OpenPGP). Additional features to be developed include end-to-end delivery and read notifications, and a searchable history database. >> Read more about Blink Qt Messaging BrowserAudit — Test common security standards and features in browsers The web depends on security standards to safeguard your data as you navigate online. The effectiveness of your browser in protecting this data depends on how well it implements these standards. 
BrowserAudit is a free, open-source tool designed to assess your browser’s compliance with common security protocols. By running hundreds of tests, it generates a detailed report highlighting the strengths and weaknesses of your browser's security. This report can help you select a more secure browser, notify developers of potential issues, or, if you’re a developer, address these vulnerabilities directly. >> Read more about BrowserAudit Bubble-up — Declarative schema migrations for sqlite databases SQLite is widely regarded as the most-used database engine, with sqlite.org even suggesting that it surpasses all other engines combined. One of its main advantages is its simplicity—operating on a single file. However, while getting started with SQLite is straightforward, modifying the database schema can be more complex due to its limited support for ALTER commands compared to other databases. Bubble-up is a command-line tool designed to ease this challenge. It enables seamless schema migrations for SQLite databases by comparing your desired schema (written in a simple SQL file with standard DDL statements) to the current database structure, and performing the necessary changes. >> Read more about Bubble-up Tracing and rebuilding packages — Improved metadata/provenance for build artifacts For many end users the smallest unit of software is the \"package\": a collection of programs and configuration files bundled in a single file, typically shipped as a single archive. Examples are \"util-linux\", \"glibc\", \"bash\", \"ffmpeg\" and so on. Open source distributions install packages using their package management systems. The package management system writes the contents of a package to disk when the package is installed or updated and removes the contents if the package is removed. The packages themselves contain metadata maintained by the distribution maintainers. 
This information includes the name of the package, project URL, description, dependency information and license information, etc. This granularity can be too coarse. For example, the license information is aggregated at the package level. If there are separate files that are under different licenses, then this will not always be clear from the license information at the package level. This project will make this easier to understand by looking at what goes into each individual binary in a package, and assigning metadata to the individual binaries instead of to a package. It will do so by tracing the build of a package and recording which files are actually used. By building packages in a minimal (container) environment, capturing the build trace, and processing the build trace to see exactly what goes into which binary, it becomes much easier to zoom in and answer specific questions such as \"what license does this binary have\" or \"which binaries use vulnerable file X\", and to combine it with efforts like VulnerableCode and PurlDB. >> Read more about Tracing and rebuilding packages Cable — A new wire protocol for cabal (and beyond) Distributed systems development is hard. Doubly so when you have adopted a complicated technological stack in order to achieve the goals of a peer-to-peer group chat like Cabal. Some problems inherent in an approach can only be seen in hindsight, and repaired with foresight. Enter Cable, a new lightweight binary communication protocol originally specified to be the upcoming backbone of the peer-to-peer group chat Cabal. The Cable protocol is pull-based, with message authenticity through cryptographic hashes, where peers receive messages by sending queries into the network: \"give me the most recent week of chat messages in channel main\". Peer-to-peer query-forwarding is built into the design to enable message retrieval outside any given peer's direct connections. 
Its logless approach enables message deletion and allows the many devices owned by a single person to use the same cryptographic identity in communication. The binary specification combined with the pull-based design minimizes system resources in transport and storage alike. Cable's goals as a protocol: to be compact over the wire, easy to implement from scratch with libsodium bindings as the only dependency, to enable bridging across any network transport, and to be agnostic with regard to how data is stored. In addition to unlocking new capabilities in Cabal's future, we also hope to pave the way for a multitude of other protocols to be hosted on Cable's agnostic wire format. >> Read more about Cable Canaille — Zero-knowledge opinionated OpenID Connect (OIDC) server. Canaille is a zero-knowledge opinionated identity server. Canaille aims to lower the barrier to entry for identity management, by providing a simple lightweight interoperable software focused on accessibility for end-users, administrators and contributors. It provides user and group management for small and medium sized organizations. It has authorization management and Single Sign-On features based on the OpenID Connect standard. >> Read more about Canaille Choreographic Programming: From Theory To Practice — Generating a standard library of core distributed algorithms with formal proofs To safely leverage the next-generation internet for mission-critical apps, it is crucial to assure that communications among distributed processes are deadlock-free (i.e., processes never get stuck waiting for a message that will never be sent) and behaviourally-compliant (i.e., processes never send messages that violate the intended application-level protocols). Choreographic programming is a promising new method to build distributed systems that assures the absence of deadlock and compliant behaviour by construction (vs. testing, which is notoriously difficult in the presence of concurrency and distribution). 
The aim of this project is to take advantage of recent scientific progress in programming language theory for distributed systems, and develop a new choreographic programming language (Klor) as an embedded DSL in Clojure, including a standard library of core distributed algorithms. >> Read more about Choreographic Programming: From Theory To Practice Coko Docs — A modern, open source replacement for Google Docs and Drive Coko Docs is an open source solution for storing and editing documents using Coko’s publishing technologies. It is the first part of an Open Suite, which will be integrated with professional Open Publishing products. Coko Docs will have a modern collaborative environment for creating, sharing and hosting files in various formats. We aim to build inclusive tools as powerful as Google Drive and Docs, our initial target audience ranges from individuals to small organisations. Our primary goal is an Open Source product with strong Privacy and Security protocols and elegant accessible design. We will utilize the NLnet funding for the first phase of development where we are adding collaborative editing to the integrated document editor, with offline support (for low-bandwidth scenario's). >> Read more about Coko Docs CryptoLyzer — Cryptographic settings analyzer library CryptoLyzer is a cybersecurity tool that can analyze the cryptography-related settings of clients and servers in the case of several different protocols. The tool’s primary purpose is to support end users as well as system administrators, security engineers, auditors, etc., in their work by telling them the details of the currently applied setting and informing them about the potential weaknesses and vulnerabilities. Unlike many other notable free software projects that focus on just one protocol family, CryptoLyzer wants to be as comprehensive as possible. 
On the one hand, users can analyze several cryptographic mechanisms (e.g., SSH, HTTP security headers, JA3 tag, and later OpenVPN), not just the most popular TLS protocol. On the other hand, it is possible to test both the standard and special or corner cases. Latter means the tool can test hardly supported, experimental, obsoleted, or even deprecated mechanisms or algorithms, which may carry significant risks. The project intends to learn from the existing projects and integrate their solutions to lower the barrier to good cryptographic settings making communication on private and public networks more secure. >> Read more about CryptoLyzer GNU Guix - Cuirass — Continuous integration system for GNU Guix/Linux + Hurd GNU Guix is a universal functional package manager and operating system which respects the freedom of computer users. The number of supported packages, almost 15.000 on 5 different architectures, is constantly increasing. With the recent efforts adding support for the GNU Hurd operating system, and the ongoing work to easily provide Guix System images for various boards, the need for a strong continuous integration system is critical. This project aims to improve Cuirass, the GNU Guix continuous integration software to provide binary substitutes for every package or system image within the shortest time. This way, the user won't have to allocate important time and computation power resources into package building. The plan is to add to Cuirass an efficient offloading and work-balancing mechanism between build machines, an improved web interface allowing to monitor machine loads and other build related metrics. A user account section to setup customized monitoring dashboards and subscribe to build failures notifications will also be developed. 
>> Read more about GNU Guix - Cuirass DANCE4All — Implement DANCE specification in GnuTLS and MbedTLS DANE (which stands for \"DNS-Based Authentication of Named Entities\") is a set of mechanisms and techniques standardised within the IETF that allow Internet applications to establish cryptographically secured communications by using information made available through the domain name system. By binding key information to a domain name and protecting that binding with DNSSEC, applications can easily discover authenticated keys for services. The original DANE specification was built around server authentication. Recently a new initiative called DANCE (https://datatracker.ietf.org/wg/dance/about) emerged, extending DANE to include client authentication. The DANCE4All project's goal is to implement the DANCE specification in two major TLS libraries (GnuTLS and MbedTLS) such that client DANE will become widely available. >> Read more about DANCE4All DAVx⁵ WebDAV Push — Share Contacts, Calendars, Tasks, Notes & Journals This project is about drafting an internet standard for push functionality in the WebDAV/CalDav/CardDAV protocols, and implementing it server-side (in NextCloud) and client-side (in DAVx⁵ and NextCloud Calendar). This standard should greatly benefit the already widely available WebDAV/CalDAV/CardDAV ecosystem in general. DAVx⁵ is a two-way sync tool for Android that gives people the power of choice where to store their data, instead of being locked-in to big tech. Besides Google FCM we also want to use UnifiedPush as Push backend, so that this can be used without any Google services. >> Read more about DAVx⁵ WebDAV Push DCnets — Implementation of Dining Cryptographers Network The aim of the proposed project is to design and implement an open source library that implements the so-called Dining Cryptographer's network or DCnet (first proposed by David Chaum in 1998). Existing implementations suffer from poor efficiency (e.g. 
high computation and/or communication cost) or limited security (e.g. when a malicious participant can disrupt the communication). The project will produce cryptographic primitives and protocols that help to bring untraceable communication (e.g. untraceable instant messaging, file transfer, IP telephony) closer to practice. We will take the most recent advances in cryptographic research (e.g. zero-knowledge proofs) and engineering (e.g. highly optimized arithmetic on elliptic curves and finite fields) into account to maximize both security and efficiency. >> Read more about DCnets Securing Internet protocols with DIDs — Bridge Decentralized Identifiers with standardised authorisation mechanisms Many Internet protocols require authentication, e.g. when we check our email account with a username and password, when we authenticate to SSH hosts with public keys, or when we log in to websites using OpenID Connect. Decentralized Identifiers (DIDs) are a new type of identifier that have associated private keys and can be used for authentication purposes. DIDs are in practice mostly used for exchanging Verifiable Credentials (VCs) between Issuers, Holders, and Verifiers. However, on a more basic level, DIDs can also simply be used as a replacement for usernames/passwords or static public keys, to authenticate by proving control over one's DID. Unlike other identifiers such as usernames or domain names, DIDs do not require a central authority for creating and using them. In this project, we will work on integrating DIDs with existing Internet protocols that require authentication by developing a new SASL mechanism. The idea is that for example you could log in to your SSH host, email account, IRC server, XMPP server, etc. using your DID, which can improve both usability and security. 
>> Read more about Securing Internet protocols with DIDs Dat Private Network — Private storage in DAT The dat private network is a self-hosted server that is easy to deploy on cloud or home infrastructure. Key features include a web-based control panel for administration by non-developers, as well as on-disk encryption. These no-knowledge storage services will ensure backup and high availability of distributed datasets, while also providing trust that unauthorized third-parties won’t have access to content. By creating a turnkey backup solution, we’ll be able to address two of our users’ most pressing questions about dat: who serves my data when I’m offline, and how do I archive and secure important files? The idea for this module came from the community, and reflects a dire need in the storage space -- no-knowledge backup and sync across devices. A properly-designed backup service will provide solutions to both of these questions, and will do so in a privacy-preserving way. This deliverable will put resources into bringing this work to a production-ready state, primarily through development towards updates that make use of the latest performance and security updates from the dat ecosystem, such as NOISE support. We plan to maintain the socio-technical infrastructure through an open working group that creates updates for the network as it matures. >> Read more about Dat Private Network DATALISP — Universal data interchange format using canonical S-expressions As society moves digital the need for thorough fundamentals becomes more prominent. Datalisp is a laboratory for decentralized collaboration built on a few well understood ideas which imply a certain architecture. The central thesis of datalisp is: \"If we agree to use a theoretically sound data interchange format then we will be able to efficiently express increasingly complicated coordination problems\", but in order to move the web to a different encoding we will need incentives on our side. 
A substantial improvement in user experience is needed and we aim to provide it. Ultimately our goal is to give peers the tools they need to protect themselves, and others, by collaboratively measuring the legitimacy of information and locally; by assessing whether data can be trusted as code or whether it requires user attention. Datalisp is the convergence point for all these tools (none of which is named \"datalisp\") rather than a language, join us in figuring out how to reach it! >> Read more about DATALISP Structuring the System Layer with Dataspaces — Implementing a secure and scalable system layer on mobile The system layer is an essential but often-ignored part of an operating system, mediating between user-facing programs and the kernel. Despite its importance, the concept has only been recently recognised and has not received a great deal of attention. The novel Dataspace Model of concurrency and communication combines a small number of concepts to yield succinct expression of ubiquitous system-layer features such as service naming, presence, discovery and activation; security mechanism and policy; subsystem isolation; and robust handling of partial failure. This project will evaluate the hypothesis that the Dataspace Model provides a suitable theoretical and practical foundation for system layers, since a well-founded system layer is a necessary part of any vision of secure, securable, resilient networked personal computing. >> Read more about Structuring the System Layer with Dataspaces Delta Tauri — DeltaChat implemented in Tauri The Delta Chat Desktop app is currently built with Electron and shipped to end-users on all platforms and many app stores. Delta Tauri will port it to instead use Tauri on all platforms, minimizing resource consumption and improving security. 
The download size is expected to decrease to around a fifth from the present situation, and the use of a system web view instead of the Electron-shipped full Chromium browser improves security because users benefit from operating-system managed security updates. Delta Tauri will also provide an important stepping stone towards a potential Delta Chat Web client, an often requested feature from users. >> Read more about Delta Tauri Diesel — Safe and performant query builder and ORM written in Rust Diesel is a safe and performant query builder and ORM written in Rust. It aims to eliminate security issues like SQL injections by providing a type safe domain specific language to express your SQL query as Rust code. This enables checking the query at compile time to turn insecure or otherwise invalid SQL queries into compile time errors. As part of this project we want to extend Diesel to provide built-in support for `WINDOW` functions, to enable the usage of secure and type safe queries in more places. >> Read more about Diesel dream2nix — Automate reproducible packaging for various language ecosystems Dream2nix is part of the overall effort to create more technical assurances, transparency and robustness within the software supply chain. Dream2nix as a framework allows more open source projects to achieve reproducible builds more easily, and helps to create an auditable toolchain across different technical dependencies. The ability to reproduce software builds is of major importance when it comes to verifying if a given binary is the product of a given source code. Reproducibility also increases the maintainability and reliability of small and large software deployments. The nix build system allows for such reproducibility even for complex software systems. dream2nix integrates existing well known programming language specific package managers like npm, yarn or cargo with the nix build system, which will allow many open source projects to benefit from nix' unique properties. 
>> Read more about dream2nix ELF tools in Rust — Porting patchelf and install_name_tool to a flexible Rust crate The \"ELF tools in Rust\" project aims to develop a versatile command-line tool/library for manipulating ELF and Mach-O binaries, with a particular focus on enhancing patching functionalities. It will leverage the patchelf tool as a standard, alongside Rust's efficiency and safety features. Additionally, it aims to provide seamless integration with Python via bindings created with PyO3 for enhancing accessibility and usability for a wider range of developers and use cases. >> Read more about ELF tools in Rust Encoding for Robust Immutable Storage (ERIS) — Encrypted and content-addressable data blocks The Encoding for Robust Immutable Storage (ERIS) is an encoding of content into a set of uniformly sized, encrypted and content-addressed blocks as well as a short identifier (a URN). The content can be reassembled from the encrypted blocks only with this identifier (the read capability). ERIS is a form of content-addressing. The identifier of some encoded content depends on the content itself and is independent of the physical location of where the content is stored (unlike content addressed by URLs). This enables content to be replicated and cached, making systems relying on the content more robust. Unlike other forms of content-addressing (e.g. IPFS), ERIS encrypts content into uniformly sized blocks for storage and transport. This allows peers without access to the read capability to transport and cache content without being able to read the content. ERIS is defined independent of any specific protocol or application and decouples content from transport and storage layers. The project will release version 1.0.0 after handling feedback from security audit, provide implementations in popular languages to facilitate wider usage (e.g. C library, JS library on NPM), perform a number of core integrations into various transport and storage layers (e.g. 
GNUNet, HTTP, CoAP, S3), and deliver Block Storage Management (quotas, garbage collection and synchronization for caching peers). >> Read more about Encoding for Robust Immutable Storage (ERIS) Edalize ASIC backend — Create open hardware silicon with a fully free software toolchain Affordable Open Source ASIC development and custom silicon has been a long-standing goal in the community. This will unlock innovation that has previously only been possible for the largest tech companies, allowing for the creation of deployable, trusted Open Source based hardware. Step by step, this goal has come closer in the last few years as individuals, companies and academic institutions have filled in the missing pieces. Today we have a fully open source end-to-end flow for building open source ASIC - but the effort of on-boarding existing designs remains high. This project aims to provide an easy way to onboard existing gateware and full designs to an open source ASIC flow by creating a FuseSoC backend that targets this toolchain. This will enable a smoother transition from projects already running on FPGAs to also be targeting ASIC flows. It will also allow easier switching between different open source ASIC flows at the point when there are several alternatives to choose from. In addition to the backend itself, a reference design containing SERV, the world’s smallest RISC-V CPU, will be run through the flow and committed to actual silicon. This will provide a way to guarantee a working flow and provide a simple but usable reference for everyone else looking to onboard their designs. Enabling and demonstrating this path will allow a fully trustworthy path for the fabrication of system-on-a-chip ICs, with no proprietary or closed tools as part of the flow and hence completely inspectable at all stages. This paves the road for other more complex FuseSoC-based open source silicon projects such as OpenTitan and SweRVolf. 
>> Read more about Edalize ASIC backend LambdaNative F-Droid integration — Portable, Productive and Performant App Development with Scheme LambdaNative is a free and open source framework that allows for creation of cross-platform applications, in particular on Android and general desktop operating systems such as Linux, BSD's, OS X or Windows. With LambdaNative, even someone with minimal programming background can create nice applications ranging from basic to advanced, using the Scheme programming language. This makes it very suitable for those that do not have a computer science background but still need to create a custom app - such as most researchers, educators and people working in the public sector. The aim of the project is to add a LambdaNative pipeline to publish apps on the free and open source F-Droid app store. The second part of the project will create educational materials to teach people how to work with LambdaNative mobile application and how to publish their app. >> Read more about LambdaNative F-Droid integration Friendly Forge Format (F3) — Proposed Standard for secure communication between software forges The Friendly Forge Format (abbreviated F3) is an Open File Format for storing the information from a forge such as issues, pull/merge requests, milestones, release assets, etc. as well as the associated VCS (Git, Mercurial, etc.). F3 is designed to exchange the state of a software project between GitHub, GitLab, Gitea, etc. for backup, mirroring or federation. F3 is essential for a forge to provide key requirements. 
(i) Portability: the entire state of a software project can be dumped and restored at a later time, on a different development environment (ii) Versatility: when published and updated as a F3 archive, a software project effectively is Open Data on which an unlimited range of applications can rely, even outside of the forge domain (iii) Consistency: it provides a common language to use when talking about the forge related domains (iv) Trust: cryptographic signatures on each F3 dump guard against malicious or unintentional tampering that could compromise the integrity of a software project. >> Read more about Friendly Forge Format (F3) FOSS Code Supply Chain Assurance — Mitigate attacks through software dependencies It is of the utmost importance to ensure that FOSS packages from public repositories have not been tampered with by malicious actors. This type of compromise is described as an open source \"supply chain attack\" and these have been increasing significantly. This project is building a new system (which is FOSS itself) to help verify the integrity of deployed code packages and validate their origin with external data sources, with the potential to mitigate attacks on open source packages supply chains such as: detecting if a package in use is matching verified code by matching source and binaries exactly and approximately. Or detecting abnormal code changes that may be signs of malicious modifications and possible attacks on a package. The key components of this open code and data solution are a Package and File Fingerprints Database, a Code Similarity and Changes Detection Engine, utilities to detect possibly malicious changes in upstream projects, and integration in build system(s). While existing approaches may require a tight control of the whole code supply chain, the approach of this project is designed for practical usage with limited changes to a build and CI/CD pipeline. 
>> Read more about FOSS Code Supply Chain Assurance FOSS Code Supply Chain Assurance II — Add approximate matching capabilities to software vulnerability discovery It is of the utmost importance to ensure that FOSS packages from public repositories have not been tampered with by malicious actors. This type of compromise is described as an open source \"supply chain attack\" and these have been increasing significantly. This project is building a new system (which is FOSS itself) to help verify the integrity of deployed code packages and validate their origin with external data sources, with the potential to mitigate attacks on open source packages supply chains such as: detecting if a package in use is matching verified code by matching source and binaries exactly and approximately. Or detecting abnormal code changes that may be signs of malicious modifications and possible attacks on a package. The key components of this open code and data solution are a Package and File Fingerprints Database, a Code Similarity and Changes Detection Engine, utilities to detect possibly malicious changes in upstream projects, and integration in build system(s). While existing approaches may require a tight control of the whole code supply chain, the approach of this project is designed for practical usage with limited changes to a build and CI/CD pipeline. This is the second phase of this ambitious project, the focus of which is to enable approximate matching between a database of FOSS packages resources and an actual FOSS package or other code. Moreover, various architectural improvements will be performed to support use at larger scale. >> Read more about FOSS Code Supply Chain Assurance II FastScan — Performance improvements for ScanCode Toolkit/ScanCode.io ScanCode is a powerful free and open source software composition analysis (SCA) code scanner. It can be used to analyze a complete virtual machine image, or a single application package with customizable pipelines. 
It integrates into DevOps workflows with comprehensive APIs, and helps to generate correct SBOMs. It can be used with all programming languages and environments. One weakness so far has been throughput. ScanCode could be much faster, and this is the topic of this grant: it improves the performance for both ScanCode Toolkit and ScanCode.io. By profiling ScanCode.io performance and identifying hotspots and issues using benchmarks, and subsequently improving performance in a targeted manner this project stands to make software composition analysis easier and more accessible. >> Read more about FastScan Feather UI — Declarative cross-platform UI toolkit Feather is a universal UI library that applies user inputs to application state, and maps application state to an interactive visualization using a custom graphics rendering language capable of compiling to arbitrary GPU code or vectorized CPU code. By building on top of a well-typed graphics abstraction, it is possible to make custom shaders \"write once, run anywhere\" with confidence and no overhead. This allows the creation of UI Fragments, which no longer need to be built on top of a library of UI widget elements, allowing the creation of arbitrarily complex UI elements that are no longer bound to traditional widget designs. This level of abstraction allows targeting anything from embedded devices to webpages, or even mixed-reality devices. >> Read more about Feather UI Federated software forges with Forgejo — Add ActivityPub based federation to Forgejo Forgejo is a self hosted software forge where developers can work together on software projects and users can report bugs or request features. As of Forgejo version 1.20, when a project is hosted on a Forgejo instance, every developer is expected to create an account on that instance in order to participate. 
Compared to email, it is as if it was necessary to create an account on gmail.com to send a message to someone with an @gmail.com email address and another on yahoo.fr to send a message to someone with an @yahoo.fr email address. But in 2022 there are two: the W3C ActivityPub protocol published in 2017 and forgefed, an emerging standard (since 2019) to describe activities happening on software forges. They can be used by Forgejo instances to communicate with each other and create a federation of forges continuously communicating with one another instead of a constellation of isolated silos. A federated Forgejo will enable software developers to work on the same project even when they use different Forgejo instances. There will be bridges between isolated Forgejo instances that software projects can use to synchronize in real time. >> Read more about Federated software forges with Forgejo FederatedCode Next — UI and curation queue for VulnerableCode data enrichment VulnerableCode is an open-source database that aggregates and enriches data concerning CVE with metadata to make it easier to track CVEs across packages and dependencies. VulnerableCode was designed from its inception to correlate and aggregate multiple data sources and not have a single point of failure. The FederatedCode Next project aims to create a UI and curation queue for VulnerableCode in order to take the next step towards an open, peer-to-peer federated database of code vulnerabilities. This makes it possible to ensure cybersecurity professionals have the essential information they need to do their work when new vulnerabilities are unveiled - such as PURL and VERS version ranges for impacted and fixed package versions, Common Weakness Enumeration details to qualify the weakness exposed by a CVE, severity scoring, mitigation possibilities beside updating and patching, the actual commits/patches that introduce/fix a vulnerability for reachability analysis, related PoC for exploits, etcetera. 
>> Read more about FederatedCode Next Fediverse Test Framework — Test bench for ActivityPub implementations The Fediverse consists of individual servers, possibly running different software, that talk to each other. One of the challenges in developing for the Fediverse is to stay interoperable with all the different deployed software. As the message format standard, ActivityStreams, is extensible through JSON-LD, judging how a message is parsed, can be a hard task. By using ideas from automated testing, we provide an application that determines a baseline how messages are processed and rendered. The process being simply: run end to end tests and record their result. From the test results a webpage is generated that provides developers the information how a message is rendered in different applications. We aim to make the framework extensible so new applications can be included. >> Read more about Fediverse Test Framework Fediverse Test Suite — Interoperability effort for W3C ActivityPub The Fediverse is a global, standards-based, decentralized social network accessible to all and not subject to algorithmic manipulation or platform surveillance. While best known for Mastodon, an open-source alternative to X/Twitter, it already successfully connects dozens of independently developed software applications running on tens of thousands of independently operated servers and implementing feature sets that go far beyond traditional social networking. 
To enable even more innovative developers to successfully connect their applications to the Fediverse, and their users to successfully interoperate with users using different software, it needs to become much simpler and cost-effective for developers to 1) know that they have implemented the relevant standards (notably ActivityPub) correctly, that their implementation is not regressing and that 2) their software indeed delivers the experience users expect from interoperability with other software developed independently by other developers. This project brings together a group of fediverse developers to set up an automated test framework and initial test cases in an open-source project that will systematically test standards conformance, ensure meeting user expectations for interoperability of Fediverse apps, and enable a new wave of innovation based on more trustworthy infrastructure. >> Read more about Fediverse Test Suite FemtoStar Project — Open Hardware Communications Satellite The FemtoStar Project is developing a low-cost communications satellite, intended for use as part of a scalable, decentralized network enabling verifiably anonymous, geolocation-resistant communications on a global scale. While many anonymizer services are currently available to users of existing communications systems, these serve simply to separate knowledge of identity (which still lies with the communications service provider) from knowledge of activity (which lies at the exit of the anonymizer service). All current wide-area communications networks are fundamentally identifying (users and their hardware are, at minimum, pseudonymous to the network) and no two-way communications system offers any meaningful degree of resistance to geolocation of the user. 
The FemtoStar Project intends to use a constellation of FemtoStar satellites to provide global, space-based open communications infrastructure linking users to services (which can be operated by anyone, and require no special ground station installation beyond a regular FemtoStar user terminal) or directly to other users, and requiring no identification or geolocation of user terminals. We are seeking funding for the development of a prototype satellite and user terminal, implementation and testing of the FemtoStar protocol on this hardware, and, dependent on funding amount and regulatory approval, the licensing and launch of one FemtoStar satellite to low earth orbit for system testing and, possibly, for use in a limited open beta service. With prototype hardware and, ideally, with one production satellite in orbit, the FemtoStar Project will be able to validate the FemtoStar system and move towards our goal of operating a scalable constellation for global, verifiably-private communications service - a world-first in privacy technology. >> Read more about FemtoStar Project ForgeFlux — Software Forge independent federation with ActivityPub and F3 Federation accurately models the way free software dynamics work: people and organizations across the globe come together to work on a software project. However, current software forging tools do not reflect this model, which has resulted in centralization in a few software forge instances. This issue is further complicated since a limited amount of tooling creators is committed to implementing federation. ForgeFlux is a project in the forge federation domain that is trying to make forges federate by building external adapters. We use the forge's native APIs and create a translation layer to talk to other nodes on the federating forge network. We aim to make Forgejo and GitHub federate for the first stable release. 
We are also working on other supporting areas in the forge federation domain, namely in search and discovery of software projects, and in developing testing and debugging tools. >> Read more about ForgeFlux Forgejo — An open source software forge with a focus on federation In order to collaborate among global FOSS communities, free and open source software projects need to make their software repositories available somewhere online. Running such repositories on top of a third party proprietary service introduces significant liabilities, including stability and privacy risks. There are also geopolitical issues of depending on such pseudo-infrastructure, where the political situation in one country can have an impact on the availability of technology in other countries. Forgejo is a new software forge designed to scale to millions of users and projects by combining ActivityPub based federated features developed for Gitea and optimizations developed for Codeberg. Forgejo helps to decentralise by enabling many independent forges to emerge, and allowing them to federate. Forgejo aims at lowering the technical barrier, facilitating moderation in a federated environment and providing the expected security updates. >> Read more about Forgejo GNU Mes — Help create an operating system we can trust GNU Mes was created to address the security concerns that arise from bootstrapping an operating system using large, unauditable binary blobs, which is common practice for all software distributions. Mes is a Scheme interpreter written in a simple subset of C and a C compiler written in Scheme and comes with a small, bootstrappable C library. The Mes bootstrap has halved the size of opaque binaries that were needed to bootstrap GNU Guix, a functional GNU/Linux distribution that focusses on user freedom, reproducibility and security. That reduction was achieved by replacing GNU Binutils, GNU GCC and the GNU C Library with Mes. 
The final goal is to help create a full source bootstrap for any interested UNIX-like operating system. After three years of volunteer work this funding will enable us to take another big step forward and reach an important new milestone in creating more auditable secure software distributions. >> Read more about GNU Mes Full-source GNU Mes on ARM and RISC-V — Expand full-source bootstrap to other CPU platforms GNU Mes was created to address the security concerns that arise from bootstrapping an operating system using large binary blobs of several 100s of megabytes, which (incredibly so!) is common practice for the software supply chains in use today. While these days users can reproducibly build software with modern functional package managers like Guix and Nix, the presence of potentially toxic code in these unauditable blobs or the propagation into binaries cannot be excluded. Users have no technical assurance that the executable they use corresponds with the source code - or whether the tool chain which compiled the source code introduces weaknesses or undefined behaviour. By making the toolchain 'bootstrappable' (as per bootstrappable.org), users can verify themselves for every step what happens - in the case of GNU Mes from one tiny (and orders of magnitude more easily verifiable) 357-byte file upwards. The final goal is to help create a \"full source\" bootstrap for any interested UNIX-like operating system and any type of architecture. This project will add ARM and RISC-V, with other architectures on the roadmap. >> Read more about Full-source GNU Mes on ARM and RISC-V GNU Mes RISC-V — Bringing the trustworthy bootstrap to RISC-V GNU Mes was created to address the security concerns that arise from bootstrapping an operating system using large, unauditable binary blobs, which is common practice for all software distributions. 
Mes is a Scheme interpreter written in a simple subset of C and a C compiler written in Scheme that comes with a small, bootstrappable C library. The final goal is to help create a full source bootstrap for any interested UNIX-like operating system. This funding will enable GNU Mes to work on the RISC-V platform, an instruction set architecture (ISA) that is provided under open licenses. Combining GNU Mes with an open ISA will provide an extra level of security and trust by extending the auditability of the system from the software to also the hardware. RISC-V is a relatively new architecture so this effort requires the backport of many tools that were already available for GNU Mes in other architectures. Also the modular nature of RISC-V makes it an especially complex bootstrap target, because it needs to support all the possible RISC-V implementations. This project aims to overcome the current limitations to prepare GNU Mes and all the associated projects for a full RISC-V port. >> Read more about GNU Mes RISC-V GNU Mes: Full Source bootstrap — GNU Mes was created to address the security concerns that arise from bootstrapping an operating system using large, unauditable binary blobs, which is common practice for all software distributions. Mes is a Scheme interpreter written in a simple subset of C and a C compiler written in Scheme and comes with a small, bootstrappable C library. The Mes bootstrap has greatly reduced the size of opaque binaries that were needed to bootstrap GNU Guix, a functional GNU/Linux distribution that focusses on user freedom, reproducibility and security. That reduction (from ~250MB to ~60MB) was achieved by first replacing GNU Binutils, GNU GCC and the GNU C Library with Mes. The second step was funded by NLnet (https://nlnet.nl/project/GNUMes) and replaced GNU Awk, GNU Bash, the GNU Core Utilities, GNU Grep, GNU Gzip, GNU SED, and GNU Tar with a more mature Mes, Gash and Gash-Utils. 
The final goal is to help create a full source bootstrap for any interested UNIX-like operating system and non-intel architectures (see https://nlnet.nl/project/GNUMes-arm). This funding will enable us to take another big step forward and reach an important new milestone in creating more auditable secure software distributions. >> Read more about GNU Mes: Full Source bootstrap GNU Mes Tower — GNU Mes with alternative scheme implementations and WASM GNU Mes was created to provide transparency and strong technical assurances when bootstrapping an operating system - instead of using large, unauditable binary blobs that bring the risk of \"reproducibly malicious\" behaviour within the software toolchain. GNU Mes provides a transparent alternative: starting from a Scheme implementation of a C compiler, and a minimal Scheme interpreter written in C, to bootstrap the full GNU toolchain capable of building the rest of all open-source software. The GNU Mes Tower projects will add the option to stay on the \"Scheme\" path without having to resort to C, starting from either the same minimal Scheme interpreter with a specializer as a Scheme compiler capable of generating native binaries. To achieve self-hosting, a series of bootstrapping steps will be implemented to add features to each interpretation level one-by-one, maintaining specialization to native code. The sequence of more and more capable Scheme compilers will allow operating systems like Guix to be bootstrapped without C, and move from a minimal Scheme interpreter to full-blown modern scheme dialects to allow much more advanced features and optimisations during the bootstrap. >> Read more about GNU Mes Tower GPG Lacre project — Best effort encryption of mail flows with OpenPGP This project is the continuation of the work on providing open source, GnuPG based email encryption for emails at rest. All incoming emails are automatically encrypted with the user's public key before they are saved on the server. 
It is a server side encryption solution while control of the encryption keys is fully in the hands of the end-user and private keys are never stored on the server. The scope of the project is to improve on the already existing code, provide an easy-to-use key upload system (standalone as well as Roundcube plugin) and key discoverability. Besides providing a solution that is easy to use we will also provide easy to digest material about encryption, how it works and how to make use of it in situations other than just mailbox encryption. Understanding how encryption works is the key to self-determination and is therefore an important part of the project. GPG Mailgate will be battle tested on the email infrastructure of Disroot.org (an ethical non-profit service provider). >> Read more about GPG Lacre project GPGPU Playground — A virtual GPU to learn GPU programming GPUs are an extremely effective and widely deployed vector co-processor, and yet those interested in adapting their capabilities are faced with a very high barrier to entry. Tools like OpenCL, CUDA, and WebGL all require a broad background to get started solving even simple problems, and mistakes in larger programs can be nearly impossible to identify without an even deeper level of experience. This project takes advantage of WebAssembly and Vulkan's SPIR-V format to deliver a safe, on-demand toolkit for exploring the potential of GPUs, focused on applications outside the bounds of traditional graphics acceleration. >> Read more about GPGPU Playground Gash — Port Gash to GNU Mes for auditable bootstrap For several years, the GNU Guix project has been reducing the amount of unauditable binary blobs used in bootstrapping its operating system, through efforts such as GNU Mes. This is needed to avoid \"reproducibly malicious\" behaviour within the software toolchain. Gash is a POSIX-compatible shell written in Guile Scheme. 
Gash provides both the traditional shell interface, as well as a Guile library for parsing shell scripts. Once this project is completed, Guix (and other operating systems) can be bootstrapped from legible source, without depending on already compiled compilers or C standard libraries. This will make it possible to move step by step from a minimal Scheme interpreter to full-blown modern scheme dialects to subsequently much more advanced features and optimisations required during the bootstrap. >> Read more about Gash Gorgon CI — Continuous integration testing for PRs against software dependencies A longstanding challenge of open source development is that few users test development versions of software. This means that bugs make it into stable releases, annoying thousands of downstream users. In extreme but common cases, this results in downstream software getting stuck on outdated versions of dependencies because they missed the opportunity to participate in the upstream release cycle. This is despite the fact that many of those downstream users will have their own CI setups that might have caught the bug had they been run against the development version of the upstream library. Gorgon is a CI system that will test PRs for your project, but it will run your project's tests against PRs for your dependencies as well. By leveraging Nix, Gorgon can make smart decisions about which PRs to test. Changes affecting few derivations will be prioritized over mass rebuilds, to test as many PRs as possible despite limited hardware. This will let you identify which changes to your upstream dependencies you should care about. You'll be able to find and report bugs before they make it into a release, and know which upstream discussions to get involved in. >> Read more about Gorgon CI Real time graph database search engine — Live filtering on graph database streams Based is the world's first open source pub/sub real time graph database. 
It allows for millions of concurrent connections to changes in data or relationships, and offers built-in features such as authentication, internationalisation, server-side scripts for automation, time-series data, and user management. This saves money, complexity, and maintenance. In this project we will work on a full text indexing engine, that will give developers and end users the ability to query text in real time – and get back any updates in text instantly. The search engine is geared toward working with our database, but is applicable to any database in which users are interested in text search that updates in real time and indexes dynamically. >> Read more about Real time graph database search engine Open Hardware Manuals — Automatically generate user-friendly documentation for open hardware elements This project will create a tool that automatically generates Computer-Aided Design (CAD) models, assembly documentation, graphics, and user guides based on user provided configurations. These documents can be continuously updated, localized, and are shareable - akin to an always up-to-date Ikea-style assembly guide. The tools developed during this project will also be applicable to other open hardware projects, empowering designers to produce hardware that is more adapted to specific contexts, without creating fragile documentation that always goes out of date when a change is made to the design. >> Read more about Open Hardware Manuals Himalaya — End-to-end encryption capable scriptable email Himalaya is a cross platform and open source toolsuite for managing emails. Its aim is to extract the email business logic into a safe and secure Rust library, so it can be consumed by any compatible client. 
This architecture makes the tool very flexible and versatile: move batches of emails from the command-line input, automatically sign or decrypt emails leveraging OpenPGP's web of trust, view HTML version of emails from the terminal, write emails with your favourite text editor, set up a new message notifier in a systemd daemon, view emails from a graphical user interface à la Thunderbird… possibilities are endless! The funding from NLnet will be used to release the first production-ready version of the library and to release a few compatible clients like a CLI, a TUI, a GUI, a Vim plugin and an Emacs plugin. Himalaya also plans to extend the concept to other email-related domains, like contact management, events/calendar management, tasks management etc. >> Read more about Himalaya A proof of concept of identity-based encryption — Make encryption simpler The project aims to extend the existing attribute-based identity platform IRMA with easy-to-use encryption. The kind of encryption is called Identity-Based. Its main advantage is that key management is simple, so that encryption becomes easy to use, via a plugin to an email client (only Thunderbird in this proof of concept project). The plugin computes the public key of the recipient of a message, from some uniquely identifying attribute of the recipient (typically an email address, but phone number, or citizen registration number could work as well). The receiver of the message will have to prove, via IRMA, possession of the uniquely identifying attribute to some Trusted Third Party (TTP), which will then provide the corresponding private key. Within this project a working set-up will be built. Turning it into a widely usable product will require more work, in follow-up projects. 
>> Read more about A proof of concept of identity-based encryption IPDL — Equational Proofs for Distributed Cryptographic Protocols In cryptography, interactive, distributed cryptographic protocols are most often proved secure using the simulation paradigm, wherein the protocol of interest is proved (approximately) equivalent to an idealization. The simulation paradigm is extremely powerful, as it allows a wide range of security properties to be captured under one definition. On the other hand, while expressive, the simulation paradigm presents extra complications for formally verifying security proofs. Proving equivalences between distributed protocols in general requires heavyweight techniques based on manually constructing so-called bisimulations (suitable relational invariants), which creates a barrier to entry for formal methods. We lower this barrier to entry with IPDL, or Interactive Probabilistic Dependency Logic, a new process calculus for cryptographic protocols. IPDL includes an approximate equational logic that allows computationally sound reasoning about protocols in a manner both close to the simulation paradigm and amenable for formal verification. Using IPDL, we deliver short, simulation-based proofs of variety of cryptographic protocols. Our most complex and very general case study verifies the n-party GMW protocol for secure function evaluation. >> Read more about IPDL IPDL II — A new process logic aimed at formal proofs for cryptographic algorithm Our project IPDL aims to increase the trustworthiness of large cryptographic systems by designing and implementing a natural and principled way of thinking about them. IPDL, short for Interactive Probabilistic Dependency Logic, is a process calculus and software implementation for formally verifying message-passing cryptographic protocols. Our goal is to use IPDL to develop cryptographic foundations that are both composable and concurrent. 
Concurrency means that our model of computation natively allows processes to run at the same time; composability allows us to prove the system secure by verifying the security of its subparts. In this setting, formal proofs closely resemble the thinking of a cryptographer. >> Read more about IPDL II Optimized Image Codecs — More efficient image handling for embedded systems The Optimized Image Codecs project aims to bring portable, efficient image and video codecs to all platforms. It is primarily focused on enabling them on devices that previously were assumed to be incapable of using standard compressed images or video due to their limited memory and speed. The efficiency of the code also means that energy usage is reduced on systems large and small. This code represents state of the art efficiency combined with a careful design to minimize the memory requirements. This enables their use on the widest possible set of devices. This project started with the release of a JPEG decoder and now consists of mature JPEG, PNG, GIF and TIFF G4 codecs used by thousands of developers in projects large and small. Within the scope of this project, the aim is to release software MPEG-1 and H.263 video decoders which will run well on low cost microcontrollers. This should dramatically improve the efficiency of products which had to settle for MJPEG (Motion-JPEG) as a substitute for a true video codec. >> Read more about Optimized Image Codecs Inko — Programming language with deterministic automatic memory management Inko is a statically typed programming language, aiming to make it easy to write concurrent, reliable, deterministic, and memory safe software. Memory is managed automatically, without the use of a garbage collector. Instead, Inko uses a form of single ownership and runtime reference counting, and memory management is deterministic. 
Inko's type system makes data race conditions impossible, without the need to use locks and similar synchronisation methods, and without the need to copy data structures when sharing them between threads. As part of this project, we'll finish work on our upcoming native code compiler, overhaul and improve the compilation of generic types and functions, implement a type-safe C FFI, add support for cross-compilation, and expand the standard library with various networking protocols. >> Read more about Inko Micro25519 — Lightweight Elliptic Curve Cryptography for microcontrollers This project is building an open-source software library for modern Elliptic Curve Cryptography (ECC). To achieve this, the project aims for a unique trade-off between three different (and partly conflicting) goals that is currently not offered by any of the existing ECC libraries for small 8/16/32-bit microcontrollers. The first goal is efficiency, which includes not only fast execution times, but also small code size and low RAM usage. Equally important as efficiency is the second goal, namely security, and this includes not only the absence of subtle bugs that could leak secret information, but also robustness against timing-based side-channel attacks. The third goal is usability, which is achieved by a simple and intuitive API, an easily readable and well-commented source code, and a rich documentation with examples for common use cases. Micro25519 will come with highly-optimized Assembly functions for the low-level field-arithmetic for 8-bit AVR, 16-bit MSP430, as well as 32-bit ARM Cortex-M3 and RISC-V microcontrollers. The higher-level functions are written in C and shared among the different platforms to minimize the code base and reduce complexity. 
>> Read more about Micro25519 KDE Connect — KDE Connect discovery and transport protocol improvements KDE Connect allows devices on a local network to discover each other and, after an initial pairing process, exchange data over an encrypted connection. Leveraging this abstraction, the KDE Connect desktop and phone apps provide cross-device syncing features like sharing files, notifications, input devices, multimedia controls and more. There are multiple independent implementations of the KDE Connect protocol written in C++, Java, Swift, Javascript, and more; as well as various applications using the protocol targeting different operating systems. The aim of this project is to reimplement KDE Connect's discovery process and transport protocol, which were shaped by the limitations of the smartphones of 10 years ago, using multicast and modern TLS. >> Read more about KDE Connect Standardizing KEMTLS — Post-quantum TLS without handshake signatures KEMTLS is a recent academic proposal for an alternative way of adding authentication to the Transport Layer Security (TLS) protocol. The project is motivated by the need to migrate public key cryptography to new algorithms that resist attacks by quantum computers. Compared to traditional cryptography, post-quantum signature schemes generally have larger public keys and/or signatures, and need more computational effort. KEMTLS, published at the ACM Computer and Communications Security Conference in 2020, replaces signature-based authentication for web servers with a post-quantum key exchange (called a KEM) in a way that saves communication and computation. In this project we aim to prepare KEMTLS for standardization by the Internet Engineering Task Force (IETF). To that end we will implement KEMTLS in a few different open source TLS software libraries and demonstrate the viability and interoperability of these implementations. 
This software will assist later implementers of KEMTLS by allowing them to validate their implementations against our reference. We will also investigate optimizations for using KEMTLS in specialized environments like IoT, and will investigate issues involving certification of KEM keys. >> Read more about Standardizing KEMTLS Improving and extending Kaitai Struct — Rust parsing for binary analysis tool Kaitai Struct Kaitai Struct (KS) is a tool for working with binary formats. It introduces a declarative domain-specific language for describing the structure of arbitrary binary formats. Based on any specification, KS can automatically generate a ready-to-use parsing module in one of 11 programming languages (C++/STL, C#, Go, Java, JavaScript, Lua, Nim, Perl, PHP, Python, Ruby). Serialization is supported in Java and Python. This project aims to add Rust as a target language for parsing and to port the JavaScript runtime library to TypeScript, which will allow type checking and better IDE autocompletion in users' projects. The Web IDE has a severe limitation that parsing errors prevent any results from being displayed. This is planned to be fixed, along with several other nuisances that limit user-friendliness. The compiler will be improved too. Support for multi-byte terminators (needed for null-terminated UTF-16 strings) will be added in all target languages, GraphViz generation failures will be resolved by updating to support newer KS features. The `valid` key will be extended by the capability to validate whether a value is part of an enum. The support for imports and unused types will be enhanced. >> Read more about Improving and extending Kaitai Struct Kami — Choreography programming language integrated with the Rust ecosystem Kami is a new programming language, based on the Rust ecosystem, designed from the ground up for correct-by-construction distributed systems. In its core it is pure and functional, thus ideal for building complex concurrent systems. 
It takes cues from multiparty session types and choreographic programming language research: The behaviour of all roles in a distributed application can be implemented at once from a global point of view. This high-level description is compiled to Rust code for all participating roles, with the guarantee that the system will be deadlock-free. Developers can seamlessly drop down to using Rust, and all of its ecosystem, for writing local code, while using Kami for composing the local computations into a coherent distributed system. In this project we implement the type-checker, compiler and other developer tools for Kami, to provide for a similarly friendly developer experience as Rust. >> Read more about Kami Katzen Metadata Minimizing Messenger — Privacy preserving instant messaging using a modern mixnet Katzen is a multi-platform messenger application that works with Katzenpost, a mix network framework for building anonymity-enhancing communication services. Katzen minimizes metadata that could potentially be used to reveal the identities, locations, and relationships of its users. Katzen currently supports one-to-one messages between paired users, while also not revealing who is speaking to whom. This project aims to improve Katzen by adding group messaging, multimedia file transfers, and voice chat. These features require a new encrypted-at-rest database, additional UI for file transfers and push-to-talk voice messaging, and implementation of group messaging using the multiparty REUNION protocol, which allows group members to discover each other using a shared passphrase. >> Read more about Katzen Metadata Minimizing Messenger Kazarma — Bridge ActivityPub and Matrix realms Matrix-Appservice-CommonsPub is a bridge between two decentralized protocols: Matrix and ActivityPub. The development includes polishing CommonsPub, an Elixir generic ActivityPub implementation, and creating an Elixir library to build Matrix bridges. 
We will first focus on private messages between Matrix users and users of an ActivityPub-enabled platform, like PeerTube or Funkwhale, then explore the possibilities of synchronizing ActivityPub feeds (e.g. \"toots\" feeds) in Matrix. The bridge comes as an easy-to-deploy, secure and scalable solution. >> Read more about Kazarma Private Key Operations for Keyoxide — Implement Private Key Store design in Keyoxide Keyoxide is one of the open-source success stories when it comes to providing an alternative to the proprietary product (Keybase). The UI is straightforward so that the interaction with the site is available to all kinds of users. Unfortunately there is one critical part that differentiates Keyoxide from Keybase - no support for private key operations. Adding proofs requires a complex maze of command line invocations. This project will implement the best of both worlds: a simple, UI-centric way of interaction without technical knowledge required and the strong security of Keyoxide. >> Read more about Private Key Operations for Keyoxide Keyoxide v2 — Add cryptographic signature based to Keyoxide How do you discover which other online accounts across different services and service providers actually belong to the same person? Keyoxide is a secure, privacy-friendly and decentralized platform to manage online identities, uncompromisingly driven by what the user herself wants to share. Keyoxide is a new type of service to allow proving linked account ownership on a variety of platforms. Keyoxide leverages existing and battle-tested cryptographic primitives. The goal is to give users more control over their online presence, independent from dominant internet actors - without in fact having to depend on any centralised services or third parties. The project will build on top of the existing OpenPGP Identity Proofs to add other types of profiles based on various cryptographic signature mechanisms from a variety of new tools. 
To maintain linkable profiles, a new signature-hosting infrastructure needs to be designed and developed. Other improvements are aimed at safeguarding privacy and achieving plausible deniability. >> Read more about Keyoxide v2 Kiwi IRC — Self-hosted web IRC environment Kiwi IRC is an open messaging platform that any online organisation or community can use. We do not believe that any community should be locked into a single vendor for their communication tools as this restricts how the community grows and develops - the community itself should dictate how they develop over time. Working with other open source projects in the IRC world, we are expanding the generally available privacy tools and making them usable for mainstream use. This will see tools such as end-to-end encryption and mobile applications being brought to users taking advantage of open messaging, improving the privacy of millions of existing IRC users and pushing for open platforms. >> Read more about Kiwi IRC Improve Email Encryption in KMail — Adopt improvements in Email Encryption in KMail The goal of this project is to make it more simple for inexperienced users to just use encrypted mails, at the click of a button. Autocrypt is a new method for email encryption, that needs nearly no user interaction. It performs the needed key exchange transparently in the background, and does key management automatically. Encrypted Headers is a protocol to send mail headers in the encrypted mail part. Traditional encryption methods leaked meta-data, which could be used for mass surveillance purposes. The result will be part of the KDEPIM codebase, so you don't have to install anything else than KMail to use these improvements. >> Read more about Improve Email Encryption in KMail ARPA2 LDAP Middleware — Privacy enhancing middleware Some protocols are far better known than others. Everyone will recognise the HTTP protocol we use to transfer web pages. 
LDAP is not as well known, but it is also a key technology we use on a daily basis - in fact it shapes how most organisations are organised online. LDAP is a proven technology but can be cumbersome to work with, and as a result it has seen little innovation in recent years. This project develops a number of innovative middleware components from the ARPA2 project. This includes a privacy enhancing middleware for LDAP (LEAF), which allows attribute filtering and selective transformation of LDAP; SteamWorks, which allows for responsive large scale configuration and trust delegation; and Lillydap, a library that can be used to easily add LDAP to any application. The project also delivers on (broad)er deployability of these building blocks, by providing tools for distropackaging the innovative solutions produced by the project. >> Read more about ARPA2 LDAP Middleware XMPP-ActivityPub gateway — XMPP, ActivityPub and E2EE Pubsub XMPP (aka Jabber) is the vendor-neutral internet standard for instant messaging. ActivityPub is a web standard for federated social networking, used in software like Mastodon, Pleroma, PeerTube, Pixelfed and Funkwhale. The project consists of two components: an ActivityPub-XMPP gateway, which will be a component bridging these protocols - enabling ActivityPub users to access XMPP blogs, comments and other features, and vice versa. And adding state of the art end-to-end encryption (E2EE) for PubSub and filesharing, which entails proposing a new XMPP standard which can provide a secure way to publish, retrieve and subscribe to all sorts of data over XMPP. The project is built on Libervia (previously known as \"Salut à Toi\"), a communication ecosystem based on XMPP. Libervia offers several interfaces (web, desktop, mobile, command line, text UI) and explores the XMPP protocol beyond instant messaging. Libervia features chat, blogging, file sharing, photo albums, events, forums, etc. 
Libervia's goal is to develop an all-in-one, easy to use \"familial and personal social network\", i.e. a tool to communicate with the people close to you securely - and that lets your personal data stay within your control (as it should be). >> Read more about XMPP-ActivityPub gateway The Libre-SOC Gigabit Router — Native Open Hardware chip implementation of crypto primitives The Libre-SOC Project is developing a Libre System-on-a-Chip in a transparent fashion to engender end-user trust. Based on the OpenPOWER ISA, the next logical step is to extend and modernise OpenPOWER into the cryptographic and blockchain realm, and to do so in a practical way: design a Router ASIC. Whilst many commercial ASICs would do this using hard-coded non-transparent blocks or instructions, true transparency really only exists if the ISA has general-purpose primitives that can be Formally (mathematically) validated. The Libre-SOC Crypto-router Project therefore goes back to mathematical \"first principles\" to provide general-purpose Galois-Field, Matrix abstraction and more, on top of Simple-V Vectorisation. This provides flexibility for future cryptographic and blockchain algorithms on a firm transparent foundation. >> Read more about The Libre-SOC Gigabit Router Libre-SOC Formal Correctness Proofs — Mathematical unit tests for open hardware System-on-Chip Hardware projects like the Libre-SOC Project involve writing an inordinate amount of comprehensive unit tests to make sure everything functions the way it should. This is a critical and expensive part of the overall design process. Formal Mathematical Proofs (already quite popular in secure software development) provide an interesting alternative for several reasons: they're mathematically inviolate, which we believe makes them more trustworthy. And they are simpler to read and much more comprehensive (100% coverage), saving hugely on development and maintenance. 
From a security and trust perspective, both aspects are extremely important. Security mistakes are often accidental due to complexity: a reduction in complexity helps avoid mistakes. Secondly: independent auditing of the processor is a matter of running the formal proofs. The project aims to provide proofs for every module of the Libre RISC-V SoC, and therefore contributes significantly to the larger goal of developing a privacy-respecting processor in a way that is independently verifiable. >> Read more about Libre-SOC Formal Correctness Proofs Librecast Live — Live streaming with multicast The Librecast Live project contributes to decentralizing the Internet by enabling multicast. Multicast is a major network capability for a secure, decentralized and private by default Next Generation Internet. The original design goals of the Internet do not match today's privacy and security needs, and this is evident in the technologies in use today. There are many situations where multicast can already be deployed on the Internet, but also some where it cannot. This project will build transitional protocols and software to extend the reach of multicast and enable easy deployment by software developers. Amongst others it will produce a C library and POC code using a tunneling method to make multicast available to the entire Internet, regardless of upstream support. We will then use these multicast libraries, WebRTC and the W3C-approved ActivityPub protocol to build a live streaming video service similar to twitch.tv. This will be a complement to the existing decentralised Mastodon and Peertube projects, and will integrate with these services using ActivityPub. By doing so we can bring live video streaming services to these existing decentralised userbases and demonstrate the power of multicast at the same time. Users will be able to chat and comment in realtime during streaming (similar to YouTube live streaming). 
This fills an important gap in the Open Source decentralised space. All video and chat messages will be transmitted over encrypted channels. >> Read more about Librecast Live Lizard — E2E Rendez-vous and discovery The Lizard project aims to develop a common protocol for end-to-end encrypted social applications using Tor as underlying transport mechanism, with the addition of store-and-forward servers discovered through the Tor hidden service directory. The protocol takes care of confidentiality and anonymity concerns, and adds mechanisms for easily synchronising application-level state on top. All communications are done \"off the grid\" using Tor, but identities can be publicly attested to using existing social media profiles. Using a small marker in your social profiles, you can signal to other Lizard users that they can transparently message you over Lizard instead. By taking care of these common discovery and privacy concerns in one easy-to-use software suite, we hope that more applications will opt for end-to-end encryption by default without compromising on anonymity. >> Read more about Lizard LumoSQL — Create more reliable, distributed embedded databases The most widely-used database (SQLite) is not as reliable as it could be, and is missing essential features like encryption and safe usage in networked environments. Billions of people unknowingly depend on SQLite in their applications for critical tasks throughout the day, and this embedded database is used in many internet applications - including in some core internet and technology infrastructure. This project wants to create a viable alternative ('rip and replace'), using the battle tested LMDB produced by the LDAP community. This effort allows a number of other shortcomings to be addressed, and makes many applications more trustworthy and, by adding cryptography, also more private. 
Given the wide range of use cases and heavy operational demands of this class of embedded databases, a serious effort is needed to execute this plan in a way where users can massively switch. The project will extensively test, and will validate its efforts with a number of critical applications. >> Read more about LumoSQL LumoSQL at-rest data security — Modern embedded database with encryption and signed data LumoSQL is an embedded database that combines various modern database technologies into a single powerful abstraction while remaining a drop-in replacement for the most-used database worldwide, SQLite. LumoSQL brings to embedded databases features including built-in encryption, per-row checksum verifiability of all data (without the overhead of e.g. a blockchain), and a choice of storage backends. In this project the LumoSQL community works towards the 1.0 version which will add a slew of attractive features such as encrypted embedded data at-rest (which can be unlocked either through role based access control or even outside of unmodified apps with a hardware token like Nitrokey), signed data rows and data tables (so users can cryptographically verify the integrity of data), as well as improved documentation and cross-platform availability. In addition the project is producing valuable tools such as the not-forking project, which addresses the root cause of many real-world security issues as customisation without such a tool requires hard-to-maintain forking. >> Read more about LumoSQL at-rest data security Distributed Trust for Web Servers — Establishing a Distributed Trust Authority The M-Pin protocol, and its implementation in the Milagro project currently incubating at Apache, provides cryptographic security using a distributed trust model. 
In place of the single point of failure (and high-value target for social engineering attacks) of today's Certificate Authorities (CAs), cryptographic verification is assembled from two or more mutually independent authorities, all of which would need to be subverted at once to break security. This project helps bring distributed trust to the Web, by implementing M-Pin support via Milagro's libraries in leading Open Source web servers. This will pave the way both to a distributed trust alternative to monolithic CAs and browser trust lists, and to a distributed trust alternative to protocols such as OpenID for user identification. >> Read more about Distributed Trust for Web Servers MailBox renewal — Performance upgrade of MailBox mail modules Email is still the workhorse of the internet, and behind the screens some of the heavy lifting is done by applications like the Mailbox modules. Under the hood, this software is processing billions of emails every day at some of the largest players in the industry. The project will deliver a major update of the code after two decades. This is not only long overdue, but actually offers interesting opportunities to take into account new email related RFCs, investigate new possibilities for code optimisation as well as tackling new threats like SMTP smuggling. As a bonus, the project will work on a standalone tool to be able to once more properly forward emails in the SPF/DMARC era - a very welcome capability, the lack of which is currently causing a lot of headaches and lost email for users. >> Read more about MailBox renewal Mailpile 2 (moggie) — Building a secure, modern e-mail client for self-hosting Mailpile's mission is to empower users to be more autonomous and private in how they manage, store and communicate over e-mail, simplifying the use of relevant encryption technology (OpenPGP, Tor and encrypted local storage). 
Mailpile 2 will be an Open Source, secure web-mail application, usable and powerful enough to be a compelling alternative to both mainstream desktop e-mail clients and proprietary web-mail services. Mailpile 2 will offer both local and remote access to an elegant, mobile-friendly web interface, built on web-APIs exposed by Moggie. Moggie is the project's technical toolkit for searching and working with e-mail. This stage of the project is about developing Moggie to the point where it is useful as a stand-alone tool in its own right, and feature complete enough that work on the Mailpile 2 user-interface can commence. >> Read more about Mailpile 2 (moggie) Catalogs in MariaDB — Enable true multi-tenancy in the MariaDB database MariaDB Server is the open source database powering most of the internet. Many deployments of MariaDB are done as part of a shared hosting solution, where the underlying hardware is shared by many different tenants. To achieve scalability, hosting providers typically start a single MariaDB Server instance and impose artificial limitations on tenants, such as disallowing any new user creation, modifications, passwords, access control changes etc. The alternative of starting up dedicated database servers incurs a significant resource overhead, limiting the number of total tenants and implying wasted energy and compute power. Catalogs is a feature built for MariaDB Server to eliminate the need for artificial restrictions, all while maintaining high scalability and user density. Catalogs introduce an extra separation on the SQL layer, allowing a user experience that is almost 100% identical to running a dedicated MariaDB Server instance, without the overhead of starting up multiple servers. With catalogs, hosting providers will be able to optimize hardware usage while their users will be able to modify their own dedicated system tables, without impacting other tenants. 
>> Read more about Catalogs in MariaDB Mellium — Add OMEMO support to XMPP library Mellium is an XMPP library that helps other projects safely interoperate using the most widely used, federated, real-time communication protocol in use today. Unfortunately, it does not currently provide a mechanism to enable projects using it to communicate in an end-to-end encrypted manner, meaning those projects must do the hard (and potentially dangerous) work of implementing encryption themselves. This project aims to create an easy to use implementation of the OMEMO encryption standard (XEP-0384: OMEMO Encryption) that is compatible with popular instant messaging clients. This will encourage projects depending on Mellium to implement strong privacy protections by lowering the barrier to entry for end-to-end encryption. >> Read more about Mellium Monal IM — Free Jabber/XMPP client for iOS and macOS Monal is an open source XMPP instant messaging client for MacOS and iOS which strives to be the go-to client for these platforms just like the app Conversations is for Android. XMPP in general is an open and standardized protocol for real time communication. Anyone can host their own server and communicate freely with each other, just like with email, and just like email the addresses used are of the form \"user@domain.tld\". In this project, Monal will among others add end-to-end encryption to its chat interface, in this case the OMEMO XEP which uses a so-called double ratchet mechanism to provide strong protection of the confidentiality of messages. Within the project, the team will also implement various other XEPs such as audio and video (A/V calls), adding modern functionality and improving interoperability with other clients. >> Read more about Monal IM Movim — Add OMEMO encryption to Movim XMPP client Movim is a web platform that delivers social and IM features on top of the mature XMPP standard (aka Jabber). 
Unlike other chat apps, with XMPP you have a choice of both servers and clients - and the ability to add any features you want, and restrict your trust to those that deserve it. Movim is a user-friendly communication platform aimed at small and medium structures (up to a hundred simultaneous users), and sports a number of unique social features beyond instant messaging. And because it sits on XMPP, Movim users can explore the whole global instant messaging network from a single account. In this project, Movim will add end-to-end encryption to its chat interface, in this case the OMEMO XEP. Since Movim is browser based, the implementation will have to put the encryption layer client-side - or in other words, inside the browser. Because users can connect simultaneously on the same XMPP account using different browsers with Movim, each browser will be seen as a different \"device\". Decrypted messages will be saved in a browser database, using IndexedDB. The web server will just take care of handling public keys to the XMPP network and store the encrypted messages, same as the user's XMPP server does when using archiving methods. The project will deal with both the one-to-one chat implementation and the Multi-User Chat part of Movim. This is part of a concerted effort to create reliable end-to-end encryption for XMPP based real time communications. At present growth of the wider network is hampered by lack of interoperability. >> Read more about Movim Mox — Modern full-featured open source secure mail server Mox is a modern email server implementation that makes it easy for people and organizations to run their own mail server, allowing them to stay in control of their own email communication, and keeping email decentralized. While high-quality open source mail server software components exist, their code bases are growing old, and getting a working setup involves configuring at least half a dozen of them to work together. 
That complexity has turned people to a few (centralized) email providers. Mox gives users their power back! All important protocols/mechanisms needed for a modern email setup have been implemented in mox, including: IMAP4, SMTP, SPF, DKIM, DMARC, MTA-STS, TLSRPT, automatic TLS with ACME and Let's Encrypt, IP/domain/bayesian spam filtering, internationalized email, account autoconfiguration. Setting up mox takes just minutes with the quickstart, with no additional tools/dependencies required. The code base is lean, coherent, self-contained, well-tested, cross-referenced with specifications, liberally MIT-licensed, trivially reproducibly built and is defensively written in Go, a modern, safe programming language. Mox's integrated approach has allowed for novel functionality. Development continues on supporting more protocols and extensions, as well as quality improvements such as more automated tests. On the roadmap at the time of writing (but check the project site!): IMAP4 CONDSTORE, QRESYNC, THREAD extensions, DANE and DNSSEC, sending DMARC and TLS reports, OAUTH2, Sieve, JMAP, Webmail, Calendaring and more. >> Read more about Mox Mox management and automation — Automated email server management and administration Mox is a modern email server implementation that makes it easy for people and organizations to run their own mail server, allowing them to stay in control of their own email communication, and keeping email decentralized. While high-quality open source mail server software components exist, their code bases are growing old, and getting a working setup involves configuring at least half a dozen of them to work together. That complexity has turned people to a few (centralized) email providers. Within this grant the team will add a number of missing key features such as server-side email filtering (Sieve) and encrypted storage, among others. 
>> Read more about Mox management and automation SecSync — Efficiently combine end-to-end encryption with CRDTs While popular CRDT implementations like Yjs or Automerge offer several designs and even implementations on how to asynchronously exchange data using servers, there is no plug & play implementation serving end-to-end encrypted systems. Focus of the first version of SecSync is to provide a protocol to efficiently exchange and resolve e2e encrypted CRDTs. It comes with a plug and play reference implementation on top of Yjs and should be well documented. By leveraging snapshots as well as operations logs referencing snapshots the load times should be reduced while still offering real-time collaboration. >> Read more about SecSync NeoChat — Native Matrix encrypted instant messaging client NeoChat is a client for Matrix, an open and decentralized chat protocol. NeoChat is using Qt and KDE technologies to run on many platforms: Linux, Windows, macOS, Plasma Mobile and Android. One of the biggest missing features for NeoChat is support for end-to-end encryption. Currently, all the messages are sent unencrypted and encrypted conversations can't be read in NeoChat. This is not a problem for public rooms since they are usually not encrypted, but it makes NeoChat unsuitable for usage in a private or professional context. The goal of this project is to enable support for encryption in NeoChat. Since NeoChat uses libQuotient, a client library for the Matrix protocol, most of the work will take place in libQuotient. This means that the work done in the project will also help other Matrix clients and bots built with Quotient, in particular Spectral and Quaternion. >> Read more about NeoChat neuropil — Privacy by design P2P search including IoT Neuropil is an open-source de-centralized messaging layer that focuses on security and privacy by design. 
Persons, machines, and applications first have to identify their respective partners and/or content before real information can be sent. The discovery is handled internally and is based on so-called \"intent messages\" that are secured by cryptographic primitives. This project aims to create distributed search engine capabilities based on neuropil, that enable the discovery and sharing of information with significantly higher levels of trust and privacy and with more control over the search content for data owners than today's standard. As of now large search engines have implemented \"crawlers\", that constantly visit webpages and categorize their content. The only way to somehow influence the information that is used by search engines is by using a file called „robots.txt“. Other algorithms are only known to the search engine provider. By using a highly standardized \"intents\" format that protects the real content of users, this model is reversed: data owners define the searchable public content. As an example we seek to implement the neuropil messaging layer with its extended search capabilities into a standard web server to become one actor and to handle and maintain the search index contents of participating data owners. By using the Neuropil messaging layer it is thus possible to build a distributed search engine database that is able to contain and reveal any kind of information in a distributed, concise and privacy preserving manner, without the need for any central search engine provider. >> Read more about neuropil NextGraph Framework — SDKs and APIs for the NextGraph Framework NextGraph is an open source ecosystem that provides solutions for end-users (a platform) and software developers (a framework), wishing to use or create decentralized apps featuring: real-time collaboration, peer to peer communication with end-to-end encryption, local-first, portable and interoperable data, total ownership of data and software, security and privacy. 
Centered on repositories containing semantic data (RDF), rich text, and structured data formats like JSON, synced between peers belonging to permissioned groups of users, it offers strong eventual consistency, thanks to the use of CRDTs. Documents can be linked together, signed, shared with others, queried using the SPARQL language and organized into sites and containers. Using our framework, SDK and APIs, developers will be able to create standalone or embedded apps that can make capability-based access requests on the user's data, define smart-contracts and implement any business logic within cross-document transactions. With NextGraph, users and apps can securely access and traverse their authenticated data graph (web of data) and social graph (social network), while enabling resilience and data integrity, and preserving privacy and decentralization. >> Read more about NextGraph Framework Nitrokey — Open hardware for encryption and authentication Nitrokey is an open source hardware USB key for data encryption and two-factor authentication with FIDO. While FIDO is supported by web browsers, using Nitrokey as a secure key store for email and (arbitrary) data encryption requires native software. Therefore email encryption in webmail isn’t possible with Nitrokey. At the same time, strong end-to-end encryption solutions in web applications all share the same challenge: to store users' private keys securely and conveniently. Therefore secure end-to-end encryption usually requires native software too (e.g. instant messenger app) or - less secure - storing the user keys password-encrypted on servers. Nitrokey aims to solve these issues by developing a way to use Nitrokey with web applications. To avoid the need for a device driver, browser add-on or separate software, this project is going to utilize the FIDO (CTAP) protocol. As a result the solution will work with any modern browser (which all support WebAuthn), on any operating system, even on Android. 
This will give any web application the option to store private keys on one's own Nitrokey devices. >> Read more about Nitrokey Nitrokey 3 — PIV/FIPS 201-3 and extended hardware support for Trussed/Nitrokey Nitrokey 3 is an open source hardware USB/NFC key aiming for data encryption and two-factor authentication. Currently it supports FIDO2 authentication and WebCrypt. This project will allow it to extend its Rust firmware, developing additional functionality which makes it into a full-featured open hardware security key. By adding support for new so-called 'secure elements' to Trussed, any device using Trussed can benefit from more hardware options. Within the project we will also develop PIV support for Nitrokey 3. PIV is a smart card standard which is used in enterprises and also popular among users of some operating systems like Microsoft Windows. PIV allows for data encryption, signing and authentication. >> Read more about Nitrokey 3 Trussed — Open hardware for encryption and authentication The project summary for this project is not yet available. Please come back soon! >> Read more about Trussed Type Inference for Nix — Adding static typing and type inference to Nix Nix is a tool to configure systems and manage packages. It comes with a programming language, also called Nix, to describe packages and configurations. Typically, when a change is made to the configuration of a system, the new configuration is evaluated and then applied. However, configuration errors are only reported after the failure of the evaluation. So, users often have to edit the configuration, evaluate it, understand the evaluation errors, fix the errors and try again. This feedback loop is very inefficient and frustrating for users. Similarly, developing the abstractions to make the Nix package collection (nixpkgs) work can be challenging. Indeed, dynamically typed languages with reflection like Nix do not provide many safeguards. 
This project aims to retrofit a static type system, with type inference, on the existing Nix language while being backwards compatible with existing code. Types provide timely feedback to developers to help them during development, thanks to localized error messages. Furthermore, a type system for Nix would supercharge language server protocols and provide immediate feedback to Nix programmers. In addition to acting as some form of documentation, static types enable new exciting possibilities like better optimizations for Tvix in order to get faster evaluation and more advanced type-based function search with Noogle. >> Read more about Type Inference for Nix Debug Adapter with Nix — Implement the Debug Adaptor Protocol for Nix The DAWN (Debug Adaptor with Nix) project intends to improve the Nix developer experience by making debugging Nix code easier. As with most programming languages, writing Nix code may be difficult and confusing for those both new to and experienced with Nix, so having a good debugger experience is essential. Today, debugging Nix may be performed either via the Nix debugger's repl or by print statements (builtins.trace). DAWN improves this debugging experience by implementing the adapter portion of Microsoft's Debug Adapter Protocol on top of the Nix debugger. DAWN will provide an ergonomic and first class debugging experience directly from all editors supporting the Debug Adaptor Protocol. >> Read more about Debug Adapter with Nix NixOS/Clevis — Unattended disk decryption with Clevis on NixOS Whether they should or not, organisations are moving their data to third party servers (aka the \"cloud\"). While full disk encryption of servers should be an everywhere standard in order to protect the sensitive data that they inevitably hold, its adoption is still lagging. This isn't just lack of awareness, but also part of the tooling is missing. 
With full disk encryption comes a big pain point: restarting the server requires the root file system to be unlocked before booting the OS. While it is possible to remotely log into a server to unlock it, this does create a dependency on a human operation in order to boot a server without compromising security. This is sometimes an unacceptable drawback: it rules out unattended reboots and recovery from power loss, and it doesn’t scale well with the number of servers. This project will make on disk encryption with remote unlocking part of NixOS - bringing together a number of innovative mechanisms such as system extensions images and stage1-networkd. While this does not make using the cloud safe and private in and by itself (this is impossible), it will contribute to make it somewhat more safe and more private. Additionally the project will port the Proxmox Hypervisor on NixOS, in order to benefit from NixOS-style declarative host configuration and deployment (which is very valuable when managing a cluster of machines to avoid configuration rot). Proxmox is a hypervisor that can run little to middle sized VM clusters and is capable of handling multi-node clusters. >> Read more about NixOS/Clevis UEFI Secure Boot support for NixOS — Add a self-sovereign root of trust as part of supply chain security This project combines the power of the reproducible package manager Nix with the cryptographic protections of UEFI Secure Boot to provide concrete assurances about the authenticity of the software being booted into. Supply chain security works upward from a root of trust, which has to be in place before the very first bytes of code are even executed by a host’s CPU. UEFI Secure Boot helps provide this root of trust. Using UEFI Secure Boot, the host’s firmware will only boot the operating system if it is signed by a key stored in the firmware. This key may be issued by Microsoft, or in this project’s case, be generated by the user. 
This can help resist attacks from malware or other attacks against the system’s integrity. Obviously, when people use a commodity operating system commercially available to everyone (like Microsoft Windows) the security protection is far less and the risks are far greater than when someone generates a custom operating system with a reproducible tool like Nix. The Host and signing service will use TPM-backed attestation keys to mutually attest the authenticity of the requests. This tool will initially support systemd-boot and uboot, however the project will be specifically designed with the intention of supporting additional bootloaders. >> Read more about UEFI Secure Boot support for NixOS Nyxt — A programmable browser with advanced search integration Nyxt is a new type of web browser designed to empower users to find and filter information on the Internet. Web browsers today largely compete on performance in rendering, all whilst maintaining similar UIs. The common UI they employ is easy to learn, though unfortunately it is not effective for traversing the internet due to its limited capabilities. This presents itself as a problem when a user is trying to navigate the large amounts of data on the Internet and in their open tabs. To deal with this problem, Nyxt offers a set of powerful tools to index and jump around one's open tabs, through search results and the wider Internet. For example, Nyxt offers the ability for the user to filter and process their open tabs by semantic content search. Because each workflow and discipline is unique, the real advantage of Nyxt is in its fully programmable and open API. The user is free to modify Nyxt in any way they wish, even whilst it is running. 
>> Read more about Nyxt OCaml direct style transition — Helping with the transition of OCaml programs from Lwt to Eio OCaml traditionally uses monadic style for concurrent programming, offering advantages like reduced data races and efficiency but requiring all code to be written in this style and leading to frequent allocations. OCaml 5 is one of the first languages to implement algebraic effects, enabling direct-style concurrency with multiple stacks, addressing these drawbacks. However, the transition to effects-based concurrency can lead to incompatibility between libraries written in different styles, putting the whole OCaml ecosystem at risk. This project aims to mitigate these risks by developing tools to automatically rewrite code and identify potential issues during the transition from monadic to direct-style concurrency, specifically focusing on the complex case of the Ocsigen Web framework. >> Read more about OCaml direct style transition OCaml-QUIC — Implement QUIC/QUIC-TLS/QPACK and HTTP/3 in OCaml HTTP/3 is the most recent version of the Hypertext Transfer Protocol used to exchange information on the World Wide Web. Like the QUIC transport layer protocol it uses, it is standardized by the Internet Engineering Task Force (IETF). OCaml-QUIC is an implementation of QUIC (RFC9000), QPACK (RFC9204), HTTP/3 (RFC9114) and associated protocols in OCaml, an industrial, functional, memory safe programming language, used in sectors ranging from finance and research to social media and web applications. The project aims to provide an open, complete implementation of the aforementioned protocols to be used and deployed in embedded devices, POSIX/UNIX operating systems and unikernels (self-contained, library operating systems). >> Read more about OCaml-QUIC Off-the-Record messaging version 4 — Advanced protocol for secure messaging OTRv4 is the newest version of the Off-The-Record messaging protocol. 
It is a protocol where the newest academic research intertwines with real-world implementations. Its aim is to give end-to-end encryption, deniability, authentication, forward secrecy and post-compromise security for any kind of messaging (online or offline). The goal of this new version is to give the most secure privacy and security properties that have a real impact on the world. This new version aims to be available in different desktop clients (that use XMPP or other messaging protocols) and in mobile clients. >> Read more about Off-the-Record messaging version 4 owi — Symbolic evaluator and fuzzing of WASM software WebAssembly (Wasm) is a post-JavaScript code format for the web, enabling efficient computing, with built-in sandboxed execution. Its usage is expanding: it is now used in online services, in embedded systems and to create portable binaries. Owi is a toolkit tailored for Wasm. In particular it can perform efficient symbolic program execution. That is to say, for a given program, it is able to find input values leading to a crash. Many languages are compiling to Wasm, e.g. C/C++/Rust. Owi can thus be used as a bug-finding tool working on any of these languages. We're currently improving the usability of the tool as a part of the testing workflow for developers; the first step of this work is to provide an interface making Owi a drop-in replacement for AFL. >> Read more about owi Improve Okular digital signature support — Improve open source tooling for digital signatures Okular is a Free Software document viewer that supports multiple file formats such as PDF and OpenDocument Format, and besides viewing allows for annotation and digital signatures. It was initially created for desktop Linux and UNIX operating systems but meanwhile has grown into a universal, vendor-neutral document tool for all platforms - including an increasing number of mobile operating systems such as Android, postmarketOS and pureOS. 
Digital signatures allow people to establish the source of documents, but can also be used to enter into legally binding agreements or contracts - so having a reliable and transparent solution is important. The aim of this project is to improve the support of PDF digital signatures in Okular both from the point of view of features and usability, making it easier for users to interact with this crucial privacy and security functionality. >> Read more about Improve Okular digital signature support Opaque Sphinx Server and Clients — Server and tools for modern authentication Passwords are probably the most common way to remotely use private services, which makes them a major liability - humans on average find it very hard to memorize strong passwords. Luckily, passwords - or more particularly tools to work with passwords more safely - are evolving as well. SPHINX is a novel approach to password storage that is information-theoretically secure. And unlike most online password managers, the user does not even have to trust the server. OPAQUE is a novel protocol that can be used to eliminate phishing as an attack vector when authenticating to servers. The combination of SPHINX and OPAQUE provides some very strong guarantees while still allowing users to only need to remember one or just a few passwords. This project will develop a SPHINX server in a safe, compiled language, with ample tests. It will also further develop and refine a protocol above SPHINX, handling creation, deletion, backup and changing of data. In addition it will add the OPAQUE protocol to various free software ecosystems such as PHP, java, nodejs, ruby, golang, erlang and rust, as well as to the two most used webservers: nginx and apache2. >> Read more about Opaque Sphinx Server and Clients OpenCryptoHW — CGRA-based reconfigurable open-source cryptographic IP cores OpenCryptoHW aims to develop reconfigurable open-source cryptographic hardware IP cores for Next Generation Internet. 
With the Internet of Things (IoT) upon us, security and privacy are more important than ever. On the one hand, if the security and privacy features are exclusively implemented in software, the risk of breaches is high. On the other hand, if implemented solely in hardware, it is impossible to fix bugs or deploy critical updates, which is also a threat to security and privacy. Hence, we propose to use reconfigurable hardware, providing the flexibility of software and the trustworthiness of hardware. Hacking into it requires first hacking the device’s configuration infrastructure and then hacking the algorithm itself, which is way more complicated. There have been proposals to implement cryptographic IP cores using Field Programmable Gate Arrays (FPGAs). However, the FPGA configuration infrastructure is cumbersome and proprietary, increasing device cost and compromising safety. Therefore, we propose to use open-source Coarse-Grained Reconfigurable Arrays (CGRAs) instead of FPGAs. CGRAs have much lighter configuration circuits and are not controlled by any private entity. With OpenCryptoHW, hardware and system designers will be able to download CGRA-based cryptography IP cores for free and under a permissive license, ready to integrate into their silicon designs. >> Read more about OpenCryptoHW OpenCryptoLinux — Make Linux run on OpenCryptoHW OpenCryptoLinux aims to develop an open, secure, and user-friendly SoC template capable of running the Linux operating system, with cryptography functions running on a RISC-V processor. The processor will control a low-cost Coarse-Grained Reconfigurable Array (CGRA) for enhanced security, performance, and energy efficiency. Running Linux on this SoC allows non-hardware experts to use this platform, democratizing it. This project will help build an Internet of Things (IoT) that does not compromise security and privacy. The project will be fully open-source, which guarantees public scrutiny and quality. 
It will use other open-source solutions funded by the NLnet Foundation, such as the RISC-V processors from SpinalHDL and the OpenCryptoHW project. >> Read more about OpenCryptoLinux DRTM implementation for AMD processors — Unified framework for dynamic RTM The Trenchboot project aims to create a unified framework for dynamic RTM (DRTM) implementation for all platforms. (D)RTM is used to verify if bugs or vulnerabilities have compromised a system, and as such is an important component to get to advanced stages of trustworthiness for our hardware. >> Read more about DRTM implementation for AMD processors Open MLS Infrastructure — End-to-end encrypted group messaging The Open MLS infrastructure project aims at designing and implementing infrastructure components for the MLS (Messaging Layer Security) protocol currently under development by the IETF (https://datatracker.ietf.org/doc/draft-ietf-mls-protocol/). While it is theoretically possible to run MLS peer-to-peer, most use-cases will require central components that take care of ordering and queueing messages, as well as managing group state. Our goal is to create components that are secure, metadata-minimizing, modular, and that allow for federation. This lays a foundation for improving existing and future messaging applications, and will make it possible to validate a potential future application-layer specification. >> Read more about Open MLS Infrastructure Improving OpenSSH's Authentication and PKI — Improving SSH Authentication with OpenPGP transitive trust It would not be a stretch to say that ssh secures the Internet - it is the protocol most relied on to log into servers of any type. Yet, its authentication model is inflexible, rarely used properly, and inadequate. OpenPGP's transitive trust (aka \"web of trust\") mechanisms and revocation certificates can help to provide additional automated assurances. 
By publishing and certifying OpenPGP keys for servers, an ssh client may be able to automatically check whether an encrypted connection is not only encrypted, but also authenticated. Similarly, server administrators can automatically find the right public key for users. And when a server key or user key is compromised, using OpenPGP, it is straightforward to ensure that it won't be trusted: just publish a revocation certificate. This project will add OpenPGP support to OpenSSH to improve and simplify these workflows. >> Read more about Improving OpenSSH's Authentication and PKI Interoperable Certificate Store for OpenPGP — Standardisation effort for shared OpenPGP certificate storage This project will build a public cert store for OpenPGP keys, with well-defined data structures and access mechanisms to facilitate interoperability between OpenPGP implementations. It builds on pgp-cert.d, which stores certs, and has an API to access them. Beyond the common format and API, the project will also add Sequoia-specific indices, where standardization doesn't make sense. sq, Sequoia's command line tool, will be adapted to use the cert store. In addition the project aims to develop a privacy-preserving way to update the certs from keyservers. >> Read more about Interoperable Certificate Store for OpenPGP Hardening OpenPGP CA deployments — HSM support for OpenPGP key infrastructure OpenPGP CA is a tool for managing and certifying OpenPGP keys in organizations. Today, the private key material of OpenPGP CA instances is stored and used locally. This project will add support for two hardened modes of operation: 1) Using a hardware-token (OpenPGP Card) based key for the CA, and 2) Split OpenPGP CA deployments, in which critical operations are performed on a highly protected machine (e.g. air-gapped), while regular operation can take place conveniently on an online CA instance. In addition the project will build an OpenPGP CA based tool for version control signing workflows (e.g. 
git), with a focus on providing a smooth user experience for signing with OpenPGP card devices. >> Read more about Hardening OpenPGP CA deployments p2panda — p2p protocol and event-driven data store p2panda is a peer-to-peer protocol and framework for building local-first applications that store and exchange user data in a distributed database. p2panda’s goal is to drastically extend the range of software projects that can be realized with a decentralised architecture by providing a wide range of features that alleviate common issues with this approach. A focus is set on data sovereignty, developer friendliness and supporting collaborative software. This project will validate these claims by applying p2panda to a real-world use case and improve p2p networking by extending data replication capabilities. >> Read more about p2panda Adding Web-of-Trust Support to PGPainless — Web-of-Trust specification support for Java Reliable authentication of public key certificates is a hard requirement for strong and effective end-to-end encryption. The \"Web-of-Trust\" (WoT) serves as an example of a decentralized authentication mechanism for OpenPGP. While there are some existing implementations of the WoT in applications such as GnuPG, their algorithms are often poorly documented. As a result, WoT support in client applications is often missing or inadequate. PGPainless is an easy-to-use, secure-by-default OpenPGP library for Java and Android. This project will extend PGPainless with an implementation of a recently published, new Web of Trust specification. The goal is to make the Web of Trust more interoperable and accessible to client applications, overall increasing the usability and ergonomics of OpenPGP for the end-user. >> Read more about Adding Web-of-Trust Support to PGPainless Post-Quantum Crypto in DNSSEC — Experimental platform for DNSSEC with post-quantum cryptography PQ-DNSSEC is an open-source tool set for exploring DNSSEC based on post-quantum cryptography. 
It includes implementations of authoritative DNS servers and DNS resolvers that support various post-quantum signature schemes as well as tools to evaluate performance and the compatibility of these implementations with the existing DNS infrastructure in the global Internet. PQ-DNSSEC also provides a collection of example zones to the general public. This way, the project will help the DNS community to prepare for transitioning to post-quantum secure DNSSEC. >> Read more about Post-Quantum Crypto in DNSSEC Statime — Memory-safe high-precision clock synchronization Of all severe software security bugs, a big chunk (50-70%) has one single source: memory corruption. The underlying cause is that, traditionally, systems software is implemented in languages that are not memory-safe. The way forward is to replace these pieces of software with memory-safe alternatives, one by one. Doing so will not just mitigate, but eliminate this category of bugs entirely. This project picks out one piece: the Precision Time Protocol (PTP). High-precision clock synchronization plays a crucial role in networking, with application areas such as high precision localization, finance, broadcasting, security protocols, smart grids, and cellular base station transmissions. Our proof-of-concept implementation will conform to the IEEE standard for PTP and will focus on the software implementation of a slave-only PTP ordinary clock. In the future, our work is expected to become part of a wider open-source roadmap for reliable and memory-safe keeping of network time, that will seek to expand the feature set of our implementation and work towards growing its adoption. Statime is part of Project Pendulum. >> Read more about Statime PTT — Unikernel Mailing list server in OCAML Email is still one of the main channels of communication. Setting up and maintaining something as simple as a reliable mailing list in-house is significantly more complex than it ought to be. 
Out of convenience, many organisations and communities outsource running their mailing list service to third-party agents. However, this not only creates an unnecessary dependency but also reduces confidentiality, which can be a critical aspect. This project has the ambition to win back the means of communication, developing a new mailing list application service that is easier to maintain securely (through unikernels using MirageOS), and is efficient in terms of resource usage. The service should integrate into existing infrastructures seamlessly. >> Read more about PTT Passthrough Authentication — Authentication proxy using Kerberos and SPNEGO Adding authentication to an application is a thankless part of development - users don't like to log in and there is a lot of duplication of effort. This project proposes an interesting alternative which benefits from the fact that browsers have retained built-in support for HTTP SPNEGO (with Kerberos included) for many years: by forwarding Kerberos tokens through a lightweight proxy to a \"kerberized\" authentication server that is part of the same Kerberos realm where the user logged in at the beginning of the day. The goal of this project is to make web modules, such as Apache, for the proxy and implement the authenticator using Diameter or another broker, and do the same for SASL using GSSAPI. >> Read more about Passthrough Authentication Pijul ecosystem — A modern patch-based version control system Pijul is a modern patch-based version control system that addresses many shortcomings found in existing tools. While its foundations are already mature and well-tested, it lacks many conveniences users expect from the ecosystems of popular tools such as Git. This project aims to significantly reduce Pijul's barrier to adoption by addressing common areas of user feedback - documentation, usability, robustness, and integration into other tools such as text editors or CLI prompts. 
We believe this will improve the workflow of existing users, and enable many more to adopt Pijul and its benefits without sacrificing other parts of their workflow. >> Read more about Pijul ecosystem Pijul Hybrid — Hybrid patch-based/snapshot-based system for distributed versioning Pijul is a modern patch-based version control system that addresses many shortcomings found in existing tools, based on a mathematical theory of collaborative work. In order to ease the transition from existing tools, and increase utility in a wider set of use cases, this project will work on a better transition story from other tools like Git and Mercurial, and improve tooling around it. In particular, it will deliver a hosting platform called Nest which has features which will be quite different from other hosting services. Pijul is able to apply patches independently from each other, meaning that (reorderable) patches can be used in place of legacy pull/merge requests everywhere. This should make most workflows vastly simpler, as well as result in cleaner code bases. >> Read more about Pijul Hybrid Pimalaya: email — Open source personal information management Pimalaya aims to improve open-source tools related to Personal Information Management (PIM) which includes emails, contacts, calendars, tasks and more. Its first goal is to provide Rust libraries dedicated to the PIM domain. They serve as a basis for all sorts of top-level applications, which saves developers from reinventing the wheel. Its second goal is to provide quality house-made applications built on top of these libraries, gathered into projects. Among others this includes Neverest, a command-line synchronisation tool. This grant will help Pimalaya to cover the email domain: improve lib structure, improve synchronization, implement autoconfiguration, implement thread view and initialize a REPL. 
>> Read more about Pimalaya: email Pimalaya PIM — Memory-safe emails, contacts, calendars, tasks and more Pimalaya aims to improve open-source tooling related to Personal Information Management (PIM). Pimalaya has two objectives: to provide solid Rust libraries dedicated to the PIM domain, which serve as a basis for all sorts of top-level applications (meaning their developers can focus on functionality) and to develop a number of quality applications on top of these libraries. Within the scope of this project, Pimalaya will release additional production-grade libraries and tools, expanding its scope to contacts and calendars — through contact and calendar libraries, command line interfaces and plugins. At the end of this grant, the Pimalaya project covers not just email but also contacts, events, alarm and tasks. >> Read more about Pimalaya PIM Polyglot jaq — Data wrangling tool focusing on correctness, speed, and simplicity. Data often needs to be processed going from one tool to another. Doing that is potentially a point of failure, as 'quick and dirty' solutions often fail to take into account edge cases. This project will build on top of Jaq, a Rust re-implementation of the widely popular jq syntax with rigorously defined semantics, and extend its approach to other data formats - from legible formats such as XML, YAML, TOML, CSV and Markdown to binary formats. For the latter, the project builds on the versatile parsing toolbox of Kaitai Struct. >> Read more about Polyglot jaq Pre-Scheme — Compile Scheme directly to portable C Pre-Scheme is a statically-typed dialect of the Scheme programming language which compiles to C, suitable for low-level systems programming. Pre-Scheme is implemented using a sophisticated general-purpose compiler, written in Scheme, with demonstrated applications to other programming languages and compilation targets. 
This project aims to port the compiler to R7RS, the latest Scheme standard, so that it can run on a variety of modern Scheme implementations. The Pre-Scheme language and tooling will also be updated to meet the expectations of a contemporary developer audience, and the compiler framework will be documented and exposed to support future innovations in programming language development and research. >> Read more about Pre-Scheme Prosody IM — Implement SASL authentication mechanism for XMPP XMPP is the most widely deployed standard protocol for real-time messaging today, and is a very popular choice among individuals and organizations who wish to manage their own internet communications, instead of submitting to other (e.g. commercial/data-driven) communication platforms. For an XMPP user to log in to their account today, two things are required: a username and a password. This has remained unchanged for many years, while other technologies have been steadily advancing to support security-enhancing features such as multi-factor authentication or even self-sovereign identities. XMPP uses an authentication umbrella standard known as SASL to authenticate all connections. The way XMPP integrates SASL is defined in RFC 6120 and assumes a very simple challenge-response flow, which has worked well in allowing us to upgrade the network from older SASL mechanisms such as DIGEST-MD5 and onto more modern mechanisms such as SCRAM-SHA-1 and SCRAM-SHA-256. To gain new authentication features beyond simple password authentication, we need to evolve XMPP’s relationship with SASL. This project will deliver just that, and will be the first complete implementation of a proposed standard (XEP-0388: Extensible SASL Profile) into the popular Prosody XMPP server. It will also implement support for per-session access control throughout Prosody, and support for XEP-0386 (Bind 2.0). 
>> Read more about Prosody IM ProveThis — Prove statements about authenticated API resources ProveThis allows users to prove statements from websites and APIs using TLS without revealing private information. Although efforts like TLSNotary can currently be used to prove the authenticity and origin of a full HTML page, we extend the capabilities of TLSNotary and allow users to make zk-SNARK based zero knowledge proofs about statements in complexity class NP. More concretely, this can allow users to prove statements about e.g. their banking data (how many transactions did you send in a certain period), social media data (how many friends are you away from knowing Barack Obama) or other data sources. Such proofs can generally be used to reduce fraud without compromising privacy and confidentiality. >> Read more about ProveThis Pythonic Slint — Add a full-blown Python API to Slint Slint is a next generation declarative GUI toolkit that supports multiple programming languages such as Rust, C++, and JavaScript. Implemented in Rust, a language known for its memory safety and performance, Slint can run on platforms such as Windows, Linux, Mac, QNX, and microcontrollers. Next to JavaScript, Python is the most popular programming language. While Python developers already have a number of options when it comes to GUI frameworks, most of these are in the form of wrappers or bindings. We aim to make Python a first-class citizen with a dedicated and idiomatic API, to empower developers to create amazing user interfaces for their applications. Python developers will benefit from a modern open source GUI framework that is well-supported. >> Read more about Pythonic Slint RADIUSdesk Multi WAN — Add Multiwan to RADIUSdesk RADIUSdesk is a complete, open source solution for the provision and management of Internet connectivity. The main component is a feature-rich RADIUS server that includes features such as vouchers, BYOD and permanent users. 
Permanent users have support for Private PSKs and versatile Fair Usage Policies (FUP). MESHdesk allows you to quickly roll out WLAN connectivity over a large area. APdesk can be deployed in enterprise environments and offers support for guest networks and dynamic VLAN assignment. Bandwidth and data usage can be managed via one of the following options: a captive portal, a PPPoE server or private PSKs with RADIUS. MESHdesk and APdesk can be managed via your phone or a desktop browser. The system has an intuitive API that eases integration with other systems. In this project, Multiwan support will be added, together with private Pre-Shared Key (PPSK), Multi-Dwelling Units (MDUs) and Software-defined Wide Area Network capabilities which will make it possible to support more VPN technologies. >> Read more about RADIUSdesk Multi WAN rasn — Safe ASN.1 codec framework for Rust ASN.1 is a suite of protocols and data formats first introduced nearly 40 years ago, and is used extensively throughout the industry: from SIM cards to satellites, from web certificates to 5G radios, all of these use ASN.1 in their communication stack. However, parsing ASN.1 remains a large source of security vulnerabilities due to its complexity and to parsers needing to be written in traditionally memory-unsafe languages for speed and portability. Rasn is a codec framework for writing safe ASN.1 code in Rust, that encodes ASN.1's data model into Rust's type system, empowering developers to write Rust code that is as safe, portable, and as easy to write as the original ASN.1 module. Rasn supports BER, CER, and DER encoding rules, and can be extended to support custom data formats. Rasn also provides a number of standards out of the box including LDAP, PKIX, and SNMP. >> Read more about rasn RETETRA3 — Security research into TETRA standard Terrestrial Trunked Radio (TETRA) is a European standard for trunked radio used globally by government agencies, emergency services and critical infrastructure. 
Apart from most European police agencies (such as BOSNET in Germany or RAKEL in Sweden), military operators and emergency services, TETRA is also widely used for SCADA telecontrol of oil rigs, pipelines, transportation and electric and water utilities. Prior research extracted the secret cryptographic functions underpinning TETRA security and made them available for public scrutiny, resulting in the first public in-depth security analysis of TETRA - uncovering five vulnerabilities including a backdoor. We contributed various improvements and bugfixes to the open-source osmocom-tetra stack, as well as adding support for cryptography. This new project has two main components. The first is developing support for uplink demodulation/decoding and message parsing and implementing a stack able to monitor both downlink and uplink traffic simultaneously, as well as working towards FOSS TETRA base station functionality. The second is investigating the obscure TETRA E2EE, an optional proprietary solution on top of the standard used in the most sensitive of use cases for TETRA networks, and providing a security analysis as well as a FOSS implementation. This research should shed light on its suitability for mitigating the previously uncovered security issues. Also, we will dig deeper into the security of TETRA as a whole, with a special focus on message injection vulnerabilities. We aim to provide definitive insight into the extent to which adversaries are able to compromise confidentiality and integrity (particularly important when used in critical infrastructure) of traffic, and which mitigations can be considered in order to be able to use TETRA securely and safely. >> Read more about RETETRA3 RNP Confium — Distributed trust store enabling threshold encryption Confium is an open-source distributed trust store framework that enables usage of the new paradigm of threshold encryption, powering new modes such as cryptographic secure multi-factor authentication. 
It aims to provide a generalized API and an extensible architecture for the usage of trust stores and future cryptographic families, to support standardization efforts of threshold cryptography, and to bridge cryptographers with the practical usage of cryptography. The current project enables implementation of the Confium framework with a 2-out-of-3 threshold RSA signature scheme. >> Read more about RNP Confium Fast RSA + PQ Blind Signatures — Fast multiprecision integers for blind RSA and Post-Quantum signatures We observed significant performance differences between the different implementations of classic RSA signatures in various widely used Free Software cryptographic libraries. Each of the libraries takes a different approach to implementing modular exponentiation, the core operation when generating and verifying RSA signatures. Naturally, RSA signatures would also not be safe in presence of large-scale quantum computers. In this project, we improve the performance of libgcrypt, mbedTLS, GNU nettle and libgmp to ensure that they are on par with the best secure implementations available today. Furthermore, we implement one of the academic post-quantum blind signature schemes, make it available as Free Software and integrate it with GNU Taler. >> Read more about Fast RSA + PQ Blind Signatures ReOxide — Improving Rust Decompilation Modern compiled languages such as Rust and Go are notorious for producing binaries that are difficult to reverse engineer by default. As these languages grow in popularity, they are increasingly being used in proprietary products and are also attracting malware developers. In order to audit binary software and analyze malware, it is therefore necessary to improve reverse engineering tools with special support for specific languages. To fill this gap, we are developing the ReOxide framework, which targets the reverse engineering of Rust programs. 
In the presence of extensive compile-time code generation and strong memory optimizations, existing decompilers reach their limits when trying to recreate C-like languages. The design goal of ReOxide is therefore to build on top of the Ghidra decompiler and make it extensible for custom analysis passes. This will allow us to gather information that is readily available during decompilation itself, but not through Ghidra's public plugin API. We will use this information to address Rust-specific language features, but also try to keep the extensions general enough for other languages. >> Read more about ReOxide Renderling — Real-time rendering library on top of WebGPU Renderling is an innovative, GPU-driven real-time renderer designed for efficient scene rendering with a focus on leveraging GPU capabilities for nearly all rendering operations. Utilizing Rust for shader development, it ensures memory safety and cross-platform compatibility, including web platforms. The project, currently in the alpha stage, aims for rapid loading of GLTF files and handling large, animated scenes with many lighting effects. Development emphasises performance, safety, observability, and the use of modern rendering techniques like forward+ rendering and physically based shading. >> Read more about Renderling Reowolf — Rip and replace for BSD socket insecurity The Reowolf project aims to replace a decades-old application programming interface (BSD-style sockets) for communication on the Internet. In this project, a novel programming interface is implemented at the systems level that is interoperable with existing Internet applications. Currently, to increase quality of service (e.g. intrusion detection, latency and throughput) non-standard techniques are applied. Internet service providers resort to deep packet inspection to guess applications' intent, and BSD-style socket programming is error-prone and tweaking is fragile. 
This project resolves these problems: it provides support to middleware to further improve quality of service without having to give up on privacy, and makes programming of Internet applications easier to do correctly and thus more reliable. >> Read more about Reowolf Replicant on Guix — Reproducible build infrastructure for Replicant The project summary for this project is not yet available. Please come back soon! >> Read more about Replicant on Guix Ripple — Safer and faster incremental software builds As it stands, reproducible builds are not accessible to the average developer. Existing projects tackling this problem come with significant caveats: some rebuild packages from scratch, making them practically useless for interactive development, while discouraging users from hacking on the core parts of their system due to cascading rebuilds; others are drastically more efficient, but come with fewer correctness guarantees, and require build scripts to be re-implemented in custom DSLs, making them costly to adopt. This is further exacerbated by frustrating, flaky tooling, and the proliferation of compatibility issues arising from inherent constraints of these solutions. Ripple is a hermetic, incremental, meta build system. It provides stronger purity guarantees and improved efficiency over existing solutions, while being completely ecosystem-agnostic. In effect, Ripple can memoize arbitrary programs. This lets users migrate gradually, opting into ecosystem-specific optimizations and abstractions at their own pace, and opens up a huge number of creative possibilities. Ripple aims to make reproducible builds not only easy, but fun — encouraging mainstream adoption, so we might together put to rest the ghost of bygone builds. >> Read more about Ripple Robotnix — Reproducible Builds of Android with NIX Robotnix enables a user to easily build Android (AOSP) images using the Nix package manager. 
AOSP projects often contain long and complicated build instructions requiring a variety of tools for fetching source code and executing the build. This applies not only to Android itself, but also to projects which are to be included in the Android build, such as the Linux kernel, Chromium webview, and others. Robotnix orchestrates the diverse build tools across these multiple projects using Nix, inheriting its reliability and reproducibility benefits, and consequently making the build and signing process very simple for an end-user. >> Read more about Robotnix Rosenpass — Post Quantum Security Add-On for WireGuard Rosenpass is a formally verified, post-quantum secure VPN that uses WireGuard to transport the actual data. The implementation does not create a VPN connection itself, instead it performs a key exchange and hands this key to WireGuard; i.e. it *enhances* WireGuard's security without replacing it. This reduces the complexity of implementing the protocol and ensures that all the performance-advantages of WireGuard are available with Rosenpass. There is some extra latency to make a connection, but after that, WireGuard and Rosenpass are as fast. The protocol used by Rosenpass is based on the handshake designed by Hülsing, Ning, Schwabe, Weber and Zimmermann and improves upon the protocol by using cookies to provide resistance against state-disruption attacks. State-disruption attacks exist against the first version of the post-quantum WireGuard protocol and against classic WireGuard when NTP is used to synchronize the system-clock. Internally, the protocol uses two post-quantum KEMs (key exchange methods) and no post-quantum signature schemes to provide ephemeral secrecy and deniability. >> Read more about Rosenpass Rust Threadpool — Improve privacy of Rust threading library ThreadPool is a free and open-source library that provides a simple and intuitive interface for programmers to multi-threaded programming. 
ThreadPool aims to make parallel programming accessible to the general public. Running tasks in parallel is a vital building block for building efficient solutions on modern hardware. Combined with Rust's type-system this library allows programmers to parallelize their applications without introducing unsafe behaviour while managing the administrative tasks of interacting with the operating system. >> Read more about Rust Threadpool Rusted Platform Module (RPM) — Programming TPMs in pure Rust The Rusted Platform Module (RPM) project strives to improve and advance Trusted Platform Module (TPM) v2 support and ease of use for the Rust programming language. This includes programming the TPM in pure Rust, without C-based libraries in the background, as well as (commandline) tools for common tasks, etc. This project strives to increase adoption of memory-safe languages for programming of security components like the TPM. >> Read more about Rusted Platform Module (RPM) SASL XMSS — Make SASL work with XMSS protocol Simple Authentication and Security Layer (SASL) is an authentication and data security framework. The framework defines a structured interface to which SASL mechanisms must comply. These mechanisms can then be used by application protocols in a uniform manner. XMSS provides cryptographic digital signatures without relying on the conjectured hardness of mathematical problems. Instead, it is proven that it only relies on the properties of cryptographic hash functions. XMSS provides strong security guarantees and is even secure when the collision resistance of the underlying hash function is broken. It is suitable for compact implementations, is relatively simple to implement, and naturally resists side-channel attacks. Unlike most other signature systems, hash-based signatures can so far withstand known attacks using quantum computers. 
The SASL XMSS project's goal is to implement the XMSS system as a SASL mechanism in one of the publicly available open source SASL libraries. >> Read more about SASL XMSS SpinalHDL, VexRiscv, SaxonSoc — Open Hardware System-on-Chip design framework based on SpinalHDL The goal of SaxonSoc is to design a fully open source SoC, based on RISC-V, capable of running linux and optimized for FPGA to allow its efficient deployment on cheap and already purchasable chips and development boards. This would provide a very accessible platform for individuals and industrials to use directly or to extend with their own specific hardware/software requirements, while providing an answer to hardware trust. Its hardware technology stack is based on 3 projects. SpinalHDL (which provides an advanced hardware description language), VexRiscv (providing the CPU design) and SaxonSoC (providing the facilities to assemble the SoC). In this project, we will extend SpinalHDL, VexRiscv and SaxonSoc with USB, I2S audio, AES and Floating point hardware capabilities to extend the SoC applications to new horizons while keeping the hardware and software stack open. >> Read more about SpinalHDL, VexRiscv, SaxonSoc Secure Web Tokens for Linux — TPM 2.0 backed FIDO2/U2F tokens on Linux This project aims to develop a systemd daemon that utilizes the TPM 2.0 security chip to provide FIDO2/U2F tokens for web browsers and operating system applications on Linux. Leveraging the ubiquitous presence of TPM2 in modern PCs, the daemon will enhance security and usability for Linux users. It will allow the integration of security chips as access tokens with web extensions, secure local passwords and HOTP/TOTP managers, and enable hardware-based lock screen authentication mechanisms. The daemon will interface with the TPM2 chip to manage FIDO2 token generation. It includes support for the \"uhid\" kernel driver for button press emulation when no fingerprint reader is available for authentication. 
The project involves developing the daemon, ensuring seamless integration with systemd, and conducting extensive testing for functionality and security. Comprehensive documentation will be provided for setup and use, along with user guides for web extension integration. The outcome will be a robust, secure, and user-friendly solution for Linux users, elevating the baseline security and leveraging existing hardware capabilities to the fullest. >> Read more about Secure Web Tokens for Linux A Secret Key Store for Sequoia PGP — Standards-compliant private key store for OpenPGP This project implements a private key store for Sequoia, a new OpenPGP implementation. Currently, Sequoia-using programs use private keys directly. A private key store mediates applications' access to private keys, and offers three major advantages relative to the status quo. First, a private key store is in a separate address space. This means that private keys that are in memory are in a different address space from the application. The lack of such separation was the underlying cause of the Heartbleed vulnerability. Second, a private key store can provide a uniform interface for accessing keys stored on different backends, e.g., an in-memory key, a key on a smart card, or a key on a remote computer, which is accessed via ssh. This simplifies applications. Third, this architecture simplifies sharing private key material among multiple applications. Only the private key store needs to worry about managing the private key material, which improves security. And, when a user unlocks a key in one application, it is potentially unlocked in all applications, which improves usability. >> Read more about A Secret Key Store for Sequoia PGP Adding TPM Support to Sequoia PGP — Implement use of TPM 2.0 crypto hardware for OpenPGP Protecting cryptographic keys is hard. If they are stored in a file, an attacker can exfiltrate them - even if the hard drive is encrypted at rest. 
A good practical solution is a hardware token like a Nitrokey, which stores keys and exposes a limited API to the host. For most end users, a token is a hassle: one needs to carry it around, it needs to be inserted, and it is not possible to work if it is left at home. And, it needs to be purchased. There is a better solution, which doesn't cost anything. A trusted computing module (TPM) is like an always-connected hardware token only more powerful (the keys can be bound to a particular OS installation, it can store nearly an unlimited number of keys, not just three) and TPMs are already present in most computers. This project will add support for TPMs to Sequoia PGP including comprehensive test suites and in-depth documentation for both software engineers, as an API, and end-users, as a way to use TPM-bound keys through Sequoia's command-line interface (sq) for decryption and signing. >> Read more about Adding TPM Support to Sequoia PGP Sequoia PGP — Improve interface of Sequoia PGP commandline Sequoia PGP is a new OpenPGP implementation, which is written in Rust and focuses on ease of use. To date, the main product is a library. This project will focus on sq, Sequoia's command line tool. The project consists of three parts. First, useful functionality will be added to sq making sq comparable to gpg. Second, the human-readable interface will be augmented with a JSON interface. This will make it easier and more robust to use sq from scripts. Finally, this project will add an acceptance test suite to sq, thereby strengthening the foundation for future changes. >> Read more about Sequoia PGP Sequoia GPG Chameleon — Implement well-known API's for using OpenPGP Sequoia's GnuPG Chameleon is a drop-in replacement for the widely-used encryption software GnuPG. It offers the same interface, while at the same time replacing the underlying OpenPGP implementation. 
This approach brings security benefits to everyone directly or indirectly using GnuPG before, while providing a smooth migration path that does not require changes to existing software. >> Read more about Sequoia GPG Chameleon Slint port for Android — Port the Rust-based Slint UI toolkit to Android Slint is a next generation declarative GUI toolkit that supports multiple programming languages such as Rust, C++, and JavaScript. Implemented in Rust, a language known for its memory safety and performance, Slint can run on platforms such as Windows, Linux, Mac, QNX, and microcontrollers. The popularity of Android as a mobile phone operating system has influenced the standardisation of drivers on embedded systems to the extent that it's possible to easily procure off-the-shelf embedded hardware that can run Android. Slint will be the first native (non-web based technology) Rust based toolkit for creating applications on Android and will allow designers and developers an alternative open source option to build the user interface for their applications. >> Read more about Slint port for Android Slips Immune I — Active IDP using ARP poisoning The \"Slips Immune I\" proposal marks the initial step in building an \"Immune System for the Internet,\" aimed at enhancing cybersecurity by fostering collaboration among computers using local and global decentralized P2P technology. The project focuses on improving the Slips Intrusion Detection System on local networks using Raspberry Pi devices, incorporating advanced detection ML models, isolation capabilities, and blocking techniques to mitigate cyberattacks. Key goals include implementing defense mechanisms, such as ARP poisoning for isolation and firewall-based protection, as well as training a Large Language Model (LLM) assistant to support security orchestration and decision-making. 
By leveraging machine learning and a collaborative architecture, Slips aims to evolve into a comprehensive, resilient Internet Immune System, where interconnected devices collectively detect, share information, and defend against cyber threats, enhancing protection through shared knowledge and adaptive responses. >> Read more about Slips Immune I Solid Wallet — Authorization reasoning, rule-based controls and fluid integration for Solid Solid Apps display information collected by following linked data across the World Wide Web, writing changes to Solid Personal Online Data Stores (PODs). Following links can land an App on a protected resource somewhere on the Web, accessible only to a select group of actors specified in an associated Web Access Control Resource. Solid Wallet aims to build core libraries to reason over Solid Access Control Rules, limit access to what clients can request, publish keys and sign transactions. The same libraries will also be useable by servers to verify such claims. Finally, we will use these libraries to build a flexible prototype Wallet for Solid apps that run in the browser or server. >> Read more about Solid Wallet Dual-level Specification Inference — Make formal verification more practical with dual-level Specification Inference While formal verification of smart contracts gains traction, writing formal specifications can be equally if not more costly than writing code. Spec^2 is a specification inference framework that aims to automatically deduce a high-quality set of specs based on the code only. The inferred specs include both per-transaction pre-post conditions (low-level specs) and invariants on the blockchain-backed storage (high-level specs). Furthermore, the inferred specs should be similar to what experts might develop manually and can be easily examined by people without formal verification training. 
The funding from NLnet and NGI Assure will be used to prototype Spec^2 against the Move language and infer specifications for Move-based smart contracts. >> Read more about Dual-level Specification Inference Secure User Interfaces (Spritely) — Usability of decentralised social media Spritely is a project to advance the federated social network by adding richer communication and privacy/security features to the network. This particular sub-project aims to demonstrate how user interfaces can and should play an important role in user security. The core elements necessary for secure interaction are shown through a simple chat interface which integrates a contact list as an easy-to-use implementation of a \"petname interface\". Information from this contact list is integrated throughout the implementation in such a way that helps reduce phishing risk, aids discovery of meeting other users, and requires no centralized naming authority. As an additional benefit, this project will demonstrate some of the asynchronous network programming features of the Spritely development stack. >> Read more about Secure User Interfaces (Spritely) Spritely Oaken — Secure 3rd party extensibility with capability-based Scheme Spritely Oaken is a new programming system in the Scheme family, designed to provide strong security with a capability-based architecture. It will make it possible to safely add untrusted third-party code to programs without the usual risks of malicious code. Oaken builds on established ideas from the Scheme implementation ‘Scheme 48’, and will both extend this functionality and bring it to an actively maintained platform, Guile. This will eventually provide simple integration with Spritely’s Goblins system for distributed applications, which is also built on Guile. Oaken will play an important role towards enabling distributed and democratic internet platforms. 
>> Read more about Spritely Oaken Stalwart Mail Server — Robust full featured mail infrastructure in Rust Self-hosting an e-mail server is notoriously difficult. While privacy is a top concern for many individuals and businesses, the complexities of self-hosting a mail server often outweigh the benefits, leading many to choose to sacrifice some privacy and pay a third-party provider to manage their email instead. One of the key challenges of self-hosting an email server is the outdated and complex nature of most available open-source mail server software. Stalwart Mail Server is an open-source email server written in Rust that aims to help modernize, democratize, and promote decentralization of email. The server offers a robust and privacy-focused solution that is easy for individuals and businesses to set up and maintain on their own. Stalwart Mail Server consists of three components: a JMAP server, an IMAP4 server with support for ManageSieve as well as many extensions, and an SMTP server with support for DMARC, DKIM, ARC, and SPF. The server does not require any external software or databases to run and can easily scale to multiple servers thanks to its native Raft support. Furthermore, the use of Rust in Stalwart Mail Server allows it to offer improved performance, safety, and concurrency compared to other solutions, making it a versatile and robust choice for those looking to self-host their own email server. >> Read more about Stalwart Mail Server Standards Grammar Catalog/Toolchain — Open Standards Grammar Catalog/Toolchain The Open Standards Grammar Catalog/Toolchain makes it easier to implement a format or protocol by translating its machine-readable definition, usually in a language such as ABNF, into forms readily compatible with popular programming languages, like regular expressions, YACC, ANTLR, and native code. 
By providing a toolchain for making these translations, assembling a catalog of commonly used formats & protocols, and publishing a developer-friendly website for browsing the grammars and generating translations, these tools will reduce the need to manually write a parser, ultimately reducing errors due to hand-written code, and enhancing interoperability. >> Read more about Standards Grammar Catalog/Toolchain Suhosin-NG — Harden PHP 7 and PHP 8 applications The PHP programming language was invented by Danish programmer Rasmus Lerdorf in 1994. The language is actively used by millions of websites through popular tools such as WordPress, Owncloud and Wikimedia. Suhosin-NG (next generation) will significantly improve the security of web applications running with PHP 7, and help thwart popular web attack vectors aimed at PHP based websites. Already existing ideas from the Suhosin project for PHP 5 will be gathered in addition to implementing a number of new ideas to improve the overall security stature of PHP 7. This concerns harnessing new features of the language, mitigating security risks in the default configuration and improvements to the runtime behaviour. In practical terms the project will implement these by extending the PHP extension Snuffleupagus, that already provides a good basis for hardening PHP 7. The project's goal is to provide software and documentation for setting up a PHP 7 environment in the most secure way possible. >> Read more about Suhosin-NG Interledger interoperability inquiry — Investigate synergy between Interledger and GNU Taler The Interledger Protocol and Open Payments API specification are the payment protocols used for an online tipping specification being proposed in the W3C Web Platform Incubator Community Group called Web Monetization. 
The Web Monetization specification allows for automatic streaming micropayments and low-friction on-demand tipping to online creators who specify an Open Payments wallet address in their HTML or respective metadata of the online experience (e.g. JSON-LD in Activity Streams/ActivityPub, XML attribute in podcast RSS). This project proposal will investigate the technical feasibility of using Taler as a payment method on the Interledger payment network to support Web Monetization. The outcome will be an overview of potential approaches for integrating Taler using the Interledger Protocol or as a payment method in Interledger’s Open Payments API reference implementation (Rafiki). >> Read more about Interledger interoperability inquiry Timing-Driven Place-and-Route (TDPR) — Open hardware tool to synthesize digital silicon circuits The lack of an open-source timing-driven place-and-route tool is one of the major barriers to creating technically fully transparent digital integrated circuits such as microprocessors. The most popular open-source place-and-route tools available today are not timing-driven, hence the generated layouts are generally not guaranteed to satisfy the timing constraints. This requires tedious and time-consuming manual interventions. This project will combine published algorithms with existing open-source projects to fill this gap. The tool will be released with the free/libre AGPLv3 licence together with extensive documentation and tutorials. >> Read more about Timing-Driven Place-and-Route (TDPR) RETETRA — Security Analysis of Proprietary Cryptography in Terrestrial Trunked Radio Terrestrial Trunked Radio (TETRA) is a European standard for trunked radio used globally by government agencies, emergency services and critical infrastructure. 
Apart from most European police agencies (such as BOSNET in Germany or RAKEL in Sweden), military operators and emergency services, TETRA is also widely used for SCADA telecontrol of oil rigs, pipelines, transportation and electric and water utilities. TETRA authentication and encryption are handled by secret, proprietary cryptographic cipher-suites known as TAA1 and TEA which are only available to select parties under strict NDAs which runs counter to both the spirit of open technologies and Kerckhoffs's principle. The latter's potential consequences are illustrated by the fate of A5/1, A5/2 and their GMR variants in cellular and satellite communications, allowing ciphers that can be broken in practice to fester in public and critical infrastructure for far too long. This project aims to reverse-engineer and subsequently perform cryptanalysis on these cipher-suites and finally formulate a hardening roadmap in order to provide a research-oriented FOSS implementation of the cipher-suites and aid affected parties in moving away from unexamined, proprietary security mechanisms towards open standards. >> Read more about RETETRA TLS-KDH mbed — Implement TLS-KDH into mbed TLS-KDH (http://tls-kdh.arpa2.net/) is a mechanism that adds Kerberos authentication to the Transport Layer Security (TLS) network protocol. TLS-KDH is developed under the flag of ARPA2 (www.arpa2.net) and is formalized in the form of a draft Internet specification. Furthermore, a successful prototype implementation has been built and integrated into GnuTLS. Making this prototype code production ready is well underway and in its final stage. In order for TLS-KDH to become an Internet Standard the IETF requires at least two working implementations. To provide the IETF with two TLS-KDH implementations and to address the embedded world with a TLS-KDH capable TLS library we chose MbedTLS as our second library. The TLS-KDH mbed project's goal is to implement the TLS-KDH functionality in the MbedTLS library. 
But why do we want to implement Kerberos authentication in the first place? Well, first of all, the Kerberos protocol is quantum computer proof. That means that we can use this mechanism in the (future) presence of quantum computers. Since TLS is one of the most widely used security protocols on the present Internet, having such a mechanism would be a welcome addition. Secondly, Kerberos employs a centralized architecture as opposed to X.509 which is distributed. Adding TLS-KDH gives the user a choice which architecture (and implied pros and cons) to use. For a more extensive overview of advantages of TLS-KDH we refer to the project's homepage (http://tls-kdh.arpa2.net/). >> Read more about TLS-KDH mbed Great Black Swamp — Decentralized cloud storage with provider-independent security Tahoe-LAFS is a well-known open source distributed storage solution based on DHT, suited for sharing critical data in production. Currently, Tahoe-LAFS uses the Foolscap protocol for communication between client nodes and storage nodes. Foolscap has a small developer community, is only implemented in Python, and Tahoe-LAFS only uses a small subset of its features. This project will implement an HTTP-based storage node protocol for Tahoe-LAFS (Great Black Swamp, or GBS in short) which will help to eliminate unnecessary complexity, increase the pool of potential contributors, open the door to new implementations and improve runtime performance. >> Read more about Great Black Swamp Tauri Apps — A safer run-time for web technology based apps Tauri is a toolkit that helps developers make more trustworthy applications for the major desktop platforms - using virtually any frontend framework in existence. A popular use case is to create a desktop or mobile version of a web app, rather than wasting effort on creating native clients for each platform. Unlike other solutions (e.g. 
Microsoft's Electron), it is built in the type-safe language Rust - and the team has a focus on strong isolation, shielding the user from malicious or untrusted code downloaded \"live\" from the internet. After all, once breached, such an app can for instance siphon off cryptocurrencies or bootstrap other more persistent malware. In this project, the team works among others on a particularly innovative feature, to prevent JS injection for all application types. In this approach Rust Code Injection is used alongside dependency-free EcmaScript, Object.freeze(), and a filtering iFrame that is the only subsystem permitted to communicate with the API. This will help to create more secure applications. >> Read more about Tauri Apps Threshold OPRFs — Bringing the power of Threshold OPRFs to the people \"Bringing the power of Threshold OPRFs to the people\" is a project trying to jump the gap between academic research and robust free software implementations. Oblivious Pseudo-random Functions (OPRFs) and Threshold constructions bring some very interesting and strong security properties that go beyond the state-of-the-art. Besides low-level implementations, reusable libraries, servers, and command-line clients, also concrete applications will be delivered, such as password and secret storages, encrypted data-at-rest, authentication, and secure channel setup. >> Read more about Threshold OPRFs TrustING — Ultrafast AS-level Public-Key Infrastructure TrustING is a human-transparent and agile Trust Infrastructure for a Next-Generation Internet. This infrastructure enables any two entities to establish secret keys that can be used to encrypt and authenticate data. The foundation of TrustING is the AS-level Public-Key Infrastructure (PKI) of the SCION Internet Architecture that provides sovereignty (ensuring absence of global kill switches), trust transparency, and algorithm agility, among others. 
The TrustING service establishes symmetric keys with other domains in advance, and then relies on those keys to derive keys for local hosts. The core novelty of this approach is the ability to derive keys purely locally on both sides of the communication, without even requiring key transport. By making TrustING a control-plane mechanism offered by the network infrastructure, higher-level applications can make use of it without having to worry about complexities such as exchanging key material or establishing trust. To show the viability of TrustING, we will implement TLS trust bootstrapping using TrustING and additionally demonstrate the efficiency of TrustING by using it to authenticate SCMP (SCION's equivalent of ICMP) messages. >> Read more about TrustING Trustix — Make build logs available as publicly verifiable, tamper-proof Merkle trees Software build infrastructure is vastly underestimated in terms of its potential security impact. When we install a computer program, we usually trust downloaded software binaries. But even in the case of open source software: how do we know that we aren't installing something malicious which is different from the source code we are looking at - for instance to put us in a botnet or siphon away cryptocurrencies? Typically, we have confidence in the binaries we install because we get them from a trusted provider. But once the provider itself is compromised, the binaries can be anything. This makes depending on individual providers a single point of failure in a software supply chain. Trustix is a tool that compares build outputs across a group of providers - it decentralizes trust. Multiple providers independently build the software, each in their own isolated environment, and then can vouch for the content of binaries that are the outcome of reproducible builds - while non-reproducible builds can be automatically detected. 
In this project the team will work on further enabling trust delegation, by offloading log verification to trusted third parties - heavily inspired by the Delegated Proof of Stake consensus algorithm. It will bring Trustix into the Nix and the Guix ecosystems that are most amenable to Trustix' approach. The ultimate goal is for Trustix to integrate seamlessly into the entirely decentralized software supply chain so we can securely distribute software without any central corruptible entity. >> Read more about Trustix UnifiedPush — Decentralized and open-source push notification protocol Push notifications are essential to the modern mobile experience, as they enable applications to communicate with users in real time, even when not in active use. Major mobile operating systems provide a centralized service that they control, but depending on a centralized push notification system controlled by one company raises issues of privacy and independence. UnifiedPush is a decentralized and open-source push notification protocol. It is a set of specifications and libraries that allow the user to choose how push notifications are delivered. It is compatible with WebPush, the standard for web applications. >> Read more about UnifiedPush Noise Explorer-VerifPal — Automated proofs and code generation for secure protocols Noise Explorer is an online engine for reasoning about Noise Protocol Framework (revision 34) Handshake Patterns. Noise Explorer allows you to design Noise Handshake Patterns, and immediately obtain validity checks that verify if your design conforms to the specification. For visually oriented people, it provides a convenient visualisation in your browser. Noise Explorer can also generate Formal Verification Models and Software Implementations. This allows to instantly generate full symbolic models in the applied pi calculus for any Noise Handshake Pattern that you enter. 
Using ProVerif, these models can be analyzed against passive and active attackers with malicious principals. The model's top-level process and sophisticated queries are specifically generated to be relevant to your Noise Handshake Pattern, including tests for strong vs. weak forward secrecy and resistance to key compromise impersonation Noise Explorer also automatically generates a secure implementation of your chosen Noise Handshake Pattern design, written in Go. In addition the users can explore a Compendium of Formal Verification Results. Since formal verification for complex Noise Handshake Patterns can take time and require fast CPU hardware, Noise Explorer comes with a compendium detailing the full results of all Noise Handshake Patterns described in the original specification. These results are presented with a security model that is even more comprehensive than the original specification, since it includes the participation of a malicious principal. >> Read more about Noise Explorer-VerifPal Verifpal — Prove soundness of verification in Verifpal Verifpal is new software for verifying the security of cryptographic protocols. Building upon contemporary research in symbolic formal verification, Verifpal’s main aim is to appeal more to real-world practitioners, students and engineers without sacrificing comprehensive formal verification features. In order to achieve this, Verifpal introduces a new, intuitive language for modeling protocols that is much easier to write and understand than the languages employed by existing tools. At the same time, Verifpal is able to model protocols under an active attacker with unbounded sessions and fresh values, and supports queries for advanced security properties such as forward secrecy or key compromise impersonation. Verifpal has already been used to verify security properties for Signal, Scuttlebutt, TLS 1.3, Telegram and other protocols. It is a community-focused project, and available under a GPLv3 license. 
>> Read more about Verifpal Verified Reowolf — Formal protocol verification with Reowolf Using formal methods, we rigorously validate and verify functionality and security properties of essential Internet protocols. In this project, we unambiguously specify Internet protocols using Reowolf's Protocol Description Language (PDL). We research and develop validation tools for certifying the compliance of software/hardware implementations of essential Internet protocols with respect to PDL specifications; and, we research and develop a mathematical formalism, using the state-of-the-art theorem prover Coq, for the verification of properties of protocols specified in PDL that identify precisely under what conditions important properties, such as network integrity and service availability, remain to hold or when they break. The results are important for long-term stability of the Internet, and will be published open access & open source. >> Read more about Verified Reowolf Enhancing vula with IPv6 and REUNION rendezvous — IPv6, hybrid post-quantum improvements & REUNION support for Vula With zero configuration, Vula automatically encrypts IP (v4) communication between hosts on a local area network (LAN) in a forward-secret and transitionally post-quantum manner to protect against passive eavesdropping. When the local gateway to the internet is a Vula peer, internet-destined traffic will also be encrypted on the LAN. With simple verification using QR codes or other peer verification methods, Vula is also able to disrupt active surveillance adversaries. Vula combines WireGuard for forward-secret point-to-point tunnels with cryptographically enhanced mDNS and DNS-SD for local peer discovery. Vula enhances the confidentiality of WireGuard tunnels by using CSIDH as provided by highctidh, a post-quantum non-interactive key exchange primitive, to generate a peer-wise pre-shared key for each tunnel configuration. 
Vula avoids the need for any Single Point of Failure (SPOF) such as a trusted third party. Vula is equally functional on otherwise air-gapped networks. >> Read more about Enhancing vula with IPv6 and REUNION rendezvous webxdc PUSH — Towards a usable, interoperable and trustworthy web app ecosystem Webxdc PUSH advances a new paradigm for writing and distributing web apps, majorly improving interoperability, usability, reliability, trustworthiness and interactivity of chat-shared web apps (webxdc) across messengers and platforms. PUSH enables webxdc app developers to use new P2P real-time messaging facilities, new notification, deeplinking and context APIs, majorly leveling up the cross-messenger webxdc effort and specifications. >> Read more about webxdc PUSH WebXDC XMPP — Standardisation effort for WebXDC integration in XMPP WebXDC is a fresh and still evolving effort to explore \"private apps\", essentially 'portable' web apps through which users can interact in any number of ways outside of the traditional client-server paradigm, e.g. over E2EE chat. Originally developed for Delta Chat over SMTP, we will bring the latest version of this experience to the XMPP ecosystem, including a standardized interchange format for other XMPP clients to use, and a gateway for communication with existing Delta Chat WebXDC users. >> Read more about WebXDC XMPP Whippet — A new local maximum in safe, managed memory Whippet is a new automatic memory manager (garbage collector) which is designed to be incorporated into the Guile Scheme programming language implementation. Switching to Whippet should improve the speed and scalability of Guix and other Guile-based software while also lowering total system memory usage. This project aims to push Whippet over the finish line, filling in missing functionality and doing the last-mile work to incorporate Whippet into Guile. 
The anticipated results should also give confidence to other language run-times looking for a state-of-the-art, embeddable, minimal, no-dependency garbage collector. >> Read more about Whippet XWiki — Bring wiki capabilities into the Fediverse XWiki is a modern and extensible open source wiki platform. Up until now, XWiki had been focusing on providing the best collaboration experience and features to its users. We're now taking this to the next level by having XWiki be part of the larger federation of collaboration and social software (a.k.a. fediverse), thus allowing users to collaborate externally. XWiki is embracing the W3C ActivityPub specification. Specifically we're implementing the server part of the specification, to be able to both view activity and content happening in external services inside XWiki itself and to make XWiki's activity and content available from these other services too. A specific but crucial use case, is to allow content collaboration between different XWiki servers, sharing content and activity. >> Read more about XWiki XMPP Interoperability + Conformance Testing — Development of an XMPP Test Suite XMPP is the Extensible Messaging and Presence Protocol. XMPP offers an open, extensible, standardised and mature set of open technologies designed for decentralised communication. With its flexible design and rich history, its utilisation is widespread. To advance interoperability in its diverse ecosystem of developers and implementations of server software, this project will create an implementation-agnostic test suite for XMPP servers, testing for conformance with the XMPP protocol standards. The suite will be designed to be integrated with various third-party CI components to minimise the complexity of including the suite in development processes of the various and varied parties that are developing XMPP server implementations. 
>> Read more about XMPP Interoperability + Conformance Testing Zero-allocation web servers in roc — Web server framework with constant memory usage Memory consumption in web servers is hard to predict and control. Our zero-allocation web server guarantees constant memory usage and per-request memory caps. These guarantees and capabilities make web infrastructure more reliable, because it is actually possible to calculate how much server capacity is required for a certain amount of traffic. The vast majority of webservers are written in a language with automatic memory management. They cannot provide the guarantees that our webserver can, and often have other downsides like poor general performance and GC pauses. The core of our webserver is written in rust, and while it works in a rust-only context, is meant to be used in combination with the roc programming language, a fast, friendly, functional language with automatic memory management, but without GC pauses. Users will be able to write web applications using roc, without having to consider how memory is allocated. At the same time, we manage the memory as efficiently as possible under the hood. >> Read more about Zero-allocation web servers in roc Zilch — Tools for efficient granular builds and introspection Zilch is an experimental test bed for alternative approaches to building programs, services, and full Linux distributions. Being built on top of Nix, it is entirely compatible with NixOS. The goal of this project is to research and develop a set of tools that allow a developer to write programs and patch existing upstream projects, while keeping the reproducibility and sandboxing afforded to them by Nix. >> Read more about Zilch Zip linting and bzip2 in Rust — More secure handling of popular archive formats Zip is a widely used format for distributing files. It is a rather permissive file format, opening the door to various attacks such as zip bombs. 
The `bzip2` compression format is still used in many legacy settings. Consequently, it is part of the supply chain of many projects. To mitigate these risks, this project will deliver a) a zip linter checking for suspicious file contents in zip files and b) a memory-safe implementation of bzip2 through drop-in replacements of the libraries and a safe Rust `bzip2` binary. >> Read more about Zip linting and bzip2 in Rust Reinstatement of crypto.signText() — Cryptographic signatures brought back to the browser Since the 1990s Netscape and Firefox supported the ability to sign an arbitrary piece of text with a digital certificate, and have that signature returned to the webserver. The texts being signed have historically ranged from transaction records, financial declarations, and court documents. This project implements a set of Native Browser Web Extensions that bring the digital signing of text to all modern browsers that support the NMBE standard. The process of choosing the certificates and generating the signatures is performed outside of the browser, using APIs native to each operating system. Web pages communicate with the extensions using the Javascript crypto.signText() function, and the signed documents are returned packaged as a PKCS7 response. The project aims to make digital signing accessible, while being browser agnostic. >> Read more about Reinstatement of crypto.signText() Elliptic curve encryption speed-up using SIMD — Low-level instruction optimisation for curve25519-dalek & Arkworks This project aims to enhance the speed and security of elliptic curve cryptography using the Rust programming language, with a particular focus on mobile and IoT devices. Leveraging SIMD instructions, specifically ARM NEON, we can speed up elliptic curve cryptography in existing libraries such as curve25519-dalek with the goal to optimise encryption processes in software such as Signal. 
Additionally, we implement double-odd curves in Arkworks to bolster zero-knowledge protocols, and aim to abstract our optimisations to work on any CPU architecture and elliptic curve. By implementing improvements in these libraries, this project seeks to address the growing demand for efficient and secure cryptographic solutions, especially in mobile and IoT environments. >> Read more about Elliptic curve encryption speed-up using SIMD imap-codec library — Release version 1.0 of the imap-codec library With an expected volume of 333 billion messages per day in 2022, email is one of today's most common methods to exchange information on the Internet. For better or worse, email is unlikely to go away soon, meaning that even the latest software needs to support it in a trustworthy and resilient way. imap-codec is a misuse-resistant IMAP parsing and serialization library focusing on correctness and security. It should pave the way for a new generation of email clients, servers, and utilities written in Rust and become a reusable building block for the Next Generation Internet. To achieve that, it is essential to stabilize the API, improve testing, provide excellent documentation, and establish a welcoming and sustainable open-source environment for imap-codec. >> Read more about imap-codec library iso14229 — Universal Diagnostic Services for automotive diagnostics iso14229 is an open-source portable C implementation of Universal Diagnostic Services (ISO 14229-1:2020). UDS is a communications protocol used for diagnostics, tuning and firmware updates on embedded devices such as those in your car, tractor, robot, IoT device, or renewable energy system. Insecure UDS implementations expose software to security exploits. By providing an open source implementation including the security features of UDS, this project addresses an important gap. 
Within the scope of this grant, the team will work on the integration of static analysis, improve documentation and develop a number of security-focused examples. >> Read more about iso14229 jaq — Implementation of jq in Rust with formal semantics JSON is a data format that is frequently used to publish Open Data. jq is a widely used programming language that allows citizens to easily process JSON data. There are several tools to run jq programs, including jq, gojq, and jaq. Of these three tools, jaq is the fastest (judging from several benchmarks), despite having the smallest code base. This project centers on improving jaq and the wider jq ecosystem: First, we want to advance the development of jaq, in particular to support more features of jq. Next, we want to make jaq more accessible, by creating JavaScript bindings for jaq. This will allow developers to integrate jaq into websites. Furthermore, this will allow users to run jaq from a browser, respecting their privacy by processing data on their machines. Finally, we want to create formal semantics for jq, based on jaq's execution approach. This will allow users to better understand how jq programs behave. >> Read more about jaq Katzenpost — Observation resistant secure messaging layer Secure messaging is among the most fundamental privacy challenges of today. While there are now several widely used offerings that can encrypt instant messages you send to others, there are very few reliable options that are able to keep others from finding out who you were communicating with - and when. The most popular end-to-end messaging applications do not adequately protect the identities of who-is-talking-to-who from the infrastructure operators. Katzenpost aims to offer a traffic analysis resistant messaging layer that allows all the participants in the network to have significantly more privacy than other mechanisms. 
It offers a decentralized mixnet architecture that works similarly to onion routing, where message routing information is encrypted, and differs in that each message is a fixed size, has random forwarding delays, and is accompanied by cover traffic messages to frustrate passive traffic analysis. The project aims to be a building block for others to build applications on, lowering the threshold for existing applications to benefit from increased privacy and confidentiality. >> Read more about Katzenpost lib1305 — Microlibrary for Poly1305 hashing In modern network protocols, every packet is authenticated using a message-authentication code (MAC). Any data modified by an attacker is immediately caught and rejected by the MAC. The most popular MAC algorithms are Poly1305, normally used with the ChaCha20 cipher as part of ChaCha20-Poly1305, and GMAC, normally used with the AES cipher as part of AES-GCM. Many applications, such as WireGuard, require specifically Poly1305. This project will develop and release a new software library, lib1305, for Poly1305. The library will provide comprehensive and well-optimized software exploiting the 64-bit assembly instructions of Intel CPUs to provide top speeds for those CPUs, while meeting the security constraint of not leaking secret information through timing. >> Read more about lib1305 lib25519 for ARM — Add 64bit ARM optimisations to lib25519 Modern network protocols rely on elliptic-curve cryptography (ECC) to protect communication against espionage and sabotage. lib25519 is a new software library for the Curve25519 elliptic curve, including the X25519 encryption system and the Ed25519 signature system. Curve25519 is the fastest curve in TLS 1.3, and the only curve in Wireguard, Signal, and many other applications. So far lib25519 has exploited the features of Intel CPUs to provide top speeds for those CPUs, while meeting the security constraint of not leaking secret information through timing. 
This project will extend lib25519 to target 64-bit ARM CPUs, and in particular the Cortex-A53 CPU, which for instance powers the Raspberry Pi 3. >> Read more about lib25519 for ARM libspng — A fast and safe implementation of Portable Network Graphics libspng is a platform-independent C library for handling IETF's Portable Network Graphics (PNG) images. The goal of this project is to provide a robust and fast library with an easy to use API. It is designed to be a modern alternative to the reference implementation, written from scratch using secure coding standards. It comes with an extensive test suite and is fuzz tested; it is also the fastest decoder overall. The NGI Zero grant will be used to develop complete PNG write support, architecture-specific performance optimizations, including improvements to testing, decoding and documentation. >> Read more about libspng libspng APNG — Add Animated PNG (APNG) image read- and write support to libspng libspng is a modern C library for reading and writing images in the Portable Network Graphics (PNG) file format. Created from the ground up with security and ease of use in mind, it provides an alternative to the reference implementation and a migration path to a simpler API; an extensive test suite ensures interoperability. The goal of this project is to implement Animated PNG (APNG) support and make it a more viable alternative to the reference implementation. >> Read more about libspng APNG libvips — Add animated PNG and enhanced JPEG XL support to libvips libvips is an image processing meta-library, whose development the European Commission funded back in the 1990s. Applications can outsource the heavy lifting of handling a variety of image types to this library. The library has meanwhile grown very popular with web developers around the world; the node binding, for example, is downloaded more than 5 million times a week at the time of writing. 
In addition to scrutinizing the security of the library, this project will implement two key improvements to libvips: animated PNG support, and enhanced JXL support. The former capability (the addition of animated PNG support) can be gained from another NGI Zero project, libspng. libvips uses libspng for PNG read and write, so by extending libvips to use these new libspng features, they will become available to a large developer community very quickly. Second, libvips has had preliminary support for the JXL format since libjxl v0.4. Since then, the libjxl API has evolved considerably and the libvips connector needs updating, especially in the areas of large image support and HDR, both increasingly important with the steady improvement of smartphone cameras. >> Read more about libvips lpnTPM — TPM 2.0 compliant open hardware Trusted Platform Module lpnTPM is an Open Source Software (OSS) and Open Source Hardware (OSHW) Trusted Platform Module. TPM (also known as ISO/IEC 11889) is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys. What makes lpnTPM different from generally available solutions is openness. Software and hardware of lpnTPM can, without limits, be audited, fixed, and customized by communities and businesses. Open design addresses the lack of trustworthiness of proprietary closed source TPM products, which currently dominate the whole market. lpnTPM in production mode protects software by secure boot technology, and only the lpnTPM owner will update it. TPM modules enable measured boot and support verified boot, Dynamic Root of Trust for Measurement, and other security features. Another benefit of lpnTPM would be physical design, which solves the lack of standardization around pinout and connector. 
The ultimate goal of lpnTPM is to provide a trustworthy platform for future open evolution of Trusted Platform Module software and its application to various computing devices, resulting in better adoption of platform security. >> Read more about lpnTPM machine-check — Tool for formal verification for machine-code Common bug-finding approaches like software testing do not guarantee the absence of bugs. Formal verification can prove the absence of bugs, but the added description and proving complexity means it only tends to be used for critical systems. The current state-of-the-art tools are complex to use and hard to reason around when they fail. Machine-check aims to bring scalable yet intuitive formal verification to non-experts, leveraging the Rust ecosystem for description of digital machines including processors with machine-code programs loaded into memory. Ultimately, this should lead to increased reliability, safety, and security of programs and systems. >> Read more about machine-check oqsprovider — Post-quantum/quantum-safe cryptographic algorithms for OpenSSL Quantum computers will bring to an end integrity and confidentiality provided by \"classic\" public key cryptography such as RSA and implemented in security application frameworks such as OpenSSL. Therefore, a new class of \"post-quantum\" or quantum safe crypto algorithms (QSC) is being standardized by NIST. In order to bring QSC to easy deployment, these algorithms need to be added to existing security installations: oqs-provider is a standalone integration of QSC into the OpenSSL software framework. By simply inserting an oqs-provider binary, any OpenSSL installation as well as all applications built on top of OpenSSL permitting crypto-providers is (to be) automatically enabled to use any QSC algorithm supported by the liboqs open source framework. liboqs in turn provides the QSC algorithms that are either finalists or candidates of the NIST Post-Quantum Cryptography standardization competition. 
This way, users of oqs-provider-enabled OpenSSL installations can cease to be concerned about the risk that quantum computers create. The Open Source communities working on OpenSSL and OpenQuantumSafe can benefit in turn from mutual validation and re-use of their respective work efforts. >> Read more about oqsprovider purl2all — Discover metadata for software packages While we often simplify our mental model of the software supply chain by only looking at how source code is maintained and compiled with other source code into binaries which are distributed, in reality there are many more stakeholders that provide or curate information about software which is used by others as part of their decision process - and there are many supply chains concurrently, some of which are intertwined. The purl (package-url) initiative allows this information to be aggregated from all the different stakeholders in the software supply chains. The purl2all project aims to build a real-time, on-demand, decentralized and distributed knowledge base for all kinds of software packages metadata that can be used by other services that need the metadata; such as ScanCode, VulnerableCode, or any system, application or library using package-url (purl) as a way to identify packages and versions to lookup this data. The outcome will be a decentralized, on-demand software metadata collection system that will complement or replace centralized batch systems. >> Read more about purl2all purl2sym — FOSS code symbols indexing system Identifying corresponding source code compiled in natively compiled binaries is complex and important – only by knowing the code origin can one know if the code is subject to known vulnerabilities or licensing issues. In IoT and embedded devices, most of the code is composed of natively compiled binaries, with a significant Android-based ecosystem using Java with specific constraints: multiple programming languages (Java and Kotlin) and bytecode-compiled binaries. 
Many devices also embed secondary code (typically for admin and UI), such as Lua, JavaScript, Python, or PHP. To help with identification of binaries, it is important to aggregate collection of identifiers and symbols from FOSS code and index them to easily retrieve the data in efficient detection engines, based on automations and binary scanners. These symbols or identifiers are essential to software identification tools such as BANG that can match symbols in source and binaries and determine the corresponding source code for a given binary code input. purl2sym is a new data collection and indexing system to collect code symbols from FOSS source packages (and binaries in the future) and store them for reuse in other software analysis processes. >> Read more about purl2sym Support for OpenPGP v6 in rPGP — Implement draft-ietf-openpgp-crypto-refresh in rPGP rPGP is a high-quality implementation of OpenPGP in pure Rust (OpenPGP is a standard for encryption, digital signatures and key management). rPGP is used in production in different contexts, among them the popular \"Delta Chat\" decentralized and secure messenger that is used by hundreds of thousands of users, worldwide. The OpenPGP standard has recently been revised to reflect current best cryptographic practices. The revision of the standard defines \"OpenPGP version 6\" and is currently being finalized for publication as RFC 9580. This project will implement the new formats and features of OpenPGP v6 for rPGP. This will bring the new features of OpenPGP v6 to users of rPGP, and ensures future interoperability with all other modern OpenPGP implementations. >> Read more about Support for OpenPGP v6 in rPGP Reproducible Builds — Make the build processes behind software distributions reproducible Reproducible builds are a set of software development practices that create an independently-verifiable path from source to binary code. 
>> Read more about Reproducible Builds x86-64 VM Monitor for seL4 verified microkernel — Very restricted virtualized environment for higher security The security of any software system depends on its underlying Operating System (OS). However, even OSes such as Qubes, which are \"reasonably secure\" depend on large trusted computing bases (e.g. hypervisors) with hundreds of thousands of lines of code. For example, the Qubes' Xen Security Advisory Tracker reports that 53/283 (18%) of Xen vulnerabilities over the last eight years affected Qubes. As a step towards facilitating the implementation of more secure, Qubes-like systems, we propose to retarget it to the seL4 microkernel. seL4 is an open-source, formally-verified microkernel that has matured and been maintained for over a decade. seL4's small size (10,000 Lines of Code) and formal verification make it an appealing Xen replacement for Qubes, however, its virtualization support is currently limited. As a first step to enabling Qubes on seL4 we will implement a hardened, open-source, x86 64-bit Virtual Machine Monitor (VMM) for the seL4 microkernel capable of hosting the core Qubes OS virtual machines. >> Read more about x86-64 VM Monitor for seL4 verified microkernel Σ-protocols — Formalise and implement zero-knowledge proof Σ-protocol Σ-protocols are mature and widely-used cryptographic protocols used for digital signatures and for zero-knowledge proofs. This project is centered around their standardization and the development of a comprehensive specification and reference implementation. The main goal is to create a detailed and accessible specification for Σ-protocols and the Fiat-Shamir heuristic, to be presented in formats like HTML or PDF, along with a reference implementation. This effort aims to make these technologies understandable and usable by a broad audience, including developers, practitioners, students, and engineers. 
The end goal is to make this technology more accessible for privacy-preserving applications and non-cryptographers. >> Read more about Σ-protocols vdirsyncer/pimsync — Synchronise calendars and contacts In this digital age, we all have digital address books with the phones and addresses of our loved ones, friends, and those with whom we work. We keep calendars with meetings we need to attend and places we are expected to be. And we need to keep this information synchronised across devices, shared with others, but only with those with whom we choose to collaborate. Like its predecessor Vdirsyncer, Pimsync synchronises address books and calendars between webcal, caldav, and local vdir collections. This empowers users to manage their own data, synchronising with servers of their choice - and take their data offline to their own devices at any point, to interact with it any way they please. Pimsync is written in Rust. >> Read more about vdirsyncer/pimsync Virtualizing device firmware — Creating digital twins for auditing and testing appliances Recent targets of attacks on infrastructure did not come from powerful computers, but instead from consumer electronics devices. The most widely known example of this is the Mirai botnet, where consumer grade IP cameras were infected, added to a botnet and then used in wide scale attacks in a rather devious way: the original functionality of the device was left untouched, meaning that users either didn’t notice that their device had been taken over, or weren’t bothered by it. This project aims to provide a way to virtualise such an IoT device and integrate it with an existing honeypot framework to see how the malware is inserted and how botnets operate. The goal is to extract a firmware from an existing device and use that as the base for the virtualisation. The same setup can also be used to systematically check for undocumented behaviour of firmware. 
>> Read more about Virtualizing device firmware vm-builder — Virtual Machine Build, Life Cycle and Integration in monolithic and microkernel platforms As each piece of software is built using other software, it is difficult to ensure that a program is not accidentally infected through malicious code interfering anywhere in this process. An important defence is reducing the amount of code one relies upon and strictly isolating the build from any other processes that could influence it, typically by using a virtual machine. However, there are currently no minimal, portable and final virtual machine build systems which enable effective bootstrapping of operating systems. Delegating this task to container build systems is insufficient, since they are primarily available to the Linux kernel and provide weak isolation properties. Delivering those with a high portability and even (or especially) on low TCB microkernels is key to secure bootstrapping of operating systems and applications on (to be) trusted infrastructure. The current prototype has proven successfully applicable to today's general purpose OSs; templating/inheritance and reproducible builds are to be implemented. An implementation in a more robust programming language like Rust is still lacking and will be completed in the course of this project. The long term goal is to easily build and provide legacy platforms and software especially on microkernels — allowing for a migration path towards operating systems with effectively manageable complexity. >> Read more about vm-builder xqerl — Performant (Erlang) implementation of W3C XQuery and XML database The xqerl project is an open-source XQuery 3.1 implementation. It attempts to combine the simplicity of the W3C XQuery 3.1 language for querying and building XML and JSON, with the powers of the Erlang language for building massively concurrent, fault-tolerant, distributed applications. 
Many optional language features have already been added to xqerl, including the RESTXQ specification for building REST endpoints directly from code annotations. To further enhance user experience and the feature-set of xqerl, the \"Schema Aware\" and \"Typed Data Features\" will be added. These features will allow for XML Schema documents to be directly referenced from queries and the query statically analyzed at compile time using the schema to either build better query plans or return errors back to the user before running time consuming queries. >> Read more about xqerl "},{"description":" SimpleSAMLphp Fund Authentication and Identity Provisioning This page contains a concise overview of projects funded by NLnet foundation that belong to SimpleSAMLphp Fund (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. SimpleSAMLphp — SAML 2.0 Service + Identity Provider SimpleSAMLphp is an application written in native PHP that deals with authentication. It provides Single Sign-On, Federated identity, and uses Web services and other industry standards. SimpleSAMLphp can be used as both a SAML Service Provider and a SAML Identity Provider. SimpleSAMLphp allows for scalable authentication, from only a few users to hundreds of thousands. SimpleSAMLphp allows Single Sign On (SSO), removing the burden of authentication and identity management - and allowing for more secure environments where service providers can focus on what they want to do, provide a service, delegating authentication and identity management to others. >> Read more about SimpleSAMLphp SimpleSAMLphp 2.6 — Extendable Authentication + Identity Provider SimpleSAMLphp is an application written in native PHP that deals with authentication. It provides Single Sign-On, Federated identity, and uses Web services and other industry standards. 
SimpleSAMLphp can be used as a SAML Service Provider and SAML Identity Provider, but also supports many other identity protocols and frameworks, such as CAS, OpenID Connect, WS-Federation and OAuth. SimpleSAMLphp allows for scalable authentication, from only a few users to hundreds of thousands. Through Single Sign On (SSO) it removes the burden of authentication and identity management - and allows for more secure environments where service providers can focus on what they want to do, provide a service, delegating authentication and identity management to others. >> Read more about SimpleSAMLphp 2.6 ","title":"SimpleSAMLphp Fund","url":"https://nlnet.nl/thema/SimpleSAMLphpFund.html"},{"description":" Services + Applications Services + Applications (e.g. email, instant messaging, video chat, collaboration) This page contains a concise overview of projects funded by NLnet foundation that belong to Services + Applications (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. ActivityPods — Framework for fully-decentralized social apps, combining ActivityPub and Solid Pods ActivityPods brings together two game-changing protocols, ActivityPub and Solid Pods. The goal is to empower developers to create fully-decentralized social apps thanks to an easy-to-use framework. Following the Solid project's principles, ActivityPods apps store all data directly in the user's Pod (Personal Online Datastore). But since these Pods are also ActivityPub actors, they can easily exchange with other Pods and any other ActivityPub-compatible software. Lightweight bots can access the Pod's data, listen to ActivityPub activities and act accordingly. 
This novel architecture gives users the freedom (1) to choose where they store their data, (2) to share their data with anyone on the web, (3) to switch apps at any time without losing data. The overall benefit is a more resilient and innovative web, where privacy and interoperability are guaranteed by design. >> Read more about ActivityPods AlekSIS — All-libre extensible kit for school information systems AlekSIS' – short for All-libre extensible kit for school information systems – goal is to digitise educational institutions' organizational tasks in a sustainable, individual and independent manner. Educational institutions are complex and diverse places: A fair bit of information has to be managed and made accessible in a way that serves the needs of all groups involved. Furthermore, the needs of schools differ considerably, making a one-size-fits-all solution infeasible. Originating in and being built in close collaboration with schools, the AlekSIS project provides the missing FOSS solution for this application area. It aims to deliver a fully fledged, highly customizable software suite that gives schools full control over operation, data and privacy, while integrating existing FOSS projects. From displaying timetables to providing digital class records or person and group management, AlekSIS already includes a great deal of the features the people involved in education, students and teachers, need in their daily routine. Designed as a web application built around the Django and Vue.js frameworks, its responsive design and offline capabilities cater to various devices and user groups. A further aspect of AlekSIS' FOSS architecture is to provide learning opportunities to its student users by facilitating the creation of extensions and contributions to the project itself. 
The goals of this project are to further strengthen our efforts in porting the whole legacy frontend to the newer, Vue.js based one, to finish making AlekSIS capable of timetable and substitution planning and to extend AlekSIS' functionality making it even more competitively viable. >> Read more about AlekSIS AlekSIS: Integration and Communication — SCIM, timetables and other features for AlekSIS AlekSIS is a free school information system that helps with school organisation as an interactive web application. It is a central platform for students, teachers, and parents to manage any information related to everyday school life. The software's functions include lesson planning, creating timetables, managing absences and substitution planning, the digital class register, inventory management, payment systems, and student ID cards. AlekSIS is completely modular and can therefore be flexibly adapted to individual needs. Within this grant, the goal is to improve and add integrations with other software, make the timetable and substitution planning easier by providing assistance tools, integrate parents in daily school workflows and provide advanced attendance tracking. Additionally the aim is to get rid of several legacy technologies and update all AlekSIS apps to a more modern technology stack, and improve documentation and demo data accordingly. >> Read more about AlekSIS: Integration and Communication Perspectives: Making Models — Generate software from open models for human interaction patterns The Perspectives project provides a distributed runtime that allows people to collaboratively run a model that supports them in some form of co-operation. This can be as simple as playing a game of chess or as extensive as coordinating parents' cars to transport a junior sports team to away matches. To completely model the latter is the main scope of this grant. 
The automatic screens generated by the runtime, based on the model, will be customised to provide a pleasant user experience. The end result will be a usable little app, run within the InPlace end user program (that itself runs in the browser as a WebApp). It will also provide a reasonably extensive model that showcases a realistic application of the Perspectives Modelling language, making the distributed runtime better and the modelling language stronger. Perspectives is built on a figure-ground reversal of the structure underlying much of today's internet. Data is not concentrated in a few heaps of similar-looking cases (commonly called databases) but instead on the devices of the people that are its source, subject and users. It is conceived of such that functionality builds upon other functionality, creating a network effect not in terms of numbers of users but in terms of functionality. The more of that, the better, stronger and more useful it becomes. The current project will deliver the first end user functionality that goes beyond maintaining the system environment itself (such as developing models, hooking up to communication services, etc). >> Read more about Perspectives: Making Models AREXERA Crawler — C++ based web crawler The AREXERA web crawler dates back to the early 2000s when AREXERA GmbH (former TECOMAC GmbH) wrote it as part of a toolset to run public search engines like Seekport in Germany and some other European countries. The AREXERA crawler is written in C++ and was designed from the ground up for speed. The crawler supports the common features, like TLS support, robots.txt, politeness rules and WARC file output. The tool was in full production use until the company went out of business, and subsequently development stopped for a while. Recently the code resurfaced, and AREXERA was reborn as a free and open source project. Recent first tests showed still promising performance compared to other widely used crawlers. 
The aim of the project is to bring the crawler up to date with modern requirements and clean up the code, so it can be properly benchmarked with a representative workload - after all, high crawling speed means faster throughput and a lower power consumption per fetched web page. >> Read more about AREXERA Crawler Autocrypt for Thunderbird — Make email encryption extremely simple Autocrypt is a specification that provides guidance for e-mail clients on how to achieve a seamless user experience. It does so by transparently exchanging keys, almost entirely automating public key management. This reduces the UI to \"single click for encryption\". The project will create an extension for the Thunderbird e-mail client that brings this experience to its users. The goal is to provide a new extension with a streamlined user experience that requires as little user interaction as possible, without \"poweruser\" features and performing practical user testing to identify open pain points. The extension will be based on OpenPGP.js, since this can be packaged directly. This will simplify installation and maintenance a great deal. >> Read more about Autocrypt for Thunderbird Interpretation feature for Big Blue Button — Adding translator streams for live interpretation to BBB conference software BigBlueButton is one of the leading open source videoconference solutions. The project will add support for simultaneous interpretation to BigBlueButton. Participants of a meeting will be able to choose the language they would like to listen to. Interpreters can choose which language they listen to and into which language they interpret. The solution can be combined with classical radio setups for interpretation already used in grassroot events to enable interpretation in hybrid situations. 
>> Read more about Interpretation feature for Big Blue Button BBBsecureChat — Add E2EE instant messaging to Big Blue Button meetings BigBlueButton is a video conferencing framework built on open source components. It is being used worldwide for education, events and training, and gained a lot of usage during the Covid-19 pandemic. Whilst audio and video are being handled by scalable components (notably Freeswitch and Kurento), the chat currently integrated in BBB is a single node.js thread for all conferences. This causes performance problems if used heavily in conferences, and lacks features such as E2EE and emoji support. In this project we will be trying to create an alternative chat service component based on mature open source solutions which have a richer feature set and offer end-to-end encryption. Some of the challenges are: respecting privacy in recordings, allowing chats 1:1 and in break-out rooms, automatic exchange of encryption keys, authentication, SingleSignOn and handling file exchange among chat users. We will be testing the enhanced chat with selected BBB users and will offer the result to the BBB developer and user community. >> Read more about BBBsecureChat Bana — Personal network oriented ActivityPub powered social networking Bana is aimed at private social networking. It is both a server and a mobile Web app, and is federated: anyone can operate a server and people on one server can communicate with people on any other Bana server. Bana uses ActivityPub, ActivityStreams, and the Activity Vocabulary protocols. Anthropologist Robin Dunbar speculated humans could only comfortably maintain 150 stable relationships. Bana limits you to 150 connections: the closest friends and family members in your life. The connections are reciprocal, meaning both people follow each other. Bana offers a digital journal shared with only the closest people in your life. 
Bana allows you to post text, photos, videos, audio, location check-ins, workouts, and media consumption - capturing what you want to remember about this particular day in your life. >> Read more about Bana Betrusted software — A minimalist and secure OS for embedded communication devices The Betrusted software project utilizes the strongly typed Rust programming language to build the first applications and libraries for the open hardware Betrusted.io project. Betrusted is pioneering a new class of open hardware communications device, with a grant by NGI Zero. The project will set up a virtual environment for betrusted (e.g. QEMU / RISC-V) in order to develop and test software as close to target as possible and unlock community collaboration and contributions. The second main task in the project is to write a Matrix protocol command line client in order to analyze the memory characteristics in the highly constrained betrusted environment. The additional time is to be allocated to development support for the Betrusted OS, develop glue layers and verify necessary interfaces for applications, provide unit/integration tests and develop (test) applications for it. >> Read more about Betrusted software Blink Qt Messaging — Add modern encryption to SIP softphone Blink is a mature open source real-time communication application that can be used on different operating systems, based on the IETF SIP standard. It offers audio, video, instant messaging and desktop sharing. This project will extend its capability to support end-to-end asynchronous messaging and end-to-end encryption that works both online (OTR) and offline (OpenPGP). Additional features to be developed include end-to-end delivery and read notifications, and a searchable history database. 
>> Read more about Blink Qt Messaging Blink for Windows — Modern cross-platform SIP client Blink is a mature open source real-time communication application that can be used on different operating systems, based on the IETF SIP standard. It offers audio, video, instant messaging and desktop sharing. It supports end-to-end asynchronous messaging and end-to-end encryption which works both online (OTR) and offline (OpenPGP). Within the scope of the effort, the team will continue the migration to a more modern toolkit based on Qt6, and add support for the still widely used Microsoft Windows platform that currently lacks a high quality, standards compliant FOSS softphone. Additional work is done on OpenXCAP, which allows managing buddy lists and policy for subscriptions to presence or other type of events published using the SIP protocol. >> Read more about Blink for Windows Blink RELOAD — Secure P2P real-time communications with RELOAD REsource LOcation And Discovery specification (RELOAD) is a standard produced by the IETF to (as the name indicates) describe how people can search within a local network to discover other people and devices they can then exchange video and voice calls with, send messages etc. Why make every discovery depend on the availability of a global DNS system, if you are actually near each other... Blink is a mature open source real-time communication application that can be used on different operating systems, based on the IETF SIP standard. It offers audio, video, instant messaging and desktop sharing. Blink RELOAD aims to implement RELOAD (RFC 7904), which describes a peer-to-peer network that allows participants to discover each other and to communicate using the IETF SIP protocol. This offers an alternative discovery mechanism, one that does not rely on server infrastructure, in order to allow participants to connect with each other and communicate. 
In addition, the RELOAD specification describes means by which participants can store, publish and share information, in a way that is secure and fully under the control of the user, without a third party controlling the sharing process or the information being shared. >> Read more about Blink RELOAD BlockNote — A modern, open source Block-based editor blocknotejs.org is an open-source block-based rich text editor. BlockNote makes it easier for developers to add user-friendly, modern and collaborative (or \"multiplayer\") text-editing capabilities to their applications. Currently, adding a high-quality document editor to applications often requires deep expertise that is out of reach for many individuals or organizations. BlockNote aims to bridge this gap by offering an open source editor that’s easy-to-adopt for developers, comes with a modern and polished UX, and is block-based. This makes it easier to create structured documents and to programmatically extend the editor and document. Enabling developers to add document authoring capabilities to their software can increase data sovereignty by reducing dependence on a limited range of SaaS applications for document authoring and management. >> Read more about BlockNote Bonfire Search & Discovery — Improving search and discoverability in the Fediverse Bonfire is a modular ecosystem for federated networks. The project creates interoperable toolkits that people can use to easily build their own apps to meet their specific needs. Users are then free to interact with multiple people and groups using these apps hosted on their own device, regardless of what federated software these other people use. Federated topics within the Bonfire ecosystem can consist of a hashtag, a category in a taxonomy, a location, etc. This enables users to find a topic they are interested in, see everything that was tagged with that (publicly or in their network), and follow it to receive any new tagged content. 
This will be interoperable with existing fediverse apps like Mastodon without requiring extra development on their end, and will create a decentralised graph of topics that can help relevant information flow from instance to instance. All content on a Bonfire instance (including remote content coming in via follows or federated topics) will also be aggregated in a local search index with which the user can search their own data, information from people or groups they follow, as well as content from topics or locations they are interested in from around the fediverse. This search will happen locally on their device (which is a plus for privacy), with results appearing instantly while typing a query, and being able to filter the results (e.g., by object or activity type, hashtags, topics, or language). Every line of Bonfire’s code is available to be used or forked, in a collection of libraries that can be assembled and re-assembled to create all kinds of full-featured apps. One example is Bonfire's mutual aid extension where users can post and search for requests and offers across different instances according to topic and/or geographical location. >> Read more about Bonfire Search & Discovery Bonfire federated groups — Create, join and manage federated groups across instances Bonfire is an extensible open source federated community platform, that empowers groups to easily configure their spaces from the ground up, according to a variety of needs and visions. Bonfire envisions a web of independent but interconnected social networks (using a wide definition, since we consider the social components of activities in the economic, educational, and political spheres as well) - able to speak and transfer information among each other, according to their own boundaries and preferences. The scope of this project is to give users the tools to create, join and manage federated groups across instances, with their own set of rules and customisable governance. 
Federated groups on Bonfire will lever the flexible foundation we've recently released: circles and boundaries. Using those building blocks we will ensure that groups have the possibility to define a fine grained set of roles and permissions, with the possibility for each group to define a multitude of roles that fit with how they want to manage membership and participation, and distribute power and responsibility. >> Read more about Bonfire federated groups Bonfire Framework — Elixir-based ActivityPub implementation and library with groups and RBAC Bonfire is an open-source, federated social networking toolkit, designed to empower communities to build custom and federated social networks. The current focus of our project is to improve the stability, performance, and documentation of our codebase, honing a solid framework that enhances user experience and encourages wider adoption. We aim to catch bugs, enhance platform performance, and enrich the developer experience by crafting comprehensive tutorials and documentation. A key aspect of our project involves extending our ActivityPub Library, which underpins the federated nature of Bonfire, and contributing back to the ActivityPub ecosystem by releasing v1.0 of our open-source ActivityPub library. The expected outcomes include a robust, efficient Bonfire framework to be used in production, a surge in developer and community adoption, and contributions to standardize federation protocols. >> Read more about Bonfire Framework Briar — A secure messaging app with offline capabilities Briar is a secure messaging app designed for activists, journalists and civil society groups. Instead of using a central server, encrypted messages are synchronized directly between the users' devices, protecting users and their relationships from surveillance. This project will enable users of Briar to delete their private messages. 
Giving users control of what information their devices retain will allow them to practice defence in depth, managing their exposure if their devices are lost or compromised. >> Read more about Briar Briar Desktop — E2EE online and offline messaging and discussion Briar Desktop is a client for the peer to peer messenger Briar that runs on the typical desktop operating systems Windows, macOS and Linux. With the emergence of multiple Linux-based operating systems for phones, it will also become possible to adapt it to run on operating systems such as Manjaro, PureOS and postmarketOS. A basic version of Briar Desktop has just been implemented and released to the public, but its features are still limited to one-to-one communication. The main goal of this project is to implement the additional group-oriented modes of communication that Briar's Android client supports: groups, forums and blogs. While the first iteration of development focused on Linux, publishing for macOS and Windows are going to be stabilized from experimental to production stage within this project. To keep up with the development of the Android client, support for the upcoming Mailbox feature is also going to be implemented. >> Read more about Briar Desktop Castopod — Podcasting in the fediverse Castopod is an open-source podcast hosting solution for everyone, that can connect to the Fediverse through the W3C ActivityPub standard (Pixelfed, Mastodon, Pleroma…). Castopod is user friendly, and allows for easy discovery everywhere. Whether you are a beginner, an amateur or a professional, you will get everything you need: you can create, upload, publish, manage server subscriptions (WebSub embedded server). You can allow users to listen to your podcast directly, but just as easily connect to commercial directories (Apple, Google, Spotify…). Take back control: interact with your audience on your platform (like, share, comment), the social network IS the podcast. 
In addition to supporting W3C ActivityPub, you can also export to proprietary social networks (Twitter, Instagram, Youtube, Facebook). Castopod is easily hosted on any PHP/MySQL server: unzip it and you and other podcasters are ready to broadcast professionally. >> Read more about Castopod Castopod Mobile — User-friendly mobile podcasting application Castopod Mobile is a free and open-source mobile podcast player application (GPL v3). It is intended to be installed on your mobile phone (iOS, Google Android, /e/…). You can install it from F-Droid, from your usual app store or you may compile it yourself for your own needs. Castopod Mobile is a two-in-one application: a podcast player and a Fediverse client. It serves several purposes: to provide a mobile application that takes advantage of ActivityPub features for podcasts (the ones that Castopod Server provides for instance). Secondly, to reduce the complexity of the Fediverse ecosystem during onboarding: account creation currently prevents many users from joining the Fediverse because it is difficult to guess where to begin. And thirdly: to provide a podcast application template for communities who want to build and manage their ecosystem from beginning (with your own private Castopod Server) to end (with your own Castopod Mobile based application). >> Read more about Castopod Mobile Castopod Plugins — Add plugins to the Castopod podcast server Castopod Plugins is a new modular framework which will allow anyone to develop their own plugins for the Castopod podcast hosting platform. Adding 3rd party plugins brings many advantages to Castopod, most notably a clean and versioned way to add custom features. This allows developers and users to make different tradeoffs by implementing and deploying features essential to them, whether or not these are acceptable as part of the core platform. 
It also helps with compliance at a global scale, without unnecessary censorship: some extensions will be legal to deploy in some jurisdictions but might be problematic in others. By further slimming down the core of Castopod server, modularity will improve overall code security. The project will allow the whole community to be an active part of future development, and will help better cater to the widely differing needs that podcasters have. >> Read more about Castopod Plugins Discover and move your coins by yourself — A safe way to explore and work with cryptocurrency forks The numerous technologies behind cryptocurrencies are probably the most difficult to understand compared to any other networks, even for technical experts - and especially bitcoin based networks. Most users, even those familiar with the technology for years, have to rely on wallets or run/sync full nodes. Empirically we can see that they usually get lost at a certain point of time, especially when said wallets dictate the use of new \"features\", like bip39 and alike, multisig, segwit and bech32. Most users don't understand where their coins are and on what addresses, what is the format of these addresses and what are their seeds and what they need to unlock their coins. This situation pushes users to give their private keys to dubious services, resulting in the loss of all of their coins. The alternative is to let exchanges manage their coins, which removes their agency and puts them at risk. The goal of this project is to correct this situation allowing people to simply discover where their coins are and what their addresses are, whatever features are used. It will allow them to discover their addresses from one coin to another, rediscover their seed if they lost a part, sign/verify addresses ownership, discover public keys from private keys and create their hierarchical deterministic addresses. 
In fact, all the tools needed to discover and check what is related to their coins - and this for any bitcoin based network, in addition it allows them to create their transactions by themselves and send them to the networks, or just check them. The tool is a standalone secure open source webapp inside browsers that must be used offline, this is a browserification of a nodejs module that can be also used or modified for those that have the technical knowledge. >> Read more about Discover and move your coins by yourself Commune — User-friendly persistent chat/voice rooms Commune is an open source alternative to Discord, specifically designed for public-by-default communities. Based on Matrix and built as a Synapse server extension combined with a custom client, Commune inverts a lot of Matrix norms: (1) Web-readable channels and threads that are easily shared as links and tended to in a digital garden; (2) shared interest discoverability across spaces via federated webrings; (3) opt-in encryption for ease of onboarding. The mission of Commune is to act as an accessibility layer on top of the Matrix protocol as a backbone for online community building. Commune meets users where they are by integrating tightly with Discord through two-way syncing and social logins (OAuth), allowing for incremental adoption as opposed to competing directly with the networking effects of incumbents. >> Read more about Commune Conversations — A secure mobile messaging client Conversations is an Android client for the federated, provider independent network of instant messaging servers that use the Extensible messaging and Presence Protocol (XMPP). It aims to provide a feature set and a user experience that is on par with other well known messaging services. While Conversations is capable of sending end-to-end encrypted text messages, images, short videos and voice messages it currently lacks the ability to make voice and video calls. 
This project is about adding A/V call capabilities to Conversations in a manner that is compatible with other XMPP clients. To achieve compatibility Conversations will implement the Jingle protocol extensions including XEP 0353 (Jingle Message Initiation) for a smooth user experience across multiple devices. >> Read more about Conversations Conversations 3.0 — Secure and standards-compliant XMPP client for Android Conversations – a popular XMPP instant messaging client for Android – has been around since 2014. Since then not only have Android development best practices changed but also user requirements on the app have shifted dramatically. Features like emoji reactions, quotations (references), edit history or simply multiple images per message weren’t on the developers' minds in 2014 and are difficult or impossible to implement with the current software architecture. Conversations 3.0 is an architecture overhaul that adapts Conversations to a modern Android development style (namely Android Jetpack) and also redesigns the database to accommodate the aforementioned features. The well-functioning XMPP layer will remain intact during this refactoring in order to keep all existing features and not re-introduce bugs that have been fixed ages ago. >> Read more about Conversations 3.0 Privacy Infrastructure for Corteza Federations — Allow users to locate and browse their private data wherever The project summary for this project is not yet available. Please come back soon! >> Read more about Privacy Infrastructure for Corteza Federations ArtistHub — Allow creative artists to gain visibility and build reputation on the web The Artist Hub is a progressive web app developed by The Creative Passport MTU, that allows users - Music makers - to connect different data sources and display their feeds all in the same global wall arranged in chronological order. 
Music makers will be able to create a custom fan page on a self-hostable server where all their music and related content can be placed and shared with their fans. The underlying architecture for subscribing to and receiving posts/updates from connected services will be built using ActivityPub. The idea behind this architecture is a free and open-source way for music makers to share their content without needing to post to a number of different websites and social media and for fans to have the freedom to choose their platform of choice for engaging with that content. We will use ActivityPub to aggregate data from a number of platforms. This will enable us to offer support for video (using PeerTube), audio (using Funkwhale), images (using PixelFed) and text (using Mastodon). >> Read more about ArtistHub Cross-root ARIA — Standardisation for Accessibility when using Shadow DOM ARIA is a technology used by developers to add accessibility attributes to web-based user interfaces. Web Components are a set of tools which allow developers to create components which can be used in a framework-independent way across different websites. Due to the way Web Components provide encapsulation, using Shadow DOM, some parts of ARIA have become incompatible with Web Components. This project will contribute to ongoing efforts to provide web developers with mechanisms to make these technologies work together. Our goal is to contribute to the relevant specifications, as well as implementing and shipping the proposed solution in one additional browser. >> Read more about Cross-root ARIA CryptPad Auth — Implement external identity mechanisms to E2EE collaborative editor CryptPad is a real-time collaboration environment that encrypts all user-generated content in users' browsers, making it illegible to the host of the service. 
In this project we'll develop optional extensions to the platform to provide additional layers of protection for such data by pursuing two broad strategies in parallel. For the first, we'll take a top-down approach to security through integration with identity provider services like LDAP or SSO, allowing organizations to apply centrally managed access control policies. For the second, more bottom-up approach, we'll offer tighter control of user accounts through various secondary authentication methods like app-based TOTP or email \"magic-links\". These new features will provide more choices for the protection of data stored in CryptPad, while also making the platform more approachable for conventional organizations by leveraging their existing points of trusted infrastructure. >> Read more about CryptPad Auth CryptPad — Real-time collaboration with client-side encryption Cryptpad is a secure and encrypted open source collaboration platform. The CryptPad teams project will fund the development of a number of group-focused features to Cryptpad. We'll improve our current implementation of encrypted shared folders to display the permissions possessed by team members for different documents. The capacity to remove a member from a group is difficult in an encrypted system, as the knowledge of encryption keys cannot be taken away once given. We'll implement key-rotation protocols, and develop encrypted mailboxes to facilitate the delivery of new keys to authorized members. The same mailbox system will enable the development of notifications, allowing users to request additional permissions for documents, to invite new members to a group or session, or to inform friends that a document has been updated. Teams organize in many ways, and with the technical components available we'll focus on interfaces which support different modes of coordination, whether the team is hierarchical or self-organizing. 
Overall, we hope to make it so that the most intuitive way to collaborate is also the most secure. >> Read more about CryptPad CryptPad for communities — Collaborative web editor with client-side encryption CryptPad is a secure and encrypted open-source collaboration platform, that allows people to work together online on documents, spreadsheets and other types of documents. The amazing thing is that while the participants can work with these web applications as they would with any normal tool, the server has no way of telling what it is they are working on. Everything is encrypted on the device of the user, before it is sent to the server. The \"CryptPad for communities\" project will improve the experience of users adopting the platform for community management tasks. We'll spend time solving the issues most commonly reported by our users as obstacles to their broader adoption of the platform as an alternative to proprietary services. Document review is as important to many as collaborative editing, so we'll implement comment workflows that integrate our recently introduced social features into our text editors. Our Kanban and spreadsheet apps will both receive some crucial updates to better facilitate project management tasks without compromising on privacy. We'll develop extra access control features based on users' public keys for documents that require stricter protection than is currently offered. Those hosting their own CryptPad instance will benefit from new functionality for their admin panel as well as detailed documentation to make server management more accessible. Finally, we'll implement extra controls permitting admins to limit access to their instance by requiring invites for registration. Altogether we hope these tools will allow communities more determination when it comes to their data, their processes, and their ability to work together productively. 
>> Read more about CryptPad for communities Redash — Predictive text entry without a keyboard Dasher is an alternative text entry system that searches for suggestions without the discrete input through a keyboard. The software is invaluable to people with disabilities who use it to type or speak and who can’t control a regular physical or on-screen keyboard. Dasher is instead driven by continuous gesture using a dynamic predictive display, a concept originally developed by the University of Cambridge Inference group. The dasher project aims to help all individuals with disabilities who use similar assistive technology by developing a modular word and letter prediction engine that allows for a range of language models to be used - and new ones to be trialed, potentially including integration with context sensitive search prediction provided by search engine providers. The new dasher will provide a fresh codebase matching the features that current users require - whilst improving on the user experience for new users. Thanks to a permissive open source software license anyone will be able to develop additional innovations on top of dasher, including commercial entities that produce bespoke systems. This will help increase the ability for employers to hire people that depend on this type of input mechanism. >> Read more about Redash DatamiPods — Visualisations for (federated) Solid data Datami is a tool to edit, visualize and share your data. It allows you to transform datasets into discoverable, understandable and reusable data. ActivityPods is a collective data space solution based on Solid and ActivityPub. The DatamiPods project creates a bridge between these two existing open source tools, and aims to simplify the use of the datasets involved - also for less technical users. >> Read more about DatamiPods Decidim revamp — Tools for participatory democracy Decidim is a free and open, digital infrastructure for participatory democracy. 
Decidim makes it possible to create and configure a web platform to be used as a political network for democratic participation. The platform is freely available for organisations and institutions seeking to initiate participatory processes such as deliberation, decision-making, collaboration, direct democracy and co-design. In order for the project to reach a new stage of technical maturity, the project will overhaul the user experience through a complete redesign of its interface. It is necessary to review, order and, if necessary, remove features. This project is focused on doing the less visible, but necessary work, to make the code clean and sustainable in the long term. >> Read more about Decidim revamp DeltaBot — Social discovery over mail-based chat Why make humans be the only ones to search new content that is relevant to you, if bots can be made to do the same on your behalf? The DeltaBot project will research and develop decentralized, e2e-encrypting and socially trustworthy bots for Delta Chat (https://delta.chat). Bots will bridge with messaging platforms like IRC and Matrix, offer media archiving for their users and provide ActivityPub and RSS/Atom integration to allow users to discover new content. Our project is not only to provide well tested and documented Chat Bots in Python but also to help others to write and deploy their own custom bots. Bots will perform e2e-encryption by default and we'll explore seamless ways to resist active MITM attacks. >> Read more about DeltaBot DeltaTouch — DeltaChat on UBports mobile phones DeltaTouch is a Delta Chat compatible messenger app for the Ubuntu Touch mobile platform. In this project we will enhance Webxdc support, the last big feature missing compared to the mainline Delta Chat apps. Webxdc apps are small, portable web apps that are running inside a host application. At the moment, all official Delta Chat clients and Cheogram, an XMPP-based messenger, are able to act as a host for Webxdc apps. 
The DeltaTouch Webxdc implementation aims to support the current and also upcoming Webxdc specifications, allowing all existing Webxdc apps to function well with DeltaTouch. >> Read more about DeltaTouch Dino — User-friendly and secure instant messaging Dino is an open-source messaging application. It uses XMPP as an underlying protocol, which allows federated, provider-independent communication and offers a world-wide network of interconnected servers. Dino aims to be secure and privacy-friendly while at the same time offering a good user experience and a modern feature set. This project will add encrypted audio/video calling functionality between two or more parties. The implementation will rely on existing standards to interoperate with other XMPP applications. >> Read more about Dino Dokieli — Decentralised article publishing, annotations and social interactions Dokieli empowers users with full control and ownership of their content through self-publishing capabilities. As a decentralised authoring, annotation, and notification tool, dokieli enables users to create and share human-readable and machine-processable content. Users can author and annotate a wide range of creative works, including articles, reviews, technical specifications, research and academic works, resumes, journals, and slideshows. They can link significant units of information from various open sources, store their content using their preferred storage systems, and share it with their contacts. Dokieli is committed to leveraging open internet and web standards to ensure interoperability and universal access. Content produced by dokieli is decoupled from the application, allowing users the autonomy to switch to any other standards-compliant application and storage system. The project's goal is to make it usable and accessible for all. 
To this end, we will replace several key libraries; improve the UI; expand test coverage (including accessibility tests); increase support for offline use; perform security audits; and expand implementation of web standards, and provide implementation experience feedback to technical standards bodies. >> Read more about Dokieli Draupnir — Moderation bot for Matrix servers Draupnir is a comprehensive moderation bot for room moderators using Matrix (the open source decentralized instant messaging protocol). Draupnir assists room moderators in managing their community and provides continuous protection from spam and harmful content. This is done by utilising sharable and interoperable policy lists that allow different communities to work together to combat new threats. Draupnir also provides a plugin system that can adapt Draupnir to the different needs of every community. Our ongoing efforts to further modularise Draupnir's code base in the interests of maintainability should provide groundwork for future Trust & Safety related projects in the Matrix ecosystem. >> Read more about Draupnir EDeA — Repeatable, automated measurement data capture EDeA is a set of tools and a web portal which makes it easier for people to share and collaborate on Open Hardware sub-circuits. The scope of this project is to further improve on the collaboration aspect of the portal and to build the EDeA Measurement Server. The EDeA Measurement Server is a tool for automated scientific data capture (not only) for sub-circuits and a library which enables test & measurement as code. This makes it possible to analyze, reason about and share open hardware in a repeatable and consistent manner. >> Read more about EDeA Encoding for Robust Immutable Storage (ERIS) — Encrypted and content-addressable data blocks The Encoding for Robust Immutable Storage (ERIS) is an encoding of content into a set of uniformly sized, encrypted and content-addressed blocks as well as a short identifier (a URN). 
The content can be reassembled from the encrypted blocks only with this identifier (the read capability). ERIS is a form of content-addressing. The identifier of some encoded content depends on the content itself and is independent of the physical location of where the content is stored (unlike content addressed by URLs). This enables content to be replicated and cached, making systems relying on the content more robust. Unlike other forms of content-addressing (e.g. IPFS), ERIS encrypts content into uniformly sized blocks for storage and transport. This allows peers without access to the read capability to transport and cache content without being able to read the content. ERIS is defined independent of any specific protocol or application and decouples content from transport and storage layers. The project will release version 1.0.0 after handling feedback from security audit, provide implementations in popular languages to facilitate wider usage (e.g. C library, JS library on NPM), perform a number of core integrations into various transport and storage layers (e.g. GNUNet, HTTP, CoAP, S3), and deliver Block Storage Management (quotas, garbage collection and synchronization for caching peers). >> Read more about Encoding for Robust Immutable Storage (ERIS) Elm Matrix SDK — Better moderation for Matrix rooms and servers The Elm Matrix SDK project is an initiative within the Matrix protocol ecosystem, designed to streamline the functionality of Matrix bots into intuitive applications. The project, currently in its prototype stage, aims to enhance the accessibility of Matrix moderation tools, catering to users of varying expertise levels. The project focuses on developing lightweight client applications with specific use cases, ensuring a seamless and adaptable user experience. Matrix is an overlay protocol used mostly for instant messaging and audiovisual calls, but it is branching out into VR/XR and other domains as well. 
In its evolution, the Elm Matrix SDK intends to create tools that improve the usability and security of moderating individual Matrix rooms and entire servers. Examples include a \"suspicious users page\" for managing users banned across multiple rooms and a dedicated \"war room\" to counteract spam attacks. By prioritizing simplicity and effectiveness, the project strives to address social challenges and eliminate barriers to widespread adoption of moderation tools. >> Read more about Elm Matrix SDK AEAP — Automated e-mail address porting to a new provider There is no search for email addresses, like there was in the days long gone of the phone book. Once an old contact disappears (e.g. moves jobs, changes provider), even though you may have exchanged many emails with that person you cannot discover which new email address(es) go(es) with that old contact. The Automated E-mail Address Porting project (AEAP) wants to allow you to find the new email addresses of these existing email contacts. The project will research and develop the porting of an e-mail address to a new provider. We will implement, document, user-test and release a porting mechanism for Delta Chat, a leading end-to-end encryption mail client. Users can decide they want to use a new provider by entering credentials for a new e-mail address. The outcome of the AEAP project will be Delta Chat Desktop, Android and iOS releases to all app stores, providing seamless porting of e-mail addresses. Changing an e-mail provider will not depend on the consent of the existing one. GMail and various other \"free e-mail\" provider lock-in strategies will be weakened, also through the e2e-encryption that our AEAP effort spearheads. >> Read more about AEAP Email <=> XMPP gateway — Bridge instant messaging with email Libervia is a versatile communication ecosystem offering features like instant messaging, blogging, event planning, photo albums, file sharing, audio/video calls, and more. 
It can additionally function as an XMPP component, providing server-side features. This initiative focuses on creating an Email <=> XMPP gateway, enhancing file management for attachments, transforming mailing list threads into interactive, forum-style discussions with modern elements such as tags and mentions, and ensuring support for end-to-end encryption. The Libervia interface will also see improvements for a better user experience, with clear indicators of message origins and security status. This gateway is a move toward unifying various communication methods within single clients, following Libervia's philosophy as seen with its ActivityPub <=> XMPP gateway and is in harmony with other projects like Slidge, Spectrum 2, or Biboumi. With the introduction of this component, not only will Libervia's functionality be elevated, but it will also equip other XMPP ecosystem projects with the ability to connect their users with the email world, fostering deeper integration of XMPP across the spectrum of communication tools. >> Read more about Email <=> XMPP gateway Thunderbird - native EteSync integration — Add encrypted sync to Thunderbird EteSync is a secure, end-to-end encrypted and privacy respecting sync solution for contacts, calendars and tasks. It protects user data by encrypting it and decrypting it on the end user device, meaning that the user does not have to trust the service provider. Etesync is being developed with support of NGI Zero. This project is adding native sync support for EteSync to the popular Thunderbird mail client (via the existing TbSync which is about to be integrated into Thunderbird) in order to drastically lower the entry threshold. This will allow even non skilled users to fully protect their data with end-to-end encryption. Setup will just involve (auto-)installing an add-on and entering credentials, and selecting which resources should be synchronized. 
>> Read more about Thunderbird - native EteSync integration EventFahrplan — Conference schedule app with strong offline capabilities EventFahrplan is a privacy-friendly app for attending conferences and events running on Android devices. The development of the project happens continuously by staying up-to-date with new technologies and Android versions, adding useful features and fixing bugs. Current challenges are the migration to Compose UI, architectural refactoring, Kotlin coroutines, accessibility improvements, translation management, behavior changes with Android 13, interface changes to address large devices - and many other topics. This project helps to sustain the development of the app and to work on a selection of these topics. >> Read more about EventFahrplan Exter — Proxy-based external browser extensions Exter is a web based plugin platform which allows addons to alter a website's behavior/style/functionality. Instead of trusting the browsers' plugin ecosystem, let's modify the websites before browsers receive them! The goal of this project is to provide a stable and free website-extension-platform to allow future proof and flexible addon development. As a web application, Exter opens URLs, rewrites the static content and injects client scripts to wrap default javascript functions, applies addons, then sends the sanitized/modified website to the browser. This way we have the ability to write plugins that can intercept/modify not only HTTP requests, but even client side functionalities, such as sanitizing 3rd party content or appending new DOM elements to the website or altering cookie handling from javascript and much more. >> Read more about Exter F3D — Cross-platform, fast and minimalist 3D viewer F3D is an open source, community-driven, cross-platform, fast and minimalist 3D viewer. Already integrated into many Linux distributions, F3D is packed with features that let users visualize and render their 3D models efficiently. 
F3D supports dozens of file formats and aims to be the go-to solution for simply taking a look at any 3D model; it also supports thumbnails and integrates well in the desktop experience on Windows and most Linux desktop environments. F3D is also the libf3d, a C++ API to simply and efficiently render 3D models, with Python, Java and Javascript bindings. As such, the libf3d is available as a python wheel on pypi and will soon be available as an npm package. The F3D community strives to be inclusive and welcoming, with a clear contribution and maintenance process where everything is discussed openly with any interested parties. >> Read more about F3D FairSync — Simplify aggregation and discovery of places and events How can we make it possible to search across different maps and lists of events maintained by different organisations? By connecting them, of course! FairSync develops and collects best practices to synchronize maps and events and to federate messengers and identities active in the global movement for sustainability. System integrators are faced with fast evolving APIs and protocols when they try to discover and connect systems and make search easier. We will work on master-master replication frameworks of metadata enriched data sets and test with platform providers for sustainability affairs. One approach is the \"lazy master scheme\": a common update propagation strategy where changes on a primary copy are first committed at the master node, afterwards the secondary copy is updated in a separate transaction at slave nodes. We will try to advance such immediate update propagation in this project using protocols such as ActivityPub or the InCommon API. Federation of identities will be managed with SAML or oAuth2 protocols with fairlogin as a common identity provider. 
>> Read more about FairSync Federated Timesheets — Interoperable machine-readable time tracking This project brings together developers from WikiSuite, m-ld.io, Muze and Ponder Source in a collaboration to deliberately research how federated machine-readable data can work between independent software projects on the user-operated internet. We want to showcase how our vision of Federated Bookkeeping can make internet users \"connected but sovereign\". Each project’s timesheet system that tracks billable hours will be extended with time tracker apps (locally or on a self-hosted server) to expose machine-readable timesheet data through a query endpoint (reader pull) or through a webhook (writer push). Furthermore a W3C interest group “federated timesheets” was started that will contain and maintain a repository of time tracker schemas and extend this continuously in an orderly fashion to enable developers to import recipients’ schemas as well as add their own to the repository. >> Read more about Federated Timesheets FediMod FIRES — Tooling for Fediverse moderation FediMod is building a set of tools to help assist in the moderation of fediverse servers, thereby reducing the need for each fediverse software to reimplement moderation tooling from scratch. FediMod FIRES (Fediverse Intelligence, Recommendations & Replication Endpoint Server) is a protocol for sharing moderation recommendations and advisories. It introduces two key ideas to the Fediverse, one being a firewall based approach to federation management, the second being that moderation decisions should be labelled using common vocabularies. The current project aims to create a reference server implementation, along with a conformance test suite that can be run by anyone implementing the FIRES protocol. We also intend to contribute features to existing fediverse software to enable the usage of these tools. 
>> Read more about FediMod FIRES Fediverse Test Framework — Test bench for ActivityPub implementations The Fediverse consists of individual servers, possibly running different software, that talk to each other. One of the challenges in developing for the Fediverse is to stay interoperable with all the different deployed software. As the message format standard, ActivityStreams, is extensible through JSON-LD, judging how a message is parsed can be a hard task. By using ideas from automated testing, we provide an application that determines a baseline for how messages are processed and rendered. The process is simple: run end-to-end tests and record their results. From the test results a webpage is generated that provides developers with information on how a message is rendered in different applications. We aim to make the framework extensible so new applications can be included. >> Read more about Fediverse Test Framework Fidus Writer — Real-time collaborative web-based online editor for academia Fidus Writer is an open-source online editor that enables real-time collaboration among academic researchers. It supports exporting individual documents to various standard formats, but it lacks the ability to import and export document collections (books) to some of the most widely used formats, such as DOCX, ODT and JATS XML. This project aims to enhance the functionality and usability of Fidus Writer by adding import and export functions for books (including tracked changes), as well as a generic pandoc export for documents, using the existing code base and infrastructure. This will allow Fidus Writer to reach a broader audience and increase its adoption in the academic community. 
>> Read more about Fidus Writer Enhancing Firefox for Linux on Mobile — Mobile native feature-complete Firefox Enhancing Firefox for Linux on Mobile aims to offer a privacy respecting alternative to Chromium-based browsers by improving the user experience (UX) of Firefox on small form factor devices (mobile, tablet) running Linux. We will update the Firefox codebase, primarily the user interface (UI) and the rendering engine. Additionally, we will collaborate with Mozilla to ensure that our modifications are included in Firefox to reduce the maintenance burden by sharing a common codebase across the different projects. As a side effect, our modifications will benefit all Firefox Desktop users including Windows when the Firefox application window is not maximized. >> Read more about Enhancing Firefox for Linux on Mobile Flarum — Add federation and much more to the extensible forum software Flarum. Flarum is a technically advanced, open and extensible discussion platform. Flarum aims to bring people interaction to a new level by how it is designed and engineered. Flarum's key features include a responsive user interface that works seamlessly across all devices, a powerful and flexible extension system that allows users to customize the forum to their specific needs, and a robust set of moderation tools to keep the forum safe and spam-free. Within this project Flarum will add among others support for the W3C ActivityPub standard, to make content accessible in a federated way. >> Read more about Flarum Follow-me slideshow for Collabora Online — Accessible slideshows for videoconferencing tools Collabora Online is an open source online office suite built on LibreOffice technology, enabling web-based collaborative real-time editing of word processing documents, spreadsheets, presentations, and vector graphics. 
This project improves the presentation mode with a feature where one leader can control the presentation and others can remotely follow this easily, including slide transitions, animations and other complex content. This includes some accessibility support and integration into existing open-source video call software. >> Read more about Follow-me slideshow for Collabora Online ForgeFed — Federation for software collaboration tools When you are searching for new software to use, you will have to visit many different software forges - like Gitlab, Codeberg or Sourcehut. There isn't really a tool to search for anything across the boundaries of these different software forges. ForgeFed aims to define a vocabulary and a protocol for decentralized communication and federation of websites used for hosting and collaboration on version control repositories, issue tracking and project management. Typical such websites are code forges such as GitLab and Gitea instances (and centralized services like github), but the idea also applies to applications like collaborative civic planning, publishing of creative writing (such as prose and poetry) and more. ForgeFed is to be designed as an extension of ActivityPub, and web apps implementing it would be joining the Fediverse. The world of repo and project hosting would switch from the centralized model of github (and the lonely disconnected websites running GitLab or Gitea etc.) into a network of federating websites, creating a global decentralized community. The project will publish a set of specifications and guides for implementing the federation protocol, and work with existing projects and communities to refine and finalize the specifications and implement ForgeFed federation. >> Read more about ForgeFed ForgeFed — Federating software forges with ActivityPub The platforms that software developers use for hosting and collaborating on their projects, known as software forges, are centralized systems. 
And some of the most popular forge websites run proprietary software and are controlled by a single company. The values, methods, policies and interfaces of the tools we use with our software projects often don't align with our values and needs, but despite having coding skills, we're powerless to change the situation. ForgeFed aims to put the power back into the hands of the Free Software community, and to allow for systems that are truly trustworthy and support inclusion, freedom, participation, censorship resistance and alignment with needs, by turning software forges into a decentralized network. ForgeFed is a protocol and vocabulary for federation of servers and services related to the Software Development Lifecycle, and an attempt to implement federation into existing free-software forges. ForgeFed has been based on the ActivityPub protocol, which is widely adopted on the Fediverse, and is augmenting it with Object Capabilities, an essential component for distributed secure flexible authorization of collaborative resource access. >> Read more about ForgeFed Fractal — Native client for the Matrix protocol Fractal is an Open Source (GPLv3) Matrix client written in Rust. It uses the GTK graphical interface toolkit and is part of the GNOME project. It was created with a big focus on usability and interface design. The objective of this project is to add end-to-end encryption support to Fractal. Fractal has two major parts: A backend part, which communicates with the Matrix server, and a part that contains the GUI and data handling. This will be achieved by first replacing the current backend with the matrix-rust-sdk that was created recently and has several advantages to the current backend, including an abstraction for handling end-to-end encryption for Matrix. Once the backend pieces are in place, Fractal's UI needs to be updated to allow users to actually use end-to-end encryption, which involves a number of non-trivial new user flows (e.g. 
device verification, cross-signing, key backup). >> Read more about Fractal Native IFC for FreeCAD — ISO-compliant Building Information Modeling in FreeCAD IFC, or Industry Foundation Classes, is finally providing a true, gold, open, universal data format for BIM (Building Information Modeling), the CAD paradigm nowadays widely adopted by the architecture, civil engineering and construction (AEC) industry. The IFC format is open-source, maintained by a consortium, open and text-based, and also an ISO standard. FreeCAD, a popular open-source 3D modeling application, has been supporting the IFC format for years already. This project goes one step further, and turns IFC into a default file format of FreeCAD. Without the translation layer needed to import and export IFC files, FreeCAD becomes a true, native IFC editor, with a wealth of advantages, such as having minimal, identifiable and version-control-friendly change sets, access to just any piece of IFC data, etc. >> Read more about Native IFC for FreeCAD Funkwhale — ActivityPub-driven audio streaming and sharing Funkwhale is a federated platform that provides tools for managing, publishing, and sharing audio content using the ActivityPub protocol. In this project, the team will expand the use of ActivityPub and extend the integrations with other ActivityPub-powered platforms. The flagship web app will be redesigned, adding support for more content types in its API, creating new features that integrate with MusicBrainz, and making the mobile Android offering feature-complete as well as adding a Tauri-based cross-desktop app. >> Read more about Funkwhale Funkwhale — ActivityPub-driven audio streaming and sharing Funkwhale is a free, decentralized and open-source audio streaming and sharing platform, built on top of the ActivityPub protocol. It enables users to create communities of interest around music and audio content in general, listen to their private music library or distribute their own productions on the network. 
Each Funkwhale pod, or server, can communicate with other pods to exchange audio content, metadata or for user interactions. In this project, Funkwhale will improve the publication experience for creators, release its first stable version, improve content discovery inside the platform through better sharing and search mechanisms. We will also continue research and development for Retribute, a community wealth sharing platform meant to support creators on Funkwhale or any other platform. >> Read more about Funkwhale GNU social — Modernizing the original FOSS Social Network GNU social is a free social networking platform, easily self-hostable and highly accessible, that enables both private and public decentralized communications. With NLnet NGI Zero's support, the project is undergoing a change of main focus from microblogging to groups and tags. With this, GNU social will be a space for communities where users can express their passions and explore new ones. Users will be able to immerse themselves in easily filterable content relevant to their interests, and to create and join communities. It's hard to pinpoint an existing alternative service that promotes the same level of functionality in terms of tagging, filtering and connecting with people that share common interests. Especially considering the available degree of accessibility, customization and expansion via plugins. >> Read more about GNU social GNU Taler — Advanced electronic payment system for privacy-preserving payments GNU Taler is an advanced electronic payment system for privacy-preserving payments. Unusual for such a system, the entire Taler system is ethical, free/libre software, so there are no dependencies on third parties and no black boxes. Taler can support digital payments in any currency - existing or new, mainstream or private. Unique to the GNU Taler system is that it provides anonymity for customers, while delivering various anti-fraud measures necessary to curb abuse. 
If you are a central bank, you can use Taler to provision a CBDC. If you are a regular bank or payment provider, you can use it as a mature digital payment method instead of various proprietary solutions which are opaque and come with many restrictions and high costs. The technology behind Taler fully supports local or community currencies too. Taler was designed to meet all the usual regulations for electronic money issuers, and supports regulations like PCI-DSS and GDPR out of the box. The work done within this grant delivered a key regulatory requirement, an independent audit of the payment service operator (the \"exchange\"). With the third party security audit of the GNU Taler codebase completed, banks and payment providers can now switch to this new system with confidence. GNU Taler finally brings us a transparent, trustworthy and truly private payment ecosystem that operates independent from vendors. >> Read more about GNU Taler GNUnet Messenger API — API for decentralized instant messaging using CADET Communication is one of the most valuable goods, but it requires confidentiality, integrity and availability to trust it. The GNUnet Messenger API implements an encrypted translation layer based on Confidential Ad-hoc Decentralized End-to-End Transport (CADET). Through CADET the API will allow any kind of application to set up a fully decentralized form of secure and private communication between groups of users. The service uses e2e-encryption and does not require any personal information from you to be used. You are able to send text messages, share files, invite contacts to a group or delete prior messages with a custom delay. Messages and files will both be stored decentralized being only available for others in the group. GNUnet provides the possibility to use this service without relying on the typical internet structures, with a turnkey optional DHT for sharing resources. 
Unlike many other messengers out there the GNUnet Messenger service focuses on privacy. You decide who can contact you and who does not. You decide which information gets shared with others and which stays a secret. The whole service and its API is free and open by design to be used by many different applications without trusting any third party. >> Read more about GNUnet Messenger API GPG Lacre project — Best effort encryption of mail flows with OpenPGP This project is the continuation of the work on providing open source, GnuPG based email encryption for emails at rest. All incoming emails are automatically encrypted with user's public key before they are saved on the server. It is a server side encryption solution while the control of the encryption keys is fully in the hands of the end-user and private keys are never stored on the server. The scope of the project is to improve on the already existing code, provide an easy to use key upload system (standalone as well as Roundcube plugin) and key discoverability. Besides providing a solution that is easy to use we will also provide easy to digest material about encryption, how it works and how to make use of it in situations other than just mailbox encryption. Understanding how encryption works is the key to self-determination and is therefore an important part of the project. GPG Mailgate will be battle tested on the email infrastructure of Disroot.org (an ethical non-profit service provider). >> Read more about GPG Lacre project Galene — High quality libre videoconferencing server Galene is a complete self-hosted videoconferencing system that has been designed to be easy to install and to manage, to preserve the users' privacy, and that uses very moderate server resources. Galene has been continuously used in production to host university lectures and staff meetings since September 2020, as well as to host a number of international conferences during the COVID pandemic. 
The goal of this project is to improve Galene to make it use state-of-the-art networking and video algorithms, to improve its management features, and to add a number of user-visible features, such as background blur and automatic subtitling. >> Read more about Galene Gancio — Shared agenda for local communities that supports Activity Pub Gancio is a shared agenda for local communities, and was the first one to support Activity Pub. Gancio focuses on cross-cutting collaboration through its decentralized instances that allow communities to connect. This enables users to easily discover and engage in events in their neighborhood, as well as elsewhere - while avoiding attention-based business models and intrusive advertisements. The focus of this project is a number of new features such as implementing HTTP Signatures, moderation and onion routing, as well as improving compatibility with other Fediverse event tools. In addition, the team seeks to establish a common agreed upon event format to make the interaction with such tools more streamlined. >> Read more about Gancio GoToSocial — Lightweight ActivityPub social network server GoToSocial is an ActivityPub social network server, powered by Golang. It complements existing ActivityPub implementations by providing a lightweight, customizable entryway into decentralized social media hosting. GoToSocial places a high value on ease of deployment and maintenance; this means low system requirements, minimal external dependencies, and clear documentation. GoToSocial empowers self-hosting newcomers to deploy small, personalized instances, from which they connect to others across the Fediverse, using low-powered equipment lying around at home. With GoToSocial, you can follow people and have followers, you make posts which people can favourite and reply to and share, and you scroll through posts from people you follow using a timeline. You can write long posts or short posts, or just post images, it's up to you. 
You can also, of course, block people or otherwise limit interactions that you don't want by posting just to your friends. >> Read more about GoToSocial GoToSocial — Improvements to ActivityPub server written in Go GoToSocial is an ActivityPub-enabled social network server. It complements existing ActivityPub implementations (Mastodon, Akkoma, etc) by providing a lightweight, customizable and privacy focused entry to decentralized social media hosting. GoToSocial places a high value on ease of deployment and maintenance; this means low power requirements, simple set up, and clear documentation. It empowers self-hosting newcomers and experts alike, to easily and reliably deploy decentralized communities at minimal cost. With something as low-power as a small single-board home server, you can deploy a personal instance to follow your favourite Fediverse users, post content and interact with the decentralized community at large, all while retaining ownership of your personal data. For more experienced and privacy conscious users we offer features like allow-list federation mode, to ensure your data is only circulated among those you explicitly permit. In this project, the team will add two factor authentication, improve interoperability, scalability and add some new features like better archiving capabilities. >> Read more about GoToSocial Gosling — Generic Onions Services Library Project One of the internet’s core infrastructural flaws is a lack of anonymity - yet anonymity is a form of privacy that many users would prefer to have. Building products which preserve this user privacy while also being featureful and easy to use is difficult. Part of this difficulty has to do with the fact that developers need to be aware of and actively counter the myriad ways users can be de-anonymised (e.g. fingerprinting, side-channels). 
This requires knowing many intricate details at all levels of the software stack. Project parent Blueprint for Free Speech's goal is to gradually increase the portion of the internet that offers anonymity. By creating a “generic onions services library” (Gosling), we can help developers create secure and anonymous p2p applications without having to delve too deeply into protocol design or the Tor spec, and to do so with more security assurance. >> Read more about Gosling Goupile — Secure forms including Clinical Report Forms (eCRF) Goupile is an open-source form editor designed for data collection in research, particularly in health, replacing traditional paper case report forms (CRF) with electronic versions (eCRF) accessible on computers and mobile devices. Developed by the InterHop.org association, it allows users to easily create customized forms with a programming approach using JavaScript, which enables the creation of highly dynamic and interactive forms with ease. Goupile also provides user management, data recording, synchronization, and options for online and offline data collection. Users can choose to self-host Goupile or utilize a turnkey service on certified HDS servers (Software as a Service, SaaS), all while benefiting from InterHop's support for the development of new features. >> Read more about Goupile Haketilo/Hydrilla — Browser extension for site customisation Internauts today have very little control over their web browsing. Many sites are no longer simple documents meant for reading but complex in-browser applications often equipped with facilities to mistreat their users. Haketilo is a browser extension that aims to change this by giving you complete control over the resources your browser loads for websites, starting with JavaScript. One of its features is the ability to replace sites' JavaScript programs with user-supplied ones. 
There is currently no other browser extension that provides users with a secure and fully free browsing experience of this kind. Haketilo works together with its repository, Hydrilla, which it can query for community-developed custom site resources. Both tools are available as free/libre software under GNU licenses. In addition, the Hydrilla API can also be utilized by independent developers who want to increase the amount of user agency in their products. For greater website compatibility, Haketilo will work alongside other browser extensions that mitigate harmful JS. >> Read more about Haketilo/Hydrilla Haphaestus — Lightweight JavaScript-free browser engine written in Haskell In the pursuit of turning a document publishing system into an application delivery platform, modern web browsers have become incredibly complex, thus frustrating efforts to adapt and modify browsers to people's individual needs, including privacy and accessibility needs. Haphaestus aims to illustrate the potential of a more private JavaScript-free web to provide an optimal experience for any conceivable device, by building upon the dev's previous auditory web browser to prototype one that can conveniently navigate most (but the most popular) sites using a TV remote. Haphaestus will strive to deliver a working independent web browser requiring minimal TV remote button presses, as well as reusable software components for laying out, rendering, & paginating richtext documents written in a range of alphabets. >> Read more about Haphaestus Hubzilla — Federated social networking environment Hubzilla is one of the most mature stacks within the so-called Fediverse, and is able to run different protocols such as ActivityPub, Diaspora and Zot. Hubzilla provides powerful tools for communities and individuals to help organise themselves, while providing a possibility to interact with each other. 
It is a decentralised identity, communications and permissions framework built, using common webserver technology. The software features many useful apps to enable discussions, event organisation, file sharing etc. with built-in internet-wide access control. With Hubzilla you don't have an account on a server, you own an identity that you can take with you across the network. With the help of the NGI Zero grant, the new version of the zot protocol (zot6) will be implemented as the primary communication protocol and the UX/UI will be improved to lower the entry barrier for less experienced computer users. And of course you can easily search your Hubzilla server for topics, users, fora and tags. >> Read more about Hubzilla Indigenous — Indieweb mobile clients Indigenous is a collection of native, web and desktop applications which allows you to engage with the Internet as you do on social media sites, but posts it all on your website. Use the built-in reader to read and respond to posts across the internet. Indigenous doesn't track or store any of your information, instead you choose a service you trust or host it yourself. Posts are collected on your website or service which supports W3C Microsub, writing posts uses the W3C Micropub specification. Popular services that support both are Wordpress, Micro.blog and Drupal, with more coming soon. >> Read more about Indigenous Collabora Online Multi-user Infinite Canvas — Infinite Canvas / collaborative presentation mode for Collabora Online Collabora Online is an open source online office suite built on LibreOffice technology, enabling web-based collaborative real-time editing of word processing documents, spreadsheets, presentations, and vector graphics. This project will implement an infinite canvas for presentations, a presentation mode where individual slides are positioned in a 2.5D plane - which becomes apparent when moving from one slide to another. 
This allows for non-linear presentation modes, as well as presenting the overall outline of the whole presentation in a visual way which users can intuitively grasp. >> Read more about Collabora Online Multi-user Infinite Canvas Inventaire — Wikidata-based social sharing of reading experiences The Inventaire Project is an effort to move forward on the front of accessing information on resources using libre software powered by open knowledge. This ideal is being materialized in the form of inventaire.io, a libre book sharing webapp, inviting everyone to make the inventory of their physical books, declare what they want to do with it (giving, sharing, selling), as well as who should be able to see it (shared publicly through e.g. ActivityPub, or only visible by your friends and groups). To power those inventories with structured bibliographic data, inventaire.io is also playing the role of a Wikidata-federated open and contributive bibliographic database, extending wikidata.org data with Wikidata-compatible entities (CC0, shared data schema) tailored to our needs, but ready to be pushed to Wikidata when the data contributor deems it appropriate. This linked open data architecture allows users to build their inventories on a huge open knowledge graph, that we believe will, in time, offer exceptional discovery capabilities. This project addresses many features, such as improved privacy settings, accessibility, creating publisher collections and data federation. >> Read more about Inventaire Inventaire Self-hosted — Self-hosted book inventories that share the wikidata-powered bibliographic database The Inventaire Association supports and promotes the use of libre/free software and open knowledge to share information on resources. This ideal results in inventaire.io: a libre book sharing webapp, inviting everyone to make the inventory of their physical books, say what they want to do with it (giving, sharing, selling) and who may see it (friends, groups, or everyone). 
To provide data on books, inventaire.io reuses, extends, and facilitates contribution to wikidata.org. This allows users to build their inventories on top of a huge open multilingual knowledge graph, connected to Wikipedia, national libraries, the fediverse, and many other resources. As the inventaire software becomes more mature, it is now time to deliver on a promise made years ago: decentralization. Installing and maintaining a self-hosted data-federated inventaire server should soon be as easy as (cyber-)cake! This would allow association libraries, privacy-concerned collectives, or anyone preferring self-hosting, to run their own instance: they would fully control their inventory data (\"We have this book\"), while still having the possibility to benefit from a mutualized bibliographic database (\"This author wrote this book\"). >> Read more about Inventaire Self-hosted IronCalc — Embeddable spreadsheet engine written in Rust IronCalc is a versatile open-source spreadsheet engine written in Rust from the ground up, employing modern programming best practices. It can be used from any programming language or from end-user products like Web IronCalc. Around the world, millions of spreadsheets are used for accounting, data analysis, processing, educational purposes, collaboration, sharing, etc. IronCalc aims to be an all-purpose alternative to Excel or Google Sheets, filling an important gap in the democratisation of spreadsheets. Suited for companies, individuals, and schools alike, the project aims to be feature-rich, international, fast, and lightweight. >> Read more about IronCalc JShelter Manifest V3 — Make JShelter compatible with Manifest V3 JShelter is a freely licensed anti-malware Web browser extension that informs and protects people's freedom and privacy through people's regular use of the Web. These programs often go unnoticed, but run on a user's system -- whenever the Web server says to run them. 
They are typically served to the user as minified JavaScript, and few provide the corresponding human readable source code, or a free license allowing users to lawfully inspect and modify the program. By definition, these programs infringe user freedom. This Free Software Foundation project started in 2020 and is continuously developing. It is currently used by thousands of users around the world as the project gears up to continue protecting users from potential threats from JavaScript, such as fingerprinting, tracking and data collection, while migrating to Google's Manifest V3. Manifest V3 will restrict the capabilities of Web extensions -- especially those that are designed to monitor, modify, and compute alongside the conversation your browser has with the Web sites you visit. Because of that, Manifest V3 is a detrimental step back for Internet privacy. With the help of NLnet, JShelter will work to upgrade its functionalities and continue to protect user privacy on the Web, which is even more important after this transition. >> Read more about JShelter Manifest V3 End-To-End Encryption for Jitsi Meet — Proven strong encryption for open source video conferencing Jitsi Meet is an open-source video conferencing application that uses Jitsi Videobridge to provide high quality, secure and scalable video conferences. Traditionally, it used hop-by-hop encryption to secure the contents. The drawback of this is of course that the videobridge is able to view the unencrypted contents. With the advent of the WebRTC Insertable Streams API in Chrome it became possible to implement actual end-to-end encryption on top of WebRTC. This project will implement and verify a more complete solution that involves a key management system which establishes public keys, derives encryption keys and changes them depending on the state of the conference. 
>> Read more about End-To-End Encryption for Jitsi Meet Knowledge Graph Portal Generator — Automatically generate custom web interfaces for structured data The Knowledge Graph Portal Generator is a toolkit designed to create user-friendly web portals for Knowledge Graph (KG) datasets, making data from public SPARQL endpoints accessible to users without expertise in semantic technologies. Built on the LinkedDataHub framework, our solution will feature paginated collections, faceted search, and detailed entity views. It will extract RDF ontologies from datasets, generate content configurations, and use these to extend the default LinkedDataHub into a dataset-specific web application. >> Read more about Knowledge Graph Portal Generator Kaidan — Adding encryption to user-friendly cross-platform XMPP client Kaidan is a user-friendly and modern chat app for every device. It uses the open communication protocol XMPP (Jabber). Unlike other chat apps, you are not dependent on one specific service provider. Instead, you can choose between various servers and clients. Kaidan is one of those XMPP clients. In contrast to many other XMPP clients, it is easy to get started and switch devices with Kaidan. Additionally, it adapts to your operating system and device's dimensions. It runs on mobile and desktop systems including Linux, Windows, macOS, Android, Plasma Mobile and Ubuntu Touch. The user interface makes use of Kirigami and QtQuick. The back-end of Kaidan is entirely written in C++ using Qt and the Qt-based XMPP library QXmpp. >> Read more about Kaidan Kaidan A/V — Secure audio and video calls for Kaidan and QXmpp Kaidan is a user-friendly and modern chat app for every device. It uses the open communication protocol XMPP (Jabber). Unlike other chat apps, you are not dependent on one specific service provider. Instead, you can choose between various servers and clients. Kaidan is one of those XMPP clients. 
In contrast to many other XMPP clients, it is easy to get started and switch devices with Kaidan. Additionally, it adapts to your operating system and device's dimensions. It runs on mobile and desktop systems including Linux, Windows, macOS, Android, Plasma Mobile and Ubuntu Touch. The user interface makes use of Kirigami and QtQuick. The back-end of Kaidan is entirely written in C++ using Qt and the Qt-based XMPP library QXmpp. This project aims to add audio/video calls to Kaidan in a standards-compliant manner. >> Read more about Kaidan A/V Kaidan Auth + portability — Account portability and Client/Server Authentication for the Kaidan XMPP client Kaidan is a user-friendly and modern chat app for every device. It uses the open communication protocol XMPP (Jabber). Unlike other chat apps, you are not dependent on one specific service provider. Instead, you can choose between various servers and clients. Kaidan is one of those XMPP clients. In contrast to many other XMPP clients, it is easy to get started and switch devices with Kaidan. Additionally, it adapts to your operating system and device's dimensions. It runs on mobile and desktop systems including Linux, Windows, macOS, Android, Plasma Mobile and Ubuntu Touch. The user interface makes use of Kirigami and QtQuick. The back-end of Kaidan is entirely written in C++ using Qt and the Qt-based XMPP library QXmpp. >> Read more about Kaidan Auth + portability Kaidan — Encrypted A/V calls, group chat messaging Kaidan is a user-friendly and modern chat app for every device. It uses the open communication protocol XMPP (Jabber). Unlike other chat apps, you are not dependent on one specific service provider. Instead, you can choose between various servers and clients. Kaidan is one of those XMPP clients. In contrast to many other XMPP clients, it is easy to get started and switch devices with Kaidan. Additionally, it adapts to your operating system and device's dimensions. 
It runs on mobile and desktop systems including Linux, Windows, macOS, Android, Plasma Mobile and Ubuntu Touch. The user interface makes use of Kirigami and QtQuick. The back-end of Kaidan is entirely written in C++ using Qt and the Qt-based XMPP library QXmpp. >> Read more about Kaidan Karrot — Location-aware community self-organisation Karrot is a tool to support grassroots community organizing. It is designed to enable community-building and a more transparent, democratic and participatory governance of groups. Some of its defining features are the self-assignment of tasks, full transparency of members’ actions and a trust-based role system that avoids all-powerful group admins. Karrot originates in facilitating food-saving and sharing initiatives but developed a wider scope of community support. Equipped with a better understanding about the diverse ways in which people self-organize and practice commoning, we will further develop the existing roles and permissions system, add features through which groups can run polls and enact graduated sanctions according to their needs. >> Read more about Karrot Katzen — Meta-data resistant instant messaging over the Katzenpost mixnet Katzen is a new private instant messaging application built using the Katzenpost mixnet project, which is an overlay network that is able to hide communication patterns of individual users from passive network observers. This means that attackers cannot link sending and receiving of messages on the network with any of the participants. Messages between conversation parties are delivered to and read from message queues operated by the mixnet service operators. The legacy simple design maintains a per client queue and is able to see when a client is receiving a message, how often clients receive messages, and when the client is online and checking for their messages. 
The purpose of this project is to replace the legacy ephemeral message storage system used by Katzen with a replacement that does not link messages with a specific user or conversation. To do this, clients will include a CSPRNG seed as part of the contact creation process that will be used to generate a deterministic sequence of message identifiers between conversation participants; these identifiers will be used by each client to query the ephemeral storage provider for the next message in the conversation. Because polling the storage service adds latency, and this design must check for new messages from each conversation partner, mechanisms to reduce the number of round trips - such as using SURBs as an asynchronous callback upon message delivery on the storage provider - will be explored as a means to build a mixnet 'push' service to decrease the total round trip delay in receiving a new message. >> Read more about Katzen Katzen Metadata Minimizing Messenger — Privacy preserving instant messaging using a modern mixnet Katzen is a multi-platform messenger application that works with Katzenpost, a mix network framework for building anonymity-enhancing communication services. Katzen minimizes metadata that could potentially be used to reveal the identities, locations, and relationships of its users. Katzen currently supports one-to-one messages between paired users, while also not revealing who is speaking to whom. This project aims to improve Katzen by adding group messaging, multimedia file transfers, and voice chat. These features require a new encrypted-at-rest database, additional UI for file transfers and push-to-talk voice messaging, and implementation of group messaging using the multiparty REUNION protocol, which allows group members to discover each other using a shared passphrase. 
>> Read more about Katzen Metadata Minimizing Messenger Kazarma Release — Bridge between ActivityPub and Matrix protocol Matrix-Appservice-CommonsPub is a bridge between two decentralized protocols: Matrix and ActivityPub. This allows private messages to be exchanged between Matrix users and users of different ActivityPub-enabled platforms, like PeerTube, Pixelfed and Mastodon. The bridge comes as an easy-to-deploy, secure and scalable solution. In this project the team works on significantly improving interoperability with various ActivityPub flavours, and on extending the feature set - better moderation options, private bridges, internationalisation, etc. >> Read more about Kazarma Release Kbin — ActivityPub based link sharing and microblogging Kbin is a decentralized content aggregator and microblogging platform running on the Fediverse network. It can communicate with many other ActivityPub services, including Mastodon, Lemmy, Pleroma, Peertube. The initiative aims to promote a free and open internet. The platform is divided into thematic categories called magazines. By default, any user can create their own magazine and automatically become its owner. Then they receive a number of administrative tools that will help them personalize and moderate the magazine, including appointing moderators from among other users. Content from the Fediverse is also cataloged based on groups or tags. A registered user can follow magazines, other users or domains and create his own personalized homepage. There is also the option to block unwanted topics. Content can be posted on the main page - external links and more relevant articles or on microblog section - aggregating short posts. All content can be additionally categorized and labeled. Great possibilities to search for interesting topics and people easily is something that distinguishes Kbin. 
The platform is equally suitable for a small personal instance for friends and family, a school or university community, a company platform or a general instance with thousands of active users. >> Read more about Kbin /kbin — Mobile app and feature additions to /kbin The project summary for this project is not yet available. Please come back soon! >> Read more about /kbin Keyoxide Mobile — Mobile client for identity management tool Keyoxide The Keyoxide Mobile app is an open source Keyoxide client for Android that lets you verify and manage decentralized cryptographic identities while being on the go. To verify someone else's decentralized identity: simply enter their identifier or scan their QR code to see the verification result generated by the app. With the funding from NLnet, the app will be able to create new Keyoxide profiles and additional features will be added such as iOS support, a design update, being able to save multiple profiles, text encryption/decryption, custom instance support, accessibility features like localization, color themes and contrast. >> Read more about Keyoxide Mobile Kiwi IRC — Self-hosted web IRC environment Kiwi IRC is an open messaging platform that any online organisation or community can use. We do not believe that any community should be locked into a single vendor for their communication tools as this restricts how the community grows and develops - the community itself should dictate how they develop over time. Working with other open source projects in the IRC world, we are expanding the generally available privacy tools and making them usable for mainstream use. This will see tools such as end-to-end encryption and mobile applications being brought to users taking advantage of open messaging, improving the privacy of millions of existing IRC users and pushing for open platforms. 
>> Read more about Kiwi IRC Improve Email Encryption in KMail — Adopt improvements in Email Encryption in KMail The goal of this project is to make it simpler for inexperienced users to just use encrypted mails, at the click of a button. Autocrypt is a new method for email encryption, that needs nearly no user interaction. It performs the needed key exchange transparently in the background, and does key management automatically. Encrypted Headers is a protocol to send mail headers in the encrypted mail part. Traditional encryption methods leaked meta-data, which could be used for mass surveillance purposes. The result will be part of the KDEPIM codebase, so you don't have to install anything other than KMail to use these improvements. >> Read more about Improve Email Encryption in KMail Collabora Online/LibreOffice Accessibility — Private and accessible collaborative editing with Collabora Online/LibreOffice Collaborative online text editing has become indispensable for many, but not everyone can equally benefit from it. The goal of this project is to implement improved accessibility for Collabora Online. The core of the proposal is to add accessibility to the edit view of documents, which are currently just pixels for a screen reader. This means users should be able to migrate off public cloud offerings when it comes to office document editing and this project should improve privacy for the most vulnerable in the society. >> Read more about Collabora Online/LibreOffice Accessibility LO/CODE Book project — Professional typography inside LibreOffice The project enhances readability of text documents by adding highly customizable paragraph-level line breaking and microtypography to the LibreOffice/Collabora Online Writer word processors. It creates a new type of software, with the print quality of proprietary DTP programs and with productivity of word processors. It saves paper and screen area with a compact paragraph layout and readable multi-column pagination. 
It should result in proposals to enhance the OpenDocument format standard (ISO/IEC 26300) which will be submitted for standardization, encouraging future standards to support enhanced readability, especially for people with reading difficulties. >> Read more about LO/CODE Book project Collabora Online and LibreOffice — Improved visual document search for cloud service Today it’s usually easier to use a search engine for information than find it locally, which is not optimal from a digital sovereignty point of view. Part of the problem is that we lack good open source tools to provide context and graphical search of local documents. These tools present plain-text lists for search results, which means people with good graphical memory find information slower. We think it’s a huge opportunity to show the context of search hits in a graphical form to find information faster. Technically, this will mean taking an existing file synchronization and sharing (FSS) solution, hosting your documents on-site. Then improving LibreOffice to index content in documents with their context. We will build a secure REST API on top of this in Collabora Online which provides good performance. Finally we will integrate with a search engine, e.g. Apache Solr to create a proof-of-concept search page that allows searching in all documents hosted in a FSS solution. This will serve as an example how to integrate our solution to other projects like Nextcloud. >> Read more about Collabora Online and LibreOffice LibreOffice/Collabora Online typography — Add interoperability and state-of-the-art web typography to LibreOffice/Collabora Online line break The project adds state-of-the-art ISO OpenDocument/web typography features and MS Office line break interoperability to LibreOffice open source office suite (reference application of ISO OpenDocument format) and Collabora Online (open source online office suite built on LibreOffice Technology). 
This includes the support of ISO OpenDocument text property fo:hyphenate and paragraph property fo:hyphenation-keep (same features in XSL, CSS3 and CSS4); restoring lost text layout interoperability caused by the new default line break algorithm of Microsoft Word; and improving hyphenation zone interoperability (Microsoft Word/CSS4). >> Read more about LibreOffice/Collabora Online typography Land — Code editor building on Tauri and VSCodium Land is a customisable open-source code editor that puts users in control and emphasizes rebuildability. Land in particular aims to provide a smooth and responsive alternative to VS Code™, the proprietary code editor on which many developers currently depend. Land allows you to continue to use the key features developers rely on in VS Code, but also allows you to remove intrusive integrations and undesirable dependencies. Because Land is powered by Tauri instead of Electron, it won't hog your resources. Compared to VS Code it has enhanced modularity and extensibility, and obviously telemetry is disabled by default. Take back control of your code, rebuild your tools your way. >> Read more about Land lemmur — A Lemmy mobile client Lemmur is a multi-platform client for Lemmy - a federated link aggregator. It aims to bring the fediverse to the hands of regular people by providing a seamless experience across different instances. Currently lemmur implements the majority of functionalities provided by Lemmy making it competitive with existing social media apps. In this project lemmur will expand to support more Quality of Life features such as live comment updates and notifications with websockets, caching, theming system, and custom feeds. Additionally lemmur will expand its and Lemmy's reach by internationalizing the whole app, creating adaptive UI for different platforms, and creating an onboarding experience that will work as an introduction to both lemmur and the fediverse. 
Lastly lemmur will continue improving the seamless instance experience reducing the need of changing instances to the minimum. >> Read more about lemmur Lemmy — ActivityPub for link aggregation Lemmy is an open-source, easily self-hostable link aggregator that you can use to share and discover interesting new ideas - and discuss them with the world. It's designed to work in the Fediverse, and communicate natively with other ActivityPub services, such as Mastodon, Funkwhale and Peertube. Lemmy aims to create a decentralized alternative to widely used proprietary services like Reddit. For a link aggregator, this means a user registered on one server can subscribe to communities on any other server, and have discussions with users registered elsewhere. The front page of popular link aggregators is where many people get their daily news, so Lemmy has the potential to help alter the social media landscape. >> Read more about Lemmy Lemmy private communities — Add private communities to Lemmy federated link aggregator Lemmy is an open-source, easily self-hostable link aggregator that you can use to share, discover and discuss interesting new ideas - and discuss them with the world. Lemmy is a good decentralized alternative to widely used proprietary services like Reddit. It is designed to work in the Fediverse by virtue of its implementation of the W3C ActivityPub standard, and communicate natively with other ActivityPub services such as Mastodon, Funkwhale and Peertube. Users registered on one server from one of these services should be able to effortlessly subscribe to communities on any other server, where they can have discussions with users registered elsewhere. In this project, the team will deliver many noteworthy upgrades ranging from a more stable API, to group federation, two-factor authentication and improved moderation. In addition the project will work on the new native client Jerboa (for the Android OS). 
Also for the nostalgically inclined, the project is working on a new frontend inspired by traditional web forums like phpBB. >> Read more about Lemmy private communities Lemmy Scale — ActivityPub-powered social link aggregation and discussion Lemmy is an open-source, easily self-hostable link aggregator that is used to share, discover and discuss whatever comes to mind. Unlike proprietary services that welcome users only on their own terms, Lemmy instances can each determine their own course. Lemmy implements the W3C ActivityPub standard, and federates with other ActivityPub services such as Mastodon, Funkwhale and Peertube. Users registered on one server from one of these services are able to subscribe to communities on other servers where they can have discussions with users registered elsewhere. In this project, a number of noteworthy features are worked on, ranging from improving UX, federation, APIs, storage optimisation, tagging, polls, and more. >> Read more about Lemmy Scale Lemmy Federation — Lemmy Federation and ActivityPub compliance Lemmy is an open-source, easily self-hostable link aggregator that you can use to share and discover interesting new ideas - and discuss them with the world. It's designed to work in the Fediverse, and communicate natively with other ActivityPub services, such as Mastodon, Funkwhale and Peertube. Lemmy aims to create a decentralized alternative to widely used proprietary services like Reddit. For a link aggregator, this means a user registered on one server can subscribe to communities on any other server, and have discussions with users registered elsewhere. The front page of popular link aggregators is where many people get their daily news, so Lemmy has the potential to help alter the social media landscape. In this project, the team focuses on standards compliance, interoperability, internationalisation features, private communities and improving moderation. 
>> Read more about Lemmy Federation LiberaForms — End to End Encrypted Forms Cloud services that offer handling of online forms are widely used by schools, associations, volunteer organisations, civil society, and even families to publish questionnaires and collect the results. While these cloud services (such as Google Forms and Microsoft Forms) can be quite convenient to create forms with, for the constituency which has to fill out these forms such practices can actually be very invasive because forms may not only include personal details such as their name, address, gender or age, but also more intimate questions including medical details, political information and life style background. In many situations there is a power asymmetry between the people creating the form and the users that have to supply the data through that form. Often there is significant time pressure. No wonder that users feel socially coerced to comply and hand over their data, even though they might be perfectly aware that their own data might be used against them. LiberaForms is a transparent alternative for proprietary online forms that you can easily host yourself. In this project, LiberaForms will add end-to-end encryption with OpenPGP, meaning that the data is encrypted on the client device and only the final recipient of the form data can read it (and not just anyone with access to a server). Also, the team will add real-time collaboration on forms, in case users need to fill out forms together. >> Read more about LiberaForms Liberaforms — Open source form server Cloud services that offer handling of online forms are widely used, for questionnaires but also for gathering data within schools, associations, volunteer organisations, civil society and even families. 
While these cloud services (such as Google Forms and Microsoft Forms) can be quite convenient to create forms with, for the constituency which has to fill out these forms such practices can actually be very invasive to their privacy - as many forms not only include personal details such as their name, address, gender or age, but also a lot more intimate questions - up to medical details, political information and life style background. In many situations there is a power asymmetry between the people creating the form and the users that have to supply the data through that form. Often there is significant time pressure. No wonder that users feel socially coerced to comply and hand over their data, even though they might be perfectly aware that their own data might be used against them. This project will produce a free and libre software solution to create online forms, and to manage the outcomes. The goal is to make something for regular humans: user-friendly, non-intrusive and light-weight. The project aims to make self-hosted form management easy even for novice users, so data can be kept safely on-premise or with a hosting company you can trust. Something that can be used by our neighbours, friends, colleagues and anyone else who respects privacy and understands the moral obligation of the creator of a form to protect the privacy of the people that are supposed to share data with them. >> Read more about Liberaforms XMPP-ActivityPub gateway — XMPP, ActivityPub and E2EE Pubsub XMPP (aka Jabber) is the vendor-neutral internet standard for instant messaging. ActivityPub is a web standard for federated social networking, used in software like Mastodon, Pleroma, PeerTube, Pixelfed and Funkwhale. The project consists of two components: an ActivityPub-XMPP gateway, which will be a component bridging these protocols - enabling ActivityPub users to access XMPP blogs, comments and other features, and vice versa. 
And adding state of the art end-to-end encryption (E2EE) for PubSub and filesharing, which entails proposing a new XMPP standard which can provide a secure way to publish, retrieve and subscribe to all sorts of data over XMPP. The project is built on Libervia (previously known as \"Salut à Toi\"), a communication ecosystem based on XMPP. Libervia offers several interfaces (web, desktop, mobile, command line, text UI) and explores the XMPP protocol beyond instant messaging. Libervia features chat, blogging, file sharing, photo albums, events, forums, etc. Libervia's goal is to develop an all-in-one, easy to use \"familial and personal social network\", i.e. a tool to communicate with the people close to you securely - and that lets your personal data stay within your control (as it should be). >> Read more about XMPP-ActivityPub gateway Audio/Video Calls in Libervia — Encrypted Audio/Video Calls in multi-frontend XMPP client Libervia is a multi-frontend, multi-purpose XMPP client. It doesn't just focus on instant messaging, and uses the open standard to provide features such as blogging/microblogging, calendar events, file sharing, end-to-end encryption, etc. Some of the last major missing features include audio/video conferencing and desktop sharing. The goal of this project is to implement one2one calls first and then multi-user conferencing and desktop sharing, while using the e2e encryption mechanisms provided by the ecosystem where possible. These features will be available on the various front-ends, including web, desktop, and even command line. Compatibility will be ensured with the wider XMPP ecosystem, to ensure that calls can be made without problems with other software such as Conversations or Movim. >> Read more about Audio/Video Calls in Libervia Librecast — E2E encrypted multicast The Librecast project contributes to decentralising the Internet by enabling multicast. 
It builds transitional protocols and software to extend the reach of multicast and enable easy deployment by software developers. This can for instance help to synchronise large evolving datasets to many users at the same time (even hundreds of gigabytes of blockchain data) in an economic, reliable, transparent and fair way - unlike with unicast, everyone can get a copy of the same packets received by everyone else. Not depending on a centralised structure (anyone can be the upstream source), means it is very robust as well. LibreCast is energy efficient and as a next generation internet technology offers confidentiality and security - and is sustainable, has high scalability and throughput. Librecast Live is a Multicast Live Streaming, Conferencing and Remote Collaborative Work Environment. It is a versatile multicast platform flexible and scalable enough to be used for live-streaming, classrooms and conferences - using an ad hoc or previously established web of trust. While using multicast helps solve the scalability inherent with this kind of setup, actually all messages are transmitted over encrypted channels - providing strong privacy and integrity assurances through E2E encryption. >> Read more about Librecast Lightmeter — Email server configuration lifecycle management Lightmeter will make it easy to run email servers large and small by visualising, monitoring, and notifying users of problems and opportunities for improved performance and security. People will regain control of sensitive communications either directly by running their own mailservers, or indirectly via the increased diversity and trustworthiness of mail hosting services. >> Read more about Lightmeter Lizard — E2E Rendez-vous and discovery The Lizard project aims to develop a common protocol for end-to-end encrypted social applications using Tor as underlying transport mechanism, with the addition of store-and-forward servers discovered through the Tor hidden service directory. 
The protocol takes care of confidentiality and anonymity concerns, and adds mechanisms for easily synchronising application-level state on top. All communications are done \"off the grid\" using Tor, but identities can be publicly attested to using existing social media profiles. Using a small marker in your social profiles, you can signal to other Lizard users that they can transparently message you over Lizard instead. By taking care of these common discovery and privacy concerns in one easy-to-use software suite, we hope that more applications will opt for end-to-end encryption by default without compromising on anonymity. >> Read more about Lizard Loops — ActivityPub based sharing of short video clips Loops is an innovative Fediverse platform inspired by TikTok and powered by the decentralized ActivityPub protocol. It aims to deliver personalized short-form video content through a \"For You\" recommendation algorithm, enhancing user engagement and discovery. The platform supports interactive features like comments and video remixes, fostering a creative and collaborative community. By connecting with the Fediverse, Loops gives users more control over their data, better privacy, and the ability to interact with other platforms—making it an exciting new way to experience social media in our ever-changing world. >> Read more about Loops Mailpile Search Integration — Personal email search engine Mailpile is an e-mail client and personal e-mail search engine, with a strong focus on user autonomy and privacy. This project, \"Mailpile Search Integration\", will adapt and enhance Mailpile so other applications can make use of Mailpile's built-in search engine and e-mail store. This requires improving Mailpile in three important ways: First, the project will add fine-grained access control, so the user can control which data is and isn't exposed. 
Second, enabling remote access will be facilitated, allowing a Mailpile running on a personal device to communicate with applications elsewhere on the network (such as smartphones, or services in \"the cloud\"). And finally, the interoperability functions themselves (the APIs) need to be defined (building on existing standards wherever possible), implemented and documented. >> Read more about Mailpile Search Integration Mailpile 2 (moggie) — Building a secure, modern e-mail client for self-hosting Mailpile's mission is to empower users to be more autonomous and private in how they manage, store and communicate over e-mail, simplifying the use of relevant encryption technology (OpenPGP, Tor and encrypted local storage). Mailpile 2 will be an Open Source, secure web-mail application, usable and powerful enough to be a compelling alternative to both mainstream desktop e-mail clients and proprietary web-mail services. Mailpile 2 will offer both local and remote access to an elegant, mobile-friendly web interface, built on web-APIs exposed by Moggie. Moggie is the project's technical toolkit for searching and working with e-mail. This stage of the project is about developing Moggie to the point where it is useful as a stand-alone tool in its own right, and feature complete enough that work on the Mailpile 2 user-interface can commence. >> Read more about Mailpile 2 (moggie) Manyfold — ActivityPub-powered tool for storing and sharing 3d models Manyfold is a web application for managing collections of 3d models, with a focus on the needs of the 3d printing community. It is designed to be self-hosted, and lets users browse, organise, and analyse their downloaded models. With NLNet’s support, the project has recently launched federation features using ActivityPub, progressive transmission of 3d models, and a wide range of core feature enhancements. 
The next phase of the project will build on this base to create richer social features, better ways to get models into and out of the system, features to help financially support creators, and improvements to search and discovery features, all of which will help build an open, decentralised ecosystem for 3d model hosting. >> Read more about Manyfold Manyverse — An off-line capable privacy-centric social messaging app Manyverse is a social networking mobile app, implemented not as a typical cloud service, but instead on a peer-to-peer network: Secure Scuttlebutt (SSB). The mobile app locally hosts the user's database, allowing them to own their personal data, and also use the app when offline. Data can sync from one mobile device to another, via Bluetooth, Wi-Fi, or Internet. Free and open source software. >> Read more about Manyverse Manyverse Private Groups — Implement SSB Private Groups in Manyverse Manyverse is a peer-to-peer social network built on the SSB protocol where users themselves are responsible for the network. It is used by thousands of people, on both mobile and desktop. Users can share public posts with each other, but there is currently no way to write private messages to closed communities of a dozen members or more. With this project, we want to implement and improve SSB Private Groups for adoption in Manyverse. This is a cryptographic mechanism to ensure that communities can talk in private. Additionally, we want to make sure that these communities have the tools they need to moderate and prune their social space for safety. >> Read more about Manyverse Private Groups Mastodon - groups, filtering, moderation — Group support with ActivityPub Mastodon is a decentralized open-source social network built on the ActivityPub protocol. It allows users to launch their own instances of social networks, while allowing the instances to connect over the Fediverse. 
The project foresees the development of groups, advanced filtering, and improved moderation functionality. Groups functionality gives users the option to communicate with a smaller subset of their connections; improved moderation functionality will give admins a toolkit to efficiently deal with reported cases, e.g. with batch actions; advanced filtering adds more sophisticated ways to filter posts. >> Read more about Mastodon - groups, filtering, moderation ActivityPub Quote Posts — Quote Posts in ActivityPub and Mastodon Quote posts are a popular feature of online social media platforms. They offer the ability to share another person's post to one's own followers, while adding a comment. Interestingly, so far this seemingly obvious concept has not been standardised - meaning there is no agreed way to implement this feature into a W3C ActivityPub implementation in a way that is automatically interoperable with the other applications in the Fediverse. Quoting is a simple but powerful feature that can help to quickly grow audiences and convey trust and respect, but in the hands of the wrong people it can also be used for malicious purposes: to misquote people, or to intentionally quote someone out of context. Since people 'have actually said it', quotes can easily be levered to rally hate speech and harass people. This project will design an ActivityPub implementation of quote posts that tries to avoid this. It will attempt to remove some of the liabilities, and reduce the risk of weaponisation. The goal is to write an ActivityPub protocol extension proposal (a so-called FEP) for quote posting, which will be implemented directly in Mastodon to see if the design holds up. Having a specification allows everyone to efficiently implement this same feature in an interoperable way. >> Read more about ActivityPub Quote Posts MeiliSearch — Modern and responsive search Advanced content search for apps and websites has become an increasingly protected craft. 
When owners of big content repositories need search at scale, they have to choose between hiring expensive search specialists or outsourcing search in its entirety. Search doesn’t need to be this complicated. It should be simple enough to be self-hosted with the developers you already have, and it should be understandable & open enough that you can resort to a managed cloud without fear of lock-in. MeiliSearch is blazing fast and very light on resources. It packs advanced search capabilities like search-as-you-type, relevancy, typo-tolerance, synonyms and filters, all set up and configured in minutes. Our primary path to widespread adoption is integration with other developer ecosystems. Every new language, framework, platform or application that’s supported brings in a new audience of developers that wouldn’t otherwise know we even exist. >> Read more about MeiliSearch Mellium — Add OMEMO support to XMPP library Mellium is an XMPP library that helps other projects safely interoperate using the most widely used, federated, real-time communication protocol in use today. Unfortunately, it does not currently provide a mechanism to enable projects using it to communicate in an end-to-end encrypted manner, meaning those projects must do the hard (and potentially dangerous) work of implementing encryption themselves. This project aims to create an easy to use implementation of the OMEMO encryption standard (XEP-0384: OMEMO Encryption) that is compatible with popular instant messaging clients. This will encourage projects depending on Mellium to implement strong privacy protections by lowering the barrier to entry for end-to-end encryption. >> Read more about Mellium Miru — Multi-track video editing and real-time AR effects Miru is a new set of modular, extensible Web platform tools and components for still image and multi-track video editing and state-of-the-art, real-time AR. 
Using WebGL, WebAssembly, and open source, mobile-optimized machine learning models, Miru will give people on the social web the tools to edit images and apply interactive effects to recorded video without compromising on privacy and transparency. Miru aims to provide intuitive and user-friendly UIs which developers can easily integrate into their Web apps regardless of the frontend frameworks they use. >> Read more about Miru Misskey — Misskey federation and ActivityPub compliance Misskey is a decentralized and open source microblogging platform. It has \"Reactions\" that allow you to easily express your feeling, \"Drive\" that allows you to manage files in one place, and a highly customizable UI that makes it more fun to share something. Misskey also implements ActivityPub, so it can communicate with other platforms interactively. Since the code is open to the public, users can also create their own instances and create their own communities. Because Misskey uses Node.js, a non-blocking IO, performance remains lightweight even when federating with many instances. From the very beginning of its development, Misskey has been focused on being the first to incorporate the latest technologies of the web to provide a unique experience. >> Read more about Misskey postmarketOS/phosh-mobile-settings integration — Consolidate functionality of FOSS mobile settings applications Currently, there is no easy way for applications to install settings that then show up in the system's settings app on desktop Linux systems. As part of bringing desktop Linux to mobile phones in postmarketOS, we have created a \"tweaks\" app for phone-specific configuration options. With this project, the options in this tweaks app will be converted to a format described by a specification which settings apps then can implement. 
This in turn is part of a broader effort to make desktop Linux suitable for running on mobile phones as a means to create an operating system for phones without excessive user tracking or built-in ads, with a focus on the user instead of money. >> Read more about postmarketOS/phosh-mobile-settings integration Mobilizon — Find, create and organize events Mobilizon is a free, libre and federated groups and events management platform. Most proprietary social medias collect behavioral data and social graphs by hosting groups and events management tools (such as Facebook events, MeetUp, etc.). This can become a problem, even more when your group works on topics like activism, raising awareness and empowering citizens. Mobilizon allows for a federation of interconnected hosts, that decentralize by design data concentration while permitting interactions between users across the federation. This group and event management tool has been designed by asking and considering the needs of mobilized citizens. It includes features that have since been implemented as well by mainstream social medias (multiple profiles for each account), and does not reproduce mechanisms driven by the attention economy. As such, Mobilizon is not a social media, it does not pander to egos, but focuses on being a toolkit to manage communities. On top of the event publishing tool, it features a group discussion tool (akin to a minimalist forum), a group page management tool (that can be used as a one-page website), a group public and private posts tool (similar to a blog), and a group link directory (to organize links to online documents, resources, etc.). With this grant, Framasoft aims to improve Mobilizon's search results (within an instance as well as throughout the federation) and recommendations. We also want to help people find groups and events close to their interests or their location, as well as allow them to import their events from other platforms when possible (Facebook, MeetUp, etc.). 
>> Read more about Mobilizon Mobilizon UX — Share events on the fediverse Mobilizon enables the creation of community venues for organising and promoting local and topical events, activities, and groups. These instances can share information using the ActivityPub protocol, allowing users to publish their events on one Mobilizon server and propagate these elsewhere. Mobilizon is designed to be user-friendly and empowering. In order to reach a wider audience with Mobilizon, we need to make sure we serve the needs of users well - whether they are instance administrators, event organisers, or end users. We will conduct workshops to study how each of these interacts with Mobilizon and understand their expectations, so that we can develop Mobilizon accordingly. Additionally, we will test, document and improve interoperability with other Mobilizon instances, other fediverse applications, and other websites in general. This can be achieved through plugins, APIs, and aligning on standard formats such as Ical. Ultimately, communicating about local activities will become more efficient and finding local activities easier. >> Read more about Mobilizon UX MoboSearch — Providing an alternative view on the Android App ecosystem Mobile phones play a major role in our society, yet they still suffer from severe limitations in how they handle apps. As a result, most people are unaware of the dangers of privacy leaks and are typically offered very constrained search capabilities within one single source of information, the app store. MoboSearch is a new search engine and information portal for apps, empowering users beyond the existing app stores. The system exposes privacy and security information, like app permissions, and gives users new easy and flexible search capabilities that allow to make an informed choice and to increase people's awareness. 
Openness and interoperability ensure that the system can offer and receive data, so to cooperatively enable a better and healthier app ecosystem. >> Read more about MoboSearch Mobroute — A minimalist FOSS public-transportation router/tool suite Mobroute is a general purpose FOSS public transportation router, enabling people to e.g. plan their trips around town. It is a Go library and command line interface (CLI) that works by directly ingesting timetable data from transit agencies themselves (in GTFS format, obtained via the Mobility Database). After this data has been fetched, route planning can be done offline, on one’s own device. Overall, Mobroute aims to offer an open source framework for integrating data-provider-agnostic GTFS public transit capabilities (integrated GTFS ETL, GTFS multisource support, and routing algorithm) into applications to get users from point A to point B via public transit, without compromising privacy or user freedoms. In addition to the Mobroute Go library & CLI, the related subproject, the Transito app offers fully integrated routing functionality on mobile devices (Android & Linux) utilizing Mobroute's Go library. >> Read more about Mobroute Monal IM — Free Jabber/XMPP client for iOS and macOS Monal is an open source XMPP instant messaging client for MacOS and iOS which strives to be the go-to client for these platforms just like the app Conversations is for Android. XMPP in general is an open and standardized protocol for real time communication. Anyone can host their own server and communicate freely with each other, just like with email and just like email the used addresses are of the form \"user@domain.tld\". 
In this project, Monal will among others add end-to-end encryption to its chat interface, in this case the OMEMO XEP which uses a so-called double ratchet mechanism to provide strong protection of the confidentiality of messages. Within the project, the team will also implement various other XEPs such as audio and video (A/V calls), adding modern functionality and improving interoperability with other clients. >> Read more about Monal IM Monal IM UI — Modern UI for XMPP on iOS and macOS Monal is an open source XMPP instant messaging client for MacOS and iOS which strives to be the go-to client for these platforms just like the app Conversations is for Android. Like other messaging apps on iOS and macOS Monal must deal with the limitations of these platforms. Yet, Monal is able to fully support push messages even for encrypted groupchats without resorting to non-XSF-standardized extensions to the long-lasting XMPP protocol. Since Monal has a quite mature and stable XMPP backend now, the focus is shifting to rewriting the UI of Monal. And all this while adding new features, such as voice and video calls, which have only recently been added. In this project, Monal will receive a new chat UI that provides better UX and is way more maintainable for the developers. Additionally, the audio call functionality previously funded by NLnet, will be extended by a dialpad. This will allow calls to mobile and landlines via appropriated XMPP-VoIP-bridges like jmp.chat. To speed up connection establishment support for Bind2 and FAST will be implemented. This will result in better UX, especially for users on mobile connections with low bandwidth and high latency. >> Read more about Monal IM UI Movim — Add end-to-end encrypted videocalls to Movim XMPP Movim is a web-based social and chat platform that acts as a frontend for the XMPP network. The goal of this project is to modernize and extend the long-existing audio and video conferencing features in three major steps. 
First, the existing UI will be completely refactored and redesigned to better integrate the conferencing features into the existing pages and flows. Secondly, Movim will support one-to-many call features and offer full compatibility with other XMPP clients building upon the step-one features but without relying on a central server to handle the media streams. And finally, to handle conference calls with a large number of participants, Movim will standardize and integrate SFU (Selective Forwarding Unit) support that will then lift the streams network bottlenecks offering a complete and scalable experience to its users. With those three steps fulfilled Movim will then be able to greatly simplify fully standard XMPP audio and video conferencing calls on the web. >> Read more about Movim Movim — Add OMEMO encryption to Movim XMPP client Movim is a web platform that delivers social and IM features on top of the mature XMPP standard (aka Jabber). Unlike other chat apps, with XMPP you have a choice of both servers and clients - and the ability to add any features you want, and restrict your trust to those that deserve it. Movim is a user-friendly communication platform aimed at small and medium structures (up to a hundred simultaneous users), and sports a number of unique social features beyond instant messaging. And because it sits on XMPP, Movim users can explore the whole global instant messaging network from a single account. In this project, Movim will add end-to-end encryption to its chat interface, in this case the OMEMO XEP. Since Movim is browser based, the implementation will have to put the encryption layer client-side - or in other words, inside the browser. Because users can connect simultaneously on the same XMPP account using different browsers with Movim, each browser will be seen as a different \"device\". Decrypted messages will be saved in a browser database, using IndexedDB. 
The web server will just take care of handling public keys to the XMPP network and store the encrypted messages, same as the user's XMPP server does when using archiving methods. The project will deal with both the one-to-one chat implementation and the Multi-User Chat part of Movim. This is part of a concerted effort to create reliable end-to-end encryption for XMPP based real time communications. At present growth of the wider network is hampered by lack of interoperability. >> Read more about Movim Mox — Modern full-featured open source secure mail server Mox is a modern email server implementation that makes it easy for people and organizations to run their own mail server, allowing them to stay in control of their own email communication, and keeping email decentralized. While high-quality open source mail server software components exist, their code bases are growing old, and getting a working setup involves configuring at least half a dozen of them to work together. That complexity has turned people to a few (centralized) email providers. Mox gives users their power back! All important protocols/mechanisms needed for a modern email setup have been implemented in mox, including: IMAP4, SMTP, SPF, DKIM, DMARC, MTA-STS, TLSRPT, automatic TLS with ACME and Let's Encrypt, IP/domain/bayesian spam filtering, internationalized email, account autoconfiguration. Setting up mox takes just minutes with the quickstart, with no additional tools/dependencies required. The code base is lean, coherent, self-contained, well-tested, cross-referenced with specifications, liberally MIT-licensed, trivially reproducibly built and is defensively written in Go, a modern, safe programming language. Mox's integrated approach has allowed for novel functionality. Development continues on supporting more protocols and extensions, as well as quality improvements such as more automated tests. 
On the roadmap at the time of writing (but check the project site!): IMAP4 CONDSTORE, QRESYNC, THREAD extensions, DANE and DNSSEC, sending DMARC and TLS reports, OAUTH2, Sieve, JMAP, Webmail, Calendaring and more. >> Read more about Mox Mox management and automation — Automated email server management and administration Mox is a modern email server implementation that makes it easy for people and organizations to run their own mail server, allowing them to stay in control of their own email communication, and keeping email decentralized. While high-quality open source mail server software components exist, their code bases are growing old, and getting a working setup involves configuring at least half a dozen of them to work together. That complexity has turned people to a few (centralized) email providers. Within this grant the team will add a number of missing key features such as server-side email filtering (Sieve) and encrypted storage, among others. >> Read more about Mox management and automation Mustang - UI components — Integrated email, team chat, video conference, calendar and file exchange Mustang is an Open-Source desktop and mobile app that seamlessly integrates email with team chat, video conference, calendar and file exchange into a single app for communication. It is available for Windows, macOS, Linux and planned for Android and iOS. It respects user privacy and data sovereignty, keeping the data on your own computer systems. By supporting various open protocols (and optionally through extensions also closed protocols of multiple vendors), it allows for a smooth transition to openness. In this project, certain UI components will be developed, the File Sharing UI be improved, and a prototype UI for Structured Data in email (SML) be implemented. As time permits, other components will be developed as well. 
>> Read more about Mustang - UI components Mustang UX — Integrated email, team chat, video conference, calendar and file exchange Mustang is an Open-Source desktop and mobile app that seamlessly integrates email with team chat, video conference, calendar and file exchange into a single app for communication. It is available for Windows, macOS, Linux and planned for Android and iOS. It respects user privacy and data sovereignty, keeping the data on your own computer systems. By supporting various open protocols (and optionally through extensions also closed protocols of multiple vendors), it allows for a smooth transition to openness. In this project, the focus is on UX design, connecting the various apps together to create a unified whole. >> Read more about Mustang UX Mynij — Portable indexing and search engine for mobile People feel lost when their connection to the internet is cut. All of a sudden, they cannot search for some reference or quickly look up something online. At the other end, hundreds of millions of servers are 'always on', awaiting the user to come online. Of course, this is neither very resilient nor economic. And it is also not necessary. In the 60s, computers used to occupy a large room. Nowadays, with smartphones, they fit in your hand. A complete copy of the Web (10 PB) already fits on 100 SSDs of 100 TB occupying a volume similar to an original IBM PC. A partial copy of the Web optimised for a single person will thus soon fit on a smartphone. Mynij believes that Web search will eventually run offline for legal, technical and economic rationale. This is why it is building a general purpose Web search engine that runs offline and fits into a smartphone. It can provide fast results with better accuracy than online search engines. It protects privacy and freedom of expression against recent forms of digital censorship. It reduces the cost of online advertising for small businesses. 
It brings search algorithms and information presentation under end-user control. And you control its availability: as long as you have a copy and a working device, it can work. >> Read more about Mynij NeoChat — Native Matrix encrypted instant messaging client NeoChat is a client for Matrix, an open and decentralized chat protocol. NeoChat is using Qt and KDE technologies to run on many platforms: Linux, Windows, macOS, Plasma Mobile and Android. One of the biggest missing features for NeoChat is support for end-to-end encryption. Currently, all the messages are sent unencrypted and encrypted conversations can't be read in NeoChat. This is not a problem for public rooms since they are usually not encrypted, but it makes NeoChat unsuitable for usage in a private or professional context. The goal of this project is to enable support for encryption in NeoChat. Since NeoChat uses libQuotient, a client library for the Matrix protocol, most of the work will take place in libQuotient. This means that the work done in the project will also help other Matrix clients and bots built with Quotient, in particular Spectral and Quaternion. >> Read more about NeoChat Nextcloud — Unified and intelligent search within private cloud data The internet helps people to work, manage, share and access information and documents. Proprietary cloud services from large vendors like Microsoft, Google, Dropbox and others cannot offer the privacy and security guarantees users need. Nextcloud is a 100% open source solution where all information can stay on premise, with the protection users choose themselves. The Nextcloud Search project will solve the last remaining open issue which is unified, convenient and intelligent search and discoverability of data. The goal is to build a powerful but user friendly user interface for search across the entire private cloud. It will be possible to select data by date, type, owner, size, keywords, tags and other metadata. 
The backend will offer indexing and searching of file based content, as well as integrated search for other contents like text chats, calendar entries, contacts, comments and other data. It will integrate with the private search capabilities of Searx. As a result the users will have the same powerful search functionalities they know and like elsewhere, but respecting the privacy of users and strict regulations like the GDPR. >> Read more about Nextcloud NextGraph Framework — SDK's and API's for the NextGraph Framework NextGraph is an open source ecosystem that provides solutions for end-users (a platform) and software developers (a framework), wishing to use or create decentralized apps featuring: real-time collaboration, peer to peer communication with end-to-end encryption, local-first, portable and interoperable data, total ownership of data and software, security and privacy. Centered on repositories containing semantic data (RDF), rich text, and structured data formats like JSON, synced between peers belonging to permissioned groups of users, it offers strong eventual consistency, thanks to the use of CRDTs. Documents can be linked together, signed, shared with others, queried using the SPARQL language and organized into sites and containers. Using our framework, SDK and APIs, developers will be able to create standalone or embedded apps that can make capability-based access requests on the user's data, define smart-contracts and implement any business logic within cross-document transactions. With NextGraph, users and apps can securely access and traverse their authenticated data graph (web of data) and social graph (social network), while enabling resilience and data integrity, and preserving privacy and decentralization. >> Read more about NextGraph Framework Nitter — Alternative privacy-preserving FOSS UI for Twitter Nitter is an open source alternative Twitter front-end that prioritizes privacy and performance. 
It acts like a proxy by requesting data on the server using internal Twitter APIs, and serving a lightweight front-end without JavaScript or ads, as well as RSS feeds. This bypasses the need for login credentials, and all requests including media go through the Nitter server. It's easy to self-host, and more than 100 public instances are available. The scope of this project is to implement features such as an account system for following Twitter users, tweet embeds, missing Twitter features, and general maintenance. The account system will store tweets in a database, paving the way for a future tweet archival feature. >> Read more about Nitter NodeBB — ActivityPub support and accessibility improvements for forum software NodeBB is a Node.js based community forum software that utilizes web sockets for instant interactions and real-time notifications. NodeBB benefits from modern features like real-time streaming discussions, mobile responsiveness, and rich RESTful read/write APIs, while staying true to the original bulletin board/forum format — categorical hierarchies, local user accounts, and asynchronous messaging. In this project, the team will be working on bringing ActivityPub integration to NodeBB, in order to allow forums to become truly interconnected with other ActivityPub-enabled applications throughout the wider Fediverse (of course including other NodeBB forums). The absolute hardest part of starting a community — forum or otherwise — is gaining a critical mass of adoption in order to sustain interest and content. What if we could bypass this hurdle altogether? >> Read more about NodeBB Adopting the Noise Key Exchange in Tox — Improved security of Tox instant messaging with NoiseIK Tox is a P2P instant messaging protocol that aims to provide secure messaging. It's implemented in a FOSS library called \"c-toxcore\" (GPLv3). The project started in the wake of Edward Snowden's disclosure of global surveillance. 
It's intended as an end-to-end encrypted and distributed Skype replacement. The cryptographic primitives for the key exchange (X25519), authentication (Poly1305) and symmetric encryption (XSalsa20) are state of the art peer-reviewed algorithms. Tox' authenticated key exchange (AKE) during Tox' handshake works, but it is a self-made cryptographic protocol and is known to be vulnerable to key compromise impersonation (KCI) attacks. This vulnerability enables an attacker who has compromised the static long-term private X25519 key of a Tox party Alice to impersonate any other Tox party (with certain limitations) to Alice (reverse impersonation) and to perform Man-in-the-Middle attacks. The objective of this project is to implement a new KCI-resistant handshake based on NoiseIK in c-toxcore, which is backwards compatible with the current KCI-vulnerable handshake to enable interoperability. Further, Noise's rekey feature will be evaluated for adoption. >> Read more about Adopting the Noise Key Exchange in Tox Nyxt Webextensions — Independent implementation of WebExtensions Nyxt is a web browser that seeks to empower knowledge workers with access to better browsing tools. The Internet is the single largest corpus of human knowledge available. Effective tools to navigate, browse, and index it are important for research/work/empowerment. Nyxt provides these tools. A different take on the \"browser\", Nyxt is a power-browser, designed from the ground-up for work. What was until now missing from Nyxt, and from other third party browsers, is support for common WebExtensions (such as NoScript, ad blockers, etc). In this project we'll extend Nyxt's capabilities to support WebExtensions which will allow users to customise their browsing experience and better protect themselves from abuse. Additionally, our work will pave the way for other libre WebKitGTK+ to support WebExtensions, and thus, increase adoption. 
>> Read more about Nyxt Webextensions Nyxt — A programmable browser with advanced search integration Nyxt is a new type of web browser designed to empower users to find and filter information on the Internet. Web browsers today, largely compete on performance in rendering, all whilst maintaining similar UIs. The common UI they employ is easy to learn, though unfortunately it is not effective for traversing the internet due to its limited capabilities. This presents itself as a problem when a user is trying to navigate the large amounts of data on the Internet and in their open tabs. To deal with this problem, Nyxt offers a set of powerful tools to index and jump around one's open tabs, through search results and the wider Internet. For example, Nyxt offers the ability for the user to filter and process their open tabs by semantic content search. Because each workflow and discipline is unique, the real advantage of Nyxt is in its fully programmable and open API. The user is free to modify Nyxt in any way they wish, even whilst it is running. >> Read more about Nyxt Nyxt — Browser integration of federated, distributed platforms Nyxt is a new type of web browser designed to empower users to find and filter information on the Internet. The information available to browsers is limited by the protocols they understand; the languages they speak. Most browsers only speak HTTP(S), a protocol designed for client/server interactions. In its latest generation, Nyxt plans to open up access to an Internet beyond HTTP, a larger, more decentralized Internet. The new versions of Nyxt will feature support for XMPP, ActivityPub, and IPFS. Together, these decentralized technologies will power much of the next generation of Internet technologies, and Nyxt will speak their language! >> Read more about Nyxt Open Know-How Search — Search Open Hardware Projects Open Know-How Search is a project to create a search engine for the open source hardware designs. 
We are building a modern, clean and accessible search experience for makers. Our index will span the entire internet and all existing ways to share designs. Users and platforms will be able to make use of the Open Know-How meta-data standard to help get their projects into the index and surface those that are in advanced stages of development and worth looking at and attempting to re-build. The front page and top results in the search will be a useful resource to someone looking for a new open source hardware project to build and contribute to. >> Read more about Open Know-How Search Off-the-Record messaging version 4 — Advanced protocol for secure messaging OTRv4 is the newest version of the Off-The-Record messaging protocol. It is a protocol where the newest academic research intertwines with real-world implementations. Its aim is to give end-to-end encryption, deniability, authentication, forward secrecy and post-compromise security for any kind of messaging (online or offline). The goal of this new version is to give the most secure privacy and security properties that have a real impact on the world. This new version aims to be available in different desktop clients (that use XMPP or other messaging protocol) and in mobile clients. >> Read more about Off-the-Record messaging version 4 Oku — A browser and encrypted data vault based on IPFS Oku is a free and open-source browser for the Web, which aims to bring several technologies, some new and some pre-existing, to everyday users of personal computers. It aims to promote the usage of peer-to-peer protocols, such as IPFS, onion routing (using the Arti implementation of the Tor anonymity protocols), and the WebKit browser engine. With the IPFS protocol built into the browser, users will be able to create, share, and view hypermedia without the need for servers; as a consequence, pages accessed through the IPFS protocol will require offline, local-first data storage on 'vaults' residing in the user's device. 
The browser facilitates the reading of data from the local storage vaults, prompting the user for a password so that the vault may be decrypted; afterwards, the 'hivepage' (a page accessible through a P2P protocol, as opposed to HTTP) is provided with the user's files residing in the relevant decrypted vault. This model will promote a more trustable alternative to the Web, while simultaneously reducing the cost of publicly sharing hypermedia on the Internet, as servers will no longer be responsible for hosting & serving the content. >> Read more about Oku Improve Okular digital signature support — Improve open source tooling for digital signatures Okular is a Free Software document viewer that supports multiple file formats such as PDF and OpenDocument Format, and besides viewing allows for annotation and digital signatures. It was initially created for desktop Linux and UNIX operating systems but meanwhile has grown into a universal, vendor-neutral document tool for all platforms - including an increasing amount of mobile operating systems such as Android, postmarketOS and pureOS. Digital signatures allow people to establish the source of documents, but can also be used to enter into legally binding agreements or contracts - so having a reliable and transparent solution is important. The aim of this project is to improve the support of PDF digital signatures in Okular both from the point of view of features and usability, making it easier for users to interact with this crucial privacy and security functionality. >> Read more about Improve Okular digital signature support Omnom — Self-hosted bookmarking and snapshotting with search Omnom is a webpage bookmarking and snapshotting service. It consists of two parts, a web application which stores and serves the snapshots and the other part is a browser addon to create and save bookmarks. 
Snapshots created by Omnom are searchable, secure and exact copies of the rendered webpages, even with front-end heavy sites which require multiple actions to reach the relevant content. Omnom also provides functionality to tag bookmarks and highlight key information to be able to organize and efficiently search in your bookmarks and snapshots. Omnom is a self-hosted free software which can handle multiple users with their own private and publicly visible bookmarks & snapshots. Public bookmarks are available in various formats to support feed creation or programmatic processing. >> Read more about Omnom Omnom — Add social layer to personal bookmarking Omnom is a web-based, self-hosted bookmarking and snapshotting platform that can create identical snapshots of any opened webpage to what it looks like in the browser at the time of creating the snapshot. It consists of a browser addon compatible with Firefox and Chrome based browsers and a multi-user web based application. The goal of this project is to add social features and improve user experience. >> Read more about Omnom Opaque Sphinx — Secure password-based authentication with Opaque/Sphinx Opaque Sphinx is a project that aims to secure password-based authentication by deploying the state-of-the-art SPHINX and OPAQUE cryptographic protocols to eliminate almost all common attack vectors - such as weak guessable passwords, password reuse, phishing, password databases, offline dictionary attacks, database leaks - plaguing current solutions. These protocols provide the strongest available cryptographic properties with cryptographic proofs. The project intends to port its already existing free software SPHINX implementation - besides already existing support for Linux and Windows - to Android so it can also be used on smartphones. >> Read more about Opaque Sphinx OpenAGPS — Privacy-friendly, self-hostable location service Location-specific services benefit greatly from location awareness. 
However, satellite signals are slow and not always reliably available in urban areas (let alone inside buildings). Hence the need for \"assisted GPS\", which uses alternate sources such as information based on mobile cell IDs to determine location. While it seems obvious for such a capability to be a digital commons, there are no open services reliably providing this information. Mozilla operated something called the Mozilla Location Service, but this was retired recently. This leaves users either unserved or with a huge dependency on a few large vendors that bundle their own location service (based on non-public data sources and dark code) - with the latter users being dependent on the availability of and connectivity to specific machines on the internet. This project aims to provide a self-hostable alternative based on free and public sources, such as Galmon and OpenCellID, which would function independently from the services mentioned earlier. >> Read more about OpenAGPS Open Web Calendar Stack — Aggregate public and private web calendars The Open Web Calendar stack is an open-source set of Python libraries and programs which read and write calendars based on the iCalendar standard. The Open Web Calendar displays a highly configurable website that can be embedded to show a calendar. Currently, ICS URLs are supported and a goal is to also support CalDAV. Amongst the used libraries is the popular icalendar library to parse and write iCalendar (RFC5545) information. This cornerstone of Python's ecosystem requires some work to be up-to-date with common practice such as updating the timezone implementation. The updates to the icalendar library will be tested and also pushed up the stack to the Open Web Calendar. The recurrence calculation of events is done by the python-recurring-ical-events library. Changes to icalendar will be tested against this library to find compatibility issues. 
As the iCalendar standard has been updated, recurrence calculation is affected, too. These updates need to be evaluated and possibly implemented for both icalendar and the recurrence calculation. By implementing changes at the base, the whole stack is improved. We can use the Open Web Calendar project to make sure that possible transitions and updates are mapped out and communicated to other projects in the ecosystem. Improving a FOSS solution thus spreads the accessibility of iCalendar. >> Read more about Open Web Calendar Stack Openfire IPv6 support — Add IPv6 support to the Openfire XMPP server Openfire is an open-source, mature, cross-platform, real-time collaboration server based on the XMPP protocol. Originating around the turn of the century, IPv6 was not explicitly supported when it was originally created. As shown by anecdotal evidence, some IPv6 functionality already ‘works’ in Openfire. This, however, is accidental, and not by design. This project intends to add explicit IPv6 support to Openfire. >> Read more about Openfire IPv6 support Organic Maps — Privacy-focused Android & iOS offline maps application Organic Maps is a free and open-source mobile app, that offers fast detailed offline maps of the entire world based on the OpenStreetMap database maintained by millions of people across the globe. The app works with downloaded map files on your device, offering fast power-efficient map rendering, offline turn-by-turn navigation with walking/cycling/driving directions as well as robust offline search and trip planning features. Organic Maps is a community-driven app you can trust – no software bloat, no battery drain, no excessive permissions, no ads, no tracking, no personal data collection, no big tech's prying eyes. Pure and organic, made with love. 
>> Read more about Organic Maps Overte — Virtual reality based social platform Overte is a virtual social platform that allows its users to socialize in a more involved way than traditional digital communications, by allowing them to enter worlds using Virtual Reality. It can be used not just for recreational activities, but also education, psychotherapy, congresses, and more. The goal is to support people's need for immersive social platforms, by providing them with something that is privacy respecting and free. As part of this project, we aim to take on bigger maintenance and development tasks that may otherwise happen slowly or remain undone. Such tasks include overhauling the build system, as one of our challenges is enabling volunteers to build, test, and contribute to a software with more than a million lines of code and many major dependencies on multiple different platforms. >> Read more about Overte Owncast — ActivityPub powered Livecasting Owncast is a self-hosted, open source live streaming platform for people to easily host and manage their own live streams. It has become an increasingly popular option for many people to break away from the large centralized services. The project will add Fediverse (ActivityPub) integration in order to provide better means of discovery, increase engagement, and to have interoperability with other applications. The goal is for Owncast to become a fully fledged member of the Fediverse, focusing on people's streams being discovered with existing timelines and search indexes. This would allow people to for instance contribute comments directly from their own ActivityPub powered website or ActivityPub-powered link aggregators like Lemmy. 
>> Read more about Owncast P2Pcollab — Decentralised social search and discovery This project is working towards creating a more decentralized, privacy-preserving, collaborative internet based on the end-to-end principle where users engage in peer-to-peer collaboration and have full control over their own data, enabling them to collaborate on, publish & subscribe to content in a decentralized way, as well as to discover & disseminate content based on collaborative filtering, while allowing local, offline search of all subscribed & discovered content. The project is researching & developing P2P gossip-based protocols and implementing them as composable libraries and lightweight unikernels with a focus on privacy, security, robustness, and scalability. >> Read more about P2Pcollab PGP4civiCRM — Add email encryption to CRM E-mail security and privacy is not just relevant inside organisations or between individuals. A lot of email traffic comes from the institutions we all have to deal with, including some of the most confidential emails we get. And yet there is no way for users to protect their privacy and confidentiality when sending and receiving messages from organisations using such systems. PGP4civiCRM enables automatic PGP encryption/decryption of e-mails on the server side. While the project will provide special integration for the Constituent Relation Management System CiviCRM, the basic functionality can be used also with regular mailservers like postfix. The PGP4civiCRM core will basically be a milter, that listens for input messages, then looks up PGP keys from configurable sources (local key rings, LDAP) and then, based on a local, configurable, policy, encrypts/decrypts messages (or leaves them untouched) before passing them on. This way system administrators can with tiny effort provide transparent encryption support for all their mail users. 
Especially for CiviCRM the project will create an extension that allows easy web-based configuration of the relevant pieces and displaying of encrypted, received e-mails using OpenPGP.js. >> Read more about PGP4civiCRM Popularizing PeerTube — Decentralised video platform powered by ActivityPub PeerTube is a software that empowers collectives to create their own video hosting and live-streaming solution, present a federated video catalog, and emancipate themselves from proprietary centralized platforms. It is nowadays used by institutions, educators, collectives of creators and citizens. This development project is aimed toward improving on PeerTube's features and ecosystem in a way that facilitates adoption, experience and usability. Such developments include: user's data export & import, a full accessibility audit (including integrations), splitting audio & video streams, comments review & moderation tools for content creators, automated filters to facilitate moderation, streaming in \"audio only\" mode, a redesign of the video management system, a new content warning/characterization system, a whole UI/UX audit and remodel. We also want to develop the first version of an official mobile app dedicated (at first) to find and enjoy content on the PeerTube vidiverse. >> Read more about Popularizing PeerTube Peertube-Desktop — Enjoy and share federated videos Cuttlefish is a client for PeerTube that will allow for searching and discovering new and interesting videos online with more privacy. PeerTube is a federated video hosting service based on the W3C ActivityPub standard. By using WebTorrent - a version of BitTorrent that runs in the browser - users help serve videos to other users. Cuttlefish is a desktop client for PeerTube, but will work on GNU/Linux-based phones (like the Librem 5 or Pinephone) as well. 
We want the experience of watching PeerTube videos and using PeerTube in general to be better, by making a native application that will become the best and most efficient way to hook into the federation of interconnected video hosting services. It will have improved search, and will allow people to continue sharing watched videos with other PeerTube users for longer periods of time, instead of discarding the video when done watching. It will also help bridge PeerTube's gap between the - now separated - BitTorrent and WebTorrent networks by speaking both of those protocols. >> Read more about Peertube-Desktop Extending PeerTube — Adding advanced search capabilities to PeerTube This project aims to extend PeerTube to support the availability, accessibility, and discoverability of large-scale public media collections on the next generation internet. Although PeerTube is technically capable to support the distribution of large public media collections, the platform currently lacks practical examples and extensive documentation to achieve this in a timely and cost-efficient way. This project will function as a proof-of-concept that will showcase several compelling improvements to the PeerTube software by [1] developing and demonstrating the means needed for this end by migrating a large corpus of open video content, [2] implementing trustworthy open licensing metadata standards for video publication through the PeerTube platform, [3] and emphasizing the importance of accompanying subtitle files by recommending ways to generate them. >> Read more about Extending PeerTube Peertube plugin livechat — Integrated chat for Peertube live streams The Peertube project aims to offer a free, decentralized, and sovereign alternative to video-on-demand platforms. Since its 3.0.0 version it is possible to live stream. 
However, the Peertube team has chosen not to integrate a chat system, but rather to offer the necessary tools so that it is possible to integrate this functionality via plugins. It is in this context that the \"Peertube Livechat\" plugin was launched in 2021. This project - already installed on nearly 250 Peertube instances - has grown with time, and already provides a serious alternative to existing proprietary systems. However, there are still some steps to be done to offer the same level of service as these commercial platforms: manage the decentralization allowed by Peertube at the chat level, possibility of automatic moderation, streamer/viewer interaction tools, improve and complete the translations of the software, improve its documentation, think about the numerous requests of the community, and so on. >> Read more about Peertube plugin livechat Peppol for the masses — Hybrid self-hosted e-invoicing with decentralized identities Peppol is an EU-backed e-Invoicing network which uses a top-down certification infrastructure to establish trust between the sender and the receiver of an invoice. In the \"Peppol for the Masses!\" project, we will implement Peppol in PHP (so far only Java and C# implementations are available), and package its core components (the AS4 sender and the AS4 receiver) as a Nextcloud app, so that users of the popular Nextcloud personal cloud server can send and receive invoices over AS4 directly into their self-hosted server. Due to the top-down nature of Peppol's trust infrastructure, it's not possible to self-host a node in the Peppol network unless you go through a reasonably heavy certification process. Therefore, we will extend our implementation with support for self-hosted identities, using the \"WebID\" identity pattern which was popularized by the Solid project. We will also develop a re-signing gateway which replaces the signature on an AS4-Direct invoice with a Peppol-certified signature. 
In a follow-up project, we will also host an instance of this re-signing gateway and make it available free of charge, similar to how the LetsEncrypt project has made TLS certificates available free of charge. This project will lower the (cost) barrier for machine-readable cryptographically-signed e-Invoicing messages, and at the same time increase the sovereignty of end-users, towards a human-centric internet of business documents. >> Read more about Peppol for the masses Manyfold — Manage private collections of 3D models This project will build a web application for managing collections of 3d models, with a focus on the needs of the 3d printing community. It is designed to be self-hosted, and lets users browse, organise, and analyse their downloaded models. With NLnet’s support, we aim to develop it into a decentralized multiuser platform for hosting and distributing 3d content. Using ActivityPub, we aim to build a kind of 'decentralized Thingiverse', allowing anyone to run their own instance to distribute content, and subscribe to content on other servers using any one of the many ActivityPub services out there such as Mastodon. We also aim to develop an innovative open format for progressive transmission of 3d mesh data, allowing both quick previewing of remote models, and low-quality previews for commercial content. >> Read more about Manyfold A Distributed Software Stack For Co-operation — Facilitating easy ad hoc cooperation Perspectives aims to be to co-operation, what ActivityPub is to social networks. It provides the conceptual building blocks for co-operation, laying the groundwork for a federated, fully distributed infrastructure that supports endless varieties of co-operation. The declarative Perspectives Language allows a model to translate instantly in an application that supports multiple users to contribute to a shared process, each with her own unique perspective. 
The project builds a reference implementation of the distributed stack that executes these models of co-operation, and makes the information concerned searchable. Real life is an endless affair of interlocking activities. Likewise, Perspectives models of services can overlap and build on common concepts, thus forming a federated conceptual space that allows users to move from one service to another as the need arises in a most natural way. Such an infrastructure functions as a map, promoting discovery, decreasing dependency on explicit search. However, rather than being an on-line information source to be searched, such as the traditional Yellow Pages, Perspectives models allow their users (individuals and organisations alike) to interact and deal with each other on-line. Supply-demand matching in specific domains (e.g. local transport) integrates readily with such an infrastructure. Other patterns of integrating search with co-operation support form a promising area for further research. >> Read more about A Distributed Software Stack For Co-operation PixelDroid — Share and browse photos in the fediverse with a mobile app PixelDroid is an Android client for Pixelfed, the federated image sharing platform based on W3C ActivityPub. Our goal is to bring the Pixelfed platform to Android and provide a mobile user experience that excites. We aim to provide feature-parity with the Pixelfed web client as well as add additional features - like image and video editing, capturing and uploading directly from the app. During the project we will also make it easy to use multiple accounts, even across different instances. Additionally, we want to contribute to the Pixelfed API with testing and additional documentation. >> Read more about PixelDroid PixelDroid/Media editor — Native PixelFed/ActivityPub image sharing app PixelDroid is an Android app focused on sharing pictures and video through ActivityPub-based services such as Pixelfed and Mastodon. 
The scope of this project is two-fold: first to improve the application's features and make it more friendly to use for people new to the platform - we want PixelDroid to have the best onboarding experience of the fediverse. Secondly to work on photo and video editing, adding features and streamlining the editing user experience. We will also enable our work on photo and video editing to be used by others outside of the context of our app, by creating a standalone editing application and improving our 'Android media editor' library so that adding media editing to FOSS Android applications is easier than ever. >> Read more about PixelDroid/Media editor Pixelfed Live — Live streaming and other Pixelfed enhancements Pixelfed is an open source and decentralised photo sharing platform, in the same vein as services like Instagram. The twist is that you can yourself run the service, or pick a reliable party to run it for you. Who better to trust with your privacy and the privacy of the people that follow you? The magic behind this is the ActivityPub protocol - which means you can comment, follow, like and share from other Pixelfed servers around the world as if you were all on the same website. Timelines are in chronological order, and there is no need to track users or sell their data. The platform has many features including Discover, Hashtags, Geotagging, Photo Albums, Photo Filters and a few still in development like Ephemeral Stories. After supporting development of social discovery and a mobile app, NGI Zero funds this project to add a much requested live streaming feature to Pixelfed. >> Read more about Pixelfed Live Pixelfed — ActivityPub driven decentralised photo sharing platform Pixelfed is an open source and decentralised photo sharing platform, in the same vein as services like Instagram. The twist is that you can yourself run the service, or pick a reliable party to run it for you. 
Who better to trust with your privacy and the privacy of the people that follow you? The magic behind this is the ActivityPub protocol - which means you can comment, follow, like and share from other Pixelfed servers around the world as if you were all on the same website. Timelines are in chronological order, and there is no need to track users or sell their data. The project has many features including Discover, Hashtags, Geotagging, Photo Albums, Photo Filters and a few still in development like Ephemeral Stories. The goal of the project is among others to solidify the technical base, add new features and design and build a mobile app that is compatible with Mastodon apps like Fedilab and Tusky. >> Read more about Pixelfed Pixelfed — Open source, federated photo sharing platform using ActivityPub Pixelfed is a free and ethical photo sharing platform, powered by ActivityPub federation. The primary scope of this project is to build a federated Groups feature which will enable people to create communities across Pixelfed instances and other fediverse software. Pixelfed Groups will support text, photo and video posts on a separate Group-only timeline feed, as well as support a powerful role based membership system where admins can easily control who can join and the other actions they can perform. >> Read more about Pixelfed Prosody IM — Implement SASL authentication mechanism for XMPP XMPP is the most widely deployed standard protocol for real-time messaging today, and is a very popular choice among individuals and organizations who wish to manage their own internet communications, instead of submitting to other (e.g. commercial/data-driven) communication platforms. For an XMPP user to log in to their account today, two things are required: a username and a password. 
This has remained unchanged for many years, while other technologies have been steadily advancing to support security-enhancing features such as multi-factor authentication or even self-sovereign identities. XMPP uses an authentication umbrella standard known as SASL to authenticate all connections. The way XMPP integrates SASL is defined in RFC 6120 and assumes a very simple challenge-response flow, which has worked well in allowing us to upgrade the network from older SASL mechanisms such as DIGEST-MD5 and onto more modern mechanisms such as SCRAM-SHA-1 and SCRAM-SHA-256. To gain new authentication features beyond simple password authentication, we need to evolve XMPP’s relationship with SASL. This project will deliver just that, and will be the first complete implementation of a proposed standard (XEP-0388: Extensible SASL Profile) into the popular Prosody XMPP server. It will also implement support for per-session access control throughout Prosody, and support for XEP-0386 (Bind 2.0). >> Read more about Prosody IM Protomaps — Self-hostable maps based on OpenStreetMap data Protomaps is a free and open source map of the world, deployed as a single file you can host yourself. It enables interactive, zoomable mapping applications with only static storage and HTTP Range Requests. It uses the OpenStreetMap dataset as a primary source; its configurable toolchain can create maps with specific areas, custom data, and different cartographic styles. It’s used in earth science, journalism and the public sector. Protomaps has no vendor lock-in, permits end-to-end data sovereignty, and can ensure end-user privacy. >> Read more about Protomaps Ricochet Refresh — Anonymous, meta-data free secure messaging Ricochet Refresh is a metadataless messenger for PCs (Windows, macOS, Unix) that provides anonymity as well as security. 
By using Tor, it allows people at risk making public interest disclosures to communicate in chat sessions with anonymity to journalists, members of parliament, regulators protecting the environment, financial malfeasance investigators and others who have the power in society to act as corrective mechanisms to serious wrongdoing. This project will update Ricochet, reduce known security risks, and ensure continued compatibility with Tor's onion services protocol. The possibility of anonymous communication is important for everyone, but particularly vital for those who risk reprisal in their workplace or other institutions to be able to speak up. Through anonymity, Ricochet Refresh allows the focus to be on the disclosure, not on the source or whistleblower. Thus, the project provides a tool in support of evidence-based reporting in the public interest by creating a safe on-going channel for the journalist to conduct verification as the story develops. >> Read more about Ricochet Refresh SES - SimplyEdit Spaces — SimplyEdit Spaces - collaborative presentations SimplyPresent allows users to collaboratively create and deliver good looking presentations using CRDTs through Hyper Hyper Space - another project supported by NGI Assure. SimplyPresent is itself based on top of the open source SimplyEdit tool, adding advanced user-friendly presentation features. SimplyPresent allows team members to live edit a presentation and the presenter notes while the presentation is being given, control the presentation from any phone without complicated setup: all that is needed on the presenting system or with remote viewers is a URL which will sync through Hyper Hyper Space. >> Read more about SES - SimplyEdit Spaces SensifAI — AI driven image tagging Billions of users manually upload their captured videos and images to cloud storages such as Dropbox, Google Drive and Apple iCloud straight from their camera or phone. 
Their private pictures and video material are subsequently stored unprotected somewhere else on some remote computer, in many cases in another country with quite different legislation. Users depend on the tools from these service providers to browse their archives of often thousands and thousands of videos and photos in search of some specific image or video of interest. The direct result of this is continuous exposure to cyber threats like extortion and an intrinsic loss of privacy towards the service providers. There is a perfectly valid user-centric approach possible in dealing with such confidential materials, which is to encrypt everything before uploading anything to the internet. At that point the user may be a lot more safe, but from now on would have a hard time locating any specific videos or images in their often very large collection. What if smart algorithms could describe the pictures for you, recognise who is in it and you can store this information and use it to conveniently search and share? This project develops an open source smart-gallery app which uses machine learning to recognize and tag all visual material automatically - and on the device itself. After that, the user can do what she or he wants with the additional information and the original source material. They can save them to local storage, using the tags for easy search and navigation. Or offload the content to the internet in encrypted form, and use the descriptions and tags to navigate this remote content. Either option makes images and videos searchable while fully preserving user privacy. >> Read more about SensifAI #Seppo! — Portable ActivityPub implementation Posting and liking self reliantly and still have a life. #Seppo! empowers you to publish short texts and images to the internet as easily as using an online service but retain full agency and responsibility. What you publish is solely subject to public law. No 3rd parties hold a stake, nobody else imposes any rules on you. 
This is because you publish on your own property. Which is possible because housekeeping is no more than the known follow/unfollow/block/unblock content moderation of your own single account. You do that by yourself. There are no scripting engines or databases, no technical updates required. You can focus solely on the message to deliver. You build an online presence on your own digital property, robust for decades if you decide so. #Seppo! is built on mature web standards (e.g. ActivityPub), a European technology stack, inspectable plain-text storage, is security aware and decentralised. It is made for but not limited to off-the-shelf static webspace as offered by numerous vendors all over the EU. #Seppo! targets individuals and small organisations joining the #Fediverse with max. 10k followers, optionally cross-posting to the closed platforms. >> Read more about #Seppo! Servo — Independent Rust-based browser engine Servo aims to provide an independent, modular, embeddable web rendering engine, allowing developers to deliver content and applications using web standards. Servo is written in Rust, taking advantage of the memory safety properties and concurrency features of the language. As part of this project we'll add support for more CSS features to the Servo layout. The main areas of work on this project would be support for floats, writing modes and tables; which will increase the number of web pages and applications that render properly in Servo. >> Read more about Servo Servo: Benchmarking and Statistics — Infrastructure for benchmarking and testing Servo Servo is a web engine written in Rust that already provides results from the Web Platform Test Suite. However, these results may be difficult for newcomers to understand, as they lack a clear indication of the progress in supporting modern web standards. This creates challenges for the community in assessing the current state of development. 
When the community inquires about the support for specific features, these capabilities can often only be verified through manual testing. Moreover, finding information about Servo's performance can be equally challenging. To address these issues, this project aims to develop an infrastructure to benchmark and report on the current state of Servo, monitor performance differences between commits, and present these metrics and supported features in a more comprehensible way. This will give the community a clearer understanding of the state of the Servo project, leading to a more active and engaged contribution environment. >> Read more about Servo: Benchmarking and Statistics Servo CSS — CSS feature parity for Servo browser engine Servo is a web rendering engine written in Rust, with WebGL and WebGPU support, and adaptable to desktop, mobile, and embedded applications. Built with safety, speed, and concurrency in mind, Servo showcases the potential of Rust for modern web development. Servo's modular design allows for easy adaptation to various use cases. As part of this project we'll continue the work on adding support for more CSS features to the Servo layout. The main areas of work would be to finish Tables and Flexbox support; which will increase the number of web pages and applications that render properly in Servo. >> Read more about Servo CSS Multiprocess Mode in Servo — Speed up Servo with parallelisation While Servo already has multi-process mode, it’s not enabled by default. The main reason is that it isn’t completely supported on every platform yet. Only Linux and macOS have full support. It also isn't tested in the WPT suite. In this project, we want to complete the feature set of multi-process mode in Servo, set it to default, and encourage other projects based on Servo (like the Verso browser) to use it, as they could massively benefit from this multi-process architecture. 
>> Read more about Multiprocess Mode in Servo Signature PDF — Self-hosted tool to add signature to PDFs PDF Signature is a free software (FLOSS) for online signing of PDF. Users can add signature, stamp, text or check marks individually, or collectively with the shared mode. The tool aims to be a free alternative to existing proprietary web services, in order to offer users more control and guarantee of what happens to the PDF processed by the software. It is easily deployable on a server, a personal machine, a nano-computer, a container image or a Yunohost instance. The future developments of this project will improve the confidentiality by encrypting the PDF stored on the server, study and improve the compatibility with the electronic signature standards (XAdES, PAdES), internationalize the interface and add integration with Nextcloud. >> Read more about Signature PDF Slipshow — A different paradigm for presentations including flipchart style annotations Slipshow is an innovative presentation tool that moves away from the traditional slide-based approach. Instead, it provides a dynamic experience similar to using a blackboard, while leveraging the advantages of digital technology. Presentations are created from Markdown files with specific annotations, and users can interact with the content during presentations by drawing directly on it using a mouse or tablet. With the scope of this project, Slipshow will be enhanced by introducing the ability to record annotations, seamlessly integrating them into the presentation for future use. >> Read more about Slipshow Solid NC 2024 — Add more Solid capabilities to Nextcloud The Solid Nextcloud project implemented a server component with the Solid specification for Nextcloud, which makes one's Nextcloud server a Solid server as well. This allows users to use their existing server for identity and storage within the Solid eco-system. 
To enhance security and to enable easier cooperation and release of new versions we need to improve a number of things. The CI/CD of the project will be improved. Based on an earlier audit, we will implement a number of security enhancing features and we will release a PHP Solid Server next to the Solid Nextcloud module. These servers share a lot of code, which makes maintenance easier. The advantage is that PHP has a security maintenance cycle of three years, making it easier for users to stay secure when using a Solid server. >> Read more about Solid NC 2024 Solid-NextCloud app — Bridge Nextcloud to Solid This project connects the world of Solid with the world of Nextcloud. The aim is to develop an open source Nextcloud app that turns a Nextcloud server into a spec-compliant Solid server. It gives every user a WebID profile and allows Solid apps to store data on the user's Nextcloud account. It also exposes some of the user's existing Nextcloud data like contacts and calendar events as Solid user data, so that Solid apps can interact with the user's Nextcloud data, and allow the user to manage which Solid apps can access which specific aspects of the user's personal data. We will make our implementation compatible with the latest version of the Solid spec (including DPoP tokens and the WebSockets AUTH command), and contribute the surface tests we create for this as a well-documented independent test-suite, for other Solid server implementers to benefit from. We will also publish a stand-alone version of our PHP components, which can run independently of Nextcloud. >> Read more about Solid-NextCloud app Solid-Search — Queries in a pod Solid-Search aims to provide an open source module that adds full-text search functionality to Solid pods. Solid is an emergent specification initiated by the inventor of the World Wide Web, Sir Tim Berners-Lee. 
Solid aims to decentralize the web by decoupling applications from databases by introducing Solid Pods (personal online datastores that are in full control of the data owner). Having a way to search through your personal data on your Solid Pod is a must-have for the project to become truly successful. However, this requires technology that does not exist yet: a full-text search interface that works with schema-less RDF data. In order to maximize adoption and retain a modular, open approach, we will standardize the way in which data changes are described. By doing so, it will be relatively easy to introduce new search / query systems (such as search by location). The project will create the open source search back-end, improve linked data synchronisation specs, link the module to two solid implementations, create a front-end for end-users, and write a tutorial for adding data sources. >> Read more about Solid-Search Solid Control — Access Control mechanism for data and services within Solid Solid-Control aims to enhance Tim Berners-Lee's Social Linked Data Project (Solid) with Attribute-Based Access Control. By extending the Linked Data Platform (LDP) with WebID based authentication and Access Control Lists (ACL), Solid has enabled the emergence of new forms of Hyper-Apps. These apps can follow data from server to server, authenticate when needed and write to the user's Personal Online Data storage (Pod), creating a decentralised social web. With relation-based access control (friend of a friend, business network, etc.), Solid can be a full alternative to centralised social networks. We also want to allow authentication based on Verifiable Claims such as age. Solid-Control will work on developing the needed logic, verify protocols, write prototype implementations and contribute to the Solid Auth Community groups, which are developing specs for standardisation. 
>> Read more about Solid Control Secure User Interfaces (Spritely) — Usability of decentralised social media Spritely is a project to advance the federated social network by adding richer communication and privacy/security features to the network. This particular sub-project aims to demonstrate how user interfaces can and should play an important role in user security. The core elements necessary for secure interaction are shown through a simple chat interface which integrates a contact list as an easy-to-use implementation of a \"petname interface\". Information from this contact list is integrated throughout the implementation in such a way that helps reduce phishing risk, aids discovery of meeting other users, and requires no centralized naming authority. As an additional benefit, this project will demonstrate some of the asynchronous network programming features of the Spritely development stack. >> Read more about Secure User Interfaces (Spritely) Spritely — Capability based petname system Users are currently caught between two worlds of identity solutions: prepackaged centralized identity silos (which also tend to be very phishing-vulnerable) and more decentralized naming systems that awkwardly separate the experience of secure connections from identity. What if instead users could have an experience where decentralized naming was a natural outgrowth of using the application? Spritely is a laboratory project to advance the decentralized social web founded by authors of the popular ActivityPub federated social web protocol. Spritely's approach to decentralized naming systems is to implement a \"petnames system\", where local meaning is given to \"petnames\" to otherwise non-human-meaningful decentralized identifiers (such as a hash of cryptographic key material). An important part of this design is that decentralized naming flows should be a natural part of use of the program. 
Petnames tend to resemble local contacts in a \"contact list\", but petnames on their own do not provide a sufficient way to discover, meet, and come to trust new contacts. A complete petname system also provides \"edge names\": for example \"CWebber=>JessicaTallon\" would show JessicaTallon as an \"edge name\" proposed by the petname CWebber. Our system also provides support for contacts introduced in a context with no existing relationships; these are called \"self-proposed names\" and are rendered in a way distinct from petnames and edge names. This has been under-implemented in existing petname systems; since Spritely is implementing decentralized communication systems, this will be a full implementation of a petname system (including edge names and self-proposed names) in an ergonomic manner that can also be applied to other decentralized systems. In addition to a specification, the project will delivered a usable chat application plus contact list. >> Read more about Spritely StreetComplete UX — Improve usability of StreetComplete OpenStreetMap is the best source of information for general purpose search engines that need a geographic data about locations and properties of various objects. The objects vary from cities and other settlements to shops, parks, roads, schools, railways, motorways, forests, beaches etc etc etc. The search engine can use the data to answer queries such as \"route to nearest wheelchair accessible greengrocer\", \"list of national parks near motorways\" or \"London weather\". Full OpenStreetMap dataset is publicly available on an open license and already used for many purposes. The project will make collecting open data for OpenStreetMap easier and more efficient, and lower the threshold for contribution by improving usability and accessibility. Any user should be able to help improve OpenStreetMap data, simply by downloading the app from F-droid or Google store and map as they walk. 
>> Read more about StreetComplete UX Structured Email for Roundcube — Add schema.org metadata awareness to open source email Email is probably the only open and widespread technology bridging our private information space (Mobile, Desktop) and the public Internet. It can in fact be considered our \"personal API\". Structured Email for Roundcube develops a plugin for the popular Roundcube Webmail software, which extracts Schema.org data embedded in email messages. Based on that, it allows for new ways of presenting emails and interacting with them. >> Read more about Structured Email for Roundcube Sylk chat — Add instant messaging features to Sylk Internet communications privacy is important to users, and there is a limited set of encrypted multiparty audio and videoconferencing solutions available to consumers and businesses today. The market, predominantly occupied by proprietary services that often require risky plugins and lack introspection and transparency, has proved to expose users to significant security and privacy issues. This trend must be counteracted by better open source equivalents. Sylk provides a multi-party video encrypted conferencing solution meant to run on an end user computer or a mobile device. It is based on the WebRTC standard, and has a focus on user privacy and ease of use. This project will add one-to-one and group chat capabilities, allowing users, for example, to have end-to-end encryption or maintain long term group chats like other messaging apps do. >> Read more about Sylk chat Sylk Client — Secure multiparty videoconferencing application Internet communications privacy is important to users, and there is a limited set of encrypted multiparty audio and videoconferencing solutions available to consumers and businesses today. The market, predominantly occupied by proprietary services that often require risky plugins and lack introspection and transparency, has proved to expose users to significant security and privacy issues. 
This trend must be counteracted by better open source equivalents. SylkSuite, composed of SylkServer and SylkClient, is a clean and elegant open source multiparty conferencing solution for both the client and a server written in Python. SylkSuite allows groups of users to communicate privately with rich multimedia, accessed through different protocol stacks. SylkSuite allows bridging SIP clients, XMPP endpoints and WebRTC applications by using the Janus backend. The developers have a focus on strong interoperability based on the use of open standards. >> Read more about Sylk Client Sylk Mobile — Secure real-time mobile communications Internet communications privacy is important to users, and there is a limited set of encrypted multiparty audio and videoconferencing solutions available to consumers and businesses today. The market, predominantly occupied by proprietary services that often require risky plugins and lack introspection and transparency, has proved to expose users to significant security and privacy issues. This trend must be counteracted by better open source equivalents. Sylk Mobile provides a multi-party video encrypted conferencing solution meant to run on an end user computer or a mobile device. It is based on the WebRTC standard, and has a focus on user privacy and ease of use. >> Read more about Sylk Mobile Road Signs for Digital Payments — Safe, usable financial interfaces for poorly-schooled adults. GNU Taler is a digital payment protocol for privacy-preserving cash-like transactions. It improves usability by avoiding the need for the payer to authenticate to third parties. Oral Information Management (OIM) is an emerging approach of design for creating safe, usable financial interfaces for poorly-schooled adults. Worldwide UNESCO estimates over 750 million adults to be unable to read or write in any language, and hundreds of millions more have extremely limited ability. Due to unequal schooling opportunities, most are women. 
In Europe millions of migrants, refugees and marginalized people cannot confidently use digital payments. Digital OIM features carefully user-tested cash scrollbars and counting tables, iconographic navigation, mnemonic cues, user-reversible transaction processes, a 0-9 (not 1-0) numeric keypad and more. Poorly-schooled app users learn how to decode place value notation, arithmetic graphs and other schooled, formal sector protocols from repetitive use. >> Read more about Road Signs for Digital Payments Taler-Odoo Payment System — Integration module for TALER in Odoo The Taler-Odoo Payment System will integrate the GNU Taler payment system within Odoo, a business management software suite that includes customer relationship management, e-commerce, billing, accounting, manufacturing, warehouse, project management, and inventory management. With Odoo, merchants can create invoices for products they sell, websites to display them and much more. This project will produce an Odoo module written in JavaScript and Python, which allows users to pay with Taler. Similar to any other payment integration within the Odoo Framework, the module integrates into the functionality of other existing Odoo modules (ticket sale, online shopping, invoices, etc). It will allow merchants to offer customers the choice of a payment system that fully respects their privacy. >> Read more about Taler-Odoo Payment System Tantum Search — Context-enhanced search driven by schema.org Tantum Search’s goal is to present information in a fair and transparent context for the users. The platform lets users make an inventory of any information using schema.org schemas (like video, audio, paintings, ebooks, events, goods, services) and allows users to search through these entries on three axes: word, contextual and geo reference resolution. 
Providers of information can easily and without great effort add their information to the platform and make it available online – the platform automatically creates an interactive page which will be search engine optimized and users get free and unbiased access to search for goods and services. The ranking focuses on the search query and less on link popularity. Thus, ‘internet giants’ are not necessarily listed at the top due to their popularity and in addition, the ranking algorithm will be transparently released as open source so the community can optimize it. >> Read more about Tantum Search Tau — Remote sharing of terminal sessions A common problem among people working on a command-line interface is to share their terminal session with one or many other people via the internet, ideally along with an audio stream, without viewers having to install any specific software. This project creates a solution that enables anyone with a web browser to receive such a broadcast. Unlike generic screensharing alternatives, a broadcast created by .tau will not be a stream of compressed video but rather a stream of ASCII characters with preserved timing as well as the broadcaster's terminal look & feel, and giving the ability to easily copy text. The broadcaster will have a nice and easy experience installing a piece of software which accomplishes this. Upon completing a broadcast, a single resultant file is available for later viewing on the internet and/or private distribution. Simple, portable and robust. >> Read more about Tau Tauri Apps — A safer run-time for web technology based apps Tauri is a toolkit that helps developers make more trustworthy applications for the major desktop platforms - using virtually any frontend framework in existence. A popular use case is to create a desktop or mobile version of a web app, rather than wasting effort on creating native clients for each platform. Unlike other solutions (e.g. 
Microsoft's Electron), it is built in the type-safe language Rust - and the team has a focus on strong isolation, shielding the user from malicious or untrusted code downloaded \"live\" from the internet. After all, once breached, such an app can for instance siphon off cryptocurrencies or bootstrap other more persistent malware. In this project, the team works among others on a particularly innovative feature, to prevent JS injection for all application types. In this approach Rust Code Injection is used alongside dependency-free EcmaScript, Object.freeze(), and a filtering iFrame that is the only subsystem permitted to communicate with the API. This will help to create more secure applications, >> Read more about Tauri Apps Teamtype — Real-time co-editing of local text files Teamtype (previously Ethersync) aims to enable real-time collaborative editing of local text files. Similar to Etherpads, it facilitates multiple users to work on content simultaneously, enabling applications such as shared notes or pair programming. However, following a \"local-first\" approach, all files reside on the users' computers, allowing them to use their familiar editors and workflows, and to retain user control. This design enables a kind of collaboration that is simple and direct, stable and flexible, and preserves privacy. Teamtype is a supplement to tools that track larger changes on text files, like Git, and can be used in combination with it. The project leverages CRDTs, and consists of a server component, a cross-platform local synchronization daemon, and editor plugins. >> Read more about Teamtype TypeCell — CRDT-based collaborative block-based editor TypeCell aims to make software development more open, simple and accessible. TypeCell integrates a live-programming environment as a first-class citizen in an end-user block-based document editor, forming an open source application platform where users can instantly inspect, edit and collaborate on the software they’re using. 
TypeCell spans a number of different projects improving and building on top of Matrix, Yjs and Prosemirror to advance local-first, distributed and collaborative software for the web. >> Read more about TypeCell ValOS Cryptographic Content Security project — Cryptographic Content Security for ValOS ValOS (Valaa Open System) is a project pushing programming to become a civic skill. It’s a decentralized software development architecture that empowers beginners with little training or prior experience to create practical web applications. ValOS applications and data are created, stored and distributed as event streams. ValOS Gateway is a JavaScript library that acts like a browser: it connects to event streams, reduces them into applications and provides means to induce new events. ValOS Cryptographic Content Security project focuses on enhancing the infrastructure level security of ValOS through event log hash chaining, end-to-end encryption and other features. >> Read more about ValOS Cryptographic Content Security project VersaTiles — Simplify vector map tile creation, hosting, and interaction VersaTiles provides vital digital infrastructure for web maps, offering a free, flexible alternative to commercial services. Web maps are essential in fields like data journalism, research, and emergency response, but current commercial solutions are often costly, proprietary, and pose privacy concerns. VersaTiles addresses this by dividing the complex process of map creation, distribution, and visualization into manageable layers, ensuring interoperability and scalability. With its open, transparent approach, VersaTiles promotes digital sovereignty in Europe, empowering public institutions, media, and developers with an accessible, high-quality map infrastructure that avoids vendor lock-in and supports free access to geospatial data. 
>> Read more about VersaTiles Next Generation Browser Profile Workflow — A profile system for the Verso browser Users currently do not have much ownership over their browser data, including bookmarks, history, which extensions are activated, etc… Current web browsers do not really facilitate user agency, let alone in a standardised way. And we are not even mentioning the fact that synchronisation between devices is only possible through third parties, because there is no real transit between browsers (just imports). Even worse: despite this data being rather private, data is not really encrypted. The solution is complex, and it starts with the rework of browser profiles and browser workflows conceptually. This project aims to define the standards of encapsulation of these profiles separately from the browser while keeping privacy and security in focus. The prototype would be integrated in the Verso browser, but along the way the underlying Servo engine also gets some improvements for accommodating these endeavours properly. >> Read more about Next Generation Browser Profile Workflow VFRAME: Visual Defense Tools — Use computer-vision to shield privacy in video Visible data shares many of the same risks as wireless data yet visual privacy is often overlooked in the field of information security studies as separate and less relevant. As computer vision becomes increasingly adept at understanding the visual domain, differences between existing protocols for processing wireless data and emerging protocols for processing visible data (computer vision) become less apparent. Ultimately, images and video are wireless data too, and they are exposed to an increasing number of attacks on visual information privacy with fewer technologies for protection. Visual Defense Tools will explore and prototype computer vision methods for visual privacy through visual obfuscation and minimization techniques, mostly related to biometrics. 
The goal will be to build a conceptual road map and functional open-source prototypes to stimulate future development of more accessible visual privacy technologies. >> Read more about VFRAME: Visual Defense Tools Video chat privacy — Add privacy features to video chats Making video calls can be very invasive to privacy: the camera does not only capture the face and posture of the person talking, but will in fact capture the entire environment in glorious high definition - from the books in your bookshelf to family members or laundry rack behind you. This information is of no interest to the other end, but with a camera you have little choice: once you slide open the camera cover, it takes everything within the field of view and broadcasts it to the other side. This project aims to use advanced AI technology to edit the video feed in real-time, and apply various privacy enhancements such as removal of backgrounds. >> Read more about Video chat privacy WPE Android — Embedded-friendly Webview based on WebKit WPE (Web Platform for Embedded) is a WebKit port for Linux-based embedded devices with a focus on flexibility, security and performance on lower-powered devices. Albeit less known than Chromium, Firefox or Safari, WPE is currently deployed in millions of embedded devices (e.g. set-top-boxes, smart home devices, kitchen appliances, infotainment, etc), but it hasn't yet reached those based on the Android Operating System, which has become an important actor for certain types of devices, such as phones, tablets, set-top-boxes and even IoT devices. In such environments, the only option currently available to leverage the power of the Web Platform is to use Android's WebView, which is based on Chromium and therefore problematic in cases where using that is not an option. 
By bringing WPE to Android in the form of an Android WebView-compatible component, we aim not just to make WPE available in more platforms but also to expand the options Android developers currently have so that they can choose between a Chromium-based WebView and a WebKit-based WebView for their applications. This would be great to cover Web rendering needs in general on Android, and particularly beneficial for multimedia-intensive use cases (e.g. set-top-boxes, digital signage...), as well as for other less conventional use cases such as QA & testing (e.g. testing WebKit-based browsers on Android based systems). Last but not least, as a side effect of widening the reach of WPE to Android-based devices, we believe that we would also be bringing more balance and diversity to the Web, by making sure that developers have a realistic alternative to the Chromium-based Web rendering engine they can use to develop their products. >> Read more about WPE Android Waasabi Framework — P2P Live Streaming for events Waasabi is a highly customizable platform for self-hosted video streaming (live broadcast) events. It is provided as a flexible open source web framework that anyone can host and integrate directly into their existing website. By focusing on quick setup, ease of use and customizability Waasabi aims to lower the barrier of entry for hosting custom live streaming events on one's own website, side-stepping the cost, compromises and limitations stemming from using various \"batteries-included\" offerings, but also removing the hassle of having to build everything from scratch. Active research into the creation of a peer-to-peer streaming backend seeks to advance the project's long-term goal of promoting the adoption of owned experiences through the use of decentralized technology. 
By further cutting down on dependencies, cost and infrastructure complexity this effort aims to enable broadcasts to scale as the audience size grows, which in turn will support Waasabi's continued adoption. >> Read more about Waasabi Framework Independent captions and transcript augmentation — Speech-to-text integration for Waasabi Waasabi is a highly customizable platform for self-hosted video streaming (live broadcast) events. It is provided as a flexible open source web framework that anyone can host and integrate directly into their existing website. By focusing on quick setup, ease of use and customizability Waasabi aims to lower the barrier of entry for hosting custom live streaming events on one's own website, side-stepping the cost, compromises and limitations stemming from using various \"batteries-included\" offerings, but also removing the hassle of having to build everything from scratch. In this project the team seeks to integrate tools for transcript augmentation, augmented human captioning and automatic machine-generated captions using open-source software based on machine learning and royalty-free training data and models. The primary use case is live captioning for live internet broadcasts (primarily video streaming). With such tools online event organizers will be able to create interactive transcripts and better live captions for their events anytime everywhere - and without external dependencies. >> Read more about Independent captions and transcript augmentation Wax — Add ODF, legacy office and PDF capabilities to Wax Wax (formerly known as CokoDocs) is an open-source, web-based Word Processor that is collaborative by design. In this project we're actively extending CokoDocs' use cases to include paging support (through PagedJS), OpenDocument Format import/export as well as support for some legacy file formats. In addition we will add backend system configuration, asset management, text chat and more. 
CokoDocs aims to become a best-in-breed, highly customizable, and innovative word processor with strong privacy and security properties and elegant accessible design. >> Read more about Wax Improving WebKit on Windows — Improve Windows support for the WebKit browser engine WebKit is an open source browser engine, used by Safari and others. Such a browser engine is used to lay out web pages, graphically render the content and perform all other kinds of tasks under the hood of a browser or WebView. In recent years, one engine (Google's Blink engine, which forked from WebKit in 2013) has started to become nearly pervasive due to the market share of Google. Having a global dependency on a single piece of code maintained by a single entity is a significant liability, and isn't good for the open web either. It is important that applications on all platforms are able to choose from different engines like WebKit, Gecko or Servo. One weak part of WebKit in recent years has been its limited support for the Windows platform. This project will focus on enabling more features in WebKit’s Windows port, to make WebKit a more viable alternative choice when building a cross-platform web browser. >> Read more about Improving WebKit on Windows DeltaChat/WebXDC — Portable private apps that can be shared in e.g. chat Webxdc is a fresh and still evolving effort to explore \"private apps\", essentially 'portable' web apps through which users can interact in any number of ways outside of the traditional client-server paradigm, e.g. over E2EE chat. These mini-apps offer interesting interaction patterns -- without any dependency on centralised infrastructure, additional logins etc. It grew from Delta Chat, a highly innovative solution that uses secure email-based communication technology for social networking, protected with OpenPGP/Autocrypt. 
The project will further develop the concept of Webxdc apps, and make it for instance possible for users to make data portable (which is currently not possible due to missing security controls for that). >> Read more about DeltaChat/WebXDC Webxdc evolve — Comparative analysis of HTML5 app containers Webxdc.org is an evolving standard which defines a format for portable HTML5 applications and an API for local-first, peer-to-peer, end-to-end encrypted applications. For this project we will perform a comprehensive survey of historical and contemporary efforts with similar goals, including those by W3C working groups, independent open-source developers, and noteworthy proprietary platforms. We'll produce reference documents providing developers with a comprehensive overview of the space, summarizing their options for packaging portable HTML5 applications for different platforms, and highlighting affinities between closely aligned projects. As a follow-up, we'll propose additions to the webxdc API based on patterns observed in other projects, aiming to reduce the complexity of common designs and facilitate portability between or interoperability with existing platform implementations. >> Read more about Webxdc evolve Whisperfish — Cross-platform mobile client for Signal and derivatives Whisperfish is a third-party open source client for the popular Signal instant messaging network. Whisperfish is in an advanced beta stage, and is available for SailfishOS. In collaboration with the Axolotl project, within this project we aim to implement full-fledged clients for various mobile operating systems. >> Read more about Whisperfish XWiki — Bring wiki capabilities into the Fediverse XWiki is a modern and extensible open source wiki platform. Up until now, XWiki had been focusing on providing the best collaboration experience and features to its users. 
We're now taking this to the next level by having XWiki be part of the larger federation of collaboration and social software (a.k.a. fediverse), thus allowing users to collaborate externally. XWiki is embracing the W3C ActivityPub specification. Specifically we're implementing the server part of the specification, to be able to both view activity and content happening in external services inside XWiki itself and to make XWiki's activity and content available from these other services too. A specific but crucial use case, is to allow content collaboration between different XWiki servers, sharing content and activity. >> Read more about XWiki Wobble Web — Hybrid graphics editor and coding environment WobbleWeb is a hybrid graphics editor and coding environment for making and sharing small-scale websites. It provides a gentle and playful introduction to coding in javascript and html, where dragging something on the page changes the code, and editing the code changes what is on the screen. The project is built upon a set of open-source web components that can be used with the editor as well as independently. The web components serve as a direct wrapper to html, adding gesture-based and direct in-browser editing capabilities to existing HTML and Web APIs. The extensible custom elements allow the open-source community to build more advanced features, such as incorporating canvas elements, WebGL, or integration with backend APIs. WobbleWeb differs from existing graphical webpage builders, with its emphasis on writing javascript for beginners, as well as its modular and extensible ecosystem. >> Read more about Wobble Web Wolvic — Web browser designed for use in XR devices Everybody will meanwhile have come across people wearing strange glasses, immersed in a world beyond the here and now. But what are they looking at, and how does the web fit in there? Wolvic is a web browser dedicated to work with virtual reality (VR) and enhanced reality (XR). 
The goal of this project is to add a number of important features such as VR peripheral awareness (placing contextual information on the edge of the user's vision) and spatial reasoning (3D representation of navigation-related information) to the Wolvic browser. Wolvic is the only open source browser available in the XR space, and as such any device maker or other third party can create their own version of Wolvic to explore the burgeoning XR space. >> Read more about Wolvic Wolvic User Interface — Flexible windows, tabs, zooming and web rendering in Wolvic Wolvic is an Open Source Web browser developed for XR (Extended Reality) devices, focusing on delivering both traditional web browsing and immersive experiences across multiple platforms. Led by Igalia, with its significant expertise in browser engine development and standards organizations, Wolvic aims to broaden the accessibility and functionality of web browsing in the XR space. This project will further the development of Wolvic by improving its user experience and adding support for more content, standards, and platforms. We will enhance the flexibility of window management, improve browsing functionality like tabs and zoom, and refine hand tracking and related features in the 3D space. Although Wolvic currently uses the Gecko browser engine, its architecture is designed to be independent of any particular engine; for improved support and performance, we will integrate the Chromium engine and make available a Chromium-based version of Wolvic alongside the existing Gecko-based one. Furthermore, we will extend compatibility to new device formats, such as lightweight Augmented Reality (AR) glasses. Finally, we are enhancing our support of AR experiences on the Web and implementing the WebPayments standard for secure online transactions. 
>> Read more about Wolvic User Interface Event Federation Plugin for WordPress — Add ActivityPub to events created with most common WordPress event plugins Freedom in announcing events. The WordPress Event Federation plugin allows events created in WordPress with the most popular event plugins to be seamlessly published to the Fediverse via ActivityPub. The core problem is that events need to be discoverable, listable and subscribable by potential visitors. Since organisers' personal websites do not meet this requirement, most of them publish their events on multiple (commercial) platforms, which results in people searching for events being tied to these platforms. Currently, many to most event organisers use WordPress to run their own website. With this plugin, they can make their events even more visible without changing their workflow. At the same time, they gain data sovereignty and independence from traditional search engines and platforms that give less control over how content can be filtered. The goal is to realise typical use cases, such as server-to-server federation with Mobilizon instances, or another example: to allow Fediverse users, such as those of Mastodon, to follow events directly from the organisers. >> Read more about Event Federation Plugin for WordPress WordPress ActivityPub — Bring ActivityPub social networking to the widely used WordPress WordPress ActivityPub is a plugin that allows your site users to interact with other users in the fediverse. Currently the plugin supports Follows by remote users, sending out public posts to followers, and receiving remote users' public Comments on local posts. This project will develop features allowing for a more rich and typical social experience with Direct messages, Followers only posts, and Threaded comments to and from the fediverse. Moderation tools will be included and user privacy features will also be developed. 
>> Read more about WordPress ActivityPub XWiki ActivityPub — First class ActivityPub support in XWiki XWiki is a modern and extensible open source wiki platform. XWiki is the first wiki that is part of the larger federation of collaboration and social software (a.k.a. fediverse), allowing users to collaborate externally. XWiki is embracing the W3C ActivityPub specification. Specifically we're implementing the server part of the specification, to be able to both view activity and content happening in external services inside XWiki itself and to make XWiki's activity and content available from these other services too. A specific but crucial use case, is to allow content collaboration between different XWiki servers, sharing content and activity. >> Read more about XWiki ActivityPub Yrs — Collaborative editing with CRDT written in Rust Yrs \"wires\" will be a native port (in the Rust programming language) of the Yjs shared editing framework. Abstractly speaking, Yjs allows many users to concurrently manipulate state that eventually converges. It is a popular solution for enabling collaborative editing (Google Docs style) on the web because it is indefinitely scalable, works peer-to-peer, and has a rich ecosystem of plugins. There are plugins that allow you to connect with other peers over different network providers (WebRTC, Websocket, Dat/Hyper, IPFS, XMPP, ..) and there are many editor plugins that allow you to make existing (rich-)text editors collaborative. The Yjs project is about connecting projects with each other and providing a network-agnostic solution for syncing state. A native port will allow native applications (e.g. XI, Vi, Emacs, Android, iPhone, ..) to sync state with web-based applications. We chose Rust because it's well suited to be embedded in other languages like C/C++, PHP, Python, Swift, and Java. With Yrs, we want to connect even more projects with each other and provide a modern collaboration engine for native applications. 
The Rust implementation will implement the full feature set of the shared types, including the event system. This will enable users to parse existing Yjs documents, manipulate them, and implement collaborative applications. The port will make it easy to \"bind\" to another language so that the shared state is available in other languages as well. There will likely be a WASM binding, a C++ binding, and a Python binding (provided by Quantstack). Other existing features like awareness, selective Undo/Redo manager, relative positions, and differential updates will be added after the initial release. >> Read more about Yrs Yrs Undo — Rust-based CRDT framework for real-time multi-user applications Yrs \"wires\" is a native port (in the Rust programming language) of the Yjs shared editing framework. Abstractly speaking, Yjs allows many users to concurrently manipulate state that eventually converges. It is a popular solution for enabling collaborative editing (Google Docs style) on the web because it is indefinitely scalable, works peer-to-peer, and has a rich ecosystem of plugins. There are plugins that allow you to connect with other peers over different network providers (WebRTC, Websocket, Dat/Hyper, IPFS, XMPP, ..) and there are many editor plugins that allow you to make existing (rich-)text editors collaborative. This project will add a selective Undo/Redo manager, include support for other native clients and to interop with languages like Java, PHP and Swift. The goal is to reach full feature compatibility with Yjs and improve its performance even more - bringing a collaborative, decentralized experience where users' data lies in their own hands. 
>> Read more about Yrs Undo bluetuith — Bluetooth connection/device manager for the terminal Bluetuith is a lightweight Text User Interface (TUI) based Bluetooth manager for the terminal, which allows users to manage a multitude of different Bluetooth based functions, like pairing, connection, file transfers, handling audio playback and networking and so on seamlessly via an easy-to-use interface. The project aims to extend support to as many other platforms as possible, to achieve multiplatform support, and provide users with a familiar interface to control Bluetooth across different platforms. The project also aims to solve the issue of communication and user-friendliness of platform specific Bluetooth stacks, by creating daemons/services native to that platform, and lightly wrapping native APIs and exposing a standard set of APIs that will allow any client to be built cross-platform and to connect and control Bluetooth (Classic especially) in a much more efficient and uniform manner. >> Read more about bluetuith Reinstatement of crypto.signText() — Cryptographic signatures brought back to the browser Since the 1990s Netscape and Firefox supported the ability to sign an arbitrary piece of text with a digital certificate, and have that signature returned to the webserver. The texts being signed have historically ranged from transaction records, financial declarations, and court documents. This project implements a set of Native Browser Web Extensions that bring the digital signing of text to all modern browsers that support the NMBE standard. The process of choosing the certificates and generating the signatures is performed outside of the browser, using APIs native to each operating system. Web pages communicate with the extensions using the Javascript crypto.signText() function, and the signed documents are returned packaged as a PKCS7 response. The project aims to make digital signing accessible, while being browser agnostic. 
>> Read more about Reinstatement of crypto.signText() fediverse.space — Find your way in the Fediverse Fediverse.space is a tool for understanding decentralized social networks, and searching through them. The fediverse, or federated universe, is the set of social media servers, hosted by individuals across the globe, forming a libre and more democratic alternative to traditional social media. When displaying these servers in an intuitive visualization, clusters quickly emerge. For instance, servers with the same primary language will be close to each other. There are more subtle groupings, too: topics of discussion, types of users (serious vs. ironic), and political leanings all play a role. fediverse.space aims to be the best tool for understanding and discovering communities on this emerging social network. >> Read more about fediverse.space it — Radically decentralised version control with CRDTs The project summary for this project is not yet available. Please come back soon! >> Read more about it Securing Decentralised Live Information with m-ld — Collaborative editing of Linked Data based on CRDT m-ld is a software technology for live information sharing. It enables software engineers to reliably add real-time collaboration, support for offline working, and service resilience to both new and existing software architectures. It achieves this by operating at an \"information\" level, creating reusable patterns for maintaining the consistency and integrity of application content that is being edited from multiple locations at once. m-ld is built from the ground up on a W3C standard information representation, contributing ideas for its evolution, and is committed to open standards and open source. 
This project will research and prototype modifications to the primitives of the m-ld core protocol to natively support strong assurance of data integrity and traceability, with authority assignable to identified users or groups, so that they can be reliably assured of the integrity and controlled availability of their data. >> Read more about Securing Decentralised Live Information with m-ld Minedive — P2P search over webRTC The minedive project is building several components: first, minedive is a browser extension aiming to allow users to search the web while preserving their anonymity and privacy. The second is an open source reference implementation of its rendez-vous server. minedive instances connect to each other (via WebRTC data channels), forming a two-layered P2P network. The lower layer (L1) provides routing, the upper layer (L2) provides anonymous and encrypted communication among peers acting as a MIX network. This architecture guarantees that peers which know your IP address (L1) do not know your search data (L2) and vice-versa. A central (websocket) rendez-vous server is needed to find and connect with L1 peers, and to exchange keys with L2 peers, but no search goes through it. We are running a default server which can be overridden by users who want to run their own (using our reference implementation or a custom one). Users can also set the extension to pick peers from a given community (identified by an opaque tag). Currently all requests are satisfied by letting L2 peers return results from the 1st page of mainstream search engines (as they see it, in an attempt to escape the search bubble). While this will stay as a fallback, we plan to implement web crawling on peers, doing keyword extraction from URLs in local bookmarks and history and ranking with open algorithms, being transparent with users about which techniques are used and open to suggestions. 
>> Read more about Minedive Search and Displace — Find and redact privacy sensitive information The goal of this project is to establish a workflow and toolchain which can address the problem of mass search and displacement for document content where the original documents are in a range of forms, including a wide variety of digital document formats, both binary and more modern compressed XML forms, and potentially even encompassing older documents where the only surviving form is printed or even handwritten. The term \"displacement\" is meant to encompass actions taken on the discovered content that are beyond straight replacement, including content tagging and redaction, as well as more complex contextual and user-refined replacement on an iterative basis. It is assumed that this process will be a server application with documents uploaded as needed, on either an individual or bulk upload basis. The solution would be built in a modular fashion so that future deployments could deploy and/or modify only the parts needed. In practical terms this involves the creation of an open source tool chain that facilitates searching for private and confidential content inside documents, for instance attachments to email messages or documents that are to be published on a website. The tool can subsequently be used for the secure and automated redaction of sensitive documents; building this as a modular solution enables it to be used “standalone” with a simple GUI, or used via command line, or embedded within 3rd party systems such as document management systems, content management systems and machine learning systems. In addition a modular approach will facilitate the use of the solution both with different languages (natural and programming) and different specialities e.g. government archives, winning tenders, legal contracts, court documents etc. 
>> Read more about Search and Displace uMap — Collaborative custom mapping with OpenStreetMap data uMap is an online open source application to make custom maps. It aims to make creating maps easy for anyone in a few clicks. It’s simple for basic use cases, whether you want to prepare a bike trip with your friends or communicate the current roadworks for your city. But it’s also flexible and extendable for more complex or custom ones: drawing or importing data, customizing style and interface, sharing access to a map… uMap is also easy to install and to maintain to enforce a decentralized model. It is already deployed in several European countries, and is translated into dozens of languages. Plus, it also allows maps to be created anonymously. In this project, we will add real-time collaboration on maps with local-first support - which will for instance help a lot with live events and mapping sprints - and clean up the user interface. >> Read more about uMap uMap Vector Tiles — Use vector tiles to build custom maps with OpenStreetMap data uMap is a web application which lets you quickly build custom maps with OpenStreetMap’s background layers and integrate them on your own website. Vector tiles allow two main things: less duplicated content, and data transmitted at the same time as the tiles, enabling scenarios where data and background could be styled according to the user's needs, which previously required serving custom tiles. >> Read more about uMap Vector Tiles ","title":"Services + Applications","url":"https://nlnet.nl/thema/Services+Applications.html"},{"url":"https://nlnet.nl/thema/Reportsandstudies.html","title":"Reports and studies","description":" Reports and studies Research to advance the knowledge on themes relevant to NLnet This page contains a concise overview of projects funded by NLnet foundation that belong to Reports and studies (see the thematic index). 
There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. Assessing Cyber Security — This report aims to assess what we know about cyber security threats based on a review of 70 studies published by public authorities, companies, and research organizations from about 15 countries over the last few years. It answers the following questions: what do we know about the number, origin, and impact of cyber attacks? What are the current and emerging cyber security trends? And how well are we prepared to face these threats? Over the years, a plethora of reports has emerged that assess the causes, dynamics, and effects of cyber threats. This proliferation of reports is an important sign of the increasing prominence of cyber attacks for organizations, both public and private, and citizens all over the world. In addition, cyber attacks are drawing more and more attention in the media. Such efforts can help to improve awareness and understanding of cyber threats and pave the way to improved prevention, mitigation, and resilience. This report aims to help in this task by assessing what we know about cyber security threats based on a review of 70 studies published by public authorities, companies, and research organizations from about 15 countries over the last few years. It answers the following questions: what do we know about the number, origin, and impact of cyber attacks? What are the current and emerging cyber security trends? And how well are we prepared to face these threats? The focus of the examined reports differs widely. Some reports look at all possible cyber attacks, others zoom in on specific threats such as Distributed Denial of Service attacks or malware. Some reports focus on a specific sector, or one country, others have a global scope. 
Methodologies used by the reports are often inconsistent and sometimes opaque: some are based on self-reporting (e.g., surveys), while others use data generated by software. One of the main observations of our study is that the range of estimates in the examined investigations is so wide, even experts find it difficult to separate the wheat from the chaff. This leads to the conclusion that, although there is no shortage in the number of reports, well defined and comparable cyber threat data and risk assessments are missing. Download the report or view in the browser. >> Read more about Assessing Cyber Security The third mainport — Digital Infrastructure in the Netherlands - The Third Mainport Download the 2013 report or view in the browser. Download the 2014 report or view in the browser. Read the press release >> Read more about The third mainport NOMA — Network Operator Measurement Activity The Network Operator Measurement Activity — NOMA — is exploring the possibility of developing operator-driven network health measurements. NOMA aims to establish a platform for collaboration on the initial definition, collection and dissemination of operator network measurements (self-instrumentation), with a goal of ensuring a better, shared understanding of what “good” Internet looks like. This will allow new networks brought online to determine that they are well aligned with that target, and will give operators a better sense of when their networks are healthy or underperforming. >> Read more about NOMA "},{"description":" Privacy and security Projects to understand, safeguard and/or improve privacy and security in communication. This page contains a concise overview of projects funded by NLnet foundation that belong to Privacy and security (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. 
ELF Linking — Analytic tools for UNIX' Executable and Linkable Format The Executable and Linkable Format is a common standard file format for executable files, object code, shared libraries, and core dumps. Understanding dynamic links is important but hard without the proper tools. This is a problem, because the actual details can have significant technical and legal implications. >> Read more about ELF Linking PSYC2 — Next iteration of the Protocol for SYnchronous Conferencing Protocol for SYnchronous Conferencing is an efficient text-based protocol for delivery of data to a flexible amount of recipients or people, by unicast or multicast. PSYC2 represents a next iteration of the PSYC framework in conjunction with SecuShare, another NLnet supported project that aims to build a novel social messaging system as part of the GNUnet peer-to-peer system. >> Read more about PSYC2 Anomos — a pseudonymous, encrypted multi-peer-to-peer file distribution protocol Anomos introduces a layer of security and anonymity currently absent in peer to peer file sharing protocols. Through the study of cryptography and anonymous networks such as TOR, a system is being designed which allows any individual to safely distribute files to a large audience without fear of legal or social repercussions. This technology is an important part of modern free society, and a tool which may be used around the world to bring about positive social change. With Anomos, one can distribute the file anonymously to thousands of people at once. Because Anomos is based on BitTorrent, each download makes the network faster, more robust, and harder to eliminate. 
This technology can benefit thousands of people all around the world: those who live in religiously oppressive places, those to whom the mere accusation of apostasy or sexual deviance could be life threatening, mash-up artists concerned about copyright infringement, or anyone fearful that their actions on the Internet may lead to unjust punishment. First and foremost, Anomos has been designed as a tool for free speech. >> Read more about Anomos Deep Firmware — Active discovery of known and unknown security vulnerabilities in firmware Understanding firmware is very difficult without the proper tools. The project builds an advanced prototype for scanning of security aspects of firmware based on the open source Binary Analysis Tool. >> Read more about Deep Firmware DIFR-TSPM — a demonstrator of a different way to inform consumers about the RFID tags Increasingly, products for sale in shops are being tagged by RFID tags. These tags contain a unique product or item number, which can be read out wirelessly over a short distance by an RFID reader. Their function in shops and supermarkets is similar to the ubiquitous paper barcode, except that RFID tags can also be read out if the tag is not in plain sight of the reader. This means these tags can also be read out surreptitiously when walking around the store, or afterwards when the items are in your shopping bag and you are walking on the street. This also holds true for payment cards and travel passes (e.g. the OV chipcard in the Netherlands) that people carry with them. This has raised concerns about the impact of RFID technology on privacy in our society. The goal of the project is to develop a demonstrator of a different way to inform consumers about the RFID tags on the items they buy or the tags that surround them in their environment. The main idea is to use a mobile phone to display information about RFID tags in the vicinity. In particular, the setup of the demonstrator will operate as follows. 
A consumer sets his privacy preferences in a profile stored on his mobile phone. If he holds the phone close to a product in a shop containing an RFID tag, the phone will read the tag number from the tag. It will then query (over the Internet, either through GPRS, UMTS or WiFi) the backoffice to retrieve the privacy policy corresponding to the tag number. Then it will match the tag policy with the consumer policy, and present the result of the match to the consumer on the display of the mobile phone in an intuitive and appealing manner. This demonstrator will be used to show how such a concept: empowers users in deciding for themselves how their privacy is affected and how to respond to that information, and allows producers to efficiently communicate their privacy policy to consumers. >> Read more about DIFR-TSPM DNSSEC-mail — DNSSEC for OpenDKIM and OpenDMARC Until recent developments of domain name authentication, Internet mail has not had access to scalable mechanisms for validating an identity associated with a message. Any identifier could be used fraudulently. The Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are relatively new technologies that create a foundational change by validating domain identifiers. However they are only the first step. DMARC takes additional steps in allowing domain owners to publish statements about their email use of their identifiers and DMARC facilitates much easier operational reporting from mail recipients to domain owners. Thus this project will improve use of DNSSEC in the email security space. Two major upcoming applications will drive this: DMARC, which relies on the DNS for advertising policy information, and a domain-based reputation system that relies on DKIM, which in turn relies on secure DNS use to advertise keys and policies. OpenDKIM includes DNSSEC support via libunbound of NLnet Labs. 
>> Read more about DNSSEC-mail e-Passports — use of (hardware) electronic passports for user authentication over internet Over the past two years, electronic passports (e-passports) have been introduced in most countries of the world. An e-passport embeds a chip with card holder details. While there are concerns about the privacy consequences of the introduction, caused by the contactless nature of communication and the sensitive nature of contained biometric data, this also presents a unique opportunity: it provides every citizen of the world with a strong authentication token within a global Public Key Infrastructure (PKI). The technical standards which describe how to verify the authenticity of electronic passports are open and publicly available from the International Civil Aviation Organization (ICAO). Although likely not intended as such by ICAO, e-passports are ideal for authenticating users of Web services. The current proposal intends to build such an Identity 2.0 solution with open source software. We propose to create a trustworthy identity solution that allows a user to use their e-passport for authentication at regular websites or webservices (e.g. for e-government like services). Such a solution may contain a browser plug-in that integrates the software developed in JMRTD with an open source identity selector (perhaps compatible with InfoCard). Additionally, the solution may require the establishment of a central server that acts as an identity provider (perhaps compatible with OpenID). A question that will need to be answered is to what degree end-users and service providers need to trust our identity provider (in case of end-users: trust with respect to dealing with privacy sensitive data). >> Read more about e-Passports FileSender — FileSender is a secure and private way to share large files with anyone. FileSender is a self-hosted service that allows you to share very large files with anyone. 
>> Read more about FileSender FTEproxy — FTE enables developers to build systems resistant to surveillance and censorship. fteproxy provides transport-layer protection to resist keyword filtering, censorship and discriminatory routing policies. Its job is to relay datastreams, such as web browsing traffic, by encoding streams as messages that match a user-specified regular expression. >> Read more about FTEproxy Global Directories — Distributed contact information discovery mechanism A global directory is a way of retrieving contact information from others, using standard technology, so you can employ automatic tools that download and update contact information without manual intervention - or without any third parties snooping into your private or business social environment. Moreover, you can use the same technology to share any relevant information (such as keys for protection of your email) to anyone. >> Read more about Global Directories GNUnet — implementation and evaluation of an improved routing algorithm for GNUnet GNUnet is GNU's framework for secure peer-to-peer networking. The framework is designed to support a range of applications. The primary application at this point is anonymous and censorship-resistant file-sharing. The main thrust of the proposed research is the design, implementation, deployment and evaluation of a secure, fully decentralized P2P routing protocol. Centralization increases operational costs, creating prominent targets for attacks and single points of failure as well as raising privacy concerns. The resulting network must be open, allowing new peers to join at any time. Adversaries are assumed to participate in the network, and the protocols must gracefully degrade in the presence of adversaries. Graceful degradation means that adversaries may only reduce the efficiency of network operations, and that this reduction in efficiency should be at most proportional to the resources available to the adversary. 
Our quest for practical protocols also implies that the design must handle real-world constraints. In particular, we want to handle connectivity issues that arise on the Internet (for example, due to firewalls). We use the term restricted-route networks to describe networks with restrictions limiting direct communications between participants. The proposed protocol also addresses the possibility of peers leaving the overlay network abruptly, joining and leaving the network frequently, and the fact that the amount of resources available to peers can differ by a few orders of magnitude. Our goal is to come up with adaptive protocols which adjust resource allocation based on automatically obtained network performance metrics that characterize the behavior of faulty or malicious nodes. Specifically, if an alternative path without faulty nodes exists, it must be possible for the routing algorithm to eventually discover it. The routing protocol must also be able to address disproportional consumption of resources. In particular, an adversary should not be able to issue a request that consumes more than a small constant factor of resources above the amount consumed by the normal operation of benign nodes. As a result, the proposed new protocol is able to prevent peers from launching asymmetric attacks, which leverage weaknesses in the system and magnify the damage caused. NLnet's contribution is used to pay a graduate student's salary for a full year (the university will waive tuition) to work on the implementation and evaluation of an improved routing algorithm for GNUnet. The routing algorithm will be implemented as a GNUnet service which means that many (existing and future) applications using the GNUnet framework will be able to take advantage of it. The specific proposed work is about a new routing algorithm that will support scalable and secure routing in a restricted-route topology. 
>> Read more about GNUnet GoogleSharing — GoogleSharing anonymizing proxy GoogleSharing is a special kind of anonymizing proxy service, designed for a very specific threat. It ultimately aims to provide a level of anonymity that will prevent Google from tracking your searches, movements, and what websites you visit. GoogleSharing is not a full proxy service designed to anonymize all your traffic, but rather something designed exclusively for your communication with Google. The system is totally transparent, with no special \"alternative\" websites to visit. Your normal work flow should be exactly the same. GoogleSharing is different from general anonymizing proxies: Most will mask your IP address, but not the identifying information in your HTTP headers. Google will still know who you are based on your Cookies, User Agent, etc. If the proxy does attempt to anonymize HTTP headers, they will do it by completely stripping cookies from your request. Google does not like this, and will tag you as a SPAM bot (how convenient for them to do), which will force you to type in a CAPTCHA every time you issue a Google search, and will prevent you from issuing Maps requests at all. These types of proxies can be slow. It's not necessary to proxy all of your internet traffic if you're just trying to protect yourself from Google. Since GoogleSharing only proxies Google traffic, our bandwidth needs are much lower and thus our performance is much greater. GoogleSharing is different from Google replacements: GoogleSharing does not require that users change their workflow by visiting different websites. GoogleSharing supports all Google services which don't require a login, so it does more than just anonymize search. As Google continues to expand its grasp of the internet, GoogleSharing will automatically expand with it, automatically anonymizing whatever new services emerge in a fully transparent way. GoogleSharing has the potential to be fully distributed. 
As we make the move towards distributing requests across multiple configured servers, this is a definite step in the direction of P2P. >> Read more about GoogleSharing GSM-Sec — GSM Security Project, debugging GSM transactions The popular GSM cell phone standard uses outdated security and provides much less protection than its increasing use in security applications suggests. This project aims to correct the disconnection between technical facts and security perception by creating a GSM tool that allows users to record and analyze GSM data. This project complements several other current open research projects into GSM technology. These projects --including OpenBTS, OpenBSC, and OsmoconBB-- create open re-implementations of network equipment and hand sets to make the technology more accessible and open. It builds on these insights and shows the security limits of the technology. The feedback loop, however, goes both ways: the record and decode tool, for example, will allow the OpenBTS base station to operate on multiple frequencies thereby supporting more concurrent phone calls. The target audiences of the tools are security and radio researchers. By Security Research Labs. >> Read more about GSM-Sec HTTPS-Obs — HTTPS Observatory The project collects an Internet-wide dataset of all publicly visible TLS CA certificates in order to search for CA-certified Man In The Middle (MITM) attacks against HTTPS privacy and measure the extent to which browsers really need to trust 60-200 CAs completely. Extended datasets measuring from multiple source networks (via Tor) and using SNI will also be collected. In collaboration with volunteers from security consulting firm iSEC Partners, EFF intends to write a program that accesses every Web server on the public IPv4 Internet running HTTPS on port 443. We will create a complete dataset of the certificates each server offers to visitors. Then we will analyze the data, comparing: Who is the Certificate Authority? 
For which domains is the certificate valid? Where is the machine issuing the certificate located? Who operates that network? With these data it will be possible to answer the following questions: How many CA services are used by publicly accessible sites? Which ones are rarely used? Can one find evidence of specific MITM attacks in the form of publicly visible attack servers (that victims in the wild would have been redirected to via DNS or other mechanisms) or in the form of network-layer attacks detected against our own survey machines? Concrete evidence would be useful for motivating browser developers to adopt more secure trust models. How many domains intentionally use more than one apparently legitimate, apparently valid certificate at the same time? (This impacts on the design of enhancements to the TLS trust model) How many sites in the wild show different valid certificates to users who come from different parts of the Internet? How many CAs are used primarily or exclusively in particular countries or DNS domains? By Electronic Frontier Foundation. >> Read more about HTTPS-Obs Jitsi-FMJ — Replacing JMF with FMJ Jitsi became a focus project of NLnet as it offers a free, open and secure alternative to Skype and similar communication tools. Today it offers chat, Audio/Video calls with SIP and XMPP, and Jitsi is the only tool which does it in a secure way (using ZRTP), on all three major operating systems. At the heart of Jitsi's media service lies the Java Media Framework (JMF) of SUN, which was not released under a FLOSS license. Free Media for Java (FMJ) which was founded by Ken Larson is meant to be a free and open alternative of JMF. The goal of this subproject is to continue the work on the FMJ project and take it to a stage where it can be used within Jitsi as a viable alternative of JMF. This would hugely benefit the community: It will essentially provide Java developers with an active, free media library. 
More importantly however, it will be an essential step toward porting Jitsi to other environments such as Android or porting it as a web application. >> Read more about Jitsi-FMJ Ksplice — update the Linux kernel without rebooting Ksplice is a new technology for protecting the security and reliability of machines on the network. Currently, all computer systems need to be rebooted regularly to apply OS updates, in order to be secure against potential attacks over the network. Ksplice makes it possible for system administrators and end-users to perform OS updates effortlessly, without a reboot. This project will make an open source Linux distribution be the first operating system in the world that does not require regular reboots for security updates. This technology also has the potential to significantly hinder network attackers by reducing the window of vulnerability during which computer systems are running software with known problems. Thus, Ksplice solves the underlying weakness in the system so that no malicious activity, no matter how it has been disguised, will be able to achieve its objective of compromising the system. >> Read more about Ksplice Ksplice2 — Ksplice for mainline Linux and Fedora With previous support from NLnet, Ksplice has made the free software Linux distribution Ubuntu be the first operating system in the world that does not require regular reboots for security updates. Ksplice Ltd has started providing rebootless OS updates to more than 10,000 users of Ubuntu -a significant step, but larger-scale deployment is needed in order for the technology to become truly mainstream. The goals of this project are: to freely provide rebootless OS updates to 100,000+ users running the major community Linux distributions, and to get the Ksplice kernel software merged into the mainstream Linux kernel. 
The NLnet support is used for the development required to get the Ksplice tool merged into the mainstream Linux kernel and the development work on the Uptrack application required to freely bring rebootless updates to Fedora, the second most popular desktop Linux distribution behind Ubuntu. These initiatives are critical to the path of taking this open innovation to mainstream adoption. Specifically, getting Ksplice merged into the mainstream Linux kernel is the best way to ensure that Ksplice has the full support of the diverse Linux kernel community. This support will improve Ksplice’s technical quality and encourage more people to trust and use Ksplice. Bringing Ksplice beyond Ubuntu is necessary since so many Linux users use distributions other than Ubuntu. One of Linux’s strengths is the variety of choices that it provides, so it makes sense to provide Ksplice for many community Linux distributions rather than just one community Linux distribution. Fedora is the next step in this direction. >> Read more about Ksplice2 Lantern — DNSSEC in Lantern The goal of Lantern - a censorship circumvention and monitoring-prevention tool - is to build an easy-to-use, secure, and indestructible tool to keep the internet open and unfettered for anyone in the world. Lantern uses a P2P infrastructure, particularly the LittleShoot P2P stack, along with the LittleProxy HTTP proxy and the Smack XMPP client library. All of these utilize DNS in a number of areas. In environments where e.g. the government has access and control over all network traffic in and out of the country, the authenticity of DNS records is of paramount importance. This project aims to integrate DNSSEC into every DNS lookup in Lantern, including all DNS lookups in the LittleProxy, Smack, and LittleShoot sub-modules. >> Read more about Lantern LEAP/Torbirdy — LEAP integration into Torbirdy Due to its age and design flaws, securing email is notoriously hard. 
Without an easy-to-use e-mail client most users will not be able to adequately protect themselves. LEAP allows easy set-up of secure e-mail providers, but currently LEAP integration into e.g. the popular Thunderbird email client requires manual configuration and does not provide anonymity of the connection from the client to the server via Tor. What if users could profit from automatically encrypting email and retain their privacy? >> Read more about LEAP/Torbirdy Mailman-SSLS — OpenPGP and S/MIME support in Mailman Currently, there is no re-encrypting mailing list manager with support for both PGP and S/MIME. Mailman is the most popular Open Source mailing list manager. The Secure List Server project \"mailman-pgp-smime\" aims to include OpenPGP and S/MIME support in Mailman, the GNU Mailing List Manager. Adding re-encryption will enable groups of people to cooperate and communicate securely via email: mail can get distributed encrypted to a group of people, while the burden of managing individual keys is dealt with by the list software, not the sender. Furthermore, authentication is possible: the list server software takes care of checking this. This way, strong security for groups of people becomes available to a wide audience. Technical specification This project will publish a patch for the official Mailman distribution. This patch handles both RFC 2633 (S/MIME) and RFC 2440 (OpenPGP) email messages. A post will be distributed only if the PGP (or S/MIME) signature on the post is from one of the list members. For sending encrypted email, a list member encrypts with the public key of the list. The mailing list server will decrypt the posting and re-encrypt it with the public keys of all list members. In order to achieve this, each list has a public and private key. 
(The private keys are optionally protected by passphrases.) Furthermore, new list settings are defined: gpg_postings_allowed: is it allowed to send to this list postings which are encrypted with the GPG list key? gpg_msg_distribution: are subscribers allowed (or even forced) to upload their GPG public key in order to receive all messages encrypted? gpg_post_sign: should posts be GPG signed with an acknowledged subscriber key before being distributed? gpg_msg_sign: should the server sign encrypted messages? Similar settings are defined for S/MIME. Finally, each subscriber can upload her PGP and S/MIME public key using the Mailman web interface. >> Read more about Mailman-SSLS NetAidKit — The NetAidKit is a pocket size, USB powered router for safer mobile networking. The NetAidKit is a pocket size, USB powered router that connects everything to everything, designed specifically for non-technical users. The easy to use web interface will allow you to connect the NetAidKit to a wireless or wired network and share that connection with your other devices, such as a phone, laptop or tablet. >> Read more about NetAidKit Faster and configurable datapath/Linux xfrm — Rewriting nftables to optimise for xfrm The project entails rewriting nftables (which is a subsystem of the Linux kernel responsible for packet filtering and classification) to make it easier to combine with xfrm (which is the common framework to work with IPsec in Linux). IPsec was originally developed in conjunction with IPv6 but is just as often used with IPv4 as well. IPsec encrypts traffic, providing key features absent in the regular IP layer - like data integrity, data origin authentication and confidentiality. The project is expected to make an important contribution to improving the IPsec capabilities, usability, speed and robustness in many systems. 
>> Read more about Faster and configurable datapath/Linux xfrm NoScriptABE — improve the ABE (Application Boundaries Enforcer) for NoScript NoScript is a popular (over two million active users) add-on extending the Firefox open source web browser and other products based on the Mozilla Gecko engine. NoScript increases web client security by applying a Default Deny policy to JavaScript, Java, Flash, and other active content. It provides users with a one-click interface to easily whitelist sites they trust for active content execution. The Application Boundaries Enforcer (ABE) module will attempt to harden the web application oriented protections already provided by NoScript with a firewall-like component running inside the browser. This project is specifically focused on developing a new web browser component called ABE, aimed at mitigating or defeating Cross Site Request Forgery (CSRF) attacks against sensitive web applications. This component will be built on the existing request interception, tracing and blocking framework of NoScript, and it will be integrated in NoScript's broader web security infrastructure, together with whitelist-based scripting, active content execution policies, anti-XSS filters, ClearClick anti-ClickJacking protection and HTTPS/Secure Cookies enhancements. After a working ABE implementation as a NoScript component is completed, a refactoring and repackaging activity to deploy it as a separate “ABE Firefox Add-On” will be done. >> Read more about NoScriptABE NoScript-Andr — Android Native NoScript NoScript is a popular GPL add-on for Firefox and other Mozilla Gecko-based browsers which increases the web client security in several innovative and ground-breaking ways. NoScript was extensively supported by NLnet and currently has almost 3 million active users, and it has pretty much no competitors. 
That's because it goes very far beyond simple script blocking, having established itself as the \"ultimate\" security enhancement for the web browser, even though it's available on Mozilla Gecko-based browsers only. Unfortunately, no NoScript equivalent is available on mobile platforms yet. This is intended to be the unique final result of this project. >> Read more about NoScript-Andr NoScript-Mob — NoScript Mobile NoScript is a popular GPL add-on for Firefox and other Mozilla Gecko-based browsers, which considerably increases the web client security in several innovative and ground-breaking ways. Numerous useful features make NoScript the most advanced browser security tool, used and respected by most web security experts and serving as an example and an inspiration for safety enhancements which are slowly finding their way into mainstream web browser technologies. The way people use the web is steadily moving towards mobility: we've got smart phones rivaling desktop PCs in power and usability, and open source mobile OSes, like the Debian-derivative Maemo by Nokia or, even more prominently, Google's Android, which open exciting scenarios but also pose significant challenges. The challenge NoScript wants to accept and win is bringing the safest web browsing experience to mobile platforms. In order to achieve this, NoScript will be re-designed and re-implemented to be compatible with the latest Firefox Mobile versions, which run both on Android and Maemo devices, trying to retain as much as possible of its core components and functionality. >> Read more about NoScript-Mob NoScript-Mob2 — NoScript Mobile part 2 NoScript is a popular GPL add-on for Firefox and other Mozilla Gecko-based browsers which considerably increases the web client security in several innovative and ground-breaking ways. 
Numerous useful features make NoScript the most advanced browser security tool, used and respected by most web security experts and serving as an example and an inspiration for safety enhancements which are slowly finding their way into mainstream web browser technologies. This project is the follow up of the first NoScript Mobile project, and will implement specific components: XSS Filter, ClearClick, Mobile-friendly Setup Interface, Remote Synchronization, ABE component (Application Boundaries Enforcer). The way people use the web is steadily moving towards mobility: we've got smart phones rivaling desktop PCs in power and usability, and open source mobile OSes, like the Debian-derivative Maemo by Nokia or, even more prominently, Google's Android, which open exciting scenarios but also pose significant challenges. The challenge NoScript wants to accept and win is bringing the safest web browsing experience to mobile platforms. In order to achieve this, NoScript will be re-designed and re-implemented to be compatible with the latest Firefox Mobile versions, which run both on Android and Maemo devices, trying to retain as much as possible of its core components and functionality. >> Read more about NoScript-Mob2 Cryptech.is — An open source open hardware security module to protect communications Cryptech.is is a project that wants to design an open-source hardware cryptographic engine that can be built by anyone from public hardware specifications and open-source firmware. Anyone can then operate it without fees of any kind. >> Read more about Cryptech.is OSN-PPCP — Privacy-Preserving Communication Protocol for OSNs Today online social networks (OSNs) have become an indispensable platform for internet users to find friendship and share information. 
However, users are pretty much electronically naked in any OSN: (1) User’s data is in the clear to the OSN service provider, and can be accessed by many other parties without any consent; (2) User’s activities are under surveillance by the OSN service provider. Numerous privacy breaches have been reported, often with disastrous consequences to the user concerned, such as getting fired by the employer, getting rejected from a job application, even leading to suicide. To mitigate the problem, most OSN service providers provide some privacy controls to users to protect their information. However, this is not the antidote and will never be, because the aforementioned problems (1) and (2) still remain. This project will design and implement a privacy-preserving communication protocol to mitigate the problems (1) and (2). In more detail, it will achieve the following features: A user always keeps his private data in encrypted form. Two users can match each other based on their respective private data sets, without revealing anything. Two friends who share some common private data communicate in private. The communication will remain private against the OSN service provider and other users. The implementation will be based on the OpenSocial API, and programmed in JavaScript. The final form of the implementation will be a browser plug-in, for example for Firefox. >> Read more about OSN-PPCP OV-Chipkaart — privacy friendly chip card for public transport This project is about the OV-chipkaart, a single national chipcard for all public transport in the Netherlands, which is similar to London's Oyster card or Hong Kong's Octopus card. It is a proprietary solution being introduced by Trans Link Systems (TLS), a consortium of public transport companies. Currently the OV-chipkaart is being tested in practice in and around Rotterdam and Amsterdam. National introduction has been postponed a couple of times, but is now foreseen in 2009. 
In early 2008 the OV-chipkaart came under heavy attack because of both security and privacy concerns: Individual travel movements are collected centrally and will be used for direct marketing purposes. The Dutch Data Protection Authority (College Bescherming Persoonsgegevens, CBP) has therefore described the approach as: not in accordance with the law (CBP report). The cryptographic protection in the Mifare Classic chipcard, used in the personalised cards, is broken. The throw-away cards have been cloned, enabling free travel. Very little is known about how the system actually works, and about how (private) data are protected. The aims for this project are twofold: On the one hand, to concentrate on documenting the current OV-chipkaart system and make a public repository of knowledge. Factual information about the design, strengths and weaknesses of the current system; an explanation of all the things that were in the news since roughly January 2008. On the other hand, experiment with the card in order to transparently develop a new system from scratch in which RFID technology is used for ticketing in public transport. Using an open design process, the design criteria and the quality of the solutions can be evaluated by a broad audience, including scientists, hackers, but of course also stakeholders such as transport companies. This process may eventually result in an open standard. >> Read more about OV-Chipkaart Pitchfork — Open hardware for compartmentalizing key material and cryptographic operations The PITCHFORK is a free/libre hardware device for compartmentalizing key material and cryptographic operations in a small and durable USB device. It uses a minimalist Cortex-M3 processor and stores all keys in the CPU flash memory. The PITCHFORK has an embedded radio interface over which it can do secure key exchanges with other devices, including \"post-quantum\" cryptography. 
Over USB it can send and receive messages using various modern low-level crypto protocols, providing different aspects of overall security. >> Read more about Pitchfork Qubes — A reasonably secure operating system Qubes OS is a security-oriented operating system (OS). Qubes is free and open-source software (FOSS). This means that everyone is free to use, copy, and change the software in any way. It also means that the source code is openly available so others can contribute to and audit it. >> Read more about Qubes RFID Guardian — hardware prototyping of a mobile device for personal RFID security and privacy management. This Project intends to accelerate hardware prototyping of the RFID Guardian Project. All people getting in touch with the RFID technology, i.e. buyers and users of virtually any goods sold, shall have means to manage the information which is sampled and uncontrollably transmitted by the RFID chips. The RFID Guardian is a battery-powered device that represents the first-ever unified platform for RFID security and privacy administration. The RFID Guardian acts as an \"RFID Firewall\", enabling individuals to monitor and control access to their RFID tags by combining a standard-issue RFID reader with unique RFID tag emulation capabilities. Additionally, the RFID Guardian is useful as an RFID security diagnostic and auditing tool. This \"RFID Guardian Quick Start Action\" project is intended to bootstrap the larger RFID Guardian project. It is also intended to place the Quick Start Action in a larger context, thereby helping to transform the concept of the RFID Guardian into a commercial open-source hardware product. >> Read more about RFID Guardian RFID Guardian(2) — unified platform for RFID security and privacy administration The RFID Guardian is a battery-powered device that represents the first-ever unified platform for RFID security and privacy administration. 
The RFID Guardian acts as an 'RFID Firewall', enabling individuals to monitor and control access to their RFID tags by combining a standard-issue RFID reader with unique RFID tag emulation capabilities. Additionally, the RFID Guardian is useful as an RFID security diagnostic and auditing tool. The RFID Guardian Project is focused upon providing security and privacy in Radio Frequency Identification (RFID) systems. The goals of the project are to: Investigate the security and privacy threats faced by RFID systems Design and implement real solutions against these threats Investigate the associated technological and legal issues >> Read more about RFID Guardian(2) Samizdat — Samizdat makes public key cryptography accessible Samizdat is intended, in part, as a tool for activists -- or, generally, for anyone who desires secure communication with others who lack the computer literacy (or merely patience) to configure public key cryptography or VPNs. Samizdat would also be useful to give an outsider access to a network without being easily detected; for example, it could facilitate document leaking. Samizdat is a LiveCD intended primarily to make public key cryptography accessible: to distribute public keys securely, and to pre-configure various applications of cryptography, especially VPN-based applications. Samizdat LiveCDs are self-replicating, with the replicated system not being identical, instead having one another's public keys and various other information. The replicated systems automatically become nodes on a VPN. The LiveCD serves as a secure boot medium for a fully-functional, fully-encrypted persistent system. This project integrates many existing projects: Tor, Onioncat, GPG, LUKS, Git and others. >> Read more about Samizdat Seahorse SmartCard — Seahorse Smart Card Support Smart Cards provide solid, tamper-proof security. 
When used with modern web authentication technology, they can be used to provide a protection against phishing and can also be used to solve other problems facing one's identity on the web today. But desktops ignore their existence. In order to get things rolling with better smart card support on the Desktop, users and developers need simple access to smart card technology. Seahorse is a key manager that's used on the GNOME Desktop. Currently it can manage stored passwords, PGP, and SSH keys. This project will add smart card support to the Seahorse key manager. This project will implement basic management of certificates and keys stored on smart cards in the Seahorse key manager. Users will be able to examine and use their smart card with the same management operations as available to certificates and keys stored in software key tokens. >> Read more about Seahorse SmartCard Searsia — Searsia is a protocol and implementation for large scale federated web search. Searsia provides the means to create a personal, private, and configurable search engine, that combines search results freely from a very large number of sources. Searsia enables existing sources to cooperate such that they together provide a search service that resembles today’s large search engines. In addition to using external services at will, you can also use it to integrate whatever private information from within your organisation - so your users or community can use a single search engine to serve their needs. >> Read more about Searsia Searx — Searx is an internet metasearch engine that can be easily self-hosted by anyone. Searx is a free software internet metasearch engine which aggregates results from a significant number (currently more than 70) of search services. A private (or preferably shared) instance of Searx allows you to escape from the so-called 'search bubble' created by overzealous personalisation of your search results. 
It gives you a more diverse (or at least alternatively biased) view on the world, by combining the results of a variety of sources without filtering based on your previous searches. Searx also helps to reduce the amount of tracking and passive observation search users are subject to, by offering a layer of proxying isolation. >> Read more about Searx SecuShare — A framework for sufficiently safe social interaction The SecuShare project implements a social messaging service based on the GNUnet peer-to-peer framework offering scalability, extensibility, and end-to-end encrypted communication. The scalability property is achieved through multicast message delivery, while extensibility is made possible by using PSYC (Protocol for SYnchronous Communication), which provides an extensible RPC (Remote Procedure Call) syntax that can evolve over time without having to upgrade the software on all nodes in the network. Another key feature provided by the PSYC layer is stateful multicast channels, which are used to store e.g. user profiles. End-to-end encrypted communication is provided by the mesh service of GNUnet, upon which the multicast channels are built. Pseudonymous users and social places in the system have cryptographical identities (identified by their public key); these are mapped to human memorable names using GNS (GNU Name System), where each pseudonym has a zone pointing to its places. >> Read more about SecuShare Online Self-defence in Ten Minutes — Online Self-defense in 10 minutes Bits of Freedom foundation develops an \"Online Selfdefense in ten minutes\" tool. Many people use the Internet carelessly and are not aware that such behavior entails risks for their privacy. And those who are familiar with this kind of risks often think that it is too difficult to undertake something to defend their privacy. >> Read more about Online Self-defence in Ten Minutes Shadow Internet — An alternative communication infrastructure working phone to phone. 
Shadow Internet is an alternative communication infrastructure developed by researchers at Technical University Delft that enables people to distribute videos by copying them from phone to phone wirelessly. So even without an Internet connection you can share content. Specifically crafted to be resilient. >> Read more about Shadow Internet Magic Wormhole/SPAKE2 — Securely send files between two computers with minimum fuss SPAKE2 is a modern academic password-authenticated key exchange mechanism, originally designed by two security researchers from Ecole Normale Superieure. It allows setting up an ad hoc encrypted channel between two users that share a combination of words in real-time. Magic Wormhole is an open source implementation of SPAKE2 (both client and server) by Brian Warner, one of the founders of TAHOE-LAFS. The server part of Magic Wormhole can create a rendez-vous/relay, so it can be used in a LAN, behind firewalls, NATs, etc. There are many cases in which a person wants to quickly exchange a file in an untrustworthy environment (say a presentation deck) without running either the risk of an Evil Maid attack or uploading to a trusted server and then giving someone access to that. Most people do not even have such a trusted infrastructure, which forces them to trust their data to third parties. This solution allows for very user-friendly exchange of files with modern encryption, without the need for anything else. Secure exchange of files is a critical problem of all ages; this solution has potentially disruptive qualities. This project will try to make SPAKE2 primitives available to mobile app developers and will support standardisation of SPAKE2 inside the IETF. >> Read more about Magic Wormhole/SPAKE2 Stratosphere IPS — A behavioral-based free software Intrusion Prevention System. The Stratosphere IPS is a free software Intrusion Prevention System that uses Machine Learning to detect and block known malicious behaviors in the network traffic. 
The behaviors are learnt from highly verified malware and normal traffic connections in our research laboratory. Its goal is to provide the community and especially vulnerable targets with low budgets such as NGOs and civil society groups with an advanced tool that can protect against targeted attacks. >> Read more about Stratosphere IPS Stubby — A local DNS Privacy stub resolver using DNS-over-TLS Stubby is an open source project to develop a DNS stub resolver for use on client devices which will provide DNS Privacy for end users by implementing DNS-over-TLS (RFC 7858). This service will provide encrypted first-hop access to DNS services protecting users’ DNS queries from eavesdropping at any point along the path between their device and a privacy-enabling DNS server. More information about DNS-over-TLS: https://tools.ietf.org/html/rfc7858 >> Read more about Stubby Tor hidden services — Protect publisher and users of the services against identification The Tor Anonymity System's key functionality `Hidden Services' allows users to set up anonymous information services (like websites) that can only be accessed through the Tor network and therefore are protected against identification of the host that runs the services. Using these Hidden Services, critical political and human rights information can be published in a way that both the publisher and users of the service are protected from identification. The current version of Tor Hidden Services has a number of drawbacks that hamper the active use of this important feature. The most serious limitation is the performance: the time it takes until a Hidden Service gets registered in the network and the latency of contact establishment when being accessed by a user. Due to design issues in the original Tor protocol, the connection to a new Hidden Service can take several minutes, leading most users to give up before the connection has been established. 
Using the Tor Hidden Services for direct interactive user-to-user communication (like for instant messaging) is nearly impossible due to this high latency in the Hidden Service circuit setup. An evolution of the Tor protocol is proposed to speed up the Tor Hidden Services. The improved protocol will change the way circuits are set up. The end goal is to have the protocol change production ready and propagated to the Tor users within nine months. The resulting software will be published under the GPL license, like the rest of the Tor code. All deliverables will be fully public. >> Read more about Tor hidden services Tor low-bandwidth — Tor for modem and mobile users The Tor anonymity system is currently only usable by internet users with high-bandwidth connections. Upon start of a Tor client, a large file with all Tor server descriptions is being downloaded. This \"Tor Directory\" file enables the client to pick from the available mix-servers in the Tor network. This Directory file is too large for users on modem lines or on mobile data networks (like GPRS) as it gets downloaded each time a user logs in, taking 10 to 30 minutes over a slow connection. Therefore, Tor is not usable by modem and mobile users. One of the major goals of the Tor project is to provide secure anonymous internet access to users in repressive states. These locations often have very slow internet connections to the outside world. By enabling these users to use the Tor network, significant progress can be made towards free communication and free information in these countries. An evolution of the Tor protocol is proposed to reduce the initial download size. The new Tor protocol version should change the way a client receives the information for its Tor circuit setup in such a way that the initial download can be performed over a slow modem line in less than three minutes. 
The work to be conducted under the proposal is split into two major deliverables, with the end goal of having the protocol change production ready and propagated to the Tor users within a timeframe of less than 8 months. The resulting software will be published under the GPL license, like the rest of the Tor code. All deliverables will be fully public. >> Read more about Tor low-bandwidth Tracking Exposed — Increase transparency behind personalization algorithms The goal of the project is to increase transparency behind personalization algorithms, so that people can have more effective control of their online experiences and will have more awareness of the information to which they are and are not exposed. >> Read more about Tracking Exposed Trusted Boot Module — An open hardware trusted boot manager This project is developing a system for booting trusted OS images on existing, ARM-based systems. It will consist of open hardware and software that allows users to start up Linux systems on off-the-shelf ARM development boards, where the system ensures that the system can be booted in a trusted state by booting only OS images trusted by the vendor and/or the user of the system. The hardware consists of cheap, off-the-shelf components that are simple to analyse and program, and which provide for an easily verifiable solution that does not depend on 'black box' components. This project aims to bring trusted boot to the market of commodity ARM-based servers, thus providing the community a security solution that allows for, for example, affordable distributed hosting and computing. >> Read more about Trusted Boot Module Turtle — P2P infrastructure for safe sharing of sensitive data Turtle aims at the creation of a peer-to-peer (P2P) infrastructure for safe sharing of sensitive data. The truly revolutionary aspect of Turtle rests in its novel way of dealing with trust issues. 
Where other P2P architectures attempt to build trust relationships on top of a trust-agnostic P2P overlay, Turtle builds its overlay on top of pre-existent trust relationships among its users. This allows both data sender and receiver anonymity. At the same time, it protects each intermediate relay in the data query path against liability. Furthermore, its trust model should allow Turtle to withstand most of the denial of service attacks that plague other peer-to-peer data sharing networks. >> Read more about Turtle Unhosted — Unhosted, separating data servers from application servers The web is not as open as it used to be: big monopoly platforms have formed new proprietary layers on top of it. This project breaks the \"you get our app, we get your data\" package deal. It does this by providing a cross-origin data storage protocol, thus separating data servers from application servers. More and more applications are hosted online and force users to put their data onto servers where applications run. Apart from our data being locked inside a place we don't have control over, many websites sell the data to third parties. This is a huge emergency in terms of consumer rights. Unhosted improves the web infrastructure by separating web applications from your data: You can store your data remotely anywhere, preferably encrypted; Unhosted apps, which are web applications, will run locally in your browser. This also makes it easier for app developers, as they neither have to worry about hosting all the data and user accounts nor about server load - all the computing takes place in your own browser on your own machine. With the app being just JavaScript it becomes very easy to develop and deploy new apps which everyone can use. The project will define a standard and submit it to W3C. 
>> Read more about Unhosted Unhosted — The Unhosted project enables separation of storage and applications Unhosted is an approach to the \"cloud\" opposite to the current web2.0 trend: it separates the user data from the application, rather than putting user data \"into\" the application. This leads to much better privacy management. End-users of \"cloud\" capable applications use Unhosted directly, they don't have to do anything special for that - just need to log in to remoteStorage enabled applications using their remoteStorage-enabled email address. As example, all Dutch students and academic staff already have remoteStorage connected to their university email addresses. Now the target community is web developers. They need to enable their applications so that they accept login with remoteStorage. Contrary to other projects (that usually create 1 product with 1 function, and offer that as a free software of which everyone can run their own server, like Diaspora, MediaGoblin, ownCloud, etc.), Unhosted aims for a generic storage server. Everyone just needs a bit of very simple and dumb cloud storage, with no application-specific features. Cloud storage becomes an interchangeable commodity, and the market of useful cloud applications becomes entirely separate from the market of reliable cloud storage. >> Read more about Unhosted XSSer — Cross Site Scripting testing Currently, XSS attack is one of the most widespread vulnerabilities in Web applications. Incorrect filtering and the appearance of new increasingly sophisticated techniques make protection a complex and time-consuming task. Cross Site \"Scripter\" aka XSSer, is an open source penetration testing tool that automates the process of detecting and exploiting XSS injections in different applications. It contains several options to bypass certain filters, and various special techniques of code injection. It makes possible to test an application on vulnerabilities to Cross Site Scripting (XSS) attacks. 
The XSSer tool aims to automate these complex application security testing tasks. Run by R.C. Merida (psy) >> Read more about XSSer ","title":"Privacy and security","url":"https://nlnet.nl/thema/Privacyandsecurity.html"},{"description":" Operating Systems Operating Systems, firmware and virtualisation This page contains a concise overview of projects funded by NLnet foundation that belong to Operating Systems (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. Firmwire full-system 5G baseband emulation — Easier testing of 5G baseband modems with FirmWire FirmWire is an open source full-system baseband firmware emulation framework for emulating, fuzzing, debugging, and root-cause analysis of smartphone baseband firmware. This project builds upon the framework to support newer, 5G capable, smartphones. Baseband processors are used in all modern smartphones for cellular network connectivity and are a remote attack surface. As such, baseband security is of utmost importance. Baseband firmware is complex, proprietary, and lacks public scrutiny. Emulation and reverse engineering are one of the few public ways to analyze baseband processors. These efforts will provide more transparency in baseband firmware and improve the community’s ability to analyze 5G security through emulation and fuzzing. Additionally, the reverse engineering efforts could aid in developing better open source drivers in the future. 
>> Read more about Firmwire full-system 5G baseband emulation Android translation layer (ATL) — Run Android apps on Linux The Android Translation Layer is an alternative implementation of Android application APIs on top of standard Desktop Linux, with the ability to run apps as-is using some AOSP components such as ART+libcore, modified to use system-provided libraries where possible to further the goal of being as lightweight as possible. That is in contrast with existing container-based solutions which require running a whole AOSP system in parallel to the host Linux system, resulting in considerably higher resource usage (both disk space and RAM) and longer startup times. The higher efficiency of ATL can make it viable to sideload apps also on more constrained devices. Another benefit of our approach is better integration with the desktop, such as native notifications. >> Read more about Android translation layer (ATL) Accessible security — Integration effort of independent security efforts like Qubes, Heads, coreboot, etc The \"Accessible security\" project's initiative was sparked by the need for usable security made available to the average citizen. Several projects are contributing a part of this bigger puzzle: QubesOS, coreboot, Heads, me_cleaner, Whonix and others. Yet the average person does not have the sophistication to integrate these software projects. With some effort we can add some missing parts, help the affected projects' usability, and facilitate access to cutting-edge developments, currently only usable by developers and more sophisticated users. Bringing these projects together will reduce the amount of expertise and effort required to benefit from these projects. >> Read more about Accessible security Alder Lake Desktop — Open firmware for widely used Desktop/Workstation motherboard Modern firmwares are extremely complex pieces of software code. As such, it is not uncommon for some functionality to be bugged or to not be working as intended. 
Sometimes firmware updates break things that used to work, too. The first course of action is to request the mainboard manufacturer to resolve it, and typically the support team delivers a binary with a fix. However, when it comes to feature requests in the firmware, the manufacturers refuse to comply. The mainboard owner ends up with a piece of hardware not fulfilling the owner's needs and has to move to a different platform that is hopefully equipped with firmware containing the desired feature. However, this problem can be solved by offering freedom to the board owners. The freedom to modify and adapt the firmware to their own needs, which can be accomplished by open-source firmware. The goal of the project is to implement open-source firmware support for the MSI PRO Z690-A WIFI DDR4 workstation/desktop platform and open the door to liberty of customization. MSI PRO Z690-A supports the newest 12th generation of Intel Core processors. Furthermore, there will be no dependency on the mainboard manufacturer to provide fixes, because an experienced community could do them for a worldwide benefit. >> Read more about Alder Lake Desktop Arcan-A12 Directory — Server side scripting API for Arcan's directory server A12 is an explorative p2p protocol for fast and secure remote application interactions. Current desktop protocols are locked inside the constraints of their origins, and most of these have significant security and privacy issues. As a result, we've come to depend heavily on web frontends as the universal desktop application corset - which in return has caused a massive complication and overloading of the browser. A12 establishes a secure and interconnected network of personal compute devices, includes peer-to-peer channels and cryptography components. This project adds a directory server that can be used as a trusted 3rd party rendezvous to establish such channels. 
It will expand the scripting API towards writing assistive 'apps' that can complement or split the workload handled on client devices; provide state synchronization and indexing/search between dynamic mesh networks created by linking directory servers together; dynamically launch and attach controlled sources. >> Read more about Arcan-A12 Directory Arcan-A12 Tools — A12 clients for different platforms and devices such as drawing tablets The interaction patterns with our compute devices have switched from \"one device - multiple users\" over to \"one user - multiple devices\" and this new reality requires a shift in how user personal data is shared and synchronised between their devices. A12 is a network protocol designed to establish a secure and highly interconnected network of personal compute devices that has been developed as part of a larger Arcan umbrella project. The protocol includes peer-to-peer channels and cryptography components. This follow-up project sets out to implement lightweight applications that will be capable of networking over A12 protocol to enable remote control, sensor and screen sharing, file sharing, notification sharing and enable other personal data flows. The end goal is convenience of having interconnected devices without sacrificing privacy and performance. >> Read more about Arcan-A12 Tools Heads-OpenPGP — OpenPGP Authenticated Heads and long-time awaited security improvements The work to be accomplished in this project will resolve Heads current missing accessibility, reproducibility and platforms locking improvements, including Heads missing authentication mechanisms prior to permitting recovery shell access or booting USB external media, possibly leading to data loss without evil-maid even having to unscrew anything. Also, a user currently losing his USB OpenPGP dongle would lose its private encryption subkey forever therefore losing access to all past encrypted content and lessening security until dongle replacement. 
By considering Heads as a secure pre-boot \"clean room\" environment on initial flashing/reflashing of whole firmware, generating OpenPGP master key and subkeys in memory and implementing keys backup/restore mechanisms to/from/creating USB thumb drive encrypted storage, Heads will be able to rely further on OpenPGP (gnupg toolstack) and its detached-signing of content and signature verification against fused public (measured) key to authenticate the owner of the machine prior to letting him have access to the machine's persistent states. Having reproducible builds again will make auditability of the firmware easier, while locking the firmware prior to leaving Heads environment will prevent whole classes of SPI based persistent threats. >> Read more about Heads-OpenPGP Betrusted OS — An embedded OS for cryptographic devices Betrusted OS will underpin the Betrusted ecosystem, and will enable secure process isolation. It will be written in a safe systems language - namely Rust - to ensure various components are free from common programming pitfalls and undefined behavior. Unlike modern operating systems that trade security for speed, the Betrusted OS will prioritize security and isolation over performance. For example, it will be a microkernel that utilizes message passing and services rather than a monolithic kernel with modules. Unlike other deeply-embedded operating systems, it will require an MMU, and support multiple threads per process. This will let us add features such as service integrity and signature verification at an application level. >> Read more about Betrusted OS Betrusted software — A minimalist and secure OS for embedded communication devices The Betrusted software project utilizes the strongly typed Rust programming language to build the first applications and libraries for the open hardware Betrusted.io project. Betrusted is pioneering a new class of open hardware communications device, with a grant by NGI Zero. 
The project will set up a virtual environment for betrusted (e.g. QEMU / RISC-V) in order to develop and test software as close to target as possible and unlock community collaboration and contributions. The second main task in the project is to write a Matrix protocol command line client in order to analyze the memory characteristics in the highly constrained betrusted environment. The additional time is to be allocated to development support for the Betrusted OS, develop glue layers and verify necessary interfaces for applications, provide unit/integration tests and develop (test) applications for it. >> Read more about Betrusted software Converged Security Suite Improvements — Open source tooling for BIOS configuration The Converged Security Suite has been developed as an open-source tool to provision and test systems where proprietary (and closed) Intel Security Technologies - such as \"Trusted Execution Environment\", \"BootGuard\", and \"Converged BootGuard and TXT\" (CBnT) - are enabled. Since this is a security-critical operation, transparent open-source tooling is needed to securely provision and test the configuration of your system within the limitations of a closed system. However, current configuration tools are not available for technical scrutiny and only available under NDA. The same applies to test suites that validate the system and its configuration. The Converged Security Suite tries to change this by implementing an open alternative for those tools. Within this project, the team will implement Bootguard (provisioning and test suite) and add CBnT test suite support. 
>> Read more about Converged Security Suite Improvements Converged Security Suite +AMD — Add AMD support to Converged Security Suite The Converged Security Suite has been developed as an open-source tool to provision and test systems where proprietary (and closed) Firmware Security Technologies - such as Intel \"Trusted Execution Environment\", Intel \"BootGuard\", and Intel \"Converged BootGuard and TXT\" (CBnT) - are enabled. Since this is a security-critical operation, transparent open-source tooling is needed to securely provision and test the configuration of your system within the limitations of a closed system. The CSS made huge progress provisioning and testing Intel-based security mechanisms, and within this project we extend this to AMD's Platform Secure Boot, AMD's Secure Memory Encryption and AMD's Secure Encrypted Virtualization. The goal is to provide a test suite for those security mechanisms in order to understand how they are configured and provide transparency into those features. >> Read more about Converged Security Suite +AMD Anchorboot — Pre-built UEFI replacement firmware for ARM-based ChromeOS devices using coreboot/U-Boot Despite their bad reputation as walled-garden systems, ChromeOS devices have huge potential to be FOSS-friendly as most things that make them work are published as free software. However, they use custom platform firmware purpose-built to boot their operating system with non-standard boot mechanisms, whose limitations make it significantly hard to run other OSes on these devices through their stock firmware, stifling this potential. Anchorboot is a new platform firmware distribution for ARM-based ChromeOS devices using coreboot and U-Boot, with the aim to make it easy to install and use conventional Linux distributions on them through UEFI support. 
As part of this effort, we will first improve and extend integration between both projects to the ARM architectures, then work on a selection of Chromebooks to fix any issues and to port device drivers to either project where necessary. As each board's work is complete, we will prepare and distribute pre-built, tested firmware images ready to be flashed on these boards along with sources, instructions on how to use the images, and other documentation relevant to the devices. >> Read more about Anchorboot Cloud hosting service portability — Service portability for cloud hosting platforms Configurious Monk or cMonk is a combination of a configuration portal and a set of deterministically configured services that can be used to provide ‘common internet services’ like DNS, E-mail, Matrix, Mastodon, Pixelfed, eduVPN, Nextcloud and more. cMonk's intended use is in large scale cloud deployments, intended for thousands or even millions of users. It is not intended for use in self-hosting situations, but might still be used that way. The whole project is meant as a service-platform for 'at scale' operations, so we are specifically aiming at 24x7x365 availability which requires redundancy and automatic fail-overs everywhere. Configurious Monk is easy to use, and focuses on being ‘out of the way’ of the user. One of its key features is that it lets the user be in complete control. The ultimate form of control being that you can export all your data and configuration and take it elsewhere. Full service portability is the goal. It uses NixOS and the Nix package manager as its base and has an API that can be used to connect the configuration panel to other services. >> Read more about Cloud hosting service portability GNU Guix - Cuirass — Continuous integration system for GNU Guix/Linux + Hurd GNU Guix is a universal functional package manager and operating system which respects the freedom of computer users. 
The number of supported packages, almost 15.000 on 5 different architectures, is constantly increasing. With the recent efforts adding support for the GNU Hurd operating system, and the ongoing work to easily provide Guix System images for various boards, the need for a strong continuous integration system is critical. This project aims to improve Cuirass, the GNU Guix continuous integration software to provide binary substitutes for every package or system image within the shortest time. This way, the user won't have to allocate important time and computation power resources into package building. The plan is to add to Cuirass an efficient offloading and work-balancing mechanism between build machines, an improved web interface allowing to monitor machine loads and other build related metrics. A user account section to setup customized monitoring dashboards and subscribe to build failures notifications will also be developed. >> Read more about GNU Guix - Cuirass Structuring the System Layer with Dataspaces — Implementing a secure and scalable system layer on mobile The system layer is an essential but often-ignored part of an operating system, mediating between user-facing programs and the kernel. Despite its importance, the concept has only been recently recognised and has not received a great deal of attention. The novel Dataspace Model of concurrency and communication combines a small number of concepts to yield succinct expression of ubiquitous system-layer features such as service naming, presence, discovery and activation; security mechanism and policy; subsystem isolation; and robust handling of partial failure. This project will evaluate the hypothesis that the Dataspace Model provides a suitable theoretical and practical foundation for system layers, since a well-founded system layer is a necessary part of any vision of secure, securable, resilient networked personal computing. 
>> Read more about Structuring the System Layer with Dataspaces DeviceCode — Structured technical information about consumer devices This project is about reusing crowdsourced technical data about devices. This data is useful for researchers and tinkerers, but it is typically not the data that vendors are willing to give, let alone under a license that allows reuse. Think of: chipset information, serial port layout & speeds, amount of memory, and so on. Several groups of people have collected this data in several places (mostly wikis) under an open data license, but they are hard to reuse by other projects that could be interested in this data. The goal of \"DeviceCode\" is to collect this information, rework it into a format that is easy to reuse by other projects without having to resort to Wiki scraping, and also clean up the data (as humans make data entry mistakes and put useful data in places where it shouldn't be), cross-correlate different sources and automatically enrich the data where possible. >> Read more about DeviceCode Extend EFI support in BSDs — Bring automated firmware update to BSDs UEFI/EFI support covers boot integrity and as such has become a structural part of Linux, Windows, and other OS-es. There are a number of relevant operating systems however that are not able to benefit from this technical capability just yet. This project would fill that gap by extending EFI support to OpenBSD, NetBSD, and DragonflyBSD. This will allow proper hardware initialization as well as additional security features within those open source operating systems. >> Read more about Extend EFI support in BSDs Open source ESP32 802.11 MAC — Open source wifi drivers for ESP32 The ESP32 is a low-cost microcontroller with Wi-Fi connectivity. Currently, the Wi-Fi MAC layer of the ESP32 is closed-source. 
This project aims to change that: by reverse engineering the hardware registers and software, we can build a networking stack that is open-source up to the hardware, instead of having to use the proprietary MAC layer. This will improve security auditability, open up the possibility for features not supported in the proprietary implementation (for example, standards-compliant mesh networking), improve interoperability and make research into Wi-Fi networks with lots of nodes more affordable. >> Read more about Open source ESP32 802.11 MAC Fobnail — Remote attestation delivered locally The Fobnail Token is a tiny open-source hardware USB device that provides a means for a user/administrator/enterprise to determine the integrity of a system. To make this determination, Fobnail functions as an attestor capable of validating attestation assertions made by the system. As an independent device, Fobnail provides a high degree of assurance that an infected system cannot influence Fobnail as it inspects the attestations made by the system. Fobnail software is an open-source implementation of the iTurtle security architecture concept presented at HotSec07; in addition, it will leverage industry standards like TCG D-RTM trusted execution environment and IETF RATS. The Fobnail project aims to provide a reference architecture for building offline integrity measurement servers on the USB device and clients running in Dynamically Launched Measured Environments (DLME). It allows the Fobnail owner to verify the trustworthiness of the running system before performing any sensitive operation. Fobnail does not need an Internet connection, which makes it immune to the network stack and remote infrastructure attacks. It brings the power of solid system integrity validation to the individual in a privacy-preserving solution. 
>> Read more about Fobnail GNU Mes — Help create an operating system we can trust GNU Mes was created to address the security concerns that arise from bootstrapping an operating system using large, unauditable binary blobs, which is common practice for all software distributions. Mes is a Scheme interpreter written in a simple subset of C and a C compiler written in Scheme and comes with a small, bootstrappable C library. The Mes bootstrap has halved the size of opaque binaries that were needed to bootstrap GNU Guix, a functional GNU/Linux distribution that focusses on user freedom, reproducibility and security. That reduction was achieved by replacing GNU Binutils, GNU GCC and the GNU C Library with Mes. The final goal is to help create a full source bootstrap for any interested UNIX-like operating system. After three years of volunteer work this funding will enable us to take another big step forward and reach an important new milestone in creating more auditable secure software distributions. >> Read more about GNU Mes Full-source GNU Mes on ARM and RISC-V — Expand full-source bootstrap to other CPU platforms GNU Mes was created to address the security concerns that arise from bootstrapping an operating system using large binary blobs of several 100s of megabytes, which (incredibly so!) is common practice for the software supply chains in use today. While these days users can reproducibly build software with modern functional package managers like Guix and Nix, the presence of potentially toxic code in these unauditable blobs or the propagation into binaries cannot be excluded. Users have no technical assurance that the executable they use corresponds with the source code - or whether the tool chain which compiled the source code introduces weaknesses or undefined behaviour. 
By making the toolchain 'bootstrappable' (as per bootstrappable.org), users can verify themselves for every step what happens - in the case of GNU Mes from one tiny (and orders of magnitude more easily verifiable) 357-byte file upwards. The final goal is to help create a \"full source\" bootstrap for any interested UNIX-like operating system and any type of architectures. In this project the project will add ARM and RISC-V, with other architectures on the roadmap. >> Read more about Full-source GNU Mes on ARM and RISC-V GNU Mes RISC-V — Bringing the trustworthy bootstrap to RISC-V GNU Mes was created to address the security concerns that arise from bootstrapping an operating system using large, unauditable binary blobs, which is common practice for all software distributions. Mes is a Scheme interpreter written in a simple subset of C and a C compiler written in Scheme that comes with a small, bootstrappable C library. The final goal is to help create a full source bootstrap for any interested UNIX-like operating system. This funding will enable GNU Mes to work on the RISC-V platform, an instruction set architecture (ISA) that is provided under open licenses. Combining GNU Mes with an open ISA will provide an extra level of security and trust by extending the auditability of the system from the software to also the hardware. RISC-V is a relatively new architecture so this effort requires the backport of many tools that were already available for GNU Mes in other architectures. Also the modular nature of RISC-V makes it an especially complex bootstrap target, because it needs to support all the possible RISC-V implementations. This project aims to overcome the current limitations to prepare GNU Mes and all the associated projects for a full RISC-V port. 
>> Read more about GNU Mes RISC-V RISC-V bootstrapping effort via GNU Mes — Allow bootstrapping Guix on RISC-V via GNU Mes This project is a continuation of several previous modest efforts that each made good steps in bringing the GNU Mes project to the quickly growing ecosystem of RISC-V. RISC-V is a relatively new instruction set architecture (ISA) for computer chips, and because it obviously has its own variant of the very lowest level of instructions, adopting this new hardware platform for practical use cases requires porting of some software and tools that were already available in other architectures. Such \"chip agility\" makes the overall technology ecosystem more robust, creating more diversity and consumer choice. One aspect of working towards chip agility in a trustworthy manner is aiming for a \"full source bootstrap\", as pioneered by GNU Mes and others on other architectures. This addresses the security concerns associated with bootstrapping an operating system using large, unauditable binary blobs, which until recently was common practice for all software distributions. Mes is a Scheme interpreter written in a simple subset of C and a C compiler written in Scheme that comes with a small, bootstrappable C library. The goal of this project is to complete the port of Mes to RISC-V, and achieve the first full source bootstrap - which is then available to use for any interested UNIX-like operating system. As a first major step towards universal adoption, the project will subsequently package the whole process and include it in Guix's commencement module. >> Read more about RISC-V bootstrapping effort via GNU Mes GNU Mes on ARM — Trustworthy bootstrap for operating systems on ARM ISA GNU Mes was created to address the security concerns that arise from bootstrapping an operating system using large, unauditable binary blobs, which is common practice for all software distributions. 
Mes is a Scheme interpreter written in a simple subset of C and a C compiler written in Scheme that comes with a small, bootstrappable C library. The final goal is to help create a full source bootstrap for any interested UNIX-like operating system. This funding will enable GNU Mes to work on the ARM platform. >> Read more about GNU Mes on ARM GNU Mes: Full Source bootstrap — GNU Mes was created to address the security concerns that arise from bootstrapping an operating system using large, unauditable binary blobs, which is common practice for all software distributions. Mes is a Scheme interpreter written in a simple subset of C and a C compiler written in Scheme and comes with a small, bootstrappable C library. The Mes bootstrap has greatly reduced the size of opaque binaries that were needed to bootstrap GNU Guix, a functional GNU/Linux distribution that focusses on user freedom, reproducibility and security. That reduction (from ~250MB to ~60MB) was achieved by first replacing GNU Binutils, GNU GCC and the GNU C Library with Mes. The second step was funded by NLnet (https://nlnet.nl/project/GNUMes) and replaced GNU Awk, GNU Bash, the GNU Core Utilities, GNU Grep, GNU Gzip, GNU SED, and GNU Tar with a more mature Mes, Gash and Gash-Utils. The final goal is to help create a full source bootstrap for any interested UNIX-like operating system and non-intel architectures (see https://nlnet.nl/project/GNUMes-arm) This funding will enable us to take another big step forward and reach an important new milestone in creating more auditable secure software distributions. >> Read more about GNU Mes: Full Source bootstrap GNU Mes Tower — GNU Mes with alternative scheme implementations and WASM GNU Mes was created to provide transparency and strong technical assurances when bootstrapping an operating system - instead of using large, unauditable binary blobs that bring the risk of \"reproducibly malicious\" behaviour within the software toolchain. 
GNU Mes provides a transparent alternative: starting from a Scheme implementation of a C compiler, and a minimal Scheme interpreter written in C, to bootstrap the full GNU toolchain capable of building the rest of all open-source software. The GNU Mes Tower projects will add the option to stay on the \"Scheme\" path without having to resort to C, starting from either same minimal Scheme interpreter with a specializer as a Scheme compiler capable of generating native binaries. To achieve self-hosting, a series of bootstrapping steps will be implemented to add features to each interpretation level one-by-one, maintaining specialization to native code. The sequence of more and more capable Scheme compilers will allow operating systems like Guix to be bootstrapped without C, and move from a minimal Scheme interpreter to full-blown modern scheme dialects to allow much more advanced features and optimisations during the bootstrap. >> Read more about GNU Mes Tower GNU Guix — Discovery of service configurations in a declarative setup GNU Guix is a universal functional package manager and operating system which respects the freedom of computer users. It focuses on bootstrappability and reproducibility to give the users strong guarantees on the integrity of the full software stack they are running. It supports atomic upgrades and roll-backs which make for an effectively unbreakable system. This project aims to enhance multiple facets; the main three goals are: (1) distributed package distribution (e.g. over IPFS), (2) composable and programmable user configurations / services (a way to replace \"dotfiles\" by modules that can be distributed and serve a wide audience), (3) broaden accessibility via, among others, a graphical user interface for installation / package management. 
>> Read more about GNU Guix Tooling to improve security and trust in GNU Guix — Contextual software vulnerability discovery GNU Guix is a universal functional package manager and operating system which respects the freedom of computer users. It focuses on boostrappability and reproducibility to give the users strong guarantees on the integrity of the full software stack they are running. It supports atomic upgrades and roll-backs which make for an effectively unbreakable system. This project aims to automate software vulnerability scanning of packaged software to protect users against possibly dangerous code. >> Read more about Tooling to improve security and trust in GNU Guix Gash — Port Gash to GNU Mes for auditable bootstrap For several years, the GNU Guix project has been reducing the amount of unauditable binary blobs used in bootstrapping its operating system, through efforts such as GNU Mes. This is needed to avoid \"reproducibly malicious\" behaviour within the software toolchain. Gash is a POSIX-compatible shell written in Guile Scheme. Gash provides both the traditional shell interface, as well as a Guile library for parsing shell scripts. Once this project is completed, Guix (and other operating systems) can be bootstrapped from legible source, without depending on already compiled compilers or C standard libraries. This will allow to move step by step from a minimal Scheme interpreter to full-blown modern scheme dialects to subsequently much more advanced features and optimisations required during the bootstrap. >> Read more about Gash Genealogos — Nix to SBOM generator targeting the CycloneDX format With the increasing importance of understanding the software supply chain, both for security and legal purposes, it has become necessary to provide users, administrators, and developers with an accurate picture of what's in the software they use. Like with any bookkeeping task, doing that manually is cumbersome and hard to keep up to date. 
The better course of action is to use the information encoded within functional package management tools like Nix. With Genealogos you can generate a compliance-ready CycloneDX Software Bill of Materials (SBOM) for any package available in the nixpkgs repository or in fact from any nix flake -- and automatically keep it up to date. >> Read more about Genealogos Genodepkgs — When Genode and Nixpkgs meet The past decade has seen substantial improvements in the field of operating systems that have raised the standards for building high-assurance and security-critical systems. Unfortunately this technology is rarely utilized by smaller organizations and private users due to the cost of retooling, reconfiguring, and the lack of continuity between OS communities. The Genode OS framework is a free-software toolkit of components that can be used to construct custom operating systems from a trusted codebase of drastically reduced complexity. Genodepkgs is an extension to the Nix package collection that integrates the Genode toolkit. This package collection, or Nixpkgs, is one of the most comprehensive collections of readily deployable software to date, and contains within it the NixOS Linux distribution. By extending the collection to cover Genode, a new diversity of operating systems can be realized using the variety of microkernels, device drivers, and utilities provided by Genode, as well as hybrid systems composed of an isolating Genode base layer and virtualized NixOS guests. Making such compositions possible by reusing the methods of NixOS can bridge the divide between contemporary Linux system administration and next-generation operating system developments. >> Read more about Genodepkgs Grate project — Linux support for Tegra 2/3/4 devices GRATE driver started as an attempt to create an open source re-implementation of proprietary software for Nvidia’s older Tegra system-on-chips (Tegra 2, Tegra 3 and Tegra 4). 
Although this goal is yet to be achieved, progress is being made and the GRATE project provides strong support for a wide variety of devices: smartphones, tablets, convertibles, all-in-one computers — all of which are based on older Tegra SoCs. Decent devices that were considered e-waste, not even by the users, but by the vendors themselves, gain a second life with strong Linux kernel support and open source bootloader substitution. >> Read more about Grate project Guix Peer-to-Peer substitutes — We have seen a lot of progress in the fields of reproducible builds and peer-to-peer storage in recent years. Today the Guix project provides a complete set of tools that allows users to have complete control over their software distribution. At the same time most Guix users rely on centralized infrastructure that provides binary artifacts (also called package substitutes) for practical reasons. This project aims to develop systems that will allow Guix users to participate in a process of collaborative building of a public build artifacts cache for different architectures in a tamper resistant way with the help of a verifiable build results log. We want to make collective ownership of infrastructure and means for package distribution practical and provide instruments for establishing trust relationships within developer communities. >> Read more about Guix Peer-to-Peer substitutes Porting Guix to Riscv64 — Port Guix software collection to Riscv64 architecture This project will work on bringing the Rust support of GNU Guix on Riscv64 up to fully supported, with the bootstrap chain from source. It will also bring Riscv64 in Guix up to the full level of support that is expected of commonly used architectures, ready to be used in all the applications where GNU Guix is already found. 
Riscv64, being an Open Architecture, freely available to anyone who wants to implement processors, goes a long way towards ensuring that our future computing platforms are free of hidden backdoors. GNU Guix, being a true Free Software Operating System and compiled from source from a small bootstrap binary, with reproducibility guarantees, is as close as the computing community has come to a fully auditable software chain that makes sure all the software we run on our computers is what we intend, and nothing more. By combining the Riscv64 architecture and GNU Guix for software we can reach toward a fully secure and auditable computing platform that we might consider trusting. >> Read more about Porting Guix to Riscv64 Guix-Daemon — Transition to a Guile implementation of the guix-daemon GNU Guix is a transactional package manager and a distribution of the GNU system that respects user freedom. A key component in Guix is the guix-daemon, currently implemented in C++. Much of the power and flexibility of Guix comes from all of the package definitions and surrounding tooling being implemented in GNU Guile, however this doesn't extend to the guix-daemon. This difference has been a limiting factor in making changes and improvements to the way the guix-daemon works and is interacted with. The expected outcome of this project is to have a Guile implementation of the guix-daemon, and to transition to this being the default guix-daemon used. This will improve the maintainability and portability of the guix-daemon and Guix overall, as well as unlocking future improvements to the guix-daemon and connected tools. >> Read more about Guix-Daemon TPM 2.0 for HEADS — TPM 2.0 support for open source BIOS replacement firmware HEADS is an open source custom firmware for laptops that aims to provide slightly better physical security and protection for data on the system. 
HEADS combines physical hardening of specific hardware platforms and flash security features with custom coreboot firmware and a Linux boot loader in ROM. This moves the root of trust into the write-protected region of the SPI flash and prevents further software modifications to the bootup code. HEADS allows you to verify that laptop hardware has not been tampered with in transit or in your absence (so-called evil maid attack). Until now HEADS has mostly been used with older Thinkpad X230 and T430 laptops. As part of this funded project we will develop HEADS to support state of the art hardware. >> Read more about TPM 2.0 for HEADS Nix Integration for Hop3 — Nixify the Hop3 self-hosted cloud platform Hop3 is an open-source orchestration platform designed to simplify the deployment and management of distributed applications across cloud and edge environments. With a focus on flexibility, security, resilience, and ease of use, Hop3 empowers developers and small organisations to take full control of their IT infrastructure and data, ensuring digital sovereignty and avoiding vendor lock-in. The project will enhance the Hop3 platform by integrating Nix, a powerful package manager known for its ability to create reproducible environments, to improve build-time flexibility and ensure consistent, reliable run-time performance. As a test bed and showcase of this integration, we will package 20 diverse and impactful F/OSS applications. Additionally, we will develop new resilience and cybersecurity features to further strengthen the platform's robustness and security. >> Read more about Nix Integration for Hop3 Implement sound support in the Hurd — Add audio capabilities to the multiserver microkernel from GNU The GNU Hurd is a light weight kernel (the central part of an operating system) on top of the Mach microkernel, with full POSIX compatibility. 
The mission of the Hurd project is: to create a general-purpose kernel suitable for the GNU operating system, which is viable for everyday use, and gives users and programs as much control over their computing environment as possible. Hurd provides security capabilities like adding access to services for programs at runtime when and only while they need it, and to enable easy low-level development - like replacing a file system during runtime and real-time kernel debugging as if it were a normal program. This project adds an important feature to GNU Hurd: an audio-system with fine-grained access management to physical hardware. >> Read more about Implement sound support in the Hurd Ironclad — Hard real-time capable kernel written in SPARK/Ada Ironclad is a partially formally verified, hard real-time capable kernel for general-purpose and embedded uses, written in SPARK and Ada. It is comprised of 100% free software, free in the sense that it respects the user's freedom. By providing a UNIX-like interface which ensures an easy porting process from Linux and BSD distributions, Ironclad aims to be a solution for developers searching for a security-first, resilient platform with the smallest barrier to entry. This project will work on expanding hardware support for x86_64 Intel and AMD based systems, bringing Ironclad to RISC-V 64 bit based platforms, expanding several areas of the kernel, and work on Ironclad-based distributions. >> Read more about Ironclad KDE Plasma Wayland — Accessibility and advanced graphics input support for KDE Plasma Wayland Plasma is the desktop provided by the KDE project, one of the largest and most successful open source initiatives in the world. Wayland is the successor of X11 for Unix desktops and the future for many reasons, including security and privacy. However there are some user groups that currently do not have their requirements satisfied. 
Some people have motor impairments of their arms/hands (such as restricted movement, tremors, or missing fingers) that make it hard or impossible to operate a traditional computer keyboard. Operating systems provide a number of options like sticky keys, slow keys, or bounce keys to accommodate such disabilities. Another pain point is configuration of graphics tablet input devices. This includes things like mapping the tablet area to an output area, binding tablet/stylus buttons to actions, or configuring pen pressure curves. This project will implement support for these special user groups in KDE Plasma on Wayland. >> Read more about KDE Plasma Wayland KWin and Wayland input — Secure windowing system for KWin When you run remote applications across the internet, you typically need a display server. Wayland is the future windowing system on Unix, a communication protocol that specifies the communication between a display server and its clients. One core goal in its design was to provide a safe and secure system protecting users' data and privacy. The traditional windowing system X11 does not, which means that programmes can just spy on inputs and outputs of every other programme. Making a secure system that is still usable comes with challenges. When clients need to communicate, channels of communication must be carefully designed to provide it in a secure and reliable way. One of these channels is when one client provides a virtual keyboard or input methods support (for example for CJK languages) and another client consumes the input data. The project aims at implementing communication channels for that through Wayland protocol extensions in KWin and providing test clients, as well as improving the used protocol extensions upstream. >> Read more about KWin and Wayland input Liminix — Nix-based OS for domestic WiFi routers, access points etc Today you can reflash your broadband router with Linux (e.g. 
DD-WRT, OpenWRT, Tomato or variants) to provide unparalleled flexibility to do things that the manufacturer system was not capable of. However, managing this flexibility by hand is challenging, especially when keeping custom configuration in sync across devices or through version upgrades. Liminix aims to provide an OpenWrt-style embedded Linux distribution based on the Nix language for congruent configuration management, and the Nix package system. On top of this we plan to implement seamless management of configuration and secrets across a network of Liminix devices, and robust dependency-based service/process management so that a device can respond usefully when hardware or network connectivity changes. >> Read more about Liminix Usability of Linux firewall userspace tools — Userspace tooling for Linux kernel Netfilter Netfilter is the project offering the packet classification framework for GNU/Linux operating systems. Netfilter supports stateless and stateful packet filtering, mangling, logging and NAT. Netfilter provides a rule-based language to define the filtering policy through a linear list, sets and maps. This language is domain specific and it provides a simplified programming language to express filtering policies. Firewall operators are usually not programmers, although they are typically knowledgeable about shell scripting. Humans currently have few means to check for mistakes when elaborating filtering policies, which as a result can interact in unpredictable ways or cause performance issues - meaning one can never be sure how much they can be trusted to protect users. Lack of correctness and inconsistencies emerge as the rule set increases in complexity. Introducing ways to assist the operator to spot these problems and to provide hints to express the filtering policies in a better way would help to improve this situation. Error reporting is another key aspect to assist humans in troubleshooting. 
This project aims to extend the existing tooling to introduce infrastructure to cover these aspects. >> Read more about Usability of Linux firewall userspace tools Mainline Linux on ARM Chromebooks — Open firmware and standards-based boot for Mediatek MT818x/MT819x based devices If we want to truly own our computing devices, ARM Chromebooks with Mediatek CPUs have much potential for liberation. Unlike most other personal computers (such as laptops with Intel CPUs), the software and firmware for these devices is user-replaceable. There's no need to worry about manufacturer firmware being able to control the entire computer: the TrustZone firmware can be replaced with an audited version the owner trusts. While Chromebooks are shipped with ChromeOS, a system intimately tied to a single proprietary vendor, we can bring a standards-based boot to these devices by adding support for them to u-boot. Then, booting a standard Linux distribution becomes easy - so we'll co-operate with distributions like postmarketOS to provide the needed drivers. We will release better coreboot firmware for the Mediatek \"Kompanio\" families of SoC, found in Chromebooks from various manufacturers (MT8183, MT8186, MT8195, MT8196 and MT8188). Firmware is also software, and equally deserves to be free. While this effort is pragmatically focused on bringing basic, reliable functionality to as many laptops as we can, we also keep an eye on freeing more low-level firmware. Perhaps it'll be the RAM initialization, or power management. Regardless, those laptops could push the envelope of user freedom. >> Read more about Mainline Linux on ARM Chromebooks The MacBook Liberation Project — Implement Coreboot support to various Apple devices The MacBook Liberation Project aims to bring software freedom to the Apple MacBook by replacing its proprietary boot firmware with freedom respecting boot firmware. This will increase their longevity, privacy and security. 
Intel based models that are now partially compatible with coreboot will be made fully compatible with not only coreboot, but easily installable coreboot distributions like Libreboot as well. The focus will lie on support for all possible RAM and SPD configurations for these models as well as easy internal installation for end users. >> Read more about The MacBook Liberation Project Maemo Leste — An independent mobile operating system focused on trustworthiness Maemo Leste aims to provide a free and open source Maemo experience on mobile phones and tablets. It is an effort to create a true FOSS mobile operating system for the FOSS community. Maemo Leste is based on GNU/Linux, and specifically - Devuan GNU/Linux. The goal is to provide a secure and modern mobile operating system that consists only of free software, obeys and respects the users' privacy and digital rights. The project also works closely with projects that aim to produce hardware that Maemo Leste and other community mobile operating systems could run on. The operating system itself takes much of its design and core components from the Nokia-developed Maemo Fremantle, while replacing any closed source software with open source software. >> Read more about Maemo Leste Maemo Leste Telepathy — Modernise open source real-time communications stack Maemo Leste aims to provide a free and open source Maemo experience on mobile phones and tablets. It is an effort to create a true FOSS mobile operating system for the FOSS community. Maemo Leste is based on GNU/Linux, and specifically - Devuan GNU/Linux. The goal is to provide a secure and modern mobile operating system that consists only of free software, obeys and respects the users' privacy and digital rights. The project also works closely with projects that aim to produce hardware that Maemo Leste and other community mobile operating systems could run on. 
The operating system itself takes much of its design and core components from the Nokia-developed Maemo Fremantle, while replacing any closed source software with open source software. In this project the Maemo Leste team will update the Telepathy real time communications framework (which should benefit all other users of that framework) and add, among others, double ratchet based OMEMO encryption to XMPP. >> Read more about Maemo Leste Telepathy Makatea — An x86, 64-bit Virtual Machine Monitor for the seL4, verified microkernel The security of any software system depends on its underlying Operating System (OS). However, even compartmentalization focused OSes such as Qubes, which are \"reasonably secure\", depend on large trusted computing bases (e.g. hypervisors) with hundreds of thousands of lines of code. seL4 is an open-source, formally-verified microkernel that has matured and been maintained for over a decade. seL4's small size (10,000 Lines of Code) and formal verification make it an appealing base to implement a hardened, open-source, x86 64-bit Virtual Machine Monitor (VMM) on. Makatea is a new hypervisor written from the ground up, capable of paravirtualisation, Hardware-Assisted Virtualisation and device emulation. Makatea will also make it possible to run software originally written for other platforms wherever seL4 can be made to run - and do so in a very controlled environment. >> Read more about Makatea Mobile Test Farm — Test farm setup for aftermarket mobile operating systems This project will deliver a useful contribution to the alternative mobile ecosystem: a physical continuous integration system to which different phones can be connected and which can be used to e.g. run regression tests for different operating systems on these devices to verify if core functionality isn't broken when e.g. a new kernel is added. 
>> Read more about Mobile Test Farm Mollymawk — Mollymawk - orchestration and management of MirageOS unikernels Mollymawk is a deployment and orchestration tool designed to simplify the management of MirageOS unikernels and other virtual machines. In this project, we will focus on optimizing deployment, orchestration and scaling (up and down). Key enhancements we are looking at include implementing websockets, streaming services when deploying unikernel images, automated configurations (DHCP, DNS etc), support for virtual machines that are not MirageOS unikernels, mechanisms for autoupgrading unikernels with rollback options, notification of available updates, unattended updates, and managing multiple physical machines with a single mollymawk. >> Read more about Mollymawk Securing NixOS services with systemd — NixOS, with the nix package manager, provides different services that can be installed and configured in a reproducible, declarative way. But how does one know whether software sticks to what it is supposed to do, and prevent a malicious application from spying on others? Systemd provides users with ways to specify fine-grained sandboxing options for their running service, taking advantage of the Linux kernel's security facilities. This project will improve the default configuration of the services that are available in NixOS using systemd, so that users may deploy services without granting them too much trust: the services would only have access to the parts of the system they require. From a security point of view, this limits the attack surface of the system and greatly improves defense in depth. This also means that services wouldn't be able to snoop on all of the user's system. To gain long-term benefits from this project, we will develop automated tools to help with finding the right configuration for a given service, and we will write documentation to help people who will want to secure other services with their task. 
>> Read more about Securing NixOS services with systemd UEFI Secure Boot support for NixOS — Add a self-sovereign root of trust as part of supply chain security This project combines the power of the reproducible package manager Nix with the cryptographic protections of UEFI Secure Boot to provide concrete assurances about the authenticity of the software being booted into. Supply chain security works upward from a root of trust, which has to be in place before the very first bytes of code are even executed by a host’s CPU. UEFI Secure Boot helps provide this root of trust. Using UEFI Secure Boot, the host’s firmware will only boot the operating system if it is signed by a key stored in the firmware. This key may be issued by Microsoft, or in this project’s case, be generated by the user. This can help resist attacks from malware or other attacks against the system’s integrity. Obviously, when people use a commodity operating system commercially available to everyone (like Microsoft Windows) the security protection is far less and the risks are far greater than when someone generates a custom operating system with a reproducible tool like Nix. The Host and signing service will use TPM-backed attestation keys to mutually attest the authenticity of the requests. This tool will initially support systemd-boot and uboot, however the project will be specifically designed with the intention of supporting additional bootloaders. >> Read more about UEFI Secure Boot support for NixOS Nominatim — Multi-lingual support in address search Nominatim is an open-source geographic search engine (geocoder). It makes use of the data from OpenStreetMap to build up a database and API that allows searching for any place on earth and looking up addresses for any given geographic location. It is used as the main search engine on the OpenStreetMap website where it serves millions of requests per day but it can also be installed locally. 
You can easily set it up for a small country on your laptop. Nominatim has always aimed to be usable world-wide for any place in any language. To that end it has used generic, language-agnostic algorithms that assume a uniform data model. This has served us especially well while the OpenStreetMap database was in its early stages of development and changing fast. Now that it has matured, it is time to further improve the search experience by taking into account the particularities of different languages and the different practises when it comes to geographic addressing. We aim to restructure the part of the software that parses the place names and search queries to make it more configurable and make it easier to take into account languages and regional peculiarities. >> Read more about Nominatim Oil Shell — A new dialect of shell that is less error-prone Oil is a new Unix shell. Shell languages provide an (IEEE standardised) interactive command language and interactive scripting environment used to control computer operating systems. Shell scripts are deployed and used visibly and invisibly to command or glue together different applications and control the execution of tasks. Oil is the upgrade path from traditional shells like bash to a better and more structured language and runtime. It already runs thousands of lines of unmodified POSIX compliant shell scripts (as well as bash scripts which aren't compliant), but in a safer and more reliable way. OSH can be smoothly upgraded to YSH, a new shell language influenced by Python, Ruby, JavaScript, JSON, and YAML. YSH also offers a basic interactive shell UI, and a \"headless\" API for building GUIs on top of shell. Through its set of specification languages, scripts can be translated to fast C++. >> Read more about Oil Shell Oil Shell — Modern shell language and runtime Oil is a new Unix shell. 
Shell languages provide an (IEEE standardised) interactive command language and interactive scripting environment used to control computer operating systems. Shell scripts are deployed and used visibly and invisibly to command or glue together different applications and control the execution of tasks. Oil is the upgrade path from traditional shells like bash to a better and more structured language and runtime. It already runs thousands of lines of unmodified POSIX compliant shell scripts (as well as bash scripts which aren't compliant), but in a safer and more reliable way. OSH can be smoothly upgraded to Oil, a new shell language influenced by Python, Ruby, JavaScript, JSON, and YAML. Oil also offers a basic interactive shell UI, and a \"headless\" API for building GUIs on top of shell. This project will finish the translation from statically typed Python to C++. This will let it match the speed of bash and existing shells, while offering reliable error handling, safe processing of user-supplied data, the elimination of quoting issues and better error messages and tools. >> Read more about Oil Shell Oils for Unix — Bringing shell environments into the 21st century Oil is a new Unix shell. Shell languages provide an (IEEE standardised) interactive command language and interactive scripting environment used to control computer operating systems. Shell scripts are deployed and used visibly and invisibly to command or glue together different applications and control the execution of tasks. Oil is the upgrade path from traditional shells like bash to a better and more structured language and runtime. It already runs thousands of lines of unmodified POSIX compliant shell scripts (as well as bash scripts which aren't compliant), but in a safer and more reliable way. OSH can be smoothly upgraded to YSH, a new shell language influenced by Python, Ruby, JavaScript, JSON, and YAML. 
YSH also offers a basic interactive shell UI, and a \"headless\" API for building GUIs on top of shell. Through its set of specification languages, scripts can be translated to fast C++. Goal of this project is to implement various new builtin YSH methods and functions (Str, Dict, IO, ...), implement JSON / J8 Data languages, create a Flag parsing lib and test framework, and significantly improve documentation throughout the entire project. >> Read more about Oils for Unix OpenCryptoLinux — Make Linux run on OpenCryptoHW OpenCryptoLinux aims to develop an open, secure, and user-friendly SoC template capable of running the Linux operating system, with cryptography functions running on a RISC-V processor. The processor will control a low-cost Coarse-Grained Reconfigurable Arrays (CGRAS) for enhanced security, performance, and energy efficiency. Running Linux on this SoC allows non-hardware experts to use this platform, democratizing it. This project will help build an Internet of Things (IoT) that does not compromise security and privacy. The project will be fully open-source, which guarantees public scrutiny and quality. It will use other open-source solutions funded by the NLnet Foundation, such as the RISC-V processors from SpinalHDL and the OpenCryptoHW project. >> Read more about OpenCryptoLinux Better support for display notches and cutouts in Phosh — Better custom shape screen support for Wayland Mobile phones often have notches or cutouts in their displays (often to accommodate the camera), rounded corners or waterfalls (lower resolution areas at the edge of the screen). The aim of this project is to propose and implement a Wayland protocol that gives applications the necessary information about these areas. This allows them to place UI elements in a sensible and visually pleasing way, color lower resolution areas properly and avoid having important information occluded. Besides for mobile shells like Phosh this information is also important for e.g. 
video players and other full screen applications and out of the box support in toolkits is desirable. >> Read more about Better support for display notches and cutouts in Phosh Proper Webcam support in Qemu — Better virtualisation of camera interfaces QEMU is one of the most popular open source machine emulators and virtualizers. It supports a wide range of architectures and is capable of emulating many types of hardware devices. Many people rely on QEMU to run alternative operating systems or even as a secure development environment. Sometimes it is necessary to pass camera devices to the QEMU guest and make them available to the system. While it is possible to pass cameras using the generic QEMU USB host emulator, this only works with USB cameras and only makes them available to that single QEMU guest. However, many modern systems move away from USB cameras and provide other interfaces for the camera, and thus cannot be passed through. Our solution is to use the operating system's video API instead to make the video device available. We will focus on providing proper support for the Video4Linux API to emulate a USB video device so that it works with the already existing OS drivers. With proper integration of a camera subsystem, this opens the door to supporting more camera APIs and even extending paravirtualized VirtIO devices in the future to improve video quality for next generation video devices. >> Read more about Proper Webcam support in Qemu Qubes OS — Bring the security of Qubes OS to people with disabilities Qubes OS is a free and open source operating system uniquely designed to protect the security and privacy of the user. Its architecture is built to enable the user to define different security environments (\"qubes\") on their computer and visually manage their interaction with each other and the world. 
This project will improve the usability of Qubes OS by: (1) reviewing and integrating already existing community-created usability improvements, (2) implementing a localization strategy for the OS and its documentation, and (3) creating a holistic approach for improved accessibility. >> Read more about Qubes OS Raptor Lake Desktop — Implement open-source firmware for modern mainboards and chipsets The Raptor Lake Desktop project aims to deliver open-source firmware support for a modern day motherboard (the MSI PRO Z690-A WIFI DDR4/DDR5 workstation/desktop), enabling users to customize and enhance their hardware. Through open-source firmware, users will have the freedom to modify and adapt the software according to their specific requirements. Building on the success of the Alder Lake Desktop initiative, this project focuses on two key goals: adding support for 13th generation Raptor Lake-S CPUs on existing boards and implementing open-source firmware support for the MSI PRO Z790-P WIFI DDR4/DDR5 boards. The project also includes the development of additional firmware features to improve system functionality and security, such as selective Option ROM loading, ESP partition scanning, power state after power fail option, PCIe Resizable BARs, and XMP memory profile selection. Through community involvement and feedback, the project aims to provide a more personalized and flexible computing experience for board owners. >> Read more about Raptor Lake Desktop Redox OS Unix-style Signals — Add Unix-style signal handling to Redox Operating System Redox OS is a Unix-like microkernel based operating system written in Rust. It is intended to provide a secure and reliable alternative to Linux. Redox is continuing to add functionality to provide source-code compatibility for most Linux software. This project will provide Redox with Linux-compatible inter-process signals, including signalling to process groups, processes and threads, and improved process management. 
>> Read more about Redox OS Unix-style Signals Replicant on Guix — Reproducible build infrastructure for Replicant The project summary for this project is not yet available. Please come back soon! >> Read more about Replicant on Guix Replicant on Pinephone 1.2 — Add basic support for the Pinephone 1.2 to Replicant Replicant is the only fully free operating system for smartphones and tablets. All the other operating systems for smartphones and tablets use nonfree software to make some of the hardware components work (cellular network modem, GPS, graphics, etc). Replicant avoids that, either by writing free software replacements, by tweaking the system not to depend on it, or, as a last resort, by not supporting the hardware component that depends on it. The goal is to first adapt support for the Pinephone and various other hardware (mainly from GLODroid), to make it generic and reusable by other Android distributions and smartphones to improve collaboration between Android distributions using mainline Linux kernels. >> Read more about Replicant on Pinephone 1.2 Graphics acceleration on Replicant — Free software graphics drivers for mobile phones The project aims to create a free software graphics stack for Replicant 9 that is compatible with OpenGL ES (GLES) 2.0 and can do software rendering with a decent performance, or GPU rendering if a free software driver is available. Replicant is a fully free software Android distribution that puts emphasis on freedom, privacy and security. It is based on LineageOS and replaces or avoids every proprietary component of the system. Replicant is so far the only distribution for smartphones that is endorsed by the Free Software Foundation as meeting the Free System Distribution Guidelines. Due to its strict commitment to software freedom, Replicant does not use the proprietary GPU drivers that shipped with other Android distributions. 
The project aims to put together a new graphics stack for the upcoming Replicant 9 that is GLES 2.0 capable. The project will then focus on improving the performance by fine-tuning its OpenGL operations and leveraging hardware features. Finally, the focus will shift to the integration of the Lima driver, a free software driver for ARM Mali-4xx GPUs, which will allow some GLES operations to be offloaded to the GPU. This will greatly increase graphics performance and thus usability. >> Read more about Graphics acceleration on Replicant Finish porting Replicant to newer Android version — Alternative, free software version of Android Replicant is the only fully free operating system for smartphones and tablets. All the other operating systems for smartphones and tablets use nonfree software to make some of the hardware components work (cellular network modem, GPS, graphics, etc). Replicant avoids that, either by writing free software replacements, by tweaking the system not to depend on it, or, as a last resort, by not supporting the hardware component that depends on it. However, it is based on Android 6, which is no longer supported and thus has far too many security issues to fix, so continuing to use this version is not sustainable. This project consists of finishing the port of Replicant to Android 9, which has now standardised an interface for the code that makes the hardware components work. Once done, it will also make the free software replacements automatically work on future Android versions. >> Read more about Finish porting Replicant to newer Android version NetBSD Reproducibility — Extend Reproducibility for CTF Debugging Infos and NetBSD Image Creation The NetBSD operating system is built from a single source code repository and supports a great variety of different hardware and CPU variants. NetBSD has a working infrastructure for being reproducible, thus you can verify, e.g., that an install ISO was created from an untampered repository. 
As NetBSD is technically always cross-compiled, it can be built on several platforms, most commonly on NetBSD itself and on Linux. This project aims to fix two issues where a Linux-based build host creates different output than a NetBSD host. Ports using the newer GCC-12 based compiler usually use the CTF debugging format, where the binary representation (probably due to different sorting) differs between Linux and NetBSD builds. The second issue is with install image creation, where symlink permissions and owner/permission bits from the building host leak into the image, breaking reproducibility. Both of these issues affect the widely used amd64 (usual PCs and laptops) and arm/aarch64 (Raspberry Pi) ports. >> Read more about NetBSD Reproducibility Reproducible-openSUSE — Reproducible distribution of openSUSE rolling release The Reproducible-openSUSE project is creating a proof-of-concept of a general-purpose Linux distribution based on openSUSE-Tumbleweed. By employing reproducible-builds, it allows independent verification that all its binaries correspond to the sources. This greatly reduces the amount of trust that users need to place in the build infrastructure. It is not only a proving-ground, but also a staging-area for upstreaming changes to make them useful to millions of users. >> Read more about Reproducible-openSUSE Robotnix — Reproducible Builds of Android with NIX Robotnix enables a user to easily build Android (AOSP) images using the Nix package manager. AOSP projects often contain long and complicated build instructions requiring a variety of tools for fetching source code and executing the build. This applies not only to Android itself, but also to projects which are to be included in the Android build, such as the Linux kernel, Chromium webview, and others. 
Robotnix orchestrates the diverse build tools across these multiple projects using Nix, inheriting its reliability and reproducibility benefits, and consequently making the build and signing process very simple for an end-user. >> Read more about Robotnix Free and open source NPU Drivers — Libre drivers for Neural Processing Units As of today, companies that sell components that include accelerators for machine learning workloads (NPU, TPU, DLA, etc) are generally engaged in vendor lock-in practices that interfere with the ability of their customers to freely choose their partners and adapt their software components to their own needs. This project aims to incentivize providers of accelerating hardware to move to more fair practices by reverse engineering their hardware and writing open source implementations of the corresponding software stack, for interoperability purposes. These drivers become part of projects such as the Linux kernel and the Mesa project, and will become available to users via existing distributions such as Debian, Fedora and NixOS. >> Read more about Free and open source NPU Drivers Rocket CWMP — Remote governance and configuration for internet equipment CWMP (CPE WAN Management Protocol) or TR-069 is a technical specification of a Broadband Forum designed for remote governing of a CPE. CWMP is a standardized and widely-used text-based protocol enabling communication between CPE and Auto Configuration Server (ACS). Rocket CWMP is a modular CWMP-client capable of supporting TR-069, TR-181 and other technical reports. The project was started out of an industry gap regarding a production-ready, FOSS solution that meets the ISP requirements and the feature and security requirements of modern embedded devices. It is capable of integrating into existing solutions for automatic and remote software installation or provisioning of CPEs. 
The client is designed to be easily portable to different Linux platforms (OpenWrt and other Linux distributions such as Yocto, Debian, Ubuntu and others). Its modularity implies that developers can easily build new features based on their requirements. It would serve as a lightweight glue between CWMP and embedded Linux software standards for configuration and statistics. The end goal of this project would be to create a FOSS client delivering the mandatory remote management features in the ISP ecosystem. ISPs would finally be equipped with a CWMP client that: a) is an open and extendable replacement of the closed software alternatives, b) is designed to easily include and configure various backend systems and c) allows replacing proprietary firmware and leveraging Open Source components. >> Read more about Rocket CWMP Storing Efficiently Our Software Heritage — Faster retrieval within Software Heritage Software Heritage (https://www.softwareheritage.org) is the single largest collection of software artifacts in existence. But how do you store this in a way that you can find something fast enough, taking into account that these are billions of files with a huge spread in file sizes? \"Storing Efficiently Our Software Heritage\" will build a web service that provides APIs to efficiently store and retrieve the 10 billion small objects that today comprise the Software Heritage corpus. It will be the first implementation of the innovative object storage design that was designed in early 2021. It has the ability to ingest the SWH corpus in bulk: it makes building search indexes an order of magnitude faster, helps with mirroring etc. The project is the first step to a more ambitious and general purpose undertaking that makes it possible to store, search and mirror hundreds of billions of small objects. 
>> Read more about Storing Efficiently Our Software Heritage Security audit of Sailfish FOSS components — Analyse security of secrets, Sailfish ofono and Sailjail Sailfish is a European mobile operating system developed by the Finnish company Jolla. This project will conduct independent security research into the Sailfish FOSS components, with a focus on its cryptography, 5G support and sandboxing of the SailfishOS operating system. The project will also compare Android and SailfishOS on their app permissions, encryption and isolation mechanisms. The researchers are not affiliated with the company behind the development of SailfishOS. >> Read more about Security audit of Sailfish FOSS components SpinalHDL, VexRiscv, SaxonSoc — Open Hardware System-on-Chip design framework based on SpinalHDL The goal of SaxonSoc is to design a fully open source SoC, based on RISC-V, capable of running Linux and optimized for FPGA to allow its efficient deployment on cheap and already purchasable chips and development boards. This would provide a very accessible platform for individuals and industrials to use directly or to extend with their own specific hardware/software requirements, while providing an answer to hardware trust. Its hardware technology stack is based on 3 projects: SpinalHDL (which provides an advanced hardware description language), VexRiscv (providing the CPU design) and SaxonSoC (providing the facilities to assemble the SoC). In this project, we will extend SpinalHDL, VexRiscv and SaxonSoc with USB, I2S audio, AES and floating point hardware capabilities to extend the SoC applications to new horizons while keeping the hardware and software stack open. >> Read more about SpinalHDL, VexRiscv, SaxonSoc Secure Web Tokens for Linux — TPM 2.0 backed FIDO2/U2F tokens on Linux This project aims to develop a systemd daemon that utilizes the TPM 2.0 security chip to provide FIDO2/U2F tokens for web browsers and operating system applications on Linux. 
Leveraging the ubiquitous presence of TPM2 in modern PCs, the daemon will enhance security and usability for Linux users. It will allow the integration of security chips as access tokens with web extensions, secure local passwords and HOTP/TOTP managers, and enable hardware-based lock screen authentication mechanisms. The daemon will interface with the TPM2 chip to manage FIDO2 token generation. It includes support for the \"uhid\" kernel driver for button press emulation when no fingerprint reader is available for authentication. The project involves developing the daemon, ensuring seamless integration with systemd, and conducting extensive testing for functionality and security. Comprehensive documentation will be provided for setup and use, along with user guides for web extension integration. The outcome will be a robust, secure, and user-friendly solution for Linux users, elevating the baseline security and leveraging existing hardware capabilities to the fullest. >> Read more about Secure Web Tokens for Linux SelfPrivacy — Reproducible self-hosting stack based on NixOS Self-hosting can be a challenge even for a professional, let alone an unprepared user. SelfPrivacy is a free application that helps you set up and manage your self-hosted services. The goal of the project is to create an accessible tool that gives everyone an opportunity to create their own self-hosted infrastructure. SelfPrivacy supports multiple platforms, and to use it, all you need is to register with a provider and copy the access token into the application. SelfPrivacy will set up the system, domain, DNS and install open source services such as E-Mail, Nextcloud, Jitsi, etc. SelfPrivacy automates the entire lifecycle: provisioning, updates, configuration changes, monitoring, backups and space management. >> Read more about SelfPrivacy Adding TPM Support to Sequoia PGP — Implement use of TPM 2.0 crypto hardware for OpenPGP Protecting cryptographic keys is hard. 
If they are stored in a file, an attacker can exfiltrate them - even if the hard drive is encrypted at rest. A good practical solution is a hardware token like a Nitrokey, which stores keys and exposes a limited API to the host. For most end users, a token is a hassle: one needs to carry it around, it needs to be inserted, and it is not possible to work if it is left at home. And it needs to be purchased. There is a better solution, which doesn't cost anything. A trusted computing module (TPM) is like an always-connected hardware token only more powerful (the keys can be bound to a particular OS installation, it can store a nearly unlimited number of keys, not just three) and TPMs are already present in most computers. This project will add support for TPMs to Sequoia PGP including comprehensive test suites and in-depth documentation for both software engineers, as an API, and end-users, as a way to use TPM-bound keys through Sequoia's command-line interface (sq) for decryption and signing. >> Read more about Adding TPM Support to Sequoia PGP Multiprocess Mode in Servo — Speed up Servo with parallelisation While Servo already has multi-process mode, it’s not enabled by default. The main reason is that it isn’t completely supported on every platform yet. Only Linux and macOS have full support. It also isn't tested in the WPT suite. In this project, we want to complete the feature set of multi-process mode in Servo, set it to default, and encourage other projects based on Servo (like the Verso browser) to use it, as they could massively benefit from this multi-process architecture. >> Read more about Multiprocess Mode in Servo SiCl4 — Tool for interactive reverse engineering of digital logic. SiCl4 (silicon tetrachloride) is a tool for reverse-engineering digital logic designs. Starting from an FPGA bitstream or other types of netlists, this tool will assist users in interactively recovering higher-level structures. 
Algorithms will help with tasks such as finding shared subcircuits or identifying known patterns such as adders, counters, comparators, state machines, etc., so that the user can focus on understanding the higher-level functions of the target design. SiCl4 will be scriptable in order to allow for easy extension, and it will also integrate with the existing open-source EDA ecosystem. >> Read more about SiCl4 Snix-{Store/Build} — Improve store and builder component of Snix Snix is a modern design and implementation of the Nix package manager (GPLv3). It brings a modular architecture in which components such as the build environment or package store are replaceable, which enables new use-cases and platforms. A graph-reduction evaluation model will make it possible to use Nix for package definitions and entire system configurations, its proven and tested use case, as well as for granular build definitions for individual components of software. Snix will be fully compatible with nixpkgs, the existing package definition set for Nix, letting its users leverage more than a decade of community contributions and making it useful right out-of-the-box. This particular project focuses on the Store and Builder components of Snix, upgrading the store protocol, improving the Builder API as well as providing more interop with Nix. >> Read more about Snix-{Store/Build} Spectrum — A security through compartmentalization based operating system Spectrum is an implementation of a security through compartmentalization based operating system, built on top of the Linux kernel. Unlike other such implementations, user data and application state will be managed centrally, while remaining isolated, meaning that the system can be backed up and managed as a whole, rather than mixed up in several dozen virtual machines. The host system and isolated environments will all be managed declaratively and reproducibly using Nix, the purely functional package manager. 
This will save the user the burden of maintaining many different virtual computers, allowing finer-grained resource access controls and making it possible to verify the software running across all environments. The Linux base, and a variety of isolation technologies from containers to virtual machines, will bring security through compartmentalization to a much wider range of hardware than previous implementations, and therefore make it accessible to many more people. >> Read more about Spectrum Spectrum Applications — Add running graphical applications to the compartmentalized desktop OS Spectrum Spectrum is a project that aims to develop a secure, compartmentalized desktop operating system with security and usability improvements over other existing implementations. This project will improve Spectrum's support for running graphical applications. Currently, users have to manually create virtual machines by laying out a configuration directory themselves (or using a helper Nix function). Running a new application often requires some customisation work on the VM to set up the environment suitably for the application to run and defining access controls - and there is no facility to create a VM on the fly. After this project is done, the system will be able to automatically start VMs on the fly for applications packaged as AppImages, and applications will be able to dynamically request access to files using the existing XDG Desktop Portals interface that is already implemented by major toolkits (so File→Open… will just work in unmodified applications, with the user able to select from all their files without the application being able to see them). The foundations will have been laid to go on to support applications packaged in other ways, such as Flatpak (which could be follow-up work, should this initial stage be successful). 
>> Read more about Spectrum Applications Transitioning SMM Ownership to Linuxboot — More robust defense Against Firmware Vulnerabilities In an era marked by escalating cybersecurity threats, firmware security is one of the biggest blind spots. One pervasive weakness lies in an architectural design called System Management Mode (SMM). Sometimes referred to as “Ring -2”, SMM is used by device manufacturers to interact with hardware like NVRAM, emulate hardware functionality, handle hardware interrupts or errata, and perform other functions. The unrestricted, non-standardized control inherent to SMM implies significant security vulnerabilities. There is no shortage of Day-0 and Day-1 firmware vulnerabilities related to SMM. Current industry practices open a wide door for cyber attacks, and the attacker can even bypass the secured OS kernel with the SMM loopholes. This proposal introduces a novel SMM architectural design, by transitioning SMM ownership from core firmware (e.g. coreboot) to payload - in this case Linuxboot. This will leverage the robust, open-source nature of Linux’s SMM drivers: these drivers have been proven to work very well over decades, and their open source nature makes security reviews easier. This initiative aims to develop and universalize a secure architectural design in collaboration with chip vendors, thus elevating the resilience and integrity of our digital ecosystem. >> Read more about Transitioning SMM Ownership to Linuxboot Servo Webview for Tauri — Integrated portable webview based on Servo engine into Tauri The web ecosystem lacks a cross-platform, non-corporate controlled system for running web content. Tauri is a system for distributing cross-platform applications that relies on engines present on a system - effectively those owned by Apple, Google, and Microsoft. These permit varying levels of user control. The Servo project is a cross-platform, open source web engine. 
While Servo's support for web features such as CSS and JS is still incomplete (making it difficult to rely on it for running arbitrary web content) it is actually a great match for Tauri already. This project would incorporate Servo into the Tauri project, enabling it to run applications in a consistent, open source web runtime on major desktop and mobile platforms. In doing so, the project would also identify and address the highest priority web compatibility issues in Servo, while preparing a roadmap for significant compatibility issues that remain unaddressed. Additionally, the project would identify any opportunities for reducing the binary size, supporting broad distribution of Tauri apps to as many users as possible. >> Read more about Servo Webview for Tauri Termux — Android terminal app and software distro/run-time Termux is an Android app that provides a terminal emulator and a GNU/Linux distribution environment with 2000+ packages and executes programs natively on Android host OS/kernel, without any emulation or containerisation. It allows users to locally do most things that can be done on a Linux PC, like program in many languages, use text editors/IDEs, backup files, host websites and servers, and even run a full Linux desktop interface. Under the NGI Mobifree grant the following three improvements to Termux are planned to be implemented: 1) A termux-core library will be created which allows external projects to use Termux execution environment in their own apps. 2) A new APK Library File (APKLF) execution/packaging design will be implemented so that Termux can comply with security restrictions in Android 10 and newer that prevent apps from executing downloaded code. Currently Termux works by being compiled in backward compatibility mode. 
3) Package sources will be patched to read paths from environment variables exported by the app, or compiled package files will be patched at install time, rather than relying on hardcoded paths in the package files to Termux rootfs. >> Read more about Termux TrenchBoot as Anti Evil Maid - UEFI boot mode support — Add UEFI to the Qubes integration of Trenchboot with AEM Qubes OS is a free and open source operating system uniquely designed to protect the security and privacy of the user. Its architecture is built to enable the user to define different security environments (\"qubes\") on their computer and visually manage their interaction with each other and the world. TrenchBoot provides a secure environment for operating system launch and integrity measurements, ensuring greater protection. The main objective of the TrenchBoot as Anti Evil Maid project is to enhance the security of Qubes OS by integrating the TrenchBoot Project with the Anti Evil Maid (AEM) implementation. Through comprehensive hardware testing, the successful execution of this initiative will promote the adoption of DRT technology in open-source and security-oriented operating systems, ensuring enhanced security for Qubes OS. This project will prioritize stability, testing, and ensuring the reproducibility of results for broader community adoption. >> Read more about TrenchBoot as Anti Evil Maid - UEFI boot mode support TrenchBoot for AMD platform in Linux kernel — Upstream TrenchBoot AMD support to the Linux kernel TrenchBoot is a framework that allows individuals and projects to build security engines to perform launch integrity actions for their systems. Trenchboot is a unified framework to verify if bugs or vulnerabilities have compromised a system, based on dynamic RTM (DRTM). The framework builds upon Boot Integrity Technologies (BITs) that establish one or more Roots of Trust (RoT) from which a degree of confidence that integrity actions were not subverted is derived. 
A previous effort successfully developed support for DRT technologies for AMD platforms in the Linux kernel. This project intends to upstream TrenchBoot support to the mainline Linux kernel and to the widely used GRUB boot manager. >> Read more about TrenchBoot for AMD platform in Linux kernel Trenchboot as Anti Evil Maid — Integrate Trenchboot into Qubes OS as defense mechanism against physical compromise Enhancing the security measures of Qubes OS is the primary objective of this initiative, which involves integrating the TrenchBoot Project into the Anti-Evil Maid (AEM) implementation. Traditional firmware security measures, such as UEFI Secure Boot and measured boot, have limitations that can be overcome by leveraging Dynamic Root of Trust (DRT) technologies and TPM 2.0. TrenchBoot provides a secure environment for operating system launch and integrity measurements, ensuring greater protection. The project aims to extend support to both Intel and AMD hardware, addressing the current lack of TPM 2.0 support and AMD compatibility in the AEM implementation. Key objectives include implementing TPM 2.0 support in Xen, updating AEM scripts, and ensuring seamless integration with AMD hardware. The successful execution of this initiative will significantly enhance the security of Qubes OS and promote the adoption of DRT technologies in open-source and security-oriented operating systems. Thorough testing on various hardware configurations will validate the solution's effectiveness and reliability. >> Read more about Trenchboot as Anti Evil Maid Trustix — Make build logs available as publicly verifiable, tamper-proof Merkle trees Software build infrastructure is vastly underestimated in terms of its potential security impact. When we install a computer program, we usually trust downloaded software binaries. 
But even in the case of open source software: how do we know that we aren't installing something malicious which is different from the source code we are looking at - for instance to put us in a botnet or siphon away cryptocurrencies? Typically, we have confidence in the binaries we install because we get them from a trusted provider. But once the provider itself is compromised, the binaries can be anything. This makes depending on individual providers a single point of failure in a software supply chain. Trustix is a tool that compares build outputs across a group of providers - it decentralizes trust. Multiple providers independently build the software, each in their own isolated environment, and then can vouch for the content of binaries that are the outcome of reproducible builds - while non-reproducible builds can be automatically detected. In this project the team will work on further enabling trust delegation, by offloading log verification to trusted third parties - heavily inspired by the Delegated Proof of Stake consensus algorithm. It will bring Trustix into the Nix and the Guix ecosystems that are most amenable to Trustix' approach. The ultimate goal is for Trustix to integrate seamlessly into the entirely decentralized software supply chain so we can securely distribute software without any central corruptible entity. >> Read more about Trustix Tvix — Alternative Rust-based software build transparency Tvix is a modern design and implementation of the Nix package manager (GPLv3). It brings a modular architecture in which components such as the build environment or package store are replaceable, which enables new use-cases and platforms. A graph-reduction evaluation model will make it possible to use Nix for package definitions and entire system configurations, its proven and tested use case, as well as for granular build definitions for individual components of software. 
Tvix will be fully compatible with nixpkgs, the existing package definition set for Nix, letting its users leverage more than a decade of community contributions and making it useful right out-of-the-box. >> Read more about Tvix UEFI isolation in VM from non UEFI firmware — Safer booting into UEFI-compliant operating system UEFI is the successor to BIOS, which initialises the bare hardware of a computer before handing over to a bootloader. The UEFI specification defines the architecture of platform firmware used for booting and its interface for run-time interaction with operating systems. As such, UEFI is responsible for bootstrapping pretty much every modern computer. In the majority of cases this is done with very little transparency for users - essentially relegating this enormously responsible position to a \"black box\" that just blips on the screen. Unfortunately, trust in vendors to live up to their huge responsibility to make this safe and robust is not always justified: quite a few issues and security vulnerabilities in the (mostly proprietary) UEFI implementations have come to the surface via real-world exploits. The key open source booting mechanisms (like coreboot and Linuxboot/u-root) are not UEFI compliant. This project aims to close the gap in a pragmatic way: through virtualization - booting into a stripped down Linux and using the Kernel Virtual Machine (which is generally considered mature) to run the open source reference implementation of UEFI until it can hand over to a UEFI compliant boot loader. This is of course a security tradeoff (the early stage Linux used for virtualisation would not be able to use UEFI just yet itself in bootstrapping), but it allows a single intervention to bridge to all different boot loaders and wholly avoid opaque proprietary ones by switching to open source ones. This also helps to debug and assist in finding new solutions to cope with the shortcomings of native UEFI implementations. 
>> Read more about UEFI isolation in VM from non UEFI firmware UEFI Capsule Update for coreboot with EDK II — Implement more robust firmware updates in coreboot UEFI capsule update is an industry-standard approach widely supported by hardware vendors, providing a secure method for delivering firmware updates. By adopting capsule update methods, the project aims to simplify the update process and enhance the user experience, providing a more reliable approach compared to complex flashrom-based updates, which are still common in the open-source firmware distributions based on coreboot. Due to security measures, OS-level access to firmware is intentionally restricted, which in turn makes it increasingly challenging to apply firmware updates from the operating system. This limitation poses difficulties in utilizing traditional flashrom-based methods for firmware updates. The expected outcomes of the project include enhanced firmware update capabilities, a simplified user experience, heightened security, and enhanced compatibility, all achieved by seamlessly integrating with fwupd, a popular firmware update management tool for Linux systems. >> Read more about UEFI Capsule Update for coreboot with EDK II Verso Views — A Functional Browser Based on Servo Verso is a web browser based on Servo web engine. While Servo hasn’t been treated as a fully functioning browser, it is possible to build one based on it already. We plan to expand this into a formal and stable application release, eventually implementing the features, making it not just a general browser application but also a webview library for embedding purposes. There are some missing features we still need to push into Servo. And there are also other works that require time and resources to make a barebone web engine into a stable application. We hope to take this project as a chance to finally make an individual repository using Servo as a dependency. 
In this way, Servo can focus on issues and features of the web engine itself. In the meantime, other chores related to the application itself can be off-loaded to other repositories and organizations. >> Read more about Verso Views Webview library with Verso for Tauri — Refactor parts of Verso into a WebView library We aim to publish the Verso browser as a library in addition to the current application approach. This way other projects could use it as a dependency in their software, and render their content with it. The distribution of a shared library is a challenging set of problems (including, but not limited to bundle format, code signing, dependency linking, etc.) that we intend to solve. We also aim to find the best possible solutions to help developers use this library with ease. One of these approaches will be to integrate with Tauri as a webview backend. >> Read more about Webview library with Verso for Tauri video box — Affordable open hardware video-to-network The goal of the FOSDEM video box project is to develop a cheap, compact, open hardware & free software video-to-network solution. Initial motivation came from scratching our own itch: replacing 60 bulky, costly, not entirely free boxes currently used at the https://fosdem.org conference. Several other conferences have already used the current setup successfully. We expect this number to grow in the future. The solution being free software and open hardware should make it flexible to adapt to different environments, like education. Being cheap and compact encourages experimental use in areas difficult to foresee. On the hardware side, we use the open hardware Olimex Lime2 board (EU built!) as a base. We plan an open hardware hdmi input daughterboard, iterating on a simplified prototype that helped us verify feasibility. On the software side, the core Allwinner A20 chip has attracted a lot of free and open source development already. 
That enables us to focus our efforts on optimising video encoding on this platform from a hdmi signal to a compact network stream. >> Read more about video box OpenIMSd — 4G/VoiceOverLTE support for open source mobile OSes The OpenIMSd project aims to bring VoLTE (4G voice calls) to Qualcomm based phones (like the PinePhone) running Free Software Mobile Operating Systems including postmarketOS, Mobian, … We will create a daemon which runs in parallel to the Modem Manager, which configures the baseband via QMI and brings up all the required services to be able to place VoLTE calls. >> Read more about OpenIMSd Free Software Vulnerability Database — A resource to aggregate software updates \"Using Components with Known Vulnerabilities\" is one of the OWASP Top 10 Most Critical Web Application Security Risks. Identifying such vulnerable components is currently hindered by data structure and tools that are (1) designed primarily for commercial/proprietary software components and (2) too dependent on the National Vulnerability Database (from US Dept. of Commerce). With the explosion of Free and Open Source Software (FOSS) usage over the last decade we need a new approach in order to efficiently identify security vulnerabilities in FOSS components that are the basis of every modern software system and applications. And that approach should be based on open data and FOSS tools. The goal of this project is to create new FOSS tools to aggregate software component vulnerability data from multiple sources, organize that data with a new standard package identifier (Package URL or PURL) and automate the search for FOSS component security vulnerabilities. The expected benefits are to contribute to the improved security of software applications with open tools and data available freely to everyone and to lessen the dependence on a single foreign governmental data source or a few foreign commercial data providers. 
>> Read more about Free Software Vulnerability Database Integration of Waydroid on mobile GNU/Linux — Run Android apps in Linux containers on mobile devices Waydroid lets the user run Android within a container on a regular GNU/Linux system, bringing access to countless existing Android applications. This particular project aims to research and implement tighter integration between the Waydroid container and its host system in terms of hardware access (sensors, location, telephony, cameras) and desktop environment (notifications, media controls), while keeping the user in control of what and when is shared with the Android container. >> Read more about Integration of Waydroid on mobile GNU/Linux Wayland input method support — Better specification for Wayland input methods As Linux distributions switch to Wayland, some functionality is still incomplete. One of them is being able to input non-Latin scripts. It is a necessity for a large portion of the world, yet it's not standardized across Wayland environments. The same text input functionality is needed for typing on mobile Linux, which, considering how many people use smartphones rather than laptops, might be even more important for Linux adoption. This project wants to bridge that gap, by continuing the effort of standardizing input-method protocols started for Phosh in Squeekboard, gtk, and wlroots. >> Read more about Wayland input method support Web Shell — Desktop and security environment for web apps The WebShell project aims to define and implement a new secure dataflow and the accompanying APIs for allowing users to use their files in Web apps without authorizing the apps to access the user's file storage. At its core, WebShell consists of a container single-page application which can open remote components (primarily apps and file-system adapters) in sandboxed iframes and communicate with them through HTML5 message channels using the defined APIs. 
WebShell provides for file operations and the required UI (file menus, toolbars, dialogs) to support the familiar file operations (new, open, save, etc.) while apps merely implement serialization and deserialization of an individual file's content, after the user's explicit request. The project will build a fully-featured WebShell Desktop container, as well as a minimal WebShell container for testing and easy deployment of single apps. In addition, we will integrate a starter set of editor apps for common file types and a starter set of file system adapters, concentrating primarily on self-hosting and non-commercial web storage solutions like remotestorage.io and Solid storage. >> Read more about Web Shell XWiki — Bring wiki capabilities into the Fediverse XWiki is a modern and extensible open source wiki platform. Up until now, XWiki had been focusing on providing the best collaboration experience and features to its users. We're now taking this to the next level by having XWiki be part of the larger federation of collaboration and social software (a.k.a. fediverse), thus allowing users to collaborate externally. XWiki is embracing the W3C ActivityPub specification. Specifically we're implementing the server part of the specification, to be able to both view activity and content happening in external services inside XWiki itself and to make XWiki's activity and content available from these other services too. A specific but crucial use case, is to allow content collaboration between different XWiki servers, sharing content and activity. >> Read more about XWiki ZSipOs — Open hardware for telephony encryption ZSIPOs is a fully open source based encryption solution for internet telephony. It takes the shape of a little dedicated gadget you connect with a desktop phone. At its core the device does not have a normal chip capable of running regular software (including malware) but a so called FPGA (Field Programmable Gate Array). 
This means the device cannot be remotely updated (secure by design): the functionality is locked down into the chip, and the system is technically incapable of executing anything else. This means no risk of remote takeover by an attacker like with a normal computer or mobile phone connected to a network like the internet. The whole system is open hardware, and the full design is available for introspection. Normal users and security specialists get transparent access to the whole system and can easily check what functionality is realized by the FPGA. This means anyone can verify the absence of both backdoors and bugs. ZSIPOs is designed to be fully compatible with the standard internet telephony system (SIP) which is the one used with traditional telephony numbers. The handling is done in principle by a regular internet phone (Dial, Confirm once – done). The cryptographic system is based on the standard RFC 6189 - ZRTP (with “Z” like Phil Zimmermann, the father of PGP), meaning it can also be used when using internet telephony on a laptop or mobile phone - of course without the additional guarantee of hardware isolation. There is no need to trust in an external service provider to establish the absolute privacy of speech communication. The exchange and verification of a secure key between the parties ensures end-to-end encryption, meaning that no third party can listen in on the call. To that extent the device has a display to exchange security codes. The same approach can also be used for secure VPN Bridgeheads, secure storage devices and secure IoT applications and platforms. The ZSipOS approach is an appropriate answer to today's security risks: it is completely decentralized, and has no dependency on central instances. It has a fully transparent design from encryption hardware to software. And it is easy to use with hundreds of millions of existing phones. 
>> Read more about ZSipOs Bcachefs — Next generation file system bcachefs aims to be a next generation Linux filesystem, with a fully modern featureset and vastly improved performance, scalability and reliability as compared to other next generation filesystems. Additionally, we aim to improve upon the state of the art in a number of areas such as extensibility, which will aid in development in other areas that have historically had to reinvent technology that already exists in local filesystems (distributed systems), repairability (online check and repair, self healing), and ease and correctness of development with the use of Rust. >> Read more about Bcachefs fwupd — Automatic Firmware updates for BSD operating systems Security holes in the equipment we run are discovered all the time, and firmware is continuously upgraded as a result. But how do users discover what they need to upgrade to protect themselves? The goal of the \"fwupd/LVFS integration in the BSD distributions\" is to reuse the effort done by the fwupd/LVFS project and make it available in the BSD-based systems as well. fwupd has been available on Linux-based systems since 2015. It is an open-source daemon for managing the installation of firmware updates from LVFS. The LVFS (Linux Vendor Firmware Service) is a secure portal which allows hardware vendors to upload firmware updates. Over the years, some major hardware vendors (e.g. Dell, HP, Intel, Lenovo) have been uploading their firmware images to the LVFS so they can be later installed on the Linux-based systems. The integration of the fwupd in the BSD-based systems would allow reusing the well-established infrastructure so more users can take advantage of it. >> Read more about fwupd libnix — Native Nix on MS Windows The libnix project improves the Windows support of the Nix package manager, by making nix and nix-build work natively on the Windows platform. 
By creating a ‘libnix’ on top of this, it will allow package managers like node, cargo, pip, and vcpkg to use Nix for building their dependencies. The effort helps bring declarative, reliable packaging systems to a wider audience. >> Read more about libnix Verifying and documenting live-bootstrap — A reproducible, automatic, complete end-to-end bootstrap The goal of the live-bootstrap project is to compile the necessary tools to compile Linux from a minimal binary footprint to avoid the possibility that a (binary) compiler could be used to introduce back-doors into the Linux kernel. As a user of the live-bootstrap project, one should be able to trace and review all steps and sources used. The goal of this project is to facilitate this. >> Read more about Verifying and documenting live-bootstrap mobile-nixos — NixOS for mobile phones and tablets The mobile-nixos project seeks to provide a coherent tool to produce configured boot images of NixOS GNU/Linux on existing mobile devices (cellphones, tablets). The goal is to provide a completely integrated mobile operating system, allowing full use of the hardware's capabilities, while empowering the user to exercise their four software freedoms to use, study, share and improve the software. >> Read more about mobile-nixos Multisoni — Modern and efficient real-time audio playback engine Multisoni is a versatile audio engine for all creative uses. For demanding real-time uses (such as video games, VR, live installations) there is a lack of free/libre audio authoring tools to map playback and effects to trigger events and interaction parameters, suitable for industrial purposes. 
Multisoni is designed to meet this need: it manages many input sources - either samples or synthesis, with support for input plugins - source and effect patching, and rendering for a variety of output systems ranging from binaural stereo to complicated multichannel setups, drawing on existing open-source solutions for audio hardware abstraction and raw audio stream management. One of its main objectives is to put creative users - sound designers, composers - on an equal footing with developer users. >> Read more about Multisoni Software vulnerability discovery — Automating discovery of software update and vulnerabilities nixpkgs-update automates the updating of software packages in the nixpkgs software repository. It is a Haskell program. In the last year, about 5000 package updates initiated by nixpkgs-update were merged. This project will focus on two improvements: One, developing infrastructure so that the nixpkgs-update can run continuously on dedicated hardware to deliver updates as soon as possible, and Two, integrating with CVE systems to report CVEs that are addressed by proposed updates. I believe these improvements will increase the security of nixpkgs software and the NixOS operating system based on nixpkgs. >> Read more about Software vulnerability discovery openXC7 — Improve hardware support for open source FPGA tooling FPGAs are reconfigurable chips capable of handling many electronic signals in parallel. They are used in network equipment like backbone switches, firewalls, video devices like surveillance cameras and radio equipment like mobile-phone base stations, radar systems and satellites to process high volumes of data with very low latency. FPGAs are also used to test digital circuit designs before they are manufactured as chips. The functionality of FPGAs is determined by a configuration file which is loaded into the FPGA at power-on. 
The configuration file is usually generated from a design file by a proprietary tool provided by the manufacturer of the FPGA. openXC7 will provide a complete set of open source tools to generate a configuration file for the widely used family of Xilinx Series 7 FPGAs from manufacturer Xilinx/AMD without having to use any proprietary tools. This will empower digital design engineers to have the guarantee that no backdoor is implemented on FPGA based devices by the proprietary design tool provided by the vendor. The availability of the source code of the FPGA design tool will also allow anyone to come up with new use cases for FPGAs currently not possible with existing tools. In this project the team will implement gigabit transceiver support, both for the widely used Artix7 and the Kintex7 families of devices, thus enabling complete open source network infrastructure (e.g. an open source 10 GB Ethernet switch). The second focal point will be identifying and fixing issues that arise from the community of users of the toolchain. >> Read more about openXC7 p4-nix — Combine Programming Protocol-independent Packet Processors language with declarative Nix packaging This project is aiming to democratize high capacity and high performance networking stacks by integrating the P4 DSL into Nix and making it easy to make an infrastructure relying on the technology by bringing up functional programming to the P4 world. Bringing P4 to Nix gives us amazing flexibility for dealing with network devices, making it easy to deploy, make artifacts, and so on, all the while exposing it to end-users who wouldn't necessarily know or use P4 otherwise. This also gives us the opportunity to look into automated deployment of hardware based networking devices, such as FPGA targets, directly from within Nix. 
>> Read more about p4-nix postmarketOS: v23.12 and v24.06 Releases — New versions of the mobile operating system postmarketOS postmarketOS keeps smartphones useful after they don't receive updates anymore: the original operating system gets replaced with an up-to-date lightweight open source software stack based on Alpine Linux. Oftentimes people use postmarketOS to upcycle their old smartphones to small home servers (like Raspberry Pis). While still experimental, we also work towards enabling all typical smartphone features too so postmarketOS can fully replace the original operating system. Besides extending the lifetime of smartphones, in postmarketOS we value the user's privacy, security and in general control over their own device. Unlike current mainstream smartphone operating systems, it is not needed to register an account and get tracked to use the operating system. Creating new releases allows us to keep the software stack up-to-date, to integrate important fixes, features and in general to get closer to provide a full smartphone experience. >> Read more about postmarketOS: v23.12 and v24.06 Releases postmarketOS — An independent mobile operating system postmarketOS is a mobile phone operating system for phones (and other mobile devices), based on Alpine Linux. Just like desktop Linux distributions, we have a package manager and a carefully crafted repository of trustworthy and privacy focused free software that will actually serve the users and not exploit them for their data. By sharing as much code as possible between various phone models, postmarketOS scales well and it becomes feasible to maintain devices even after OEMs have abandoned them. >> Read more about postmarketOS postmarketOS daemons — Add modern service daemons to postmarketOS postmarketOS keeps smartphones useful after they don't receive updates anymore: the original operating system gets replaced with an up-to-date lightweight open source software stack based on Alpine Linux. 
This project will add initial systemd support to postmarketOS, as well as making Pipewire the default audio server in postmarketOS. It will help switch the wifi backend to iwd by default, and design and prototype an immutable version of postmarketOS with an efficient A/B OTA mechanism with binary delta updates, and automatic rollback on failed updates. >> Read more about postmarketOS daemons Reproducible Builds — Make the build processes behind software distributions reproducible Reproducible builds are a set of software development practices that create an independently-verifiable path from source to binary code. >> Read more about Reproducible Builds x86-64 VM Monitor for seL4 verified microkernel — Very restricted virtualized environment for higher security The security of any software system depends on its underlying Operating System (OS). However, even OSes such as Qubes, which are \"reasonably secure\" depend on large trusted computing bases (e.g. hypervisors) with hundreds of thousands of lines of code. For example, the Qubes' Xen Security Advisory Tracker reports that 53/283 (18%) of Xen vulnerabilities over the last eight years affected Qubes. As a step towards facilitating the implementation of more secure, Qubes-like systems, we propose to retarget it to the seL4 microkernel. seL4 is an open-source, formally-verified microkernel that has matured and been maintained for over a decade. seL4's small size (10,000 Lines of Code) and formal verification make it an appealing Xen replacement for Qubes, however, its virtualization support is currently limited. As a first step to enabling Qubes on seL4 we will implement a hardened, open-source, x86 64-bit Virtual Machine Monitor (VMM) for the seL4 microkernel capable of hosting the core Qubes OS virtual machines. 
>> Read more about x86-64 VM Monitor for seL4 verified microkernel tslib — Better configuration and calibration of touchscreen devices tslib is somewhat older but widely used software for configuring the touchscreen of (mainly) embedded Linux devices including printers, mobile phones, etc. This nimble project concerns a bundle of improvements in terms of calibration, some accessibility research (to see if people with e.g. a tremor can be better served), and addressing a backlog of feature requests. In addition the project will use the help of NGI Zero to apply additional security scrutiny. >> Read more about tslib Free Software Vulnerability Database — A resource to aggregate software updates \"Using Components with Known Vulnerabilities\" is one of the OWASP Top 10 Most Critical Web Application Security Risks. Identifying such vulnerable components is currently hindered by data structure and tools that are (1) designed primarily for commercial/proprietary software components and (2) too dependent on the National Vulnerability Database (from US Dept. of Commerce). With the explosion of Free and Open Source Software (FOSS) usage over the last decade we need a new approach in order to efficiently identify security vulnerabilities in FOSS components that are the basis of every modern software system and applications. And that approach should be based on open data and FOSS tools. The goal of this project is to create new FOSS tools to aggregate software component vulnerability data from multiple sources, organize that data with a new standard package identifier (Package URL or PURL) and automate the search for FOSS component security vulnerabilities. The expected benefits are to contribute to the improved security of software applications with open tools and data available freely to everyone and to lessen the dependence on a single foreign governmental data source or a few foreign commercial data providers. 
>> Read more about Free Software Vulnerability Database xrsh — Interactive text/OS terminal inside WebXR xrsh (xrshell) brings the FOSS-soul of unix/linux to WebXR, promoting the use of (interactive text) terminal and user-provided operating systems inside WebXR (=xrsh). Technically, xrsh is a bundle of freshly created re-usable FOSS WebXR components. These provide a common filesystem interface for interacting with WebXR, offering the well-known linux/unix toolchain including a commandline to invoke, store, edit and run WebXR utilities - regardless of their implementation. Think of it as termux for the VR/AR headset browser, which can be used to e.g. livecode (using terminal auto-completion!) for XR component (registries). >> Read more about xrsh ","url":"https://nlnet.nl/thema/OperatingSystems.html","title":"Operating Systems"},{"title":"Open Social Fund","url":"https://nlnet.nl/thema/OpenSocialFund.html","description":" Open Social Fund Promoting the healthy development of the Fediverse This page contains a concise overview of projects funded by NLnet foundation that belong to Open Social Fund (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. The User-Operated Internet fund is aimed at establishing technology commons which allow users of the internet to operate and improve every part of the technologies they depend on. This ranges from free and open source software to open hardware, so feel free to check them out and use whatever you find in whatever way you need - everything is licensed in such a way that you can study, use, modify and share them. The User-operated Internet Fund is made possible with financial support from the PKT Community/ The Network Steward and stichting Technology Commons Trust. Applications are still open, you can apply today. 
ActivityPub community steward — Despite the decentralised nature of the internet, its widely popular application for social media has created highly centralised platform-based networks, where power is concentrated in few hands and participants (‘users’) are subject to the whims of whomever owns the platform. While critique on the situation is prevalent, the network effect has kept many people, organisations and institutions including governments, locked in to these platforms. The Fediverse has appeared as an alternative to centralised social media, based on W3C ActivityPub, with the convergence of a standard allowing for decentralisation and local autonomy. This project revolves around helping to promote healthy practices and supporting the growth of the wider Fediverse ecosystem via supporting the FEP process, participation in community initiatives and the Social Web Incubator Community Group (SWICG). This involves being available as a facilitator for dialogue, helping to structure discussions and involving relevant stakeholders missing in important dialogues, and linking people and efforts to each other where possible. >> Read more about ActivityPub community steward Progressive Web App - ActivityPub API — General purpose web client for ActivityPub The project will build a Progressive Web App (PWA) compatible with ActivityPub servers supporting the ActivityPub API (the Client to Server protocol, aka C2S). The goal is to support general purpose and specialized ActivityPub projects beyond the micro-blogging domain, allowing those projects to focus on innovation and server to server federation. >> Read more about Progressive Web App - ActivityPub API Betula — Betula is a free federated self-hosted single-user bookmarking software for the independent web with archival support. Use it to organize bookmarks, maintain a linklog or a personal web archive. 
It supports W3C ActivityPub, meaning Betula instances can be subscribed to from other Fediverse software like GoToSocial, Mastodon, and Lemmy. Betula instances can follow other Betula instances, and users can repost other users' bookmarks. >> Read more about Betula Connected Places — All the news happening in the Fediverse Connected Places publishes a weekly newsletter with comprehensive coverage of all the news and developments that are happening in the ActivityPub ecosystem and other federated technologies. The project systematically monitors the various parts of the ecosystem for news, ranging from developer channels to ActivityPub standards W3C Working Groups, from community events to moderation networks and inter-community struggles. Each issue delivers a comprehensive overview of all the news concerning the Fediverse of that week. The news is placed in a wider context, with the goal of helping people with sense-making and understanding what the Fediverse network actually is. Connected Places also regularly publishes deep-dive articles that analyse specific aspects of the Fediverse, ActivityPub, and the cultures of the network. >> Read more about Connected Places EU Voice-Video case study — Integrating Fediverse into Public Administration The EU’s reliance on profit-driven, closed-source and ad-based social media platforms comes with significant challenges to digital sovereignty. Dependency on these to facilitate official communication can undermine democracy and influence political opinions. The goal of this project is to provide policy recommendations and comprehensive guides for public administrations, and civil society actors interested in self-hosting and alternatives. A starting point of the project is the pioneering effort by the European Data Protection Supervisor (EDPS) to integrate self-hosted Fediverse instances into public administration (\"EU Voice\" and \"EU Video\"). 
The project will map the landscape of Fediverse use and the surrounding policy considerations in the EU's public administration by issuing informal inquiries with stakeholders, via Freedom of Information (FOIA) requests of involved institutions. The project will also conduct in-depth interviews to elicit the affordances and limitations in operational activities to set up and maintain Fediverse instances and the impact on organizational structures and existing social media outreach strategies. >> Read more about EU Voice-Video case study Fediverser — Easier migration towards Fediverse alternatives Fediverser is a set of tools to help people migrate away from proprietary social media into upcoming alternatives in the Fediverse. It provides a service that runs on top of Lemmy to let the instance admins create a map of legacy (e.g. subreddits) to specific Lemmy communities. It also provides an authentication and signup system on top of OAuth, which allows, for example, for people to sign up to a Lemmy server by using nothing but their existing Reddit account, and when they sign up the user will be automatically subscribed to the Lemmy communities that correspond to their favorite subreddits. >> Read more about Fediverser Govdirectory — Global directory of public bodies on the fediverse Govdirectory is a crowdsourced global directory for public organizations and their contact details. It already has a lot of contact details for public organizations across the world. This project makes it easier for people to discover and engage with governments on the Fediverse. >> Read more about Govdirectory Nitro Porter support expansion — As some large proprietary social platforms have become increasingly problematic to stick to, communities are looking for alternatives. The biggest hurdle to changing to open alternatives is the migration process. Folks understandably don’t want to give up their community’s history and legacy even if the new tool is obviously better. 
This creates lock-in and stagnation across the entire industry as everyone settles for “good enough” in how we build communities online. Nitro Porter seeks to “free communities” by giving them a straightforward tool to migrate to the software of their choice. It offers dozens of source products and several target products. It does this by using an intermediary “porter format” that is universally adaptable to all community data structures that also grew out of Vanilla Forums. In this project, NitroPorter will implement migrations to a number of new targets: Discourse, NodeBB, Agorakit, PhpBB, and Simple Machines Forum. >> Read more about Nitro Porter support expansion "},{"description":" OpenDocument Format Enable future proof office documents. This page contains a concise overview of projects funded by NLnet foundation that belong to OpenDocument Format (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. AbiCollab — AbiWord Telepathy and SIP backends This project is centered around AbiWord, a Free and Open Source word processor, which supports most of the features people have come to expect from a modern word processor. It also comes with features that are not present in competing products, most notably support for real time document collaboration through the AbiCollab plugin. The AbiCollab plugin allows multiple people to work on-line on the same document at the same time. This eliminates the error prone practice of sending document updates over email to co-authors to keep everyone in sync. AbiCollab is designed to be transport protocol independent. It currently supports collaborating over plain TCP, XMPP/Jabber, the OLPC mesh network and over the AbiCollab.net service. This project aims at the creation of two additional AbiCollab transport backends. The first would use the Telepathy framework. 
The second AbiCollab backend would be based on the SIP SIMPLE client SDK. >> Read more about AbiCollab AbiMacOS — Port Abiword to MacOS Within the scope of this project the open and free word processor AbiWord will be ported to MacOS platform and submitted to the AppStore. >> Read more about AbiMacOS AbiRDF — Abiword RDF NLnet strives to broaden the footnote of the ODF standard. RDF (Resource Description Framework) is one of the distinguishing features of ODF. The project is to enhance the existing RDF support in Abiword. Many use cases which are highly user oriented are being handled: drag and drop, sidepanels, notifications, stylesheets, and hookups to Web services. Allowing SPARQL queries will significantly enhance the possibility of ODF for real time collaboration. >> Read more about AbiRDF AbiRDF2 — Abiword RDF-2 Abiword is an open source word processing application with advanced collaboration features. The project is to improve RDF support in abiword with the goal of increasing user adoption and interest in the technology. The following improvements are foreseen: Support for office:annotation-end in Abiword's ODF handling C++ Semantic Objects which relate to common RDF vocabularies. Drag and Drop to/from Semantic Objects Presenting drag and drop possibilities, both from other applications into an ODF file, and from an ODF file to other applications, should entice users to see ODF as a solid single file container for storage and transmission of not only words but also semantics. >> Read more about AbiRDF2 Calligra-SVG — Improve fallback mechanisms in Calligra ODF loading and saving. The ODF standard specifies that adraw:framecan contain text boxes, ODF objects, binary objects, images, applets, plug-ins or floating frames. No current ODF-handling application can handle all of these. The standard anticipates this and specifies a fall-back mechanism by recommending to include an image representation of the object into the frame in addition to the object itself. 
The image specification does not limit the formats for the images but recommends that vector graphics are stored in the SVG format and bitmap graphics in the PNG format. We propose to improve the fallback mechanism for unsupported objects in the Calligra suite. >> Read more about Calligra-SVG Calligra-Windows — Bringing Calligra Suite to Windows The Calligra project is an ambitious new take on productivity and creativity. Built on the powerfull cross-platform QT and KDE technology platforms, it offers a complete open source office suite that sports exciting new features and offers excellent support of the OpenDocument Format. The project will port a number of open source library to the Microsoft Windows platform and produce a standalone Windows installer that users can download and execute. Applications include The Windows Calligra applications will check on startup whether a new version is available and warn the user. The applications will be built using Microsoft Visual C++ to conform best to platform standards. Visit the website of Calligra and Krita. >> Read more about Calligra-Windows FLOSS-manuals — on-demand printing of Open Source manuals FLOSS Manuals produces high quality collaboratively authored manuals about how to use free software. Within this project FLOSS Manuals integrates the content creation platform with Print on Demand services. This will enable collaborative authoring of manuals online, and the output directly to book form available for purchase via a print on demand service. The project wil result in a platform allowing: To extend our available output formats. We currently enable output to html, basic pdf, and we have inclusion api. However its very necessary to extend this to output to docbook, man pages, and the forthcoming new scribus file format. To tie in manual production and remixing to a print on demand service. To build RSS subscription services for manuals. 
>> Read more about FLOSS-manuals Kolab-Sync — ActiveSync your Kolab Kolab is a modular groupware solution being used in a wide variety of settings, including heterogeneous environments with KDE Kontact and Microsoft Outlook clients. Differentiating features for Kolab include a security centric design and support for end-to-end encryption on GNU/Linux and Windows. Kolab is also unique in that it has no proprietary components and offers a strong migration path on the desktop from Windows to GNU/Linux and has been designed with strong privacy in mind. The next generation of Kolab clients will bring secure semantic search in encrypted email for Kontact, the primary Kolab client, on GNU/Linux, Windows, Mac OS X, Maemo and Windows Mobile. This project is being co-financed by Intevation GmbH. >> Read more about Kolab-Sync LibreDocs — LibreDocs This project aims to develop a open web-based office suite and offer it online for everybody to use, free of charge. Contrary to GoogleDocs leaving users in control of the documents they author with it. Using Unhosted it will separate user data from the application. Libre Docs is a perfect proof of concept for Unhosted. It will help the Unhosted project evolve from a conceptual phase to proven technology, after which many more applications can follow this successful path. There are three distinguishing advantages to applications like Google Docs. It is free and thus allows the technology to evolve freely, without generating lock-in and monopolies. The Unhosted web architecture is better than hosted software because it separates user data from applications. It is storing the data in a location that is chosen by the user and not at the premises of an application provider, leading to better privacy control and security. >> Read more about LibreDocs Lokalize — cross-platform computer-aided translation system KAider was renamed to Lokalize and will be included in kdesdk package for KDE. 
Lokalize is a computer-aided translation system that focuses on productivity and performance. Translator does only creative work (of delivering message in his/her mother language in laconic and easy to understand form). Lokalize implies paragraph-by-paragraph translation approach (when translating documentation) and message-by-message approach (when translating GUI). This project will develop of a cross-platform computer-aided translation system. Currently it is fine-tuned for open source software translation and is used in production by contributors of KDE, openSUSE, and several other projects. >> Read more about Lokalize ODF-AbiChanges — ODF Track changes in AbiWord The ODF file format is an open format for storing computing documents. The format is gaining support for tracking changes made in revisions of documents. In order to advance the cause of including change tracking in the ODF/ODT file format specification some office suites must be able to save and load the change tracking information. The project is to add initial support for change tracking to the ODF code in the Abiword word processor. >> Read more about ODF-AbiChanges ODF-AbiChanges2 — ODF Track changes in AbiWord (2) This is the continuation of the earlier project ODF Track changes. The ODF file format is an open format for storing computing documents. The format is gaining support for tracking changes made in revisions of documents. In order to advance the cause of including change tracking in the format ODF/ODT file format specification some office suites must be able to save and load the change tracking information. The project is to improve how paragraph merge is handled in the ODT+ChangeTracking code. Explicitely tracking of paragraph merges. This will render many of the current existing heuristics for tracking paragraph merge situations unnecessary. 
>> Read more about ODF-AbiChanges2 ODF-AbiWord — improving AbiWord OpenDocument Free and Open Source Software (F/OSS) is rapidly gaining market share, especially in the Netherlands, where the government stimulates the use of F/OSS in the entire public sector. On its way to full acceptation in the real (business) world, F/OSS applications need to meet open and widely accepted standards. For the domain of Word Processing the emerging standard is the OpenDocument specification. The goal of this project is to make the AbiWord word processor more compliant with the OpenDocument specification. Scope: Resolving the software bugs related to AbiWord's OpenDocument compatibility. The produced software improvements submitted to the AbiWord community. >> Read more about ODF-AbiWord ODF-changes — Representing Changes in Open Document Format This project addresses deficiencies in the ability of the Open Document format to record changes. This is deemed to be a critical area for the wider acceptance of this format. The current capability in this area has limited scope and a number of known problems. These issues mean that the Open Document format is significantly weaker in this area than Microsoft Word. >> Read more about ODF-changes ODF-changes2 — Standardisation for Tracked Changes in ODF This project is intended to assist the Standardization Committee preparing the standard for a syntax named XML Change ML (short for XML Change Markup Language) that allows for accurately describe any incremental change and edit to the content and structure of (compound) XML documents, typically in multiple editing sessions by different authors. OpenDocument already supports a track changes mechanism, but this is limited in scope and functionality. This project's contribution will be used as one of the starting points of the work of the XML Change Markup Language SC. 
The goal is to create a generic syntax that will allow for 100% reliable capturing of differences between different versions and states of office document of any class (text documents, spreadsheets, presentations), including those that have been enhanced by custom XML markup. Change should thus provide a futureproof, application neutral syntax, that should even be capable of being used to provide change tracking between versions of documents as they are converted to yet unpublished versions of the OpenDocument Format specification, using features not currently available - although this might involve significant complexity on the side of the software in meaningfully presenting this to users. >> Read more about ODF-changes2 ODF-compare — Creating Tracked Changes in Open Document Format by Document Comparison This project Provides an inter-operability demonstration of the proposed new track change format for ODT. There is an urgent need to demonstrate that the proposed tracked-change format for ODF works in practice. Therefore this project will provide a simple on-line demonstration of this. It will not be based specifically on ODF but will rather compare any two XML files and generate a tracked-change result. This will enable evaluators to put in, for example, two versions of an ODT table and see how the changes would be represented. The work will be done in two phases: Generate a tracked-change (TC) XML document from two XML input documents neither of which have any tracked change within them. This would be achieved by comparing the files using DeltaXML Core and then converting the DeltaXML delta format into the new TC format. Provide the above as a web service for access by a limited number of members of relevant technical committees. This would provide the ability to upload XML files and download a tracked-change representation of the changes. The web service will be maintained until January 2011. 
>> Read more about ODF-compare ODF-DocMod — Modularise ODF 1.2 documentation The modularization of the Open Document Format is one of the most important upcoming tasks for the OASIS ODF TC. Unfortunately it is not an easy step, as the model of the ODF 1.2 part 1 is listing about 600 XML elements about 1300 XML attributes. The modularization of these elements into logical pieces (like section, image, paragraph, table, etc.) is needed. To ease the TC's work and avoid errors such huge tasks are best being solved by tools, automating all the parts that can be automated. The idea is to provide a generated ODF documentation in HTML that lists alphabetically all attributes and elements of ODF. In addition this will allow to extract values for attributes and an easy to read backus naur form for all 'children elements'. >> Read more about ODF-DocMod ODF-KOffice — ODF load and save in KOffice KOffice has long had a strong OpenDocument implementation, the main implementation outside the famous OpenOffice. In KOffice version 2, the text engine was upgraded to support more features and to support anonymous properties inside the text engine. This project aims to make KWord ready for release based on the new text engine. The new text engine requires that large parts of the existing ODF loading need to be reworked. The main task is therefore to make the ODF loading and saving code work as good (or even better) than with the latest stable release (1.6.3). To reach this goal, automated tests based will be created based on existing collection of ODF test-documents. The ODF-testsuite is available with an open licensing model, but is hardly used by any vendors. One reason for this is the amount of manual labor to load each test and visually confirm the on screen version is according to spec. The second problem is that the results are open to interpretation. The main project goal is to import relevant tests from the test-suite. This is estimated to contain around 100 tests. 
There will be a framework to load each test and code that tests if the loading succeeded and thus if the test passed. The second goal after this is to make a significant portion of the tests pass, which implies that KOffice can correctly load the ODF data. This goal includes implementing features in KWord that are required by ODF. The third goal, is that KWord as an application is finalized to be releasable at the KOffice 2.0.0 release. This includes fixing bugs and polishing the user interface. >> Read more about ODF-KOffice ODF-KOffice2 — ODF metadata in KOffice KOffice has strong OpenDocument implementation, the main implementation outside the famous OpenOffice. The goal of this project is to add ODF metadata support to KOffice. >> Read more about ODF-KOffice2 ODF-KOffice3 — ODF revisions in KOffice The open source cross-platform KOffice suite is an exemplary ODF implementer, currently lacking some features. In KOffice 2.1 there is only basic support for track changes as per the OASIS ODF specification. The project will add full support to the relevant KOffice products, to create another strong independent implementation of this part of the specification. Specifically, the following features are targeted: Bug-fixes to fix Danish Test Failures Complete Delete change implementation Tool-Tip Support Change Tracking for lists, images Change Tracking for tables Change Visualization Configuration Re-factoring to separate show and record. Text Layout Bug-Fixes Unit-Testing of Table Layout >> Read more about ODF-KOffice3 ODF-KOffice4 — ODF track changes/tables in KOffice and Calligra Suite This project is about Writing and testing the code to produce valid ODF track changes according to the proposed ODF 1.2 track changes format. The ODF TC has received a proposal for a new and vastly improved change tracking format, that is able to capture an unprecedented nuance in change tracking. 
By creating a full blown implementation of the proposed specification in an ODF compliant suite, including the most difficult use case, the technical proposal is validated in a real world environment. The project will also implement Basic Change Tracking Migration to the new proposed format. >> Read more about ODF-KOffice4 ODF-Numbertext — number to text conversion for the upcoming ODF OpenFormula standard This project represents well-defined spreadsheet functions and a language-neutral algorithm for the number to text (number name) conversion for the upcoming ODF OpenFormula standard, also an OpenOffice.org Calc extension as a working implementation. It is a generalization of the BAHTTEXT function and a huge number language-dependent third-party extensions of Microsoft Office Excel 2003 and OpenOffice.org. This is an important function for spreadsheets, but there was no language-neutral solution yet. Finishing the project will imply support for a dozen new European languages, plus document the implemented functions and the algorithm. >> Read more about ODF-Numbertext ODF-Recipes — ODF Software Recipes This project demonstrates what ODF libraries can do (and how) and helps attract users to them. For programmers and users ODF ODF is a great solution, and the projec thelps by showing its effectiveness and simplicity compared to legacy formats such as binary office formats and OOXML. The result of the project is a platform where any ODF library developer can upload its own library and benefit from this suite of recipes. Practically, such a project entails the opening of a wiki grouping cookbooks and recipes to perform defined tasks in those libraries. But instead of separating each library with its own pages, we'll compare them to perform the same task. Emulation... Pros and cons of each approach will be exposed. The developers of these libraries could compare its API with the other ones and find ideas to improve and complement it. Run by Itaapy. 
>> Read more about ODF-Recipes ODF-Symbian — view ODF on Symbian OS and other mobile systems As more and more governments are adopting ODF --some of them even as the obligatory document format-- it is disappointing that no open source viewer for Symbian OS or other mobile systems exists. (Symbian OS is the leading smartphone operating system in Europe, with a market share of about 80%) This project is aimed to support and release the source code of Mobile Office under a license like GPL3/LGPL3. The following will be supported by the funding: create an appropriate project under e.g Google Code, Sourceforge or other release Mobile Office's source code under an appropriate license add end-user documentation about Mobile Office as html and/or pdf pages as well as help content integrated into the application itself. finish up some remaining stuff to make it compatible with some changes done by OpenOffice.org, e.g. in relation to encryption of documents. >> Read more about ODF-Symbian ODF-Valid — ODF Online Validator to the command-line The current ODF Online Validator is hosted by Oracle Hamburg and due to the site shut-down, will be turned off any moment. The project will answer to this urgency and build an open, free, easy and out-of-the box web application - the command-line validator. The source code will be contributed to Apache, as the ODF Toolkit has become an Apache Incubator project. >> Read more about ODF-Valid ODF-XLIFF — convert ODF to Gettext PO and XLIFF for translation and localising Much content, both open and closed, is produced in office documents: word processing documents, presentations and spreadsheets. The advent of XML based formats such as OpenDocument Format (ODF) has made it possible to manipulate and add value to these documents. An important part of produced content is the ability to localise or adapt it to another culture. By translating documents it is possible for more people to access the information. 
This project aims the creation of a filter that can convert ODF documents into common translation formats (PO and XLIFF) so that they can be easily translated into other languages. Thus the objective of this project is to allow documents in the XML based OpenDocument format to be extracted for easier translation in translation tools. In order to reach this objective, a collaborative arrangement between Translate.org.za and Itaapy will be forged with the objective to build a solid platform by using the expertise from each organisation and software project, thereby providing a stronger platform for innovation in the future. >> Read more about ODF-XLIFF ODF Autotests — a framework to help users and developers write test documents for ODF software The Open Document Format (ODF) is an international standard, a vendor neutral and open format for document exchange. ODF is currently supported by multiple office suites such as LibreOffice.org, Google Docs, Microsoft Office, Apache OpenOffice, WebODF and OX. In an ideal world, all these ODF implementations would be fully compatible with each other and with the published standard. Unfortunately in the real world, multiple ODF versions with software bugs and other inconsistencies present document designers and authors with many of the same problems that HTML authors face on the world wide web. Different applications may display and handle ODF documents in different ways. ODFAutoTests is a framework to help users and developers write test documents for ODF software. Tests are a great tool to help software and standards mature, but writing tests by hand is very time consuming. ODFAutoTests makes it easy to create them, and run them across multipe products. >> Read more about ODF Autotests OdfKit — base library for processing ODF OdfKit is being designed as an open source library for creating, loading, storing, manipulating, saving and rendering documents in the OpenDocument Format (ODF). Like WebKit. 
It provides a framework of classes, functions and macros that can be used with a toolkit library like Qt or Gtk+ to create the actual library that can then be used in an application. Project deliverables: Odf Loader and saver Lossless roundtripping of documents from the beginning API for manipulating the document contents. This API should follow the specification of the OpenDocument toolkit. >> Read more about OdfKit odfsvn — use SVN to maintain ODF documents ODFSVN is a toolset to store ODF documents in a subversion repository. Why you would want to use subversion for documents: it allows you to use all features of a version control system: all changes are archived along with change notes, roll back to previous versions, see who made what changes and why, etc. people share their changes on the document through a shared repository. You can always see all changes from all editors, update your version to the latest revision and submit your changes. ODFSVN stores all repository information in the ODF metadata, you do not need to configure anything on your system. To illustrate how this works lets examine the differences between using odfsvn and email when working on a document with multiple people. Take Alex, Burt and Charles who are working on a proposal. Alex writes a first draft and mails that to Burt and Charles. Burt makes a few changes and mails the updated document to Alex and Charles. Finally a few hours later Charles finds two emails with documents in his mailbox. He needs to read both emails to see which one has the latest revision of the document, download the attachment and edit that. When he is done revising the document he, sends his updates back to Alex and Burt. As you see, this scenario involves a number of emails being exchanged at every step, people having to switch from their email application to their office application and back again for every revision, and no quick method to check if you have the latest revision of the document. 
Now lets see how Alice, Bernice and Charlene prepare a new marketing proposal using odfsvn. Alice creates a first draft and uses odfsvn to store it in a central subversion repository and mails it to Bernice and Charlene. Bernice is the first to respond and uses the document to download the latest version. When she is finished making changes, she uses odfsvn to commit her changes to the repository. When Charlene comes back in after lunch, she sees the email from Alice. She grabs the attachment, just like Bernice did earlier, uses odfsvn to update the document. odfsvn updates the document to the version Bernice commited earlier and Charlene can start editing. The second scenario is much simpler: there is no longer a need to exchange extra emails or for people to switch between their mail and office applications: odfsvn will always be able to update a document to the latest revision. In a future version, when odfsvn will also be available as a plugin for OpenOffice.org, this will be completely automatic. >> Read more about odfsvn OfficeShots — see how different office suites render your ODF document. The Open Document Format (ODF) is a new, vendor neutral and open standard for document exchange. ODF is currently supported by multiple office suites such as OpenOffce.org, KOffce, AbiWord and IBM Lotus Symphony. Microsoft has announced that MS Office will also include support for ODF. In an ideal world, all these ODF implementations would be fully compatible with each other and with the published standard. Unfortunately in the real world, multiple ODF versions with software bugs and other inconsistencies present document designers and authors with many of the same problems that HTML authors face on the world wide web. Different applications may display and handle ODF documents in different ways. 
This project will create a service called “ODF-Shots\" which lets ODF authors and designers upload documents to a webservice and see how different office suites render their documents. This allows authors of complex documents and designers of ODF templates to ensure that their documents work under many different office suites. The service works in a manner similar to Browser-shots where HTML authors can ensure that their designs work under various browser versions. >> Read more about OfficeShots SIPcollab — Decentralized and secure collaborative editing on office documents Collaborative editing on documents is required (or at least very helpful) in a broad range of use-cases. Collaborative editing capabilities between peers gets rid of the need of server and enables usage in places and circumstances where it was not possible before. >> Read more about SIPcollab ViewerJS — A multiformat document viewer for embedding, combining WebODF.js and PDF.js Is your website still littered with unfriendly commands to your users like \"In order to read this document, you must install Acrobat Reader\"? Start using viewer.js today, so that your visitors can read safely read documents online within your own website. Users hate switching between applications as they are browsing the web. Just adding links with downloads all over your site is seen as unprofessional, lousy UX and oldfashioned. Yet sometimes all you have are a bunch of documents you need to show, and manually converting each of them to native content on your site is just not practical. In addition, more and more users are becoming aware that downloading documents from the web and then running them outside of the browser is a major security risk - in fact one of the most common ways in which people are infected with malware on their computers. View some examples or just try it out on your own site. 
The heavy lifting in Viewer.js is done by these awesome projects: PDF.js (by Mozilla)PDF.js is a library created by Andreas Gal and others at Mozilla Labs. It is an HTML5 technology experiment that explores building a faithful and efficient Portable Document Format (PDF) renderer without native code assistance. PDF.js is community-driven and supported by Mozilla Labs. Its goal is to create a general-purpose, web standards-based platform for parsing and rendering PDFs, and eventually release a PDF reader extension powered by PDF.js. Visit project website WebODF (by KO GmbH)WebODF is a JavaScript library previously funded by NLnet that shows office documents created by KO GmbH. It was started by Jos van den Oever at KO and is now developed by a growing team including external collaborators. It makes it easy to add Open Document Format (ODF) support to your website and to your mobile or desktop applications. It uses HTML and CSS to display ODF documents. Visit project website >> Read more about ViewerJS WebODF — ODF editor in the browser Aim of the project: make an ODF editor that runs in the browser. WebODF is an innovative initiative because it is the first attempt at FOSS implementation of an office suite based on HTML5. Using HTML5 means that the code will run on nearly all modern computing systems. On top of that, it uses CSS in such a way that the ODF XML is used nearly unaltered in the program. This simplification allows us to develop fast and with little code. This project will help WebODF to grow: to have architectural documentation, save support, simple editing support and better rendering. Also a plugin for OfficeShots is planned to be written that writes png and PDF files. >> Read more about WebODF WebODF-Dissem — WebODF Dissemination WebODF is a JavaScript library that makes it easy to add Open Document Format (ODF) support to your website and to mobile or desktop application. 
WebODF is extremely innovative because it is the first attempt at FOSS implementation of an office suite based on HTML5. Using HTML5 means that the code runs on nearly all modern computing systems. This project aims to make WebODF stable, versatile and easy. To achieve this, a number of highly desired scenarios are being implemented: Read ODF documents on iPhone, iPad, Android and MeeGo devices. View ODF documents directly in Chrome, Firefox and Safari. Add and view ODF documents that are stored in a CMS or web mail system. Report bugs in WebODF. View a text document as it would be printed. View a document with proper placement of graphics. >> Read more about WebODF-Dissem ","url":"https://nlnet.nl/thema/OpenDocumentFormat.html","title":"OpenDocument Format"},{"description":" OpenData Projects to facilitate the creation, collection and curation of free information. This page contains a concise overview of projects funded by NLnet foundation that belong to OpenData (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. Record Federation for Corteza Clouds — Data federation over ActivityPub Corteza is a low code platform for building cloud-based web applications. This is typically for private, records-based management purposes (e.g. case management, insurance claims processing, public sector management applications, CRM, ERP), but the uses can also be public if required. It has a modular architecture and its data later, presentation layer and automation layer can each be treated individually. Corteza Record Federation makes innovative use of the ActivityPub standard to describe how content from the Corteza data layer can be broadcast across large federations of Corteza clouds. All data types, simple or compound, entire records and entire data models are supported. 
Whether it be energy, finance, health, education or smart cities, many industries need to share complex data in real-time or near real-time, while preserving the digital sovereignty of a large number of disparate actors, protecting the privacy of user data and acknowledging the law of whichever territories in which they find themselves operating. Corteza Record Federation allows for the creation of private networks of decentralised “mini-clouds”, all self-hosted and controlled by their owners, where this data exchange can happen as efficiently and more effectively than on any single centralised cloud. >> Read more about Record Federation for Corteza Clouds Folksonomy engine for the food ecosystem — Data modelling by the community Everybody is interested in the food they eat, by many different aspects, ranging from taste, cost, ingredients and nutrition to its impact on health, the environment and society. We also happen to have many different names for the same food, the way we prepare it and other properties - sometimes only used very locally. That means it is not always easy for everyone to effectively search open data sets like OpenFoodFacts. Open Food Facts - sometimes referred to as the \"wikipedia for food products\" - is the biggest open food-database in the world. The Folksonomy engine for the food ecosystem created within this project will unleash an ocean of new data and uses regarding food. Citizens, researchers, journalists, professionals, artists, communities, and innovators will be able to define and add new properties of their choice to food products on Open Food Facts for their own use or to enrich the shared knowledge. Open Food Facts already feeds hundreds of data reuses. Thousands more will become possible thanks to the new user defined properties. 
>> Read more about Folksonomy engine for the food ecosystem The Open Green Web — Ethical meta-search filter on green hosted websites The world wide web has become a mainstay of our modern society, but it is also responsible for a significant use of natural resources. Over the last ten years, The Green Web Foundation (TGWF) has developed a global database of around 1000 hosters in 62 countries that deliver green hosting to their customers, to help speed a transition away from a fossil fuel powered web. This has resulted in roughly 1.5 billion lookups since 2011 - through its browser based plugins, manual checks on the TGWF website and its API, provided by an open source platform. But what if you want to take things one step further? This project will create the world's first search engine with ethical filtering, that will exclusively show green hosted results. In addition to giving a new choice of search engine to environmentally conscious web users, all the code and data will be open sourced. This creates a reference implementation for wider adoption across industry of search providers, increasing demand and visibility around how we power the web. The project builds upon the open source search engine Searx, and will collaborate with the developers of that search tool to make \"green\" search an optional feature for all installs of Searx. >> Read more about The Open Green Web Nominatim — Multi-lingual support in address search Nominatim is an open-source geographic search engine (geocoder). It makes use of the data from OpenStreetMap to build up a database and API that allows searching for any place on earth and looking up addresses for any given geographic location. It is used as the main search engine on the OpenStreetMap website where it serves millions of requests per day but it can also be installed locally. You can easily set it up for a small country on your laptop. Nominatim has always aimed to be usable world-wide for any place in any language. 
To that end it has used generic, language-agnostic algorithms that assume a uniform data model. This has served us especially well while the OpenStreetMap database was in its early stages of development and changing fast. Now that it has matured, it is time to further improve the search experience by taking into account the particularities of different languages and the different practises when it comes to geographic addressing. We aim to restructure the part of the software that parses the place names and search queries to make it more configurable and make it easier to take into account languages and regional peculiarities. >> Read more about Nominatim Personal Food Facts — Privacy protecting personalized information about food Open Food Facts is a collaborative database containing data on 1 million food products from around the world, in open data. This project will allow users of our website, mobile app and our 100+ mobile apps ecosystem, to get personalized search results (food products that match their personal preferences and diet restrictions based on ingredients, allergens, nutritional quality, vegan and vegetarian products, kosher and halal foods etc.) without sacrificing their privacy and having to send those preferences to us. >> Read more about Personal Food Facts Plaudit — Make good science discoverable through endorsements Plaudit is open source software that collects endorsements of scholarly content from the academic community, and leverages those to aid the discovery and rapid dissemination of scientific knowledge. Endorsements are made available as open data. The NGI Search & Discovery Grant will be used to simplify the re-use of endorsement data by third parties by exposing them through web standards. 
>> Read more about Plaudit Software Heritage — Collect, preserve and share the source code of all software ever written Software Heritage is a non profit, multi-stakeholder initiative with the stated goal to collect, preserve and share the source code of all software ever written, ensuring that current and future generations may discover its precious embedded knowledge. This ambitious mission requires proactively harvesting from a myriad of source code hosting platforms over the internet, each one having its own protocol, and coping with a variety of version control systems, each one having its own data model. This project will among other things help ingest the content of over 250000 open source software projects that use the Mercurial version control system that will be removed from the Bitbucket code hosting platform in June 2020. >> Read more about Software Heritage Solid-Search — Queries in a pod Solid-Search aims to provide an open source module that adds full-text search functionality to Solid pods. Solid is an emergent specification initiated by the inventor of the World Wide Web, Sir Tim Berners-Lee. Solid aims to decentralize the web by decoupling applications from databases by introducing Solid Pods (personal online datastores that are in full control of the data owner). Having a way to search through your personal data on your Solid Pod is a must-have for the project to become truly successful. However, this requires technology that does not exist yet: a full-text search interface that works with schema-less RDF data. In order to maximize adoption and retain a modular, open approach, we will standardize the way in which data changes are described. By doing so, it will be relatively easy to introduce new search / query systems (such as search by location). 
The project will create the open source search back-end, improve linked data synchronisation specs, link the module to two solid implementations, create a front-end for end-users, and write a tutorial for adding data sources. >> Read more about Solid-Search StreetComplete — Fix open geodata with OpenStreetMap The project will make collecting data for OpenStreetMap easier and more efficient. OpenStreetMap is the best source of information for general purpose search engines that need geographic data about locations and properties of various objects. The objects vary from cities and other settlements to shops, parks, roads, schools, railways, motorways, forests, beaches etc etc etc. The search engine can use the data to answer queries such as \"route to nearest wheelchair accessible greengrocer\", \"list of national parks near motorways\" or \"London weather\". The full OpenStreetMap dataset is publicly available under an open license and already used for many purposes. Improving OSM increases quality of services using open data rather than proprietary datasets kept as a trade secret by established companies. >> Read more about StreetComplete WebXray Discovery — Expose tracking mechanism in search hubs WebXray intends to build a filter extension for the popular and privacy-friendly meta-search Searx that will show users what third party trackers are used on the sites in their results pages. Full transparency of what tracker is operated by what company is provided to users, who will be able to filter out sites that use particular trackers. This filter tool will be built on the unique ownership database WebXray maintains of tracking companies that collect personal data of website visitors. Mapping the ownership of tracking companies which sell behavioural profiles of individuals, is critical for all privacy and trust-enhancing technologies. 
Considerable scrutiny is given to the large players who conduct third party tracking and advertising whilst little scrutiny is given to large numbers of smaller companies who collect and sell unknown volumes of personal data. Such collection is unsolicited, with invisible beneficiaries. The ease and speed of corporate registration provides the opportunity for data brokers to mitigate their liability when collecting data profiles. We must therefore establish a systematic database of data broker domain ownership. The filter extension that will be the output of the project will make this ownership database visible and actionable to end users, and to curate the crowdsourced data and add it to the current database of ownership (which is already comprehensive, containing detailed information on more than 1,000 ad tech tracking domains). >> Read more about WebXray Discovery Fashion Freedom — Supporting research, development, and education to bring the fashion industry into the 21st century The Fashion Freedom Initiative wants to make sure that everyone benefits from new advances in technology in the fashion industry and beyond. It aims to assist the industry and the wider society in transitioning into a new phase where social responsibility, art, usability, privacy and sustainability are combined into a better and smarter fashion for everyone. Designing and making clothes isn't just a luxury for the affluent, or a prerogative of large factories and consumer brands: it is a universal need at the largest possible scale. >> Read more about Fashion Freedom LTSP Deskop — Remote desktop via an LTSP-Cluster Thin clients (PCs where all data is kept on a remote server and only the desktop is kept locally) have already been in use for a long time. These days, increased bandwidth and Cloud Computing allow us to go further, even to stream the complete desktop from the Internet. 
The possibility to start a desktop \"on demand\" from the cloud offers interesting new collaboration possibilities: any application can instantly become remotely accessible. For instance, having a graphic design reviewed by a design interface specialist. Or program together/review code within a single IDE instance. The goal of this project is to completely integrate remote access to a cluster of LTSP servers that can be directly accessible or streamed from any private or public cloud (like Amazon EC2 or Eucalyptus). At the start, the project is targeted at Open Source specialists who should test the new functionality, translations and design. Development versions are simple to test: no need to \"scrap\" my computer: simply instantiate a remote development desktop. Schools are a second target. Schools will be able to distribute any application to any computer with the LTSP-Cluster. Schools all over the world will be able to provide the complete school environment to any child (using Windows, Linux or Mac computer). All students have access to the same educational tools. >> Read more about LTSP Deskop OpenStreetMapNL — maintenance software for OpenStreetMap Nederland The geodata landscape is changing. Government data is becoming more and more freely available. Major map suppliers TeleAtlas and Navteq are losing their independent position through their acquisition by TomTom and Nokia respectively. At the same time, the importance of the 'Geographic Web' keeps growing, and users of geographic information are no longer content with a passive user role. The commercial suppliers are recalibrating their strategy in order to get a share of 'user generated content'. In this changing landscape OpenStreetMap is increasingly becoming a factor to be reckoned with, in particular in the Netherlands. As an independent source of a high-quality, nationwide, complete and moreover freely usable geodataset of the Netherlands, OpenStreetMap claims a clear place. 
That will not go unnoticed. There will be more end users. More companies will become interested in deploying OpenStreetMap data in their systems, websites and applications. New applications will see the light of day. Perhaps even more donations of geographic data will follow. This project is specifically aimed at: Developing systems for backups, rollback capabilities, flagging of changes, and assigning levels of trust linked to contributors and their changes. Developing a lightweight mobile editor to make it possible to check and adjust the OpenStreetMap data directly 'in the field'. Developing a more accessible interface for submitting simple changes by 'laypeople'. >> Read more about OpenStreetMapNL Searsia — Searsia is a protocol and implementation for large scale federated web search. Searsia provides the means to create a personal, private, and configurable search engine, that combines search results freely from a very large number of sources. Searsia enables existing sources to cooperate such that they together provide a search service that resembles today’s large search engines. In addition to using external services at will, you can also use it to integrate whatever private information from within your organisation - so your users or community can use a single search engine to serve their needs. >> Read more about Searsia TOS;DR — A user rights initiative to rate and label website terms & privacy policies Terms of service are often too long to read (reading all of these carefully wrought documents could quite literally cost you years of your life), yet it is very important to understand what is in them. After all, your actual legal position online depends on them in a very concrete way. The ratings from TOS;DR can help users get informed about their rights. 
>> Read more about TOS;DR Free Software Vulnerability Database — A resource to aggregate software updates \"Using Components with Known Vulnerabilities\" is one of the OWASP Top 10 Most Critical Web Application Security Risks. Identifying such vulnerable components is currently hindered by data structure and tools that are (1) designed primarily for commercial/proprietary software components and (2) too dependent on the National Vulnerability Database (from US Dept. of Commerce). With the explosion of Free and Open Source Software (FOSS) usage over the last decade we need a new approach in order to efficiently identify security vulnerabilities in FOSS components that are the basis of every modern software system and applications. And that approach should be based on open data and FOSS tools. The goal of this project is to create new FOSS tools to aggregate software component vulnerability data from multiple sources, organize that data with a new standard package identifier (Package URL or PURL) and automate the search for FOSS component security vulnerabilities. The expected benefits are to contribute to the improved security of software applications with open tools and data available freely to everyone and to lessen the dependence on a single foreign governmental data source or a few foreign commercial data providers. >> Read more about Free Software Vulnerability Database ","title":"OpenData","url":"https://nlnet.nl/thema/OpenData.html"},{"url":"https://nlnet.nl/thema/Networkinfrastructure.html","title":"Network infrastructure","description":" Network infrastructure Network infrastructure incl. routing, P2P and VPN This page contains a concise overview of projects funded by NLnet foundation that belong to Network infrastructure (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. 
0WM — Measure and visualize Wi-Fi coverage Wi-Fi coverage is key in corporate and BYOD environments, as the mobility offered by wireless protocols often outweighs criteria such as speed and stability, offered by wired alternatives. These criteria are however critical to guarantee a suitable quality of service, and reliable options to help network operators are scarce and unaffordable to small organizations. 0WM will provide feature-rich tools to produce quality coverage maps, leveraging affordable COTS components, to quickly and efficiently identify coverage problems affecting end users. >> Read more about 0WM AI-VPN — Local machine-based learned analysis of VPN traffic Our security decreases significantly especially when we are outside our offices. Current VPNs encrypt our traffic, but they do not protect our devices from attacks or detect if there is an infection. The AI-VPN project proposes a new solution joining the VPN setup with a local AI-based IPS. The AI-VPN implements a state-of-the-art machine learning based Intrusion Prevention System in the VPN, generating alerts and blocking malicious connections automatically. The user is given a summary of the traffic of the device, showing detected malicious patterns, privacy leaked data and security alerts, in order to protect and educate the users about their security status and any risks they are exposed to. >> Read more about AI-VPN Accessible security — Integration effort of independent security efforts like Qubes, Heads, coreboot, etc The \"Accessible security\" project's initiative was sparked by the need for usable security made available to the average citizen. Several projects are contributing a part of this bigger puzzle: QubesOS, coreboot, Heads, me_cleaner, Whonix and others. Yet the average person does not have the sophistication to integrate these software projects. 
With some effort we can add some missing parts, help the affected projects' usability, and facilitate access to cutting-edge developments, currently only usable by developers and more sophisticated users. Bringing these projects together will reduce the amount of expertise and effort required to benefit from these projects. >> Read more about Accessible security Detecting Forged-Origin BGP hijacks — Probabilistic detection of BGP hijacking Hackers often exploit vulnerabilities in BGP, the primary inter-domain routing protocol (essentially the “glue” that connects all networks on the Internet), to hijack Internet traffic. Our project builds on our work in detecting forged-origin BGP hijacks, a specific type of BGP hijack that remains unaddressed by recent cryptographic efforts aimed at securing BGP. Our objective is to enhance the accuracy of our detection system, which relies on a probabilistic model to compensate for the lack of cryptographic tools, ensuring that no attack goes unnoticed. Additionally, we plan to share our data and improve access to our inferences by developing APIs. This will enable both network operators and the research community to benefit from our findings and apply them to improve the security of their networks. >> Read more about Detecting Forged-Origin BGP hijacks CAKE-MAINT — Improve network queue management algorithms on Linux With the wider and wider adoption of the fq_codel (RFC8290) and cake codebases in shipping products, many issues in the field have been discovered, and features to address them proposed but not mainlined into Linux (or the BSDs). This project intends to tighten up the corner cases, fix up multiple observed problems, and add some needed new features if possible, as well as take a stab at addressing the biggest observed problem in the field for cake - not scaling shaping well to ever more popular multi-core routers. 
In addition the project will work on a new release of babeld, the reference implementation of RFC 8966 (Babel Routing Protocol) and on standardisation of Sroam, a protocol for WiFi roaming. >> Read more about CAKE-MAINT CNSPRCY — E2EE connections between trusted devices CNSPRCY aims to tightly integrate your personal computing devices (i.e. desktop, laptop & phone but not wearables) with each other. It will provide a replicated eventually-consistent database, the ability to send encrypted messages, and it will always (unless it is impossible) know how to connect to your other devices! It does not rely on third parties or blockchains, and it will not make your devices carry other people's data. Devices will simply connect directly to each other, forming a mesh and adapting to the conditions of the underlying network using a variety of protocols. CNSPRCY provides a CLI application and exposes an IPC API, allowing you or your applications and scripts to synchronize data (asynchronously) or exchange messages (synchronously) with your other devices. These messages can then trigger scripts and execute applications on the receiving device. With these tools, it will be easier to write robust, private, offline-first, P2P software than it is to implement a centralized client-server architecture. >> Read more about CNSPRCY CryptPad: Project Dialogue — Secure surveys and polls for Cryptpad Cryptpad is a real-time collaboration environment that encrypts everything clientside. Structured group interaction other than collaborative editing (e.g. gathering input through forms, polls) is a useful addition to this, and the project will incorporate it. This will replace the current basic implementation of polls (like Doodle), and introduce surveys (like Google Forms). Authors will have exclusive control over the content and format of the polls and surveys, such as which questions are asked and the acceptable format of their answers. 
They'll also have control over the cryptographic keys which decrypt the submitted results, granting authors control over publishing. In addition, the project will develop an extension of its current notifications system to allow instance administrators to publish translatable messages visible to all their users. We'll use this broadcast system to distribute language-specific surveys and recruit willing users into a series of usability studies which will guide a second round of development for these applications. >> Read more about CryptPad: Project Dialogue Distributed GNU Shepherd — A Secure Distributed System Layer for Networked Cluster Computing The project to convert the GNU Shepherd to a distributed program by porting it to use Spritely's Goblins library will empower users to more securely connect computers for clustered and other forms of cooperative work. As a daemon-managing daemon, the Shepherd exposes control of the system layer. Goblins, as an implementation of the object-capability security paradigm, provides both networking and security abstractions. Together, they will simplify and increase the efficiency of existing networked workflows without sacrificing security while also enabling entirely new kinds of cooperation between disparate machines. >> Read more about Distributed GNU Shepherd Open source ESP32 802.11 MAC — Open source wifi drivers for ESP32 The ESP32 is a low-cost microcontroller with Wi-Fi connectivity. Currently, the Wi-Fi MAC layer of the ESP32 is closed-source. This project aims to change that: by reverse engineering the hardware registers and software, we can build a networking stack that is open-source up to the hardware, instead of having to use the proprietary MAC layer. 
This will improve security auditability, open up the possibility for features not supported in the proprietary implementation (for example, standards-compliant mesh networking), improve interoperability and make research into Wi-Fi networks with lots of nodes more affordable. >> Read more about Open source ESP32 802.11 MAC Fix the Pitch Black Attack in Freenet routing — A decentralized distributed platform for private communication Hyphanet (previously: Freenet) is a peer-to-peer platform with academic roots, offering censorship-resistant publication and privacy by design. It uses a decentralized distributed data store to store and forward information of its users, and is one of the oldest privacy related infrastructures - having been in continuous development for two decades, and predating the alpha version of TOR by several years. This project solves a published theoretical denial-of-service attack on the friend-to-friend structure of its routing, which has been a looming threat since it was discovered a number of years ago. >> Read more about Fix the Pitch Black Attack in Freenet routing GNUnet CONG — Modernise the network stack of GNUnet GNUnet-CONG is an intermediate abstraction layer for decentralized network stacks. The goal of this project is to create a common abstraction for the gnunet layer-2-overlay and libp2p, which can be used by higher level services of GNUnet (DHT, CADET and others). In addition to the abstraction GNUnet-CONG adds E2E encryption and protocol versioning for protocols on higher layers. By wrapping these functionalities in a nice abstraction, CONG offers a usable secure protocol/service that enables a controlled way to deal with developmental progress on higher layers. In addition to integrating the latest changes to the layer-2-overlay of GNUnet with its other parts, this project is a step towards interoperability and collaboration between projects for a decentralized internet on a technical as well as on an organisational level. 
>> Read more about GNUnet CONG Layer-2-Overlay — Generalising the GNUnet Layer-2 Overlay for broader usage Layer-2-Overlay is a P2P connectivity layer that allows decentralized applications to establish communication with peers. The current Internet architecture is strongly biased in favor of client-server applications. To regain data sovereignty from tech oligopoly, citizens must be able to communicate directly without a few gatekeepers. Therefore decentralized applications need to overcome network obstacles of the existing Internet infrastructure without the need to set up a costly alternative infrastructure. An additional benefit is the effective usage of existing resources, to lower the environmental damage big centralized systems are doing to our planetary ecosystem. The Layer-2-Overlay will achieve this goal by utilizing a variety of existing protocols and infrastructure (Ethernet/WLAN, TCP/UDP, QUIC, Satellite) and an effective flow- and congestion-control to distribute traffic through different channels. After reconnecting the edges (e.g. PCs at home or mobiles) of the existing Internet among each other again, traffic can be forwarded directly to known peers and existing infrastructure will be preserved. The API of Layer-2-Overlay will be usable by all kinds of decentralized application use cases. For a first showcase Layer-2-Overlay will be integrated into GNUnet, an alternative network stack for building secure, decentralized and privacy-preserving distributed applications. >> Read more about Layer-2-Overlay GNUnet Messenger API — API for decentralized instant messaging using CADET Communication is one of the most valuable goods, but it requires confidentiality, integrity and availability to trust it. The GNUnet Messenger API implements an encrypted translation layer based on Confidential Ad-hoc Decentralized End-to-End Transport (CADET). 
Through CADET the API will allow any kind of application to set up a fully decentralized form of secure and private communication between groups of users. The service uses e2e-encryption and does not require any personal information from you to be used. You are able to send text messages, share files, invite contacts to a group or delete prior messages with a custom delay. Messages and files will both be stored decentralized being only available for others in the group. GNUnet provides the possibility to use this service without relying on the typical internet structures, with a turnkey optional DHT for sharing resources. Unlike many other messengers out there the GNUnet Messenger service focuses on privacy. You decide who can contact you and who does not. You decide which information gets shared with others and which stays a secret. The whole service and its API is free and open by design to be used by many different applications without trusting any third party. >> Read more about GNUnet Messenger API Gosling — Generic Onions Services Library Project One of the internet’s core infrastructural flaws is a lack of anonymity - yet anonymity is a form of privacy that many users would prefer to have. Building products which preserve this user privacy while also being featureful and easy to use is difficult. Part of this difficulty has to do with the fact that developers need to be aware of and actively counter the myriad ways users can be de-anonymised (e.g. fingerprinting, side-channels). This requires knowing many intricate details at all levels of the software stack. Project parent Blueprint for Free Speech's goal is to gradually increase the portion of the internet that offers anonymity. By creating a “generic onions services library” (Gosling), we can help developers create secure and anonymous p2p applications without having to delve too deeply into protocol design or the Tor spec, and to do so with more security assurance. 
>> Read more about Gosling OCap layer for Haskell actor library — Implement OCapN and Syndicate in Haskell's troupe This project aims to develop a stratified framework for the Haskell language to utilize ocap-based protocols. This would enable modern, secure, and efficient communication in distributed systems. The target protocols are OCapN and Syndicate, both related to CapTP, but different in focus (RPC vs sharing state). The project will provide a set of packages necessary to participate in a cross-language P2P network of applications. That includes pluggable transports, message codecs, and handling patterns. >> Read more about OCap layer for Haskell actor library SCE, DelTiC and Antler — High-Fidelity Congestion Control Some Congestion Experienced (SCE) is a project in high-fidelity congestion control (HFCC) that aims to stabilize transport congestion windows, thereby reducing queueing delay and jitter, and increasing link utilization. Our goals under NGI Zero are to complete the DelTiC (Delay Time Control) AQM algorithm, implement a new MIMD transport response aiming for max-min-fair flow competition at shared bottlenecks, and release a purpose-built congestion control testing tool, Antler v1.0. We will inform the CC community about our work, and update our Internet Drafts to keep the door open for future standardization, should the opportunity arise. >> Read more about SCE, DelTiC and Antler Holo Routing — A novel routing stack in Rust, including IS-IS routing Holo is a suite of routing protocols designed to address the needs of modern networks. Holo was started in response to the increasing trend in the networking field towards automation, where network devices are expected to be managed programmatically using a variety of standard interfaces. Written in Rust, a memory-safe language, Holo prioritizes reliability, ease of maintenance, and security. 
This project aims to extend Holo by incorporating support for the IS-IS protocol, one of the most widely used interior routing protocols. The IS-IS implementation will encompass both IPv4 and IPv6 support, cryptographic authentication, and extensions for traffic engineering. Rigorous testing against multiple vendors and comprehensive conformance tests will ensure the interoperability and robustness of the implementation. >> Read more about Holo Routing Hypermachines: Realtime and Collaborative P2P Search — Realtime and Collaborative P2P Search Modern search systems don't work offline, rely on proprietary indexes, and give users limited interfaces for content discovery. Our earlier work on the Hypercore Protocol produced a collection of data structures and networking modules for building low-latency, secure P2P applications. With this project, we will extend the Hypercore Protocol with a novel mechanism for distributing sandboxed computation, called Hypermachines, that can be combined with the existing data structures in our stack to power a next-generation search system. Hypermachines are deterministic Javascript programs, akin to lightweight smart contracts, that introduce algorithmic transparency and compositionality into our ecosystem. Users can create powerful indexing pipelines that merge their Hypermachine datasets together, yielding a highly-composable, collaborative search engine. By storing indexing logic directly alongside data structures, users can see exactly how indexes are produced, verify that they were produced correctly, and modify them according to their needs. We imagine a future in which Hypermachines power a decentralized marketplace for collaborative, transparent, and fast search engines. 
>> Read more about Hypermachines: Realtime and Collaborative P2P Search IPv6-monostack - upstream Linux SIIT/NAT64 — Commoditizing NAT64 and IP/ICMP translation to accelerate IPv6 deployment NAT64/SIIT technology is critical in enabling networks to transition away from the legacy internet protocol IPv4, yet this network function is currently expensive and hard to deploy, seriously hampering adoption. We believe we can remedy this situation by getting this translation technology accepted into the upstream Linux kernel thus paving the way to rapid and widespread adoption, accelerating IPv6 adoption overall. >> Read more about IPv6-monostack - upstream Linux SIIT/NAT64 Interpeer — Collaboration infrastructure with near real-time p2p data synchronization The Interpeer Project's purpose is to research and develop novel peer-to-peer technologies for open and distributed software architectures. The goal is to enable serverless modes of operation for collaborative software with rich feature sets equal to or surpassing centralized client-server architectures. For that reason, the initial focus lies on facilitating the extreme end of the use case spectrum with very low latency and high bandwidth requirements, as exemplified by peer-to-peer video communications in quality as close to 4k resolution as possible. When that initial goal is reached, the project focus will shift to other collaborative applications of the technology. >> Read more about Interpeer Irdest - OpenWRT Image and Bluetooth LE — Add Bluetooth LE connections to Irdest This project extends the Irdest mesh networking stack in two ways: Firstly, adding Bluetooth Low Energy support to Irdest. Bluetooth Low Energy (BLE) is an important technology to support for the mesh to work seamlessly. BLE supports the same communication range as regular Bluetooth protocol, while substantially reducing the energy footprint. Given that almost all mobile devices support BLE, supporting it in Irdest is a great advantage. 
Secondly, creating an OpenWRT image for Irdest. OpenWRT is a Linux distribution for embedded devices like routers. Like any other operating system, it has apps or packages. Irdest could see wider adoption if we publish an Irdest package for easy installation on OpenWRT. >> Read more about Irdest - OpenWRT Image and Bluetooth LE Irdest IP Traffic Proxy — Route existing IP-network traffic through an Irdest network An Irdest network allows users to easily create locally focused mesh networks amongst their communities and friend circles. To allow applications not written for this mesh network (using IP traffic routing) to route traffic through the Irdest network a proxy is required. This proxy is responsible for managing routes on entry and exit nodes, announcing routes, and allowing users control over which exit nodes they want to use for different target IP addresses. The goal of this proxy is to provide a better out-of-the box experience for new users, and expanding the scope of usable scenarios. >> Read more about Irdest IP Traffic Proxy Irdest spec, db, route scoring — Route scoring and other routing improvements for Irdest meshnets Performant ad hoc mesh networks are an important way to achieve more resilience and reduce the dependency on fixed infrastructure. Irdest is a mature, relevant and up-to-date effort for hardware- and end-user-agnostic mesh networking. This project tackles some of the largest remaining issues in the Irdest stack. The Ratman router is currently not yet usable in production settings without immense supervision. The main goal of this project is to elevate the quality and resilience of Ratman to reach a level that users, who are not directly involved in development, have the capacity to run an instance and get reasonable error messages when something goes wrong - while minimising the amount of intervention actually required. 
Additional implementation of a few key missing features will make Ratman more useful in a wider set of deployments, and should improve general performance and uptime. >> Read more about Irdest spec, db, route scoring Verified Differential Privacy for Julia — Proving sound privacy guarantees through a type system Differential privacy can be used to prevent leakage of private information from published results of analyses performed on sensitive data. Doing so correctly requires handling the extra complexity introduced by this technique, on top of the complexity of the analysis procedure itself. A proposed relief comes in the form of type systems. They allow tracking privacy properties of functions in types, where successful typechecking is equivalent to proving sound privacy guarantees. This aids the programmer in reasoning about code, detects implementation errors that are really hard to notice before one falls victim to privacy breach, and can give formal guarantees to the people whose privacy is claimed to be protected. This project will implement a typechecker based on the type system of the Julia programming language. Julia is a high-level, high-performance, dynamic programming language. While it is a general purpose language and can be used to write any application, many of its features are well-suited for high-performance numerical analysis and computational science. This should enable data scientists to compute privacy guarantees for any Julia function before they start working with real user data. >> Read more about Verified Differential Privacy for Julia Standardizing KEMTLS — Post-quantum TLS without handshake signatures KEMTLS is a recent academic proposal for an alternative way of adding authentication to the Transport Layer Security (TLS) protocol. The project is motivated by the need to migrate public key cryptography to new algorithms that resist attacks by quantum computers. 
Compared to traditional cryptography, post-quantum signature schemes generally have larger public keys and/or signatures, and need more computational effort. KEMTLS, published at the ACM Computer and Communications Security Conference in 2020, replaces signature-based authentication for web servers with a post-quantum key exchange (called a KEM) in a way that saves communication and computation. In this project we aim to prepare KEMTLS for standardization by the Internet Engineering Task Force (IETF). To that end we will implement KEMTLS in a few different open source TLS software libraries and demonstrate the viability and interoperability of these implementations. This software will assist later implementers of KEMTLS by allowing them to validate their implementations against our reference. We will also investigate optimizations for using KEMTLS in specialized environments like IoT, and will investigate issues involving certification of KEM keys. >> Read more about Standardizing KEMTLS Katzen — Meta-data resistant instant messaging over the Katzenpost mixnet Katzen is a new private instant messaging application built using the Katzenpost mixnet project, which is an overlay network that is able to hide communication patterns of individual users from passive network observers. This means that attackers cannot link sending and receiving of messages on the network with any of the participants. Messages between conversation parties are delivered to and read from message queues operated by the mixnet service operators. The legacy simple design maintains a per client queue and is able to see when a client is receiving a message, how often clients receive messages, and when the client is online and checking for their messages. 
The purpose of this project is to replace the legacy ephemeral message storage system used by Katzen with a replacement that does not link messages with a specific user or conversation. To do this, clients will include a csprng seed as part of the contact creation process that will be used to generate a deterministic sequence of message identifiers between conversation participants; these identifiers will be used by each client to query the ephemeral storage provider for the next message in the conversation. Because polling the storage service adds latency, and this design must check for new messages from each conversation partner, mechanisms to reduce the number of round trips - such as using SURBs as an asynchronous callback upon message delivery on the storage provider - will be explored as a means to build a mixnet 'push' service to decrease the total round trip delay in receiving a new message. >> Read more about Katzen Wireguard-1GE FPGA — Implement Wireguard in Verilog WireGuard is a modern data tunneling and encryption protocol for Internet security. Traditional VPN solutions such as OpenVPN and IPSec are outdated, bloated, and have security gaps. While WireGuard in many cases will be a superior alternative, the performance of a software implementation will not always be enough for high-throughput use cases. The project will implement the WireGuard protocol on a cost-effective Artix-7 FPGA, targeting a board supported by open-source tools for Xilinx with four 1Gbps Ethernet ports. The corresponding gateware will be written in the industry-standard Verilog, welcoming everyone to contribute and review our code, helping us make it more secure and widely used. This project promises to deliver a working prototype of WireGuard in hardware in complete alignment with the spirit of the open-source movement. 
>> Read more about Wireguard-1GE FPGA Krill High Availability — Making Krill RPKI daemon deployment more robust Krill shows users which announcements are seen in BGP based on the resources on their certificate, and uses this information to give suggestions about ROA configurations. Currently, this functionality is built around RIPE Routing Information System (RIS) data, which can be up to 8 hours old. With this funding Krill will be extended so that it will be able to use a local BMP or even BGP feed. This will offer a number of major advantages to users. Most importantly it will allow for near-realtime insight and alerting, and it will ensure the visibility of RPKI Route Origin Validation \"Invalid\" announcements - as those are more and more commonly dropped and therefore increasingly invisible to RIS. >> Read more about Krill High Availability Let's Connect! Client-Server to P2P — Add P2P features to Let's Connect! Let's Connect! provides an open-source VPN solution allowing ISPs, hosting providers and businesses to easily set up a secure VPN service. Currently Let's Connect! has been engineered in a traditional client-server VPN model. Basically connecting the client with VPN technology into the organization where the VPN server is deployed. Let's Connect! is also used in the educational and research community under the name eduVPN. Roughly 140 organisations, and estimated 300K users, around the globe are using eduVPN. The current client-server model of Let's Connect! doesn't facilitate directly connecting devices located in various places, like IoT devices at home or services offered in various datacenters or (public) cloud environments. This project focusses on engineering a P2P solution integrated with Let's Connect! VPN, which empowers users to connect safely to all their devices, anywhere on the internet. >> Read more about Let's Connect! 
Client-Server to P2P Librecast — E2E encrypted multicast The Librecast project contributes to decentralising the Internet by enabling multicast. It builds transitional protocols and software to extend the reach of multicast and enable easy deployment by software developers. This can for instance help to synchronise large evolving datasets to many users at the same time (even hundreds of gigabytes of blockchain data) in an economic, reliable, transparent and fair way - unlike with unicast, everyone can get a copy of the same packets received by everyone else. Not depending on a centralised structure (anyone can be the upstream source), means it is very robust as well. Librecast is energy efficient and as a next generation internet technology offers confidentiality and security - and is sustainable, has high scalability and throughput. Librecast Live is a Multicast Live Streaming, Conferencing and Remote Collaborative Work Environment. It is a versatile multicast platform flexible and scalable enough to be used for live-streaming, classrooms and conferences - using an ad hoc or previously established web of trust. While using multicast helps solve the scalability inherent with this kind of setup, actually all messages are transmitted over encrypted channels - providing strong privacy and integrity assurances through E2E encryption. >> Read more about Librecast LibreQoS — Improve congestion control for wifi networks LibreQoS is a Quality of Experience (QoE) open source platform that leverages state of the art (and IETF standardized) Flow Queueing (FQ) and Active Queue Management (AQM) algorithms to help Internet Service Providers (ISPs) enhance their customers' internet connections. It effectively manages latency and bufferbloat over existing infrastructure. LibreQoS ensures fair sharing of bandwidth, prioritizes critical real-time applications and promotes connection quality, equity and access. 
>> Read more about LibreQoS LibreQoS 2.1 — Transactional Move System and improved APIs for LibreQoS LibreQoS is a Quality of Experience (QoE) open source platform that leverages the state of the art (and IETF standardized) Flow Queueing (FQ) and Active Queue Management (AQM) algorithm CAKE to help Internet Service Providers (ISPs) enhance their customers' internet connections. It effectively manages latency and bufferbloat over existing infrastructure. LibreQoS ensures fair sharing of bandwidth, prioritizes critical real-time applications and promotes connection quality, equity and access. This project adds API functionality, which will make scaling LibreQoS to multiple servers much easier, allowing ISP operators to break the current 70 Gbps per server barrier. In addition, this project allows for a new Transactional Move System, which prevents any packet loss upon reload/refresh of shaper rules - allowing LibreQoS to scale to much larger ISP networks, improving internet connectivity for millions more end-users worldwide. >> Read more about LibreQoS 2.1 The Libre-SOC Gigabit Router — Native Open Hardware chip implementation of crypto primitives The Libre-SOC Project is developing a Libre System-on-a-Chip in a transparent fashion to engender end-user trust. Based on the OpenPOWER ISA, the next logical step is to extend and modernise OpenPOWER into the cryptographic and blockchain realm, and to do so in a practical way: design a Router ASIC. Whilst many commercial ASICs would do this using hard-coded non-transparent blocks or instructions, true transparency really only exists if the ISA has general-purpose primitives that can be Formally (mathematically) validated. The Libre-SOC Crypto-router Project therefore goes back to mathematical \"first principles\" to provide general-purpose Galois-Field, Matrix abstraction and more, on top of Simple-V Vectorisation. This provides flexibility for future cryptographic and blockchain algorithms on a firm transparent foundation. 
>> Read more about The Libre-SOC Gigabit Router Librecast Overlay Multicast — Privacy-preserving, energy efficient data replication and verification The original design goals of the Internet do not match today's privacy and security needs, and this is evident in the technologies in use today. The Librecast project contributes to decentralizing the Internet by enabling multicast. Multicast is an important network capability for a secure, decentralized and private by default Next Generation Internet. Multicast is networking with consent. Unfortunately, today's infrastructure does not fully support end to end multicast. In order to reap the benefits of multicast in the applications we build now, we need a transitional mechanism which enables overlay multicast via peer to peer tunnels so that multicast applications - using the Librecast libraries - can work everywhere, regardless of underlying network support. The Librecast project is building the transitional protocols and software required to extend the reach of multicast and enable easy deployment by software developers, to make end to end encrypted multicast a reality. >> Read more about Librecast Overlay Multicast Mainstreaming Anonymity for Developers (MAD) — Add Onion Services to interactive internet applications A library that allows software developers to build anonymous and secure peer-to-peer services and applications using Tor onion services. Gosling enables a developer to easily build technologically-guaranteed secure, metadata-resistant and anonymous networked applications (both peer-to-peer or client-server). Gosling is a Blueprint for Free Speech-developed, open-source library enabling this functionality via the use of Tor's onion services. Because effectively and safely using Tor onion services programmatically is difficult and requires specialised expertise, very few applications use this technology despite the benefits to users. 
Most of these existing applications are dependent on the web-browser technology stack and seek to 'bolt-on' anonymity and privacy guarantees to existing clearnet applications. Gosling, inspired by Ricochet Refresh and subsequent peer-to-peer onion service-based instant messaging clients, starts from first-principles and provides developers a tailored, pluggable system for peer-to-peer connectivity with all of the security and privacy properties of Tor onion services. It provides a simple API surface which reduces the chance of errors by developers which may end up compromising users' security and anonymity. Gosling contributes to globally expanding users' defences against ever-more-ubiquitous online surveillance. This project moves Gosling from a functional proof-of-concept toward a trusted library which developers will be happy integrating into their programs to build the next generation of privacy-preserving internet applications. >> Read more about Mainstreaming Anonymity for Developers (MAD) MPTCP — MultiPath TCP How do you find the best way to communicate with a computer on the other side of the internet? And why bet everything on a single connection? Multipath TCP (MPTCP) extends the most widely used transport protocol on the internet (TCP) so that it can discover and use several physical paths (e.g., Wifi, cellular, between multihomed servers) in parallel. This makes it possible to speed up transfers, smoothly transition from wifi to cellular when leaving one's house or potentially prevent traffic spying. While the protocol is proven to work well in certain conditions (the fastest TCP connection ever was using MPTCP), it is configuration-sensitive and can degrade badly under adverse conditions (for instance in heterogeneous networks with small buffers). The aim of this project is to provide the tool to help analyze the performance of a multipath protocol as well as the software to (auto)configure the system depending on the application objective and network conditions. 
>> Read more about MPTCP Improving the deployability of Multipath TCP — Improve MPTCP support in the Linux kernel Multipath TCP (MPTCP) is a standardised technology extending TCP and invented in Europe. TCP is one of the key protocols of the TCP/IP protocol stack, designed in the 1970s when hosts were attached to the network through a single cable. Today's hosts have several network interfaces, but TCP only uses one of them for a given connection. Multipath TCP solves this problem by enabling TCP connections to exchange packets over different network interfaces. With the current version of MPTCP in the Linux kernel, most of the features listed in the RFC8684 are implemented. Basic use-cases are supported but still it doesn't mean the solution is covering all needs and is easy enough to use. In short, MPTCP works well in some controlled environments but not as good in too heterogeneous ones like it is common to see on the Internet. Also its configuration is sometimes seen as difficult and/or confusing for the moment. Some work is then still needed to cover more use-cases plus to improve the usability and performances in order to have Multipath TCP adopted by a broader audience. >> Read more about Improving the deployability of Multipath TCP Improving the deployability of Multipath TCP, part 2 — Improve MPTCP support in the Linux kernel Multipath TCP (MPTCP) is a standardised technology extending TCP and invented in Europe. TCP is one of the key protocols of the TCP/IP protocol stack, designed in the 1970s when hosts were attached to the network through a single cable. Today's hosts have several network interfaces, but TCP only uses one of them for a given connection. Multipath TCP solves this problem by enabling TCP connections to exchange packets over different network interfaces. With the current version of MPTCP in the Linux kernel, most of the features listed in the RFC8684 are implemented. 
Basic use-cases are supported but still it doesn't mean the solution is covering all needs and is easy enough to use. In short, MPTCP works well in controlled environments but there is room for improvement in heterogeneous ones. Some work is then still needed to cover more use-cases plus to improve the usability and performances in order to have Multipath TCP adopted by a broader audience. >> Read more about Improving the deployability of Multipath TCP, part 2 Practical Decentralised Search and Discovery — Search and discovery inside mesh/adhoc networks Internet search and service discovery are invaluable services, but are reliant on an oligopoly of centralised services and service providers, such as the internet search and advertising companies. One problem with this situation, is that global internet connectivity is required to use these services, precisely because of their centralised nature. For remote and vulnerable communities stable, affordable and uncensored internet connectivity may simply not be available. Prior work with mesh technology clearly shows the value of connecting local communities, so that they can call and message one another, even in the absence of connectivity to the outside world. The project will implement a system that allows such isolated networks to also provide search and advertising capabilities, making it easier to find local services, and ensuring that local enterprises can promote their services to members of their communities, without requiring the loss of capital from their communities in the form of advertising costs. The project will then trial this system with a number of pilot communities, in order to learn how to make such a system best serve its purpose. >> Read more about Practical Decentralised Search and Discovery MirageVPN — Robust OpenVPN client and server, and QubesOS client OpenVPN is a virtual private network protocol which is still widely used. 
We will extend the existing MirageOS OpenVPN implementation in three aspects: develop a unikernel suitable for QubesOS, develop an OpenVPN server, and add recent features (e.g. tls-crypt v2). The project builds on top of MirageOS: a library operating system developed in OCaml — a memory-safe functional programming language. In MirageOS, each service is a separate unikernel with a minimal attack surface that only contains the code required to run it. These unikernels are normally executed as a virtualized machine such as KVM, VirtIO, Xen. MirageOS also supports using a strict security feature of the Linux kernel called seccomp. The elliptic curve primitives used in this project are correct by construction (and free of timing side channels), and have been developed in Coq as part of the Fiat-Crypto project. >> Read more about MirageVPN Movedata — Privacy-preserving, energy efficient data replication and verification MOVEDATA is an efficient and privacy-preserving tool to distribute large blocks of data, such as the contents of a whole storage device (or a device image), with zero knowledge of the structure or meaning of the data to enhance the privacy aspect, and using multicast and other technologies for efficiency, both in terms of network bandwidth and of energy usage. Ease of use is also of particular concern, providing different interfaces adapted to different use cases. >> Read more about Movedata Packet classification extensions for Netfilter — High throughput packet classification of tunneled traffic With the advent of virtualization and containers, datacenter traffic is becoming prominently tunneled through layer 2 and layer 3 encapsulation techniques such as VLAN, GRE, VxLAN, GRETAP and Geneve among others. Extended packet classification through advanced string-matching also allows to proactively detect malicious traffic patterns and to improve overall datacenter network security. 
Performance is also a paramount aspect to improve resource utilization and to allow packet classification to scale up to the increasing demands in latency and bandwidth. Nftables is the next generation packet classification software that replaces {ip,ip6,eb,arp}tables which reuses the existing main components of the Netfilter frameworks such as Connection tracking, NAT and logging. This project aims at three goals: 1) Enhancing Nftables packet classification by extending its tunneled packet classification capabilities to allow to match on inner header, 2) add string-matching infrastructure for Nftables and 3) evaluate performance to analyze bottlenecks and deliver upstream enhancements for the Netfilter packet classification datapath. >> Read more about Packet classification extensions for Netfilter neuropil — DHT based overlay network The neuropil protocol is a new integration protocol for the IoT, which can be embedded into applications and devices. It facilitates and recombines messaging paradigms with distributed hash tables, self-sovereign identities and named-data networks to establish a new kind of privacy- and security-by-design overlay network. The protocol itself embraces self-containment, reducing the need for external systems/dependencies. Our goal is a trustworthy, democratized access control mechanism for the internet of everybody. Within our project we would like to leave the beta-phase and realize the first full release of our protocol. To reach this goal we will add two remaining critical parts to our protocol: distributed time calculations and distributed linked time-stamping authorities. The first addition is not only crucial for systems without an RTC, but it also enables a de-centralized time service with a much lower attack surface. The second builds upon the first and is a key requirement to establish trust between entities using the protocol. It can also be used to ensure the integrity and to keep-track of (search-) contents of peers. 
Furthermore we will review our current reference implementation for efficiency and use less power-hungry algorithms whenever possible to support the green deal of the European Union. >> Read more about neuropil NixBox — Nix integration with netbox NixBox is a modern approach to network deployments, it combines the configuration management powers of nix with the documentation capabilities provided by NetBox. It focuses on testability, reliability and automation while making your network documentation your configuration. Our goals are to reduce downtime and improve network visibility. Utilizing virtual machine tests we can ensure that your deployment will actually work before you ship it to production. >> Read more about NixBox Adopting the Noise Key Exchange in Tox — Improved security of Tox instant messaging with NoiseIK Tox is a P2P instant messaging protocol that aims to provide secure messaging. It's implemented in a FOSS library called \"c-toxcore\" (GPLv3). The project started in the wake of Edward Snowden's disclosure of global surveillance. It's intended as an end-to-end encrypted and distributed Skype replacement. The cryptographic primitives for the key exchange (X25519), authentication (Poly1305) and symmetric encryption (XSalsa20) are state of the art peer-reviewed algorithms. Tox' authenticated key exchange (AKE) during Tox' handshake works, but it is a self-made cryptographic protocol and is known to be vulnerable to key compromise impersonation (KCI) attacks. This vulnerability enables an attacker, who compromised the static long-term private X25519 key of a Tox party Alice, to impersonate any other Tox party (with certain limitations) to Alice (reverse impersonation) and to perform Man-in-the-Middle attacks. The objective of this project is to implement a new KCI-resistant handshake based on NoiseIK in c-toxcore, which is backwards compatible to the current KCI-vulnerable handshake to enable interoperability. 
Further Noise's rekey feature will be evaluated for adoption. >> Read more about Adopting the Noise Key Exchange in Tox Nyxt — Browser integration of federated, distributed platforms Nyxt is a new type of web browser designed to empower users to find and filter information on the Internet. The information available to browsers is limited by the protocols they understand; the languages they speak. Most browsers only speak HTTP(S), a protocol designed for client/server interactions. In its latest generation, Nyxt plans to open up access to an Internet beyond HTTP, a larger, more decentralized Internet. The new versions of Nyxt will feature support for XMPP, ActivityPub, and IPFS. Together, these decentralized technologies will power much of the next generation of Internet technologies, and Nyxt will speak their language! >> Read more about Nyxt OpenHarbors — Dynamic Tunneling of WPA over IP/L2TP OpenHarbors wants to establish a novel approach for secure communication over an untrusted Wifi network - and beyond: Dynamic tunneling of WPA over IP/L2TP. Why? Because current, secure solutions are not satisfactory: They are either hard to set up, require extra software in advance or are not applicable on an open wireless community mesh network like Freifunk. OpenHarbors will utilize and implement WPA Enterprise with an extra twist: Instead of providing an encryption channel only between your mobile device and the direct WLAN access point you will be able to securely dial-out at any location on the internet you trust and choose and are granted access to. Without the hassle of installing and setting up an extra VPN software on your phone. Without the need of a trusted WLAN access point operator model or closed source firmware, in contrast to current approaches with Passpoint/Hotspot 2.0/eduroam/WBA OpenRoaming and similar - which all are conceptually not applicable on open wireless community mesh networks. 
>> Read more about OpenHarbors Securing PLCs via embedded protocol adapters — Open hardware protocol adapters for industrial automation Industrial Programmable Logic Controllers have been controlling the heart of any production machinery since the mid-70s. However, these devices have never been built for use in completely unprotected environments such as the Internet. Currently most PLCs out in the wild have absolutely no means to protect them from malicious manipulation (most don't even have effective password protection). Unfortunately \"Industry 4.0\" is all about connecting these devices to the Cloud and thereby attaching them to potentially insecure networks. In the \"Securing PLCs via embedded Open-Source protocol adapters\" initiative we are planning on porting the Apache PLC4X drivers to languages that can also be used in embedded hardware. Additionally we also want to create secure protocol-adapters using these new drivers together with Apache MyNewt, to create protocol-adapters that could eventually even be located inside the network connectors which are plugged into the PLC in an attempt to reduce the length of the unsecured network to an absolute minimum without actually modifying the PLC itself. >> Read more about Securing PLCs via embedded protocol adapters Statime — Memory-safe high-precision clock synchronization Of all severe software security bugs, a big chunk (50-70%) has one single source: memory corruption. The underlying cause is that, traditionally, systems software is implemented in languages that are not memory-safe. The way forward is to replace these pieces of software with memory-safe alternatives, one by one. Doing so will not just mitigate, but eliminate this category of bugs entirely. This project picks out one piece: the Precision Time Protocol (PTP). 
High-precision clock synchronization plays a crucial role in networking, with application areas such as high precision localization, finance, broadcasting, security protocols, smart grids, and cellular base station transmissions. Our proof-of-concept implementation will conform to the IEEE standard for PTP and will focus on the software implementation of a slave-only PTP ordinary clock. In the future, our work is expected to become part of a wider open-source roadmap for reliable and memory-safe keeping of network time, that will seek to expand the feature set of our implementation and work towards growing its adoption. Statime is part of Project Pendulum. >> Read more about Statime PeerTube — A decentralised streaming video platform PeerTube is a free, libre and federated video platform. Video is a very popular class of content and meanwhile accounts for a significant share of internet traffic, but the choice of hosting has a lot of implications - if you send your viewers to some proprietary platform because you want to avoid cost, what happens after they watch your video? And who watches them watch? PeerTube allows for a federation of interconnected hosts (so more choice of videos wherever you go to see them) while containing the risk of exposing users to profiling, algorithmic pressure that favors extreme content, censorship and other negative aspects of centralised services like YouTube or Vimeo. PeerTube implements the ActivityPub standard and works with peer-to-peer distribution - and therefore viewing. This means no slowing down when a video suddenly goes viral, and much lower distribution costs thanks to shared bandwidth. PeerTube aims to make it easier to host videos on the server side, while remaining practical, ethical and fun on the Internet user side. In this project, Framasoft will work on PeerTube 4.0 with interesting new features such as better search, live streaming, channel customisation and improved accessibility. 
>> Read more about PeerTube Peertube-Desktop — Enjoy and share federated videos Cuttlefish is a client for PeerTube that will allow for searching and discovering new and interesting videos online with more privacy. PeerTube is a federated video hosting service based on the W3C ActivityPub standard. By using WebTorrent - a version of BitTorrent that runs in the browser - users help serve videos to other users. Cuttlefish is a desktop client for PeerTube, but will work on GNU/Linux-based phones (like the Librem 5 or Pinephone) as well. We want the experience of watching PeerTube videos and using PeerTube in general to be better, by making a native application that will become the best and most efficient way to hook into the federation of interconnected video hosting services. It will have improved search, and will allow people to continue sharing watched videos with other PeerTube users for longer periods of time, instead of discarding the video when done watching. It will also help bridge PeerTube's gap between the - now separated - BitTorrent and WebTorrent networks by speaking both of those protocols. >> Read more about Peertube-Desktop Privacy Enhancements for PowerDNS and DNSdist — Make it easier to deploy private DoT/DoH resolvers DNS over TLS (DoT) and DNS over HTTPS (DoH) are two recent developments in the DNS field, and currently these are dominated by US based providers. The project will enhance the availability of open, trustworthy, privacy respecting DNS Resolvers in such a way that it allows any DNS provider, operator, or user to provide encrypted DNS service. This project aims to speed up implementation, improvement and standardisation of the most important Privacy enhancing features of DNSdist and PowerDNS resolvers to allow for the entire DNS-chain (from client, to caching-resolver, to authoritative nameserver) to be encrypted. 
The project will add support to the (open source) PowerDNS components (dnsdist, recursor and Authoritative server) for the privacy features necessary. >> Read more about Privacy Enhancements for PowerDNS and DNSdist Probabilistic NAT Traversal — Last resort ad hoc connections for GNUnet With the Probabilistic NAT Traversal project, we want to significantly improve the ability of users to directly connect with each other. For establishing a peer to peer (p2p) network among regular internet users, unhindered connectivity is anything but self-evident. Today consumer devices are often not directly reachable via the internet but quite often are behind a so-called NAT delivering only indirect internet connectivity. There are several methods to reach peers who are behind a NAT, but there are as many reasons those existing methods might fail. Manual configuration, as is possible for example with home routers, often does not work for mobile devices like mobile phones. We will implement a new way of NAT traversal that we believe to be independent of the existing network configuration, and that does not require a third party with a direct internet connection helping two peers to connect to each other. Existing NAT traversal methods use third parties which are permanently required for communication. Our Probabilistic NAT traversal method requires a third party only at the beginning of the communication. The selection of third parties to start the connection establishment is based on previous work from the Layer-2-Overlay project. Probabilistic NAT Traversal will greatly improve the connectivity of GNUnet and other P2P networks that adopt it. 
>> Read more about Probabilistic NAT Traversal R5N-DHT — Formalisation within IETF of R5N Distributed Hash Table design Decentralization and digital sovereignty are fundamental building blocks to strengthening European values of freedom of information and informational self-determination against particular interests of foreign state and commercial actors. Decentralization is often based on Distributed Hash Tables; DHTs are already an important component for many NGI components such as decentralized web applications (IPFS, Web3) or components in the blockchain ecosystem. The GNUnet/R5N-DHT - a Free Software distributed hash table and P2P protocol - provides additional and relevant properties like Byzantine fault tolerance and censorship resistance. The project will improve, implement and specify the R5N protocol as an IETF RFC (Informational). This supports other efforts such as the GNU Name System protocol (GNS). >> Read more about R5N-DHT Radio-Meshnet — Self-sustained Community and Emergency Radio Networking The project summary for this project is not yet available. Please come back soon! >> Read more about Radio-Meshnet Robur private DNS resolver and DHCP server — Secure network configuration and DNS resolution DHCP and DNS are fundamental Internet protocols, DHCP is used for dynamic IP address configuration in a local network, DNS for resolving hostnames to IP addresses. In this project, we develop a robust DHCP server and DNS resolver as a MirageOS unikernel. MirageOS unikernels are self-contained virtual machine images which are composed of the required OCaml libraries, leading to a binary with a minimal trusted code base, and thus minimized attack surface. The choice of the memory-safe, functional, and statically typed language OCaml avoids common attack vectors, such as buffer overflows and double frees. 
MirageOS unikernels can be deployed on various hypervisors (Xen, KVM, BHyve), microkernels (Genode, Muen), or as Unix binary (also with seccomp rules that allow only 10 system calls) on x86-64 and arm64. Several DHCP and DNS privacy extensions, extensive testing, and documentation are being worked on to allow everyone to use it on their home router or in the data center. Migration of existing configuration (e.g. dnsmasq) to Robur DNS resolver and DHCP server will be provided as well. >> Read more about Robur private DNS resolver and DHCP server Rosenpass Broker — Expanding the Rosenpass APIs to enable easy integration in applications Rosenpass is a post-quantum secure cryptographic protocol, an implementation of that protocol in the Rust programming language, and a governance organization stewarding development of both protocol and implementation. When used with WireGuard, Rosenpass functions as a ready-to-use virtual private network with full security against quantum attackers. This project extends the current basic API in order to allow Rosenpass to double as a programming interface for other programmers to integrate this functionality into their external applications. >> Read more about Rosenpass Broker Rotonda Secure Extensions — Implement BGPSec in Rust and integrate into Rotonda Rotonda is a modular routing project that brings BGP observability and easy BGP provisioning to networks. Its aim is to improve the safety and security of the inter-domain routing system. In this particular effort we will build two features that will help us further the goal of security and safety. First, we will implement BGPsec as a first-class citizen in Rotonda. BGPsec is a standardised protocol for securing routes in the inter-domain routing system. As far as we know Rotonda will be the first open source routing software that supports BGPsec out-of-the-box. 
Second, we will implement a run-time configurable plug-in system for Rotonda, that will not only increase its modularity and extensibility, but also its usability. >> Read more about Rotonda Secure Extensions SCION Open Source Implementation — Performance improvements for SCION reference Implementation SCION Open Source is an implementation of the SCION architecture that allows trusted, highly resilient, and path-aware routing infrastructure to be built by ISPs, CDN/cloud providers and enterprises. It supports inter-domain multipath routing by discovering paths between participating Autonomous Systems that can be combined into selectable cryptographically validated end-to-end paths. This provides higher assurances that packets will follow particular paths which can prevent route leaks and hijacks, and allow data to be geofenced thereby ensuring compliance with legislation such as GDPR and NIS2. SCION also supports fast multi-path discovery and fast failover as its path discovery process does not rely on BGP iterative convergence or forwarding table updates. Having a performant and robust open source implementation ensures there’s a viable alternative to commercial and closed source implementations, which is a prerequisite for some large potential adopters. >> Read more about SCION Open Source Implementation WWW SCION — Path-aware web server/proxy deployment and browsing The WWW SCION project aims to bring innovation to web applications by enabling seamless SCION support to the web ecosystem. SCION is a clean-slate, more secure, and robust path-aware Internet architecture designed to provide route control, fault isolation, and explicit trust information for end-to-end communication. The main outcome of this project will be a full software suite for path-aware web browsing that can be easily adopted by network operators to make their web resources available on the SCION network. 
To do so, this project will develop (1) a production-grade reverse proxy, which enables web resources to be accessed via SCION, and (2) much improved client-side support. This will have an immediate impact on thousands of users who are already connected to the SCION infrastructure, allowing them to access next-generation network features such as expressing path-selection policies that implement their preferences. For instance, a web user could avoid traversing ASes (Autonomous systems) in certain regions when accessing their e-banking website. Another example from which users may benefit is using distinct paths depending on the web resources. In this case, the server could make use of a high-bandwidth path to increase the throughput when loading a large resource, while it could use a low-latency path for a latency-sensitive resource, e.g., a server control message. >> Read more about WWW SCION Toward a Fully-Verified SCION Router II — Align router code with formal verification tooling SCION is a next-generation Internet architecture that addresses many of the security vulnerabilities of today’s Internet. Its clean-slate design provides, among other properties, route control, failure isolation, and multi-path communication. This project concerns the implementation part of a larger effort that is verifying the core component of the SCION inter-domain routing architecture - the SCION router. SCION’s open-source router should not only be memory-safe but should implement the SCION protocols correctly in order to provide the intended security and correctness guarantees. >> Read more about Toward a Fully-Verified SCION Router II SES - SimplyEdit Spaces — SimplyEdit Spaces - collaborative presentations SimplyPresent allows users to collaboratively create and deliver good-looking presentations using CRDTs through Hyper Hyper Space - another project supported by NGI Assure. 
SimplyPresent is itself based on top of the open source SimplyEdit tool, adding advanced user-friendly presentation features. SimplyPresent allows team members to live edit a presentation and the presenter notes while the presentation is being given, control the presentation from any phone without complicated setup: all that is needed on the presenting system or with remote viewers is a URL which will sync through Hyper Hyper Space. >> Read more about SES - SimplyEdit Spaces Cell broadcast support for the Linux Mobile Stack — Implement SMS-CB for emergency messages on Linux Cell broadcast is the capability of the mobile network to send messages to multiple mobile devices in an area. It is the common way to alert users about disasters and emergencies. Phosh is a user friendly, graphical interface for Linux based mobile phones using GTK, GNOME and the wlroots compositor library. It uses ModemManager for its mobile broadband connections. ModemManager is used on Linux systems to control mobile broadband devices and connections. The aim of this project is to add cell broadcast support to ModemManager and the necessary UI elements to Phosh so cell broadcast messages sent to devices running this platform can be properly received and displayed. >> Read more about Cell broadcast support for the Linux Mobile Stack smoltcp RPL — Implement Routing Protocol for Low-Power and Lossy networks Smoltcp is a TCP/IP library written in the Rust programming language. The Rust language offers many advantages, such as memory safety. The smoltcp library recently gained support for the 6LoWPAN protocol, enabling IPv6 for IEEE802.15.4 devices. However, a routing protocol tailored for low power devices is still missing in the library (or even one written in the Rust programming language). In this project, an implementation of the Routing Protocol for Low-Power and Lossy Networks (RPL) will be added to the smoltcp library. 
This protocol is designed for Low-Power wireless networks that are generally susceptible to packet loss. By adding this protocol to smoltcp, we get closer to a network stack that is safer to use for the Internet of Things (IoT). >> Read more about smoltcp RPL SocksTrace — Ptrace based proxy leak detector Proxy leaks are a class of software vulnerability in which network traffic intended for a proxy (e.g. Tor) is instead sent without a proxy, risking the deanonymization of the user. Auditing software for proxy leaks is presently nontrivial, e.g. tools like tcpdump and Corridor generally require invasive privileges, cannot audit for stream isolation leaks, and provide limited diagnostic capabilities. SocksTrace is a proxy leak detection tool, suitable for CI testing or manual QA testing, that utilizes the ptrace feature of Linux to detect socket syscalls that would bypass a proxy. If a proxy leak is detected, SocksTrace can respond by (among other things) denying the syscall, redirecting the connection to a proxy, or logging a stack trace. SocksTrace is written in Go, making it memory-safe and securely bootstrappable. >> Read more about SocksTrace Peer-to-Peer Access to Our Software Heritage — Access Software Heritage data via IPFS DHT Peer-to-Peer Access to Our Software Heritage (SWH × IPFS) is a project aimed at supporting Software Heritage’s mission to build a universal source code archive and preserve it for future generations by leveraging IPFS’s capabilities to share and replicate the archive in a decentralized, peer-to-peer manner. The project will build a bridge between the existing Software Heritage (SWH) API and the IPFS network to transparently serve native IPFS requests for SWH data. In the short term, this allows users using IPFS to form their own Content Distribution Network for SWH data. 
Longer term, we hope this will serve as a foundation for a decentralized network of copies that, together, ensure that the loss of no one repository, however large, results in the permanent destruction of any part of our heritage. The end product would be a perfect application of IPFS’s tools and a step in the direction of a decentralized internet services infrastructure. >> Read more about Peer-to-Peer Access to Our Software Heritage Spritely (and OCapN) — Enable secure P2P applications with Object Capabilities OCapN (the Object Capability Network, and featuring CapTP, the Capability Transport Protocol) simplifies building otherwise complicated security-oriented peer to peer systems as a natural extension of ordinary programming patterns. OCapN/CapTP features intentional collaboration amongst networked objects, distributed garbage collection, networked promise pipelining for efficient distributed communication, a peer introduction and consensual resource sharing system, and an abstract networking layer compatible with Tor Onion Services, I2P, libp2p, and even more traditional DNS + TLS. While multiple implementations exist within Spritely and elsewhere, these are all incompatible. The project will produce specifications, documentation, and test suites to encourage consistency, interoperability, and smooth adoption of the technology. >> Read more about Spritely (and OCapN) Statime PTP Master — Statime - Zero-allocation cross-platform Precision Time Protocol High-precision clock synchronization is becoming increasingly important in application areas such as high precision localization, finance, broadcasting, security protocols, smart grids, and cellular base station transmissions. The Precision Time Protocol (PTP) is widely used for these critical applications and it is therefore important for it to be as secure and reliable as possible. We have previously developed the first iteration of Statime, an implementation of a PTP slave in the Rust programming language. 
The outcome of that project is a secure-by-design implementation, leveraging the Rust borrow checker to guarantee memory-safety. With this project, we will expand our implementation in two ways. Firstly, we will expand the feature set to include a PTP master, conforming to the IEEE standard for PTP (the 2019 version, IEEE1588-2019), so we can run a full PTP instance with the memory-safety guarantees that our implementation provides. Secondly, our implementation will be able to run without an operating system or system allocator. Those properties make the implementation inherently portable and more reliable. Our concrete goal for this second phase is that it runs on the stm32f7 microcontroller, a device with built-in PTP Ethernet support, but otherwise limited capabilities. >> Read more about Statime PTP Master RETETRA — Security Analysis of Proprietary Cryptography in Terrestrial Trunked Radio Terrestrial Trunked Radio (TETRA) is a European standard for trunked radio used globally by government agencies, emergency services and critical infrastructure. Apart from most European police agencies (such as BOSNET in Germany or RAKEL in Sweden), military operators and emergency services, TETRA is also widely used for SCADA telecontrol of oil rigs, pipelines, transportation and electric and water utilities. TETRA authentication and encryption are handled by secret, proprietary cryptographic cipher-suites known as TAA1 and TEA which are only available to select parties under strict NDAs which runs counter to both the spirit of open technologies and Kerckhoffs's principle. The latter's potential consequences are illustrated by the fate of A5/1, A5/2 and their GMR variants in cellular and satellite communications, allowing ciphers that can be broken in practice to fester in public and critical infrastructure for far too long. 
This project aims to reverse-engineer and subsequently perform cryptanalysis on these cipher-suites and finally formulate a hardening roadmap in order to provide a research-oriented FOSS implementation of the cipher-suites and aid affected parties in moving away from unexamined, proprietary security mechanisms towards open standards. >> Read more about RETETRA TSCH-rs — Time Slotted Channel Hopping implemented in Rust Time Slotted Channel Hopping (TSCH) is a Medium Access Control (MAC) layer protocol described in IEEE 802.15.4e designed for low-power and lossy networks. Devices are allocated time slots in which they can transmit and/or receive frames. The rest of the time the radio is turned off, reducing energy consumption. Consecutive transmissions are done on different frequencies to tackle interference. Implementations of TSCH can be found in Contiki-NG and OpenWSN, both written in C. TSCH-rs is a TSCH implementation written in Rust, providing ease of maintenance, security and reliability. Furthermore, the implementation aims to be hardware-agnostic, making it easy to port to different IEEE 802.15.4 based radios. The Rust network stack for IEEE 802.15.4 radios already contains an implementation for 6LoWPAN and RPL. TSCH-rs will be a valuable addition to the Rust based low-power IEEE 802.15.4 network stack. >> Read more about TSCH-rs TrustING — Ultrafast AS-level Public-Key Infrastructure TrustING is a human-transparent and agile Trust Infrastructure for a Next-Generation Internet. This infrastructure enables any two entities to establish secret keys that can be used to encrypt and authenticate data. The foundation of TrustING is the AS-level Public-Key Infrastructure (PKI) of the SCION Internet Architecture that provides sovereignty (ensuring absence of global kill switches), trust transparency, and algorithm agility, among others. 
The TrustING service establishes symmetric keys with other domains in advance, and then relies on those keys to derive keys for local hosts. The core novelty of this approach is the ability to derive keys purely locally on both sides of the communication, without even requiring key transport. By making TrustING a control-plane mechanism offered by the network infrastructure, higher-level applications can make use of it without having to worry about complexities such as exchanging key material or establishing trust. To show the viability of TrustING, we will implement TLS trust bootstrapping using TrustING and additionally demonstrate the efficiency of TrustING by using it to authenticate SCMP (SCION's equivalent of ICMP) messages. >> Read more about TrustING Build Transparency (Trustix) — Towards a decentralized supply chain for software When we install a program, we usually trust downloaded software binaries. But how do we know that we aren't installing something malicious? Typically, we have confidence in those binaries because we get them from a trusted provider. But if the provider itself is compromised, the binaries can be anything. This makes individual providers a single point of failure in a software supply chain. Trustix is a tool that compares build outputs across a group of providers - it decentralizes trust. Multiple providers independently build the software, each in their own isolated environment, and then can vouch for the content of binaries that are the outcome of reproducible builds - while non-reproducible builds can be automatically detected. This is the first step towards an entirely decentralized software supply chain that can securely distribute software without any central corruptible entity. 
>> Read more about Build Transparency (Trustix) Toward a Fully-Verified SCION Router — Formal verification of the reference open source SCION Router SCION is a next-generation Internet architecture that addresses many of the security vulnerabilities of today’s Internet. Its clean-slate design provides, among other properties, route control, failure isolation, and multi-path communication. This project will demonstrate the feasibility of verifying the core component of the SCION inter-domain routing architecture - the SCION router. Prior work has proved that the SCION data plane protocols are secure. The focus of this project is on verifying that SCION’s open-source router is memory-safe and implements those protocols correctly and, thus, provides the intended security and correctness guarantees. >> Read more about Toward a Fully-Verified SCION Router Vula — Encrypted ad hoc local-area networking With zero configuration, Vula automatically encrypts IP (v4) communication between hosts on a local area network (LAN) in a forward-secret and transitionally post-quantum manner to protect against passive eavesdropping. When the local gateway to the internet is a Vula peer, internet-destined traffic will also be encrypted on the LAN. With simple verification using QR codes, Vula is also able to disrupt active surveillance adversaries. Vula combines WireGuard for forward-secret point-to-point tunnels with cryptographically enhanced mDNS and DNS-SD for local peer discovery. Vula enhances the confidentiality of WireGuard tunnels by using CSIDH, a post-quantum non-interactive key exchange primitive, to generate a peer-wise pre-shared key for each tunnel configuration. Vula avoids the need for any Single Point of Failure (SPOF) such as a trusted third party. Vula is equally functional on otherwise air-gapped networks. 
>> Read more about Vula Waasabi Framework — P2P Live Streaming for events Waasabi is a highly customizable platform for self-hosted video streaming (live broadcast) events. It is provided as a flexible open source web framework that anyone can host and integrate directly into their existing website. By focusing on quick setup, ease of use and customizability Waasabi aims to lower the barrier of entry for hosting custom live streaming events on one's own website, side-stepping the cost, compromises and limitations stemming from using various \"batteries-included\" offerings, but also removing the hassle of having to build everything from scratch. Active research into the creation of a peer-to-peer streaming backend seeks to advance the project's long-term goal of promoting the adoption of owned experiences through the use of decentralized technology. By further cutting down on dependencies, cost and infrastructure complexity this effort aims to enable broadcasts to scale as the audience size grows, which in turn will support Waasabi's continued adoption. >> Read more about Waasabi Framework Winden/Magic Wormhole dilation — Improving Magic-Wormhole by implementing dilation and multiple file support for the web Winden is an open-source web app built on the Magic-Wormhole protocol, which allows two devices to connect and exchange data without requiring identity information. We are building Winden to make file-transfers for the web secure and private. With Winden, we are giving users control over their data without them needing to trust us. This project adds support for reconnection (referred to as the ‘Dilation’ protocol) and multiple file-transfers into both Winden and wormhole-william, the Go implementation of Magic-Wormhole used by Winden and other projects. Magic-Wormhole file-transfers require both parties to be online at the same time. Dilation allows for reconnection and changing networks during a transfer. 
This reduces the risks of connection interruptions during these synchronous transfers. Multiple file support is a much sought after need for transferring data, which requires Dilation (and Dilation’s sub-channels). >> Read more about Winden/Magic Wormhole dilation WireGuard on FPGA — FPGA implementation of Wireguard protocol written in SpinalHDL This project will do an open hardware implementation of the WireGuard VPN protocol. The data plane with symmetric cryptography is implemented in HDL and should be able to handle 100 Gbit/s IP/Ethernet, whereas the asymmetric handshake is implemented on VexRiscv with accelerators and will be capable of maintaining thousands of concurrent connections. An off-the-shelf FPGA card handles the full protocol transparently: Ethernet/Ethernet or Ethernet/PCIe with one side ciphered and the other side plaintext. >> Read more about WireGuard on FPGA WireGuard — Scale up WireGuard WireGuard is a next generation VPN protocol that uses state of the art cryptography. This project aims to deliver various tasks: put WireGuard into the OpenBSD kernel and userspace tooling (tcpdump, ifconfig, wg, etc), rewrite Android client UI in Kotlin and make use of Kotlin coroutines, make the Android code into a library consumable by third-party apps, support more complex DNS and networking management in Windows client, improve performance and stability of cross-platform userspace implementation library, integrate more closely with various Linux netdev semantics and backport to Linux 5.4 and 4.19. >> Read more about WireGuard Wireguard Windows client — Native Wireguard protocol client for Windows WireGuard is a next generation VPN protocol that uses state of the art cryptography. WireGuard makes it possible to safely tunnel traffic across the internet. WireGuard presents a new abuse-resistant and high-performance alternative based on modern cryptography, with a focus on implementation and usability simplicity. 
It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. While still under heavy development, it is regarded by many as the most secure, easiest to use, and simplest VPN solution in the industry. Initially released for the Linux kernel, it is now cross-platform and the open source technology is ready for wide deployment. Unfortunately, WireGuard support on the widely used Microsoft Windows operating system is still immature and experimental. This makes the technology unavailable to many desktop and notebook users. This project will deliver the first stable Windows version. >> Read more about Wireguard Windows client Wireguard Rust Implementation — Implementation of WireGuard in a type safe language WireGuard is an emerging open VPN protocol. WireGuard stands out from similar solutions, notably OpenVPN and IPSec, by being significantly simpler and hence easier to analyze and implement. WireGuard is currently available on Linux, Windows, MacOS, iOS, Android and BSD variants. WireGuard-rs will be an implementation of WireGuard in the Rust systems programming language. The WireGuard project's desire for a Rust userspace implementation stems from the improved speed, memory consumption and safety guarantees offered by the Rust language, all of which are essential to the nature of the WireGuard project: a high performance, high security VPN. This implementation will be targeting userspace for Linux, Windows, MacOS and BSD variants. >> Read more about Wireguard Rust Implementation Yrs — Collaborative editing with CRDT written in Rust Yrs \"wires\" will be a native port (in the Rust programming language) of the Yjs shared editing framework. Abstractly speaking, Yjs allows many users to concurrently manipulate state that eventually converges. 
It is a popular solution for enabling collaborative editing (Google Docs style) on the web because it is indefinitely scalable, works peer-to-peer, and has a rich ecosystem of plugins. There are plugins that allow you to connect with other peers over different network providers (WebRTC, Websocket, Dat/Hyper, IPFS, XMPP, ..) and there are many editor plugins that allow you to make existing (rich-)text editors collaborative. The Yjs project is about connecting projects with each other and providing a network-agnostic solution for syncing state. A native port will allow native applications (e.g. XI, Vi, Emacs, Android, iPhone, ..) to sync state with web-based applications. We chose Rust because it's well suited to be embedded in other languages like C/C++, PHP, Python, Swift, and Java. With Yrs, we want to connect even more projects with each other and provide a modern collaboration engine for native applications. The Rust implementation will implement the full feature set of the shared types, including the event system. This will enable users to parse existing Yjs documents, manipulate them, and implement collaborative applications. The port will make it easy to \"bind\" to another language so that the shared state is available in other languages as well. There will likely be a WASM binding, a C++ binding, and a Python binding (provided by Quantstack). Other existing features like awareness, selective Undo/Redo manager, relative positions, and differential updates will be added after the initial release. >> Read more about Yrs Yrs Undo — Rust-based CRDT framework for real-time multi-user applications Yrs \"wires\" is a native port (in the Rust programming language) of the Yjs shared editing framework. Abstractly speaking, Yjs allows many users to concurrently manipulate state that eventually converges. 
It is a popular solution for enabling collaborative editing (Google Docs style) on the web because it is indefinitely scalable, works peer-to-peer, and has a rich ecosystem of plugins. There are plugins that allow you to connect with other peers over different network providers (WebRTC, Websocket, Dat/Hyper, IPFS, XMPP, ..) and there are many editor plugins that allow you to make existing (rich-)text editors collaborative. This project will add a selective Undo/Redo manager, add support for other native clients, and interoperate with languages like Java, PHP and Swift. The goal is to reach full feature compatibility with Yjs and improve its performance even more - bringing a collaborative, decentralized experience where users' data lies in their own hands. >> Read more about Yrs Undo Yrs weak links — More efficient CRDT by interconnecting and synchronising data structures inside documents The Yrs weak links project aims to extend the existing implementation of Yjs/Yrs - one of the most popular free and open source libraries for building collaborative peer-to-peer applications - with new primitives such as cursors allowing for a seamless integration with rich text editors, and an ability to cross-reference and react to changes occurring in different parts of an application: be it for display or other evaluation purposes like referencing cells in spreadsheet calculations. All of these will be possible while preserving eventual consistency in an environment where applications need to be operable and accept changes coming from many different users even when offline or when the standard Internet access is not available. >> Read more about Yrs weak links Bitmask — User-friendly and secure VPN configuration Bitmask is a Desktop and Android client designed to achieve a zero-configuration end-user experience for setting up a VPN that connects to a given set of providers - those that follow the LEAP platform specification. 
To do so, clients rely on providers exposing configuration files on well-known urls, according to their particular setup regarding the available VPN gateways and transports. This project aims at adding low-end routers a new extra platform that users can choose when installing BitmaskVPN. Running VPN software in a commonly available router, with hardware-based user interfaces, will greatly extend the target audience for Bitmask. To achieve this goal, a porting of the BitmaskVPN client will be done in nim, a statically typed language that generates small native and dependency-free executables, allowing the setup of the VPN with the switch of a hardware button. Finally, the resulting port will be packaged for OpenWRT, and build scripts will be made available for providers to offer to their users a ready-to-use flashing image for a selection of routers. >> Read more about Bitmask dhcpcanon — Network configuration with better privacy When your computer enters a new network as a guest, it will need to receive information to be able to send and receive packets. The internet standard responsible for this is called Dynamic Host Configuration Protocol (DHCP). Traditional DHCP and DHCPv6 can potentially leak information which can be abused to uniquely identify a certain device - and thus track a user. dhcpcanon is a DHCP client implementation that implements the technical standard RFC7844, DHCP Anonymity Profiles. The new standard provides guidelines for minimizing information disclosure via DHCP. This project will produce DHCP clients implementing the Anonymity Profiles for restricted devices as microcontrollers and easy integration with network management tools. >> Read more about dhcpcanon it — Radically decentralised version control with CRDTs The project summary for this project is not yet available. Please come back soon! 
>> Read more about it Katzenpost — Observation resistant secure messaging layer Secure messaging is among the most fundamental privacy challenges of today. While there are meanwhile several widely used offerings that can encrypt instant messages you send to others, there are very few reliable options that are able to keep others from finding out who you were communicating with - and when. The most popular end-to-end messaging application do not adequately protect the identities of who-is-talking-to-who from the infrastructure operators. Katzenpost aims to offer a traffic analysis resistant messaging layer that allows all the participants in the network to have significantly more privacy than other mechanisms. It offers a decentralized mixnet architecture that works similarly to onion routing, where message routing information is encrypted, and differs in that each message is a fixed size, has random forwarding delays, and is accompanied by cover traffic messages to frustrate passive traffic analysis. The project aims to be a building block for other to build applications on, lowering the threshold for existing applications to benefit from increased privacy and confidentiality. >> Read more about Katzenpost libresilient — Create robust web presence with service workers and DHT A browser-based decentralized content delivery network, implemented as a JavaScript library to be deployed easily on any website. LibResilient uses ServiceWorkers and a suite of non-standard in-browser delivery mechanisms, with a strong focus on decentralized tools like IPFS. Ideally, users should not need to install any special software nor change any settings to continue being able to access an overloaded LibResilient-enabled site as soon as they are able to access it once. 
>> Read more about libresilient librice — Pure Rust implementation of IETF's real-time communication standard ICE The Interactive Connectivity Establishment (ICE) protocol is everywhere in real-time communication, providing a rendezvous mechanism that allows establishing e.g. a SIP or WebRTC connection. Addition of another protocol, TURN, allows hosts which are behind a middleware box or CPE (which is the most common scenario in the IPv4 realm) to still successfully set up a bi-directional path. This puts ICE/TURN at the heart of communication. This project will implement the four key TURN RFCs in librice - a pure Rust implementation of ICE. >> Read more about librice Securing Decentralised Live Information with m-ld — Collaborative editing of Linked Data based on CRDT m-ld is a software technology for live information sharing. It enables software engineers to reliably add real-time collaboration, support for offline working, and service resilience to both new and existing software architectures. It achieves this by operating at an \"information\" level, creating reusable patterns for maintaining the consistency and integrity of application content that is being edited from multiple locations at once. m-ld is built from the ground up on a W3C standard information representation, contributing ideas for its evolution, and is committed to open standards and open source. This project will research and prototype modifications to the primitives of the m-ld core protocol to natively support strong assurance of data integrity and traceability, with authority assignable to identified users or groups, so that they can be reliably assured of the integrity and controlled availability of their data. >> Read more about Securing Decentralised Live Information with m-ld Minedive — P2P search over webRTC The minedive project is building several components: first, minedive is a browser extension aiming to allow users to search the web while preserving their anonymity and privacy. 
The second is an open source reference implementation of its rendez-vous server. minedive instances connect each-other (via WebRTC data channels) forming a two layered P2P network. The lower layer (L1) provides routing, the upper layer (L2) provides anonymous and encrypted communication among peers acting as a MIX network. This architecture guarantees that peers which know your IP address (L1) do not know search data for (L2) and vice-versa. A central (websocket) rendez-vous server is needed to find and connect with L1 peers, and to exchange keys with L2 peers, but no search goes through it. We are running a default server which can be overridden by users who want to run their own (using our reference implementation or a custom one). Users can also set the extension to pick peers from a given community (identified by an opaque tag). Currently all requests are satisfied by letting L2 peers return results from the 1st page of mainstream search engines (as they see it, in an attempt to escape the search bubble). While this will stay as a fallback, we plan to implement web crawling on peers, doing keyword extraction from URLs in local bookmarks and history and ranking with open algorithms, being transparent with users about which techniques are used and open to suggestions. >> Read more about Minedive mitmproxy — HTTP/3 Support and OS Proxy Mode for intercepting local proxy mitmproxy is a versatile tool for debugging, testing, privacy measurements, and penetration testing. It can be used to intercept, inspect, modify and replay network communication from websites and mobile applications. This project is about the development of two new major features to mitmproxy: HTTP/3 Interception and a new OS proxy mode. With an increasing number of apps using the HTTP/3 protocol to communicate, we are adding support for it in mitmproxy so that it can be observed just as well as other protocols. 
For the second part of this project, we will be adding a new operating mode that makes it possible to inspect applications running on the user's device with a single click. These features collectively empower users to gain insights into what data their own devices are sending out. >> Read more about mitmproxy Improvements for next generation Linux firewalling — Netfilter kernel improvements, user space tools and testing This project comprises a series of preventive and corrective actions as well as improvements for the next generation firewall software offered by the Netfilter project (https://www.netfilter.org) available in the Linux kernel, such as the enhancement of the set and map infrastructure, the resolution of existing limitations in the user space tool and libraries, enhancements to the filtering policy optimisation infrastructure, improved string match support and the extension of the test coverage for early detection of regression. >> Read more about Improvements for next generation Linux firewalling node-Tor — Implementation of Tor protocols for inside webpages Node-Tor is an open source project and the only existing implementation of the Tor protocol in Javascript. That gives it the unique property to not just run on a server or desktop, but also inside a regular webbrowser itself as a standalone secure webapp. It must not be misunderstood for just a re-implementation of Tor network nodes: the goal is much wider, because it allows any project related to privacy/security enhancement to implement the Tor protocol in their nodes and/or inside a web page. The browser client acts as a standalone node itself communicating via web interfaces such as Websockets with servers or through WebRTC with other browsers. 
The use of Javascript allows to reduce very significantly the code and libraries (prone to security breaches), simplifying the integration for developers (like removing the need to maintain installation packages since standard web interfaces can be used), simplifying the use for users. This offers a lot of potential for increasing security and privacy for everybody, since the technology can be accessed from any place and any device that has a browser or can run Javascript, including mobile devices. >> Read more about node-Tor Strengthening NTP and NTS in ntpd-rs — Memory-safe implementation of IETF time standards including NTPv5 and NTS NTP is one of the building blocks of the internet, and it and its security improvements are, therefore, of vital importance for a safer internet. Over the last year, we have created a new implementation of the Network Time Protocol called ntpd-rs, which includes Network Time Security support. In this project, we will work on growing adoption and strengthening our implementation. On the one hand, that means expanding platform support, packaging options, and implementing improvements suggested by early adopters. On the other hand, we see the need to increase the usability of NTS, which is not deployed widely. By contributing to improvements of NTP (NTPv5) and exploring the creation of an NTS pool, we aim to foster NTS adoption. >> Read more about Strengthening NTP and NTS in ntpd-rs reqwest — Memory safe HTTP client reqwest is the de-facto HTTP client for the Rust language, with batteries-included. In this project we will make many of its powerful features to be composable and reusable outside of reqwest. This includes converting its connection pool, proxying and redirection into middleware, and improving integration with existing middleware, such as retries. This ultimately enables two groups of people: some so they can use only the parts of reqwest they need. 
And others that want to use all of reqwest while inserting new middleware or customizing its default \"stack\". >> Read more about reqwest Vita — A high performance IPSEC implementation When the IP protocol was designed, its original authors did not add adequate security features. In 1994 the first official RFC concerning an end-to-end encrypted variant of IP called IPSEC was published after a number of years of standardisation work in the IETF. Almost a quarter of a century later, there is still a very limited set of implementations of the protocol. IPSEC is perceived by many as hard to deploy, which creates a chicken and egg situation in driving adoption. Vita is a fresh new implementation of IPSEC based on Snabb Switch, a high performance open source packet networking toolkit. The goal of Vita is to make it very easy to use IPSec on commodity hardware, and to produce a fast and compliant clean room implementation. Vita previously received funding from the Internet Hardening Fund. This project will move the deployability of Vita forward, and among others will produce a number of drivers for interfacing with e.g. high speed interfaces such as the Linux kernel. Its limited size and use of an existing packet networking toolkit mean it can be easily audited. >> Read more about Vita Wireguard — Take modern network tunnels to the next level WireGuard is a next generation VPN protocol that uses state of the art cryptography. One of the most exciting recent crypto-networking developments, WireGuard aims to drastically simplify secure tunneling. The current state of VPN protocols is not pretty, with popular options, such as IPsec and OpenVPN, being overwhelmingly complex, with large attack surfaces, using mostly cryptographic designs from the 90s. WireGuard presents a new abuse-resistant and high-performance alternative based on modern cryptography, with a focus on implementation and usability simplicity. 
It uses a 1-RTT handshake, based on NoiseIK, to provide perfect forward secrecy, identity hiding, and resistance to key-compromise impersonation attacks, among other important security properties, as well as high performance transport using ChaCha20Poly1305. A novel IP-binding cookie MAC mechanism is used to prevent against several forms of common denial-of-service attacks, both against the client and server, improving greatly on those of DTLS and IKEv2. Key distribution is handled out-of-band with extremely short Curve25519 points, which can be passed around in the likes of OpenSSH. Discarding the academic layering perfection of IPsec, WireGuard introduces the idea of a \"cryptokey routing table\", alongside an extremely simple and fully defined timer-state mechanism, to allow for easy and minimal configuration; WireGuard is actually securely deployable in practical settings. In order to rival the performance of IPsec, in addition to cross-platform implementations, WireGuard is implemented inside the Linux kernel, but unlike IPsec, it is implemented in less than 4,000 lines of code, making the implementation manageably auditable. These features converge to create an open source VPN utility that is exceedingly simple, yet thoroughly modern and secure. >> Read more about Wireguard "},{"description":" Network Applications Software application development projects based upon Internet technology. This page contains a concise overview of projects funded by NLnet foundation that belong to Network Applications (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. A-A-P — tools for developing, distributing, and installing software The A-A-P project intends to provide a series of tools for developing, distributing and installing software. 
The two main programs are aap (a replacement for make) and agide (the A-A-P GUI IDE). The agide program provides a portable framework to combine existing programs. Agide provides interfaces between editors, viewers, debuggers, cross referencers, etc. These are used connect any editor to any debugger, without the need to implement every combination. Agide relates to many existing tools and adds the glue to make them work together. A central element is the A-A-P recipe. It is a powerful replacement for Makefiles and shell scripts. The Aap program is used to execute the recipes. It can be used for building software, version control, maintaining a web site, installing ported software, and much more. >> Read more about A-A-P BlenderWeb — free 3D animation and compositing suite There is currently no open source platform capable of delivering rich web content similar in scope and impact to Adobe Flash and Shockwave or Microsoft Silverlight. Creators and developers are tied to proprietary tools and software if they wish to create rich interactive content for online distribution and consumption. This creates a high barrier to entry in many countries the cost of Adobe software licenses can be more than a years salary for an artist --so only those individuals of wealth can make use of this communications medium. This project is devoted to the development of the web plugin of the game engine, improve its security and resource utilization and add functionality, in general produce an end-to-end solution and open source platform capable of delivering 2d and 3d content of a richness and variety similar to that available in the propriety Adobe Flash and Adobe Shockwave plugins. >> Read more about BlenderWeb CP2PC — common programming interface for peer-to-peer systems CP2PC (pronounced \"copy to pc\") develops a minimal programming interface to peer-to-peer (P2P) file-sharing systems. Client side applications can be built on top of this interface by other projects. 
In addition, the project includes development of a simple GUI client that integrates various file-sharing systems. >> Read more about CP2PC CUGAR — Implement a Wireless Access Point and a back-end This project aims to develop and implement a (Wireless) Access Point and a back-end for it using only Open Source software components. The Access Point (AP) together with the back-end makes secure environment for Closed User Group Services. This allows a secure connection between AP and the back-end when using a non-secure transport medium (like the Internet). The whole system is being developed as an \"appliance\" and a back-end software package. AP itself will be implemented on small embedded systems in order to ease the deployment. The back-end (authentication, management, routing) can run on a generic UNIX system. >> Read more about CUGAR Dowse — Dowse is a smart digital network appliance for home based local area networks. Dowse is a smart digital network appliance for home based local area networks (LAN), but also small and medium business offices, that makes it possible to connect objects and people in a friendly, conscious and responsible manner. >> Read more about Dowse FileSender — FileSender is a secure and private way to share large files with anyone. FileSender is a self-hosted service that allows you to share very large files with anyone. >> Read more about FileSender FreeBSD-3G — network drivers for 3G cards on FreeBSD The project started by improving 3GPP support for Option GT GPRS/EDGE cards, to provide a second serial channel to retrieve signal quality and other status info from the data card while being online. Starting off with the OpenMoko 3GPP implementation, this was quickly replaced with own development due to memory constraints on embedded systems. Later, similar functionality was added for data cards which use an internal USB-hub with several serial ports connected. 
The project contains: development of a FreeBSD driver for data cards supported by the Linux hso driver; development of FreeBSD driver for nozomi type Option cards; improvements to, and open sourcing of, the 3GPP protocol daemon; and setup of Knowledge Base website. Each of these individual subprojects is valuable on its own. Sub-project 'Setup of wiki/website' would provide the Open Source community as a whole a needed central point for information on this topic. Building a new site is necessary to not only gather information but also process the various sources into a coherent source of information, providing more value than information presentation on its own. >> Read more about FreeBSD-3G FSF Priority — stimulating High Priority Projects of the Freedom Software Foundation The Freedom Software Foundation high-priority projects list serves to foster the development of projects that are important for increasing the adoption and use of free software and free software operating systems. The priority projects list shows areas where free software development needs to accelerate in order to stop users from being drawn to proprietary software and operating systems. It lists holes that aren't fully covered by existing projects. NLnet's contribution will be used to support development sprints around the priority projects, including the project to produce free software drivers for network routers. >> Read more about FSF Priority JigLibJS — JigLib to JavaScript for use with WebGL JigLib is an open source 3D rigid body physics engine. So far, most of the web browser implementations of this technology (including open source libraries such as Papervision3d and the ARToolkit) are reliant on closed source 3rd party plugins (Flash, Silverlight, Unity3D etc.). The project will create an open source, community driven port of JigLib to JavaScript for use with WebGL, thus providing a portable API for linking to other WebGL JavaScript libraries such as GLGE. 
Within the project a demo application showcasing the potential of this library and of WebGL will be produced, this in order to stimulate interest and participation in the open source community. The major aims of this project are: to prove the use of WebGL as a viable replacement for plugins. to help with the implementation of WebGL in browsers by providing regression and performance test results. to stimulate growth in the Open Source community around WebGL by giving them a library and an attractive Demo to work with. to attract and encourage contributors to WebGL by placing all source code and documentation in the public domain using the BSD license for both code and documentation. to stimulate the use of the open standard WebGL (instead of closed solutions such as Flash, Silverlight etc.) by the web development community. to facilitate innovation in 3D physics based UI design and interactivity online. >> Read more about JigLibJS LogReport — tools for computer/network log file analysis Log files are often treated like the unwanted by-product of IT activity, sitting somewhere in a dark corner of a computer system, examined only occasionally, usually in the case of after-the-fact reactive problem solving. LogReport aims to change this. These files contain the traces of computer activity, and by intelligently analyzing these traces, one can increase existing system efficiency and improve future system design. The LogReport project serves a dual purpose: developing and maintaining Lire, an Open Source reporting and analysis software package, and serving as a nexus of documentation, ideas, and thoughts on the topic of log files and their potential applications. There are quite a few specific tools for analyzing particular types of log files. However, LogReport's Lire is designed as a generic tool, with plug-in capability for handling a wealth of different types of log files and report integration features. 
From 2000 till 2005, the activities of this project were bundled in the Foundation Stichting LogReport. Thereafter, the project continued on voluntary basis. >> Read more about LogReport Mail::Box — software for e-mail handling in Perl Mail::Box is a module for the Perl programming language. This module can be used for automation of various e-mail related tasks. With support of NLnet, the module is promoted and improved. >> Read more about Mail::Box Meemoo — Meemoo: hackable web apps Meemoo is intended to lower the threshold for app makers - ideally everybody should be able to create web apps. When people think of an app, they do not think of something that one can open, hack, and change how it works. Meemoo will give everybody this freedom. Meemoo is a framework that connects Open Source modules, powered by any web technology - it is a browser-based modular dataflow/patching framework. It all happens on the web, so it is easy to share a hacked app by copying the source code. The way that the data flows from module to module is defined and visualized by colorful wires. It becomes simple like that: If you can connect a video player to a TV, you can program a Meemoo app. The project will also build a community site for sharing, forking, and creating with Meemoo apps. The site will also be open source, so schools and other organizations can set up their own open or closed version. The site will be built on Unhosted/ownCloud for maximum data portability. >> Read more about Meemoo Morphle — free and anonymous powerful but simple to use end-user website editing Morphle is a project to stitch and glue together a large number of web 2.0 and 3.0 technologies. The principal technologies to be used will be HTML and javascript-tool-kits and the web-tools built into Squeak. And it will be through Squeak's web-tools that Morphle will be able to hide the former tools (HTML, javascript and the like) from the end-user. 
What will be achieved through this arrangement is, among other things, to provide the end-user with the ability to combine very easily web page parts such as snippets, widgets or components to create incredible web-sites. This tying together of these kinds-of-parts is often referred to as web mash-ups. The second component of the Morphle project is to offer all of these tools through the Internet and accessed directly through the browser. Eventually, Morphle's hosting system will be served up from a next-generation large scalable web-server (called Morphel) at very low costs. This project is about putting an alpha release of a meta-website online. The website will offer free and anonymous powerful but simple to use end-user website editing based on state of the art component encapsulation technologies in the hands of everyone. >> Read more about Morphle NILO — reference implementation of PXE-based network boot module NILO wants to create an Open Source reference implementation of a PXE-based network boot module, with a footprint that is small enough to include in the EPROM on the most popular Network Interface Cards. >> Read more about NILO Parrot — virtual machine for scripting languages Parrot is a virtual machine (VM) designed to execute bytecode for interpreted languages efficiently. Many modern programming languages do not translate programs into machine native instructions, but produce some intermediate bytecode which needs to be interpreted by a virtual machine when the program is run. Parrot will run the bytecode for the Perl 6 programming language, which is being developed. There is already a partial Perl 6 compiler which uses Parrot. But Parrot is also able to be the run-time environment for various other compilers, of which some already have demonstration implementations. 
>> Read more about Parrot Proxy App — Proxy appliance to utilize unused bandwidth networks The \"Generic Proxy Appliance\" projects will develop and implement an (internet) proxy appliance helping to utilize unused bandwidth in (wireless) networks A wireless community network, e.g. Wireless Leiden, can be used for various applications. First of all, it provides point-to-point communication between the users of the local the network: between individual users (using P2P, VoIP or VPN) or the user and some service provider which is directly connected to the network. Secondly, the network can be used as a Last Mile for the Internet access for both mobile and 'fixed' users. With the current broadband services, there is unused bandwidth at any given moment in time. This project's goal is to develop an internet proxy appliance with additional features allowing to utilize unused bandwidth in (wireless) networks. The proxy appliance will use Wireless Leiden infrastructure as breeding place for the prototype implementation. >> Read more about Proxy App PulseAudio — PulseAudio echo cancellation The project aims to extend the PulseAudio sound server to support echo cancellation technologies needed to be able to do high quality VoIP conferencing. With the growing popularity of VoIP and videoconferencing, the issue of echo cancellation on the Linux desktop is growing in importance. The Linux audio layer has long been a struggling beast with a lot of competing solutions, all of them with their own set of flaws. Thanks to the increased resources put into the media layers by Linux distribution vendors, it seems that a combination of ALSA and PulseAudio is emerging as the standard sound system layer, with GStreamer being the de-facto application writers interface. Therefore the natural place to put a system wide echo cancellation would be in the Pulse Audio sound server. 
Development tasks: Implement echo cancellation ALSA test application Implement PulseAudio audio filter infrastructure Implement echo cancellation for PulseAudio Enable echo cancellation in Empathy Desktop linux Run by Collabora Multimedia. >> Read more about PulseAudio Sabayon — creating a fast binary package manager using relational databases Sabayon is a free, open source, GNU/Linux distribution aimed to compete with Ubuntu in terms of hardware support, features and package availability. The aim is to create an unprecedented smart package manager. The challenge is creating a fast binary package manager (using relational databases), with strong AI (allowing just 2/3 developers to maintain about 12000 packages), able to solve most of the user-side issues automatically (such as API/ABI breakages, missing libraries, database corruptions, automatic kernel dependencies for external drivers, inverse dependencies), able to provide users a web2.0-alike experience by allowing them to share, extend, manipulate any content connected to packages (like screenshots, URLs, images, videos, rankings) directly from their system, able to provide a transparent client/server infrastructure to remotely manage infinite Sabayon installations, able to provide hot packaging formats, like Smart Packages (multiple packages packaged into one) and Smart Applications (unpack & run applications). All this while keeping a complete Portage compatibility and cooperating tightly with Gentoo Linux developers in bug hunting and feature proposals. >> Read more about Sabayon TimeWalker — tools for visualising huge amounts of log data TimeWalker is a multi-focal time-lens for visual data-mining. Its application domain is information visualization, which is characterized by handling huge data sets with unknown correlations and by real-time zooming within multiple graphical and textual representations. 
TimeWalker is primarily intended to be a useful instrument for people like system-administrators that are confronted with unmanageable amounts of logging data. >> Read more about TimeWalker VDD — project virtual operating system instances on arbitrary terminals Virtual Distro Dispatcher is a distributed system which aim is to project virtual, fully operational operating system instances on arbitrary terminals. Client terminals can be obsolete PCs or energy saving thin clients (such as mini-ITX) managed by a powerful, multiprocessor (and possibly clustered) central system. The VDD gives users a possibility to enjoy their own favourite operating systems, including those that are not Open Source, possibly at the same time, simply by switching from one to another, on each single thin client, on demand, across a network. Thin clients are interfaces to proper and isolated machines, that can be made to measure for whatever need and in whatever number. This is completely transparent to users, who, even from an obsolete machine, can select a particular machine with certain characteristics and then do absolutely everything they would do on such a machine as if it was physical and with its virtual performance. Contrary to other systems, like LTSP (Linux Terminal Server Project) the VDD offers not only the host operating system to thin clients, but projects virtualized guest systems, i.e. fully operational and independent machines. >> Read more about VDD VirtNet — network stack virtualization for FreeBSD Traditionally, UNIX operating systems have been equipped with monolithic network stack implementations, meaning all user processes have to cooperatively share a single networking subsystem. The introduction of the network stack cloning model enables the kernel to simultaneously maintain multiple independent and isolated network stack instances. 
Combined with forcible binding of user processes to individual network stacks, this concept can bring us a step closer to an efficient pseudo virtual machine functionality which opens new possibilities particularly in virtual hosting applications, as well as in other less obvious areas such as network simulation and advanced VPN provisioning. This project is focused on design, implementation and performance aspects of experimental clonable network stack support in the FreeBSD kernel. >> Read more about VirtNet ","url":"https://nlnet.nl/thema/NetworkApplications.html","title":"Network Applications"},{"description":" NREN Projects relevant to the research and higher education community This page contains a concise overview of projects funded by NLnet foundation that belong to NREN (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. How AdTech works — Improving public awareness of AdTech and privacy The web has become a place where visiting a webpage triggers many effects elsewhere on the globe, and where advertising technology has morphed into a market driven surveillance ecosystem of a size that was unimaginable even a few decades ago. While especially older people may still think of the 'friendly' world wide web of the nineties, the reality is that underneath the surface of many web pages lies a dark technology layer that sprawls data. \"How AdTech works\" is a project by the European umbrella of digital rights organisations, EDRi. The goal of EDRi is to address the threat these developments hold for our online lives and the shared public spaces. EDRi wants to de-mystify and challenge the complex and secretive world of online advertising and profiling - and bring attention to these issues at a policy level. 
With upcoming platform regulation like the pending EU Digital Services Act (DSA), there is an urgent need to share insights among human rights defenders, academics and the public at large. We need a concerted effort to take on this challenging subject - in order to better understand and subsequently challenge invasive and exploitative monopolistic practices that lead to aggravations of polarisation, spread of disinformation, and other abuses of fundamental rights. EDRi will engage with legislative efforts across Europe as an opportunity to better protect people’s rights online against data-hungry, abusive business models. EDRi will support this work via creation of a publication on AdTech and online advertising booklet, which will be distributed among policy makers, human rights defenders and the broader public. >> Read more about How AdTech works Democratic SendComm — Easy to use connected open hardware device Democratic SendComm is an open hardware LoRaWAN capable device, aimed at the educational sector. The sub-gigahertz LoRa network and the IP networked LoRaWAN can be used to transmit data at relatively large distances with very simple commodity infrastructure, and Democratic SendComm is therefore for instance suitable for measurement data from actuators and sensors in low-bandwidth scenarios. The whole design is available under the CERN HW license. >> Read more about Democratic SendComm ","title":"NREN","url":"https://nlnet.nl/thema/NREN.html"},{"description":" NGI Zero PET NGI0 PET was a grant programme that ran from 2018-2022, funding projects working on enhancing privacy and trust of internet and related technologies as part of the Next Generation Internet initiative of the European Commission. For a more complete description see the home page of the fund: NGI Zero PET. This page contains a concise overview of projects funded by NLnet foundation that belong to NGI Zero PET (see the thematic index). 
There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. Technology has become part of the fabric of our society, but unfortunately the market doesn't automatically provide the honest, reliable and robust technology we as humans expect and deserve. NGI Zero PET is an ambitious grant programme led by NLnet as part of the Next Generation Internet initiative, which focuses on privacy and trust enhancing technologies. The projects within this fund run on pretty much all layers of technology, from the internet protocols that run underneath every packet sent across the wire, the operating system and browser that we run our day-to-day applications and services on, the messaging apps we use to stay in contact with each other, all the way up to the infrastructure we compile software on, the computer chips we use in our devices and even the design and manufacturing of integrated circuits - projects within NGI Zero PET are breaking down barriers in the market and working towards a technology commons. So brace yourself for a deep dive in technology, and if you have the time — check each and every one of them out. Note that everything should be available under a free and open source license so it is not the type of technology you can look at but not touch — you can study, use, modify and share everything you come across with anyone you want! And if you think your idea fits in such a list, why not propose a project yourself in one of our other calls: we are always looking for new great ideas to support! Interested in applying for a grant yourself? Check our active theme funds, such as NGI Zero Commons Fund, NGI Fediversity or NGI TALER. Applications to this particular fund are currently closed and no new projects are accepted for now. Donate to help us fund more projects like these. 
LibreCellular — Open hardware 4G Mobile Network Free and open source solutions now exist for every component that is required to create a 4G cellular (LTE) network, all the way from the radio access network (RAN) and core, to services which are used for integrated voice (VoLTE). Creating a fully functional mobile network is the next logical step, but this requires overcoming the final remaining technical hurdles. This project will provide end-to-end integration of a FOSS technology stack for 4G networks, via a validated hardware and software configuration that is subjected to appropriate testing. Together with additional tooling and documentation for repeatable deployment, the project will make it far easier to create a self-contained 4G network than ever before. This is particularly timely given the availability of low cost software-defined radio (SDR) hardware, coupled with the efforts of wireless regulators to provide increased access to spectrum for private and community LTE networks. >> Read more about LibreCellular AI-VPN — Local machine-based learned analysis of VPN traffic Our security decreases significantly especially when we are outside our offices. Current VPNs encrypt our traffic, but they do not protect our devices from attacks or detect if there is an infection. The AI-VPN project proposes a new solution joining the VPN setup with a local AI-based IPS. The AI-VPN implements a state-of-the-art machine learning based Intrusion Prevention System in the VPN, generating alerts and blocking malicious connections automatically. The user is given a summary of the traffic of the device, showing detected malicious patterns, privacy leaked data and security alerts, in order to protect and educate the users about their security status and any risks they are exposed to. >> Read more about AI-VPN Analog/Mixed-Signal Library — OSHW component library for ASIC design One of the gaps in the open chip toolchain is a libre-licensed analog/mixed-signal library. 
Having access to such a library contributes to having a fully open ASIC design infrastructure through which secure and trustworthy open hardware can subsequently be built. This project is trying to fill that void. The first part of the project consists of enhancing and stabilising the underlying PDKMaster project, and allow it to facilitate programmatic co-generation of circuit and layout with integrated support for circuit simulation. This should make resulting circuits DRC and LVS clean by design. Second part of the bootstrapping effort is then to implement a set of scalable analog/mixed-signal blocks which can be integrated into PDKMaster. The initial set will consist of the following 4 core blocks: a voltage reference, a PLL (phase-locked loop), a low frequency, low accuracy ADC and a low frequency, low accuracy DAC. The overall focus is on proving the overall suitability of the PDKMaster framework, rather than on the complexity and difficulty of the individual analog/mixed-signal blocks which are to be added. Thanks to proper documentation and examples, users can start expanding the available building blocks by adding their own contributions. >> Read more about Analog/Mixed-Signal Library Accessible security — Integration effort of independent security efforts like Qubes, Heads, coreboot, etc The \"Accessible security\" project's initiative was sparked by the need for usable security made available to the average citizen. Several projects are contributing a part of this bigger puzzle: QubesOS, coreboot, Heads, me_cleaner, Whonix and others. Yet the average person does not have the sophistication to integrate these software projects. With some effort we can add some missing parts, help the affected projects' usability, and facilitate access to cutting-edge developments, currently only usable by developers and more sophisticated users. Bringing these projects together will reduce the amount of expertise and effort required to benefit from these projects. 
>> Read more about Accessible security Alder Lake Desktop — Open firmware for widely used Desktop/Workstation motherboard Modern firmwares are extremely complex pieces of software code. As such, it is not uncommon for some functionality to be bugged or to not be working as intended. Sometimes firmware updates break things that used to work, too. The first course of action is to request the mainboard manufacturer to resolve it, and typically the support team delivers a binary with a fix. However, when it comes to feature requests in the firmware, the manufacturers refuse to comply. The mainboard owner ends up with a piece of hardware not fulfilling the owner's needs and has to move to a different platform that is hopefully equipped with firmware containing the desired feature. However, this problem can be solved by offering freedom to the board owners. The freedom to modify and adapt the firmware to their own needs, which can be accomplished by open-source firmware. The goal of the project is to implement open-source firmware support for the MSI PRO Z690-A WIFI DDR4 workstation/desktop platform and open the door to liberty of customization. MSI PRO Z690-A supports the newest 12th generation of Intel Core processors. Furthermore, there will be no dependency on the mainboard manufacturer to provide fixes, because an experienced community could do them for a worldwide benefit. >> Read more about Alder Lake Desktop Autocrypt for Thunderbird — Make email encryption extremely simple Autocrypt is a specification that provides guidance for e-mail clients on how to achieve a seamless user experience. It does so by transparently exchanging keys, almost entirely automating public key management. This reduces the UI to \"single click for encryption\". The project will create an extension for the Thunderbird e-mail client that brings this experience to its users. 
The goal is to provide a new extension with a streamlined user experience that requires as little user interaction as possible, without \"poweruser\" features and performing practical user testing to identify open pain points. The extension will be based on OpenPGP.js, since this can be packaged directly. This will simplify installation and maintenance a great deal. >> Read more about Autocrypt for Thunderbird BBBsecureChat — Add E2EE instant messaging to Big Blue Button meetings BigBlueButton is a video conferencing framework built on open source components. It is being used worldwide for education, events and training, and gained a lot of usage during the Covid-19 pandemic. Whilst audio and video are being handled by scalable components (notably Freeswitch and Kurento), the chat currently integrated in BBB is a single node.js thread for all conferences. This causes performance problems if used heavily in conferences, and lacks features such as E2EE and emoji support. In this project we will be trying to create an alternative chat service component based on mature open source solutions which have a richer feature set and offer end-to-end encryption. Some of the challenges are: respecting privacy in recordings, allowing chats 1:1 and in break-out rooms, automatic exchange of encryption keys, authentication, SingleSignOn and handling file exchange among chat users. We will be testing the enhanced chat with selected BBB users and will offer the result to the BBB developer and user community. >> Read more about BBBsecureChat Balthazar — One laptop for the new internet age. Project's ambition is to design and deliver an innovative and technically advanced open hardware (RISC-V/ISA) based, European made, inexpensive, FOSS laptop as a personal computing device, containing on board all desirable (FOSS compliant) hardware and software features and functionalities needed to prevent any 3rd party intrusion into the system. 
It adds physical safety features currently not available in the market such as hot-swappable CPU, hardwired switches for e.g. camera and audio devices, and a quickly removable encrypted hard drive and peripherals. A goal of Balthazar is to enable and educate end users to be private, safe and careful with their own data, and that of others. Another goal is to make computing more sustainable and reach eco-friendly footprint, by empowering users to take up their 'right to repair', through a modular laptop that allows components to be easily exchanged and upgraded - up to the CPU itself. The goal is to lead by example and gently lead other hardware manufacturers to become fully open and transparent. And create an educational platform, as well as an advanced computing device where its users (including those with low income) can feel secure, safe and comfortable using it. For the children of all ages. >> Read more about Balthazar Balthazar - One laptop for the new internet age. — A secure fully open hardware laptop Project's ambition is to design and deliver an innovative and technically advanced open hardware (RISC-V/ISA) based, European made, inexpensive, FOSS laptop as a personal computing device, containing on board all desirable (FOSS compliant) hardware and software features and functionalities needed to prevent any 3rd party intrusion into the system. It adds physical safety features currently not available in the market such as hot-swappable CPU, hardwired switches for e.g. camera and audio devices, and a quickly removable encrypted hard drive and peripherals. A goal of Balthazar is to enable and educate end users to be private, safe and careful with their own data, and that of others. Another goal is to make computing more sustainable and reach eco-friendly footprint, by empowering users to take up their 'right to repair', through a modular laptop that allows components to be easily exchanged and upgraded - up to the CPU itself. 
The goal is to lead by example and gently lead other hardware manufacturers to become fully open and transparent. And create an educational platform, as well as an advanced computing device where its users (including those with low income) can feel secure, safe and comfortable using it. For the children of all ages. >> Read more about Balthazar - One laptop for the new internet age. Betrusted OS — An embedded OS for cryptographic devices Betrusted OS will underpin the Betrusted ecosystem, and will enable secure process isolation. It will be written in a safe systems language - namely Rust - to ensure various components are free from common programming pitfalls and undefined behavior. Unlike modern operating systems that trade security for speed, the Betrusted OS will prioritize security and isolation over performance. For example, it will be a microkernel that utilizes message passing and services rather than a monolithic kernel with modules. Unlike other deeply-embedded operating systems, it will require an MMU, and support multiple threads per process. This will let us add features such as service integrity and signature verification at an application level. >> Read more about Betrusted OS Betrusted software — A minimalist and secure OS for embedded communication devices The Betrusted software project utilizes the strongly typed Rust programming language to build the first applications and libraries for the open hardware Betrusted.io project. Betrusted is pioneering a new class of open hardware communications device, with a grant by NGI Zero. The project will set up a virtual environment for betrusted (e.g. QEMU / RISC-V) in order to develop and test software as close to target as possible and unlock community collaboration and contributions. The second main task in the project is to write a Matrix protocol command line client in order to analyze the memory characteristics in the highly constrained betrusted environment. 
The additional time is to be allocated to development support for the Betrusted OS, develop glue layers and verify necessary interfaces for applications, provide unit/integration tests and develop (test) applications for it. >> Read more about Betrusted software Betrusted Storage — Plausibly deniable encrypted storage Betrusted aims to be a secure communications device that is suitable for everyday use by non-technical users of diverse backgrounds. We believe users shouldn’t have to be experts in supply chain or cryptography to gain access to our ultimate goal: privacy and security one can count on. Today’s “private key only” secure enclave chips are vulnerable to I/O manipulation. This means there is no essential correlation between what a user is told, and what is actually going on. Betrusted will build a full technology stack, including silicon, device, OS, and UX that is open for inspection and verification. We've passed the first hurdle of creating an FPGA-based device, which we have spun out into a development platform we call Precursor. We are now advancing deeper into the technology stack to improve FPGA, drivers, OS, and UX elements, all driving toward the common goal of making Betrusted a simple, secure, and strong device that aims to advance Internet freedom. >> Read more about Betrusted Storage Briar — A secure messaging app with offline capabilities Briar is a secure messaging app designed for activists, journalists and civil society groups. Instead of using a central server, encrypted messages are synchronized directly between the users' devices, protecting users and their relationships from surveillance. This project will enable users of Briar to delete their private messages. Giving users control of what information their devices retain will allow them to practice defence in depth, managing their exposure if their devices are lost or compromised. 
>> Read more about Briar LibrEDA — An integrated development environment for chip design Because digital circuits are a core part of today’s society there is a significant value in free and open chips and, equally important, free and open design software that is accessible also to small entities. Not only would this enhance trust through transparency and digital sovereignty through distributed knowledge but it would also be a fertile ground for education, hobbyists and small enterprises. The main goal of this project is to create a new libre-software framework for the physical design of digital integrated circuits. The framework is meant to simplify the development of chip layout tools, i.e. the tools used to convert a gate-level netlist into a fabrication-ready layout. This includes fundamental data structures and algorithms, interface definitions of the design algorithms (e.g. placement, routing or timing analysis), input/output libraries for commonly used file formats as well as documentation and example implementations. Two variants will be pursued in parallel: One with a clear focus on simplicity and education and another with a focus on performance and scalability. Another part of the project is the continuation of the ‘LibreCell’ standard-cell generator and characterization tool. >> Read more about LibrEDA Zerocat Chipflasher Flashrom Interface — Hardware to flash alternative/libre firmware to BIOS chips The Zerocat Chipflasher Project aims to provide a fully user controlled electronic device, that helps users to remove the proprietary BIOS firmware from their laptops. The tool allows them to instead run verifiable and Free Firmware, produced by the Coreboot and Libreboot project. Proprietary BIOS is opaque with regards to functionality, and may contain known and unknown security issues. Also controversial elements like the Intel Management Engine can be deactivated. 
The project helps to empower everyone to create trustworthy digital hardware on her or his own and has been successfully certified by the Respects-Your-Freedom (RYF) Certification Program, set up by the Free Software Foundation in Boston, USA. The device combines the Do-it-Yourself concept with free-design hardware development, even down to chip level. This is achieved by skipping convenient functionalities which would require chips of a proprietary design and by instead using a free-design microcontroller, only. The flasher’s integration into the grid of related existing free software projects yet is to be improved by an additional interface and an in depth firmware review. >> Read more about Zerocat Chipflasher Flashrom Interface Chips4Makers ASICs — Current scaling of micro-electronics is focused on improving power, performance and cost per device but with an exponentially increasing start-up cost related to the increased process complexity. For the design of custom chips currently expensive proprietary electronic design automation (EDA) tools need to be used and hefty license fees are due for blocks implementing specific functions like the CPU, USB etc. All this together makes custom chip development only accessible for high-volume production and proprietary designs. In this project a development version of the libre licensed Libre-SOC system-on-a-chip will be manufactured in a 0.18um process combined with development on the open source tools and open source chip building blocks to make this possible. Development on the free and open source tools will be focused on making them compatible with the selected process and the building block development will be focused on the so-called standard cell library, the IO library and the SRAM compiler. This project fits in the longer term goal of the Chips4Makers project to make low-volume custom chip production possible using mature process technologies and free and open source tool chains and building blocks. 
Purpose is to get innovation using custom chips within reach of small start-ups, makers and even hobbyists. >> Read more about Chips4Makers ASICs Conversations — A secure mobile messaging client Conversations is an Android client for the federated, provider independent network of instant messaging servers that use the Extensible Messaging and Presence Protocol (XMPP). It aims to provide a feature set and a user experience that is on par with other well known messaging services. While Conversations is capable of sending end-to-end encrypted text messages, images, short videos and voice messages it currently lacks the ability to make voice and video calls. This project is about adding A/V call capabilities to Conversations in a manner that is compatible with other XMPP clients. To achieve compatibility Conversations will implement the Jingle protocol extensions including XEP 0353 (Jingle Message Initiation) for a smooth user experience across multiple devices. >> Read more about Conversations Libre-SOC, Coriolis2 ASIC Layout Collaboration — Open tooling for ASIC Layout One of the key issues in a trusted, trustable ASIC is for the toolchain to be libre-licensed, so that there is no possibility for hardware-level spying or backdoor compromises. The Alliance / Coriolis2 ASIC layout toolchain by LIP6.fr is one of the leading tools in this area. The Libre-SoC is another project being funded through NGI Zero, and at this moment that project needs to get beyond FPGA-proven status. The challenging next phase is to do an actual ASIC layout. With the System-on-Chip being developed in nmigen (a python-based HDL), Alliance / Coriolis2 also makes sense as it is written in Python as well. The funding will go towards doing an ASIC layout in 180nm. >> Read more about Libre-SOC, Coriolis2 ASIC Layout Collaboration CryptPad: Project Dialogue — Secure surveys and polls for Cryptpad Cryptpad is a real-time collaboration environment that encrypts everything client-side. 
The project will incorporate structured group interaction other than collaborative editing (e.g. gathering input through forms, polls), which is a useful addition to this. This will replace the current basic implementation of polls (like Doodle), and introduce surveys (like Google Forms). Authors will have exclusive control over the content and format of the polls and surveys, such as which questions are asked and the acceptable format of their answers. They'll also have control over the cryptographic keys which decrypt the submitted results, granting authors control over publishing. In addition, the project will develop an extension of its current notifications system to allow instance administrators to publish translatable messages visible to all their users. We'll use this broadcast system to distribute language-specific surveys and recruit willing users into a series of usability studies which will guide a second round of development for these applications. >> Read more about CryptPad: Project Dialogue CryptPad — Real-time collaboration with client-side encryption Cryptpad is a secure and encrypted open source collaboration platform. The CryptPad teams project will fund the development of a number of group-focused features to Cryptpad. We'll improve our current implementation of encrypted shared folders to display the permissions possessed by team members for different documents. The capacity to remove a member from a group is difficult in an encrypted system, as the knowledge of encryption keys cannot be taken away once given. We'll implement key-rotation protocols, and develop encrypted mailboxes to facilitate the delivery of new keys to authorized members. The same mailbox system will enable the development of notifications, allowing users to request additional permissions for documents, to invite new members to a group or session, or to inform friends that a document has been updated. 
Teams organize in many ways, and with the technical components available we'll focus on interfaces which support different modes of coordination, whether the team is hierarchical or self-organizing. Overall, we hope to make it so that the most intuitive way to collaborate is also the most secure. >> Read more about CryptPad CryptPad for communities — Collaborative web editor with client-side encryption CryptPad is a secure and encrypted open-source collaboration platform, that allows people to work together online on documents, spreadsheets and other types of documents. The amazing thing is that while the participants can work with these web applications as they would with any normal tool, the server has no way of telling what it is they are working on. Everything is encrypted on the device of the user, before it is sent to the server. The \"CryptPad for communities\" project will improve the experience of users adopting the platform for community management tasks. We'll spend time solving the issues most commonly reported by our users as obstacles to their broader adoption of the platform as an alternative to proprietary services. Document review is as important to many as collaborative editing, so we'll implement comment workflows that integrate our recently introduced social features into our text editors. Our Kanban and spreadsheet apps will both receive some crucial updates to better facilitate project management tasks without compromising on privacy. We'll develop extra access control features based on users' public keys for documents that require stricter protection than is currently offered. Those hosting their own CryptPad instance will benefit from new functionality for their admin panel as well as detailed documentation to make server management more accessible. Finally, we'll implement extra controls permitting admins to limit access to their instance by requiring invites for registration. 
Altogether we hope these tools will allow communities more determination when it comes to their data, their processes, and their ability to work together productively. >> Read more about CryptPad for communities GNU Guix - Cuirass — Continuous integration system for GNU Guix/Linux + Hurd GNU Guix is a universal functional package manager and operating system which respects the freedom of computer users. The number of supported packages, almost 15.000 on 5 different architectures, is constantly increasing. With the recent efforts adding support for the GNU Hurd operating system, and the ongoing work to easily provide Guix System images for various boards, the need for a strong continuous integration system is critical. This project aims to improve Cuirass, the GNU Guix continuous integration software to provide binary substitutes for every package or system image within the shortest time. This way, the user won't have to allocate important time and computation power resources into package building. The plan is to add to Cuirass an efficient offloading and work-balancing mechanism between build machines, an improved web interface allowing to monitor machine loads and other build related metrics. A user account section to setup customized monitoring dashboards and subscribe to build failures notifications will also be developed. >> Read more about GNU Guix - Cuirass DCnets — Implementation of Dining Cryptographers Network The aim of the proposed project is to design and implement an open source library that implements the so-called Dining Cryptographer's network or DCnet (first proposed by David Chaum in 1998). Existing implementations suffer from poor efficiency (e.g. high computation and/or communication cost) or limited security (e.g. when a malicious participant can disrupt the communication). The project will produce cryptographic primitives and protocols that help to bring untraceable communication (e.g. 
untraceable instant messaging, file transfer, IP telephony) closer to practice. We will implement the most recent advances in cryptographic research (e.g. zero-knowledge proofs) and engineering (e.g. highly optimized arithmetic on elliptic curves and finite fields) to maximize both security and efficiency. >> Read more about DCnets Dat Private Network — Private storage in DAT The dat private network is a self-hosted server that is easy to deploy on cloud or home infrastructure. Key features include a web-based control panel for administration by non-developers, as well as on-disk encryption. These no-knowledge storage services will ensure backup and high availability of distributed datasets, while also providing trust that unauthorized third-parties won’t have access to content. By creating a turnkey backup solution, we’ll be able to address two of our users’ most pressing questions about dat: who serves my data when I’m offline, and how do I archive and secure important files? The idea for this module came from the community, and reflects a dire need in the storage space -- no-knowledge backup and sync across devices. A properly-designed backup service will provide solutions to both of these questions, and will do so in a privacy-preserving way. This deliverable will put resources into bringing this work to a production-ready state, primarily through development towards updates that make use of the latest performance and security updates from the dat ecosystem, such as NOISE support. We plan to maintain the socio-technical infrastructure through an open working group that creates updates for the network as it matures. >> Read more about Dat Private Network Structuring the System Layer with Dataspaces — Implementing a secure and scalable system layer on mobile The system layer is an essential but often-ignored part of an operating system, mediating between user-facing programs and the kernel. 
Despite its importance, the concept has only been recently recognised and has not received a great deal of attention. The novel Dataspace Model of concurrency and communication combines a small number of concepts to yield succinct expression of ubiquitous system-layer features such as service naming, presence, discovery and activation; security mechanism and policy; subsystem isolation; and robust handling of partial failure. This project will evaluate the hypothesis that the Dataspace Model provides a suitable theoretical and practical foundation for system layers, since a well-founded system layer is a necessary part of any vision of secure, securable, resilient networked personal computing. >> Read more about Structuring the System Layer with Dataspaces Dino — User-friendly and secure instant messaging Dino is an open-source messaging application. It uses XMPP as an underlying protocol, which allows federated, provider-independent communication and offers a world-wide network of interconnected servers. Dino aims to be secure and privacy-friendly while at the same time offering a good user experience and a modern feature set. This project will add encrypted audio/video calling functionality between two or more parties. The implementation will rely on existing standards to interoperate with other XMPP applications. >> Read more about Dino Distributed Private Trust — Decentralised trust and reputation system The project \"Distributed Private Trust\" wants to develop a prototype for a trust and reputation system that does not rely on a centralized trusted party and provides users with more privacy than current systems. It uses secure multi-party computation to calculate aggregate ratings without having to reveal individual users ratings to any other party. The project also applies techniques from mechanism design to make the system robust to malicious behaviour of participants, for example by diminishing incentives to submit dishonest ratings. 
>> Read more about Distributed Private Trust EEZ DIB — EEZ DIY Instrument Bus The aim of the EEZ DIB project is to enable the creation and management of modular open hardware T&M (Test & Measurement) solutions. Born out of frustration that solutions from reputable manufacturers are feature rich but closed in design and with expensive software licenses, an attempt has been made to fill the gap between such solutions and DIY/hobbyist solutions which, although often open in design, lack the structure, documentation and completeness that could ensure further growth, development and support. The hardware part of the project is EEZ BB3, an open source DIB chassis in a compact format that can accommodate up to 3 peripheral T&M modules which can be monitored locally via a touchscreen display with a responsive and attractive user interface or remotely via USB or Ethernet using Telnet, MQTT, JS and Node-RED. Additional autonomy and programmability have been achieved by adding support for MicroPython scripting. The software part of the project is EEZ Studio, a free and open source cross-platform application that has two functions: a) a visual editor that simplifies and accelerates touchscreen GUI development and b) management of multiple EEZ BB3 and 3rd party T&M devices for the purpose of simple communication and acquisition, search and presentation of measurement data. >> Read more about EEZ DIB EGIL SCIM client — System for Cross-domain Identity Management Managing student information in an effective, secure and GDPR compliant way is crucial for the digitalized school. EGIL is an open source client that facilitates the exchange of student information to external providers of study material or administrative services in a standardized way. It supports attributes based on SCIM (RFC 7642-7644) and extensions, it provides an interface to common directory services and supports federated solutions between a large number of school principals and service providers. 
This project will improve EGIL's federative capabilities, submit an Internet-Draft on the subject of federated account provisioning, and provide a proof of concept for using SCIM as the standard for exchange of student information. This will eliminate the problems caused by using several different exchange protocols and formats between school principals and service providers. >> Read more about EGIL SCIM client Edalize ASIC backend — Create open hardware silicon with a fully free software toolchain Affordable Open Source ASIC development and custom silicon has been a long-standing goal in the community. This will unlock innovation that has previously only been possible for the largest tech companies, allowing for the creation of deployable, trusted Open Source based hardware. Step by step, this goal has come closer in the last few years as individuals, companies and academic institutions have filled in the missing pieces. Today we have a fully open source end-to-end flow for building open source ASICs - but the effort of on-boarding existing designs remains high. This project aims to provide an easy way to onboard existing gateware and full designs to an open source ASIC flow by creating a FuseSoC backend that targets this toolchain. This will enable a smoother transition for projects already running on FPGAs to also target ASIC flows. It will also allow easier switching between different open source ASIC flows at the point when there are several alternatives to choose from. In addition to the backend itself, a reference design containing SERV, the world’s smallest RISC-V CPU, will be run through the flow and committed to actual silicon. This will provide a way to guarantee a working flow and provide a simple but usable reference for everyone else looking to onboard their designs. 
Enabling and demonstrating this path will allow a fully trustworthy path for the fabrication of system-on-a-chip ICs, with no proprietary or closed tools as part of the flow and hence completely inspectable at all stages. This paves the road for other more complex FuseSoC-based open source silicon projects such as OpenTitan and SweRVolf. >> Read more about Edalize ASIC backend Etebase - protocol and encryption enhancements — Redesign EteSync protocol and encryption scheme Etebase is an open-source and end-to-end encrypted software development kit and backend. Think of it as a tool that developers can use to easily build encrypted applications. Etebase is the new name for the protocol that powers EteSync, an open source, end-to-end encrypted, and privacy respecting sync solution for contacts, calendars, notes, tasks and more across all major platforms. Many people are well aware of the importance of end-to-end encryption. This is evident by the increasing popularity of end-to-end encrypted messaging applications. However, in today's cloud-based world, there is much more (as important!) information that is just left exposed and unencrypted, without people even realising. Calendar events, tasks, personal notes and location data (\"find my phone\") are a few such examples. This is why the overarching goal of Etebase is to enable users to end-to-end encrypt all of their data. While the Etebase protocol served EteSync well, there are a number of improvements that could be made to better support EteSync's current and long-term requirements, as well as enabling other developers to build a variety of encrypted applications. >> Read more about Etebase - protocol and encryption enhancements EteSync - iOS application — Encrypted synchronisation for calendars, addressbook, etc EteSync is an open source, end-to-end encrypted, and privacy respecting sync solution for contacts, calendars and tasks with more data types planned for the future. 
It's currently supported on Android, the desktop (using a DAV adapter layer) where it seamlessly integrates with existing apps, and on the web for easy access from everywhere. Many people are well aware of the importance of end-to-end encryption. This is evident by the increasing popularity of end-to-end encrypted messaging applications. However, in today's cloud-based world, there is much more (as important!) information that is just left exposed and unencrypted, without people even realising. Calendar events, tasks, personal notes and location data (\"find my phone\") are a few such examples. This is why the overarching goal of EteSync is to enable users to end-to-end encrypt all of their data. The purpose of this project is to create an EteSync iOS client which will seamlessly integrate with the rest of the system and let the many currently uncatered-for iOS users securely sync their data. >> Read more about EteSync - iOS application Tracking the Trackers — Automated scanning for spyware in mobile applications F-Droid is a free software, community app store that has been working since 2010 to make all forms of tracking and advertising visible to users. It is the trusted name for privacy in Android, and app developers who sell based on privacy make the extra effort to get their apps included in the F-Droid.org collection. These include Nextcloud, Tor Browser, TAZ.de, and Tutanota. Auditing apps for tracking is labor intensive and error prone, yet ever more in demand. Our tools already aid F-Droid contributors in this process. This project creates new tools using machine learning to drastically speed up this process by augmenting the human review process. Since the prime motivation of the F-Droid community is ethical software distribution, algorithms will never replace humans in making ethical decisions. We will also explore using machine learning to detect tracking in a more generic way, without requiring manually compiled lists of key information. 
The resulting tools will be generally available for any use case needing to reliably detect trackers in Android apps. This builds upon our collaboration with Exodus Privacy and LibScout. >> Read more about Tracking the Trackers Fractal — Native client for the Matrix protocol Fractal is an Open Source (GPLv3) Matrix client written in Rust. It uses the GTK graphical interface toolkit and is part of the GNOME project. It was created with a big focus on usability and interface design. The objective of this project is to add end-to-end encryption support to Fractal. Fractal has two major parts: A backend part, which communicates with the Matrix server, and a part that contains the GUI and data handling. This will be achieved by first replacing the current backend with the matrix-rust-sdk that was created recently and has several advantages over the current backend, including an abstraction for handling end-to-end encryption for Matrix. Once the backend pieces are in place, Fractal's UI needs to be updated to allow users to actually use end-to-end encryption, which involves a number of non-trivial new user flows (e.g. device verification, cross-signing, key backup). >> Read more about Fractal Fix the Pitch Black Attack in Freenet routing — A decentralized distributed platform for private communication Hyphanet (previously: Freenet) is a peer-to-peer platform with academic roots, offering censorship-resistant publication and privacy by design. It uses a decentralized distributed data store to store and forward information of its users, and is one of the oldest privacy related infrastructures - having been in continuous development for two decades, and predating the alpha version of Tor by several years. This project solves a published theoretical denial-of-service attack on the friend-to-friend structure of its routing, which has been a looming threat since it was discovered a number of years ago. 
>> Read more about Fix the Pitch Black Attack in Freenet routing GNU Mes — Help create an operating system we can trust GNU Mes was created to address the security concerns that arise from bootstrapping an operating system using large, unauditable binary blobs, which is common practice for all software distributions. Mes is a Scheme interpreter written in a simple subset of C and a C compiler written in Scheme and comes with a small, bootstrappable C library. The Mes bootstrap has halved the size of opaque binaries that were needed to bootstrap GNU Guix, a functional GNU/Linux distribution that focusses on user freedom, reproducibility and security. That reduction was achieved by replacing GNU Binutils, GNU GCC and the GNU C Library with Mes. The final goal is to help create a full source bootstrap for any interested UNIX-like operating system. After three years of volunteer work this funding will enable us to take another big step forward and reach an important new milestone in creating more auditable secure software distributions. >> Read more about GNU Mes GNU Mes on ARM — Trustworthy bootstrap for operating systems on ARM ISA GNU Mes was created to address the security concerns that arise from bootstrapping an operating system using large, unauditable binary blobs, which is common practice for all software distributions. Mes is a Scheme interpreter written in a simple subset of C and a C compiler written in Scheme that comes with a small, bootstrappable C library. The final goal is to help create a full source bootstrap for any interested UNIX-like operating system. This funding will enable GNU Mes to work on the ARM platform. >> Read more about GNU Mes on ARM GNU Mes: Full Source bootstrap — GNU Mes was created to address the security concerns that arise from bootstrapping an operating system using large, unauditable binary blobs, which is common practice for all software distributions. 
Mes is a Scheme interpreter written in a simple subset of C and a C compiler written in Scheme and comes with a small, bootstrappable C library. The Mes bootstrap has greatly reduced the size of opaque binaries that were needed to bootstrap GNU Guix, a functional GNU/Linux distribution that focusses on user freedom, reproducibility and security. That reduction (from ~250MB to ~60MB) was achieved by first replacing GNU Binutils, GNU GCC and the GNU C Library with Mes. The second step was funded by NLnet (https://nlnet.nl/project/GNUMes) and replaced GNU Awk, GNU Bash, the GNU Core Utilities, GNU Grep, GNU Gzip, GNU SED, and GNU Tar with a more mature Mes, Gash and Gash-Utils. The final goal is to help create a full source bootstrap for any interested UNIX-like operating system and non-intel architectures (see https://nlnet.nl/project/GNUMes-arm) This funding will enable us to take another big step forward and reach an important new milestone in creating more auditable secure software distributions. >> Read more about GNU Mes: Full Source bootstrap GNU Taler — Advanced electronic payment system for privacy-preserving payments GNU Taler is an advanced electronic payment system for privacy-preserving payments. Unusual for such a system, the entire Taler system is ethical, free/libre software, so there are no dependencies on third parties and no black boxes. Taler can support digital payments in any currency - existing or new, mainstream or private. Unique to the GNU Taler system is that it provides anonymity for customers, while delivering various anti-fraud measures necessary to curb abuse. If you are a central bank, you can use Taler to provision a CBDC. If you are a regular bank or payment provider, you can use it as a mature digital payment method instead of various proprietary solutions which are opaque and come with many restrictions and high costs. The technology behind Taler fully supports local or community currencies too. 
Taler was designed to meet all the usual regulations for electronic money issuers, and supports regulations like PCI-DSS and GDPR out of the box. The work done within this grant delivered a key regulatory requirement, an independent audit of the payment service operator (the \"exchange\"). With the third party security audit of the GNU Taler codebase completed, banks and payment providers can now switch to this new system with confidence. GNU Taler finally brings us a transparent, trustworthy and truly private payment ecosystem that operates independent from vendors. >> Read more about GNU Taler GPG Lacre project — Best effort encryption of mail flows with OpenPGP This project is the continuation of the work on providing open source, GnuPG based email encryption for emails at rest. All incoming emails are automatically encrypted with the user's public key before they are saved on the server. It is a server side encryption solution in which control of the encryption keys is fully in the hands of the end-user and private keys are never stored on the server. The scope of the project is to improve on the already existing code, provide an easy-to-use key upload system (standalone as well as a Roundcube plugin) and key discoverability. Besides providing a solution that is easy to use we will also provide easy to digest material about encryption, how it works and how to make use of it in situations other than just mailbox encryption. Understanding how encryption works is the key to self-determination and is therefore an important part of the project. GPG Mailgate will be battle tested on the email infrastructure of Disroot.org (an ethical non-profit service provider). >> Read more about GPG Lacre project GoatCounter — Privacy-friendly web analytics for small websites GoatCounter aims to provide meaningful privacy-friendly analytics for business purposes, while still staying usable for non-technical users to use on personal websites. 
The choices that currently exist are between hosted online services that have serious privacy issues, running your own complex software, or extremely simplistic \"vanity statistics\". GoatCounter attempts to strike a good balance between various interests. Major features include an easy to run self-hosted option, an intuitive user interface that is also accessible to website maintainers with accessibility needs, and meaningful statistics that go beyond \"vanity stats\" but still respect user privacy. >> Read more about GoatCounter Implement sound support in the Hurd — Add audio capabilities to the multiserver microkernel from GNU The GNU Hurd is a light weight kernel (the central part of an operating system) on top of the Mach microkernel, with full POSIX compatibility. The mission of the Hurd project is: to create a general-purpose kernel suitable for the GNU operating system, which is viable for everyday use, and gives users and programs as much control over their computing environment as possible. Hurd provides security capabilities like adding access to services for programs at runtime when and only while they need it, and to enable easy low-level development - like replacing a file system during runtime and real-time kernel debugging as if it were a normal program. This project adds an important feature to GNU Hurd: an audio-system with fine-grained access management to physical hardware. >> Read more about Implement sound support in the Hurd A proof of concept of identity-based encryption — Make encryption simpler The project aims to extend the existing attribute-based identity platform IRMA with easy-to-use encryption. The kind of encryption is called Identity-Based. Its main advantage is that key management is simple, so that encryption becomes easy to use, via a plugin to an email client (only Thunderbird in this proof of concept project). 
The plugin computes the public key of the recipient of a message, from some uniquely identifying attribute of the recipient (typically an email address, but phone number, or citizen registration number could work as well). The receiver of the message will have to prove, via IRMA, possession of the uniquely identifying attribute to some Trusted Third Party (TTP), which will then provide the corresponding private key. Within this project a working set-up will be built. Turning it into a widely usable product will require more work, in follow-up projects. >> Read more about A proof of concept of identity-based encryption IMSI Pseudonymization — Better privacy protection for 2G-5G The IMSI Pseudonymization project will design a specification and provide a reference implementation of a mechanism to conceal the IMSI (international mobile subscriber identity) of a mobile subscriber on the radio interface. The IMSI is used to uniquely identify each subscriber in a (2G, 3G, 4G, 5G) cellular network. However, the privacy of users is not really well protected: current specifications require the IMSI to be transferred in plain text at various times before an encrypted connection can be set up. The present project will specify, implement and evaluate a method by which the IMSI will be concealed on the air interface with no modifications to existing mobile phones or any network elements of the operator beyond the HLR/HSS (which implements the authentication on the network side). The project will further submit this proposal into the 3GPP standardization process and attempt to make it at least an optional extension that operators (even MVNOs) can deploy. >> Read more about IMSI Pseudonymization IRMA made easy — Usability research into attribute based authentication Authentication methods, like passwords, often involve a trade-off between usability and security. Secure passwords are a hassle to use, and easy-to-use passwords are often also easy to guess or to brute force. 
Clearly, there is a need for authentication methods that are both secure and user-friendly. The IRMA mobile app can fill this gap. It was originally developed with a strong focus on providing secure and privacy-friendly authentication. This project will focus on making IRMA easy to use for everyone. We will conduct a formal large-scale evaluation of IRMA that focuses on usability in general as well as on accessibility (i.e. for users with disabilities) in particular. By doing so, usability hindrances can be identified and improved, making IRMA user-friendly and accessible for users with the widest range of capabilities. >> Read more about IRMA made easy YunoHost and the Internet Cube — Solutions for DIY-ISP's and self-hosters YunoHost is a free and open-source server distribution that provides a self-hosted alternative to commercial centralized services, and allows people to take back control over their data. YunoHost aims to make server administration accessible to the general public and ultimately make personal servers as common as desktop computers. Based on YunoHost, the Internet Cube project develops an affordable plug-and-play server that can be bought and easily deployed at home by the general public. In addition to its self-hosting capabilities, it provides a privacy-enhancing WiFi hotspot which protects its users from censorship and metadata leaks. And because it is low-power, it can be used even in remote and offline situations. >> Read more about YunoHost and the Internet Cube JavaScript Restrictor — Increasing Security and Privacy of JavaScript APIs A JavaScript-enabled web page can access any of the APIs that a web browser provides. The user has only limited control, and some APIs cannot be restricted by the user easily. JShelter (previously also known as JavaScript Restrictor) aims to improve the user control of the web browser. Similarly to a firewall that controls the network traffic, JShelter controls the APIs provided by the browser. 
This project has several goals: (1) the analysis of fingerprinting scripts deployed on the web; based on the study, we want to improve the anti-fingerprinting techniques deployed in the JShelter, (2) improvements in the integration, functional, and unit testing, (3) usability and documentation. >> Read more about JavaScript Restrictor JShelter — Cross-browser extension to make javascript less exploitable The Internet is vital to the everyday lives of billions of people. That's why it's especially problematic that, in the course of using the Web, even from an otherwise fully free machine, browsers run nonfree programs that are outside the control, and even awareness, of many users. These programs run behind the scenes -- but on the user's system -- whenever the Web server says to run them. They are typically served to the user as minified JavaScript, and few provide the corresponding human readable source code, or a free license allowing users to lawfully inspect and modify the program. By definition, these programs infringe user freedom. In practice, this also means they pose serious threats to users' privacy and security -- such as by surreptitiously using a user's CPU to mine cryptocurrency, or by capturing and manipulating keystrokes. The Free Software Foundation is working to make all JavaScript on the Web be free software; its JavaScript Shield project is a freely licensed anti-malware browser add-on to limit potential threats from JavaScript, such as fingerprinting, tracking and data collection. It would ask -- globally or per site -- if specific native functions provided by the JavaScript engine and the DOM are allowed by the user. It would also link to an explanatory page for each function, to raise awareness of related threats. Depending on the function being addressed, the user would have the option to allow it, block it, or have it return a spoofed value. 
This extension will help protect users from critical threats now, and contribute significantly to progress on the necessary longer-term cultural shift of moving away from nonfree JavaScript. >> Read more about JShelter End-To-End Encryption for Jitsi Meet — Proven strong encryption for open source video conferencing Jitsi Meet is an open-source video conferencing application that uses Jitsi Videobridge to provide high quality, secure and scalable video conferences. Traditionally, it used hop-by-hop encryption to secure the contents. The drawback of this is of course that the videobridge is able to view the unencrypted contents. With the advent of the WebRTC Insertable Streams API in Chrome it became possible to implement actual end-to-end encryption on top of WebRTC. This project will implement and verify a more complete solution that involves a key management system which establishes public keys, derives encryption keys and changes them depending on the state of the conference. >> Read more about End-To-End Encryption for Jitsi Meet Verified Differential Privacy for Julia — Proving sound privacy guarantees through a type system Differential privacy can be used to prevent leakage of private information from published results of analyses performed on sensitive data. Doing so correctly requires handling the extra complexity introduced by this technique, on top of the complexity of the analysis procedure itself. A proposed relief comes in the form of type systems. They allow tracking privacy properties of functions in types, where successful typechecking is equivalent to proving sound privacy guarantees. This aids the programmer in reasoning about code, detects implementation errors that are really hard to notice before one falls victim to a privacy breach, and can give formal guarantees to the people whose privacy is claimed to be protected. This project will implement a typechecker based on the type system of the Julia programming language. 
Julia is a high-level, high-performance, dynamic programming language. While it is a general purpose language and can be used to write any application, many of its features are well-suited for high-performance numerical analysis and computational science. This should enable data scientists to compute privacy guarantees for any Julia function before they start working with real user data. >> Read more about Verified Differential Privacy for Julia Kaidan — Adding encryption to user-friendly cross-platform XMPP client Kaidan is a user-friendly and modern chat app for every device. It uses the open communication protocol XMPP (Jabber). Unlike other chat apps, you are not dependent on one specific service provider. Instead, you can choose between various servers and clients. Kaidan is one of those XMPP clients. In contrast to many other XMPP clients, it is easy to get started and switch devices with Kaidan. Additionally, it adapts to your operating system and device's dimensions. It runs on mobile and desktop systems including Linux, Windows, macOS, Android, Plasma Mobile and Ubuntu Touch. The user interface makes use of Kirigami and QtQuick. The back-end of Kaidan is entirely written in C++ using Qt and the Qt-based XMPP library QXmpp. >> Read more about Kaidan Kaidan A/V — Secure audio and video calls for Kaidan and QXmpp Kaidan is a user-friendly and modern chat app for every device. It uses the open communication protocol XMPP (Jabber). Unlike other chat apps, you are not dependent on one specific service provider. Instead, you can choose between various servers and clients. Kaidan is one of those XMPP clients. In contrast to many other XMPP clients, it is easy to get started and switch devices with Kaidan. Additionally, it adapts to your operating system and device's dimensions. It runs on mobile and desktop systems including Linux, Windows, macOS, Android, Plasma Mobile and Ubuntu Touch. The user interface makes use of Kirigami and QtQuick. 
The back-end of Kaidan is entirely written in C++ using Qt and the Qt-based XMPP library QXmpp. This project aims to add audio/video calls to Kaidan in a standards-compliant manner. >> Read more about Kaidan A/V Improve Email Encryption in KMail — Adopt improvements in Email Encryption in KMail The goal of this project is to make it simpler for inexperienced users to just use encrypted mails, at the click of a button. Autocrypt is a new method for email encryption, that needs nearly no user interaction. It performs the needed key exchange transparently in the background, and does key management automatically. Encrypted Headers is a protocol to send mail headers in the encrypted mail part. Traditional encryption methods leaked meta-data, which could be used for mass surveillance purposes. The result will be part of the KDEPIM codebase, so you don't have to install anything other than KMail to use these improvements. >> Read more about Improve Email Encryption in KMail ARPA2 LDAP Middleware — Privacy enhancing middleware Some protocols are far better known than others. Everyone will recognise the HTTP protocol we use to transfer web pages. LDAP is not as well known, but it is also a key technology we use on a daily basis - in fact it shapes how most organisations are organised online. LDAP is a proven technology but can be cumbersome to work with, and as a result it has seen little innovation in recent years. This project develops a number of innovative middleware components from the ARPA2 project. This includes a privacy enhancing middleware for LDAP (LEAF), which allows attribute filtering and selective transformation of LDAP; SteamWorks, which allows for responsive large scale configuration and trust delegation; and Lillydap, a library that can be used to easily add LDAP to any application. The project also delivers on broader deployability of these building blocks, by providing tools for distro packaging the innovative solutions produced by the project. 
>> Read more about ARPA2 LDAP Middleware Liberaforms — Open source form server Cloud services that offer handling of online forms are widely used, for questionnaires but also for gathering data within schools, associations, volunteer organisations, civil society and even families. While these cloud services (such as Google Forms and Microsoft Forms) can be quite convenient to create forms with, for the constituency which has to fill out these forms such practices can actually be very invasive to their privacy - as many forms not only include personal details such as their name, address, gender or age, but also a lot more intimate questions - up to medical details, political information and life style background. In many situations there is a power asymmetry between the people creating the form and the users that have to supply the data through that form. Often there is significant time pressure. No wonder that users feel socially coerced to comply and hand over their data, even though they might be perfectly aware that their own data might be used against them. This project will produce a free and libre software solution to create online forms, and to manage the outcomes. The goal is to make something for regular humans: user-friendly, non-intrusive and light-weight. The project aims to make self-hosted form management easy even for novice users, so data can be kept safely on-premise or with a hosting company you can trust. Something that can be used by our neighbours, friends, colleagues and anyone else who respects privacy and understands the moral obligation of the creator of a form to protect the privacy of the people that are supposed to share data with them. >> Read more about Liberaforms Libre-SOC — A fully open hardware System-on-a-Chip It is 2019 and it is not possible to buy a mass-produced laptop, tablet or smartphone and replace all of its software (with software that a user can trust) without loss of functionality. 
Processor boot-loaders are DRM-locked; WIFI, 3D Graphics and Video Processors are proprietary, and Intel's processors contain problematic features and intransparent elements such as the \"Management\" Engine. The most logical way to restore and engender trust is to literally make a new processor - one that is developed transparently and may be independently audited to the bedrock. The project develops a low-power, mobile-class, 64-bit Quad-Core OpenPower SoC at a minimum 800mhz clock rate, suitable for tablet, netbook, and industrial embedded systems. Full source code files are available for the operating system and bootloader, and the actual processor, its peripherals and its 3D GPU and VPU. Details at https://libre-soc.org/3d_gpu/ >> Read more about Libre-SOC LibreSilicon — Free/open source semiconductor manufacturing process LibreSilicon aims to reduce the steep entry barriers to full custom application-specific integrated circuit (ASIC) design and help people to regain trust in their computing devices, right at the bedrock: When they are manufactured. LibreSilicon provides a standard for manufacturing semiconductors which allows platform independent process design kits (PDKs) and design rules that allow manufacturing the same chip layout in any factory that has calibrated their process according to the LibreSilicon specs. By introducing this process standard, full custom ASIC design should become available to private persons without corporate or academic access to IC foundries. After democratizing software development with tools like Arduino, and PCB design with tools like KiCAD, LibreSilicon will democratize ASIC design, and GDS2 intends to become the new Gerber file format for semiconductor manufacturing. >> Read more about LibreSilicon Libre Silicon compiler — Synthesize, place and route hardware description to silicon LibreSilicon Compiler (LSC) is a place + route suite for silicon. 
The main focus of this project is to produce legal and efficient silicon layouts from digital netlists (e. g. BLIF, EDIF). Traditionally the placement and routing problems are handled separately and in sequence and the final layout is given by the routing step. In this setup the routing step gains information from placement but not the other way around. LSC attempts to shift this paradigm to create a feedback loop between the two main problems to improve the solution. Furthermore we are incorporating formal methods to produce the compiler software and to verify resulting layouts. While the latter is standard practice, proving properties of the compiler software itself is only widespread in the domain of software compilers. This exercise will be favored by the use of the programming language Haskell and advanced theorem provers. Finally this software aims to profit from explicit module hierarchies given by the developers of digital logic in register-transfer level (e. g. Verilog, Chisel). Greedy solutions can be found for highly modularised chips: when logic is not inlined in the conventional software compiler sense, the size of problem instances is kept small. This also gives parallelism for free, as the dependency tree is resolved from the bottom up. >> Read more about Libre Silicon compiler Standard Cell Library — Open Standard Cell Library with automated dimensioning of transistors Without having an open standard cell library, any open hardware project depends on unknown components. This significantly hampers innovation, and is on the critical path of delivering truly open hardware chips. LibreSilicon's approach to this problem is generative, working from a (potentially verifiable) algorithm for automated sizing of transistors. All commercially available Standard Cell Libraries contain only a small subset of all useful cells, limited by the manpower of the vendor. 
They are hand-crafted and error-prone, and typically require non-disclosure agreements (NDAs) while heavily depending on the underlying PDKs - meaning that the outcome is hard to verify and trust. The goal is to produce a production quality free and open source Standard Cell Library. >> Read more about Standard Cell Library Port of AMDVLK/RADV 3D Driver to the Libre-SOC — Adapt Vulkan Drivers to the Libre-SoC The Libre SoC is being developed to provide a privacy-respecting modern processor, developed transparently and as libre to the bedrock as possible. As a hybrid processor, it is intended to be both a CPU and a GPU. GPUs are typically proprietary (and thus not fully transparent), as is the 3D driver software. The SoC design requires a Vulkan compliant hybrid hardware-software API. The development of the Kazan 3D Driver (developed from scratch inside the Libre SoC) that aims to provide such an API is therefore on the critical path to final release. Given the complex nature of 3D driver development, and because Kazan is a novel approach (written in Rust, for security reasons), that dependency is considered a liability. This project develops a second, more traditional Mesa3D driver in C++. This reduces the pressure on the Kazan development, and allows for benchmarking and increased transparency and collaboration on this ambitious project. >> Read more about Port of AMDVLK/RADV 3D Driver to the Libre-SOC Libre-SOC Formal Correctness Proofs — Mathematical unit tests for open hardware System-on-Chip Hardware projects like the Libre-SOC Project involve writing an inordinate amount of comprehensive unit tests to make sure everything functions the way it should. This is a critical and expensive part of the overall design process. Formal Mathematical Proofs (already quite popular in secure software development) provide an interesting alternative for several reasons: they're mathematically inviolate, which we believe makes them more trustworthy. 
And they are simpler to read and much more comprehensive (100% coverage), saving hugely on development and maintenance. From a security and trust perspective, both aspects are extremely important. Security mistakes are often accidental due to complexity: a reduction in complexity helps avoid mistakes. Secondly: independent auditing of the processor is a matter of running the formal proofs. The project aims to provide proofs for every module of the Libre RISC-V SoC, and therefore contributes significantly to the larger goal of developing a privacy-respecting processor in a way that is independently verifiable. >> Read more about Libre-SOC Formal Correctness Proofs Libre-SOC Formal Standards Development — Formal Standards for OpenPower extensions from Libre-SoC Libre-SOC was first funded from NLnet in 2018. This was for the core of the project, based on an informally-developed Hybrid CPU-GPU 3D instruction set that had been written (and implemented in a simulator) in the 18 months prior to contacting NLnet. During the implementation it became clear that a lot more work is needed, and, further, that to meet proper transparency criteria, the proposed instruction set enhancements would need to be properly written up. In addition, negotiations and communications with the Standards Body responsible for POWER ISA (the OpenPower Foundation) also needed to be taken into consideration. The goal of this project is to deliver on those requirements, and achieve full transparency and understanding of the Libre-SoC. >> Read more about Libre-SOC Formal Standards Development Libre-SOC Video Acceleration — Optimised video acceleration instructions for Libre RISC-V SoC The Libre-SoC Project has been funded by NLnet to get to FPGA-proven status. This was for the \"core\" (the main processor). One of the next, specialist, phases is to ensure that its capabilities are usable to perform Video Acceleration. 
To do so, Video Software such as ffmpeg, gstreamer and their low-level libraries need to actually use the hardware-accelerated capability. A \"normal\" commercial processor usually has a separate proprietary VPU, along with proprietary software: both unfortunately are vectors for attack against users, undermining trust and privacy. Without access to Video Acceleration, users are left with the stark choice: be compromised, or don't watch any video, period. This project therefore provides a commercial-grade Video Decoder (minimum 720p) and helps restore trust in the software *and* hardware. >> Read more about Libre-SOC Video Acceleration Lightmeter — Email server configuration lifecycle management Lightmeter will make it easy to run email servers large and small by visualising, monitoring, and notifying users of problems and opportunities for improved performance and security. People will regain control of sensitive communications either directly by running their own mailservers, or indirectly via the increased diversity and trustworthiness of mail hosting services. >> Read more about Lightmeter Usability of Linux firewall userspace tools — Userspace tooling for Linux kernel Netfilter Netfilter is the project offering the packet classification framework for GNU/Linux operating systems. Netfilter supports stateless and stateful packet filtering, mangling, logging and NAT. Netfilter provides a rule-based language to define the filtering policy through a linear list, sets and maps. This language is domain specific and it provides a simplified programming language to express filtering policies. Firewall operators are usually not programmers, although they are typically knowledgeable about shell scripting. Humans currently have few means to check for mistakes when elaborating filtering policies, which as a result can interact in unpredictable ways or cause performance issues - meaning one can never be sure how much they can be trusted to protect users. 
Lack of correctness and inconsistencies emerge as the rule set increases in complexity. Introducing ways to assist the operator to spot these problems and to provide hints to express the filtering policies in a better way would help to improve this situation. Error reporting is another key aspect to assist humans in troubleshooting. This project aims to extend the existing tooling to introduce infrastructure to cover these aspects. >> Read more about Usability of Linux firewall userspace tools LumoSQL — Create more reliable, distributed embedded databases The most widely-used database (SQLite) is not as reliable as it could be, and is missing essential features like encryption and safe usage in networked environments. Billions of people unknowingly depend on SQLite in their applications for critical tasks throughout the day, and this embedded database is used in many internet applications - including in some core internet and technology infrastructure. This project wants to create a viable alternative ('rip and replace'), using the battle tested LMDB produced by the LDAP community. This effort allows a number of other shortcomings to be addressed, making many applications more trustworthy and, by adding cryptography, also more private. Given the wide range of use cases and heavy operational demands of this class of embedded databases, a serious effort is needed to execute this plan in a way where users can massively switch. The project will extensively test, and will validate its efforts with a number of critical applications. >> Read more about LumoSQL Luna PnR — A versatile and fast new open-source place and route tool Making a custom chip (ASIC) requires a vast ecosystem of expensive commercial tools, limiting the application of ASICs to large companies; this greatly hampers innovation. 
Project Luna aims to mitigate this situation by providing a robust open-source automated place & route tool, which forms an important but mostly missing part of the ASIC design flow. This way, universities, makers, small companies and start-ups can get access to ASIC design tools. Luna targets ASIC processes larger than 100nm, which makes it ideal for designing mixed-signal (analogue + digital) chips used in sensors and IOT devices. It integrates well with existing open-source tools, such as YosysHQ's Yosys (a logic synthesis tool) and KLayout (a manual ASIC layout tool), and commercial tools via industry standard file formats. In addition to the affordability issue, Luna allows a full-circle chain-of-trust to be established between designer and chip manufacturer because of its fully open-source nature. During its development, Luna will be used to manufacture designs via our industrial partners in order to verify the correctness and usability of the software. The goal is to present a minimal viable product consisting of a GUI, working place & route and timing verification. >> Read more about Luna PnR MNT Reform — A trustworthy open hardware laptop MNT Reform is a modular open hardware laptop, the first of its kind - designed and built in Europe. The project has high ambitions in terms of usability and user experience. A mechanical keyboard and an elaborate industrial design provide for professional ergonomics. MNT Reform uses RISC processors like ARM and has no built-in recording technology. It runs a free and open source software stack from the ground up. Third parties can easily contribute to the development of new modules. The modular approach does not only make the laptop more extensible but also improves sustainability, and supports the right to repair. During the project, the team will develop two open hardware System-on-Modules. The first module is based on NXP LS1028A, and will increase RAM capacity to up to 16GB and make external GPUs usable. 
The second open hardware SoM uses an FPGA (field programmable gate array) to support the validation of open silicon SoC projects in a real laptop. Modules like this make the development of embedded computers easier for open hardware engineers by pre-solving risky and expensive challenges. Finally, we will develop an optional camera module for MNT Reform as part of the project, which will allow the laptop to be used for remote learning and video conferencing. >> Read more about MNT Reform Maemo Leste — An independent mobile operating system focused on trustworthiness Maemo Leste aims to provide a free and open source Maemo experience on mobile phones and tablets. It is an effort to create a true FOSS mobile operating system for the FOSS community. Maemo Leste is based on GNU/Linux, and specifically - Devuan GNU/Linux. The goal is to provide a secure and modern mobile operating system that consists only of free software, obeys and respects the users' privacy and digital rights. The project also works closely with projects that aim to produce hardware that Maemo Leste and other community mobile operating systems could run on. The operating system itself takes much of its design and core components from the Nokia-developed Maemo Fremantle, while replacing any closed source software with open source software. >> Read more about Maemo Leste Manyverse — An off-line capable privacy-centric social messaging app Manyverse is a social networking mobile app, implemented not as a typical cloud service, but instead on a peer-to-peer network: Secure Scuttlebutt (SSB). The mobile app locally hosts the user's database, allowing them to own their personal data, and also use the app when offline. Data can sync from one mobile device to another, via Bluetooth, Wi-Fi, or Internet. Free and open source software. 
>> Read more about Manyverse MEGA65 Phone — A phone simple enough to understand in full Much of the insecurity and lack of privacy is the simple result of how complex computers, the internet and all of the protocols and technologies that they include have become. It seems that the majority of proposals to fix this situation consist of adding something to this complicated mess. While this has helped to reduce the symptoms of the problem, by adding complexity it has actually made the problem worse. There are simply too many places for insecurities and privacy violating software to hide in modern complex systems. Even the hardware itself is not immune, with problems like SPECTRE, MELTDOWN and vulnerabilities in the management processors of modern computers and phones showing that even the processors we use today carry significant risks due to their complexity. This project takes a contrarian approach of seeing just how simple a system can be made that would still be useful for a core set of functionality. The project takes inspiration from the simple and effective computers of the 1980s: it explores how to retain their simplicity and transparency, and combine them with modern improvements in security and capability. The goal is to allow even a single determined person to completely verify that a device has not been compromised, and that there are no unwanted listening ears when performing privacy sensitive tasks. The project will advance its current proof-of-concept to a functioning hardware and software system that can demonstrate profoundly improved security and privacy, and in a way that allows a determined user to verify that the device is still truly under their exclusive control and serving them alone. >> Read more about MEGA65 Phone MobileAtlas — A distributed open hardware test infrastructure to analyse mobile networks MobileAtlas is an international measurement platform for cellular networks that takes roaming measurements to the next level. 
Although mobile cellular networks have become a major Internet access technology, mobile data traffic is surging, and data roaming has become widely used, well-established measurement platforms (e.g., RIPE Atlas) are not well-suited for measurements in the mobile network ecosystem. This includes measurements of metered connections and consideration of roaming status and zero-rating offers. MobileAtlas implements a promising approach by geographically decoupling SIM card and modem, which boosts the scalability and flexibility of the measurement platform. It offers versatile capabilities and a controlled environment that makes a good foundation for qualitative measurements. We want to establish the framework with at least twenty open hardware probes, and create a platform for shared usage among scientists and Internet activists. >> Read more about MobileAtlas Mobile Test Farm — Test farm setup for aftermarket mobile operating systems This project will deliver a useful contribution to the alternative mobile ecosystem: a physical continuous integration system that allows to connect different phones and which can be used to e.g. run regression tests for different operating systems on these devices to verify if core functionality isn't broken when e.g. a new kernel is added. >> Read more about Mobile Test Farm Mosaic — Trustworthy open hardware design tool for electrical engineers Today, the chip design industry is deeply proprietary with NDAs at every level, which means it is not possible to share design files at all, which in turn stifles innovation and transparency in chip design. In order to create a chip design industry that can be trusted with our digital lives, and is accessible to educational institutions and small business, it is essential to develop powerful open source tools for chip design, which can be used by anyone and allows unhindered collaboration. 
Mosaic is a tool that attacks the first design phase of an analog chip, or analog peripherals for a digital one: design and simulation of the schematic. It will also interact with other phases of the design as needed. Unlike existing open source solutions it will be catered towards chip design, based on modern technologies, and extensive UX design. >> Read more about Mosaic Movim — Add OMEMO encryption to Movim XMPP client Movim is a web platform that delivers social and IM features on top of the mature XMPP standard (aka Jabber). Unlike other chat apps, with XMPP you have a choice of both servers and clients - and the ability to add any features you want, and restrict your trust to those that deserve it. Movim is a user-friendly communication platform aimed at small and medium structures (up to a hundred simultaneous users), and sports a number of unique social features beyond instant messaging. And because it sits on XMPP, Movim users can explore the whole global instant messaging network from a single account. In this project, Movim will add end-to-end encryption to its chat interface, in this case the OMEMO XEP. Since Movim is browser based, the implementation will have to put the encryption layer client-side - or in other words, inside the browser. Because users can connect simultaneously on the same XMPP account using different browsers with Movim, each browser will be seen as a different \"device\". Decrypted messages will be saved in a browser database, using IndexedDB. The web server will just take care of handling public keys to the XMPP network and store the encrypted messages, same as the user's XMPP server does when using archiving methods. The project will deal with both the one-to-one chat implementation and the Multi-User Chat part of Movim. This is part of a concerted effort to create reliable end-to-end encryption for XMPP based real time communications. At present growth of the wider network is hampered by lack of interoperability. 
>> Read more about Movim Nitrokey — Open hardware for encryption and authentication Nitrokey is an open source hardware USB key for data encryption and two-factor authentication with FIDO. While FIDO is supported by web browsers, using Nitrokey as a secure key store for email and (arbitrary) data encryption requires native software. Therefore email encryption in webmail isn’t possible with Nitrokey. At the same time, strong end-to-end encryption in web applications all share the same challenge: to store users' private keys securely and conveniently. Therefore secure end-to-end encryption usually requires native software too (e.g. instant messenger app) or - less secure - store the user keys password-encrypted on servers. Nitrokey aims to solve these issues by developing a way to use Nitrokey with web applications. To avoid the need for a device driver, browser add-on or separate software, this project is going to utilize the FIDO (CTAP) protocol. As a result the solution will work with any modern browser (which all support WebAuthn), on any operating system, even on Android. This will give any web application the option to store private keys on one's own Nitrokey devices. >> Read more about Nitrokey NoScript Contextual Policies & LAN protection — Application Boundaries Enforcer (ABE) for new generation of browsers NoScript is a FOSS browser extension for Firefox, Chromium and its derivatives. It can be used on desktop and mobile browsers, and enhances security by providing control over JavaScript and other active content. It is the first and still most effective XSS filter. NoScript is an integral part of the Tor Browser, as the back-end of its \"Security Level\" settings. ABE-Quantum is the next generation of the Application Boundary Enforcer (ABE), a NoScript module that provided protection against several cross-site and cross-network attacks. 
When Mozilla abandoned the legacy Firefox add-ons platform in 2017, ABE did not survive the painful transition to the new cross-browser (but backward incompatible) WebExtensions API. The ABE-Quantum project aims to bring the main ABE features to WebExtension-capable browsers, and specifically: 1) contextual content blocking policies depending both on the origin and the destination of the request, e.g. \"Block facebook.net scripts everywhere unless the parent site is facebook.com\"; 2) protecting LAN endpoints (i.e. routers or other internal applications) against browser-based attacks from the WAN using the web layer to work-around traditional firewalls. These features will be integrated in NoScript's user interface - rather than leveraging a firewall-inspired policy definition language like in the original ABE - in order to provide a simpler, more accessible and more intuitive user experience. >> Read more about NoScript Contextual Policies & LAN protection Nym Credentials — A decentralised solution for authentication Nym Credentials provides open-source code for privacy-enhanced authentication and authorization in a decentralized environment. Today, when using \"single-sign in\" solutions, users hand over their personal data to third-party identity providers such as Facebook Connect and Sign-In with Google. Nym Credentials tackles this problem by allowing users to securely authenticate and transfer personal data (and proofs of private data) while maintaining privacy without a centralized identity provider. Each credential is cryptographically unlinkable between usages and multiple decentralized identity providers can verify this data. Open-source Nym credential libraries can be easily integrated into existing services, with a focus on federated and decentralized European environments. >> Read more about Nym Credentials Off-the-Record messaging version 4 — Advanced protocol for secure messaging OTRv4 is the newest version of the Off-The-Record messaging protocol. 
It is a protocol where the newest academic research intertwines with real-world implementations. Its aim is to give end-to-end encryption, deniability, authentication, forward secrecy and post-compromise security for any kind of messaging (online or offline). The goal of this new version is to give the most secure privacy and security properties that have a real impact on the world. This new version aims to be available in different desktop clients (that use XMPP or other messaging protocol) and in mobile clients. >> Read more about Off-the-Record messaging version 4 OnBaSca — Tor Bandwidth Scanner The Tor network is comprised of thousands of volunteer-run relays around the world, and millions of people rely on it for privacy and freedom online every day. To monitor the Tor network's performance, detect attacks on it, and better distribute load across the network, we employ what we call Tor bandwidth scanners. The bandwidth scanners are run by the directory authorities, which are special relays that maintain a list of currently-running relays. This project will make a number of improvements to the new bandwidth scanner called sbws, to make it easier for directory authorities to deploy it, for relay operators to better diagnose issues and for end users to benefit from increased quality of experience. >> Read more about OnBaSca Opaque Sphinx — Secure password-based authentication with Opaque/Sphinx Opaque Sphinx is a project that aims to secure password-based authentication by deploying the state-of-the-art SPHINX and OPAQUE cryptographic protocols to eliminate almost all common attack vectors - such as weak guessable passwords, password reuse, phishing, password databases, offline dictionary attacks, database leaks - plaguing current solutions. These protocols provide the strongest available cryptographic properties with cryptographic proofs. 
The project intends to port its already existing free software SPHINX implementation - besides already existing support for Linux and Windows - to Android so it can also be used on smartphones. >> Read more about Opaque Sphinx Opaque Sphinx Server and Clients — Server and tools for modern authentication Passwords are probably the most common way to remotely use private services, which makes them a major liability - humans on average find it very hard to memorize strong passwords. Luckily, passwords - or more particularly tools to work with passwords more safely - are evolving as well. SPHINX is a novel approach to password storage that is information theoretically secure. And unlike most online password managers, the user does not even have to trust the server. OPAQUE is a novel protocol that can be used to eliminate phishing as an attack vector when authenticating to servers. The combination of SPHINX and OPAQUE provides some very strong guarantees while still allowing users to only need to remember one or just a few passwords. This project will develop a SPHINX server in a safe, compiled language, with ample tests. It will also further develop and refine a protocol above SPHINX, handling creation, deletion, backup and changing of data. In addition it will add the OPAQUE protocol to various free software ecosystems such as PHP, java, nodejs, ruby, golang, erlang and rust, as well as to the two most used webservers: nginx and apache2. >> Read more about Opaque Sphinx Server and Clients DRTM implementation for AMD processors — Unified framework for dynamic RTM The Trenchboot project aims to create a unified framework for dynamic RTM (DRTM) implementation for all platforms. (D)RTM is used to verify if bugs or vulnerabilities have compromised a system, and as such is an important component to get to advanced stages of trustworthiness for our hardware. 
>> Read more about DRTM implementation for AMD processors OpenPGP Certificate Authority — Managing OpenPGP keys for communities and organisation OpenPGP CA is a tool for managing OpenPGP keys within an organization. Its primary goal is to make it trivial for end users to authenticate the OpenPGP keys of users in their organization, and in adjacent organizations. In an OpenPGP CA-using organization, users delegate authentication to an in-house CA. This allows users to securely and seamlessly communicate via PGP-encrypted email without having to manually compare fingerprints, without having to understand OpenPGP keys or signatures, and without having to trust a third-party with potentially conflicting interests. This goal is achieved by shifting the authentication burden from individual users to an organization's administrator, and providing a tool that largely automates key creation, and signing as well as key dissemination. Importantly, because OpenPGP CA works within the existing OpenPGP framework, users do not need any new software to take advantage of OpenPGP CA's benefits; they can continue to use existing email clients and encryption plugins. Further, OpenPGP CA can co-exist with other authentication approaches, like traditional key signing workflows. >> Read more about OpenPGP Certificate Authority 802.11n feature of openwifi — Open Hardware implementation of wifi The Openwifi project aims to offer an open source Wi-Fi chip design that could act as a missing piece of the open source software/hardware puzzle. In the past decades, open source software has played a key role towards the open and trusted internet. In recent years, the open source processor project, like openRISC and RISC-V, pushes forward to construct open source devices/computers. However, the radio connectivity of the device still relies on the black-box radio chips (Wi-Fi, BLE, cellular). 
As the initial step of the open source Wi-Fi chip, the openwifi project has implemented the 802.11a/g full-stack on the FPGA based Software Defined Radio (SDR) platform. The FPGA (Xilinx Zynq SoC) also includes a multi-core ARM processor, so that we can have Linux (TCP/IP, mac80211 and driver) and Wi-Fi (Low MAC and PHY) in the same chip. This NGI funding opportunity will support the openwifi project's development of the 802.11n feature, which moves the project closer to state-of-the-art Wi-Fi technology. The development mainly includes 3 tasks: Adding the 802.11n mode to the original 802.11a/g PHY (Physical layer) transceiver; Extending the low MAC (Media Access Control) and processor interface to support the additional 802.11n elements, such as the SIGNAL field and bigger payload size; Improving the openwifi driver to handle the 802.11n elements and expose the 802.11n capabilities to Linux mac80211 framework. The Openwifi project currently focuses on the Wi-Fi functionality, integrity and stability. In the future, the platform independent methodology will be considered: Integrating the openwifi IP with open source on-chip bus (such as wishbone) and RISC-V processor by open source EDA tools. >> Read more about 802.11n feature of openwifi PGP4civiCRM — Add email encryption to CRM E-mail security and privacy is not just relevant inside organisations or between individuals. A lot of email traffic comes from the institutions we all have to deal with, including some of the most confidential emails we get. And yet there is no way for users to protect their privacy and confidentiality when sending and receiving messages from organisations using such systems. PGP4civiCRM enables automatic PGP encryption/decryption of e-mails on the server side. While the project will provide special integration for the Constituent Relation Management System CiviCRM, the basic functionality can be used also with regular mailservers like postfix. 
The PGP4civiCRM core will basically be a milter, that listens for input messages, then looks up PGP keys from configurable sources (local key rings, LDAP) and then, based on a local, configurable, policy, encrypts/decrypts messages (or leaves them untouched) before passing them on. This way system administrators can with tiny effort provide transparent encryption support for all their mail users. Especially for CiviCRM the project will create an extension that allows easy web-based configuration of the relevant pieces and displaying of encrypted, received e-mails using OpenPGP.js. >> Read more about PGP4civiCRM Securing PLCs via embedded protocol adapters — Open hardware protocol adapters for industrial automation Industrial Programmable Logic Controllers have been controlling the heart of any production machinery since the mid-70s. However, these devices have never been built for use in completely unprotected environments such as the Internet. Currently most PLCs out in the wild have absolutely no means to protect them from malicious manipulation (most don't even have an effective password protection). Unfortunately \"Industry 4.0\" is all about connecting these devices to the Cloud and hereby attaching them to potentially insecure networks. In the \"Securing PLCs via embedded Open-Source protocol adapters\" initiative we are planning on porting the Apache PLC4X drivers to languages that can also be used in embedded hardware. Additionally we also want to create secure protocol-adapters using these new drivers together with Apache MyNewt, to create protocol-adapters that could eventually even be located inside the network connectors which are plugged into the PLC in an attempt to reduce the length of the unsecured network to an absolute minimum without actually modifying the PLC itself. 
>> Read more about Securing PLCs via embedded protocol adapters Privacy Enhancements for PowerDNS and DNSdist — Make it easier to deploy private DoT/DoH resolvers DNS over TLS (DoT) and DNS over HTTPS (DoH) are two recent developments in the DNS field, and currently these are dominated by US based providers. The project will enhance the availability of open, trustworthy, privacy respecting DNS Resolvers in such a way that it allows any DNS provider, operator, or user to provide encrypted DNS service. This project aims to speed up implementation, improvement and standardisation of the most important Privacy enhancing features of DNSdist and PowerDNS resolvers to allow for the entire DNS-chain (from client, to caching-resolver, to authoritative nameserver) to be encrypted. The project will add support to the (open source) PowerDNS components (dnsdist, recursor and Authoritative server) for the privacy features necessary. >> Read more about Privacy Enhancements for PowerDNS and DNSdist Qubes OS — Bring the security of Qubes OS to people with disabilities Qubes OS is a free and open source operating system uniquely designed to protect the security and privacy of the user. Its architecture is built to enable the user to define different security environments (\"qubes\") on their computer and visually manage their interaction with each other and the world. This project will improve the usability of Qubes OS by: (1) reviewing and integrating already existing community-created usability improvements, (2) implementing a localization strategy for the OS and its documentation, and (3) creating a holistic approach for improved accessibility. >> Read more about Qubes OS RISC-V Phone — Open hardware RISC-V Phone The goal of the \"RISC-V Phone\" project is to develop a simple, fully featured and privacy enhanced mobile phone. It is built using off-the-shelf inexpensive components which are easy to assemble even in a home lab. 
The software for it is small, simple and easy to audit. Basic phone functionality is running on a secure RISC-V microcontroller (FE310 from SiFive) which controls all peripherals: microphone, speaker, display/touch controller, camera. The phone will be using esp32 for WiFi and Bluetooth, along with industry standard mPCIe modem for cellular communication. Graphics/touch panel controller FT813 enables advanced user experience. The phone will provide VOIP/messaging application using packet data protocol similar to CurveCP which features end-to-end encryption and onion routing. There is also a socket for optional ARM SoM which shares display/touch panel with the main board. >> Read more about RISC-V Phone RNP Confium — Distributed trust store enabling threshold encryption Confium is an open-source distributed trust store framework that enables usage of the new paradigm of threshold encryption, powering new modes such as cryptographic secure multi-factor authentication. It aims to provide a generalized API and an extensible architecture for the usage of trust stores and future cryptographic families, to support standardization efforts of threshold cryptography, and to bridge cryptographers with the practical usage of cryptography. The current project enables implementation of the Confium framework with a 2-out-of-3 threshold RSA signature scheme. >> Read more about RNP Confium Redwax — Standardisation of client side PKI interfaces The internet was not designed as a public infrastructure and most of the engineering trade-offs of the lower-layer technologies have generally erred on the side of accommodating fast growth and ease rather than values such as security, confidentiality and privacy. Yet today the internet is everywhere from providing a place for democratic discourse to healthcare to finance and personal communication. 
Redwax aims to decentralise trust management so that the values security, confidentiality and privacy can be upheld in public infrastructure and private interactions. The overarching goal of Redwax is to strengthen the existing technologies and infrastructure by providing a modular and practical set of tools to manage public key based trust infrastructures as currently used. These tools capture and hard code a lot of industry best practice and specialist PKI knowledge so that they can be put into the hands of a much wider community than currently served by a few specialist industries. With this project the Redwax team hopes to help re-establish (and/or strengthen) the support for these non-centralized trust management technologies inside web browsers and other relevant applications by working with standards organizations and industry coordination groups, and to create the initial reference implementations for their standardisation. >> Read more about Redwax Reowolf — Rip and replace for BSD socket insecurity The Reowolf project aims to replace a decades-old application programming interface (BSD-style sockets) for communication on the Internet. In this project, a novel programming interface is implemented at the systems level that is interoperable with existing Internet applications. Currently, to increase quality of service (e.g. intrusion detection, latency and throughput) non-standard techniques are applied. Internet service providers resort to deep packet inspection to guess applications intent, and BSD-style socket programming is error-prone and tweaking is fragile. This project resolves these problems: it provides support to middleware to further improve quality of service without having to give up on privacy, and makes programming of Internet applications easier to do correctly and thus more reliable. 
>> Read more about Reowolf Graphics acceleration on Replicant — Free software graphics drivers for mobile phones The project aims to create a free software graphics stack for Replicant 9 that is compatible with OpenGL ES (GLES) 2.0 and can do software rendering with a decent performance, or GPU rendering if a free software driver is available. Replicant is a fully free software Android distribution that puts emphasis on freedom, privacy and security. It is based on LineageOS and replaces or avoids every proprietary component of the system. Replicant is so far the only distribution for smartphones that is endorsed by the Free Software Foundation as meeting the Free System Distribution Guidelines. Due to its strict commitment to software freedom, Replicant does not use the proprietary GPU drivers that shipped within other Android distributions. The project aims to put together a new graphics stack for the upcoming Replicant 9 that is GLES 2.0 capable. The project will then focus on improving the performance by fine tuning its OpenGL operations and leveraging hardware features. At last, focus will shift to the integration of the Lima driver, a free software driver for ARM Mali-4xx GPUs, which will allow offloading some GLES operations to the GPU. This will greatly increase graphics performance and thus usability. >> Read more about Graphics acceleration on Replicant Finish porting Replicant to newer Android version — Alternative, free software version of Android Replicant is the only fully free operating system for smartphones and tablets. All the other operating systems for smartphones and tablets use nonfree software to make some of the hardware components work (cellular network modem, GPS, graphics, etc). Replicant avoids that, either by writing free software replacement, by tweaking the system not to depend on it, or, as the last resort by not supporting the hardware component that depends on it. 
However, it is based on Android 6, which is not supported anymore, thus it has way too many security issues to fix, so continuing to use this version is not sustainable. This project consists of finishing the port of Replicant to Android 9, which now has standardised an interface for the code that makes the hardware components work. Once done, it will also make the free software replacement automatically work on future Android versions. >> Read more about Finish porting Replicant to newer Android version Ricochet Refresh — Anonymous, meta-data free secure messaging Ricochet Refresh is a metadataless messenger for PCs (Windows, macOS, Unix) that provides anonymity as well as security. By using Tor, it allows people at risk making public interest disclosures to communicate in chat sessions with anonymity to journalists, members of parliament, regulators protecting the environment, financial malfeasance investigators and others who have the power in society to act as corrective mechanisms to serious wrongdoing. This project will update Ricochet, reduce known security risks, and ensure continued compatibility with Tor's onion services protocol. The possibility of anonymous communication is important for everyone, but particularly vital for those who risk reprisal in their workplace or other institutions to be able to speak up. Through anonymity, Ricochet Refresh allows the focus to be on the disclosure, not on the source or whistleblower. Thus, the project provides a tool in support of evidence-based reporting in the public interest by creating a safe on-going channel for the journalist to conduct verification as the story develops. >> Read more about Ricochet Refresh Ripple — Safer and faster incremental software builds As it stands, reproducible builds are not accessible to the average developer. 
Existing projects tackling this problem come with significant caveats: some rebuild packages from scratch, making them practically useless for interactive development, while discouraging users from hacking on the core parts of their system due to cascading rebuilds; others are drastically more efficient, but come with fewer correctness guarantees, and require build scripts to be re-implemented in custom DSLs, making them costly to adopt. This is further exacerbated by frustrating, flaky tooling, and the proliferation of compatibility issues arising from inherent constraints of these solutions. Ripple is a hermetic, incremental, meta build system. It provides stronger purity guarantees and improved efficiency over existing solutions, while being completely ecosystem-agnostic. In effect, Ripple can memoize arbitrary programs. This lets users migrate gradually, opting into ecosystem-specific optimizations and abstractions at their own pace, and opens up a huge number of creative possibilities. Ripple aims to make reproducible builds not only easy, but fun — encouraging mainstream adoption, so we might together put to rest the ghost of bygone builds. >> Read more about Ripple Robotnix — Reproducible Builds of Android with NIX Robotnix enables a user to easily build Android (AOSP) images using the Nix package manager. AOSP projects often contain long and complicated build instructions requiring a variety of tools for fetching source code and executing the build. This applies not only to Android itself, but also to projects which are to be included in the Android build, such as the Linux kernel, Chromium webview, and others. Robotnix orchestrates the diverse build tools across these multiple projects using Nix, inheriting its reliability and reproducibility benefits, and consequently making the build and signing process very simple for an end-user. 
>> Read more about Robotnix Rust Threadpool — Improve privacy of Rust threading library ThreadPool is a free and open-source library that provides a simple and intuitive interface for multi-threaded programming. ThreadPool aims to make parallel programming accessible to the general public. Running tasks in parallel is a vital building block for building efficient solutions on modern hardware. Combined with Rust's type-system this library allows programmers to parallelize their applications without introducing unsafe behaviour while managing the administrative tasks of interacting with the operating system. >> Read more about Rust Threadpool SASL XMSS — Make SASL work with XMSS protocol Simple Authentication and Security Layer (SASL) is an authentication and data security framework. The framework defines a structured interface to which SASL mechanisms must comply. These mechanisms can then be used by application protocols in a uniform manner. XMSS provides cryptographic digital signatures without relying on the conjectured hardness of mathematical problems. Instead, it is proven that it only relies on the properties of cryptographic hash functions. XMSS provides strong security guarantees and is even secure when the collision resistance of the underlying hash function is broken. It is suitable for compact implementations, is relatively simple to implement, and naturally resists side-channel attacks. Unlike most other signature systems, hash-based signatures can so far withstand known attacks using quantum computers. The SASL XMSS project's goal is to implement the XMSS system as a SASL mechanism in one of the publicly available open source SASL libraries. >> Read more about SASL XMSS SASL Works for the InternetWide Architecture — Integrate new authentication mechanisms into SASL The SASL Works allow clients to use authentication mechanisms that meet their requirements, and use them in virtually all protocols, which includes but is not limited to the web. 
Servers on the other hand, can flexibly adapt to clients from any domain, by backporting authentication inquiries to the client's own realm for the desired level of approval. Once configured, this process frees service providers from the need to manage user accounts and secure storage of credentials. Clients finally get a choice to use strong cryptographic authentication mechanisms instead of being forced to use a site programmer's poor approach to security. This in turn is helpful for setting higher levels of security policies in formal bodies such as organisations and governments, while generally simplifying the user interaction. >> Read more about SASL Works for the InternetWide Architecture SpinalHDL, VexRiscv, SaxonSoc — Open Hardware System-on-Chip design framework based on SpinalHDL The goal of SaxonSoc is to design a fully open source SoC, based on RISC-V, capable of running linux and optimized for FPGA to allow its efficient deployment on cheap and already purchasable chips and development boards. This would provide a very accessible platform for individuals and industrials to use directly or to extend with their own specific hardware/software requirements, while providing an answer to hardware trust. Its hardware technology stack is based on 3 projects. SpinalHDL (which provides an advanced hardware description language), VexRiscv (providing the CPU design) and SaxonSoC (providing the facilities to assemble the SoC). In this project, we will extend SpinalHDL, VexRiscv and SaxonSoc with USB, I2S audio, AES and Floating point hardware capabilities to extend the SoC applications to new horizons while keeping the hardware and software stack open. >> Read more about SpinalHDL, VexRiscv, SaxonSoc SeedVault — Private backups of mobile applications SeedVault is an independent open-source data backup and restore application for Android and derived mobile operating systems. 
By storing Android users' data in a place the user chooses, and by using client-side encryption to protect backed-up data, SeedVault offers users maximum data privacy and resilience with minimal hassle. SeedVault uses Android's Storage Access Framework (SAF) to read and write encrypted app data. This allows it to backup and restore application data on a wide range of platforms and even USB flash drives. The first part of this project is to improve the current implementation and optimize it to work with widely used self-hosted storage solutions like Nextcloud. The second part of this project is to allow SeedVault to also back up data beyond the installed apps and their data, including the user's photos, videos and music as well as their call logs and SMS. >> Read more about SeedVault Solid Control — Access Control mechanism for data and services within Solid Solid-Control aims to enhance Tim Berners-Lee's Social Linked Data Project (Solid) with Attribute-Based Access Control. By extending the Linked Data Platform (LDP) with WebID based authentication and Access Control Lists (ACL), Solid has enabled the emergence of new forms of Hyper-Apps. These apps can follow data from server to server, authenticate when needed and write to the user's Personal Online Data storage (Pod), creating a decentralised social web. With relation-based access control (friend of a friend, business network, etc.), Solid can be a full alternative to centralised social networks. We also want to allow authentication based on Verifiable Claims such as age. Solid-Control will work on developing the needed logic, verify protocols, write prototype implementations and contribute to the Solid Auth Community groups, which are developing specs for standardisation. >> Read more about Solid Control Spectrum — A security through compartmentalization based operating system Spectrum is an implementation of a security through compartmentalization based operating system, built on top of the Linux kernel. 
Unlike other such implementations, user data and application state will be managed centrally, while remaining isolated, meaning that the system can be backed up and managed as a whole, rather than mixed up in several dozen virtual machines. The host system and isolated environments will all be managed declaratively and reproducibly using Nix, the purely functional package manager. This will save the user the burden of maintaining many different virtual computers, allowing finer-grained resource access controls and making it possible to verify the software running across all environments. The Linux base, and a variety of isolation technologies from containers to virtual machines, will bring security through compartmentalization to a much wider range of hardware than previous implementations, and therefore make it accessible to many more people. >> Read more about Spectrum Secure User Interfaces (Spritely) — Usability of decentralised social media Spritely is a project to advance the federated social network by adding richer communication and privacy/security features to the network. This particular sub-project aims to demonstrate how user interfaces can and should play an important role in user security. The core elements necessary for secure interaction are shown through a simple chat interface which integrates a contact list as an easy-to-use implementation of a \"petname interface\". Information from this contact list is integrated throughout the implementation in such a way that helps reduce phishing risk, aids discovery of meeting other users, and requires no centralized naming authority. As an additional benefit, this project will demonstrate some of the asynchronous network programming features of the Spritely development stack. >> Read more about Secure User Interfaces (Spritely) Suhosin-NG — Harden PHP 7 and PHP 8 applications The PHP programming language was invented by Danish programmer Rasmus Lerdorf in 1994. 
The language is actively used by millions of websites through popular tools such as WordPress, Owncloud and Wikimedia. Suhosin-NG (next generation) will significantly improve the security of web applications running with PHP 7, and help thwart popular web attack vectors aimed at PHP based websites. Already existing ideas from the Suhosin project for PHP 5 will be gathered in addition to implementing a number of new ideas to improve the overall security stature of PHP 7. This concerns harnessing new features of the language, mitigating security risks in the default configuration and improvements to the runtime behaviour. In practical terms the project will implement these by extending the PHP extension Snuffleupagus, that already provides a good basis for hardening PHP 7. The project's goal is to provide software and documentation for setting up a PHP 7 environment in the most secure way possible. >> Read more about Suhosin-NG Sylk chat — Add instant messaging features to Sylk Internet communications privacy is important to users, and there is a limited set of encrypted multiparty audio and videoconferencing solutions available to consumers and businesses today. The market, predominantly occupied by proprietary services that often require risky plugins, lack introspection and transparency, proved to expose users to significant security and privacy issues. This trend must be counteracted by better open source equivalents. Sylk provides a multi-party video encrypted conferencing solution meant to run on an end user computer or a mobile device. It is based on the WebRTC standard, and has a focus on user privacy and ease of use. This project will add one-to-one and group chat capabilities, allowing users to for example have end-to-end encryption or maintain long term group chats like other messaging apps do. 
>> Read more about Sylk chat Sylk Client — Secure multiparty videoconferencing application Internet communications privacy is important to users, and there is a limited set of encrypted multiparty audio and videoconferencing solutions available to consumers and businesses today. The market, predominantly occupied by proprietary services that often require risky plugins, lack introspection and transparency, proved to expose users to significant security and privacy issues. This trend must be counteracted by better open source equivalents. SylkSuite, composed of SylkServer and SylkClient, is a clean and elegant open source multiparty conferencing solution for both the client and a server written in Python. SylkSuite allows groups of users to communicate privately with rich multimedia, accessed through different protocol stacks. SylkSuite allows bridging SIP clients, XMPP endpoints and WebRTC applications by using Janus backend. The developers have a focus on strong interoperability based on the use of open standards. >> Read more about Sylk Client Sylk Mobile — Secure real-time mobile communications Internet communications privacy is important to users, and there is a limited set of encrypted multiparty audio and videoconferencing solutions available to consumers and businesses today. The market, predominantly occupied by proprietary services that often require risky plugins, lack introspection and transparency, proved to expose users to significant security and privacy issues. This trend must be counteracted by better open source equivalents. Sylk Mobile provides a multi-party video encrypted conferencing solution meant to run on an end user computer or a mobile device. It is based on the WebRTC standard, and has a focus on user privacy and ease of use. 
>> Read more about Sylk Mobile RETETRA — Security Analysis of Proprietary Cryptography in Terrestrial Trunked Radio Terrestrial Trunked Radio (TETRA) is a European standard for trunked radio used globally by government agencies, emergency services and critical infrastructure. Apart from most European police agencies (such as BOSNET in Germany or RAKEL in Sweden), military operators and emergency services, TETRA is also widely used for SCADA telecontrol of oil rigs, pipelines, transportation and electric and water utilities. TETRA authentication and encryption are handled by secret, proprietary cryptographic cipher-suites known as TAA1 and TEA which are only available to select parties under strict NDAs which runs counter to both the spirit of open technologies and Kerckhoffs's principle. The latter's potential consequences are illustrated by the fate of A5/1, A5/2 and their GMR variants in cellular and satellite communications, allowing ciphers that can be broken in practice to fester in public and critical infrastructure for far too long. This project aims to reverse-engineer and subsequently perform cryptanalysis on these cipher-suites and finally formulate a hardening roadmap in order to provide a research-oriented FOSS implementation of the cipher-suites and aid affected parties in moving away from unexamined, proprietary security mechanisms towards open standards. >> Read more about RETETRA TLS-KDH mbed — Implement TLS-KDH into mbed TLS-KDH (http://tls-kdh.arpa2.net/) is a mechanism that adds Kerberos authentication to the Transport Layer Security (TLS) network protocol. TLS-KDH is developed under the flag of ARPA2 (www.arpa2.net) and is formalized in the form of a draft Internet specification. Furthermore, a successful prototype implementation has been built and integrated into GnuTLS. Making this prototype code production ready is well underway and in its final stage. 
In order for TLS-KDH to become an Internet Standard the IETF requires at least two working implementations. To provide the IETF with two TLS-KDH implementations and to address the embedded world with a TLS-KDH capable TLS library we chose MbedTLS as our second library. The TLS-KDH mbed project's goal is to implement the TLS-KDH functionality in the MbedTLS library. But why do we want to implement Kerberos authentication in the first place? Well first of all, the Kerberos protocol is quantum computer proof. That means that we can use this mechanism in the (future) presence of quantum computers. Since TLS is one of the most widely used security protocols on the present Internet having such a mechanism would be a welcome addition. Secondly, Kerberos employs a centralized architecture as opposed to X.509 which is distributed. Adding TLS-KDH gives the user a choice which architecture (and implied pros and cons) to use. For a more extensive overview of advantages of TLS-KDH we refer to the project's homepage (http://tls-kdh.arpa2.net/). >> Read more about TLS-KDH mbed Padding Machines for Tor — Protect metadata in the Tor onion routing network Tor is the world's largest anonymity network with about eight million daily users around the world who use Tor to browse the web anonymously, access onion services, and circumvent censorship. The project Padding Machines for Tor will design and implement padding machines---as part of a new framework in Tor for generating fake padding traffic---to defend against website fingerprinting attacks. A website fingerprinting attack is a type of traffic analysis attack where an attacker attempts to determine websites visited by a target Tor user by analysing encrypted traffic. The results of the project will be both open source and open access, with the goal of contributing to effective and efficient defenses deployed by default in Tor against website fingerprinting attacks. 
>> Read more about Padding Machines for Tor Build Transparency (Trustix) — Towards a decentralized supply chain for software When we install a program, we usually trust downloaded software binaries. But how do we know that we aren't installing something malicious? Typically, we have confidence in those binaries because we get them from a trusted provider. But if the provider itself is compromised, the binaries can be anything. This makes individual providers a single point of failure in a software supply chain. Trustix is a tool that compares build outputs across a group of providers - it decentralizes trust. Multiple providers independently build the software, each in their own isolated environment, and then can vouch for the content of binaries that are the outcome of reproducible builds - while non-reproducible builds can be automatically detected. This is the first step towards an entirely decentralized software supply chain that can securely distribute software without any central corruptible entity. >> Read more about Build Transparency (Trustix) ULX4M — A modular open hardware FPGA platform Embedded systems are everywhere, including in trusted environments. But what is really inside them? ULX3M is a modular version of the popular open hardware project ULX3S. ULX3M delivers a versatile programmable (FPGA) modular mainboard that can be used with a wide choice of peripherals. The main board is \"vendor neutral\" and can be used with different FPGA vendors' daughter boards. As the community continues to grow, lots of FPGA modules are written, and one goal of our boards would be that we can easily switch and check other vendor chips, and work more on vendor neutral code where possible. The project also improves SERDES availability. Some cheaper FPGA chips do not have lots of SERDES lines and when someone makes a board it needs to choose what peripheral will be using those SERDES lines. A daughter board that can be rotated in any position will allow more flexible usage. 
In that way, a cheaper FPGA could be used to write all the code. With an open source design, users are not dependent on anyone to make boards and can run independent production. >> Read more about ULX4M Universal DID Resolver and Registrar — Tooling for decentralized identifiers The Universal DID Resolver and Registrar are open-source software components that implement Decentralized Identifiers (DIDs). DIDs lie at the heart of an emerging technical and social paradigm known as \"self-sovereign identity\" (SSI), which allows individuals, organizations, and things to create and manage their digital identities without dependence on any central authority or intermediary. This technology is highly aligned with Next Generation Internet values such as human-centricity, openness, trust, and reliability. DIDs as a building block for protocols are of similar importance to Internet infrastructure as other identifiers such as domain names or e-mail addresses. The Universal DID Resolver and Registrar are aligned with corresponding W3C community group specification efforts. Development and maintenance of the code takes place in close collaboration with relevant community and industry stakeholders such as the Decentralized Identity Foundation, uPort, Jolocom, Sovrin, Civic, Veres One, Blockstack, ERC725 Alliance, etc. >> Read more about Universal DID Resolver and Registrar ValOS Cryptographic Content Security project — Cryptographic Content Security for ValOS ValOS (Valaa Open System) is a project pushing programming to become a civic skill. It’s a decentralized software development architecture that empowers beginners with little training or prior experience to create practical web applications. ValOS applications and data are created, stored and distributed as event streams. ValOS Gateway is a JavaScript library that acts like a browser: it connects to event streams, reduces them into applications and provides means to induce new events. 
ValOS Cryptographic Content Security project focuses on enhancing the infrastructure level security of ValOS through event log hash chaining, end-to-end encryption and other features. >> Read more about ValOS Cryptographic Content Security project Noise Explorer-VerifPal — Automated proofs and code generation for secure protocols Noise Explorer is an online engine for reasoning about Noise Protocol Framework (revision 34) Handshake Patterns. Noise Explorer allows you to design Noise Handshake Patterns, and immediately obtain validity checks that verify if your design conforms to the specification. For visually oriented people, it provides a convenient visualisation in your browser. Noise Explorer can also generate Formal Verification Models and Software Implementations. This allows you to instantly generate full symbolic models in the applied pi calculus for any Noise Handshake Pattern that you enter. Using ProVerif, these models can be analyzed against passive and active attackers with malicious principals. The model's top-level process and sophisticated queries are specifically generated to be relevant to your Noise Handshake Pattern, including tests for strong vs. weak forward secrecy and resistance to key compromise impersonation. Noise Explorer also automatically generates a secure implementation of your chosen Noise Handshake Pattern design, written in Go. In addition, users can explore a Compendium of Formal Verification Results. Since formal verification for complex Noise Handshake Patterns can take time and require fast CPU hardware, Noise Explorer comes with a compendium detailing the full results of all Noise Handshake Patterns described in the original specification. These results are presented with a security model that is even more comprehensive than the original specification, since it includes the participation of a malicious principal. 
>> Read more about Noise Explorer-VerifPal Verifpal — Prove soundness of verification in Verifpal Verifpal is new software for verifying the security of cryptographic protocols. Building upon contemporary research in symbolic formal verification, Verifpal’s main aim is to appeal more to real-world practitioners, students and engineers without sacrificing comprehensive formal verification features. In order to achieve this, Verifpal introduces a new, intuitive language for modeling protocols that is much easier to write and understand than the languages employed by existing tools. At the same time, Verifpal is able to model protocols under an active attacker with unbounded sessions and fresh values, and supports queries for advanced security properties such as forward secrecy or key compromise impersonation. Verifpal has already been used to verify security properties for Signal, Scuttlebutt, TLS 1.3, Telegram and other protocols. It is a community-focused project, and available under a GPLv3 license. >> Read more about Verifpal VFRAME: Visual Defense Tools — Use computer-vision to shield privacy in video Visible data shares many of the same risks as wireless data yet visual privacy is often overlooked in the field of information security studies as separate and less relevant. As computer vision becomes increasingly adept at understanding the visual domain, differences between existing protocols for processing wireless data and emerging protocols for processing visible data (computer vision) become less apparent. Ultimately, images and video are wireless data too, and they are exposed to an increasing number of attacks on visual information privacy with fewer technologies for protection. Visual Defense Tools will explore and prototype computer vision methods for visual privacy through visual obfuscation and minimization techniques, mostly related to biometrics. 
The goal will be to build a conceptual road map and functional open-source prototypes to stimulate future development of more accessible visual privacy technologies. >> Read more about VFRAME: Visual Defense Tools video box — Affordable open hardware video-to-network The goal of the FOSDEM video box project is to develop a cheap, compact, open hardware & free software video-to-network solution. Initial motivation came from scratching our own itch: replacing 60 bulky, costly, not entirely free boxes currently used at the https://fosdem.org conference. Several other conferences have already used the current setup successfully. We expect this number to grow in the future. The solution being free software and open hardware should make it flexible to adapt to different environments, like education. Being cheap and compact encourages experimental use in areas difficult to foresee. On the hardware side, we use the open hardware Olimex Lime2 board (EU built!) as a base. We plan an open hardware hdmi input daughterboard, iterating on a simplified prototype that helped us verify feasibility. On the software side, the core Allwinner A20 chip has attracted a lot of free and open source development already. That enables us to focus our efforts on optimising video encoding on this platform from a hdmi signal to a compact network stream. >> Read more about video box Video chat privacy — Add privacy features to video chats Making video calls can be very invasive to privacy: the camera does not only capture the face and posture of the person talking, but will in fact capture the entire environment in glorious high definition - from the books in your bookshelf to family members or laundry rack behind you. This information is of no interest to the other end, but with a camera you have little choice: once you slide open the camera cover, it takes everything within the field of view and broadcasts it to the other side. 
This project aims to use advanced AI technology to edit the video feed in real-time, and apply various privacy enhancements such as removal of backgrounds. >> Read more about Video chat privacy Free Software Vulnerability Database — A resource to aggregate software updates \"Using Components with Known Vulnerabilities\" is one of the OWASP Top 10 Most Critical Web Application Security Risks. Identifying such vulnerable components is currently hindered by data structure and tools that are (1) designed primarily for commercial/proprietary software components and (2) too dependent on the National Vulnerability Database (from US Dept. of Commerce). With the explosion of Free and Open Source Software (FOSS) usage over the last decade we need a new approach in order to efficiently identify security vulnerabilities in FOSS components that are the basis of every modern software system and applications. And that approach should be based on open data and FOSS tools. The goal of this project is to create new FOSS tools to aggregate software component vulnerability data from multiple sources, organize that data with a new standard package identifier (Package URL or PURL) and automate the search for FOSS component security vulnerabilities. The expected benefits are to contribute to the improved security of software applications with open tools and data available freely to everyone and to lessen the dependence on a single foreign governmental data source or a few foreign commercial data providers. >> Read more about Free Software Vulnerability Database Waasabi Framework — P2P Live Streaming for events Waasabi is a highly customizable platform for self-hosted video streaming (live broadcast) events. It is provided as a flexible open source web framework that anyone can host and integrate directly into their existing website. 
By focusing on quick setup, ease of use and customizability Waasabi aims to lower the barrier of entry for hosting custom live streaming events on one's own website, side-stepping the cost, compromises and limitations stemming from using various \"batteries-included\" offerings, but also removing the hassle of having to build everything from scratch. Active research into the creation of a peer-to-peer streaming backend seeks to advance the project's long-term goal of promoting the adoption of owned experiences through the use of decentralized technology. By further cutting down on dependencies, cost and infrastructure complexity this effort aims to enable broadcasts to scale as the audience size grows, which in turn will support Waasabi's continued adoption. >> Read more about Waasabi Framework Web Shell — Desktop and security environment for web apps The WebShell project aims to define and implement a new secure dataflow and the accompanying APIs for allowing users to use their files in Web apps without authorizing the apps to access the user's file storage. At its core, WebShell consists of a container single-page application which can open remote components (primarily apps and file-system adapters) in sandboxed iframes and communicate with them through HTML5 message channels using the defined APIs. WebShell provides for file operations and the required UI (file menus, toolbars, dialogs) to support the familiar file operations (new, open, save, etc.) while apps merely implement serialization and deserialization of an individual file's content, after the user's explicit request. The project will build a fully-featured WebShell Desktop container, as well as a minimal WebShell container for testing and easy deployment of single apps. 
In addition, we will integrate a starter set of editor apps for common file types and a starter set of file system adapters, concentrating primarily on self-hosting and non-commercial web storage solutions like remotestorage.io and Solid storage. >> Read more about Web Shell WireGuard — Scale up WireGuard WireGuard is a next generation VPN protocol that uses state of the art cryptography. This project aims to deliver various tasks: put WireGuard into the OpenBSD kernel and userspace tooling (tcpdump, ifconfig, wg, etc), rewrite Android client UI in Kotlin and make use of Kotlin coroutines, make the Android code into a library consumable by third-party apps, support more complex DNS and networking management in Windows client, improve performance and stability of cross-platform userspace implementation library, integrate more closely with various Linux netdev semantics and backport to Linux 5.4 and 4.19. >> Read more about WireGuard Wireguard Windows client — Native Wireguard protocol client for Windows WireGuard is a next generation VPN protocol that uses state of the art cryptography. WireGuard allows traffic to be tunnelled safely across the internet. WireGuard presents a new abuse-resistant and high-performance alternative based on modern cryptography, with a focus on implementation and usability simplicity. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. While still under heavy development, it is regarded by many as the most secure, easiest to use, and simplest VPN solution in the industry. Initially released for the Linux kernel, it is now cross-platform and the open source technology is ready for wide deployment. Unfortunately, WireGuard support on the widely used Microsoft Windows operating system is still immature and experimental. This makes the technology unavailable to many desktop and notebook users. 
This project will deliver the first stable Windows version. >> Read more about Wireguard Windows client Wireguard Rust Implementation — Implementation of WireGuard in a type safe language WireGuard is an emerging open VPN protocol. WireGuard stands out from similar solutions, notably OpenVPN and IPSec, by being significantly simpler and hence easier to analyze and implement. WireGuard is currently available on Linux, Windows, MacOS, iOS, Android and BSD variants. WireGuard-rs will be an implementation of WireGuard in the Rust systems programming language. The WireGuard project's desire for a Rust userspace implementation stems from the improved speed, memory consumption and safety guarantees offered by the Rust language, all of which are essential to the nature of the WireGuard project: a high performance, high security VPN. This implementation will be targeting userspace for Linux, Windows, MacOS and BSD variants. >> Read more about Wireguard Rust Implementation Wishbone Streaming — Add Streaming capabilities to Wishbone On System-on-Chips (SoC) the commercial grade bus infrastructure is covered by patents and at best available \"royalty-free\" (but with no ability to change). A serious alternative with significant adoption is the Wishbone SoC Bus, which is an Open Standard but does not yet have a \"streaming\" capability. That capability is needed for high-throughput data paths and interfaces. This project will provide an enhancement to the current Wishbone SoC Bus specification, provide Reference Implementations and Bus Function Models (BFM) to easily allow unit tests for all Wishbone BFM users. For demonstration purposes the project will implement an example peripheral to prove the overall concept. >> Read more about Wishbone Streaming ZSipOs — Open hardware for telephony encryption ZSIPOs is a fully open source based encryption solution for internet telephony. It takes the shape of a little dedicated gadget you connect with a desktop phone. 
At its core the device does not have a normal chip capable of running regular software (including malware) but a so-called FPGA (Field Programmable Gate Array). This means the device cannot be remotely updated (secure by design): the functionality is locked down into the chip, and the system is technically incapable of executing anything else. This means no risk of remote takeover by an attacker like with a normal computer or mobile phone connected to a network like the internet. The whole system is open hardware, and the full design is available for introspection. Normal users and security specialists get transparent access to the whole system and can easily check what functionality is realized by the FPGA. This means anyone can verify the absence of both backdoors and bugs. ZSIPOs is designed to be fully compatible with the standard internet telephony system (SIP) which is the one used with traditional telephony numbers. The handling is done in principle by a regular internet phone (Dial, Confirm once – done). The cryptographic system is based on the standard RFC 6189 - ZRTP (with “Z” like Phil Zimmermann, the father of PGP), meaning it can also be used when using internet telephony on a laptop or mobile phone - of course without the additional guarantee of hardware isolation. There is no need to trust in an external service provider to establish the absolute privacy of speech communication. The exchange and verification of a secure key between the parties ensures end-to-end encryption, meaning that no third party can listen in on the call. To that extent the device has a display to exchange security codes. The same approach can also be used for secure VPN Bridgeheads, secure storage devices and secure IoT applications and platforms. The ZSipOS approach is an appropriate answer to today's security risks: it is completely decentralized, and has no dependency on central instances. It has a fully transparent design from encryption hardware to software. 
And it is easy to use with hundreds of millions of existing phones. >> Read more about ZSipOs ARPA2 resource ACL and HTTP SASL modules for NGINX — Extend consistent access control to NGINX webserver In most of our daily interactions with a remote server we depend on the application running on the server to properly authenticate the user within the browser session, and to manage who can do what. However, if we want to enforce stronger guarantees with regards to restricted resources and tasks, our options are much more limited. This project from the ARPA2 community wants to move the state of the art in access control forward by combining the extensible SASL standard with a well-defined generic ACL mechanism that also allows for pseudonymity. The project will produce a self-contained library and two modules for a popular web server (NGINX) that use the new library. With the NGINX HTTP SASL module a user-agent can authenticate to the web server using any SASL mechanism the server supports. With the NGINX ARPA2 ACL module the web server can determine whether an authenticated user has authorization for the request that he/she sent. I.e. a user makes the request: \"DELETE /messages/10\" and the server can then decide based on the authenticated user, the action and resource whether this is allowed or not. >> Read more about ARPA2 resource ACL and HTTP SASL modules for NGINX betrusted — A protected hardware device for your private matters. Betrusted aims to be a secure communications device that is suitable for everyday use by non-technical users of diverse backgrounds. We believe users shouldn’t have to be experts in supply chain or cryptography to gain access to our ultimate goal: privacy and security one can count on. Today’s “private key only” secure enclave chips are vulnerable to I/O manipulation. This means there is no essential correlation between what a user is told, and what is actually going on. 
Betrusted will build a full technology stack, including silicon, device, OS, and UX that is open for inspection and verification. Betrusted is a simple, secure, and strong device that aims to advance Internet freedom. >> Read more about betrusted Bitmask — User-friendly and secure VPN configuration Bitmask is a Desktop and Android client designed to achieve a zero-configuration end-user experience for setting up a VPN that connects to a given set of providers - those that follow the LEAP platform specification. To do so, clients rely on providers exposing configuration files on well-known URLs, according to their particular setup regarding the available VPN gateways and transports. This project aims at adding low-end routers as a new extra platform that users can choose when installing BitmaskVPN. Running VPN software in a commonly available router, with hardware-based user interfaces, will greatly extend the target audience for Bitmask. To achieve this goal, a port of the BitmaskVPN client will be done in nim, a statically typed language that generates small native and dependency-free executables, allowing the setup of the VPN with the switch of a hardware button. Finally, the resulting port will be packaged for OpenWRT, and build scripts will be made available for providers to offer to their users a ready-to-use flashing image for a selection of routers. >> Read more about Bitmask Katzenpost — Observation resistant secure messaging layer Secure messaging is among the most fundamental privacy challenges of today. While there are meanwhile several widely used offerings that can encrypt instant messages you send to others, there are very few reliable options that are able to keep others from finding out who you were communicating with - and when. The most popular end-to-end messaging applications do not adequately protect the identities of who-is-talking-to-who from the infrastructure operators. 
Katzenpost aims to offer a traffic analysis resistant messaging layer that allows all the participants in the network to have significantly more privacy than other mechanisms. It offers a decentralized mixnet architecture that works similarly to onion routing, where message routing information is encrypted, and differs in that each message is a fixed size, has random forwarding delays, and is accompanied by cover traffic messages to frustrate passive traffic analysis. The project aims to be a building block for others to build applications on, lowering the threshold for existing applications to benefit from increased privacy and confidentiality. >> Read more about Katzenpost DNSSEC Key Signing Suite — A best practice for DNSSEC Key Signing DNSSEC provides trust in the DNS by guaranteeing the authenticity and integrity of DNS responses. As DNS is of fundamental importance to most Internet communication, this is a vital function that needs safeguarding. Beyond providing trust in the DNS, DNSSEC is a key enabler for other technologies that improve the security, privacy and trust of Internet users. In the DNSSEC Key Signing Suite project we build a set of tools, scripts and guidelines (a playbook) to facilitate simple key signing with a standardised ceremony that has automated checks and audits where possible. The impact of this will be twofold. First, it leads to reliable, predictable and verifiable key ceremonies, which improves the trust in DNSSEC. Second, it will significantly ease the burden of operation, bringing the use of a validated and trustworthy signing procedure within reach for many more DNSSEC operators than today (e.g. smaller or less profitable top-level domain operators). >> Read more about DNSSEC Key Signing Suite libspng — A fast and safe implementation of Portable Network Graphics libspng is a platform-independent C library for handling IETF's Portable Network Graphics (PNG) images. 
The goal of this project is to provide a robust and fast library with an easy to use API. It is designed to be a modern alternative to the reference implementation, written from scratch using secure coding standards. It comes with an extensive test suite and is fuzz tested; it is also the fastest decoder overall. The NGI Zero grant will be used to develop complete PNG write support, architecture-specific performance optimizations, including improvements to testing, decoding and documentation. >> Read more about libspng mobile-nixos — NixOS for mobile phones and tablets The mobile-nixos project seeks to provide a coherent tool to produce configured boot images of NixOS GNU/Linux on existing mobile devices (cellphones, tablets). The goal is to provide a completely integrated mobile operating system, allowing full use of the hardware's capabilities, while empowering the user to exercise their four software freedoms to use, study, share and improve the software. >> Read more about mobile-nixos node-Tor — Implementation of Tor protocols for inside webpages Node-Tor is an open source project and the only existing implementation of the Tor protocol in Javascript. That gives it the unique property to not just run on a server or desktop, but also inside a regular web browser itself as a standalone secure webapp. It must not be mistaken for just a re-implementation of Tor network nodes: the goal is much wider, because it allows any project related to privacy/security enhancement to implement the Tor protocol in their nodes and/or inside a web page. The browser client acts as a standalone node itself communicating via web interfaces such as Websockets with servers or through WebRTC with other browsers. 
The use of Javascript makes it possible to very significantly reduce the code and libraries (prone to security breaches), simplifying the integration for developers (like removing the need to maintain installation packages since standard web interfaces can be used), simplifying the use for users. This offers a lot of potential for increasing security and privacy for everybody, since the technology can be accessed from any place and any device that has a browser or can run Javascript, including mobile devices. >> Read more about node-Tor offen — Ethical site analytics, controlled by the user Transparently handling data in the open creates mutual trust: Offen is a web analytics software that gives users insights into the data they are generating by giving them access to the same suite of analytics tools site operators themselves are using. Usage metrics come with explanations about their meaning, relevance, usage and possible privacy implications, and also details which kind of data is not being collected. Offen treats both users and operators as parties of equal importance. Users can expect full transparency and are encouraged to make autonomous and informed decisions regarding the use of their data, and operators are being enabled to collect needed usage statistics while fully respecting their users' privacy and data. No user data is being collected until the user has explicitly opted-in. All data can be deleted either selectively or in its entirety by the users. >> Read more about offen pcb-rnd — Modular printed circuit board editor Pcb-rnd is a modular printed circuit board editor that is designed with the UNIX mindset. It has a convenient GUI for editing the graphical data of the board but it also has a handy command line interface. Both the GUI and the CLI aspects are scriptable (in more than 10 scripting languages) and pcb-rnd can also process boards as a headless converter tool. 
It has support for various proprietary schematics/netlist and board formats which makes it also a good choice for converting free hardware designs coming in proprietary formats to free file formats. Among the upcoming challenges are a full rewrite of the Design Rule Checker, more file format support and making the menu system even more dynamic to match the modular nature of pcb-rnd better. >> Read more about pcb-rnd postmarketOS — An independent mobile operating system postmarketOS is a mobile phone operating system for phones (and other mobile devices), based on Alpine Linux. Just like desktop Linux distributions, we have a package manager and a carefully crafted repository of trustworthy and privacy focused free software that will actually serve the users and not exploit them for their data. By sharing as much code as possible between various phone models, postmarketOS scales well and it becomes feasible to maintain devices even after OEMs have abandoned them. >> Read more about postmarketOS x86-64 VM Monitor for seL4 verified microkernel — Very restricted virtualized environment for higher security The security of any software system depends on its underlying Operating System (OS). However, even OSes such as Qubes, which are \"reasonably secure\" depend on large trusted computing bases (e.g. hypervisors) with hundreds of thousands of lines of code. For example, the Qubes' Xen Security Advisory Tracker reports that 53/283 (18%) of Xen vulnerabilities over the last eight years affected Qubes. As a step towards facilitating the implementation of more secure, Qubes-like systems, we propose to retarget it to the seL4 microkernel. seL4 is an open-source, formally-verified microkernel that has matured and been maintained for over a decade. seL4's small size (10,000 Lines of Code) and formal verification make it an appealing Xen replacement for Qubes, however, its virtualization support is currently limited. 
As a first step to enabling Qubes on seL4 we will implement a hardened, open-source, x86 64-bit Virtual Machine Monitor (VMM) for the seL4 microkernel capable of hosting the core Qubes OS virtual machines. >> Read more about x86-64 VM Monitor for seL4 verified microkernel Vita — A high performance IPSEC implementation When the IP protocol was designed, its original authors did not add adequate security features. In 1994 the first official RFC concerning an end-to-end encrypted variant of IP called IPSEC was published after a number of years of standardisation work in the IETF. Almost a quarter of a century later, there is still a very limited set of implementations of the protocol. IPSEC is perceived by many as hard to deploy, which creates a chicken and egg situation in driving adoption. Vita is a fresh new implementation of IPSEC based on Snabb Switch, a high performance open source packet networking toolkit. The goal of Vita is to make it very easy to use IPSec on commodity hardware, and to produce a fast and compliant clean room implementation. Vita previously received funding from the Internet Hardening Fund. This project will move the deployability of Vita forward, and among others will produce a number of drivers for interfacing with e.g. high speed interfaces such as the Linux kernel. Its limited size and use of an existing packet networking toolkit means it can be easily audited. >> Read more about Vita Wireguard — Take modern network tunnels to the next level WireGuard is a next generation VPN protocol that uses state of the art cryptography. One of the most exciting recent crypto-networking developments, WireGuard aims to drastically simplify secure tunneling. The current state of VPN protocols is not pretty, with popular options, such as IPsec and OpenVPN, being overwhelmingly complex, with large attack surfaces, using mostly cryptographic designs from the 90s. 
WireGuard presents a new abuse-resistant and high-performance alternative based on modern cryptography, with a focus on implementation and usability simplicity. It uses a 1-RTT handshake, based on NoiseIK, to provide perfect forward secrecy, identity hiding, and resistance to key-compromise impersonation attacks, among other important security properties, as well as high performance transport using ChaCha20Poly1305. A novel IP-binding cookie MAC mechanism is used to prevent against several forms of common denial-of-service attacks, both against the client and server, improving greatly on those of DTLS and IKEv2. Key distribution is handled out-of-band with extremely short Curve25519 points, which can be passed around in the likes of OpenSSH. Discarding the academic layering perfection of IPsec, WireGuard introduces the idea of a \"cryptokey routing table\", alongside an extremely simple and fully defined timer-state mechanism, to allow for easy and minimal configuration; WireGuard is actually securely deployable in practical settings. In order to rival the performance of IPsec, in addition to cross-platform implementations, WireGuard is implemented inside the Linux kernel, but unlike IPsec, it is implemented in less than 4,000 lines of code, making the implementation manageably auditable. These features converge to create an open source VPN utility that is exceedingly simple, yet thoroughly modern and secure. >> Read more about Wireguard ","title":"NGI Zero PET","url":"https://nlnet.nl/thema/NGIZeroPET.html"},{"description":" NGI Zero Discovery NGI0 Discovery was a grant programme that ran from 2018-2022, funding projects enabling search and discovery as part of the Next Generation Internet initiative of the European Commission. For a more complete description see the home page of the fund: NGI Zero Discovery. This page contains a concise overview of projects funded by NLnet foundation that belong to NGI Zero Discovery (see the thematic index). 
There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. Now, what about NGI Zero Discovery? Well, it is an ambitious grant programme led by NLnet as part of the Next Generation Internet initiative, which focuses on search, discovery and discoverability. You could see these as the trinity of relevant search: in order to be able to search you first need to discover as many relevant items as possible within the desired domain, meaning that everything needs to be discoverable (i.e. it needs to be made available and be accessible, but also the right structure and metadata need to be in place for everything to be properly indexed and categorised). In practical terms you traverse these three the reverse way: everything that is discoverable through a set of mechanisms can be discovered, allowing users to search within the bucket of discovered things to hopefully find whatever they need. The projects within this fund so far are quite diverse: some focus on discoverability standards like ActivityPub or RELOAD or specific domains like open hardware or three-dimensional virtual objects, while others focus on ethical search filters, security updates and software vulnerabilities or different aspects and challenges of building search services like crawling, multimodal search, address search across different languages, and linked data - and many more... Check them out and use them in whatever way you need - everything is free and open source so you can study, use, modify and share them with anyone you want. While NGI Zero Discovery is no longer accepting new proposals, if you have an important idea that deserves to be funded - why not look at our other funds. We are always looking for great ideas! Interested in applying for a grant yourself? Check our active theme funds, such as NGI Zero Commons Fund, NGI Fediversity or NGI TALER. 
Applications to this particular fund are currently closed and no new projects are accepted for now. Donate to help us fund more projects like these. OCCRP Aleph disambiguation — OCCRP Aleph: disambiguating different people and companies Aleph is an investigative data platform that searches and cross-references global databases with leaks and public sources to find evidence of corruption and trace criminal connections. The project will improve the way that Aleph connects data across different data sources and how it ranks recommendations and searches for reporters. Our goal is to establish a feedback loop where users train a machine learning system that will predict if results showing a person or company refer to the same person or company. If successful this means journalists can conduct more efficient research and investigations, finding key information more quickly and wasting less time trawling through irrelevant documents and datasets. >> Read more about OCCRP Aleph disambiguation AREXERA Crawler — C++ based web crawler The AREXERA web crawler dates back to the early 2000s when AREXERA GmbH (former TECOMAC GmbH) wrote it as part of a toolset to run public search engines like Seekport in Germany and some other European countries. The AREXERA crawler is written in C++ and was designed from the ground up for speed. The crawler supports the common features, like TLS support, robots.txt, politeness rules and WARC file output. The tool was in full production use until the company went out of business, and subsequently development stopped for a while. Recently the code resurfaced, and AREXERA was reborn as a free and open source project. Recent first tests still showed promising performance compared to other widely used crawlers. 
The aim of the project is to bring the crawler up to date with modern requirements and clean up the code, so it can be properly benchmarked with a representative workload - after all, high crawling speed means faster throughput and a lower power consumption per fetched web page. >> Read more about AREXERA Crawler Babelia — Search engine and crawler in Scheme Babelia is a privacy friendly, decentralized, open source, and accessible search engine. Search has been an essential part of knowledge acquisition from the dawn of time, whether it is antique lexicographically ordered filing cabinets or nowadays computer-based wonders such as Google or Bing. From casual search to help achieve common tasks such as cooking, keeping up with the news, a regular dose of cat memes or professional search such as science research. Search is, and will remain, an essential daily-use tool, and steers human progress forward. Babelia aims to replace the use of privateer search engines with a search engine that is open, hence under the control of the commons. Babelia wants to be an easy to install, easy to use, easy to maintain, no-code, personal search engine that can scale to billions of documents, beyond a terabyte of text data, for under €100 a month per Babelia instance. >> Read more about Babelia Blink RELOAD — Secure P2P real-time communications with RELOAD REsource LOcation And Discovery specification (RELOAD) is a standard produced by the IETF to (as the name indicates) describe how people can search within a local network to discover other people and devices they can then exchange video and voice calls with, send messages etc. Why make every discovery depend on the availability of a global DNS system, if you are actually near each other... Blink is a mature open source real-time communication application that can be used on different operating systems, based on the IETF SIP standard. It offers audio, video, instant messaging and desktop sharing. 
Blink RELOAD aims to implement RELOAD (RFC 7904), which describes a peer-to-peer network that allows participants to discover each other and to communicate using the IETF SIP protocol. This offers an alternative discovery mechanism, one that does not rely on server infrastructure, in order to allow participants to connect with each other and communicate. In addition, the RELOAD specification describes means by which participants can store, publish and share information, in a way that is secure and fully under the control of the user, without a third party controlling the sharing process or the information being shared. >> Read more about Blink RELOAD Bonfire Search & Discovery — Improving search and discoverability in the Fediverse Bonfire is a modular ecosystem for federated networks. The project creates interoperable toolkits that people can use to easily build their own apps to meet their specific needs. Users are then free to interact with multiple people and groups using these apps hosted on their own device, regardless of what federated software these other people use. Federated topics within the Bonfire ecosystem can consist of a hashtag, a category in a taxonomy, a location, etc. This enables users to find a topic they are interested in, see everything that was tagged with that (publicly or in their network), and follow it to receive any new tagged content. This will be interoperable with existing fediverse apps like Mastodon without requiring extra development on their end, and will create a decentralised graph of topics that can help relevant information flow from instance to instance. All content on a Bonfire instance (including remote content coming in via follows or federated topics) will also be aggregated in a local search index with which the user can search their own data, information from people or groups they follow, as well as content from topics or locations they are interested in from around the fediverse. 
This search will happen locally on their device (which is a plus for privacy), with results appearing instantly while typing a query, and being able to filter the results (e.g., by object or activity type, hashtags, topics, or language). Every line of Bonfire’s code is available to be used or forked, in a collection of libraries that can be assembled and re-assembled to create all kinds of full-featured apps. One example is Bonfire's mutual aid extension where users can post and search for requests and offers across different instances according to topic and/or geographical location. >> Read more about Bonfire Search & Discovery Castopod — Podcasting in the fediverse Castopod is an open-source podcast hosting solution for everyone, that can connect to the Fediverse through the W3C ActivityPub standard (Pixelfed, Mastodon, Pleroma…). Castopod is user friendly, and allows for easy discovery everywhere. Whether you are a beginner, an amateur or a professional, you will get everything you need: you can create, upload, publish, manage server subscriptions (WebSub embedded server). You can allow users to listen to your podcast directly, but just as easily connect to commercial directories (Apple, Google, Spotify…). Take back control: interact with your audience on your platform (like, share, comment), the social network IS the podcast. In addition to supporting W3C ActivityPub, you can also export to proprietary social networks (Twitter, Instagram, Youtube, Facebook). Castopod is easily hosted on any PHP/MySQL server: unzip it and you and other podcasters are ready to broadcast professionally. >> Read more about Castopod Castopod Mobile — Userfriendly mobile podcasting application Castopod Mobile is a free and open-source mobile podcast player application (GPL v3). It is intended to be installed on your mobile phone (iOS, Google Android, /e/…). You can install it from F-Droid, from your usual app store or you may compile it yourself for your own needs. 
Castopod Mobile is a two-in-one application: a podcast player and a Fediverse client. It serves several purposes. Firstly, to provide a mobile application that takes advantage of ActivityPub features for podcasts (the ones that Castopod Server provides for instance). Secondly, to reduce the complexity of the Fediverse ecosystem during onboarding: account creation currently prevents many users from joining the Fediverse because it is difficult to guess where to begin. And thirdly: to provide a podcast application template for communities who want to build and manage their ecosystem from beginning (with your own private Castopod Server) to end (with your own Castopod Mobile based application). >> Read more about Castopod Mobile Discover and move your coins by yourself — A safe way to explore and work with cryptocurrency forks The numerous technologies behind cryptocurrencies are probably the most difficult to understand compared to any other networks, even for technical experts - and especially bitcoin based networks. Most users, even those familiar with the technology for years, have to rely on wallets or run/sync full nodes. Empirically we can see that they usually get lost at a certain point in time, especially when said wallets dictate the use of new \"features\", like bip39 and alike, multisig, segwit and bech32. Most users don't understand where their coins are and on what addresses, what the format of these addresses is, what their seeds are and what they need to unlock their coins. This situation pushes users to give their private keys to dubious services, resulting in the loss of all of their coins. The alternative is to let exchanges manage their coins, which removes their agency and puts them at risk. The goal of this project is to correct this situation, allowing people to simply discover where their coins are and what their addresses are, whatever features are used. 
It will allow them to discover their addresses from one coin to another, rediscover their seed if they lost a part, sign/verify address ownership, discover public keys from private keys and create their hierarchical deterministic addresses. In fact, all the tools needed to discover and check what is related to their coins - and this for any bitcoin based network. In addition, it allows them to create their transactions by themselves and send them to the networks, or just check them. The tool is a standalone secure open source webapp inside browsers that must be used offline; this is a browserification of a nodejs module that can also be used or modified by those that have the technical knowledge. >> Read more about Discover and move your coins by yourself Connect by Name — Library for easy connection setup Connect by Name will be a C library providing an interface that allows a software developer to set up internet connections from an application in the most private and secure manner using well-established and open standards. The interface provided to the software developer will be as simple as “Connect to a service on a domain name” and be flexible enough to fit with different programming paradigms and environments. The library will facilitate composability with other systems and will be extensible with future standards. Our goal is to lower the barrier for developing high-quality software and thereby improve the security and privacy of end users. >> Read more about Connect by Name Conzept encyclopedia — An alternative encyclopedia The Conzept encyclopedia is an attempt to create an encyclopedia for the 21st century. A modern topic-exploration tool based on: Wikipedia, Wikidata, the Open Library, Archive.org, YouTube, the Global Biodiversity Information Facility and many other information sources. A semantic web app built for fun, education and research. 
Conzept allows you to explore any of the millions of topics on Wikipedia from many different angles - such as science, art, digital books and education - both as a defined semantic entity (\"thing\") as well as a string. Client-side topic-classification in addition allows for a fast, higher-level logic throughout the whole user experience. Conzept also has a uniquely integrated user-interface, which gives you a single well-designed view of all this information (in any of the 300+ Wikipedia languages), without cognitive overload. >> Read more about Conzept encyclopedia Record Federation for Corteza Clouds — Data federation over ActivityPub Corteza is a low code platform for building cloud-based web applications. This is typically for private, records-based management purposes (e.g. case management, insurance claims processing, public sector management applications, CRM, ERP), but the uses can also be public if required. It has a modular architecture and its data layer, presentation layer and automation layer can each be treated individually. Corteza Record Federation makes innovative use of the ActivityPub standard to describe how content from the Corteza data layer can be broadcast across large federations of Corteza clouds. All data types, simple or compound, entire records and entire data models are supported. Whether it be energy, finance, health, education or smart cities, many industries need to share complex data in real-time or near real-time, while preserving the digital sovereignty of a large number of disparate actors, protecting the privacy of user data and acknowledging the law of whichever territories in which they find themselves operating. Corteza Record Federation allows for the creation of private networks of decentralised “mini-clouds”, all self-hosted and controlled by their owners, where this data exchange can happen as efficiently and more effectively than on any single centralised cloud. 
>> Read more about Record Federation for Corteza Clouds Corteza Discovery — (Geo)search and discovery within federated services Corteza Discovery will render Corteza as a search-oriented architecture. Corteza is an open source Low Code Application Development solution for building records-based management systems. It can be used in a wide array of applications, from Urban Data Platform for smart city management to business applications and CRM. Corteza is capable of many-to-many data federation and WCAG2.0 accessibility is an objective across all components of the solution. Advanced, permissioned search will be implemented locally, within federations and between federations. Standards-oriented geolocation and mapping will be supported across the platform. The ultimate goal is to create a compelling, modern and friendly UX for users/citizens - yet based on federated, high-utility Low Code applications which have been specifically designed for purposes of data collection, organisation and portability. Search features such as tokenisation, lemmatisation and \"more like this\" functionality will enrich user interaction. From any point of user interaction with any search, to developers building new applications to be searched, Corteza aims to set a standard for inclusive design. >> Read more about Corteza Discovery Privacy Infrastructure for Corteza Federations — Allow users to locate and browse their private data wherever The project summary for this project is not yet available. Please come back soon! >> Read more about Privacy Infrastructure for Corteza Federations ArtistHub — Allow creative artists to gain visibility and build reputation on the web The Artist Hub is a progressive web app developed by The Creative Passport MTU, that allows users - Music makers - to connect different data sources and display their feeds all in the same global wall arranged in chronological order. 
Music makers will be able to create a custom fan page on a self-hostable server where all their music and related content can be placed and shared with their fans. The underlying architecture for subscribing to and receiving posts/updates from connected services will be built using ActivityPub. The idea behind this architecture is a free and open-source way for music makers to share their content without needing to post to a number of different websites and social media and for fans to have the freedom to choose their platform of choice for engaging with that content. We will use ActivityPub to aggregate data from a number of platforms. This will enable us to offer support for video (using PeerTube), audio (using Funkwhale), images (using PixelFed) and text (using Mastodon). >> Read more about ArtistHub DeltaBot — Social discovery over mail-based chat Why make humans be the only ones to search new content that is relevant to you, if bots can be made to do the same on your behalf? The DeltaBot project will research and develop decentralized, e2e-encrypting and socially trustworthy bots for Delta Chat (https://delta.chat). Bots will bridge with messaging platforms like IRC and Matrix, offer media archiving for its users and provide ActivityPub and RSS/Atom integration to allow users to discover new content. Our project is not only to provide well tested and documented Chat Bots in Python but also help others to write and deploy their own custom bots. Bots will perform e2e-encryption by default and we'll explore seamless ways to resist active MITM attacks. >> Read more about DeltaBot Extend EFI support in BSDs — Bring automated firmware update to BSDs UEFI/EFI support covers boot integrity and as such has become a structural part of Linux, Windows, and other OS-es. There are a number of relevant operating systems however that are not able to benefit from this technical capability just yet. 
This project would fill that gap by extending EFI support to OpenBSD, NetBSD, and DragonflyBSD. This will allow proper hardware initialization as well as additional security features within those open source operating systems. >> Read more about Extend EFI support in BSDs EDeA — A forge suitable for open hardware development The short version: EDeA is a novel approach to allow exploration of and improve discovery within the open hardware ecosystem - in order to help make open hardware designs and components discoverable and reusable. At this moment in time, pretty much everything surrounding open hardware development is manual. Beyond just typing something into a generic search engine there isn't really suitable tooling available to search across what already exists. Accessible and usable distributions, collaboration tools and version control are what drove the free and open source software revolution; now open hardware needs to take the same leap forward. Open hardware electronics projects are growing in numbers, thanks to crowdfunding, a strong developer community, and sophisticated open source electronic design automation (EDA) tools like KiCad. Between circuit schematic and printed circuit board (PCB) layout there is a logical association, but they are handled by separate programs, and therefore one can’t simply copy-paste design blocks. In 2020 it is still next to impossible to reuse proven parts of different designs without needless reimplementation. By leveraging KiCad’s pcbnew and eeschema scripting, a new way of building modular, reusable electronics opens. We are creating a catalog and community portal for discovery and development of proven circuit modules: power management, signal conditioning, data conversion, micro-controllers, etc. >> Read more about EDeA AEAP — Automated e-mail address porting to a new provider There is no search for email addresses, like there was in the days long gone of the phone book. Once an old contact disappears (e.g. 
moves jobs, changes provider), even though you may have exchanged many emails with that person you can not discover which new email address(es) go(es) with that old contact. The Automated E-mail Address Porting project (AEAP) wants to allow you to find the new email addresses of these existing email contacts. The project will research and develop the porting of an e-mail address to a new provider. We will implement, document, user-test and release a porting mechanism for Delta Chat, a leading end-to-end encryption mail client. Users can decide they want to use a new provider by entering credentials for a new e-mail address. The outcome of the AEAP project will be Delta Chat Desktop, Android and iOS releases to all app stores, providing seamless porting of e-mail addresses. Changing an e-mail provider will not depend on the consent of the existing one. GMail and various other \"free e-mail\" provider lock-in strategies will be weakened, also through the e2e-encryption that our AEAP effort spearheads. >> Read more about AEAP Email for expert news — Keep up to date with a flow of publication Full text search can help locate text within a certain corpus, but it doesn't help much with staying up to date with the continuous development of a certain field. Ingesting the daily flood of potentially relevant publications is time-consuming, and so sharing and delegating effort makes a lot of sense. Bims (Biomed News) and NEP (New Economics Papers) are long standing projects in this vein, based on PubMed and RePEc, respectively. They are early examples of expertise sharing systems that deliver digests - human curated sets of the most relevant new publications. Dedicated experts filter the flow of incoming publications in different domains, allowing everyone to stay up to date with the latest developments through publicly available periodic reports on a variety of topics. 
This project aims to build a new software tool to allow users to subscribe to these reports across different fields of interest. Subscribers get a fully personalised report, meaning they will not have to deal with distractions such as duplicate items. The software aims to be generic, so it may be applied to any serial data of records formatted in a structured way. >> Read more about Email for expert news The search for ethical Apps — Create custom, self-hostable app stores for Android(-like) OS-es Once you own a smartphone, often you will want to install additional apps to add additional functionality. In some cases there isn't much choice, like when you as a citizen need to use digital services provided by your government and these are exclusively available through apps. Pre-configured vendor app stores such as the Google Play store and the Apple App store actually require you to agree to privacy-unfriendly terms of service and introduce tracking behaviour - even if you are only going to be installing ethical apps that themselves are open source and privacy-friendly. On top of that, these app \"warehouses\" contain a confusing amount of lookalike and dishonest applications that take advantage of naive consumers. Sending users into an app jungle with hundreds of thousands of apps that often resemble each other leaves users unprotected. In fact, in many cases the whole idea of a \"store\" doesn't make sense - like when an app is paid for by public funding. So why not create alternative mechanisms that give easy and convenient access to apps and do not force citizens to sign contracts with commercial third parties? This project will create custom app distribution mechanisms based on F-Droid, allowing anyone to curate a set of applications and distribute these to users directly - without them having to sign away any rights to third parties. 
>> Read more about The search for ethical Apps FairSync — Simplify aggregation and discovery of places and events How can we make it possible to search across different maps and lists of events maintained by different organisations? By connecting them, of course! FairSync develops and collects best practices to synchronize maps and events and to federate messengers and identities active in the global movement for sustainability. System integrators are faced with fast evolving APIs and protocols when they try to discover and connect systems and make search easier. We will work on master-master replication frameworks of metadata enriched data sets and test with platform providers for sustainability affairs. One approach is the \"lazy master scheme\": a common update propagation strategy where changes on a primary copy are first committed at the master node, afterwards the secondary copy is updated in a separate transaction at slave nodes. We will try to advance such immediate update propagation in this project using protocols such as ActivityPub or the InCommon API. Federation of identities will be managed with SAML or OAuth2 protocols with fairlogin as a common identity provider. >> Read more about FairSync searx — Federating self-hosted search hubs Searx is a popular meta-search engine, with the aim of protecting the privacy of its users. In the typical use case, few users trust one instance. However, third-party services can easily fingerprint the users using the IP address of the searx instance and the user's queries. The project aims to create a searx federation to solve this issue. First, a protocol needs to be defined to allow the instances to discover themselves. Then, each instance will be able to proxy the HTTPS requests through other instances, so the user only has to trust one instance. 
Also, each instance will spread the requests to other instances according to their response time, and make sure that IP addresses are used evenly, or at least in the best possible way. To ensure the latter, the statistics page will be enhanced and available through an API that other instances will use. The federation will make sure that bots can't abuse this pool of IP addresses. >> Read more about searx First Classify Documents — Categorise different types of official documents With governments all over the world turning to digital filing systems, millions of paper files still wait to be digitized. One major challenge in this process is a structured approach to classifying and ordering documents. It is an unfortunate fact that many public documents are bitmap images of texts. For instance, tenders are published digitally but the actual resulting contracts are not published in a way that allows them to be indexed and queried - which hinders civil society in their ability to access these documents. Open source OCR software needs to become better to get good results with this. This project developed a system for models to distinguish between different types of official documents, able to classify state documents according to structure, keywords, document name, word and page count, metadata and context. >> Read more about First Classify Documents Folksonomy engine for the food ecosystem — Data modelling by the community Everybody is interested in the food they eat, in many different aspects, ranging from taste, cost, ingredients and nutrition to its impact on health, the environment and society. We also happen to have many different names for the same food, the way we prepare it and other properties - sometimes only used very locally. That means it is not always easy for everyone to effectively search open data sets like OpenFoodFacts. Open Food Facts - sometimes referred to as the \"wikipedia for food products\" - is the biggest open food-database in the world. 
The Folksonomy engine for the food ecosystem created within this project will unleash an ocean of new data and uses regarding food. Citizens, researchers, journalists, professionals, artists, communities, and innovators will be able to define and add new properties of their choice to food products on Open Food Facts for their own use or to enrich the shared knowledge. Open Food Facts already feeds hundreds of data reuses. Thousands more will become possible thanks to the new user defined properties. >> Read more about Folksonomy engine for the food ecosystem ForgeFed — Federation for software collaboration tools When you are searching for new software to use, you will have to visit many different software forges - like Gitlab, Codeberg or Sourcehut. There isn't really a tool to search for anything across the boundaries of these different software forges. ForgeFed aims to define a vocabulary and a protocol for decentralized communication and federation of websites used for hosting and collaboration on version control repositories, issue tracking and project management. Typical such websites are code forges such as GitLab and Gitea instances (and centralized services like github), but the idea also applies to applications like collaborative civic planning, publishing of creative writing (such as prose and poetry) and more. ForgeFed is to be designed as an extension of ActivityPub, and web apps implementing it would be joining the Fediverse. The world of repo and project hosting would switch from the centralized model of github (and the lonely disconnected websites running GitLab or Gitea etc.) into a network of federating websites, creating a global decentralized community. The project will publish a set of specifications and guides for implementing the federation protocol, and to work with existing projects and communities to refine and finalize the specifications and implement ForgeFed federation. 
>> Read more about ForgeFed Funkwhale — ActivityPub-driven audio streaming and sharing Funkwhale is a free, decentralized and open-source audio streaming and sharing platform, built on top of the ActivityPub protocol. It enables users to create communities of interest around music and audio content in general, listen to their private music library or distribute their own productions on the network. Each Funkwhale pod, or server, can communicate with other pods to exchange audio content, metadata or for user interactions. In this project, Funkwhale will improve the publication experience for creators, release its first stable version, improve content discovery inside the platform through better sharing and search mechanisms. We will also continue research and development for Retribute, a community wealth sharing platform meant to support creators on Funkwhale or any other platform. >> Read more about Funkwhale GNU Name System — Authenticated naming system for the internet from GNU project Today, the starting point of any discovery on the Internet is the Domain Name System (DNS). DNS suffers from security and privacy issues. The GNU project has developed the GNU Name System (GNS), a fully decentralized, privacy-preserving and end-to-end authenticated name resolution protocol. In this project, we will document the protocol on a bit-level (RFC-style) and create a second independent implementation against the specification. Furthermore, we will simplify the installation by providing proper packages that, when installed, automatically integrate the GNS logic into the operating system. >> Read more about GNU Name System GNU social — Modernizing the original FOSS Social Network GNU social is a free social networking platform, easily self-hostable and highly accessible, that enables both private and public decentralized communications. With NLnet NGI Zero's support, the project is undergoing a change of main focus from microblogging to groups and tags. 
With this, GNU social will be a space for communities where users can express their passions and explore new ones. Users will be able to immerse themselves in easily filterable content relevant to their interests, and to create and join communities. It's hard to pinpoint an existing alternative service that promotes the same level of functionality in terms of tagging, filtering and connecting with people that share common interests, especially considering the available degree of accessibility, customization and expansion via plugins. >> Read more about GNU social Tooling to improve security and trust in GNU Guix — Contextual software vulnerability discovery GNU Guix is a universal functional package manager and operating system which respects the freedom of computer users. It focuses on bootstrappability and reproducibility to give the users strong guarantees on the integrity of the full software stack they are running. It supports atomic upgrades and roll-backs which make for an effectively unbreakable system. This project aims to automate software vulnerability scanning of packaged software to protect users against possibly dangerous code. >> Read more about Tooling to improve security and trust in GNU Guix Geolexica reverse — Reverse Semantic Search and Ontology Discovery via Machine Learning Ever forgotten a specific word but could describe its meaning? Internet search engines more often than not return unrelated entries. The solution is reverse semantic search: given an input of the meaning of the word (search phrase), provide an output with dictionary words that match the meaning. The key to accurate reverse search lies in the machine’s ability to understand semantics. We employ deep learning approaches in natural language processing (NLP) to enable better comparison of meanings between search phrases and word definitions. Accuracy will be significantly increased.
The project outcome will be employed on Geolexica as a pilot application and testbed for evaluation. The ability to identify entities with similar semantics facilitates ontology discovery in the Semantic Web and in Technical Language Processing (TLP). >> Read more about Geolexica reverse Federated software forges with Gitea — Use W3C ActivityPub to federate among software forges Gitea is a popular free and open-source software forge, a solution for code hosting, version control (using Git) and featuring other collaborative features like bug tracking, wikis and code review. Unlike proprietary platforms like GitHub, anyone can host the software for themselves and for others - and retain full control and confidentiality over their operations and community. The goal of this project is to add federation features to Gitea by implementing, among others, the W3C ActivityPub standard. This is an important enabler that can be used to implement a distributed search across different software repositories - an important feature for decentralised systems. The project will also verify that the implementation of the federation proposed for Gitea conforms to the ActivityPub W3C standard as well as the ForgeFed models. >> Read more about Federated software forges with Gitea Real time graph database search engine — Live filtering on graph database streams Based is the world's first open source pub/sub real time graph database. It allows for millions of concurrent connections to changes in data or relationships, and offers built-in features such as authentication, internationalisation, server-side scripts for automation, time-series data, and user management. This saves money, complexity, and maintenance. In this project we will work on a full text indexing engine, that will give developers and end users the ability to query text in real time – and get back any updates in text instantly.
The search engine is geared toward working with our database, but is applicable to any database in which users are interested in text search that updates in real time and indexes dynamically. >> Read more about Real time graph database search engine The Open Green Web — Ethical meta-search filter on green hosted websites The world wide web has become a mainstay of our modern society, but it is also responsible for a significant use of natural resources. Over the last ten years, The Green Web Foundation (TGWF) has developed a global database of around 1000 hosters in 62 countries that deliver green hosting to their customers, to help speed a transition away from a fossil fuel powered web. This has resulted in roughly 1.5 billion lookups since 2011 - through its browser based plugins, manual checks on the TGWF website and its API, provided by an open source platform. But what if you want to take things one step further? This project will create the world's first search engine with ethical filtering, that will exclusively show green hosted results. In addition to giving a new choice of search engine to environmentally conscious web users, all the code and data will be open sourced. This creates a reference implementation for wider adoption across industry of search providers, increasing demand and visibility around how we power the web. The project builds upon the open source search engine Searx, and will collaborate with the developers of that search tool to make \"green\" search an optional feature for all installs of Searx. >> Read more about The Open Green Web Haketilo/Hydrilla — Browser extension for site customisation Internauts today have very little control over their web browsing. Many sites are no longer simple documents meant for reading but complex in-browser applications often equipped with facilities to mistreat their users.
Haketilo is a browser extension that aims to change this by giving you complete control over the resources your browser loads for websites, starting with JavaScript. One of its features is the ability to replace sites' JavaScript programs with user-supplied ones. There is currently no other browser extension that provides users with a secure and fully free browsing experience of this kind. Haketilo works together with its repository, Hydrilla, which it can query for community-developed custom site resources. Both tools are available as free/libre software under GNU licenses. In addition, the Hydrilla API can also be utilized by independent developers who want to increase the amount of user agency in their products. For greater website compatibility, Haketilo will work alongside other browser extensions that mitigate harmful JS. >> Read more about Haketilo/Hydrilla Great scanning and OCR for mobile devices — The aim of this project is to improve the scanning and optical character recognition on mobile devices. Currently the cameras of many mobile devices have relatively noisy output whenever lighting conditions are less than optimal. Additionally, it's almost impossible to achieve scans that are distortion free as mobile devices don't have a surface against which the document under scan could be reliably pressed. These two problems lead to difficulties in performing optical character recognition over acquired images as most recognition algorithms require an input that is noise and distortion free. The solution that will be developed by this project will solve both of these problems by acquiring multiple scan images from different angles. The same objects can then be matched across the source images, providing two benefits: the noise can be cancelled out and the 3D shape of the document under scan can be derived. Such information can then be used to unfold the document to 2D space and provide a noise and distortion-free image to optical character recognition algorithms.
The solution will be implemented taking into account the performance limitations of mobile devices and a major optimization effort will be spent to achieve an acceptable latency of the complex image processing algorithms. >> Read more about Great scanning and OCR for mobile devices Hubzilla — Federated social networking environment Hubzilla is one of the most mature stacks within the so-called Fediverse, and is able to run different protocols such as ActivityPub, Diaspora and Zot. Hubzilla provides powerful tools for communities and individuals to help organise themselves, while providing a possibility to interact with each other. It is a decentralised identity, communications and permissions framework built using common webserver technology. The software features many useful apps to enable discussions, event organisation, file sharing etc. with built-in internet-wide access control. With Hubzilla you don't have an account on a server, you own an identity that you can take with you across the network. With the help of the NGI Zero grant, the new version of the zot protocol (zot6) will be implemented as the primary communication protocol and the UX/UI will be improved to lower the entry barrier for less experienced computer users. And of course you can easily search your Hubzilla server for topics, users, fora and tags. >> Read more about Hubzilla ipfs-search.com — Search engine for the Interplanetary File System ipfs-search.com is a Free and Open Source (FOSS) search engine for directories, documents, videos, music on the Interplanetary Filesystem (IPFS), supporting the creation of a decentralized web where privacy is possible, censorship is difficult, and the internet can remain open to all. >> Read more about ipfs-search.com Icebreaker — Gemini centric viewpoint of coding issues and bug tracking Modern software projects not only require source code repository management but also tools to plan projects and solve technical problems.
Closed source solutions and online commercial services may be convenient, but create significant concerns around control, autonomy and privacy - and they skew discoverability. Icebreaker believes in decentralised approaches which keep the coding repo separate from the project management repo. In terms of cooperation and teamwork, this helps to encourage new, flexible and dynamic approaches. These expectations are solved through the minimalism of the Gemini protocol and its terse Markdown format, Gemtext. It is modern because it is easy to understand; accessible to interact with (whether as a consumer or a contributor); and treats privacy as a foremost priority. Icebreaker's flagship project, gLean, provides building blocks for navigating and interpreting one or more Gemini content sources (with settings, rulesets, and regex magic). (Non core) modules provide output in alternative formats, including Kanban boards. Creators will control their issue trackers. Creators' terms. Creators' conditions. 'Off-the-shelf' solutions can't compete against gLean's tailored approaches. FOSS communities can choose workflows that match their technical requirements, while supporting autonomy and adhering to their ethical values. >> Read more about Icebreaker IN COMMON — Public platform to map and act together for the Commons IN COMMON emerged as a transnational European collective from a network of non-profit actors to identify, promote, and defend the Commons. We decided to start a common pool for Information Technologies with the aim to create, maintain, and share with the public geo-localized data that belong to our constituents and to articulate citizen movements around a free, public and common platform to map and act together for the Commons. IN COMMON forms a cooperative data library that provides collective maintenance to ensure data is always accurate. 
>> Read more about IN COMMON In-document search — Interoperable Rich Text Changes for Search There is a relatively unexplored layer of metadata inside the document formats we use, such as Office documents. This makes it possible to answer queries like: show me all the reports with edits made within a timespan, by a certain user or by a group of users. Or: Show me all the hyperlinks inside documents pointing to a web resource that is about to be moved. Or: list all presentations that contain this copyrighted image. Such embedded information could be better exposed to and used by search engines than is now the case. The project expands the ODF toolkit library to dissect file formats, and will potentially have a very useful side effect of maturing the understanding of document metadata at large and for collaborative editing of documents in particular. >> Read more about In-document search Practical Tools to Build the Context Web — Declarative setup of P2P collaboration In a nutshell, the Perspectives project makes collaboration behaviour reusable, and workflows searchable. It provides the conceptual building blocks for co-operation, laying the groundwork for a federated, fully distributed infrastructure that supports endless varieties of co-operation and reuse. The declarative Perspectives Language allows a model to translate instantly into an application that lets multiple users contribute to a shared process, each with her own unique perspective. The project will extend the existing Alpha version of the reference implementation into a solid Beta, with useful models/apps, aspiring to community adoption to further the growth of applications for citizen end users. Furthermore, necessary services such as a model repository will be provided. This will bring Perspectives out of the lab, and into the field. For users, it will provide support in well-known IDEs for the modelling language, providing syntax colouring, go-to definition and autocomplete.
Real life is an endless affair of interlocking activities. Likewise, Perspectives models of services can overlap and build on common concepts, thus forming a federated conceptual space that allows users to move from one service to another as the need arises in a most natural way. Such an infrastructure functions as a map, promoting discovery, decreasing dependency on explicit search. However, rather than being an on-line information source to be searched, such as the traditional Yellow Pages, Perspectives models allow their users (individuals and organisations alike) to interact and deal with each other on-line. Supply-demand matching in specific domains (e.g. local transport) integrates readily with such an infrastructure. Other patterns of integrating search with co-operation support form a promising area for further research. >> Read more about Practical Tools to Build the Context Web Indigenous — Indieweb mobile clients Indigenous is a collection of native, web and desktop applications which allows you to engage with the Internet as you do on social media sites, but posts it all on your website. Use the built-in reader to read and respond to posts across the internet. Indigenous doesn't track or store any of your information, instead you choose a service you trust or host it yourself. Posts are collected on your website or service which supports W3C Microsub, writing posts uses the W3C Micropub specification. Popular services that support both are Wordpress, Micro.blog and Drupal, with more coming soon. >> Read more about Indigenous Interpeer — Collaboration infrastructure with near real-time p2p data synchronization The Interpeer Project's purpose is to research and develop novel peer-to-peer technologies for open and distributed software architectures. The goal is to enable serverless modes of operation for collaborative software with rich feature sets equal to or surpassing centralized client-server architectures.
For that reason, the initial focus lies on facilitating the extreme end of the use case spectrum with very low latency and high bandwidth requirements, as exemplified by peer-to-peer video communications in quality as close to 4k resolution as possible. When that initial goal is reached, the project focus will shift to other collaborative applications of the technology. >> Read more about Interpeer Inventaire — Wikidata-based social sharing of reading experiences The Inventaire Project is an effort to move forward on the front of accessing information on resources using libre software powered by open knowledge. This ideal is being materialized in the form of inventaire.io, a libre book sharing webapp, inviting everyone to make the inventory of their physical books, declare what they want to do with it (giving, sharing, selling), as well as who should be able to see it (shared publicly through e.g. ActivityPub, or only visible by your friends and groups). To power those inventories with structured bibliographic data, inventaire.io is also playing the role of a Wikidata-federated open and contributive bibliographic database, extending wikidata.org data with Wikidata-compatible entities (CC0, shared data schema) tailored to our needs, but ready to be pushed to Wikidata when the data contributor deems it appropriate. This linked open data architecture allows users to build their inventories on a huge open knowledge graph, that we believe will, in time, offer exceptional discovery capabilities. This project addresses many features, such as improved privacy settings, accessibility, creating publisher collections and data federation. >> Read more about Inventaire Inventaire recommender — Book recommendations in Inventaire The Inventaire Project is an effort to move forward on the front of accessing information on resources using libre software powered by open knowledge.
This ideal is being materialized in the form of inventaire.io, a libre book sharing webapp, inviting everyone to make the inventory of their physical books, declare what they want to do with it (giving, sharing, selling), as well as who should be able to see it (shared publicly through e.g. ActivityPub, or only visible by your friends and groups). To power those inventories with structured bibliographic data, inventaire.io is also playing the role of a Wikidata-federated open and contributive bibliographic database, extending wikidata.org data with Wikidata-compatible entities (CC0, shared data schema) tailored to our needs, but ready to be pushed to Wikidata when the data contributor deems it appropriate. This linked open data architecture allows users to build their inventories on a huge open knowledge graph, that we believe will, in time, offer exceptional discovery capabilities. Now that this first base of inventories and contributive bibliographic data has reached a certain level of maturity, we want to start moving forward on the next challenges: introduce curation and recommendation mechanisms, improve search tools, offer finer privacy settings, and move forward on decentralization. >> Read more about Inventaire recommender Irdest — Local P2P mesh discovery of devices and users How can you search for wireless devices near you to interact with, without other infrastructure present? The Irdest project allows devices such as laptops and smartphones to create wireless mesh networks over Bluetooth and direct WiFi connections, rather than relying on internet access via mobile networks, and traditional internet service providers. It decentralises the routing and peering mechanisms used to connect people together, to allow users to have more control over their digital lives. In addition to this, direct circuits in an Irdest network are end-to-end encrypted, meaning that data privacy is built into the protocol at a fundamental level.
>> Read more about Irdest Karrot — Save and share food waste Karrot started as a free and open-source tool to support grassroots initiatives that save and share food waste, but it has been gradually re-designed to become a more general purpose tool to support various groups of people in their face-to-face activities on a local, autonomous, solidarity-driven and voluntary basis. Some of its defining features are the self-assignment of tasks, full transparency of members' actions and no admin roles, using a trust-based system instead. In order to better support the diverse ways in which people self-organize and practice commoning, this project will further develop features focused on the needs of end users through a participatory design process. We will work with the themes of collective agreements, role assignment and going beyond group boundaries for organising, which includes exploring options for federating. The same way we envision the software to be used, we will continue to work for the governance and organisation of the Karrot project itself to be community-driven, transparent and democratic. >> Read more about Karrot Kazarma — Bridge ActivityPub and Matrix realms Matrix-Appservice-CommonsPub is a bridge between two decentralized protocols: Matrix and ActivityPub. The development includes polishing CommonsPub, an Elixir generic ActivityPub implementation, and creating an Elixir library to build Matrix bridges. We will first focus on private messages between Matrix users and users of an ActivityPub-enabled platform, like PeerTube or Funkwhale, then explore the possibilities of synchronizing ActivityPub feeds (e.g. \"toots\" feeds) in Matrix. The bridge comes as an easy-to-deploy, secure and scalable solution. >> Read more about Kazarma Keyoxide — Self-hostable identity proofs with bidirectional linking verification How do you discover which other online accounts across different services and service providers actually belong to the same person?
Keyoxide is a secure, privacy-friendly and decentralized platform to manage online identities, uncompromisingly driven by what the user herself wants to share. Keyoxide is a new type of service to allow proving linked account ownership on a variety of platforms. Keyoxide leverages existing and battle-tested cryptographic primitives. The goal is to give users more control over their online presence, independent from dominant internet actors - without in fact having to depend on any centralised services or third parties. The project will improve the usability of the current Keyoxide, and its emerging underlying technology (Decentralized OpenPGP Identity Proofs). More service providers will be added and additional tools to provide proofs will be developed, to create a smooth and easy onboarding process for less tech-savvy people. >> Read more about Keyoxide Collabora Online and LibreOffice — Improved visual document search for cloud service Today it’s usually easier to use a search engine for information than find it locally, which is not optimal from a digital sovereignty point of view. Part of the problem is that we lack good open source tools to provide context and graphical search of local documents. These tools present plain-text lists for search results, which means people with good graphical memory find information slower. We think it’s a huge opportunity to show the context of search hits in a graphical form to find information faster. Technically, this will mean taking an existing file synchronization and sharing (FSS) solution, hosting your documents on-site. Then improving LibreOffice to index content in documents with their context. We will build a secure REST API on top of this in Collabora Online which provides good performance. Finally we will integrate with a search engine, e.g. Apache Solr, to create a proof-of-concept search page that allows searching in all documents hosted in an FSS solution.
This will serve as an example of how to integrate our solution into other projects like Nextcloud. >> Read more about Collabora Online and LibreOffice lemmur — A Lemmy mobile client Lemmur is a multi-platform client for Lemmy - a federated link aggregator. It aims to bring the fediverse to the hands of regular people by providing a seamless experience across different instances. Currently lemmur implements the majority of functionalities provided by Lemmy making it competitive with existing social media apps. In this project lemmur will expand to support more Quality of Life features such as live comment updates and notifications with websockets, caching, theming system, and custom feeds. Additionally lemmur will expand its and Lemmy's reach by internationalizing the whole app, creating adaptive UI for different platforms, and creating an onboarding experience that will work as an introduction to both lemmur and the fediverse. Lastly lemmur will continue improving the seamless instance experience reducing the need of changing instances to the minimum. >> Read more about lemmur Lemmy — ActivityPub for link aggregation Lemmy is an open-source, easily self-hostable link aggregator that you can use to share and discover interesting new ideas - and discuss them with the world. It is designed to work in the Fediverse, and communicate natively with other ActivityPub services, such as Mastodon, Funkwhale and Peertube. Lemmy aims to create a decentralized alternative to widely used proprietary services like Reddit. For a link aggregator, this means a user registered on one server can subscribe to communities on any other server, and have discussions with users registered elsewhere. The front page of popular link aggregators is where many people get their daily news, so Lemmy has the potential to help alter the social media landscape.
>> Read more about Lemmy Lemmy Federation — Lemmy Federation and ActivityPub compliance Lemmy is an open-source, easily self-hostable link aggregator that you can use to share and discover interesting new ideas - and discuss them with the world. It is designed to work in the Fediverse, and communicate natively with other ActivityPub services, such as Mastodon, Funkwhale and Peertube. Lemmy aims to create a decentralized alternative to widely used proprietary services like Reddit. For a link aggregator, this means a user registered on one server can subscribe to communities on any other server, and have discussions with users registered elsewhere. The front page of popular link aggregators is where many people get their daily news, so Lemmy has the potential to help alter the social media landscape. In this project, the team focuses on standards compliance, interoperability, internationalisation features, private communities and improving moderation. >> Read more about Lemmy Federation XMPP-ActivityPub gateway — XMPP, ActivityPub and E2EE Pubsub XMPP (aka Jabber) is the vendor-neutral internet standard for instant messaging. ActivityPub is a web standard for federated social networking, used in software like Mastodon, Pleroma, PeerTube, Pixelfed and Funkwhale. The project consists of two components: an ActivityPub-XMPP gateway, which will be a component bridging these protocols - enabling ActivityPub users to access XMPP blogs, comments and other features, and vice versa. And adding state of the art end-to-end encryption (E2EE) for PubSub and filesharing, which entails proposing a new XMPP standard which can provide a secure way to publish, retrieve and subscribe to all sorts of data over XMPP. The project is built on Libervia (previously known as \"Salut à Toi\"), a communication ecosystem based on XMPP. Libervia offers several interfaces (web, desktop, mobile, command line, text UI) and explores the XMPP protocol beyond instant messaging.
Libervia features chat, blogging, file sharing, photo albums, events, forums, etc. Libervia's goal is to develop an all-in-one, easy to use \"familial and personal social network\", i.e. a tool to communicate with the people close to you securely - and that lets your personal data stay within your control (as it should be). >> Read more about XMPP-ActivityPub gateway Librecast Live — Live streaming with multicast The Librecast Live project contributes to decentralizing the Internet by enabling multicast. Multicast is a major network capability for a secure, decentralized and private by default Next Generation Internet. The original design goals of the Internet do not match today's privacy and security needs, and this is evident in the technologies in use today. There are many situations where multicast can already be deployed on the Internet, but also some that are not. This project will build transitional protocols and software to extend the reach of multicast and enable easy deployment by software developers. Amongst others it will produce a C library and POC code using a tunneling method to make multicast available to the entire Internet, regardless of upstream support. We will then use these multicast libraries, WebRTC and the W3C-approved ActivityPub protocol to build a live streaming video service similar to twitch.tv. This will be a complement to the existing decentralised Mastodon and Peertube projects, and will integrate with these services using ActivityPub. By doing so we can bring live video streaming services to these existing decentralised userbases and demonstrate the power of multicast at the same time. Users will be able to chat and comment in realtime during streaming (similar to YouTube live streaming). This fills an important gap in the Open Source decentralised space. All video and chat messages will be transmitted over encrypted channels.
>> Read more about Librecast Live LinkedDataHub — Framework to handle Linked Data at scale LinkedDataHub is a Knowledge Graph explorer, or in technical terms, a rich Linked Data client combined with a personal RDF dataspace (triplestore). It provides a number of features for end-users: browsing Linked Data, cloning RDF resources to the personal dataspace, searching and querying SPARQL endpoints, creating collections from SPARQL queries, editing remote and local RDF documents, creating and transcluding structured content with visualizations of SPARQL results, charts etc. LinkedDataHub is a standalone product as well as a framework – its data-driven architecture allows extension and customization at every level from the APIs up to the UI. We expect LinkedDataHub to become a go-to tool for end-users working with Linked Data and SPARQL: researchers, data scientists, domain experts – regardless of whether they work in the digital humanities, life-sciences or any other domain. We strive to provide an unparalleled Knowledge Graph user experience that is enabled by the RDF stack, with the focus on discovery, exploration and personalization. >> Read more about LinkedDataHub MaDada — Using LinkedData to improve FOI processes MaDada is a free open source platform that simplifies and opens up the process of access by the general public to data and information held by the French government. Making use of the Freedom Of Information (FOI) law, the platform guides citizens to file requests, but also acts as an open data archive and platform for right-to-know or transparency campaigns, by publishing the whole process: the request history, the resulting correspondence, and the data obtained through it. Launched in October 2019 by Open Knowledge Foundation France members, MaDada has helped 250+ users make over 1200 FOI requests to French public bodies, and is beginning to play an important role in the right-to-know, need for transparency and open government problems.
MaDada is based on the open source software Alaveteli (https://alaveteli.org), which has been adapted and deployed to more than 25 countries in 20 different languages and jurisdictions. Alaveteli offers efficient functions for users to request and manage FOI requests. The NLnet funding will help the project develop and improve discovery and search features of public bodies on madada.fr and Alaveteli software - for instance, in France alone there are more than 60,000 public authorities. This will take advantage of existing digital commons such as Wikidata, and open standards such as schema.org and DCAT. >> Read more about MaDada Mailpile Search Integration — Personal email search engine Mailpile is an e-mail client and personal e-mail search engine, with a strong focus on user autonomy and privacy. This project, \"Mailpile Search Integration\", will adapt and enhance Mailpile so other applications can make use of Mailpile's built-in search engine and e-mail store. This requires improving Mailpile in three important ways: First, the project will add fine-grained access control, so the user can control which data is and isn't exposed. Second, enabling remote access will be facilitated, allowing a Mailpile running on a personal device to communicate with applications elsewhere on the network (such as smartphones, or services in \"the cloud\"). And finally, the interoperability functions themselves (the APIs) need to be defined (building on existing standards wherever possible), implemented and documented. >> Read more about Mailpile Search Integration Mangaki — Advanced group recommendations Within a set of search results, what should you do to find the optimal solution for not just a single user but a group? Mangaki is building an open source library for privacy-preserving group recommendations of items. While many content providers suggest recommendations at a personal level, these are often directed to a single user, or are restricted to a generic “family” category. 
When, say, a group of friends wants to watch a movie, it is often hard to decide what to watch, because people can have really different tastes. Recommendations are also very privacy-sensitive. A straightforward way might be to share our complete viewing history, but that certainly can lead to embarrassing and awkward situations. So how can we collectively compute a list of relevant items without disclosing all of our data unencrypted? The Mangaki project is making an open source library for group recommendations that works in a scalable and distributed way. >> Read more about Mangaki Mastodon - groups, filtering, moderation — Group support with ActivityPub Mastodon is a decentralized open-source social network built on the ActivityPub protocol. It allows users to launch their own instances of social networks, while allowing the instances to connect over the Fediverse. The project foresees the development of groups, advanced filtering, and improved moderation functionality. Groups functionality gives users the option to communicate with a smaller subset of their connections; improved moderation functionality will give admins a toolkit to efficiently deal with reported cases, e.g. with batch actions; advanced filtering adds more sophisticated ways to filter posts. >> Read more about Mastodon - groups, filtering, moderation Mepo — Lightweight mobile map search Mepo is a fast, simple, and hackable OSM map viewer for desktop Linux & mobile Linux devices (like the Pinephone, Librem 5, and postmarketOS devices) and both environments' various user interfaces (Wayland & X inclusive). Mepo works both offline and online, features a minimalist interface compatible with both touch/mouse and keyboard, and offers a UNIX-philosophy inspired underlying design, exposing a powerful command language called mepolang capable of being scripted to provide and customize functionality such as bounding-box search scripts, bookmarks, routing, and more. 
>> Read more about Mepo Practical Decentralised Search and Discovery — Search and discovery inside mesh/adhoc networks Internet search and service discovery are invaluable services, but are reliant on an oligopoly of centralised services and service providers, such as the internet search and advertising companies. One problem with this situation, is that global internet connectivity is required to use these services, precisely because of their centralised nature. For remote and vulnerable communities stable, affordable and uncensored internet connectivity may simply not be available. Prior work with mesh technology clearly shows the value of connecting local communities, so that they can call and message one another, even in the absence of connectivity to the outside world. The project will implement a system that allows such isolated networks to also provide search and advertising capabilities, making it easier to find local services, and ensuring that local enterprises can promote their services to members of their communities, without requiring the loss of capital from their communities in the form of advertising costs. The project will then trial this system with a number of pilot communities, in order to learn how to make such a system best serve its purpose. >> Read more about Practical Decentralised Search and Discovery Meta-Press.es — A press search engine in your browser Meta-Press.es is a press search engine, in the shape of a browser add-on. When using it, everything happens between the user's computer and the queried newspapers. Using Meta-Press.es, there is no data sent to third party (including our servers). We're not asking the users to believe that we respect their privacy, it's a matter of verifiable fact that we do. That means there is no single point of failure, of surveillance or of censorship. 
>> Read more about Meta-Press.es Meta-Press.es — Retrieve news feeds and search locally Meta-Press.es is an add-on (in the standard WebExtension format) which gives super powers to your web browser. Meta-Press.es equips your browser with the capacity to query hundreds of online press sources in a few seconds and get you the relevant results. It is a drop-in replacement for centralised services like Google News, and in addition helps you to create press reviews (via selection and export of results from automatized searches). Using Meta-Press.es, it's your web browser that does the work, without any middleman between information sources and you. Your privacy is respected even against the ad or social trackers of the newspapers (as those mechanisms aren't triggered by Meta-Press.es searches). Unlike its news portal competitors, Meta-Press.es transparently shows what was queried and what was not - and you can choose your own information sources (via source selection filters and even source selection pick-up). Everything happens directly on the user device and under control of the user, avoiding single points of censorship and in support of Freedom of the Press and media diversity. >> Read more about Meta-Press.es Mobilizon — Find, create and organize events Mobilizon is a free, libre and federated groups and events management platform. Most proprietary social media platforms collect behavioral data and social graphs by hosting groups and events management tools (such as Facebook events, MeetUp, etc.). This can become a problem, even more so when your group works on topics like activism, raising awareness and empowering citizens. Mobilizon allows for a federation of interconnected hosts that, by design, decentralize data concentration while permitting interactions between users across the federation. This group and event management tool has been designed by asking and considering the needs of mobilized citizens. 
It includes features that have since been implemented by mainstream social media as well (multiple profiles for each account), and does not reproduce mechanisms driven by the attention economy. As such, Mobilizon is not a social media platform; it does not pander to egos, but focuses on being a toolkit to manage communities. On top of the event publishing tool, it features a group discussion tool (akin to a minimalist forum), a group page management tool (that can be used as a one-page website), a group public and private posts tool (similar to a blog), and a group link directory (to organize links to online documents, resources, etc.). With this grant, Framasoft aims to improve Mobilizon's search results (within an instance as well as throughout the federation) and recommendations. We also want to help people find groups and events close to their interests or their location, as well as allow them to import their events from other platforms when possible (Facebook, MeetUp, etc.). >> Read more about Mobilizon MoboSearch — Providing an alternative view on the Android App ecosystem Mobile phones play a major role in our society, yet they still suffer from severe limitations in how they handle apps. As a result, most people are unaware of the dangers of privacy leaks and are typically offered very constrained search capabilities within one single source of information, the app store. MoboSearch is a new search engine and information portal for apps, empowering users beyond the existing app stores. The system exposes privacy and security information, like app permissions, and gives users new easy and flexible search capabilities that allow them to make an informed choice and increase people's awareness. Openness and interoperability ensure that the system can offer and receive data, so as to cooperatively enable a better and healthier app ecosystem. 
>> Read more about MoboSearch Mynij — Portable indexing and search engine for mobile People feel lost when their connection to the internet is cut. All of a sudden, they cannot search for some reference or quickly look up something online. At the other end, hundreds of millions of servers are 'always on', awaiting the user to come online. Of course, this is neither very resilient nor economic. And it is also not necessary. In the 60s, computers used to occupy a large room. Nowadays, with smartphones, they fit in your hand. A complete copy of the Web (10 PB) already fits on 100 SSDs of 100 TB occupying a volume similar to an original IBM PC. A partial copy of the Web optimised for a single person will thus soon fit on a smartphone. Mynij believes that Web search will eventually run offline for legal, technical and economic rationale. This is why it is building a general purpose Web search engine that runs offline and fits into a smartphone. It can provide fast results with better accuracy than online search engines. It protects privacy and freedom of expression against recent forms of digital censorship. It reduces the cost of online advertising for small businesses. It brings search algorithms and information presentation under end-user control. And you control its availability: as long as you have a copy and a working device, it can work. >> Read more about Mynij NEFUSI — NEFUSI: A novel NEuroFUzzy approach for semantic SImilarity assessment The challenge of determining the degree of semantic similarity between two expressions of a textual nature has become increasingly important in recent times. The great importance it has in many modern computing areas and the latest advances in neural computation have made the solutions better. 
NEFUSI (which stands for \"NEuroFUzzy approach for semantic SImilarity assessment\") aims to go a step further with the design and development of a novel neurofuzzy approach for semantic textual similarity based on neural networks and fuzzy logics. We intend to benefit from the outstanding capabilities of the latest neural models to work with text and, at the same time, from the possibilities that fuzzy logic offers to aggregate and decode numerical values in a personalized way. In this way, the project will build an approach intended to effectively determine the degree of semantic similarity of textual expressions with high accuracy in a wide range of scenarios concerning Search and Discovery. >> Read more about NEFUSI Namecoin: ZeroNet and Packaging — Make ZeroNet work with Namecoin Namecoin provides a decentralized naming system and trust anchor. Its flagship use-case is a decentralized top-level domain (TLD) which is the cornerstone of a domain name system that is resistant to hijacking and censorship. Among other things, this provides a decentralized trust anchor for Public Key Infrastructure that does not require third party trust. It operates independent from the DNSSEC root trust chain, and can thus offer additional security under some circumstances. ZeroNet is a decentralized web-like network of peer-to-peer users, which provides an alternative to TOR hidden services. In the project, Zeronet will be adapted to support a local Namecoin client, and provide additional assurances such as a Host Header-like mechanism to protect users from spoofing. Namecoin will be used as a human-readable naming layer for Tor onion services and ZeroNet sites. This eliminates the user problem of pseudorandom, unmemorable website addresses for onion services and ZeroNet sites, which can facilitate phishing attacks. 
>> Read more about Namecoin: ZeroNet and Packaging Namecoin: Core Infrastructure — Alternative domain name system Namecoin is a blockchain project that provides a decentralized naming system and trust anchor. Our flagship use-case is a decentralized top-level domain (TLD) which is the cornerstone of a domain name system that is resistant to hijacking and censorship. This project is meant to improve the security and usability of core components of Namecoin. >> Read more about Namecoin: Core Infrastructure neuropil — Privacy by design P2P search including IoT Neuropil is an open-source de-centralized messaging layer that focuses on security and privacy by design. Persons, machines, and applications first have to identify their respective partners and/or content before real information can be sent. The discovery is handled internally and is based on so called \"intent messages\" that are secured by cryptographic primitives. This project aims to create distributed search engine capabilities based on neuropil, that enable the discovery and sharing of information with significantly higher levels of trust and privacy and with more control over the search content for data owners than today's standard. As of now large search engines have implemented \"crawlers\", that constantly visit webpages and categorize their content. The only way to somehow influence the information that is used by search engines is by using a file called „robots.txt“. Other algorithms are only known to the search engine provider. By using a highly standardized \"intents\" format that protects the real content of users, this model is reversed: data owners define the searchable public content. As an example we seek to implement the neuropil messaging layer with its extended search capabilities into a standard web server to become one actor and to handle and maintain the search index contents of participating data owners. 
By using the Neuropil messaging layer it is thus possible to build a distributed search engine database that is able to contain and reveal any kind of information in a distributed, concise and privacy preserving manner, without the need for any central search engine provider. >> Read more about neuropil Nextcloud — Unified and intelligent search within private cloud data The internet helps people to work, manage, share and access information and documents. Proprietary cloud services from large vendors like Microsoft, Google, Dropbox and others cannot offer the privacy and security guarantees users need. Nextcloud is a 100% open source solution where all information can stay on premise, with the protection users choose themselves. The Nextcloud Search project will solve the last remaining open issue which is unified, convenient and intelligent search and discoverability of data. The goal is to build a powerful but user friendly user interface for search across the entire private cloud. It will be possible to select data by date, type, owner, size, keywords, tags and other metadata. The backend will offer indexing and searching of file based content, as well as integrated search for other contents like text chats, calendar entries, contacts, comments and other data. It will integrate with the private search capabilities of Searx. As a result the users will have the same powerful search functionalities they know and like elsewhere, but respecting the privacy of users and strict regulations like the GDPR. >> Read more about Nextcloud Nominatim — Multi-lingual support in address search Nominatim is an open-source geographic search engine (geocoder). It makes use of the data from OpenStreetMap to build up a database and API that allow users to search for any place on earth and look up addresses for any given geographic location. It is used as the main search engine on the OpenStreetMap website where it serves millions of requests per day but it can also be installed locally. 
You can easily set it up for a small country on your laptop. Nominatim has always aimed to be usable world-wide for any place in any language. To that end it has used generic, language-agnostic algorithms that assume a uniform data model. This has served us especially well while the OpenStreetMap database was in its early stages of development and changing fast. Now that it has matured, it is time to further improve the search experience by taking into account the particularities of different languages and the different practises when it comes to geographic addressing. We aim to restructure the part of the software that parses the place names and search queries to make it more configurable and make it easier to take into account languages and regional peculiarities. >> Read more about Nominatim Nyxt — A programmable browser with advanced search integration Nyxt is a new type of web browser designed to empower users to find and filter information on the Internet. Web browsers today, largely compete on performance in rendering, all whilst maintaining similar UIs. The common UI they employ is easy to learn, though unfortunately it is not effective for traversing the internet due to its limited capabilities. This presents itself as a problem when a user is trying to navigate the large amounts of data on the Internet and in their open tabs. To deal with this problem, Nyxt offers a set of powerful tools to index and jump around one's open tabs, through search results and the wider Internet. For example, Nyxt offers the ability for the user to filter and process their open tabs by semantic content search. Because each workflow and discipline is unique, the real advantage of Nyxt is in its fully programmable and open API. The user is free to modify Nyxt in any way they wish, even whilst it is running. 
>> Read more about Nyxt Nyxt — Browser integration of federated, distributed platforms Nyxt is a new type of web browser designed to empower users to find and filter information on the Internet. The information available to browsers is limited by the protocols they understand; the languages they speak. Most browsers only speak HTTP(S), a protocol designed for client/server interactions. In its latest generation, Nyxt plans to open up access to an Internet beyond HTTP, a larger, more decentralized Internet. The new versions of Nyxt will feature support for XMPP, ActivityPub, and IPFS. Together, these decentralized technologies will power much of the next generation of Internet technologies, and Nyxt will speak their language! >> Read more about Nyxt Open Know-How Search — Search Open Hardware Projects Open Know-How Search is a project to create a search engine for the open source hardware designs. We are building a modern, clean and accessible search experience for makers. Our index will span the entire internet and all existing ways to share designs. Users and platforms will be able to make use of the Open Know-How meta-data standard to help get their projects into the index and surface those that are in advanced stages of development and worth looking at and attempting to re-build. The front page and top results in the search will be a useful resource to someone looking for a new open source hardware project to build and contribute to. >> Read more about Open Know-How Search OSF Crawler Cooperation — Support Infrastructure for Open Search initiatives The Open Search Foundation (OSF) attempts to build a European main stream search engine alternative, under European regulations like privacy and fair participation. Our project builds on the foundations of that OSF search engine to be, in an attempt to combine existing crawling efforts of OSF participants. 
This is implemented on the real internet scale: petabytes of data, billions of webpages, a hundred million websites with terabytes of communication between the components per day. The scale and regulations call for a concept which has not been implemented before. Existing web-search related projects are invited to contribute their ideas into our larger concept, which could become not just an alternative for Google Search but also has many other uses - even in early stages. >> Read more about OSF Crawler Cooperation OpenStreetMap Speed Limits — Infer default speed limits for better quality OpenStreetMap-based routing OpenStreetMap (OSM) is the world's largest open geodata set, created and maintained collaboratively by millions of users. Of course there are many other purposes beyond creating a map, for instance finding the best route from A to B. Such usage needs to take into account incomplete data, as coverage of speed limits varies greatly across OSM. Currently, only about 12% of roads in OSM have speed limits set. However, default legal speed limits can often be inferred from other data, such as whether the road is within an urban zone, whether the carriageway is segregated, how many lanes it has, whether it is paved etc. The goal of this project is to extract the default speed limits for different road and vehicle types for all state legislations, map these to OSM and provide these in a machine-readable form so that it can be consumed by open source routing software such as GraphHopper, Valhalla or OSRM. Further, a reference implementation that interprets this data will be provided. >> Read more about OpenStreetMap Speed Limits Offen — Privacy-respecting site analytics Transparently handling data in the open creates mutual trust: Offen is a fair web analytics software that gives users insights into the data they are generating by giving them access to the same suite of analytics tools site operators themselves are using. 
One unique aspect of Offen is requiring user consent before collecting any data. Especially in countries that are governed by GDPR and its siblings this is a real world requirement for many websites. This is not only about collecting data, but also about embedding third party content or similar. Usage metrics come with explanations about their meaning, relevance, usage and possible privacy implications, and also details which kind of data is not being collected. Users can expect full transparency and are encouraged to make autonomous and informed decisions regarding the use of their data, and operators are being enabled to collect needed usage statistics while fully respecting their users' privacy and data. No user data is being collected until the user has explicitly opted-in. All data can be deleted either selectively or in its entirety by the users. >> Read more about Offen Omnom — Self-hosted bookmarking and snapshotting with search Omnom is a webpage bookmarking and snapshotting service. It consists of two parts, a web application which stores and serves the snapshots and the other part is a browser addon to create and save bookmarks. Snapshots created by Omnom are searchable, secure and exact copies of the rendered webpages, even with front-end heavy sites which require multiple actions to reach the relevant content. Omnom also provides functionality to tag bookmarks and highlight key information to be able to organize and efficiently search in your bookmarks and snapshots. Omnom is a self-hosted free software which can handle multiple users with their own private and publicly visible bookmarks & snapshots. Public bookmarks are available in various formats to support feed creation or programmatic processing. >> Read more about Omnom Personal Food Facts — Privacy protecting personalized information about food Open Food Facts is a collaborative database containing data on 1 million food products from around the world, in open data. 
This project will allow users of our website, mobile app and our 100+ mobile apps ecosystem, to get personalized search results (food products that match their personal preferences and diet restrictions based on ingredients, allergens, nutritional quality, vegan and vegetarian products, kosher and halal foods etc.) without sacrificing their privacy and having to send those preferences to us. >> Read more about Personal Food Facts Open Hospitality Network — Federated hospitality with ActivityPub Hospitality is part of human tradition, practiced long before any software infrastructure existed. People share with others their homes, and exchange life’s stories and adventures - often without even mention of money. The internet age allowed hosts and travelers from all around the world to find each other more easily, and spontaneous communities emerged online. Nowadays, many hospitality exchange platforms exist which help travelers and hosts find each other. Open Hospitality Network wants to unify hospitality exchange communities into one federated system conveniently serving travelers and hosts. We envision a variety of platforms to exist, united in diversity, where each of them is built around their own unique culture, yet they all communicate with each other in federation. We'd like them together to create a resilient ecosystem outlasting any particular founders and exchange platforms. Following a collaborative process, we are building software from the community for the community, software that on the one hand helps connect existing communities and on the other enables new federated communities to spring up and flourish. >> Read more about Open Hospitality Network Openki.net — Make local events and meetups discoverable How do you discover what you can learn from the people around you? How do you search what other people in the same region have to offer, like a training course or a debating event? Openki is an interface between technology and culture. 
It provides an interactive web platform developed with the goal to remove barriers for universal education for all. The platform makes it simple to organise and manage \"peer-to-peer\" courses. The platform can be self-hosted, and integrates with OpenStreetMap. At the moment Openki is focused on facilitating learning groups and workshops. The project will improve the tool, so it can be used not only to organise courses (with the collaboration of many different actors, in a more participatory way) but much more broadly, for bottom-up project initiation, for grassroots organizations and facilitating societal dialogue. >> Read more about Openki.net Owncast — ActivityPub powered Livecasting Owncast is a self-hosted, open source live streaming platform for people to easily host and manage their own live streams. It has become an increasingly popular option for many people to break away from the large centralized services. The project will add Fediverse (ActivityPub) integration in order to provide better means of discovery, increase engagement, and to have interoperability with other applications. The goal is for Owncast to become a fully fledged member of the Fediverse, focusing on people's streams being discovered with existing timelines and search indexes. This would allow people, for instance, to contribute comments directly from their own ActivityPub powered website or ActivityPub-powered link aggregators like Lemmy. >> Read more about Owncast P2Pcollab — Decentralised social search and discovery This project is working towards creating a more decentralized, privacy-preserving, collaborative internet based on the end-to-end principle where users engage in peer-to-peer collaboration and have full control over their own data, enabling them to collaborate on, publish & subscribe to content in a decentralized way, as well as to discover & disseminate content based on collaborative filtering, while allowing local, offline search of all subscribed & discovered content. 
The project is researching & developing P2P gossip-based protocols and implementing them as composable libraries and lightweight unikernels with a focus on privacy, security, robustness, and scalability. >> Read more about P2Pcollab PRESC Classifier Copies Package — Implementing Machine Learning Copies as a Means for Black Box Model Evaluation and Remediation The ubiquitous use over the Internet, and in particular in search engines, of often proprietary black-box machine learning models and APIs in the form of Machine Learning as a Service, makes it very difficult to control and mitigate their potential harmful effects (such as lack of transparency, privacy safeguards, robustness, reusability or fairness). Machine Learning Classifier Copying allows us to build a new model that replicates the decision behaviour of an existing one without the need of knowing its architecture nor having access to the original training data. A suitable copy allows to audit the already deployed model, mitigate its shortcomings, and even introduce improvements, without the need to build a new model from scratch, which requires access to the original data. This project aims to implement a practical solution of this innovative technique into PRESC, an existing free software tool for the evaluation of machine learning classifiers, so that classifier copies are automated and can be easily created by developers using machine learning, in order to reuse, evaluate, mitigate and improve black-box models, ensure a personal data privacy safeguard into their machine learning models, or for any other application. >> Read more about PRESC Classifier Copies Package The PeARS app — Building low-resource Web search applications from cognitive models It is widely believed that Web search engines require immense resources to operate, making it impossible for individuals to explore alternatives to the dominant information retrieval paradigms. 
The PeARS project aims at changing this view by providing search tools that can be used by anyone to index and share Web content on specific topics. The focus is specifically on designing algorithms that will run on entry-level hardware, producing compact but semantically rich representations of Web documents. In this project, we will use a cognitively-inspired algorithm to produce queryable representations of Web pages in a highly efficient and transparent manner. The proposed algorithm is a hashing function inspired by the olfactory system of the fruit fly, which has already been used in other computer science applications and is recognised for its simplicity and high efficiency. We will implement and evaluate the algorithm on the task of document retrieval. It will then be integrated into a Web application aimed at supporting the growing practice of 'digital gardening', allowing users to research and categorise Web content related to their interests, without requiring access to centralised search engines. >> Read more about The PeARS app PeerDB Search — Search for semantic and full-text data PeerDB Search is an opinionated but flexible open source search system incorporating best practices in search and user interfaces and experience to provide intuitive, fast, and easy to use search over both full-text data and semantic data exposed as facets. The goal of the user interface is to allow users without technical knowledge to easily find results they want, without having to write queries. The system will also allow multiple data sources to be used and merged together. As a demonstration PeerDB will deploy a public instance as a search service for Wikipedia articles and Wikidata data. >> Read more about PeerDB Search PeerTube — A decentralised streaming video platform PeerTube is a free, libre and federated video platform. 
Video is a very popular class of content and meanwhile accounts for a significant share of internet traffic, but the choice of hosting has a lot of implications - if you send your viewers to some proprietary platform because you want to avoid cost, what happens after they watch your video? And who watches them watch? PeerTube allows for a federation of interconnected hosts (so more choice of videos wherever you go to see them) while containing the risk of exposing users to profiling, algorithmic pressure that favors extreme content, censorship and other negative aspects of centralised services like YouTube or Vimeo. PeerTube implements the ActivityPub standard and works with peer-to-peer distribution - and therefore viewing. This means no slowing down when a video suddenly goes viral, and much lower distribution costs thanks to shared bandwidth. PeerTube aims to make it easier to host videos on the server side, while remaining practical, ethical and fun on the Internet user side. In this project, Framasoft will work on PeerTube 4.0 with interesting new features such as better search, live streaming, channel customisation and improved accessibility. >> Read more about PeerTube Extending PeerTube — Adding advanced search capabilities to PeerTube This project aims to extend PeerTube to support the availability, accessibility, and discoverability of large-scale public media collections on the next generation internet. Although PeerTube is technically capable of supporting the distribution of large public media collections, the platform currently lacks practical examples and extensive documentation to achieve this in a timely and cost-efficient way. 
This project will function as a proof-of-concept that will showcase several compelling improvements to the PeerTube software by [1] developing and demonstrating the means needed for this end by migrating a large corpus of open video content, [2] implementing trustworthy open licensing metadata standards for video publication through the PeerTube platform, [3] and emphasizing the importance of accompanying subtitle files by recommending ways to generate them. >> Read more about Extending PeerTube peermaps — Peer to peer cartography Peermaps is a p2p, offline-friendly way to distribute, view, and embed map data. Instead of fetching data from a centralized tile provider, you fetch data from other peers on the network. Right now we have all of OpenStreetMap processed into a 100GB archive in our p2p spatial database and rendering formats and seeded to hyperdrive and ipfs. This data is hooked up to a proof-of-concept web map viewer. For this grant, we will build on our proof-of-concept to release a user-oriented map viewer as a web application with search functionality on peermaps.org along with a developer-oriented tool to embed web maps in an iframe. In addition to (p2p) web development, this project will involve research on peer queries for offline and online location-based search, optimizations to the spatial database and p2p layer, webgl graphics improvements in addition to web development in order to produce a usable p2p mapping alternative. >> Read more about peermaps A Distributed Software Stack For Co-operation — Facilitating easy ad hoc cooperation Perspectives aims to be to co-operation, what ActivityPub is to social networks. It provides the conceptual building blocks for co-operation, laying the groundwork for a federated, fully distributed infrastructure that supports endless varieties of co-operation. 
The declarative Perspectives Language allows a model to translate instantly into an application that supports multiple users to contribute to a shared process, each with her own unique perspective. The project builds a reference implementation of the distributed stack that executes these models of co-operation, and makes the information concerned searchable. Real life is an endless affair of interlocking activities. Likewise, Perspectives models of services can overlap and build on common concepts, thus forming a federated conceptual space that allows users to move from one service to another as the need arises in a most natural way. Such an infrastructure functions as a map, promoting discovery, decreasing dependency on explicit search. However, rather than being an on-line information source to be searched, such as the traditional Yellow Pages, Perspectives models allow their users (individuals and organisations alike) to interact and deal with each other on-line. Supply-demand matching in specific domains (e.g. local transport) integrates readily with such an infrastructure. Other patterns of integrating search with co-operation support form a promising area for further research. >> Read more about A Distributed Software Stack For Co-operation PixelDroid — Share and browse photos in the fediverse with a mobile app PixelDroid is an Android client for Pixelfed, the federated image sharing platform based on W3C ActivityPub. Our goal is to bring the Pixelfed platform to Android and provide a mobile user experience that excites. We aim to provide feature-parity with the Pixelfed web client as well as add additional features - like image and video editing, capturing and uploading directly from the app. During the project we will also make it easy to use multiple accounts, even across different instances. Additionally, we want to contribute to the Pixelfed API with testing and additional documentation. 
>> Read more about PixelDroid Pixelfed Live — Live streaming and other Pixelfed enhancements Pixelfed is an open source and decentralised photo sharing platform, in the same vein as services like Instagram. The twist is that you can yourself run the service, or pick a reliable party to run it for you. Who better to trust with your privacy and the privacy of the people that follow you? The magic behind this is the ActivityPub protocol - which means you can comment, follow, like and share from other Pixelfed servers around the world as if you were all on the same website. Timelines are in chronological order, and there is no need to track users or sell their data. The platform has many features including Discover, Hashtags, Geotagging, Photo Albums, Photo Filters and a few still in development like Ephemeral Stories. After supporting development of social discovery and a mobile app, NGI Zero funds this project to add a much requested live streaming feature to Pixelfed. >> Read more about Pixelfed Live Pixelfed — ActivityPub driven decentralised photo sharing platform Pixelfed is an open source and decentralised photo sharing platform, in the same vein as services like Instagram. The twist is that you can yourself run the service, or pick a reliable party to run it for you. Who better to trust with your privacy and the privacy of the people that follow you? The magic behind this is the ActivityPub protocol - which means you can comment, follow, like and share from other Pixelfed servers around the world as if you were all on the same website. Timelines are in chronological order, and there is no need to track users or sell their data. The project has many features including Discover, Hashtags, Geotagging, Photo Albums, Photo Filters and a few still in development like Ephemeral Stories. The goal of the project is among others to solidify the technical base, add new features and design and build a mobile app that is compatible with Mastodon apps like Fedilab and Tusky. 
>> Read more about Pixelfed Plaudit — Make good science discoverable through endorsements Plaudit is open source software that collects endorsements of scholarly content from the academic community, and leverages those to aid the discovery and rapid dissemination of scientific knowledge. Endorsements are made available as open data. The NGI Search & Discovery Grant will be used to simplify the re-use of endorsement data by third parties by exposing them through web standards. >> Read more about Plaudit Poliscoops — Make political news and online debate accessible PoliFLW is an interactive online platform that allows journalists and citizens to stay informed, and keep up to date with the growing group of political parties and politicians relevant to them - even those whose opinions they don't directly share. The prize-winning political crowdsourcing platform makes finding hyperlocal, national and European political news relevant to the individual far easier. By aggregating the news political parties share on their websites and social media accounts, PoliFLW is a time-saving and citizen-engagement enhancing tool that brings the internet one step closer to being human-centric. In this project the platform will add the news shared by parties in the European Parliament and national parties in all EU member states, showcasing what it can mean for access to information in Europe. There will be a built-in translation function, making it easier to read news across country borders. PoliFLW is a collaborative environment that helps to create more societal dialogue and better informed citizens, breaking down political barriers. >> Read more about Poliscoops PrivateRecSys — Privacy-Friendly Recommendation System The use of recommender systems has grown significantly in recent years, with users receiving personalised recommendations ranging from products to buy, news to read, movies to watch, people to follow. 
At the same time, recommender systems have become extremely effective revenue drivers for online business. However, producing personalised recommendations requires collecting users’ data, which makes conventional recommenders effective at the cost of users' privacy. The PrivacyRecSys project aims to develop an open-source toolkit for delivering accurate recommendations while respecting users' privacy. The toolkit will consist of novel privacy-preserving recommender approaches, which modify the state-of-the-art recommender approaches by applying the principles of differential privacy, homomorphic encryption and federated learning. >> Read more about PrivateRecSys Private Searx — Add private resources to the open source Searx metasearch engine Searx is a popular meta-search engine letting people query third party services to retrieve results without giving away personal data. However, there are other sources of information stored privately, either on the computers of users themselves or on other machines in the network that are not publicly accessible. To share it with others, one could upload the data to a third party hosting service. However, there are many cases in which it is unacceptable to do so, because of privacy reasons (including GDPR) or in case of sensitive or classified information. This issue can be avoided by storing and indexing data on a local server. By adding offline and private engines to searx, users can search not only on the internet, but on their local network from the same user interface. Data can be conveniently available to anyone without giving it away to untrusted services. The new offline engines would let users search in local file systems, open source indexers and databases, all from the UI of searx. 
>> Read more about Private Searx Re-isearch — Vectorise text with a flexible unit of retrieval Project re-isearch: a novel multimodal search and retrieval engine using mathematical models and algorithms different from the all-too-common inverted index (popularized by Salton in the 1960s). The design allows it to have no limits on the frequency of words, term length, number of fields or complexity of structured data and to support even overlap, where fields or structures cross each other's boundaries (common examples are quotes, line/sentences, biblical verse, annotations). Its model enables a completely flexible unit of retrieval and modes of search. Initial project outcome: a freely available and completely open-source (and multiplatform) C++ library, bindings for other languages (such as Python) and some reference sample code using the library in some of these languages. >> Read more about Re-isearch Great OCR for SANE — Integrate OCR capabilities into open source scanning tools We have become dependent on search engines, allowing us to locate a document using some specific words across billions of webpages. However, not every document is born digital - or may reach the web via an indirect way. And users with for instance visual disabilities cannot read documents that are 'just' pixels. The SANE project is a collection of open-source scanner drivers and related software. SANE tools allow the users to convert their documents, photos and any other similar material from a completely unsearchable and non-discoverable analog form into a digital representation, which can be easily shared and distributed. The SANE-OCR project enables users to close the gap right at the stage when physical documents are converted from their incoming \"analog\" form to a searchable digital form - using a completely open-source stack. 
While the traditional result of scanning is just the visual image (essentially a photo), the result here in addition contains the text recognized using optical character recognition (OCR). This outputs documents which are searchable and discoverable. >> Read more about Great OCR for SANE SCION-RAINS — RAINS, Another Internet Naming Service (or, a DNS alternative) RAINS (which recursively stands for RAINS, Another Internet Naming Service) is an alternative name resolution protocol that has been designed with the aim to provide an ideal naming service for the SCION Internet architecture. SCION is one of the most ambitious and realistic alternative Internet architectures currently in play, and has interesting traits such as route control, failure isolation, multipath capabilities and explicit trust information for end-to-end communication. The RAINS architecture is simple but effective: while it resembles the architecture of DNS, it also benefits from being a clean-slate design and provides security across all TLDs - where DNS with DNSSEC fails to provide such capabilities across the board. RAINS, unlike DNS, has no relative clocks: the DNS TTL is replaced by the absolute validity timestamps on the signature. All records are signed. >> Read more about SCION-RAINS SCION-Pathdiscovery — Secure and reliable decentralized storage platform With the amount of downloadable resources such as content and software updates available over the Internet increasing year over year, it turns out not all content has someone willing to serve all of it up eternally for free for everyone. And in other cases, the resources concerned are not meant to be public, but do need to be available in a controlled environment. In such situations users and other stakeholders themselves need to provide the necessary capacity and infrastructure in another, collective way. This of course creates new challenges. 
Unlike a website you can follow a link to or find through a standard search engine and which you typically only have to vet once for security and trustworthiness, the distributed nature of such a system makes it difficult for users to find the relevant information in a fast and trustworthy manner. One of the essential challenges of information management and retrieval in such a system is the location of data items in a way that the communication complexity remains scalable and a high reliability can be achieved even in case of adversaries. More specifically, if a provider has a particular data item to offer, where shall the information be stored such that a requester can easily find it? Moreover, if a user is interested in a particular information, how does he discover it and how can he quickly find the actual location of the corresponding data item? The project aims to develop a secure and reliable decentralized storage platform enabling fast and scalable content search and lookup going beyond existing approaches. The goal is to leverage the path-awareness features of the SCION Internet architecture to use network resources efficiently in order to achieve a low search and lookup delay while increasing the overall throughput. The challenge is to select suitable paths considering those performance requirements, and potentially combining them into a multi-path connection. To this end, we aim to design and implement optimal path selection and data placement strategies for a decentralized storage system. >> Read more about SCION-Pathdiscovery Geographic tagging of Routing and Forwarding — Geographic tagging and discovery of Internet Routing and Forwarding SCION is the first clean-slate Internet architecture designed to provide route control, failure isolation, and explicit trust information for end-to-end communication. 
As a path-based architecture, SCION end-hosts learn about available network path segments, and combine them into end-to-end paths, which are carried in packet headers. By design, SCION offers transparency to end hosts with respect to the path a packet travels through the network. This has numerous applications related to trust, compliance, and also privacy. By better understanding of the geographic and legislative context of a path, users can for instance choose trustworthy paths that best protect their privacy. Or avoid the need for privacy intrusive and expensive CDN's by selecting resources closer to them. SCION is the first to have such a decentralised system offer this kind of transparency and control to users of the network. >> Read more about Geographic tagging of Routing and Forwarding SWH package manager Data Ingestion — Add Package managers to Software Heritage Software Heritage's ambition is to collect, preserve, and share all software that is publicly available in source code form. In this project we improve the SWH scanner tool which compares any set of files with the SWH archive. This is very useful for detecting license violations or security issues. The goal of the project is to take the scanner from a research prototype to a widely available and usable tool. This involves work around its packaging, user interface, robustness and performance. We will be re-purposing the advanced graph-comparison algorithm from the Mercurial DVCS to minimize the load to the SWH archive. We will also expand the list of existing source code origins we will create new listers and loaders for Maven, Go, Packagist, RubyGems, Bower, CPAN and pub.dev/Dart package managers. >> Read more about SWH package manager Data Ingestion Storing Efficiently Our Software Heritage — Faster retrieval within Software Heritage Software Heritage (https://www.softwareheritage.org) is the single largest collection of software artifacts in existence. 
But how do you store this in a way that you can find something fast enough, taking into account that these are billions of files with a huge spread in file sizes? \"Storing Efficiently Our Software Heritage\" will build a web service that provides APIs to efficiently store and retrieve the 10 billion small objects that today comprise the Software Heritage corpus. It will be the first implementation of the innovative object storage design that was designed in early 2021. It has the ability to ingest the SWH corpus in bulk: it makes building search indexes an order of magnitude faster, helps with mirroring etc. The project is the first step to a more ambitious and general purpose undertaking allowing to store, search and mirror hundreds of billions of small objects. >> Read more about Storing Efficiently Our Software Heritage Adera — Relevant scientific research results The project summary for this project is not yet available. Please come back soon! >> Read more about Adera SEARXR — Virtual reality for web search SearXR brings a beautiful, privacy-respecting search to 2D and 3D devices. Why? Because searching on alternative devices (VR headsets, conference-presentation) is not always easy nor private. SearXR aims to provide alternative search interfaces which are more appropriate for VR, AR and big screens. SearXR aims to progressively enhance these search experiences: better screen-layout, privacy, and WebXR compatibility. All features are based on user preferences and available hardware. Built upon SearX and W3C's WebXR technology, it will enable everybody to search, or add XR-features to their SearX instance. Whether it be state of the art headsets, or a 65” screen: pointing the browser to a SearXR-instance will immediately launch a wonderful, privacy-respecting search experience. 
>> Read more about SEARXR searx — A privacy-respecting, hackable metasearch engine Searx (/sɜːrks/) is a free metasearch engine, available under the GNU Affero General Public License version 3, with the aim of protecting the privacy of its users. Across all categories, Searx can fetch and combine search results from more than 80 different engines. This includes major commercial search engines like Bing, Google, Qwant, DuckDuckGo and Reddit, as well as site-specific searches such as Wikipedia and Archive.is. Searx is a self hosted web application, meaning that every user can run it for themselves and others - and add or remove any features they want. Meanwhile, numerous publicly accessible instances are hosted by volunteer organizations and individuals alike. The project will consolidate the many suggestions and feature requests from users and operators into the first full-blown release (1.0) for Searx, as well as spend the necessary engineering effort in making the technology ready for even wider deployment. >> Read more about searx Dynamic indexing for real time graph database — Provide faster query results through algorithmic preprocessing Based is an open source real time data platform with a suite of features that help developers build more performant applications faster and with more flexibility. It’s built on a self-developed real time graph database and the WebSocket protocol to ensure performance and scaling. One of the features is an automatic indexing system that keeps track of frequently performed queries by monitoring a set of (real time) parameters and assigning values to queries, that in turn inform which parts of the graph to index. This index has to work with the Based real time graph database and optimise its performance, which means the index also has to be aware of any changes in schema structure or updates in indexed data. This is achieved through the existing subscription engine in Based. 
Our hope is that this project can lay the groundwork for more efficient indexing systems for all graph databases. >> Read more about Dynamic indexing for real time graph database SensifAI — AI driven image tagging Billions of users manually upload their captured videos and images to cloud storages such as Dropbox, Google Drive and Apple iCloud straight from their camera or phone. Their private pictures and video material are subsequently stored unprotected somewhere else on some remote computer, in many cases in another country with quite different legislation. Users depend on the tools from these service providers to browse their archives of often thousands and thousands of videos and photo's in search of some specific image or video of interest. The direct result of this is continuous exposure to cyber threats like extortion and an intrinsic loss of privacy towards the service providers. There is a perfectly valid user-centric approach possible in dealing with such confidential materials, which is to encrypt everything before uploading anything to the internet. At that point the user may be a lot more safe, but from now on would have a hard time locating any specific videos or images in their often very large collection. What if smart algorithms could describe the pictures for you, recognise who is in it and you can store this information and use it to conveniently search and share? This project develops an open source smart-gallery app which uses machine learning to recognize and tag all visual material automatically - and on the device itself. After that, the user can do what she or he wants with the additional information and the original source material. They can save them to local storage, using the tags for easy search and navigation. Or offload the content to the internet in encrypted form, and use the descriptions and tags to navigate this remote content. Either option makes images and videos searchable while fully preserving user privacy. 
>> Read more about SensifAI Simmel — A wearable contact tracing beacon/scanner Simmel is a platform that enables COVID-19 contact tracing while preserving user privacy. It is a wearable hardware beacon and scanner which can broadcast and record randomized user IDs. Contacts are stored within the wearable device, so you retain full control of your trace history until you choose to share it. The Simmel design is open source, so you are empowered to audit the code. Furthermore, once the pandemic is over, you are able to recycle, re-use, or securely destroy the device, thanks to the availability of hardware and firmware design source. The contact tracing algorithm is programmed using CircuitPython, to facilitate ease of code audit and community participation. The Simmel project does not endorse a specific contact tracing platform, but it is inherently not compatible with contact tracing proposals that rely on the constant upload of data to the cloud. >> Read more about Simmel Software Heritage — Collect, preserve and share the source code of all software ever written Software Heritage is a non profit, multi-stakeholder initiative with the stated goal to collect, preserve and share the source code of all software ever written, ensuring that current and future generations may discover its precious embedded knowledge. This ambitious mission requires to proactively harvest from a myriad source code hosting platforms over the internet, each one having its own protocol, and coping with a variety of version control systems, each one having its own data model. This project will amongst other help ingest the content of over 250000 open source software projects that use the Mercurial version control system that will be removed from the Bitbucket code hosting platform in June 2020. 
>> Read more about Software Heritage Solid Application Interoperability — Solid Application Interoperability specification details how Agents in the Solid ecosystem can read, write, and manage data stored in a Solid pod using disparate Applications, either individually or in collaboration with other Agents. Solid is a specification that lets people store their data securely in decentralized data stores called Pods. Pods are like secure personal web servers for data. When data is stored in someone's Pod, they control which people and applications can access it. Solid was initiated and is currently led by the inventor of the World Wide Web, sir Tim Berners-Lee. Solid Application Interoperability provides clear way to create intuitive data boundaries and higher level patterns to manage access to that data following the principle of least privilege. Specification is accompanied by a primer and sample implementations. >> Read more about Solid Application Interoperability Solid-NextCloud app — Bridge Nextcloud to Solid This project connects the world of Solid with the world of Nextcloud. The aim is to develop an open source Nextcloud app that turns a Nextcloud server into a spec-compliant Solid server. It gives every user a WebID profile and allows Solid apps to store data on the user's Nextcloud account. It also exposes some of the user's existing Nextcloud data like contacts and calendar events as Solid user data, so that Solid apps can interact with the user's Nextcloud data, and allow the user to manage which Solid apps can access which specific aspects of the user's personal data. We will make our implementation compatible with the latest version of the Solid spec (including DPop tokens and the WebSockets AUTH command), and contribute the surface tests we create for this as a well-documented independent test-suite, for other Solid server implementers to benefit from. 
We will also publish a stand-alone version of our PHP components, which can run independently of Nextcloud. >> Read more about Solid-NextCloud app Solid-Search — Queries in a pod Solid-Search aims to provide an open source module that adds full-text search functionality to Solid pods. Solid is an emergent specification initiated by the inventor of the World Wide Web, sir Tim Berners-Lee. Solid aims to decentralize the web by decoupling applications from databases by introducing Solid Pods (personal online datastores that are in full control of the data owner). Having a way to search through your personal data on your Solid Pod is a must-have for the project to become truly successful. However, this requires technology that does not exist yet: a full-text search interface that works with schema-less RDF data. In order to maximize adoption and retain a modular, open approach, we will standardize the way in which data changes are described. By doing so, it will be relatively easy to introduce new search / query systems (such as search by location). The project will create the open source search back-end, improve linked data synchronisation specs, link the module to two solid implementations, create a front-end for end-users, and write a tutorial for adding data sources. >> Read more about Solid-Search Solid Application Interoperability — Solid Application Interoperability specification details how Agents in the Solid ecosystem can read, write, and manage data stored in a Solid pod using disparate Applications, either individually or in collaboration with other Agents. Solid is a specification that lets people store their data securely in decentralized data stores called Pods. Pods are like secure personal web servers for data. When data is stored in someone's Pod, they control which people and applications can access it. Solid was initiated and is currently led by the inventor of the World Wide Web, sir Tim Berners-Lee. 
Solid Application Interoperability provides clear way to create intuitive data boundaries and higher level patterns to manage access to that data following the principle of least privilege. In this follow up project there is a focus on implementing the Authorization Agent service in TypeScript. It will also work on the SAI specification, which needs to provide more details on how the agent who receives access grant gets updated when the access grant is replaced by a new one. The Authorization Agent service will also implement server to server subscription type developed in the Solid Authentication panel. >> Read more about Solid Application Interoperability Sonar: a modular peer-to-peer search engine — Modular peer-to-peer search engine Sonar is a project to research and build a toolkit for decentralized search. Currently, most open-source search engines are designed to work on centralized infrastructure. This proves to be problematic when working within a decentralized environment. Sonar will try to solve some of these problems by making a search engine share its indexes incrementally over a P2P network. Thereby, Sonar will provide a base layer for the integration of full-text search into peer to peer/decentralized applications. Initially, Sonar will focus on integration with a peer-to-peer network (Dat) to expose search indexes securely in a decentralized structure. Sonar will provide a library that allows to create, share, and query search indexes. An user interface and content ingestion pipeline will be provided through integration with the peer to peer archiving tool Archipel. 
>> Read more about Sonar: a modular peer-to-peer search engine sourcehut — Graph query support for software development platform SourceHut is a free-software platform providing infrastructure for free-software projects, providing hosted repositories, mailing lists, bug trackers, real-time chat tools, and continuous integration infrastructure, among other services, and facilitating collaboration and project discovery via a federated project index. SourceHut focuses on performance, accessibility, and robustness, and since 2018 has provided a reliable platform supporting the thousands of FOSS projects that depend on its services. The NLnet project will expand the integration between SourceHut services, and between SourceHut and independently operated third-party services, primarily through the development of a comprehensive federation of GraphQL APIs. >> Read more about sourcehut Spritely — Capability based petname system Users are currently caught between two worlds of identity solutions: prepackaged centralized identity silos (which also tend to be very phishing-vulnerable) and more decentralized naming systems that awkwardly separate the experience of secure connections from identity. What if instead users could have an experience where decentralized naming was a natural outgrowth of using the application? Spritely is a laboratory project to advance the decentralized social web founded by authors of the popular ActivityPub federated social web protocol. Spritely's approach to decentralized naming systems is to implement a \"petnames system\", where local meaning is given to \"petnames\" to otherwise non-human-meaningful decentralized identifiers (such as a hash of cryptographic key material). An important part of this design is that decentralized naming flows should be a natural part of use of the program. 
Petnames tend to resemble local contacts in a \"contact list\", but petnames on their own do not provide a sufficient way to discover, meet, and come to trust new contacts. A complete petname system also provides \"edge names\": for example \"CWebber=>JessicaTallon\" would show JessicaTallon as an \"edge name\" proposed by the petname CWebber. Our system also provides support for contacts introduced in a context with no existing relationships; these are called \"self-proposed names\" and are rendered in a way distinct from petnames and edge names. This has been under-implemented in existing petname systems; since Spritely is implementing decentralized communication systems, this will be a full implementation of a petname system (including edge names and self-proposed names) in an ergonomic manner that can also be applied to other decentralized systems. In addition to a specification, the project will deliver a usable chat application plus contact list. >> Read more about Spritely StreetComplete — Fix open geodata with OpenStreetMap The project will make collecting data for OpenStreetMap easier and more efficient. OpenStreetMap is the best source of information for general purpose search engines that need geographic data about locations and properties of various objects. The objects vary from cities and other settlements to shops, parks, roads, schools, railways, motorways, forests, beaches etc etc etc. The search engine can use the data to answer queries such as \"route to nearest wheelchair accessible greengrocer\", \"list of national parks near motorways\" or \"London weather\". The full OpenStreetMap dataset is publicly available under an open license and already used for many purposes. Improving OSM increases quality of services using open data rather than proprietary datasets kept as a trade secret by established companies. 
>> Read more about StreetComplete StreetComplete — Collaborative editing in OpenStreetMap StreetComplete is a mobile app that makes it easy and fun to contribute to OpenStreetMap while out and about. OpenStreetMap is the largest open data community about maps, and the go-to source for free geographic data when doing a location-based search. This project focuses on making the collection of data to be used in a search more powerful and efficient. More specifically, the main goals are to add the possibility to collect more data with an easy interface and to add a new view in which it shall be more efficient to complete and keep up-to-date certain types of data, such as housenumbers or cycleways. >> Read more about StreetComplete StreetComplete UX — Improve usability of StreetComplete OpenStreetMap is the best source of information for general purpose search engines that need geographic data about locations and properties of various objects. The objects vary from cities and other settlements to shops, parks, roads, schools, railways, motorways, forests, beaches, etc. The search engine can use the data to answer queries such as \"route to nearest wheelchair accessible greengrocer\", \"list of national parks near motorways\" or \"London weather\". The full OpenStreetMap dataset is publicly available under an open license and is already used for many purposes. The project will make collecting open data for OpenStreetMap easier and more efficient, and lower the threshold for contribution by improving usability and accessibility. Any user should be able to help improve OpenStreetMap data, simply by downloading the app from F-droid or Google store and mapping as they walk. >> Read more about StreetComplete UX URL Frontier 2.0 — Enterprise features for URLFrontier URLFrontier provides a crawler-neutral API and service implementation for a crawl frontier, which can power various web crawlers independently from their implementation language and scalability. 
This API defines the operations that a web crawler typically performs when communicating with a web frontier, e.g. get the next N URLs to crawl, update the information about URLs already processed, change the crawl rate for a particular hostname, get the list of active hosts, get stats, etc. The aim of this project is to turn what is currently a working piece of software (the result of an earlier grant from NGI Zero Discovery) into an enterprise-grade solution. The improvements will mainly concern the service implementation, e.g. monitoring/reporting, clustering/discovery and robustness/resilience. The project will improve the usability of the system by adding configurable logging and metrics reporting, improve the performance of the service for very large volumes of data by adding efficient parallelization across multiple nodes, and improve the overall robustness through more graceful failure modes and more efficient restarts. >> Read more about URL Frontier 2.0 URL Frontier — Develop an API between web crawler and frontier Discovering content on the web is possible thanks to web crawlers. Luckily there are many excellent open source solutions for this; however, most of them have their own way of storing and accessing the information about the URLs. The aim of the URL Frontier project is to develop a crawler-neutral API for the operations that a web crawler performs when communicating with a web frontier, e.g. get the next URLs to crawl, update the information about URLs already processed, change the crawl rate for a particular hostname, get the list of active hosts, get statistics, etcetera. It aims to serve a variety of open source web crawlers, such as StormCrawler, Heritrix and Apache Nutch. The outcomes of the project are to design a gRPC schema, then provide a set of client stubs from the schema as well as a robust reference implementation and a validation suite to check that implementations behave as expected. 
The code and resources will be made available under Apache License as a sub-project of crawler-commons, a community that focuses on sharing code between crawlers. One of the objectives of URL Frontier is to involve as many actors in the web crawling community as possible and get real users to give continuous feedback on our proposals. >> Read more about URL Frontier variation graph (vgteam) — Privacy enhanced search within e.g. genome data sets Vgteam is pioneering privacy-preserving variation graphs, which make it possible to capture complex models and aggregate data resources with formal guarantees about the privacy of the individual data sources from which they were constructed. Variation graphs relate collections of sequences together as walks through a graph. They are traditionally applied to genomic data, where they support the compression and query of very large collections of genomes. But there are many types of sensitive data that can be represented in a variation graph form, including geolocation trajectory data - the trajectories of individuals and vehicles through transportation networks. Epidemiologists can use a public database of personal movement trajectories to do, for instance, geophylogenetic modeling of a pandemic like SARS-CoV2. The idea is that one cannot see individual movements, but rather large scale flows of people across space that would be essential for understanding the likely places where an outbreak might spread. This is essential information to understand at scientific and political level how to best act in case of a pandemic, now and in the future. The project will apply formal models of differential privacy to build variation graphs which do not leak information about the individuals whose data was used to construct them. 
For genomes, the techniques allow us to extend the traditional models to include phenotype and health information, maximizing their utility for biological research and clinical practice without risking the privacy of participants who shared their data to build them. For geolocation trajectory data, people can share data in the knowledge that their social graph is not exposed. The tools themselves are not limited to the above use cases, and open the doors to many other types of applications both online (web browsing histories, social media usage) and offline. >> Read more about variation graph (vgteam) Web Annotation — Building blocks for interoperable annotation systems The idea of web annotation is to support the creation and exchange of annotations on any visited page, thereby enabling people to make, share, and discover corrections, rebuttals, side-notes, or other contextually relevant resources. Using the W3C’s Web Annotation standard, and contributing to the incubating Apache Annotator project, this project works on modules and tools that facilitate a diverse ecosystem of interoperable annotation systems. >> Read more about Web Annotation WebXray Discovery — Expose tracking mechanism in search hubs WebXray intends to build a filter extension for the popular and privacy-friendly meta-search Searx that will show users what third party trackers are used on the sites in their results pages. Full transparency of what tracker is operated by what company is provided to users, who will be able to filter out sites that use particular trackers. This filter tool will be built on the unique ownership database WebXray maintains of tracking companies that collect personal data of website visitors. Mapping the ownership of tracking companies which sell behavioural profiles of individuals is critical for all privacy and trust-enhancing technologies. 
Considerable scrutiny is given to the large players who conduct third party tracking and advertising whilst little scrutiny is given to large numbers of smaller companies who collect and sell unknown volumes of personal data. Such collection is unsolicited, with invisible beneficiaries. The ease and speed of corporate registration provides the opportunity for data brokers to mitigate their liability when collecting data profiles. We must therefore establish a systematic database of data broker domain ownership. The filter extension that will be the output of the project will make this ownership database visible and actionable to end users, and to curate the crowdsourced data and add it to the current database of ownership (which is already comprehensive, containing detailed information on more than 1,000 ad tech tracking domains). >> Read more about WebXray Discovery XWiki — Bring wiki capabilities into the Fediverse XWiki is a modern and extensible open source wiki platform. Up until now, XWiki had been focusing on providing the best collaboration experience and features to its users. We're now taking this to the next level by having XWiki be part of the larger federation of collaboration and social software (a.k.a. fediverse), thus allowing users to collaborate externally. XWiki is embracing the W3C ActivityPub specification. Specifically we're implementing the server part of the specification, to be able to both view activity and content happening in external services inside XWiki itself and to make XWiki's activity and content available from these other services too. A specific but crucial use case, is to allow content collaboration between different XWiki servers, sharing content and activity. >> Read more about XWiki WikiRate Insights — Transforming WikiRate ESG Platform User Experience to Maximise Reliable Data Insights For too long actionable data about the behavior of companies has been hidden behind the paywalls of commercial data providers. 
As a result only those with sufficient resources were able to advocate and shape improvements in corporate practice. Since launching in 2016, WikiRate.org has become the world’s largest open source registry of ESG (Environmental, Social, and Governance) data with nearly 1 million data points for over 55,000 companies. Through the open data platform anyone can systematically gather, analyze and discuss publicly available information on company practices, joining current debates on corporate responsibility and accountability. By bringing this information together in one place, and making it accessible, comparable and free for all, we aim to provide society with the tools and evidence it needs to spur corporations to respond to the world's social and environmental challenges. Homing in on the usability of the platform, this project will tackle some of the most crucial barriers for users when it comes to gathering and extracting the data, whilst boosting reuse of the open source platform for other purposes. >> Read more about WikiRate Insights WikiRate Insights 2 — Dedicated text search architecture for environmental, social and corporate governance platform The project summary for this project is not yet available. Please come back soon! >> Read more about WikiRate Insights 2 WordPress ActivityPub — Bring ActivityPub social networking to the widely used WordPress WordPress ActivityPub is a plugin that allows your site users to interact with other users in the fediverse. Currently the plugin supports Follows by remote users, sending out public posts to followers, and receiving remote users' public Comments on local posts. This project will develop features allowing for a richer and more typical social experience with Direct messages, Followers only posts, and Threaded comments to and from the fediverse. Moderation tools will be included and user privacy features will also be developed. 
>> Read more about WordPress ActivityPub XWiki ActivityPub — First class ActivityPub support in XWiki XWiki is a modern and extensible open source wiki platform. XWiki is the first wiki that is part of the larger federation of collaboration and social software (a.k.a. fediverse), allowing users to collaborate externally. XWiki is embracing the W3C ActivityPub specification. Specifically we're implementing the server part of the specification, to be able to both view activity and content happening in external services inside XWiki itself and to make XWiki's activity and content available from these other services too. A specific but crucial use case, is to allow content collaboration between different XWiki servers, sharing content and activity. >> Read more about XWiki ActivityPub YaCy Grid SaaS — YaCy Grid Search-as-a-Service creates document crawling indexing functionality for everyone. Users of this new platform will be able to create their custom search portal by defining their own document corpus. Such a service is an advantage as a privacy or branding tool, but also allows scientific research and annotation of semantic content. User-group specific domain knowledge can be organized for custom applications such as fueling artificial intelligence analysis. This should be a benefit i.e. for private persons, journalists, scientists and large groups of people in communities like universities and companies. Instances of the portal should be able to self-support themselves financially: there is turn-key infrastructure to handle payments for crawling/indexing amounts as a subscription on a periodical basis while search requests are free for everyone. The portal will consist of free software, and users can download the portal software itself together with the acquired search index data - so everyone can start running a portal for themselves whenever they want. 
>> Read more about YaCy Grid SaaS ZetaOffice — Encrypted collaborative editing in the browser ZetaOffice is an online open source office application based on LibreOffice, the leading implementation of the ISO/IEC 26300 OpenDocument Format standard. It can run fully client-side inside a regular browser - meaning you can view and edit office documents without an install required. This provides the technical foundations to support true P2P editing of complex office documents. The ability to remove the entire dependency on a server means that document collaboration is moving towards zero-knowledge implementations – where no single-point of architectural failure exists and no data is required to sit unencrypted on a non-user owned (or trusted) server instance. This would allow ZetaOffice in the future to provide end-to-end encryption – both for the peer2peer use case, as well as securely keeping documents encrypted when at rest. That means data is safe when the user is disconnected, whether it is stored on an untrusted server or in the local Web storage. >> Read more about ZetaOffice dweb-search — Index DHT based distributed webs dweb-search is a Free and Open Source (FOSS) search engine for directories, documents, videos, music on the Interplanetary Filesystem (IPFS), supporting the creation of a decentralized web where privacy is possible, censorship is difficult, and the internet can remain open to all. This project implements a publicly accessible IPFS thumbnail service and creates a UI specifically to explore music or videos. >> Read more about dweb-search elRepo.io - Resilient, distributed content sharing — Resilient, human-centered, distributed content sharing and discovery. In this project AlterMundi and NetHood collaborate to develop a critical missing part in decentralized and distributed p2p systems: content search. 
More specifically, this project will implement advanced search for elRepo.io, the self-hosted and distributed culture-sharing platform currently under active development by AlterMundi and partners. Search functionalities will expand on the already proven coupling of the libxapian searching and indexing library and turtle routing. The distributed search functionality will be implemented to be flexible and modular. It will become the meeting point of three complementary threads of on-going work: Libre technology and tools for building Community Networks (LibreRouter & LibreMesh), fully decentralized, secure and anonymous Friend2Friend software (Retroshare), and a transdisciplinary participatory methodology for local applications in Community Networks (netCommons). >> Read more about elRepo.io - Resilient, distributed content sharing fediverse.space — Find your way in the Fediverse Fediverse.space is a tool for understanding decentralized social networks, and searching through them. The fediverse, or federated universe, is the set of social media servers, hosted by individuals across the globe, forming a libre and more democratic alternative to traditional social media. When displaying these servers in an intuitive visualization, clusters quickly emerge. For instance, servers with the same primary language will be close to each other. There are more subtle groupings, too: topics of discussion, types of users (serious vs. ironic), and political leanings all play a role. fediverse.space aims to be the best tool for understanding and discovering communities on this emerging social network. >> Read more about fediverse.space fwupd — Automatic Firmware updates for BSD operating systems Security holes in the equipment we run are discovered all the time, and firmware is continuously upgraded as a result. But how do users discover what they need to upgrade to protect themselves? 
The goal of the \"fwupd/LVFS integration in the BSD distributions\" is to reuse the effort done by the fwupd/LVFS project and make it available in the BSD-based systems as well. fwupd has been available on Linux-based systems since 2015. It is an open-source daemon for managing the installation of firmware updates from LVFS. The LVFS (Linux Vendor Firmware Service) is a secure portal which allows hardware vendors to upload firmware updates. Over the years, some major hardware vendors (e.g. Dell, HP, Intel, Lenovo) have been uploading their firmware images to the LVFS so they can be later installed on the Linux-based systems. The integration of fwupd in the BSD-based systems would allow reusing the well-established infrastructure so more users can take advantage of it. >> Read more about fwupd Handling Data from IPv6 Scanning — Scanning tools for scaling up IPv6 scans Scanning is state of the art to discover hosts on the Internet. Today’s scanning relies on IPv4 and simply probes all possible addresses. But global IPv6 adoption will render brute-forcing useless due to the sheer size of the IPv6 address space, and demands more sophisticated ways of target generation. Our team developed such an approach that generally makes it possible to probe all subnets in the currently deployed IPv6 Internet within reasonable time. Positive responses are however scarce in the IPv6 Internet; thus, we include error messages in our analysis as they provide meaningful insight into the current deployment status of networks. First experiments covering only parts of the Internet were promising and at least 5% of our probes trigger error messages. However, a full scan would lead to approx. 10^14 responses causing Petabytes of data, and demands an adequate solution of data handling. In this project, we will develop a data storage and analysis solution for high-speed IPv6 scanning. 
It will process the high amount of received data concurrently with scanning, and provide continuous results while scanning for long periods. This effort enables full scans of the IPv6 Internet. >> Read more about Handling Data from IPv6 Scanning Minedive — P2P search over webRTC The minedive project is building several components: first, minedive is a browser extension aiming to allow users to search the web while preserving their anonymity and privacy. The second is an open source reference implementation of its rendez-vous server. minedive instances connect each-other (via WebRTC data channels) forming a two layered P2P network. The lower layer (L1) provides routing, the upper layer (L2) provides anonymous and encrypted communication among peers acting as a MIX network. This architecture guarantees that peers which know your IP address (L1) do not know search data for (L2) and vice-versa. A central (websocket) rendez-vous server is needed to find and connect with L1 peers, and to exchange keys with L2 peers, but no search goes through it. We are running a default server which can be overridden by users who want to run their own (using our reference implementation or a custom one). Users can also set the extension to pick peers from a given community (identified by an opaque tag). Currently all requests are satisfied by letting L2 peers return results from the 1st page of mainstream search engines (as they see it, in an attempt to escape the search bubble). While this will stay as a fallback, we plan to implement web crawling on peers, doing keyword extraction from URLs in local bookmarks and history and ranking with open algorithms, being transparent with users about which techniques are used and open to suggestions. >> Read more about Minedive Software vulnerability discovery — Automating discovery of software update and vulnerabilities nixpkgs-update automates the updating of software packages in the nixpkgs software repository. It is a Haskell program. 
In the last year, about 5000 package updates initiated by nixpkgs-update were merged. This project will focus on two improvements: One, developing infrastructure so that the nixpkgs-update can run continuously on dedicated hardware to deliver updates as soon as possible, and Two, integrating with CVE systems to report CVEs that are addressed by proposed updates. I believe these improvements will increase the security of nixpkgs software and the NixOS operating system based on nixpkgs. >> Read more about Software vulnerability discovery openEngiadina — Platform for creating, publishing and using open local knowledge OpenEngiadina is developing a platform for open local knowledge - a mashup between a semantic knowledge base (like Wikipedia) and a social network using the ActivityPub protocol. openEngiadina is being developed with small municipalities and local organizations in mind, and wants to explore the intersection of Linked Data and social networks - a 'semantic social network'. openEngiadina started off as a platform for creating, publishing and using open local knowledge. The structured data allows for semantic queries and intelligent discovery of information. The ActivityPub protocol enables decentralized creation and federation of such structured data, so that local knowledge can be created by independent actors in a certain area (e.g. a music association publishes concert location and timing). The project aims to develop a backend allowing such a platform, research ideas into user interfaces and strengthen the ties between the Linked Data and decentralized social networking communities. >> Read more about openEngiadina Privacy Preserving Disease Tracking — Research into contact tracing privacy In case of a pandemic, it makes sense to share data to track the spread of a virus like SARS-CoV2. 
However, that very same data when gathered in a crude way is potentially very invasive to privacy - and in politically less reliable environments can be used to map out the social graph of individuals and severely threaten civil rights, free press. Unless the whole process is transparent, people might not be easily convinced to collaborate. The PPDT project is trying to build a privacy preserving contact tracing mechanism that allows to notify users if they have come in contact with potentially infected people. This should happen in a way that is as privacy preserving as possible. We want to have the following properties: the users should be able to learn if they got in touch with infected parties, ideally only that - unless they opt in to share more information. The organisations operating servers should not learn anything besides who is infected, ideally not even that. The project builds a portable library that can be used across different mobile platforms, and a server component to aggregate data and send this back to the participants. >> Read more about Privacy Preserving Disease Tracking Search and Displace — Find and redact privacy sensitive information The goal of this project is to establish a workflow and toolchain which can address the problem of mass search and displacement for document content where the original documents are in a range of forms, including a wide variety of digital document formats, both binary and more modern compressed XML forms, and potentially even encompassing older documents where the only surviving form is printed or even handwritten. The term \"displacement\" is meant to encompass actions taken on the discovered content that are beyond straight replacement, including content tagging and redaction, as well as more complex contextual and user-refined replacement on an iterative basis. It is assumed that this process will be a server application with documents uploaded as needed, on either an individual or bulk upload basis. 
The solution would be built in a modular fashion so that future deployments could deploy and/or modify only the parts needed. In practical terms this involves the creation of an open source tool chain that facilitates searching for private and confidential content inside documents, for instance attachments to email messages or documents that are to be published on a website. The tool can subsequently be used for the secure and automated redaction of sensitive documents; building this as a modular solution enables it to be used “standalone” with a simple GUI, or used via command line, or embedded within 3rd party systems such as document management systems, content management systems and machine learning systems. In addition a modular approach will facilitate the use of the solution both with different languages (natural and programming) and different specialities e.g. government archives, winning tenders, legal contracts, court documents etc. >> Read more about Search and Displace Free Software Vulnerability Database — A resource to aggregate software updates \"Using Components with Known Vulnerabilities\" is one of the OWASP Top 10 Most Critical Web Application Security Risks. Identifying such vulnerable components is currently hindered by data structure and tools that are (1) designed primarily for commercial/proprietary software components and (2) too dependent on the National Vulnerability Database (from US Dept. of Commerce). With the explosion of Free and Open Source Software (FOSS) usage over the last decade we need a new approach in order to efficiently identify security vulnerabilities in FOSS components that are the basis of every modern software system and applications. And that approach should be based on open data and FOSS tools. 
The goal of this project is to create new FOSS tools to aggregate software component vulnerability data from multiple sources, organize that data with a new standard package identifier (Package URL or PURL) and automate the search for FOSS component security vulnerabilities. The expected benefits are to contribute to the improved security of software applications with open tools and data available freely to everyone and to lessen the dependence on a single foreign governmental data source or a few foreign commercial data providers. >> Read more about Free Software Vulnerability Database ","title":"NGI Zero Discovery","url":"https://nlnet.nl/thema/NGIZeroDiscovery.html"},{"title":"NGI Zero Core","url":"https://nlnet.nl/thema/NGIZeroCore.html","description":" NGI Zero Core NGI0 core is a grant programme funding projects moving the internet forward, at the architecture level and above, as part of the Next Generation Internet initiative of the European Commission. For a more complete description see the home page of the fund: NGI Zero Core. This page contains a concise overview of projects funded by NLnet foundation that belong to NGI Zero Core (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. The internet was never designed with our modern usage in mind. Important decisions that shaped how the internet works today were made in the distant past, and we continue to run into the consequences — cascading effects and limited resilience, scalability issues, lack of strong privacy and security and a blind spot for energy efficiency. These may have seemed less important at the time, but currently they certainly are not, and we need to act. 
NGI Zero Core is an ambitious grant programme led by NLnet as part of the Next Generation Internet initiative, which focuses on moving the internet forward according to the vision of a resilient and trustworthy technology stack that empowers users, and grants everyone full autonomy. All projects become available under a free and open source license so you will be able to study, use, modify and share everything with anyone you want! The programme is no longer accepting new applications, but you can propose a project within one of our other funds! Interested in applying for a grant yourself? Check our active theme funds, such as NGI Zero Commons Fund, NGI Fediversity or NGI TALER. Applications to this particular fund are currently closed and no new projects are accepted for now. Donate to help us fund more projects like these. 0WM — Measure and visualize Wi-Fi coverage Wi-Fi coverage is key in corporate and BYOD environments, as the mobility offered by wireless protocols often outweighs criteria such as speed and stability, offered by wired alternatives. These criteria are however critical to guarantee a suitable quality of service, and reliable options to help network operators are scarce and unaffordable to small organizations. 0WM will provide feature-rich tools to produce quality coverage maps, leveraging affordable COTS components, to quickly and efficiently identify coverage problems affecting end users. >> Read more about 0WM Hardware 2D graphics engine — Additional functionality and better performance for FPGA-based 2D video controller This project is to develop hardware accelerated 2D display controller boards for easily adding interactive user interfaces to single-purpose industrial and commercial machines. Traditionally, to make stand-alone machines and systems (i.e. 
not based on PCs but on custom computing boards), if developers need to provide a high-resolution graphical user interface (GUI) they are offered only two inconvenient options: use a complex system like a Linux-capable single board computer, or limit performance to low resolutions that are unsuitable for medium to large displays. The latter case simply prevents successfully marketing those products, while the former requires a high degree of qualifications in embedded systems development, where the requirements are simple products like signage systems or vending machines. The controller boards (CPU and FPGA based, released as open hardware) are capable of loading previously stored images (lossy or lossless), plus movies, fonts and other resources required. The drawing commands are implemented with hardware acceleration on the FPGA board, using a custom C-to-hardware tool: CflexHDL, making it possible to use a fully open-source toolchain. Interactivity is achieved by the use of a USB host capable of handling mouse, keyboards and touchscreens. Displays of multiple kinds are supported by the use of PCB adapters, including: Analog VGA, DVI protocol (compatible with HDMI monitors), LVDS for direct connection to laptop replacement displays, among other options. The controllers can be used stand-alone (like a development platform) or be controlled by other systems like Arduino or similar boards. >> Read more about Hardware 2D graphics engine Firmwire full-system 5G baseband emulation — Easier testing of 5G baseband modems with FirmWire FirmWire is an open source full-system baseband firmware emulation framework for emulating, fuzzing, debugging, and root-cause analysis of smartphone baseband firmware. This project builds upon the framework to support newer, 5G capable, smartphones. Baseband processors are used in all modern smartphones for cellular network connectivity and are a remote attack surface. As such, baseband security is of utmost importance. 
Baseband firmware is complex, proprietary, and lacks public scrutiny. Emulation and reverse engineering are among the few public ways to analyze baseband processors. These efforts will provide more transparency in baseband firmware and improve the community’s ability to analyze 5G security through emulation and fuzzing. Additionally, the reverse engineering efforts could aid in developing better open source drivers in the future. >> Read more about Firmwire full-system 5G baseband emulation AI Horde — Collaborative infrastructure for running generative AI models The AI Horde is a crowdsourced, free, libre and open sourced service with the aim to truly democratise access to Generative AI. It supports both generating text via Large Language Models and images via Stable Diffusion via a simple REST API, allowing everyone to integrate this technology into any product. One of the biggest challenges with Generative AI is the amount of resources required to run even simple models, leaving the vast majority of humanity without access to this technology. The AI Horde delivers a groundbreaking smart-queuing clearing house where enthusiasts can volunteer their idle compute for everyone in the world to generate images or text without any further commitments or budget. >> Read more about AI Horde AlekSIS: Integration and Communication — SCIM, timetables and other features for AlekSIS AlekSIS is a free school information system that helps with school organisation as an interactive web application. It is a central platform for students, teachers, and parents to manage any information related to everyday school life. The software's functions include lesson planning, creating timetables, managing absences and substitution planning, the digital class register, inventory management, payment systems, and student ID cards. AlekSIS is completely modular and can therefore be flexibly adapted to individual needs. 
Within this grant, the goal is to improve and add integrations with other software, make the timetable and substitution planning easier by providing assistance tools, integrate parents in daily school workflows and provide advanced attendance tracking. Additionally the aim is to get rid of several legacy technologies and update all AlekSIS apps to a more modern technology stack, and improve documentation and demo data accordingly. >> Read more about AlekSIS: Integration and Communication Alive2 — Translation validation for LLVM Modern compilers, such as LLVM, perform advanced optimizations to improve performance and reduce binary size of programs. However, getting these optimizations correct is very challenging: there are many corner cases, tricky issues with undefined behavior, modular arithmetic, and so on. On the other hand, programs rely on compilers being correct. A single bug in the compiler may introduce security vulnerabilities in the compiled programs. Alive2 aims to solve this issue by verifying that LLVM is correct. It is an indispensable tool for compiler developers and for anyone that wishes to validate the compilation of their program. >> Read more about Alive2 Arcan-A12 Directory — Server side scripting API for Arcan's directory server A12 is an explorative p2p protocol for fast and secure remote application interactions. Current desktop protocols are locked inside the constraints of their origins, and most of these have significant security and privacy issues. As a result, we've come to depend heavily on web frontends as the universal desktop application corset - which in return has caused a massive complication and overloading of the browser. A12 establishes a secure and interconnected network of personal compute devices, includes peer-to-peer channels and cryptography components. This project adds a directory server that can be used as a trusted 3rd party rendezvous to establish such channels. 
It will expand the scripting API towards writing assistive 'apps' that can complement or split the workload handled on client devices; provide state synchronization and indexing/search between dynamic mesh networks created by linking directory servers together; dynamically launch and attach controlled sources. >> Read more about Arcan-A12 Directory Arcan-A12 Tools — A12 clients for different platforms and devices such as drawing tablets The interaction patterns with our compute devices have switched from \"one device - multiple users\" over to \"one user - multiple devices\" and this new reality requires a shift in how user personal data is shared and synchronised between their devices. A12 is a network protocol designed to establish a secure and highly interconnected network of personal compute devices that has been developed as part of a larger Arcan umbrella project. The protocol includes peer-to-peer channels and cryptography components. This follow-up project sets out to implement lightweight applications that will be capable of networking over the A12 protocol to enable remote control, sensor and screen sharing, file sharing, notification sharing and enable other personal data flows. The end goal is convenience of having interconnected devices without sacrificing privacy and performance. >> Read more about Arcan-A12 Tools Automerge — Add Merkle Search Tree support to Automerge Automerge is a CRDT library for building local-first collaboration software, allowing several users to concurrently edit a file, both in real-time and offline. It is currently optimized for working on a single document; this project aims to improve Automerge's support for synchronizing large collections of documents across multiple devices (for example, all of a user's notes in a note-taking app). 
The challenges here are efficiently determining which documents need to be synced, syncing multiple documents in parallel, giving users a progress indicator during large data transfers, and making the protocol efficient in terms of computation, memory, and bandwidth. Our protocol will be compatible with both client-server and peer-to-peer synchronization. >> Read more about Automerge Interpretation feature for Big Blue Button — Adding translator streams for live interpretation to BBB conference software BigBlueButton is one of the leading open source videoconference solutions. The project will add support for simultaneous interpretation to BigBlueButton. Participants of a meeting will be able to choose the language they would like to listen to. Interpreters can choose which language they listen to and into which language they interpret. The solution can be combined with classical radio setups for interpretation already used in grassroot events to enable interpretation in hybrid situations. >> Read more about Interpretation feature for Big Blue Button Detecting Forged-Origin BGP hijacks — Probabilistic detection of BGP hijacking Hackers often exploit vulnerabilities in BGP, the primary inter-domain routing protocol (essentially the “glue” that connects all networks on the Internet), to hijack Internet traffic. Our project builds on our work in detecting forged-origin BGP hijacks, a specific type of BGP hijack that remains unaddressed by recent cryptographic efforts aimed at securing BGP. Our objective is to enhance the accuracy of our detection system, which relies on a probabilistic model to compensate for the lack of cryptographic tools, ensuring that no attack goes unnoticed. Additionally, we plan to share our data and improve access to our inferences by developing APIs. This will enable both network operators and the research community to benefit from our findings and apply them to improve the security of their networks. 
>> Read more about Detecting Forged-Origin BGP hijacks BIDS: Binary Identification of Dependencies with Search — Identify known open source elements present in binaries Embedded device firmware is assembled from many FOSS package dependencies. Knowing which dependencies have been used is essential for security and licence compliance. However this is a complex task for native ELF binaries built from languages such as C/C++ that do not have package managers for metadata and simpler conventions for bytecode like Java or Python. The BIDS (Binary Identification of Dependencies with Search) project will build a tool (in Python) to analyse ELF binaries and find dependencies contained and built in these binaries. The BIDS project will deliver tooling to analyse ELF binaries and extract key features and store these for indexing, tooling to index these binary features in a search engine using inverted indexing, and a query tool and library to process large binaries to query this inverted index. The latter will return results as lists of ranked FOSS packages and files found to be present in the analysed binary. The data and tools will also be packaged to allow for further integration and reuse by other FOSS tools and analysis pipelines. >> Read more about BIDS: Binary Identification of Dependencies with Search Back2Source next — Better matching of binaries with source code Sometimes, the released binaries of an open source package do not match its source code. Or the source code does not match the code in a version control repository. There are many reasons for this discrepancy, but in all cases, this is a potentially serious issue as the binary cannot be trusted. Additional (or different) code in the binary could be malware or a vector for unknown software vulnerabilities, or create FOSS license compliance issues. 
\"Back to source\" creates analysis pipelines in ScanCode.io to systematically map and cross-reference the binaries of a FOSS package to its source code and source repository and report discrepancies. We call this the deployment to development analysis (d2d) to map deployed code (binaries) to the development code (the sources) and we enable applying this \"trust but verify\" approach to all the binaries. >> Read more about Back2Source next Blitz - a modular web renderer — Rust-based browser engine Blitz is a new independent web engine implemented in Rust. Its flexible low-level APIs make it suitable for a wide variety of use cases: web browsers, application runtimes, ebook rendering, email rendering, rendering HTML to image, etc. And its uniquely modular architecture allows it to share much of its code with other projects which it is hoped will lead to a more sustainable development model. This project aims to bring Blitz “up to scratch” for the use-case of being an HTML/CSS browser (JavaScript support is not in scope). Use cases that are being targeted include: browsing Wikipedia, viewing news websites, and searching using a search engine. The work to be completed includes improvements to the layout engine, implementation of form controls, adding WPT testing infrastructure, and the creation of an initial browser UI. >> Read more about Blitz - a modular web renderer BrowserAudit — Test common security standards and features in browsers The web depends on security standards to safeguard your data as you navigate online. The effectiveness of your browser in protecting this data depends on how well it implements these standards. BrowserAudit is a free, open-source tool designed to assess your browser’s compliance with common security protocols. By running hundreds of tests, it generates a detailed report highlighting the strengths and weaknesses of your browser's security. 
This report can help you select a more secure browser, notify developers of potential issues, or, if you’re a developer, address these vulnerabilities directly. >> Read more about BrowserAudit Tracing and rebuilding packages — Improved metadata/provenance for build artifacts For many end users the smallest unit of software is the \"package\": a collection of programs and configuration files bundled in a single file, typically shipped as a single archive. Examples are \"util-linux\", \"glibc\", \"bash\", \"ffmpeg\" and so on. Open source distributions install packages using their package management systems. The package management system writes the contents of a package to disk when the package is installed or updated and removes the contents if the package is removed. The packages themselves contain metadata maintained by the distribution maintainers. This information includes the name of the package, project URL, description, dependency information and license information, etc. This granularity can be too coarse. For example, the license information is aggregated at the package level. If there are separate files that are under different licenses, then this will not always be clear from the license information at the package level. This project will make it easier to understand by looking at what goes into each individual binary in a package, and assign metadata to the individual binaries instead of to a package. It will do so by tracing the build of a package and recording which files are actually used. By building packages in a minimal (container) environment, capturing the build trace, processing the build trace to see exactly what goes into which binary, it becomes much easier to zoom in and answer specific questions such as \"what license does this binary have\" or \"which binaries use vulnerable file X\" and combining it with efforts like VulnerableCode and PurlDB. 
>> Read more about Tracing and rebuilding packages CAKE-MAINT — Improve network queue management algorithms on Linux With the wider and wider adoption of the fq_codel (RFC8290) and cake codebases in shipping products, many issues in the field have been discovered, and features to address them proposed but not mainlined into Linux (or the BSDs). This project intends to tighten up the corner cases, fix up multiple observed problems, and add some needed new features if possible, as well as take a stab at addressing the biggest observed problem in the field for cake - not scaling shaping well to ever more popular multi-core routers. In addition the project will work on a new release of babeld, the reference implementation of RFC 8966 (Babel Routing Protocol) and on standardisation of Sroam, a protocol for WiFi roaming. >> Read more about CAKE-MAINT CRAVEX integration — Integrated vulnerability exploitability management CRAVEX makes it easier for any organization to efficiently comply with the emerging CRA. The solution is based on the AboutCode stack of open source tools, but no solution is an island. This project integrates CRAVEX with other tools to better orchestrate software supply chain and compliance automation, including: packaging for Linux distributions to maximize the ease of deployment, business systems to create tailored SBOMs and VEX, other FOSS SCA tools to accommodate different software stacks, CI/CD pipelines with scripts and workflows to improve usability, and container cluster analysis to allow users to point to a Kubernetes cluster to collect and scan all the images, and then detect vulnerabilities. The CRAVEX Integration project orchestrates the different tools critical for practical and efficient software supply chain management and compliance automation processes. >> Read more about CRAVEX integration CRAVEX 2 Code Reachability — Do vulnerable dependencies actually impact security or not? 
CRAVEX makes it easier for any organization to efficiently comply with the emerging CRA. CRAVEX collects, tracks, and triages FOSS package vulnerabilities, determines their exploitability in a portfolio of software products and projects, and provides reporting with SBOMs and VEX statements to share with stakeholders. CRAVEX 2 enables CRAVEX users to triage vulnerabilities faster and more efficiently with automation and more accurate vulnerability data. An integrated, rule-based system automatically filters or reranks the vulnerabilities in the context of the managed application, system or device. This will integrate the emerging SSVC scoring for decision trees-driven automation. Vulnerable code \"reachability\" determines if the code impacted by a CVE is present, used, and exploitable. It will integrate and extend the features of NGI0-funded and FOSS projects, such as BANG. With increased automation and more accurate data, CRAVEX 2 further facilitates CRAVEX users' ability to efficiently manage vulnerabilities towards CRA compliance. >> Read more about CRAVEX 2 Code Reachability Cartes — Modern web map application with transit support Cartes.app is a modern web map application. Cartes (which means maps in French) provides a universal interface for mobile and desktop: a simple URL lets the user open or share the map of a place with friends. This fills the gap of the \"online\" experience of proprietary offerings such as Google and Apple Maps. It leverages state of the art open-source libraries to offer a rich feature set including transit and itinerary plans, address search and place categories, to name a few. In addition to data from OpenStreetMap (OSM) Cartes also draws from other public data sources to deliver a complete experience: transit data sets, Panoramax street level imagery, Wikimedia, etc. Cartes runs its own hosted tile layers. 
In the scope of this grant, the project will tackle internationalisation of the user interface, enable editing and reviewing places, add satellite tiles, live transit data, low-carbon itineraries as well as perform a variety of other performance and feature improvements. >> Read more about Cartes COCOLIGHT — Lightweight version of Communecter COmmunecter is an open source social and societal platform. COCOLIGHT is a low-tech, lightweight client able to connect to any COmmunecter server, allowing both read and contribution modes. Easy to install, fully ActivityPub compliant, federating organizations, events, projects and open badges. It allows creating networks of many COPI instances interconnected together and exchanging information and data. >> Read more about COCOLIGHT Cross-root ARIA — Standardisation for Accessibility when using Shadow DOM ARIA is a technology used by developers to add accessibility attributes to web-based user interfaces. Web Components are a set of tools which allow developers to create components which can be used in a framework-independent way across different websites. Due to the way Web Components provide encapsulation, using Shadow DOM, some parts of ARIA have become incompatible with Web Components. This project will contribute to ongoing efforts to provide web developers with mechanisms to make these technologies work together. Our goal is to contribute to the relevant specifications, as well as implementing and shipping the proposed solution in one additional browser. >> Read more about Cross-root ARIA CryptoLyzer IKE — Add IKE protocol to CryptoLyzer protocol analyser CryptoLyzer is a cybersecurity tool that can analyze the cryptography-related settings of clients and servers in the case of several different protocols. 
The tool’s primary purpose is to support end users as well as system administrators, security engineers, auditors, etc., in their work by telling them the details of the currently applied setting and informing them about the potential weaknesses and vulnerabilities. Unlike many other notable free software projects that focus on just one protocol family, CryptoLyzer wants to be as comprehensive as possible. Internet Key Exchange or IKE (RFC 7296) lies at the heart of IPsec. IKE performs mutual authentication between two parties and establishes an IKE Security Association (SA) that includes shared secret information that can be used to efficiently establish SAs for Encapsulating Security Payload (ESP) [ESP] or Authentication Header (AH) [AH] and a set of cryptographic algorithms to be used by the SAs to protect the traffic that they carry. The project will allow users to analyze a security protocol that is widely used in critical infrastructure, and which cannot be analyzed by any of the current tools, at least not ones that are publicly available for users. >> Read more about CryptoLyzer IKE Darkstar — Open source vulnerability management solution Build an open source, self hostable, commercial grade attack surface management/vulnerability management solution, for web, network, agent based and cloud security. Our idea is to build a self hostable (container based) vulnerability management solution, which allows companies and people worldwide to monitor their security through finding vulnerabilities. The main focus lies on creating the basic features that are required for a functional vulnerability management solution: on demand scanning, reporting, prioritization, scanning internal networks via container appliances you can place on your network, scanning external attack surface (web security scanning/DAST), network based external security scanning and agent-based vulnerability management. 
>> Read more about Darkstar DataLab — Scientific platform for signal and image processing + visualisation DataLab is an open-source scientific platform for processing and visualizing 1D signals and 2D images for research, education and industry. It provides powerful, validated computing capabilities with a focus on extensibility, automation, and interoperability. The project aims to refactor DataLab’s core architecture by decoupling its computational engine from the graphical interface, creating a new standalone, reusable library. This modular approach will improve scalability, facilitate integration with third-party tools, and lay the foundation for future expansions, such as a web-based frontend. By enhancing flexibility and sustainability, DataLab seeks to serve a broader research and engineering community. >> Read more about DataLab Diesel — Safe and performant query builder and ORM written in Rust Diesel is a safe and performant query builder and ORM written in Rust. It aims to eliminate security issues like SQL injections by providing a type safe domain specific language to express your SQL query as Rust code. This enables checking the query at compile time to turn insecure or otherwise invalid SQL queries into compile time errors. As part of this project we want to extend Diesel to provide built-in support for `WINDOW` functions, to enable the usage of secure and type safe queries in more places. >> Read more about Diesel Draupnir — Moderation bot for Matrix servers Draupnir is a comprehensive moderation bot for room moderators using Matrix (the open source decentralized instant messaging protocol). Draupnir assists room moderators in managing their community and provides continuous protection from spam and harmful content. This is done by utilising sharable and interoperable policy lists that allow different communities to work together to combat new threats. 
Draupnir also provides a plugin system that can adapt Draupnir to the different needs of every community. Our ongoing efforts to further modularise Draupnir's code base in the interests of maintainability should provide groundwork for future Trust & Safety related projects in the Matrix ecosystem. >> Read more about Draupnir Open source ESP32 802.11 MAC — Open source wifi drivers for ESP32 The ESP32 is a low-cost microcontroller with Wi-Fi connectivity. Currently, the Wi-Fi MAC layer of the ESP32 is closed-source. This project aims to change that: by reverse engineering the hardware registers and software, we can build a networking stack that is open-source up to the hardware, instead of having to use the proprietary MAC layer. This will improve security auditability, open up the possibility for features not supported in the proprietary implementation (for example, standards-compliant mesh networking), improve interoperability and make research into Wi-Fi networks with lots of nodes more affordable. >> Read more about Open source ESP32 802.11 MAC Email <=> XMPP gateway — Bridge instant messaging with email Libervia is a versatile communication ecosystem offering features like instant messaging, blogging, event planning, photo albums, file sharing, audio/video calls, and more. It can additionally function as an XMPP component, providing server-side features. This initiative focuses on creating an Email <=> XMPP gateway, enhancing file management for attachments, transforming mailing list threads into interactive, forum-style discussions with modern elements such as tags and mentions, and ensuring support for end-to-end encryption. The Libervia interface will also see improvements for a better user experience, with clear indicators of message origins and security status. 
This gateway is a move toward unifying various communication methods within single clients, following Libervia's philosophy as seen with its ActivityPub <=> XMPP gateway and is in harmony with other projects like Slidge, Spectrum 2, or Biboumi. With the introduction of this component, not only will Libervia's functionality be elevated, but it will also equip other XMPP ecosystem projects with the ability to connect their users with the email world, fostering deeper integration of XMPP across the spectrum of communication tools. >> Read more about Email <=> XMPP gateway Encaya — TLS interop with alternative/decentralised CA mechanisms Public certificate authorities as used by the TLS ecosystem play a critical role, but the fact that there are many such authorities forms a security liability. DANE (DNS-Based Authentication of Named Entities) provides a complementary mechanism that provides an additional check on top of the public CA's through DNS; it is yet to see meaningful adoption by major TLS implementations. Encaya is a compatibility layer that provides DANE-like functionality in TLS implementations that don't support DANE. It is used in production by Namecoin, an alternative decentralized naming system. By only replacing the root CA list rather than the entire TLS stack, Encaya achieves considerably smaller attack surface than other similar compatibility layers. This grant covers efforts to improve Encaya's scalability, standardize its behavior, and extend its usage beyond Namecoin. >> Read more about Encaya EventFahrplan — User-friendly mobile event app EventFahrplan is a privacy-friendly app for attending conferences and events running on Android phones and tablets. The development of the project happens continuously by staying up-to-date with new technologies and Android versions, adding useful features and fixing bugs. 
It offers a convenient overview of event schedules and valuable features and integrations such as organizing favorite sessions, setting alarms, sharing session details and providing direct feedback. Offline functionality is built-in and automatic updates ensure that the latest program is always available. Within the scope of this grant, the migration from legacy UI to Compose UI is completed, support for new Android versions is added and a number of accessibility and user experience improvements are made. On top of this some new functionality is added, such as predefined filter options to ease finding sessions, favorites and improved integration with Engelsystem. >> Read more about EventFahrplan Exter — Proxy-based external browser extensions Exter is a web based plugin platform which allows addons to alter website behavior/style/functionality. Instead of trusting the browsers' plugin ecosystem, let's modify the websites before browsers receive them! The goal of this project is to provide a stable and free website-extension-platform to allow future proof and flexible addon development. As a web application, Exter opens URLs, rewrites the static content and injects client scripts to wrap default javascript functions, applies addons, then sends the sanitized/modified website to the browser. This way we have the ability to write plugins that can intercept/modify not only HTTP requests, but even client side functionalities, such as sanitizing 3rd party content or appending new DOM elements to the website or altering cookie handling from javascript and much more. >> Read more about Exter FOSS Warn — Aggregate source of emergency alerts The FOSS Public Alert Server lets clients receive push notifications (via UnifiedPush) about official emergency alerts worldwide. Besides infrastructure like sirens, radio, and Cell-Broadcast, CAP (Common Alerting Protocol) alerts are another way of alerting the public. CAP alerts are used for a wide variety of emergencies. 
From alerts about extreme weather to alerts about contaminated drinking water to pandemics. Our server bundles over 280 official CAP alert publishers worldwide and can easily extend to more sources. This project aims to bundle the underlying alerting infrastructure into a single trustworthy source of information, not to replace it. Having a shared global public source of information reduces the user's dependency on local emergency apps - which are often only available for the two largest mobile platforms. Furthermore such a converged effort makes it much simpler to develop clients for devices other than cell phones (like desktop PCs or smart speakers). Thirdly it can make traveling safer. Finding and installing the right local emergency apps to receive emergency alerts when traveling is quite the hurdle. With our solution, it would suffice to install one app for the world. One such app is FOSS Warn, an Android app that for now receives alerts for Germany and Switzerland. Within this project, FOSS Warn will be extended to work worldwide with the new server infrastructure. >> Read more about FOSS Warn FPGA-ISP-UVC-USB2 — Open hardware FPGA-based USB webcam The USB UVC project is designed to create an innovative and adaptable webcam that easily connects to any laptop, providing high-quality video without the need for special drivers. Unlike ordinary USB webcams that often come with proprietary software and limited functionality, this project aims to deliver a flexible, open-source solution that can be tailored and improved by anyone. The webcam will offer superior video quality with features like automatic brightness adjustment, color correction, and real-time video compression, making it ideal for video calls, streaming, and other visual applications. By focusing on open-source principles, this project ensures that the technology is accessible, modifiable, and transparent, allowing for continuous community-driven enhancements. 
This project stands out because it is not locked into proprietary ecosystems, offering users greater control and flexibility over their hardware. It can work with a wide range of computer models, providing a versatile tool for both personal and professional use. Additionally, the open-source nature of the project means that it can be continuously improved and customized by developers around the world, fostering innovation and collaboration. >> Read more about FPGA-ISP-UVC-USB2 FastScan — Performance improvements for ScanCode Toolkit/ScanCode.io ScanCode is a powerful free and open source software composition analysis (SCA) code scanner. It can be used to analyze a complete virtual machine image, or a single application package with customizable pipelines. It integrates into DevOps workflows with comprehensive APIs, and helps to generate correct SBOMs. It can be used with all programming languages and environments. One weakness so far has been throughput. ScanCode could be much faster, and this is the topic of this grant: it improves the performance for both ScanCode Toolkit and ScanCode.io. By profiling ScanCode.io performance and identifying hotspots and issues using benchmarks, and subsequently improving performance in a targeted manner this project stands to make software composition analysis easier and more accessible. >> Read more about FastScan Feather UI — Declarative cross-platform UI toolkit Feather is a universal UI library that applies user inputs to application state, and maps application state to an interactive visualization using a custom graphics rendering language capable of compiling to arbitrary GPU code or vectorized CPU code. By building on top of a well-typed graphics abstraction, it is possible to make custom shaders \"write once, run anywhere\" with confidence and no overhead. 
This allows the creation of UI Fragments, which no longer need to be built on top of a library of UI widget elements, allowing the creation of arbitrarily complex UI elements that are no longer bound to traditional widget designs. This level of abstraction allows targeting anything from embedded devices to webpages, or even mixed-reality devices. >> Read more about Feather UI Fediverse Test Framework — Test bench for ActivityPub implementations The Fediverse consists of individual servers, possibly running different software, that talk to each other. One of the challenges in developing for the Fediverse is to stay interoperable with all the different deployed software. As the message format standard, ActivityStreams, is extensible through JSON-LD, judging how a message is parsed, can be a hard task. By using ideas from automated testing, we provide an application that determines a baseline how messages are processed and rendered. The process being simply: run end to end tests and record their result. From the test results a webpage is generated that provides developers the information how a message is rendered in different applications. We aim to make the framework extensible so new applications can be included. >> Read more about Fediverse Test Framework Fediverse Test Suite — Interoperability effort for W3C ActivityPub The Fediverse is a global, standards-based, decentralized social network accessible to all and not subject to algorithmic manipulation or platform surveillance. While best known for Mastodon, an open-source alternative to X/Twitter, it already successfully connects dozens of independently developed software applications running on tens of thousands of independently operated servers and implementing feature sets that go far beyond traditional social networking. 
To enable even more innovative developers to successfully connect their applications to the Fediverse, and their users to successfully interoperate with users using different software, it needs to become much simpler and cost-effective for developers to 1) know that they have implemented the relevant standards (notably ActivityPub) correctly, that their implementation is not regressing and that 2) their software indeed delivers the experience users expect from interoperability with other software developed independently by other developers. This project brings together a group of fediverse developers to set up an automated test framework and initial test cases in an open-source project that will systematically test standards conformance, ensure meeting user expectations for interoperability of Fediverse apps, and enable a new wave of innovation based on more trustworthy infrastructure. >> Read more about Fediverse Test Suite Enhancing Firefox for Linux on Mobile — Mobile native feature-complete Firefox Enhancing Firefox for Linux on Mobile aims to offer a privacy respecting alternative to Chromium-based browsers by improving the user experience (UX) of Firefox on small form factor devices (mobile, tablet) running Linux. We will update the Firefox codebase, primarily the user interface (UI) and the rendering engine. Additionally, we will collaborate with Mozilla to ensure that our modifications are included in Firefox to reduce the maintenance burden by sharing a common codebase across the different projects. As a side effect, our modifications will benefit all Firefox Desktop users including Windows when the Firefox application window is not maximized. >> Read more about Enhancing Firefox for Linux on Mobile Flashkeeper — Write Protection on SOIC-8 flash chips without soldering Firmware security projects such as Heads assume the firmware itself to be protected against tampering. 
Outside of proprietary solutions such as Boot Guard, partial write protection (WP) of the SPI flash chip (recently implemented by 3mdeb) is one solution. However, WP requires grounding the chip's WP pin, something that currently requires users to solder to the chip. As many users find this difficult, this has limited \"retrofit\" adoption of WP. This project is developing Flashkeeper, a device that can be permanently installed on a common SOIC-8 flash chip. It attaches to the chip with a peel-and-stick layer and spring-loaded contacts or low-profile solder-down flex cable, interfacing with the SPI flash pins for easy write protection and external reprogramming (unbricking). For users concerned with physical attacks on their systems, for whom easy access to SPI flash pins may be seen as a risk, a variant including a microcontroller (MCU) is also being developed, allowing authenticated external reprogramming and WP control, and independently verifying the SPI flash image against a user-controlled signature each boot. >> Read more about Flashkeeper ForgeFed Frontend — Improved UI for federated version control repositories Software developers often use websites called forges, where they collaborate on software projects. But these forge platforms are centralized, leading to the community flocking into big privately-controlled forges. The ForgeFed project is creating a protocol specification and a reference implementation for forge communication, allowing forge websites to form a decentralized network, putting the power and freedom of choice back in the hands of the community. >> Read more about ForgeFed Frontend Frugal EDA — Energy-efficient circuits and systems through quantum superconductivity FRUGAL EDA is an open-source user-friendly software design suite dedicated to energy-frugal electronics based on the amazing quantum physical properties of superconductivity. 
Its objective is to enable the design of energy-efficient ultra-high-speed (up to clock frequencies of several hundred GHz) quantum-based circuits and systems for the widest possible audience. FRUGAL will emulate the development of new circuits and functionalities so that disruptive quantum electronics can take its place in the current highly-competitive emerging technology landscape. One goal is to increase the number of students and newcomers interested in designing quantum-based circuits without the need for unaffordable tools, proprietary technologies or steep learning curves. FRUGAL embeds a set of open-source software tools comprising a schematic editor (LibrePCB), a SPICE netlist converter (L2SPICE), quantum time-domain simulators (JSIM and JoSIM) and a layout editor (KLayout). More designer-oriented features will be added along the course of development. >> Read more about Frugal EDA Namespace-specified imports in GHC — Fine-grained namespace control in Haskell Haskell is a purely functional programming language with a free and open-source compiler (GHC), as well as a mature ecosystem of open-source libraries for server-side programming (warp, wai, servant, scotty, etc), client-side programming (http-client), and blog generation (hakyll). By making use of Haskell's features, especially its support for concurrent and parallel programming, it is possible to develop efficient, secure and scalable web servers. \"Namespace-specified imports\" is a proposed feature for the Haskell programming language that further enhances its capabilities. By implementing \"Namespace-specified imports\" in the Glasgow Haskell Compiler, we will enable Haskell programmers to exercise fine-grained control over the namespaces of imported and exported entities. This is important when combining the use of existing libraries with the use of type-level programming features (techniques to ensure software correctness). 
This project should result in a complete implementation of this feature and its inclusion in the next compiler release. >> Read more about Namespace-specified imports in GHC GNU Mes interpreter speedup effort — Increase performance of full source bootstrap GNU Mes is a Scheme interpreter (mes), C compiler (mescc) and a minimal C standard library (meslibc) for bootstrapping the GNU System. The Scheme interpreter is written in a few thousand lines of simple C, and the C compiler is written in Scheme, and these are mutually-hosted. GNU Mes has a key role in the Full Source Bootstrap chain as it is the first fully featured C compiler that also ships a C standard library. This project aims to improve the performance of GNU Mes' Scheme interpreter, rewriting it as a bytecode interpreter, while keeping it as simple and readable as it is. This would enable faster execution of the Mes C Compiler (mescc) for faster build times, making the bootstrapping chain more accessible, especially on small single-board computers where memory access is more expensive. This speedup could also lead to a reduction of steps in the bootstrapping chain, making it simpler and easier to maintain. >> Read more about GNU Mes interpreter speedup effort GNUnet on Android — Port GNUnet protocol stack to Android mobile OS This project is about making GNUnet, a network protocol stack for developing secure, distributed and privacy-preserving applications, available on Android. To achieve this, we are developing an Android application that runs the basic GNUnet services and makes them available to other applications that want to use these services. As a blueprint for an application that uses GNUnet services, we will port the GTK-based GUI for GNUnet's messenger service to Android. To get GNUnet running on Android, we need to make sure that GNUnet works behind NAT boxes in the mobile environment, and make changes to the GNUnet architecture so that it runs as a monolithic single-threaded app. 
Additionally, we have to take care of the resource consumption on mobile devices. Of course, tests and benchmarks need to be written and integrated into a new CI/CD worker that builds and verifies GNUnet on Android. >> Read more about GNUnet on Android GPGPU Playground — A virtual GPU to learn GPU programming GPUs are an extremely effective and widely deployed vector co-processor, and yet those interested in adapting their capabilities are faced with a very high barrier to entry. Tools like OpenCL, CUDA, and WebGL all require a broad background to get started solving even simple problems, and mistakes in larger programs can be nearly impossible to identify without an even deeper level of experience. This project takes advantage of WebAssembly and Vulkan's SPIR-V format to deliver a safe, on-demand toolkit for exploring the potential of GPUs, focused on applications outside the bounds of traditional graphics acceleration. >> Read more about GPGPU Playground Galene — High quality libre videoconferencing server Galene is a complete self-hosted videoconferencing system that has been designed to be easy to install and to manage, to preserve the users' privacy, and that uses very moderate server resources. Galene has been continuously used in production to host university lectures and staff meetings since September 2020, as well as to host a number of international conferences during the COVID pandemic. The goal of this project is to improve Galene to make it use state-of-the-art networking and video algorithms, to improve its management features, and to add a number of user-visible features, such as background blur and automatic subtitling. >> Read more about Galene Gancio — Shared agenda for local communities that supports Activity Pub Gancio is a shared agenda for local communities, and was the first one to support Activity Pub. Gancio focuses on cross-cutting collaboration through its decentralized instances that allow to connect communities. 
This enables users to easily discover and engage in events in their neighborhood, as well as elsewhere - while avoiding attention-based business models and intrusive advertisements. The focus of this project is a number of new features such as implementing HTTP Signatures, moderation and onion routing, as well as improving compatibility with other Fediverse event tools. In addition, the team seeks to establish a common agreed upon event format to make the interaction with such tools more streamlined. >> Read more about Gancio Collection of Verified multi-platform Gatewares — Comprehensive repository of open source gateware designs The \"Verified Multi-Platform Gatewares\" project will create a comprehensive repository of gateware designs that are compatible with various FPGA development environments and boards. The goal is to reduce the barriers to FPGA development by providing designs that are rigorously tested and maintained for compatibility. The project will host these open source designs on a dedicated website, ensuring they work seamlessly across multiple toolchains and boards. The collection will range from beginner to advanced designs, serving as educational resources and benchmarking tools, continually updated to prevent bitrot. >> Read more about Collection of Verified multi-platform Gatewares Persistent Storage for Goblins — Integrate ERIS content-addressable encrypted storage to Goblins Goblins is a distributed object programming environment that is being developed by the Spritely Institute for building secure peer-to-peer applications. It is intended to be used for building fully-decentralized, healthy social community networks. This project aims at adding persistent storage to Goblins, allowing arbitrary content such as text files, images or music to be referenced and used from within Goblins with a large degree of network transparency. 
For this we will use an encrypted content-addressed storage network based on ERIS (Encoding for Robust Immutable Storage). >> Read more about Persistent Storage for Goblins Goupile — Secure forms including Clinical Report Forms (eCRF) Goupile is an open-source form editor designed for data collection in research, particularly in health, replacing traditional paper case report forms (CRF) with electronic versions (eCRF) accessible on computers and mobile devices. Developed by the InterHop.org association, it allows users to easily create customized forms with a programming approach using JavaScript, which enables the creation of highly dynamic and interactive forms with ease. Goupile also provides user management, data recording, synchronization, and options for online and offline data collection. Users can choose to self-host Goupile or utilize a turnkey service on certified HDS servers (Software As A Service SAAS), all while benefiting from InterHop's support for the development of new features. >> Read more about Goupile Grate project — Linux support for Tegra 2/3/4 devices GRATE driver started as an attempt to create an open source re-implementation of proprietary software for Nvidia’s older Tegra system-on-chips (Tegra 2, Tegra 3 and Tegra 4). Although this goal is still yet to be achieved, progress is being made and the GRATE project provides strong support for a wide variety of devices: smartphones, tablets, convertibles, all-in-one computers — all of which are based on older Tegra SoCs. Decent devices that were considered e-waste, not even by the users, but by the vendors themselves, gain a second life with strong Linux kernel support and open source bootloader substitution. >> Read more about Grate project Guix-Daemon — Transition to a Guile implementation of the guix-daemon GNU Guix is a transactional package manager and a distribution of the GNU system that respects user freedom. A key component in Guix is the guix-daemon, currently implemented in C++. 
Much of the power and flexibility of Guix comes from all of the package definitions and surrounding tooling being implemented in GNU Guile, however this doesn't extend to the guix-daemon. This difference has been a limiting factor in making changes and improvements to the way the guix-daemon works and is interacted with. The expected outcome of this project is to have a Guile implementation of the guix-daemon, and to transition to this being the default guix-daemon used. This will improve the maintainability and portability of the guix-daemon and Guix overall, as well as unlocking future improvements to the guix-daemon and connected tools. >> Read more about Guix-Daemon Hardware Bill-of-Materials (HBOM) generator — Create CycloneDX HBoM compliant inventory of hardware cdxgen is a CLI tool, library, REPL, and server for creating valid and compliant CycloneDX Bills of Materials (BOMs) in JSON format, containing an aggregate of all project dependencies. CycloneDX is a full-stack BOM specification that is easily created, human- and machine-readable, and simple to parse. The proposed project aims to extend cdxgen by adding support for generating hardware bills of materials (HBOM) in CycloneDX format, while remaining fully compatible with the existing tool ecosystem. >> Read more about Hardware Bill-of-Materials (HBOM) generator Hyper Hyper Space Sync Engine and adapters — Secure P2P data synchronisation The way authority is coded into software platforms impacts the health of the communities they serve. The goal of this project is to provide an information sync engine that can provide an application back-end with as little authority delegation as possible, thus enabling applications that are truly user-controlled. By using a formulation based on monotonicity, Hyper Hyper Space is able to simulate a transactional engine over a cryptographically secure event log. 
This yields a versatile data model, that is usable in a coordination-free setting and in the presence of Byzantine faults. This modelling flexibility can be leveraged by using bi-directional adapters, that are able to ingest and export synchronized data into a variety of local storage systems, including relational databases, document stores, and files. Application builders can choose the storage system that better suits their use-case, and rely on an adapter to synchronize its contents. This should lower the barriers of entry for creating p2p applications, and hopefully significantly boosts quality while reducing complexity. >> Read more about Hyper Hyper Space Sync Engine and adapters Open Hardware Manuals — Automatically generate user-friendly documentation for open hardware elements This project will create a tool that automatically generates Computer-Aided Design (CAD) models, assembly documentation, graphics, and user guides based on user provided configurations. These documents can be continuously updated, localized, and are shareable - akin to an always up-to-date Ikea-style assembly guide. The tools developed during this project will also be applicable to other open hardware projects, empowering designers to produce hardware that is more adapted to specific contexts, without creating fragile documentation that always goes out of date when a change is made to the design. >> Read more about Open Hardware Manuals SCE, DelTiC and Antler — High-Fidelity Congestion Control Some Congestion Experienced (SCE) is a project in high-fidelity congestion control (HFCC) that aims to stabilize transport congestion windows, thereby reducing queueing delay and jitter, and increasing link utilization. Our goals under NGI Zero are to complete the DelTiC (Delay Time Control) AQM algorithm, implement a new MIMD transport response aiming for max-min-fair flow competition at shared bottlenecks, and release a purpose-built congestion control testing tool, Antler v1.0. 
We will inform the CC community about our work, and update our Internet Drafts to keep the door open for future standardization, should the opportunity arise. >> Read more about SCE, DelTiC and Antler Hockeypuck — Next generation OpenPGP keyserver Cryptography is often said to be a method of converting security problems into key management problems. In OpenPGP, the reliable distribution of public keys has traditionally been done using public keyservers. While there are alternative methods of public key distribution, keyservers still perform a key role in the OpenPGP ecosystem. Hockeypuck is a modern synchronising OpenPGP keyserver application written in Go and licensed under the AGPL. It powers the OpenPGP synchronising keyserver network, which is a fully decentralised caching database run collaboratively by dozens of independent operators, but can also be deployed on a private or individual basis. Hockeypuck is currently being updated to support RFC9580, the latest iteration of the OpenPGP specification, and the upcoming HKPv1 keyserver API specification. >> Read more about Hockeypuck Holo Routing — A novel routing stack in Rust, including IS-IS routing Holo is a suite of routing protocols designed to address the needs of modern networks. Holo was started in response to the increasing trend in the networking field towards automation, where network devices are expected to be managed programmatically using a variety of standard interfaces. Written in Rust, a memory-safe language, Holo prioritizes reliability, ease of maintenance, and security. This project aims to extend Holo by incorporating support for the IS-IS protocol, one of the most widely used interior routing protocols. The IS-IS implementation will encompass both IPv4 and IPv6 support, cryptographic authentication, and extensions for traffic engineering. Rigorous testing against multiple vendors and comprehensive conformance tests will ensure the interoperability and robustness of the implementation. 
>> Read more about Holo Routing IPDL II — A new process logic aimed at formal proofs for cryptographic algorithm Our project IPDL aims to increase the trustworthiness of large cryptographic systems by designing and implementing a natural and principled way of thinking about them. IPDL, short for Interactive Probabilistic Dependency Logic, is a process calculus and software implementation for formally verifying message-passing cryptographic protocols. Our goal is to use IPDL to develop cryptographic foundations that are both composable and concurrent. Concurrency means that our model of computation natively allows processes to run at the same time; composability allows us to prove the system secure by verifying the security of its subparts. In this setting, formal proofs closely resemble the thinking of a cryptographer. >> Read more about IPDL II IPv6-monostack - upstream Linux SIIT/NAT64 — Commoditizing NAT64 and IP/ICMP translation to accelerate IPv6 deployment NAT64/SIIT technology is critical in enabling networks to transition away from the legacy internet protocol IPv4, yet this network function is currently expensive and hard to deploy, seriously hampering adoption. We believe we can remedy this situation by getting this translation technology accepted into the upstream Linux kernel, thus paving the way to rapid and widespread adoption, accelerating IPv6 adoption overall. >> Read more about IPv6-monostack - upstream Linux SIIT/NAT64 ISCC-CORE typescript implementation library — Decentralised content identifiers through ISO 24138. The goal of this project is to implement core functions of the new ISCC standard ISO 24138:2024 (“International Standard Content Code”) in TypeScript, resulting in a library that will be useful for the JavaScript ecosystem and for developers to use and work with this new standard in their projects. ISCC is a similarity preserving fingerprint and identifier for digital media assets. 
ISCCs are generated algorithmically from digital content, just like cryptographic hashes. However, instead of using a single cryptographic hash function to identify data only, the ISCC uses various algorithms to create a composite identifier that exhibits similarity-preserving properties (soft hash). This supports content deduplication, database synchronization, indexing, integrity verification, timestamping, versioning, data provenance, similarity clustering, anomaly detection, usage tracking, allocation of royalties, fact-checking and other use-cases. >> Read more about ISCC-CORE typescript implementation library Optimized Image Codecs — More efficient image handling for embedded systems The Optimized Image Codecs project aims to bring portable, efficient image and video codecs to all platforms. It is primarily focused on enabling them on devices that previously were assumed to be incapable of using standard compressed images or video due to their limited memory and speed. The efficiency of the code also means that energy usage is reduced on systems large and small. This code represents state of the art efficiency combined with a careful design to minimize the memory requirements. This enables their use on the widest possible set of devices. This project started with the release of a JPEG decoder and now consists of mature JPEG, PNG, GIF and TIFF G4 codecs used by thousands of developers in projects large and small. Within the scope of this project, the aim is to release software MPEG-1 and H.263 video decoders which will run well on low cost microcontrollers. This should dramatically improve the efficiency of products which had to settle for MJPEG (Motion-JPEG) as a substitute for a true video codec. >> Read more about Optimized Image Codecs Micro25519 — Lightweight Elliptic Curve Cryptography for microcontrollers This project is building an open-source software library for modern Elliptic Curve Cryptography (ECC). 
To achieve this, the project aims for a unique trade-off between three different (and partly conflicting) goals that is currently not offered by any of the existing ECC libraries for small 8/16/32-bit microcontrollers. The first goal is efficiency, which includes not only fast execution times, but also small code size and low RAM usage. Equally important as efficiency is the second goal, namely security, and this includes not only the absence of subtle bugs that could leak secret information, but also robustness against timing-based side-channel attacks. The third goal is usability, which is achieved by a simple and intuitive API, an easily readable and well-commented source code, and a rich documentation with examples for common use cases. Micro25519 will come with highly-optimized Assembly functions for the low-level field-arithmetic for 8-bit AVR, 16-bit MSP430, as well as 32-bit ARM Cortex-M3 and RISC-V microcontrollers. The higher-level functions are written in C and shared among the different platforms to minimize the code base and reduce complexity. >> Read more about Micro25519 Irdest IP Traffic Proxy — Route existing IP-network traffic through an Irdest network An Irdest network allows users to easily create locally focused mesh networks amongst their communities and friend circles. To allow applications not written for this mesh network (using IP traffic routing) to route traffic through the Irdest network a proxy is required. This proxy is responsible for managing routes on entry and exit nodes, announcing routes, and allowing users control over which exit nodes they want to use for different target IP addresses. The goal of this proxy is to provide a better out-of-the box experience for new users, and expanding the scope of usable scenarios. 
>> Read more about Irdest IP Traffic Proxy IronCalc — Embeddable spreadsheet engine written in Rust IronCalc is a versatile open-source spreadsheet engine written in Rust from the ground up, employing modern programming best practices. It can be used from any programming language or from end-user products like Web IronCalc. Around the world, millions of spreadsheets are used for accounting, data analysis, processing, educational purposes, collaboration, sharing, etc. IronCalc aims to be an all-purpose alternative to Excel or Google Sheets, filling an important gap in the democratisation of spreadsheets. Suited for companies, individuals, and schools alike, the project aims to be feature-rich, international, fast, and lightweight. >> Read more about IronCalc Ironclad — Hard real-time capable kernel written in SPARK/Ada Ironclad is a partially formally verified, hard real-time capable kernel for general-purpose and embedded uses, written in SPARK and Ada. It is comprised of 100% free software, free in the sense that it respects the user's freedom. By providing a UNIX-like interface which ensures an easy porting process from Linux and BSD distributions, Ironclad aims to be a solution for developers searching for a security-first, resilient platform with the smallest barrier to entry. This project will work on expanding hardware support for x86_64 Intel and AMD based systems, bringing Ironclad to RISC-V 64 bit based platforms, expanding several areas of the kernel, and work on Ironclad-based distributions. >> Read more about Ironclad JSON-Joy Peritext — Rich-text CRDT implementations for json-joy CRDT json-joy is an open source library for building distributed collaborative web applications, its major focus is on implementing performant state-of-the-art CRDT algorithms. This project aims to implement a Peritext-like rich-text CRDT on top of the JSON CRDT Specification as part of the json-joy library. 
The goal of the project is to implement a production-ready collaborative rich-text editing algorithm, Peritext, and supporting modules for the json-joy library. The project will also improve on the originally proposed Peritext algorithm by leveraging JSON CRDT data structures to make various rich-text annotations mutable and block elements nestable. >> Read more about JSON-Joy Peritext AppBundler — Package (graphical) Julia apps for all platforms While Julia provides excellent support for GUI frameworks across all major desktop operating systems, deploying these applications traditionally requires users to install Julia, instantiate projects, and run them from the command line. AppBundler addresses this challenge by creating self-contained, native installers for Julia GUI applications regardless of framework. It employs a flexible recipe system with sensible defaults, allowing developers to easily configure resulting bundles. This project will integrate open-source bundling tools for macOS and Windows to replace proprietary SDKs, enabling distribution as binary dependencies without cumbersome host setup and facilitating cross-platform deployment from Linux hosts. AppBundler will support various Julia compilation methods, including pkgimages, sysimages, and Julia 1.12+ static compilation features, while developing Flatpak integration and addressing sandboxing to ensure applications run securely without compromising user systems. >> Read more about AppBundler KDE Plasma Wayland — Accessibility and advanced graphics input support for KDE Plasma Wayland Plasma is the desktop provided by the KDE project, one of the largest and most successful open source initiatives in the world. Wayland is the successor of X11 for Unix desktops and the future for many reasons, including security and privacy. However there are some user groups that currently do not have their requirements satisfied. 
Some people have motor impairments of their arms/hands (such as restricted movement, tremors, or missing fingers) that make it hard or impossible to operate a traditional computer keyboard. Operating systems provide a number of options like sticky keys, slow keys, or bounce keys to accommodate for such disabilities. Another pain point is configuration of graphics tablet input devices. This includes things like mapping the tablet area to an output area, binding tablet/stylus buttons to actions, or configuring pen pressure curves. This project will implement support for these special user groups in KDE Plasma on Wayland. >> Read more about KDE Plasma Wayland Knowledge Graph Portal Generator — Automatically generate custom web interfaces for structured data The Knowledge Graph Portal Generator is a toolkit designed to create user-friendly web portals for Knowledge Graph (KG) datasets, making data from public SPARQL endpoints accessible to users without expertise in semantic technologies. Built on the LinkedDataHub framework, our solution will feature paginated collections, faceted search, and detailed entity views. It will extract RDF ontologies from datasets, generate content configurations, and use these to extend the default LinkedDataHub into a dataset-specific web application. >> Read more about Knowledge Graph Portal Generator Kami — Choreography programming language integrated with the Rust ecosystem Kami is a new programming language, based on the Rust ecosystem, designed from the ground up for correct-by-construction distributed systems. In its core it is pure and functional, thus ideal for building complex concurrent systems. It takes cues from multiparty session types and choreographic programming language research: The behaviour of all roles in a distributed application can be implemented at once from a global point of view. 
This high-level description is compiled to Rust code for all participating roles, with the guarantee that the system will be deadlock-free. Developers can seamlessly drop down to using Rust, and all of its ecosystem, for writing local code, while using Kami for composing the local computations into a coherent distributed system. In this project we implement the type-checker, compiler and other developer tools for Kami, to provide a developer experience as friendly as that of Rust. >> Read more about Kami Keyhive — Edge Names, invites and group key agreement for local first data Keyhive is a synchronization engine for end-to-end encrypted group collaboration. It is designed to support scalable operation in peer-to-peer, federated, and centralized deployments and to support both real-time and asynchronous collaboration. Keyhive is intended to allow efficient decentralized collaboration on collections as large as millions of documents, hundreds of thousands of words / points per document, and thousands of contributors. Keyhive takes advantage of recent advances in algorithms including breakthroughs in set reconciliation, and in some cases advances the state of the art, such as by extending existing group key management systems to eliminate the requirement for a central server. Our aim is to deliver a high performance, useful, and secure open source system to production users around the world. >> Read more about Keyhive KiCad-IPC — Add RPC API, multichannel designs and schematic variant system to FOSS EDA suite KiCad is an open source electronics design application (EDA) suite. The program includes schematic capture, printed circuit board (PCB) layout, circuit simulation, 3D viewer, and many other tools to provide the best possible user experience for professional electronics designers while still remaining approachable for new and inexperienced users. It is available for Windows, macOS, and Linux and is released under the GPL3+ license. 
>> Read more about KiCad-IPC LDAP Synchronization Connector — Synchronize data from/to various data sources with LDAP LSC (LDAP Synchronization Connector) is a community open source software designed to get rid of all customized scripts developed by system administrators to sync their files or databases to maintain accounts and groups in an LDAP directory. LSC works with one configuration file and can connect to any database, LDAP directory (including Active Directory) or REST API. It solves use cases like \"create an account for every new people hired in the company\", \"lock this account in Active Directory because it was locked in OpenLDAP\", \"create a group for all people of this department\" or \"push accounts to this application API\". The project will refresh all the dependencies, and add new features such as allowing JavaScript in LDAP filters. >> Read more about LDAP Synchronization Connector LO/CODE Book project — Professional typography inside LibreOffice The project enhances readability of text documents by adding highly customizable paragraph-level line breaking and microtypography to the LibreOffice/Collabora Online Writer word processors. It creates a new type of software, with the print quality of proprietary DTP programs and with productivity of word processors. It saves paper and screen area with a compact paragraph layout and readable multi-column pagination. It should result in proposals to enhance the OpenDocument format standard (ISO/IEC 26300) which will be submitted for standardization, encouraging future standards to support enhanced readability, especially for people with reading difficulties. >> Read more about LO/CODE Book project LabPlot — Scientific and engineering data analysis and visualisation LabPlot is a free, open source and cross-platform data visualisation and analysis software. It focuses on ease of use and performance. 
It provides high quality data visualisation and plotting capabilities, as well as reliable and easy data analysis, without requiring any programming skills from the user. Data import and export to and from a variety of formats is supported. LabPlot also allows calculations to be performed in various open source computer algebra systems and languages via an interactive notebook interface. In this project the team will work on extending the current feature set of the application to reach a wider audience. This includes scripting capabilities (in Python only in the initial implementation) to script and automate repetitive data visualisation and analysis workflows and to allow control of LabPlot from external applications via a public interface. The second feature that will be worked on is the ability to apply analysis functions such as FFT, smoothing, etc. to live/streaming data (data imported into LabPlot and modified externally). And thirdly, statistical analysis including common hypothesis tests, correlations, regressions and data panning. >> Read more about LabPlot Lemmy Scale — ActivityPub-powered social link aggregation and discussion Lemmy is an open-source, easily self-hostable link aggregator that is used to share, discover and discuss whatever comes to mind. Unlike proprietary services that welcome users only on their own terms, Lemmy instances can each determine their own course. Lemmy implements the W3C ActivityPub standard, and federates with other ActivityPub services such as Mastodon, Funkwhale and Peertube. Users registered on one server from one of these services are able to subscribe to communities on other servers where they can have discussions with users registered elsewhere. In this project, a number of noteworthy features are worked on, ranging from improving UX, federation, APIs, storage optimisation, tagging, polls, and more. 
>> Read more about Lemmy Scale Libre Diagnostic — Open hardware car diagnostics Car diagnostics have evolved from the early OBD-I systems of the 1980s to today’s OBD-II standard. While some commercial scanners provide real-time vehicle data and trouble code readings, they are proprietary, limiting transparency and customisation. An open-source alternative will offer greater control, community-driven improvements, and long-term affordability. This project aims to develop a cost-effective and user-friendly diagnostic tool that connects to a vehicle’s OBD-II system via Bluetooth using the ELM327 adapter. It will allow users to read and clear diagnostic trouble codes (DTCs), monitor real-time performance data, and analyse key systems like ABS, airbags, and engine health. The project will provide a transparent, accessible, and reliable diagnostic solution for both car owners and professionals. >> Read more about Libre Diagnostic LibreQoS 2.1 — Transactional Move System and improved APIs for LibreQoS LibreQoS is a Quality of Experience (QoE) open source platform that leverages the state of the art (and IETF standardized) Flow Queueing (FQ) and Active Queue Management (AQM) algorithm CAKE to help Internet Service Providers (ISPs) enhance their customers' internet connections. It effectively manages latency and bufferbloat over existing infrastructure. LibreQoS ensures fair sharing of bandwidth, prioritizes critical real-time applications and promotes connection quality, equity and access. This project adds API functionality, which will make scaling LibreQoS to multiple servers much easier, allowing ISP operators to break the current 70 Gbps per server barrier. In addition, this project allows for a new Transactional Move System, which prevents any packet loss upon reload/refresh of shaper rules - allowing LibreQoS to scale to much larger ISP networks, improving internet connectivity for millions more end-users worldwide. 
>> Read more about LibreQoS 2.1 Librecast Overlay Multicast — Privacy-preserving, energy efficient data replication and verification The original design goals of the Internet do not match today's privacy and security needs, and this is evident in the technologies in use today. The Librecast project contributes to decentralizing the Internet by enabling multicast. Multicast is an important network capability for a secure, decentralized and private by default Next Generation Internet. Multicast is networking with consent. Unfortunately, today's infrastructure does not fully support end to end multicast. In order to reap the benefits of multicast in the applications we build now, we need a transitional mechanism which enables overlay multicast via peer to peer tunnels so that multicast applications - using the Librecast libraries - can work everywhere, regardless of underlying network support. The Librecast project is building the transitional protocols and software required to extend the reach of multicast and enable easy deployment by software developers, to make end to end encrypted multicast a reality. >> Read more about Librecast Overlay Multicast Automate FOSS license compatibility determination — Check software projects for license (in)compatibility + compliance By classifying license clauses, rather than only the licenses themselves, and the way components are used and provided, we reduce the complexity of license compliance and compatibility and will provide useful resources for humans and computers. The result of this project can be used to simplify choosing a license for your project, assisting in complying when providing FOSS components to your users, checking compatibility between the licenses in your project. 
>> Read more about Automate FOSS license compatibility determination LANShield — Constrain local network access for mobile devices LANShield is a tool that will give users control over which apps and programs are allowed to access devices in the local network. This is done to defend against malicious apps that may try to scan the user's local network and subsequently leak sensitive information. For instance, when an app tries to access the local network for the first time, the user is asked whether this app should be allowed to access local devices. The project will also investigate models and protocols to safely enable an app to communicate with local devices, with the idea that apps can use this protocol to access local devices without requiring explicit user permission. The project will also investigate how to integrate this defence into Android. >> Read more about LANShield Loops — ActivityPub based sharing of short video clips Loops is an innovative Fediverse platform inspired by TikTok and powered by the decentralized ActivityPub protocol. It aims to deliver personalized short-form video content through a \"For You\" recommendation algorithm, enhancing user engagement and discovery. The platform supports interactive features like comments and video remixes, fostering a creative and collaborative community. By connecting with the Fediverse, Loops gives users more control over their data, better privacy, and the ability to interact with other platforms—making it an exciting new way to experience social media in our ever-changing world. >> Read more about Loops MEGA65 Phone Modular MVP — OSHW mobile device with form-factor of hand-held game consoles The previous MEGAphone project laid the groundwork for creating personal communications devices that are secure through simplicity. 
This project extends that work by making the hardware modular, at some cost of minimum size, so that it becomes much more feasible for small communities to produce and maintain their own units, even in the face of supply chain challenges and other contributors to the \"digital winter\", i.e., the situation where open innovation becomes more difficult due to a number of factors. This will also make it easier to include diverse resilient communications options, whether RF, optical or acoustic, so that peer-to-peer communications networks can be sustained even in environments that are hostile to freedom of communications. For this reason energy sovereignty will also be part of the design, so that even if all civil infrastructure is denied, basic communications and computing functions can be sustained, with a single device whose security can be much more easily reasoned about. >> Read more about MEGA65 Phone Modular MVP MNT Reform QCS6490 Module — MNT Reform compatible open Hardware processor module This project develops an open source hardware processor module for the MNT Reform open hardware laptop series, based on a System on Chip designed and optimized for industrial IoT use cases, which is meanwhile decently supported on mainline Linux. The module is aimed at providing a competitive and more performant option/upgrade for OSHW laptops, but may also be used in tablets and phones (as well as other cases where soldering is not an option). This creates an option for consumers to obtain a laptop they can inspect from top to bottom as well as tinker with. By expanding the options for open hardware processor modules and lowering the cost, this project will enable more people to switch over to a fully transparent OSHW device. >> Read more about MNT Reform QCS6490 Module Improving the deployability of Multipath TCP — Improve MPTCP support in the Linux kernel Multipath TCP (MPTCP) is a standardised technology extending TCP and invented in Europe. 
TCP is one of the key protocols of the TCP/IP protocol stack, designed in the 1970s when hosts were attached to the network through a single cable. Today's hosts have several network interfaces, but TCP only uses one of them for a given connection. Multipath TCP solves this problem by enabling TCP connections to exchange packets over different network interfaces. With the current version of MPTCP in the Linux kernel, most of the features listed in RFC8684 are implemented. Basic use-cases are supported, but that does not mean the solution covers all needs and is easy enough to use. In short, MPTCP works well in some controlled environments but not as well in highly heterogeneous ones, which are common on the Internet. Its configuration is also sometimes seen as difficult and/or confusing for the moment. Some work is therefore still needed to cover more use-cases and to improve usability and performance so that Multipath TCP is adopted by a broader audience. >> Read more about Improving the deployability of Multipath TCP Improving the deployability of Multipath TCP, part 2 — Improve MPTCP support in the Linux kernel Multipath TCP (MPTCP) is a standardised technology extending TCP and invented in Europe. TCP is one of the key protocols of the TCP/IP protocol stack, designed in the 1970s when hosts were attached to the network through a single cable. Today's hosts have several network interfaces, but TCP only uses one of them for a given connection. Multipath TCP solves this problem by enabling TCP connections to exchange packets over different network interfaces. With the current version of MPTCP in the Linux kernel, most of the features listed in RFC8684 are implemented. Basic use-cases are supported, but that does not mean the solution covers all needs and is easy enough to use. In short, MPTCP works well in controlled environments but there is room for improvement in heterogeneous ones. 
Some work is therefore still needed to cover more use-cases and to improve usability and performance so that Multipath TCP is adopted by a broader audience. >> Read more about Improving the deployability of Multipath TCP, part 2 MWoffliner — Software to make Wikipedia and other Mediawiki content available offline Wikipedia aims to make the Sum of All Human Knowledge available to all and for free. But with three to four billion people around the world lacking connectivity (because of cost, infrastructure or censorship) we need a solution to bridge the digital divide and bring this great tool to everyone. Mediawiki offliner packages and compresses any wiki into a portable ZIM archive that can then be browsed offline and on any device, no matter where their users are located. In short, this allows anyone and everyone to carry the largest encyclopaedia ever on their phone and in their pocket. >> Read more about MWoffliner MailBox renewal — Performance upgrade of MailBox mail modules Email is still the workhorse of the internet, and behind the scenes some of the heavy lifting is done by applications like the Mailbox modules. Under the hood, this software is processing billions of emails every day at some of the largest players in the industry. The project will deliver a major update of the code after two decades. This is not only long overdue, but actually offers interesting opportunities to take into account new email related RFCs, investigate new possibilities for code optimisation as well as tackling new threats like SMTP smuggling. As a bonus, the project will work on a standalone tool to be able to once more properly forward emails in the SPF/DMARC era - a very welcome capability, the lack of which is currently causing a lot of headaches and lost email for users. 
>> Read more about MailBox renewal Mapterhorn — Open terrain tile sets and data catalog Mapterhorn is an open-source alternative to proprietary terrain data platforms that addresses the fragmentation of global high-resolution terrain data. While many European countries like Austria and the Netherlands have released open terrain datasets, users currently rely predominantly on proprietary intermediaries such as Google Maps or Esri to consume these. This is due to inconsistencies in formats, projections, licenses, and access methods. Mapterhorn solves this through three components: a global low-resolution terrain tileset based on ESA's Copernicus model, regional high-resolution tilesets from national LIDAR surveys, and a comprehensive data catalog using the open STAC specification. By distributing terrain tiles in Web Mercator projection in standard formats such as GeoTiff and PMTiles, Mapterhorn will enhance disaster response capabilities, improve solar energy planning, boost tourism promotion, and enable numerous other applications across the public sector in Europe and beyond. >> Read more about Mapterhorn Multilingual Marginalia — Search engine focused on quality discovery Marginalia Search is an experimental Internet search engine for the independent web designed and optimized to run on cheap consumer hardware. The goal of the development effort is to improve the search engine's technical abilities, including adding support for indexing additional languages beyond English, but also addressing other technical shortcomings. >> Read more about Multilingual Marginalia Miru — Multi-track video editing and real-time AR effects Miru is a new set of modular, extensible Web platform tools and components for still image and multi-track video editing and state-of-the-art, real-time AR. 
Using WebGL, WebAssembly, and open source, mobile-optimized machine learning models, Miru will give people on the social web the tools to edit images and apply interactive effects to recorded video without compromising on privacy and transparency. Miru aims to provide intuitive and user-friendly UIs which developers can easily integrate into their Web apps regardless of the frontend frameworks they use. >> Read more about Miru postmarketOS/phosh-mobile-settings integration — Consolidate functionality of FOSS mobile settings applications Currently, there is no easy way for applications to install settings that then show up in the system's settings app on desktop Linux systems. As part of bringing desktop Linux to mobile phones in postmarketOS, we have created a \"tweaks\" app for phone-specific configuration options. With this project, the options in this tweaks app will be converted to a format described by a specification which settings apps then can implement. This in turn is part of a broader effort to make desktop Linux suitable for running on mobile phones as a means to create an operating system for phones without excessive user tracking or built-in ads, with a focus on the user instead of money. >> Read more about postmarketOS/phosh-mobile-settings integration Mobilizon UX — Share events on the fediverse Mobilizon enables the creation of community venues for organising and promoting local and topical events, activities, and groups. These instances can share information using the ActivityPub protocol, allowing users to publish their events on one Mobilizon server and propagate these elsewhere. Mobilizon is designed to be user-friendly and empowering. In order to reach a wider audience with Mobilizon, we need to make sure we serve the needs of users well - whether they are instance administrators, event organisers, or end users. 
We will conduct workshops to study how each of these interacts with Mobilizon and understand their expectations, so that we can develop Mobilizon accordingly. Additionally, we will test, document and improve interoperability with other Mobilizon instances, other fediverse applications, and other websites in general. This can be achieved through plugins, APIs, and aligning on standard formats such as Ical. Ultimately, communicating about local activities will become more efficient and finding local activities easier. >> Read more about Mobilizon UX Mollymawk — Mollymawk - orchestration and management of MirageOS unikernels Mollymawk is a deployment and orchestration tool designed to simplify the management of MirageOS unikernels and other virtual machines. In this project, we will focus on optimizing deployment, orchestration and scaling (up and down). Key enhancements we are looking at include implementing websockets, streaming services when deploying unikernel images, automated configurations (DHCP, DNS etc), support for virtual machines that are not MirageOS unikernels, mechanisms for autoupgrading unikernels with rollback options, notification of available updates, unattended updates, and managing multiple physical machines with a single mollymawk. >> Read more about Mollymawk Mosaic Simulation — EDA tool for analog chip design Today, the chip design industry is deeply proprietary with NDAs at every level, which means it is not possible to share design files at all. This in turn stifles learning, innovation and transparency in chip design. In order to create a chip design industry that can be trusted with our digital lives, and which is accessible to educational institutions and small business, it is essential to develop powerful open source tools for chip design. Anyone should be able to use these tools, allowing for unhindered collaboration. 
Mosaic is a tool that attacks the first design phase of an analog chip, or analog peripherals for a digital one: design and simulation of the schematic. In this follow-up grant the team will focus on simplification, distribution, and polish - making Mosaic easier to install and use as well as maintain. >> Read more about Mosaic Simulation Movim — Add end-to-end encrypted videocalls to Movim XMPP Movim is a web-based social and chat platform that acts as a frontend for the XMPP network. The goal of this project is to modernize and extend the long-existing audio and video conferencing features in three major steps. First, the existing UI will be completely refactored and redesigned to better integrate the conferencing features into the existing pages and flows. Secondly, Movim will support one-to-many call features and offer full compatibility with other XMPP clients building upon the step-one features but without relying on a central server to handle the media streams. And finally, to handle conference calls with a large number of participants, Movim will standardize and integrate SFU (Selective Forwarding Unit) support that will then lift the streams network bottlenecks offering a complete and scalable experience to its users. With those three steps fulfilled Movim will then be able to greatly simplify fully standard XMPP audio and video conferencing calls on the web. >> Read more about Movim Mox management and automation — Automated email server management and administration Mox is a modern email server implementation that makes it easy for people and organizations to run their own mail server, allowing them to stay in control of their own email communication, and keeping email decentralized. While high-quality open source mail server software components exist, their code bases are growing old, and getting a working setup involves configuring at least half a dozen of them to work together. That complexity has turned people to a few (centralized) email providers. 
Within this grant the team will add a number of missing key features such as server-side email filtering (Sieve) and encrypted storage, among others. >> Read more about Mox management and automation Collation + i18n support in musl libc — Complete POSIX internationalised functions in musl libc musl libc is a lean C standard library implementation for Linux. It strongly focuses on correctness, compliance with standards, and reduced footprint, both in terms of binary size and memory usage. Its initial release dates to 2011, making it a considerably modern implementation compared to alternatives like glibc. As default in e.g. Alpine Linux (which is widely used in containers but also is the basis for end user facing efforts like postmarketOS) it can be found in many unexpected places. This project will implement two features still missing: collation and internationalization support. The first one allows set ordering based on locales, and follows a certain set of established rules and standards. The second one provides basic functionality in the language of choice for the user like dates, times, numbers, and monetary symbols. Contributors from the postmarketOS community will validate the work, to make sure that everything actually works out as intended. >> Read more about Collation + i18n support in musl libc Control plane for Nix-based systems — Dynamic system management and orchestration with Nix Nix is a cross-platform package management solution in which software packages are each installed into unique directories with immutable contents. This makes it possible to elegantly manage even the most complex configurations: system services, software deployments, hardware descriptions across a heterogeneous fleet of machines, including routers, switches, servers, etc. Nix's declarative and reproducible nature makes it an ideal choice of unified interface for orchestration and managing configurations across a fleet of machines. 
It is already capable of reliably delivering a single source of truth but in terms of deployment, tooling for more advanced scenarios is lacking - such as staged rollouts and blue/green deployments. This project will build a dynamic control plane that would take Nix expressions and add orchestration capabilities for Nix-based systems. >> Read more about Control plane for Nix-based systems NixBox — Nix integration with netbox NixBox is a modern approach to network deployments: it combines the configuration management powers of Nix with the documentation capabilities provided by NetBox. It focuses on testability, reliability and automation while making your network documentation your configuration. Our goals are to reduce downtime and improve network visibility. Utilizing virtual machine tests we can ensure that your deployment will actually work before you ship it to production. >> Read more about NixBox NodeBB — ActivityPub support and accessibility improvements for forum software NodeBB is a Node.js based community forum software that utilizes web sockets for instant interactions and real-time notifications. NodeBB benefits from modern features like real-time streaming discussions, mobile responsiveness, and rich RESTful read/write APIs, while staying true to the original bulletin board/forum format — categorical hierarchies, local user accounts, and asynchronous messaging. In this project, the team will be working on bringing ActivityPub integration to NodeBB, in order to allow forums to become truly interconnected with other ActivityPub-enabled applications throughout the wider Fediverse (of course including other NodeBB forums). The absolute hardest part of starting a community — forum or otherwise — is gaining a critical mass of adoption in order to sustain interest and content. What if we could bypass this hurdle altogether? 
>> Read more about NodeBB Nova JavaScript engine — Independent JavaScript engine written in Rust Nova is a JavaScript engine exploring a different engine design, inspired by data-oriented design. This design allows greatly reduced memory usage, optimal data cache locality for algorithms on happy paths, memory safety by construction, and various other technical optimisations that together form a compelling and interesting whole. The design involves tradeoffs, paying extra indirection for its gains, and the implementation treads mostly unfamiliar territory: the technical choices are nothing new, but they have not seen wide usage in production JavaScript engines to date. If the upsides overshadow the downsides, as they seem to do, the result will be a JavaScript engine that reduces memory usage by 30 to 50 percentage points, while improving performance under real-world loads. >> Read more about Nova JavaScript engine NovyWave — Waveform visualizer for gateware development NovyWave is an open-source waveform viewer designed as a modern alternative to GTKWave. This cross-platform desktop application is suitable for both professionals and beginners, offering simple installation and a strong focus on user experience. Its goal is to boost productivity and satisfaction among current hardware developers while also attracting new developers and students to the hardware design ecosystem. NovyWave is built on fast and reliable Rust libraries and leverages well-proven web technologies to ensure a consistent look, accessibility, design flexibility, and safe user extensibility via WebAssembly plugins. >> Read more about NovyWave O-ESD — Open-hardware for ElectroStatic Discharge testing The goal of the Open-hardware for ElectroStatic Discharge testing (O-ESD) is to design, produce and verify open hardware and accompanying open software for a device for electrostatic discharge testing. 
Electrostatic discharge is a phenomenon that occurs daily between humans and electronics and can irreversibly damage the electronics. All consumer electronics sold in the EU, including all internet hardware, must satisfy the Electromagnetic Compatibility (EMC) Directive. One of the hardest tests within the EMC Directive deals with electrostatic discharge as defined by the IEC/EN 61000-4-2 standard. Standardized tests are typically done with special equipment in accredited EMC laboratories and are costly. The O-ESD tester will minimize the costs of pre-compliance testing and make it publicly available. >> Read more about O-ESD OCaml direct style transition — Helping with the transition of OCaml programs from Lwt to Eio OCaml traditionally uses monadic style for concurrent programming, offering advantages like reduced data races and efficiency but requiring all code to be written in this style and leading to frequent allocations. OCaml 5 is one of the first languages to implement algebraic effects, enabling direct-style concurrency with multiple stacks, addressing these drawbacks. However, the transition to effects-based concurrency can lead to incompatibility between libraries written in different styles, putting the whole OCaml ecosystem at risk. This project aims to mitigate these risks by developing tools to automatically rewrite code and identify potential issues during the transition from monadic to direct-style concurrency, specifically focusing on the complex case of the Ocsigen Web framework. >> Read more about OCaml direct style transition OCaml-QUIC — Implement QUIC/QUIC-TLS/QPACK and HTTP/3 in OCAML HTTP/3 is the most recent version of the Hypertext Transfer Protocol used to exchange information on the World Wide Web. Like the QUIC transport layer protocol it uses, it is standardized by the Internet Engineering Task Force (IETF). 
OCaml-QUIC is an implementation of QUIC (RFC9000), QPACK (RFC9204), HTTP/3 (RFC9114) and associated protocols in OCaml, an industrial, functional, memory safe programming language, used in sectors ranging from finance and research to social media and web application. The project aims to provide an open, complete implementation of the aforementioned protocols to be used and deployed in embedded devices, POSIX/UNIX operating systems and unikernels (self-contained, library operating systems). >> Read more about OCaml-QUIC OPERA-DSP — Open hardware FMCW Radar signal processing in FPGA Frequency Modulated Continuous Wave (FMCW) radar is essential for applications such as autonomous vehicles, industrial automation, environmental monitoring, and security, enabling high-resolution object detection and speed estimation. However, to fully leverage FMCW radar data, digital signal processing (DSP) techniques must be applied in real time to extract meaningful information. The OPERA-DSP project aims to develop an open-source FMCW radar DSP hardware library, making radar signal processing more accessible to researchers and developers. It will provide essential IP cores, including windowing functions, Fast Fourier Transform (FFT), magnitude computation, and Constant False Alarm Rate (CFAR) detection. To simplify adoption, OPERA-DSP will integrate these DSP libraries with a RISC-V core and develop an FPGA-based design, complemented by scripts for automated bitstream generation. >> Read more about OPERA-DSP OWASP dep-scan — Security and risk audit tool OWASP dep-scan is a next-generation Software Composition Analysis (SCA) tool based on known vulnerabilities, advisories, and license limitations for applications, container images, and Linux virtual machines. 
Powered by abc - AppThreat atom, OWASP blint, and CycloneDX Generator (cdxgen) - dep-scan performs a range of advanced code hierarchy and lifecycle analysis (for example, reachability analysis) to improve precision and reduce false positives, thus helping developers and AppSec people focus on supply chain vulnerabilities and risks that need real attention. Dep-scan is purpose-built to be integrated in CI, Vulnerability Management platforms, and air-gapped environments. Dep-scan can perform all the analysis offline, with no code or SBOM leaving your environment. The tool supports generating reports in CycloneDX VDR, OASIS CSAF VEX, HTML, PDF, and Markdown formats. >> Read more about OWASP dep-scan owi — Symbolic evaluator and fuzzing of WASM software WebAssembly (Wasm) is a post-JavaScript code format for the web, enabling efficient computing, with built-in sandboxed execution. Its usage is expanding: it is now used in online services, in embedded systems and to create portable binaries. Owi is a toolkit tailored for Wasm. In particular it can perform efficient symbolic program execution. That is to say, for a given program, it is able to find input values leading to a crash. Many languages are compiling to Wasm, e.g. C/C++/Rust. Owi can thus be used as a bug-finding tool working on any of these languages. We're currently improving the usability of the tool as a part of the testing workflow for developers; the first step of this work is to provide an interface making Owi a drop-in replacement for AFL. >> Read more about owi Omnom — Add social layer to personal bookmarking Omnom is a web-based, self-hosted bookmarking and snapshotting platform that can create snapshots of any opened webpage identical to what it looks like in the browser at the time of creating the snapshot. It consists of a browser addon compatible with Firefox and Chrome based browsers and a multi-user web based application. 
The goal of this project is to add social features and improve user experience. >> Read more about Omnom OpenCarLink — Security tooling for vehicle OBD2 ports OpenCarLink is an initiative aimed at revolutionizing vehicle diagnostics and security through the development of an open hardware device for vehicle OBD2 ports. By supporting communication protocols such as DOIP, CAN, Kline, and Single-Wire CAN, OpenCarLink enables users to perform remote diagnostics, real-time emissions tracking, enhanced vehicle security through penetration testing, and increased driver safety via behavioral data tracking. This project promotes an open and innovative future for the European mobility sector by helping to circumvent manufacturer limitations. By releasing the hardware design under an open-source license, OpenCarLink fosters an environment where enthusiasts, researchers, and professionals can contribute to and benefit from the advancements in vehicle diagnostics and control. With a focus on democratizing access to the DOIP protocol, OpenCarLink challenges the restrictive policies and secrecy that currently dominate the automotive industry, helping to pave the way for a more open and informed society. >> Read more about OpenCarLink Open Cloud Mesh — Improved specs and test suite for Open Cloud Mesh protocol The Open Cloud Mesh protocol, at its core, defines a wonderfully simple JSON payload to notify another server when a user wants to share a folder or file with a user on that server. It is implemented by some major Enterprise File Sync and Share (EFSS) vendors, and used in production by several serious organisations - including major National Research and Education Networks (NRENs). But its specification and test suite are still lacking in substance and quality. In this project we will improve the specification text, flesh it out to a more strictly defined (RFC-style) text that addresses all aspects and considerations of the protocol. 
In addition we improve the test suite so that it can be run in Continuous Integration (CI) instead of requiring frequent manual intervention, and clarify any incompatibilities we find between implementations. >> Read more about Open Cloud Mesh OpenEMSH — Automatic mesher for FDTD simulation OpenEMS is arguably the only free and open source FDTD solver out there that is usable out of the box for RF (Radio Frequency electromagnetics) design. Its main competitive disadvantage is that FDTD requires simulated models to be meshed according to specific rules, yet it does not provide an automatic mesher to create such meshes. Some facilities already do exist but meshing by hand is time-consuming and error-prone - enough to stand in the way of broader adoption. OpenEMSH aims to be a mesher for OpenEMS that makes it as simple to use as any proprietary solution. >> Read more about OpenEMSH OpenHarbors — Dynamic Tunneling of WPA over IP/L2TP OpenHarbors wants to establish a novel approach for secure communication over an untrusted Wifi network - and beyond: Dynamic tunneling of WPA over IP/L2TP. Why? Because current, secure solutions are not satisfactory: They are either hard to set up, require extra software in advance or are not applicable on an open wireless community mesh network like Freifunk. OpenHarbors will utilize and implement WPA Enterprise with an extra twist: Instead of providing an encryption channel only between your mobile device and the direct WLAN access point you will be able to securely dial-out at any location on the internet you trust and choose and are granted access to. Without the hassle of installing and setting up an extra VPN software on your phone. Without the need of a trusted WLAN access point operator model or closed source firmware, in contrast to current approaches with Passpoint/Hotspot 2.0/eduroam/WBA OpenRoaming and similar - which all are conceptually not applicable on open wireless community mesh networks. 
>> Read more about OpenHarbors Open Web Calendar Stack — Aggregate public and private web calendars The Open Web Calendar stack is an open-source set of Python libraries and programs which read and write calendars based on the iCalendar standard. The Open Web Calendar displays a highly configurable website that can be embedded to show a calendar. Currently, ICS URLs are supported and a goal is to also support CalDAV. Amongst the used libraries is the popular icalendar library to parse and write iCalendar (RFC5545) information. This cornerstone of Python's ecosystem requires some work to be up-to-date with common practice such as updating the timezone implementation. The updates to the icalendar library will be tested and also pushed up the stack to the Open Web Calendar. The recurrence calculation of events is done by the python-recurring-ical-events library. Changes to icalendar will be tested against this library to find compatibility issues. As the iCalendar standard has been updated, recurrence calculation is affected, too. These updates need to be evaluated and possibly implemented for both icalendar and the recurrence calculation. By implementing changes at the base, the whole stack is improved. We can use the Open Web Calendar project to make sure that possible transitions and updates are mapped out and communicated to other projects in the ecosystem. Improving a FOSS solution thus spreads the accessibility of iCalendar. >> Read more about Open Web Calendar Stack Open Web Calendar Stack II — Recurring events and calendar merging The Open Web Calendar creates a highly configurable calendar that can be integrated into existing websites. Its stack is composed of various libraries working with a variety of internet standards/RFCs. This project will amongst others improve the support for recurring events. 
Various widely used Python libraries such as icalendar, mergecal, caldav and dateutil will also receive improvements as well as better documentation to aid developers. Their compliance with the underlying standards will be better tested to cope with the wide range of applications and use cases in the 'wild' - and should improve software quality and stability in millions of installations. >> Read more about Open Web Calendar Stack II Extensive openwifi support for OpenWRT — Software Defined Radio Wifi for OpenWRT routers The internet service provider and the IT department are often responsible for setting up your Wi-Fi network at home and work, respectively. As a result, many people take Wi-Fi routers and APs for granted and do not realize that these devices are complex and vulnerable closed black boxes of software, firmware and hardware. The often-outdated software and firmware on these devices, combined with their hardware and overall black box nature, raise serious security concerns. For example, the US is considering a ban on TP-Link devices. The software community addresses this issue through projects such as OpenWRT. However, these OpenWRT devices still route their wireless traffic through a closed Wi-Fi chip. This project (from the creators of openwifi, the first full-stack open-source IEEE 802.11a/g/n Wi-Fi chip) aims to provide a transparent alternative. The project will deliver fully featured openwifi-on-OpenWRT support for all openwifi-enabled boards. To achieve this, the dependency of openwifi on ADI Kuiper Linux is broken and its hardware description is modularized, allowing us to port openwifi to OpenWRT in a maintainable manner. The result is an openwifi package within OpenWRT, allowing users to choose both open-source software and Wi-Fi chip, thereby enhancing the security and openness of Wi-Fi routers/APs. With this work, we lay the foundation for future developments, including potential partnerships with open-source Wi-Fi router vendors. 
>> Read more about Extensive openwifi support for OpenWRT openwifi: 802.11a/g/n maturity — Improved stability, data rate and reach of openwifi Wi-Fi has become ubiquitous in modern society. While many people might assume that the Wi-Fi chip in their device is a dumb component that merely sends and receives packets over the air, the reality is far more complex. Even the most affordable Wi-Fi chips are sophisticated heterogeneous computing systems, as highlighted by many researchers and hackers. These chips contain multiple types of firmware and silicon fabric working together. The lack of open-source Wi-Fi chips and the transparency of commercial Wi-Fi chips have raised many security concerns, and security threats over Wi-Fi have been around for years. Openwifi pioneered the first open-source soft-MAC Wi-Fi chip/FPGA design in 2019, with 802.11n added in 2020. As more users, researchers, and hackers engage with the project, they have identified issues related to stability, data rate, and communication distance. This maturity-elevating project aims to tackle these issues through improvements in the Linux driver, FPGA, and RF control. The enhanced version will be comparable to commercial Wi-Fi4 chips, such as the ath9k series, and will be capable of operating in more realistic electromagnetic environments rather than just short-range, controlled environments. These advancements will facilitate broader adoption of the project and lay a solid foundation for future developments, including the creation of a real chip. >> Read more about openwifi: 802.11a/g/n maturity Openfire Next-Gen Connectivity — Authentication/SASL improvements to Openfire XMPP server Openfire is a mature, open-source, cross-platform real-time collaboration server based on the XMPP protocol, known for its flexibility and widespread use in decentralized communication. 
Over the past two decades, the XMPP protocol has evolved, introducing new standards that significantly enhance connection setup speed, security, and flexibility. These advancements improve the establishment of authenticated connections, ensuring better overall performance and more robust functionality for real-time communication systems. >> Read more about Openfire Next-Gen Connectivity Openfire IPv6 support — Add IPv6 support to the Openfire XMPP server Openfire is an open-source, mature, cross-platform, real-time collaboration server based on the XMPP protocol. Openfire originated around the turn of the century, and IPv6 was not explicitly supported when it was originally created. As shown by anecdotal evidence, some IPv6 functionality already ‘works’ in Openfire. This, however, is accidental, and not by design. This project intends to add explicit IPv6 support to Openfire. >> Read more about Openfire IPv6 support Organic Maps convergent UI with Qt Quick/Kirigami — Declarative cross-platform UI for navigation Maps navigation software is a crucial part of computer systems today, be it on Mobile, Desktop, Automotive and so on. For quite a long time already, we have had a brilliant open-source maps application, now named Organic Maps. Its features make it a strong competitor to commercial-grade software; among them are privacy, fully offline maps, low battery consumption, navigation, points of interest (POI) and much more. Currently, the application shows its strength on mainstream mobile operating systems only. On other systems, its ability is quite limited, mainly because of the lack of a proper User Interface for them. This project aims to create an Organic Maps convergent touch-friendly User Interface for Linux, backed by the featured Qt Quick/QML application framework, perfectly suitable for this task. This would allow feature-parity for Mobile and Desktop Linux systems, and also creates solid ground for further unification of the User Interface among other platforms. 
>> Read more about Organic Maps convergent UI with Qt Quick/Kirigami Organic Maps bookmarks, hike and bike — Improved bookmarks, address search, map styles and driving Organic Maps is a free, open-source offline map application available for Android and iOS. It provides a privacy-focused alternative to Google and Apple Maps, empowering individuals who value their privacy and freedom from the surveillance ecosystems created by these companies. The app offers downloadable outdoor maps of the entire world, offline multi-point navigation, offline search on the map, saved bookmarks and trails, KML/KMZ/GPX interoperability, elevation contours, track recording, and more. This project focuses on enhancing core functionality: optimizing offline search, expanding bookmark management, and introducing new features for hikers and bikers. >> Read more about Organic Maps bookmarks, hike and bike Overte Visual Scripting — Feature enhancements of FOSS virtual reality platform Overte is a virtual social platform that allows its users to socialize in a more involved way than traditional digital communications, by allowing them to enter worlds using Virtual Reality. It can be used not just for recreational activities, but also education, psychotherapy, congresses, and more. The goal is to support people's need for immersive social platforms, by providing them with something that is privacy respecting and free. As part of this project, we aim to take on bigger maintenance and development tasks that may otherwise happen slowly or remain undone. Such tasks include fixing bugs, updating to Qt 6, and overhauling the UI, as it has accumulated quite some technical debt over the years. >> Read more about Overte Visual Scripting PTT — Unikernel Mailing list server in OCaml Email is still one of the main channels of communication. Setting up and maintaining something as simple as a reliable mailing list in-house is significantly more complex than it ought to be. 
Out of convenience, many organisations and communities outsource running their mailing list service to third-party agents. However, this not only creates an unnecessary dependency but also reduces confidentiality, which can be a critical aspect. This project has the ambition to win back the means of communication, developing a new mailing list application service that is easier to maintain securely (through unikernels using MirageOS), and is efficient in terms of resource usage. The service should integrate into existing infrastructures seamlessly. >> Read more about PTT Patchouli — Arbitrary-sized open hardware EM pen products Patchouli is an open-source electro-magnetic drawing tablet hardware implementation, including a coil array, an RF front end built using commercially available parts, and digital signal processing algorithms. The design is compatible with most commercial pens from different vendors, offering an ultra-low-latency pen input experience for your customized hardware projects. The hardware is released under the CERN-OHL-S license, and the firmware/simulation code is released under the GPL3+ license. >> Read more about Patchouli Better support for display notches and cutouts in Phosh — Better custom shape screen support for Wayland Mobile phones often have notches or cutouts in their displays (often to accommodate the camera), rounded corners or waterfalls (lower resolution areas at the edge of the screen). The aim of this project is to propose and implement a Wayland protocol that gives applications the necessary information about these areas. This allows them to place UI elements in a sensible and visually pleasing way, color lower resolution areas properly and avoid having important information occluded. Besides for mobile shells like Phosh this information is also important for e.g. video players and other full screen applications and out of the box support in toolkits is desirable. 
>> Read more about Better support for display notches and cutouts in Phosh Pijul ecosystem — A modern patch-based version control system Pijul is a modern patch-based version control system that addresses many shortcomings found in existing tools. While its foundations are already mature and well-tested, it lacks many conveniences users expect from the ecosystems of popular tools such as Git. This project aims to significantly reduce Pijul's barrier to adoption by addressing common areas of user feedback - documentation, usability, robustness, and integration into other tools such as text editors or CLI prompts. We believe this will improve the workflow of existing users, and enable many more to adopt Pijul and its benefits without sacrificing other parts of their workflow. >> Read more about Pijul ecosystem Pijul Hybrid — Hybrid patch-based/snapshot-based system for distributed versioning Pijul is a modern patch-based version control system that addresses many shortcomings found in existing tools, based on a mathematical theory of collaborative work. In order to ease the transition from existing tools, and increase utility in a wider set of use cases, this project will work on a better transition story from other tools like Git and Mercurial, and improve tooling around it. In particular, it will deliver a hosting platform called Nest which has features which will be quite different from other hosting services. Pijul is able to apply patches independently from each other, meaning that (reorderable) patches can be used in place of legacy pull/merge requests everywhere. This should make most workflows vastly simpler, as well as result in cleaner code bases. >> Read more about Pijul Hybrid Pimalaya PIM — Memory-safe emails, contacts, calendars, tasks and more Pimalaya aims to improve open-source tooling related to Personal Information Management (PIM). 
Pimalaya has two objectives: to provide solid Rust libraries dedicated to the PIM domain, which serve as a basis for all sorts of top-level applications (meaning their developers can focus on functionality) and to develop a number of quality applications on top of these libraries. Within the scope of this project, Pimalaya will release additional production-grade libraries and tools, expanding its scope to contacts and calendars — through contact and calendar libraries, command line interfaces and plugins. At the end of this grant, the Pimalaya project covers not just email but also contacts, events, alarms and tasks. >> Read more about Pimalaya PIM Plasma Mobile powermanagement improvements — Better power management on mobile Linux Plasma Mobile is an open source user interface for mobile devices developed by the KDE Community. Plasma works on top of various free and open source operating systems such as Linux, offering an attractive open mobile stack. Built on the foundations of Plasma Desktop, Plasma Mobile brings its flexibility to a mobile form factor. To increase mass-adoption of such a free-software alternative, it is important that we offer a great experience in terms of productivity and usability of the platform. One aspect in helping to achieve broader adoption of Plasma Mobile is by extending battery-life: the longer users can use their phone without needing to recharge, the better. This project will improve the power management for Plasma Mobile, also keeping an eye on user experience. >> Read more about Plasma Mobile powermanagement improvements Pleroma — Scalable ActivityPub server written in Elixir Pleroma is an extendable ActivityPub communication server. Pleroma can be as light-weight as you want it to be, fit for both running from a homeserver or from more serious infrastructure. Pleroma embraces customization. Instead of trying to dictate how users should use our software, we give them options. 
From the backend to the frontend, there are hundreds of configurable options to satisfy the different needs of everyone. We know there's no single setup that works for everyone, and are more than willing to listen to users' feedback. Being part of the fediverse of course means interacting with other servers and Pleroma provides the best experience when displaying other types of content, even non-microblogging. The Fediverse nowadays is a very big place with a lot of different people, who don't necessarily agree with each other or have good intentions. To help with the insurmountable task to moderate the stream of incoming and outgoing content, Pleroma has the Message Rewrite Facility, allowing instance administrators to automatically act upon activities including modifying them and deciding whether to show them in the federated timeline or not. Having more detailed and partially automated moderation helps create a network where users don't have to worry about not being able to talk to someone else because the admins didn't have the right tools at their disposal. >> Read more about Pleroma Pre-Scheme — Compile Scheme directly to portable C Pre-Scheme is a statically-typed dialect of the Scheme programming language which compiles to C, suitable for low-level systems programming. Pre-Scheme is implemented using a sophisticated general-purpose compiler, written in Scheme, with demonstrated applications to other programming languages and compilation targets. This project aims to port the compiler to R7RS, the latest Scheme standard, so that it can run on a variety of modern Scheme implementations. The Pre-Scheme language and tooling will also be updated to meet the expectations of a contemporary developer audience, and the compiler framework will be documented and exposed to support future innovations in programming language development and research. 
>> Read more about Pre-Scheme Protomaps — Self-hostable maps based on OpenStreetMap data Protomaps is a free and open source map of the world, deployed as a single file you can host yourself. It enables interactive, zoomable mapping applications with only static storage and HTTP Range Requests. It uses the OpenStreetMap dataset as a primary source; its configurable toolchain can create maps with specific areas, custom data, and different cartographic styles. It’s used in earth science, journalism and the public sector. Protomaps has no vendor lock-in, permits end-to-end data sovereignty, and can ensure end-user privacy. >> Read more about Protomaps Py2HWSW — A tool to manage embedded HW/SW project This project aims to develop an open-source Python framework for managing files, automating project flows of embedded hardware/software codesign projects, and partially generating Verilog hardware components. The framework simplifies the project structure, addresses challenges in Hardware Design Languages like Verilog and VHDL, and automates emulation, simulation, FPGA, and ASIC flows. The proposed Verilog generator offers flexibility, user control and ease of use, producing human-readable code compatible across FPGAs and ASICs. >> Read more about Py2HWSW Py3DTiles - Textured Mesh tiling — OGC 3DTiles 1.1 support for 3D tile conversion tool Py3DTiles is an OpenSource Python module and CLI to create 3DTiles from various 3D geo-referenced data types and formats. It supports point clouds, IFC (BIM) and other 3D data types. It generates datasets suitable for 3D visualization of cartographic data. This project will add support for Textured Mesh conversion. Textured Mesh data can originate from various sources such as drone sensors, satellite imagery, and aerial photography through photogrammetry. Pointclouds can be transformed to Textured Mesh through triangulation. Textured mesh can also be created with 3D design software like Blender or Vue. 
Implementing 3D Tiles conversion capabilities of these data types will reinforce 3D data processing capabilities with opensource software, and increase interoperability and interconnection of software and data processing pipelines. Beyond adding these new capabilities to Py3DTiles, the project will also integrate and develop underlying algorithms and methods to process the data efficiently and handle large amounts of data. >> Read more about Py3DTiles - Textured Mesh tiling Proper Webcam support in Qemu — Better virtualisation of camera interfaces QEMU is one of the most popular open source machine emulators and virtualizers. It supports a wide range of architectures and is capable of emulating many types of hardware devices. Many people rely on QEMU to run alternative operating systems or even as a secure development environment. Sometimes it is necessary to pass camera devices to the QEMU guest and make them available to the system. While it is possible to pass cameras using the generic QEMU USB host emulator, this only works with USB cameras and only makes them available to that single QEMU guest. However, many modern systems move away from USB cameras and provide other interfaces for the camera, and thus cannot be passed through. Our solution is to use the operating system's video API instead to make the video device available. We will focus on providing proper support for the Video4Linux API to emulate a USB video device so that it works with the already existing OS drivers. With proper integration of a camera subsystem, this opens the door to supporting more camera APIs and even extending paravirtualized VirtIO devices in the future to improve video quality for next generation video devices. >> Read more about Proper Webcam support in Qemu RVVM — RISC-V Virtual Machine RVVM is a virtual machine/emulator for RISC-V guests, which emphasizes performance, security, lean code and portability. 
It runs a lot of guest operating systems, including Linux, Haiku, FreeBSD, OpenBSD, etc, and has a rich device infrastructure (Network adapters, NVMe, HID, PCIe with MSI). Emulation performance is very competitive thanks to RVJIT dynamic binary translator. Portability is taken very seriously and only requires C99 as a baseline. We also aim to run RISC-V applications on a foreign host without full OS guest (userland emulation, i.e. RISC-V containers). To prevent theoretical VM escape vulnerabilities from being exploited, we enforce kernel-level isolation, strict codestyle and compiler warning policies, extensive static analysis and use of sanitizers/fuzzers. The RVVM infrastructure is meant to be modular and embeddable - the whole project is contained within \"librvvm\" library and a reference VM manager to make use of it. GDB debug server is also available for kernel developers and the like. The goal under NGI Zero Core is to implement first-class KVM hypervisor support for RISC-V, as well as x86_64 & ARM64 hypervisor variant (reusing the same device emulation infrastructure), shadow pagetable acceleration for guest MMU, and RISC-V Vector extension support which is gaining serious traction and is much needed for software testing. Additionally, a special deduplication image format is in the works which should give immense storage benefits in terms of space saved for build farms and cloud use, as well as atomic write consistency for reliability. >> Read more about RVVM Rackweaver — Design and manage physical infrastructure hosting RackWeaver is an AGPLv3+ cross-platform desktop application for designing and managing data center infrastructure. It describes a complete object representation of one's data centers, including physical locations, port connections, and network configurations. Further, it comprises a suite of tools (both GUI and CLI) to act upon that model and modify it intelligently. 
It is able to generate documentation, switch configurations, and disk images, aid in system monitoring, and more through a plugin system. RackWeaver is built as a native desktop application (using Python and Qt) so that it continues to run for decades. Additionally, it leverages version control and OpenPGP keys to reliably document all changes to one's infrastructure. RackWeaver is usable by anyone, from a solo sysadmin managing a few machines, to a team overseeing multiple autonomous systems, for those who prefer offline, scriptable, and easy-to-use free/libre software. >> Read more about Rackweaver Rauthy — Reliable OpenID Connect IdP and IAM solution. Rauthy is a lightweight and easy to use OpenID Connect Identity Provider. It aims to be simple to both set up and operate, with very secure defaults and lots of config options, if you need the flexibility. It puts heavy emphasis on Passkeys and very strong security in general. The project is written in Rust to be as memory efficient, secure and fast as possible, and it can run on basically any hardware. If you need Single Sign-On support for IoT or headless CLI tools, it's got you covered as well. You get High-Availability, client branding, UI translation, a nice Admin UI, Events and Auditing, and many more features. By default, it does not depend on an external database but runs on top of Hiqlite, an embeddable SQLite database that can form a Raft cluster to provide strong consistency and high availability - although it can use e.g. Postgres as an alternative. This makes it simple to operate, while scaling up to millions of users easily. >> Read more about Rauthy Reaction — Event-based system programming A lot of bots roam the internet, scanning server ports and web endpoints, and filling out any web form they come across - continuously on the lookout for vulnerabilities to exploit. 
In order to maintain server security, one of the currently most common defense mechanisms is to monitor logs for repetitive behaviour, or specific patterns implying the involvement of bots. With tools like fail2ban, one can write simple rules to automatically isolate machines identified as suspect. Reaction wants to provide a more modern and efficient approach to regex-based log scanning, allowing multiple reaction instances to communicate, sharing bans across an entire infrastructure as well as more intelligent and user-friendly soft bans. This extends the scope of this class of tooling allowing it to act as a light monitoring tool, or an orchestrator for any other event-based actions. >> Read more about Reaction Real Time Litex Extension — Real time capabilities for FPGA-based RISC-V core The Core-Local Interrupt Controller (CLIC) is a RISC-V standard extension that enhances real-time performance by enabling the prioritization of interrupts based on levels and priorities. This feature allows developers to have fine-grained control over interrupt prioritization, leading to more efficient handling of real-time events. In this project, we propose to replace the original interrupt controller of the VexRiscv based processor core family with CLIC. By implementing the CLIC, VexRiscv can efficiently propagate the highest-level, highest-priority pending interrupt to the core, significantly improving real-time responsiveness. The CLIC implementation also introduces features like selective hardware vectoring and the special register (xnxti CSR), which further optimize interrupt handling. >> Read more about Real Time Litex Extension Redox OS Unix-style Signals — Add Unix-style signal handling to Redox Operating System Redox OS is a Unix-like microkernel based operating system written in Rust. It is intended to provide a secure and reliable alternative to Linux. Redox is continuing to add functionality to provide source-code compatibility for most Linux software. 
This project will provide Redox with Linux-compatible inter-process signals, including signalling to process groups, processes and threads, and improved process management. >> Read more about Redox OS Unix-style Signals Renderling — Real-time rendering library on top of WebGPU Renderling is an innovative, GPU-driven real-time renderer designed for efficient scene rendering with a focus on leveraging GPU capabilities for nearly all rendering operations. Utilizing Rust for shader development, it ensures memory safety and cross-platform compatibility, including web platforms. The project, currently in the alpha stage, aims for rapid loading of GLTF files and handling large, animated scenes with many lighting effects. Development emphasises performance, safety, observability, and the use of modern rendering techniques like forward+ rendering and physically based shading. >> Read more about Renderling NetBSD Reproducibility — Extend Reproducibility for CTF Debugging Infos and NetBSD Image Creation The NetBSD operating system is built from a single source code repository and supports a great variety of different hardware and CPU variants. NetBSD has a working infrastructure for being reproducible, thus you can verify e.g. that an install ISO was created from an untampered repository. As NetBSD is technically always cross-compiled, it can be built on several platforms, most commonly on NetBSD itself and on Linux. This project aims to fix two issues where a Linux-based build host creates different output than a NetBSD host. Ports using the newer GCC-12 based compiler usually use the CTF debugging format, where the binary representation (probably due to different sorting) differs between Linux and NetBSD builds. The second issue is with install image creation, where symlink permissions and owner/permission bits from the building host leak into the image, breaking reproducibility.
Both of these issues affect the widely used amd64 (usual PCs and Laptops) and arm/aarch64 (Raspberry Pi) ports. >> Read more about NetBSD Reproducibility Rivista — Publish and consume news feeds via XMPP Rivista Journal is an open-source, minimalist journaling platform which is designed for writers who want a simple and distraction-free writing experience. It is built to support the XMPP protocol, allowing people to publish content which can be shared and discovered across different platforms, such as Blasta, Libervia, and Movim, over the decentralized network. In addition to being cost-effective and having low maintenance overhead, Rivista Journal focuses on providing a clean interface that emphasizes writing and reading without the clutter often associated with more complex content management systems. >> Read more about Rivista Free and open source NPU Drivers — Libre drivers for Neural Processing Units As of today, companies that sell components that include accelerators for machine learning workloads (NPU, TPU, DLA, etc) are generally engaged in vendor lock-in practices that interfere with the ability of their customers to freely choose their partners and adapt their software components to their own needs. This project aims to incentivize providers of accelerating hardware to move to more fair practices by reverse engineering their hardware and writing open source implementations of the corresponding software stack, for interoperability purposes. These drivers become part of projects such as the Linux kernel and the Mesa project, and will become available to users via existing distributions such as Debian, Fedora and NixOS. 
>> Read more about Free and open source NPU Drivers Rosenpass Broker — Expanding the Rosenpass API's to enable easy integration in applications Rosenpass is a post-quantum secure cryptographic protocol, an implementation of that protocol in the Rust programming language, and a governance organization stewarding development of both protocol and implementation. When used with WireGuard, Rosenpass functions as a ready-to-use virtual private network with full security against quantum attackers. This project extends the current basic API in order to allow Rosenpass to double as a programming interface for other programmers to integrate this functionality into their external applications. >> Read more about Rosenpass Broker Rust crate auditing and source correspondence checks — Better supply chain security for Rust crates + packages in distributions This project aims to harden the flow from upstream project sources (in version control), via published tarballs (on crates.io), to Linux distributions (RPM packages), by checking published sources for unexpected differences from version control, and other changes - including metadata changes - between released versions. An additional goal is for issues that are uncovered by this process - or during review for their inclusion in Linux distributions - to be made available to the broader Rust ecosystem. >> Read more about Rust crate auditing and source correspondence checks SCION Open Source Implementation — Performance improvements for SCION reference Implementation SCION Open Source is an implementation of the SCION architecture that allows trusted, highly resilient, and path-aware routing infrastructure to be built by ISPs, CDN/cloud providers and enterprises. It supports inter-domain multipath routing by discovering paths between participating Autonomous Systems that can be combined into selectable cryptographically validated end-to-end paths.
This provides higher assurances that packets will follow particular paths which can prevent route leaks and hijacks, and allow data to be geofenced thereby ensuring compliance with legislation such as GDPR and NIS2. SCION also supports fast multi-path discovery and fast failover as its path discovery process does not rely on BGP iterative convergence or forwarding table updates. Having a performant and robust open source implementation ensures there’s a viable alternative to commercial and closed source implementations which is a prerequisite for some large potential adopters. >> Read more about SCION Open Source Implementation SCION-enabled IPFS and libp2p — Enhancing IPFS Performance and Resilience through SCION's Path-Aware Networking SCION is a clean-slate Next-Generation Internet (NGI) architecture which offers, among others, multi-path and path-awareness capabilities by design. Moreover, SCION was designed to provide route control, failure isolation, and explicit trust information for end-to-end communication. As a result, the SCION architecture provides strong resilience and security properties as an intrinsic consequence of its design. The goal in this project is to leverage the path-awareness in SCION to align the storage and lookup in IPFS with the underlying network in an optimal manner, while at the same time using SCION to establish trust between the entities. >> Read more about SCION-enabled IPFS and libp2p Toward a Fully-Verified SCION Router II — Align router code with formal verification tooling SCION is a next-generation Internet architecture that addresses many of the security vulnerabilities of today’s Internet. Its clean-slate design provides, among other properties, route control, failure isolation, and multi-path communication. This project concerns the implementation part of a larger effort that is verifying the core component of the SCION inter-domain routing architecture - the SCION router.
SCION’s open-source router should not only be memory-safe but should implement the SCION protocols correctly in order to provide the intended security and correctness guarantees. >> Read more about Toward a Fully-Verified SCION Router II SMAesH-Mode — Side-channel protected hardware implementation of AES The security of internet devices relies on cryptography for many features such as secure communications, secure boot or user authentication. In many cases, the underlying cryptographic building blocks are implemented in hardware for efficiency and/or security reasons. Further, many devices can be attacked through physical side-channel leakage such as power consumption or electromagnetic emanations (EM). Critically, these attacks do not strictly require direct physical access to the device, and attacks based only on remote physical access have been demonstrated (e.g. EM a few meters away). Nowadays, AES remains a fundamental block cipher in most security solutions. In this context, SMAesH is an open-source side-channel protected hardware implementation of the AES that could be used in secure micro-controllers for direct use in protocols that rely on AES, or as a building block for secure storage. However, a block cipher is rarely used alone, and is instead integrated in a mode of operation that provides confidentiality and/or integrity, which are currently not supported by the existing SMAesH IP. This project mainly aims at extending SMAesH to include support for common modes of operation (GCM, CBC and CTR). Besides, our goal is to make SMAesH easy to integrate with open-source hardware designs by implementing a standard TileLink bus interface. >> Read more about SMAesH-Mode Security audit of Sailfish FOSS components — Analyse security of secrets, Sailfish ofono and Sailjail Sailfish is a European mobile operating system developed by the Finnish company Jolla.
This project will conduct independent security research into the Sailfish FOSS components, with a focus on its cryptography, 5G support and sandboxing of the SailfishOS operating system. The project will also compare Android and SailfishOS on their app permissions, encryption and isolation mechanisms. The researchers are not affiliated with the company behind the development of SailfishOS. >> Read more about Security audit of Sailfish FOSS components Scheme Testing Framework — Modernise testing for Scheme This project addresses a critical gap in the Scheme ecosystem by delivering a comprehensive and extensible testing framework that will serve as foundational infrastructure for current and future development. The Scheme family of languages powers numerous important projects in reproducible builds, decentralized systems, and security-critical applications, yet lacks a modern, well-designed testing solution compatible with today's development practices. Our library bridges this gap, enabling interactive testing workflows with immediate feedback for REPLs and IDEs while supporting automated CI/CD pipelines through standardized interfaces. By creating an SRFI specification with an implementation-agnostic design, proper test isolation, and metadata-driven test runners, we will empower developers to build more reliable software across the entire Scheme ecosystem. This contribution in core development infrastructure will strengthen existing projects, lower barriers to entry for newcomers, and enable the next generation of Scheme applications. >> Read more about Scheme Testing Framework SelfHostBlocks — NixOS based server management for self-hosting It is obvious by now that a deep dependency on proprietary service providers - \"the cloud\" - is a significant liability. One aspect often talked about is privacy which is inherently not guaranteed when using a proprietary service and is a valid concern.
A more punishing issue is having your account closed or locked without prior warning. When that happens, you get an instantaneous sinking feeling in your stomach at the realization you lost access to your data, possibly without recourse. Hosting services yourself is the obvious alternative to alleviate those concerns but it tends to require a lot of technical skills and time. SelfHostBlocks (together with its sibling project Skarabox) aims to lower the bar to self-hosting, and provides an opinionated server management system based on NixOS modules embedding best practices. Contrary to other server management projects, its main focus is ease of long term maintenance before ease of installation. To achieve this, it provides building blocks to set up services. Some are already provided out of the box, and customising or adding additional ones is done easily. The building blocks fit nicely together thanks to contracts which SelfHostBlocks sets out to introduce into nixpkgs. This will increase modularity, code reuse and empower end users to assemble components that fit together to build their server. >> Read more about SelfHostBlocks Servo: Benchmarking and Statistics — Infrastructure for benchmarking and testing Servo Servo is a web engine written in Rust that already provides results from the Web Platform Test Suite. However, these results may be difficult for newcomers to understand, as they lack a clear indication of the progress in supporting modern web standards. This creates challenges for the community in assessing the current state of development. When the community inquires about the support for specific features, these capabilities can often only be verified through manual testing. Moreover, finding information about Servo's performance can be equally challenging.
To address these issues, this project aims to develop an infrastructure to benchmark and report on the current state of Servo, monitor performance differences between commits, and present these metrics and supported features in a more comprehensible way. This will give the community a clearer understanding of the state of the Servo project, leading to a more active and engaged contribution environment. >> Read more about Servo: Benchmarking and Statistics Multiprocess Mode in Servo — Speed up Servo with parallelisation While Servo already has multi-process mode, it’s not enabled by default. The main reason is that it isn’t completely supported on every platform yet. Only Linux and macOS have full support. It also isn't tested in the WPT suite. In this project, we want to complete the feature set of multi-process mode in Servo, set it to default, and encourage other projects based on Servo (like the Verso browser) to use it, as they could massively benefit from this multi-process architecture. >> Read more about Multiprocess Mode in Servo Servo Script Improvement — Refactoring Servo’s script crate The Servo web browser engine is back to its pace of development, but many improvements are still needed in Servo's script crate, which needs to adequately implement every Web API. Several DOM structures have become slightly outdated because of the lack of maintenance. Some basic script types are missing, and patches from Spidermonkey still need work. Within the scope of this project we will address the most needed fixes and improvements for the script crate. >> Read more about Servo Script Improvement Slint port for Android — Port the Rust-based Slint UI toolkit to Android Slint is a next generation declarative GUI toolkit that supports multiple programming languages such as Rust, C++, and JavaScript. Implemented in Rust, a language known for its memory safety and performance, Slint can run on platforms such as Windows, Linux, Mac, QNX, and microcontrollers. 
The popularity of Android as a mobile phone operating system has influenced the standardisation of drivers on embedded systems to the extent that it's possible to easily procure off-the-shelf embedded hardware that can run Android. Slint will be the first native (non-web based technology) Rust based toolkit for creating applications on Android and will allow designers and developers an alternative open source option to build the user interface for their applications. >> Read more about Slint port for Android Slint on iOS — iOS support for typed declarative UI toolkit Slint is a next generation declarative GUI toolkit that supports multiple programming languages such as Rust, C++, Python and JavaScript. Implemented in Rust, a language known for its memory safety and performance, Slint can run on platforms such as Windows, Linux, Mac, Android, QNX, and microcontrollers. This project will add iOS as a fully supported platform to enable developers to create their cross-platform applications with Slint. Slint will be the first native (non-web based technology) Rust based toolkit for creating applications on iOS, allowing designers and developers an alternative open source option to build the user interface for their applications. >> Read more about Slint on iOS Slixfeed — News feed delivery through standard-based instant messaging Slixfeed is a vigorous syndicated news aggregator which runs as a chat client and also as an HTTP server. It can concurrently manage and serve multiple contacts (news sources), schedule update interval, customize the amount of items per update, and filter items by keywords; in addition, it can also create new pages from syndicated news sources in a chronological order, either from HTML over HTTP or PubSub over XMPP.
Slixfeed has a special niche for XMPP as it utilizes Ad-Hoc Commands and Data Forms which, intertwined, form a visual and interactive interface which lets you seamlessly manage your sources, as if your chat client was a news reader. >> Read more about Slixfeed Snix-{Store/Build} — Improve store and builder component of Snix Snix is a modern design and implementation of the Nix package manager (GPLv3). It brings a modular architecture in which components such as the build environment or package store are replaceable, which enables new use-cases and platforms. A graph-reduction evaluation model will make it possible to use Nix for package definitions and entire system configurations, its proven and tested use case, as well as for granular build definitions for individual components of software. Snix will be fully compatible with nixpkgs, the existing package definition set for Nix, letting its users leverage more than a decade of community contributions and making it useful right out-of-the-box. This particular project focuses on the Store and Builder components of Snix, upgrading the store protocol, improving the Builder API as well as providing more interop with Nix. >> Read more about Snix-{Store/Build} SoCLinux — Easier driver development for Py2HWSW framework SoCLinux is an open-source project that aims to configure and generate a Linux system for RISC-V processors, focusing on creating a robust and maintainable environment for designing and testing IP cores. The project builds upon the existing open-source Py2HWSW framework powering the IOb-SoC platform, enhancing the functionality and portability of IP cores, by using as examples the key IOb-Cache, IOb-Eth, and IOb-UART16550 open-source cores. By providing a Linux IP core testbed, SoCLinux enables developers to build and test Linux drivers for new IP cores quickly, accelerating the production of high-quality IP cores, open-source or otherwise.
The project aims to establish a widely adopted and maintainable ecosystem for IP core development, benefiting the broader community of IP core providers and users. SoCLinux will leverage the IP-XACT standard (IEEE 1685) for IP core packaging, and seamlessly exchange IP cores with FuseSoC, a well-known open-source IP core package manager. >> Read more about SoCLinux SocksTrace — Ptrace based proxy leak detector Proxy leaks are a class of software vulnerability in which network traffic intended for a proxy (e.g. Tor) is instead sent without a proxy, risking the deanonymization of the user. Auditing software for proxy leaks is presently nontrivial, e.g. tools like tcpdump and Corridor generally require invasive privileges, cannot audit for stream isolation leaks, and provide limited diagnostic capabilities. SocksTrace is a proxy leak detection tool, suitable for CI testing or manual QA testing, that utilizes the ptrace feature of Linux to detect socket syscalls that would bypass a proxy. If a proxy leak is detected, SocksTrace can respond by (among other things) denying the syscall, redirecting the connection to a proxy, or logging a stack trace. SocksTrace is written in Go, making it memory-safe and securely bootstrappable. >> Read more about SocksTrace Solid NC 2024 — Add more Solid capabilities to Nextcloud The Solid Nextcloud project implemented a server component with the Solid specification for Nextcloud, which makes one's Nextcloud server a Solid server as well. This allows users to use their existing server for identity and storage within the Solid eco-system. To enhance security and to enable easier cooperation and release of new versions we need to improve a number of things. The CI/CD of the project will be improved. Based on an earlier audit, we will implement a number of security enhancing features and we will release a PHP Solid Server next to the Solid Nextcloud module. These servers share a lot of code, which makes maintenance easier.
The advantage is that PHP has a security maintenance cycle of three years, making it easier for users to stay secure when using a Solid server. >> Read more about Solid NC 2024 Solid Application Interoperability — Easy to deploy authorization for Solid Applications Solid Application Interoperability specification details how Agents in the Solid ecosystem can read, write, and manage data stored in a Solid pod using disparate Applications, individually or in collaboration with other Agents. Solid is a specification that lets people store their data securely in decentralized data stores called Pods. Pods are like secure personal web servers for data. When data is stored in someone's Pod, they control which people and applications can access it. Solid Application Interoperability provides a clear way to create intuitive data boundaries and higher-level patterns to manage access to that data following the principle of least privilege. This project focuses on finalizing the enforcement of user-defined access policies and improving related user experience (UX), development experience (DX), and deployability. Solid Project was founded by Tim Berners-Lee and is currently stewarded by the Open Data Institute (ODI). Incubation of technical reports happens in the W3C Solid Community Group. Some drafts have already been provided as inputs to the W3C Linked Web Storage Working Group which is chartered to publish final specifications. >> Read more about Solid Application Interoperability Spade — Standalone Hardware Description Language Spade is a hardware description language that draws inspiration from modern software languages to make hardware development more productive, more fun, and less error-prone. A big part of what makes this possible is the type system which helps prevent bugs and makes the code more maintainable. 
A common source of errors in hardware designs is clock domain crossing: signals should never cross domains accidentally, and when they do cross, it must be done correctly. Failure to correctly cross domains leads to intermittent problems that can take significant effort to find and fix. By making the language and compiler aware of clock domains through the type system, we will be able to detect and warn programmers about accidental clock domain crossings at compile time. We will do this in an ergonomic way, where the user only has to specify clock domains on module inputs and outputs with the compiler being able to infer the rest. In addition, the default case of a module that only spans a single domain should not require any explicit domain information from the user to avoid unnecessary verbosity. >> Read more about Spade Spritely Oaken — Secure 3rd party extensibility with capability-based Scheme Spritely Oaken is a new programming system in the Scheme family, designed to provide strong security with a capability-based architecture. It will make it possible to safely add untrusted third-party code to programs without the usual risks of malicious code. Oaken builds on established ideas from the Scheme implementation ‘Scheme 48’, and will both extend this functionality and bring it to an actively maintained platform, Guile. This will eventually provide simple integration with Spritely’s Goblins system for distributed applications, which is also built on Guile. Oaken will play an important role towards enabling distributed and democratic internet platforms. >> Read more about Spritely Oaken Stalwart Collaboration Server — Integrated solution for email, calendaring and file management Stalwart Mail Server was created to address the challenges of email self-hosting by offering a modern, secure, and easy-to-maintain solution.
With support for JMAP, IMAP4, POP3, and SMTP, it provides individuals and businesses with a powerful, privacy-focused alternative to third-party email providers. Now Stalwart is expanding beyond email with the introduction of Stalwart Collaboration Server, a new component that will complement Stalwart Mail Server and transform the platform into a complete, self-hosted collaboration suite. Stalwart Collaboration Server will provide built-in support for calendars using CalDAV and JMAP for Calendars, contacts management through CardDAV and JMAP for Contacts, and file storage and sharing via WebDAV and JMAP for File Management. By combining email, calendaring, contact management, and file storage in one open-source solution, Stalwart will offer a powerful alternative to proprietary platforms like Microsoft Exchange. Organizations will be able to self-host their entire collaboration stack while maintaining full control over their data, ensuring privacy, security, and scalability. Stalwart Collaboration Server will extend the project’s mission to modernize, democratize, and decentralize essential communication and collaboration tools. With this expansion, businesses and individuals will no longer need to rely on closed-source, vendor-locked solutions. Instead, they will have access to a fully integrated, scalable, and privacy-focused platform that empowers them to communicate and collaborate on their own terms. >> Read more about Stalwart Collaboration Server Transitioning SMM Ownership to Linuxboot — More robust defense Against Firmware Vulnerabilities In an era marked by escalating cybersecurity threats, firmware security is one of the biggest blind spots. One pervasive weakness lies in an architectural design called System Management Mode (SMM). Sometimes referred to as “Ring -2”, SMM is used by device manufacturers to interact with hardware like NVRAM, emulate hardware functionality, handle hardware interrupts or errata, and perform other functions.
The unrestricted, non-standardized control inherent to SMM implies significant security vulnerabilities. There is no shortage of Day-0 and Day-1 Firmware vulnerabilities related to SMM. Current industry practices open a wide door for cyber attacks, and the attacker can even bypass the secured OS kernel with the SMM loopholes. This proposal introduces a novel SMM architectural design, by transitioning SMM ownership from core firmware (e.g. coreboot) to payload - in this case Linuxboot. This will leverage the robust, open-source nature of Linux’s SMM drivers, as its drivers have been proven to work very well over decades, and their open source nature makes security reviews easier. This initiative aims to develop and universalize a secure architectural design in collaboration with chip vendors, thus elevating the resilience and integrity of our digital ecosystem. >> Read more about Transitioning SMM Ownership to Linuxboot Standards Grammar Catalog/Toolchain — Open Standards Grammar Catalog/Toolchain The Open Standards Grammar Catalog/Toolchain makes it easier to implement a format or protocol by translating its machine-readable definition, usually in a language such as ABNF, into forms readily compatible with popular programming languages, like regular expressions, YACC, ANTLR, and native code. By providing a toolchain for making these translations, assembling a catalog of commonly used formats & protocols, and publishing a developer-friendly website for browsing the grammars and generating translations, these tools will reduce the need to manually write a parser, ultimately reducing errors due to hand-written code, and enhancing interoperability.
>> Read more about Standards Grammar Catalog/Toolchain Stencila v2 for ERA and EPP — Add editable, runnable code to scientific publications Stencila offers a platform for collaborating on, and publishing, dynamic, data-driven content with the aim of lowering the barriers for creating data-driven documents and making it easier to create beautiful, interactive, and semantically rich, articles, web pages and applications from them. The latest version, a rewrite in Rust, is aimed at leveraging two relatively recent and impactful innovations: conflict-free replicated data types (CRDTs), for de-centralized collaboration and version control, and large language models (LLMs) for assisting in writing and editing prose and code. These technologies used together provide an advance in scholarly communication of research findings by powering the Enhanced Preprint Platform and Executable Research Articles at publishing venues such as eLife and GigaScience. >> Read more about Stencila v2 for ERA and EPP Structured Email for Roundcube — Add schema.org metadata awareness to open source email Email is probably the only open and widespread technology bridging our private information space (Mobile, Desktop) and the public Internet. It can in fact be considered our \"personal API\". Structured Email for Roundcube develops a plugin for the popular Roundcube Webmail software, which extracts Schema.org data embedded in email messages. Based on that, it allows for new ways of presenting emails and interacting with them. >> Read more about Structured Email for Roundcube Surfer Waveform Viewer — Analyse signal levels in simulated circuits Surfer is an open source waveform viewer, primarily aimed at debugging digital designs. It is built for flexibility, extensibility, and speed to operate on most platforms. Although fully operational for many tasks, there are features to be added to improve the usability further. 
This project aims to implement the most requested missing features and pave a way for additional extensibility. >> Read more about Surfer Waveform Viewer Client Proof-of-Work in TLS — Mitigation against DoS amplification on the TLS handshake The computationally expensive nature of asymmetric crypto in TLS makes it vulnerable to denial-of-service attacks. We propose an extension to TLS that mitigates this attack vector, shifting the advantage from the attacker to the defender. The project will deliver a draft spec, mergeable patches for leading TLS libraries, and a measurement report explaining the results. >> Read more about Client Proof-of-Work in TLS TSCH-rs — Time Slotted Channel Hopping implemented in Rust Time Slotted Channel Hopping (TSCH) is a Medium Access Control (MAC) layer protocol described in IEEE 802.15.4e designed for low-power and lossy networks. Devices are allocated time slots in which they can transmit and/or receive frames. The rest of the time the radio is turned off, reducing energy consumption. Consecutive transmissions are done on different frequencies to tackle interference. Implementations of TSCH can be found in Contiki-NG and OpenWSN, both written in C. TSCH-rs is a TSCH implementation written in Rust, providing ease of maintenance, security and reliability. Furthermore, the implementation aims to be hardware-agnostic, making it easy to port to different IEEE 802.15.4 based radios. The Rust network stack for IEEE 802.15.4 radios already contains an implementation for 6LoWPAN and RPL. TSCH-rs will be a valuable addition to the Rust based low-power IEEE 802.15.4 network stack. >> Read more about TSCH-rs Tau — Remote sharing of terminal sessions A common problem among people working on a command-line interface is to share their terminal session with one or many other people via the internet, ideally along with an audio stream, without viewers having to install any specific software.
This project creates a solution that enables anyone with a web browser to receive such a broadcast. Unlike generic screensharing alternatives, a broadcast created by .tau will not be a stream of compressed video but rather a stream of ASCII characters with preserved timing as well as the broadcaster's terminal look & feel, and giving the ability to easily copy text. The broadcaster will have a nice and easy experience installing a piece of software which accomplishes this. Upon completing a broadcast, a single resultant file is available for later viewing on the internet and or private distribution. Simple, portable and robust. >> Read more about Tau Teamtype — Real-time co-editing of local text files Teamtype (previously Ethersync) aims to enable real-time collaborative editing of local text files. Similar to Etherpads, it facilitates multiple users to work on content simultaneously, enabling applications such as shared notes or pair programming. However, following a \"local-first\" approach, all files reside on the users' computers, allowing them to use their familiar editors and workflows, and to retain user control. This design enables a kind of collaboration that is simple and direct, stable and flexible, and preserves privacy. Teamtype is a supplement to tools that track larger changes on text files, like Git, and can be used in combination with it. The project leverages CRDTs, and consists of a server component, a cross-platform local synchronization daemon, and editor plugins. >> Read more about Teamtype Threadiverse Reproducible Deployment — Reproducible deployment for Threadiverse servers Fediverse is more than short form microblogging. The ActivityPub protocol connects all kinds of software for various communication needs. Some of those are concentrated on long blogs and threaded discussion forums. A common understanding of conversations in ActivityPub and their secure and safe-from-spam implementation is being developed in several fediverse projects. 
This project focuses on stable and documented automated deployment for two of them - Hubzilla and Streams, including interoperability tests. This will support threadiverse standardization efforts, and help to bring features like group photoalbums and full channel portability between instances. >> Read more about Threadiverse Reproducible Deployment Titanic — Database server to synchronize vast collections of CRDT documents Yjs is a Conflict-free Replicated Data Type (CRDT) which enables developers to build collaborative applications, just like Google Docs and Figma. Most CRDT implementations work just like any other data type, but they automatically sync with other peers without conflicts. Today, Yjs is among the most used technologies for building collaborative applications. The developers observed the development of competing CRDTs, and recognize the need for more specialized CRDTs for specific use-cases. Syncing many CRDT instances with different permissions is still an unsolved problem. Syncing documents individually quickly becomes infeasible with an increasing number of documents in a local-first app. This project will therefore develop Titanic, an isomorphic database (works in the browser, Node.js, Deno, Bun, ..) that can host different CRDT implementations. It will sync many CRDT instances efficiently in a network-agnostic manner. While it will support custom authentication approaches, Titanic will ship with a role-based document-level permission system that prevents unauthorized users from reading or writing documents. >> Read more about Titanic TrenchBoot as Anti Evil Maid - UEFI boot mode support — Add UEFI to the Qubes integration of Trenchboot with AEM Qubes OS is a free and open source operating system uniquely designed to protect the security and privacy of the user. Its architecture is built to enable the user to define different security environments (\"qubes\") on their computer and visually manage their interaction with each other and the world. 
TrenchBoot provides a secure environment for operating system launch and integrity measurements, ensuring greater protection. The main objective of the TrenchBoot as Anti Evil Maid project is to enhance the security of Qubes OS by integrating the TrenchBoot Project with the Anti Evil Maid (AEM) implementation. Through comprehensive hardware testing, the successful execution of this initiative will promote the adoption of DRT technology in open-source and security-oriented operating systems, ensuring enhanced security for Qubes OS. This project will prioritize stability, testing, and ensuring the reproducibility of results for broader community adoption. >> Read more about TrenchBoot as Anti Evil Maid - UEFI boot mode support Tusky — Android client for ActivityPub Tusky is an Android client for the popular social media server Mastodon. It also unofficially supports other platforms leveraging the same standard (W3C ActivityPub), such as Pleroma, Pixelfed and GotoSocial. This project will add official support of GotoSocial to Tusky, as well as update the codebase and improve accessibility. >> Read more about Tusky HTML export for Typst — Markup based typesetting for multichannel publishing Typst is a markup-based typesetting system that is designed to be as powerful as LaTeX while being much easier to learn and use. Currently, Typst outputs documents only as PDF, yet there is strong demand for generating HTML. We want to extend Typst such that it can create high-quality HTML and PDF versions from the same document, which is currently not possible with comparable programs. As a result, Typst could be used in a variety of new scenarios, such as the generation of websites and e-books. Furthermore, this will improve the accessibility of the output documents. 
>> Read more about HTML export for Typst UnifiedPush — Decentralized and open-source push notification protocol Push notifications are essential to the modern mobile experience, as they enable applications to communicate with users in real time, even when not in active use. Major mobile operating systems provide a centralized service that they control, but depending on a centralized push notification system controlled by one company raises issues of privacy and independence. UnifiedPush is a decentralized and open-source push notification protocol. It is a set of specifications and libraries that allow the user to choose how push notifications are delivered. It is compatible with WebPush, the standard for web applications. >> Read more about UnifiedPush UnifiedPush — Decentralized push notification protocol with libre implementations Push notifications are essential to the modern mobile experience, as they enable applications to communicate with users in real time, even when not in active use. Major mobile operating systems provide a centralized service that they control, but depending on a centralized push notification system controlled by one company raises issues of privacy and independence. UnifiedPush is a decentralized push notification system that lets the users choose the service they want to use. It’s designed to be privacy-friendly, flexible, and open. It is compatible with WebPush, the standard for web applications. >> Read more about UnifiedPush Toward a Fully-Verified SCION Router — Formal verification of the reference open source SCION Router SCION is a next-generation Internet architecture that addresses many of the security vulnerabilities of today’s Internet. Its clean-slate design provides, among other properties, route control, failure isolation, and multi-path communication. This project will demonstrate the feasibility of verifying the core component of the SCION inter-domain routing architecture - the SCION router. 
Prior work has proved that the SCION data plane protocols are secure. The focus of this project is on verifying that SCION’s open-source router is memory-safe and implements those protocols correctly and, thus, provides the intended security and correctness guarantees. >> Read more about Toward a Fully-Verified SCION Router VersatAI — Automation of ML/AI algorithm support in computational accelerators Versat is a Coarse-Grained Reconfigurable Array (CGRA) compiler and programming framework to accelerate AI and ML workloads on open-source RISC-V-based systems. The VersatAI project will enhance Versat to automate AI/ML accelerator generation by translating standard representations of these algorithms such as ONNX into optimized RISC-V programs accelerated by a CGRA. Leveraging prior work in cryptographic acceleration and SoC integration, the project will focus on key AI/ML tasks like convolutional neural networks and transformers. The development will be fully open-source, ensuring compatibility with industry-standard AI frameworks and improving CGRA accessibility for AI applications. >> Read more about VersatAI Verso Views — A Functional Browser Based on Servo Verso is a web browser based on Servo web engine. While Servo hasn’t been treated as a fully functioning browser, it is possible to build one based on it already. We plan to expand this into a formal and stable application release, eventually implementing the features, making it not just a general browser application but also a webview library for embedding purposes. There are some missing features we still need to push into Servo. And there are also other works that require time and resources to make a barebone web engine into a stable application. We hope to take this project as a chance to finally make an individual repository using Servo as a dependency. In this way, Servo can focus on issues and features of the web engine itself. 
In the meantime, other chores related to the application itself can be off-loaded to other repositories and organizations. >> Read more about Verso Views Webview library with Verso for Tauri — Refactor parts of Verso into a WebView library We aim to publish the Verso browser as a library in addition to the current application approach. This way other projects could use it as a dependency in their software, and render their content with it. The distribution of a shared library is a challenging set of problems (including, but not limited to bundle format, code signing, dependency linking, etc.) that we intend to solve. We also aim to find the best possible solutions to help developers use this library with ease. One of these approaches will be to integrate with Tauri as a webview backend. >> Read more about Webview library with Verso for Tauri VexiiRiscv — Next generation of the VexRiscv in-order FPGA softcore VexiiRiscv (Vex2Risc5) is a hardware project which aims at providing a free/open-source RISC-V in-order CPU which could scale from a simple microcontroller up to a multi-issue/debian capable cluster. While the project already surpasses VexRiscv in multiple domains (performances, 64 bits, debian), it still needs work and testing to reach feature parity (tightly coupled RAM, JTAG debug, optimization, ...), as well as to extend its scope (lightweight FPU, vector unit, ...). This grant would aim at filling those gaps as well as improving its documentation. >> Read more about VexiiRiscv OpenIMSd — 4G/VoiceOverLTE support for open source mobile OSes The OpenIMSd project aims to bring VoLTE (4G voice calls) to Qualcomm based phones (like the PinePhone) running Free Software Mobile Operating Systems including postmarketOS, Mobian, … We will create a daemon which runs in parallel to the Modem Manager, which configures the baseband via QMI and brings up all the required services to be able to place VoLTE calls. 
>> Read more about OpenIMSd Vouivre — A dependent type system for machine learning in Lisp Current machine learning frameworks are built around relatively weak type systems. This is a problem because, at scale, machine learning applications are exceedingly intricate and computationally expensive, therefore making costly runtime errors unavoidable. This is where Vouivre comes into play. Using a dependent-type system, the project aims at enabling users to write machine-learning applications that solve real-world problems with compile-time validation of their correctness, thus preventing runtime errors at a reasonable computational cost. >> Read more about Vouivre Enhance the vulnerability database — Enhance the VulnerableCode vulnerability database \"Using Components with Known Vulnerabilities\" is one of the OWASP Top 10 Most Critical Web Application Security Risks. Identifying such vulnerable components is currently hindered by data structure and tools that are (1) designed primarily for commercial/proprietary software components and (2) too dependent on the National Vulnerability Database (funded by the US CISA and Dept. of Commerce). With the explosion of Free and Open Source Software (FOSS) usage, we need a new approach in order to efficiently identify security vulnerabilities in FOSS components that are the basis of every modern software system and applications. And that approach should be based on open data and FOSS tools. This project delivers unique FOSS tools to aggregate software component vulnerability data from multiple sources, privileging upstream data directly from project maintainers. VulnerableCode organizes that data with a de-facto industry standard Package URL identifier (Package URL or PURL) enabling efficient and straightforward automation for the search for FOSS component security vulnerabilities. 
The benefits are to contribute to the improved security of software applications with open tools and data available freely to everyone and to lessen the dependence on a single foreign governmental data source, or a few foreign commercial data providers. In the new context of the upcoming Cyber Resilience Act (CRA), the access to an open, free and curated FOSS package vulnerability data source is now an imperative. And the organization of vulnerability data by Package URL or PURL identifiers in VulnerableCode enables easy frictionless integration with Software Composition Analysis (SCA) code analysis tool chains, direct enrichment of SBOMs (Software Bill of Materials) to find if SBOM-listed packages have known vulnerabilities, and creation of VEX (Vulnerability Exploitability Exchange) document to communicate the impact of known vulnerabilities >> Read more about Enhance the vulnerability database WPE Android — Embedded-friendly Webview based on WebKit WPE (Web Platform for Embedded) is a WebKit port for Linux-based embedded devices with a focus on flexibility, security and performance on lower-powered devices. Albeit less known than Chromium, Firefox or Safari, WPE is currently deployed in millions of embedded devices (e.g. set-top-boxes, smart home devices, kitchen appliances, infotainment, etc), but it hasn't yet reached those based on the Android Operating System, which has become an important actor for certain types of devices, such as phones, tablets, set-top-boxes and even IoT devices. In such environments, the only option currently available to leverage the power of the Web Platform is to use Android's WebView, which is based on Chromium and therefore problematic in cases where using that is not an option. 
By bringing WPE to Android in the form of an Android WebView-compatible component, we aim not just to make WPE available in more platforms but also to expand the options Android developers currently have so that they can choose between a Chromium-based WebView and a WebKit-based WebView for their applications. This would be great to cover Web rendering needs in general on Android, and particularly beneficial for multimedia-intensive use cases (e.g. set-top-boxes, digital signage...), as well as for other less conventional use cases such as QA & testing (e.g. testing WebKit-based browsers on Android based systems). Last but not least, as a side effect of widening the reach of WPE to Android-based devices, we believe that we would also be bringing more balance and diversity to the Web, by making sure that developers have a realistic alternative to the Chromium-based Web rendering engine they can use to develop their products. >> Read more about WPE Android WPT automatic testing for platform accessibility mappings — Improve testing of platform a10y support in Web Platform Tests In order to support assistive technology (AT), web browsers must provide information about web pages' contents via OS-specific accessibility APIs. The Accessible Rich Internet Applications (ARIA) suite of standards includes specifications concerning how browsers should translate the web page contents into each supported API. To date, these Accessibility API Mapping (AAM) specifications have not been tested in a standard way across browsers. This project will help extend the primary test suite for web standards (https://web-platform-tests.org/) to allow for testing of accessibility APIs. The project also includes writing tests for the Linux accessibility API mappings. 
With these additions to the test suite, we will be able to find interop bugs between browsers and web developers will be able to understand the status of browser support for accessibility features they want to use on the Linux platform. >> Read more about WPT automatic testing for platform accessibility mappings Wax — Add ODF, legacy office and PDF capabilities to Wax Wax (formerly known as CokoDocs) is an open-source, web-based Word Processor that is collaborative by design. In this project we're actively extending CokoDocs' use cases to include paging support (through PagedJS), OpenDocument Format import/export as well as support for some legacy file formats. In addition we will add backend system configuration, asset management, text chat and more. CokoDocs aims to become a best in breed, highly customizable, and innovative word processor with strong privacy and security properties and elegant accessible design. >> Read more about Wax Integration of Waydroid on mobile GNU/Linux — Run Android apps in Linux containers on mobile devices Waydroid lets the user run Android within a container on a regular GNU/Linux system, bringing access to countless existing Android applications. This particular project aims to research and implement tighter integration between the Waydroid container and its host system in terms of hardware access (sensors, location, telephony, cameras) and desktop environment (notifications, media controls), while keeping the user in control of what and when is shared with the Android container. >> Read more about Integration of Waydroid on mobile GNU/Linux Wayland input method support — Better specification for Wayland input methods As Linux distributions switch to Wayland, some functionality is still incomplete. One of them is being able to input non-Latin scripts. It is a necessity for a large portion of the world, yet it's not standardized across Wayland environments. 
The same text input functionality is needed for typing on mobile Linux, which, considering how many people use smartphones rather than laptops, might be even more important for Linux adoption. This project wants to bridge that gap, by continuing the effort of standardizing input-method protocols started for Phosh in Squeekboard, gtk, and wlroots. >> Read more about Wayland input method support WeasyPrint — Print rendering engine for HTML and CSS WeasyPrint helps web developers create high quality print documents. It turns simple HTML pages into gorgeous statistical reports, invoices, tickets… From a technical point of view, WeasyPrint is a visual rendering engine for HTML and CSS that can export to PDF - independent from rendering engine like WebKit or Gecko. It aims to support web standards for printing. WeasyPrint is free software made available under a BSD license. The CSS layout engine is written in Python, designed for pagination, and meant to be easy to hack on. >> Read more about WeasyPrint Webxdc evolve — Comparative analysis of HTML5 app containers Webxdc.org is an evolving standard which defines a format for portable HTML5 applications and an API for local-first, peer-to-peer, end-to-end encrypted applications. For this project we will perform a comprehensive survey of historical and contemporary efforts with similar goals, including those by W3C working groups, independent open-source developers, and noteworthy proprietary platforms. We'll produce reference documents providing developers with a comprehensive overview of the space, summarizing their options for packaging portable HTML5 applications for different platforms, and highlighting affinities between closely aligned projects. As a follow-up, we'll propose additions to the webxdc API based on patterns observed in other projects, aiming to reduce the complexity of common designs and facilitate portability between or interoperability with existing platform implementations. 
>> Read more about Webxdc evolve WgMath — Open GPU scientific computing for every platform Today’s GPU scientific computing ecosystem is still strongly dominated by CUDA, a closed, proprietary technology tied to a specific hardware vendor. The WgMath project aims to empower the scientific computing community, including the web community, with a collection of foundational GPU mathematical libraries that are fully cross-platform (hence not tied to a specific hardware vendor) by leveraging the open WebGPU standard, as well as WebAssembly for browser support. WgMath will provide mathematical compute shaders for linear algebra, geometry, and rigid-body physics simulation; as well as some utilities for easily combining WGSL shaders through Rust libraries and its popular Cargo dependencies management tool. With the creation of these foundational libraries, we aim to promote the development of a scientific computing community building highly performant, reusable, cross-platform, scientific computing projects, while relying on open standards, and preserving freedom of GPU hardware selection. >> Read more about WgMath Whippet — A new local maximum in safe, managed memory Whippet is a new automatic memory manager (garbage collector) which is designed to be incorporated into the Guile Scheme programming language implementation. Switching to Whippet should improve the speed and scalability of Guix and other Guile-based software while also lowering total system memory usage. This project aims to push Whippet over the finish line, filling in missing functionality and doing the last-mile work to incorporate Whippet into Guile. The anticipated results should also give confidence to other language run-times looking for a state-of-the-art, embeddable, minimal, no-dependency garbage collector. 
>> Read more about Whippet Willow Sync — General Sync Protocol for Willow written in Rust Willow is a protocol for syncable data stores, forming resilient data networks which can endure indefinite connectivity outages. This protocol brings qualitative advances to data deletion in distributed networks, supports completely decentralised fine-grained permission schemes, and has been designed to use memory, bandwidth (and consequently energy) efficiently. In this project, the Willow protocol will be implemented using the Rust programming language. This new implementation will be able to take advantage of Rust’s efficiency and safety guarantees, and make the protocol accessible to embedded devices, as well as provide a more efficient solution for smartphones, computers, and servers alike. >> Read more about Willow Sync Wobble Web — Hybrid graphics editor and coding environment WobbleWeb is a hybrid graphics editor and coding environment for making and sharing small-scale websites. It provides a gentle and playful introduction to coding in javascript and html, where dragging something on the page changes the code, and editing the code changes what is on the screen. The project is built upon a set of open-source web components that can be used with the editor as well as independently. The web components serve as a direct wrapper to html, adding gesture-based and direct in-browser editing capabilities to existing HTML and Web APIs. The extensible custom elements allow the open-source community to build more advanced features, such as incorporating canvas elements, WebGL, or integration with backend APIs. WobbleWeb differs from existing graphical webpage builders, with its emphasis on writing javascript for beginners, as well as its modular and extensible ecosystem. 
>> Read more about Wobble Web MLS for XMPP — Add Message Layer Security to XMPP XMPP (Extensible Messaging and Presence Protocol) is an IETF-standardized (RFC 6120/6121) communication protocol designed for instant messaging and other near-real-time exchange of structured data between two or more network entities. MLS (Messaging Layer Security) is an emerging, IETF-standardized (RFC 9420) protocol for end-to-end encryption of messages and a central part of the IETF MIMI (More Instant Messaging Interoperability) effort to allow communication across messaging apps, for example in the context of the EU Digital Markets Act. This project adds support for MLS encrypted messaging to XMPP group chats. This includes creating a prototype implementation, standardizing an XMPP Extension Protocol (XEP) and introducing support in two existing XMPP clients. >> Read more about MLS for XMPP XMPP Interoperability + Conformance Testing — Development of an XMPP Test Suite XMPP is the Extensible Messaging and Presence Protocol. XMPP offers an open, extensible, standardised and mature set of open technologies designed for decentralised communication. With its flexible design and rich history, its utilisation is widespread. To advance interoperability in its diverse ecosystem of developers and implementations of server software, this project will create an implementation-agnostic test suite for XMPP servers, testing for conformance with the XMPP protocol standards. The suite will be designed to be integrated with various third-party CI components to minimise the complexity of including the suite in development processes of the various and varied parties that are developing XMPP server implementations. >> Read more about XMPP Interoperability + Conformance Testing YAWS - Yet Another Web Server — Sans IO web server written in Rust HTTP protocols are everywhere, from embedded devices to big data centers. 
YAWS (Yet Another Web Server) is a harmonized, environment-neutral, open source HTTP server — or, rather, a web server capability that can be used to create web servers. It can be used with modern WebAssembly, io_uring, microkernel, RISC-V or embedded runtimes; even without POSIX, standard library or operating system support. YAWS democratizes HTTP by allowing everyone to integrate a modern HTTP interface safely and securely into wherever and whatever they build. >> Read more about YAWS - Yet Another Web Server Zero-allocation web servers in roc — Web server framework with constant memory usage Memory consumption in web servers is hard to predict and control. Our zero-allocation web server guarantees constant memory usage and per-request memory caps. These guarantees and capabilities make web infrastructure more reliable, because it is actually possible to calculate how much server capacity is required for a certain amount of traffic. The vast majority of webservers are written in a language with automatic memory management. They cannot provide the guarantees that our webserver can, and often have other downsides like poor general performance and GC pauses. The core of our webserver is written in rust, and while it works in a rust-only context, is meant to be used in combination with the roc programming language, a fast, friendly, functional language with automatic memory management, but without GC pauses. Users will be able to write web applications using roc, without having to consider how memory is allocated. At the same time, we manage the memory as efficiently as possible under the hood. >> Read more about Zero-allocation web servers in roc ZeroPhone Next — Hackable open hardware mobile phone This project is building a hacker-friendly personal device platform, providing people with an assortment of building blocks that can be reused in building devices of their own. 
It sets out to deliver a featureful device for day-to-day use, with cellular and wireless connectivity, and bringing a powerful user interface that can easily be used in others' projects. The platform's design prioritizes self-assembly capabilities, respect for the user's privacy, extensive documentation that makes the platform's building blocks all that more accessible, and forming a community aimed at helping other hackers build their own devices. The platform's inherent modularity also provides a testbench for designing open-source replacements for commonly closed-source parts of the DIY portable device ecosystem, as well as development of open firmware for currently-closed-source components. >> Read more about ZeroPhone Next Zilch — Tools for efficient granular builds and introspection Zilch is an experimental test bed for alternative approaches to building programs, services, and full Linux distributions. Being built on top of Nix, it is entirely compatible with NixOS. The goal of this project is to research and develop a set of tools that allow a developer to write programs and patch existing upstream projects, while keeping the reproducibility and sandboxing afforded to them by Nix. >> Read more about Zilch Zip linting and bzip2 in Rust — More secure handling of popular archive formats Zip is a widely used format for distributing files. It is a rather permissive file format, opening the door to various attacks such as zip bombs. The `bzip2` compression format is still used in many legacy settings. Consequently, it is part of the supply chain of many projects. To mitigate these risks, this project will deliver a) a zip linter checking for suspicious file contents in zip files and b) a memory-safe implementation of bzip2 through drop-in replacements of the libraries and a safe Rust `bzip2` binary. 
>> Read more about Zip linting and bzip2 in Rust badkeys — Detect compromised cryptographic public keys Public key cryptography is an important building block of Internet security through protocols like TLS or SSH. Key generation vulnerabilities in cryptographic implementations can compromise the security of these mechanisms. The tool badkeys allows identifying public keys affected by known vulnerabilities. The project will implement improvements to badkeys' coverage of known-compromised keys and regular monitoring of public keys in TLS certificates, DNSSEC, and DKIM for known vulnerabilities. >> Read more about badkeys bluetuith — Bluetooth connection/device manager for the terminal Bluetuith is a lightweight Text User Interface (TUI) based Bluetooth manager for the terminal, which allows users to manage a multitude of different Bluetooth based functions, like pairing, connection, file transfers, handling audio playback and networking and so on seamlessly via an easy-to-use interface. The project aims to extend support to as many other platforms as possible, to achieve multiplatform support, and provide users with a familiar interface to control Bluetooth across different platforms. The project also aims to solve the issue of communication and user-friendliness of platform specific Bluetooth stacks, by creating daemons/services native to that platform, and lightly wrapping native APIs and exposing a standard set of APIs that will allow any client to be built cross-platform and to connect and control Bluetooth (Classic especially) in a much more efficient and uniform manner. >> Read more about bluetuith Federated eIDAS-compatible signing portal — Qualified digital signatures using eID cards Existing electronic document signing platforms often lack support for advanced or qualified electronic signatures available under the EU's eIDAS standard, relying instead on simpler signatures without stronger legal validity. 
Our federated eIDAS-compatible signing portal addresses this gap by providing an open-source user-friendly platform for creating qualified electronic signatures using government-issued eID cards and other qualified signature creation devices. Unlike existing alternatives, our project integrates seamlessly with desktop and mobile signer applications, both open-source and commercial, enabling intuitive qualified document signing, validation, archiving, and API integration with third-party systems. Its federated manner ensures that independent portal instances can securely exchange documents, simplifying the adoption of qualified electronic signatures across Europe, reducing reliance on proprietary solutions, and improving digital administrative workflows. >> Read more about Federated eIDAS-compatible signing portal Federated webinars for eduMEET — Extended platform for distributed online webinars based on eduMEET The main aim of the project is a new functional scope of eduMEET: federated webinars for big online meetings. eduMEET is a free and open-source video conferencing (VC) application that allows organisations of any size to build and deploy cost-effective on-premises web-based VC services. It is an easy-to-use solution that originated within the European Research and Education community. It is focused on security and privacy, and designed to give full control and ownership of one's own data and video streams. A key aspect of the project is providing efficient engines for communication between distributed eduMEET instances, in order to provide support for large scale webinars. Additionally, eduMEET will add a dedicated layout for webinars (speaker’s view), specific user roles and privileges (Panelist and Passive Participant) as well as a management module. The end result will be a full featured webinar platform that is an attractive low cost alternative to expensive proprietary services. 
>> Read more about Federated webinars for eduMEET f8 — Modern 8-bit instruction set Among microcontrollers (µC), 8/16-bit µC are an important part of the embedded systems ecosystem since they tend to have substantially lower resource and energy costs than the larger, more powerful 32-bit and 64-bit µC. However, existing 8/16-bit µC architectures tend to be either somewhat inefficient (e.g. MCS-51) or single-vendor (e.g. STM8, Rabbit). The latter are at a high risk of being discontinued when a vendor pulls out of the 8/16-bit market, and this has been announced recently for the STM8 and Rabbit architectures. One possible solution is to develop an efficient free architecture for 8/16-bit µC. The f8 is such an approach. It is based upon extensive experience from the large number of 8/16-bit architectures supported by the free Small Device C compiler (SDCC). Like RISC-V did for 32/64-bit architectures, f8 is based on lessons learned from the strengths and weaknesses of existing 8/16-bit architectures. >> Read more about f8 fdtshim — Simplify use of Device Tree Binaries for Linux installers The fdtshim project aims to implement a distribution-agnostic and hardware-agnostic method, and protocols, to load the correct hardware-specific DeviceTree on UEFI systems. With fdtshim, installation media for distributions can become truly generic, and support boot from different DT-incompatible kernels. Its usage is transparent to the user, and ensures the system will continue working after a major kernel update, whether booting from the current kernel, or the previously working kernel. Using fdtshim makes it much easier for end users to boot live and install media on different devices with different architectures: mobile phones, tablets, embedded systems, laptops, servers and workstations. >> Read more about fdtshim foaHandler — Reverse engineer the OpenAccess file format Commercial CAE programs still dominate the community that designs electronic circuits. 
One of the most widely used file formats here uses the OpenAccess API controlled by Si2. Unfortunately, this API is available only for members of the OpenAccess coalition. The project \"foaHandler\" aims at creating open-source programs for reading and writing OpenAccess files. Their internal data structure will be investigated by reverse engineering the file content of schematics, component symbols and layouts. Then, routines will be created that make it easy to import and export OpenAccess files in open-source programs like circuit simulators, layout programs etc. Example files and documentation will be published, too. This makes the data exchange between free and commercial EDA applications possible. >> Read more about foaHandler happyDomain — Simplify DNS zone management happyDomain is an interface designed to make domain name management more accessible, intuitive, and efficient. By consolidating domain names from multiple providers and abstracting technical complexities that often lead to common mistakes, happyDomain empowers operational teams to handle their domain needs effortlessly, saving time and reducing friction. Its modern interface offers essential features such as history tracking, one-click rollbacks, logical groupings for services, and a REST API for automation. Built with carefully selected technologies, happyDomain provides a fast and lightweight experience, suitable for both large-scale infrastructures and personal use. Our mission is to help individuals and organizations regain independence on the Internet by simplifying domain management and fostering confidence. Whether for system administrators, agencies, freelancers, or privacy-conscious users, happyDomain transforms domain management into an accessible and seamless task for all. >> Read more about happyDomain iso14229 — Universal Diagnostic Services for automotive diagnostics iso14229 is an open-source portable C implementation of Universal Diagnostic Services (ISO 14229-1:2020). 
UDS is a communications protocol used for diagnostics, tuning and firmware updates on embedded devices such as those in your car, tractor, robot, IoT device, or renewable energy system. Insecure UDS implementations expose software to security exploits. By providing an open source implementation including the security features of UDS, this project addresses an important gap. Within the scope of this grant, the team will work on the integration of static analysis, improve documentation and develop a number of security-focused examples. >> Read more about iso14229 k3lp — Unicode Keyboard3 Layout Parser k3lp (/kɛlp/) is a mobile-first library designed to support parsing and utilizing Unicode Keyboard3 files. Keyboard3 is an enhanced and rewritten standard developed by The Unicode Consortium and officially released with CLDR 45. It offers an open and interoperable standard for declaring and sharing keyboard layouts. Although the standard has been available for some time, there is currently no ready-to-use open-source library to effectively utilize these files. This is where k3lp comes into play, aiming to provide an easy-to-use, multi-platform library written in Kotlin 2.0. The library includes all the necessary business logic for layout parsing and streamlining keyboard developers' workflows, however the actual user interface implementation is left to the library consumer. Initially targeting Android and iOS developers in need of keyboard layout logic and tested in the open-source FlorisBoard keyboard, this library is capable of running on all platforms where the JVM runs on or where Kotlin compiles to. >> Read more about k3lp lib1305 — Microlibrary for Poly1305 hashing In modern network protocols, every packet is authenticated using a message-authentication code (MAC). Any data modified by an attacker is immediately caught and rejected by the MAC. 
The most popular MAC algorithms are Poly1305, normally used with the ChaCha20 cipher as part of ChaCha20-Poly1305, and GMAC, normally used with the AES cipher as part of AES-GCM. Many applications, such as WireGuard, require specifically Poly1305. This project will develop and release a new software library, lib1305, for Poly1305. The library will provide comprehensive and well-optimized software exploiting the 64-bit assembly instructions of Intel CPUs to provide top speeds for those CPUs, while meeting the security constraint of not leaking secret information through timing. >> Read more about lib1305 lib25519 using NEON for ARM64 — ARM64 optimisations for lib25519 microlibrary Network protocols in today's world rely on elliptic-curve cryptography (ECC) to protect communication against espionage and sabotage. lib25519 (https://lib25519.cr.yp.to) is a software library for the Curve25519 elliptic curve (https://cr.yp.to/ecdh/curve25519-20060209.pdf), including the X25519 encryption system and the Ed25519 signature system. Curve25519 is the fastest curve in TLS 1.3, and the only curve in Wireguard, Signal, and many other applications (https://ianix.com/pub/curve25519-deployment.html). Currently the optimizations in lib25519 use serial instructions and vector instructions for Intel and AMD CPUs, and use serial instructions for ARM CPUs, but do not use vector instructions for ARM CPUs. This project aims at exploiting the NEON vector instructions of 64-bit ARM CPUs and extending lib25519 by providing top speeds for those CPUs, in particular setting new speed records for X25519 key generation and Ed25519 signing, while meeting the security constraint of not leaking secret information through timing. >> Read more about lib25519 using NEON for ARM64 libnix — Native Nix on MS Windows The libnix project improves the Windows support of the Nix package manager, by making nix and nix-build work natively on the Windows platform. 
By creating a ‘libnix’ on top of this, it will allow package managers like node, cargo, pip, and vcpkg to use Nix for building their dependencies. The effort helps bring declarative, reliable packaging systems to a wider audience. >> Read more about libnix libvips — Add animated PNG and enhanced JPEG XL support to libvips libvips is an image processing meta-library, whose development the European Commission funded back in the 1990s. Applications can outsource the heavy lifting of handling a variety of image types to this library. The library has meanwhile grown very popular with web developers around the world; the node binding, for example, is downloaded more than 5 million times a week at the time of writing. In addition to scrutinizing the security of the library, this project will implement two key improvements to libvips: animated PNG support, and enhanced JXL support. The former capability (the addition of animated PNG support) can be gained from another NGI Zero project, libspng. libvips uses libspng for PNG read and write, so by extending libvips to use these new libspng features, they will become available to a large developer community very quickly. Second, libvips has had preliminary support for the JXL format since libjxl v0.4. Since then, the libjxl API has evolved considerably and the libvips connector needs updating, especially in the areas of large image support and HDR, both increasingly important with the steady improvement of smartphone cameras. >> Read more about libvips Verifying and documenting live-bootstrap — A reproducible, automatic, complete end-to-end bootstrap The goal of the live-bootstrap project is to compile the necessary tools to compile Linux from a minimal binary footprint to avoid the possibility that a (binary) compiler could be used to introduce back-doors into the Linux kernel. As a user of the live-bootstrap project, one should be able to trace and review all steps and sources used. 
The goal of this project is to facilitate this. >> Read more about Verifying and documenting live-bootstrap Lychee — Reliable and fast link checker to combat linkrot Links are the glue that holds the web together, but broken links undermine our collective digital knowledge. With 54% of Wikipedia references and 70% of links in legal journals now dead, link rot is a serious threat to information accessibility and makes for an unpleasant web experience. Lychee is a fast, memory-efficient CLI tool written in Rust that detects broken links in Markdown, HTML, and plain text. Over the past 4 years, it has been adopted by tens of thousands of public repositories and organizations like Google, Microsoft, and AWS. The project will focus on three key milestones: implementing recursion support to check entire websites at once, adding per-host rate limiting to prevent server overload and stabilizing the codebase for a 1.0 release. By improving Lychee, we're helping everyone from small websites to major platforms maintain their corner of the open web and preserve our digital heritage. >> Read more about Lychee machine-check — Tool for formal verification for machine-code Common bug-finding approaches like software testing do not guarantee the absence of bugs. Formal verification can prove the absence of bugs, but the added description and proving complexity means it only tends to be used for critical systems. The current state-of-the-art tools are complex to use and hard to reason around when they fail. Machine-check aims to bring scalable yet intuitive formal verification to non-experts, leveraging the Rust ecosystem for description of digital machines including processors with machine-code programs loaded into memory. Ultimately, this should lead to increased reliability, safety, and security of programs and systems. >> Read more about machine-check Multisoni — Modern and efficient real-time audio playback engine Multisoni is a versatile audio engine for all creative uses. 
For demanding real-time uses (such as video games, VR, live installations) there is a lack of free/libre audio authoring tools to map playback and effects to trigger events and interaction parameters, suitable for industrial purposes. Multisoni is designed to meet this need: it manages many input sources - either samples or synthesis, with support for input plugins - source and effect patching, and rendering for a variety of output systems ranging from binaural stereo to complicated multichannel setups, drawing on existing open-source solutions for audio hardware abstraction and raw audio stream management. One of its main objectives is to put creative users - sound designers, composers - on an equal footing with developer users. >> Read more about Multisoni nextpnr for GW-5 — Add support to nextpnr for Gowin GW-5 FPGA family This project focuses on enhancing the open-source FPGA design toolchain (specifically nextpnr and Apicula), to support the Gowin GW-5 series of FPGAs. This initiative involves creating detailed documentation and developing tools to understand and utilize these FPGAs effectively. By extending nextpnr and Apicula to generate valid bitstreams for the GW-5 series, the project aims to make advanced FPGA technology more accessible and usable for designers and engineers around the world. >> Read more about nextpnr for GW-5 openPCIe2 Root Complex — Open hardware implementation of gen 2 PCIexpress in OpenXC7 This project will develop an open hardware implementation of PCIexpress 2.0, the high-speed serial computer expansion bus standard used to allow computer peripherals to be slotted into a motherboard. When designing open hardware, having such a critical part of a component depend on proprietary components is problematic. The open hardware PCIe/Gen2 Root Complex developed within this project would make a big step towards developing fully open hardware components. 
Prior efforts only provided a partial implementation, and depended on vendor-provided 'black boxes' that would prevent such designs from being used to create a working, fully open hardware solution. >> Read more about openPCIe2 Root Complex p3pch4t — Decentralized chat platform built on i2p P3pch4t is a decentralized chat platform built on i2p that aims to provide a feature-rich experience with high privacy standards, so it will be easy for people to switch from well-known centralized/proprietary chat apps - such as Facebook Messenger, Telegram, Slack - to one place that will have all the features that users desire - including large file sharing, shared calendar, group chats, multiple devices and chat themes - all of that will come in a cross-platform app that will run on all major mobile and desktop platforms. Together with that, there will be a handful of libraries in different languages to interact with the network directly - to ensure that it is easy for other developers to extend the p3pch4t ecosystem, and to ensure that the standard for communication is well defined. >> Read more about p3pch4t postmarketOS: v23.12 and v24.06 Releases — New versions of the mobile operating system postmarketOS postmarketOS keeps smartphones useful after they don't receive updates anymore: the original operating system gets replaced with an up-to-date lightweight open source software stack based on Alpine Linux. Oftentimes people use postmarketOS to upcycle their old smartphones to small home servers (like Raspberry Pis). While still experimental, we also work towards enabling all typical smartphone features too so postmarketOS can fully replace the original operating system. Besides extending the lifetime of smartphones, in postmarketOS we value the user's privacy, security and in general control over their own device. Unlike current mainstream smartphone operating systems, there is no need to register an account and get tracked to use the operating system. 
Creating new releases allows us to keep the software stack up-to-date, to integrate important fixes, features and in general to get closer to providing a full smartphone experience. >> Read more about postmarketOS: v23.12 and v24.06 Releases postmarketOS daemons — Add modern service daemons to postmarketOS postmarketOS keeps smartphones useful after they don't receive updates anymore: the original operating system gets replaced with an up-to-date lightweight open source software stack based on Alpine Linux. This project will add initial systemd support to postmarketOS, as well as making Pipewire the default audio server in postmarketOS. It will help switch the wifi backend to iwd by default, and design and prototype an immutable version of postmarketOS with an efficient A/B OTA mechanism with binary delta updates, and automatic rollback on failed updates. >> Read more about postmarketOS daemons Support for OpenPGP v6 in rPGP — Implement draft-ietf-openpgp-crypto-refresh in rPGP rPGP is a high-quality implementation of OpenPGP in pure Rust (OpenPGP is a standard for encryption, digital signatures and key management). rPGP is used in production in different contexts, among them the popular \"Delta Chat\" decentralized and secure messenger that is used by hundreds of thousands of users, worldwide. The OpenPGP standard has recently been revised to reflect current best cryptographic practices. The revision of the standard defines \"OpenPGP version 6\" and is currently being finalized for publication as RFC 9580. This project will implement the new formats and features of OpenPGP v6 for rPGP. This will bring the new features of OpenPGP v6 to users of rPGP, and ensures future interoperability with all other modern OpenPGP implementations. >> Read more about Support for OpenPGP v6 in rPGP reqwest — Memory safe HTTP client reqwest is the de-facto HTTP client for the Rust language, with batteries-included. 
In this project we will make many of its powerful features composable and reusable outside of reqwest. This includes converting its connection pool, proxying and redirection into middleware, and improving integration with existing middleware, such as retries. This ultimately enables two groups of people: those who want to use only the parts of reqwest they need, and those who want to use all of reqwest while inserting new middleware or customizing its default \"stack\". >> Read more about reqwest rrdnsd — DNS based load balancing and high availability rrdnsd implements DNS-based load balancing and failover in order to increase the reliability of geographically-distributed Internet services. It is designed to both scale up to managing hundreds of services but also scale down to small scale deployments. Written in Rust, it prioritizes resilience, ease of deployment and hands-off maintenance - without depending on 3rd-party services. It provides distributed connectivity monitoring using a quorum protocol. This allows detecting partial network outages without causing false positive alarms. >> Read more about rrdnsd s6-rc — Service manager for s6-based systems The s6-rc service manager, part of the s6 ecosystem, is a correct and efficient alternative to software managing boot scripts like sysv-rc or OpenRC: it provides a bootability guarantee, a reliable logging infrastructure, parallel service start without race conditions, and the lowest resource usage of all existing service managers (which means it is very fast and will run on the smallest systems). However, it is not yet adopted by many Linux distributions, for lack of a high-level user interface and pre-provided boot scripts. 
We are adding these features to s6-rc so it can be easily integrated to more distributions currently relying on OpenRC, such as Alpine Linux, and also targeted as a backend for service description languages for use with automatic deployment to containers, VMs, clusters, or embedded systems. The goal is to make s6-rc an accessible and widely known service management alternative for fast, reliable and energy-friendly system deployment. >> Read more about s6-rc Maintenance and portability of sudo-rs — Make sudo-rs available cross-platform The sudo and su utilities guard a critical privilege boundary on just about every free and open-source operating system that powers the Internet. Memory safety bugs occur in the original sudo from time to time, and there is only one maintainer to fix them. For these reasons sudo-rs was written: a Rust drop-in replacement for sudo on Linux. For it to be a success, it needs to gain adoption. In this project, we will 1) address bugs and incompatibilities between sudo-rs and sudo and 2) port it to platforms other than Linux, to grow its user base and viability. >> Read more about Maintenance and portability of sudo-rs synit-nixos — Expand synit system layer and integrate in NixOS Many of the software applications and services that we interact with today can only exist as dynamic compositions of many different software components. Dynamic systems can be adapted to serve different purposes, react to a changing environment, and can be self-updating or self-healing in response to failure. These systems exchange the predictability of static systems for the resilience of dynamism. Our software operating systems achieve dynamism by what some call the \"system layer\". Traditionally this would be the so-called \"init\" system which activates different software components. The system layer is the software activation and management of init combined with a communication layer, reactive behavior, and system introspection. 
Synit is an experimental system layer that provides these features according to a model that combines capability security, conversational actors, and eventually-consistent replicated state. The Synit-NixOS project aims to bring init and system-layer portability to NixOS with Synit as an alternative to systemd. >> Read more about synit-nixos tslib — Better configuration and calibration of touchscreen devices tslib is somewhat older but widely used software for configuring the touchscreen of (mainly) embedded Linux devices including printers, mobile phones, etc. This nimble project concerns a bundle of improvements in terms of calibration, some accessibility research (to see if people with e.g. a tremor can be better served), and addressing a backlog of feature requests. In addition the project will use the help of NGI Zero to apply additional security scrutiny. >> Read more about tslib uFork/FPGA — A memory-safe pure-actor processor soft-core uFork is a novel microprocessor architecture based on dispatching immutable asynchronous message-events to reactive objects (actors) which manage private mutable state. Contention for shared mutable storage is eliminated, reducing complexity. Strong process and memory isolation prevents interference among tasks. Object-capability security (ocaps) provides fine-grained access control. The architecture has been validated by implementing a virtual-machine in software. This project will implement the design using FPGA hardware fully supported by open-source tooling. >> Read more about uFork/FPGA uberClock — High precision open hardware clocks using multi-mode crystal oscillators Very precise clocks have many different use cases, but they are complex to make and expensive to buy - leaving high precision timing out of reach for many. Currently, there are no open hardware designs capable of delivering so-called \"Stratum 2\" accuracy. 
This project will design and build an open hardware clock exploiting the properties of multi-mode crystal oscillators using modern numerical methods for frequency stabilization. A Field-Programmable Gate Array (FPGA) will be used for digital signal processing functions, multiple Proportional-Integral-Derivative (PID) control loops, and executing all necessary calculations needed for dynamic, real-time frequency corrections. High-Level Synthesis (HLS) code will be developed using the CflexHDL+PipelineC toolset, in order to validate and further mature that emerging design flow for signal processing applications. >> Read more about uberClock vm-builder — Virtual Machine Build, Life Cycle and Integration in monolithic and microkernel platforms As each piece of software is built using other software, it is difficult to ensure that a program is not accidentally infected through malicious code interfering anywhere in this process. An important defence is reducing the amount of code one relies upon and strictly isolating the build from any other processes that could influence it, typically by using a virtual machine. However, there are currently no minimal, portable and final virtual machine build systems which enable effective bootstrapping of operating systems. Delegating this task to container build systems is insufficient, since they are primarily available to the Linux kernel and provide weak isolation properties. Delivering those with a high portability and even (or especially) on low TCB microkernels is key to secure bootstrapping of operating systems and applications on (to be) trusted infrastructure. The current prototype has proven successfully applicable to today's general purpose OSs; templating/inheritance and reproducible builds are still to be implemented. An implementation in a more robust programming language like Rust is still lacking and will be completed in the course of this project. 
The long term goal is to easily build and provide legacy platforms and software especially on microkernels — allowing for a migration path towards operating systems with effectively manageable complexity. >> Read more about vm-builder "},{"title":"NGI TALER Fund","url":"https://nlnet.nl/thema/NGITALERFund.html","description":" NGI TALER Fund Privacy-preserving digital payments This page contains a concise overview of projects funded by NLnet foundation that belong to NGI TALER Fund (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. In the digital economy, payments play a critical role. Yet online payment systems tend to allow for far less privacy than paying with a bank note or coins, especially when using proprietary solutions like Google Pay or Apple Pay. When interacting with the offline economy comes into play, the alternative of paying with all kinds of volatile cryptocurrencies isn't a viable option either. NGI TALER is a project funded by the European Commission and the Swiss State to roll out a new electronic payment system that benefits everyone: people, merchants, banks, financial authorities, auditors and anti-corruption researchers. The project doesn't have to start from scratch either, but builds on the strong foundations of GNU Taler — the privacy-preserving digital payment system developed by the GNU community and Taler Systems SA. This offers privacy for those that make payments, while enforcing transparency on those that sell. By providing micro payments at very low overhead, GNU Taler permits internet business models to shift away from advertising revenue or subscription models, especially for online publishers. No-risk transactions can lower transaction fees and open online payments for the underbanked population and citizens marginalized from digitalisation. 
NGI TALER is part of the Next Generation Internet initiative, which focuses on the development and maintenance of internet commons that support the vision of a resilient, trustworthy and sustainably open technology stack that empowers users, and grants everyone full autonomy. All project results become available under a free and open source license so you will be able to study, use, modify and share everything with anyone you want! And even better: part of NGI TALER is a supporting grant programme through NLnet, through which auxiliary efforts can be funded. This means that if you are interested in actively contributing to this effort, you can still join! Do you have a project idea that complements, strengthens or otherwise will benefit GNU TALER? Why not put in a proposal yourself, calls are currently open! Applications are still open, you can apply today. Abelujo — Abelujo - free software for bookstores Abelujo is free software for managing bookstores. Started for a not-for-profit, it grew its feature set and it is now used by a diversity of bookstores across the globe. However, the situations in how booksellers buy, present and sell books are so diverse that we'll work, in this project, to match important use cases. We'll also work on the online catalogue application, bring a safe and private payment method for clients to it, and make our solutions even easier to host. Books and their ideas should circulate easily and safely - with free and libre software. >> Read more about Abelujo Contributron — Privacy aware donation portal with Taler payments This project aims to modernize and extend a self-hostable personal website to collect donations and track crowd-funding efforts on various external platforms. The existing software already allows for one-time and recurring donations with Stripe as the payment processor. 
This will be extended to offer GNU Taler as a second payment method, with Contributron acting as an easy to use frontend for the GNU Taler merchant backend. >> Read more about Contributron MTE - the MirageOS Taler Exchange — Implement Taler Exchange functionality in OCaml-based unikernel This project will develop a drop-in implementation for a GNU Taler exchange with the unikernel framework MirageOS. The GNU Taler Exchange is a service that needs to be robust and highly secure (plus allow very high security deployments). MirageOS uses OCaml, a functional programming language with a static type system which catches lots of errors at compile time, and provides memory-safety. With MirageOS, one only embeds the code that is really required to run the service in the virtual machine image - resulting in a much smaller attack surface. The resulting solution will use very little resources (memory usage / CPU cycles), which is beneficial both from a green computing perspective, and from a performance perspective. The plan is to use existing tests of GNU Taler exchange, in addition to our own fuzz testing, to ensure that MTE acts the same as GNU Taler exchange. >> Read more about MTE - the MirageOS Taler Exchange Maho — Self-hostable ecommerce platform Maho is a complete ecommerce platform that enables merchants and agencies to run online stores on their own infrastructure, free from vendor lock-in and recurring licensing fees. Built on a foundation refined over two decades by thousands of developers worldwide, Maho modernizes this proven codebase to ensure long-term sustainability, replacing abandoned dependencies and bringing the architecture up to contemporary standards. As a drop-in replacement for Magento 1, it offers existing stores a path forward without costly rewrites or forced migrations to proprietary platforms. 
The project provides small and medium businesses with a professional-grade alternative to SaaS solutions, giving them full ownership of their data and operations. By keeping ecommerce infrastructure in the commons, Maho helps preserve merchant autonomy and reduces dependency on centralized platforms that can change terms, raise prices, or discontinue services at will. >> Read more about Maho Taler OpenAPI specification — JSON/YAML OpenAPI for key GNU Taler API's The OpenAPI specification is an industry standard that simplifies application integration through code generation tools and basic test support. It is highly appreciated by developers who are confronted with the task of establishing a connection to new APIs. This project adds automatic OpenAPI specification generation to GNU Taler's bank APIs and the wallet-core API. These additions should prove beneficial for the introduction of GNU Taler, in banks and elsewhere. >> Read more about Taler OpenAPI specification TALER Bullion — Infrastructure for GNU Taler Payments with non-fiat Currencies Depending on how you design a money system, its properties can be quite different. Regular currencies are typically steered towards (slight) inflation by the public bodies that steward them, by means of a gradual influx of money. This benefits \"active money\" (investors) which yields economic growth. Of course this also makes prices for consumers continually rise, and savings de-valuate over time in terms of purchasing power. The rate at which this devaluation takes place is a policy instrument, and of course one that should be used wisely. When these systems were first designed, money was backed up by physical assets such as gold and silver which offered more predictable long term purchasing power. Some users still prefer for their savings to be backed up by something of concrete value they own. 
GNU Taler is a well-designed system for (online) payments, and it is eminently suitable to safely trade (the ownership of) stored gold, silver and similar systems based on real value. Besides its obvious use case as a payment system for regular currencies, the system can also be used to revitalise gold and silver for storage and payment systems; they still exist today but are decoupled. The purpose of this project is to solve problems with trust relations, such as passing (the ownership of) gold or silver between vault operators, or between gold storage and payment systems so it can become practically useful money on an international scale, in service of people outside the financial industry. >> Read more about TALER Bullion ERPnext TALER payment gateway — Refactor ERPnext payment module and integrate Taler This project integrates GNU TALER payments into ERPnext, a feature rich, open source enterprise resource planning system built with the open source frappe framework. The work involves finalizing a refactor of ERPnext's payments module to support multiple gateways, followed by developing and testing the full TALER integration, including API handlers for payments, transactions, sales orders and a user interface for configuration. By combining ERPnext's widespread use in the Global South with TALER's focus on privacy and financial inclusion, this project shall deliver a production-ready tool for a low-fee digital cash system with online shop, ledger, stock management and more. >> Read more about ERPnext TALER payment gateway Taler Integration into F-Droid Ecosystem — Secure, Streamlined and Integrated Payment Processing for F-Droid F-Droid is a privacy-respecting app ecosystem and distribution platform for Android. We propose to research how we might integrate GNU Taler into the F-Droid user experience to support adoption of privacy-preserving payments. 
This will allow Taler to be used for processing donations to F-Droid itself and for FOSS developers whose apps are hosted in our main repository. Our goal is to enhance Taler adoption and provide a frictionless, privacy-preserving donation experience for F-Droid developers and users to help make the FOSS ecosystem more sustainable long term. >> Read more about Taler Integration into F-Droid Ecosystem Taler plugin for Fastify — Add low-code zero-config Taler plugin for the Fastify web server framework Fastify is a popular high-performance, lightweight web server for Node.js, designed for speed, low overhead, extensibility and developer experience with a formidable plugin ecosystem. This project contributes a GNU Taler plugin for Donations and Payments to this ecosystem, following that very philosophy. It will not only provide the scalable Open/REST API's one would expect to build production ready webshops but furthermore focus on a low-code, zero-config simplicity for the architecture. This enables even plain vanilla javascript-free HTML form pages to post Taler payments and supply credentials in a web admin interface. All this can be easily explored in a one page vanilla HTML webshop example - and executed at the touch of a single shell command. >> Read more about Taler plugin for Fastify Interledger interoperability inquiry — Investigate synergy between Interledger and GNU Taler The Interledger Protocol and Open Payments API specification are the payment protocols used for an online tipping specification being proposed in the W3C Web Platform Incubator Community Group called Web Monetization. The Web Monetization specification allows for automatic streaming micropayments and low-friction on-demand tipping to online creators who specify an Open Payments wallet address in their HTML or respective metadata of the online experience (e.g. JSON-LD in Activity Streams/ActivityPub, XML attribute in podcast RSS). 
This project proposal will investigate the technical feasibility of using Taler as a payment method on the Interledger payment network to support Web Monetization. The outcome will be an overview of potential approaches for integrating Taler using the Interledger Protocol or as a payment method in Interledger’s Open Payments API reference implementation (Rafiki). >> Read more about Interledger interoperability inquiry Taler in Liberapay — Implementation of Taler as payment provider in Liberapay Liberapay is a recurrent donations platform, that allows users to financially support people who contribute to the commons. Building free software, spreading free knowledge, these things take time and cost money, not only to do the initial work, but also to maintain over time. Liberapay's recurrent donations system is intended to provide crowdfunded income to creators and maintainers, enabling them to keep doing great work that benefits everyone. This project will add GNU Taler as a payment provider in Liberapay. This will enable users with a Taler wallet to support projects and people in a privacy preserving manner. >> Read more about Taler in Liberapay GNU Taler Wallet ID Lookup Service — Optional discovery of TALER wallet addresses linked to digital identities GNU Taler is a payment system that makes privacy-friendly online transactions fast and easy. This project will facilitate the support of peer-to-peer payments (P2P) for the GNU Taler payment system between users by implementing a privacy-friendly directory service and lightweight inbox service (TALer DIRectory). The services will allow users to securely associate their online identities (such as email addresses, phone numbers, X/Twitter/Mastodon handles or other suitable verifiable addresses and accounts) with their wallet public keys and the URL of an inbox service and use it for P2P payments. 
Storage and retrieval may also be offloaded to distributed directory services such as DNS or GNS (RFC 9498) instead of a database and web service while maintaining the respective privacy guarantees. >> Read more about GNU Taler Wallet ID Lookup Service Road Signs for Digital Payments — Safe, usable financial interfaces for poorly-schooled adults. GNU Taler is a digital payment protocol for privacy-preserving cash-like transactions. It improves usability by avoiding the need for the payer to authenticate to third parties. Oral Information Management (OIM) is an emerging approach of design for creating safe, usable financial interfaces for poorly-schooled adults. Worldwide UNESCO estimates over 750 million adults to be unable to read or write in any language, and hundreds of millions of more have extremely limited ability. Due to unequal schooling opportunities, most are women. In Europe millions of migrants, refugees and marginalized people cannot confidently use digital payments. Digital OIM features carefully user-tested cash scrollbars and counting tables, iconographic navigation, mnemonic cues, user-reversible transaction processes, a 0-9 (not 1-0) numeric keypad and more. Poorly-schooled app users learn how to decode place value notation, arithmetic graphs and other schooled, formal sector protocols from repetitive use. >> Read more about Road Signs for Digital Payments Taler-Odoo Payment System — Integration module for TALER in Odoo The Taler-Odoo Payment System will integrate the GNU Taler payment system within Odoo, a business management software suite that includes customer relationship management, e-commerce, billing, accounting, manufacturing, warehouse, project management, and inventory management. With Odoo, merchants can create invoices for products they sell, websites to display them and much more. This project will produce an Odoo module written in Javascript and Python, which allows users to pay with Taler. 
Similar to any other payment integration within the Odoo Framework, the module integrates into the functionality of other existing Odoo modules (ticket sale, online shopping, invoices, etc). It will allow merchants to offer customers the choice of a payment system that fully respects their privacy. >> Read more about Taler-Odoo Payment System Open Banking Gateway Taler Wallet Top-Up/Merchant Verification — Add GNU Taler support to Open Banking Gateway Transferring Euro to the Taler wallet should be quick, easy and flawless. Taler Open Banking Gateway (TOBG) will provide the technology to top-up a Taler wallet in a regulatory compliant, instant and user-friendly way. TOBG will use the Payment Initiation Services mechanism introduced and regulated under the revised European Payment Services Directive (PSD2). A German bank will support and run the platform, providing technical and regulatory alignment. The project will help to improve adoption and usage of the Taler system significantly. It will also extend the existing Open Banking Gateway software with additional functionality, improved user experience and additional adaptors for European banks. The outcome will be a fully functional solution with a focused scope of supported banks users can top-up from. Both the operators and the free and open source community will be able to further extend the reach, functionality, supported channels and use cases. One of these use cases is to use Payment Initiation Services in merchant apps for account verification. >> Read more about Open Banking Gateway Taler Wallet Top-Up/Merchant Verification Libre Payments in Ruby — GNU Taler Integration for ethical trade The project aims at developing and publishing an open-source Ruby gem for integrating GNU Taler into Ruby-based e-commerce applications—starting with Open Food Network (OFN). OFN is a global, nonprofit platform that supports food co-ops, local producers, and community food hubs with open-source tools for ethical trade. 
Currently, OFN supports Stripe and PayPal. Adding Taler introduces a low-fee, non-extractive payment option aligned with user values. The gem will be released on rubygems.org and designed for reuse in other Ruby apps such as Spree and Solidus. The project includes testing with pilot users, full documentation, and developer engagement.  >> Read more about Libre Payments in Ruby GNU Taler Tryton/GNUHealth integration — GNU Taler module for Tryton ERP/GNU Health This project will develop a Tryton module which would allow users to integrate payments with GNU Taler into their financial workflow, whether from a webshop, a factory or a hospital. Tryton is a popular libre business management system used for e-commerce and enterprise resource planning. There are many modules for financial accounting, sales, inventory and stock, CRM, shipping, subscription management, etc. Existing payment provider integrations within Tryton are limited to specific proprietary payment providers, having a Taler based option would allow organisations to handle Taler based payments (incoming as well as outgoing). GNU Health (which is built on Tryton) provides a suite of libre alternatives for Hospital Management software, health information systems and electronic health records. Integration of privacy preserving payments with TALER in GNU Health will deliver a much needed contribution to medical privacy, providing the first digital alternative (next to cash payment) which allows patients to pay for their personal medical treatment and medication directly and with full discretion - keeping the doctor-patient privilege intact. >> Read more about GNU Taler Tryton/GNUHealth integration GNU Taler Payment Provider for be-BOP — Integrate Taler payments into be-BOP shopping cart/POS software be-BOP is a free and open-source, peer-to-peer monetisation platform built for communities and creators. 
It combines e-commerce, point-of-sale (PoS), subscriptions, crowdfunding/peerfunding, ticketing, donations, and pay-what-you-want models — in a single package. be-BOP provides a toolbox for financing your work and managing your activity in complete autonomy. Developed under a free, copyleft license, it gives you full independence from intermediaries. This project will add GNU Taler as an additional payment provider to be-BOP. >> Read more about GNU Taler Payment Provider for be-BOP TALER integration in flohmarkt — Secure payments for P2P classified ads federating with ActivityPub Flohmarkt is a decentralised federated small advertisement platform, sorted by category (hence the name \"classified ads\"). The name flohmarkt comes from the German word for \"flea market\". Flohmarkt allows local platforms to federate using the web-based federation protocol ActivityPub, making up one big place for small advertisements about exchange of goods and services. This project will integrate Taler payments into Flohmarkt, allowing individuals to informally sell goods to each other in a privacy preserving manner. >> Read more about TALER integration in flohmarkt Payment Module for Nuxt/Vue.js — Module to add GNU Taler support in Nuxt/Vue.js Nuxt is a widely used JavaScript library for building web interfaces based on the lightweight Vue.js framework. This project will create a dedicated GNU Taler module for Nuxt, allowing developers the same convenience when supporting a privacy-friendly option they would have using Nuxt modules for proprietary services like Stripe and PayPal. It includes Vue.js components for donation and order payment, documentation and examples such as a file-based webshop. >> Read more about Payment Module for Nuxt/Vue.js Taler-Kivitendo Integration — Integrate Taler with the Kivitendo ERP platform Kivitendo is Enterprise Resource Planning (ERP) software mainly in use in small businesses and organisations. 
It is often adapted to the specific needs of individual companies in a wide range of use cases. The Taler integration will offer the possibility for merchants creating invoices with Kivitendo for secure online payment processing with Taler respecting the privacy of the customers. The integration will be ERP-centric: information regarding inventory and orders remains in the ERP system, the GNU Taler system only handles payment processing. The project will also produce a Perl module with perldoc documentation ready to be used in other FOSS projects. >> Read more about Taler-Kivitendo Integration Taler-Dolibarr Integration — Taler payment handling for Dolibarr ERP software This project will provide a comprehensive module to integrate the privacy-preserving payment system GNU Taler with Dolibarr, an open-source Enterprise Resource Planning used by many small businesses around the world. Integration involves core workflows such as secure online payment processing, refunds, inventory and order management, and payment reconciliation—offering a single solution to costly proprietary solutions such as Stripe or PayPal. A LibEuFin-oriented module will also provide seamless bank account integration, with merchants able to automatically reconcile bank transactions in Dolibarr's easy-to-use interface. Merging Taler's privacy-centric design and low-fee paradigm into a popular ERP platform supports small business financial independence and encourages broader adoption of ethical digital payment systems. >> Read more about Taler-Dolibarr Integration xBSD porting and packaging — Porting and packaging of Taler components for xBSD systems GNU Taler is a privacy-preserving microtransaction and electronic payment system. This project will make sure that the entire Taler software stack is natively available on a number of operating systems beyond the already available (and obviously popular) Linux operating system. 
This will allow sellers (\"merchants\") to use their operating system of choice when integrating and deploying Taler. More specifically, the main target is the BSD family of UNIX-like operating systems - such as NetBSD, OpenBSD, FreeBSD and Apple's MacOS X. The work includes porting and packaging as well as developing appropriate documentation on how exactly to create a properly working set-up. This allows merchants wanting to use Taler to get started quickly without having to engage in time-consuming and error-prone steps like building the software from source. >> Read more about xBSD porting and packaging TalerPHP — PHP SDK for GNU Taler REST API Integration The TalerPHP project will develop an open-source PHP library to interact with GNU Taler’s REST APIs, enabling PHP-based applications to more easily support privacy-preserving payments. The project will deliver a framework-agnostic core SDK, followed by dedicated packages for Laravel, Symfony, and Yii - lowering the technical barrier for adoption. Given PHP’s dominant presence on the web, this SDK will provide essential building blocks for secure payment integration across a wide range of industries including e-commerce, healthcare, and not-for-profit donations. >> Read more about TalerPHP "},{"description":" NGI Mobifree Fund More ethical and human mobile software This page contains a concise overview of projects funded by NLnet foundation that belong to NGI Mobifree Fund (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. Mobile devices like phones and tablets have become pervasive: they are our gateway to the world at large, function as an external brain and are increasingly part of even our most intimate moments. People should therefore be far more empowered when it comes to such a critical dependency. 
If we want everyone to use and benefit from the internet to its full potential without holding back, the internet must be built on strong and transparent technologies that allow for permissionless innovation and are equally accessible to all. Mobifree is a pilot programme designed to push beyond the status quo of mobile software, and create a virtuous cycle of innovation through free and open source software, libre hardware and open standards. It has brought together a number of the \"movers and shakers\" of the open mobile ecosystem, in order to deliver a comprehensive development effort and advance a number of important free and open source technologies. Another part of the effort was a series of open calls that redistributed part of the budget to independent efforts, so called Financial Support to Third Parties (FSTP). These calls were held between February 2024 and December 2025. Mobifree is part of the Next Generation Internet initiative, which focuses on the development and maintenance of internet commons that support the vision of a resilient, trustworthy and sustainably open technology stack that empowers users, and grants everyone full autonomy. Quick overview of the projects During the course of the programme, no less than 26 projects were funded. While open calls by their very nature yield a great diversity in terms of solutions towards different problems for different stakeholders, there are still quite some shared directions among them. The first and largest cluster of projects funded within Mobifree is concerned with the security of Android operating systems and their app ecosystem. This kind of horizontal effort to protect the integrity of the operating system, find and remove stalkerware, tracking software and detect other malicious activity, is something that is systematically above the responsibility of the individual developer and user. It is therefore a critical issue to address for the open source ecosystem. 
Androguard and OWASP blint perform static and dynamic analysis of Android apps, analysing the binaries to find malware indicators and generate a Software Bill of Materials that can be used to understand inherent weaknesses such as outdated dependencies. APKpatcher/PyAxml are tools which can be used to subsequently modify Android package files to remove undesired elements. Pithus, the PiRogue Tool Suite, Bugbane and IsMyPhonePwned are all tools for mobile device forensic analysis and threat intelligence with different approaches and security guarantees - from 'first aid' approaches like an end-user friendly scanning from a web browser (IsMyPhonePwned) or an installable app (Bugbane) to more professional analysis tools that perform the analysis externally (Androguard, Pithus, PiRogue Tool Suite) – to avoid the situations where an advanced attacker that has successfully entered a device anticipates such entry level scans and fools the scanner. Obviously, the more professional tools are important building blocks for organisations that have to monitor the security of an entire fleet of devices (so called mobile device management). Another cluster of projects is aimed at improving the operating system level of Android. Android translation layer (ATL) allows Android apps to run on Linux, which broadens the utility, enables reuse and makes it much easier for developers to do quality assurance. VirtuAndroid is an application-layer virtualisation for Android apps. SIMcurity is a highly advanced project to secure how the software handles dealing with a specific piece of critical hardware in phones, namely the SIM interface. It is well-known that the low level baseband interaction with the SIM card (which is really a small computer) is one of the headache dossiers of security, and this isolation layer will help protect phones and users against SIM vulnerabilities and hostility. 
VoWiFi Watchdog warns users about misconfigurations and hidden blocks at the mobile telecom provider level, in particular for voice calls (“voice over WiFi”). Without this project, users are likely to blame their open source operating system for intentional and non-intentional breakage by their mobile operator. A final effort is aimed at opening up Apple’s Low Latency Wi-Fi Protocol, which helps to decrease the lock-in of users into the Apple ecosystem by creating an open-source interoperable implementation of the protocol for Linux. This protocol underpins applications such as Continuity Camera (using an iPhone as external camera) and Sidecar (using an iPad as wireless additional display), meaning that if people want to switch away from the Apple ecosystem they will be able to do so in a gradual way – without immediate loss of functionality. The next cluster concerns app stores, again another one of the target areas identified for the programme. The app stores play a key role in the market dominance, acting both as gatekeeper and as a proprietary lever against OEMs – and they force the user to agree with terms and conditions they would probably not consent to given a real choice. The most important open source app store for Android (and part of the NGI Mobifree project) is F-Droid, and two projects directly aim at improving that effort: F-Droid App Overhaul is modernising the F-Droid mobile app, while LambdaNative F-Droid integration is enabling developers using Scheme to directly publish to the F-Droid store. Not all apps are free and open source, but users might still depend on some apps which don’t comply with the strict policies of F-Droid – even if only for a transitional period. IzzyOnDroid is a popular third party repository for FOSS Android apps, built on top of F-Droid – facilitating users that need apps which don’t fit into the main F-Droid store because of licensing or other requirements. 
Termux is another popular app distribution mechanism and runtime for Android, aimed at terminal apps. The project funded within Mobifree will allow external projects to use the Termux execution environment in their own apps, and the project will also implement the new APK Library File (APKLF) execution/packaging design so that Termux can comply with security restrictions in Android 10 and newer that prevent apps from executing downloaded code. The project Weblate Android SDK will make it possible to decouple software distribution and translation. Currently, adding or updating a translation requires a new release of apps. The SDK will empower users to update their translations immediately once a new translation/localisation for Android apps is available, which will speed up community translations and unburden the developers. Users have become accustomed to proprietary tools and services which are useful and for which there are no good open alternatives available. Maps are one such domain, and a topic of particular interest to Mobifree. OpenAGPS provides a privacy-friendly, self-hostable location service as a partial alternative to Google Maps, while Easy Transit 2 delivers another part of the functionality of that app by building a public transit navigation app – even with some offline capabilities. An adjacent functionality is Google’s Find Your Phone which locates your phone on a map; the project Find My Device replaces this service with a privacy-preserving alternative. Obviously, unlike the Google alternative this will also work in an emergency and disaster situation. Translations are another domain where users often depend on proprietary services. Offline Translator and RTranslator 3.0 are free and open alternatives to services like Google Translate, but instead of leaking personal data to a remote server in another jurisdiction these projects provide the full translation on the user’s device itself – and in the case of RTranslator even for spoken text. 
Because they are designed for offline usage these will work in emergency and disaster situations, for instance in a refugee camp or to communicate with people when international rescue teams enter a disaster area such as a flood or earthquake terrain. Among the projects there were also some efforts to improve the ‘Quality of life’ for users and developers, ranging from input correction for a popular open source Android keyboard (Unexpected Keyboard Autocomplete/Correct) to more efficient text input for touch screen devices with Gesture Typing for AOSP-derived Keyboards. Users are very attached to specific input methods, but Google has all but abandoned the code from the original AOSP project. By supporting independent continuation of the development of these components, the entire Android ecosystem benefits. The two final projects are working towards the support for open standards, both within the World Wide Web Consortium (W3C). Solid Share develops a digital mobile wallet for W3C Solid, the standard for self-hosted LinkedData, and CanIWebView is aimed at standardisation of the so called WebView. One of the consortium partners within NGI Mobifree is the messaging app DeltaChat, which is the driving force behind a new app ecosystem built on web technologies called WebXDC which would benefit greatly from having a consistent and fully standardised WebView. Together we work towards better technologies to secure democratic ownership of our digital society. Our goal is to help mobile technology evolve to a more healthy state, provide people with concrete new tools and more reliable infrastructure, in order to provide better security and allow users more agency and choice. All project results are made available under a free and open source license so you will be able to study, use, modify and share everything with anyone you want! Interested in applying for a grant yourself? Check our active theme funds, such as NGI Zero Commons Fund, NGI Fediversity or NGI TALER. 
Applications to this particular fund are currently closed and no new projects are accepted for now. Donate to help us fund more projects like these. APKpatcher/PyAxml — Support tool to manipulate APK and AXML files The Apkpatcher and pyaxml tools suite is used to analyze, unpack and pack APKs (the Android file format for applications) and also AXML and ARSC files used inside these packages to store data and metadata. The core strategy is to be able to have a simple and modular way to manipulate these three formats for security reasons: to audit parsers, to audit applications (thanks to some features added to sniff the traffic or automate some tests directly by injecting code inside the APK) or to remove some trackers from an APK for privacy reasons. A code sharing website is planned, so users can share patches to remove trackers and keep control over their devices. >> Read more about APKpatcher/PyAxml Android translation layer (ATL) — Run Android apps on Linux The Android Translation Layer is an alternative implementation of Android application APIs on top of standard Desktop Linux, with the ability to run apps as-is using some AOSP components such as ART+libcore, modified to use system-provided libraries where possible to further the goal of being as lightweight as possible. That is in contrast with existing container-based solutions which require running a whole AOSP system in parallel to the host Linux system, resulting in considerably higher resource usage (both disk space and RAM) and longer startup times. The higher efficiency of ATL can make it viable to sideload apps also on more constrained devices. Another benefit of our approach is better integration with the desktop, such as native notifications. >> Read more about Android translation layer (ATL) Androguard — Static and dynamic analysis of Android apps The Androguard project is used to analyze Android applications. 
This project marks a major evolution for Androguard, focusing on modernizing its architecture. The core strategy is to replace its monolithic structure with a suite of independent, native Python libraries for parsing essential Android files like AXML, APK, and DEX. This modular approach will make the tools easier to maintain, reduce external dependencies, and allow for greater flexibility. Performance is a key driver of this initiative. To tackle the primary analysis bottleneck, a new high-speed dex-bytecode library will be developed in Rust with Python bindings. The main Androguard project will then be refactored to integrate these new, faster components, resulting in a cleaner and more efficient core tool for static analysis. Building on this new foundation, the project will expand into advanced security domains. This includes APKXploit, a new tool for penetration testing; AndroidIR, which will enable sophisticated code analysis via an Intermediate Representation; and Androguard-MCP, an innovative plugin to help security engineers in discovering vulnerabilities more effectively. >> Read more about Androguard Bugbane — App for self-conducting device forensics on Android devices Bugbane is a lightweight Android forensics and anomaly-detection tool designed to help users identify signs of compromise, including spyware, stalkerware, and other suspicious behavior, directly on their own devices. Bugbane builds on de-facto standard efforts such as MVT, reusing its indicators-of-compromise (IoC) formats and datasets, and is compatible with AndroidQF exports. It is designed to integrate easily into the existing workflows of civil society organizations, supporting their encryption tools of choice. Bugbane operates on-device, without requiring additional hardware or rooting and guides users through a structured, user-friendly acquisition and analysis process. 
By simplifying data collection and consensual sharing of forensic artifacts with partner organizations, Bugbane aims to reach users who are typically outside established support networks, contributing to a broader and more accurate understanding of threats targeting civil society. >> Read more about Bugbane Easy Transit 2 — Public transit navigation app with some offline capabilities The goal of Easy Transit is to make public transit dependable for a local, and de-mystified for a tourist. After successfully developing an app with a more limited geographic scope (Tallinn, Estonia), within this grant the project is now scaling up for broader international coverage while retaining its strong points - leveraging existing initiatives like Transitious. A key aspect is that it should work offline whenever possible, saving cost and taking just a couple of seconds to show you departure times. It also doesn't rely on an interactive map, and hence is accessible to people with limited sight or motor disabilities. It tries to explain the route you need to take in a way you understand, not just throw you into a list-and-map pool and have you do the work. >> Read more about Easy Transit 2 F-Droid App Overhaul — Modernise the F-Droid mobile app store F-Droid is a software ecosystem around Android applications. It is an app store kit, a platform, an app and catalogue of free and open source applications. The app makes it easy to browse and install apps, and redistribute these from your own device to others. This project is about modernizing and rewriting the official F-Droid app that still dates back to the early days of Android in 2009. The goal is to make the app easier to use and more appealing especially for new users. The rewrite will use the latest technologies and will make it easier and more attractive to contribute to the app while also making it easier for the maintainers to review and merge external contributions due to better test coverage and less code entanglement. 
>> Read more about F-Droid App Overhaul LambdaNative F-Droid integration — Portable, Productive and Performant App Development with Scheme LambdaNative is a free and open source framework that allows for creation of cross-platform applications, in particular on Android and general desktop operating systems such as Linux, BSD's, OS X or Windows. With LambdaNative, even someone with minimal programming background can create nice applications ranging from basic to advanced, using the Scheme programming language. This makes it very suitable for those that do not have a computer science background but still need to create a custom app - such as most researchers, educators and people working in the public sector. The aim of the project is to add a LambdaNative pipeline to publish apps on the free and open source F-Droid app store. The second part of the project will create educational materials to teach people how to work with LambdaNative mobile applications and how to publish their app. >> Read more about LambdaNative F-Droid integration FMD — Privacy-preserving mobile device location FMD allows you to locate and remotely control your Android device. This is useful if you have lost or misplaced it. FMD is decentralised, and users remain in full control of their data. With FMD, you can send commands to your phone: to locate it via GPS, to locate it via nearby cell towers, to take a picture, to lock it, to let it ring, or to factory-reset it. Commands can be sent over multiple transport channels: over SMS, over third-party messaging apps like Signal or Matrix (that post a notification to the Android notification tray), or over the \"FMD Server\" (a self-hostable server providing a web interface to control your device). >> Read more about FMD Gesture Typing for AOSP-derived Keyboards — More efficient text input for mobile touch screen devices HeliBoard is a very customizable and privacy-conscious open-source keyboard for Android. 
The current gesture typing feature, which lets you input words by swiping your finger over the letters, is only accessible when adding abandoned closed source code by Google. The goal of this project is a well-working and completely open-source implementation of gesture typing. Gesture typing quality will be ensured by sample contribution by developers and volunteers and comparison with results of said closed source code. The gesture typing library will be developed separately from HeliBoard, with a compatibility layer allowing it to be used as a drop-in replacement for said closed source gesture typing code. This approach will allow for compatibility with other virtual keyboards, mainly for Android, but also for other systems e.g. Linux. >> Read more about Gesture Typing for AOSP-derived Keyboards IsMyPhonePwned — Scan phone security directly from a web browser \"IsMyPhonePwned\" is a new open-source initiative designed to put the power of security back into the users' hands. By leveraging the speed and safety of Rust, the project allows anyone to run a comprehensive security scan on their phone directly from a web browser implementing WebUSB. There's nothing to install and no complicated setup; just a simple, clear process to check for compromise with complete anonymity and privacy. \"IsMyPhonePwned\" aims to be more than just a tool; it's a statement that privacy is a fundamental right. By providing a free, accessible, and trustworthy way for journalists, activists, and any concerned citizen to secure their devices, we are building a community-driven defense against digital intrusion, one phone at a time. >> Read more about IsMyPhonePwned IzzyOnDroid — Third party repository for FOSS Android apps IzzyOnDroid provides Android apps which are available under free and open source licenses approved by OSI/FSF. 
With its more than 1,200 apps, this already popular repository is the largest third-party F-Droid-compatible repository - with more than 200,000 daily visitors on the primary site alone, not counting mirrors. Its intent is to provide useful apps, connecting a vibrant community of developers and users, with a focus on transparency, privacy, and security. The goal of this project is to provide additional security, transparency, flexibility, and decentralization – e.g. by advancing our reproducible builds (which already cover more than a third of all apps in our collection) and making our tooling easier available for others to use. >> Read more about IzzyOnDroid Opening up Apple’s Low Latency Wi-Fi Protocol — Open-source interoperable implementation of LLW for Linux Apple developed a proprietary protocol called Low Latency Wi-Fi (LLW) that enables several inter-device streaming features in the Apple ecosystem. This link-layer protocol acts as the basis for applications with low-latency and real-time constraints, such as using a phone’s camera wirelessly as a webcam on a laptop. This project focuses on implementing an open-source counterpart for Apple’s LLW protocol stack on Linux, thereby providing interoperability of Apple platforms and bringing a useful low-latency protocol to the open-source community. This way, LLW will be available to third parties, which is of importance to strengthen end-users in having more choices and hindering Apple from gatekeeping technologies. >> Read more about Opening up Apple’s Low Latency Wi-Fi Protocol OWASP blint — Versatile binary linter, malware research tool and SBOM generator OWASP blint is an open-source binary linter and SBOM generator. The project had a humble origin as a linting tool, but soon found rapid adoption for a range of use cases such as malware identification (MalwareBazaar is a large-scale user), binary risk audits, and more recently binary SBOM generation for Android apk, go, dotnet, and rust binaries. 
The current version of Blint can already generate a granular SBOM for Android apk/aab files, to some extent even from binary. Within the scope of this grant, the team will enhance blint to improve package identification for native binary blobs (c/rust/kotlin native) bundled within an android app, and will add functionality to identify cloud services, domain names, IP addresses, and other sensitive literals by performing static analysis on binaries. In addition, support will be added for generating precise SBOM for swift binaries (unencrypted/debug files) by integrating blint with an LLVM frontend and a number of general improvements will be made to linting rules for mobile apps. >> Read more about OWASP blint Offline Translator — On-device translations using open models Offline translator is a privacy-focused application that handles multilingual needs entirely on-device, without sending data to external servers. It supports text and image translation with automatic language detection, transliteration across scripts, dictionary look-ups and text-to-speech functionality. The app uses exclusively open code, models and datasets, and will contribute to those ecosystems as necessary. >> Read more about Offline Translator OpenAGPS — Privacy-friendly, self-hostable location service Location-specific services benefit greatly from location awareness. However, satellite signals are slow and not always reliably available in urban areas (let alone inside buildings). Hence the need for \"assisted GPS\", which uses alternate sources such as information based on mobile cell ids to determine location. While it seems obvious for such a capability to be a digital commons, there are no open services reliably providing this information: Mozilla operated something called the Mozilla Location Service, but this was retired recently. 
This leaves users either unserved or with a huge dependency on a few large vendors that bundle their own location service (based on non-public data sources and dark code) - with the latter users being dependent on the availability of and connectivity to specific machines on the internet. This project aims to provide a self-hostable alternative based on free and public sources, such as Galmon and OpenCellID, which would function independently from the services mentioned earlier. >> Read more about OpenAGPS PiRogue Tool Suite — Consensual mobile device forensic analysis and incident response solution The PiRogue Tool Suite (PTS) is an open source, consensual digital forensic analysis and incident response solution that empowers organizations with comprehensive tools for network traffic analysis, mobile forensics, knowledge management, and artifact handling. The tool suite includes both hardware and software components, with the PiRogue network router and Colander, a case management platform. PTS aims to be a universally accessible and cost-effective solution for digital investigations, which is comprehensive, user-friendly and modular. This allows for instance academics, civil society, and independent media to analyze artifacts, build investigations, and generate reports and intelligence feeds. This project will add support for dynamic analysis from emulated Android devices in addition to physical devices, and implement TLS decryption for Flutter-based applications. >> Read more about PiRogue Tool Suite Pithus — Free and open-source mobile threat intelligence Pithus is a free and open-source Android threat intelligence platform aimed at activists, journalists, NGOs and researchers. Its goal is to provide intelligible and relevant information aggregated from several Android application analysis tools to facilitate the understanding, reverse engineering, and threat analysis of Android applications. 
Pithus adapts to its users by providing easy to read information on application behaviors, as well as precise technical data and analysis tools to detect similar malicious samples. It offers functionality to easily pivot to other malware of the same family, create custom detection rules, and monitor, detect and analyse new emerging threats. Pithus is community driven with an ever growing database of Android applications. This grant focuses on developing a number of new features and performing well overdue maintenance and necessary refactoring tasks, as well as providing adequate documentation and QoL improvements. >> Read more about Pithus RTranslator 3.0 — Real-time local translation app for spoken word for Android RTranslator is an open-source, free, and offline real-time translation app for Android. It allows users to translate text and audio with best in class quality. With the Conversation mode, RTranslator can also translate audio virtually in real time and hands free, by connecting to another phone and to a Bluetooth headphone. All the processing is done on device, ensuring total privacy for the user. Under the NGI Mobifree grant, the 3.0 version of the app will be released, upgrading the NLLB translation model to the Mozilla Bergamot models and Madlad 400. MLKit will be replaced, making RTranslator 100% open source. Various techniques will be added to improve translation quality, including: beam search, multi lingual dictionaries, Tatoeba integration and more. The app will be released on Play Store and F-Droid, and a self hosted web version of the app for text translation using Mozilla models will be made available. >> Read more about RTranslator 3.0 SIMcurity: Tools for Securing the SIM interface — Protect phones and users against SIM vulnerabilities and hostility The SIMcurity project will develop new software and hardware tools to secure mobile devices against attacks from hostile SIMs. 
Often considered as root-of-trust in mobile communication networks, SIMs and eSIMs authenticate users and their equipment, including smartphones, cars, smart devices, and even trains. However, SIMs cannot always be trustworthy: rogue operators can update them remotely over the air, their communication interface is susceptible to machine-in-the-middle attacks, and the software running on them may itself have vulnerabilities. SIMcurity will shine light on this often overlooked attack surface, provide tooling to find and mitigate security flaws, and create strong defenses to protect users and their mobile communication. >> Read more about SIMcurity: Tools for Securing the SIM interface Solid Share — Digital Mobile Wallet for W3C Solid This project works on a native app for the Android operating system, allowing citizens to use their solid pod as data and digital wallet. It allows users to log in to their Solid pod with different accounts, manage their data (for instance also travel tickets and passes), share private files by means of a QR code, and sync other Solid data modules (such as Contacts) within the Android ecosystem without needing extra apps. The app is designed offline-first. The goal of this project is to bring Solid into the hands of regular people, making them aware of the existence of the Solid project and allowing them to have a smooth and easy experience. It should be a base platform for using Solid pods as a daily usage storage as well. >> Read more about Solid Share Termux — Android terminal app and software distro/run-time Termux is an Android app that provides a terminal emulator and a GNU/Linux distribution environment with 2000+ packages and executes programs natively on Android host OS/kernel, without any emulation or containerisation. 
It allows users to locally do most things that can be done on a Linux PC, like program in many languages, use text editors/IDEs, backup files, host websites and servers, and even run a full linux desktop interface. Under the NGI Mobifree grant the following three improvements to Termux are planned to be implemented: 1) A termux-core library will be created which allows external projects to use the Termux execution environment in their own apps. 2) A new APK Library File (APKLF) execution/packaging design will be implemented so that Termux can comply with security restrictions in Android 10 and newer that prevent apps from executing downloaded code. Currently Termux works by being compiled in backward compatibility mode. 3) Package sources will be patched to read paths from environment variables exported by the app, or compiled package files will be patched at install time, rather than relying on hardcoded paths in the package files to Termux rootfs. >> Read more about Termux Unexpected Keyboard Autocomplete/Correct — Input correction for popular alternative Android keyboard Unexpected Keyboard is a lightweight and privacy-conscious virtual keyboard for Android-based mobile operating systems. Its distinguishing feature is that you can type different characters by swiping your finger towards the corner of the key, a feature originally designed for programmers using Termux. This allows fitting many more characters on screen than a regular keyboard layout, and prevents users from having to continuously switch just to input content containing characters spread across layouts. This project will add (offline) word suggestion and correction to Unexpected Keyboard, which will help to make the app even more user-friendly. 
>> Read more about Unexpected Keyboard Autocomplete/Correct VirtuAndroid — Application-layer virtualization for Android apps VirtuAndroid builds a fully open-source application-layer virtualization framework for the Android OS, designed to guarantee the main security and privacy principles. Unlike existing solutions, which break the Android permission and sandbox models, this framework provides per-app isolation, a permission system, and robust storage isolation within the virtual environment. It supports recent and upcoming Android versions through modular interception layers and offers hooking capabilities at both the Java and native levels, enabling advanced analysis, instrumentation, and security experimentation within a controlled environment. >> Read more about VirtuAndroid VoWiFi Watchdog — Identify blocks and misconfigurations for VoWiFi VoWiFi (Voice over WiFi, also WiFi-calling) is the preferred channel for voice calls and messages for 4G/5G for most operators and operating systems (i.e., Android, iOS). However, there is a lack of transparency regarding existing operator practices and the security of everyday voice calls and messages. There are shocking security weaknesses such as default and static private keys, insecure configurations, as well as anti-consumer practices (geoblocking) at live operators. Operators still use shared private keys to encrypt their customers' communication, allowing adversaries to eavesdrop on calls and messages. Due to the lack of transparency, customers have no way of evaluating the settings for their current operator and operators have little incentive for improvements. The VoWiFi Watchdog project will regularly probe operator's VoWiFi configurations to detect deployed geoblocking measures and expose deprecated security settings. The scan results will be automatically published at our project platform, allowing customers to check their current (or future) operator, motivating operators to upgrade insecure setups. 
This will help to bring transparency to the VoWiFi ecosystem. >> Read more about VoWiFi Watchdog CanIWebView — Contributing to standardisation of WebView in W3C Web technologies like HTML, CSS and JavaScript are also used very much outside of a  Web browser, because they are well standardized, openly available and many developers know how to build for the web. WebViews are software components used to render Web content inside native apps. They are integral to the mobile web experience, as in-app web content display for social media and serving as a foundation for entire applications and games built with web technologies. WebViews are, however, very much overlooked by web developers, web standards developers, and browser engine vendors in terms of compatibility and feature availability. As part of the W3C WebView Community Group, this project addresses a critical gap in the web platform by establishing comprehensive testing infrastructure and resources for WebView compatibility. The initiative will deliver three key components: open-source testing applications for Android and iOS distributed through app stores, automated testing infrastructure using WebDriver-like tools for continuous compatibility monitoring, and the caniwebview.com website as resource for WebView compatibility data and documentation. Through regular meetings and conference sessions with stakeholders in the WebView space this project aims to improve the user experience, address common issues and lay foundations to future standards. >> Read more about CanIWebView Weblate Android SDK — Live localisation updates for Android apps Weblate is a free and open-source localisation platform. Thanks to Weblate, thousands of projects including applications, websites or even comic art pieces are easily translated into any language desired. 
Weblate removes the hurdle of understanding a programming language from the translation process, thus enabling anyone to join the efforts, and building active user communities with truly democratic spirit around the projects involved. The aim of the Android SDK project is to support streamlining community driven localisation efforts directly into android application without the additional step of releasing a new version. This will further ease the process of translating and will enable developers to allow translations into a wider range of languages, including those with smaller communities. >> Read more about Weblate Android SDK ","title":"NGI Mobifree Fund","url":"https://nlnet.nl/thema/NGIMobifreeFund.html"},{"url":"https://nlnet.nl/thema/NGIFediversityFund.html","title":"NGI Fediversity Fund","description":" NGI Fediversity Fund Creating the hosting stack of the future This page contains a concise overview of projects funded by NLnet foundation that belong to NGI Fediversity Fund (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. Our software supply chains are a silent miracle, the result of millions of hours spent every year packaging, compiling and distributing software. From this vast firehose of bits come the apps and services we depend on every day. Subsequently, billions of hours are spent by users on dealing with everything from simple updates to complex system administration. This vast effort is necessary to keep oneself abreast of the never-ending supply of potential vulnerabilities that arrives with just a slight delay. Users that fail to responsively track new releases of every deployed service and each of its dependencies, are bound to land themselves or others in trouble sooner rather than later. Deploying internet based services is much tougher than we can afford. 
No matter how user friendly or well-written software is, enabling the community at large to maintain internet services by themselves at scale has proven to be consistently challenging. Achieving high availability scenarios is even more of a dark art. No wonder people just give in and surrender their data. Fediversity is a comprehensive effort to bring easy-to-use, hosted cloud services with service portability and personal freedom at their core to everyone. The programme is part of the Next Generation Internet initiative, which focuses on the development and maintenance of internet commons that support the vision of a resilient, trustworthy and sustainably open technology stack that empowers users, and grants everyone full autonomy. Fediversity wants to provide everyone with high-quality, secure IT systems for everyday use. Without tracking, without exploitation, in a way that runs everywhere and scales effortlessly. Fediversity is based on NixOS, a disruptive Linux distribution with a unique approach to package and configuration management. Built on top of the Nix package manager, NixOS is completely declarative, makes upgrading systems reliable, and has many other advantages. Because it is reproducible, it is ideally suited for complex deployment scenarios where consistent behaviour, stability and configurability matter. All project results become available under a free and open source license so you will be able to study, use, modify and share everything with anyone you want! And even better: part of NGI Fediversity is a supporting grant programme through NLnet, through which auxiliary efforts can be funded. This means that if you are interested in the project, you can be part of it still. Do you have a project idea that complements, strengthens or otherwise will benefit Fediversity? Why not put in a proposal yourself, calls are currently open! Applications are still open, you can apply today. 
NixOS Agent-Based Deployment Stack — Fleet management for partially off-line NixOS deployments This project aims to build robust and user-friendly fleet management tooling, tailored for asynchronously managing devices that are capable of and intended to run NixOS. Upon successful completion of this first phase, the tooling will provide a centralized management system offering access control, fleet oversight, streamlined machine enrollment, and clear feedback on deployment status. >> Read more about NixOS Agent-Based Deployment Stack Drupal ActivityPub integration — More comprehensive W3C ActivityPub support in Drupal One of the unique features of having ActivityPub as a web standard is that one doesn't depend on a third party social network (or in fact any third party) to include social features in sites and applications - it can just be directly built into any web-facing service. Next to Wordpress, Drupal is still one of the most widely used CMS-es. The goal of this project is to make Drupal CMS integration with the fediverse better, by allowing any entity type to be an actor and to support event federation in a manner compatible with other currently ongoing efforts in this space. >> Read more about Drupal ActivityPub integration Source-based Nextcloud + Onlyoffice — Declarative packaging for Nextcloud and Onlyoffice on NixOS NGI Fediversity is an effort to develop a fully reproducible professional hosting stack-in-a-box, built on state of the art package management. For some use cases, it is essential to have a web-based editor for office documents, instead of using the desktop/mobile clients or performing manual download-edit-upload cycles. This project targets the NixOS module for OnlyOffice, which then integrates with the libre filehosting solution Nextcloud. 
Building it from source (instead of wrapping a binary release for other platforms) will improve the transparency and trustworthiness of how the binary is created - and make it easier to track upstream improvements and apply patches. Aside from integrating these modules, we plan further improvements to improve configurability and address additional cases and requirements. >> Read more about Source-based Nextcloud + Onlyoffice NixEdgeOpt — Adaptive placement and migration of NixOS services NixEdgeOpt aims to enable resilient, efficient services across many NixOS machines. The project will develop an open source “edge scheduling brain” for Nix, including a scheduler service and NixOS integration that automatically places and moves services between nodes based on load, failures, cost and latency. Users will express high-level intents (e.g. “keep latency low for my users”, or “maintain at least two replicas for reliability while minimising cost”), and NixEdgeOpt will realise them through adaptive, algorithmic placement and migration policies that react to changing conditions instead of relying on static rules. The design will be compatible with existing Nix ecosystem projects, making it easier to deploy and operate decentralised infrastructure. >> Read more about NixEdgeOpt End-to-end NixOS boot security — Ensure whole-system security with verified boot for NixOS configurations Trusted boot technologies like Secure Boot and TPM measured boot enhance system security by requiring the booted operating system to be trusted by the system administrator or hardware vendor. This project will implement trusted boot for NixOS using a new design for signing within Nix builds, focusing on readiness for official Secure Boot requirements while preserving reproducibility and maximizing user freedom and flexibility. 
We will also take advantage of NixOS's declarative whole-system approach and Linux technologies like overlayfs and fs-verity to provide trust for the entire system configuration, addressing the large remaining \"stage 2\" attack surface. This will allow greatly enhancing the security of all kinds of NixOS systems, including servers, desktops, and special-purpose appliances. >> Read more about End-to-end NixOS boot security Nixpkgs Clarity — State of the art automated license detection for Nixpkgs Nix provides a unique approach to package management and system configuration for more reproducible, declarative, and reliable systems. Nixpkgs is the largest and most up-to-date collection of software packages today, and forms the basis of the NGI Fediversity project. But like other ecosystems, Nix struggles with accurate and consistent license package metadata necessary for frictionless reuse of Nixpkgs in the software supply chain. For example, Nix's license tracking does not fully align with best practices like SPDX license expressions, using instead a custom list of license IDs, inconsistently referencing SPDX or ScanCode LicenseDB, that can be out of sync with the actual code, or misrepresenting its license. Packagers commonly only look at top declared licenses, ignoring the file-level licenses. The Nixpkgs Clarity project corrects and standardizes Nixpkgs's license metadata to enable efficient, responsible Nixpkgs usage in secured software supply chains. >> Read more about Nixpkgs Clarity SelfPrivacy Catalog — SelfPrivacy Self-hosting can be a challenge even for a professional, let alone an unprepared user. SelfPrivacy is a free application that helps you set up and manage your self-hosted services. The goal of the project is to create an accessible tool that gives everyone an opportunity to create their own self-hosted infrastructure. 
Selfprivacy supports multiple platforms and to use it, all you need is to register with a provider and copy the access token into the application. SelfPrivacy will set up the system, domain, DNS and install open source services such as E-Mail, Nextcloud, Jitsi, etc. SelfPrivacy automates the entire lifecycle: provisioning, updates, configuration changes, monitoring, backups and space management. >> Read more about SelfPrivacy Catalog bewCloud — Light-weight self-hosted cloud storage and productivity BewCloud is a nimble self-hosted cloud storage and collaboration platform offering efficient shared file storage and groupware. BewCloud's goal is to allow anyone to run their own personal private cloud software in cheap devices. It tries to keep its feature set deliberately simple, and not go beyond the core apps/functionality users need and satisfy all use cases - for that there are more customizable and extensible alternatives like Nextcloud and ownCloud. This allows bewCloud to have a pleasant user experience and a small resource footprint (CPU, memory). BewCloud is built with TypeScript and Deno using Fresh. Within the scope of this grant, the project will work on the main pieces that are frequently requested and currently missing: calendaring and address books, and public file sharing. >> Read more about bewCloud "},{"description":" NGI Assure Projects that make security and trustworthiness easier NGI Assure was a grant programme that ran from 2020-2024, funding projects making security and trustworthiness easier, as part of the Next Generation Internet initiative of the European Commission. For a more complete description see the home page of the fund: NGI Assure. This page contains a concise overview of projects funded by NLnet foundation that belong to NGI Assure (see the thematic index). 
There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. NGI Assure is an ambitious grant programme which is part of the Next Generation Internet initiative, which as part of a larger vision focuses on technological building blocks that provide different types of strong assurances and decentralisation to users of the internet. This can be through public key infrastructures, through a web of trust, a distributed ledger or through trustworthy and fast hardware implementations of important cryptographic primitives. The projects are typically work in progress, but since they are all free and open source software: feel free to check them out and use whatever you find in whatever way you need - everything is openly licensed so you can study, use, modify and share them. And if you think your own idea fits in here, why not propose a project yourself - we are still looking for great ideas! NGI Assure was established with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. Interested in applying for a grant yourself? Check our active theme funds, such as NGI Zero Commons Fund, NGI Fediversity or NGI TALER. Applications to this particular fund are currently closed and no new projects are accepted for now. Donate to help us fund more projects like these. 0KNOW — Group Theoretic Zero-knowledge Proofs (0KNOW) Zero-knowledge proof (ZKP) systems help principals verify the veracity of a piece of information without sharing the data. The overall goal of 0KNOW is to develop a lightweight group-theoretic zero-knowledge proof (GT-ZKP) system that can be employed as a cryptographic primitive in many security protocols such as identification, authentication, or credential ownership. 
They are widely used to preserve confidentiality and ownership of data. GT-ZKP can be seen as a reusable building block for making the future internet trustworthy and secure. In 0KNOW, we will focus on NP group-theoretic problems and design GT-ZKP by finding an appropriate platform group based on the selected difficult problem considering its applicability in the post-quantum era and we will develop an open-source implementation of GT-ZKP. >> Read more about 0KNOW Aerogramme — Standards-compliant open-source IMAP server with server-side encryption Aerogramme is an open-source IMAP server targeted at distributed infrastructures and written in Rust. It is built on top of Garage, a (geographically) distributed object storage software. Aerogramme thus inherits Garage resiliency: its mailboxes are spread on multiple distant regions, regions can go offline while keeping mailboxes available, storage nodes can be added or removed on the fly, etc. Not only does it inherit its resiliency, but it also shares the burden of data management. Aerogramme can be seen as a proxy between the IMAP protocol and Garage protocols (S3 and K2V); it does not handle any data on its own and can be freely moved between machines. Multiple instances can also be run in parallel. As emails are very sensitive, Aerogramme encrypts users' mailboxes with their passwords. Data is decrypted in RAM upon user login: the Garage storage layer handles only encrypted blobs. Aerogramme is to our knowledge the first IMAP server to be designed from the ground up with object storage in mind. Thanks to this design, it is resilient and easy to scale. >> Read more about Aerogramme Ari — Purely functional programming language designed to \"type\" binary files Ari is an early research project designed to make binary files more accessible. It's a purely functional programming language and library intended to act as foundation for building developer tools that can manipulate arbitrary binary files. 
It can be used as a basis for building a structural binary differ, or a tree-based editor for directly editing binary files. It aims to reach this goal by tackling the biggest obstacle with binary data: the need for implicit format-specific knowledge to understand how binary files are structured. Over time, we'll build up a repository of file formats encoded in Ari (called \"Ari types\"), which can then be used to compile a \"type radix tree\" from any given set of Ari types. This \"type radix tree\" will be used as an efficient way to interpret a single file as multiple formats at once, while trimming out invalid interpretations along the way of parsing. Ari fundamentally differs from existing approaches like Kaitai Struct, GNU poke, and even parser generator tools like Tree-sitter in that it's heavily based around the combination of algebraic type theory & set theory and sits in-between a data specification language that doesn't have support for functions, and a fully Turing complete language that has no guarantee of halting. The plan is to work together with these other projects as they each have their own unique approach that Ari isn't focused on, whereas Ari is more of a research project intended to explore what's possible. >> Read more about Ari Atomic Data — Typesafe handling of LinkedData Atomic Data is a modular specification for sharing, modifying and modeling graph data. It uses links to connect pieces of data, and therefore makes it easier to connect datasets to each other - even when these datasets exist on separate machines. Atomic Data is especially suitable for knowledge graphs, distributed datasets, semantic data, p2p applications, decentralized apps and linked open data. It is designed to be highly extensible, easy to use, and to make the process of domain specific standardization as simple as possible. It is type-safe linked data (a strict subset of RDF), which is also fully compatible with regular JSON. 
In this project, we'll work on the MIT licensed atomic-server and atomic-data-browser, which are a graph database server and a modular web-gui that enable users to model, share and edit atomic data. We'll add functionality, improve stability and testing, improve documentation and create materials that help developers to get started. >> Read more about Atomic Data Authenticated DNSSEC bootstrapping — Secure in-band announcements of DNSSEC parameters Turning on DNSSEC for a domain involves (1) signing the domain's DNS zone content and (2) adding the signature public key to the chain of trust. The second step has long posed a problem, as it requires (often manual) transfer of information from the domain's operator to the parent (usually the top-level domain). It is largely due to this \"DNSSEC bootstrapping problem\" that only about 6% of the Top 1M domains are securely delegated (Tranco, 06/2022). The project extends commonly used authoritative nameserver software with native support for authenticated DNSSEC bootstrapping (draft-ietf-dnsop-dnssec-bootstrapping). This protocol, meanwhile published as RFC 9615 by IETF, allows DNSSEC parameters to be communicated automatically and securely, enabling DNS operators and parent registries to turn on DNSSEC automatically. To measure the protocol's impact on real-world DNSSEC deployment, measurements of protocol adoption over time will be made available. >> Read more about Authenticated DNSSEC bootstrapping Heads-OpenPGP — OpenPGP Authenticated Heads and long-time awaited security improvements The work to be accomplished in this project will deliver the accessibility, reproducibility and platform locking improvements that Heads is currently missing, including the authentication mechanisms Heads lacks prior to permitting recovery shell access or booting USB external media, a gap that can lead to data loss without an evil maid even having to unscrew anything. 
Also, a user who currently loses his USB OpenPGP dongle would lose his private encryption subkey forever, thereby losing access to all past encrypted content and lessening security until the dongle is replaced. By considering Heads as a secure pre-boot \"clean room\" environment on initial flashing/reflashing of the whole firmware, generating the OpenPGP master key and subkeys in memory and implementing key backup/restore mechanisms to/from/creating USB thumb drive encrypted storage, Heads will be able to rely further on OpenPGP (gnupg toolstack) and its detached-signing of content and signature verification against the fused public (measured) key to authenticate the owner of the machine prior to letting him have access to the machine's persistent states. Having reproducible builds again will make auditability of the firmware easier, while locking the firmware prior to leaving the Heads environment will prevent whole classes of SPI based persistent threats. >> Read more about Heads-OpenPGP Bertie — Formally verified TLS 1.3 implementation The security of the Web ecosystem relies crucially on the Transport Layer Security (TLS) protocol, but despite years of study, cryptographic weaknesses and implementation bugs in TLS implementations continue to be found on a regular basis. Bertie is a high-assurance TLS 1.3 implementation written in a subset of Rust called hacspec. Bertie uses the formally verified HACL* cryptographic library and its protocol code can be verified using the F* framework. Hence, it offers strong guarantees from the crypto layer up to the protocol API. The funding from NLnet will be used to stabilise Bertie, add documentation and tests, improve its performance, maintain its proofs, and set it up as an open source project with best practices and long-term software support. 
>> Read more about Bertie Blink Qt Messaging — Add modern encryption to SIP softphone Blink is a mature open source real-time communication application that can be used on different operating systems, based on the IETF SIP standard. It offers audio, video, instant messaging and desktop sharing. This project will extend its capability to support end-to-end asynchronous messaging and end-to-end encryption that works both online (OTR) and offline (OpenPGP). Additional features to be developed include end-to-end delivery and read notifications, and a searchable history database. >> Read more about Blink Qt Messaging Briar Desktop — E2EE online and offline messaging and discussion Briar Desktop is a client for the peer to peer messenger Briar that runs on the typical desktop operating systems Windows, macOS and Linux. With the emergence of multiple Linux-based operating systems for phones, it will also become possible to adapt it to run on operating systems such as Manjaro, PureOS and postmarketOS. A basic version of Briar Desktop has just been implemented and released to the public, but its features are still limited to one-to-one communication. The main goal of this project is to implement the additional group-oriented modes of communication that Briar's Android client supports: groups, forums and blogs. While the first iteration of development focused on Linux, publishing for macOS and Windows are going to be stabilized from experimental to production stage within this project. To keep up with the development of the Android client, support for the upcoming Mailbox feature is also going to be implemented. >> Read more about Briar Desktop CNSPRCY — E2EE connections between trusted devices CNSPRCY aims to tightly integrate your personal computing devices (i.e. desktop, laptop & phone but not wearables) with each other. 
It will provide a replicated eventually-consistent database, the ability to send encrypted messages, and it will always (unless it is impossible) know how to connect to your other devices! It does not rely on third parties or blockchains, and it will not make your devices carry other people's data. Devices will simply connect directly to each other, forming a mesh and adapting to the conditions of the underlying network using a variety of protocols. CNSPRCY provides a CLI application and exposes an IPC API, allowing you or your applications and scripts to synchronize data (asynchronously) or exchange messages (synchronously) with your other devices. These messages can then trigger scripts and execute applications on the receiving device. With these tools, it will be easier to write robust, private, offline-first, P2P software than it is to implement a centralized client-server architecture. >> Read more about CNSPRCY Converged Security Suite Improvements — Open source tooling for BIOS configuration The Converged Security Suite has been developed as an open-source tool to provision and test systems where proprietary (and closed) Intel Security Technologies - such as \"Trusted Execution Environment\", \"BootGuard\", and \"Converged BootGuard and TXT\" (CBnT) - are enabled. Since this is a security-critical operation, transparent open-source tooling is needed to securely provision and test the configuration of your system within the limitations of a closed system. However, current configuration tools are not available for technical scrutiny and only available under NDA. The same applies to test suites that validate the system and its configuration. The Converged Security Suite tries to change this by implementing an open alternative for those tools. Within this project, the team will implement BootGuard (provisioning and test suite) and add CBnT test suite support. 
>> Read more about Converged Security Suite Improvements Cable — A new wire protocol for cabal (and beyond) Distributed systems development is hard. Doubly so when you have adopted a complicated technological stack in order to achieve the goals of a peer-to-peer group chat like Cabal. Some problems inherent in an approach can only be seen in hindsight, and repaired with foresight. Enter Cable, a new lightweight binary communication protocol originally specified to be the upcoming backbone of the peer-to-peer group chat Cabal. The Cable protocol is pull-based, with message authenticity through cryptographic hashes, where peers receive messages by sending queries into the network: \"give me the most recent week of chat messages in channel main\". Peer-to-peer query-forwarding is built into the design to enable message retrieval outside any given peer's direct connections. Its logless approach enables message deletion and allows the many devices owned by a single person to use the same cryptographic identity in communication. The binary specification combined with the pull-based design minimizes system resources in transport and storage alike. Cable's goals as a protocol: to be compact over the wire, easy to implement from scratch with libsodium bindings as the only dependency, to enable bridging across any network transport, and to be agnostic with regard to how data is stored. In addition to unlocking new capabilities in Cabal's future, we also hope to pave the way for a multitude of other protocols to be hosted on Cable's agnostic wire format. >> Read more about Cable Libre-SOC Cavatools: Power ISA Simulator — Power ISA Simulator Cavatools is a high performance ISA simulator, similar to qemu. However unlike qemu, cavatools is designed with two goals in mind: to provide accurate guidance on instruction effectiveness, and to run at close to real-time performance on multi-core host systems. 
The only hardware that cavatools currently supports is cycle-accurate emulation of RISC-V: this Grant is intended to add not only the Power ISA but also add the Draft SVP64 Cray-style Vector Extensions being developed by Libre-SOC (and sponsored by NLnet). Other work includes being able to verify and compare multiple independent implementations, running the same program, to check interoperability, whether in emulators, hardware simulations, simulators or actual ASICs. >> Read more about Libre-SOC Cavatools: Power ISA Simulator Choreographic Programming: From Theory To Practice — Generating a standard library of core distributed algorithms with formal proofs To safely leverage the next-generation internet for mission-critical apps, it is crucial to assure that communications among distributed processes are deadlock-free (i.e., processes never get stuck waiting for a message that will never be sent) and behaviourally-compliant (i.e., processes never send messages that violate the intended application-level protocols). Choreographic programming is a promising new method to build distributed systems that assures the absence of deadlock and compliant behaviour by construction (vs. testing, which is notoriously difficult in the presence of concurrency and distribution). The aim of this project is to take advantage of recent scientific progress in programming language theory for distributed systems, and develop a new choreographic programming language (Klor) as an embedded DSL in Clojure, including a standard library of core distributed algorithms. >> Read more about Choreographic Programming: From Theory To Practice Coko Docs — A modern, open source replacement for Google Docs and Drive Coko Docs is an open source solution for storing and editing documents using Coko’s publishing technologies. It is the first part of an Open Suite, which will be integrated with professional Open Publishing products. 
Coko Docs will have a modern collaborative environment for creating, sharing and hosting files in various formats. We aim to build inclusive tools as powerful as Google Drive and Docs; our initial target audience ranges from individuals to small organisations. Our primary goal is an Open Source product with strong Privacy and Security protocols and elegant accessible design. We will utilize the NLnet funding for the first phase of development where we are adding collaborative editing to the integrated document editor, with offline support (for low-bandwidth scenarios). >> Read more about Coko Docs Conversations 3.0 — Secure and standards-compliant XMPP client for Android Conversations – a popular XMPP instant messaging client for Android – has been around since 2014. Since then not only have Android development best practices changed but also user requirements on the app have shifted dramatically. Features like emoji reactions, quotations (references), edit history or simply multiple images per message weren’t on the developers' minds in 2014 and are difficult or impossible to implement with the current software architecture. Conversations 3.0 is an architecture overhaul that adapts Conversations to a modern Android development style (namely Android Jetpack) and also redesigns the database to accommodate the aforementioned features. The well-functioning XMPP layer will remain intact during this refactoring in order to keep all existing features and not re-introduce bugs that have been fixed ages ago. >> Read more about Conversations 3.0 CryptPad Auth — Implement external identity mechanisms to E2EE collaborative editor CryptPad is a real-time collaboration environment that encrypts all user-generated content in users' browsers, making it illegible to the host of the service. In this project we'll develop optional extensions to the platform to provide additional layers of protection for such data by pursuing two broad strategies in parallel. 
For the first, we'll take a top-down approach to security through integration with identity provider services like LDAP or SSO, allowing organizations to apply centrally managed access control policies. For the second, more bottom-up approach, we'll offer tighter control of user accounts through various secondary authentication methods like app-based TOTP or email \"magic-links\". These new features will provide more choices for the protection of data stored in CryptPad, while also making the platform more approachable for conventional organizations by leveraging their existing points of trusted infrastructure. >> Read more about CryptPad Auth CryptPad Quality Test Suite — Continuous testing of critical CryptPad functionality Cryptpad is an open-source, end-to-end encrypted online collaboration platform featuring a number of different services like a code editor, spreadsheet, polls and Kanban boards. Unlike with other office suites, the server learns nothing about the contents of what is being collaborated on. As the project continues to gain traction with users and developers, and various integrations with the platform are taking place, there is an obvious need to make sure development in one place doesn't inadvertently break something somewhere for others. With the software now widely deployed and in active use by many people and organisations, a more structured approach to testing core accessibility of the platform through CI is necessary. This will ensure that Cryptpad remains available to serve users as long as they need it. >> Read more about CryptPad Quality Test Suite CryptPad WCAG — Accessibility improvements to CryptPad suite CryptPad is an end-to-end encrypted collaboration suite that is fully open-source. It is used by people around the world to work together on shared documents and spreadsheets in real-time, to conduct private polls, and many other use cases. 
A significant effort has always been made to make sure that the software is fully usable with assistive technologies. As a very active project which is continuously in development, this is of course a moving target. The goal of this specific project is to remove the last remaining hurdles that prevent people with disabilities from using the entire feature set of Cryptpad. The ultimate ambition of Cryptpad is to become officially W3C WCAG certified, and serve the widest possible community of users. >> Read more about CryptPad WCAG CryptoLyzer — Cryptographic settings analyzer library CryptoLyzer is a cybersecurity tool that can analyze the cryptography-related settings of clients and servers in the case of several different protocols. The tool’s primary purpose is to support end users as well as system administrators, security engineers, auditors, etc., in their work by telling them the details of the currently applied setting and informing them about the potential weaknesses and vulnerabilities. Unlike many other notable free software projects that focus on just one protocol family, CryptoLyzer wants to be as comprehensive as possible. On the one hand, users can analyze several cryptographic mechanisms (e.g., SSH, HTTP security headers, JA3 tag, and later OpenVPN), not just the most popular TLS protocol. On the other hand, it is possible to test both the standard and special or corner cases. The latter means the tool can test barely supported, experimental, obsoleted, or even deprecated mechanisms or algorithms, which may carry significant risks. The project intends to learn from the existing projects and integrate their solutions to lower the barrier to good cryptographic settings, making communication on private and public networks more secure. 
>> Read more about CryptoLyzer CryptPad Auth Improvements — Better user management, 2FA and SSO for CryptPad CryptPad is a secure and encrypted open-source collaboration suite, allowing people to work together in real-time on presentations, texts and spreadsheets as well as conduct polls or gather data through forms. And unlike traditional cloud offerings, the server does not get to learn what its users are working on: all the data is encrypted on the devices of the users, before it is sent to the server. The project already offers advanced features like 2FA and Single Sign On (OIDC and SAML), making it easy to smoothly integrate the tool into corporate environments. The goal of this project is to perform user interface improvements to the 2FA and SSO system. It will also build a User Directory that makes it possible to manage users and to list users according to the information that would be available about them in case of login through SSO or Invitation. It will also build towards enabling advanced usage scenarios without SSO, instead offering for instance the possibility to send registration invitations to users in a way that doesn't break the security model of Cryptpad. >> Read more about CryptPad Auth Improvements Securing Internet protocols with DIDs — Bridge Decentralized Identifiers with standardised authorisation mechanisms Many Internet protocols require authentication, e.g. when we check our email account with a username and password, when we authenticate to SSH hosts with public keys, or when we log in to websites using OpenID Connect. Decentralized Identifiers (DIDs) are a new type of identifier that have associated private keys and can be used for authentication purposes. DIDs are in practice mostly used for exchanging Verifiable Credentials (VCs) between Issuers, Holders, and Verifiers. 
However, on a more basic level, DIDs can also simply be used as a replacement for usernames/passwords or static public keys, to authenticate by proving control over one's DID. Unlike other identifiers such as usernames or domain names, DIDs do not require a central authority for creating and using them. In this project, we will work on integrating DIDs with existing Internet protocols that require authentication by developing a new SASL mechanism. The idea is that for example you could log in to your SSH host, email account, IRC server, XMPP server, etc. using your DID, which can improve both usability and security. >> Read more about Securing Internet protocols with DIDs DATALISP — Universal data interchange format using canonical S-expressions As society moves digital the need for thorough fundamentals becomes more prominent. Datalisp is a laboratory for decentralized collaboration built on a few well understood ideas which imply a certain architecture. The central thesis of datalisp is: \"If we agree to use a theoretically sound data interchange format then we will be able to efficiently express increasingly complicated coordination problems\", but in order to move the web to a different encoding we will need incentives on our side. A substantial improvement in user experience is needed and we aim to provide it. Ultimately our goal is to give peers the tools they need to protect themselves, and others, by collaboratively measuring the legitimacy of information and locally; by assessing whether data can be trusted as code or whether it requires user attention. Datalisp is the convergence point for all these tools (none of which is named \"datalisp\") rather than a language, join us in figuring out how to reach it! >> Read more about DATALISP dream2nix — Automate reproducible packaging for various language ecosystems Dream2nix is part of the overall effort to create more technical assurances, transparency and robustness within the software supply chain. 
Dream2nix as a framework allows more open source projects to achieve reproducible builds more easily, and helps to create an auditable toolchain across different technical dependencies. The ability to reproduce software builds is of major importance when it comes to verifying if a given binary is the product of a given source code. Reproducibility also increases the maintainability and reliability of small and large software deployments. The nix build system allows for such reproducibility even for complex software systems. dream2nix integrates existing well known programming language specific package managers like npm, yarn or cargo with the nix build system, which will allow many open source projects to benefit from nix' unique properties. >> Read more about dream2nix Python supply-chain with dream2nix — Towards a secure, extensible & reproducible Python supply-chain with dream2nix We aim to improve the software supply chain of Python with Nix by extending Dream2nix. While the Nix build system offers great reproducibility and auditability features, the effort required to manually write build expressions for all transitive dependencies has led to the creation of various \"lang2nix\" tools. Dream2nix is a collection of such tools and a library handling shared concerns, with existing implementations for NodeJS, Rust and Haskell. This project is going to implement first class Python support in dream2nix. Packagers and developers will be able to build standards-compliant projects with nix automatically, while still being able to transparently apply patches where necessary. >> Read more about Python supply-chain with dream2nix Encoding for Robust Immutable Storage (ERIS) — Encrypted and content-addressable data blocks The Encoding for Robust Immutable Storage (ERIS) is an encoding of content into a set of uniformly sized, encrypted and content-addressed blocks as well as a short identifier (a URN). 
The content can be reassembled from the encrypted blocks only with this identifier (the read capability). ERIS is a form of content-addressing. The identifier of some encoded content depends on the content itself and is independent of the physical location of where the content is stored (unlike content addressed by URLs). This enables content to be replicated and cached, making systems relying on the content more robust. Unlike other forms of content-addressing (e.g. IPFS), ERIS encrypts content into uniformly sized blocks for storage and transport. This allows peers without access to the read capability to transport and cache content without being able to read the content. ERIS is defined independent of any specific protocol or application and decouples content from transport and storage layers. The project will release version 1.0.0 after handling feedback from security audit, provide implementations in popular languages to facilitate wider usage (e.g. C library, JS library on NPM), perform a number of core integrations into various transport and storage layers (e.g. GNUNet, HTTP, CoAP, S3), and deliver Block Storage Management (quotas, garbage collection and synchronization for caching peers). >> Read more about Encoding for Robust Immutable Storage (ERIS) Earthstar — P2P protocol and APIs for collaborative and social applications Your data is stuff you care about. But a lot of the time, you only get to interact with it in places owned by corporations. It’s a bit like living in someone else's house. One consequence is that you don't get to choose who can see your stuff: malicious actors can follow your activities and harass you, and the owners of the space can record what you do and sell that information on. And because the space isn't yours, you don't get any say over how anything works: features you like can disappear overnight, and your data can be changed or deleted without your consent. 
What if you and the people you care about could band together and have your own place for your data to live? Where the only people who see your stuff are people you trust, and no-one is selling your privacy? And where you decide how things work and when they should change? Earthstar is a pocket-sized toolkit to help users build a place of their own. Easily create user-owned infrastructure that holds the data you care about, in formats which suit your needs, and write your own applications to interact with it — or use ones from the community! >> Read more about Earthstar Earthstar (Encryption, Safety, and Local Sync) — Improve security, encryption and sync capabilities in Earthstar CRDT Storing and collaborating on digital data is an essential part of everyday computing, from photo-sharing amongst family members, to document co-authoring between colleagues. Earthstar is a tool for building undiscoverable, offline-first shared data storage. Users decide which devices their data are stored on, what the infrastructure of their network looks like, the shape of their data, and how they can interact with it. The proposed project adds a number of useful features, notably end-to-end encryption (including metadata), P2P discovery in local networks and efficient data synchronisation. >> Read more about Earthstar (Encryption, Safety, and Local Sync) Friendly Forge Format (F3) — Proposed Standard for secure communication between software forges The Friendly Forge Format (abbreviated F3) is an Open File Format for storing the information from a forge such as issues, pull/merge requests, milestones, release assets, etc. as well as the associated VCS (Git, Mercurial, etc.). F3 is designed to exchange the state of a software project between GitHub, GitLab, Gitea, etc. for backup, mirroring or federation. F3 is essential for a forge to provide key requirements. 
(i) Portability: the entire state of a software project can be dumped and restored at a later time, on a different development environment (ii) Versatility: when published and updated as an F3 archive, a software project effectively is Open Data on which an unlimited range of applications can rely, even outside of the forge domain (iii) Consistency: it provides a common language to use when talking about the forge related domains (iv) Trust: cryptographic signatures on each F3 dump guard against malicious or unintentional tampering that could compromise the integrity of a software project. >> Read more about Friendly Forge Format (F3) FOSS Code Supply Chain Assurance — Mitigate attacks through software dependencies It is of the utmost importance to ensure that FOSS packages from public repositories have not been tampered with by malicious actors. This type of compromise is described as an open source \"supply chain attack\" and these have been increasing significantly. This project is building a new system (which is FOSS itself) to help verify the integrity of deployed code packages and validate their origin with external data sources, with the potential to mitigate attacks on open source package supply chains, for example by detecting whether a package in use matches verified code by matching source and binaries exactly and approximately, or by detecting abnormal code changes that may be signs of malicious modifications and possible attacks on a package. The key components of this open code and data solution are a Package and File Fingerprints Database, a Code Similarity and Changes Detection Engine, utilities to detect possibly malicious changes in upstream projects, and integration in build system(s). While existing approaches may require a tight control of the whole code supply chain, the approach of this project is designed for practical usage with limited changes to a build and CI/CD pipeline. 
>> Read more about FOSS Code Supply Chain Assurance Federated Task-Tracking with Live Data — Track tasks and issues in a federated way Applications and data are tightly coupled: the format, structure, and meaning of data are almost inseparable from the application generating and using them, hindering the data's portability. Sharing data between applications entails mastering complex and proprietary APIs or export formats, and transforming output data into the necessary structure and meaning for use elsewhere, time-consuming and error-prone activities. Federation is a way of linking different systems together so users can share data by being 'connected, but sovereign'. The precursor Federated Timesheets project successfully pioneered this approach for time-tracking data, bringing together WikiSuite, timeld, and Prejournal such that timesheet data entered into one are easily disseminated to the others. Federated Task-Tracking builds ambitiously on that foundation, with a more complex data model applicable to a broader range of real-world scenarios, and introduces live collaborative editing of latency-critical data shared between participating systems. >> Read more about Federated Task-Tracking with Live Data Federated Timesheets — Interoperable machine-readable time tracking This project brings together developers from WikiSuite, m-ld.io, Muze and Ponder Source in a collaboration to deliberately research how federated machine-readable data can work between independent software projects on the user-operated internet. We want to showcase how our vision of Federated Bookkeeping can make internet users \"connected but sovereign\". Each project’s timesheet system that tracks billable hours will be extended with time tracker apps (locally or on a self-hosted server) to expose machine-readable timesheet data through a query endpoint (reader pull) or through a webhook (writer push). 
Furthermore a W3C interest group “federated timesheets” was started that will contain and maintain a repository of time tracker schemas and extend this continuously in an orderly fashion to enable developers to import recipients’ schemas as well as add their own to the repository. >> Read more about Federated Timesheets Fobnail — Remote attestation delivered locally The Fobnail Token is a tiny open-source hardware USB device that provides a means for a user/administrator/enterprise to determine the integrity of a system. To make this determination, Fobnail functions as an attestor capable of validating attestation assertions made by the system. As an independent device, Fobnail provides a high degree of assurance that an infected system cannot influence Fobnail as it inspects the attestations made by the system. Fobnail software is an open-source implementation of the iTurtle security architecture concept presented at HotSec07; in addition, it will leverage industry standards like TCG D-RTM trusted execution environment and IETF RATS. The Fobnail project aims to provide a reference architecture for building offline integrity measurement servers on the USB device and clients running in Dynamically Launched Measured Environments (DLME). It allows the Fobnail owner to verify the trustworthiness of the running system before performing any sensitive operation. Fobnail does not need an Internet connection, which makes it immune to the network stack and remote infrastructure attacks. It brings the power of solid system integrity validation to the individual in a privacy-preserving solution. >> Read more about Fobnail Full-source GNU Mes on ARM and RISC-V — Expand full-source bootstrap to other CPU platforms GNU Mes was created to address the security concerns that arise from bootstrapping an operating system using large binary blobs of several 100s of megabytes, which (incredibly so!) is common practice for the software supply chains in use today. 
While these days users can reproducibly build software with modern functional package managers like Guix and Nix, the presence of potentially toxic code in these unauditable blobs or the propagation into binaries cannot be excluded. Users have no technical assurance that the executable they use corresponds with the source code - or whether the tool chain which compiled the source code introduces weaknesses or undefined behaviour. By making the toolchain 'bootstrappable' (as per bootstrappable.org), users can verify themselves for every step what happens - in the case of GNU Mes from one tiny (and orders of magnitude more easily verifiable) 357-byte file upwards. The final goal is to help create a \"full source\" bootstrap for any interested UNIX-like operating system and any type of architecture. This project will add ARM and RISC-V, with other architectures on the roadmap. >> Read more about Full-source GNU Mes on ARM and RISC-V GNU Mes RISC-V — Bringing the trustworthy bootstrap to RISC-V GNU Mes was created to address the security concerns that arise from bootstrapping an operating system using large, unauditable binary blobs, which is common practice for all software distributions. Mes is a Scheme interpreter written in a simple subset of C and a C compiler written in Scheme that comes with a small, bootstrappable C library. The final goal is to help create a full source bootstrap for any interested UNIX-like operating system. This funding will enable GNU Mes to work on the RISC-V platform, an instruction set architecture (ISA) that is provided under open licenses. Combining GNU Mes with an open ISA will provide an extra level of security and trust by extending the auditability of the system from the software to also the hardware. RISC-V is a relatively new architecture so this effort requires the backport of many tools that were already available for GNU Mes in other architectures. 
Also the modular nature of RISC-V makes it an especially complex bootstrap target, because it needs to support all the possible RISC-V implementations. This project aims to overcome the current limitations to prepare GNU Mes and all the associated projects for a full RISC-V port. >> Read more about GNU Mes RISC-V RISC-V bootstrapping effort via GNU Mes — Allow bootstrapping Guix on RISC-V via GNU Mes This project is a continuation of several previous modest efforts that each made good steps in bringing the GNU Mes project to the quickly growing ecosystem of RISC-V. RISC-V is a relatively new instruction set architecture (ISA) for computer chips, and because it obviously has its own variant of the very lowest level of instructions, adopting this new hardware platform for practical use cases requires porting of some software and tools that were already available in other architectures. Such \"chip agility\" makes the overall technology ecosystem more robust, creating more diversity and consumer choice. One aspect of working towards chip agility in a trustworthy manner is aiming for a \"full source bootstrap\", as pioneered by GNU Mes and others on other architectures. This addresses the security concerns associated with bootstrapping an operating system using large, unauditable binary blobs, which until recently was common practice for all software distributions. Mes is a Scheme interpreter written in a simple subset of C and a C compiler written in Scheme that comes with a small, bootstrappable C library. The goal of this project is to complete the port of Mes to RISC-V, and achieve the first full source bootstrap - which is then available to use for any interested UNIX-like operating system. As a first major step towards universal adoption, the project will subsequently package the whole process and include it in Guix's commencement module. 
>> Read more about RISC-V bootstrapping effort via GNU Mes GNU Mes Tower — GNU Mes with alternative scheme implementations and WASM GNU Mes was created to provide transparency and strong technical assurances when bootstrapping an operating system - instead of using large, unauditable binary blobs that bring the risk of \"reproducibly malicious\" behaviour within the software toolchain. GNU Mes provides a transparent alternative: starting from a Scheme implementation of a C compiler, and a minimal Scheme interpreter written in C, to bootstrap the full GNU toolchain capable of building the rest of all open-source software. The GNU Mes Tower projects will add the option to stay on the \"Scheme\" path without having to resort to C, starting from either same minimal Scheme interpreter with a specializer as a Scheme compiler capable of generating native binaries. To achieve self-hosting, a series of bootstrapping steps will be implemented to add features to each interpretation level one-by-one, maintaining specialization to native code. The sequence of more and more capable Scheme compilers will allow operating systems like Guix to be bootstrapped without C, and move from a minimal Scheme interpreter to full-blown modern scheme dialects to allow much more advanced features and optimisations during the bootstrap. >> Read more about GNU Mes Tower GNU Taler KYC — Know-Your-Customer support for GNU Taler This work is about adding proper Know-Your-Customer (KYC) support to GNU Taler to satisfy regulatory requirements to operate the Taler payment service. However, we will not implement our own KYC solution but instead provide a generic way to interface with existing KYC providers and implement several concrete adapters. By supporting multiple providers we will ensure that our KYC abstraction is reasonably generic. The KYC integration will be configurable to adjust the deployment to the legal requirements of different countries. 
Finally, we will support attestation of collected KYC information to third parties. This will allow the payment system to assure consumers receiving a bill about the identity of the invoicing business. >> Read more about GNU Taler KYC Layer-2-Overlay — Generalising the GNUnet Layer-2 Overlay for broader usage Layer-2-Overlay is a P2P connectivity layer that allows decentralized applications to establish communication with peers. The current Internet architecture is strongly biased in favor of client-server applications. To regain data sovereignty from tech oligopoly, citizens must be able to communicate directly without a few gatekeepers. Therefore decentralized applications need to overcome network obstacles of the existing Internet infrastructure without the need to set up a costly alternative infrastructure. An additional benefit is the effective usage of existing resources, to lower the environmental damage big centralized systems are doing to our planetary ecosystem. The Layer-2-Overlay will achieve this goal by utilizing a variety of existing protocols and infrastructure (Ethernet/WLAN, TCP/UDP, QUIC, Satellite) and an effective flow- and congestion-control to distribute traffic through different channels. After reconnecting the edges (e.g. PCs at home or mobiles) of the existing Internet among each other again, traffic can be forwarded directly to known peers and existing infrastructure will be preserved. The API of Layer-2-Overlay will be usable by all kinds of decentralized application use cases. For a first showcase Layer-2-Overlay will be integrated into GNUnet, an alternative network stack for building secure, decentralized and privacy-preserving distributed applications. >> Read more about Layer-2-Overlay GNUnet Messenger API — API for decentralized instant messaging using CADET Communication is one of the most valuable goods, but it requires confidentiality, integrity and availability to trust it. 
The GNUnet Messenger API implements an encrypted translation layer based on Confidential Ad-hoc Decentralized End-to-End Transport (CADET). Through CADET the API will allow any kind of application to set up a fully decentralized form of secure and private communication between groups of users. The service uses e2e-encryption and does not require any personal information from you to be used. You are able to send text messages, share files, invite contacts to a group or delete prior messages with a custom delay. Messages and files will both be stored decentralized being only available for others in the group. GNUnet provides the possibility to use this service without relying on the typical internet structures, with a turnkey optional DHT for sharing resources. Unlike many other messengers out there the GNUnet Messenger service focuses on privacy. You decide who can contact you and who does not. You decide which information gets shared with others and which stays a secret. The whole service and its API is free and open by design to be used by many different applications without trusting any third party. >> Read more about GNUnet Messenger API Gash — Port Gash to GNU Mes for auditable bootstrap For several years, the GNU Guix project has been reducing the amount of unauditable binary blobs used in bootstrapping its operating system, through efforts such as GNU Mes. This is needed to avoid \"reproducibly malicious\" behaviour within the software toolchain. Gash is a POSIX-compatible shell written in Guile Scheme. Gash provides both the traditional shell interface, as well as a Guile library for parsing shell scripts. Once this project is completed, Guix (and other operating systems) can be bootstrapped from legible source, without depending on already compiled compilers or C standard libraries. 
This will make it possible to move step by step from a minimal Scheme interpreter to full-blown modern Scheme dialects, and subsequently to the much more advanced features and optimisations required during the bootstrap. >> Read more about Gash Gosling — Generic Onions Services Library Project One of the internet’s core infrastructural flaws is a lack of anonymity - yet anonymity is a form of privacy that many users would prefer to have. Building products which preserve this user privacy while also being featureful and easy to use is difficult. Part of this difficulty has to do with the fact that developers need to be aware of and actively counter the myriad ways users can be de-anonymised (e.g. fingerprinting, side-channels). This requires knowing many intricate details at all levels of the software stack. Project parent Blueprint for Free Speech's goal is to gradually increase the portion of the internet that offers anonymity. By creating a “generic onions services library” (Gosling), we can help developers create secure and anonymous p2p applications without having to delve too deeply into protocol design or the Tor spec, and to do so with more security assurance. >> Read more about Gosling Porting Guix to Riscv64 — Port Guix software collection to Riscv64 architecture This project will work on bringing the Rust support of GNU Guix on Riscv64 up to fully supported, with the bootstrap chain from source. It will also bring Riscv64 in Guix up to the full level of support that is expected of commonly used architectures, ready to be used in all the applications where GNU Guix is already found. Riscv64, being an Open Architecture, freely available to anyone who wants to implement processors, goes a long way towards ensuring that our future computing platforms are free of hidden backdoors. 
GNU Guix, being a true Free Software Operating System and compiled from source from a small bootstrap binary, with reproducibility guarantees, is as close as the computing community has come to a fully auditable software chain that makes sure all the software we run on our computers is what we intend, and nothing more. By combining the Riscv64 architecture and GNU Guix for software we can reach toward a fully secure and auditable computing platform that we might consider trusting. >> Read more about Porting Guix to Riscv64 TPM 2.0 for HEADS — TPM 2.0 support for open source BIOS replacement firmware HEADS is an open source custom firmware for laptops that aims to provide slightly better physical security and protection for data on the system. HEADS combines physical hardening of specific hardware platforms and flash security features with custom coreboot firmware and a Linux boot loader in ROM. This moves the root of trust into the write-protected region of the SPI flash and prevents further software modifications to the bootup code. HEADS allows you to verify that laptop hardware has not been tampered with in transit or in your absence (so-called evil maid attack). Until now HEADS is mostly used with older Thinkpad X230 and T430 laptops. As part of this funded project we will develop HEADS to support state of the art hardware. >> Read more about TPM 2.0 for HEADS Himalaya — End-to-end encryption capable scriptable email Himalaya is a cross platform and open source toolsuite for managing emails. Its aim is to extract the email business logic into a safe and secure Rust library, so it can be consumed by any compatible client. 
This architecture makes the tool very flexible and versatile: move batches of emails from the command-line input, automatically sign or decrypt emails leveraging OpenPGP's web of trust, view HTML version of emails from the terminal, write emails with your favourite text editor, set up a new message notifier in a systemd daemon, view emails from a graphical user interface à la Thunderbird… possibilities are endless! The funding from NLnet will be used to release the first production-ready version of the library and to release a few compatible clients like a CLI, a TUI, a GUI, a Vim plugin and an Emacs plugin. Himalaya also plans to extend the concept to other email-related domains, like contact management, events/calendar management, tasks management etc. >> Read more about Himalaya Hyper Hyper Space — Cryptographically secure append-only distributed data layer The Hyper Hyper Space project aims to make distributed applications easy to build and usable by anyone. It introduces “spaces”, shared information objects that are stored locally (on personal computers or phones) and can be easily replicated over the network to any number of participants and kept synchronized. Spaces have formats (just like files): blogs, discussion forums, e-commerce stores, etc. can be represented as space-types. Instead of filenames or URLs, spaces can be universally looked up by entering a 3-word code into the application. This code is used to find devices hosting the space, and then to fetch and validate it. Application designers can build upon a library of building blocks supplied by Hyper Hyper Space (e.g. cryptographic identities, CRDT-inspired datatypes, etc.) that work over append-only DAGs. Once a space is defined this way, its synchronization can be handled by Hyper Hyper Space transparently, simplifying application development. 
Finally, to make spaces universally available, the Hyper Hyper Space runtime works inside an unmodified web browser (as a JavaScript library: IndexedDB is used for in-browser storage, WebRTC as transport - no extensions are needed). Thus a distributed application can be deployed as a static website that fetches its contents from a browser-to-browser mesh. Ultimately, the Hyper Hyper Space project’s goal is to encourage open information formats and software interoperability, helping make open source, not-for-profit and public interest application development sustainable. >> Read more about Hyper Hyper Space IPDL — Equational Proofs for Distributed Cryptographic Protocols In cryptography, interactive, distributed cryptographic protocols are most often proved secure using the simulation paradigm, wherein the protocol of interest is proved (approximately) equivalent to an idealization. The simulation paradigm is extremely powerful, as it allows a wide range of security properties to be captured under one definition. On the other hand, while expressive, the simulation paradigm presents extra complications for formally verifying security proofs. Proving equivalences between distributed protocols in general requires heavyweight techniques based on manually constructing so-called bisimulations (suitable relational invariants), which creates a barrier to entry for formal methods. We lower this barrier to entry with IPDL, or Interactive Probabilistic Dependency Logic, a new process calculus for cryptographic protocols. IPDL includes an approximate equational logic that allows computationally sound reasoning about protocols in a manner both close to the simulation paradigm and amenable for formal verification. Using IPDL, we deliver short, simulation-based proofs of a variety of cryptographic protocols. Our most complex and very general case study verifies the n-party GMW protocol for secure function evaluation. 
>> Read more about IPDL Interpeer SDKs — Secure and efficient peer-to-peer networking stack The Interpeer Project's purpose is to research and develop novel peer-to-peer technologies for open and distributed software architectures. The goal is to enable serverless modes of operation for collaborative software with rich feature sets equal to or surpassing centralized client-server architectures. In order to make the Interpeer technology stack accessible to software developers, the goal is to provide SDKs for a desktop and a mobile platform, complete with examples. These SDKs should enable seamless cross-platform data exchange and live editing capabilities by multiple authors. >> Read more about Interpeer SDKs json-joy — JSON data structure as a CRDT Conflict-Free Replicated Data Types (CRDTs) are specialized data structures that enable the merging of changes in two or more data replicas without conflicts. Despite their immense potential, CRDTs remain a relatively new area of research and development, and much can be improved in existing open source CRDT libraries. The objective of the json-joy project is to implement a full JSON CRDT library that reflects the current state of the art, while simultaneously ensuring optimal performance through the use of custom-designed data structures and the latest advancements in Replicated Growable Array (RGA) literature. In addition, the project aims to establish specifications for critical components of the library, including the data types employed, serialization protocols, and patch format protocols, thereby facilitating the portability of the open source code to other programming languages and promoting educational initiatives. >> Read more about json-joy KDE Connect — KDE Connect discovery and transport protocol improvements KDE Connect allows devices on a local network to discover each other and, after an initial pairing process, exchange data over an encrypted connection. 
Leveraging this abstraction, the KDE Connect desktop and phone apps provide cross-device syncing features like sharing files, notifications, input devices, multimedia controls and more. There are multiple independent implementations of the KDE Connect protocol written in C++, Java, Swift, Javascript, and more; as well as various applications using the protocol targeting different operating systems. The aim of this project is to reimplement KDE Connect's discovery process and transport protocol, which were shaped by the limitations of the smartphones of 10 years ago, using multicast and modern TLS. >> Read more about KDE Connect Standardizing KEMTLS — Post-quantum TLS without handshake signatures KEMTLS is a recent academic proposal for an alternative way of adding authentication to the Transport Layer Security (TLS) protocol. The project is motivated by the need to migrate public key cryptography to new algorithms that resist attacks by quantum computers. Compared to traditional cryptography, post-quantum signature schemes generally have larger public keys and/or signatures, and need more computational effort. KEMTLS, published at the ACM Computer and Communications Security Conference in 2020, replaces signature-based authentication for web servers with a post-quantum key exchange (called a KEM) in a way that saves communication and computation. In this project we aim to prepare KEMTLS for standardization by the Internet Engineering Task Force (IETF). To that end we will implement KEMTLS in a few different open source TLS software libraries and demonstrate the viability and interoperability of these implementations. This software will assist later implementers of KEMTLS by allowing them to validate their implementations against our reference. We will also investigate optimizations for using KEMTLS in specialized environments like IoT, and will investigate issues involving certification of KEM keys. 
>> Read more about Standardizing KEMTLS Kaidan — Encrypted A/V calls, group chat messaging Kaidan is a user-friendly and modern chat app for every device. It uses the open communication protocol XMPP (Jabber). Unlike other chat apps, you are not dependent on one specific service provider. Instead, you can choose between various servers and clients. Kaidan is one of those XMPP clients. In contrast to many other XMPP clients, it is easy to get started and switch devices with Kaidan. Additionally, it adapts to your operating system and device's dimensions. It runs on mobile and desktop systems including Linux, Windows, macOS, Android, Plasma Mobile and Ubuntu Touch. The user interface makes use of Kirigami and QtQuick. The back-end of Kaidan is entirely written in C++ using Qt and the Qt-based XMPP library QXmpp. >> Read more about Kaidan Kaidan Mediasharing — Media sharing and improved contacts for Kaidan XMPP Kaidan is a user-friendly and modern chat app for every device. It uses the open communication protocol XMPP (aka Jabber). Kaidan is a convergent app, capable of supporting different device dimensions. It runs on a variety of mobile and desktop systems including Android, FreeBSD, Linux, macOS, Plasma Mobile, Ubuntu Touch and Windows. Kaidan uses the open communication standard XMPP, which is built around federation. That way, users can individually pick from a variety of apps, servers and service providers - or even run their choice of software themselves so that they are not dependent on any service provider or company. In this project, the team will work in particular on improving media sharing, including smoothening the overall user experience. In addition, a number of useful XEPs will be implemented, such as XEP-0368 (\"SRV records for XMPP over TLS for Direct TLS support\") and XEP-0484 (\"Fast Authentication Streamlining Tokens\") which speed up and strengthen transport layer security. 
Within this project the team will also refactor and fix presence subscription handling, enabling the user to accept presence subscription requests at any time. Where possible, features are upstreamed to the cross-platform C++ XMPP client and server library Qxmpp. >> Read more about Kaidan Mediasharing Katzen — Meta-data resistant instant messaging over the Katzenpost mixnet Katzen is a new private instant messaging application built using the Katzenpost mixnet project, which is an overlay network that is able to hide communication patterns of individual users from passive network observers. This means that attackers cannot link sending and receiving of messages on the network with any of the participants. Messages between conversation parties are delivered to and read from message queues operated by the mixnet service operators. The legacy simple design maintains a per client queue and is able to see when a client is receiving a message, how often clients receive messages, and when the client is online and checking for their messages. The purpose of this project is to replace the legacy ephemeral message storage system used by Katzen with a replacement that does not link messages with a specific user or conversation. To do this, clients will include a csprng seed as part of the contact creation process that will be used to generate a deterministic sequence of message identifiers between conversation participants; these identifiers will be used by each client to query the ephemeral storage provider for the next message in the conversation. Because polling the storage service adds latency, and this design must check for new messages from each conversation partner, mechanisms to reduce the number of round trips - such as using SURBs as an asynchronous callback upon message delivery on the storage provider - will be explored as a means to build a mixnet 'push' service to decrease the total round trip delay in receiving a new message. 
>> Read more about Katzen Keyoxide Mobile — Mobile client for identity management tool Keyoxide The Keyoxide Mobile app is an open source Keyoxide client for Android that lets you verify and manage decentralized cryptographic identities while being on the go. To verify someone else's decentralized identity: simply enter their identifier or scan their QR code to see the verification result generated by the app. With the funding from NLnet, the app will be able to create new Keyoxide profiles and additional features will be added such as iOS support, a design update, being able to save multiple profiles, text encryption/decryption, custom instance support, accessibility features like localization, color themes and contrast. >> Read more about Keyoxide Mobile Private Key Operations for Keyoxide — Implement Private Key Store design in Keyoxide Keyoxide is one of the open-source success stories when it comes to providing an alternative to the proprietary product (Keybase). The UI is straightforward so that the interaction with the site is available to all kinds of users. Unfortunately there is one critical part that differentiates Keyoxide from Keybase - no support for private key operations. Adding proofs requires a complex maze of command line invocations. This project will implement best of both worlds: simple, UI centric way of interaction without technical knowledge required and the strong security of Keyoxide. >> Read more about Private Key Operations for Keyoxide Keyoxide v2 — Add cryptographic signature based to Keyoxide How do you discover which other online accounts across different services and service providers actually belong to the same person? Keyoxide is a secure, privacy-friendly and decentralized platform to manage online identities, uncompromisingly driven by what the user herself wants to share. Keyoxide is a new type of service to allow proving linked account ownership on a variety of platforms. 
Keyoxide levers existing and battle-tested cryptographic primitives. The goal is to give users more control over their online presence, independent from dominant internet actors - without in fact having to depend on any centralised services or third parties. The project will build on top of the existing OpenPGP Identity Proofs to add other types of profiles based on various cryptographic signature mechanisms from a variety of new tools. To maintain linkable profiles, a new signature-hosting infrastructure needs to be designed and developed. Other improvements are aimed at safeguarding privacy and achieving plausible deniability. >> Read more about Keyoxide v2 Kintex-nextpnr — Open toolchain for high performance FPGAs FPGAs are reconfigurable chips capable of handling many electronic signals in parallel. They are used in network equipment like backbone switches, firewalls, video devices like surveillance cameras and radio equipment like mobile-phone base stations and radar systems and satellites to process high volumes of data with very low latency. FPGAs are also used to test digital circuit designs before they are manufactured as chips. The functionality of FPGAs is determined by a configuration file which is loaded into the FPGA at power-on. The configuration file is usually generated from a design file by a proprietary closed source tool provided by the manufacturer of the FPGA. nextpnr-Kintex will provide a complete set of open source tools to generate a configuration file for the widely used family of Kintex7 FPGAs from manufacturer Xilinx/AMD without having to use any proprietary tools. This will empower digital design engineers to have the guarantee that no backdoor is implemented on FPGA based devices by the proprietary design tool provided by the vendor. The availability of the source code of the FPGA design tool will also allow innovators to come up with new use cases for FPGAs currently not possible with proprietary tools. 
Overall, the project will help to increase the security of FPGA based wired and wireless network infrastructure in Europe. >> Read more about Kintex-nextpnr Let's Connect! Client-Server to P2P — Add P2P features to Let's Connect! Let's Connect! provides an open-source VPN solution allowing ISPs, hosting providers and businesses to easily set up a secure VPN service. Currently Let's Connect! has been engineered in a traditional client-server VPN model, which connects the client with VPN technology into the organization where the VPN server is deployed. Let's Connect! is also used in the educational and research community under the name eduVPN. Roughly 140 organisations, and an estimated 300K users, around the globe are using eduVPN. The current client-server model of Let's Connect! doesn't facilitate directly connecting devices located in various places, like IoT devices at home or services offered in various datacenters or (public) cloud environments. This project focusses on engineering a P2P solution integrated with Let's Connect! VPN, which empowers users to connect safely to all their devices, anywhere on the internet. >> Read more about Let's Connect! Client-Server to P2P LiberaForms — End to End Encrypted Forms Cloud services that offer handling of online forms are widely used by schools, associations, volunteer organisations, civil society, and even families to publish questionnaires and collect the results. While these cloud services (such as Google Forms and Microsoft Forms) can be quite convenient to create forms with, for the constituency which has to fill out these forms such practices can actually be very invasive because forms may not only include personal details such as their name, address, gender or age, but also more intimate questions including medical details, political information and life style background. 
In many situations there is a power asymmetry between the people creating the form and the users that have to supply the data through that form. Often there is significant time pressure. No wonder that users feel socially coerced to comply and hand over their data, even though they might be perfectly aware that their own data might be used against them. LiberaForms is a transparent alternative for proprietary online forms that you can easily host yourself. In this project, LiberaForms will add end-to-end encryption with OpenPGP, meaning that the data is encrypted on the client device and only the final recipient of the form data can read it (and not just anyone with access to a server). Also, the team will add real-time collaboration on forms, in case users need to fill out forms together. >> Read more about LiberaForms Audio/Video Calls in Libervia — Encrypted Audio/Video Calls in multi-frontend XMPP client Libervia is a multi-frontend, multi-purpose XMPP client. It doesn't just focus on instant messaging, and uses the open standard to provide features such as blogging/microblogging, calendar events, file sharing, end-to-end encryption, etc. Some of the last major missing features include audio/video conferencing and desktop sharing. The goal of this project is to implement one2one calls first and then multi-user conferencing and desktop sharing, while using the e2e encryption mechanisms provided by the ecosystem where possible. These features will be available on the various front-ends, including web, desktop, and even command line. Compatibility will be ensured with the wider XMPP ecosystem, to ensure that calls can be made without problems with other software such as Conversations or Movim. >> Read more about Audio/Video Calls in Libervia Librecast — E2E encrypted multicast The Librecast project contributes to decentralising the Internet by enabling multicast. 
It builds transitional protocols and software to extend the reach of multicast and enable easy deployment by software developers. This can for instance help to synchronise large evolving datasets to many users at the same time (even hundreds of gigabytes of blockchain data) in an economic, reliable, transparent and fair way - unlike with unicast, everyone can get a copy of the same packets received by everyone else. Not depending on a centralised structure (anyone can be the upstream source), means it is very robust as well. LibreCast is energy efficient and as a next generation internet technology offers confidentiality and security - and is sustainable, has high scalability and throughput. Librecast Live is a Multicast Live Streaming, Conferencing and Remote Collaborative Work Environment. It is a versatile multicast platform flexible and scalable enough to be used for live-streaming, classrooms and conferences - using an ad hoc or previously established web of trust. While using multicast helps solve the scalability inherent with this kind of setup, actually all messages are transmitted over encrypted channels - providing strong privacy and integrity assurances through E2E encryption. >> Read more about Librecast The Libre-SOC Gigabit Router — Native Open Hardware chip implementation of crypto primitives The Libre-SOC Project is developing a Libre System-on-a-Chip in a transparent fashion to engender end-user trust. Based on the OpenPOWER ISA, the next logical step is to extend and modernise OpenPOWER into the cryptographic and blockchain realm, and to do so in a practical way: design a Router ASIC. Whilst many commercial ASICs would do this using hard-coded non-transparent blocks or instructions, true transparency really only exists if the ISA has general-purpose primitives that can be Formally (mathematically) validated. 
The Libre-SOC Crypto-router Project therefore goes back to mathematical \"first principles\" to provide general-purpose Galois-Field, Matrix abstraction and more, on top of Simple-V Vectorisation. This provides flexibility for future cryptographic and blockchain algorithms on a firm transparent foundation. >> Read more about The Libre-SOC Gigabit Router LumoSQL at-rest data security — Modern embedded database with encryption and signed data LumoSQL is an embedded database that combines various modern database technologies into a single powerful abstraction while remaining a drop-in replacement for the most-used database worldwide, SQLite. LumoSQL brings to embedded databases features including built-in encryption, per-row checksum verifiability of all data (without the overhead of e.g. a blockchain), and a choice of storage backends. In this project the LumoSQL community works towards the 1.0 version which will add a slew of attractive features such as encrypted embedded data at-rest (which can be unlocked either through role based access control or even outside of unmodified apps with a hardware token like Nitrokey), signed data rows and data tables (so users can cryptographically verify the integrity of data), as well as improved documentation and cross-platform availability. In addition the project is producing valuable tools such as the not-forking project, which addresses the root cause of many real-world security issues as customisation without such a tool requires hard-to-maintain forking. >> Read more about LumoSQL at-rest data security Maemo Leste Telepathy — Modernise open source real-time communications stack Maemo Leste aims to provide a free and open source Maemo experience on mobile phones and tablets. It is an effort to create a true FOSS mobile operating system for the FOSS community. Maemo Leste is based on GNU/Linux, and specifically - Devuan GNU/Linux. 
The goal is to provide a secure and modern mobile operating system that consists only of free software, obeys and respects the users' privacy and digital rights. The project also works closely with projects that aim to produce hardware that Maemo Leste and other community mobile operating systems could run on. The operating system itself takes much of its design and core components from the Nokia-developed Maemo Fremantle, while replacing any closed source software with open source software. In this project the Maemo Leste team will update the Telepathy real time communications framework (which should benefit all other users of that framework) and add among others double ratchet based OMEMO encryption to XMPP. >> Read more about Maemo Leste Telepathy Manyverse Private Groups — Implement SSB Private Groups in Manyverse Manyverse is a peer-to-peer social network built on the SSB protocol where users themselves are responsible for the network. It is used by thousands of people, on both mobile and desktop. Users can share public posts with each other, but there is currently no way to write private messages to closed communities of a dozen members or more. With this project, we want to implement and improve SSB Private Groups for adoption in Manyverse. This is a cryptographic mechanism to ensure that communities can talk in private. Additionally, we want to make sure that these communities have the tools they need to moderate and prune their social space for safety. >> Read more about Manyverse Private Groups Mellium — Add OMEMO support to XMPP library Mellium is an XMPP library that helps other projects safely interoperate using the most widely used, federated, real-time communication protocol in use today. Unfortunately, it does not currently provide a mechanism to enable projects using it to communicate in an end-to-end encrypted manner, meaning those projects must do the hard (and potentially dangerous) work of implementing encryption themselves. 
This project aims to create an easy to use implementation of the OMEMO encryption standard (XEP-0384: OMEMO Encryption) that is compatible with popular instant messaging clients. This will encourage projects depending on Mellium to implement strong privacy protections by lowering the barrier to entry for end-to-end encryption. >> Read more about Mellium MirageVPN — Robust OpenVPN client and server, and QubesOS client OpenVPN is a virtual private network protocol which is still widely used. We will extend the existing MirageOS OpenVPN implementation in three aspects: develop a unikernel suitable for QubesOS, develop an OpenVPN server, and add recent features (e.g. tls-crypt v2). The project builds on top of MirageOS: a library operating system developed in OCaml — a memory-safe functional programming language. In MirageOS, each service is a separate unikernel with a minimal attack surface that only contains the code required to run it. These unikernels are normally executed as a virtualized machine such as KVM, VirtIO, Xen. MirageOS also supports using a strict security feature of the Linux kernel called seccomp. The elliptic curve primitives used in this project are correct by construction (and free of timing side channels), and have been developed in Coq as part of the Fiat-Crypto project. >> Read more about MirageVPN Monal IM — Free Jabber/XMPP client for iOS and macOS Monal is an open source XMPP instant messaging client for macOS and iOS which strives to be the go-to client for these platforms just like the app Conversations is for Android. XMPP in general is an open and standardized protocol for real time communication. Anyone can host their own server and communicate freely with each other, just like with email and just like email the used addresses are of the form \"user@domain.tld\". 
In this project, Monal will among others add end-to-end encryption to its chat interface, in this case the OMEMO XEP which uses a so-called double ratchet mechanism to provide strong protection of the confidentiality of messages. Within the project, the team will also implement various other XEPs such as audio and video (A/V calls), adding modern functionality and improving interoperability with other clients. >> Read more about Monal IM SecSync — Efficiently combine end-to-end encryption with CRDTs While popular CRDT implementations like Yjs or Automerge offer several designs and even implementations on how to asynchronously exchange data using servers, there is no plug & play implementation serving end-to-end encrypted systems. Focus of the first version of SecSync is to provide a protocol to efficiently exchange and resolve e2e encrypted CRDTs. It comes with a plug and play reference implementation on top of Yjs and should be well documented. By leveraging snapshots as well as operations logs referencing snapshots the load times should be reduced while still offering real-time collaboration. >> Read more about SecSync Namecoin: Electrum-NMC — Security hardening and futureproofing Namecoin and Electrum-NMC Namecoin provides a decentralized naming system and trust anchor. Its flagship use-case is a decentralized top-level domain (TLD) which is the cornerstone of a domain name system that is resistant to hijacking and censorship. Among other things, this provides a decentralized trust anchor for Public Key Infrastructure that does not require third party trust. It operates independently from the DNSSEC root trust chain, and can thus offer additional security under some circumstances. This project will focus on improving Namecoin's lightweight client (Electrum-NMC) in the areas of security (e.g. sandboxing and test coverage), scalability (e.g. more compact network protocol), UX (e.g. domain management GUI improvements), and packaging (e.g. for Debian and derived distros). 
>> Read more about Namecoin: Electrum-NMC NeoChat — Native Matrix encrypted instant messaging client NeoChat is a client for Matrix, an open and decentralized chat protocol. NeoChat is using Qt and KDE technologies to run on many platforms: Linux, Windows, macOS, Plasma Mobile and Android. One of the biggest missing features for NeoChat is support for end-to-end encryption. Currently, all the messages are sent unencrypted and encrypted conversation can't be read in NeoChat. This is not a problem for public rooms since they are usually not encrypted, but it makes NeoChat unsuitable for usage in a private or professional context. The goal of this project is to enable support for encryption in NeoChat. Since NeoChat uses libQuotient, a client library for the matrix protocol, most of the work will take place in libQuotient. This means that the work done in the project will also help other Matrix clients and bots built with Quotient, in particular Spectral and Quaternion. >> Read more about NeoChat Packet classification extensions for Netfilter — High throughput packet classification of tunneled traffic With the advent of virtualization and containers, datacenter traffic is becoming prominently tunneled through layer 2 and layer 3 encapsulation techniques such as VLAN, GRE, VxLAN, GRETAP and Geneve among others. Extended packet classification through advanced string-matching also allows to proactively detect malicious traffic patterns and to improve overall datacenter network security. Performance is also a paramount aspect to improve resource utilization and to allow packet classification to scale up to the increasing demands in latency and bandwidth. Nftables is the next generation packet classification software that replaces {ip,ip6,eb,arp}tables which reuses the existing main components of the Netfilter frameworks such as Connection tracking, NAT and logging. 
This project aims at three goals: 1) Enhancing Nftables packet classification by extending its tunneled packet classification capabilities to allow to match on inner header, 2) add string-matching infrastructure for Nftables and 3) evaluate performance to analyze bottlenecks and deliver upstream enhancements for the Netfilter packet classification datapath. >> Read more about Packet classification extensions for Netfilter neuropil — DHT based overlay network The neuropil protocol is a new integration protocol for the IoT, which can be embedded into applications and devices. It facilitates and recombines messaging paradigms with distributed hash tables, self-sovereign identities and named-data networks to establish a new kind of privacy- and security-by-design overlay network. The protocol itself embraces self-containment, reducing the need for external systems/dependencies. Our goal is a trustworthy, democratized access control mechanism for the internet of everybody. Within our project we would like to leave the beta-phase and realize the first full release of our protocol. To reach this goal we will add two remaining critical parts to our protocol: distributed time calculations and distributed linked time-stamping authorities. The first addition is not only crucial for systems without an RTC, but it also enables a de-centralized time service with a much lower attack surface. The second builds upon the first and is a key requirement to establish trust between entities using the protocol. It can also be used to ensure the integrity and to keep-track of (search-) contents of peers. Furthermore we will review our current reference implementation for efficiency and use less power-hungry algorithms whenever possible to support the green deal of the European Union. 
>> Read more about neuropil NextGraph — Interlinked data graphs, with privacy, security, data locality, and interoperability in mind NextGraph brings about the convergence between P2P and Semantic Web technologies, towards a decentralized, secure and privacy-preserving cloud, based on CRDTs. This open source ecosystem provides solutions for end-users and software developers alike, wishing to use or create decentralized apps featuring: live collaboration on rich-text documents, peer to peer communication with end-to-end encryption, offline-first, local-first, portable and interoperable data, total ownership of data and software, security and privacy. Centered on repositories containing semantic data (RDF), rich text, and structured data formats like JSON, synced between peers belonging to permissioned groups of users, it offers strong eventual consistency, thanks to the use of operation-based CRDTs. Documents can be linked together, signed, shared securely, queried using the SPARQL language and organized into sites and containers. Long-term goals include developing or integrating wikis, knowledge bases, search engines, groupware, productivity tools, supply chain solutions, marketplaces and e-commerce solutions, social networks, smart contracts and DAOs. With NextGraph, users can now create and access freely their own interlinked data graphs, while preserving privacy, security, data locality, and interoperability. >> Read more about NextGraph Type Inference for Nix — Adding static typing and type inference to Nix Nix is a tool to configure systems and manage packages. It comes with a programming language, also called Nix, to describe packages and configurations. Typically, when a change is made to the configuration of a system, the new configuration is evaluated and then applied. However, configuration errors are only reported after the failure of the evaluation. 
So, users often have to edit the configuration, evaluate it, understand the evaluation errors, fix the errors and try again. This feedback loop is very inefficient and frustrating for users. Similarly, developing the abstractions to make the Nix package collection (nixpkgs) work can be challenging. Indeed, dynamically typed languages with reflection like Nix do not provide many safeguards. This project aims to retrofit a static type system, with type inference, on the existing Nix language while being backwards compatible with existing code. Types provide timely feedback to developers to help them during development, thanks to localized error messages. Furthermore, a type system for Nix would supercharge language server protocols and provide immediate feedback to Nix programmers. In addition to acting as some form of documentation, static types enable new exciting possibilities like better optimizations for Tvix in order to get faster evaluation and more advanced type-based function search with Noogle. >> Read more about Type Inference for Nix NixOS/Clevis — Unattended disk decryption with Clevis on NixOS Whether they should or not, organisations are moving their data to third party servers (aka the \"cloud\"). While full disk encryption of servers should be an everywhere standard in order to protect the sensitive data that they inevitably hold, its adoption is still lagging. This isn't just lack of awareness, but also part of the tooling is missing. With full disk encryption comes a big pain point: restarting the server requires the root file system to be unlocked before booting the OS. While it is possible to remotely log into a server to unlock it remotely, this does create a dependency on a human operation in order to boot a server without compromising security. This is sometimes a non-acceptable drawback: it rules out unattended reboots, recovery from power loss, and it doesn’t scale well with the number of servers. 
This project will make on disk encryption with remote unlocking part of NixOS - bringing together a number of innovative mechanisms such as system extensions images and stage1-networkd. While this does not make using the cloud safe and private in and by itself (this is impossible), it will contribute to make it somewhat more safe and more private. Additionally the project will port the Proxmox Hypervisor on NixOS, in order to benefit from NixOS-style declarative host configuration and deployment (which is very valuable when managing a cluster of machines to avoid configuration rot). ProxMox is a hypervisor that can run little to middle sized VM clusters and is capable of handling multi-node clusters. >> Read more about NixOS/Clevis Securing NixOS services with systemd — NixOS, with the nix package manager, provides different services that can be installed and configured in a reproducible, declarative way. But how does one know whether software sticks to what it is supposed to do, and prevent a malicious application to spy on others? Systemd provides users with ways to specify fine-grained sandboxing options for their running service, taking advantage of the Linux kernel's security facilities. This project will improve the default configuration of the services that are available in NixOS using systemd, so that users may deploy services without granting them too much trust: the services would only have access to the parts of the system they require. From a security point of view, this limits the attack surface of the system and improves a lot of defense in depth. This also means that services wouldn't be able to snoop on all of the user's system. To gain long-term benefits from this project, we will develop automated tools to help with finding the right configuration for a given service, and we will write documentation to help people who will want to secure other services with their task. 
>> Read more about Securing NixOS services with systemd UEFI Secure Boot support for NixOS — Add a self-sovereign root of trust as part of supply chain security This project combines the power of the reproducible package manager Nix with the cryptographic protections of UEFI Secure Boot to provide concrete assurances about the authenticity of the software being booted into. Supply chain security works upward from a root of trust, which has to be in place before the very first bytes of code are even executed by a host’s CPU. UEFI Secure Boot helps provide this root of trust. Using UEFI Secure Boot, the host’s firmware will only boot the operating system if it is signed by a key stored in the firmware. This key may be issued by Microsoft, or in this project’s case, be generated by the user. This can help resist attacks from malware or other attacks against the system’s integrity. Obviously, when people use a commodity operating system commercially available to everyone (like Microsoft Windows) the security protection is far less and the risks are far greater than when someone generates a custom operating system with a reproducible tool like Nix. The Host and signing service will use TPM-backed attestation keys to mutually attest the authenticity of the requests. This tool will initially support systemd-boot and uboot, however the project will be specifically designed with the intention of supporting additional bootloaders. >> Read more about UEFI Secure Boot support for NixOS Adopting the Noise Key Exchange in Tox — Improved security of Tox instant messaging with NoiseIK Tox is a P2P instant messaging protocol that aims to provide secure messaging. It's implemented in a FOSS library called \"c-toxcore\" (GPLv3). The project started in the wake of Edward Snowden's disclosure of global surveillance. It's intended as an end-to-end encrypted and distributed Skype replacement. 
The cryptographic primitives for the key exchange (X25519), authentication (Poly1305) and symmetric encryption (XSalsa20) are state of the art peer-reviewed algorithms. Tox' authenticated key exchange (AKE) during Tox' handshake works, but it is a self-made cryptographic protocol and is known to be vulnerable to key compromise impersonation (KCI) attacks. This vulnerability enables an attacker, who compromised the static long-term private X25519 key of a Tox party Alice, to impersonate any other Tox party (with certain limitations) to Alice (reverse impersonation) and to perform Man-in-the-Middle attacks. The objective of this project is to implement a new KCI-resistant handshake based on NoiseIK in c-toxcore, which is backwards compatible to the current KCI-vulnerable handshake to enable interoperability. Further Noise's rekey feature will be evaluated for adoption. >> Read more about Adopting the Noise Key Exchange in Tox Oil Shell — A new dialect of shell that is less error-prone Oil is a new Unix shell. Shell languages provide an (IEEE standardised) interactive command language and interactive scripting environment used to control computer operating systems. Shell scripts are deployed and used visibly and invisibly to command or glue together different applications and control the execution of tasks. Oil is the upgrade path from traditional shells like bash to a better and more structured language and runtime. It already runs thousands of lines of unmodified POSIX compliant shell scripts (as well as bash scripts which aren't compliant), but in a safer and more reliable way. OSH can be smoothly upgraded to YSH, a new shell language influenced by Python, Ruby, JavaScript, JSON, and YAML. YSH also offers a basic interactive shell UI, and a \"headless\" API for building GUIs on top of shell. Through its set of specification languages, scripts can be translated to fast C++. 
>> Read more about Oil Shell Oil Shell — Modern shell language and runtime Oil is a new Unix shell. Shell languages provide an (IEEE standardised) interactive command language and interactive scripting environment used to control computer operating systems. Shell scripts are deployed and used visibly and invisibly to command or glue together different applications and control the execution of tasks. Oil is the upgrade path from traditional shells like bash to a better and more structured language and runtime. It already runs thousands of lines of unmodified POSIX compliant shell scripts (as well as bash scripts which aren't compliant), but in a safer and more reliable way. OSH can be smoothly upgraded to Oil, a new shell language influenced by Python, Ruby, JavaScript, JSON, and YAML. Oil also offers a basic interactive shell UI, and a \"headless\" API for building GUIs on top of shell. This project will finish the translation from statically typed Python to C++. This will let it match the speed of bash and existing shells, while offering reliable error handling, safe processing of user-supplied data, the elimination of quoting issues and better error messages and tools. >> Read more about Oil Shell Improve Okular digital signature support — Improve open source tooling for digital signatures Okular is a Free Software document viewer that supports multiple file formats such as PDF and OpenDocument Format, and besides viewing allows for annotation and digital signatures. It was initially created for desktop Linux and UNIX operating systems but meanwhile has grown into a universal, vendor-neutral document tool for all platforms - including an increasing amount of mobile operating systems such as Android, postmarketOS and pureOS. Digital signatures allow people to establish the source of documents, but can also be used to enter into legally binding agreements or contracts - so having a reliable and transparent solution is important. 
The aim of this project is to improve the support of PDF digital signatures in Okular both from the point of view of features and usability, making it easier for users to interact with this crucial privacy and security functionality. >> Read more about Improve Okular digital signature support Ontogen — From datasets in DCAT catalogs to knowledge graphs Data Catalogs are an important building block for a knowledge graph. Most available open-source data cataloging solutions, however, are tailored either to the needs of dataset publishers or to bigger companies with existing data warehouses or data lakes. Open data communities or smaller-sized companies do not have many options to choose from when it comes to lightweight solutions to catalog their existing data assets or collect existing metadata about relevant datasets for their needs. K-Gen will be such a lightweight data catalog solution. It will be based on DCAT, the W3C standard for data catalogs, which has been widely adopted in the public sector for the publishing of open datasets. In the first development phase, the milestone of a basic data catalog to collect metadata about datasets of a user and a general data processing pipeline to import existing metadata about datasets from various sources and various formats, including ways to keep them in sync with the original source should be developed. Further development should then provide tools to build a knowledge graph over the content of the datasets of the data catalog. >> Read more about Ontogen OpenCryptoHW — CGRA-based reconfigurable open-source cryptographic IP cores OpenCryptoHW aims to develop reconfigurable open-source cryptographic hardware IP cores for Next Generation Internet. With the Internet of Things (IoT) upon us, security and privacy are more important than ever. On the one hand, if the security and privacy features are exclusively implemented in software, the risk of breaches is high. 
On the other hand, if implemented solely in hardware, it is impossible to fix bugs or deploy critical updates, which is also a threat to security and privacy. Hence, we propose to use reconfigurable hardware, providing the flexibility of software and the trustworthiness of hardware. Hacking into it requires first hacking the device’s configuration infrastructure and then hacking the algorithm itself, which is way more complicated. There have been proposals to implement cryptographic IP cores using Field Programmable Gate Arrays (FPGAs). However, the FPGA configuration infrastructure is cumbersome and proprietary, increasing device cost and compromising safety. Therefore, we propose to use open-source Coarse-Grained Reconfigurable Arrays (CGRAs) instead of FPGAs. CGRAs have much lighter configuration circuits and are not controlled by any private entity. With OpenCryptoHW, hardware and system designers will be able to download CGRA-based cryptography IP cores for free and under a permissive license, ready to integrate into their silicon designs. >> Read more about OpenCryptoHW OpenCryptoLinux — Make Linux run on OpenCryptoHW OpenCryptoLinux aims to develop an open, secure, and user-friendly SoC template capable of running the Linux operating system, with cryptography functions running on a RISC-V processor. The processor will control a low-cost Coarse-Grained Reconfigurable Array (CGRA) for enhanced security, performance, and energy efficiency. Running Linux on this SoC allows non-hardware experts to use this platform, democratizing it. This project will help build an Internet of Things (IoT) that does not compromise security and privacy. The project will be fully open-source, which guarantees public scrutiny and quality. It will use other open-source solutions funded by the NLnet Foundation, such as the RISC-V processors from SpinalHDL and the OpenCryptoHW project.
>> Read more about OpenCryptoLinux OpenCryptoTester — System-on-Chip for hardware/software testing This project aims to develop a System-on-Chip (SoC) used mainly to verify cryptographic systems that improve internet security but can also be used on any SoC. It is synergetic with several other NGI Assure-funded open-source projects – notably OpenCryptoHW (Coarse-Grained Reconfigurable Array cryptographic hardware) and OpenCryptoLinux. The proposed SoC will support test instruments as peripherals and use OpenCryptoHW as the System Under Test (SUT), hopefully opening the way for open-source test instrumentation operated under Linux. >> Read more about OpenCryptoTester Open MLS Infrastructure — End-to-end encrypted group messaging The Open MLS infrastructure project aims at designing and implementing infrastructure components for the MLS (Messaging Layer Security) protocol currently under development by the IETF (https://datatracker.ietf.org/doc/draft-ietf-mls-protocol/). While it is theoretically possible to run MLS peer-to-peer, most use-cases will require central components that take care of ordering and queueing messages, as well as managing group state. Our goal is to create components that are secure, metadata-minimizing, modular, and that allow for federation. This lays a foundation for improving existing and future messaging applications, and will make it possible to validate a potential future application-layer specification. >> Read more about Open MLS Infrastructure Improving OpenSSH's Authentication and PKI — Improving SSH Authentication with OpenPGP transitive trust It would not be a stretch to say that ssh secures the Internet - it is the protocol most relied on to log into servers of any type. Yet, its authentication model is inflexible, rarely used properly, and inadequate. OpenPGP's transitive trust (aka \"web of trust\") mechanisms and revocation certificates can help to provide additional automated assurances.
By publishing and certifying OpenPGP keys for servers, an ssh client may be able to automatically check whether an encrypted connection is not only encrypted, but also authenticated. Similarly, server administrators can automatically find the right public key for users. And when a server key or user key is compromised, using OpenPGP, it is straightforward to ensure that it won't be trusted: just publish a revocation certificate. This project will add OpenPGP support to OpenSSH to improve and simplify these workflows. >> Read more about Improving OpenSSH's Authentication and PKI Hardening OpenPGP CA deployments — HSM support for OpenPGP key infrastructure OpenPGP CA is a tool for managing and certifying OpenPGP keys in organizations. Today, the private key material of OpenPGP CA instances is stored and used locally. This project will add support for two hardened modes of operation: 1) Using a hardware-token (OpenPGP Card) based key for the CA, and 2) Split OpenPGP CA deployments, in which critical operations are performed on a highly protected machine (e.g. air-gapped), while regular operation can take place conveniently on an online CA instance. In addition, the project will build an OpenPGP CA based tool for version control signing workflows (e.g. git), with a focus on providing a smooth user experience for signing with OpenPGP card devices. >> Read more about Hardening OpenPGP CA deployments OpenQRNG — Open source, certified Quantum Random Number Generator Cryptography is key to protecting our modern secrets, and random numbers form the basis of the technical assurances given by that approach. However, true randomness is hard to achieve. Quantum number generators leverage unpredictable physical phenomena to deliver quality randomness, and as such can be of great utility.
However, currently there are only proprietary QRNG sources with a significant price tag - which means that the technology is not widely in use and that those people that do have the means have to essentially trust the vendor in question. The project will develop an open hardware QRNG device, which can be inspected from top to bottom - and made available at low cost. >> Read more about OpenQRNG p2panda — p2p protocol and event-driven data store p2panda is a peer-to-peer protocol and framework for building local-first applications that store and exchange user data in a distributed database. p2panda’s goal is to drastically extend the range of software projects that can be realized with a decentralised architecture by providing a wide range of features that alleviate common issues with this approach. A focus is set on data sovereignty, developer friendliness and supporting collaborative software. This project will validate these claims by applying p2panda to a real-world use case and improve p2p networking by extending data replication capabilities. >> Read more about p2panda Adding Web-of-Trust Support to PGPainless — Web-of-Trust specification support for Java Reliable authentication of public key certificates is a hard requirement for strong and effective end-to-end encryption. The \"Web-of-Trust\" (WoT) serves as an example of a decentralized authentication mechanism for OpenPGP. While there are some existing implementations of the WoT in applications such as GnuPG, their algorithms are often poorly documented. As a result, WoT support in client applications is often missing or inadequate. PGPainless is an easy-to-use, secure-by-default OpenPGP library for Java and Android. This project will extend PGPainless with an implementation of a recently published, new Web of Trust specification. The goal is to make the Web of Trust more interoperable and accessible to client applications, overall increasing the usability and ergonomics of OpenPGP for the end-user. 
>> Read more about Adding Web-of-Trust Support to PGPainless Post-Quantum Crypto in DNSSEC — Experimental platform for DNSSEC with post-quantum cryptography PQ-DNSSEC is an open-source tool set for exploring DNSSEC based on post-quantum cryptography. It includes implementations of authoritative DNS servers and DNS resolvers that support various post-quantum signature schemes as well as tools to evaluate performance and the compatibility of these implementations with the existing DNS infrastructure in the global Internet. PQ-DNSSEC also provides a collection of example zones to the general public. This way, the project will help the DNS community to prepare for transitioning to post-quantum secure DNSSEC. >> Read more about Post-Quantum Crypto in DNSSEC Statime — Memory-safe high-precision clock synchronization Of all severe software security bugs, a big chunk (50-70%) has one single source: memory corruption. The underlying cause is that, traditionally, systems software is implemented in languages that are not memory-safe. The way forward is to replace these pieces of software with memory-safe alternatives, one by one. Doing so will not just mitigate, but eliminate this category of bugs entirely. This project picks out one piece: the Precision Time Protocol (PTP). High-precision clock synchronization plays a crucial role in networking, with application areas such as high precision localization, finance, broadcasting, security protocols, smart grids, and cellular base station transmissions. Our proof-of-concept implementation will conform to the IEEE standard for PTP and will focus on the software implementation of a slave-only PTP ordinary clock. In the future, our work is expected to become part of a wider open-source roadmap for reliable and memory-safe keeping of network time, that will seek to expand the feature set of our implementation and work towards growing its adoption. Statime is part of Project Pendulum. 
>> Read more about Statime Peppol for the masses — Hybrid self-hosted e-invoicing with decentralized identities Peppol is an EU-backed e-Invoicing network which uses a top-down certification infrastructure to establish trust between the sender and the receiver of an invoice. In the \"Peppol for the Masses!\" project, we will implement Peppol in PHP (so far only Java and C# implementations are available), and package its core components (the AS4 sender and the AS4 receiver) as a Nextcloud app, so that users of the popular Nextcloud personal cloud server can send and receive invoices over AS4 directly into their self-hosted server. Due to the top-down nature of Peppol's trust infrastructure, it's not possible to self-host a node in the Peppol network unless you go through a reasonably heavy certification process. Therefore, we will extend our implementation with support for self-hosted identities, using the \"WebID\" identity pattern which was popularized by the Solid project. We will also develop a re-signing gateway which replaces the signature on an AS4-Direct invoice with a Peppol-certified signature. In a follow-up project, we will also host an instance of this re-signing gateway and make it available free of charge, similar to how the LetsEncrypt project has made TLS certificates available free of charge. This project will lower the (cost) barrier for machine-readable cryptographically-signed e-Invoicing messages, and at the same time increase the sovereignty of end-users, towards a human-centric internet of business documents. >> Read more about Peppol for the masses Probabilistic NAT Traversal — Last resort ad hoc connections for GNUnet With the Probabilistic NAT Traversal project, we want to significantly improve the ability of users to directly connect with each other. For establishing a peer to peer (p2p) network among regular internet users, unhindered connectivity is anything but self-evident. 
Today, consumer devices are often not directly reachable via the internet but quite often sit behind a so-called NAT, which delivers only indirect internet connectivity. There are several methods to reach peers who are behind a NAT, but there are as many reasons those existing methods might fail. Manual configuration, as is possible for example with home routers, often does not work for mobile devices like mobile phones. We will implement a new way of NAT traversal that we believe to be independent of the existing network configuration, and that does not require a third party with a direct internet connection helping two peers to connect to each other. Existing NAT traversal methods use third parties which are permanently required for communication. Our Probabilistic NAT traversal method requires a third party only at the beginning of the communication. The selection of third parties to start the connection establishment is based on previous work from the Layer-2-Overlay project. Probabilistic NAT Traversal will greatly improve the connectivity of GNUnet and other P2P networks that adopt it. >> Read more about Probabilistic NAT Traversal Prosody IM — Implement SASL authentication mechanism for XMPP XMPP is the most widely deployed standard protocol for real-time messaging today, and is a very popular choice among individuals and organizations who wish to manage their own internet communications, instead of submitting to other (e.g. commercial/data-driven) communication platforms. For an XMPP user to log in to their account today, two things are required: a username and a password. This has remained unchanged for many years, while other technologies have been steadily advancing to support security-enhancing features such as multi-factor authentication or even self-sovereign identities.
XMPP uses an authentication umbrella standard known as SASL to authenticate all connections. The way XMPP integrates SASL is defined in RFC 6120 and assumes a very simple challenge-response flow, which has worked well in allowing us to upgrade the network from older SASL mechanisms such as DIGEST-MD5 and onto more modern mechanisms such as SCRAM-SHA-1 and SCRAM-SHA-256. To gain new authentication features beyond simple password authentication, we need to evolve XMPP’s relationship with SASL. This project will deliver just that, and will be the first complete implementation of a proposed standard (XEP-0388: Extensible SASL Profile) into the popular Prosody XMPP server. It will also implement support for per-session access control throughout Prosody, and support for XEP-0386 (Bind 2.0). >> Read more about Prosody IM ProveThis — Prove statements about authenticated API resources ProveThis allows users to prove statements from websites and APIs using TLS without revealing private information. Although efforts like TLSNotary can currently be used to prove the authenticity and origin of a full HTML page, we extend the capabilities of TLSNotary and allow users to make zk-SNARK based zero knowledge proofs about statements in complexity class NP. More concretely, this can allow users to prove statements about e.g. their banking data (how many transactions did you send in a certain period), social media data (how many friends are you away from knowing Barack Obama) or other data sources. Such proofs can generally be used to reduce fraud without compromising privacy and confidentiality. >> Read more about ProveThis PyCM — Evaluate the performance of ML algorithms The outputs and results of machine learning algorithms are usually in the form of confusion matrices. PyCM is an open source python library for evaluating, quantifying, and reporting the results of machine learning algorithms systematically.
PyCM provides a wide range of confusion matrix evaluation metrics to process and evaluate the performance of machine learning algorithms comprehensively. This open source library allows users to compare different algorithms in order to determine the optimal one based on their preferences and priorities. In addition, the evaluation can be reported in different formats. PyCM has been widely used as a standard and reliable post-processing tool in the most reputed open-source AI projects like TensorFlow Similarity, Google's scaaml, torchbearer, and CLaF. >> Read more about PyCM R5N-DHT — Formalisation within IETF of R5N Distributed Hash Table design Decentralization and digital sovereignty are fundamental building blocks to strengthening European values of freedom of information and informational self-determination against particular interests of foreign state and commercial actors. Decentralization is often based on Distributed Hash Tables; DHTs are already an important component for many NGI components such as decentralized web applications (IPFS, Web3) or components in the blockchain ecosystem. The GNUnet/R5N-DHT - a Free Software distributed hash table and P2P protocol - provides additional and relevant properties like Byzantine fault tolerance and censorship resistance. The project will improve, implement and specify the R5N protocol as an IETF RFC (Informational). This supports other efforts such as the GNU Name System protocol (GNS). >> Read more about R5N-DHT rasn — Safe ASN.1 codec framework for Rust ASN.1 is a suite of protocols and data formats first introduced nearly 40 years ago, and is used extensively throughout the industry: from SIM cards to satellites and from web certificates to 5G radios, all of these use ASN.1 in their communication stack. However, parsing ASN.1 remains a large source of security vulnerabilities due to its complexity and the need to write parsers in traditionally memory-unsafe languages for speed and portability.
Rasn is a codec framework for writing safe ASN.1 code in Rust, that encodes ASN.1's data model into Rust's type system, empowering developers to write Rust code that is as safe, portable, and as easy to write as the original ASN.1 module. Rasn supports BER, CER, and DER encoding rules, and can be extended to support custom data formats. Rasn also provides a number of standards out of the box including LDAP, PKIX, and SNMP. >> Read more about rasn Rosenpass — Post Quantum Security Add-On for WireGuard Rosenpass is a formally verified, post-quantum secure VPN that uses WireGuard to transport the actual data. The implementation does not create a VPN connection itself, instead it performs a key exchange and hands this key to WireGuard; i.e. it *enhances* WireGuard's security without replacing it. This reduces the complexity of implementing the protocol and ensures that all the performance advantages of WireGuard are available with Rosenpass. There is some extra latency to make a connection, but after that, WireGuard and Rosenpass are as fast. The protocol used by Rosenpass is based on the handshake designed by Hülsing, Ning, Schwabe, Weber and Zimmermann and improves upon the protocol by using cookies to provide resistance against state-disruption attacks. State-disruption attacks exist against the first version of the post-quantum WireGuard protocol and against classic WireGuard when NTP is used to synchronize the system clock. Internally, the protocol uses two post-quantum KEMs (key exchange methods) and no post-quantum signature schemes to provide ephemeral secrecy and deniability. >> Read more about Rosenpass Rosenpass API — Improved APIs and platform coverage for Rosenpass Rosenpass deals with post-quantum security for the open-source, linux-kernel VPN WireGuard. It is a production-ready VPN solution, with security proofs and backed up by scientific papers. This solves the problem that classic WG alone will stop being secure once quantum computers are viable.
In this phase of the work, we focus on enhancements to support Rosenpass on additional platforms by providing initial support for Windows. Improvements to the Rosenpass protocol protect our key exchange against denial-of-service attacks by integrating WireGuard's cookie-based mechanism. To introduce more granularity with regard to system permissions required by the Rosenpass client, a broker-based architecture is being introduced. Achieving this goal entails creating a Unix sockets API infrastructure, API endpoints, and a special broker process to handle communication with WireGuard. Finally, the work also aims to promote scientific communication and research on post-quantum cryptography by creating scientific illustrations, and by authoring a user tutorial on using Rosenpass to secure TLS connections. >> Read more about Rosenpass API SES - SimplyEdit Spaces — SimplyEdit Spaces - collaborative presentations SimplyPresent allows users to collaboratively create and deliver good-looking presentations using CRDTs through Hyper Hyper Space - another project supported by NGI Assure. SimplyPresent is itself based on top of the open source SimplyEdit tool, adding advanced user-friendly presentation features. SimplyPresent allows team members to live edit a presentation and the presenter notes while the presentation is being given, and to control the presentation from any phone without complicated setup: all that is needed on the presenting system or with remote viewers is a URL which will sync through Hyper Hyper Space. >> Read more about SES - SimplyEdit Spaces Subliminal Messaging — Embedded secure channels within traditional and internet telephony Most of today's telephony consists of digital transmissions, so given a codec without mangling or added noise, it becomes possible to treat (part of) that as a data channel, and pass meaningful data through it while maintaining an acceptable noise floor to the sound being transmitted.
That data channel can give rise to information exchange, including key material and alternative contact options. The project will work on various improvements that connect telephony and digital communication: (1) VPN setup with telephony protocols, (2) data communication over the PSTN backbone and its extensions into VoIP, (3) digital security for PSTN and VoIP calls. >> Read more about Subliminal Messaging A Secret Key Store for Sequoia PGP — Standards-compliant private key store for OpenPGP This project implements a private key store for Sequoia, a new OpenPGP implementation. Currently, Sequoia-using programs use private keys directly. A private key store mediates applications' access to private keys, and offers three major advantages relative to the status quo. First, a private key store is in a separate address space. This means that private keys that are in memory are in a different address space from the application. This was the underlying cause of the Heartbleed vulnerability. Second, a private key store can provide a uniform interface for accessing keys stored on different backends, e.g., an in-memory key, a key on a smart card, or a key on a remote computer, which is accessed via ssh. This simplifies applications. Third, this architecture simplifies sharing private key material among multiple applications. Only the private key store needs to worry about managing the private key material, which improves security. And, when a user unlocks a key in one application, it is potentially unlocked in all applications, which improves usability. >> Read more about A Secret Key Store for Sequoia PGP Adding TPM Support to Sequoia PGP — Implement use of TPM 2.0 crypto hardware for OpenPGP Protecting cryptographic keys is hard. If they are stored in a file, an attacker can exfiltrate them - even if the hard drive is encrypted at rest. A good practical solution is a hardware token like a Nitrokey, which stores keys and exposes a limited API to the host.
For most end users, a token is a hassle: one needs to carry it around, it needs to be inserted, and it is not possible to work if it is left at home. And, it needs to be purchased. There is a better solution, which doesn't cost anything. A trusted computing module (TPM) is like an always-connected hardware token only more powerful (the keys can be bound to a particular OS installation, it can store nearly an unlimited number of keys, not just three) and TPMs are already present in most computers. This project will add support for TPMs to Sequoia PGP including comprehensive test suites and in-depth documentation for both software engineers (as an API) and end-users (as a way to use TPM-bound keys through Sequoia's command-line interface (sq) for decryption and signing). >> Read more about Adding TPM Support to Sequoia PGP Sequoia PGP — Improve interface of Sequoia PGP commandline Sequoia PGP is a new OpenPGP implementation, which is written in Rust and focuses on ease of use. To date, the main product is a library. This project will focus on sq, Sequoia's command line tool. The project consists of three parts. First, useful functionality will be added to sq making sq comparable to gpg. Second, the human-readable interface will be augmented with a JSON interface. This will make it easier and more robust to use sq from scripts. Finally, this project will add an acceptance test suite to sq, thereby strengthening the foundation for future changes. >> Read more about Sequoia PGP Sequoia GPG Chameleon — Implement well-known APIs for using OpenPGP Sequoia's GnuPG Chameleon is a drop-in replacement for the widely-used encryption software GnuPG. It offers the same interface, while at the same time replacing the underlying OpenPGP implementation. This approach brings security benefits to everyone directly or indirectly using GnuPG before, while providing a smooth migration path that does not require changes to existing software.
>> Read more about Sequoia GPG Chameleon Servo Developer Experience Improvements — Improve productivity for Servo developers Servo is a cross-platform, open-source browser engine that next-generation browsers can be built on, including the Verso browser project. However, the current developer experience is lacking in some ways, including CI/CD, benchmarks, and documentation for integration in downstream projects. While the Servo project has these things currently, ongoing maintenance to keep them up to date, as well as creation of new documentation and tutorials to aid newcomers to the project, is a task that always needs work. In order to make integration with Servo easier for both the Verso project, as well as new projects that want to use it, this project aims to bring modern enhancements and new content to these areas. >> Read more about Servo Developer Experience Improvements Multi browsing context support in Servo — Allow Servo browser engine to render beyond atomic pages Verso is a browser application based on the Servo web engine. We want to build a new web browser using a different set of technical stacks than existing browsers. We hope it can improve the codebase of browser programming and grow the ecosystem along with it. In order to build an application around Servo, we need to implement several key features with it since Servo is merely a web engine and it doesn’t control anything else outside of its own context. One of the challenges is supporting multiple browsing contexts all at the same time, so that we can composite all web views into one single window and present it as an ordinary application. We will need to improve the compositor of Servo to make it support multiview, and also implement the ergonomic interface in Verso for different purposes. It will be able to render not only web pages, but also UI panels, context menus, prompts, and more.
>> Read more about Multi browsing context support in Servo Signature PDF — Self-hosted tool to add signature to PDFs PDF Signature is free software (FLOSS) for online signing of PDFs. Users can add signature, stamp, text or check marks individually, or collectively with the shared mode. The tool aims to be a free alternative to existing proprietary web services, in order to offer users more control and guarantee of what happens to the PDF processed by the software. It is easily deployable on a server, a personal machine, a nano-computer, a container image or a Yunohost instance. The future developments of this project will improve the confidentiality by encrypting the PDFs stored on the server, study and improve the compatibility with the electronic signature standards (XAdES, PAdES), internationalize the interface and add integration with Nextcloud. >> Read more about Signature PDF SignRoom — Zenroom based signature and credential platform Leveraging the quantum-proof cryptographic implementation done in Zenroom (along with Zenroom's other cryptographic flows) we are developing a simple to use web-based platform, allowing users to sign and verify messages and documents (PDF, Office files, pictures etc) using quantum proof signature, ecdsa signature and schnorr signature and multi-signatures. Document signatures are stored inside the document using the PAdES and XAdES protocols. The tool will also produce and verify zero-knowledge proof credentials, W3C-VC credentials for signature and verification. The platform is built as a PWA, is mobile friendly, has APIs for third party integration and a library to integrate into mobile applications along with bindings for multiple programming languages. >> Read more about SignRoom smoltcp RPL — Implement Routing Protocol for Low-Power and Lossy networks Smoltcp is a TCP/IP library written in the Rust programming language. The Rust language offers many advantages, such as memory safety.
The smoltcp library recently gained support for the 6LoWPAN protocol, enabling IPv6 for IEEE802.15.4 devices. However, a routing protocol tailored for low power devices is still missing in the library (or even one written in the Rust programming language). In this project, an implementation of the Routing Protocol for Low-Power and Lossy Networks (RPL) will be added to the smoltcp library. This protocol is designed for Low-Power wireless networks that are generally susceptible to packet loss. By adding this protocol to smoltcp, we get closer to a network stack that is safer to use for the Internet of Things (IoT). >> Read more about smoltcp RPL Peer-to-Peer Access to Our Software Heritage — Access Software Heritage data via IPFS DHT Peer-to-Peer Access to Our Software Heritage (SWH × IPFS) is a project aimed at supporting Software Heritage’s mission to build a universal source code archive and preserve it for future generations by leveraging IPFS’s capabilities to share and replicate the archive in a decentralized, peer-to-peer manner. The project will build a bridge between the existing Software Heritage (SWH) API and the IPFS network to transparently serve native IPFS requests for SWH data. In the short term, this allows users using IPFS to form their own Content Distribution Network for SWH data. Longer term, we hope this will serve as a foundation for a decentralized network of copies that, together, ensure that the loss of no one repository, however large, results in the permanent destruction of any part of our heritage. The end product would be a perfect application of IPFS’s tools and a step in the direction of a decentralized internet services infrastructure.
>> Read more about Peer-to-Peer Access to Our Software Heritage Solid Wallet — Authorization reasoning, rule-based controls and fluid integration for Solid Solid Apps display information collected by following linked data across the World Wide Web, writing changes to Solid Personal Online Data Stores (PODs). Following links can land an App on a protected resource somewhere on the Web, accessible only to a select group of actors specified in an associated Web Access Control Resource. Solid Wallet aims to build core libraries to reason over Solid Access Control Rules, limit access to what clients can request, publish keys and sign transactions. The same libraries will also be useable by servers to verify such claims. Finally, we will use these libraries to build a flexible prototype Wallet for Solid apps that run in the browser or server. >> Read more about Solid Wallet Dual-level Specification Inference — Make formal verification more practical with dual-level Specification Inference While formal verification of smart contracts gains traction, writing formal specifications can be equally if not more costly than writing code. Spec^2 is a specification inference framework that aims to automatically deduce a high-quality set of specs based on the code only. The inferred specs include both per-transaction pre-post conditions (low-level specs) and invariants on the blockchain-backed storage (high-level specs). Furthermore, the inferred specs should be similar to what experts might develop manually and can be easily examined by people without formal verification training. The funding from NLnet and NGI Assure will be used to prototype Spec^2 against the Move language and infer specifications for Move-based smart contracts. 
>> Read more about Dual-level Specification Inference Spritely (and OCapN) — Enable secure P2P applications with Object Capabilities OCapN (the Object Capability Network, and featuring CapTP, the Capability Transport Protocol) simplifies building otherwise complicated security-oriented peer to peer systems as a natural extension of ordinary programming patterns. OCapN/CapTP features intentional collaboration amongst networked objects, distributed garbage collection, networked promise pipelining for efficient distributed communication, a peer introduction and consensual resource sharing system, and an abstract networking layer compatible with Tor Onion Services, I2P, libp2p, and even more traditional DNS + TLS. While multiple implementations exist within Spritely and elsewhere, these are all incompatible. The project will produce specifications, documentation, and test suites to encourage consistency, interoperability, and smooth adoption of the technology. >> Read more about Spritely (and OCapN) Statime PTP Master — Statime - Zero-allocation cross-platform Precision Time Protocol High-precision clock synchronization is becoming increasingly important in application areas such as high precision localization, finance, broadcasting, security protocols, smart grids, and cellular base station transmissions. The Precision Time Protocol (PTP) is widely used for these critical applications and it is therefore important for it to be as secure and reliable as possible. We have previously developed the first iteration of Statime, an implementation of a PTP slave in the Rust programming language. The outcome of that project is a secure-by-design implementation, leveraging the Rust borrow checker to guarantee memory-safety. With this project, we will expand our implementation in two ways. 
Firstly, we will expand the feature set to include a PTP master, conforming to the IEEE standard for PTP (the 2019 version, IEEE1588-2019), so we can run a full PTP instance with the memory-safety guarantees that our implementation provides. Secondly, our implementation will be able to run without an operating system or system allocator. Those properties make the implementation inherently portable and more reliable. Our concrete goal for this second phase is that it runs on the stm32f7 microcontroller, a device with built-in PTP Ethernet support, but otherwise limited capabilities. >> Read more about Statime PTP Master Sustainable web apps with m-ld — Empower users and developers with distributed interlinked data using local-first principles Our hypothesis in this project is that web app data securely stored in reactive, replicated Linked Data sets can make it possible for app developers to meet today's and tomorrow's feature expectations without the high costs and limitations of today's distributed data architectures. This foundational design principle combines ideas from the semantic web (machine-readable publishable interlinked data), personal data stores (user control of user data) and local-first software (collaboration without obligatory third parties). We believe the high costs of web app development have gone hand-in-hand with unwanted side-effects like user lock-in, attention theft, and abdication of control over personal data. Our core principle, like the ideas behind them, is designed to expedite the development of more sustainable apps: those without dependencies on specific service providers, with user empowerment in terms of service and data portability, and with linking of data between apps – including apps developed against similar technologies having these principles, such as those of the Solid ecosystem. 
We will produce a set of concrete software components which demonstrate that such an approach is practical, and indeed offers a great experience for app developers, making it simple to create collaborative applications over Linked Data resources with compelling, responsive user interfaces. >> Read more about Sustainable web apps with m-ld Great Black Swamp — Decentralized cloud storage with provider-independent security Tahoe-LAFS is a well-known open source distributed storage solution based on DHT, suited for sharing critical data in production. Currently, Tahoe-LAFS uses the Foolscap protocol for communication between client nodes and storage nodes. Foolscap has a small developer community, is only implemented in Python, and Tahoe-LAFS only uses a small subset of its features. This project will implement an HTTP-based storage node protocol for Tahoe-LAFS (Great Black Swamp, or GBS in short) which will help to eliminate unnecessary complexity, increase the pool of potential contributors, open the door to new implementations and improve runtime performance. >> Read more about Great Black Swamp Tauri Apps — A safer run-time for web technology based apps Tauri is a toolkit that helps developers make more trustworthy applications for the major desktop platforms - using virtually any frontend framework in existence. A popular use case is to create a desktop or mobile version of a web app, rather than wasting effort on creating native clients for each platform. Unlike other solutions (e.g. Microsoft's Electron), it is built in the type-safe language Rust - and the team has a focus on strong isolation, shielding the user from malicious or untrusted code downloaded \"live\" from the internet. After all, once breached, such an app can for instance siphon off cryptocurrencies or bootstrap other more persistent malware. In this project, the team works among others on a particularly innovative feature, to prevent JS injection for all application types. 
In this approach Rust Code Injection is used alongside dependency-free EcmaScript, Object.freeze(), and a filtering iFrame that is the only subsystem permitted to communicate with the API. This will help to create more secure applications, >> Read more about Tauri Apps Servo Webview for Tauri — Integrated portable webview based on Servo engine into Tauri The web ecosystem lacks a cross-platform, non-corporate controlled system for running web content. Tauri is a system for distributing cross-platform applications that relies on engines present on a system - effectively those owned by Apple, Google, and Microsoft. These permit varying levels of user control. The Servo project is a cross-platform, open source web engine. While Servo's support for web features such as CSS and JS is still incomplete (making it difficult to rely on it for running arbitrary web content) it is actually a great match for Tauri already. This project would incorporate Servo into the Tauri project, enabling it to run applications in a consistent, open source web runtime on major desktop and mobile platforms. In doing so, the project would also identify and address the highest priority web compatibility issues in Servo, while preparing a roadmap for significant compatibility issues that remain unaddressed. Additionally, the project would identify any opportunities for reducing the binary size, supporting broad distribution of Tauri apps to as many users as possible. >> Read more about Servo Webview for Tauri TerosHDL — Assisting hardware developers to deliver safer designs TerosHDL is an open source IDE for FPGA/ASIC development. It includes a backend, a front-end built on VSCodium/VSCode and a command line interface. The goal of TerosHDL is to make ASIC/FPGA development easier and more reliable: to reduce the adaptation time for new users of HW languages and help professionals. 
TerosHDL is multi-platform (Linux, Windows, MacOS), multi-language (VHDL, Verilog, SystemVerilog) and it takes advantage of many open hardware projects (such as Edalize, WaveDrom, VUnit…), integrating them in a common graphical user interface. The IDE tries to be as self-contained as possible and to simplify the installation process. Some of the features are: linter, go to definition, syntax highlighting, code formatting, snippets, automatic documentation, dependencies viewer, simulators support... >> Read more about TerosHDL FIDO 2.2 — Open hardware implementation of FIDO CTAP 2.2 WebAuthn in conjunction with FIDO2 is the latest standard for secure and convenient authentication in the Web. The Trussed framework's fido-authenticator is the main open source implementation of a FIDO2 security key and used by Solokeys and Nitrokey. It currently supports FIDO 2.0 and partially 2.1. This project will bring the fido-authenticator to its next stage by fully implementing the upcoming 2.2 standard along with appropriate software tests and a hardware-in-loop test suite. The implementation will be confirmed by an official FIDO L1 certification. >> Read more about FIDO 2.2 TrustING — Ultrafast AS-level Public-Key Infrastructure TrustING is a human-transparent and agile Trust Infrastructure for a Next-Generation Internet. This infrastructure enables any two entities to establish secret keys that can be used to encrypt and authenticate data. The foundation of TrustING is the AS-level Public-Key Infrastructure (PKI) of the SCION Internet Architecture that provides sovereignty (ensuring absence of global kill switches), trust transparency, and algorithm agility, among others. The TrustING service establishes symmetric keys with other domains in advance, and then relies on those keys to derive keys for local hosts. The core novelty of this approach is the ability to derive keys purely locally on both sides of the communication, without even requiring key transport. 
By making TrustING a control-plane mechanism offered by the network infrastructure, higher-level applications can make use of it without having to worry about complexities such as exchanging key material or establishing trust. To show the viability of TrustING, we will implement TLS trust bootstrapping using TrustING and additionally demonstrate the efficiency of TrustING by using it to authenticate SCMP (SCION's equivalent of ICMP) messages. >> Read more about TrustING Trust semantic learning and monitoring — Measure on-going trust between interacting agents Trust semantic learning and monitoring is part of a wide ranging effort to understand trust in network socio-technical systems. The expected outcome of this part is a methodology and proof of concept code library for qualifying and quantifying trust between agents in a network. In IT, trust is often treated as a binary \"crypto token\", based on some validation test, and developers naively speak of zero trust systems without understanding the depth of what trust really is. But, trust is a deeply social phenomenon, which changes in real time based on social and technical interactions. By applying learning algorithms and data analytics to streamed interactions, this project attempts to qualify and quantify a measure of trust as a way of making realtime risk estimates. >> Read more about Trust semantic learning and monitoring Trustix — Make build logs available as publicly verifiable, tamper-proof Merkle trees Software build infrastructure is vastly underestimated in terms of its potential security impact. When we install a computer program, we usually trust downloaded software binaries. But even in the case of open source software: how do we know that we aren't installing something malicious which is different from the source code we are looking at - for instance to put us in a botnet or siphon away cryptocurrencies? 
Typically, we have confidence in the binaries we install because we get them from a trusted provider. But once the provider itself is compromised, the binaries can be anything. This makes depending on individual providers a single point of failure in a software supply chain. Trustix is a tool that compares build outputs across a group of providers - it decentralizes trust. Multiple providers independently build the software, each in their own isolated environment, and then can vouch for the content of binaries that are the outcome of reproducible builds - while non-reproducible builds can be automatically detected. In this project the team will work on further enabling trust delegation, by offloading log verification to trusted third parties - heavily inspired by the Delegated Proof of Stake consensus algorithm. It will bring Trustix into the Nix and the Guix ecosystems that are most amenable to Trustix' approach. The ultimate goal is for Trustix to integrate seamlessly into the entirely decentralized software supply chain so we can securely distribute software without any central corruptible entity. >> Read more about Trustix Tvix — Alternative Rust-based software build transparency Tvix is a modern design and implementation of the Nix package manager (GPLv3). It brings a modular architecture in which components such as the build environment or package store are replaceable, which enables new use-cases and platforms. A graph-reduction evaluation model will make it possible to use Nix for package definitions and entire system configurations, its proven and tested use case, as well as for granular build definitions for individual components of software. Tvix will be fully compatible with nixpkgs, the existing package definition set for Nix, letting its users leverage more than a decade of community contributions and making it useful right out-of-the-box. 
>> Read more about Tvix TwPM — Open hardware implementation of Trusted Platform Module The Trusted Platform Module or TPM is a dedicated hardware component designed for providing additional security features for computing platforms. Currently, the market is dominated by the TPMs based on chips from large silicon vendors. The common characteristic of these modules is the proprietary firmware implementation. The TwPM project aims to increase the trustworthiness of the TPM module (hence the TwPM), by providing the open-source firmware implementation for the TPM device, compliant to the TCG PC Client Specification. The main goal of the project is to create an open-source firmware stack, implementing the TCG PC Client Platform TPM Profile specification. The project aims to use already available open-source software components whenever possible (such as TPM simulators for TPM commands handling), while developing new code when necessary (such as LPC FPGA module, or low-level TPM FIFO interface handling). Another challenge is to overcome hardware restrictions and allow users to use the open-source TPM implementation on generally-accessible development boards. >> Read more about TwPM TypeCell — CRDT-based collaborative block-based editor TypeCell aims to make software development more open, simple and accessible. TypeCell integrates a live-programming environment as a first-class citizen in an end-user block-based document editor, forming an open source application platform where users can instantly inspect, edit and collaborate on the software they’re using. TypeCell spans a number of different projects improving and building on top of Matrix, Yjs and Prosemirror to advance local-first, distributed and collaborative software for the web. 
>> Read more about TypeCell UEFI isolation in VM from non UEFI firmware — Safer booting into UEFI-compliant operating system UEFI is the successor to BIOS, which initialises the bare hardware of a computer before handing over to a bootloader. The UEFI specification defines the architecture of platform firmware used for booting and its interface for run-time interaction with operating systems. As such, UEFI is responsible for bootstrapping pretty much every modern computer. In the majority of cases this is done with very little transparency for users - essentially relegating this enormously responsible position to a \"black box\" that just blips on the screen. Unfortunately trust in vendors to live up to their huge responsibility to make this safe and robust is not always justified: quite a few issues and security vulnerabilities in the (mostly proprietary) UEFI implementations have come to the surface via real-world exploits. The key open source booting mechanisms (like coreboot and Linuxboot/u-root) are not UEFI compliant. This project aims to close the gap in a pragmatic way: through virtualization - booting into a stripped down Linux and using the Kernel Virtual Machine (which is generally considered mature) to run the open source reference implementation of UEFI until it can hand over to a UEFI compliant boot loader. This is of course a security tradeoff (the early stage Linux used for virtualisation would not be able to use UEFI just yet itself in bootstrapping), but it allows a single intervention to bridge to all different boot loaders and wholly avoid opaque proprietary ones by switching to open source ones. This also helps to debug and assist in finding new solutions to cope with the shortcomings of native UEFI implementations. >> Read more about UEFI isolation in VM from non UEFI firmware LIP6 VLSI Tools — Logical validation of ASIC layouts The software we run critically depends on the trustworthiness of the chips we use. 
LIP6's VLSI tools are one of the few user-operated toolchains for creating ASIC layouts where the full source code is available for inspection by anyone. This provides a significant contrast to commodity chips from vendors like Intel and AMD, where anything beyond coarse technical detail is shielded away by NDAs. This project will improve Coriolis2, HITAS/YAGLE and extend the whole toolchain so that it can perform Logical Validation. It will also upgrade the code to make it faster, able to handle larger ASIC designs, and add support for lower geometries (starting with 130nm) which are more energy-friendly. >> Read more about LIP6 VLSI Tools Servo improvements for Tauri — Verso offscreen + multiview Verso is a new browser initiative that is based on the Servo browser engine - a cross-platform, open source web engine written in Rust managed by Linux Foundation Europe. The project originates from an earlier effort to integrate Servo in Tauri, a widely used open source system for distributing cross-platform applications capable of running content and applications using web technology outside of the browser. The web ecosystem currently lacks a cross-platform, non-corporate controlled system for doing so, meaning that solutions like Tauri need to rely on the platform engines controlled by Apple, Google, and Microsoft. Obviously, this adds complexity, has security and stability implications, lacks consistency, and involves limited levels of user agency. Integrating a portable browser engine would be a major step towards being able to run applications in a consistent, open source web runtime on major desktop and mobile platforms. As part of that work, it became clear that several improvements to Servo are urgently needed. In order to speed up the development of those improvements, it turned out to be more efficient to transpose these requirements to a new standalone browser: Verso. 
The key tasks beyond improving developer efficiency and workflow (also for Mozjs and Spidermonkey) tackled in this project are offscreen rendering and multiwebview support. >> Read more about Servo improvements for Tauri Next Generation Browser Profile Workflow — A profile system for the Verso browser Users currently do not have much ownership over their browser data, including bookmarks, history, which extensions are activated, etc… Current web browsers do not really facilitate user agency, let alone in a standardised way. And we are not even mentioning the fact that synchronisation between devices is only possible through third parties, because there is no real transit between browsers (just imports). Even worse: despite this data being rather private, data is not really encrypted. The solution is complex, and it starts with the rework of browser profiles and browser workflows conceptually. This project aims to define the standards of encapsulation of these profiles separately from the browser while keeping privacy and security in focus. The prototype would be integrated in the Verso browser, but along the way the underlying Servo engine also gets some improvements for accommodating these endeavours properly. >> Read more about Next Generation Browser Profile Workflow Vula — Encrypted ad hoc local-area networking With zero configuration, Vula automatically encrypts IP (v4) communication between hosts on a local area network (LAN) in a forward-secret and transitionally post-quantum manner to protect against passive eavesdropping. When the local gateway to the internet is a Vula peer, internet-destined traffic will also be encrypted on the LAN. With simple verification using QR codes, Vula is also able to disrupt active surveillance adversaries. Vula combines WireGuard for forward-secret point-to-point tunnels with cryptographically enhanced mDNS and DNS-SD for local peer discovery. 
Vula enhances the confidentiality of WireGuard tunnels by using CSIDH, a post-quantum non-interactive key exchange primitive, to generate a peer-wise pre-shared key for each tunnel configuration. Vula avoids the need for any Single Point of Failure (SPOF) such as a trusted third party. Vula is equally functional on otherwise air-gapped networks. >> Read more about Vula WikiRate: More Sites, More Cites — Persistent citation for Decko-based open source data collections WikiRate.org is the largest open source registry of ESG data in the world with more than 3.5 million data points for over 100,000 companies. By bringing this information together in one place and making it accessible, comparable and free for all, we aim to provide society with the tools and evidence needed to help and encourage companies to respond to the world's social and environmental challenges. To achieve this systemic change we need corporate accountability at scale. Focusing on the top 10, 100, or even 1000 companies, is not sufficient. Rather we need to monitor and understand impacts at industry and value chain levels, whilst leveraging individual corporate accountability to transform companies into positive agents of change. This follow-up project is focused on adding functionality to the underlying tool (Decko) which will make it possible to point at specific data slices in a fine-grained way, as well as at a history of any updates and corrections to such data. >> Read more about WikiRate: More Sites, More Cites Winden/Magic Wormhole dilation — Improving Magic-Wormhole by implementing dilation and multiple file support for the web Winden is an open-source web app built on the Magic-Wormhole protocol, which allows two devices to connect and exchange data without requiring identity information. We are building Winden to make file-transfers for the web secure and private. With Winden, we are giving users control over their data without them needing to trust us. 
This project adds support for reconnection (referred to as the ‘Dilation’ protocol) and multiple file-transfers into both Winden and wormhole-william, the Go implementation of Magic-Wormhole used by Winden and other projects. Magic-Wormhole file-transfers require both parties to be online at the same time. Dilation allows for reconnection and changing networks during a transfer. This reduces the risks of connection interruptions during these synchronous transfers. Multiple file support is a much sought after need for transferring data, which requires Dilation (and Dilation’s sub-channels). >> Read more about Winden/Magic Wormhole dilation Wispwot — Implement generalized scalable protection against disruptive behavior in content discovery Spam and intentional disruption are a major problem in the clearnet. They make it infeasible to have comments on websites without moderation teams, privacy invading humanity checking, and access-restrictions, and they force social networks to decide between invasive censorship and exposing their community to abuse, propaganda and targeted harassment. The core of the problem is that spam scales better than spam-blocking. This project brings the spam-defense from the Hyphanet Project to the fediverse. It replaces instant global visibility with incremental local visibility, fueled by positive social interaction and transitive blocking, so spammers quickly become invisible to most. To scale for groups of arbitrary size, it extends the system from Hyphanet by adding pruning of inactive accounts and efficient rediscovery. With this project, spam-protection scales better than spamming, reducing the work needed to cope with hostile communication, so group-communication won’t require the outsourced, underpaid moderation teams that are prevalent in most centralized social networks. 
>> Read more about Wispwot Yrs — Collaborative editing with CRDT written in Rust Yrs \"wires\" will be a native port (in the Rust programming language) of the Yjs shared editing framework. Abstractly speaking, Yjs allows many users to concurrently manipulate state that eventually converges. It is a popular solution for enabling collaborative editing (Google Docs style) on the web because it is indefinitely scalable, works peer-to-peer, and has a rich ecosystem of plugins. There are plugins that allow you to connect with other peers over different network providers (WebRTC, Websocket, Dat/Hyper, IPFS, XMPP, ..) and there are many editor plugins that allow you to make existing (rich-)text editors collaborative. The Yjs project is about connecting projects with each other and providing a network-agnostic solution for syncing state. A native port will allow native applications (e.g. XI, Vi, Emacs, Android, iPhone, ..) to sync state with web-based applications. We chose Rust because it's well suited to be embedded in other languages like C/C++, PHP, Python, Swift, and Java. With Yrs, we want to connect even more projects with each other and provide a modern collaboration engine for native applications. The Rust implementation will implement the full feature set of the shared types, including the event system. This will enable users to parse existing Yjs documents, manipulate them, and implement collaborative applications. The port will make it easy to \"bind\" to another language so that the shared state is available in other languages as well. There will likely be a WASM binding, a C++ binding, and a Python binding (provided by Quantstack). Other existing features like awareness, selective Undo/Redo manager, relative positions, and differential updates will be added after the initial release. 
>> Read more about Yrs Yrs Undo — Rust-based CRDT framework for real-time multi-user applications Yrs \"wires\" is a native port (in the Rust programming language) of the Yjs shared editing framework. Abstractly speaking, Yjs allows many users to concurrently manipulate state that eventually converges. It is a popular solution for enabling collaborative editing (Google Docs style) on the web because it is indefinitely scalable, works peer-to-peer, and has a rich ecosystem of plugins. There are plugins that allow you to connect with other peers over different network providers (WebRTC, Websocket, Dat/Hyper, IPFS, XMPP, ..) and there are many editor plugins that allow you to make existing (rich-)text editors collaborative. This project will add a selective Undo/Redo manager, include support for other native clients and to interop with languages like Java, PHP and Swift. The goal is to reach full feature compatibility with Yjs and improve its performance even more - bringing a collaborative, decentralized experience where users' data lies in their own hands. >> Read more about Yrs Undo Quantum-Proof Zenroom — Implementation of Quantum-Proof Cryptography in Zenroom Zenroom is a tiny secure execution environment that integrates in any platform and application, even on a chip or a web page. It executes human-readable smart contracts for all kinds of use cases, such as databases, blockchains and much more. Zenroom is scriptable in an English-like language called Zencode. During this project quantum-proof cryptography will be implemented in Zenroom by strictly adhering to ECDH specifications for common session exchanges, signature and verification, applying liboqs transparently as a back-end to existing Zencode scenarios. This makes it seamless to substitute existing EC implementations with the same Zencode. 
The result will be a fully portable software (plain C, no hardware acceleration) of the NIST quantum-proof competition winner algorithm and full alignment with its final test vectors. >> Read more about Quantum-Proof Zenroom Reinstatement of crypto.signText() — Cryptographic signatures brought back to the browser Since the 1990s Netscape and Firefox supported the ability to sign an arbitrary piece of text with a digital certificate, and have that signature returned to the webserver. The texts being signed have historically ranged from transaction records, financial declarations, and court documents. This project implements a set of Native Browser Web Extensions that bring the digital signing of text to all modern browsers that support the NMBE standard. The process of choosing the certificates and generating the signatures is performed outside of the browser, using APIs native to each operating system. Web pages communicate with the extensions using the Javascript crypto.signText() function, and the signed documents are returned packaged as a PKCS7 response. The project aims to make digital signing accessible, while being browser agnostic. >> Read more about Reinstatement of crypto.signText() Distributed Mechanism Learning — Privacy preserving ways of distributed data usage Mechanism design is a field concerned with finding rules for economic processes which incentivize self-interested agents to behave in a way, such that a common goal is reached. This project aims to build robust infrastructure for mechanism design via machine learning, to make theoretical results more applicable to practical networked deployments. We plan to do this by finding solutions for the following two problems and making them accessible to developers, while keeping the required domain knowledge to a minimum: On the one hand, a trusted third party is often assumed to exist, which is supposed to learn and execute the mechanism. 
In practice, finding neutral trusted parties who do not stand to gain anything from cheating can be hard. To solve this problem, we distribute the computation of the trusted party over multiple computers, ideally controlled by different entities, using multiparty computation. This way, we get a more robust trust base with better alignment of incentives. On the other hand, current models often assume prior knowledge about preference distributions of agents to learn optimal mechanisms. In practice, this knowledge is not always available. We exchange finding optimal solutions using prior information with finding approximate solutions using no prior information, by way of differentially private learning. This results in more general applicability, especially in settings with sparse information. >> Read more about Distributed Mechanism Learning imap-codec library — Release version 1.0 of the imap-codec library With an expected volume of 333 billion messages per day in 2022, email is one of today's most common methods to exchange information on the Internet. For better or worse, email is unlikely to go away soon, meaning that even the latest software needs to support it in a trustworthy and resilient way. imap-codec is a misuse-resistant IMAP parsing and serialization library focusing on correctness and security. It should pave the way for a new generation of email clients, servers, and utilities written in Rust and become a reusable building block for the Next Generation Internet. To achieve that, it is essential to stabilize the API, improve testing, provide excellent documentation, and establish a welcoming and sustainable open-source environment for imap-codec. >> Read more about imap-codec library libresilient — Create robust web presence with service workers and DHT A browser-based decentralized content delivery network, implemented as a JavaScript library to be deployed easily on any website. 
LibResilient uses ServiceWorkers and a suite of non-standard in-browser delivery mechanisms, with a strong focus on decentralized tools like IPFS. Ideally, users should not need to install any special software nor change any settings to continue being able to access an overloaded LibResilient-enabled site as soon as they are able to access it once. >> Read more about libresilient lpnTPM — TPM 2.0 compliant open hardware Trusted Platform Module lpnTPM is an Open Source Software (OSS) and Open Source Hardware (OSHW) Trusted Platform Module. TPM (also known as ISO/IEC 11889) is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys. What makes lpnTPM different from generally available solutions is openness. Software and hardware of lpnTPM can, without limits, be audited, fixed, and customized by communities and businesses. Open design addresses the lack of trustworthiness of proprietary closed source TPM products, which currently dominate the whole market. lpnTPM in production mode protects software by secure boot technology, and only the lpnTPM owner will update it. TPM modules enable measured boot and support verified boot, Dynamic Root of Trust for Measurement, and other security features. Another benefit of lpnTPM would be physical design, which solves the lack of standardization around pinout and connector. The ultimate goal of lpnTPM is to provide a trustworthy platform for future open evolution of Trusted Platform Module software and its application to various computing devices, resulting in better adoption of platform security. >> Read more about lpnTPM Securing Decentralised Live Information with m-ld — Collaborative editing of Linked Data based on CRDT m-ld is a software technology for live information sharing. 
It enables software engineers to reliably add real-time collaboration, support for offline working, and service resilience to both new and existing software architectures. It achieves this by operating at an \"information\" level, creating reusable patterns for maintaining the consistency and integrity of application content that is being edited from multiple locations at once. m-ld is built from the ground up on a W3C standard information representation, contributing ideas for its evolution, and is committed to open standards and open source. This project will research and prototype modifications to the primitives of the m-ld core protocol to natively support strong assurance of data integrity and traceability, with authority assignable to identified users or groups, so that they can be reliably assured of the integrity and controlled availability of their data. >> Read more about Securing Decentralised Live Information with m-ld oqsprovider — Post-quantum/quantum-safe cryptographic algorithms for OpenSSL Quantum computers will bring to an end integrity and confidentiality provided by \"classic\" public key cryptography such as RSA and implemented in security application frameworks such as OpenSSL. Therefore, a new class of \"post-quantum\" or quantum safe crypto algorithms (QSC) is being standardized by NIST. In order to bring QSC to easy deployment, these algorithms need to be added to existing security installations: oqs-provider is a standalone integration of QSC into the OpenSSL software framework. By simply inserting an oqs-provider binary, any OpenSSL installation as well as all applications built on top of OpenSSL permitting crypto-providers is (to be) automatically enabled to use any QSC algorithm supported by the liboqs open source framework. liboqs in turn provides the QSC algorithms that are either finalists or candidates of the NIST Post-Quantum Cryptography standardization competition. 
This way, users of oqs-provider-enabled OpenSSL installations can cease to be concerned about the risk that quantum computers create. The Open Source communities working on OpenSSL and OpenQuantumSafe can benefit in turn from mutual validation and re-use of their respective work efforts. >> Read more about oqsprovider p4-nix — Combine Programming Protocol-independent Packet Processors language with declarative Nix packaging This project is aiming to democratize high capacity and high performance networking stacks by integrating the P4 DSL into Nix and making it easy to make an infrastructure relying on the technology by bringing up functional programming to the P4 world. Bringing P4 to Nix gives us amazing flexibility for dealing with network devices, making it easy to deploy, make artifacts, and so on, all the while exposing it to end-users who wouldn't necessarily know or use P4 otherwise. This also gives us the opportunity to look into automated deployment of hardware based networking devices, such as FPGA targets, directly from within Nix. >> Read more about p4-nix ","title":"NGI Assure","url":"https://nlnet.nl/thema/NGIAssure.html"},{"title":"NGI0 Entrust","url":"https://nlnet.nl/thema/NGI0Entrust.html","description":" NGI0 Entrust Trustworthiness and data sovereignty NGI0 Entrust was a grant programme that ran from 2022-2026, funding projects working towards trustworthiness and data sovereignty, as part of the Next Generation Internet initiative of the European Commission. For a more complete description see the home page of the fund: NGI Zero Entrust. This page contains a concise overview of projects funded by NLnet foundation that belong to NGI0 Entrust (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. 
ARMify — Auto-Identification of MCU Models to Simplify ARM Bare-Metal Reverse Engineering ARMify aims to become a plugin for the open-source reverse engineering tool Ghidra, with its primary goal being to assist security analysts in analyzing ARM Cortex-M bare-metal firmware. This is achieved through automatic microcontroller model identification and annotation of memory-mapped peripherals. It helps analysts to understand how the firmware interacts with microcontroller features, offering significant time savings compared to manual cross-referencing with the microcontroller datasheet. The development entails creating an SVD parser (the SVD standard formalizes Cortex-M microcontroller system details, such as peripheral registers, in XML format) and a comprehensive microcontroller database, both of which will be released as standalone tools alongside ARMify. The SVD parser will enable the processing and preparation of Cortex-M microcontroller system details, while the microcontroller database will provide a repository of technical characteristics and a user-friendly interface for easy access. >> Read more about ARMify AVantGaRDe — Reliable Foundations of Local-first Graph Databases The *AVantGaRDe* (Verified highly-Available and Reliable Distributed Graph Databases) project aims to develop a framework for reliably supporting local-first connectivity. Graph databases have recently been introduced to efficiently manage interconnected, heterogeneous, and semi-structured data. These leverage native graph storage, an expressive property graph model, and dedicated graph query languages. Still, scalably and reliably managing large graphs, while ensuring availability, low latency, and consistency is challenging. While cloud graph databases try to address this, local-first solutions allow users to preserve ownership and agency over their data. 
Unfortunately, no local-first graph databases exist, as these require customized replicated data types (CRDTs) and compositionally preserving graph invariants. Moreover, as CRDTs are already notoriously difficult to construct, ensuring the correctness of complex graph CRDTs is challenging. The project aims to develop a novel framework for designing foundational models for local-first graph databases, with built-in trustworthiness and reliability guarantees. *AVantGaRDe* sets to design a unified framework for prototyping and extracting correct-by-construction horizontally scaled property graph CRDTs that can preserve complex invariants. >> Read more about AVantGaRDe ActivityPods — Framework for fully-decentralized social apps, combining ActivityPub and Solid Pods ActivityPods brings together two game-changing protocols, ActivityPub and Solid Pods. The goal is to empower developers to create fully-decentralized social apps thanks to an easy-to-use framework. Following the Solid project's principles, ActivityPods apps store all data directly in the user's Pod (Personal Online Datastore). But since these Pods are also ActivityPub actors, they can easily exchange with other Pods and any other ActivityPub-compatible software. Lightweight bots can access the Pod's data, listen to ActivityPub activities and act accordingly. This novel architecture gives users the freedom (1) to choose where they store their data, (2) to share their data with anyone on the web, (3) to switch apps at any time without losing data. The overall benefit is a more resilient and innovative web, where privacy and interoperability are guaranteed by design. >> Read more about ActivityPods Agorakit — Groupware which is a friendly online home to communities Agorakit is a web-based, open source organization tool for collectives. By creating collaborative groups, people can discuss topics, organize events, store files and keep everyone updated as needed. 
The tool is very easy to use: participants only need to register with an email. The very low barrier of entry and easy-to-use user interface make it an ideal tool for heterogeneous groups with people of broadly different backgrounds and skills. Those seem like simple features, but to have access to all those in the same product without friction is in our very humble opinion unique to Agorakit. The scope of this project is to enhance documentation, ease use and installation, and allow external communication (including federation). >> Read more about Agorakit AlekSIS — All-libre extensible kit for school information systems AlekSIS' – short for All-libre extensible kit for school information systems – goal is to digitise educational institutions' organizational tasks in a sustainable, individual and independent manner. Educational institutions are complex and diverse places: A fair bit of information has to be managed and made accessible in a way that serves the needs of all groups involved. Furthermore, the needs of schools differ considerably, making a one-size-fits-all solution infeasible. Originating in and being built in close collaboration with schools, the AlekSIS project provides the missing FOSS solution for this application area. It aims to deliver a fully fledged, highly customizable software suite that gives schools full control over operation, data and privacy, while integrating existing FOSS projects. From displaying timetables to providing digital class records or person and group management, AlekSIS already includes a great deal of the features the people involved in education, students and teachers, need in their daily routine. Designed as a web application built around the Django and Vue.js frameworks, its responsive design and offline capabilities cater to various devices and user groups. 
A further aspect of AlekSIS' FOSS architecture is to provide learning opportunities to its student users by facilitating the creation of extensions and contributions to the project itself. The goals of this project are to further strengthen our efforts in porting the whole legacy frontend to the newer, Vue.js based one, to finish making AlekSIS capable of timetable and substitution planning and to extend AlekSIS' functionality making it even more competitively viable. >> Read more about AlekSIS Apicula — Open source tools for working with Gowin FPGAs Only a few years ago, you could only program FPGAs with the proprietary tools provided by the vendors, locking you into that ecosystem and its features and bugs. But open source FPGA tools have been making great strides, and there are now mature open source synthesis and PnR tools, namely Yosys and Nextpnr. However, only Lattice FPGAs are currently well supported, still de facto locking you into a single vendor. There are a few other projects, such as Apicula, that target other FPGAs, but none of them are feature complete and of production quality. The goal here is to take Apicula to the next level, where it goes from an experimental flow for FOSS enthusiasts to a production ready tool, finally and truly breaking FPGA vendor lock-in. >> Read more about Apicula Apicula IO primitives — Add additional IO primitives to libre Gowin FPGA tools Apicula is a project that aims to provide open source tools to work with Gowin FPGAs. (FPGAs are repurposable chips used in many everyday and specialist electronic products for everything from tying systems together to highly specialized algorithm accelerators). In recent years open source FPGA tools have made great strides to break the vendor lock-in of commercial FPGA tools. But to completely break vendor lock-in a variety of mature toolchains are needed. 
We have reached a point of general usability, and with this grant Apicula aims to make another large leap forward, improving feature parity, documentation, and support for more advanced and specialized Gowin devices. >> Read more about Apicula IO primitives Automating mobile app interception with Frida — Mobile app network introspection for security research Inspecting mobile app network traffic is a key part of security & privacy research, which helps protect everybody who uses modern mobile devices. It's also an indispensable debugging tool for app developers & QA teams. However, this technique has faced growing challenges from increasing OS restrictions and individual app countermeasures like certificate pinning, such that inspection now often requires advanced reverse-engineering knowledge and significant time-consuming manual setup. In this project, new tools will be built using Frida (a dynamic instrumentation framework) and integrated with HTTP Toolkit (a network debugging tool) to enable one-click targeted interception, making inspecting traffic from mobile apps on a user's own iOS & Android devices accessible to technical users without specialist expertise. >> Read more about Automating mobile app interception with Frida Perspectives: Making Models — Generate software from open models for human interaction patterns The Perspectives project provides a distributed runtime that allows people to collaboratively run a model that supports them in some form of co-operation. This can be as simple as playing a game of chess or as extensive as coordinating parent's cars to transport a junior sports team to away matches. To completely model the latter is the main scope of this grant. The automatic screens generated by the runtime, based on the model, will be customised to provide a pleasant user experience. The end result will be a usable little app, run within the InPlace end user program (that itself runs in the browser as a WebApp). 
It will also provide a reasonably extensive model that showcases a realistic application of the Perspectives Modelling language, making the distributed runtime better and the modelling language stronger. Perspectives is built on a figure-ground reversal of the structure underlying much of today's internet. Data is not concentrated in a few heaps of similar-looking cases (commonly called databases) but instead on the devices of the people that are its source, subject and users. It is conceived of such that functionality builds upon other functionality, creating a network effect not in terms of numbers of users but in terms of functionality. The more of that, the better, stronger and more useful it becomes. The current project will deliver the first end user functionality that goes beyond maintaining the system environment itself (such as developing models, hooking up to communication services, etc). >> Read more about Perspectives: Making Models Arcan-A12 — Explorative p2p protocol for fast and secure remote desktops Protocols such as VNC, X11 and SSH have long been fundamental components for accessing user facing software or desktop computing as a whole over a network connection, with millions of daily users ranging from simple households to businesses and critical infrastructure. The development of these protocols and their respective tools has unfortunately stagnated, drifting towards proprietary extensions and otherwise dragging behind developments in compression technology, while leaving qualities such as accessibility and usability in a rough state. A12 is a project within the Arcan umbrella (models for future desktop computing) that aims to change this, leaning on decades of experience in system graphics. 
A12 consolidates the use cases of these - and related - protocols, adding stronger privacy protections against side channel analysis, use of modern compression techniques, providing higher visual quality and lower latency with simplified key management and service discovery. >> Read more about Arcan-A12 Atomic Tables — Self-hostable tabular structured data solution Atomic Tables is a new extension to the open source Atomic Data ecosystem, which aims to make the web more interoperable. In Atomic Tables, users can easily create their own data models using a tables interface, which people know and love from tools like Excel, Notion and Airtable. Having a self-hostable alternative to the existing SaaS offerings helps users retain control over their own data. What makes this project unique is that the data models created in Atomic Tables are retrievable by a URL and can easily be re-used on other machines. This keeps costs of transforming or mapping data at an absolute minimum. Maintaining a standardized data model suddenly becomes trivial, instead of costing countless man-hours. Additionally, the software is not just designed to be a clean, intuitive end-user facing application, but also a powerful developer API that brings incredible performance and flexibility, making it highly usable as a database in other applications. >> Read more about Atomic Tables BB3-CM4 — CM4 compatible MCU board Chip shortages are causing production problems throughout the industry. A way of getting out of the production trap is to get project boards more modular. Popular open hardware projects like the EEZ BB3 T&M (Test & Measurement) device currently depend on specific scarce microcontroller boards, and prospective users face impossible delays and constantly rising prices. This project will relieve some of the tension by delivering special \"MCU\" boards that are compatible in form factor to widely used MCUs. 
That way projects gain much more room for fulfilling production needs - allowing them to use alternative pin compatible main modules (like the ULX4M FPGA) without redesign, delivering more flexibility. One additional advantage of this approach is that production of module and base board does not need to be at the same time or by the same company. Hardware upgrades and the right to repair become possible and just involve changing a module, without having to throw out the complete system. Along with the \"MCU\" module the project delivers a new back plane board for the BB3 T&M device - fully compatible with current design, so existing users can upgrade or replace parts. >> Read more about BB3-CM4 Back to source: trust but verify all the packages — Analysis pipeline for mapping and cross-referencing binaries with source code Sometimes, the released binaries of an open source package do not match its source code. Or the source code does not match the code in a version control repo. There are many reasons for this discrepancy, but in all cases, this is a potential serious issue as the binary cannot be trusted. Additional (or different) code in the binary could be malware or a vector for unknown software vulnerabilities, or create FOSS license compliance issues. Back to source creates analysis pipelines to systematically map and cross-reference the binaries of a FOSS package to its source code and source repository and report discrepancies. We call this the deployment to development analysis (d2d) to map deployed code (binaries) to the development code (the sources) and plan to apply this \"trust but verify\" approach to all the binaries! >> Read more about Back to source: trust but verify all the packages Balthazar Casing — Open hardware laptop Balthazar is a project that aims to create an advanced, open-hardware laptop that is affordable and accessible to everyone, while also being well-designed and ergonomic. 
The laptop will feature a range of hardware and software features designed to protect users' data and prevent third-party intrusion. It will also include physical safety features such as a hot-swappable CPU and hard-wired switches, as well as the ability for users to add external modules based on various instruction sets and systems on the module, as well as spare keyboards. The project's goals include empowering users to take control of their own data, making computing more sustainable through the use of modular components, and creating an educational platform and advanced computing device that is accessible to users of all income levels. >> Read more about Balthazar Casing Bana — Personal network oriented ActivityPub powered social networking Bana is aimed at private social networking. It is both a server and a mobile Web app, and is federated: anyone can operate a server and people on one server can communicate with people on any other Bana server. Bana uses ActivityPub, ActivityStreams, and the Activity Vocabulary protocols. Anthropologist Robin Dunbar speculated humans could only comfortably maintain 150 stable relationships. Bana limits you to 150 connections: the closest friends and family members in your life. The connections are reciprocal, meaning both people follow each other. Bana offers a digital journal shared with only the closest people in your life. Bana allows you to post text, photos, videos, audio, location check-ins, workouts, and media consumption - capturing what you want to remember about this particular day in your life. >> Read more about Bana Blink for Windows — Modern cross-platform SIP client Blink is a mature open source real-time communication application that can be used on different operating systems, based on the IETF SIP standard. It offers audio, video, instant messaging and desktop sharing. It supports end-to-end asynchronous messaging and end-to-end encryption which works both online (OTR) and offline (OpenPGP). 
Within the scope of the effort, the team will continue the migration to a more modern toolkit based on Qt6, and add support for the still widely used Microsoft Windows platform that currently lacks a high quality, standards compliant FOSS softphone. Additional work is done on OpenXCAP, which allows managing buddy lists and policy for subscriptions to presence or other types of events published using the SIP protocol. >> Read more about Blink for Windows BlockNote — A modern, open source Block-based editor blocknotejs.org is an open-source block-based rich text editor. BlockNote makes it easier for developers to add user-friendly, modern and collaborative (or \"multiplayer\") text-editing capabilities to their applications. Currently, adding a high-quality document editor to applications often requires deep expertise that is out of reach for many individuals or organizations. BlockNote aims to bridge this gap by offering an open source editor that’s easy-to-adopt for developers, comes with a modern and polished UX, and is block-based. This makes it easier to create structured documents and to programmatically extend the editor and document. Enabling developers to add document authoring capabilities to their software can increase data sovereignty by reducing dependence on a limited range of SaaS applications for document authoring and management. >> Read more about BlockNote Bonfire federated groups — Create, join and manage federated groups across instances Bonfire is an extensible open source federated community platform, that empowers groups to easily configure their spaces from the ground up, according to a variety of needs and visions. Bonfire envisions a web of independent but interconnected social networks (using a wide definition, since we consider the social components of activities in the economic, educational, and political spheres as well) - able to speak and transfer information among each other, according to their own boundaries and preferences. 
The scope of this project is to give users the tools to create, join and manage federated groups across instances, with their own set of rules and customisable governance. Federated groups on Bonfire will leverage the flexible foundation we've recently released: circles and boundaries. Using those building blocks we will ensure that groups have the possibility to define a fine grained set of roles and permissions, with the possibility for each group to define a multitude of roles that fit with how they want to manage membership and participation, and distribute power and responsibility. >> Read more about Bonfire federated groups Bonfire Framework — Elixir-based ActivityPub implementation and library with groups and RBAC Bonfire is an open-source, federated social networking toolkit, designed to empower communities to build custom and federated social networks. The current focus of our project is to improve the stability, performance, and documentation of our codebase, honing a solid framework that enhances user experience and encourages wider adoption. We aim to catch bugs, enhance platform performance, and enrich the developer experience by crafting comprehensive tutorials and documentation. A key aspect of our project involves extending our ActivityPub Library, which underpins the federated nature of Bonfire, and contributing back to the ActivityPub ecosystem by releasing v1.0 of our open-source ActivityPub library. The expected outcomes include a robust, efficient Bonfire framework to be used in production, a surge in developer and community adoption, and contributions to standardize federation protocols. >> Read more about Bonfire Framework BrailleRAP — Low-cost open hardware for creating Braille content BrailleRAP is an open source Braille embosser. AccessBrailleRAP software gives you the ability to translate a text document into Braille and emboss the Braille characters on paper with the BrailleRAP device. 
The DesktopBrailleRAP software project aims to build a desktop publishing application suitable to build tactile documents for unsighted people with the Braille embosser BrailleRAP. The application brings the ability to import vector graphics in SVG format, or create text labels with a position and orientation on a page layout. Text labels are translated into Braille with the ability to choose the Braille standard (language in a simplified manner). Vector graphics are decomposed into series of dot positions along paths. All dots from Braille characters and paths are converted into GCODE commands for the BrailleRAP embosser. The result is a tactile document with accurate embossed Braille and tactile 2d graphics made by a series of close dots. DesktopBrailleRAP aims to build a suitable tool for individuals or teachers to build tactile documents for unsighted people, such as geographic maps, building or organization maps (like school or campus), public transportation maps or teaching plans in biology and mathematics (geometry). The funding from NLnet will allow the development of the first public release with suitable documentation. >> Read more about BrailleRAP CRAVEX — Cyber Resilience Application for Vulnerability Exploitability Exchange There is no free and open source vulnerability exploitability management application centered on software packages. Vulnerability management applications traditionally serve the needs of security teams first. There is a fundamental disconnect between the package-centric mindset of a developer and the vulnerability-centric mindset of a security analyst. Developers need modern tools to manage, triage, rate, review, and determine exploitability of package vulnerabilities in a package-centric world. They are the primary stakeholders and best positioned to tackle open source package vulnerabilities at the root. 
With the impending requirements of the CRA, open source projects and small businesses urgently need a free and open solution to comply with these new emerging mandates with minimal friction and costs. The Cyber Resilience Application for Vulnerability Exploitability (CRAVEX) is a web-based app designed to fulfill these requirements for better software supply chain integrity and security. CRAVEX will make it easier for any organization to comply with the emerging CRA and other regulatory requirements, efficiently, and improve the overall security posture of organizations of all sizes, especially for SMEs. CRAVEX will collect, track, and triage FOSS package vulnerabilities, determine their exploitability in a portfolio of software products and projects, and provide reporting with SBOMs and VEX statements to share with stakeholders. >> Read more about CRAVEX Converged Security Suite +AMD — Add AMD support to Converged Security Suite The Converged Security Suite has been developed as an open-source tool to provision and test systems where proprietary (and closed) Firmware Security Technologies - such as Intel \"Trusted Execution Environment\", Intel \"BootGuard\", and Intel \"Converged BootGuard and TXT\" (CBnT) - are enabled. Since this is a security-critical operation, transparent open-source tooling is needed to securely provision and test the configuration of your system within the limitations of a closed system. The CSS made huge progress provisioning and testing Intel-based security mechanisms, and within this project we extend this to AMD's Platform Secure Boot, AMD's Secure Memory Encryption and AMD's Secure Encrypted Virtualization. The goal is to provide a test suite for those security mechanisms in order to understand how they are configured and provide transparency into those features. >> Read more about Converged Security Suite +AMD Canaille — Zero-knowledge opinionated OpenID Connect (OIDC) server. Canaille is a zero-knowledge opinionated identity server. 
Canaille aims to lower the barrier to entry for identity management, by providing a simple lightweight interoperable software focused on accessibility for end-users, administrators and contributors. It provides user and group management for small and medium sized organizations. It has authorization management and Single Sign-On features based on the OpenID Connect standard. >> Read more about Canaille Castopod Plugins — Add plugins to the Castopod podcast server Castopod Plugins is a new modular framework which will allow anyone to develop their own plugins for the Castopod podcast hosting platform. Adding 3rd party plugins brings many advantages to Castopod, most notably a clean and versioned way to add custom features. This allows developers and users to make different tradeoffs by implementing and deploying features essential to them, whether or not these are acceptable as part of the core platform. It also helps with compliance at a global scale, without unnecessary censorship: some extensions will be legal to deploy in some jurisdictions but might be problematic in others. By further slimming down the core of Castopod server, modularity will improve overall code security. The project will allow the whole community to be an active part of future development, and will help better cater to the widely differing needs that podcasters have. >> Read more about Castopod Plugins Charon — Privacy-enabling account management and SSO solution The overall goal of the Charon project is to build a privacy-enabling account management and SSO solution. For end-users, Charon will allow aggregating multiple existing authenticators (Facebook, Google, etc.) in one place and managing different (and potentially multiple) identities exposed to apps. Apps will not have to worry about user management. And admins of communities using those apps will be able to manage all users in one place, with tools to address abuse. 
>> Read more about Charon Anchorboot — Pre-built UEFI replacement firmware for ARM-based ChromeOS devices using coreboot/U-Boot Despite their bad reputation as walled-garden systems, ChromeOS devices have huge potential to be FOSS-friendly as most things that make them work are published as free software. However, they use custom platform firmware purpose-built to boot their operating system with non-standard boot mechanisms, whose limitations make it significantly hard to run other OSes on these devices through their stock firmware, stifling this potential. Anchorboot is a new platform firmware distribution for ARM-based ChromeOS devices using coreboot and U-Boot, with the aim to make it easy to install and use conventional Linux distributions on them through UEFI support. As part of this effort, we will first improve and extend integration between both projects to the ARM architectures, then work on a selection of Chromebooks to fix any issues and to port device drivers to either project where necessary. As each board's work is complete, we will prepare and distribute pre-built, tested firmware images ready to be flashed on these boards along with sources, instructions on how to use the images, and other documentation relevant to the devices. >> Read more about Anchorboot Cloud hosting service portability — Service portability for cloud hosting platforms Configurious Monk or cMonk is a combination of a configuration portal and a set of deterministically configured services that can be used to provide ‘common internet services’ like DNS, E-mail, Matrix, Mastodon, Pixelfed, eduVPN, Nextcloud and more. cMonk's intended use is in large scale cloud deployments, intended for thousands or even millions of users. It is not intended for use in self-hosting situations, but might still be used that way. 
The whole project is meant as a service-platform for 'at scale' operations, so we are specifically aiming at 24x7x365 availability which requires redundancy and automatic fail-overs everywhere. Configurious Monk is easy to use, and focuses on being ‘out of the way’ of the user. One of its key features is that it lets the user be in complete control. The ultimate form of control being that you can export all your data and configuration and take it elsewhere. Full service portability is the goal. It uses NixOS and the Nix package manager as its base and has an API that can be used to connect the configuration panel to other services. >> Read more about Cloud hosting service portability Coloquinte — High performance placement of cells inside digital electronic circuitry A core component of the ASIC design toolchain is the placement tool, which must decide where to place the components of the chip so that it can be manufactured and meet the performance target. To build chips reliably, improve performance and improve power consumption, the placement tool must interact with other complex tools (routing, timing, gate sizing, ...). This requires a complex integration, and is even necessary to target newer technology nodes. Our goal is to provide high-quality placement algorithms with an easy-to-use interface, so it is easy to use in multiple situations and toolchains. Coloquinte started as a component of the Coriolis toolchain. Since then, it has been made into a library for inclusion in other tools and multiple languages. Current developments target the integration with timing tools (for better chip performance) and routing tools (for power consumption, performance and compilation stability). >> Read more about Coloquinte Commune — User-friendly persistent chat/voice rooms Commune is an open source alternative to Discord, specifically designed for public-by-default communities. 
Based on Matrix and built as a Synapse server extension combined with a custom client, Commune inverts a lot of Matrix norms: (1) Web-readable channels and threads that are easily shared as links and tended to in a digital garden; (2) shared interest discoverability across spaces via federated webrings; (3) opt-in encryption for ease of onboarding. The mission of Commune is to act as an accessibility layer on top of the Matrix protocol as a backbone for online community building. Commune meets users where they are by integrating tightly with Discord through two-way syncing and social logins (OAuth), allowing for incremental adoption as opposed to competing directly with the networking effects of incumbents. >> Read more about Commune CryptPad Blueprints — Server-side encrypted collaborative editor CryptPad is an end-to-end encrypted collaboration suite that has been under active development for 8 years, and is currently used by hundreds of thousands of people. Its feature set has grown from a simple editor to a full-blown suite with multiple apps, drive, teams, etc. The next generation of CryptPad should be even better - with stronger security guarantees (\"perfect forward secrecy\", post-quantum crypto), offline-first collaborative editing, and user-driven workflows like password resets. This project will take the first steps in this direction. We document the ways in which cryptography is used on the platform, review the state of the art in applied cryptography and then evaluate the right match with available technologies. Finally we will use these foundations to move forward to a new architecture for CryptPad that will allow for future developments, improved usability, and tighter security. 
>> Read more about CryptPad Blueprints DANCE4All — Implement DANCE specification in GnuTLS and MbedTLS DANE (which stands for \"DNS-Based Authentication of Named Entities\") is a set of mechanisms and techniques standardised within the IETF that allow Internet applications to establish cryptographically secured communications by using information made available through the domain name system. By binding key information to a domain name and protecting that binding with DNSSEC, applications can easily discover authenticated keys for services. The original DANE specification was built around server authentication. Recently a new initiative called DANCE (https://datatracker.ietf.org/wg/dance/about) emerged, extending DANE to include client authentication. The DANCE4All project's goal is to implement the DANCE specification in two major TLS libraries (GnuTLS and MbedTLS) such that client DANE will become widely available. >> Read more about DANCE4All DAVx⁵ WebDAV Push — Share Contacts, Calendars, Tasks, Notes & Journals This project is about drafting an internet standard for push functionality in the WebDAV/CalDAV/CardDAV protocols, and implementing it server-side (in NextCloud) and client-side (in DAVx⁵ and NextCloud Calendar). This standard should greatly benefit the already widely available WebDAV/CalDAV/CardDAV ecosystem in general. DAVx⁵ is a two-way sync tool for Android that gives people the power of choice where to store their data, instead of being locked-in to big tech. Besides Google FCM we also want to use UnifiedPush as Push backend, so that this can be used without any Google services. >> Read more about DAVx⁵ WebDAV Push DMT — Implementation of MOSFET Parameter Extraction Flow for Sky130 into DMT DeviceModelingToolkit (DMT) is a Python tool targeted at helping modeling engineers extract model parameters, run circuit and TCAD simulations and automate their infrastructure. 
Open PDKs like Skywater130 and IHP SG13G2 have brought about significant disruption in the open-source semiconductor landscape, eliminating barriers and reducing costs for all participants. A recurring issue with such open-source PDKs is the compact models. In this project, a compact model parameter extraction flow will be implemented into the open-source device modelling software DMT for generating improved MOSFET compact models for open-source PDKs. These models can be leveraged by circuit designers for cutting edge designs. The parameter extraction tool will be applied to the recently released IHP SG13G2 PDK to demonstrate its usefulness. >> Read more about DMT DNSvizor — Privacy-enhanced DNS resolver and DHCP server A secure and robust DHCP server and DNS resolver with a small resource footprint. We will develop a MirageOS unikernel providing these crucial network services. There are various privacy extensions (such as query name minimisation, and recently published opportunistic encryption between the resolver and the authoritative name server), as well as the possibility to deny resolution of configurable domain names (block lists). For enhanced security, we will implement DNSSEC. We will provide DNS-over-TLS and DNS-over-HTTPS services. This will be a drop-in replacement for DNSvizor and Pi-hole. The project builds on top of MirageOS: a library operating system developed in OCaml — a memory-safe functional programming language. In MirageOS, each service is a separate unikernel with a minimal attack surface that only contains the code required to run it. These unikernels are normally executed as a virtualized machine such as KVM, VirtIO, Xen. MirageOS also supports using a strict security feature of the Linux kernel called seccomp. >> Read more about DNSvizor DUT Control — Unified Control Interface for Firmware Security Tests The DUT Control project aims to create a unified control interface for real hardware used in firmware security tests. 
Firmware security plays a crucial role on the internet, especially for servers, as it ensures the reliability and trustworthiness of connected devices. However, firmware development poses unique challenges with regard to testing: Firmware runs directly on the hardware and therefore simulations often fail to cover all edge cases, making it essential to test on actual hardware. Furthermore, firmware is tailored to each hardware type, leading to individualized development. Thus, testing often requires manual intervention, increasing time and effort. DUT Control addresses these challenges by providing an interface to real hardware and an abstraction of hardware inputs and outputs. It is supposed to become the open-source interface between hardware components and testing frameworks. >> Read more about DUT Control Delta Tauri — DeltaChat implemented in Tauri The Delta Chat Desktop app is currently built with Electron and shipped to end-users on all platforms and many app stores. Delta Tauri will port it to instead use Tauri on all platforms, minimizing resource consumption and improving security. The download size is expected to decrease to around a fifth from the present situation, and the use of a system web view instead of the Electron-shipped full Chromium browser improves security because users benefit from operating-system managed security updates. Delta Tauri will also provide an important stepping stone towards a potential Delta Chat Web client, an often requested feature from users. >> Read more about Delta Tauri DeltaTouch — DeltaChat on UBports mobile phones DeltaTouch is a Delta Chat compatible messenger app for the Ubuntu Touch mobile platform. In this project we will enhance Webxdc support, the last big feature missing compared to the mainline Delta Chat apps. Webxdc apps are small, portable web apps that are running inside a host application. 
At the moment, all official Delta Chat clients and Cheogram, an XMPP-based messenger, are able to act as a host for Webxdc apps. The DeltaTouch Webxdc implementation aims to support the current and also upcoming Webxdc specifications, allowing all existing Webxdc apps to function well with DeltaTouch. >> Read more about DeltaTouch DeviceCode — Structured technical information about consumer devices This project is about reusing crowdsourced technical data about devices. This data is useful for researchers and tinkerers, but it is typically not the data that vendors are willing to give, let alone under a license that allows reuse. Think of: chipset information, serial port layout & speeds, amount of memory, and so on. Several groups of people have collected this data in several places (mostly wikis) under an open data license, but they are hard to reuse by other projects that could be interested in this data. The goal of \"DeviceCode\" is to collect this information, rework it into a format that is easy to reuse by other projects without having to resort to Wiki scraping, and also clean up the data (as humans make data entry mistakes and put useful data in places where it shouldn't be), cross-correlate different sources and automatically enrich the data where possible. >> Read more about DeviceCode Distributed GNU Shepherd — A Secure Distributed System Layer for Networked Cluster Computing The project to convert the GNU Shepherd to a distributed program by porting it to use Spritely's Goblins library will empower users to more securely connect computers for clustered and other forms of cooperative work. As a daemon-managing daemon, the Shepherd exposes control of the system layer. Goblins, as an implementation of the object-capability security paradigm, provides both networking and security abstractions. 
Together, they will simplify and increase the efficiency of existing networked workflows without sacrificing security while also enabling entirely new kinds of cooperation between disparate machines. >> Read more about Distributed GNU Shepherd Dokieli — Decentralised article publishing, annotations and social interactions Dokieli empowers users with full control and ownership of their content through self-publishing capabilities. As a decentralised authoring, annotation, and notification tool, dokieli enables users to create and share human-readable and machine-processable content. Users can author and annotate a wide range of creative works, including articles, reviews, technical specifications, research and academic works, resumes, journals, and slideshows. They can link significant units of information from various open sources, store their content using their preferred storage systems, and share it with their contacts. Dokieli is committed to leveraging open internet and web standards to ensure interoperability and universal access. Content produced by dokieli is decoupled from the application, allowing users the autonomy to switch to any other standards-compliant application and storage system. The project's goal is to make it usable and accessible for all. To this end, we will replace several key libraries; improve the UI; expand test coverage (including accessibility tests); increase support for offline use; perform security audits; and expand implementation of web standards, and provide implementation experience feedback to technical standards bodies. >> Read more about Dokieli Dolphin authorisation — Avoid privilege escalation in the Dolphin file manager While acting with elevated privileges, software needs to be distraction-free, clear and user-friendly to avoid security issues and other ways of impairing a system. 
This project is about enabling average users to do administrative file manipulation within the popular file manager Dolphin securely and with confidence. There is a strong demand for proper integration, enabling less technically-savvy users to safely work with all kinds of files. This project will bring improvements to technical and user-friendliness aspects, so the user will know how to securely accomplish their tasks. This will remove some attack vectors, reduce the risk of falling for social engineering, and reduce user error. >> Read more about Dolphin authorisation EDeA — Repeatable, automated measurement data capture EDeA is a set of tools and a web portal which makes it easier for people to share and collaborate on Open Hardware sub-circuits. The scope of this project is to further improve on the collaboration aspect of the portal and to build the EDeA Measurement Server. The EDeA Measurement Server is a tool for automated scientific data capture (not only) for sub-circuits and a library which enables test & measurement as code. This makes it possible to analyze, reason about and share open hardware in a repeatable and consistent manner. >> Read more about EDeA EEZ Studio — Open source tooling for measurement and test equipment EEZ Studio is a free and open source cross-platform low-code visual tool that brings the functionality of legacy solutions for effective control of test and measurement devices. Modern user interface, modular design, debugger, drag&drop flowchart programming will enable easy collection of measurement data as well as automation of test procedures in different environments from classrooms, workshops, laboratories to production lines. EEZ Studio also offers a development environment for efficient creation of GUIs for embedded systems that use touchscreens. 
Unlike similar solutions, EEZ Studio enables not only drag&drop programming, debugging and GUI simulator, but also the creation of complex business logic for interaction with the user and with underlying hardware functionality. >> Read more about EEZ Studio EEZ flow for EEZ Studio — Open Hardware Test & Measurement equipment EEZ Studio is a free and open source cross-platform tool which offers a development environment for efficient creation of user interfaces for embedded systems that use touchscreens. This allows for visual development of embedded GUIs and dashboards through which one can manage test and measurement equipment - including for test and measurement automation. In this project, the team will improve communication with test and measuring devices, making it possible to manage multiple instruments, add networking capabilities and support for non-SCPI instruments and devices. In addition the project will develop templates for more easily creating dashboards, make creating reports and working with the project scrapbook easier, and improve data and session management. >> Read more about EEZ flow for EEZ Studio ELF tools in Rust — Porting patchelf and install_name_tool to a flexible Rust crate The \"ELF tools in Rust\" project aims to develop a versatile command-line tool/library for manipulating ELF and Mach-O binaries, with a particular focus on enhancing patching functionalities. It will leverage the patchelf tool as a standard, alongside Rust's efficiency and safety features. Additionally, it aims to provide seamless integration with Python via bindings created with PyO3 for enhancing accessibility and usability for a wider range of developers and use cases. >> Read more about ELF tools in Rust EduLuanti — Education platform centered around 3D/cube world Luanti EduLuanti (previously known as the MinetestEdu project) is an open-source initiative designed to provide French teachers with tools for using the Minetest video game in the classroom. 
The aim is to encourage the adoption of open-source tools among educators and students in France and abroad, while contributing to the Luanti community with the development of educational features and customisable graphical elements with a focus on improved filtering of educational mods and enhanced manipulation of 3D data. This initiative follows on from the UNEJ (Urbanités Numériques En Jeux) project, which was developed in the north of Paris and is one of several projects using Luanti for education. >> Read more about EduLuanti Elm Matrix SDK — Better moderation for Matrix rooms and servers The Elm Matrix SDK project is an initiative within the Matrix protocol ecosystem, designed to streamline the functionality of Matrix bots into intuitive applications. The project, currently in its prototype stage, aims to enhance the accessibility of Matrix moderation tools, catering to users of varying expertise levels. The project focuses on developing lightweight client applications with specific use cases, ensuring a seamless and adaptable user experience. Matrix is an overlay protocol used mostly for instant messaging and audiovisual calls, but it is branching out into VR/XR and other domains as well. In its evolution, the Elm Matrix SDK intends to create tools that improve the usability and security of moderating individual Matrix rooms and entire servers. Examples include a \"suspicious users page\" for managing users banned across multiple rooms and a dedicated \"war room\" to counteract spam attacks. By prioritizing simplicity and effectiveness, the project strives to address social challenges and eliminate barriers to widespread adoption of moderation tools. >> Read more about Elm Matrix SDK EventFahrplan — Conference schedule app with strong offline capabilities EventFahrplan is a privacy-friendly app for attending conferences and events running on Android devices. 
The development of the project happens continuously by staying up-to-date with new technologies and Android versions, adding useful features and fixing bugs. Current challenges are the migration to Compose UI, architectural refactoring, Kotlin coroutines, accessibility improvements, translation management, behavior changes with Android 13, interface changes to address large devices - and many other topics. This project helps to sustain the development of the app and to work on a selection of these topics. >> Read more about EventFahrplan FABulous Demo SoC — SoC with open source FPGA based on FABulous Until recently, integrated circuits have largely been treated as blackboxes in the realm of trustworthy hardware. FPGAs, devices that can be programmed by the user to implement arbitrary logic functionality, help to open up this realm. But even with open source software stacks such as Yosys and nextpnr compiling for them, FPGAs themselves are still proprietary silicon. Using the FABulous framework and a wide range of other open IP, we are building a FPGA SoC (combination of a FPGA programmable logic fabric and a Linux-capable RISC-V CPU) that is both itself open source and built with open tools, and also supports the open FPGA toolchain to develop it. Simplicity is a key design decision throughout, so we can use our work to explain how modern computing systems work without the complexity of commercial platforms. >> Read more about FABulous Demo SoC FOSS Code Supply Chain Assurance II — Add approximate matching capabilities to software vulnerability discovery It is of the utmost importance to ensure that FOSS packages from public repositories have not been tampered with by malicious actors. This type of compromise is described as an open source \"supply chain attack\" and these have been increasing significantly. 
This project is building a new system (which is FOSS itself) to help verify the integrity of deployed code packages and validate their origin with external data sources, with the potential to mitigate attacks on open source packages supply chains such as: detecting if a package in use is matching verified code by matching source and binaries exactly and approximately. Or detecting abnormal code changes that may be signs of malicious modifications and possible attacks on a package. The key components of this open code and data solution are a Package and File Fingerprints Database, a Code Similarity and Changes Detection Engine, utilities to detect possibly malicious changes in upstream projects, and integration in build system(s). While existing approaches may require a tight control of the whole code supply chain, the approach of this project is designed for practical usage with limited changes to a build and CI/CD pipeline. This is the second phase of this ambitious project, the focus of which is to enable approximate matching between a database of FOSS packages resources and an actual FOSS package or other code. Moreover, various architectural improvements will be performed to support use at larger scale. >> Read more about FOSS Code Supply Chain Assurance II FPGA Fault Injection Testing — Better testing towards preventing fault injection in FPGAs Fault injection aims at disrupting the orderly way in which data and instructions in a chip are processed. This can be achieved, e.g., by malicious glitches that briefly interrupt the supplied voltage of the chip. To better protect against faults, countermeasures need to be implemented, such as glitch sensors that can detect these adversarial conditions. Due to the wide range of fault injection methods, the development of glitch sensors is time-consuming and requires a wide range of lab capabilities. Within the context of FPGAs, such testing is often not feasible due to their unique configuration based on a bitstream. 
In this project we seek to demonstrate that in-situ fault injection by creating short-circuits in an FPGA is possible and that this can be used to emulate similar effects in the circuit that otherwise would require costly external instruments. In addition, since FPGAs can be reconfigured quickly, it is possible to rapidly test a wide range of fault injection configurations. We then implement and compare glitch sensor designs in the FPGA and compare them to the state of the art (attacks and countermeasures) with the expectation to improve over previous results, as the fine-grained in-situ fault injection process is expected to offer more control over the testing process, resulting in a better calibration of the glitch sensor. >> Read more about FPGA Fault Injection Testing Faircamp 1.0 — Self-hostable, maintenance-free websites for audio producers Faircamp is a static site generator for audio producers, empowering artists, labels and everyone else working with sound to distribute their work on their own, with low resource requirements and little to no maintenance effort. The aims within this project are to address usability, accessibility and cultural concerns, to improve documentation, to implement missing core architecture components and complete the embedding functionality, as well as complementary bugfixing and smaller feature additions. >> Read more about Faircamp 1.0 FastWave — Modern waveform VCD parser Whilst the fields of open-source hardware design tooling (including synthesizers and layout tools, and open-source digital logic/VLSI gateware) have recently experienced a significant renaissance, simulation visualization tools have not enjoyed similar advancements. This is noteworthy given that verification comprises approximately 80% of the digital logic development cycle. Efficient visualization and debugging of SOC simulations are thus becoming ever more critical. 
Fastwave, currently developed as a VCD (Value Change Dump) parser in Rust, along with its visualization frontend, Surfer, aims to address this gap. Future iterations of Fastwave will enable advanced visualization of simulation states through custom user plugins. Potential applications include, but are not limited to, visualizing CPU pipeline states with pipeline diagrams or representing mesh network activity by simply loading a VCD file. Plans for expanding the Fastwave suite include features like tracing signals to their source, allowing users to pinpoint the HDL conditions that prompted changes in simulation signal states. Ultimately, Fastwave intends to reduce the workload for digital logic designers by enabling them to align the tool's visual outputs with the mental models they already have of their hardware systems. >> Read more about FastWave Federated software forges with Forgejo — Add ActivityPub based federation to Forgejo Forgejo is a self hosted software forge where developers can work together on software projects and users can report bugs or request features. As of Forgejo version 1.20, when a project is hosted on a Forgejo instance, every developer is expected to create an account on that instance in order to participate. Compared to email, it is as if it was necessary to create an account on gmail.com to send a message to someone with an @gmail.com email address and another on yahoo.fr to send a message to someone with an @yahoo.fr email address. But in 2022 there are two: the W3C ActivityPub protocol published in 2017 and forgefed, an emerging standard (since 2019) to describe activities happening on software forges. They can be used by Forgejo instances to communicate with each other and create a federation of forges continuously communicating with one another instead of a constellation of isolated silos. A federated Forgejo will enable software developers to work on the same project even when they use different Forgejo instances. 
There will be bridges between isolated Forgejo instances that software projects can use to synchronize in real time. >> Read more about Federated software forges with Forgejo Software metadata — Decentralized, federated metadata about software applications Modern software systems (and the organizations building and using them) rely on reusing free and open source software (FOSS), which requires quality metadata. Existing FOSS metadata databases are centralized and \"too big to share\" with locked metadata behind gated APIs promoting lock-in and prohibiting privacy-preserving offline usage. FederatedCode is a new decentralized and federated system for FOSS metadata, enabling social review and sharing of curated metadata along with air-gapped, local usage to preserve privacy and confidentiality. FederatedCode's distributed metadata collection process includes metadata crawling, curation and sharing, and its application to open source software package origin, license and vulnerabilities. The project strives to implement the concepts outlined in \"Federated and decentralized metadata system\" (Ombredanne 2023). >> Read more about Software metadata FediMod FIRES — Tooling for Fediverse moderation FediMod is building a set of tools to help assist in the moderation of fediverse servers, thereby reducing the need for each fediverse software to reimplement moderation tooling from scratch. FediMod FIRES (Fediverse Intelligence, Recommendations & Replication Endpoint Server) is a protocol for sharing moderation recommendations and advisories. It introduces two key ideas to the Fediverse, one being a firewall based approach to federation management, the second being that moderation decisions should be labelled using common vocabularies. The current project aims to create a reference server implementation, along with a conformance test suite that can be run by anyone implementing the FIRES protocol. 
We also intend to contribute features to existing fediverse software to enable the usage of these tools. >> Read more about FediMod FIRES Fidus Writer — Real-time collaborative web-based online editor for academia Fidus Writer is an open-source online editor that enables real-time collaboration among academic researchers. It supports exporting individual documents to various standard formats, but it lacks the ability to import and export document collections (books) to some of the most widely used formats, such as DOCX, ODT and JATS XML. This project aims to enhance the functionality and usability of Fidus Writer by adding import and export function for books (including tracked changes), as well as a generic pandoc export for documents, using the existing code base and infrastructure. This will allow Fidus Writer to reach a broader audience and increase its adoption in the academic community. >> Read more about Fidus Writer Flarum — Add federation and much more to the extensible forum software Flarum. Flarum is a technically advanced, open and extensible discussion platform. Flarum aims to bring people interaction to a new level by how it is designed and engineered. Flarum's key features include a responsive user interface that works seamlessly across all devices, a powerful and flexible extension system that allows users to customize the forum to their specific needs, and a robust set of moderation tools to keep the forum safe and spam-free. Within this project Flarum will add among others support for the W3C ActivityPub standard, to make content accessible in a federated way. >> Read more about Flarum Fleetbase on Solid: A production-ready supply chain solution — Federated open source supply chain solution using Solid One of the most exciting features of Solid is its ability to set up a knowledge graph that connects the data with different owners. This is useful for connecting personal data, but it's even more useful for connecting business data. 
As such, supply chain management is a field with a high potential for disruption with Solid. Individual companies can share supply chain data with their clients and suppliers, allowing for more insights across the entire supply chain. Building a supply chain solution on top of Solid doesn't only take knowledge of Linked Data, it requires partners who are experts in supply chain management. Fleetbase is an MIT licensed, open-source logistics platform serving companies around the world. The \"Fleetbase on Solid: A production-ready supply chain solution\" project seeks to make Fleetbase Solid compatible and flesh out a real-world use-case that relies on the power of linked data sharing enabled by Solid. By the end of the project, shipping companies will be able to use Fleetbase on Solid to share information and coordinate with third party delivery companies. >> Read more about Fleetbase on Solid: A production-ready supply chain solution ForgeFed — Federating software forges with ActivityPub The platforms that software developers use for hosting and collaborating on their projects, known as software forges, are centralized systems. And some of the most popular forge websites run proprietary software and are controlled by a single company. The values, methods, policies and interfaces of the tools we use with our software projects often don't align with our values and needs, but despite having coding skills, we're powerless to change the situation. ForgeFed aims to put the power back into the hands of the Free Software community, and to allow for systems that are truly trustworthy and support inclusion, freedom, participation, censorship resistance and alignment with needs, by turning software forges into a decentralized network. ForgeFed is a protocol and vocabulary for federation of servers and services related to the Software Development Lifecycle, and an attempt to implement federation into existing free-software forges. 
ForgeFed has been based on the ActivityPub protocol, which is widely adopted on the Fediverse, and is augmenting it with Object Capabilities, an essential component for distributed secure flexible authorization of collaborative resource access. >> Read more about ForgeFed ForgeFlux — Software Forge independent federation with ActivityPub and F3 Federation accurately models the way free software dynamics work: people and organizations across the globe come together to work on a software project. However, current software forging tools do not reflect this model, which has resulted in centralization in a few software forge instances. This issue is further complicated since a limited amount of tooling creators is committed to implementing federation. ForgeFlux is a project in the forge federation domain that is trying to make forges federate by building external adapters. We use the forge's native APIs and create a translation layer to talk to other nodes on the federating forge network. We aim to make Forgejo and GitHub federate for the first stable release. We are also working on other supporting areas in the forge federation domain, namely in search and discovery of software projects, and in developing testing and debugging tools. >> Read more about ForgeFlux Forgejo — An open source software forge with a focus on federation In order to collaborate among global FOSS communities, free and open source software projects need to make their software repositories available somewhere online. Running such repositories on top of a third party proprietary service introduces significant liabilities, including stability and privacy risks. There are also geopolitical issues of depending on such pseudo-infrastructure, where the political situation in one country can have an impact on the availability of technology in other countries. 
Forgejo is a new software forge designed to scale to millions of users and projects by combining ActivityPub based federated features developed for Gitea and optimizations developed for Codeberg. Forgejo helps to decentralise by enabling many independent forges to emerge, and allowing them to federate. Forgejo aims at lowering the technical barrier, facilitating moderation in a federated environment and providing the expected security updates. >> Read more about Forgejo Native IFC for FreeCAD — ISO-compliant Building Information Modeling in FreeCAD IFC, or Industry Foundation Classes, is finally providing a true, gold, open, universal data format for BIM (Building Information Modeling), the CAD paradigm nowadays widely adopted by the architecture, civil engineering and construction (AEC) industry. The IFC format is open-source, maintained by a consortium, open and text-based, and also an ISO standard. FreeCAD, a popular open-source 3D modeling application, has been supporting the IFC format for years already. This project goes one step further, and turns IFC into a default file format of FreeCAD. Without the translation layer needed to import and export IFC files, FreeCAD becomes a true, native IFC editor, with a wealth of advantages, such as having minimal, identifiable and version-control-friendly change sets, access to just any piece of IFC data, etc. >> Read more about Native IFC for FreeCAD Data packages — Specification + improved tooling for external data set descriptions Frictionless Standards are lightweight yet comprehensive open standards to help data publishers and consumers to create and use data. The standards include Data Package to describe a dataset, Data Resource to describe a data resource, File Dialect to describe a file format, and Table Schema to describe tabular data. 
They can be used together within a data package, like when providing a data API within an open data portal, or separately as building blocks for other standards or metadata catalogues, like Table Schema catalogue for public data models. The ultimate goal of Frictionless Standards is fully aligned with the FAIR principles: Findability, Accessibility, Interoperability, and Reuse of digital assets. >> Read more about Data packages Funkwhale — ActivityPub-driven audio streaming and sharing Funkwhale is a federated platform that provides tools for managing, publishing, and sharing audio content using the ActivityPub protocol. In this project, the team will expand the use of ActivityPub and extend the integrations with other ActivityPub-powered platforms. The flagship web app will be redesigned, adding support for more content types in its API, creating new features that integrate with MusicBrainz, and making the mobile Android offering feature-complete as well as adding a (Tauri based) cross-desktop app. >> Read more about Funkwhale GNS Migration and Zone Management — Registrar tools for adoption of GNU Name System The GNU Name System is in the final stages of standardization. Consequently, calls for migration and large-scale testing as well as interest in running GNS registrars are increasing. In order to address this development this project aims to facilitate the management of GNS zones by administrators and to provide users with means to resolve real-world names. To ease adoption, a framework for GNS registrars will be developed for zone management. The registrar framework will allow GNS zone administrators to provide a web-interface for subdomain registration by other users. The services may also be provided for a fee similar to how DNS domain registrars operate to cover running costs. The framework is envisioned to support integration of privacy-friendly payments with GNU Taler (https://www.taler.net). 
To demonstrate the capabilities of GNS with respect to DNS migration, we plan to run multiple GNS zones ourselves which contain the zone information from real-world DNS top-level domains. A selection of existing top-level domains for which open data exists will be hosted and served through GNS in order to facilitate the daily use of the name system. We are planning to integrate at least three DNS zones and publish them (regularly) in GNS for users to resolve. >> Read more about GNS Migration and Zone Management Taler for local currencies. — Free software banking backend for local currencies This project is about extending GNU Taler’s LibEuFin software to make it suitable as a core banking system for local or regional currencies, in combination with the Taler payment system. The innovation comes from employing FLOSS technology, and having a centrally managed and yet privacy-preserving payment system. Our focus will be on creating interfaces to allow regional currency administrators to control the platform, including account creation, controlling money supply, analyzing transactions, and setting of relevant policies. Additionally, we will support onboarding of customers, including offering them a way to trade fiat currency (e.g. EUR) for the local currency or vice versa (if permitted by the currency conversion policies of the platform). We will work with cities and regions that have deployed regional currencies (or are planning to do so) to better understand their needs and adapt our plans according to their use-cases. >> Read more about Taler for local currencies. GNUnet CONG — Modernise the network stack of GNUnet GNUnet-CONG is an intermediate abstraction layer for decentralized network stacks. The goal of this project is to create a common abstraction for the gnunet layer-2-overlay and libp2p, which can be used by higher level services of GNUnet (DHT, CADET and others). 
In addition to the abstraction GNUnet-CONG adds E2E encryption and protocol versioning for protocols on higher layers. By wrapping these functionalities in a nice abstraction, CONG offers a usable secure protocol/service that enables a controlled way to deal with developmental progress on higher layers. In addition to integrating the latest changes to the layer-2-overlay of GNUnet with its other parts, this project is a step towards interoperability and collaboration between projects for a decentralized internet on a technical as well as on an organisational level. >> Read more about GNUnet CONG Garage — Lightweight geo-distributed data store compatible with Amazon S3 Garage is a lightweight geo-distributed data store that implements the Amazon S3 object storage protocol. Garage is meant primarily for self-hosting at home on second-hand commodity hardware, meaning it has to tolerate a wide variety of failure scenarios such as power cuts, Internet disconnections, and machine crashes or slow response times. It also has to be easy to deploy and maintain, so that hobbyists and small organizations can use it without a hassle. Garage focuses on allowing users to build geo-distributed clusters, with nodes connected through consumer-grade Wide Area Network (Internet) connections. Garage makes this possible by tolerating relatively high latency between nodes thanks to an innovative design based on the principles of the Dynamo database and that makes heavy use of Conflict-free Replicated Data Types (CRDTs). Garage is written in Rust, with a strong emphasis on stability and robustness. The funding from NLnet will allow development of Garage to continue, tackling in particular the following two aspects: improving compatibility with the S3 protocol and guaranteeing the stability and soundness of the core of Garage's storage engine. 
>> Read more about Garage Genealogos — Nix to SBOM generator targeting the CycloneDX format With the increasing importance of understanding the software supply chain, both for security and legal purposes, it has become necessary to provide users, administrators, and developers with an accurate picture of what's in the software they use. Like with any bookkeeping task, doing that manually is cumbersome and hard to keep up to date. The better course of action is to use the information encoded within functional package management tools like Nix. With Genealogos you can generate a compliance-ready CycloneDX Software Bill of Materials (SBOM) for any package available in the nixpkgs repository or in fact from any nix flake -- and automatically keep it up to date. >> Read more about Genealogos Verilog-AMS in Gnucap (cont'd) — Analog/Mixed modelling and simulation in Gnucap Verilog-AMS is a standardised modelling language widely used in analog and mixed-signal design, but without an open reference implementation. Gnucap is a modular mixed-signal circuit simulator that partially implements Verilog-AMS, that aspires to eventually implement the complete language. In 2023, with NLnet support, we made significant progress in support for Verilog-AMS, the \"analog\" part, also known as Verilog-A, both on the simulator side and in the model compiler. For 2024, we will extend the work, concentrating on three tasks. The first is extensions to modelgen, the model compiler, essentially completing the analog part of Verilog-AMS, with some digital. The second task is enhancements to the simulator, mostly related to fast simulation of large mixed circuits, with both analog and digital parts. The first and second tasks are related to the \"mixed-signal\" aspect of Verilog-AMS. 
The third task addresses interoperability with other software, including schematic entry and layout, ability for Gnucap to use device models from other simulators, for modelgen to generate code to be used with other simulators, and porting some analysis commands. >> Read more about Verilog-AMS in Gnucap (cont'd) Verilog-AMS in Gnucap — Mixed-signal modelling and simulation with Verilog-AMS Verilog-AMS is a standardised modelling language widely used in analog and mixed-signal design, but without an open reference implementation. The language supports high-level behavioural descriptions as well as structural descriptions of systems and components. This project will make substantial progress towards a Gnucap based free/libre Verilog-AMS implementation. Gnucap is a modular mixed-signal circuit simulator, and has been released under a copyleft license with the intent to avoid patent issues. Gnucap provides partial support for structural Verilog and encompasses an analog modelling language that has influenced the Verilog standards. We will enhance data structures and algorithms in Gnucap, and improve Verilog support on the simulator level. We will implement a Verilog-AMS behavioural model generator targeting Gnucap with the intent to support simulators with similar architecture later on. >> Read more about Verilog-AMS in Gnucap GoToSocial — Lightweight ActivityPub social network server GoToSocial is an ActivityPub social network server, powered by Golang. It complements existing ActivityPub implementations by providing a lightweight, customizable entryway into decentralized social media hosting. GoToSocial places a high value on ease of deployment and maintenance; this means low system requirements, minimal external dependencies, and clear documentation. GoToSocial empowers self-hosting newcomers to deploy small, personalized instances, from which they connect to others across the Fediverse, using low-powered equipment lying around at home. 
With GoToSocial, you can follow people and have followers, you make posts which people can favourite and reply to and share, and you scroll through posts from people you follow using a timeline. You can write long posts or short posts, or just post images, it's up to you. You can also, of course, block people or otherwise limit interactions that you don't want by posting just to your friends. >> Read more about GoToSocial GoToSocial — Improvements to ActivityPub server written in Go GoToSocial is an ActivityPub-enabled social network server. It complements existing ActivityPub implementations (Mastodon, Akkoma, etc) by providing a lightweight, customizable and privacy focused entry to decentralized social media hosting. GoToSocial places a high value on ease of deployment and maintenance; this means low power requirements, simple set up, and clear documentation. It empowers self-hosting newcomers and experts alike, to easily and reliably deploy decentralized communities at minimal cost. With something as low-power as a small single-board home server, you can deploy a personal instance to follow your favourite Fediverse users, post content and interact with the decentralized community at large, all while retaining ownership of your personal data. For more experienced and privacy conscious users we offer features like allow-list federation mode, to ensure your data is only circulated among those you explicitly permit. In this project, the team will add two factor authentication, improve interoperability, scalability and add some new features like better archiving capabilities. >> Read more about GoToSocial Gorgon CI — Continuous integration testing for PRs against software dependencies A longstanding challenge of open source development is that few users test development versions of software. This means that bugs make it into stable releases, annoying thousands of downstream users. 
In extreme but common cases, this results in downstream software getting stuck on outdated versions of dependencies because they missed the opportunity to participate in the upstream release cycle. This is despite the fact that many of those downstream users will have their own CI setups that might have caught the bug had they been run against the development version of the upstream library. Gorgon is a CI system that will test PRs for your project, but it will run your project's tests against PRs for your dependencies as well. By leveraging Nix, Gorgon can make smart decisions about which PRs to test. Changes affecting few derivations will be prioritized over mass rebuilds, to test as many PRs as possible despite limited hardware. This will let you identify which changes to your upstream dependencies you should care about. You'll be able to find and report bugs before they make it into a release, and know which upstream discussions to get involved in. >> Read more about Gorgon CI Haphaestus — Lightweight JavaScript-free browser engine written in Haskell In the pursuit of turning a document publishing system into an application delivery platform, modern web browsers have become incredibly complex, thus frustrating efforts to adapt and modify browsers to people's individual needs, including privacy and accessibility needs. Haphaestus aims to illustrate the potential of a more private JavaScript-free web to provide an optimal experience for any conceivable device, by building upon the dev's previous auditory web browser to prototype one that can conveniently navigate most (but the most popular) sites using a TV remote. Haphaestus will strive to deliver a working independent web browser requiring minimal TV remote button presses, as well as reusable software components for laying out, rendering, & paginating rich text documents written in a range of alphabets. 
>> Read more about Haphaestus Hardware accelerated 2D graphics — Design hardware accelerated 2D graphics using C to Verilog This project is to develop a hardware accelerated 2D video controller for easily adding user interfaces to industrial and commercial machines. Besides offering a useful product and fulfilling a long-standing need for embedded systems development, it will also encourage people to engage in FPGA-based hardware development by using more friendly tools. Traditionally, to make stand-alone machines and systems (i.e. not based on PCs but on custom computing boards), if developers need to add graphical user interfaces (GUI) they are offered only two inconvenient options: use a complex system like a Linux-capable board, or limit performance to low resolutions that are unsuitable for medium to large displays. The latter case simply prevents successfully marketing those products, while the former requires a high degree of qualifications in embedded systems development, to build simple products like signage systems or vending machines. This project is somewhat inspired by the success of the Arduino project, a product and ecosystem that greatly simplified the design of not too complex machines, and encouraged a lot of people to do their own designs. Currently, with the easier Arduino and similar systems, there's no way to control professional user interfaces, so many developers keep outside of the field. With the proposed system, instead, it is easy: you can send drawing commands to the board right from the Arduino system, through a provided library. The board then loads previously stored images and fonts to render the GUI at a high resolution. The drawing commands are implemented with hardware acceleration to meet speed needs, and the cores for achieving that (FPGA gateware) will be written in the widely known C language. This is solved with a custom tool for conversion to Verilog, that offers fast graphical simulations too. 
This will encourage people who know the language from software development, to enter the hardware design field. Also, the widely known and easy to learn Micropython language will be offered, to further ease implementing devices. >> Read more about Hardware accelerated 2D graphics OCap layer for Haskell actor library — Implement OCapN and Syndicate in Haskell's troupe This project aims to develop a stratified framework for the Haskell language to utilize ocap-based protocols. This would enable modern, secure, and efficient communication in distributed systems. The target protocols are OCapN and Syndicate, both related to CapTP, but different in focus (RPC vs sharing state). The project will provide a set of packages necessary to participate in a cross-language P2P network of applications. That includes pluggable transports, message codecs, and handling patterns. >> Read more about OCap layer for Haskell actor library Icestudio — Visual developer tool for development of FPGAs Icestudio is an open source integrated development environment (IDE) with a \"no code\" philosophy that, through a block and diagram oriented visual interface, simplifies and streamlines the design of digital electronics on FPGAs. The simplicity of the concept breaks with the complexity of other tools in proprietary EDA environments, being able to meet the educational needs of STEM disciplines for the youngest students in schools, institutes, and universities, as well as providing more advanced users with a tool that simplifies their workflow in a much more user-friendly and visual environment without losing power or control. Through its frictionless installation system and the generation of Verilog code from the visual design, Icestudio allows users to get started immediately, acting as an integrating element between designers and manufacturers of open hardware, with developers of open software solutions for synthesis such as Oss Cad Suite and transpilers such as Silice, Amaranth, or Cflexhdl. 
Icestudio has the vocation of becoming the standard as a visual IDE for digital design on FPGAs, allowing other code-oriented IDEs to integrate it as part of their solution in the near future. >> Read more about Icestudio Icosa Gallery — Open, decentralised platform for 3D assets Icosa Gallery is an open source 3D model sharing platform, designed to give users total control over their 3D creations. Powered by ActivityPub, users are free to choose their own instance that suits their needs, while still being able to share their creations with the wider fediverse. Users have access to a versatile 3D viewer for the browser, can upload in a wide choice of formats, and have complete control over publishing, licencing, and terms of their own assets. 3D portfolios are made simple for sharing with clients. A powerful API, search, and tagging system allows users to easily integrate their creations into any 3D environment. Instance admins have a versatile toolbox for managing data, including multiple large file storage backends depending on their hosting needs. >> Read more about Icosa Gallery Inko — Programming language with deterministic automatic memory management Inko is a statically typed programming language, aiming to make it easy to write concurrent, reliable, deterministic, and memory safe software. Memory is managed automatically, without the use of a garbage collector. Instead, Inko uses a form of single ownership and runtime reference counting, and memory management is deterministic. Inko's type system makes data race conditions impossible, without the need to use locks and similar synchronisation methods, and without the need to copy data structures when sharing them between threads. As part of this project, we'll finish work on our upcoming native code compiler, overhaul and improve the compilation of generic types and functions, implement a type-safe C FFI, add support for cross-compilation, and expand the standard library with various networking protocols. 
>> Read more about Inko Inochi2D — Open source 2D animation/puppeteering framework Inochi2D is an open source, BSD 2-clause licensed toolkit and ecosystem for real-time 2D puppet animation, for use in game development, virtual avatars and other multimedia applications. Our ecosystem features an SDK and two tools: Inochi Creator, which allows the user to create a puppet by rigging layered 2D art via warping meshes, physics, dynamic masking and real-time lighting, in order to create the illusion of depth and liveliness. And Inochi Session, which allows the use of Inochi2D puppets for livestreaming, teleconferencing and more, by mapping external tracking data to a puppet's rigging. The SDK and tools together allow anyone to express themselves without restrictive licensing terms. With this grant our goal is to improve the user experience and portability of our tooling via the creation of a new UI toolkit which is purpose-built just for Inochi2D, called libsoba. We also plan to finish and release a major update to Inochi2D, version 0.9, which aims to make Inochi2D more future proof and portable, making it viable to use in game engines such as Godot and Unity, and on the web via WebASM, WebGL and WebGPU. >> Read more about Inochi2D Inventaire Self-hosted — Self-hosted book inventories that share the wikidata-powered bibliographic database The Inventaire Association supports and promotes the use of libre/free software and open knowledge to share information on resources. This ideal results in inventaire.io: a libre book sharing webapp, inviting everyone to make the inventory of their physical books, say what they want to do with it (giving, sharing, selling) and who may see it (friends, groups, or everyone). To provide data on books, inventaire.io reuses, extends, and facilitates contribution to wikidata.org. 
This allows users to build their inventories on top of a huge open multilingual knowledge graph, connected to Wikipedia, national libraries, the fediverse, and many other resources. As the inventaire software becomes more mature, it is now time to deliver on a promise made years ago: decentralization. Installing and maintaining a self-hosted data-federated inventaire server should soon be as easy as (cyber-)cake! This would allow association libraries, privacy-concerned collectives, or anyone preferring self-hosting, to run their own instance: they would fully control their inventory data (\"We have this book\"), while still having the possibility to benefit from a mutualized bibliographic database (\"This author wrote this book\"). >> Read more about Inventaire Self-hosted Irdest - OpenWRT Image and Bluetooth LE — Add Bluetooth LE connections to Irdest This project extends the Irdest mesh networking stack in two ways: Firstly, adding Bluetooth Low Energy support to Irdest. Bluetooth Low Energy (BLE) is an important technology to support for the mesh to work seamlessly. BLE supports the same communication range as regular Bluetooth protocol, while substantially reducing the energy footprint. Given that almost all mobile devices support BLE, supporting it in Irdest is a great advantage. Secondly, creating an OpenWRT image for Irdest. OpenWRT is a Linux distribution for embedded devices like routers. Like any other operating system, it has apps or packages. Irdest could see wider adoption if we publish an Irdest package for easy installation on OpenWRT. >> Read more about Irdest - OpenWRT Image and Bluetooth LE Irdest spec, db, route scoring — Route scoring and other routing improvements for Irdest meshnets Performant ad hoc mesh networks are an important way to achieve more resilience and reduce the dependency on fixed infrastructure. Irdest is a mature, relevant and up-to-date effort for hardware- and end-user-agnostic mesh networking. 
This project tackles some of the largest remaining issues in the Irdest stack. The Ratman router is currently not yet usable in production settings without immense supervision. The main goal of this project is to elevate the quality and resilience of Ratman to reach a level that users, who are not directly involved in development, have the capacity to run an instance and get reasonable error messages when something goes wrong - while minimising the amount of intervention actually required. Additional implementation of a few key missing features will make Ratman more useful in a wider set of deployments, and should improve general performance and uptime. >> Read more about Irdest spec, db, route scoring Threat intelligence sharing — Privacy-Preserving Sharing of Threat Intelligence in Trusted Adversarial Environments Iris P2P is a peer to peer system for sharing security detections and threat intelligence with trusted models resilient to manipulation attacks. Most P2P systems are designed for file sharing, storage, chat, etc. but they are not prepared to share security detections, threat intelligence data and alerts. The security world needs better ways to automatically share intelligence data with trusted organizations and peers. If decentralized, no single organization has control or can censor, sell or modify the data. Iris is the first global P2P system that is designed to solve this problem. It implements: automatic sharing of threat intelligence data when you are attacked, controlling the spread in the P2P to spread slowly, alerting the network of a new attacker. Controlling the spread in the P2P to be fast, asking peers about the reputation of other peers, and defining ‘organizations’ in the P2P network using the DHT and private/public keys. Organizations can publish their keys in conventional communication systems to attest ownership (social media, etc.). All communication is encrypted with private/public keys. 
You can control the privacy of your data by defining to which organizations and peers you want to share your data. You can also control the transfer of data with epidemic algorithms. All data is evaluated according to the trust in the other peers. The trust of each peer in the network is defined with a new protocol (Fides), which computes the trust in each peer by balancing the direct interactions with peers and the reputation of peers according to the rest of the peers. Fides implements a mathematical model to guarantee that no adversarial peer can lie to manipulate the reputation and the trust. >> Read more about Threat intelligence sharing JShelter Manifest V3 — Make JShelter compatible with Manifest V3 JShelter is a freely licensed anti-malware Web browser extension that informs and protects people's freedom and privacy through people's regular use of the Web. These programs often go unnoticed, but run on a user's system -- whenever the Web server says to run them. They are typically served to the user as minified JavaScript, and few provide the corresponding human readable source code, or a free license allowing users to lawfully inspect and modify the program. By definition, these programs infringe user freedom. This Free Software Foundation project started in 2020 and is continuously developing. It is currently used by thousands of users around the world as the project gears up to continue protecting users from potential threats from JavaScript, such as fingerprinting and tracking and data collection while migrating to Google's Manifest V3. Manifest V3 will restrict the capabilities of Web extensions -- especially those that are designed to monitor, modify, and compute alongside the conversation your browser has with the Web sites you visit. Because of that, Manifest V3 is a detrimental step back for Internet privacy. 
With the help of NLnet, JShelter will work to upgrade its functionalities and continue to protect user privacy on the Web, which is even more important after this transition. >> Read more about JShelter Manifest V3 JellyfishOPP — Open Hardware device for power profiling JellyfishOPP (Open Power Profiler) is an affordable open-hardware measurement device designed to provide advanced, bidirectional power measurements and profiling, power optimizations, and battery profiling/simulation. It primarily targets developers of ultra-low power devices such as IoT sensors and wearable electronics, while also serving engineers and hobbyists. OPP will be a portable USB device that can be controlled through a host computer or smartphone app. Additionally, it will feature a simple on-device user interface for basic functionalities, eliminating the need for a host device in certain scenarios. >> Read more about JellyfishOPP Kaidan Auth + portability — Account portability and Client/Server Authentication for the Kaidan XMPP client Kaidan is a user-friendly and modern chat app for every device. It uses the open communication protocol XMPP (Jabber). Unlike other chat apps, you are not dependent on one specific service provider. Instead, you can choose between various servers and clients. Kaidan is one of those XMPP clients. In contrast to many other XMPP clients, it is easy to get started and switch devices with Kaidan. Additionally, it adapts to your operating system and device's dimensions. It runs on mobile and desktop systems including Linux, Windows, macOS, Android, Plasma Mobile and Ubuntu Touch. The user interface makes use of Kirigami and QtQuick. The back-end of Kaidan is entirely written in C++ using Qt and the Qt-based XMPP library QXmpp. >> Read more about Kaidan Auth + portability Improving and extending Kaitai Struct — Rust parsing for binary analysis tool Kaitai Struct Kaitai Struct (KS) is a tool for working with binary formats. 
It introduces a declarative domain-specific language for describing the structure of arbitrary binary formats. Based on any specification, KS can automatically generate a ready-to-use parsing module in one of 11 programming languages (C++/STL, C#, Go, Java, JavaScript, Lua, Nim, Perl, PHP, Python, Ruby). Serialization is supported in Java and Python. This project aims to add Rust as a target language for parsing and to port the JavaScript runtime library to TypeScript, which will allow type checking and better IDE autocompletion in users' projects. The Web IDE has a severe limitation that parsing errors prevent any results from being displayed. This is planned to be fixed, along with several other nuisances that limit user-friendliness. The compiler will be improved too. Support for multi-byte terminators (needed for null-terminated UTF-16 strings) will be added in all target languages, and GraphViz generation failures will be resolved by updating to support newer KS features. The `valid` key will be extended by the capability to validate whether a value is part of an enum. The support for imports and unused types will be enhanced. >> Read more about Improving and extending Kaitai Struct Karrot — Location-aware community self-organisation Karrot is a tool to support grassroots community organizing. It is designed to enable community-building and a more transparent, democratic and participatory governance of groups. Some of its defining features are the self-assignment of tasks, full transparency of members’ actions and a trust-based role system that avoids all-powerful group admins. Karrot originates in facilitating food-saving and sharing initiatives but developed a wider scope of community support. 
Equipped with a better understanding about the diverse ways in which people self-organize and practice commoning, we will further develop the existing roles and permissions system, and add features through which groups can run polls and enact graduated sanctions according to their needs. >> Read more about Karrot Katzen Metadata Minimizing Messenger — Privacy preserving instant messaging using a modern mixnet Katzen is a multi-platform messenger application that works with Katzenpost, a mix network framework for building anonymity-enhancing communication services. Katzen minimizes metadata that could potentially be used to reveal the identities, locations, and relationships of its users. Katzen currently supports one-to-one messages between paired users, while also not revealing who is speaking to whom. This project aims to improve Katzen by adding group messaging, multimedia file transfers, and voice chat. These features require a new encrypted-at-rest database, additional UI for file transfers and push-to-talk voice messaging, and implementation of group messaging using the multiparty REUNION protocol, which allows group members to discover each other using a shared passphrase. >> Read more about Katzen Metadata Minimizing Messenger Kazarma Release — Bridge between ActivityPub and Matrix protocol Matrix-Appservice-CommonsPub is a bridge between two decentralized protocols: Matrix and ActivityPub. This allows the exchange of private messages between Matrix users and users of different ActivityPub-enabled platforms, like PeerTube, Pixelfed and Mastodon. The bridge comes as an easy-to-deploy, secure and scalable solution. In this project the team works on significantly improving interoperability with various ActivityPub-flavours, and extending the feature set - better moderation options, private bridges, internationalisation, etc. 
>> Read more about Kazarma Release Kbin — ActivityPub based link sharing and microblogging Kbin is a decentralized content aggregator and microblogging platform running on the Fediverse network. It can communicate with many other ActivityPub services, including Mastodon, Lemmy, Pleroma, Peertube. The initiative aims to promote a free and open internet. The platform is divided into thematic categories called magazines. By default, any user can create their own magazine and automatically become its owner. Then they receive a number of administrative tools that will help them personalize and moderate the magazine, including appointing moderators from among other users. Content from the Fediverse is also cataloged based on groups or tags. A registered user can follow magazines, other users or domains and create his own personalized homepage. There is also the option to block unwanted topics. Content can be posted on the main page - external links and more relevant articles or on microblog section - aggregating short posts. All content can be additionally categorized and labeled. Great possibilities to search for interesting topics and people easily is something that distinguishes Kbin. Platform is equally suitable for a small personal instance for friends and family, a school or university community, company platform or a general instance with thousands of active users. >> Read more about Kbin /kbin — Mobile app and feature additions to /kbin The project summary for this project is not yet available. Please come back soon! >> Read more about /kbin KiKit — Tooling for automation of production of PCB designed in KiCAD The EDA suite KiCAD is a widespread libre solution for designing electronics. KiKit is a Python library, KiCAD plugin, and a CLI tool to automate several tasks in a standard KiCAD workflow. The main goal of KiKit is to make the step from finishing a PCB design to having a physical PCB as easy as possible, as fast as possible, and as error-proof as possible. 
It achieves that via automation of manufacturing data preparation. The automated processes are reliable, repeatable, and require zero designer input. Thus, they are error-proof. KiKit allows you to perform sanity checks of the PCBs, build panels according to the description and generate manufacturing data (gerbers, assembly files, BOMs, stencils), PCB documentation, and more. All this can be fully automated and, e.g., integrated into continuous-integration pipelines. Not only KiKit provides ready-to-use pipelines for the most common scenarios, but it can also serve as a framework for building custom PCB post-processing setups. >> Read more about KiKit Wireguard-1GE FPGA — Implement Wireguard in Verilog WireGuard is a modern data tunneling and encryption protocol for Internet security. Traditional VPN solutions such as OpenVPN and IPSec are outdated, bloated, and have security gaps. While WireGuard in many cases will be a superior alternative, the performance of a software implementation will not always be enough for high-throughput use cases. The project will implement the WireGuard protocol on a cost-effective Artix-7 FPGA, targeting a board supported by open-source tools for Xilinx with four 1Gbps Ethernet ports. The corresponding gateware will be written in the industry-standard Verilog, welcoming everyone to contribute and review our code, helping us make it more secure and widely used. This project promises to deliver a working prototype of WireGuard in hardware in complete alignment with the spirit of the open-source movement. >> Read more about Wireguard-1GE FPGA Krill High Availability — Making Krill RPKI daemon deployment more robust Krill shows users which announcements are seen in BGP based on the resources on their certificate, and uses this information to give suggestions about ROA configurations. Currently, this functionality is built around RIPE Routing Information System (RIS) data, which can be up to 8 hours old. 
With this funding Krill will be extended so that it will be able to use a local BMP or even BGP feed. This will offer a number of major advantages to users. Most importantly it will allow for near-realtime insight and alerting, and it will ensure the visibility of RPKI Route Origin Validation \"Invalid\" announcements - as those are more and more commonly dropped and therefore increasingly invisible to RIS. >> Read more about Krill High Availability Collabora Online/LibreOffice Accessibility — Private and accessible collaborative editing with Collabora Online/LibreOffice Collaborative online text editing has become indispensable for many, but not everyone can equally benefit from it. The goal of this project is to implement improved accessibility for Collabora Online. The core of the proposal is to add accessibility to the edit view of documents, which are currently just pixels for a screen reader. This means users should be able to migrate off public cloud offerings when it comes to office document editing and this project should improve privacy for the most vulnerable in society. >> Read more about Collabora Online/LibreOffice Accessibility LibreOffice/Collabora Online typography — Add interoperability and state-of-the-art web typography to LibreOffice/Collabora Online line break The project adds state-of-the-art ISO OpenDocument/web typography features and MS Office line break interoperability to LibreOffice open source office suite (reference application of ISO OpenDocument format) and Collabora Online (open source online office suite built on LibreOffice Technology). This includes the support of ISO OpenDocument text property fo:hyphenate and paragraph property fo:hyphenation-keep (same features in XSL, CSS3 and CSS4); restoring lost text layout interoperability caused by the new default line break algorithm of Microsoft Word; and improving hyphenation zone interoperability (Microsoft Word/CSS4). 
>> Read more about LibreOffice/Collabora Online typography Lemmy private communities — Add private communities to Lemmy federated link aggregator Lemmy is an open-source, easily self-hostable link aggregator that you can use to share, discover and discuss interesting new ideas - and discuss them with the world. Lemmy is a good decentralized alternative to widely used proprietary services like Reddit. It is designed to work in the Fediverse by virtue of its implementation of the W3C ActivityPub standard, and communicate natively with other ActivityPub services such as Mastodon, Funkwhale and Peertube. Users registered on one server from one of these services should be able to effortlessly subscribe to communities on any other server, where they can have discussions with users registered elsewhere. In this project, the team will deliver many noteworthy upgrades ranging from a more stable API, to group federation, two-factor authentication and improved moderation. In addition the project will work on the new native client Jerboa (for the Android OS). Also for the nostalgically inclined, the project is working on a new frontend inspired by traditional web forums like phpBB. >> Read more about Lemmy private communities Libre-SOC HPC — Work on High Performance Compute capabilities for Libre-SOC LibreSOC has made significant progress in the development of Digitally-Sovereign VLSI designs. This project will continue to further that initial research, as creating High Performance Compute capabilities for ultimate use in end-user products such as smartphones, desktops, laptops and Industrial Embedded PCs is clearly important. We therefore aim to further the IEEE754 Pipelines, associated Formal Correctness Proofs, and continue implementing unit tests, Simulator, Processor Core implementing Power ISA and Draft SVP64, as well as documentation. In order to engage with developers and solicit feedback we will present the progress and outcomes at relevant technical conferences. 
>> Read more about Libre-SOC HPC Libre-SOC OpenPOWER ISA WG — Steward ISA extension proposals through OpenPOWER External RFC Process The Libre-SOC project has developed Draft SVP64 (a Vector Extension for the Power ISA), containing around a hundred new Draft instructions that dramatically improve the Supercomputing-class Power ISA. It also produced a Simulator, thousands of unit tests and over 350 pages of documentation. What we could not do however was submit a Specification to the OpenPOWER ISA Working Group - because the ISA WG was still in the process of being ratified. That has now been done, and we need to begin the formal process of writing up \"Requests For Change\" and submitting them. The end result will be an extremely powerful Vector ISA suitable for use in Digitally-Sovereign end-user products. >> Read more about Libre-SOC OpenPOWER ISA WG SCIM integrations — System for Cross-domain Identity Management (SCIM) Most organizations have a digital work environment that is composed of many applications. With a Single Sign-on (SSO) system they get a unified login and logout experience, but there is a catch. Traditional SSO protocols like OpenID Connect do not support syncing user profiles across applications. For instance, users are deleted in the SSO, but not in the applications. Hence, SSO implementations are not GDPR compliant by default, and organizations have to develop custom processes to circumvent violations. SCIM is a standard developed within the Internet Engineering Task Force designed to solve exactly that. The project is to develop a SCIM client for Keycloak and a SCIM service provider for Nextcloud, RocketChat, Matrix and Stackspin. >> Read more about SCIM integrations Libre Car Control — Automotive development platform, protocol analyzer and hacking multi-tool The Engine Control Unit (ECU) is a microprocessor-based system that receives input from various sensors, analyzes the data, and controls various driving functions based on the input. 
LibreCar is a small and affordable device which can emulate an actual ECU as an electronic control module that manages control of an automotive vehicle. Acting as an all-in-one device for building, testing, monitoring, and experimenting with Automotive ECUs, LibreCar is built around a unique FPGA-based architecture making its digital hardware fully customized to suit the application at hand. As a result, it can act as a no-compromise Automotive protocol analyzer, an Automotive-hacking multi-tool, or an Automotive development platform. It is a fully reconfigurable test instrument that provides all the hardware, gateware, firmware, and software you will need to work with—and, indeed, to master Automotive domain such as rapid prototyping of compliant and non-compliant Automotive devices, Protocol analysis for Automotive protocols like Diagnostics, XCP and DLT for security research etc. >> Read more about Libre Car Control LibreCellular — FOSS technology stack for 4G networks The LibreCellular project makes it easier to create 4G cellular networks with open source software and low cost software-defined radio (SDR) hardware. Achieving this via validated hardware and software configurations that are subjected to rigorous end-to-end testing via a continuous integration (CI) platform, supported by tooling and documentation for repeatable deployment. This NLnet funded work will build on previous efforts and enable the integration of a more advanced core network, together with support for Voice-over-LTE (VoLTE). In support of which the existing CI hardware platform will also be extended and tests developed to provide VoLTE coverage. Finally, a previously developed medium power RF amplifier will be further developed to create a complete RF front-end, and a deployment manual will be created which covers topics such as antenna selection, spectrum licensing and EMF assessments. 
>> Read more about LibreCellular LibreOffice CRDT — Real-time collaboration between several, distributed LibreOffice instances LibreOffice is the most widely used free and open source office suite, available for desktop, mobile and in the browser. Its most popular application is the text editor Writer, which is used to write billions of documents every year. Due to the increase of connectivity and remote work, these days many users look for real-time collaboration capabilities - meaning the ability to work with multiple persons on a single document in parallel. This project seeks to add this critical feature to LibreOffice. As a significant first step towards that goal, this project will therefore embark to re-architect LibreOffice Writer's comment (and later on change tracking) implementation, to make use of a suitable CRDT data structure. This is the first step towards real-time collaboration between several, distributed LibreOffice instances (desktop, mobile and server). >> Read more about LibreOffice CRDT LibrePCB — EDA software suite to develop printed circuit boards LibrePCB is a free and open source electronics design automation (EDA) software suite to develop printed circuit boards (PCBs). It runs on all major platforms and aims to be easy to use, while still being able to create professional schematics and PCBs. The goal is to make creating electronics easier, more efficient and less error-prone by using modern technologies and user interface concepts. LibrePCB therefore streamlines the whole PCB design process — from installing part libraries to ordering the final PCB design. Having such a free, powerful EDA software is the basis for the whole open hardware community as it allows us to reduce the dependency on proprietary and expensive technologies and empowers everyone to develop hardware for free, from hobbyists to professionals. 
>> Read more about LibrePCB LibreQoS — Improve congestion control for wifi networks LibreQoS is a Quality of Experience (QoE) open source platform that leverages state of the art (and IETF standardized) Flow Queueing (FQ) and Active Queue Management (AQM) algorithms to help Internet Service Providers (ISPs) enhance their customers' internet connections. It effectively manages latency and bufferbloat over existing infrastructure. LibreQos ensures fair sharing of bandwidth, prioritizes critical real-time applications and promotes connection quality, equity and access. >> Read more about LibreQoS Liminix — Nix-based OS for domestic WiFi routers, access points etc Today you can reflash your broadband router with Linux (e.g. DD-WRT, OpenWRT, Tomato or variants) to provide unparalleled flexibility to do things that the manufacturer system was not capable of. However, managing this flexibility by hand is challenging, especially when keeping custom configuration in sync across devices or through version upgrades. Liminix aims to provide an OpenWrt-style embedded Linux distribution based on the Nix language for congruent configuration management, and the Nix package system. On top of this we plan to implement seamless management of configuration and secrets across a network of Liminix devices, and robust dependency-based service/process management so that a device can respond usefully when hardware or network connectivity changes. >> Read more about Liminix LiteX — Developer framework for FPGA and ASIC designs LiteX is a versatile Python-based framework designed for building FPGA SoCs, providing a useful tool for developers working with FPGA and ASIC designs. Within this project we will improve LiteX by simplifying its use across three main tasks: creating FPGA-based accelerators and innovative ASIC SoCs, and running CI tests on FPGA boards. 
For supporting FPGA-based accelerators we will develop a user-friendly infrastructure for developers to create their own accelerators using their preferred HDL language, along with example projects and documentation for various FPGA boards. We will extend LiteX CI tests to hardware to maintain stability, avoid regressions when introducing new features and enable testing of configurations that are difficult or impossible to simulate. And by introducing ASIC support to LiteX we enable people to create innovative ASIC SoCs. We start with a SKY130 build backend, and will extend the framework to streamline switching between different flows: Simulation, FPGA prototyping, and ASIC. We subsequently collaborate with other NLnet-funded projects to create an innovative SoC to validate the toolchain. By delivering these tasks, the project will support the LiteX ecosystem, encourage innovation, and share the outcomes within the open-source hardware community. >> Read more about LiteX LunaPnR Phase 2 — A versatile and fast new open-source place and route tool Making a custom chip (ASIC) requires a vast arsenal of tools, to do synthesis, simulation, parasitic extraction and schematic entry. LunaPnR aims to add a robust open-source automated place & route tool to the equation. Luna targets ASIC processes larger than 100nm, in which it can perform place & route, do clock-tree synthesis and timing verification. This allows the design of e.g. mixed-signal (analogue + digital) chips used in sensors and IOT devices. LunaPnR integrates well with existing open-source tools, such as YosysHQ's Yosys (a logic synthesis tool) and KLayout (a manual ASIC layout tool), but also with commercial tools via industry standard file formats (LEF, DEF and GDS). A fully open toolchain allows for a complete chain-of-trust between the chip designer and the chip manufacturer, from digital design to GDS2 and back (via wafer inspection). 
In this new project LunaPnR will implement and test detail routing algorithms, enhance the quality of the parasitic extraction for use with the OpenSTA static timing analyzer, speed up the graphical user interface (so it can render very large designs efficiently), implement and test the power structure/special net/padring placer & router, and integrate Logic Equivalence Check (LEC). >> Read more about LunaPnR Phase 2 Mainstreaming Anonymity for Developers (MAD) — Add Onion Services to interactive internet applications A library that allows software developers to build anonymous and secure peer-to-peer services and applications using Tor onion services. Gosling enables a developer to easily build technologically-guaranteed secure, metadata-resistant and anonymous networked applications (both peer-to-peer or client-server). Gosling is a Blueprint for Free Speech-developed, open-source library enabling this functionality via the use of Tor's onion services. Because effectively and safely using Tor onion services programmatically is difficult and requires specialised expertise, very few applications use this technology despite the benefits to users. Most of these existing applications are dependent on the web-browser technology stack and seek to 'bolt-on' anonymity and privacy guarantees to existing clearnet applications. Gosling, inspired by Ricochet Refresh and subsequent peer-to-peer onion service-based instant messaging clients, starts from first-principles and provides developers a tailored, pluggable system for peer-to-peer connectivity with all of the security and privacy properties of Tor onion services. It provides a simple API surface which reduces the chance of errors by developers which may end up compromising users' security and anonymity. Gosling contributes to globally expanding users' defences against ever-more-ubiquitous online surveillance. 
This project moves Gosling from a functional proof-of-concept toward a trusted library which developers will be happy integrating into their programs to build the next generation of privacy-preserving internet applications. >> Read more about Mainstreaming Anonymity for Developers (MAD) MNT Reform Next — New iteration of the MNT open hardware laptop MNT Reform Next is a new, thinner and higher performance version of the renowned Open Hardware laptop MNT Reform. It adopts connectivity standards like USB-C and PD charging, remains modular and aligned with the Right to Repair, and is built with longevity in mind. The project aims to bring Open Hardware computing and Free and Open Source Software to a larger audience by lowering cost and increasing portability while delivering more processing power. >> Read more about MNT Reform Next The MacBook Liberation Project — Implement Coreboot support to various Apple devices The MacBook Liberation Project aims to bring software freedom to the Apple MacBook by replacing its proprietary boot firmware with freedom respecting boot firmware. This will increase their longevity, privacy and security. Intel based models that are now partially compatible with coreboot will be made fully compatible with not only coreboot, but easily installable coreboot distributions like Libreboot as well. The focus will lie on support for all possible RAM and SPD configurations for these models as well as easy internal installation for end users. >> Read more about The MacBook Liberation Project Machdyne — Modular open compute hardware Machdyne designs and builds small computers intended for timeless applications such as reading, writing, math, education, organization, communication, and automation. We are creating a new series of open-source computer designs based on European-manufactured FPGAs. These computers will use an updatable open-source System on a Chip (SoC) that can be fully audited, understood and trusted. 
>> Read more about Machdyne Mailpile 2 (moggie) — Building a secure, modern e-mail client for self-hosting Mailpile's mission is to empower users to be more autonomous and private in how they manage, store and communicate over e-mail, simplifying the use of relevant encryption technology (OpenPGP, Tor and encrypted local storage). Mailpile 2 will be an Open Source, secure web-mail application, usable and powerful enough to be a compelling alternative to both mainstream desktop e-mail clients and proprietary web-mail services. Mailpile 2 will offer both local and remote access to an elegant, mobile-friendly web interface, built on web-APIs exposed by Moggie. Moggie is the project's technical toolkit for searching and working with e-mail. This stage of the project is about developing Moggie to the point where it is useful as a stand-alone tool in its own right, and feature complete enough that work on the Mailpile 2 user-interface can commence. >> Read more about Mailpile 2 (moggie) Makatea — An x86, 64-bit Virtual Machine Monitor for the seL4, verified microkernel The security of any software system depends on its underlying Operating System (OS). However, even compartmentalization focused OSes such as Qubes, which are \"reasonably secure\" depend on large trusted computing bases (e.g. hypervisors) with hundreds of thousands of lines of code. seL4 is an open-source, formally-verified microkernel that has matured and been maintained for over a decade. seL4's small size (10,000 Lines of Code) and formal verification make it an appealing base to implement a hardened, open-source, x86 64-bit Virtual Machine Monitor (VMM) on. Makatea is a new hypervisor written from the ground up, capable of paravirtualisation, Hardware-Assisted Virtualisation and device emulation. Makatea also will allow to run software originally written for other platforms wherever seL4 can be made to run - and do so in a very controlled environment. 
>> Read more about Makatea Manas — Rust modules for Solid clients and servers Manas project aims to make Solid ubiquitous by creating an ecosystem with well-tested, reusable components in rust and js, with which one can assemble customized, feature rich Solid storage servers, clients, and applications, and digital-commons with data-sovereignty collaboration at the core. Using rust, the servers could be run on low resource raspberry-pies to low latency serverless clouds, or as lightweight developer test servers. Can use custom storages from filesystem, object-stores, or consumer cloud storages like google-drive as backends. Support for WAC, ACP authorization systems, Solid-OIDC, HTTPSig authentication schemes, multi pod management, solid-notifications, etc will be provided as reusable layers. And the layered architecture enables adding customized validation, or any other custom features. For clients, a rust client, and other helper crates will be developed for Solid protocol, Solid-notifications, etc, with probable bindings to other languages, that enables small CLIs, and other server-side/client side applications. For the applications, a reusable crate will be created to package them as native applications using tauri, and Manas. This could make Solid an attractive storage api to code web & native apps with a single code base. It can be extended to offer sync solutions, native-first apps, etc in future. >> Read more about Manas MapComplete — Thematics OpenStreetMap-viewer and editor. OpenStreetMap is a libre and free online database of geodata which can be edited by everyone and is used by millions of people. However, contributing can be challenging or intimidating to non-technical users. MapComplete is a webapp whose goal is to make it trivial to see and update information on OpenStreetMap. 
This is achieved by showing only features related to a single topic of interest on the map - from playgrounds, public toilets and bicycle rental places to charging stations and public tap water spots. MapComplete contains many thematic maps, each built for a certain community of users and use cases. By focusing on a single topic, contributors are not distracted by objects not relevant to them. Furthermore, this allows showing (and asking for) attributes that are highly specialized (e.g. a widget that determines tree species based on pictures) but also reusing common attributes and elements (such as showing and adding opening hours or pictures). Within this project, performance will be improved and a user interface to create a new topical map will be built, which will allow for more people to contribute on more topics. >> Read more about MapComplete Marginalia Search — A fresh take on search Marginalia Search is an experimental Internet search engine for the independent web designed and optimized to run on cheap consumer hardware. The overarching goal of the development effort is to bring the project into a more mature state; to improve search quality and range, reduce the amount of manual operations, and to produce and offer portable data in order to bolster adjacent efforts in the search and discovery space. >> Read more about Marginalia Search Catalogs in MariaDB — Enable true multi-tenancy in the MariaDB database MariaDB Server is the open source database powering most of the internet. Many deployments of MariaDB are done as part of a shared hosting solution, where the underlying hardware is shared by many different tenants. To achieve scalability, hosting providers typically start a single MariaDB Server instance and impose artificial limitations to tenants, such as disallowing any new user creation, modifications, passwords, access control changes etc. 
The alternative of starting up dedicated database servers incurs a significant resource overhead, limiting the number of total tenants and implies wasted energy and compute power. Catalogs is a feature built for MariaDB Server to eliminate the need for artificial restrictions, all while maintaining high scalability and user density. Catalogs introduce an extra separation on the SQL layer, allowing a user experience that is almost 100% identical to running a dedicated MariaDB Server instance, without the overhead of starting up multiple servers. With catalogs, hosting providers will be able to optimize hardware usage while their users will be able to modify their own dedicated system tables, without impacting other tenants. >> Read more about Catalogs in MariaDB ActivityPub Quote Posts — Quote Posts in ActivityPub and Mastodon Quote posts are a popular feature of online social media platforms. They offer the ability to share another persons post to ones own followers, while adding a comment. Interestingly, so far this seemingly obvious concept has not been standardised - meaning there is no agreed way to implement this feature into an W3C ActivityPub implementation in a way that is automatically interoperable with the other applications in the Fediverse. Quoting is a simple but powerful feature that can help to quickly grow audiences and convey trust and respect, but in the hands of the wrong people it can also be used for malicious purposes: to misquote people, or to intentionally quote someone out of context. Since people 'have actually said it', quotes can easily be levered to rally hate speech and harass people. This project will design an ActivityPub implementation of quote posts that tries to avoid this. It will attempt to remove some of the liabilities, and reduce the risk of weaponisation. 
The goals is to write an ActivityPub protocol extension proposal (a so called FEP) for quote posting, which will be implemented directly in Mastodon to see if the design holds up. Having a specification, allows everyone to efficiently implement this same feature in an interoperable way. >> Read more about ActivityPub Quote Posts Modular Meta-Press.es — Reusable decentralised meta-search engine Meta-Press.es is a search engine dedicated to online press. It can work from your computer being shaped as browser WebExtension and gives you back the control of your information sources allowing to choose (and pin-point) the newspapers to search in. Sources can be contributed by users, covering any domain where it's the chronological order that matters : press (TV, radios…), scientific press, online agendas… Using Meta-Press.es is free, avoid ads and does not trigger the tracking mechanisms of online newspapers when discovering the results. With the new developments within this project, Meta-Press.es will break out of web browsers to become available server-side and for mobile users. Also, contributions for your favorite sources will finally be possible \"all by mouse\" and without computer science specific knowledge (traditional method via CSS selectors still being available). >> Read more about Modular Meta-Press.es MobileAtlas — Taking roaming measurements to the next levelMobileAtlas MobileAtlas is an international measurement platform for cellular networks that takes roaming measurements to the next level. Although mobile cellular networks have become a major Internet access technology, mobile data traffic is surging, and data roaming has become widely used, well-established measurement platforms (e.g., RIPE Atlas) are not well-suited for measurements in the mobile network ecosystem. This includes measurements of metered connections and consideration of roaming status and zero-rating offers. 
MobileAtlas implements the promising approach to geographically decouple SIM card and modem, which boosts the scalability and flexibility of the measurement platform. It offers versatile capabilities and a controlled environment that makes a good foundation for accurate and fine-grained measurements. In the current phase we focus on increasing the coverage of the measurement platform and improving the support for emerging technologies (e.g. eSIM, IPv6, VoLTE, and 5G). >> Read more about MobileAtlas Mobroute — A minimalist FOSS public-transportation router/tool suite Mobroute is a general purpose FOSS public transportation router, enabling people to e.g. plan their trips around town. It is a Go library and command line interface (CLI) that works by directly ingesting timetable data from transit agencies themselves (in GTFS format, obtained via the Mobility Database). After this data has been fetched, route planning can be done offline, on one’s own device. Overall, Mobroute aims to offer an open source framework for integrating data-provider-agnostic GTFS public transit capabilities (integrated GTFS ETL, GTFS multisource support, and routing algorithm) into applications to get users from point A to point B via public transit, without comprising privacy or user freedoms. In addition to the Mobroute Go library & CLI, the related subproject, the Transito app offers fully integrated routing functionality on mobile devices (Android & Linux) utilizing Mobroute's Go library. >> Read more about Mobroute Caster — Open-hardware high-refresh-rate electrophoretic display controller Modos is building an libre, open source and open hardware ecosystem of low-cost, affordable electronic devices that use an E Ink display and are driven by the first open-hardware high-refresh-rate electrophoretic display controller of our own design. 
Having such a controller will enable the creation of new devices and applications designed around the advantages of this dynamic medium: easier on the eyes, less power consumption, readable in direct sunlight, and persistence. In this project, the team will incrementally improve upon the existing (working) prototypes and establish a Pilot Program . The team provides community support, and makes sure you contribute to the development of the open hardware ecosystem. >> Read more about Caster Monal IM UI — Modern UI for XMPP on iOS and macOS Monal is an open source XMPP instant messaging client for MacOS and iOS which strives to be the go-to client for these platforms just like the app Conversations is for Android. Like other messaging apps on iOS and macOS Monal must deal with the limitations of these platforms. Yet, Monal is able to fully support push messages even for encrypted groupchats without resorting to non-XSF- standardized extensions to the long-lasting XMPP protocol. Since Monal has a quite mature and stable XMPP backend now, the focus is shifting to rewriting the UI of Monal. And all this while adding new features, such as voice and video calls, which have only recently been added. In this project, Monal will receive a new chat UI that provides better UX and is way more maintainable for the developers. Additionally, the audio call functionality previously funded by NLNet, will be extended by a dialpad. This will allow calls to mobile and landlines via appropriated XMPP-VoIP-bridges like jmp.chat. To speed up connection establishment support for Bind2 and FAST will be implemented. This will result in better UX, especially for users on mobile connections with low bandwidth and high latency. 
>> Read more about Monal IM UI Mox — Modern full-featured open source secure mail server Mox is a modern email server implementation that makes it easy for people and organizations to run their own mail server, allowing them to stay in control of their own email communication, and keeping email decentralized. While high-quality open source mail server software components exist, their code bases are growing old, and getting a working setup involves configuring at least half a dozen of them to work together. That complexity has turned people to a few (centralized) email providers. Mox gives users their power back! All important protocols/mechanisms needed for a modern email setup have been implemented in mox, including: IMAP4, SMTP, SPF, DKIM, DMARC, MTA-STS, TLSRPT, automatic TLS with ACME and Let's Encrypt, IP/domain/bayesian spam filtering, internationalized email, account autoconfiguration. Setting up mox takes just minutes with the quickstart, with no additional tools/dependencies required. The code base is lean, coherent, self-contained, well-tested, cross-referenced with specifications, liberally MIT-licensed, trivially reproducibly built and is defensively written in Go, a modern, safe programming language. Mox's integrated approach has allowed for novel functionality. Development continues on supporting more protocols and extensions, as well as quality improvements such as more automated tests. On the roadmap at the time of writing (but check the project site!): IMAP4 CONDSTORE, QRESYNC, THREAD extensions, DANE and DNSSEC, sending DMARC and TLS reports, OAUTH2, Sieve, JMAP, Webmail, Calendaring and more. 
>> Read more about Mox Naja — EDA tool focused on post logic synthesis Naja is an EDA (Electronic Design Automation) project aiming at offering open source data structures and APIs for the development of post logic synthesis EDA algorithms such as: netlist simplification (constant and dead logic propagation), logic replication, netlist partitioning, ASIC and FPGA place and route, … In most EDA flows, data exchange is done by using standard netlist formats (Verilog, LEF/DEF, EDIF, …) which were not designed to represent data structures content with high fidelity. To address this problem, Naja relies on Cap'n Proto open source interchange format. Naja also emphasizes EDA applications parallelization (targeting in particular cloud computing) by providing a robust object identification mechanism allowing to partition and merge data across the network. >> Read more about Naja Naja DNL — Add Dissolved and Batch Netlists to Naja EDA Naja is an EDA (Electronic Design Automation) project aiming at offering open source data structures and APIs for the development of post logic synthesis EDA algorithms such as: netlist simplification (constant and dead logic propagation), logic replication, netlist partitioning, ASIC and FPGA place and route, … In most EDA flows, data exchange is done by using standard netlist formats (Verilog, LEF/DEF, EDIF, …) which were not designed to represent data structures content with high fidelity. To overcome this problem, Naja relies on Cap'n Proto open source interchange format. Naja also emphasizes EDA applications parallelization (targeting in particular cloud computing) by providing a robust object identification mechanism allowing to partition and merge data across the network. The core of Naja is formed by two interrelated data structures: the Structured Netlist (SNL) and the Dissolved Netlist (DNL). 
SNL is tailored for high-fidelity representation of hierarchical netlists, while DNL offers a flattened netlist view, optimized for rapid, multi-threaded analysis and optimization tool development. >> Read more about Naja DNL NaxRiscv core improvements — Open hardware out-of-order RISC-V CPU This project aims at extending the scope of the NaxRiscv project (a free and open-source out-of-order multi-issue RISC-V CPU, using innovative hardware description techniques and optimized for FPGA deployment) by getting the CPU to run Debian in a stable manner and documenting the whole process used to build the required binaries/rootfs, implementing memory coherency, multicore support and an L2 cache to enhance performance, and finally, optimizing and synthesizing the CPU for ASIC using the free and open-source tooling to pave the way for some future NaxRiscv based silicon chips. >> Read more about NaxRiscv core improvements Nitrokey 3 — PIV/FIPS 201-3 and extended hardware support for Trussed/Nitrokey Nitrokey 3 is an open source hardware USB/NFC key aiming for data encryption and two-factor authentication. Currently it supports FIDO2 authentication and WebCrypt. This project will allow it to extend its Rust firmware, developing additional functionality which makes it into a full-featured open hardware security key. By adding support for new so-called 'secure elements' to Trussed, any device using Trussed can benefit from more hardware options. Within the project we will also develop PIV support for Nitrokey 3. PIV is a smart card standard which is used in enterprises and also popular among users of some operating systems like Microsoft Windows. PIV allows for data encryption, signing and authentication. >> Read more about Nitrokey 3 Nitter — Alternative privacy-preserving FOSS UI for Twitter Nitter is an open source alternative Twitter front-end that prioritizes privacy and performance. 
It acts like a proxy by requesting data on the server using internal Twitter APIs, and serving a lightweight front-end without JavaScript or ads, as well as RSS feeds. This bypasses the need for login credentials, and all requests including media go through the Nitter server. It's easy to self-host, and more than 100 public instances are available. The scope of this project is to implement features such as an account system for following Twitter users, tweet embeds, missing Twitter features, and general maintenance. The account system will store tweets in a database, paving the way for a future tweet archival feature. >> Read more about Nitter Debug Adapter with Nix — Implement the Debug Adaptor Protocol for Nix The DAWN (Debug Adaptor with Nix) project intends to improve the Nix developer experience by making debugging Nix code easier. As with most programming languages, writing Nix code may be difficult and confusing for those both new to and experienced with Nix, so having a good debugger experience is essential. Today, debugging Nix may be performed either via the Nix debugger's repl or by print statements (builtins.trace). DAWN improves this debugging experience by implementing the adapter portion of Microsoft's Debug Adapter Protocol on top of the Nix debugger. DAWN will provide an ergonomic and first class debugging experience directly from all editors supporting the Debug Adaptor Protocol. >> Read more about Debug Adapter with Nix Nominatim as a library — Self-hostable address/location retrieval for OpenStreetMap Nominatim is an open-source geographic search engine (geocoder). It makes use of the data from OpenStreetMap to build up a database and API that allows searching for any place on earth and looking up addresses for any given geographic location. The conventional wisdom is that geocoding is such a computationally heavy task that it can only be done through a webservice. So far, Nominatim has been following this convention. 
While it is easy to install your own instance, it is still expected to be run as a service. However, if you care about privacy, then location data is not something you would want to regularly send to an external geocoding provider because it allows detailed movement profiles to be created. We need the possibility to do geocoding directly on the device. The goal of this project is to transform Nominatim's code base so that it can be used not only as a web service but also as a local application or as a library inside another application. In the first phase, the PHP code of the search frontend will be ported to Python, which is much better suited for such a multi-use task. In the second phase, we explore if the rather heavy-weight PostgreSQL database can be transformed into an SQLite database to even further simplify using Nominatim as a library. >> Read more about Nominatim as a library Nyxt Webextensions — Independent implementation of WebExtensions Nyxt is a web browser that seeks to empower knowledge workers with access to better browsing tools. The Internet is the single largest corpus of human knowledge available. Effective tools to navigate, browse, and index it are important for research/work/empowerment. Nyxt provides these tools. A different take on the \"browser\", Nyxt is a power-browser, designed from the ground-up for work. What was until now missing from Nyxt, and from other third party browsers, is support for common WebExtensions (such as NoScript, ad blockers, etc). In this project we'll extend Nyxt's capabilities to support WebExtensions which will allow users to customise their browsing experience and better protect themselves from abuse. Additionally, our work will pave the way for other libre WebKitGTK+ to support WebExtensions, and thus, increase adoption. 
>> Read more about Nyxt Webextensions OVT 13 — Open Hardware laptop The open hardware laptop OVT 13 (Open Vision Technology 13\" Laptop) will be a thin and light laptop that is on-par in terms of performance and look-and-feel with established solutions available from market dominating competitors. The OVT 13 is designed to meet the modern standards imposed on thin and light laptops. The fully open-hardware design as well as the modular approach will satisfy both the enthusiast and non-technical user in terms of design openness, upgradability and repairability, performance and formfactor. The vast amount of engineering innovation that goes into designing consumer electronics devices goes unnoticed by many users. These innovations take place behind closed doors and do not advance the technical progress of our society, but only serve to increase the market share of a single company. The OVT 13 will not only be an open hardware design, but also a communication effort that shines a light on the design challenges and the innovations needed to overcome them. By publicly documenting the whole design process no knowledge will be kept behind closed doors and the innovation that goes into designing such a system can be used by everyone. >> Read more about OVT 13 Oils for Unix — Bringing shell environments into the 21st century Oil is a new Unix shell. Shell languages provide an (IEEE standardised) interactive command language and interactive scripting environment used to control computer operating systems. Shell scripts are deployed and used visibly and invisibly to command or glue together different applications and control the execution of tasks. Oil is the upgrade path from traditional shells like bash to a better and more structured language and runtime. It already runs thousands of lines of unmodified POSIX compliant shell scripts (as well as bash scripts which aren't compliant), but in a safer and more reliable way. 
OSH can be smoothly upgraded to YSH, a new shell language influenced by Python, Ruby, JavaScript, JSON, and YAML. YSH also offers a basic interactive shell UI, and a \"headless\" API for building GUIs on top of shell. Through its set of specification languages, scripts can be translated to fast C++. Goal of this project is to implement various new builtin YSH methods and functions (Str, Dict, IO, ...), implement JSON / J8 Data languages, create a Flag parsing lib and test framework, and significantly improve documentation throughout the entire project. >> Read more about Oils for Unix Oku — A browser and encrypted data vault based on IPFS Oku is a free and open-source browser for the Web, which aims to bring several technologies, some new and some pre-existing, to everyday users of personal computers. It aims to promote the usage of peer-to-peer protocols, such as IPFS, onion routing (using the Arti implementation of the Tor anonymity protocols), and the WebKit browser engine. With the IPFS protocol built into the browser, users will be able to create, share, and view hypermedia without the need for servers; as a consequence, pages accessed through the IPFS protocol will require offline, local-first data storage on 'vaults' residing in the user's device. The browser facilitates the reading of data from the local storage vaults, prompting the user for a password so that the vault may be decrypted; afterwards, the 'hivepage' (a page accessible through a P2P protocol, as opposed to HTTP) is provided with the user's files residing in the relevant decrypted vault. This model will promote a more trustable alternative to the Web, while simultaneously reducing the cost of publicly sharing hypermedia on the Internet, as servers will no longer be responsible for hosting & serving the content. 
>> Read more about Oku Open Energy Profiler Toolset — Modular open hardware Energy Profiling Battery-powered devices often incorporate high-speed communication protocols that consume power in high peaks. One of the main challenges is to provide a compatible set of hardware and software solutions that will enable easy and high-precision energy profiling tools which enable high-speed sampling rates and high current rates. Energy consumption profiling of such devices requires the use of various hardware and software solutions that are often not compatible, making them difficult to use, or do not provide suitable measurement accuracy. Our primary objective is to provide a unified toolset that encompasses an EEZ bus compatible hardware platform, open-source firmware, customized protocols for external firmware energy debugging, and a user-friendly graphical interface for widely used operating systems like Windows and Linux. This toolset will enable the end user to quantify overall MCU-based device consumption and identify energy-intensive software parts within an IoT end device. The project outcomes will include an EEZ Bus compatible standalone acquisition card that supports sampling data rates up to 4 MSPS and high-speed data streaming through an Ethernet interface; an open-source library as support for energy debugging of end device firmware; and open-source GUI application for visual examination of different energy consumption parameters. >> Read more about Open Energy Profiler Toolset Ordie — Designing a SoC for Betrusted The field of open silicon is still in its infancy, and while the story on digital logic generation is good, analogue is still a work in progress, and full system integration is only just beginning. The Ordie project will characterize available analogue and digital blocks, integrate them, and create simulation and test software to validate them both pre- and post-production. 
In this way, the Ordie project will create open, fully-verified silicon chips where every aspect of the part is inspectable down to the raw GDS files. These parts will be usable in some aspects of projects such as Betrusted, where they may be used to replace some of the proprietary silicon with open variants. Along the way it will develop a circuit that enumerates over USB, be able to address various debug structures using existing Wishbone USB and Spibone debugging, and develop a buck regulator, useful for powering on-die structures. The on-chip blocks will be documented using reference systems such as lxsocdoc. >> Read more about Ordie Organic Maps — Privacy-focused Android & iOS offline maps application Organic Maps is a free and open-source mobile app, that offers fast detailed offline maps of the entire world based on the OpenStreetMap database maintained by millions of people across the globe. The app works with downloaded map files on your device, offering fast power-efficient map rendering, offline turn-by-turn navigation with walking/cycling/driving directions as well as robust offline search and trip planning features. Organic Maps is a community-driven app you can trust – no software bloat, no battery drain, no excessive permissions, no ads, no tracking, no personal data collection, no big tech's prying eyes. Pure and organic, made with love. >> Read more about Organic Maps Overte — Virtual reality based social platform Overte is a virtual social platform that allows its users to socialize in a more involved way than traditional digital communications, by allowing them to enter worlds using Virtual Reality. It can be used not just for recreational activities, but also education, psychotherapy, congresses, and more. The goal is to support people's need for immersive social platforms, by providing them with something that is privacy respecting and free. 
As part of this project, we aim to take on bigger maintenance and development tasks that may otherwise happen slowly or remain undone. Such tasks include overhauling the build system, as one of our challenges is enabling volunteers to build, test, and contribute to a software with more than a million lines of code and many major dependencies on multiple different platforms. >> Read more about Overte p2panda: group encryption and capabilities — Add group encryption and capabilities to peer-to-peer SDK p2panda is a protocol and SDK for building decentralised applications with authenticated data, which is stored and synced between computers. Most p2p protocols, including p2panda, face problematic security and privacy challenges, where sensitive data is distributed in a trust-less network. This application aims at the integration of a secure data encryption and fine-grained capability layer to give users more control and protection of their data. Scalable data encryption for large groups in a decentralised network is hard and has always involved a trade-off between UX and security. We believe that MLS is the first Internet Engineering Task Force (IETF) standard to tackle some of these challenges. p2p applications of all kinds will benefit from a protocol that gives them a distributed, strongly encrypted database stack. MLS assures Post-Compromise Security (PCS) and Forward Secrecy (FS) and still stays performant for large groups. While MLS is capable of working in a decentralised environment it hasn’t been explicitly specified for it. With p2panda we have all the building blocks to realize MLS in a fully decentralised setting. Highly collaborative p2p and offline-first applications require a robust capability system which facilitates giving and revoking permissions to/from identities on the network. With such a system it becomes possible to give permissions for certain actions to other authors or link devices which should be grouped under a single identity. 
>> Read more about p2panda: group encryption and capabilities PTP gateware with openXC7 — PTP on FPGA timing cards and SDR cards with openXC7 This project develops open-source gateware for the Precision Time Protocol (PTP), which is essential for accurate timekeeping across servers. Implementing this technology on Xilinx ZYNQ FPGA chips, it offers a secure, reliable alternative to proprietary gateware, reducing the risk of undetected security breaches through server backdoors. This initiative not only enhances Internet security but also enables diverse applications, from 5G networks to research instruments like particle accelerators, making advanced time synchronization accessible, and safeguarding the digital ecosystem for the general public. >> Read more about PTP gateware with openXC7 Passthrough Authentication — Authentication proxy using Kerberos and SPNEGO Adding authentication to an application is an ungrateful part of development - users don't like to log in and there is a lot of duplication of effort. This project proposes an interesting alternative which benefits from the fact that browsers have retained built-in support for HTTP SPNEGO (with Kerberos included) for many years: by forwarding Kerberos tokens through a lightweight proxy to a \"kerberized\" authentication server that is part of the same Kerberos realm where the user logged in at the beginning of the day. The goal of this project is to make web modules, such as Apache, for the proxy and implement the authenticator using Diameter or another broker, and do the same for SASL using GSSAPI. >> Read more about Passthrough Authentication Popularizing PeerTube — Decentralised video platform powered by ActivityPub PeerTube is a software that empowers collectives to create their own video hosting and live-streaming solution, present a federated video catalog, and emancipate themselves from proprietary centralized platforms. 
It is nowadays used by institutions, educators, collectives of creators and citizens. This development project is aimed toward improving on PeerTube's features and ecosystem in a way that facilitates adoption, experience and usability. Such developments include: user's data export & import, a full accessibility audit (including integrations), splitting audio & video streams, comments review & moderation tools for content creators, automated filters to facilitate moderation, streaming in \"audio only\" mode, a redesign of the video management system, a new content warning/characterization system, a whole UI/UX audit and remodel. We also want to develop the first version of an official mobile app dedicated (at first) to find and enjoy content on the PeerTube vidiverse. >> Read more about Popularizing PeerTube Peertube plugin livechat — Integrated chat for Peertube live streams The Peertube project aims to offer a free, decentralized, and sovereign alternative to video-on-demand platforms. Since its 3.0.0 version it is possible to live stream. However, the Peertube team has chosen not to integrate a chat system, but rather to offer the necessary tools so that it is possible to integrate this functionality via plugins. It is in this context that the \"Peertube Livechat\" plugin was launched in 2021. This project - already installed on nearly 250 Peertube instances - has grown with time, and already provides a serious alternative to existing proprietary systems. However, there are still some steps to be done to offer the same level of service as these commercial platforms: manage the decentralization allowed by Peertube at the chat level, possibility of automatic moderation, streamer/viewer interaction tools, improve and complete the translations of the software, improve its documentation, think about the numerous requests of the community, and so on. 
>> Read more about Peertube plugin livechat PeerTube - Remote Transcoding — Remote Transcoding for distributed video sharing network PeerTube is a free-libre and federated alternative to centralized video platforms such as YouTube, Twitch or Vimeo. It empowers content creators (institutions, video-makers and live streamers, communities, etc.) to self host their own collective video-platform without being isolated in the wide web. The technical choices behind PeerTube (ActivityPub Federation, peer-to-peer broadcasting) keep the source of this suggestion (the technical and financial bar to self & collective hosting: you no longer need Google's server farm and Amazon's money to host your own PeerTube servers (an instance) and synchronize it with other servers to share video catalogs! There is still one technical bottleneck: video transcoding. This step is essential for a smooth video broadcasting experience. Transcoding happens at every video upload or during live-streams, and consumes a lot of CPU power. Instances hosting lots of content creators or live streamers tend to rapidly need to upgrade the CPU power of their server, to avoid a bottleneck that only happens episodically. Allowing transcoding work to happen remotely could solve a number of important logistical problems in a more efficient, resilient, affordable and eco-friendly manner. >> Read more about PeerTube - Remote Transcoding Manyfold — Manage private collections of 3D models This project will build a web application for managing collections of 3d models, with a focus on the needs of the 3d printing community. It is designed to be self-hosted, and lets users browse, organise, and analyse their downloaded models. With NLnet’s support, we aim to develop it into a decentralized multiuser platform for hosting and distributing 3d content. 
Using ActivityPub, we aim to build a kind of 'decentralized Thingiverse', allowing anyone to run their own instance to distribute content, and subscribe to content on other servers using any one of the many ActivityPub services out there such as Mastodon. We also aim to develop an innovative open format for progressive transmission of 3d mesh data, allowing both quick previewing of remote models, and low-quality previews for commercial content. >> Read more about Manyfold Pimalaya: email — Open source personal information management Pimalaya aims to improve open-source tools related to Personal Information Management (PIM) which includes emails, contacts, calendars, tasks and more. Its first goal is to provide Rust libraries dedicated to the PIM domain. They serve as a basis for all sorts of top-level applications, which saves developers from reinventing the wheel. Its second goal is to provide quality house-made applications built on top of these libraries, gathered into projects. Among others this includes Neverest, a command-line synchronisation tool. This grant will help Pimalaya to cover the email domain: improve lib structure, improve synchronization, implement autoconfiguration, implement thread view and initialize a REPL. >> Read more about Pimalaya: email PixelDroid/Media editor — Native PixelFed/ActivityPub image sharing app PixelDroid is an Android app focused on sharing pictures and video through ActivityPub-based services such as Pixelfed and Mastodon. The scope of this project is two-fold: first to improve the application's features and make it more friendly to use for people new to the platform - we want PixelDroid to have the best onboarding experience of the fediverse. Secondly to work on photo and video editing, adding features and streamlining the editing user experience. 
We will also enable our work on photo and video editing to be used by others outside of the context of our app, by creating a standalone editing application and improving our 'Android media editor' library so that adding media editing to FOSS Android applications is easier than ever. >> Read more about PixelDroid/Media editor Pixelfed — Open source, federated photo sharing platform using ActivityPub Pixelfed is a free and ethical photo sharing platform, powered by ActivityPub federation. The primary scope of this project is to build a federated Groups feature which will enable people to create communities across Pixelfed instances and other fediverse software. Pixelfed Groups will support text, photo and video posts on a separate Group-only timeline feed, as well as support a powerful role based membership system where admins can easily control who can join and the other actions they can perform. >> Read more about Pixelfed pretalx — Open source tooling for events and conferences When attending events like conferences, visitors are often subjected to privacy-invading proprietary apps by organisers. With printed programmes typically no longer made available, visitors are put on the spot: either they install some unknown app and allow themselves to be tracked, or they don't know which sessions to attend. Pretalx is an open source project for events and conferences. It provides a Call for Proposals interface, tools for review (including fully double-blinded ones), scheduling, speaker communication, and attendee feedback. pretalx has a variety of plugins and can be self-hosted. This gives conference organisers, speakers and attendees complete control over the data they share. This project will completely redo the writable API of pretalx, making it a strong privacy-friendly option for any event being organised. 
Pretalx is one of the leading open source tools capable of handling the full organisation of events from Call for Proposals to user feedback, and is used by many large open source events already (MozFest, FOSDEM, Pycon, NSEC, etc). >> Read more about pretalx Pythonic Slint — Add a full-blown Python API to Slint Slint is a next generation declarative GUI toolkit that supports multiple programming languages such as Rust, C++, and JavaScript. Implemented in Rust, a language known for its memory safety and performance, Slint can run on platforms such as Windows, Linux, Mac, QNX, and microcontrollers. Next to JavaScript, Python is the most popular programming language. While Python developers already have a number of options when it comes to GUI frameworks, most of these are in the form of wrappers or bindings. We aim to make Python a first-class citizen with a dedicated and idiomatic API, to empower developers to create amazing user interfaces for their applications. Python developers will benefit from a modern open source GUI framework that is well-supported. >> Read more about Pythonic Slint RA-Sentinel — FPGA-based Radio Receiver for securing Wifi against hacking attacks The proposed project aims to develop a cost-effective, small, and low-power wide band radio receiver device that automatically detects various malicious attacks on Wifi access points, such as Man in the Middle and Denial of Service attacks. The RA-Sentinel project is designed to protect your home WiFi from unwanted cyber threats. Think of it as a digital watchdog for your internet connection that barks when someone from the outside tries to break in. The device will enhance internet safety for ordinary users by monitoring any Wifi cell. It will consist of low-cost receive-only chips that digitize 40 MHz of the Wifi radio spectrum at 2.4 GHz and extract, with the FPGA, relevant properties from demodulated and decoded packets in real-time without storing them. 
These properties are fed into a neural network also implemented on an FPGA, which determines if the traffic is genuine or an attack. Only open source FPGA tools will be used. >> Read more about RA-Sentinel RADIUSdesk Multi WAN — Add Multiwan to RADIUSdesk RADIUSdesk is a complete, open source solution for the provision and management of Internet connectivity. The main component is a feature-rich RADIUS server that includes features such as vouchers, BYOD and permanent users. Permanent users have support for Private PSKs and versatile Fair Usage Policies (FUP). MESHdesk allows you to quickly roll out WLAN connectivity over a large area. APdesk can be deployed in enterprise environments and offers support for guest networks and dynamic VLAN assignment. Bandwidth and data usage can be managed via one of the following options: a captive portal, a PPPoE server or private PSKs with RADIUS. MESHdesk and APdesk can be managed via your phone or a desktop browser. The system has an intuitive API that eases integration with other systems. In this project, Multiwan support will be added, together with private Pre-Shared Key (PPSK), Multi-Dwelling Units (MDUs) and Software-defined Wide Area Network capabilities which will allow support for more VPN technologies. >> Read more about RADIUSdesk Multi WAN RAIJIN — Open Hardware brain measurements with near-infrared spectroscopy Low-cost electroencephalographic (EEG) systems have been available for over a decade, such as the open hardware OpenBCI ecosystem. While EEG has been democratized to varying degrees, blood-oxygen-level-dependent (BOLD) methodologies are constrained to medical and niche realms. While magnetic resonance imaging is impractical for a hobbyist, functional near-infrared spectroscopy (fNIRS) may offer a more practical alternative. Similarly, non-visual and non-auditory feedback from a brain-computer interface (BCI) may be streamlined with a tactile or haptic device. 
Transcranial temporal interference stimulation (TTIS) can be directed and integrated with the existing ecosystem. The Rank-Adjusted Infrared Juxtaposed Interferential Neuromodulation (RAIJIN) marks three components that would significantly improve tools for citizen-scientists. Given recent low-cost projects, it may be possible to bring low-cost fNIRS, non-invasive deep brain stimulation, and tactile response into the OpenBCI ecosystem. Tactile and TTIS enable closed-loop computer-brain interference (CBI). By integrating BCI and CBI, the RAIJIN system will enable mobile, low-cost, BOLD-capable, closed loop, and non-invasive brain-to-brain interface (BBI). >> Read more about RAIJIN RETETRA3 — Security research into TETRA standard Terrestrial Trunked Radio (TETRA) is a European standard for trunked radio used globally by government agencies, emergency services and critical infrastructure. Apart from most European police agencies (such as BOSNET in Germany or RAKEL in Sweden), military operators and emergency services, TETRA is also widely used for SCADA telecontrol of oil rigs, pipelines, transportation and electric and water utilities. Prior research extracted the secret cryptographic functions underpinning TETRA security and made them available for public scrutiny, resulting in the first public in-depth security analysis of TETRA - uncovering five vulnerabilities including a backdoor. We contributed various improvements and bugfixes to the open-source osmocom-tetra stack, as well as adding support for cryptography. This new project has two main components: developing support for uplink demodulation/decoding and message parsing and implementing a stack able to monitor both downlink and uplink traffic simultaneously, as well as working towards FOSS TETRA base station functionality. 
The project will also investigate the obscure TETRA E2EE, an optional proprietary solution on top of the standard used in the most sensitive of use cases for TETRA networks, and provide a security analysis as well as a FOSS implementation. This research should shed light on its suitability for mitigating the previously uncovered security issues. Also, we will dig deeper into the security of TETRA as a whole, with a special focus on message injection vulnerabilities. We aim to provide definitive insight into the extent to which adversaries are able to compromise confidentiality and integrity (particularly important when used in critical infrastructure) of traffic, and which mitigations can be considered in order to be able to use TETRA securely and safely. >> Read more about RETETRA3 Fast RSA + PQ Blind Signatures — Fast multiprecision integers for blind RSA and Post-Quantum signatures We observed significant performance differences between the different implementations of classic RSA signatures in various widely used Free Software cryptographic libraries. Each of the libraries takes a different approach to implementing modular exponentiation, the core operation when generating and verifying RSA signatures. Naturally, RSA signatures would also not be safe in the presence of large-scale quantum computers. In this project, we improve the performance of libgcrypt, mbedTLS, GNU nettle and libgmp to ensure that they are on par with the best secure implementations available today. Furthermore, we implement one of the academic post-quantum blind signature schemes, make it available as Free Software and integrate it with GNU Taler. >> Read more about Fast RSA + PQ Blind Signatures Raptor Lake Desktop — Implement open-source firmware for modern mainboards and chipsets The Raptor Lake Desktop project aims to deliver open-source firmware support for a modern day motherboard (the MSI PRO Z690-A WIFI DDR4/DDR5 workstation/desktop), enabling users to customize and enhance their hardware. 
Through open-source firmware, users will have the freedom to modify and adapt the software according to their specific requirements. Building on the success of the Alder Lake Desktop initiative, this project focuses on two key goals: adding support for 13th generation Raptor Lake-S CPUs on existing boards and implementing open-source firmware support for the MSI PRO Z790-P WIFI DDR4/DDR5 boards. The project also includes the development of additional firmware features to improve system functionality and security, such as selective Option ROM loading, ESP partition scanning, power state after power fail option, PCIe Resizable BARs, and XMP memory profile selection. Through community involvement and feedback, the project aims to provide a more personalized and flexible computing experience for board owners. >> Read more about Raptor Lake Desktop Python bindings to the rattler library — Rattler is a Rust-based library to interact with the conda package ecosystem (which provides binary, cross-platform software packages for Windows, macOS and Linux). Rattler makes it easy to resolve package dependencies with a SAT solver, download the packages, and create virtual environments on the user’s computer. The main focus of this project is the py-rattler bindings, which give users the power to use rattler from Python, to create virtual environments programmatically. Furthermore, py-rattler will be used by other tools in the ecosystem such as the bot infrastructure that powers “conda-forge”, the largest open source repository in the conda universe. >> Read more about Python bindings to the rattler library ReOxide — Improving Rust Decompilation Modern compiled languages such as Rust and Go are notorious for producing binaries that are difficult to reverse engineer by default. As these languages grow in popularity, they are increasingly being used in proprietary products and are also attracting malware developers. 
In order to audit binary software and analyze malware, it is therefore necessary to improve reverse engineering tools with special support for specific languages. To fill this gap, we are developing the ReOxide framework, which targets the reverse engineering of Rust programs. In the presence of extensive compile-time code generation and strong memory optimizations, existing decompilers reach their limits when trying to recreate C-like languages. The design goal of ReOxide is therefore to build on top of the Ghidra decompiler and make it extensible for custom analysis passes. This will allow us to gather information that is readily available during decompilation itself, but not through Ghidra's public plugin API. We will use this information to address Rust specific language features, but also try to keep the extensions general enough for other languages. >> Read more about ReOxide Redox Flow Battery — Development Kit for Open-Source Hardware Redox Flow Battery The clean energy transition is underway, and batteries are becoming more common in everyday life. Stationary batteries can perform many roles, like reversibly storing intermittent renewable energy or providing backup power and services to the electrical grid, including internet infrastructure. Right now, lithium-ion batteries—also used in portable electronics and electric vehicles—are increasingly used for stationary applications. Lithium-ion batteries are, however, not ideal in terms of lifetime, cost, safety, and supply chain sustainability. There are viable alternatives to lithium-ion batteries for stationary storage, such as flow batteries, which are being commercialized but are not yet widespread. We plan to democratize flow battery technology by developing an open-source flow battery and starting an associated community around it. We will start with a benchtop-scale development kit, suitable for educational and research use, before progressing towards larger cells. 
With this NLnet funding, we plan to finish our first release of a 5 cm² kit as well as design and test the subsequent 25 cm² cell. >> Read more about Redox Flow Battery Replicant on Pinephone 1.2 — Add basic support for the Pinephone 1.2 to Replicant Replicant is the only fully free operating system for smartphones and tablets. All the other operating systems for smartphones and tablets use nonfree software to make some of the hardware components work (cellular network modem, GPS, graphics, etc). Replicant avoids that, either by writing free software replacements, by tweaking the system not to depend on it, or, as a last resort, by not supporting the hardware component that depends on it. The goal is to first adapt support for the Pinephone and various other hardware (mainly from GLODroid), to make it generic and reusable by other Android distributions and smartphones to improve collaboration between Android distributions using mainline linux kernels. >> Read more about Replicant on Pinephone 1.2 Reproducible F-Droid — Building a trusted app ecosystem with F-Droid F-Droid maintains a complete free software build/sign/deploy stack for securely making signed releases of Android apps in a fully automated way. This has been used since 2010 to run the f-droid.org repository of free software Android apps. Reproducible builds means it is possible to make a strong link between the actual app running on our devices, and the source code which they were built from. When the source code has been thoroughly inspected and is trusted, it is then possible to apply that same trust to the install binary. This project will make this stack much easier for other people and organizations to deploy and use on a daily basis. This allows organizations to run rebuilders to confirm that the releases available on f-droid.org or any F-Droid-compatible repository exactly match the source code. 
The resulting data can then be automatically consumed by the client app so it can communicate to the user that it was confirmed as a reproducible build. >> Read more about Reproducible F-Droid Reproducible-openSUSE — Reproducible distribution of openSUSE rolling release The Reproducible-openSUSE project is creating a proof-of-concept of a general-purpose Linux distribution based on openSUSE-Tumbleweed. By employing reproducible-builds, it allows independent verification that all its binaries correspond to the sources. This greatly reduces the amount of trust that users need to place in the build infrastructure. It is not only a proving-ground, but also a staging-area for upstreaming changes to make them useful to millions of users. >> Read more about Reproducible-openSUSE pcb-rnd, sch-rnd — Open source EDA suite Ringdove EDA is a modular, portable Electronics Design Automation toolkit mainly targeting the Printed Circuit Board design workflow. The two flagship projects in Ringdove are sch-rnd (schematics capture) and pcb-rnd (printed circuit board editing). Because of the modular layout of the code and the active management of dependencies, both projects are highly portable, both in time (old, present and future systems) and in workflows (interactive graphical design or interactive command line usage or headless automated processing). Ringdove also strives to support file formats of other EDA software, especially for loading proprietary formats, making existing/legacy hardware designs more accessible to the Open Source community. >> Read more about pcb-rnd, sch-rnd Rotonda Secure Extensions — Implement BGPSec in Rust and integrate into Rotonda Rotonda is a modular routing project that brings BGP observability and easy BGP provisioning to networks. Its aim is to improve the safety and security of the inter-domain routing system. In this particular effort we will build two features that will help us further the goal of security and safety. 
First, we will implement BGPsec as a first-class citizen in Rotonda. BGPsec is a standardised protocol for securing routes in the inter-domain routing system. As far as we know Rotonda will be the first open source routing software that supports BGPsec out-of-the-box. Second, we will implement a run-time configurable plug-in system for Rotonda, that will not only increase its modularity and extensibility, but also its usability. >> Read more about Rotonda Secure Extensions WWW SCION — Path-aware web server/proxy deployment and browsing The WWW SCION project aims to bring innovation to web applications by enabling seamless SCION support to the web ecosystem. SCION is a clean-slate, more secure, and robust path-aware Internet architecture designed to provide route control, fault isolation, and explicit trust information for end-to-end communication. The main outcome of this project will be a full software suite for path-aware web browsing that can be easily adopted by network operators to make their web resources available on the SCION network. To do so, this project will develop (1) a production-grade reverse proxy, which enables web resources to be accessed via SCION, and (2) much improved client-side support. This will have an immediate impact on thousands of users who are already connected to the SCION infrastructure, allowing them to access next-generation network features such as expressing path-selection policies that implement their preferences. For instance, a web user could avoid traversing ASes (Autonomous systems) in certain regions when accessing their e-banking website. Another example from which users may benefit is using distinct paths depending on the web resources. In this case, the server could make use of a high-bandwidth path to increase the throughput when loading a large resource, while it could use a low-latency path for a latency-sensitive resource, e.g., a server control message. 
>> Read more about WWW SCION SDCC — Small Device C Compiler for 8-bit microcontrollers The Small Device C Compiler (SDCC) is free and open source software for 8-bit microcontrollers. While such 8-bit microcontrollers might seem like outdated technology (most of the popular chips sold today use 32 bit or 64 bit solutions), the fact that there are fewer transistors to fire up with every cycle means there are quite a few basic use cases where 8-bit systems might very well remain the most energy-efficient option despite . SDCC is competing head to head with various proprietary compilers - such as Keil, IAR, Cosmic, Raisonance. The tasks in this project will significantly boost the capabilities of SDCC and give developers a more mature tool to design for, e.g., eco-friendliness. The project will deliver various improvements in SDCC, in order to make it more complete and competitive in terms of features and workflow. >> Read more about SDCC SIP RELOAD — REsource LOcation And Discovery, a peer-to-peer (P2P) signaling protocol SIP is a mature internet technology to establish sessions of any type across the internet. RELOAD stands for REsource LOcation And Discovery and is a peer-to-peer (P2P) signaling protocol standardised in IETF that provides its clients with an abstract storage and messaging service between a set of cooperating peers that form an overlay network. RELOAD defines a security model based on a certificate enrollment service that provides unique identities. NAT traversal is a fundamental service of the protocol. The goal is to implement a P2P communications network based on IETF standards that allows people to communicate securely without the traditional interposed third parties like SIP service providers. 
This is done both by establishing direct encrypted channels between the participants as well as using digital identities based on X509 certificates to identify the participants in a conversation, which will prevent third parties from inserting themselves into the conversation by attempting to impersonate one of the participants. The outcome would be a working RELOAD implementation, with a functional backend for connecting and discovering peers based on their identity which is backed by an email address that will then also function as a working SIP address. >> Read more about SIP RELOAD Cell broadcast support for the Linux Mobile Stack — Implement SMS-CB for emergency messages on Linux Cell broadcast is the capability of the mobile network to send messages to multiple mobile devices in an area. It is the common way to alert users about disasters and emergencies. Phosh is a user friendly, graphical interface for Linux based mobile phones using GTK, GNOME and the wlroots compositor library. It uses ModemManager for its mobile broadband connections. ModemManager is used on Linux systems to control mobile broadband devices and connections. The aim of this project is to add cell broadcast support to ModemManager and the necessary UI elements to Phosh so cell broadcast messages sent to devices running this platform can be properly received and displayed. >> Read more about Cell broadcast support for the Linux Mobile Stack Software Heritage listers + tooling — Performance improvements and new listers/tooling for Software Heritage Software Heritage's ambition is to collect, preserve, and share all software that is publicly available in source code form. The platform currently lists and loads more than 200 million free and open source projects. One of the bottlenecks for collecting sources is the speed at which these can be collected. 
We want to address performance improvements on data discovery and ingestion through the usage of the PyPy interpreter, which should help in reducing CPU-bound work in highly repetitive areas of the Python code responsible for data analysis and validation. To expand the list of existing source code origins we will create new listers and loaders for Dlang, Julia and Elm package managers. >> Read more about Software Heritage listers + tooling SeedVault Integrity — Add integrity checking and WebDAV support to SeedVault Android backups SeedVault Backup is an independent open-source app data backup application for Android and derived mobile operating systems. By storing Android users' data and files in a place the user chooses, and by using client-side encryption to protect backed-up data, SeedVault offers users maximum data privacy and resilience with minimal hassle. SeedVault uses Android's storage access framework (SAF) to read and write encrypted app data. This allows it to back up and restore application data on a wide range of platforms (such as Nextcloud) and even USB flash drives. The project will improve the current implementation to allow storing files also on generic WebDAV-based storage without the SAF abstraction layer for improved performance and reliability. It will be possible to decide what apps and files should be restored and to verify the integrity of the backups made. >> Read more about SeedVault Integrity SelfPrivacy — Reproducible self-hosting stack based on NixOS Self-hosting can be a challenge even for a professional, let alone an unprepared user. SelfPrivacy is a free application that helps you set up and manage your self-hosted services. The goal of the project is to create an accessible tool that gives everyone an opportunity to create their own self-hosted infrastructure. SelfPrivacy supports multiple platforms and to use it, all you need is to register with a provider and copy the access token into the application. 
SelfPrivacy will set up the system, domain, DNS and install open source services such as E-Mail, Nextcloud, Jitsi, etc. SelfPrivacy automates the entire lifecycle: provisioning, updates, configuration changes, monitoring, backups and space management. >> Read more about SelfPrivacy #Seppo! — Portable ActivityPub implementation Posting and liking self reliantly and still have a life. #Seppo! empowers you to publish short texts and images to the internet as easily as using an online service but retain full agency and responsibility. What you publish is solely subject to public law. No 3rd parties hold a stake, nobody else imposes any rules on you. This is because you publish on your own property. Which is possible because housekeeping is no more than the known follow/unfollow/block/unblock content moderation of your own single account. You do that by yourself. There are no scripting engines or databases, no technical updates required. You can focus solely on the message to deliver. You build an online presence on your own digital property, robust for decades if you decide so. #Seppo! is built on mature web standards (e.g. ActivityPub), a European technology stack, inspectable plain-text storage, is security aware and decentralised. It is made for but not limited to off-the-shelf static webspace as offered by numerous vendors all over the EU. #Seppo! targets individuals and small organisations joining the #Fediverse with max. 10k followers, optionally cross-posting to the closed platforms. >> Read more about #Seppo! Servo — Independent Rust-based browser engine Servo aims to provide an independent, modular, embeddable web rendering engine, allowing developers to deliver content and applications using web standards. Servo is written in Rust, taking advantage of the memory safety properties and concurrency features of the language. As part of this project we'll add support for more CSS features to the Servo layout. 
The main areas of work on this project would be support for floats, writing modes and tables; which will increase the number of web pages and applications that render properly in Servo. >> Read more about Servo Servo CSS — CSS feature parity for Servo browser engine Servo is a web rendering engine written in Rust, with WebGL and WebGPU support, and adaptable to desktop, mobile, and embedded applications. Built with safety, speed, and concurrency in mind, Servo showcases the potential of Rust for modern web development. Servo's modular design allows for easy adaptation to various use cases. As part of this project we'll continue the work on adding support for more CSS features to the Servo layout. The main areas of work would be to finish Tables and Flexbox support; which will increase the number of web pages and applications that render properly in Servo. >> Read more about Servo CSS SiCl4 — Tool for interactive reverse engineering of digital logic. SiCl4 (silicon tetrachloride) is a tool for reverse-engineering digital logic designs. Starting from an FPGA bitstream or other types of netlists, this tool will assist users in interactively recovering higher-level structures. Algorithms will help with tasks such as finding shared subcircuits or identifying known patterns such as adders, counters, comparators, state machines, etc., so that the user can focus on understanding the higher-level functions of the target design. SiCl4 will be scriptable in order to allow for easy extension, and it will also integrate with the existing open-source EDA ecosystem. >> Read more about SiCl4 Silicon verification — Non-destructive, in-situ inspection of physical chips The global nature of supply chains presents an existential question for the trustworthiness of hardware: how do I know the chips in my device are genuine and pristine? 
Trusted domestic fabs only solve a facet of the problem: after a silicon wafer leaves the fab, it criss-crosses the globe multiple times as it is packaged, tested, and assembled into an end user product, presenting a huge attack surface for post-fab substitutions and alterations. The \"Silicon Verification\" project lays foundations for high resolution end-user, direct, and non-destructive optical inspection of chips. Our research aims to create a set of techniques for hardware packages that fill the analogous role of \"digital signature verification\" for software packages: a ubiquitous method to establish trust in a package, after it has been delivered to the user. >> Read more about Silicon verification FuSa proven Slint — Certifiable functional safety for Slint UI toolkit Functional safety (FuSa) is a core requirement in domains like automotive industry, the medical sector, and aerospace. For safety-critical systems often certifications for entire solutions are part of the regulatory requirements before a solution may be deployed, including all free and open source components which are part of such a solution. The entire solution often also includes graphical user interface elements as well, meaning of course that any underlying frameworks for developing GUIs need to be functional-safety-proven to even be considered. Slint is a versatile declarative UI solution written in Rust. Rust's strong guarantees of memory safety and thread safety make it a suitable language for developing applications that require Functional Safety (FuSa) certification. The goal of this project is to make Slint compliant with the requirements for certification, making it into a compelling option for building robust graphical user interfaces requiring functional safety. Having FOSS solutions opens up the door for trustworthy and user friendly tools within industry - open for scrutiny and wide reuse. 
>> Read more about FuSa proven Slint Solid Compound — A software library/framework to simplify designing for W3C Solid Solid Compound is an innovative library designed to streamline the integration of web applications into the Solid ecosystem. It provides functionality to Solid App developers to make their Solid Apps usable without end-users needing a Solid Pod or a WebID. This lowers the barrier of entry for new end-users and allows everyone to use newly crafted and innovative Solid applications. Solid Compound offers a hybrid data storage approach, allowing for data to be stored either in the application's datastore (but Solid-ready) or in the user's Solid pod. It also enables user authentication (either done by the application or Solid-OIDC). This merging of traditional web development with Solid-compatible systems also extends the functionality to include a feature that enables data and identity migration from an application's datastore to a user's pod when they are ready. The hybrid approach ensures a smooth transition towards a more decentralized web, while simultaneously broadening the reach of Solid developers to users who may not yet be familiar with the Solid ecosystem. >> Read more about Solid Compound Solid Data Modules — Improve data accessibility and prevent data corruption in Solid Pods The Solid Project enables a \"Bring your own Data\" architecture, but this is only useful if apps understand the data they find on the pod. Client-client specs are the crucial but underdeveloped core part of the Solid project which needs urgent attention now. Solid Data Modules will build on the existing remoteStorage modules work and the Solid Application Interoperability spec. They will support the data types already documented in the PDS Interop (https://pdsinterop.org/conventions/overview) and Shaperepo (https://shaperepo.com) initiatives. 
Apart from making data more easily accessible, reliably updating index files, and preventing data corruption, the Solid Data Modules will also automatically show the app developer which fine-grained Data Grants to request. That way, we hope to finally stop the bad practice of even demo apps that request root access to your pod. >> Read more about Solid Data Modules Solid Application Interoperability — Interoperable Data sharing flows and discovery for Solid Solid Application Interoperability specification details how Agents in the Solid ecosystem can read, write, and manage data stored in a Solid pod using disparate Applications, either individually or in collaboration with other Agents. Solid is a specification that lets people store their data securely in decentralized data stores called Pods. Pods are like secure personal web servers for data. When data is stored in someone's Pod, they control which people and applications can access it. Solid Application Interoperability provides a clear way to create intuitive data boundaries and higher level patterns to manage access to that data following the principle of least privilege. The focus of this project is on three parts: i18n for the Authorization Agent, data sharing flows and verifying WebID of social peers. >> Read more about Solid Application Interoperability Solid Usable App Tools Project — Improve developer experience for W3C Solid The Solid project is one of the best known efforts promising to bring individual data ownership to the people of Europe and the world. While Solid has many use cases, a common example is an alternative to Facebook, Instagram, and Twitter where a user can own their own social media data. But, Solid's current specification, implementations, and developer tools are not yet able to support a full-fledged social media alternative. 
This project will aid the ongoing specification and developer tool development for Solid by filling in the gaps that are currently preventing a \"home-run\" app from being created on Solid. Particular areas of concern for this project are: Authentication for Mobile Apps and Bots, Real-Time Notifications, and Easier Devtools (which also caters for developers who lack much prior knowledge of linked data). In addition, the project will produce a tutorial series to make developing apps on Solid as easy as learning how to use more mainstream technologies like React. >> Read more about Solid Usable App Tools Project Space Tube — Group-to-group instant messaging Space Tube is a service utilising the Matrix protocol to allow groups to communicate with other groups. A group member adds the Space Tube bot to their shared chat platform e.g. discord server, slack organisation, element space etc, then they can create a channel (or tube) that sends messages to and from another group's chat platform. This allows groups to form relationships as groups that don't rely on individual people within those groups connecting them together. These group relationships can then scale to much larger directly participatory structures. This project will automate the process of creating tubes so that it can be done in a few seconds by a non-technical user. It will also expand tube functionality by allowing tubes to connect more than two groups at once and providing links to a graphical interface to support more complex group interactions such as agreeing to proposals or sharing resources. >> Read more about Space Tube Spectrum Applications — Add running graphical applications to the compartmentalized desktop OS Spectrum Spectrum is a project that aims to develop a secure, compartmentalized desktop operating system with security and usability improvements over other existing implementations. This project will improve Spectrum's support for running graphical applications. 
Currently, users have to manually create virtual machines by laying out a configuration directory themselves (or using a helper Nix function). Running a new application often requires some customisation work on the VM to set up the environment suitably for the application to run and defining access controls - and there is no facility to create a VM on the fly. After this project is done, the system will be able to automatically start VMs on the fly for applications packaged as AppImages, and applications will be able to dynamically request access to files using the existing XDG Desktop Portals interface that is already implemented by major toolkits (so File→Open… will just work in unmodified applications, with the user able to select from all their files without the application being able to see them). The foundations will have been laid to go on to support applications packaged in other ways, such as Flatpak (which could be follow-up work, should this initial stage be successful). >> Read more about Spectrum Applications Squishy — SCSI multi tool and gateware library Squishy is a SCSI multi-tool aimed at long term access to computer systems and equipment. It accomplishes this by having capable hardware combined with an extremely flexible software ecosystem, allowing Squishy to act not only as nearly any device under the sun, but also as a SCSI bus initiator with high flexibility. This enables it to be used for archival work to interact with obscure or arcane hardware to read magnetic tapes, or allows modern systems to interface with and control older, but still reliable and used lab and scientific equipment. Squishy is currently in its second prototyping phase, after lessons were learned from the first revision of the hardware. This involves a full redesign to grant it more capabilities and serve as a more solid foundation. 
The end goal is a relatively small fully compliant device for multiple SCSI standards along with a robust software ecosystem, allowing for it to speak to any equipment be it a SCSI-1 tape drive, or an ULTRA-320 SCSI-based data acquisition system. >> Read more about Squishy Stalwart Mail Server — Robust full featured mail infrastructure in Rust Self-hosting an e-mail server is notoriously difficult. While privacy is a top concern for many individuals and businesses, the complexities of self-hosting a mail server often outweigh the benefits, leading many to choose to sacrifice some privacy and pay a third-party provider to manage their email instead. One of the key challenges of self-hosting an email server is the outdated and complex nature of most available open-source mail server software. Stalwart Mail Server is an open-source email server written in Rust that aims to help modernize, democratize, and promote decentralization of email. The server offers a robust and privacy-focused solution that is easy for individuals and businesses to set up and maintain on their own. Stalwart Mail Server consists of three components: a JMAP server, an IMAP4 server with support for ManageSieve as well as many extensions, and an SMTP server with support for DMARC, DKIM, ARC, and SPF. The server does not require any external software or databases to run and can easily scale to multiple servers thanks to its native Raft support. Furthermore, the use of Rust in Stalwart Mail Server allows it to offer improved performance, safety, and concurrency compared to other solutions, making it a versatile and robust choice for those looking to self-host their own email server. >> Read more about Stalwart Mail Server Stract — Explorative search engine Search has become an intrinsic part of the way we explore the web. Sadly as of late, most of the current search engines fail to live up to this responsibility. 
Stract is a fully open source, independent and user-centric search engine for the web. In short, our goal is to do web search right. The funding from NLnet will be used to improve the performance of our index, improve the performance of our web graph, add a live index for news articles and blog posts and finally improve our currently insufficient documentation. >> Read more about Stract StreetComplete/AllThePlaces — Ingest data from AllThePlaces into StreetComplete This project will contribute to more accurate data about shops and other businesses in OpenStreetMap, by suggesting to mappers the places where shops might be missing. The detection of places where a shop may exist but nothing is mapped in OpenStreetMap will be powered by the All The Places project, which crawls store location webpages across many businesses. Mappers will thus be able to quickly add a shop to OpenStreetMap, after adjusting location as needed. >> Read more about StreetComplete/AllThePlaces TISG trustable image sensor gateware — FPGA based camera providing encrypted video streams The TISG project is set to develop a groundbreaking open-source, FPGA-based camera system, focusing on the implementation of the MIPI-CSI2 standard for connecting a wide range of image sensors to FPGAs. The development process involves leveraging open-source FPGA tools and formal verification methods to ensure robust security and functionality. The primary purpose is to create a secure, versatile, and accessible video processing platform that addresses current security vulnerabilities in video-based systems. By eliminating reliance on proprietary software and enabling formal hardware verification, the project aims to significantly reduce the risk of backdoors and cyber threats. The general public will benefit from enhanced security in areas like home surveillance, public safety, and infrastructure monitoring. 
Additionally, the open-source nature of the project promotes innovation and inclusivity, allowing developers worldwide to contribute and extend the technology. This democratization of advanced video processing technology not only fosters global collaboration but also paves the way for further advancements in various fields reliant on reliable and secure video technology. >> Read more about TISG trustable image sensor gateware TOS;DR OTA backend — Integrate Terms of Service;Didn't Read with Open Terms Archive Open Terms Archive is a digital common that produces (since 2020) datasets of the evolution of contractual documents (Terms of Service, Privacy Policy…) over time, enabling analysis and comparison. It aims at shifting the power balance from big tech actors towards researchers, end users and regulators. The “Terms of Service; Didn't Read” (ToS;DR) project enables (since 2011) crowd-reading and rating of these same contractual documents. These documents are obtained from the web with a dedicated engine that stores them in a private database and suffers from lack of maintenance. The goal of the effort is to replace the historical ToS;DR crawler with the public Open Terms Archive datasets, thus increasing the reliability and auditability of the source data, since the annotations will be based on public datasets produced by replicable instances instead of being based on a one-off database used only by ToS;DR itself. This will also enable establishing a common data format for annotating documents. >> Read more about TOS;DR OTA backend GNU Taler wallet app for iOS — Mobile GNU Taler payments for portable Apple devices GNU Taler (Taxable Anonymous Libre Electronic Reserves) is a privacy-preserving electronic instant payment system that is fully free software. It uses electronic coins stored in wallets on customer’s device. Coins are like cash. Users can use Taler to pay in existing currencies (i.e. 
EUR, USD, BTC), or use it to create, for instance, new regional currencies. The Taler wallet is currently available as a browser-based WebExtension and as an Android app, but not yet as an iOS app. This project will develop a user-friendly and accessible iOS wallet app for the GNU Taler payment system. With the iOS Taler wallet app, users will be able to make payments with their iPhone -- similar to how they would use proprietary payments systems like Apple Pay. >> Read more about GNU Taler wallet app for iOS TerosHDL: OSS, GHDL, NVC — IDE with support for Open Synthesis Suite and GHDL/NVC simulators TerosHDL is an open-source graphical IDE tailored to FPGA/ASIC development. The goal is to empower engineers, hobbyists, and students to easily engage in RTL design, fostering innovation and growth in the field. TerosHDL serves as a comprehensive platform, supporting RTL design, synthesis, simulation and common code edition (linting, formatting, etc). In this project, TerosHDL will incorporate support for a number of additional powerful RTL design tools: Yosys, GHDL, and NVC. This will give users an interface which is friendly to first time users, equipped with real-time feedback and debugging capabilities. This further streamlines the chip design process, enhancing efficiency and making RTL design more accessible and productive. >> Read more about TerosHDL: OSS, GHDL, NVC Threshold OPRFs — Bringing the power of Threshold OPRFs to the people \"Bringing the power of Threshold OPRFs to the people\" is a project trying to jump the gap between academic research and robust free software implementations. Oblivious Pseudo-random Functions (OPRFs) and Threshold constructions bring some very interesting and strong security properties that go beyond the state-of-the-art. 
Besides low-level implementations, reusable libraries, servers, and command-line clients, also concrete applications will be delivered, such as password and secret storages, encrypted data-at-rest, authentication, and secure channel setup. >> Read more about Threshold OPRFs Topola — Topological (rubberband) router for printed circuit boards Topola is an open-source topological (rubberband) router for printed circuit boards (PCBs). Unlike traditional maze routers, topological routers like Topola are not constrained by a grid or 45° angles, allowing for more efficient circuit board layouts (denser arrangement of components and traces, lower crosstalk, reflection, and electromagnetic interference). The goal of the project is to develop a dutifully maintained engine for interactive and automatic routing that can be used both as a standalone application and reusable software library integrated in popular open-source PCB electronic design automation (EDA) packages, giving designers a tool for developing high-quality open hardware designs without having to pay for expensive proprietary software. >> Read more about Topola Tracking weasel — Detect privacy violations in mobile apps Privacy and data protection are fundamental rights and already well protected by legal frameworks in the EU. Yet, tracking—often without consent—is ubiquitous and often unavoidable. While tech-savvy users can defend themselves against that to a certain degree with tools like tracking blockers, we want to attack the problem at its root to make the web safe for everyone, regardless of expertise. With this project, we want to build infrastructure to detect privacy violations in apps on Android and iOS and crowdsource complaints against this behaviour with the data protection authorities. The result will be a web app where users can select an app from the app stores, which we will then download and run in an emulator or on an actual device. 
We will analyse the apps’ network traffic and detect privacy violations not just based on server connections but the actual data being transmitted. We will also check any consent dialogs. The website will then show a report to the user and, depending on the results, give them the option to generate a complaint under the GDPR and ePrivacy Directive, complete with the collected evidence from the analysis in the form of screenshots and traffic dumps. >> Read more about Tracking weasel TrenchBoot for AMD platform in Linux kernel — Upstream TrenchBoot AMD support to the Linux kernel TrenchBoot is a framework that allows individuals and projects to build security engines to perform launch integrity actions for their systems. Trenchboot is a unified framework to verify if bugs or vulnerabilities have compromised a system, based on dynamic RTM (DRTM). The framework builds upon Boot Integrity Technologies (BITs) that establish one or more Roots of Trust (RoT) from which a degree of confidence that integrity actions were not subverted is derived. A previous effort successfully developed support for DRT technologies for AMD platforms in the Linux kernel. This project intends to upstream TrenchBoot support to the mainline Linux kernel and to the widely used GRUB boot manager. >> Read more about TrenchBoot for AMD platform in Linux kernel Trenchboot as Anti Evil Maid — Integrate Trenchboot into Qubes OS as defense mechanism against physical compromise Enhancing the security measures of Qubes OS is the primary objective of this initiative, which involves integrating the TrenchBoot Project into the Anti-Evil Maid (AEM) implementation. Traditional firmware security measures, such as UEFI Secure Boot and measured boot, have limitations that can be overcome by leveraging Dynamic Root of Trust (DRT) technologies and TPM 2.0. TrenchBoot provides a secure environment for operating system launch and integrity measurements, ensuring greater protection. 
The project aims to extend support to both Intel and AMD hardware, addressing the current lack of TPM 2.0 support and AMD compatibility in the AEM implementation. Key objectives include implementing TPM 2.0 support in Xen, updating AEM scripts, and ensuring seamless integration with AMD hardware. The successful execution of this initiative will significantly enhance the security of Qubes OS and promote the adoption of DRT technologies in open-source and security-oriented operating systems. Thorough testing on various hardware configurations will validate the solution's effectiveness and reliability. >> Read more about Trenchboot as Anti Evil Maid UEFI Capsule Update for coreboot with EDK II — Implement more robust firmware updates in coreboot UEFI capsule update is an industry-standard approach widely supported by hardware vendors, providing a secure method for delivering firmware updates. By adopting capsule update methods, the project aims to simplify the update process and enhance the user experience, providing a more reliable approach compared to complex flashrom-based updates, which are still common in the open-source firmware distributions based on coreboot. Due to security measures, OS-level access to firmware is intentionally restricted, which in turn makes it increasingly challenging to apply firmware updates from the operating system. This limitation poses difficulties in utilizing traditional flashrom-based methods for firmware updates. The expected outcomes of the project include enhanced firmware update capabilities, a simplified user experience, heightened security, and enhanced compatibility, all achieved by seamlessly integrating with fwupd, a popular firmware update management tool for Linux systems. 
>> Read more about UEFI Capsule Update for coreboot with EDK II UberDDR3 — Open Hardware DDR3 memory controller UberDDR3 is set to transform the landscape of open-source technology as this will be above and beyond any previous open-sourced DDR3 controller gatewares. This aims to unlock the full potential of DDR3 memory, aligning with the latest technological needs. We are dedicated to enhancing compatibility across diverse memory types and reaching higher speed. By integrating innovative features such as on-the-fly configuration, thermal management, ECC integration, and self-refresh mode, our goal is to elevate this open-source gateware to rival the performance of proprietary DDR3 controllers. This endeavor will empower the open-source community, ensuring that dependence on proprietary DDR3 controllers becomes a thing of the past, and setting a new benchmark for open-source hardware capabilities. >> Read more about UberDDR3 Reverse Engineering Toolkit — Reducing e-waste through Reverse Engineering According to the Global E-waste Statistics Partnership (GESP), electronic waste is estimated to increase to 74.4 Million Tonnes by 2030. A strong factor in the continuing increase of e-waste is the electronic industry artificially shortening the lifespan of their devices. Planned obsolescence, the inability to repair and abandoned software support all contribute to devices prematurely ending up in a waste stream. Older high-end consumer electronics devices have powerful components that, once open schematics, firmware and documentation have been created for them through reverse engineering, can be repurposed to create new and different devices. 
To meet this aim, Unbinare is creating an open hardware reverse engineering toolkit consisting of the OI!STER (a tool for debugging and glitching MCUs), the UNBProbe (a passive, spring-loaded needle probe for probing PCBs), the UNBProbebase (a magnetic base with a prototyping area) and a breakout board - which allow components salvaged from e.g. discarded mobile phones to be repurposed. >> Read more about Reverse Engineering Toolkit Enhancing vula with IPv6 and REUNION rendezvous — IPv6, hybrid post-quantum improvements & REUNION support for Vula With zero configuration, Vula automatically encrypts IP (v4) communication between hosts on a local area network (LAN) in a forward-secret and transitionally post-quantum manner to protect against passive eavesdropping. When the local gateway to the internet is a Vula peer, internet-destined traffic will also be encrypted on the LAN. With simple verification using QR codes or other peer verification methods, Vula is also able to disrupt active surveillance adversaries. Vula combines WireGuard for forward-secret point-to-point tunnels with cryptographically enhanced mDNS and DNS-SD for local peer discovery. Vula enhances the confidentiality of WireGuard tunnels by using CSIDH as provided by highctidh, a post-quantum non-interactive key exchange primitive, to generate a peer-wise pre-shared key for each tunnel configuration. Vula avoids the need for any Single Point of Failure (SPOF) such as a trusted third party. Vula is equally functional on otherwise air-gapped networks. >> Read more about Enhancing vula with IPv6 and REUNION rendezvous DeltaChat/WebXDC — Portable private apps that can be shared in e.g. chat Webxdc is a fresh and still evolving effort to explore \"private apps\", essentially 'portable' web apps through which users can interact in any number of ways outside of the traditional client-server paradigm, e.g. over E2EE chat. 
These mini-apps offer interesting interaction patterns -- without any dependency on centralised infrastructure, additional logins etc. It grew from Delta Chat, a highly innovative solution that uses secure email-based communication technology for social networking, protected with OpenPGP/Autocrypt. The project will further develop the concept of Webxdc apps, and make it for instance possible for users to make data portable (which is currently not possible due to missing security controls for that). >> Read more about DeltaChat/WebXDC webxdc PUSH — Towards a usable, interoperable and trustworthy web app ecosystem Webxdc PUSH advances a new paradigm for writing and distributing web apps, majorly improving interoperability, usability, reliability, trustworthiness and interactivity of chat-shared web apps (webxdc) across messengers and platforms. PUSH enables webxdc app developers to use new P2P real-time messaging facilities, new notification, deeplinking and context APIs, majorly leveling up the cross-messenger webxdc effort and specifications. >> Read more about webxdc PUSH WebXDC XMPP — Standardisation effort for WebXDC integration in XMPP WebXDC is a fresh and still evolving effort to explore \"private apps\", essentially 'portable' web apps through which users can interact in any number of ways outside of the traditional client-server paradigm, e.g. over E2EE chat. Originally developed for Delta Chat over SMTP, we will bring the latest version of this experience to the XMPP ecosystem, including a standardized interchange format for other XMPP clients to use, and a gateway for communication with existing Delta Chat WebXDC users. >> Read more about WebXDC XMPP Whisperfish — Cross-platform mobile client for Signal and derivatives Whisperfish is a third-party open source client for the popular Signal instant messaging network. Whisperfish is in an advanced beta stage, and is available for SailfishOS. 
In collaboration with the Axolotl project, within this project we aim for implementing full-fledged clients for various mobile operating systems. >> Read more about Whisperfish WireGuard on FPGA — FPGA implementation of Wireguard protocol written in SpinalHDL This project will do an open hardware implementation of the WireGuard VPN protocol. The data plane with symmetric cryptography is implemented in HDL and should be able to handle 100 Gbit/s IP/Ethernet, whereas the asymmetric handshake is implemented on VexRiscv with accelerators and will be capable of maintaining thousands of concurrent connections. An off-the-shelf FPGA card handles the full protocol transparently: Ethernet/Ethernet or Ethernet/PCIe with one side ciphered and the other side plaintext. >> Read more about WireGuard on FPGA Wolvic — Web browser designed for use in XR devices Everybody will meanwhile have come across people wearing strange glasses, immersed in a world beyond the here and now. But what are they looking at, and how does the web fit in there? Wolvic is a web browser dedicated to work with virtual reality (VR) and enhanced reality (XR). The goal of this project is to add a number of important features such as VR peripheral awareness (placing contextual information on the edge of the user's vision) and spatial reasoning (3D representation of navigation-related information) to the Wolvic browser. Wolvic is the only open source browser available in the XR space, and as such any device maker or other third party can create their own version of Wolvic to explore the burgeoning XR space. >> Read more about Wolvic Wolvic User Interface — Flexible windows, tabs, zooming and web rendering in Wolvic Wolvic is an Open Source Web browser developed for XR (Extended Reality) devices, focusing on delivering both traditional web browsing and immersive experiences across multiple platforms. 
Led by Igalia, with its significant expertise in browser engine development and standards organizations, Wolvic aims to broaden the accessibility and functionality of web browsing in the XR space. This project will further the development of Wolvic by improving its user experience and adding support for more content, standards, and platforms. We will enhance the flexibility of window management, improve browsing functionality like tabs and zoom, and refine hand tracking and related features in the 3D space. Although Wolvic currently uses the Gecko browser engine, its architecture is designed to be independent of any particular engine; for improved support and performance, we will integrate the Chromium engine and make available a Chromium-based version of Wolvic alongside the existing Gecko-based one. Furthermore, we will extend compatibility to new device formats, such as lightweight Augmented Reality (AR) glasses. Finally, we are enhancing our support of AR experiences on the Web and implementing the WebPayments standard for secure online transactions. >> Read more about Wolvic User Interface Event Federation Plugin for WordPress — Add ActivityPub to events created with most common WordPress event plugins Freedom in announcing events. The WordPress Event Federation plugin allows events created in WordPress with the most popular event plugins to be seamlessly published to Fediverse via ActivityPub. The core problem is that events need to be discoverable, listable and subscribable by potential visitors. Since organisers' personal websites do not meet this requirement, most of them publish their events on multiple (commercial) platforms, which results in people searching for events being tied to these platforms. Currently, many to most event organisers use WordPress to run their own website. With this plugin, they can make their events even more visible without changing their workflow. 
At the same time, they gain data sovereignty and independence from traditional search engines and platforms that give less control over how content can be filtered. The goal is to realise typical use cases, such as server-to-server federation with Mobilizon instances, or another example: to allow Fediverse users, such as those of Mastodon, to follow events directly from the organisers. >> Read more about Event Federation Plugin for WordPress XR Fragments — Discover, reference, navigate and query 3D online content After the hype of early (and proprietary) virtual reality technologies like Second Life cooled down, there is recently a renewed push towards the “3D” web which uses virtual reality technologies (also marketed under new brand names like \"Metaverse\"). While many technological building blocks are meanwhile available, seamlessly surfing the 3D web however seems quite far away still for a simple reason — browsers exit fullscreen/WebXR mode when switching web addresses, essentially removing the immersive experience when navigating. While such a limitation comes from obvious security considerations, it also pushes VR/AR-Headset owners into walled gardens for a more pleasant experience. XR Fragments is developing a simple public protocol for networked 3D webrings to discover, reference, navigate and query 3D online content (read-only). This makes it possible to enable immersive 3D navigation, liberate 3D content from being locked away inside games / walled gardens and to query objects inside 3D asset files, without the need of serverside backends. 
>> Read more about XR Fragments Yrs weak links — More efficient CRDT by interconnecting and synchronising data structures inside documents Yrs weak links project aims to extend existing implementation of Yjs/Yrs - one of the most popular free and open source libraries for building collaborative peer-to-peer applications - with new primitives such as cursors allowing for a seamless integration with rich text editors, and an ability to cross-reference and react to changes occurring in different parts of an application: be it for display or other evaluation purposes like referencing cells in spreadsheet calculations. All of these will be possible while preserving eventual consistency in an environment where applications need to be operable and accept changes coming from many different users even when offline or when the standard Internet access is not available. >> Read more about Yrs weak links Bcachefs — Next generation file system bcachefs aims to be a next generation Linux filesystem, with a fully modern featureset and vastly improved performance, scalability and reliability as compared to other next generation filesystems. Additionally, we aim to improve upon the state of the art in a number of areas such as extensibility, which will aid in development in other areas that have historically had to reinvent technology that already exists in local filesystems (distributed systems), repairability (online check and repair, self healing), and ease and correctness of development with the use of Rust. >> Read more about Bcachefs Cpdf Accessibility — Implement PDF/UA in cpdf The Cpdf accessibility project extends the popular open-source PDF processing tool Cpdf to support PDF/UA (ISO 14289), the standard for accessible PDF. PDF/UA helps those with disabilities who use screen readers and other tools to navigate documents by tagging PDFs with metadata describing the logical structure of the content. 
Such metadata can also help all users by allowing reliable text re-flow, and better searching within documents. There is very little open-source tooling for accessible PDF at present, so this will represent a significant step forward. The work will involve adding functionality to Cpdf for the inspection and manipulation of existing PDF/UA files, and the creation of new ones from scratch. These tools will be useful to PDF/UA developers as well as to end users. >> Read more about Cpdf Accessibility cables.gl — Creative tool for graphics and 3D content Cables is a tool which allows people to create beautiful, interactive, visual web content without knowing how to type a line of code. Your work is easily exportable at any time, so you can embed it into your website, use it in an immersive VR experience, or integrate into other kinds of creative output. Cables patches can be published, shared, copied and remixed by the entire community. This allows people to constantly learn new things from each other. By developing a standalone version, that works outside of the browser, cables will open up even more for contributions from the open source community. It will be, at the same time, a development environment for contributors, and an offline version of the cables editor. As a side effect, using it with native modules on any major platform and operating system will open up a whole new area of how and where to use cables to create content. >> Read more about cables.gl Elliptic curve encryption speed-up using SIMD — Low-level instruction optimisation for curve25519-dalek & Arkworks This project aims to enhance the speed and security of elliptic curve cryptography using the Rust programming language, with a particular focus on mobile and IoT devices. Leveraging SIMD instructions, specifically ARM NEON, we can speed up elliptic curve cryptography in existing libraries such as curve25519-dalek with the goal to optimise encryption processes in software such as Signal. 
Additionally, we implement double-odd curves in Arkworks to bolster zero-knowledge protocols, and aim to abstract our optimisations to work on any CPU architecture and elliptic curve. By implementing improvements in these libraries, this project seeks to address the growing demand for efficient and secure cryptographic solutions, especially in mobile and IoT environments. >> Read more about Elliptic curve encryption speed-up using SIMD django-allauth — Versatile authentication for Django The goal of django-allauth is to offer a free, secure, well integrated, reusable authentication solution for the Django framework, covering all functionality related to local and social user accounts, multi-factor authentication, in various configurations, with flows that just work. By simplifying the complexities associated with user authentication, django-allauth empowers Django developers of all kinds to focus on building their web applications without compromising on the authentication features provided to their end users. >> Read more about django-allauth it — Radically decentralised version control with CRDTs The project summary for this project is not yet available. Please come back soon! >> Read more about it jaq — Implementation of jq in Rust with formal semantics JSON is a data format that is frequently used to publish Open Data. jq is a widely used programming language that allows citizens to easily process JSON data. There are several tools to run jq programs, including jq, gojq, and jaq. Of these three tools, jaq is the fastest (judging from several benchmarks), despite having the smallest code base. This project centers on improving jaq and the wider jq ecosystem: First, we want to advance the development of jaq, in particular to support more features of jq. Next, we want to make jaq more accessible, by creating JavaScript bindings for jaq. This will allow developers to integrate jaq into websites. 
Furthermore, this will allow users to run jaq from a browser, respecting their privacy by processing data on their machines. Finally, we want to create formal semantics for jq, based on jaq's execution approach. This will allow users to better understand how jq programs behave. >> Read more about jaq lib25519 for ARM — Add 64bit ARM optimisations to lib25519 Modern network protocols rely on elliptic-curve cryptography (ECC) to protect communication against espionage and sabotage. lib25519 is a new software library for the Curve25519 elliptic curve, including the X25519 encryption system and the Ed25519 signature system. Curve25519 is the fastest curve in TLS 1.3, and the only curve in Wireguard, Signal, and many other applications. So far lib25519 has exploited the features of Intel CPUs to provide top speeds for those CPUs, while meeting the security constraint of not leaking secret information through timing. This project will extend lib25519 to target 64-bit ARM CPUs, and in particular the Cortex-A53 CPU, which for instance powers the Raspberry Pi 3. >> Read more about lib25519 for ARM libspng APNG — Add Animated PNG (APNG) image read- and write support to libspng libspng is a modern C library for reading and writing images in the Portable Network Graphics (PNG) file format. Created from the ground up with security and ease of use in mind, it provides an alternative to the reference implementation and a migration path to a simpler API; an extensive test suite ensures interoperability. The goal of this project is to implement Animated PNG (APNG) support and make it a more viable alternative to the reference implementation. >> Read more about libspng APNG mCaptcha — Privacy-friendly Proof of Work (PoW) based CAPTCHA system Existing CAPTCHA systems expect visitors to identify objects to prevent spam, which makes the web inaccessible to persons with cognitive, auditory, and visual special needs. 
They log Internet Protocol (IP) addresses and use tracking technologies, like cookies, to track and profile their users across the internet. IP logging and cookie-based tracking are privacy-invasive, inaccurate, and impossible to use with anonymizing technologies like Tor and VPNs. Censors can abuse the opaque nature of these systems to prevent certain groups from accessing certain types of information. Independent testing for bias is not possible since the documentation doesn't exist for their methods and algorithms. mCaptcha is an attempt at creating a self-hosted alternative to reCAPTCHA and hCaptcha with a focus on privacy, transparency, user experience, and accessibility. mCaptcha’s Proof of Work (PoW) mechanism uses strong cryptographic principles that guarantee idempotency and transparency. mCaptcha doesn’t log IP addresses and doesn’t require tracking user activity across the internet. Censors can’t use mCaptcha to deny access to information without detection. Also, the PoW mechanism requires minimal user interaction to solve the CAPTCHA, which will significantly improve the accessibility of the web. >> Read more about mCaptcha mikroPhone — Open Hardware feature phone mikroPhone is currently a basic feature phone with extensible open source firmware. It is a fully open hardware device and it can easily be built in a home lab. It is intended to protect users' privacy to the highest possible level and to bring data sovereignty back to its users. This project focuses on further improvement of the basic phone device and integration of an ARM module that runs a GNU/Linux OS. Since the Linux module is entirely optional, it is not used for handling any critical functions of the device (e.g. cellular voice and secure VoIP calls, SMS messaging) and it can be powered up on demand. This would solve common problems of Linux smartphones such as poor basic phone functionality and short battery life. 
The goal of the project is to provide an option of enjoying a fully usable linux smartphone. >> Read more about mikroPhone mitmproxy — HTTP/3 Support and OS Proxy Mode for intercepting local proxy mitmproxy is a versatile tool for debugging, testing, privacy measurements, and penetration testing. It can be used to intercept, inspect, modify and replay network communication from websites and mobile applications. This project is about the development of two new major features to mitmproxy: HTTP/3 Interception and a new OS proxy mode. With an increasing number of apps using the HTTP/3 protocol to communicate, we are adding support for it in mitmproxy so that it can be observed just as well as other protocols. For the second part of this project, we will be adding a new operating mode that makes it possible to inspect applications running on the user's device with a single click. These features collectively empower users to gain insights into what data their own devices are sending out. >> Read more about mitmproxy Improvements for next generation Linux firewalling — Netfilter kernel improvements, user space tools and testing This project comprises a series of preventive and corrective actions as well as improvements for the next generation firewall software offered by the Netfilter project (https://www.netfilter.org) available in the Linux kernel, such as the enhancement of the set and map infrastructure, the resolution of existing limitations in the user space tool and libraries, enhancements to the filtering policy optimisation infrastructure, improved string match support and the extension of the test coverage for early detection of regression. 
>> Read more about Improvements for next generation Linux firewalling Strengthening NTP and NTS in ntpd-rs — Memory-safe implementation of IETF time standards including NTPv5 and NTS NTP is one of the building blocks of the internet, and it and its security improvements are, therefore, of vital importance for a safer internet. Over the last year, we have created a new implementation of the Network Time Protocol called ntpd-rs, which includes Network Time Security support. In this project, we will work on growing adoption and strengthening our implementation. On the one hand, that means expanding platform support, packaging options, and implementing improvements suggested by early adopters. On the other hand, we see the need to increase the usability of NTS, which is not deployed widely. By contributing to improvements of NTP (NTPv5) and exploring the creation of an NTS pool, we aim to foster NTS adoption. >> Read more about Strengthening NTP and NTS in ntpd-rs openCologne — CM4 form factor SoM for GateMate chips Currently there are few FPGA vendors in Europe. One of these vendors, CologneChip, produces the GateMate chips which have some high quality features compared to other FPGAs, such as a high speed SerDes. Recently we have seen the appearance of a number of affordable boards with these FPGAs. The challenge (and opportunity) is now to make sure that the open hardware community can benefit from these FPGAs as soon as possible. This project will design a new iteration of the popular open hardware ULX-boards (ULX5M) featuring GateMate chips, which will be compatible with the widely used CM4 form factor - so it can be slotted into many existing designs instantly. This opens up this strategic new FPGA target for a broader audience, and helps breach the market. In addition, the project will make a portfolio of entry level projects that selectively put GateMate resources to good use, including its unique SerDes. 
Be they in RTL or HLS, implemented as pure hardware FSMs, or by using HW/SW co-design and SOC techniques, or integrated with LiteX - delivering a variety of real-life use cases. >> Read more about openCologne openXC7 — Improve hardware support for open source FPGA tooling FPGAs are reconfigurable chips capable of handling many electronic signals in parallel. They are used in network equipment like backbone switches, firewalls, video devices like surveillance cameras and radio equipment like mobile-phone base stations, radar systems and satellites to process high volumes of data with very low latency. FPGAs are also used to test digital circuit designs before they are manufactured as chips. The functionality of FPGAs is determined by a configuration file which is loaded into the FPGA at power-on. The configuration file is usually generated from a design file by a proprietary tool provided by the manufacturer of the FPGA. openXC7 will provide a complete set of open source tools to generate a configuration file for the widely used family of Xilinx Series 7 FPGAs from manufacturer Xilinx/AMD without having to use any proprietary tools. This will empower digital design engineers to have the guarantee that no backdoor is implemented on FPGA based devices by the proprietary design tool provided by the vendor. The availability of the source code of the FPGA design tool will also allow anyone to come up with new use cases for FPGAs currently not possible with existing tools. In this project the team will implement gigabit transceiver support, both for the widely used Artix7 and the Kintex7 families of devices, thus enabling complete open source network infrastructure (e.g. an open source 10 GB Ethernet switch). The second focal point will be identifying and fixing issues that arise from the community of users of the toolchain. 
>> Read more about openXC7 S-SATA for openXC7 — Open source SATA phy and interface for FPGA's This project develops an open-source SATA controller for use with FPGA technology, specifically targeting the Xilinx Kintex/Artix7 family. SATA, which stands for Serial Advanced Technology Attachment, is a technology used to transfer data between a CPU and an attached persistent storage device. By creating an open-source hardware controller, this project will make it easier and more affordable for researchers and developers to implement dependable high-speed data storage solutions in their FPGA-based projects. Initially, the controller will support the 1500Mb/s data transfer speed typical of earlier SATA versions. Our development plan includes both building this controller, a hardware simulation of it, and software to demonstrate it. We then intend to implement it on actual hardware and prove it works. >> Read more about S-SATA for openXC7 purl2all — Discover metadata for software packages While we often simplify our mental model of the software supply chain by only looking at how source code is maintained and compiled with other source code into binaries which are distributed, in reality there are many more stakeholders that provide or curate information about software which is used by others as part of their decision process - and there are many supply chains concurrently, some of which are intertwined. The purl (package-url) initiative allows this information to be aggregated from all the different stakeholders in the software supply chains. The purl2all project aims to build a real-time, on-demand, decentralized and distributed knowledge base for all kinds of software packages metadata that can be used by other services that need the metadata; such as ScanCode, VulnerableCode, or any system, application or library using package-url (purl) as a way to identify packages and versions to lookup this data. 
The outcome will be a decentralized, on-demand software metadata collection system that will complement or replace centralized batch systems. >> Read more about purl2all purl2sym — FOSS code symbols indexing system Identifying corresponding source code compiled in natively compiled binaries is complex and important – only by knowing the code origin can one know if the code is subject to known vulnerabilities or licensing issues. In IoT and embedded devices, most of the code is composed of natively compiled binaries, with a significant Android-based ecosystem using Java with specific constraints: multiple programming languages (Java and Kotlin) and bytecode-compiled binaries. Many devices also embed secondary code (typically for admin and UI), such as Lua, JavaScript, Python, or PHP. To help with identification of binaries, it is important to aggregate collection of identifiers and symbols from FOSS code and index them to easily retrieve the data in efficient detection engines, based on automations and binary scanners. These symbols or identifiers are essential to software identification tools such as BANG that can match symbols in source and binaries and determine the corresponding source code for a given binary code input. purl2sym is a new data collection and indexing system to collect code symbols from FOSS source packages (and binaries in the future) and store them for reuse in other software analysis processes. >> Read more about purl2sym scalePNR — New place and route algorithms for large FPGAs The scalePNR project focuses on enhancing digital circuit design for large Field-Programmable Gate Arrays (FPGAs), which are complex chips used in everything from consumer electronics to mobile phone base stations to cameras to AI accelerators to internet backbone infrastructure to advanced computing systems. 
Traditionally, designing these chips has been a highly specialized and time-consuming task, due to the complexity and computational demands of arranging and determining efficient wiring between the millions of tiny logic blocks they contain. The goal of this effort is to tackle larger, more advanced FPGAs and make the process of designing circuits for these high-capacity chips more accessible and efficient, potentially leading to faster, more energy-efficient electronic devices. By researching and implementing new algorithms, the project aims to make it easier and quicker to design circuits that run cooler, faster, and more reliably, bringing the benefits of the latest technology to a broader audience and fostering innovation in numerous tech-driven sectors. >> Read more about scalePNR Σ-protocols — Formalise and implement zero-knowledge proof Σ-protocol Σ-protocols are mature and widely-used cryptographic protocols used for digital signatures and for zero-knowledge proofs. This project is centered around their standardization and the development of a comprehensive specification and reference implementation. The main goal is to create a detailed and accessible specification for Σ-protocols and the Fiat-Shamir heuristic, to be presented in formats like HTML or PDF, along with a reference implementation. This effort aims to make these technologies understandable and usable by a broad audience, including developers, practitioners, students, and engineers. The end goal is to make this technology more accessible for privacy-preserving applications and non-cryptographers. >> Read more about Σ-protocols uFork — A memory-safe pure-actor virtual machine Applying the design principle of actors-all-the-way-down, uFork implements a virtual-machine that is memory-safe at the level of assembly-language instructions. All operations occur in the context of an actor message-event, which provides object-capability security throughout the system. 
The effects of individual instructions are isolated so they can only affect the state of their host actor until a transactional commit releases additional asynchronous message-events into the system. This isolation allows interleaved execution of multiple instruction streams, so multiple actors can make progress concurrently. The virtual-machine implements automatic memory management with garbage-collection, and fine-grained resource quotas are enforced by the processor. >> Read more about uFork uMap — Collaborative custom mapping with OpenStreetMap data uMap is an online open source application to make custom maps. It aims to make creating maps easy for anyone in a few clicks. It’s simple for basic use cases, whether you want to prepare a bike trip with your friends or communicate the current roadworks for your city. But it’s also flexible and extendable for more complex or custom ones: drawing or importing data, customizing style and interface, sharing access to a map… uMap is also easy to install and to maintain to enforce a decentralized model. It is already deployed in several European countries, and is translated into dozens of languages. Plus, it also allows creating maps anonymously. In this project, we will add real-time collaboration on maps with local-first support - which will for instance help a lot with live events and mapping sprints - and clean up the user interface. >> Read more about uMap vdirsyncer/pimsync — Synchronise calendars and contacts In this digital age, we all have digital address books with the phones and addresses of our loved ones, friends, and those with whom we work. We keep calendars with meetings we need to attend and places we are expected to be. And we need to keep this information synchronised across devices, shared with others, but only with those whom we choose to collaborate. Like its predecessor Vdirsyncer, Pimsync synchronises address books and calendars between webcal, caldav, and local vdir collections. 
This empowers users to manage their own data, synchronising with servers of their choice - and take their data offline to their own devices at any point, to interact with it any way they please. Pimsync is written in Rust. >> Read more about vdirsyncer/pimsync xrsh — Interactive text/OS terminal inside WebXR xrsh (xrshell) brings the FOSS-soul of unix/linux to WebXR, promoting the use of (interactive text) terminal and user-provided operating systems inside WebXR (=xrsh). Technically, xrsh is a bundle of freshly created re-usable FOSS WebXR components. These provide a common filesystem interface for interacting with WebXR, offering the well-known linux/unix toolchain including a commandline to invoke, store, edit and run WebXR utilities - regardless of their implementation. Think of it as termux for the VR/AR headset browser, which can be used to e.g. livecode (using terminal auto-completion!) for XR component (registries). >> Read more about xrsh "},{"description":"","url":"https://nlnet.nl/thema/NGI0Core.html","title":""},{"description":" NGI0 Commons Fund NGI0 Commons Fund is a grant programme funding projects about reclaiming the public nature of the internet, as part of the Next Generation Internet initiative of the European Commission. For a more complete description see the home page of the fund: NGI Zero Commons Fund. This page contains a concise overview of projects funded by NLnet foundation that belong to NGI0 Commons Fund (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. The goal of NGI Zero Commons Fund is to help deliver, mature and scale new internet commons across the whole technology spectrum, from libre silicon to middleware, from P2P infrastructure to convenient end user applications. We have a holistic, full-stack approach, simply because there is no other way. 
If we want to reclaim the public nature of the internet and yield the full benefits from technology as a society, we need to have full coverage — period. NGI Zero Commons Fund is an ambitious grant programme led by NLnet as part of the Next Generation Internet initiative, which focuses on the development and maintenance of internet commons that support the vision of a resilient, trustworthy and sustainably open technology stack that empowers users, and grants everyone full autonomy. All projects become available under a free and open source license so you will be able to study, use, modify and share everything with anyone you want! Why not propose a project yourself, calls are currently open! Applications are still open, you can apply today. 5C — Continuous Code Compliance Control Center Modern software products routinely include over 10,000 packages. Smaller teams often do not have the bandwidth to evaluate everything for cybersecurity and CRA compliance, and do not have the budget or resources for proprietary tools or complicated processes. Continuous Code Compliance Control Center (5C) is a new DejaCode and AboutCode app that will provide an accessible overview dashboard, necessary for teams to focus on critical cybersecurity and compliance issues, and track security and compliance at scale with less effort. 5C will continuously monitor and aggregate events, from AboutCode tools and other FOSS tools integrated in AboutCode, to provide a visual compliance observability. The goals are to provide key features such as: actionable insights, shareable across stakeholders, drill-down from summary to investigate issue details and on-demand workflows for teams to resolve issues. 5C will facilitate proactive risk management with aggregated data and \"Key Compliance Indicators\", using a set of predefined and customizable rules for policies and thresholds to trigger alerting and reporting noncompliance and cybersecurity issues as events when needed. 
5C plans to deliver the top layer for a FOSS solution to simplify meeting complex regulatory requirements and cybersecurity technical data management for effective and efficient automated compliance operations, across engineering, security, legal, and business teams. >> Read more about 5C Adno — Annotate and share curated cultural and scientific content Adno is a user-friendly web application designed for creating annotation series on online, static and IIIF-compliant images. Designed in collaboration with cultural and scientific mediators, it enables users to create, present and share guided or self-guided tours within images. Adno is also of interest to researchers and has potential applications for a broad audience. Adno is built on open standards: specifically, the W3C Web Annotation Model and the International Image Interoperability Framework (IIIF). IIIF refers to both a shared technical framework and a community of people who develop APIs, implement them in software, and expose interoperable content. IIIF is used by an increasing number of cultural and scientific institutions. Its features extend to audio and video, and 3D soon. IIIF makes hundreds of millions of images accessible, searchable, comparable, manipulable, citable, annotatable, and mixable by any compatible application that can connect to each other's repositories. Adno is part of this ecosystem. >> Read more about Adno iOS support for AccessKit — Cross-platform abstraction over accessibility APIs AccessKit makes it easier to implement accessibility, for screen readers and other assistive technologies, in toolkits that render their own user interface elements. It provides a cross-platform abstraction over accessibility APIs, so toolkit developers only have to implement accessibility once. The aim of this project is to create the UIKit backend to support devices running iOS, feature-parity with Android being the target. 
An existing UI toolkit will be modified to show how other open-source UI projects can take advantage of this new capability. >> Read more about iOS support for AccessKit ActivityPods 3.0 — Encrypted Solid-compatible Pods ActivityPods brings together two game-changing protocols, ActivityPub and Solid Pods, and empowers developers to create fully-decentralized social apps thanks to an easy-to-use framework. In the planned version 3.0, Solid clients will be able to connect to ActivityPods just like any other Solid Pod provider. Furthermore, ActivityPods 3.0 will build a bridge with the world of P2P protocols, since it will be using NextGraph (a local-first P2P solution based on CRDT) as a triple store. The result is that all Pod data will be encrypted. In addition, users will be able to create a NextGraph wallet and use it to give NextGraph apps access to their Pod data. This will allow ActivityPods to provide the first \"social Pods\" with built-in Fediverse communication and improved data security, potentially attracting more developers and users to the Solid and ActivityPub ecosystems. >> Read more about ActivityPods 3.0 Ada Bootstrap Compiler — Full source bootstrap for Ada Ada is an important computer language with a long history, with the compilers being built for new architectures on an ad-hoc basis based on previously existing Ada compilers from other architectures. This project aims to create a bootstrap path from the C language to an Ada compiler without relying on an existing Ada compiler binary. This will allow us to have a fully auditable trail from C to a working Ada compiler, removing concerns about hidden backdoors or other issues that may arise from using a compiler without a clear bootstrap path. 
>> Read more about Ada Bootstrap Compiler Aerogramme 1.0 — Standards-compliant, reliable and secure groupware Aerogramme is an open source email server that aims to provide a natively geo-distributed IMAP/CalDAV/CardDAV server with high availability guarantees. The vision behind Aerogramme is to allow newer, more diverse, ethical, local email providers to provide the same reliability as current industry behemoths. In this project, we aim to work on the last steps needed to envision first production deployments, with the following three core goals: correctness and reliability, operations, and feature completeness (CardDAV and a Webmail). >> Read more about Aerogramme 1.0 Aiohttp type checking — Improve typechecking for Aiohttp HTTP Client/Server framework aiohttp is a widely used asynchronous HTTP Client/Server framework for async IO within the popular Python language ecosystem. The advantage of asynchronous frameworks is that they don't block the client while the server processes HTTP requests. Instead, the user can do other operations client side. This grant will improve the coverage for type annotation of the Python test code of its dependencies, providing a more robust framework to downstream users and developers alike. >> Read more about Aiohttp type checking Alaveteli GDPR and Search — Better search and redacting capabilities for Alaveteli FOI request portal Alaveteli is an open source platform deployed in 20+ countries that helps citizens make Freedom of Information requests and publishes them and the responses online. Access to Information laws are powerful tools by which citizens, journalists, and civil society organisations can obtain information to scrutinise government. Such legislation is an important prerequisite for accountability and bottom up participation, making it one of the cornerstones of a healthy democracy. Alaveteli’s architecture was designed long before the introduction of GDPR. 
This makes it challenging to balance public access to information with protection of citizens' individual data rights. The project aims to redesign and replace Alaveteli’s antiquated search architecture and technology and implement key missing functionality to effectively locate and, when appropriate, remove personally identifiable information to ensure GDPR compliance. >> Read more about Alaveteli GDPR and Search Alps Webmail — Minimalist open source webmail in Go Alps Webmail is a minimalist, stateless webmail client designed for modern IMAP infrastructure. Built with simplicity, speed, and extensibility in mind, it avoids central databases and heavy frameworks, making it ideal for scalable deployments and low-maintenance environments. Alps supports multi-tenancy, responsive theming, CalDAV/CardDAV integration, and a lightweight plugin system using Lua or Go. It is already used by thousands of users and aims to become the default webmail layer for self-hosted and provider-grade email platforms, emphasizing usability, transparency, and long-term sustainability. >> Read more about Alps Webmail Amaranth HDL — Design FPGAs and ASICs in Python Amaranth is a hardware definition language for synchronous digital logic embedded within Python. It aims to be easy to learn and use, reduce or eliminate common coding mistakes, and simplify the design of complex hardware with reusable components. While the language has been successfully used for many years for both FPGA projects and ASIC tapeouts, it is not yet at the \"1.0\" level of maturity. This grant will enable the project to ensure that all of the core abstractions are up to the same high bar of quality, as well as to bring documentation coverage to near 100%. >> Read more about Amaranth HDL Yama Analytics — Privacy-friendly analytics microservice using server logs For small organisations and individuals who wish to respect their visitors' privacy while needing to obtain analytics, there are limited options. 
The most elegant option (and the most privacy-respecting one) is to provide real-time analytics by ingesting the web server logs. This doesn't involve/require doing anything client-side (no scripting, no invisible pixels, etc): all the information needed can be derived from these log files without resorting to tricks. The form factor of a drop-in microservice allows for easy integration into other tools (which offers a significant improvement in terms of usability), and makes it portable. The end result will provide a neat solution for small actors to make self-hosting of their website 'batteries included'. >> Read more about Yama Analytics Mifos X (Apache Fineract) — Type safety for/refactoring of Apache Fineract banking software Apache Fineract is a sophisticated core banking system that provides comprehensive financial technology solutions. It offers features for client data management, loan and savings portfolio management, integrated real-time accounting, as well as extensive reporting capabilities. By commoditising core banking infrastructure, Fineract empowers communities and organisations of any size to integrate financial services everywhere. Mifos X includes a payment orchestration engine and mobile banking apps, lowering the threshold to participate in the digital economy. In the scope of this project, type-safety is added to the software, QueryDSL is introduced to generate code and a significant amount of technical debt is resolved. >> Read more about Mifos X (Apache Fineract) Arcan-A12 Endpoints — Unifying distributed remote desktops A12 is a next generation remote desktop protocol built on the principles of \"one desktop, many devices\" and \"your desktop, reaching out\". This means that all your devices, big and small, should be able to join together to form a unified whole and for you to be able to share slices of this with others. 
It has a complementary extension, 'A12-Directory' which adds a network of servers for load balancing, distributed storage, search/retrieval, application hosting and discovery. With 'A12-Endpoints' we seek to expand the range of applications, media and document formats that can be hosted, as well as the kinds of devices that can participate. >> Read more about Arcan-A12 Endpoints Archiyou — Parametric design and building Archiyou is an online platform for codifying design and building knowledge and making it accessible to everyone. In the Archiyou Editor, one can create scripts that generate everything needed to begin building custom objects, furniture, constructions, and even houses: parametric 3D CAD models, calculations, data tables, and documents. Archiyou also serves as a library of customizable designs, which people can download directly to start building or to use as a foundation for their own projects. This project will grow Archiyou as an open (source) design platform, with better documentation, improved portability and export options, deeper integrations and some exciting new features. >> Read more about Archiyou Arkin — Optical Tweezers Microscope Arthur Ashkin published the science of optical tweezers openly, work that earned him the 2018 Nobel Prize in Physics. Yet commercial instruments remain expensive, restricting access to well-funded laboratories. Arkin honours this legacy by developing a fully open-source optical trapping microscope using globally available components. The design includes 3D-printable optomechanical modules, a precision translation stage, and a control software, integrating with established open-hardware platforms (OpenUC2 and OpenFlexure). Beyond optical trapping, a key deliverable is a precision positioning stage for laser alignment, imaging, and micromanipulation—filling a gap in the open-hardware ecosystem and bringing advanced biophysical tools to educational institutions, citizen-scientists, and researchers worldwide. 
>> Read more about Arkin AtomicServer Local-First — AtomicServer Local-First Headless CMS AtomicServer is a graph database written in Rust. Atomic Data is a modular specification for sharing, modifying and modeling graph data based on (a strict subset of) RDF compatible with regular JSON. AtomicServer uses links to connect pieces of data, and therefore makes it easier to reuse data and to connect datasets to each other - even when these datasets exist on separate machines. In the scope of this grant AtomicServer will go \"local-first\", by integrating with NextGraph in order to enable users to collaboratively model, share and edit graph data. The project will create a publishing flow with robust real-time connected/offline capabilities, as well as create client-side apps with Tauri for desktop and mobile. >> Read more about AtomicServer Local-First Authlib — Reliable OAuth and OIDC handling in Python Authlib is a Python library used to build OAuth and OpenID Connect clients and servers. It is designed from low-level specification implementations to high-level framework integrations, to meet the needs of everyone. It implements 20+ specifications and offers integration for 5 web frameworks. Our goal is to straighten the project by achieving long-due quality, security and janitoring tasks, and implement popular features requested by our community (including type hints, async support and FastAPI integration). >> Read more about Authlib Autogram 2.0 — Create and validate eIDAS-compliant digital signatures Autogram is an open-source (EUPL) multiplatform desktop application for creating and validating eIDAS-compliant electronic signatures. Designed for both non-technical citizens and professional users, it provides native support for various hardware security modules, including national identity cards across the EU.
This project focuses on three primary objectives: aligning the software with the requirements of the upcoming eIDAS 2.0 regulations, performing security hardening through external penetration testing, and expanding the tool's core functionality based on community requirements. Key technical developments include the implementation of secure batch signing, visual signature support, and enhanced document archiving capabilities. By offering an easy to use, accessible and vendor-independent alternative to proprietary signing software, Autogram 2.0 facilitates interoperable and secure digital interactions within the European digital ecosystem. >> Read more about Autogram 2.0 BB3-CM5 — Modular OSHW test & measurement equipment EEZ BB3 is a mature and recognized open source project that, in combination with EEZ Studio, offers a wide range of options for test & measurement development and automation. This project will further improve its performance, modularity and attractiveness by adding support for different MCUs and CPUs as a detachable module (Raspberry Pi CM4 form factor), new interfaces and by reorganizing the firmware in a way to simplify the addition of new EEZ DIB peripheral modules and enable running Linux. Design optimization will be carried out to reduce manufacturing and maintenance costs while taking into account that the existing certified EMC is not compromised. Finally, the new design will enable an increase in capacity (hosting up to 5 instead of 3 DIB modules), and the existing Mixed I/O modules will be adapted to work with a faster interface in a new more compact, half-width form factor. >> Read more about BB3-CM5 Bab — Efficient proof of validity of streamed data Content-addressable storage (CAS) lets peers resolve secure digests to strings, but faces a dilemma: if a string cannot be transferred in full, peers cannot tell whether what they received so far is legitimate data.
Discarding the data leads to redownloads and might make large downloads in spotty networks impossible. Persisting untrusted data allows peers to place arbitrary data on your machine. We write a Rust implementation of the Bab hash functions which solve this issue. >> Read more about Bab BeaconDB — Libre wireless positioning database BeaconDB is an open-source wireless positioning database that aims to be a privacy-friendly, ethically sourced alternative to for-profit location services which are not privacy-friendly. It crowdsources approximate locations of WiFi networks and cell towers worldwide, which devices can use to estimate their geographic position. The project plans to release the database into the public domain, allowing third parties to self-host compatible APIs and enabling devices to determine their location entirely offline for greater privacy. >> Read more about BeaconDB BigBlueButton server-side plugins — Server-side extensions for BBB videoconferencing tool BigBlueButton is a widely used free and open source conferencing tool. This project will create a server-side extension mechanism for BBB, which would allow additional functionality to be exposed. Third-party applications such as for instance a Learning Management System like Moodle, can then request that BigBlueButton send a POST request with credentials to connect back when a room is created - meaning it can access real-time session data, process it, and interact dynamically with the session. >> Read more about BigBlueButton server-side plugins Borg - European Graphics Processing Unit — Foundational workflow for an open-source GPU The Borg (Bring your Own Graphics) project aims to establish the complete foundational workflow for an open-source GPU using entirely free and open Electronic Design Automation (EDA) tools. 
Recognizing that full GPU development is highly complex, the initiative capitalizes on recent advances in low-cost chip manufacturing to make individual tape-outs feasible for small teams. The initial, focused objective is to successfully design, verify, and manufacture a tiny floating-point unit (FPU)—the central component of modern graphics processors—by validating every step of the pipeline, from high-level design and FPGA prototyping to the final RTL-to-GDS-flow. This strategic focus proves the viability of an open-source manufacturing and development pathway for future graphics hardware. >> Read more about Borg - European Graphics Processing Unit Bottles — Bridges the gap between Linux and Windows software Bottles enables users to run Windows applications on Linux through sandboxed and reproducible environments built on top of Wine and advanced transpilation technologies. The upcoming major release, Bottles Next, introduces atomic and isolated installation of individual applications within shared environments, ensuring reliability in critical scenarios. The project focuses on transparency, long-term reproducibility and user control, improving installation traceability and supply chain trust by making every step verifiable and repeatable. >> Read more about Bottles BrailleRAP — Open source Braille and graphics embosser BrailleRAP is an open source Braille embosser. Available in 2 sizes, A4 and A3, BrailleRAP is designed to be easily built in a fablab with widely available parts. The project also provides open source software to translate text into Braille in various standards, and a publishing application to compose page designs with a mix of vector graphics and Braille. BrailleRAP provides an open source ecosystem to produce suitable documents for the visually impaired: Braille of course, but also country or city maps, pedagogic illustrations, etcetera. The project aims to provide accurate translation in Braille for mathematics notations, which is a specific standard.
It also aims to improve accessibility and editing features, and to provide wireless connectivity to ease use in public places like libraries, schools or universities. >> Read more about BrailleRAP Bromal — Lightweight messaging server for Matrix protocol Bromal is a lightweight open-source messaging server that uses the Matrix protocol. It is being developed for the efficient deployment of federated messaging systems with modest resource requirements; as a result, it could be deployed even on small servers, including VPS, without sacrificing essential functionality. The project aims to support server-to-server federation, state resolution for different room versions, end-to-end encryption, a full-featured messaging module, built-in VoIP, automatic TLS certificate acquisition via Let's Encrypt using the ACME protocol, as well as the ability to create a cluster for larger installations. >> Read more about Bromal Bubble-up — Declarative schema migrations for sqlite databases SQLite is widely regarded as the most-used database engine, with sqlite.org even suggesting that it surpasses all other engines combined. One of its main advantages is its simplicity—operating on a single file. However, while getting started with SQLite is straightforward, modifying the database schema can be more complex due to its limited support for ALTER commands compared to other databases. Bubble-up is a command-line tool designed to ease this challenge. It enables seamless schema migrations for SQLite databases by comparing your desired schema (written in a simple SQL file with standard DDL statements) to the current database structure, and performing the necessary changes. >> Read more about Bubble-up C/C++ Package Registry — Common registry for software written in C/C++ Much of the internet and many devices run on C/C++ code.
There are many build and packaging systems for C/C++, but without a common registry, it is difficult to discover, catalog, and identify C/C++ packages used in products, devices, and apps. The C/C++ Package Registry resolves this by creating an open and distributed registry of C/C++ packages keyed by Package-URL (PURL), with associated metadata, but neutral towards any build system. It will also maintain open source tools to discover and detect C/C++ code commonly vendored and patched in software codebases. This will be combined with a database of known security vulnerabilities that affect these C/C++ packages, also keyed by PURL. This enables C/C++ software teams to more efficiently and reliably manage and automate their C/C++ software supply chain and vulnerability management operations. Using open data and open source code, the C/C++ Package Registry strengthens security postures and helps teams meet regulatory compliance requirements. Our goal is to develop the foundational data formats, build the core infrastructure for collecting and indexing C/C++ packages, and create comprehensive documentation that will nurture and sustain a thriving community around this initiative. >> Read more about C/C++ Package Registry CARGO — Automatic Generation of Analog + Mixed Integrated Circuits with Coriolis This project will develop a set of tools and libraries for analog and mixed-signal integrated CMOS circuits design, on the basis of the Coriolis toolchain initially designed and optimized for place and route of digital VLSI circuits. The project aims at providing IC designers with a library of portable analog cells, which are defined as a set of scripts and libraries containing a generic description of the transistor sizing procedure, a description of portable placement of transistors on the layout, and a routing engine optimized for analog cells.
The project will adapt the Coriolis toolchain to fulfill some specific needs of analog design, such as accommodating the routing constraints of different kinds of signals (supply, critical signals), automatic reading of the netlist, and management of analog hierarchy. In addition it will extend the analog device library, with integrated capacitors/resistors, and create a library of elementary analog cells aiming at covering basic needs of analog designers (such as Bandgap, Comparator, S/H, ADC, PLL, etc.). >> Read more about CARGO TramaBOL — Optimising COBOL compiler and memory-safe runtime COBOL remains among the most widely executed programming languages in the world. However, the COBOL ecosystem is largely isolated from modern software development communities, hindering the adoption of open-source solutions in this market. The TramaBOL project aims at developing a comprehensive COBOL interpreter in OCaml, serving as a foundational tool for various initiatives to push free and open-source software into the COBOL ecosystem. It can be used as a core component for a full step-by-step debugger, complementing open-source compilers like GnuCOBOL. Furthermore, it will facilitate experimentation with new additions to the ISO COBOL standards. Finally, it represents an initial stride towards designing a robust open-source optimizing compiler for performance-critical COBOL applications. >> Read more about TramaBOL Pushing forward for CSS Print — High end print from HTML and CSS The Web is one of the largest common resources, accessible to everyone across the globe, based on standards maintained by the World Wide Web Consortium (W3C). Certain CSS modules have been developed specifically for paginated design and publication: the fragmentation model, which divides content into pages, columns, or regions, and includes features such as controlling flow breakpoints (page breaks, column breaks, etc.).
Additionally, three W3C CSS modules focus on formatting for \"paginated media\", defining how pages are structured and providing essential functionality for printed page layouts, including margin sizes, page numbering, running headers, footnotes, templates, and element positioning on the page. However, these modules remain in the Working Draft phase, and currently no web browser has fully implemented them. In response to this limited browser support, several open-source initiatives (such as WeasyPrint and Paged.js) have emerged over the past 15 years, each with a unique approach to addressing these challenges. The user community continues to grow and new layout requirements have arisen, revealing that the current specifications are insufficient to meet the demands of modern paginated layout. As developers, maintainers and users of these open-source solutions, our goal is to address these gaps by collaborating on the development of new specifications in a structured and collective manner, demonstrating the feasibility of these new specifications by implementing them in various tools and engaging in advocacy with the CSS Working Group (CSSWG) to promote the adoption of these new specification proposals. >> Read more about Pushing forward for CSS Print CalDAV Notes — Standards-based approach to notetaking leveraging VJOURNAL CalDAV Notes is an open-source effort to make personal notes and journals independent from proprietary cloud platforms by using long-established open internet standards. The project delivers a cross-platform app for Android, iOS and the Web that allows users to store, sync and manage their notes on their own CalDAV servers, based on the iCalendar standard and its VJOURNAL component for journal entries.
By demonstrating a practical, standards-based approach to note and journal management, the project addresses fragmentation in today's ecosystem, showing in practice how interoperable note and journal storage can work across servers and platforms - not only helping to establish digital sovereignty but also achieving long-term accessibility of personal data. >> Read more about CalDAV Notes Capability-based security for Redox — Capsicum style capabilities in Redox Redox OS is a Unix-like microkernel-based operating system written in Rust, intended for both the cloud and the desktop. In this project we will replace Redox's internal file descriptor representation with capability descriptors, optimized for both security and performance. This will provide a foundation for capability-based security on Redox, and possibly capability extensions from other UNIX-like systems, while also supporting POSIX-style file descriptors for application compatibility. >> Read more about Capability-based security for Redox Circuit Painter — Creative tool for programmable PCB creation Circuit Painter is a creative coding tool for generating functional printed circuit boards (PCBs). It enables users to easily automate circuit designs that involve repetitive tasks such as LED matrixes, sensors, and test boards. Circuit Painter is implemented as a simplified Python-based language, using vector graphics-inspired techniques such as matrix transformation to simplify board generation. It uses KiCad as a backend for rendering PCBs, and can directly export manufacturing files, or be used in conjunction with traditional routing for more complex designs. A web-based interface is being developed to allow the tool to be used in a classroom or ad-hoc setting. >> Read more about Circuit Painter CityBikes — Open access API for bike sharing information Citybikes is the most comprehensive open access API for bike sharing information, with support for more than 700 cities all around the world.
The goal of the project is to promote open data policies and showcase the benefits of open data to city councils and companies that provide public services to society. Less than 25% of Citybikes data comes from open data standard feeds—for every city in Citybikes publishing their bike sharing information in a reusable format, there are at least three more that do not use a standard format. Citybikes aims to change that by providing developers, researchers and organizations with a standard resource to bridge this gap and contribute towards an interoperable open data ecosystem for mobility services. >> Read more about CityBikes Implement inline Verilog/VHDL through Yosys — Functional simulation in Haskell from existing Verilog/VHDL code This project will improve integration between Clash (Haskell-based hardware design) and existing Verilog/VHDL code. It will create a pipeline that converts HDL designs into a native Haskell simulator using Yosys. The outcome will allow developers to reuse existing Verilog/VHDL directly within Clash workflows and use Haskell’s powerful testing tools for verification — without custom build systems or external simulators. The project will lower adoption barriers, simplify verification, and strengthen the Clash ecosystem by making existing hardware designs more easily available. >> Read more about Implement inline Verilog/VHDL through Yosys ClassQuiz — Libre quizzing tool ClassQuiz is a quiz application designed for, but not limited to, classrooms. It allows anyone to create live quizzes to engage the audience in a fun way, where each player also competes against the others by answering questions as fast as possible to score high. By providing a simple setup for self-hosting, it also allows many educators to host quizzes without any privacy concerns. ClassQuiz was born as an alternative to Kahoot! because educational software for students should be built with privacy in mind.
>> Read more about ClassQuiz Clearance — Curating changes to OpenStreetMap data of interest Clearance is an open-source tool designed to enhance the reliability and increase confidence in collaborative OpenStreetMap (OSM) data by acting as a quality control proxy between OSM and data consumers and functioning as a standard OSM data source (OSM PBF or overpass API). OSM map data is created collaboratively and continuously updated by the contributor community. While most changes are made in good faith, low quality changes or mistakes may occur, especially by beginners. Bad faith changes also exist, but are less frequent. When you rely on OSM data, as a service provider or end user, quality and avoiding breaking changes is important. That's the issue Clearance addresses. Clearance holds suspicious or potentially problematic changes, while keeping replication up to date for those respecting quality rules. It reworks OSM changes into coherent groups based on topological, geospatial, and semantic object relationships. Rejected data groups must be corrected in OSM or accepted manually. It provides local atomic changes that preserve data integrity. It helps identify semantically equivalent objects despite technical changes (splits, merges, redraws, dimension changes). >> Read more about Clearance Code Genetics — Scanning tool for identifying code origins It is inherent to the nature of FOSS to be reused and remixed. But it is difficult to find which project is the actual correct, upstream original project where the code was created first. And this is critical for both security and license compliance. For example, there are several known cases of people forking a FOSS project and changing its main license to suit their needs. Reviewing a codebase for its origin cannot be fully automated (yet) and requires extensive human review to disambiguate and establish correct provenance of code detected through scanning, matching, package manifests and other clues. 
AboutCode's Code Genetics features will be integrated in DejaCode, ScanCode.io and PurlDB to aggregate scan results from complementary FOSS tools including ScanCode and MatchCode, and the project will also work to integrate other tools such as BANG, OWASP depscan or BIDS, to help automatically identify the true, correct code origin. The purpose of the Code Genetics project is to significantly reduce the amount of human scan result reviews required to only a small ambiguous subset of complex cases where we cannot automatically identify the correct code origin. The outcome for this project will be to aggregate origin scans in AboutCode, design a policy and rules system to automate scan reviews and integrate these features in PurlDB, ScanCode.io, MatchCode and DejaCode as needed to efficiently review and curate scan results, and finally share curated data as open digital commons using FederatedCode. >> Read more about Code Genetics Miru Collaborative Video Editor — Local-first video and AR editing Miru is a set of web-based tools for media editing on the Web with the aim of allowing the general public to create and share engaging, dynamic image and video content of the quality that's normally only found on centralized, commercial platforms. This project develops Miru's video editor to make it capable of creating more engaging short and medium form content in collaborative workflows. This will involve adding support for animated text and images, integrating Miru's AR effects, implementing local-first collaborative editing with CRDTs, and integrating with other social apps and back end platforms. >> Read more about Miru Collaborative Video Editor Upstreaming Sailfish OS ConnMan improvements — Consolidation of improvements to ConnMan connection manager ConnMan is a core Linux networking component used in mobile, embedded, and desktop systems.
Sailfish OS has maintained a fork with over a decade of production-tested improvements — including multiuser support, firewall integration, CLAT (IPv4-over-IPv6), conf.d configuration, and improved DNS handling with systemd-resolved — many of which are not yet upstream. This project focuses on upstreaming these Sailfish OS features to reduce fragmentation, improve security and privacy, and increase interoperability across Linux platforms. By integrating these enhancements into the main ConnMan project, they will become available and sustainably maintained for the wider open-source ecosystem, benefiting both existing ConnMan users and future privacy-preserving mobile systems. >> Read more about Upstreaming Sailfish OS ConnMan improvements OpenPGP refresh for Conversations — Modernise OpenPGP implementation for Android XMPP client This project aims to modernize PGP encryption within Conversations, a Jabber/XMPP client, by integrating cryptographic operations and adopting updated messaging standards. Currently, the application relies on a third-party tool, OpenKeychain, which is no longer actively developed and utilizes brittle Inter-process communication (IPC). This work will replace this dependency with the pgpainless library, integrating encryption, decryption, and key management directly into the app to improve reliability and user experience. Furthermore, the project will implement and update the modern OpenPGP standards for XMPP (XEP-0373 and XEP-0374) by making use of Stanza Content Encryption (SCE). This transition not only benefits users who prefer PGP-based encryption but also serves as a critical building block for the development of OMEMOv2. >> Read more about OpenPGP refresh for Conversations Support for Microblogging and Social Feeds to Converse — Add social networking functionality to Converse Converse is an open source and standards based chat client that can be integrated into any website or web app. 
For example, it is integrated into Peertube via a plugin, allowing for real-time chat features within the video platform. Converse uses the XMPP protocol and is compatible with other compliant XMPP servers and clients. Besides allowing for full integration into web-based platforms, Converse also functions as a standalone chat client, and is one of the most popular and full-featured XMPP clients available and has been translated into over 45 languages. This project adds social feeds and microblogging capabilities to Converse. >> Read more about Support for Microblogging and Social Feeds to Converse Converse XMPP Chat on Mobile — Embeddable XMPP client for mobile usage Converse is an open source and standards based chat client that can be integrated into any website or web app. For example, it is integrated into Peertube via a plugin, allowing for real-time chat features within the video platform. Converse uses the XMPP protocol and is compatible with other compliant XMPP servers and clients. Besides allowing for full integration into web-based platforms, Converse also functions as a standalone chat client, and is one of the most popular and full-featured XMPP clients available and has been translated into over 45 languages. >> Read more about Converse XMPP Chat on Mobile Latest OMEMO support to Converse.js with libomemo.js — E2EE for web-based XMPP client Converse.js is a web-based chat client written in JavaScript, built around XMPP (\"Extensible Messaging and Presence Protocol\") - the designated IETF standard for instant messaging. OMEMO is a standardised way to provide end to end encryption within XMPP based on the Noise protocol/Double Ratchet Algorithm which provides forward secrecy. This project will finalise support for the latest version of OMEMO protocol in Converse.js, bringing both state-of-the-art security based on the Noise protocol in private messaging, as well as standards-based interoperability between several messaging applications and services.
>> Read more about Latest OMEMO support to Converse.js with libomemo.js Convo XMPP client — Federated E2EE messaging for KaiOS feature phones Convo is a messaging application designed for feature phones. It follows the XMPP messaging standard which enables decentralised, provider-independent communication, while allowing interaction with other apps and services on the XMPP network. Powered by ConverseJS and based on web technologies, Convo is currently released as an unofficial proof-of-concept app for KaiOS, but has the potential to (in future) be ported to other web-based platforms too. The primary goal of this project is to develop Convo into a fully functional app that forms a viable messaging solution for KaiOS users, and publish it on the official KaiOS Store. Specifically, the plan is to replace the current homegrown UI with a better designed one based on the solid-telekram project, ensure compliance with the basic XMPP Core and IM Compliance Suites (defined in XEP-0479), and expose end-to-end encryption (OMEMO v0.3) functionality currently implemented upstream in ConverseJS. While not a direct goal, the project will also explore the possibility of running Convo on other platforms, including button-centric platforms like CloudMosa's Cloud Phone (used in some devices by Nokia/HMD) as well as more \"traditional\" touchscreen platforms which support webapps like Phosh and Ubuntu Touch. >> Read more about Convo XMPP client Coreblocks RISC-V processor core — Out-of-order RISC-V processor in Amaranth Coreblocks is an experimental, modular out-of-order RISC-V core generator implemented in Amaranth (a hardware description language based on Python). It combines the Amaranth HDL with the hardware transactions library Transactron which implements an abstraction layer for inter-component interaction. This results in flexibility and low-level extensibility while preserving readable and decoupled code.
This grant will enable us to advance our generator towards synthesis of modern soft processor cores. Principally, we will overhaul the key internal modules (checkpointing, multi-stage branch prediction, LSU), allowing us to transition to high-performance processing. Next, we are going to implement processor features enabling rich OS support (MMU, FPU, supervisor mode). We will also extend our documentation in order to make this project more accessible and improve the debugging capabilities on FPGA deployments. The longer term goal of Coreblocks is to deliver a working high-performance application-class CPU, capable of supporting modern systems - an open, independent, European general-purpose processor. >> Read more about Coreblocks RISC-V processor core Open-source firmware for modern AMD boards — Base port of Coreboot to AMD platform using OpenSIL Intel has a strong position in coreboot support, but parity on hardware from other vendors such as AMD is essential for real choice, security, and auditability. This project brings coreboot support to modern AMD platforms using OpenSIL across server, desktop, and, through shared infrastructure, mobile segments. The project advances a unified, reusable path for AMD platforms and contributes everything upstream. >> Read more about Open-source firmware for modern AMD boards Open-source firmware for modern AMD boards part 2 — Extending coreboot support for AMD Phoenix SoC to AM5 socket Intel has a strong position in coreboot support, but parity on hardware from other vendors such as AMD is essential for real choice, security, and auditability. The first part of this project brought coreboot support to modern AMD platforms using OpenSIL across server, desktop, and, through shared infrastructure, mobile segments. Within this new grant, coreboot support for AMD Phoenix SoC will be extended to AM5 socket desktop variants, adding network peripherals (WiFi, Bluetooth, and PXE), and ensuring compatibility for users of Windows 11. 
The project advances a unified, reusable path for AMD platforms and contributes everything upstream. >> Read more about Open-source firmware for modern AMD boards part 2 Fully Open Chip Design — Silicon-proven toolchain for VLSI design Coriolis is an open-source toolchain dedicated to chip design. It integrates several open-source tools like Yosys, KLayout etc. and also provides dedicated tools for place & route. It addresses the actual open technologies (SkyWater, IHP and Global Foundries) to make open chips possible. The goal of this project is to improve the usability and the users' experience using Coriolis, from installing and configuring their flow to elaborating their designs. At the end, tutorials, documentation and packages will be available to make Coriolis a more usable toolchain to increase European sovereignty in chip design and to promote open chips. >> Read more about Fully Open Chip Design Adding redaction to Cpdf — Robust, standards-compliant PDF redaction Proper PDF redaction is becoming vital. It no longer suffices to crudely black out text and rasterize pages, nor to use basic PDF redaction which is unaware of modern metadata, since the resulting PDF would have been stripped of all accessibility information and no longer meet common regulatory requirements such as PDF/UA. This project extends the open-source Cpdf PDF processor to support the full spectrum of PDF redaction facilities in a robust, standards-compliant fashion. The result will be suitable for human-guided individual and batch redaction to a quality suitable for personal, legal and governmental work. >> Read more about Adding redaction to Cpdf CryptPad Notes — E2EE collaborative rich text editor The project summary for this project is not yet available. Please come back soon! >> Read more about CryptPad Notes CryptPad Scalable Server — Improve the architecture of CryptPad The project summary for this project is not yet available. Please come back soon! 
>> Read more about CryptPad Scalable Server CurveForge — Add optimized post-quantum arithmetic to cryptographic toolkit CurveForge focuses on developing efficient and secure implementations of elliptic-curve cryptography (ECC) using automatic optimization techniques. The project aims to deliver high-performance, portable, and maintainable ECC solutions that can be widely adopted. By leveraging automatic optimization, CurveForge avoids the need for curve-specific implementations, making advanced cryptographic techniques more accessible and practical for real-world applications. Future efforts will also target post-quantum primitives. Work within this grant focuses on those post-quantum primitives, working towards a demonstrator in the form of a rustls crypto provider, improving performance, and improving test coverage with wycheproof. >> Read more about CurveForge Securing Internet protocols with decentralized identity — DIDs and Verified Credentials as SASL method There has been much innovation in the last few years in the area of decentralized digital identity, including the development of standards such as Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs). These technologies have led to large-scale initiatives around the world to develop digital identity wallets, including for example the European Digital Identity Wallet (EUDI). These initiatives aim at making it possible to obtain and use digital versions of identity documents such as drivers' licenses, birth certificates, university diplomas, and more. The potential of these technologies however is much greater than just logging in to websites. In this project, we work on integrating decentralized digital identity technologies into widely used Internet protocols themselves, such as XMPP for instant messaging. In this case, a combination of identity and messaging means that you can authenticate to a messaging service using a digital identity wallet, rather than username and password. 
We accomplish this by specifying and building a DID-based extension for the Simple Authentication and Security Layer (SASL). >> Read more about Securing Internet protocols with decentralized identity DataLab Experimental Web interface (DEW) — Scientific platform for processing and analysing signals and images DataLab Experimental Web interface (DEW) explores extending DataLab, an open-source scientific platform for signal and image processing, with a browser-based interface that preserves its local-first and offline-capable philosophy. The project builds on DataLab's recently modularized architecture and on Sigima, its standalone scientific computation engine designed for reuse across desktop applications, scripting environments and automated workflows. Rather than developing a web stack from scratch, DEW focuses on leveraging existing, well-established web and interactive computing technologies to expose DataLab's capabilities through the browser. The objective is not to replace the desktop application, but to complement it by enabling easier access, interactive experimentation and flexible deployment on local machines or trusted networks without cloud dependency. The project will deliver a functional web interface prototype, deployment scenarios and technical documentation to inform future development choices. >> Read more about DataLab Experimental Web interface (DEW) Data Package implementation in TypeScript — Reference implementation of data definition language and data API Data Package is a standard consisting of a set of simple yet extensible specifications to describe datasets, data files and tabular data. It is a data definition language (DDL) and data API that facilitates findability, accessibility, interoperability, and reusability (FAIR) of data. 
The TypeScript implementation of the Data Package standard provides all the necessary functionality for working with data packages in Node.js or similar environments — including validating and extending metadata, and reading or writing data in various formats such as CSV, TSV, JSON, and OpenDocument Format (ISO/IEC 26300) as used by e.g. Excel and LibreOffice. >> Read more about Data Package implementation in TypeScript DatamiPods — Visualisations for (federated) Solid data Datami is a tool to edit, visualize and share your data. It allows datasets to be transformed into discoverable, understandable and reusable data. ActivityPods is a collective data space solution based on Solid and ActivityPub. The DatamiPods project creates a bridge between these two existing open source tools, and aims to simplify the use of the datasets involved - also for less technical users. >> Read more about DatamiPods Decidim revamp — Tools for participatory democracy Decidim is a free and open, digital infrastructure for participatory democracy. Decidim allows one to create and configure a web platform to be used as a political network for democratic participation. The platform is freely available for organisations and institutions seeking to initiate participatory processes such as deliberation, decision-making, collaboration, direct democracy and co-design. In order for the project to reach a new stage of technical maturity, the project will overhaul the user experience through a complete redesign of its interface. It is necessary to review, order and, if necessary, remove features. This project is focused on doing the less visible, but necessary work, to make the code clean and sustainable in the long term. >> Read more about Decidim revamp Diesel CLI — Safe and performant database queries in Rust Diesel is a safe and performant query builder and ORM written in Rust. 
It aims to eliminate security issues like SQL injections by providing a type safe domain specific language to express your SQL query as Rust code. This domain specific language enables checking the query at compile time to turn insecure or otherwise invalid SQL queries into compile time errors. Diesel supports the relational database systems SQLite, MySQL and PostgreSQL out of the box. Support for other database systems can be added by libraries built on top of Diesel. The Diesel project provides a command line tool to simplify the development workflow of projects using Diesel as database library. This command line tool currently cannot be extended by others, which puts a large maintenance burden on the main project. As part of this project we want to develop an extension interface for the Diesel command line tool so that other projects can integrate seamlessly with the tool. This feature allows projects depending on Diesel to integrate support for other database systems with a developer experience similar to that of the database systems supported by the main project. The extension interface also unblocks other use-cases as it provides a way to consume information about the database schema in other ways than implemented by Diesel itself. Such an extension interface enables experimentation and the development of features rejected by the main project due to limited maintenance resources. >> Read more about Diesel CLI Dino — User-friendly and secure instant messaging based on XMPP Dino is an open-source messaging application. It uses XMPP as an underlying protocol, which allows federated, provider-independent communication and offers a world-wide network of interconnected servers. Dino aims to be secure and privacy-friendly while at the same time offering a good user experience and a modern feature set. 
This project is about adding various additional usability and privacy features such as Message moderation in groupchats (XEP-0425), message deletion (XEP-0424) and local message deletion, improved password handling and connection establishment via SASL2 (XEP-0388), Bind2 (XEP-0386), FAST (XEP-484) and storing secrets in the system keyring, improved file transfers including sending multiple images in the same message via Stateless File Sharing (XEP-0447), improving the UX in MUCs by using more efficient protocols like MUC Affiliation Versioning (XEP-0463) and by making further use of occupant IDs (XEP-0421) in the context of message correction and message deletion. It will also extend support for message formatting via Message Markup (XEP-0394). >> Read more about Dino DjNRO upgrade and wifi mapping — Find nearby wifi access points in federated wifi communities DjNRO is an open-source tool for a wifi roaming community. It supports the organisational participants, their wireless hotspot locations and configurations. It is suitable as a public or internal tool for managing distributed wifi deployments, and already powers the world-wide eduroam community. This project aims to improve the wifi location mapping by correlating independent wifi hotspot data and OSM location data with the manually maintained organisational participant information. By importing additional information on the deployment of roaming wifi services, they can be validated to give users more accurate information on service availability, and assist administrators in identifying broken or invalid networks, or even \"evil twin\" networks in proximity of legitimate deployments. >> Read more about DjNRO upgrade and wifi mapping DocSpec to Rust/WASM — Document conversion SDK for rich text formats DocSpec is an open-source document conversion SDK for modern web editors such as BlockNote and Tiptap. 
It currently supports document import in La Suite Docs, a European sovereign collaboration platform used by public-sector teams. This project will port DocSpec from Elixir to Rust and compile it to WebAssembly so it can run directly in the browser. That matters for end-to-end encrypted and local-first applications, where document conversion cannot happen on a server because the server must not see the document's contents. The goal is to make privacy-preserving document interoperability practical for European public-sector, sovereign, and open-source ecosystems, especially where both OOXML and OpenDocument formats need to coexist. >> Read more about DocSpec to Rust/WASM Dokieli Collaborative — Secure decentralised and collaborative content authoring Dokieli empowers users with full control and ownership of their content through self-publishing capabilities. As a decentralised authoring, annotation, and notification tool, dokieli enables users to create and share human-readable and machine-processable content. Users can author and annotate a wide range of creative works, including articles, reviews, technical specifications, research and academic works, resumes, journals, and slideshows. They can link significant units of information from various open sources, store their content using their preferred storage systems, and share it with their contacts. Dokieli is committed to leveraging open internet and web standards to ensure interoperability and universal access. Content produced by dokieli is decoupled from the application, allowing users the autonomy to switch to any other standards-compliant application and storage system. 
This project will modularize key components to improve maintainability and encourage reuse across applications; rewrite the browser extension using modern standards to enhance usability and security; integrate real-time collaborative editing; add internationalization support to make dokieli accessible through language and locale awareness; and add end-to-end encryption to enable secure, private collaboration across documents, annotations, and messages. >> Read more about Dokieli Collaborative Domino: Security Proofs that Scale — Analysis and verification of real-world cryptographic protocols Cryptographic protocols are the backbone of a secure and free internet. They need to be thoroughly analyzed to ensure that breaking the protocol is as hard as breaking well-studied hardness assumptions. Domino addresses this need by making the analysis and verification of real-world cryptographic protocols practical and accessible by finding a new sweet spot between reasonable expressiveness and automation. Building on our existing work, we will now further reduce the amount of work that has to be done manually, clean up our syntax and further increase usability by improving error reporting, adding editor integration using LSP, experimenting with more modular code and investing in user-facing documentation. >> Read more about Domino: Security Proofs that Scale Drupal ActivityPub Social Recipe — Add ActivityPub capabilities to existing Drupal sites The ActivityPub module for Drupal implements the W3C ActivityPub protocol for websites based on this popular website management system. With the module, a website becomes an actual ActivityPub server. People are able to follow content from your site on Mastodon and other federated platforms that support ActivityPub. Responses are possible too (Reply, Like, Announce) - with more to come. 
If you need a client, you can install the Drupal Personal Reader project, which allows you to view and interact with followers from your own Drupal instance. Soon you will also be able to use any (ActivityPub/Mastodon-compatible) client to connect with the in-built API. >> Read more about Drupal ActivityPub Social Recipe Drupal ActivityPub module usability enhancements — Improved UX and Client-to-Server capabilities for Drupal ActivityPub The ActivityPub module for Drupal is the module that powers up this widely used content management system and connects it to the fediverse. The module is designed so that it can be installed and configured in several ways, suitable for many workflows and environments: a microblogging site, a news personal reader, or a media distribution site. The next steps will be dedicated to making this module more usable and adaptable, while keeping it generic. The ActivityPub specification can cater to a variety of needs, so a mutable way to implement it in Drupal can help many sites to connect to decentralised social networks. We will also implement the client-to-server specification and adopt other common practices to make it easier to use third party clients to connect to one's site. >> Read more about Drupal ActivityPub module usability enhancements Embeddable Common Lisp — Common Lisp for browser environments Embeddable Common Lisp is a Free and Open Source Software implementation of the Common-Lisp language as described in the X3J13 ANSI specification with focus on conformance, practical use and portability. This project follows through after a recent port of the runtime to Web Assembly to implement a convenient environment for Common Lisp development and for deploying Common Lisp applications directly in web browsers and other WASM-enabled runtimes. This includes further improving ECL internals for interoperability and modularity by porting it to WASI. 
>> Read more about Embeddable Common Lisp EMerge — Open Source tool in Python for RF Finite Element simulation EMerge is an open source (GPL v2.0) Python based all-in-one finite element simulator for high frequency electromagnetic simulations. Python is used as a scripting language to define geometry, boundary conditions, simulations, and post processing all within a single workflow. Existing finite element tools for radio frequency and telecommunication design are often very expensive or require extensive prior expertise. EMerge lowers this barrier by providing an accessible and flexible solution for small businesses and researchers to simulate antennas, filters, and other passive components at no cost. EMerge includes most of the commonly required functionalities offered by commercial tools and leverages powerful libraries to deliver competitive performance. Grant funding will support further development, including additional file format support, expanded simulation capabilities, and the potential introduction of a graphical user interface to reduce the need for programming knowledge. >> Read more about EMerge EPE (Ecran-Papier-Editer | Screen-Paper-Editing) — Creative libre software tools for print media Ecran-Papier-Editer is a first phase of construction of a set of innovative, open and alternative, reasoned and sustainable editorial software tools, resulting from graphic design practices and intended for the cultural and creative sectors - and for all players in publishing and publishing in all sectors. The project involves European and international universities (graphic design departments), a national arts & sciences scene, a paper engineering school, and a computer engineering school. 
>> Read more about EPE (Ecran-Papier-Editer | Screen-Paper-Editing) E-Paper Open Standards (EPOS) — Standards, reference implementation and test suite for e-paper E-Paper Open Standards (EPOS) aims to deliver an openly licensed specification/draft standard for e-paper display controller interfaces, APIs, and waveform formats. It will deliver a comprehensive developer reference including schematics, firmware, and tutorials. In addition it will produce an interoperability test suite with open-source firmware, scripts, and a reference testing fixture to evaluate latency, ghosting, power consumption, and refresh behavior. To validate the specification, there will be three working reference implementations (6\", 13.3\", and 23.8\" panels) with compliance reports. The goal is to set up a community-led standards group to maintain and evolve the specifications. The outcome will be an open foundation for e-paper, lowering entry barriers, enabling reproducibility, and supporting adoption by engineers, researchers, educators, industry, and open-source projects. >> Read more about E-Paper Open Standards (EPOS) Asynchronous ESP32 802.11 MAC — IEEE 802.11 MAC Stack for ESP32 family chips in Rust Ferris-on-Air is an IEEE 802.11 (WLAN) stack for ESP32 microcontrollers, designed as a free and open source replacement for the closed source Wi-Fi stack provided by the manufacturer. This allows for greater flexibility in the protocols we implement, as well as granting full security auditability for the entire stack. It is written in asynchronous Rust and aims to be useful for both research purposes and free and open source projects. >> Read more about Asynchronous ESP32 802.11 MAC EVQI — Unified data exchange for electrical Vehicle charging The project addresses a central structural weakness of today’s e-mobility ecosystem: fragmented communication between EVs, charging stations, operator backends, grid systems, regulators, and end-user applications. 
This fragmentation leads to slow, opaque, and error-prone charging processes for drivers, while manufacturers and operators face inconsistent data models, weak security guarantees, and growing regulatory demands. Building on long-standing and award-winning open-source work in e-mobility and metrology, the project tackles these challenges by introducing an open, real-time communication and validation layer. This layer unifies and extends existing e-mobility protocols and enables EV drivers to interact directly and securely with all components of the charging infrastructure. By adding cryptographic integrity anchors, metrological correctness, and proactive low-latency communication beneath current standards, it delivers transparent and verifiable charging information that can be independently validated — strengthening EV drivers' trust, supporting grid safety, and meeting future regulatory compliance especially under EU CRA, EU NIS2 and the upcoming revision of the EU MID. >> Read more about EVQI EcoNet Linux — Add Linux kernel support for EcoNet MIPS processors There are millions of Fiber and DSL modems around the world based on the EcoNet processor family. When telecoms upgrade their networks, these devices are discarded as e-waste because they are only supported by an aging and proprietary OS based on Linux 2.6. Most of these devices have 128 to 512MB of memory and often even USB ports, making them even more capable than many pure wifi routers. The EcoNet Linux project is firstly about supporting these EcoNet processors in mainline Linux and OpenWRT so that these devices can have a second life as wifi routers or even small home servers. Secondly, the project aims to make the first headway into open source support for the EPON fiber optic modem component. This will (for the first time) open up the possibility for using open source fiber modems with ISP deployments as well as for private and community passive fiber optic networks. 
>> Read more about EcoNet Linux Empowering Mobilizon — Find, create, organise and curate events Mobilizon empowers users to create collaborative platforms for promoting local events, activities, and groups. Utilizing the ActivityPub protocol, these platforms facilitate information sharing, allowing users to publish their events on one Mobilizon instance and broadcast them across others when appropriate. Designed with user-friendliness in mind, Mobilizon aims to reduce local advertisers' reliance on major tech companies. Currently, dozens of Mobilizon instances are operational, collectively attracting thousands of users. However, this is not enough to harness the full potential of the network effect and drive meaningful societal change. Numerous enhancement requests and areas for improvement have been identified, and it is crucial to refine and prioritize these initiatives. Should we enhance federation with ActivityPub? Develop solutions to combat spam? Allow users to join a waiting list for fully booked events? Improve categorization and search functionalities? Address persistent bugs? Optimize response times? To tackle these challenges, we aim to establish a governance structure involving other instance administrators. Together, we can prioritize the most impactful changes and integrate them into our roadmap, ultimately making it easier for the community to discover and engage with local activities. >> Read more about Empowering Mobilizon Erik Synchronization Protocol for RPKI — Protect BGP with Resource Public Key Infrastructure signatures The Resource Public Key Infrastructure (RPKI) is a critical component of the global Internet routing system: it plays a key role in safeguarding both national and international routing infrastructure. Expedient and reliable distribution of up-to-date RPKI data helps Internet providers make better BGP routing decisions. 
The Erik Synchronization Protocol seeks to develop a novel HTTP-based data replication system for the RPKI using Merkle trees, content-addressable naming, and concurrency control using monotonically increasing sequence numbers. The protocol's design is intended to be efficient, fast, and easy to implement. The goal of the current project is to develop the Erik Synchronization Protocol specification as an open standard and produce open-source reference implementations based on rpki-client. >> Read more about Erik Synchronization Protocol for RPKI Every Door — Efficient and customizable mobile OpenStreetMap editor Every Door is an open-source OpenStreetMap editor for Android and iOS devices. It focuses on efficient on-the-ground surveying, mainly on points of interest and addresses. With the app, one can fully map an entire shopping mall or an entire village in a matter of hours. The next steps for the editor are vector tiles and customization: tailoring Every Door for focused mapping and adding interoperability with third-party services. >> Read more about Every Door F-Droid Architecture for Reproducible Apps — Reusable stack for reproducible builds of FOSS apps F-Droid has been bringing reproducible builds to the Free Software Android ecosystem since 2015. We have complete build automation for managing source from upstream, building them and publishing them via a secure pipeline. We have automatic rebuilders that confirm that apps have been reproducibly built and point out the differences when not. We include best practices for trustworthy software: open source, transparent reviews, reproducible builds, user-chosen curation, etc. In this project, we will research how users evaluate trustworthiness, and use this to fix pain points and develop better strategies for communicating our key benefits. We will also improve F-Droid's automation to ship more reproducibly built, reviewed apps at a faster pace. 
We'll expand reproducible builds as a practice by improving integration and easing deployment. This makes it easier for people to not only understand and appreciate the importance of these essential practices, but to adopt them in practice. >> Read more about F-Droid Architecture for Reproducible Apps F3D — Cross-platform, fast and minimalist 3D viewer F3D is an open source, community-driven, cross-platform, fast and minimalist 3D viewer. Already integrated into many Linux distributions, F3D is packed with features that let users visualize and render their 3D models efficiently. F3D supports dozens of file formats and aims to be the go-to solution for simply taking a look at any 3D model; it also supports thumbnails and integrates well in the desktop experience on Windows and most Linux desktop environments. F3D also provides libf3d, a C++ API to simply and efficiently render 3D models, with Python, Java and JavaScript bindings. As such, libf3d is available as a Python wheel on PyPI and will soon be available as an npm package. The F3D community strives to be inclusive and welcoming, with a clear contribution and maintenance process where everything is discussed openly with any interested parties. >> Read more about F3D F3D Animations, Rendering and Integrations — Cross-platform, fast and minimalist 3D viewer F3D is an open source, community-driven, cross-platform, fast and minimalist 3D viewer. Already integrated into many Linux distributions, F3D is packed with features that let users visualize and render their 3D models efficiently. F3D supports dozens of file formats and aims to be the go-to solution for simply taking a look at any 3D model; it also supports thumbnails and integrates well in the experience of many desktop environments. F3D also provides libf3d, a C++ API to simply and efficiently render 3D models, with C, Python, Java and JavaScript bindings. 
As such, libf3d is available as a Python wheel on PyPI, as an npm package to make F3D available as a web 3D viewer, and will soon be available as a mobile app. The F3D community strives to be inclusive and welcoming, with a clear contribution and maintenance process where everything is discussed openly with any interested parties as well as a dedicated mentoring track. This project will make a large set of improvements in many places, from web rendering and animation enhancements to improving integrations (including proper libf3d integration in FreeCAD), packaging, a friendlier and more usable user interface, polyscope-like features, support for new file formats, better CI and much more. >> Read more about F3D Animations, Rendering and Integrations FederatedCode Next — UI and curation queue for VulnerableCode data enrichment VulnerableCode is an open-source database that aggregates and enriches data concerning CVE with metadata to make it easier to track CVEs across packages and dependencies. VulnerableCode was designed from its inception to correlate and aggregate multiple data sources and not have a single point of failure. The FederatedCode Next project aims to create a UI and curation queue for VulnerableCode in order to take the next step towards an open, peer-to-peer federated database of code vulnerabilities. This makes it possible to ensure cybersecurity professionals have the essential information they need to do their work when new vulnerabilities are unveiled - such as PURL and VERS version ranges for impacted and fixed package versions, Common Weakness Enumeration details to qualify the weakness exposed by a CVE, severity scoring, mitigation possibilities besides updating and patching, the actual commits/patches that introduce/fix a vulnerability for reachability analysis, related PoC for exploits, etcetera. 
>> Read more about FederatedCode Next Interoperability of Events in the Fediverse — A common approach to using the ActivityPub Event object type Events are at the heart of social life and deserve to be treated accordingly in the Fediverse. Although events are already supported by many ActivityPub applications, they often lack standardised implementation, which limits interoperability within the network. A fundamental milestone of this project is therefore to finalise and refine the current Fediverse Enhancement Proposals (FEPs) for events, in particular FEP-8a8e, and to investigate enhancements for advanced features such as super/child events, recurring events and RSVP actions. In addition, we will investigate the Fediverse Auxiliary Service Provider Specifications (FASPs) for discoverability and filtering of public events. Other aspects include further development of the Event Bridge for the ActivityPub WordPress plugin, working with GatherPress to make it a comprehensive ActivityPub event solution for WordPress, and contributing to other Fediverse projects on a case-by-case basis to align their event implementations. This may also include improving event support in applications that currently have very limited support. In addition, the project will serve as a knowledge hub and facilitate communication between developers working on events in ActivityPub. This includes hosting presentations to raise public awareness about the progress and (social) potential of events in the Fediverse. >> Read more about Interoperability of Events in the Fediverse Expanding the Felix86 emulator — x86 and x86-64 userspace emulator for RISC-V Linux Felix86 is an open-source x86 and x86-64 userspace emulator for RISC-V Linux. By enabling the high-performance execution of complex x86 and x86-64 applications, including Windows software via Wine, Felix86 removes a large barrier to adopting the open-standard RISC-V architecture for personal computing: legacy software dependence. 
The emulator implements a fast Just-In-Time recompiler that translates x86 machine code to optimized RISC-V code, while utilizing many RISC-V extensions such as the vector extension for SIMD operations. This project will help us support AVX and AVX2 with RISC-V vector, improve compatibility with Linux signals, support programs that use ptrace, >> Read more about Expanding the Felix86 emulator Fidus Writer modularisation — Semantic word processor for collaborative writing and structured documents Fidus Writer is an open-source, real-time collaborative web-based editor specifically designed for the academic community, enabling researchers to co-author documents with semantic structuring and discipline-specific formatting while preserving data sovereignty and privacy. Fidus Writer contributes to a more open scholarly communication ecosystem by offering alternatives to proprietary platforms, ensuring transparency, interoperability, and long-term accessibility of academic work. This project is about modernizing the look of Fidus Writer and modularizing the code to make it deployable in a wider range of scenarios and interoperable with other open source software. >> Read more about Fidus Writer modularisation Filling the Gaps in Testing Open-Source Firmware — Improved infrastructure for Open-Source Firmware quality assurance The project summary for this project is not yet available. Please come back soon! >> Read more about Filling the Gaps in Testing Open-Source Firmware Flatline Server — Independent server for Signal protocol This project develops a self-hosted, single-node prototype of the Signal server by removing its cloud service dependencies, allowing users and organizations to run their own private, secure communication networks independent of centralized US-based infrastructure. 
Key tasks include forking and adapting the Signal server codebase, building a containerized infrastructure stack, modifying the Molly client to support server selection, and creating DevOps scripts for easy deployment. The result will be a proof-of-concept server, a public demo deployment for testing, documentation for connecting libsignal-based clients such as Whisperfish, and proposals for further research into decentralizing Signal. The project aims to preserve Signal's high security standards and compatibility while increasing autonomy and privacy in secure messaging. >> Read more about Flatline Server Flock XR — 3D visual creativity and coding tool Flock XR is a visual creativity and coding tool that allows young people to create 3D experiences in a web browser. Flock XR allows young people and beginners to create apps relevant to the virtual worlds that they use socially. Through creating with Flock XR, young people develop technical and creative skills such as coding and working in 3D space with 3D models and animations. They will be able to create using extended reality features including VR, Augmented Reality, 3D printing and spatial audio. This puts them on the path to amazing career opportunities across many industries. Flock XR is being developed with an inclusion first approach using co-design techniques with young people in our pilots. After a successful schools pilot we are focussing on improving user experience, stability and access for all. Flock XR builds on established open source tools, Blockly and Babylon.js to bring modern 3D creation to young people on the devices they already use. We’re designing Flock XR for users who may have older hardware and limited data access. And we take young people’s rights, safety and data privacy very seriously. We’re extending young people’s reality with Flock XR and giving them the skills to create the virtual worlds that humanity needs. 
>> Read more about Flock XR Flock XR: Keyboard + Mobile/Touchscreen UX — Creative coding platform for 3D virtual worlds and spatial apps Flock XR is a visual creativity and coding tool that allows young people to create 3D experiences in a web browser. Flock XR allows young people and beginners to create apps relevant to the virtual worlds that they use socially. Through creating with Flock XR, young people develop technical and creative skills such as coding and working in 3D space with 3D models and animations. They will be able to create using extended reality features including VR, Augmented Reality, 3D printing and spatial audio. This puts them on the path to amazing career opportunities across many industries. Flock XR is being developed with an inclusion-first approach using co-design techniques with young people in our pilots. Our current focus is on making Flock XR accessible to more users with work to add keyboard controls for block-based coding and 3D creation, and improvements on the user experience on mobile and touch screen devices. >> Read more about Flock XR: Keyboard + Mobile/Touchscreen UX flohmarkt — Self-hostable web app for creating, sharing and answering classified ads Flohmarkt is a solution for creating, sharing and answering classified ads. It strives to be the online equivalent of a classical supermarket bulletin board. It enables anyone to set up a marketplace for connecting private sellers and buyers of second hand items, without reliance on third parties, while interconnecting via the ActivityPub protocol with other instances of Flohmarkt and even with other services on the fediverse. Operators could for example be associations organising clothing-bazaars, interest-groups focussed on very specific kinds of spare-parts, or neighborhood-based sharing communities. >> Read more about flohmarkt flop! — Automatic generation of optimised time rosters flop! is customisable software for cooperative scheduling and automatic timetable generation. 
It offers low-friction management of educational schedules by betting on cooperation. Each user (educator, student, etc) is encouraged to freely express their preferences and constraints through a large catalog of expressible wishes, designed for exhaustiveness. The best possible timetable is then calculated using MILP (Mixed-Integer Linear Programming) solvers. The generated timetable can be fine-tuned by any educator directly within the interface, without the need for time-consuming exchanges with a supervisor. This approach, which improves working conditions for everyone, is made possible by an intuitive interface for expressing preferences and a secure framework with granular permission management, ensuring all constraints are satisfied at all times. A version dedicated to cooperative professional teams is also under development. >> Read more about flop! Follow-me slideshow for Collabora Online — Accessible slideshows for videoconferencing tools Collabora Online is an open source online office suite built on LibreOffice technology, enabling web-based collaborative real-time editing of word processing documents, spreadsheets, presentations, and vector graphics. This project improves the presentation mode with a feature where one leader can control the presentation and others can remotely follow it easily, including slide transitions, animations and other complex content. This includes some accessibility support and integration into existing open-source video call software. >> Read more about Follow-me slideshow for Collabora Online Forgejo — Self-hosted lightweight software forge In order to collaborate among global FOSS communities, software repositories need to be made available online. Running such repositories on top of a third party proprietary service introduces ethical concerns, privacy risks and geopolitical issues, where the political situation in one country can have an impact on the availability of technology in other countries. 
Forgejo is a forge application with a focus on software freedom, transparency, privacy and accessibility, but also pays great attention to stability, usability / user experience and federation in the long term. To address usability issues with the current contribution workflow, that was in large parts inherited from proprietary platforms like Microsoft GitHub, we want to innovate and improve the way contributions can be made using Forgejo, inspired by existing workflows such as Gerrit and AGit. Further, more important usability around LFS, accessibility issues and moderation features will be worked on in the scope of this grant. >> Read more about Forgejo Formulas — Programmatic reuse of spreadsheet formulas Formulas is a high-performance open-source computation engine that brings complete Excel-compatible formula evaluation to the Python ecosystem, without relying on proprietary software. It enables .xlsx and .ods spreadsheets to be loaded, parsed, and executed as standalone, programmable units. The project transforms traditional spreadsheet logic into reusable, callable functions that can be embedded in data pipelines, automation workflows, and modern applications. Instead of mimicking spreadsheet UIs, it exposes the logic layer of Excel as a scriptable backend component — ideal for ETL pipelines, CI workflows, APIs, notebooks, and low-code/no-code platforms. By treating spreadsheets as function-as-a-node components, Formulas empowers developers, analysts, and low-code/no-code builders to automate reports, validate models, and scale spreadsheet logic across data science, finance, and enterprise infrastructure. Fully scriptable, portable, and extensible, Formulas bridges the gap between spreadsheet modelling and modern programmable environments. 
>> Read more about Formulas Wikirate Frameworks — Open corporate data in Wikirate through the lens of standards Wikirate.org is the largest open-source open-data registry of Environmental, Social and Governance (ESG) data about companies. The project, “A Frameworks Framing: Open Corporate data through the lens of standards”, aims to enhance Wikirate.org by integrating ESG standards and frameworks as key navigational and analytical tools. The enhancements will make it easy for diverse stakeholders – such as researchers, CSOs and investors – to navigate the many existing frameworks conceived to organize ESG data. It can be very difficult to wrap one’s head around any single ESG framework, much less to see how all the frameworks interrelate. There is, however, quite a lot of interrelation. Frameworks end up needing the answers to overlapping questions (or, in Wikirate terms, metrics). The functionality developed in this grant will enable users to see how Wikirate metrics and datasets align with one or more frameworks. The project will facilitate better understanding and use of corporate data for stakeholders by streamlining the organization of ESG topics, advancing open standards, and making frameworks central to exploring metrics. >> Read more about Wikirate Frameworks Frictionless libraries — Make Frictionless libs compatible with latest version Data Package is a standard consisting of a set of simple yet extensible specifications to describe datasets, data files and tabular data. It is a data definition language (DDL) and data API that facilitates findability, accessibility, interoperability, and reusability (FAIR) of data. This project will be updating and refactoring core libraries in the popular programming languages Python, R, and JavaScript to fully support Data Package v2 - the new version of the standard which was published in 2024. This ensures these tools remain reliable and interoperable. 
>> Read more about Frictionless libraries KiCad Frontpanel Generator — Create matching front panels for KiCad PCBs automatically The most popular free and open source design suite for Printed Circuit Boards (PCBs) likely is KiCad. When designing a PCB with buttons and switches, that's meant to be operated by an end user, the PCB usually is covered by a front panel. The front panel has cut-outs and labels for switches, displays and indicator lights. Designing a suitable front panel often is a time-consuming extra step, because all the cut-outs and labels must be placed manually at precise locations to match the PCB components. KiCad Frontpanel Generator creates matching front panels for KiCad PCBs automatically. The PCB designer defines cut-outs and labels in unused layers of footprints and in the PCB. The Front Panel Generator then uses the shapes from these layers to generate a suitable cover plate. >> Read more about KiCad Frontpanel Generator Funfedi.dev — Testing correct implementation of W3C ActivityPub FunFedi.dev collects and displays information on how Fediverse applications parse incoming objects to display them. The aim of this project is first to extend this to further object types: polls, events, locations, articles. It will also provide a method to validate that the parsing is correct (rules), e.g. if the object contains bold text, so should the output. Another target is to handle methods of object transmission, e.g. FEP-1b12: Group federation (https://fediverse.codeberg.page/fep/fep/1b12/). And finally, we will provide new tools to collect information on the objects applications create. >> Read more about Funfedi.dev Funkwhale Federation — Extend ActivityPub capabilities for Funkwhale Funkwhale is an open-source platform for music and podcast streaming, exploration and publishing that empowers users to publish, share, and enjoy audio content across the Fediverse and beyond. 
By using open standards like ActivityPub for federation between websites that host Funkwhale, RSS for integrating with other platforms, and Subsonic for client compatibility, Funkwhale bridges communities and tools seamlessly. Its mission is to help listeners and audio content creators break free from corporate monopolies by opening up the music industry through a decentralized, community-driven approach. Funkwhale wants to give artists and audiences more control, freedom, and ownership over how music is distributed and experienced by freeing it from commercial exploitation. >> Read more about Funkwhale Federation FuseSoc-compatible Web Catalog — A catalog of gateware that can be easily used with FuseSoC FuseSoC is a package manager for chip designs, allowing for easy reuse and sharing of IP cores as well as combining them into larger systems. Its native core description format (CAPI2) allows describing IP cores in a tool- and vendor-independent way. Together with FuseSoC's backend library Edalize this enables creating and using portable IP cores and SoCs for a large number of EDA tools and flows. This project will extend FuseSoC with a collaborative database and a web frontend that allows users to upload their core description files to a central repository to make it easier for others to find and inspect them. In addition, signing, SBOM generation and a web frontend will be added to increase transparency, trust and security. >> Read more about FuseSoc-compatible Web Catalog GLOW-SG13G2 (Gate Library for Open Flow - SG13G2) — Digital standard cell library for IHP SG13G2 process GLOW-SG13G2 is an open-source digital standard cell library for IHP SG13G2 process. It will provide a methodology for the design of standard cells, flow for characterization and a library of 150+ designed and characterized cells. Standard cells will be designed for use with open source digital flow tools to build complex SoCs. 
Methodology and characterization flow will in most part be process-agnostic, and can be used as a foundation for streamlined development of additional standard cells, or for development/porting to other open source CMOS processes. >> Read more about GLOW-SG13G2 (Gate Library for Open Flow - SG13G2) New data types for GNU Octave — Advanced data analysis workflows in GNU Octave The datatypes package is an extension for GNU Octave, which provides a set of new data classes for tabular, categorical, and time-related data. These new data types are essential to statistical and time-series analysis and aim to facilitate advanced data analysis workflows in GNU Octave. The vision behind datatypes is to provide robust and well-tested implementations of table, timetable, and geotable objects, which in addition to their MATLAB-compatible features will also provide integration and data exchange functionality with other widely used data formats, thus enhancing interoperability with the GNU Octave ecosystem. Besides the tabular classes, the datatypes package already supports classes for calenderDuration, categorical, datetime, duration, and string arrays and it is within the scope of this project to extend its support to timeseries arrays and dictionary objects. This project aims to complete the missing features of the datatypes package along with the development of comprehensive documentation and testing suite in order to provide production-ready data types for the GNU Octave language. >> Read more about New data types for GNU Octave Galene — Libre high quality videoconferencing solution Galene is a videoconferencing system that is easy to install and to administer and uses moderate server resources. Galene comes bundled with a web client, and therefore requires no client-side installation, but the protocol is fully documented and designed to make it easy to write native clients. The goal of this project is to improve Galene, on the server side but especially on the client side. 
This includes optimising server-side algorithms, improving the functionality of the bundled web client (including a responsive video grid layout) and better accessibility, adding a waiting room, improving the SIP gateway and many other small improvements - also to other projects (such as developing a WHIP remote for Pipewire, and adding SIP/TCP and SIP/TLS as well as a UAS role to the SIP library that is used by Galene). >> Read more about Galene Maturing the Gancio back-end — Better scale Fediverse-capable shared agenda for local communities Gancio is a shared agenda for local communities. It is focused on decentralisation and simplicity, enabling users to discover events and communities to connect and collaborate, while avoiding attention-based business models and intrusive advertisements. With Gancio about to release its next major version involving a rewrite of the whole application, this project aims to increase the maturity of the Gancio back-end. It will build on top of the 2.0 effort and work on improving the reliability, interoperability, and maintainability of the system - as well as lowering the barriers to entry for new contributors. >> Read more about Maturing the Gancio back-end Garage Administration UI — Easier administration for selfhosted storage buckets Garage is a lightweight geo-distributed data store that implements the Amazon S3 object storage protocol. Garage is meant primarily for self-hosting at home on second-hand commodity hardware, and aims to be easy to deploy and maintain, so that hobbyists and small organizations can use it without a hassle. To further this goal, the Garage admin interface project aims to develop a web UI to make cluster administration easier and more intuitive. This interface will cover the most common operations on a Garage cluster: visualizing cluster status; joining new nodes, removing nodes, and changing node configuration; and management of S3 access keys, buckets and bucket configurations. 
>> Read more about Garage Administration UI Garage reliability and performance — Open-source S3 compatible distributed object storage service The project summary for this project is not yet available. Please come back soon! >> Read more about Garage reliability and performance USB 3 PHY implementation on GateMate FPGAs — USB 3 PHY implementation with Cologne Chip GateMate FPGA Transceiver Since its introduction at the end of the previous century, USB has developed into the most widely used interface to connect all sorts of electronic devices. Recent versions of the USB standard provide serial communication at speeds of 5Gbps and higher, which require a dedicated hardware block (transceiver) inside a chip. Throughout the last decade, FPGA devices have been gaining popularity in many applications and this trend will not stop. Even small and low-cost modern FPGA devices, such as GateMate FPGA from Cologne Chip AG, include transceivers capable of communication at 5Gbps. However, no Open Hardware and FOSS implementation of USB 3.x is available. This project will enable a universal and libre USB 3.2 Gen.1 x1 (5Gbps) connectivity on the GateMate FPGA. >> Read more about USB 3 PHY implementation on GateMate FPGAs Geoloquent — Location service for desktop and mobile Linux Geoloquent is a memory safe re-implementation of the Geoclue2 D-Bus location service API from freedesktop.org. Location services are used by location-aware apps within projects like Gnome and KDE and they range from utilities with low location accuracy requirements (automatic timezone and night-mode setting) to GPS navigation apps and sports tracking apps. Geoloquent is implemented in Rust with the Tokio async framework. The requirements for an improved, but backwards compatible location service API will be explored during the project in collaboration with the user community. 
>> Read more about Geoloquent SIP improvements for GNOME Calls — Add DTLS-SRTP to GNOME Calls Audio (and video) calling over the internet has become ubiquitous and the Session Initiation Protocol (SIP) has often been used for establishing connections between peers. Calls can be used for calling both over GSM and VoIP using SIP. It is a component of the GNOME/Phosh mobile ecosystem and is included in operating systems targeting Linux smartphones, such as Mobian or postmarketOS. One of the goals of this project is to implement the DTLS-SRTP protocol which comes with better security properties over the current SRTP implementation, while another would be general user experience improvements. GNOME/Phosh and Calls run on multiple different phones on a variety of fully FLOSS operating systems, today. This project should help increase existing users' privacy while also broadening the appeal of open source soft- and hardware, which do not exploit the user's data by default. >> Read more about SIP improvements for GNOME Calls Verilog-AMS in Gnucap — Improve performance and Verilog-AMS coverage in Gnucap Verilog-AMS is a widely used standardised modelling language for physical systems, such as electronic circuits. In this project we will continue the work on a first free/libre reference implementation. The overall goals are to improve simulation in terms of speed and feature coverage. In this project Gnucap will implement more of the standards, specifically features related to the digital domain. New features will include the delay and signal strength modelling capabilities as well as sparse output in form of value change dumps. We will reassess and improve the performance of Verilog behavioural models and revise the mixed mode simulation algorithm. We will enhance the compatibility with Spice simulators improving the upgrade path from Spice based modelling applications. 
This includes the syntactical support for popular behavioural modelling devices enhancing the use of existing Spice macros within a Verilog environment. Basic scripting commands compatible with Nutmeg will be provided. We will continue the work related to data exchange between EDA tools, such as schematic and layout editors. We will extend towards compatible device representation that works across different applications enabling the seamless interchange of complete circuit models. >> Read more about Verilog-AMS in Gnucap GoActivityPub — Help people develop Fediverse software in Go GoActivityPub provides a batteries included suite of modules for making the creation of ActivityPub applications easier for Go developers. It was designed to offer a middle ground between the highly dynamic nature of the Activity-Vocabulary and the constraints of the Go programming language, with emphasis on strong typing, minimal resource footprint and very little \"magic\". It has distinct components for the vocabulary types and processing of activities, an HTTP client which supports authorizing to servers with both ActivityPub specific and traditional methods, multiple storage backends, and other low level helper modules. The current goal is to improve the experience for new developers through better documentation, increased robustness and a stabilized API, while also adding the support for Activity-Vocabulary extensions through code generation. >> Read more about GoActivityPub GoToSocial performance & connectivity — Advanced moderation and federation features for GoToSocial GoToSocial is an ActivityPub social network server, written in Go. It complements existing ActivityPub implementations by providing a lightweight, customizable entryway into decentralized social media hosting. GoToSocial places a high value on ease of deployment and maintenance; this means low system requirements, minimal external dependencies, and clear documentation. 
GoToSocial empowers self-hosting newcomers to deploy small, personalized instances, from which they connect to others across the Fediverse, using low-powered equipment lying around at home. In this project, the GoToSocial team adds new moderation and federation features to GoToSocial, bringing it towards a version 1.0 release (projected end 2026). >> Read more about GoToSocial performance & connectivity Graphite 2D graphics editor — Keyframe animation and vector editing intuitive UI enhancements Graphite is a graphics editor for creative professionals that brings a uniquely modern, yet traditional-feeling, 2D design workflow to artists across all desktop platforms. It is a digital content creation application built to integrate nondestructive layer-based vector graphics editing with node-driven procedural design and animation. Its future vision also aims to encompass fully-fledged publishing, painting, and raster (image/photo) editing toolsets as part of a comprehensive, all-in-one graphics suite. The software is built with generality in mind, structured as a programmatic graphics engine capable of rendering any form of 2D visuals representable as data. The engine's GUI editor exposes familiar, artist-friendly, industry-standard visual design tools that translate edits into artwork by interactively constructing a node graph that procedurally generates the authored content. The node-based visual programming language unifies algorithms with art, data with design, and coding with creativity. >> Read more about Graphite 2D graphics editor (H)IDE for Guile Hoot — Scheme on WASM The goal of the project is to provide a high-quality development tooling (IDE, reflection libraries, nREPL) for Guile Hoot and make that tooling reusable across different ecosystems and text editors. 
Good development tooling is important to make technologies like Guix, Spritely Goblins, other Guile-based projects (and their WebAssembly counterparts) more accessible, and the development of them (and their ecosystems) more efficient and enjoyable. The reusability is achieved by using standardized protocols and technologies like nREPL and tree-sitter. The enjoyment and efficiency are achieved by thorough and careful design and implementation. >> Read more about (H)IDE for Guile Hoot Bring x86_64-gnu (the 64bit Hurd) to Guix — Port Guix to the GNU Hurd microkernel \"The Hurd\" is the GNU project's microkernel-based replacement for the Unix kernel. This system has long promised enhanced privacy and security for computer users. This promise has been noted by RISCV-64 researchers who are currently looking to standardize and add RPC hardware features to support microkernels. GNU Guix currently supports i586-gnu (the 32bit Hurd) and is the only supported GNU/Hurd distribution apart from Debian/Hurd that is used by the Hurd developers. Guix introduced running the Hurd as a system service under Linux (a Childhurd) which has made it very easy to try out the Hurd which has significantly increased interest in it. As the current 32bit Hurd system can use only a fraction of the system's memory and only one processor, it is not a very attractive proposition. This project will bring the 64bit Intel port of the Hurd to Guix which aims to be another significant step in the adoption and development of the Hurd. >> Read more about Bring x86_64-gnu (the 64bit Hurd) to Guix Reproducible bootstrap path for 'Node.js' based on GNU Guix — Build Node.js from source with Guix Node.js is used directly or indirectly in the bootstrap path of most modern web browsers. Contemporary versions of Node.js depend on a HTTP parser called llhttp. Building llhttp requires an ECMAScript runtime such as Node.js to generate C sources from a declarative parser specified with TypeScript. 
This project aims to create a bootstrap path for Node.js in GNU Guix without relying on an existing older version of the Node.js runtime. This approach ensures there won't be an ever-growing list of insecure and unmaintained versions of Node.js required to bootstrap future versions of Node.js. >> Read more about Reproducible bootstrap path for 'Node.js' based on GNU Guix Blind crypto and OAuth2 for ARPA2 — Advancing HTTP-SASL and keyless identity HTTP-SASL is a generic mechanism for HTTP login, which can be used to incorporate new cryptography into HTTP flows. To allow this as a starting point from one's own domain, a trampoline from that domain to others might use OAuth2, which is broadly adopted as trust crossover for web authentication. This project will develop a design connecting OAuth2 to HTTP-SASL, and will also add blind signatures to KIP - a protocol for identity based encryption. This allows KIP to be used e.g. for sharing keys between HTTP-SASL parties. >> Read more about Blind crypto and OAuth2 for ARPA2 Heavy Compiler Collection — Unified DSP and Interface Design for Audio Plugins HVCC is a Python-based dataflow audio programming language compiler that generates C/C++ code and a variety of specific framework wrappers. It leverages creative coding and the Pure Data visual programming language as a design interface for optimized and embeddable DSP code. It has found uses in different fields like procedural game audio, desktop production plugins and embedded hardware systems. This project aims to use the Pure Data visual language to allow for the immediate design of the user interface of these applications. The user will then be able to creatively put together both the underlying audio processing and at the same time the visual control interface of their project. 
>> Read more about Heavy Compiler Collection Nix Integration for Hop3 — Nixify the Hop3 self-hosted cloud platform Hop3 is an open-source orchestration platform designed to simplify the deployment and management of distributed applications across cloud and edge environments. With a focus on flexibility, security, resilience, and ease of use, Hop3 empowers developers and small organisations to take full control of their IT infrastructure and data, ensuring digital sovereignty and avoiding vendor lock-in. The project will enhance the Hop3 platform by integrating Nix, a powerful package manager known for its ability to create reproducible environments, to improve build-time flexibility and ensure consistent, reliable run-time performance. As a test bed and showcase of this integration, we will package 20 diverse and impactful F/OSS applications. Additionally, we will develop new resilience and cybersecurity features to further strengthen the platform's robustness and security. >> Read more about Nix Integration for Hop3 Hubzilla performance improvements — Make Hubzilla more efficient and expand Superblock This project will explore and implement profiling tools to help measure and improve the performance of the Hubzilla fediverse server using existing tools, and where necessary, by expanding Hubzilla itself to provide useful performance metrics. The goal is to be better able to flag performance regressions, and to identify performance bottlenecks. A second goal of the project is to improve the Superblock addon by adding requested features and fixing reported bugs, as well as allowing non-admin channels to suggest site blocks to the admins. >> Read more about Hubzilla performance improvements Husk — Pass-through solution for automatic OpenPGP encryption Husk is an email filter (milter) for MTAs which encrypts emails while they pass through it. 
It facilitates Web-of-Trust technologies to use decentralized and federated certificate authorities as sources for authenticated OpenPGP certificates. It aims to reduce the amount of administrative effort of obtaining and keeping them up to date by establishing narrow, focused trust delegations. Husk can be used to encrypt emails for services which cannot encrypt on their own – like notification systems or issue trackers, or being used at the end of transport to implement zero-access encryption (for email at rest). Husk is written in Rust and uses Sequoia PGP for encryption and certificate handling. >> Read more about Husk Hyper 8 Video System — Self-hostable, maintenance-free video publishing tool The Hyper 8 Video System re-envisions video publishing on the web using static site generation – a familiar PeerTube/YouTube-like web interface for viewers meets a fast, indestructible, maintenance-free, local-first backend that can be operated both through a beginner-friendly, cross-platform GUI, as well as with advanced terminal-based and scripted workflows. In this project the feature scope, accessibility and usability will be leveled up, introducing new theming and customization options, support for chapters, built-in SFTP-based deployment, code-protected videos, and much more. >> Read more about Hyper 8 Video System Universal Sensor Libraries — Shared libraries for different types of sensors The aim of this project is to provide a group of open source, portable (embedded + Linux) C/C++ libraries which interface with a wide selection of popular I2C sensors. The I2C de-facto standard of using numbered registers for configuring and taking readings from sensors allows for some user-friendly abilities. These include the ability to auto-detect most sensors based on their fixed I2C addresses and, if present, WHO_AM_I register. It also allows for a common set of functions to work with sensors from a wide variety of vendors. 
These two elements together gave me the inspiration to create this project - a set of sensor libraries not written for individual devices, but for a whole class of sensors. For example, IMUs (inertial measurement units) share many similarities across vendors and sensor types (e.g. accelerometer, gyroscope and magnetometer). These commonalities allow for a single API to use a long list of sensors while still supporting their unique features. This in turn will liberate users from being locked in to a specific vendor - at any point in their project development they can switch components without having to rewrite their code. The sensor categories included so far in this project are: temperature/humidity/pressure, realtime clocks, IMUs, capacitive touch screens and CO2 gas sensors. A secondary benefit of this system of auto-detecting sensors is that less experienced users can simply tell the library what GPIO pins connect the sensor to the MCU and the library will \"just work\" without having to be told what specific sensor is in use, nor the I2C address it uses. >> Read more about Universal Sensor Libraries Space grade Instrumentation Amplifier ASIC — Validate open toolchains with Open Hardware with high quality ASIC This project will develop an instrumentation amplifier (INA) with programmable gain (through I2C / SPI interfaces) which achieves high accuracy (< 1% gain error), low noise (< 20nV/rtHz at 1kHz), and high common mode rejection (> 80dB). It will produce an ASIC using free and open tools which will be taped out on IHP’s 130nm open source PDK, with performance guaranteed across process (slow / fast silicon), voltage (± 5%) and temperature. Because of its high performance, the INA will be applicable to high accuracy sensing applications (pressure, strain, temperature) typical of those found in a wide variety of industry / medical applications.
In addition, the INA will be made robust to high radiation environments, making it applicable to low earth orbit / high energy particle applications, where single event latch-up can be problematic. The final chip will be characterised as a tangible proof of the maturity of today's free and open source toolchains and their readiness to produce high performance semiconductors. >> Read more about Space grade Instrumentation Amplifier ASIC Incroxigraph — Extend Oxigraph with continuous live evaluation of SPARQL queries Dynamic applications, such as real‑time dashboards, local‑first clients, IoT analytics, and collaborative data platforms, increasingly require SPARQL queries that react instantly to changing RDF data. Today, most engines fully recompute query results, causing unnecessary delays. This project introduces Incroxigraph, which extends Oxigraph (a fast, Rust‑based graph database implementing the SPARQL standard) to support Incremental View Maintenance (IVM) for SPARQL queries. By updating query results incrementally as data changes, Incroxigraph will enable highly responsive SPARQL applications with significantly lower latency and computation overhead. The work re‑implements proven incremental techniques in Rust and delivers them as an open‑source, production‑grade engine with bindings for Python and potentially WebAssembly/JavaScript. A key integration target is NextGraph, a decentralized CRDT‑driven platform where Incroxigraph will allow efficient querying over continuously evolving, collaborative data. The resulting technology will strengthen the open Linked Data ecosystem by making responsive SPARQL evaluation broadly accessible for modern, data‑intensive, and decentralized applications. >> Read more about Incroxigraph Icosa Gallery — Community-led 3D creation and sharing tools Icosa maintains three projects that build upon the legacy of Google's Tilt Brush, Blocks and Poly. We are developing open-source, community-led 3D creation and sharing tools.
Open Brush allows users to paint in 3D space, creating immersive artworks. Open Blocks provides intuitive tools for low poly 3D modeling, enabling the construction of virtual objects and environments. Icosa Gallery serves as a 3D model hosting platform, providing a central location for sharing, viewing, and distributing 3D assets. We aim to enhance the interoperability and content processing pipeline with improved format conversion and streamlined workflows. The reusability of the Icosa Gallery will be improved, making it more useful for integrating into existing websites, editor tools for the Gallery Viewer will be created, and integrations with Blender and Godot will be enhanced. These improvements will solidify the foundation of this open-source 3D ecosystem, facilitating wider creation and distribution of 3D content. >> Read more about Icosa Gallery Federating pedagogical immersive experiences — Framework for playful learning content in enhanced reality Emerging technologies like augmented and virtual reality (XR) provide incredible avenues to teach and learn. Unfortunately, nearly all content and ways to create it remain centralized through large captive platforms. Such platforms lock users and their creations to their closed source environment and filtering mechanisms. This process risks reflecting assumptions on how teaching can be done. The project \"Federating pedagogical immersive experiences\" proposes a self-hostable platform to remix simple pedagogical XR games. Learners themselves can then, together with parents and teachers, freely share back pedagogically, culturally and linguistically adapted content - curated by their own instance and benefiting from immersive technologies without being locked to a platform.
>> Read more about Federating pedagogical immersive experiences Collabora Online Multi-user Infinite Canvas — Infinite Canvas / collaborative presentation mode for Collabora Online Collabora Online is an open source online office suite built on LibreOffice technology, enabling web-based collaborative real-time editing of word processing documents, spreadsheets, presentations, and vector graphics. This project will implement an infinite canvas for presentations, a presentation mode where individual slides are positioned in a 2.5D plane - which becomes apparent when moving from one slide to another. This allows for non-linear presentation modes, as well as presenting the overall outline of the whole presentation in a visual way which users can intuitively grasp. >> Read more about Collabora Online Multi-user Infinite Canvas IronCalc for Nextcloud — Embed IronCalc spreadsheet engine into Nextcloud Nextcloud is a free and open source system for online collaboration with file sharing as a cornerstone feature. While it has decent text editing capabilities in the form of its Markdown editor, it relies on external office suites such as Collabora Online and OnlyOffice for working with spreadsheet files. This project provides a leaner alternative through integration with IronCalc, a fast, lightweight spreadsheet engine built from the ground up for collaboration, online use and integration. This benefits Nextcloud by providing its users with a simpler option for working with spreadsheet files and benefits IronCalc by expanding its user base and ecosystem. >> Read more about IronCalc for Nextcloud IronCalc — Fast spreadsheet engine in Rust IronCalc is a versatile open-source spreadsheet engine written in Rust from the ground up, employing modern programming best practices. IronCalc aims to be an all-purpose alternative to Excel or Google Sheets, filling an important gap in the democratisation of spreadsheets. 
Suited for companies, individuals, and schools alike, the project aims to be feature-rich, international, fast, and lightweight. As IronCalc is quickly gaining adoption as a spreadsheet engine, this project will push the engine to a next level providing a solid foundation with tests, better documentation, common spreadsheet features such as search, global navigation, more cell styles and most notably conditional formatting. It will also give us the opportunity to add templates and document the widgets in the storybook. >> Read more about IronCalc Ironclad - Networking developments — Real-time capable, UNIX-like operating system kernel in SPARK/ADA Ironclad is a partially formally verified, hard real-time capable kernel for general-purpose and embedded uses, written in SPARK and Ada. It is comprised of 100% free software, free in the sense that it respects the user's freedom. By providing a UNIX-like interface which ensures an easy porting process from Linux and BSD distributions, Ironclad aims to be a solution for developers searching for a security-first, resilient platform with the smallest barrier to entry. This project will work on rewriting the networking subsystem from the ground up, adding a formally verified networking stack to Ironclad. >> Read more about Ironclad - Networking developments JShelter UX — Upgrading JShelter to increase functionality and user adoption JShelter is a free browser extension that protects user privacy by limiting JavaScript APIs to prevent fingerprinting, tracking, and other security threats. Users can control which browser APIs websites can access, reduce the precision of data accessible through these APIs, or even provide fake values to mitigate risks from potentially harmful sites. While JShelter is a well-established tool, it faces usability challenges as the web landscape evolves rapidly. This project focuses on addressing these usability issues, new privacy threats, and improving user retention. 
It will leverage new APIs available for web extensions to enhance protection. The aim is to improve usability, documentation, and testing, ultimately making JShelter more reliable and user-friendly. >> Read more about JShelter UX Accessible KDE File Management — Accessible file dialogs throughout KDE applications This project aims to make a core part of computing with KDE software, namely file management, fully accessible. Many applications and frameworks by KDE are used in high-profile institutions and the public sector. Even though a main point of focus of this project is the improvement of accessibility in KDE's default file manager Dolphin, most of the work benefits framework code which is used in many of the most popular applications in the FLOSS ecosystem. As such, this project will empower people with disabilities around the world to perform more computer-driven tasks efficiently. The accessibility improvements to \"Open/Save\" dialogs, the keyboard shortcut editor, and various other panels and dialogs will simplify integration of people with handicaps in various social and work contexts including public institutions and private companies, which in turn will allow more of them to base their digital infrastructure on open standards and digital commons in line with EU's value \"to be free from discrimination on the basis of […] disability\". >> Read more about Accessible KDE File Management KDE Plasma Gestures — Advanced customisable gesture input on desktop and mobile Plasma Desktop, made by the KDE community, is a powerful free and open source platform that competes with proprietary operating systems. This project will introduce new functionality for multi-touch and stroke gestures. Multi-touch gestures allow a user to easily switch between virtual desktops, or to open Plasma's Overview mode. They will become customizable, with a wide selection of available desktop actions. Stroke gestures allow drawing shapes to trigger actions, launch apps, and more. 
They will be introduced into Plasma's core desktop experience, complete with a configuration page in System Settings. Together, these features will make Plasma Desktop even more productive and intuitive to use. >> Read more about KDE Plasma Gestures Kaidan MUC + legacy OMEMO — Multi-user chat and improved legacy interoperability for Kaidan XMPP client Kaidan is a user-friendly and modern chat app for every device. It uses the open communication protocol XMPP (Jabber). Unlike other chat apps, you are not dependent on one specific service provider. Instead, you can choose between various servers and clients. Kaidan is one of those XMPP clients. It is easy to get started and switch devices with Kaidan. Additionally, it adapts to your operating system and device's dimensions. It runs on mobile and desktop systems including Linux, Windows, macOS, Android, Plasma Mobile and Ubuntu Touch. The user interface makes use of Kirigami and Qt Quick. The backend of Kaidan is entirely written in C++ using Qt and the Qt-based XMPP library QXmpp. This project will make improvements to Kaidan across the board, ranging from multi-user chat, backups, bookmarks, support for legacy OMEMO encryption, SASL improvements, message retraction and more media sharing functionality. >> Read more about Kaidan MUC + legacy OMEMO Support for 64-bit integer expressions in Kaitai Struct — Cross-language code generation for binary parsing Kaitai Struct (KS) is a tool for working with binary formats. It introduces a declarative domain-specific language for describing the structure of arbitrary binary formats. Based on any specification, KS can automatically generate a ready-to-use parsing module in one of 12 programming languages (C++/STL, C#, Go, Java, JavaScript, Lua, Nim, Perl, PHP, Python, Ruby, Rust). Serialization is supported in Java and Python. This project aims to improve Kaitai Struct through several enhancements. 
The main goal is to implement full support for 64-bit integers in expressions across all target languages. Currently, results of integer operations often get truncated to 32 bits in JavaScript and statically typed languages. This also causes incorrect parsing in the popular Kaitai Web IDE and may render it unusable for some formats. Another goal is to improve enum handling. This includes ensuring consistent behavior for unknown enum values across languages like Java, Lua, and Nim, enabling full support for 64-bit integers in enums, and introducing a way to add documentation for whole enums in the .ksy specification that appears as a docstring in the generated code. The project also includes dropping support for Python 2 and integrating modern Python 3 features. This will improve performance and code quality. >> Read more about Support for 64-bit integer expressions in Kaitai Struct Kdenlive — Parametrised keyframes for modern non-linear video editor Kdenlive is an open source video editing application with advanced features. Besides the usual editing tools, effects and color scopes, we also have advanced features like proxy editing, speech to text and automatic background removal. This project improves the editing experience by bringing a dope sheet to adjust the effects. Users will be able to decide which parameters to animate and how in a central place, within a single timeline. >> Read more about Kdenlive KiCad-10 — Cross Platform Electronics Design Automation Suite The project summary for this project is not yet available. Please come back soon! >> Read more about KiCad-10 Linked Data Objects (LDO) Upkeep and Upgrade — SHACL and other improvements for Linked Data Objects library Linked Data Objects (LDO) is an open-source developer tool library that makes working with Linked Data and Solid easy and safe for JavaScript developers. 
This project aims to address a backlog of feature requests that have been requested by the community as well as bugfixes and other issues. These include, but are not limited to, support for modern technologies adopted by the Solid community, native validation support, and cross-functionality with other popular frameworks. These upgrades will ensure LDO continues to ease the adoption of open data tools. >> Read more about Linked Data Objects (LDO) Upkeep and Upgrade LLM2FPGA — Run Open Source LLMs locally on FPGAs LLM2FPGA aims to enable local inference of open-source Large Language Models (LLMs) on FPGAs using a fully open-source toolchain. While LLM inference has been demonstrated on proprietary hardware and software, we are not aware of any widely recognized project running open-source LLMs on FPGAs through a fully open-source EDA (Electronics Design Automation) flow. To fill this gap, the project will produce an HDL implementation of a lightweight open-source LLM, verify it via simulation, and then attempt synthesis and place-and-route on freely supported FPGA devices. By providing a fully open alternative to proprietary and cloud-based LLM inference, LLM2FPGA will offer a transparent, flexible, and privacy-friendly way to run your own LLM on local hardware. >> Read more about LLM2FPGA LUNA SuperSpeed USB Improvements — FPGA implementation of USB 3 LUNA is an open source gateware library for creating USB devices with FPGAs. It includes mature support for USB 2.0 Low-, Full-, and High-speed devices. It also has experimental support for USB 3.x SuperSpeed devices with support for using built-in SerDes transceivers on some FPGAs, avoiding the need for an external PHY. This project will stabilise LUNA's SuperSpeed support by improving timing closure, implementing low-power link states, and running physical-layer electrical compliance testing using the Lattice ECP5's built-in transceivers. 
>> Read more about LUNA SuperSpeed USB Improvements Domain-specific LabPlot — Domain specific visualisations and fit models for LabPlot LabPlot is a free, open source and cross-platform Data Visualization and Analysis software. The project will focus on making LabPlot more accessible and powerful for domain-specific scientific work across multiple disciplines (biology, medicine, physics, etc.) and support the domain-specific terminology. The focus on domain-specific features and simplified workflows aims to broaden LabPlot's adoption beyond technically-oriented users into specialized scientific communities. Furthermore, this project will address feedback from power users, improve the performance and usability of the application, and reduce technical barriers. >> Read more about Domain-specific LabPlot Land — Code editor building on Tauri and VSCodium Land is a customisable open-source code editor that puts users in control and emphasizes rebuildability. Land in particular aims to provide a smooth and responsive alternative to VS Code™, the proprietary code editor on which many developers currently depend. Land allows you to continue to use the key features developers rely on in VS Code, but also allows you to remove intrusive integrations and undesirable dependencies. Because Land is powered by Tauri instead of Electron, it won't hog your resources. Compared to VS Code it has enhanced modularity and extensibility, and obviously telemetry is disabled by default. Take back control of your code, rebuild your tools your way. >> Read more about Land LeanFTL — Flash Translation Layer library for embedded systems LeanFTL is a \"Flash Translation Layer\" library targeting embedded systems. An FTL library is needed on all embedded systems to deal with the constraints inherent to flash memories and to be able to resume operations safely after an unexpected loss of power (AKA \"tearing events\").
LeanFTL aims at being a minimal library easily portable to any MCU and able to manage both internal and external flash memories. LeanFTL's goal is to avoid fragmentation by design: fragmentation never occurs no matter the usage pattern. Another important feature is the emulator which allows running LeanFTL on a personal computer, allowing the integrator to provide such an emulator for its firmware. Last but not least, the emulator is able to simulate \"tearing events\" - this is key to ensure robustness and security of an embedded system. In other words, LeanFTL not only provides the Flash Translation Layer, it also provides a tool for validating that it is correctly used, something which is typically lacking even in commercial libraries. >> Read more about LeanFTL LeanFTL Extreme Wear Leveling — EWLF support for Flash Translation Layer library This project extends Lean-FTL, a Flash Translation Layer C library targeting MCUs. This means a number of new features, such as support for very high numbers of updates, an innovative 'health status' feature (which indicates how much the device used each flash page) as well as new integrations including pico2 and arduino boards and the Zephyr real-time OS. All this will be added while preserving the fundamental advantage of lean-ftl over competing solutions: it does not need 'defragmentation' nor 'garbage collection' - so the run time of each call is bounded and independent of the total size of data managed by the Flash Translation Layer. >> Read more about LeanFTL Extreme Wear Leveling Lens/FreeCAD integration — Collaborate on parametric CAD Models for hardware design This project advances an open source software stack that enables the free exchange of parametric CAD models for Open Source Hardware. FreeCAD -- software for designing and manufacturing physical objects in 3D -- has recently reached its 1.0 release milestone. Ondsel Lens, now also open source, is server software that complements FreeCAD.
Together, Lens and FreeCAD enable users to share and configure designs: FreeCAD users can use Lens to collaborate, while others can customize parametric models through a Lens website and download them, for example for 3D printing. This project will enhance FreeCAD to better support collaboration via Lens and to incorporate models hosted on Lens servers into new designs. We will also improve the Lens plugin for FreeCAD, providing tight and seamless integration, for example enabling users to embed online models directly into their projects. This taps into the internet as a digital commons for open hardware, powered by a fully open software stack. >> Read more about Lens/FreeCAD integration LiberaForms — Self-hostable E2EE libre form server LiberaForms is an online form tool to easily create and manage forms. It can be used by neighbours, friends, colleagues and anyone else who values privacy. The server can be self-hosted and form answers can be end-to-end OpenPGP encrypted. LiberaForms comes with a comprehensible list of features for both form authors and site administrators alike, such as integrated GDPR policies. This grant will be used to make a number of usability improvements, to make LiberaForms a relevant tool for educational use cases, and add many new features requested by the people who already use it. >> Read more about LiberaForms Libre-Chip CPU with proof of No Spectre bugs — Open Hardware high performance CPU with speculative execution Modern computers suffer from a constant stream of new speculative-execution security flaws (Spectre-style bugs). To address this major category of flaws, we are working towards building a high-performance computer processor (CPU) with speculative execution and working on a mathematical proof that it doesn't suffer from any speculative-execution data leaks, thereby demonstrating that this major category of flaws can be eliminated without crippling the computer's performance. 
>> Read more about Libre-Chip CPU with proof of No Spectre bugs LibreCellular 5G — Open hardware SDR-based 5G cellular network The LibreCellular 5G project makes it easier to create 5G cellular networks with open source software and low cost software-defined radio (SDR) hardware. It achieves this via validated configurations that are subjected to rigorous end-to-end testing, supported by tooling and documentation for repeatable deployment. This work builds on previous NLnet funded projects which made it easier to create 4G cellular networks, by adding support for a 5G New Radio (NR) base station, together with 5G Core (5GC) network functions, native voice calls via Voice-over-New Radio (VoNR), and implementing a Python library for base station control. >> Read more about LibreCellular 5G Portable Libre Diagnostic — Reliable open automotive diagnostics stack Portable Libre Diagnostic will deliver a mobile and hardware-based diagnostic solution that expands vehicle diagnostics beyond traditional tools. The project includes a native Android application developed in Kotlin, bringing full diagnostic capability to mobile devices. Users will be able to connect directly to their vehicles via Bluetooth to perform live data monitoring, read error codes, and log diagnostic sessions in real time. In parallel, the project will develop an open-hardware gateway based on Raspberry Pi, designed to run diagnostic logic independently of commercial adapters. This gateway will function as a self-contained server, capable of reading vehicle data via CAN Bus and exposing it through a TCP interface. Together, these components create a flexible and open diagnostic ecosystem, enabling both direct mobile access and scalable data integration for future applications.
>> Read more about Portable Libre Diagnostic LibrePCB 2.0 — New UI & powerful features for a future-proof LibrePCB LibrePCB is a free and open source electronics design automation (EDA) software suite to develop printed circuit boards (PCBs). It runs on all major platforms and aims to be easy to use, while still being able to create professional schematics and PCBs. While it is already used productively by people all around the world, the development of new features became stuck because of limitations of the current UI concept. To pave the way for new features, a completely new UI will be developed with the goal of having a unified, tabbed window as known and proven by many other applications. In addition, a first attempt of moving from C++ to the safer language Rust will help us to benefit from modern technologies. Together with more import/export capabilities, performance improvements and other frequently requested features the outcome will be released to users by a new major version LibrePCB 2.0. >> Read more about LibrePCB 2.0 LibreSilicon: Pad Cell Generator — Custom pad cells for integrated chip layout generation The LibreSilicon pad cell generator is the last missing puzzle piece needed for an integrated chip layout generation flow, from Design Rules and Mixed Signal designs to a layout which can be manufactured by foundries. A straightforward solution to turn the mixed signal HDL (Verilog-AMS) into a unified layout helps to get rid of hairy IP issues when it comes to using standard cells and pad cells and other gateware from third-party providers. Pad cells are used to generate the pad frame, the part of the chip around the internal logic which actually connects silicon circuits to the outside world through the pins of the package. Pad cells also protect the internal circuitry from overvoltage, overcurrent and electrostatic discharge (ESD).
>> Read more about LibreSilicon: Pad Cell Generator Librecast Studio — Community platform for multimedia collaboration and events Multicast is both a network technology and a design methodology where the recipient is always in control of the data they receive and the medium in which they receive it. Multicast design is based on consent. Building on Librecast's multicast network layer, Librecast Studio is developing a multi-purpose community platform enabling communities to build their own spaces for multimedia collaboration and events. This will allow groups of people to organize, work, play, and participate in communities for any purpose. Unlike many other platforms used for live events and playback, Librecast Studio delivers separate streams of raw data, letting the end user choose what they hear, see, and how it is rendered. >> Read more about Librecast Studio Updating Solid test harnesses for Linked Web Storage — Add W3C Linked Web Storage Specification to Solid test suite The project summary for this project is not yet available. Please come back soon! >> Read more about Updating Solid test harnesses for Linked Web Storage Dual SIM for Mobile Linux — Support multiple SIM cards in open mobile OS-es As key parts of the mobile Linux ecosystem Phosh, ModemManager, and mobile-focused GNOME applications provide a featureful alternative to Android and iOS. They do not yet, however, support multiple SIMs for business/personal privacy, cost-effective roaming, and full network coverage. This project will add the low-level modem frameworks for multi-SIM capability and use those to add simple, intuitive management of multiple mobile subscriptions to the user interface of the Phosh mobile shell and the GNOME Calls and settings applications. With these enhancements mobile Linux users will gain full control over which mobile subscription to use for calls, messages, and data connections. 
>> Read more about Dual SIM for Mobile Linux LinuxBoot for all — Small, auditable and reproducible firmware stack LinuxBoot is a proven approach to replacing the proprietary UEFI DXE phase or U‑Boot runtime environment with a Linux kernel and an open initramfs, offering a smaller, auditable and reproducible firmware stack, with u‑root as the standard initramfs in hyperscale deployments and Heads used on user‑facing devices where local attestation and measured boot matter, while LinuxBoot itself remains deliberately agnostic to the initramfs used. Despite this proven track record in data centres, the knowledge has not flowed back to the broader hardware community, leaving servers, workstations and single‑board systems without accessible documentation, tooling or deployment recipes. This project brings together expertise from different areas of the open firmware ecosystem to close that gap and create a feedback loop that draws hyperscaler experience back into the LinuxBoot project itself rather than letting it remain siloed. Over the course of the project, the team will document the use of Fiano to remove unneeded DXE modules from UEFI firmware, establish reproducible build pipelines with CycloneDX/SPDX SBOMs for x86, ARM and RISC‑V hardware, and produce a revised LinuxBoot book with concrete deployment recipes for servers, workstations and single‑board systems, while a U‑Boot + LinuxBoot proof‑of‑concept on a Rockchip SBC, where LinuxBoot replaces the U‑Boot runtime environment as the in‑firmware operating system, will serve as a vendor‑facing reference to lower the barrier for hardware manufacturers to adopt LinuxBoot. >> Read more about LinuxBoot for all Livebook — Robust and distributed data and ML workflows with Python, Elixir, and Livebook Livebook is an open-source interactive notebook application for the Elixir programming language and the Erlang VM ecosystem. 
It enables users to write, execute, and document code in real-time within a browser interface, making it ideal for exploratory programming, data analysis, teaching, and documentation. Livebook features built-in markdown support, real-time collaboration, custom visualizations, \"smart cells\" to automate common workflows, as well as built-in concurrent and distributed execution. The project supports the Elixir and Erlang languages and is integrating additional ones. >> Read more about Livebook Loops Live — Federated short video platform for the Fediverse Loops is a federated short-video platform - think TikTok, but open-source and built on the ActivityPub protocol so no single company controls the network. It ships as a self-hostable server with a modern web app and native mobile apps for iOS and Android, giving people a full creative toolkit including camera recording, AR filters, duets, playlists, and discovery features like Starter Kits. It exists because the most popular content format on the internet shouldn't be locked inside a single company's walled garden. Every feature, from federation to moderation tooling, is designed around the idea that communities should own their spaces. >> Read more about Loops Live MetaMorph — New modules, functionalities and interfaces for voxel engine Luanti This project aims to develop new original modules, features and interfaces for the open source voxel game engine Luanti. It focuses on several topics such as: collective and personal analytics with a player interaction analyzer and a gaming timer, artistic expression with a sculpture module, ecological knowledge with a water and solar energy management modules, geology and archeology with time based block dynamics, object deep linking based on XR Fragments. This will open and scale the potential applications of Luanti for education, rural and urban architecture as well as cultural awareness and expression with a better linking to the physical world and the web. 
>> Read more about MetaMorph Porting the Lucid Language to Open Platforms — Make writing high-performance data-plane software easier Lucid is an open-source programming language designed to make writing high-performance data-plane software easier. It fills an important gap between existing paradigms. Compared with pipeline-oriented languages like P4, Lucid introduces higher-level abstractions that are more expressive and modular. Compared with run-to-completion frameworks like eBPF, Lucid provides a simpler serial packet-processing model with compiler-managed parallelization. While Lucid has been used successfully in a number of research projects, wider adoption is limited because it currently only supports specialized pipeline processors found in proprietary switches. In this project, we will port Lucid to standard architectures (e.g., ARM, x86, RISC-V), found in devices from home routers to SmartNICs and enterprise servers. Key tasks include extending Lucid's compiler to generate parallelized C for general-purpose CPUs, adding a type-safe foreign function interface, and developing a suite of example and benchmark applications. Our goal is to make Lucid useful for a much larger community, to accelerate innovation in open-source data-plane software. >> Read more about Porting the Lucid Language to Open Platforms Open source MILAN hardware and software stack — Reliable real-time media streaming over ethernet networks The open-source MILAN project implements a MILAN audio interface (a.k.a. a “sound card”) and companion software stack. MILAN is a standard for transporting precisely timed digital audio in real time and with extremely low latency over Ethernet. 
By delivering an open hardware circuit board with analogue audio I/O and an Ethernet port, together with the free and open source software required to operate the board as a MILAN endpoint, this project democratises audio networking and enables makers and musician communities to come up with new applications for reliable, real-time, high-fidelity audio networking. >> Read more about Open source MILAN hardware and software stack MNT Reform Touch — Open Hardware tablet device For an increasing number of people tablets are the main computing device - as a simpler, more portable alternative to laptop or desktop computers. Tablets are particularly suited for consuming entertainment and web browsing. They also serve some specialized use cases in digital design, AR, and education. This rise in usage has not been accompanied by an equivalent openness in terms of development and maintenance. Desktop computers are typically easy to take apart and upgrade with commodity components, and for laptops this is often possible to some extent as well. The tablet devices consumers typically use are locked down black boxes running operating systems that consistently compromise privacy and security. This project aims to develop an open source hardware tablet based on modular principles, with a focus on Linux Mobile integration. As such it contributes meaningfully to a growing ecosystem of FOSS devices. >> Read more about MNT Reform Touch Test Procedures for MOSFET SPICE Model Validation — Verilog-A compact models validation for Open PDK's The emergence of open PDK initiatives reduces barriers to entry for integrated circuit (IC) design and manufacturing, serves the long-term goal of promoting academic/industrial collaboration, and stimulates innovation in the field of semiconductor IC design. Open PDKs have the potential to \"standardize\" PDKs (process design kit), and move away from proprietary/licensed EDA vendor formats. 
This is needed to democratize open source IC design flow and manufacturing. Open PDKs provide open access to IC design resources. The compact/SPICE models of semiconductor devices are the core of open PDK efforts. SPICE executes implemented Verilog-A compact models. A model of a semiconductor device (passive elements and active, eg: diodes, mosfets, bjts) is primarily a \"compact device model\". Validation benchmarks are not yet available in the public domain. This project represents the very first attempt to implement these tests for the compact model available in open PDKs. It aims to establish such tests for the compact models in open PDKs, which are intended to be generic enough for model quality assurance testing with FOSS circuit simulators such as GnuCAP, ngspice, xyce, Qucs, among others. >> Read more about Test Procedures for MOSFET SPICE Model Validation MOTIS — European Public Transport Door to Door Real-Time Routing with MOTIS This project aims to enhance MOTIS, an open-source, scalable, intermodal real-time routing system that powers the provider-neutral public transport routing service transitous.org. This grant will add support for the relevant European Transmodel data standards NeTEx, SIRI-ET, SIRI-SX, and OJP. Hereby, we will enable open and privacy friendly borderless routing across Europe from door to door using data published by European National Access Points (NAP) in compliance with EU regulation 2017/1926. Its results will be deployed via transitous.org and integrated into applications such as KDE Itinerary, KTrip, and Gnome Maps, fostering a fully open alternative to proprietary solutions. >> Read more about MOTIS Multipath TCP on Linux — C Flag support and path-manager improvements for MPTCP Multipath TCP (MPTCP) is a standardised technology extending TCP and invented in Europe. TCP is one of the key protocols of the TCP/IP protocol stack, designed in the 1970s when hosts were attached to the network through a single cable. 
Today's hosts have several network interfaces, but TCP only uses one of them for a given connection. Multipath TCP solves this problem by enabling TCP connections to exchange packets over different network interfaces. With the current version of MPTCP in the Linux kernel, most of the features listed in the RFC8684 are implemented. Common use-cases are supported but still, it doesn't mean the solution is covering all needs. In short, MPTCP works well in controlled environments, but there is room for improvement in heterogeneous and more uncommon ones. Some work is then still needed to cover more use-cases -- like when MPTCP is deployed in Content Delivery Networks (CDNs) -- plus to improve the usability and performances in order to have Multipath TCP adopted by a broader audience. >> Read more about Multipath TCP on Linux Mainline Linux on ARM Chromebooks — Open firmware and standards-based boot for Mediatek MT818x/MT819x based devices If we want to truly own our computing devices, ARM Chromebooks with Mediatek CPUs have much potential for liberation. Unlike most other personal computers (such as laptops with Intel CPUs), the software and firmware for these devices is user-replaceable. There's no need to worry about manufacturer firmware being able to control the entire computer: the TrustZone firmware can be replaced with an audited version the owner trusts. While Chromebooks are shipped with ChromeOS, a system intimately tied to a single proprietary vendor, we can bring a standards-based boot to these devices by adding support for them to u-boot. Then, booting a standard Linux distribution becomes easy - so we'll co-operate with distributions like postmarketOS to provide the needed drivers. We will release better coreboot firmware for the Mediatek \"Kompanio\" families of SoC, found in Chromebooks from various manufacturers (MT8183, MT8186, MT8195, MT8196 and MT8188). Firmware is also software, and equally deserves to be free. 
While this effort is pragmatically focused on bringing basic, reliable functionality to as many laptops as we can, we also keep an eye on freeing more low-level firmware. Perhaps it'll be the RAM initialization, or power management. Regardless, those laptops could push the envelope of user freedom. >> Read more about Mainline Linux on ARM Chromebooks Macaw Instant Messenger Web/Desktop — XMPP client written in Rust Macaw Instant Messenger is a cross-platform retro-modern federated chat client utilising the Jabber/XMPP protocol. It takes the best from all of the eras of instant messaging to build a fast, featureful and fun application which runs on Linux, Windows, macOS, the web, and eventually mobile, all backed by a shared core logic in Rust. The intention for this grant is to port the current web client to Tauri, which enables the client logic to run natively within a desktop application, as well as to implement new features such as group chats and sticker/emoji packs to improve usability. Further, to lay the groundwork for later development of features such as group video calls and end-to-end message encryption, as well as ports to other platforms. >> Read more about Macaw Instant Messenger Web/Desktop Machine Usable Output for Sequoia — Reliable, scriptable memory-safe OpenPGP with JSON input/output OpenPGP is a well-established protocol for encrypting, and signing data with a powerful, and decentralized PKI. Over the past few years, the Sequoia PGP project has developed several libraries, and command-line tools that facilitate working with OpenPGP data. The focus has been on usability, robustness, and security. sq, Sequoia's primary command-line tool, is intended for end users, but it is also being used in scripts. This is problematic, because sq is designed for humans and not machines. For instance, sq displays free-form text, which is not guaranteed to remain the same from version to version. 
This way of operating is amenable to humans, but means that scripts have to parse unstructured output whose format may change in the future. This increases complexity and decreases robustness. The goal of this project is to design and implement a machine-usable interface for sq. The most important and visible change will be support for JSON-formatted output. We will also rework user interactions like prompting for a password to be usable with scripts. >> Read more about Machine Usable Output for Sequoia Maemo Leste Daedalus — Improve device coverage and advanced security for mobile Linux distro Maemo Leste is a Free and Open Source mobile operating system based on GNU/Linux. The goal of the initiative is to provide a secure and modern mobile operating system that consists only of free software, obeys and respects the users' privacy and digital rights. Maemo Leste is currently focussing on upgrading and modernising its core to the latest Debian and Devuan versions, improving the stability and security of the system as well as widening the array of supported devices. >> Read more about Maemo Leste Daedalus Web on Managarm: Usability, Stability, Security — Microkernel-based OS with consistent asynchronous I/O Managarm is an open source, community-developed, microkernel-based operating system that uses asynchronous I/O throughout the entire system, while also providing good source-level compatibility with preexisting Linux userspace software. This project aims to enhance the capabilities of Managarm as a platform for the web. We will improve its usability both on the client and server side, improve overall stability, and harden the system. In particular, the project will enable users to run Managarm on a diverse set of hardware to securely navigate the web and to host web services. Due to the stronger isolation offered by our microkernel and the fact that all I/O is asynchronous, our system will provide a compelling alternative to existing OSes in this space. 
>> Read more about Web on Managarm: Usability, Stability, Security Manyfold — ActivityPub-powered tool for storing and sharing 3d models Manyfold is a web application for managing collections of 3d models, with a focus on the needs of the 3d printing community. It is designed to be self-hosted, and lets users browse, organise, and analyse their downloaded models. With NLNet’s support, the project has recently launched federation features using ActivityPub, progressive transmission of 3d models, and a wide range of core feature enhancements. The next phase of the project will build on this base to create richer social features, better ways to get models into and out of the system, features to help financially support creators, and improvements to search and discovery features, all of which will help build an open, decentralised ecosystem for 3d model hosting. >> Read more about Manyfold Manyfold; Printing, Customisation, and Versioning — ActivityPub-powered tool for storing and sharing 3d models Manyfold is a self-hosted web application for managing, organising and publishing 3D models for printing. Users can use it to manage their own model collections, or follow others across the Fediverse. This round of NGI Zero funding will support the addition of highly-requested features such as a plugin system to allow the addition of optional capabilities, versioning of models, and the ability to slice and print directly from the Manyfold application. Other features include user-specific lists, liking and commenting via ActivityPub, and additional capabilities to help other projects build XR systems on top of Manyfold. >> Read more about Manyfold; Printing, Customisation, and Versioning Mapterhorn Imagery — Aggregating open data orthophoto imagery Government agencies across Europe collect and share aerial imagery, also known as orthophoto or visual RGB imagery, as open data. This data can be particularly useful for making street-level satellite maps. 
But so far only commercial actors have aggregated Europe’s open-data imagery into a unified product which developers can rely on. The Mapterhorn Imagery project aims to aggregate all available open imagery and share it free of charge as PMTiles downloads. ESA’s Copernicus Sentinel-2 data will serve as a global backdrop with a comparatively low resolution of 10 m per pixel. Imagery datasets with resolutions of 10 cm and better produced by local governments will enrich the map where coverage is available. >> Read more about Mapterhorn Imagery Massive FOSS scan — License scan on the whole Software Heritage archive ScanCode is a comprehensive open source license and code origin scanner. It is actively used by many proprietary and FOSS tools for Software Composition Analysis. This project will make detecting FOSS licenses an issue of the past by running a massive license scan on the whole Software Heritage archive of over 20 billion unique source code files from more than 327 million projects, and the PurlDB index of all major package registries and Linux distros. The outcomes will be a massive commons reference database to speed up future scanning and matching processes with accurate license information, and a massive collection of fingerprints to enable approximate code matching at scale. This will be applied to the Software Assurance/MatchCode project, and available for other users and organizations as open data to improve FOSS code matching and discovery at an unprecedented scale. >> Read more about Massive FOSS scan Mastodon for institutions — Features for institutional instances of Mastodon Mastodon is a widely used open-source social media platform and the best alternative to the big tech text-based social media. 
This proposal aims to enhance its suitability for institutional use deploying their own server by introducing features such as customizable branding and landing pages, stronger security options like enforced 2FA and WebAuthn, the ability to embed timelines on external websites, and email-based post subscriptions for broader public reach. Those features have been requested by many organizations that are working on establishing a presence on the open social networks and will allow them to use Mastodon as their official Fediverse presence. >> Read more about Mastodon for institutions Matridge spaces — Gateway for XMPP users to transparently chat in Matrix rooms Matridge is a gateway for XMPP users to transparently chat in Matrix rooms. It is an XMPP server-side component that acts as a Matrix client and makes it possible to pilot a Matrix client from any XMPP client. It implements modern instant messaging features such as rich replies, spaces, attachments, emoji reactions and threads. It is self-hosting friendly, community-led, written in Python and based on slidge, an XMPP gateway library. >> Read more about Matridge spaces Mautic Portability Phase 2 — Portable marketing campaigns for Mautic Mautic is an open source marketing automation platform. It helps organizations to better understand their customers throughout their lifecycle, and, combined with what they already know about the customer and how they interact with marketing campaigns, enables full personalization of the digital experience across multiple channels. Building on the success of Phase 1 —which facilitated the importing and exporting of campaigns and resources— this project introduces a user-facing interface within a Campaign Library to streamline finding, importing, and exporting campaigns in Mautic. This not only accelerates the deployment of common marketing automation campaigns but also integrates community-submitted templates with those shipped with the core system. 
This enhancement positions Mautic as a formidable open source competitor to platforms like Marketo, Salesforce, and HubSpot, which offer similar features, such as ActiveCampaign's recipes. Additionally, the library serves as an educational tool, instructing users on best practices related to compliance and workflow management. >> Read more about Mautic Portability Phase 2 Mautic Portability — Portable marketing campaigns for Mautic Mautic is an open source marketing automation platform. It helps organizations to better understand their customers throughout their lifecycle, and, combined with what they already know about the customer and how they interact with marketing campaigns, enables full personalization of the digital experience across multiple channels. This project lays the foundation for an important feature which is much-requested and much-needed, to create a library of example campaign workflows and associated resources which marketers can install with a single click, saving time and improving best practice adoption. This project sees the establishment of an export and import functionality for campaigns and all associated resources. This project will also enable the export and import of this data between Mautic instances, further improving data portability. >> Read more about Mautic Portability Maven Heaven — Scan, review, curate and fix metadata of Java packages The Apache Maven Central repository is the center of the Java development world, where all open source dependencies are fetched from, hosting over 3 million Java packages. Java JAR origin metadata and licensing documentation is declared by the authors as part of a POM metadata, but this can be misleading or incorrect. There are also thousands of copies of Java packages, such as Log4J embedded (or shaded) in other JARs, and these go undetected by most tools. Accurate Java origin and license metadata is essential to safely automate the consumption of Java packages in the software supply chain. 
Maven Heaven fixes this problem in multiple steps: it will scan, review, curate and fix the metadata of the most popular Java packages. The data will be released under an open license, and the project will work with the Maven community to provide it as part of the Maven services and repo, allowing to cross-check and report code borrowing and reuse between Java projects. The team will deploy an AboutCode toolchain as a service for all Java authors to review, validate and enrich metadata. This project is a collaboration between AboutCode and Log4J maintainers to help uncover issues, and help upstream authors fix these issues. It should allow Maven packages to be shared with better, more accurate origin and license metadata, possibly right at creation time. The increased level of trust in Maven Java JARs will make it easier to consume more Java packages safely. >> Read more about Maven Heaven WireGuard as a MirageOS unikernel — Implement WireGuard in OCaml and run as unikernel MirageOS unikernels are tiny self-contained operating systems (often used as virtual machines), and WireGuard is a widely used modern VPN protocol. Our main aim of this project is to implement a WireGuard client, installable on all Linux and BSD systems. Instead of encrypting/decrypting information in user space (as all WireGuard clients do), this client will however deploy a unikernel which will take care of this task. We extend this work to the implementation of a server running as a unikernel, as well as the development of a dedicated unikernel-based QubesOS integration. The implementation of this protocol will benefit the OCaml community and should be reusable outside the unikernel context. >> Read more about WireGuard as a MirageOS unikernel Federating Mirlo — Connecting artists and audiences with ActivityPub Mirlo provides a user-friendly space to help artists sell digital music and merch, receive financial support, manage mailing lists, and share with their supporters. 
The goal of federating Mirlo is to connect more artists with more supporters, towards a resilient and lively ecosystem of audio art. Federating Mirlo also presents an opportunity to improve the self-install story: as Mirlo instances will be able to communicate with one another and connect with the wider fediverse through the ActivityPub protocol, organizations managing their own instance of Mirlo can effortlessly tap into a broader discovery landscape for their artists. >> Read more about Federating Mirlo Mobile Typst editor — Mobile editor/viewer for Typst documents Typst is a new markup-based typesetting system that is designed to be as powerful as LaTeX while being much easier to learn and use. The Typst for iOS project focuses on creating a smooth Typst document editing experience akin to Swift Playground's editing experience. Additionally it allows the compilation, presenting and sharing of pdf files all from an iPhone or iPad. >> Read more about Mobile Typst editor Open Terms Archive vendor lock-in break — Public tracking of the evolution of terms and conditions Open Terms Archive is a digital public good that archives every version of the terms of over 800 digital services to support democratic oversight by regulators, lawmakers, journalists, researchers, and civil society. Open Terms Archive has prioritized adoption in multiple industries and jurisdictions over the past four years, by enabling easy connection from its fully open-source engine to free but proprietary platforms. The \"Open Terms Archive vendor lock-in break\" project aims at replacing the hardcoded interconnections with proprietary software with standardized APIs and connectors for at least one open-source platform for issue reporting, email notifications, dataset distribution, and RSS feeds publishing, while keeping compatibility with existing integrations that are used by community members. 
>> Read more about Open Terms Archive vendor lock-in break muchrooms — XMPP group chat implementation in Rust Muchrooms is an XMPP group chat implementation in Rust. This project stems from the desire to have a well-tested, memory safe and type correct implementation of Multi-User Chat (XEP-0045). It focuses on privacy and moderation. It is part of the xmpp-rs ecosystem and will be used as a testbed for improving the library. >> Read more about muchrooms Multitenant CAS — Better scalable Single Signon Enterprise Authentication Apereo CAS is an open-source enterprise-grade identity and single sign-on (SSO) platform designed to securely authenticate users across multiple applications while centralizing identity management and authentication concerns. Built for flexibility and scalability, CAS supports modern authentication standards such as SAML, OAuth, and OpenID Connect, integrates with a wide range of directories and identity stores, and offers robust features like multifactor authentication, delegated authentication, and comprehensive auditing. Its modular architecture allows organizations to tailor deployments to their security and usability needs, while its active community and transparent governance ensure continuous innovation and long-term reliability. >> Read more about Multitenant CAS Mustang - UI components — Integrated email, team chat, video conference, calendar and file exchange Mustang is an Open-Source desktop and mobile app that seamlessly integrates email with team chat, video conference, calendar and file exchange into a single app for communication. It is available for Windows, macOS, Linux and planned for Android and iOS. It respects user privacy and data sovereignty, keeping the data on your own computer systems. By supporting various open protocols (and optionally through extensions also closed protocols of multiple vendors), it allows for a smooth transition to openness. 
In this project, certain UI components will be developed, the File Sharing UI be improved, and a prototype UI for Structured Data in email (SML) be implemented. As time permits, other components will be developed as well. >> Read more about Mustang - UI components Mustang UX — Integrated email, team chat, video conference, calendar and file exchange Mustang is an Open-Source desktop and mobile app that seamlessly integrates email with team chat, video conference, calendar and file exchange into a single app for communication. It is available for Windows, macOS, Linux and planned for Android and iOS. It respects user privacy and data sovereignty, keeping the data on your own computer systems. By supporting various open protocols (and optionally through extensions also closed protocols of multiple vendors), it allows for a smooth transition to openness. In this project, the focus is on UX design, connecting the various apps together to create a unified whole. >> Read more about Mustang UX NVE — Co-simulation framework for hardware designers NVE (Nebula Verification Environment) is an open-source co-simulation framework, that lets hardware designers verify their RTL implementations against a software reference model with cycle-accurate checking and time-travel debugging. The engine is architecture-agnostic and ships with a RISC-V reference model. The grant funds its extraction into a standalone, documented library usable by the broader open-source hardware community. >> Read more about NVE Timing Modeling and Integrated Verification in Naja — Timing aware netlist optimisation with Logic Equivalence Checking Naja is an open-source Electronic Design Automation (EDA) project focused on the editing, optimization, and verification of post-synthesis netlists—data structures that describe the logical connectivity of electronic circuits after synthesis. 
This project will introduce two key components to Naja and the broader open hardware and EDA ecosystems: a flexible high-performance timing model engine designed for tight integration with placement and routing algorithms, and a built-in logic equivalence checking (LEC) infrastructure, optimized for incremental verification of netlist modifications—particularly in the context of Engineering Change Orders (ECOs). By addressing these important gaps in timing-aware design and incremental formal verification, the project aims to contribute important technological bricks to the open-source community, supporting the development of more capable and reliable open source EDA tools. >> Read more about Timing Modeling and Integrated Verification in Naja Nanoarguments — Global, federated graph of scientific claims as LinkedData Scientific knowledge is currently scattered across papers, repositories, and disconnected platforms, with no structured way to trace how claims connect to evidence or how arguments develop. Nanoarguments builds a framework and tools for creating, browsing, and contributing to a global, federated graph of scientific discourse and evidence. Researchers and their communities can collaboratively structure claims, evidence chains, and discussion as nanopublications, which are small, cryptographically signed Linked Data snippets with precise provenance and authorship, published to a decentralized peer-to-peer network. The project builds upon the Nanodash interface to help users browse, edit, and aggregate discourse and evidence graphs, and integrates with dokieli to enable in-context authoring of nanopublications as inline annotations while reading or writing a document. A bidirectional ActivityPub connector bridges the nanopublication network and the fediverse, allowing discourse threads to start as social exchanges and crystallize into persistent, machine-readable evidence records. 
The project will be piloted with early adopter research groups in discourse and evidence modeling. All components will be released as open-source modules that other systems can build upon. >> Read more about Nanoarguments NextGraph Framework — SDK's and API's for the NextGraph Framework NextGraph is an open source ecosystem that provides solutions for end-users (a platform) and software developers (a framework), wishing to use or create decentralized apps featuring: real-time collaboration, peer to peer communication with end-to-end encryption, local-first, portable and interoperable data, total ownership of data and software, security and privacy. Centered on repositories containing semantic data (RDF), rich text, and structured data formats like JSON, synced between peers belonging to permissioned groups of users, it offers strong eventual consistency, thanks to the use of CRDTs. Documents can be linked together, signed, shared with others, queried using the SPARQL language and organized into sites and containers. Using our framework, SDK and APIs, developers will be able to create standalone or embedded apps that can make capability-based access requests on the user's data, define smart-contracts and implement any business logic within cross-document transactions. With NextGraph, users and apps can securely access and traverse their authenticated data graph (web of data) and social graph (social network), while enabling resilience and data integrity, and preserving privacy and decentralization. >> Read more about NextGraph Framework Nitrokey 3 Storage — Add encrypted storage capabilities to Nitrokey 3 The Nitrokey 3 Storage project develops a next-generation variant of the successful Nitrokey Storage 2 USB security key that combines modern authentication and cryptographic token capabilities with high-performance encrypted storage functionality. 
Building upon Nitrokey's extensive experience in secure USB devices and leveraging a more powerful microcontroller with embedded eMMC storage, this project addresses the significant performance limitations of existing solutions while maintaining open-source principles. The development will also ensure the device is future-proof for post-quantum cryptography applications. Unlike proprietary encrypted storage solutions currently available, the Nitrokey 3 Storage will be a fully open-source device to seamlessly integrate security token features with high-performance encrypted storage, providing organizations and individuals with a comprehensive security solution that bridges the gap between pure authentication devices and secure storage systems, while contributing valuable open-source reference implementations to the broader security community. >> Read more about Nitrokey 3 Storage Nitrokey 3 FIDO2 Level 2 — Achieve formal certification for open hardware security key The Nitrokey 3 Mini is an open-source and open hardware FIDO-compliant USB security key that currently holds FIDO2 level 1 certification. This project aims to achieve FIDO2 level 2 certification, which requires significantly higher security through hardware-based protection of cryptographic keys and operations. By ensuring all sensitive operations occur within secure hardware boundaries, this will become the first open-source FIDO authenticator with L2 certification. As governments increasingly deploy citizen services requiring L1-certified+ devices for authentication, this project addresses a critical gap in the market where only proprietary solutions from large manufacturers currently meet these standards. The certification process and technical implementation will be openly documented and shared with the community, providing a reference implementation that benefits the entire open-source security ecosystem and enables citizens and companies to use truly open hardware for accessing government services. 
>> Read more about Nitrokey 3 FIDO2 Level 2 NoScript Commons Library: Surrogate Scripts — Reusable script replacement functionality for privacy/security browser extensions The NoScript Commons Library is a collection of reusable modules facilitating the cross-browser development and maintenance of privacy and security browser extensions such as NoScript. This project aims to add a \"Surrogate Scripts\" component, for on-the-fly replacement of blocked scripts with configurable shims. This would help ensure that web pages continue to function even if they depend on harmful scripts or actively try to obstruct protections against them. >> Read more about NoScript Commons Library: Surrogate Scripts NodeBB context discovery — Improving safety, long-form text + threaded discussion elements NodeBB is a forum software built with speed and efficiency at the forefront. A prior NLnet-funded project enabled NodeBB to implement the ActivityPub protocol for seamless communication with other NodeBBs and other ActivityPub-capable software. However, ActivityPub is not primarily designed for forum-like software; for example, users cannot easily discover the context (such as forum category) of posts. This follow-up project involves research into various shortcomings of the ActivityPub protocol specifically with threadiverse and long-form implementors, such as NodeBB, Lemmy, Piefed, Mbin, WordPress and Ghost (among many others), including the development of solutions to these problems via established protocol enhancement processes. Additionally, the project will implement ActivityPub-related quality-of-life improvements to the NodeBB software stack, including trust & safety work (including integration with FIRES and the new updated content warning FEP), cross-posting, emoji reactions, polls, and a system upgrade to RFC 9421 (HTTP Signatures). 
>> Read more about NodeBB context discovery Noise Nugget — FOSS digital audio processing Noise Nugget is an ultra-compact development board for audio synthesis and processing, providing all the complexity of digital audio in a simple, reusable, open-source, and open-hardware module, with an emphasis on low cost, small form factor, and design for manufacturing. The end goal is to provide a complete solution (hardware and software) for anyone to discover and experiment with digital audio, while opening an easy way to transition to production of audio products in series. The project is entering a new stage, with upgraded hardware and a new ecosystem of software libraries to fully exploit the processing capabilities. >> Read more about Noise Nugget Open Beam Interface Lite — Generic interface for high end scanning and patterning devices The Open Beam Interface project aims to make getting data into and out of scanning and patterning systems (like electron/ion microscopes and e-beam lithography systems) substantially more accessible. The Open Beam Interface Lite is a new hardware design and associated software to bring the capabilities of the OBI ecosystem to lower cost hardware, applicable for systems in use by smaller research organizations, maker/hackerspaces and other grassroots semiconductor/nanofabrication/materials research labs. >> Read more about Open Beam Interface Lite Distributed object programming in Dart — Easily create peer-to-peer and federated software This project provides a distributed object programming system in Dart that enables developers to create peer-to-peer or federated software for devices running Linux, macOS, Windows, iOS, and Android. Communication takes place over OCapN (the Object Capability Network) and provides a programming experience that does not require developers to be experts in (or spend a lot of time focusing on) the intricacies of distributed protocol design. 
Features include promise pipelining to reduce waiting for network round-trips, distributed garbage collection, and third-party handoffs to enable passing object references among more than two peers. An abstract networking layer allows developers to use the transport mechanism that works best for their application's context. >> Read more about Distributed object programming in Dart E2EE OCapN Federated Relays — Add relays to OCapN's capability-based networking Spritely has been spearheading the work on creating a capability-based networking protocol called OCapN (the Object Capability Network). This network transport protocol unlocks a new way to implement peer-to-peer, distributed programming based applications. This project builds upon existing OCapN work by implementing a relay (a node that is allowed to send and receive messages from remote devices) in which all messages are end-to-end encrypted. This end-to-end encrypted relay also supports federation: users can use relays hosted wherever they wish, and the relays can seamlessly talk to each other, bridging users all over the internet while preserving their privacy and securing their communication. This relay design will also be submitted as a specification to the OCapN group, allowing for interoperable implementations across programming languages. >> Read more about E2EE OCapN Federated Relays ORION — INspire-aligned raster map tiles for gvSIG ONline ORION (Open Ready-for-INSPIRE OSM tiles for gvSIG Online) will deliver an open-source, self-hosted processing pipeline to generate and serve INSPIRE-aligned raster map tiles from OpenStreetMap data, fully integrated as a native module within the free/libre software gvSIG Online. The project closes the existing gap between the widespread use of OSM and the interoperability requirements of European public administrations and Spatial Data Infrastructures, enabling them to deploy sovereign, standards-compliant base maps without relying on proprietary services. 
ORION will provide ready-to-use INSPIRE-aligned cartographic styles, incremental update workflows that will ensure near real-time data freshness, reusable components and documentation, all released under libre and open licenses. By aligning OSM with INSPIRE and integrating the solution into a widely adopted open-source SDI platform, ORION strengthens the European digital commons, supports data sovereignty, and lays the groundwork for future innovations such as the adoption of vector tiles. >> Read more about ORION Oils for Unix — An upgrade path for legacy shell The Oils project is an upgrade path from the widely used GNU bash and POSIX shell to a better language and runtime. OSH runs existing shell scripts of any size, while YSH is a new shell without legacy, and with real data structures and reflection. Oils is implemented with high-level, memory safe languages, but it's as fast as shells written in C. In this grant, we focus on validating OSH with real-world Linux distro builds. We also investigate new use cases for shell programming (with reflection) and new shell interfaces (GUIs). >> Read more about Oils for Unix Owi 2 — Cross-language symbolic execution via Wasm Owi is a toolkit for Wasm. It features a symbolic execution engine that can be used to analyze languages compiling to Wasm. So far, it has built-in support for Wasm, C, C++, Rust and Zig. It enables automatic bug-finding, test-case generation, solver-aided programming and proof of programs. It differs from other engines by a few characteristics: it performs *parallel* symbolic execution, it does not perform approximations, it supports multiple SMT solvers, and can be used for cross-language program analysis. For instance, it identified a bug in the Rust standard library. 
The most exciting current goals are to extend it to be able to support new programming languages such as Haskell, TinyGo, OCaml and Guile, along with the ability to analyze real world projects by adding compatibility with various build systems and modeling complex interactions with the host system. >> Read more about Owi 2 Ontogen and Mud — Advanced versioning and identity management for RDF datasets Ontogen is a specialized version control system for RDF datasets, addressing unique challenges in semantic web data management. In this project, we aim to significantly enhance Ontogen's capabilities and usability. A key improvement is extracting and expanding Ontogen's configuration language into Mud, a standalone RDF preprocessing language for comprehensive identity management. Mud will extend beyond configuration, offering expanded identity management for all resources in RDF datasets and providing extensible support for other common operations when working with RDF data, like RDF smushing for example. Also a robust synchronization protocol should be implemented in Ontogen, enabling a complete repository copy in the file system, allowing seamless use of text editors and other file-based utilities for working with the versioned dataset, as well as integration with Git or other file-based version control systems. Additionally, support for datasets with multiple graphs should be extended. These advancements will make Ontogen more flexible, accessible, and secure, paving the way for its adoption in production environments and opening up new possibilities in RDF data management. >> Read more about Ontogen and Mud Open Source Battery Management System (OpenBMS) — Complete FOSS solution for battery management OpenBMS is a combined hardware and software solution designed to monitor and protect Li-Ion and Li-Po rechargeable batteries throughout their lifetime. 
When attached to a single-cell or multi-cell battery pack, OpenBMS functions as a fuel gauge, cell balancer, and battery protection system. It provides key information to higher-level systems, including state of charge (SoC), state of health (SoH), number of charge and discharge cycles, voltage, current, and temperature. OpenBMS actively balances cells and protects the battery during both charging and discharging, including fault conditions caused by external system failures. Using a desktop application, OpenBMS can be easily configured for a specific battery by defining parameters such as battery chemistry, number of cells, and capacity, and by running a battery learning cycle. OpenBMS is suitable for a wide range of applications, including drones, IoT devices, laptops, e-bikes, and other battery-powered systems. >> Read more about Open Source Battery Management System (OpenBMS) WPA3 support for OpenBSD 802.11 wireless — Wi-Fi Protected Access 3 for OpenBSD This project delivers the second open-source implementation of WPA3, the current industry standard for Wi-Fi encryption, specifically for the OpenBSD operating system. Its code can also be integrated by other operating systems to enable modern Wi-Fi encryption, thereby enhancing the diversity and resilience of the global IT ecosystem. >> Read more about WPA3 support for OpenBSD 802.11 wireless OpenCartoCam — 360-degree camera with hardware-accelerated object detection OpenCartoCam is an open source 360-degree camera that leverages edge computing to support cartographing the world. Equipped with precise positioning systems and hardware-accelerated object detection, it enables semi-automatic mapping and categorization while maintaining a compact form factor. With very few companies offering options for cartography in the first place and those that do, often restricting access through high prices and closed-source systems, OpenCartoCam lowers these barriers to entry. 
The widespread adoption of OpenStreetMap data shows the great potential of open data initiatives. Designed with accessibility and affordability in mind, this project contributes to said initiatives and represents a meaningful step towards more open and collaborative cartography efforts. >> Read more about OpenCartoCam OpenCloud Federation — Implement Open Cloud Mesh Specification in OpenCloud The project summary for this project is not yet available. Please come back soon! >> Read more about OpenCloud Federation openCologne/PCIe — Create PCIe EndPoint for GateMate FPGA's This project is about creating open source PCIE EndPoint gateware, without requiring vendor locked components. It will be delivered as a well-structured, easy to follow, unencrypted System Verilog RTL; free to use, inspect and modify, and portable to other FPGAs and opensource ASICs. Together with the PCIE RootComplex project, this creates a solid foundation for flexible peripheral connectivity and high-end accelerators of video, DSP and AI workloads; all open source and community-maintained. >> Read more about openCologne/PCIe OpenEPT Ecosystem — High-end open hardware to analyse energy consumption With the increasing prevalence of battery-powered embedded systems, the efficient utilization of limited energy resources has become a critical priority in firmware development. Our goal is to provide a compatible set of hardware and software tools that will facilitate analysis of energy consumption and support systematic firmware energy optimization. The Open Energy Profiler Toolset (OpenEPT) ecosystem will provide diverse hardware solutions, a user-friendly interface encapsulated in a GUI application, and a collaborative database infrastructure that brings together engineers and researchers to drive innovations in the field of battery-powered technologies. 
OpenEPT hardware will enable energy measurements for a diverse range of applications from low-power, single-cell battery-powered embedded systems to multi-cell LiPo battery-powered systems with high current consumption. The user-friendly OpenEPT Graphical User Interface will incorporate advanced features for analyzing firmware energy footprints and easy identification of energy bottlenecks in the system. The OpenEPT database infrastructure will facilitate collaboration between engineers and researchers by promoting data exchange. This shared data will be crucial for battery models development and validation, energy optimization in embedded systems, algorithm training and testing, educational purposes, and the further development of open-source solutions in battery-powered embedded systems. >> Read more about OpenEPT Ecosystem Open Everything Facts — Powering consumer choice on anything with a bar code When we started Open Food Facts, it already seemed like a bold endeavour to compile comprehensive food product data into a single database, with far-reaching positive impacts, and the rest is history. Why not extend this concept further? Why should consumers not have the same level of informed decision-making power for products beyond food, like their shampoo, bicycles, refrigerators, or ventilation systems? Our ambition is to integrate our existing product databases — Open Food Facts, Open Product Facts, Open Beauty Facts, and Open Pet Food Facts — into one unified, easy-to-navigate mobile application. This will include a universal scan, a new unified versatile and simplified product page, simplified personal and private preferences, as well as the matching contribution experience. Ultimately, this project is a stride towards a world where transparency and informed choices are the norms, not the exception, in every aspect of consumer goods. 
>> Read more about Open Everything Facts OpenFlexure Microscope — Enabling telepathology with open hardware high end microscopes The OpenFlexure Microscope is an open-source laboratory-grade robotic digital microscope. Robotic digital microscopy opens up huge potential for remote collaboration in the diagnosis of disease, i.e. telepathology. Telepathology allows remote second opinions, or specialist diagnosis when no local specialist is available. It also opens up possibilities for scientific collaboration and online education. This project will enable us to work on the usability and robustness of our open source telepathology features. Clinical teams should be able to use the OpenFlexure Microscope for diagnosis in field conditions, anywhere in the world. >> Read more about OpenFlexure Microscope Open Logic - Signal Processing Elements — Standard Library for FPGA development Open Logic is an open-source FPGA standard library focused on delivering production-ready building blocks for digital design. Open Logic focuses on high quality, for example by providing simulations with 100% code coverage, a proper CI setup and being portable between all toolchains. The proposed funding is targeted to expand the library with 32 specialized fixed-point DSP components, including NCOs, FIR filters, CIC filters, and function-approximation units. Each component will be delivered with a bit-exact Python reference model to enable model-based design and seamless verification. While some blocks can draw on existing PSI-Fix implementations, significant engineering work is required to elevate them to the robustness, maintainability, and documentation standards established by Open Logic. This includes refactoring, bug fixes, clean interfaces, uniform test structures, and full integration into the library’s tooling ecosystem. 
The resulting DSP suite will substantially broaden Open Logic’s applicability, reduce development risk for adopters, and strengthen its position as a comprehensive, industry-grade open-source FPGA library. >> Read more about Open Logic - Signal Processing Elements Modern High-Level Python OpenPGP library — Python integration of Stateless OpenPGP This project will implement a new Python OpenPGP library based on the Rust rPGP implementation. The API design will be guided by the vendor-independent \"Stateless OpenPGP (SOP)\" standard, to cover the most common operations. The library will support the traditional OpenPGP \"v4\" formats, modern \"v6\" formats (from RFC 9580), and the IETF standardized OpenPGP PQC formats. >> Read more about Modern High-Level Python OpenPGP library Open Prices - Scaling price collection — Crowdsourced consumer product price collection Open Prices is the first open database of food prices collected through crowdsourcing. In less than a year, over 100,000 prices have been added by the Open Food Facts community. This project aims to scale price collection by developing machine learning tools to extract prices and barcodes from store shelf images. We will also build tools to improve data quality and enable community moderation. The overall goal is to make price data openly available for consumers, researchers, and public bodies, and to foster transparency, accessibility, and reuse of food pricing information. >> Read more about Open Prices - Scaling price collection OpenStreetMap-NG — Alternative implementation of OpenStreetMap OpenStreetMap-NG is an innovative rethinking of how open mapping platforms can be built and maintained, as an alternative to the current openstreetmap.org setup. Leveraging Python and other widely used technologies and guided by user-centric design principles, this project creates a more accessible, privacy-respecting, and developer-friendly mapping platform. 
By prioritizing both solid technical foundations and ease of use, OpenStreetMap-NG wants to make open-source mapping more approachable while pushing the boundaries of what's possible. >> Read more about OpenStreetMap-NG OpenTough — Open-source rugged enclosure for modular laptop mainboards The project enables reliable computing in harsh and off-grid environments where consumer laptops often fail - including disaster response, field research, outdoor education, and industrial use. At the same time, it explicitly targets everyday consumers who want a reliable, mechanically robust, long-lasting laptop for normal work and life - similar in spirit to older, durability-first professional machines. By reusing existing components in a durable, repairable enclosure, OpenTough extends device lifespans, reduces e-waste, and lowers the barrier to accessing digital tools and the open internet. All design files, documentation, and test results will be published under open hardware licenses, enabling local manufacturing, repair, and further adaptation. OpenTough is vendor-neutral by design and contributes to digital sovereignty through open, reusable hardware components. >> Read more about OpenTough Open Virtual File System (VFS) for Linux — Create a standard API for files stored across the net The project summary for this project is not yet available. Please come back soon! >> Read more about Open Virtual File System (VFS) for Linux OpenVoiceOS - From Beta to Breakthrough — Free and open, self-hostable voice assistant OpenVoiceOS (OVOS) is a fully open-source, modular voice assistant framework designed to provide a privacy-first, transparent alternative to proprietary voice assistants dominated by Big Tech. Building on the legacy of the Mycroft AI project, OVOS enables users, developers, organizations and companies to create highly customizable voice assistants while maintaining complete control over their data. In this project, OVOS aims to create a first stable release. 
It will streamline onboarding for new users, enhance multi-language support, stabilize the platform, and expand documentation for users and developers to create custom skills and/or plug-ins. >> Read more about OpenVoiceOS - From Beta to Breakthrough Openki Roles — Restructuring role management in libre tool for crowd-sourced education How do you discover what you can learn from the people around you? How do you search what other people in the same region have to offer, like a training course or a debating event? Openki is an interface between technology and culture. It provides an interactive web platform developed with the goal to remove barriers for universal education for all. The platform makes it simple to organise and manage \"peer-to-peer\" courses. The platform can be self-hosted, and integrates with OpenStreetMap. At the moment Openki is focused on facilitating learning groups and workshops. The project will add course templates, streamline roles when organising courses and redesign parts of the interface in order to improve the overall user experience. >> Read more about Openki Roles Reduce osm2pgsql resource usage — More efficient database usage for OSM data Osm2pgsql is used to import OpenStreetMap (OSM) data into a PostgreSQL/PostGIS database and keep it up to date. It is an essential tool of many map creation and OSM data analysis toolchains. It is used to serve millions of users daily on the OpenStreetMap project's own raster and vector map infrastructure. It is also a basis for the Nominatim geocoder. With the amount of data in OSM climbing continually, the memory and disk requirements of osm2pgsql have risen as well. In this project we want to reduce the memory and disk usage of osm2pgsql by implementing more efficient storage formats, specifically for \"intermediate\" data used while processing. 
This will not only help with resource consumption on the community run OSM servers, but also enable wider use of OSM data, even on planet-scale, in low-resource environments available to small NGOs or to students. >> Read more about Reduce osm2pgsql resource usage Configurable Communication Channels for qaul — Distributed messaging over verifiable P2P channels qaul is a privacy-preserving, internet-independent, off-the-grid, delay-tolerant P2P mesh messenger that can be used even in emergency situations. In this project, we will implement configurable communication channels in qaul. This implementation will create an enhanced proximity-aware and connection-aware publish/subscribe protocol with verifiable channels. These channels can be configured for open discussions, trusted information channels, distributed spam protection, or distributed network protection. The project will also optimize the onboarding process for new users in local communities. >> Read more about Configurable Communication Channels for qaul Open-source accelerator platform for large FPGAs — Low cost hardware accelerated workloads with open toolchains Affordable Kintex-7 FPGA cards with DDR3 and PCIe have recently become accessible to hobbyists, researchers and small companies, but the open-source tooling and gateware ecosystem has not yet caught up. This project bridges that gap by delivering an end-to-end open platform: a Raspberry Pi with PCIe root port will be used for easy bring-up and remote access, while a fully open PCIe endpoint and DMA engine drives high-speed host-device transfers, with an open-source uberDDR3 memory controller for data storage. Users will be able to run large FPGA designs, integrate high-bandwidth memory and PCIe interfaces, and reuse the PCIe/DMA infrastructure in their own projects, all without vendor tools. 
The project also ports the ZTAchip accelerator to Kintex 7 with openXC7 and prepares real-world AI demos such as video object detection and local LLM inference. This gives users a practical, low-cost entry point into hardware acceleration, enabling experimentation with custom architectures, RISC-V extensions, SDR pipelines, image processing or general compute offloading. Improvements to openXC7, nextpnr and scalePnR benefit the wider community, making large-device timing closure and GTX transceivers more accessible. Overall, this work expands the possibilities for developers who want high-performance FPGA capabilities without proprietary toolchains. >> Read more about Open-source accelerator platform for large FPGAs Open PCIe and M.2 hardware and software platform — Standard form factor open hardware extension cards Developing hardware for PC slots like PCIe and M.2 is currently very difficult because most design details are hidden behind NDAs and expensive specifications. This makes it almost impossible for hobbyists and students to build their own peripherals or experiment with new ideas. The 'Open PCIe and M.2 Hardware and Software Platform' project aims to change this by offering an easy entry point for education and makers. By providing open-source hardware templates and libraries that work with familiar tools like Arduino and MicroPython, the project simplifies the complex world of PCIe expansion. Through documented breakout boards and video guides, it turns the PC’s internal slots into a safe, accessible playground for learning, allowing anyone to build custom hardware without needing professional-grade resources. >> Read more about Open PCIe and M.2 hardware and software platform Native DTLS 1.3 implementation in Go — Add DTLS 1.3 to PION real-time media stack Pion is an open-source community aiming to create a cross-platform stack for real-time communication in Go. As part of the stack, Pion has implemented Datagram Transport Layer Security version 1.2. 
DTLS is a protocol that brings the security properties of TLS to UDP transports, preventing eavesdropping, tampering, and message forgery. This protocol is essential to secure real-time communication applications like WebRTC, IoT, and VPNs. The latest version, DTLS 1.3, offers major improvements in performance, security, and privacy. While Go’s standard library includes TLS support, it lacks any DTLS implementation. This project will add native DTLS 1.3 support to the Pion DTLS library, enabling developers in the commons to build secure and low-latency applications in Go. >> Read more about Native DTLS 1.3 implementation in Go Secure Apache PLC4J — Unified interface to PLCs and industrial devices Apache PLC4X is an open-source, industrial connectivity framework that provides a unified, vendor-agnostic way to communicate with a wide range of PLCs and industrial devices. It eliminates the complexity of proprietary fieldbus protocols by offering consistent, high-level APIs for reading, writing, and subscribing to industrial data, enabling faster integration, improved interoperability, and reduced maintenance costs across OT/IT systems. With a modular driver architecture, strong multi-language support (Java, C++, Go, Python, etc.), and production-proven performance, PLC4X helps organizations modernize their automation landscapes, build scalable data pipelines, and accelerate digital-transformation initiatives—without being locked into a single vendor’s ecosystem. >> Read more about Secure Apache PLC4J Padne — Open source power delivery network analyser padne padne is a KiCad-native tool for power delivery network analysis using the finite element method. It simulates DC voltage drops and current density on printed circuit boards, bringing capabilities to the open-source EDA ecosystem that have traditionally required expensive proprietary software. 
This project focuses on validating computational accuracy through test PCB fabrication and measurement, improving performance through parallelization, and building documentation to support wider adoption. >> Read more about Padne Modernizing Paged.js Web-to-Print — Quality typesetting based on HTML and CSS Paged.js is a free and open source JavaScript library that paginates content in the browser to create print/PDF output from HTML and CSS content. This is necessary for instance for delivering browser-native office productivity solutions - users expect these to produce good output but don't want to have the burden of legacy formats. The proposed project will fundamentally revisit/upgrade the architecture of paged.js to support additional layouts, add advanced layout capabilities and implement PDF/UA tagging. >> Read more about Modernizing Paged.js Web-to-Print Panoramax — Digital, collaborative immersive street level imagery Panoramax is an immersive views project. It is a digital, collaborative, free and open community. Access to the photos is free. Panoramax operates as an instance or federation of instances for hosting images. Today, most contributions are made using web interfaces that are not suitable for smartphones. However, this is an important lever for increasing the number of contributions. The aim of the “A mobile app for Panoramax” project is to enable contributions from smartphones, while making them easy for everyone. The application will enable geolocated and sequenced photos to be taken and uploaded to the various community instances. >> Read more about Panoramax Panoramax video uploads — Add street level imagery from user-provided video Panoramax is an open-source software stack to create street level imagery open alternatives. It is an open collaborative immersive views project nurtured by an international community of contributors and users, operating as a federation of instances. 
Currently, Panoramax only accepts uploading images, whereas typical cameras used for image acquisition enable \"timelapse\" video recordings that can provide more photos (several frames per second instead of one picture every two seconds at best, which limits the acquisition for higher-speed vehicles). As of today, contributors are required to pre-process their video files using local scripts to extract compatible images before uploading them. The aim of the “Video uploading for Panoramax” project is to integrate this processing on the server side to make direct video contributions possible and much simpler. The developments will have to be adapted for at least the most common cameras available on the market (GoPro, Qoocam) and deal with the different metadata formats. >> Read more about Panoramax video uploads Papis — Highly extensible document and bibliography manager Researchers use Papis to search their digital libraries, manage bibliographies, organise notes, and move documents between formats. This command-line tool has become essential to many researchers' daily work. We've since added a terminal user interface (TUI) and a web interface, but the TUI remains underdeveloped -- it doesn't yet cover all of Papis's core capabilities in a way that feels intuitive or modern. This project addresses that gap. We'll build a client/server architecture that separates Papis's database logic from its interfaces, making the codebase more maintainable and enabling new features. With this foundation in place, we'll expand the TUI to handle all core functionalities. Along the way, we'll restructure our documentation to match the new architecture, making it easier to keep current as the project evolves. These changes should make Papis more powerful while lowering the barrier for newcomers. 
>> Read more about Papis Parley — Rich text layout and editing library Parley is a Rust library for implementing rich text layout and includes utilities for text selection and editing, as well as font enumeration and fallback through the companion library Fontique. Parley depends on the production-quality text shaping engine HarfRust. This project aims to prove Parley's flexibility through modularity, allowing users to choose the high- or low-level APIs that are suitable to them and making it easier to implement various layout strategies. Additionally, more layout and bidirectional text features will be implemented, especially targeting web use-cases. Further goals are to improve handling of font loading and font fallback behavior, focusing on performance as well as allowing richer web-style font selectors and fallback. >> Read more about Parley Parley - rich text layout library — Cross-app rich text copy/paste for Parley High quality, consistent text display across applications and platforms is a fundamental part of a good user experience, yet it often depends on embedding cumbersome web browser components. Parley is an open source project building a powerful, independent alternative for rich text layout. By providing a performant library for native desktop and mobile apps, especially in modern languages like Rust, it empowers developers to create resilient, trustworthy, and good looking software without relying on the dominant web ecosystem. This grant will significantly mature Parley by expanding its international text layout capabilities, delivering cross-app rich text copy/paste, and providing performance benchmarks and documentation, making it a cornerstone for a more diverse and sovereign software landscape. >> Read more about Parley - rich text layout library PdfDing — Webbased selfhosted PDF manager, viewer and editor PdfDing is a web based PDF manager, viewer and editor. 
It offers a seamless user experience on multiple devices and functionality for sharing PDFs with external users. PDF is an omnipresent file type with users in all walks of life. This project aims to be a free all-in one solution for managing and consuming PDFs while having small resource requirements and offering users control over their data. For this reason it is designed to be minimal, fast, and easy to set up using Docker. >> Read more about PdfDing Peertube plugin livechat — Public and private messaging for Peertube content + live streams Peertube is a free, decentralized and sovereign alternative to video-on-demand and live-streaming platforms. The Peertube Livechat project is a popular plugin for PeerTube that adds chatting capabilities to Peertube, so the audience can interact with streamers during their live streams. The functionality goes way beyond a mere chat system: it also provides moderation tools, polls, chat integration in the live stream, TODO-list for streamers and moderation team, and more. Its ambition is to become a complete ecosystem for live streaming. >> Read more about Peertube plugin livechat PeerTube for Institutions — Make PeerTube easier to manage and moderate at scale PeerTube is a free-libre and federated video platform that empowers anyone to self host video content without being isolated in the wide web. Many institutions have started using PeerTube, to reclaim control over their video hosting. By choosing PeerTube, they offer a wider audience the opportunity to familiarize themselves with PeerTube. A significant part of this project focuses on enabling these institutional use cases, and is designed from their feedback. We plan to add ownership transfer and shared administration for video channels, quality of life features for moderation and administration, more control on an instance look and experience and a set-up wizard with relevant presets (and more). 
We also want to adapt the mobile app to tablet and TV devices, and add a watch offline option. >> Read more about PeerTube for Institutions Hassle-free Peppol bootstrapping and onboarding — Open, reproducible, certification-ready e-invoicing stack for Peppol This project aims to make participation in the Peppol network genuinely accessible by providing a fully open-source, hassle-free way to deploy, operate, and validate a Peppol Access Point (AP) and Service Metadata Publisher (SMP). Building on existing, production-grade components such as Oxalis-NG and phoss SMP, we focus on eliminating the operational and deployment complexity that currently restricts Peppol infrastructure to large vendors and system integrators. The project will deliver reproducible, certification-ready deployments, automated onboarding and conformance testing workflows, and clear documentation that allows others to independently validate their setup. In addition, we will ensure interoperability with other open-source Peppol tooling, including Let’s Peppol, to demonstrate a coherent and composable free-software ecosystem. By packaging the complete solution in a reproducible environment such as NixOS, this project lowers the barrier for SMEs, public bodies, and developers to run their own Peppol infrastructure without vendor lock-in, while staying fully aligned with open standards and free-software values. >> Read more about Hassle-free Peppol bootstrapping and onboarding Yrs persistent documents — Yrs/Yjs compatible layer for persistent key-value stores Yrs is a local-first collaboration library widely used for real-time collaborative editing. Yrs is a CRDT-based solution that currently works on documents fully loaded into memory, with disk storage happening through plug-ins. The primary goal of this effort is to make it more robust (and less resource-heavy) by creating an alternative implementation that works directly with the on-disk database. 
All of this should happen while remaining compatible with the existing in-memory Yrs implementation as well as the original Yjs JavaScript implementation. >> Read more about Yrs persistent documents Port Phosh to GTK4/libadwaita — Open source user interface for mobile phones The Phosh project aims to provide a daily usable, robust and easy to use graphical user environment for mobile devices running mainline Linux. The goal of this project is to move the phone shell to the current version 4 of the underlying GUI toolkit GTK. This involves implementing the needed interfaces as well as updating the code base to the changed APIs allowing us to make use of GTK's improvements like GPU rendering and smoother scrolling. >> Read more about Port Phosh to GTK4/libadwaita pimsync — Reliable synchronisation for contacts and calendars Pimsync is a standards-based tool to synchronise contacts and calendars, using CalDAV, CardDAV, WebCal and/or a local filesystem. It has proven a reliable and stable evolution of its predecessor vdirsyncer, but lacks some of the extended features on which some users rely. This project aims to implement all those extended features and edge cases, such that remaining users of vdirsyncer can migrate to a modern replacement. >> Read more about pimsync Pinbot — Design and deploy test jigs for electronics Pinbot is an open-source platform that makes it easy to design and deploy test jigs for electronics. It brings together mechanical fixtures, control electronics, jig-level software, and a backend that stores and analyzes every test result. With Pinbot, you can achieve fast, reliable, and fully automated testing of printed circuit board assemblies (PCBAs), whether on a production line or in your garage. Think of it as CI/CD for your hardware: nothing ships until it has been verified by automation and every detail is logged for full traceability. 
>> Read more about Pinbot Pnut — Reproducible build of GCC on POSIX shell The C programming language underpins many critical components of modern infrastructure, with most programming languages relying on it, directly or indirectly, for their bootstrap. Given this pivotal role, reproducible builds for C are fundamental for the adoption of reproducible builds across the software landscape. The Pnut project aims to create a new bootstrapping path for GCC and the C ecosystem, leveraging Diverse Double-Compilation and POSIX shell instead of the usual auditable binary seed approach. This approach reduces the number of steps by starting at a higher abstraction level, in addition to not having platform specific seeds. The ultimate goal of Pnut is to deliver fully reproducible and auditable bootstrap for GCC, starting with Linux x86, requiring only a POSIX compliant shell and human-readable source files. >> Read more about Pnut Pnut everywhere — Compiles (a subset of) C to human-readable POSIX shell or binary The C programming language underpins many critical components of modern infrastructure, with most programming languages relying on it, directly or indirectly, for their bootstrap. Given this pivotal role, reproducible builds for C are fundamental for the adoption of reproducible builds across the software landscape. Previously, the Pnut project has demonstrated the viability of bootstrapping GCC and the C ecosystem from POSIX shell - offering an alternative to the \"usual\" auditable binary seed approach. The next goal for Pnut is to broaden the platforms supported by this new bootstrapping path, from x86 only to ARM and RISC-V, in addition to making the Pnut compiler easier to bootstrap from more platforms. >> Read more about Pnut everywhere PodOS — Personal Online Data Operating System aimed at exploring W3C Solid pods PodOS is an operating system for data on Solid Pods, designed to bridge the gap between specialized apps and raw data management. 
It is built from the ground up for mobile-first UX, accessibility and maintainability, on top of re-usable custom elements. In the upcoming phase, PodOS will introduce new ways for users to structure, link, and repurpose their data, allowing them to organize information beyond the constraints of individual applications. Users will be able to extract information from classic documents or notes and transform them into structured resources that could be used with other Solid Apps. New developments will emphasise modularity and interoperability by integrating existing data modules, dynamically loaded dashboards and seamless transitions between PodOS and specialized apps. These advancements will give individuals and organizations greater flexibility and control over their data, making the Solid ecosystem more practical, interactive, and user-friendly. >> Read more about PodOS Podlibre — Dedicated, customizable podcast editor Podlibre is an all-in-one, customizable podcast editor designed to empower podcasters with a tool they can rely on daily. In the past decade, the popularity of podcasts has exploded - but so far there was no good podcast-specific workflow for creators to handle the process. Obviously one can use generic sound editors, but these are typically geared toward music production and lack features that make it easy for podcasters and journalists to produce consistent podcast content. With a customizable workflow and plugin architecture, Podlibre allows users to tailor their experience while integrating with third-party services. It provides all essential features in one place, including noise reduction, mouth noise editing, multi-channel audio editing, music insertion, local transcription with manual correction, chapter editing, metadata editing (ID3, RSS), local publishing, and publishing to hosting platforms (Castopod, Funkwhale, Faircamp). >> Read more about Podlibre Polyglot jaq — Data wrangling tool focusing on correctness, speed, and simplicity. 
Data often needs to be processed going from one tool to another. Doing that is potentially a point of failure, as 'quick and dirty' solutions often fail to take into account edge cases. This project will build on top of Jaq, a Rust re-implementation of the widely popular jq syntax with rigorously defined semantics, and extend its approach to other data formats - from legible formats such as XML, YAML, TOML, CSV and Markdown to binary formats. For the latter, the project builds on the versatile parsing toolbox of Kaitai Struct. >> Read more about Polyglot jaq Pomme d’API — Improvements around the Open Food Facts API Open Food Facts is an open and collaborative database of 3.5M food products from around the world. This project will improve the Open Food Facts API to make it easier for the 250+ apps and services that use it daily to access and contribute food products data. In particular, it will focus on providing easier means to contribute photos and data, better structured data, OpenAPI specifications, and extensive documentation. >> Read more about Pomme d’API PowerCommons — OpenPower A2O Core Revival The PowerCommons project treats computing infrastructure as a commons—open, composable, and collectively maintained—built on the OpenPOWER architecture. It emerges from a recognition that computational infrastructure shapes society as fundamentally as roads, utilities, and communications networks. When this infrastructure is opaque and privately controlled, democratic oversight becomes impossible. We are building the alternative: infrastructure that is transparently operated and publicly auditable by design. This philosophy is backed by architectural depth: a composable platform where cores and components can be selected and combined freely for any given use case. 
The long-term vision is a fully sovereign, open alternative to x86 and ARM across the entire computing spectrum: from embedded and IoT devices, through mobile and laptops, to workstations, servers, and high-performance computing. The A2O Core Revival project restores full functionality to IBM's A2O processor core and lays the foundation of that composable platform. It addresses build system incompatibilities with modern toolchains, resolves critical timing and synthesis issues, and establishes a reproducible LiteX SoC integration capable of booting Linux on modern Xilinx FPGA platforms (Zynq and VCU-118). Deliverables include simulation and testbench infrastructure, initial open-toolchain synthesis flows targeting the IHP 130nm open PDK, comprehensive documentation, and a roadmap for ISA modernization toward Power ISA 3.1C compliance. >> Read more about PowerCommons Provability Fabric — Verifiable evidence and run-time security for AI systems Provability Fabric is an open-source infrastructure project for making AI and software systems trustworthy through evidence that can be independently verified. It integrates formal verification, runtime security, and end-to-end audit trails so that claims about what a system was allowed to do, what it actually did, and whether it remained within specification can be checked across tools and workflows instead of accepted on trust. The project provides common schemas, specifications, replay mechanisms, and reference implementations for packaging and validating proofs, attestations, and execution traces. In doing so, it aims to create a shared public infrastructure for reproducibility, interoperability, and auditability in high-stakes automated systems. >> Read more about Provability Fabric PyCM — Machine learning post-processing and analysis PyCM is an open-source Python library designed to systematically evaluate, quantify, and report the performance of machine learning algorithms. 
It offers an extensive range of metrics to assess algorithm performance comprehensively, enabling users to compare different models and identify the optimal one based on their specific requirements and priorities. Additionally, PyCM supports generating evaluation reports in various formats. Widely recognized as a standard and reliable post-processing tool, PyCM has been adopted by leading open-source AI projects, including TensorFlow, Google’s scaaml, Torchbearer, and CLaF. In this grant, the team will implement several new features, such as data distribution analysis, dissimilarity / distance matrices and curve analysis. In addition the project will improve benchmarking and confidence, and introduce an API and GUI for wider adoption. >> Read more about PyCM PyUVM SPI Verification Component — Add Serial Peripheral Interface support to PyUVM verification tool In recent years, many open source projects have emerged making chip design and verification possible without the need for the common proprietary SystemVerilog tools. The emergence of PyUVM brought the power of the Universal Verification Methodology (UVM) to the Python ecosystem. To strengthen this ecosystem, reliable and re-usable verification components are key factors to shift left and focus verification effort on functional bugs of complex designs. The PyUVM SPI verification component is a configurable agent designed for SPI protocol based on PyUVM. Tutorials, documentation and test bench examples will be available to promote its usage and ensure that the ability to deliver high-confidence, verified silicon is no longer a privilege of well-funded corporations, but a standard accessible to the entire open-source community. >> Read more about PyUVM SPI Verification Component Adding 32-bit ARM support to QBE and Hare — Full Arm32 support for QBE compiler Many affordable and widely used devices, ranging from older smartphones to embedded systems, rely on 32-bit ARM processors. 
In fact for many devices it doesn't make sense to use 64-bit CPUs. Hare is a new systems programming language, designed to be simple and reliable, that depends on QBE, a lightweight compiler backend, to generate target machine code. However programs compiled with Hare cannot currently run on these devices because its compiler backend (QBE) only supports 64-bit hardware. This project will add full ARM32 support to QBE, making Hare usable on millions of existing computers. By extending the lifetime of older hardware and opening Hare to more platforms, the project helps developers and users alike benefit from a more diverse and sustainable open source ecosystem. >> Read more about Adding 32-bit ARM support to QBE and Hare QGIS Panoramax Plugin — Extension to manage Panoramax data with QGIS Panoramax is a digital resource for sharing and using street pictures. Anyone can take photographs of places visible from the public space and add them to the Panoramax database. This data is then freely accessible and reusable. It offers a similar service to StreetView, Mapillary, KartaView... but with a completely open-source software stack, and fully managed by a growing open community. QGIS is a widely deployed geographic information system (GIS) software, allowing for geospatial data visualization, processing, dissemination, analysis and more. This project will implement an industry-grade QGIS extension to manage Panoramax data directly with QGIS: get Panoramax trajectories and display images in 2D and 3D, search, download and upload batch data. Our goal is to bridge the gap between GIS users and field surveyors to promote open data. >> Read more about QGIS Panoramax Plugin Vector based similarity search index for QLever database — Improved search for scalable open-source graph database This project extends QLever, an extremely efficient and scalable open-source graph database, by implementing a generic vector-based similarity search index. 
By integrating this feature alongside existing support for full-text and geo-spatial search, the project creates a unified engine that efficiently combines structured graph queries with semantic vector search. This makes massive Linked Open Data datasets readily available for AI-driven Retrieval Augmented Generation (RAG), including datasets such as Wikidata, UniProt, and OpenStreetMap. >> Read more about Vector based similarity search index for QLever database Qryptr — Air-gapped open hardware encryption device As a smartphone user you might be worried about spyware, advanced actors, backdoors, zero-days or side-channel attacks. These routinely bypass end-to-end encryption through keyloggers, screen capture and compromised keys. Smartphones are part of complex ecosystems with dozens of hardware and software components and remain vulnerable despite vendor and political efforts. Qryptr is a simple, offline, airgapped device to counter such threats. Plain text messages entered via its keyboard are ECC encrypted and displayed as QR codes. These QR codes can be photographed and shared using your smartphone. This method offers additional endpoint security as plaintext and cryptographic keys are kept physically separate from your smartphone. >> Read more about Qryptr RA-Sentinel AoA — Direction aware sensing of RF-based attacks RA-Sentinel is a small, low-power wide band radio receiver device that automatically detects various malicious attacks on Wifi access points, such as Man in the Middle and Denial of Service attacks. The RA-Sentinel project is designed to protect your home WiFi from unwanted cyber threats. Think of it as a digital watchdog for your internet connection that barks when someone from the outside tries to break in. The device will enhance internet safety for ordinary users by monitoring any Wifi cell. The RA-Sentinel Multi-Channel project aims to enhance the existing RA-Sentinel system by developing a 4-channel, 2.4 GHz RF front-end. 
This upgrade will enable the system to determine the direction of RF-based attacks. By introducing a multi-channel, phase-coherent reception system, we can estimate the Angle of Arrival (AoA) of incoming signals. This will help identify and locate threats such as jamming, spoofing, or unauthorized transmissions. >> Read more about RA-Sentinel AoA RA-Sentinel Code Liberation — Royalty free synthesizable Verilog code for signal processing RA-Sentinel is a small, low-power wide band radio receiver device that automatically detects various malicious attacks on Wifi access points, such as Man in the Middle and Denial of Service attacks. The RA-Sentinel project is designed to protect your home WiFi from unwanted cyber threats. The RA-Sentinel Code Liberation project replaces hardware-specific \"black box\" components in RA-Sentinel with fully portable, openly licensed code that anyone can use, modify, and redistribute. The project will lower entry barriers to FPGA development, ensure long-term sustainability free from vendor licensing restrictions and product deprecation, and empower the global community to innovate without costly proprietary constraints. This work directly supports digital sovereignty, inclusive access to technology, and fostering community-driven innovation. >> Read more about RA-Sentinel Code Liberation Reduced Feature-set Packet Filter — High throughput software firewall The RFPF project aims at bridging the performance gap between the traditional software firewalls (typically choking at 10 Gbit/s line speeds or less) and the already ubiquitous 100 Gbit/s Ethernet. We are developing a user-space software firewall capable of sustaining 100 Mpps processing rates while doing multiple longest prefix matching (LPM) lookups in large datasets (such as BGP or GeoIP) on each packet. The main focus is on locally dampening large-scale packet-flooding attacks, while still being sufficiently flexible for many general-purpose firewalling application scenarios. 
RFPF uses a multithreaded, lockless userspace datapath, and forwards 60+ Mpps while doing multiple LPM lookups per packet with randomized traffic load, all at a fraction of max. CPU frequency. Working both on Linux and FreeBSD, RFPF currently relies on Netmap for fast packet I/O in user space, with a more efficient DPDK based datapath variant being on the near-term roadmap, along with improvements in our LPM lookup engine. >> Read more about Reduced Feature-set Packet Filter RIVET — Cointegration of RISC-V systems with Ethernet The goal of the RIVET project is to develop and incorporate an Ethernet Media Access Controller (MAC) into an already existing organized open-source framework for agile development of RISC-V Systems-on-Chip (SoC) such as Chipyard. This work enables development engineers and researchers to equip their custom compute ASIC and FPGA prototypes with a \"plug-and-play\" Internet access feature while providing a ready testbed for next-generation networking devices. By upstreaming the results to Chipyard, the project will deliver the first fully parameterizable Chisel-based Gigabit Ethernet MAC design generator solution in that ecosystem, dramatically lowering the barrier for the global open-hardware and VLSI communities to build network-capable RISC-V systems and subsequently integrate them on a chip. >> Read more about RIVET Lix RPC — RPC framework for scaling Nix Nix is becoming increasingly important in build environments and deployment systems around the world, but the communication protocols it uses internally harken back to a much simpler time and are neither easy to extend with new features nor easy to use from anything except the `nix` CLI tools (which are even harder to version and evolve without breaking things). We will tackle both of these problems by adding a modern and extensible RPC protocol to Lix, using widely supported frameworks available in many languages. 
>> Read more about Lix RPC Re-isearch Schmate — Extending re-Isearch with a flat vector datatype for embeddings Schmate is the development name for the evolving next iteration of re-Isearch adding vector datatypes for embeddings and applications like retrieval augmented generation (RAG). Schmate (pronounced \"SHMAH-teh\") is Yiddish for rag (שמאטע). In contrast to typical vector stores the proposed re-Isearch+ shall offer a full passage information retrieval system (index and retrieval) using a combination of dense and sparse vectors as well as structure. It is dense passage retrieval (DPR) and a whole lot more. It addresses the stumbling blocks of chunking, has a tight integration of ingest, tokenisation, a number of alternative vector stores and similarity algorithms and, above all, uses a novel combination of understanding document structure (implicit and explicit) to provide a better contextual passage retrieval to solve the problem of misaligned context. This builds on the observation that meaning is also communicated through structure so needs to be viewed in the context of structure. Since structure like the words are meant by the sender (writer) to be received and understood (reader) our approach is to exploit the original author's organization of content to determine appropriate passages rather than relying solely on the chunks. >> Read more about Re-isearch Schmate Reach — Cryptographic Infrastructure for Anonymous Communication Reach addresses a gap in privacy-preserving communication infrastructure for scenarios involving surveillance risks, device seizure threats, and the need for safe ongoing dialogue between anonymous individuals and trusted groups. The open-source platform uses ECDH-based Oblivious Message Retrieval to enable anonymous individuals to establish first-contact and maintain bidirectional communication while preventing semi-honest infrastructure providers and third-party observers from learning communication patterns. 
By implementing asymmetric forward secrecy, organisations that deploy Reach maintain full forward secrecy with persistent keys, while anonymous parties achieve privacy and confidentiality without storing or outsourcing any cryptographic material. Reach delivers self-hostable infrastructure and formally verified cryptographic schemes for the broader privacy ecosystem. >> Read more about Reach io_uring-like IO for Redox — Introduce ring buffers in Redox to increase I/O performance Redox OS is a Unix-like microkernel-based operating system written in Rust, intended for both the cloud and the desktop. The purpose of this project is to implement ring buffers for requests and data transfers between key microkernel components, and to measure the potential for performance gains. We will be examining ring buffers connecting drivers to system services, system services to the kernel, and system services to applications. We will also investigate compatibility APIs such as liburing. >> Read more about io_uring-like IO for Redox Redwax Server Modernisation — Self-hostable X509 certificate based identity management solution The Redwax Project is a set of tools and web server modules to make it easy to build and deploy secure services on the web. The Redwax modular certificate authority mod_ca provides a set of Apache http server modules that can be combined to form various types of certificate authorities, issuing certificates from a Certificate Signing Request, or with the SPKAC and SCEP protocols, servicing certificate revocation with CRLs and OCSP, and creating timestamps. The Redwax tool provides a mechanism to read certificates and keys from a wide variety of sources, automatically associating leaf, intermediate, and trusted certificates, and optionally their private keys, then showing the metadata of or writing the certificates in a wide variety of target formats. 
This project will update the key modules, adjust to the current Apache APIs and also fully implement the since-published RFC 8894. >> Read more about Redwax Server Modernisation Renderling ecosystem — Renderling Renderling is a state-of-the-art, GPU-driven renderer that focuses on maximizing GPU capabilities for efficient scene rendering. The project is currently in the alpha stage and aims to enhance its adoption by addressing ecosystem challenges and collaborating with industry leaders from Mozilla and more. Renderling's development prioritizes performance, safety, and modern rendering techniques such as forward+ rendering, physically based shading and global illumination. The project is designed to support both native and web platforms, with a particular focus on the creation of \"instant games\" that are portable across platforms. >> Read more about Renderling ecosystem Repath Studio — SVG editor written in Clojurescript Repath Studio is a cross platform vector graphics editor, that combines procedural tooling with traditional design workflows. It includes an interactive shell, which allows evaluating code to generate shapes, or even extend the editor on the fly. Supporting multiple programming languages and enriching the existing API is planned. The tool relies heavily on the SVG specification, and aims to educate users about it. Creating and editing SMIL animations - an SVG extension – is an important aspect of the project, that is yet to be fully implemented. An advanced undo/redo mechanism is used to maintain a full history tree of actions in memory, so users will never lose their redo stack. We are exploring ways to persist this history to disk. Some built-in accessibility testing tools are already included, but we want to add more. Extensibility is also something that we want to enhance, in order to allow creating and sharing custom tools and workflows. Integrations with third party tools will also be investigated. 
>> Read more about Repath Studio Reproducible Builds in the Scala ecosystem — Deterministic builds for software written in Scala While open source components can be audited through their open version history, there is no guarantee that any binaries that are distributed actually correspond to those sources. The technique to validate this is known as \"Reproducible Builds\": by building the same code on independent infrastructure and verifying the results are identical, you can verify the binary artifacts have not been tampered with. This is useful both for project members who want to verify no malware was inserted via their CI system or developer build machine, and for 'external' auditors who can independently verify the project as a whole is not compromised. This project intends to improve Reproducible Builds for software written in the Scala language, which typically use the 'sbt' build tool. It will do so by making improvements to the sbt-reproducible-builds sbt plugin and other toolchain components such as sbt plugins and the Scala compiler, so that projects will be reproducible 'out of the box' as much as possible. >> Read more about Reproducible Builds in the Scala ecosystem Ricochet Refresh UX — Making privacy more user-friendly Ricochet-Refresh is a decentralised, open-source instant-messaging client that allows people to chat with each other anonymously and securely, via the Tor network. This project will strengthen Ricochet-Refresh’s privacy and anonymity guarantees by basing it on the Gosling library. The project will also improve user experience and implement various new features one expects from contemporary instant-messaging software, and prepare the way to bring Ricochet-Refresh to Android devices. 
>> Read more about Ricochet Refresh UX Element Call on Cisco Room hardware — E2EE Matrix video conferences on existing Cisco hardware This project aims to develop plugins for using browser-based video conferencing software on existing Cisco Roomkit devices (Matrix/Element). This means a functional upgrade and longer utilisation for existing Cisco/Webex meeting room hardware, as found in both private companies and public institutions. The project will develop plugins for deployment and operation of Matrix/Element - a browser-based, open source video conferencing solution. This will remove the dependency on the proprietary cloud-based back-end provided by the vendor and thus allow this expensive hardware to continue to be used after Cisco stops supporting the hardware. The same equipment can even be upgraded to support end-to-end encryption for secure communication. >> Read more about Element Call on Cisco Room hardware Rusted Platform Module (RPM) — Programming TPMs in pure Rust The Rusted Platform Module (RPM) project strives to improve and advance Trusted Platform Module (TPM) v2 support and ease of use for the Rust programming language. This includes programming the TPM in pure Rust, without C-based libraries in the background, as well as (commandline) tools for common tasks, etc. This project strives to increase adoption of memory-safe languages for programming of security components like the TPM. >> Read more about Rusted Platform Module (RPM) SDCC — Modern compiler for 8-bit microcontrollers The Small Device C Compiler is the free (apart from GCC having an AVR port) compiler for 8-bit microcontrollers (µC). It is competing with various non-free compilers. 8-bit µC are common in peripheral devices of larger systems; SDCC is an essential part of the free software ecosystem, in particular for developing firmware. 
We aim to both improve SDCC support for various target hardware, as well as implement machine-independent improvements to make SDCC more competitive vs. non-free compilers. Hardware-specific improvements planned include improving support for Padauk's popular low-cost microcontrollers, improving support for the Rabbit microcontrollers common in older IoT devices, improving code generation for the f8 port, and improving support for Toshiba TLCS microcontrollers. The focus for machine-independent improvements will be in enhancing support for recent ISO C standards, an optimization to reduce memory usage for local variables, and implementing a link-time optimization to optimize out unused functions and objects. The latter is the one feature most-requested by SDCC users in recent years. >> Read more about SDCC SSH Stamp — Secure SSH-to-UART bridge for devices with a serial port. SSH Stamp is a secure wireless-to-UART bridge implemented in Rust (no_std, no_alloc and no_unsafe whenever possible) with simplicity and robustness as its main design tenets. The firmware runs on a microcontroller running Secure SHell Protocol (RFC 4253 and related IETF standards series). This firmware can be used for multiple purposes, conveniently avoiding physical tethering and securely tunneling traffic via SSH by default: easily add telemetry to a (moving) robot, monitor and operate any (domestic) appliance remotely, conduct remote cybersecurity audits on network gear of a company, reverse engineer hardware and software for right to repair purposes, just to name a few examples - a \"low level-to-SSH Swiss army knife\". >> Read more about SSH Stamp An OpenScience flavour of Bonfire on NixOS for preprints — Discuss preprints based on W3C ActivityPub federation Preprints have revolutionised scholarly publishing, offering a rapid and open way to share research findings, establishing priority, receiving early feedback, and accelerating scientific discovery. 
Online discussions around preprints regularly take place on social media, but there still exists a gap in encouraging fluid discourse around science and making it a recognised academic activity. This project aims to address the gap by facilitating and integrating these conversations into the scholarly framework using FOSS tooling. Outcomes include: establishing a Bonfire network tailored for preprints, with reproducible deployment made possible via NixOS, bringing existing communities into the Fediverse, amplifying contributions using existing scholarly infrastructure, exploring new models of peer evaluation, and supporting recognition of this crucial scholarly activity. >> Read more about An OpenScience flavour of Bonfire on NixOS for preprints SecurEAP: Secure Enterprise Wi-Fi on Linux — Improve Wi-Fi security and privacy SecurEAP will improve Enterprise Wi-Fi security and privacy on Linux by adding modern protections such as Trust on First Use (TOFU) and automatic anonymous identities. The project will extend open-source components such as wpa_supplicant, iwd and popular network managers like “NetworkManager”. As a result, SecurEAP will make it much harder to carry out rogue access point attacks against Linux, which recent research has shown is still a problem in practice. Additionally, the project will study and prototype improvements of TOFU to mitigate “first use” attacks. Taken together, this finally adds modern protections to Linux that other platforms already offer, but Linux has still lacked. >> Read more about SecurEAP: Secure Enterprise Wi-Fi on Linux SelectCast: Anycast in Path Aware Networks — Anycast for SCION and other path-aware networks The project summary for this project is not yet available. Please come back soon! 
>> Read more about SelectCast: Anycast in Path Aware Networks Quantum-Safe Cryptography in Sequoia PGP — Implement draft-ietf-openpgp-pqc in Sequoia PGP Sequoia is a complete implementation of OpenPGP (as defined by IETF RFC 9580), and various related standards. To address the challenges of quantum computing, cryptographic standards are incorporating new algorithms. For OpenPGP, the new algorithms are specified in a draft which is close to being finalized. This project will add support for post-quantum cryptography to Sequoia when using the Botan cryptographic library as backend, the RustCrypto backend, and the Windows CNG backend. Another closely related effort involves using symmetric cryptography in places where traditionally asymmetric cryptography is used in OpenPGP. Symmetric cryptography is less susceptible to attacks from quantum computing, and provides performance benefits, enabling novel workflows that improve the user experience and alleviate some of the challenges that post-quantum cryptography brings. This project will therefore also add support for the new symmetric cryptography mechanisms in Sequoia using a number of backends. >> Read more about Quantum-Safe Cryptography in Sequoia PGP Serverless and Metadata Reduction for XMPP — Enable XMPP on local networks, and reduce metadata exposure This project will enhance XMPP’s privacy and resilience by reducing metadata exposure and enabling decentralized, serverless communication. Work will focus on developing new protocol specifications to minimize metadata, particularly by encrypting roster (contact list) information, and implementing these changes in the Libervia ecosystem through Tor integration to anonymize connections and reduce IP tracking, as well as roster end-to-end encryption. A second focus area is advancing serverless communication by implementing the RELOAD protocol (XEP-0415) and leveraging end-to-end authentication via XEP-0416 and XEP-0417. 
By reducing reliance on centralized servers and minimizing metadata, this project strengthens XMPP and Libervia’s privacy and availability, enabling their use in environments where servers may be unavailable or inaccessible. >> Read more about Serverless and Metadata Reduction for XMPP Project SERVFAIL — Tools for DNS hosting SERVFAIL is a globally distributed, community-run authoritative DNS service. It is based on PowerDNS with a custom web frontend to support multi-tenancy on the different primary servers. There is also a proxy provided for the PowerDNS API — existing tooling should integrate nicely! The goal of this project is to challenge and improve upon existing DNS management solutions by taking different UI and UX choices which are not hiding the internals of DNS. For this to work, we are also providing documentation on DNS apart from running and developing the OSS infrastructure. Our main goal is to promote more decentralization of the internet by providing general resources on DNS, helping people get started and to encourage them to ultimately maybe run their own nameservers. >> Read more about Project SERVFAIL Servo Editability and Interactivity Enhancements — Keyboard interaction within the Servo browser The Servo Editability and Interactivity Enhancements project is about making Servo more responsive to user input. The project will greatly improve interacting with form controls in Servo as well as allowing for selecting page content. In addition, the keyboard will become much more useful as users will be able to navigate with the keyboard via arrow keys, page up, page down, home, end as well as using the tab key to cycle through page content. All of these capabilities are essential for using the Servo engine to build a fully functional browser. 
>> Read more about Servo Editability and Interactivity Enhancements Servo WebAPIs for Service Worker — Non-blocking, async Service Workers for Servo browser engine The project summary for this project is not yet available. Please come back soon! >> Read more about Servo WebAPIs for Service Worker ShapeThing SHACL renderer — View, edit and filter semantic data Linked data (RDF) is very good on a data storage level to enable interoperability and standardization. However user interfaces on top of linked data are often complex and not user friendly. This project is a developer library which generates user interfaces from SHACL shapes or RDF data itself. These user interfaces are forms to create and edit data, displays of data and facets to search through the data. Alongside the visual user interfaces it can generate, it can also generate TypeScript types from SHACL shapes and it can transform linked data to Javascript objects. All of these functionalities help a developer easily create applications on top of Linked data. This library uses the SHACL W3C standard and will integrate with the upcoming SHACL UI 1.2 standard. >> Read more about ShapeThing SHACL renderer Shinobi — An incremental AOSP build tool using Nix dynamic derivations Starting with AOSP (Android Open Source Project) and other ninja-based projects, Shinobi aims to offer a common platform - standalone or as a part of wider ecosystem collaboration - for Nix tools looking to provide granular, incremental, reproducible and distributed builds for their respective language ecosystems, by leveraging the up and coming dynamic derivations feature and aiming to prove it at scale. >> Read more about Shinobi Signature PDF — PDF editing and server-based digital signing workflow Signature PDF allows users to sign PDFs online, individually or with others. The project offers as well the possibilities to reorganize pages (merge, sort, rotate, delete, extract pages, etc.), edit metadata, and compress PDFs. 
This tool aims to be a free alternative to existing proprietary web services, offering users more control and guarantee of what happens to the PDF processed by the software. Signature PDF is easily deployable on a server of any size, a laptop, a container image or a Yunohost instance. Scope of the project is to implement verification of signed PDFs, integration into third-party software, improve smartphone ergonomics and accessibility, and other improvements to meet the requests/needs identified by users. >> Read more about Signature PDF Internationalization (i18n) for Silex — Add i18n to GraphQL-aware static site generator This project develops a local-first, fully open infrastructure for web publishing. Building on Silex free/libre website builder, it introduces a git-native, forge-agnostic architecture that removes dependency on centralized platforms and allows users to work and publish entirely locally. Because it implements GraphQL, it makes it possible, for instance, to synchronise content from a dynamic CMS like Wordpress - and publish it as a fast and secure static site. This project will build a cross-platform desktop client that can be used by anyone to develop and maintain performant websites. >> Read more about Internationalization (i18n) for Silex Herbees — Scalable intermediated P2P messaging based on Simplex Messaging protocol Herbees is an independent, unofficial, community-focused, open-source Rust implementation of the Simplex Messaging Protocol (SMP). It's designed as a robust and scalable foundation for relay-intermediated communication applications (intermediated p2p). Built upon the protocol’s elegant threat model and design principles established by the ingenious creators of SMP, Herbees provides middleware libraries and a high-performance SMP relay server. 
It also includes a reference, minimalistic CLI client to inform client developers how to construct user-centric clients and decentralized applications that leverage the protocol and its features – secure, authenticated, end-to-end encrypted (E2EE), private message exchanges – without requiring direct peer-to-peer connectivity or metadata exposure. >> Read more about Herbees Slint Visual Editor — User-friendly design of graphical user interfaces The project summary for this project is not yet available. Please come back soon! >> Read more about Slint Visual Editor Slintify LibrePCB 2.0 — Add missing features to Slint UI toolkit to accommodate demanding applications The project summary for this project is not yet available. Please come back soon! >> Read more about Slintify LibrePCB 2.0 Slips Immune I — Active IDP using ARP poisoning The \"Slips Immune I\" proposal marks the initial step in building an \"Immune System for the Internet,\" aimed at enhancing cybersecurity by fostering collaboration among computers using local and global decentralized P2P technology. The project focuses on improving the Slips Intrusion Detection System on local networks using Raspberry Pi devices, incorporating advanced detection ML models, isolation capabilities, and blocking techniques to mitigate cyberattacks. Key goals include implementing defense mechanisms, such as ARP poisoning for isolation and firewall-based protection, as well as training a Large Language Model (LLM) assistant to support security orchestration and decision-making. By leveraging machine learning and a collaborative architecture, Slips aims to evolve into a comprehensive, resilient Internet Immune System, where interconnected devices collectively detect, share information, and defend against cyber threats, enhancing protection through shared knowledge and adaptive responses. 
>> Read more about Slips Immune I Slipshow — A different paradigm for presentations including flipchart style annotations Slipshow is an innovative presentation tool that moves away from the traditional slide-based approach. Instead, it provides a dynamic experience similar to using a blackboard, while leveraging the advantages of digital technology. Presentations are created from Markdown files with specific annotations, and users can interact with the content during presentations by drawing directly on it using a mouse or tablet. With the scope of this project, Slipshow will be enhanced by introducing the ability to record annotations, seamlessly integrating them into the presentation for future use. >> Read more about Slipshow Smart lookup & inference for Semantic Data — Knowledge mapping within a postgresql database Semantic knowledge representations have not evolved since the Semantic Web was proposed during the 1990s. Modern graph databases offer new possibilities for knowledge representation, but the methods are poorly developed and require the use of specialized query languages and clumsy outdated formats. This project aims to make semantic maps easy for general use, using standard SQL databases and modern lightweight data formats. A user workflow starts from a simple note-taking language, then ingesting into a database using a graph model based on the causal semantic spacetime model, to the use of a simple web application for supporting graph searches and data presentation. The aim is to make a generally useful library for incorporating into other applications, or running as a standalone notebook service. >> Read more about Smart lookup & inference for Semantic Data Sniffnet — User-friendly network monitoring application Sniffnet is a cross-platform, Rust-based, fully open-source network monitoring application to help everyone keep an eye on their Internet traffic. 
Sniffnet is a technical tool, but at the same time it strongly focuses on the overall user experience: most of the network analyzers out there are cumbersome to use, while one of Sniffnet's cornerstones is to be usable with ease by virtually anyone. In an era dominated by network traffic encryption, Sniffnet doesn’t follow the standard monitoring approach that included reporting full packets’ payloads, but rather it provides flow-level details such as the country, the organization, the domain name, the upper-layer service, and other parameters that enable a more immediate understanding about the nature of the network traffic. >> Read more about Sniffnet Remote Sniffnet — Network monitoring tool + traffic analyser Sniffnet is a cross-platform, Rust-based, fully open-source network monitoring application to help everyone keep an eye on their Internet traffic. Sniffnet is a technical tool, but at the same time it strongly focuses on the overall user experience: most of the network analyzers out there are cumbersome to use, while one of Sniffnet's cornerstones is to be usable with ease by virtually anyone. Sniffnet plans to grow a lot in terms of functionalities in the coming period, implementing the most desired features raised directly by users. This includes the ability to identify the process/application responsible for a given network connection in a cross-platform way, the development of a Sniffnet agent and server capable of sending/receiving traffic from devices that don't support running a UI (such as routers or headless machines). Other interesting additions include support for the Linux SLL link type that will allow monitoring the 'any' interface, configuration of complex network filters following the Berkeley Packet Filter syntax, the ability to send remote notifications via POST webhooks, support for custom IP blacklists to warn users about suspicious traffic. 
A whole new application page will display more insights about the saved favorites, which will be extended to also support services and processes in addition to network hosts. >> Read more about Remote Sniffnet Solar FemtoTX motherboard — Low-power motherboard that can run on solar power Solar FemtoTX motherboard is an open, collaborative effort towards designing an ultra-low power motherboard in a mobile device-sized form factor. It aims to enable seamless integration into an open-source hardware laptop for easy repair/replacement/upgrade, and focusses on low power consumption, facilitating solar-powered devices and quick recharging. Furthermore, the project aims to make the open-hardware framework extensible by supporting socket-based or embedded processors and peripheral devices that meet a defined size and TDP limit. This interoperability allows newer, ultra low power microprocessors to work within the FemtoTX specification, and is optimized for solar power. The current project focusses on the initial design and validation of a System-on-Chip to be used in this low-power single board computer. >> Read more about Solar FemtoTX motherboard Solid-ActivityPub Interop — Bridge W3C Solid and ActivityPub The project summary for this project is not yet available. Please come back soon! >> Read more about Solid-ActivityPub Interop FedCM for Solid — User-friendly Federated logins for Solid Community Server \"FedCM for Solid\" bridges the gap between the emerging Federated Credential Management API and the Solid ecosystem. By implementing an extension for the Community Solid Server, this project enables Solid-OIDC identity providers to become compatible with FedCM. This makes it possible for users to log into Solid apps without needing to remember and manually enter their Identity Provider URL, significantly improving user experience. In parallel, the project will deliver a FedCM test suite, helping others to integrate FedCM in their own decentralized systems. 
Together, these efforts will promote a more user-friendly authentication flow for Solid, and help ensure that the development of FedCM accommodates decentralized web architectures. >> Read more about FedCM for Solid SolidOS — Data management tool and browser for Solid SolidOS is envisioned as a full-featured web-based operating system for any Solid-compliant personal data store, offering a window into Sir Tim Berners-Lee’s vision for a decentralized web. It serves as the default frontend for the community server, like solidcommunity.net. This project will deliver a modern, modularized SolidOS frontend with a streamlined CSS theme and clearly defined user-friendly \"happy paths\". >> Read more about SolidOS solidtime — Privacy-friendly time tracking for teams and individuals Solidtime is a powerful open-source time tracking application built for both teams and individuals. It supports multi-organization setups, offers a flexible role- and permission-based user system, and includes comprehensive tools for managing projects, tasks, and clients. With both web and desktop applications, solidtime ensures a seamless and consistent experience across devices and work environments. Our mission is to provide an open, extensible, and self-hostable time tracking platform that gives users full control over their sensitive, business-critical, or personal data, helping organizations stay compliant with data privacy regulations such as GDPR. >> Read more about solidtime Sortix os-test — POSIX test suite os-test measures interoperability and differences between every POSIX operating system (Linux, BSD, macOS, and many more). This project expands os-test with full coverage for the POSIX standard library for the C programming language. This new test coverage will check that each C header properly provides all the mandated definitions, and that each function succeeds on basic inputs. 
Detailed new suites will be written for the areas where defects or deviation from the standard are likely, or where edge cases otherwise might not be correctly implemented or even standardized. os-test continuously publishes test results for every POSIX OS as open data. os-test improves interoperability, since application vendors are able to know what behaviors they can actually use to write portable applications for all operating systems, operating system vendors can identify and fix their conformance issues, and the POSIX standard authors can measure adoption/rejection of the new POSIX.1 2024 standard. os-test is developed as a side project to fully implement POSIX in the new Sortix operating system. >> Read more about Sortix os-test Spacylize — Use LLMs to train more efficient and reliable NLP models Small, task-specific language models remain essential for efficient, interpretable and privacy-preserving NLP, even as large language models dominate the field. Spacylize enables the distillation of LLM capabilities into compact spaCy models by generating, validating, and iteratively refining training data to improve model performance. The software can be used both through a simple command-line interface and as a Python library, allowing seamless integration into diverse workflows. By automating LLM-based data creation for tasks such as named entity recognition and text classification, Spacylize strengthens the spaCy ecosystem and supports sustainable, open-source NLP development. >> Read more about Spacylize Spectrum: Virtualisation Platform — A secure OS with app isolation Spectrum is an implementation of a security through compartmentalization based operating system, built on top of the Linux kernel. Unlike other such implementations, user data and application state will be managed centrally, while remaining isolated, meaning that the system can be backed up and managed as a whole, rather than mixed up in several dozen virtual machines. 
This project will continue the implementation of important features in Spectrum. In most cases, this work will also include the implementation of new primitives in Spectrum's underlying technologies — in particular the rust-vmm ecosystem — to enable those features. In addition, we aim to grow the ecosystem further in response to clear demand from developers, by extracting more reusable components from the monolithic Spectrum system, and by providing comprehensive documentation to teach developers how to create their own virtualization solutions from the growing universe of available components. By investing in growth of the free virtualization ecosystem, we expect we will expand the pool of potential future contributors to Spectrum and its components, increasing the speed at which the project can move in the future. >> Read more about Spectrum: Virtualisation Platform SpinalWaves & SpinalTrace — Typed waveform viewing and error source tracing for SpinalHDL This project will develop two open-source debugging tools — SpinalWaves and SpinalTrace — to simplify the debugging of hardware designs written in SpinalHDL, a high-level hardware generator language (HGL) used to design various computing hardware systems. HGLs like SpinalHDL compile down to industry-standard hardware descriptions such as VHDL and Verilog. Debugging HGL designs is challenging because errors observed in signal values at the compiled low-level hardware are often difficult to trace back to the high-level code that generated them. SpinalWaves will extend waveform visualization by preserving and displaying high-level type information for hardware signals, while SpinalTrace will enable tracing faulty signal transitions back to their source in the original SpinalHDL code. The tools will build on prior work from the Tydi ecosystem, which includes Tywaves and ChiselTrace for the Chisel hardware design language. 
However, adapting these concepts to SpinalHDL requires new techniques due to differences in the compilation flow, particularly the absence of an intermediate representation such as FIRRTL. The project will therefore develop new mechanisms for extracting program dependency information and inserting instrumentation within the SpinalHDL compilation process. The expected outcome is an integrated, open-source debugging toolkit for SpinalHDL that improves developer productivity, lowers the barrier to hardware design, and strengthens the broader open-source hardware development ecosystem. >> Read more about SpinalWaves & SpinalTrace StreetComplete Multiplatform — OpenStreetMap editing beyond Android The goal of this project is to migrate StreetComplete from an Android app to a multiplatform app, making use of Kotlin Multiplatform and Compose Multiplatform for the UI, thus, allowing the app to be released on other platforms, such as iOS and eventually Linux. This will allow for a significantly larger audience that is able to casually contribute missing data to OpenStreetMap on the go, as StreetComplete is the go-to app for this purpose, aimed at non-tech-savvy people and presented in a slightly gamified fashion. OpenStreetMap, in turn, is the free wiki worldmap. >> Read more about StreetComplete Multiplatform Sylk Contacts — Cross-protocol real-time communications client The connection between the end-user experience of communication applications and the open standards that power them has long been sought, yet often remains unresolved. Sylk Contacts provides this missing link—a crucial building block that makes SIP and WebRTC protocols more user-friendly in terms of interface and overall customer experience. It offers a solid foundation for developing applications that start from an existing or newly created contact list, and automatically synchronize those contacts across multiple devices, whether desktop or mobile, when using the same SIP account. 
This, in turn, enables a clean and reliable way to handle calls and chat messages seamlessly across devices, significantly improving the usability of SIP-based applications. >> Read more about Sylk Contacts T-Rust - In Rust we Trust — Scan, review, curate and fix metadata of Rust crates crates.io hosts over 160 thousand Rust packages that have been downloaded over 90 billion times. The origin metadata and licensing documentation for Rust crates is declared by the authors as part of the metadata, but can be misleading or incorrect. Accurate origin and license metadata for Rust crates is essential to safely automate the friction-free consumption of Rust packages in the software supply chain of safety-critical applications. T-Rust intends to fix this problem in multiple steps: it will scan, review, curate and fix the metadata of the most popular crates. This data will be released as open data, working with the Rust community to provide the data as part of the crates.io API, cross-check and report code borrowing and reuse between crates. Subsequently an AboutCode toolchain will be deployed as a service for all crates authors to review, validate and enrich metadata. The outcome should be that crates.io packages are shared with better, more accurate origin and license metadata at creation time, and that the increased level of trust in Rust crates will make it easier to consume more Rust packages safely. >> Read more about T-Rust - In Rust we Trust TBD DSP toolkit — Open hardware audio processing module TBD DSP Toolkit is an open-source platform for audio DSP for experimentation, learning, and audio research. It brings together more than 50 high-quality generators and effects within a modular, easily extensible architecture. TBD has a flexible approach to embedded audio processing, and tries to deliver an accessible, musician-friendly environment, both in software and hardware. 
A key new component is a standalone desktop version of the hardware, including standard MIDI connectivity, designed to welcome users beyond the Eurorack community and make the platform easier to adopt for education, prototyping, and instrument design. This includes a redesigned, intuitive web user interface and UX guidelines to help developers build playable, musician-centered DSP modules, clear documentation and example use-cases and reference workflows. By uniting developer flexibility with musician usability, TBD aims to offer a resilient, open-source alternative in a landscape dominated by proprietary platforms. All software is released under GPL 3.0, and updated open hardware designs will be published in KiCad. >> Read more about TBD DSP toolkit The Ultimate Bookkeeping System — Bookkeeping but in a portable, offline-first and privacy-friendly way Bookkeeping systems, databases, and computer systems in general, tend to act as a \"System of Record\" (SOR) in which only one truth can exist. This project will develop tools for interconnecting such \"Systems of Record\" (for instance to copy data from one API to another), and a schema transformation library. It will develop a set of domain-specific data set containers called \"tubs\", between which reflectors can form the tubing that makes sure the data state in one tub is eventually converging to the data state in each connected tub - in particular aimed at the domain of bookkeeping and business documents (invoices). Apart from providing these generic data-portability tools and domain-specific tubs, a start will be made with an actual live network of SORs, where data is continuously mirrored through reflectors, even over multi-hop routes, with schema translations, and over various transports. 
Just like the World Wide Web was started with a single HTML page, this first live dataset of invoices, transactions, tasks and timesheets will be the start of TUBS - a network of computer systems that feels like a single system when a user interacts with it through one of the connected SORs. >> Read more about The Ultimate Bookkeeping System Tenzu — Lightweight project management tool for agile teams Tenzu is a lightweight project management tool for agile teams. It is the official successor to Taiga. Tenzu aims to provide a modern experience for healthy project management practices while remaining simple to use at heart. It is an easy-to-deploy web app that uses very few resources. The first stable version was released in September 2025. Today, Tenzu offers workspaces with KANBAN boards that include rich content which can be collaboratively edited in real time. Other features include single sign-on (SSO), detailed permissions, translation into three languages, and a dark theme. >> Read more about Tenzu TerosHDL usability — Open source IDE for FPGA/ASIC development TerosHDL improves the accessibility and usability of digital design workflows by providing a modern, vendor-neutral environment for working with HDL languages. It streamlines editing, simulation, FPGA interaction and project management, enabling students, researchers and professionals to work more confidently and efficiently while strengthening the broader open-hardware ecosystem. This project will deliver substantial usability and infrastructure improvements: a place-and-route manager, an FPGA loader interface based on OpenFPGALoader, and a binary manager for NVC; enhanced drag-and-drop capabilities within the project manager; frontend testing through ExTester; structured triage and resolution of existing issues; and targeted improvements to documentation, accessibility and security. 
The work also includes onboarding and supporting new contributors to ensure long-term sustainability and reduce the dependency on a single maintainer. >> Read more about TerosHDL usability TeXlyre — Local-first typesetting editor for LaTeX and Typst with real-time collaboration TeXlyre is a browser-based editor for LaTeX and Typst designed for academic institutions and researchers seeking alternatives to proprietary platforms, particularly in environments with limited connectivity or strict data governance requirements. It enables real-time collaboration without vendor lock-in, while keeping all user data in browser storage for complete data sovereignty and privacy. Documents compile directly in the browser using WebAssembly engines, supporting full offline editing and professional typesetting. Real-time collaboration is implemented via peer-to-peer connections that synchronize edits directly between participants, removing the need for centralized servers and reducing platform reliance. This funding will modernize TeXlyre’s compilation infrastructure by upgrading its WebAssembly-based LaTeX engines to support contemporary packages and LuaLaTeX. It will also develop Chelys, a companion local application providing access to Language Server Protocol integrations, local typesetting engines, and distributed storage. >> Read more about TeXlyre Tiliqua — Open audio DSP for FPGAs Tiliqua is an open-hardware DSP library and reference hardware design which aims to make it easier for musicians and engineers to get started in the world of audio DSP in the context of FPGAs. The Tiliqua DSP library is a suite of commonly-used audio DSP components, written in Amaranth HDL, that can be easily composed in Python to construct a custom FPGA-based DSP pipeline. 
The Tiliqua reference platform is fully compatible with open-source FPGA toolchains and designed to the Eurorack standard (the most popular hardware synthesizer format) lowering the barrier to entry for those with low/no hardware development experience. >> Read more about Tiliqua Tin Snipe DAQ — Digital Acquisition module The Tin Snipe DAQ is a digital acquisition (DAQ) module targeting diverse professional measurement applications typically found in mid to high end hand-held Multimeters. It focuses on digital mixed signal systems while offering an upgrade over traditional Multimeters in terms of sample rate, giving usable time series data for signal integrity analysis of low speed signals. It's designed as a compact fully integrated module that comes with the necessary AFE, ADC and Signal Processor. It exposes a digital control interface over various buses (UART, I2C, USB and potentially more) to be controlled and read out via an external system processor, thus making it easy to integrate into other systems. It is targeting battery operation like traditional handheld Multimeters and will be heavily optimized for low power consumption but can also be used for bench top applications. >> Read more about Tin Snipe DAQ TinkerFlow — Graph based editor for VR/XR process‑authoring TinkerFlow is a process-building system for the open-source Godot Engine that enables non-programmers to build 2D, 3D, and XR/VR applications. By lowering the technical barrier to app development within a 3D engine, it empowers educators, students, independent researchers, and industrial engineers to create educational trainings, object viewers, and showcases. At the same time, it provides software developers with a robust, pre-built system to jumpstart new projects, skipping the boilerplate like VR setup and bootstrapping usually required when starting from scratch. 
Unlike visual scripting tools that focus on low-level operations, TinkerFlow uses high level actions such as 'grab object', 'highlight element', and 'move object'. It structures application logic into chapters of sequential steps. Each step triggers predefined behaviours (such as playing audio, highlighting objects, or spawning visual effects) and has specific conditions (such as an object being grabbed, a hardware button being pressed, or a timeout occurring). Objects can easily be added to the scene, modified by behaviours, and evaluated by conditions. This workflow-first approach delivers immediate, stable results that can be easily tested and refined. It allows users to effortlessly reuse workflows from previous applications or scenes in new processes, while advanced developers retain the flexibility to write their own code, create custom behaviours and conditions, or integrate TinkerFlow into their own systems. >> Read more about TinkerFlow Automatic component and via placement for Topola — Complete PCB schematic-to-layout flow The first step in designing a printed circuit board (PCB) layout is choosing where to place the components. This task is tedious and time-consuming, often requiring just as much effort as the process of routing the traces that comes afterwards. Fortunately, component placement can be automated with software called an autoplacer, just as routing traces can be automated with a program known as an autorouter. The goal of this project is to develop a component autoplacer for the PCB autorouting system Topola, turning it into a complete PCB schematic-to-layout flow. To find the best locations for components, the autoplacer will use a probabilistic optimization algorithm known as simulated annealing. >> Read more about Automatic component and via placement for Topola Torch Lens Maker — Open-source optical systems engineering Torch Lens Maker is an open-source Python library for modeling and designing optical systems. 
It can be used to design simple mirrors and lenses, all the way to compound optical systems made of a sequence of optical surfaces, such as camera lenses. Torch Lens Maker is based on PyTorch and implements differentiable geometric optics. This gives access to the full power of modern GPU-based numerical optimization methods. Designing an optical system with Torch Lens Maker is a new approach to optical engineering based on explicit description of the system design parameters with Python and powerful numerical optimization. The project also focuses on interactive visualization and exploration of optical systems with a web-based viewer called tlmviewer. This offers deep integration with the Jupyter Notebook environment which has become a standard in the open source numerical computing community. Torch Lens Maker aims at becoming a complete solution for code-based open-source optical systems engineering. >> Read more about Torch Lens Maker TouchUp — Enhance the GNOME Shell User Experience on Touch Devices GNOME Shell is a widely used Linux desktop environment, but it was not designed to be used on touch devices in everyday life. TouchUp helps improve the Shell’s usability on touchscreen devices and makes it a viable, free alternative: users no longer need to compromise on user experience for freedom, control and privacy. Being a Shell extension, TouchUp enables users to use their well-known and stable upstream GNOME Shell (with their favorite extensions) and still have a decent touch interaction with their device. The project already provides essential features such as a gesture and button navigation bar or notification swipe gestures, and has first-class support for devices with removable keyboards or convertibles. The next big step is to expand TouchUp’s scope to higher-level features, with the goal of making the choice to daily-drive Linux on a touch device easier and more rewarding. 
TouchUp is primarily targeted towards the tablet form factor (since this is where FOSS options are scarcest), though most features also benefit mobile phones. Most importantly – just like GNOME Shell itself – TouchUp stays out of your way. >> Read more about TouchUp TrailBase — Backend-as-a-Service for building networked applications TrailBase is an open, fast and easy to self-host Firebase-like application platform, i.e. it provides solutions for common application needs out of the box, such as: storage for relational data and files, an admin UI, auth, type-safe APIs, sync via change subscriptions, plugins for custom logic, etcetera. Its open, portable and single-executable nature helps developers to reduce their supply chain dependence, e.g. cloud or infrastructure lock-in, and in turn provides more control over data sovereignty. The server is built on Rust and SQLite. Integrations are provided for many popular client environments: JavaScript/TypeScript, Dart, Swift, Kotlin, C#, Rust, Go and Python. A TanStack/DB integration greatly simplifies sync for web applications. This project will add a slew of improvements, ranging from schema management, API/traffic routing, tenant management, guest and email-less accounts and an audit-trail for admin-API interaction. >> Read more about TrailBase TrenchBoot - DRTM launch between coreboot and UEFI payload — Protect coreboot payload with dynamic Roots of Trust The project summary for this project is not yet available. Please come back soon! >> Read more about TrenchBoot - DRTM launch between coreboot and UEFI payload Typed Nix — Static type system for Nix programming language. Nix is a tool that takes a unique approach to package management and system configuration, enabling developers to build reproducible, declarative, and reliable systems. 
This project introduces a typed layer for the Nix language, adding optional static typing, type inference, and structural type checking for Nix expressions while compiling down to standard Nix so existing tooling continues to work. Its primary goal is to improve the developer experience through straightforward yet flexible tooling, addressing long-standing ecosystem challenges such as dated documentation, opaque error messages, inconsistent formatting conventions, unreliable language server support, and a lack of interactive, extensible development tools. By improving clarity, tooling, and developer ergonomics, the project aims to do for the Nix ecosystem what TypeScript did for the JavaScript community: make large codebases easier to understand, maintain, and collaborate on. >> Read more about Typed Nix Typst PDF Accessibility — Increase a11y of Typst's output PDF files are often the only venue through which vital information is shared in business, education, and government. Even so, these files are more often than not inaccessible to those of low or no vision. This not only prevents compliance with the European Accessibility Act and similar legislation in other countries, but prevents equal participation. This project proposes to implement all the features and tools needed for accessible PDF creation into Typst, a growing open-source automated writing platform. With this project, Typst will implement technical standards for accessibility and give authors tools to accommodate human factors of accessible documents. >> Read more about Typst PDF Accessibility Advanced UEFI Capsule Update for coreboot with EDK II — Secure firmware updates, also via fwupd The project summary for this project is not yet available. Please come back soon! >> Read more about Advanced UEFI Capsule Update for coreboot with EDK II uberDDR4 — High-performance, standalone DDR4 memory controller. UberDDR4 aims to deliver a high-performance, standalone, fully open-source DDR4 memory controller. 
It builds on the proven success of UberDDR3, which remains the fastest and most capable open-source DDR3 controller available today and is already supported on all AMD/Xilinx 7-series FPGAs as well as the Lattice ECP5. As DDR3 phases out, this project helps maintain high-performance memory solutions for the open hardware community. The work includes developing a new DDR4 controller for next-generation FPGA families such as AMD/Xilinx UltraScale Plus using an architecture designed for easy portability to future tape-out silicon projects, porting UberDDR3 to additional platforms, and improving its performance when used with open FPGA toolchains including openXC7 and scalePnR. >> Read more about uberDDR4 Universal EInk Solutions — Consistent API for e-paper Electrophoretic displays (aka EPD, Eink, E-Paper) are reflective display devices which use colored granules suspended in clear oil to display text and graphics. Their unique property is that they can maintain their state without power. They've become ubiquitous as e-book readers, digital signage and as dynamic price displays in retail. Small, low cost displays are also desirable to use in personal and small maker projects. The challenge in using these displays compared to more traditional displays such as LCDs (liquid crystal displays) is that their unique properties require unique software, hardware and knowledge. Adding to this challenge is the lack of availability of all of the above. The manufacturers and resellers provide minimal software and documentation, so users are usually left frustrated. This project aims to greatly reduce these barriers to use through software, hardware and documentation. On the software side, there are two new portable C/C++ (embedded + Linux) software libraries which can generate text and graphics on the vast majority of these displays, using a common API. 
For the hardware side, the goal is to make the hardware available at a reasonable cost to individual users through open source hardware definition files and the ability to buy finished PCBs through worldwide retail channels. The documentation will come in the form of detailed info about the physical displays, their controllers and ample example code to show their use. There are two main types of EPDs: one has a controller built into the glass of the display and needs a few external components for a DC-DC boost circuit. The other type requires an external CPU and multiple external power rails to control all aspects of the display updates. Both will be supported by this project. >> Read more about Universal EInk Solutions VACASK — High-performance Analog Simulation VACASK (Verilog-A Circuit Analysis Kernel) is an open, high-performance analog circuit simulation platform designed to modernize the foundations of electronic design automation. By cleanly separating device modeling from numerical analysis and embracing a modular, Verilog-A centric architecture, VACASK enables efficient, extensible, and maintainable simulation workflows optimized for modern CPUs. The project introduces into VACASK essential core analyses, including AC stability, S-parameter characterization, transient noise simulation, and adjoint-based small-signal transfer function and noise evaluation, while improving numerical robustness through integration with established linear algebra libraries. Tight integration with the Python-based PyOPUS design automation library enables reproducible circuit sizing, sensitivity and yield analysis, Monte Carlo evaluation, and yield optimization workflows using VACASK as the underlying simulator. >> Read more about VACASK Verified Credentials with zero-knowledge SPARQL queries — Enabling derived W3C Verifiable Credentials with Zero Knowledge Proof (ZKP) The project summary for this project is not yet available. Please come back soon! 
>> Read more about Verified Credentials with zero-knowledge SPARQL queries VeriBench — Verilog-AMS Testbench Framework for Open EDA Verification Verilog-AMS is a hardware description language developed to standardise the description of device models and circuits in analog and mixed-signal design. It is widely used across both proprietary and open-source Electronic Design Automation (EDA) toolchains. While Verilog-AMS standardises hardware descriptions, the behaviour and numerical accuracy of simulators and model compilers remain tool-dependent and require systematic verification. VeriBench will provide automated Verilog-AMS testbenches that enable systematic verification of semiconductor device models and representative analog and logic circuits. The testbenches will support realistic simulation contexts using open Process Design Kits (PDKs). They will enable cross-validation, regression testing, and benchmarking across open-source simulators such as Gnucap and ngspice, as well as Verilog-A/AMS model compilers, including OpenVAF and Gnucap’s modelgen-verilog. By providing documented benchmarks, reference results, and ready-to-run examples, VeriBench will validate open-source simulation toolchains, build trust in their results, improve reproducibility, and lower the barrier to entry for users and contributors. >> Read more about VeriBench Verilog-A distiller — Automated porting of models from C to Verilog-A Analog circuit simulators require compact device models in order to be able to simulate circuits. The de-facto standard language for compact device model dissemination is Verilog-A. Many legacy models exist that are coded for the SPICE3 circuit simulator in the C programming language. Manual conversion from C to Verilog-A is resource-intensive, time-consuming, and error-prone. This reduces the accessibility of legacy models and limits innovation. The Verilog-A Distiller project aims to automate conversion of SPICE3 device models from C to Verilog-A. 
By automating this conversion, we aim to streamline model implementation, reduce development time, and enhance compatibility across different simulators. Verilog-A Distiller is a converter written in Python that utilizes the pycparser library for reading the C code of SPICE3 models. The parsed models are pruned of unnecessary SPICE3-specific parts, upon which Verilog-A code is emitted. Projects like Ngspice put a lot of effort into cleaning up and improving legacy SPICE3 models. Verilog-A Distiller makes these models available across a wide range of simulators that support Verilog-A. >> Read more about Verilog-A distiller VersaTiles — Simplify vector map tile creation, hosting, and interaction VersaTiles provides vital digital infrastructure for web maps, offering a free, flexible alternative to commercial services. Web maps are essential in fields like data journalism, research, and emergency response, but current commercial solutions are often costly, proprietary, and pose privacy concerns. VersaTiles addresses this by dividing the complex process of map creation, distribution, and visualization into manageable layers, ensuring interoperability and scalability. With its open, transparent approach, VersaTiles promotes digital sovereignty in Europe, empowering public institutions, media, and developers with an accessible, high-quality map infrastructure that avoids vendor lock-in and supports free access to geospatial data. >> Read more about VersaTiles SWD Debug support in VexRiscv — Functional SWD debugging support for VexRiscv/VexiiRiscv The VexRiscv-Debug project aims to extend the popular open-source VexRiscv RISC-V soft CPU core with functional debugging support enabling essential development and bring-up capabilities for developers building debuggable RISC-V SoCs on custom ASIC or FPGA platforms. 
This includes making VexRiscv fully RISC-V Debug specification compliant and additionally adding support for Serial Wire Debug (SWD), which is a widely used industry specification set forth by ARM. >> Read more about SWD Debug support in VexRiscv Vivliostyle — Typesetting system leveraging web technologies Vivliostyle is an open-source typesetting system that uses web technologies to create print and digital publications. It extends the layout capabilities of modern web browsers to support advanced CSS features for paged media, such as page floats, footnotes, and cross-references. The project includes Vivliostyle.js, the core library that runs on all modern browsers and enables advanced page layout, and Vivliostyle CLI, a command-line tool for generating PDFs and EPUBs from HTML or Markdown files with specified themes and stylesheets. Lastly there is Vivliostyle Pub, a web application that simplifies the creation and editing of publications, with content and style editors and real-time preview. The goal is to empower people to create beautiful publications without relying on proprietary software and leverage the power of web standards and ecosystems. >> Read more about Vivliostyle Enhancing vula and related libraries — Automatic local network encryption for IPv4/IPv6 with PQC With zero configuration, Vula automatically encrypts IP (v4) communication between hosts on a local area network (LAN) in a forward-secret and transitionally post-quantum manner to protect against passive eavesdropping. Improvements within the scope of this project include enhancing highctidh with autoconf and providing a pkg-config enabled shared C library with additional language bindings. The project will also enhance privacy preserving peer discovery with REUNION, and increase implementation diversity of the protocol with a Golang version to enhance mobile device support. Initial Bluetooth integration will be added, and IPv6 support will be enhanced. 
As a final result, a network traffic enforcement library will be created (Guardrail) which can be used by vula and similar projects with IP traffic routing security needs. >> Read more about Enhancing vula and related libraries ActivityPub Polls for WordPress — WordPress plugin for social polls This project will develop an ActivityPub-based poll plugin for WordPress that integrates with the WordPress ActivityPub plugin. The plugin will feature a modern editor interface using Gutenberg blocks, a public-facing view for displaying polls and results, and robust ActivityPub-based vote handling. While the WordPress ActivityPub plugin originally focused on broadcasting content to the Fediverse, it is increasingly becoming a foundation for interactive features. This project will contribute to this evolution by enhancing internal APIs where necessary to support third-party extensions. The goal is to strengthen WordPress as a sovereign platform for online identity, enabling users to host polls natively without having to create additional identities/accounts on other platforms to carry out common Fediverse activities. >> Read more about ActivityPub Polls for WordPress Wsdr — Cloud-based Cellular Network in a Browser While several open-source cellular network implementations have emerged over the past decade, most remain complex and inaccessible to non-experts—limiting broader exploration and innovation in the field. This project aims to change that by introducing a browser-based cellular network powered by WebUSB and WebAssembly. By connecting a USB software-defined radio (SDR), users can deploy cellular networks without requiring deep engineering knowledge or complex setups. The WebSDR architecture runs a full BTS (Base Transceiver Station) directly in the browser, while BSC/MSC components operate in the backend - either locally or in the cloud. 
This allows rapid, plug-and-play deployment of 2G networks for a wide range of use cases, including emergency response, off-grid expeditions, temporary installations, and prototyping. By making cellular technology more accessible, the project fosters openness, hands-on experimentation, and inclusive innovation in wireless communications - establishing 2G as a practical starting point for building and understanding more advanced 4G and 5G networks. >> Read more about Wsdr Waytale — Spatially organized interactive 2D social space The space around us impacts us. Different spaces (like your living room, the office, or a café) influence how we perceive others (like dear ones, work colleagues, or strangers) or which behaviours we engage in (like studying, relaxing, or chatting). What if online spaces would better support what we want to do and how we interact with others? Waytale provides spatially organised online spaces that can be flexibly designed, customised, and extended. Navigate your avatar intuitively through 2D spaces and discover the interlinked spaces of your friends' friends. Meet people, feel the presence of others in different ways, and engage with the world. Create your personal space and express your creativity with tools matching your skill level. Link your space to others and extend it with functionality like video calling, productivity tools, or games. Self-host your personal instance only requiring minimal technical knowledge and without cost. Stay in control of your data and who you federate with using modern peer-to-peer technology. Share what you know, empower others, and form communities. Are you there? >> Read more about Waytale Waterfall — Agile framework for the development and deployment of watermarking schemes Traffic watermarking is a powerful but underutilized technique for network traffic analysis, primarily applied today in evaluating the security of anonymity systems like Tor. 
This project aims to develop Waterfall, a system designed to provide a unified, flexible framework for the development and deployment of a variety of traffic watermarking schemes. Waterfall operates by intercepting network traffic, embedding and detecting watermarks at multiple points in the network. The goal of Waterfall is to be versatile enough to replicate representative watermarking schemes from the research literature, while adapting them to be more effective and creating new versions. In addition, Waterfall allows the analysis of new protocols such as Tor's Conflux protocol, a recent improvement in Tor's performance that may also increase its susceptibility to watermarking attacks. >> Read more about Waterfall Wiktionary QA tools — QA tools to improve the quality, reliability, and consistency of Wiktionary Part of the Wikimedia family, Wiktionary offers a global open data set pertaining to many languages. This project will create QA infrastructure and tools to further improve the quality, reliability, and consistency of Wiktionary. Expected outcomes include higher quality data, data that is easier to process and consume, and more collaboration among different language editions of Wiktionary. >> Read more about Wiktionary QA tools XR Fragments Teamware — Design, deploy, federate and integrate portable XR experiences XR Teamware will develop a publishing platform/forge for XR content, and a Blender plugin with direct import export capabilities to said forge and to Icosa gallery. This would allow 3D creators to easily publish and share their ideas, and preview metadata in Blender before exporting. XR Fragments itself is a simple public protocol for networked 3D content to discover, reference, navigate and query 3D online assets (read-only), making it part of the web and thus liberating 3D content creation and content from only existing inside gated products. 
Within the scope of this project, XR Fragments will streamline the design, deployment, hosting, and integration of portable XR experiences - and thus further simplify embedding, cross-platform support and hosting, as well as add vendor specific support. >> Read more about XR Fragments Teamware Yanartas — Libre inertial hardware security module Yanartas is an open-source hardware security module (HSM). Yanartas is a secure storage for cryptographic secrets that is protected against advanced attackers including nation-state adversaries using an array of active tamper detection sensors. Unlike something like a smartcard or crypto wallet, the sensors of an HSM like Yanartas are always on and the attacks are detected the moment they happen. As part of the project, everything needed to build your own HSM including hardware source files, firmware, and documentation will be published. >> Read more about Yanartas Privacy-friendly online age verification — Age verification done right There is a broad need for open source privacy-friendly age verification, now that countries around the world are starting to impose age limits for online platforms. Often it is left to providers to come up with a working solution. A privacy-friendly mechanism is badly needed, especially for smaller platforms (including self-hosted instances of decentralised social media in the fediverse) with limited own capacities. This project will create a reusable library which will enable mobile apps to read and parse data from electronic passports (MRTDs) using the device’s NFC capability. This library will implement the necessary standards (ICAO 9303) and protocols to communicate with the passport chip, retrieve personal data, and ensure security measures are upheld. The library will automatically perform Basic Access Control (BAC) or Password Authenticated Connection Establishment (PACE) as needed to establish a secure channel with the chip. 
Users will be able to give a proof of age (without further exposing any private information) simply by holding their phone near a passport or ID card in the correct manner. The project aims for interoperability with passports from a wide range of countries (EU, US, UK, etc.), accounting for different standards or optional features. Additionally, the project will extend the Yivi identity wallet app with functionality to read personal attributes (like name, date of birth, etc) from passports, via NFC, and issue them to the app. >> Read more about Privacy-friendly online age verification YunoHost Packaging + Declarative Settings — Frugal and ergonomic selfhosting YunoHost is a turnkey self-hosting solution based on Debian, designed to simplify server administration while being reliable, secure, and lightweight. In the scope of this grant, YunoHost will implement OIDC and introduce a new generation of packaging mechanism. The OIDC support will align YunoHost with modern SSO practices through the OpenID Connect protocol, with improved security aspects compared to the current homemade SSO. It also facilitates integration with third-party services that support OIDC, while maintaining consistency with YunoHost’s current architecture and centralizing identity management. Packaging v3 will define a more declarative and standardized approach to application packaging. It restructures package design by consolidating scripts and formalizing configuration management, with the aim of limiting redundancy and complexity. Common operations such as system configuration, service management, and lifecycle tasks (install, remove, backup / restore, upgrade) will be abstracted and automated. This approach is expected to improve maintainability and consistency across packages, determinism, security aspects, and pave the way to advanced features. 
>> Read more about YunoHost Packaging + Declarative Settings ZSWatch — Open smartwatch including software, hardware, and mechanics ZSWatch is a free and open source smartwatch you can build almost from scratch - including software, hardware, and mechanics. Everything from the lowest level BLE radio driver code to PCB and casing is available for introspection or to be customised to suit your needs. In this project, the team will add interesting new capabilities such as Heart Rate and Blood Oxygen sensor hardware, create a new iteration of hardware to improve wearability, improve documentation, make it easier to upgrade, and make various improvements to the software including optimising power consumption. >> Read more about ZSWatch Zosimos — GPU accelerated image buffer and compute system Zosimos is a statically typed language with an embeddable interpreter for raster graphics compositing pipelines. Built on Rust's `wgpu` to target WebGPU it abstracts, through native capabilities or emulation, color-space aware editing capabilities across platforms including the web. The implementation builds on SPIR-V graphics and compute shaders to execute largely asynchronously and close to hardware capabilities. The user facing programming language provides an image manipulation interface with operations similar to those found in GEGL and imagemagick. >> Read more about Zosimos Zrythm — Libre digital audio workstation Zrythm is a digital audio workstation (DAW) that enables musicians and producers to create professional-quality music. Built with modern C++ using Qt/QML and JUCE, it targets electronic music workflows with advanced capabilities such as signal-based modulation and clip looping that proprietary tools have long monopolized. Building on lessons learned from the v1 release, this grant accelerates development toward Zrythm v2, porting core functionality to the new Qt/QML stack: audio and MIDI recording, arranger editing, and chord assistance. 
The goal is a stable, mature alternative to proprietary DAWs that guarantees users the freedom to study, modify, and share their creative tools. >> Read more about Zrythm allowd — Memory-safe policy rules using D-Bus Authentication and authorization are crucial components of a modern Linux system's security. For the desktop Linux environment, Polkit is used as a central authentication and authorization component. But ever since 2012, its policy rules have been based on JavaScript. Requiring a garbage-collected programming language to be started up for the tiny snippets of rules is excessive, especially in resource-constrained environments. We will prototype an alternative approach to the current Polkit daemon, utilizing the existing external D-Bus interfaces, but improving the internal design. We also aim to demonstrate to the Freedesktop community, especially the systemd team, that Rust is well-suited for these core desktop applications, producing small and efficient binaries with limited dependencies. >> Read more about allowd Bcachefs userspace integration — Next generation filesystem bcachefs is a next generation filesystem for Linux, with a fully modern featureset and vastly improved performance, scalability and reliability as compared to legacy filesystems. The main focus of this grant is achieving stability, but on the side there will be work on userspace integration with systemd, reworking the cryptographic API to be more robust, as well as adding the potential for users to generate telemetry data - in order to capture edge cases in the real-world. >> Read more about Bcachefs userspace integration bhyve idle load mitigation — Reduce overhead on bhyve Type-2 hypervisor bhyve is a BSD-licensed Type-2 hypervisor originating from the FreeBSD project. Apart from FreeBSD, it also runs on the OpenSolaris-derived illumos distributions such as OmniOS, OpenIndiana, and SmartOS. 
It is capable of running unmodified guest operating systems such as Windows, Linux, various BSDs, and various illumos distributions. As any hypervisor, bhyve operates with a certain overhead, one aspect of which is the idle load caused by otherwise idle guest VMs on the host system. Naturally, less idle load means more efficient operation of the host, less energy use, and increased host capacity without the need for additional hardware. This project aims to analyze the idle load behaviour of various guest operating systems running on bhyve to identify the causes of increased idle load. Additionally, this project intends to improve the idle load behaviour by implementing support for at least one additional hypervisor feature such as paravirtualized timecounters. >> Read more about bhyve idle load mitigation cables.gl editor features — Create beautiful, interactive, visual web content Cables is a tool which allows people to create beautiful, interactive, visual web content without knowing how to type a line of code. Your work is easily exportable at any time, so you can embed it into your website, use it in an immersive VR experience, or integrate it into other kinds of creative output. Cables patches can be published, shared, copied and remixed by the entire community. This allows people to constantly learn new things from each other. There is both a browser based version and a standalone, offline version offering a user-friendly development environment. This new grant adds an improved keyframing and animation user interface (timeline) that makes cables.gl much more accessible for animators and motion designers. The team will also add a physics engine, Gaussian Splatting (a new method of rendering realistic 3d scenes), dynamic operator instancing/repeating, a stepping debugger and a comprehensive shadergraph system that allows creating complex shaders by combining small modules. 
>> Read more about cables.gl editor features claim.li — Decentralised annotation tool based on Dokieli The Web is full of claims that are often hard to verify, leaving readers to rely on trust in the author or in the source document itself, which is a risky approach when evidence is scarce. Expert annotations can help, but they too may contain unverified statements, so simply annotating original claims isn’t enough. The claim.li project addresses this by enabling a client-side editor that supports annotating both claims and their annotations, creating a transparent, layered system of accountability. Built on the decentralized annotation tool dokieli, it promotes open authoring, annotation, and collaboration across the Web. >> Read more about claim.li ePoc — Micro learning platform for decentralized educational resources ePoc (Electronic Pocket Open Course) is an open-source project designed to provide a full, decentralized, and privacy-first microlearning solution. This is achieved through a mobile and web reader (with web support coming soon), a simple file format specification, and an intuitive visual editor on desktop. The tools prioritize user-friendliness, privacy, and decentralization, ensuring users avoid vendor lock-in (no central server or account is needed). For educators, organizations, and learners, ePoc enables the creation and consumption of bite-sized, interactive modules (such as quizzes, videos, or flashcards) and allows sharing via links, QR codes, or local files. >> Read more about ePoc Ejabberd Great Invitations — More pleasant user registration for ejabberd XMPP server One of the biggest hurdles for XMPP in terms of widespread adoption compared to single vendor solutions is a somewhat more complicated onboarding process. To not open their service to unsolicited messages and abuse, administrators often opt to not allow open registration, which complicates things even more. 
To counter these obstacles, recently the concept of „Great Invitations“ was introduced by one of the XMPP servers, aiming to make the onboarding process as seamless as possible - a single link is enough to guide a potential future participant. The goal of this project is to follow this pleasant way of onboarding, and implement it for ejabberd. >> Read more about Ejabberd Great Invitations embedded-cal — An embedded systems-friendly verified crypto provider Embedded-cal develops a verified implementation of the cryptographic provider in Rust which is compatible with popular embedded platforms. This cryptographic provider will be 1) fast on popular embedded platforms; 2) resistant to certain classes of side-channel attacks; 3) usable without the Rust standard library. The module will leverage the available hardware acceleration support of popular microcontroller units for embedded systems and fill in the gaps in hardware support through software implementations. The module will be formally verified for secret independence using the hax framework, a verification tool for high assurance code. >> Read more about embedded-cal iTowns — Visualise 2D and 3D geospatial data on virtual globes & maps iTowns is an open-source framework designed for web-based visualisation, navigation and interaction with 2D and 3D geospatial data on globes and maps. Built on Open Geospatial Consortium (OGC) open standards, it is developed with data and service interoperability in mind. It seamlessly integrates with geographical services, offering support of standard raster and vector data, including aerial imagery and terrain models. The framework supports large, heterogeneous 3D datasets such as OGC's 3D Tiles, making it ideal to build applications for urban-planning and environmental monitoring. It can be easily extended to support other open formats, offering a highly customizable platform for developers. 
iTowns is a geographic commons, developed collectively by a diverse community of contributors, comprising independent developers, public organizations, research laboratories and private companies. It aims to provide a European alternative to Big Tech products which often overlook a broad class of users. Instead, iTowns offers a modular framework to build a wide range of use cases, including visualisation, GIS, environmental and educational applications, making it versatile and adaptable for different geospatial projects. >> Read more about iTowns Kernel DMA Protection Patcher (kdmap-patcher) — Automated UEFI patching for pre-boot DMA protection Direct Memory Access (DMA) attacks remain an often overlooked vector in many threat models, despite increasing attention in recent I/O interconnects. While Thunderbolt 4 introduces spec-mandated mitigations via Kernel DMA Protection, millions of systems using USB4, Thunderbolt 1–3, and similar modern DMA-capable interconnects remain vulnerable due to unpatched or misconfigured firmware. Kernel DMA Protection Patcher (kdmap-patcher) is a Free Software, OS-agnostic UEFI (BIOS) extension designed to harden systems against DMA attacks from the pre-boot stage. It programmatically detects and remediates vendor-specific UEFI firmware bugs that disable or misconfigure DMA protection. Where protections are entirely absent, kdmap-patcher extends UEFI firmware with a device-tailored configuration enabling Kernel DMA Protection. Once mitigations are applied, kdmap-patcher seamlessly hands off control to the OS bootloader, enabling a significantly improved DMA security posture from the earliest stages of the boot process. >> Read more about Kernel DMA Protection Patcher (kdmap-patcher) Improving asynchronous execution in GNUnet — Add synchronous processing to GNUnet This project concerns foundational improvements to GNUnet, a Free Software framework for building secure, decentralised and privacy-preserving applications. 
Rather than adding a new end-user feature to this GNU project, this effort will focus on strengthening shared core components that affect how efficiently GNUnet operates in practice. The aim is to modernise parts of the system’s internal execution model so that GNUnet can remain more responsive under load, make better use of available resources, and provide a stronger technical foundation for future development. In practical terms, the project will improve how core GNUnet components coordinate work, exchange information and interact with supporting services, especially in configurations where multiple subsystems run closely together. The expected results include higher overall performance, lower battery consumption on mobile devices, and a more responsive user experience across higher-level services and applications built on top of these core components. >> Read more about Improving asynchronous execution in GNUnet librice — Pure Rust implementation of IETF's real-time communication standard ICE The Interactive Connectivity Establishment (ICE) protocol is everywhere in real-time communication, providing a rendezvous mechanism for establishing e.g. a SIP or WebRTC connection. Addition of another protocol, TURN, allows hosts which are behind a middleware box or CPE (which is the most common scenario in the IPv4 realm) to still successfully set up a bi-directional path. This puts ICE/TURN at the heart of communication. This project will implement the four key TURN RFCs in librice - a pure Rust implementation of ICE. >> Read more about librice Machine-check usability — Formal verification of software written in machine code Machine-check is a tool for formal verification of digital systems, able to automatically determine whether a system described in a subset of the Rust language fulfills some specification. 
This project aims to improve it in multiple areas such as the usability of its graphical user interface, the ease of writing system descriptions and properties, and the ability to compose systems from parts. >> Read more about Machine-check usability mgmt config — Real-time system automation tool mgmt is a fast and modern automation tool for managing services and servers. It lets users model how that infrastructure should look, behave and react over time. Instead of separating provisioning, configuration management, and orchestration, it unifies these concepts and lets you build elegant distributed systems while also running as a distributed system. It can manage anything from home labs to full production infrastructure and helps organizations reduce operational overhead while repatriating workloads. Within this grant the project will among others work on performance enhancements, add new models, function error locations and lsp/syntax highlighting, improve documentation as well as making it easier to import automation rules from external resources. >> Read more about mgmt config minipgp6 — Lean implementation of modern OpenPGP minipgp6 is a very lean OpenPGP software stack. It implements a modern subset of the OpenPGP standard as specified in RFC 9580. It intentionally doesn't aim for backward compatibility with many currently common OpenPGP formats in favor of simplicity. However, all modern OpenPGP implementations will interoperate seamlessly with the formats minipgp6 supports. >> Read more about minipgp6 Nix Store disk usage improvements — Reduce storage overhead for Nix deployments The project summary for this project is not yet available. Please come back soon! >> Read more about Nix Store disk usage improvements Building blocks for Resilient Time — Implement NTPv5 in ntpd + bootstrap procedure Time is essential for most security-critical protocols on the internet, such as DNS and TLS. 
As our time sources, such as GNSS signals, are coming under attack, making time synchronization as resilient as possible becomes even more critical. We need reliable time, even when time sources are unavailable or not trustworthy. This project will enhance time synchronization by improving how we synchronize time, both when systems are starting up and when they are in operation. Concretely it will contribute to stabilizing the draft of the next version of NTP, NTPv5, and implementing NTPv5 in ntpd-rs, and build a library for synchronizing multiple local clocks, maximizing the use of local stability (thereby providing a resilient building block for time synchronization for others to use). The team will also develop a resilient startup procedure, documenting the approach for implementers - and then implementing it for ntpd-rs. >> Read more about Building blocks for Resilient Time openENOC — Scalable Ethernet-based Network-on-Chip openENOC is an open-source hardware and software project that develops a scalable Ethernet-based Network-on-Chip (NoC) architecture to enable modular and interoperable MPSoC designs. By using standard Ethernet Layer-2 as the native on-chip transport protocol, openENOC connects processors, accelerators, and peripherals in a flexible, packet-switched network that lowers barriers to building complex systems and bridges the gap between on-chip and off-chip networking. The project provides a complete, permissively licensed stack, including RTL components, integration APIs, verification infrastructure, and reference designs and targets workloads where traditional interconnects struggle to scale, such as cryptography and edge computing. All results will be released openly to support reuse, strengthen the open hardware ecosystem, and empower developers and organizations to build future-proof, interoperable, and community-driven MPSoC solutions. 
>> Read more about openENOC p2panda System Service — Real-time collaboration, private sharing and unified local storage of desktop apps p2panda provides modular components for building modern, privacy-respecting and secure local-first applications. Our goal for the System Service Project is to help GTK and GNOME developers build apps that store data locally, share it privately across devices, and support collaboration — all without requiring an internet connection. For this grant we’re planning to integrate the p2panda stack into a shared system layer that multiple apps can reuse, simplifying development and moving towards a modern, local-first GNOME desktop. The system service will allow automatic, peer-to-peer synchronisation of data in the background and will expose a general sync API via an XDG Desktop Portal. >> Read more about p2panda System Service postmarketOS v25.12 + v26.06 — New versions of the mobile operating system postmarketOS postmarketOS keeps smartphones useful after they don't receive updates anymore: the original operating system gets replaced with an up-to-date lightweight open source software stack based on Alpine Linux. With Google's announcement to develop Android behind closed doors and the changing political landscape it is now more important than ever to fund truly open source smartphone operating systems that are developed in the open and independently of Silicon Valley. This project is for the v25.12 and v26.06 releases of postmarketOS, which will bring great improvements to reliability through more continuous testing and will also make the security feature of encrypting phones with postmarketOS easy to use. >> Read more about postmarketOS v25.12 + v26.06 Project Unnamed — Full-featured, libre FPGA compilation toolchain The project summary for this project is not yet available. Please come back soon! 
>> Read more about Project Unnamed PurlValidator — Check validity of software package identifiers online and offline Package-URL, or PURL, is the de-facto standard for identifying software packages, used by open source SCA tools, SBOM and VEX specs, and vulnerability databases. But using a standard syntax does not prevent errors: A recent (not yet published) study on the quality of software bill of materials (SBOM) revealed that far too often PURLs in SBOMs are still inconsistent, fake, incorrect, or misleading. This is a major impairment to any application of SBOMs, and industry-wide cybersecurity and application security. The PurlValidator project is a public service, based on PurlDB, to validate all the PURLs. An extension of the purl2all project, PurlValidator validates the PURL syntax against any known PURLs by exposing PurlDB's reference data of 20M+ PURLs. PurlValidator also provides decentralized libraries for offline use that can be integrated in multiple tech stacks for all major ecosystems, beyond what is already available for PURL tools. The goal of this project is to provide an accessible, single source of truth to the security and SBOM ecosystem at large and improve the quality and accuracy of PURLs in use, imperative for CRA compliance. >> Read more about PurlValidator raylib — Project creator/builder + feature development for raylib graphics library raylib is a C library intended for creating high-performance graphics applications. It was originally created for education with a focus on simplicity, not only on its exposed API but also on its open source code architecture and its build system. In 12 years raylib has gone far beyond education to many other fields and today it's being used for videogames development, tools development, data visualization, graphics programming, academic research, embedded devices and, in general, for low-level graphics output in any kind of display. 
raylib has been bound to 50+ programming languages and a very strong community and ecosystem have been created around it. Future plans for raylib include improvements to multiple modules, with a new software backend to support GPU-less computers, with a focus on RISC-V powered devices; improved high-DPI support and skeletal animation system for 3d models; a review of the full collection of examples (150+ examples) with the addition of new ones; new support tooling to ease raylib usage and setup: raylib project creator and raylib project builder; and multiple actions to increase raylib visibility and user reach. >> Read more about raylib rust-query — Ergonomic API to write composable and nested relational queries The 'rust-query' library provides an API for the Rust programming language, to work with SQLite databases and build composable database queries with confidence. While the library already has many innovative features, it still lacks some of the essential features that are required for most applications. That is why this project adds support for booleans and datetimes in the schema (using check-constraints), more SQL operators, and custom non-unique indices. We will also improve developer experience with a guide, better error messages, and support for using rust-query with existing migration systems. >> Read more about rust-query schc-rs — Faster low power networking for constrained devices Static Context Header Compression (SCHC), defined in RFC 8724, is a framework designed to provide efficient header compression and fragmentation for constrained devices in Low Power Wide Area Networks (LPWANs). The IETF has been working on standardizing SCHC over IEEE 802.15.4 networks, which are commonly used in Internet of Things (IoT) applications. The aim of schc-rs is to provide a Rust implementation of the SCHC protocol, enabling developers to leverage its benefits in their Rust-based applications. 
Together with the dot15d4-rs project and the smoltcp network stack, schc-rs aims to provide a future-proof solution for IoT devices communicating over IEEE 802.15.4 networks. >> Read more about schc-rs Ties — Federated bookmark manager based on ActivityPub Ties (formerly: Linkblocks) is a federated bookmark manager. By combining a web-like graph structure with collaborative features, it aims to make knowledge discovery on the web more open and productive, providing an alternative to social networks and search engines. >> Read more about Ties uMap Vector Tiles — Use vector tiles to build custom maps with OpenStreetMap data uMap is a web application which lets you quickly build custom maps with OpenStreetMap’s background layers and integrate them on your own website. Vector tiles allow two main things: less duplicated content, and data transmitted at the same time as the tiles, enabling scenarios where data and background could be styled according to the user needs, which previously required serving custom tiles. >> Read more about uMap Vector Tiles uberWAVE — Full featured live interactive waveform viewer UberWave is a fully featured, open-source, interactive, analog waveform viewer. It is designed to enable analog and mixed-signal chip designers to view simulation results generated by NGSpice. >> Read more about uberWAVE wcoord (wireless-coordination) — Easy configuration of wireless networks This project aims to create a standard management system for groups of networked devices by integrating with core components of the OpenWrt embedded operating system. The management system integrates the latest developments in lightweight OpenWrt software: ucode (a powerful and small alternative to Bash or Lua), and unetd (a daemon that aids in the creation of fully-meshed WireGuard VPNs). OpenWrt, already one of the most prominent operating systems for embedded devices, plays a fundamental (often invisible) role in internet commons on the network edge. 
Improvements in deployment and management of groups of devices empower people to take collective control of the hardware they already own and use. >> Read more about wcoord (wireless-coordination) ","url":"https://nlnet.nl/thema/NGI0CommonsFund.html","title":"NGI0 Commons Fund"},{"description":" Middleware and identity Middleware + identity, including DNS, authorisation, authentication, distribution/deployment, operations, reputation systems This page contains a concise overview of projects funded by NLnet foundation that belong to Middleware and identity (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. 0KNOW — Group Theoretic Zero-knowledge Proofs (0KNOW) Zero-knowledge proof (ZKP) systems help principals verify the veracity of a piece of information without sharing the data. The overall goal of 0KNOW is to develop a lightweight group-theoretic zero-knowledge proof (GT-ZKP) system that can be employed as a cryptographic primitive in many security protocols such as identification, authentication, or credential ownership. They are widely used to preserve confidentiality and ownership of data. GT-ZKP can be seen as a reusable building block for making the future internet trustworthy and secure. In 0KNOW, we will focus on NP group-theoretic problems and design GT-ZKP by finding an appropriate platform group based on the selected difficult problem considering its applicability in the post-quantum era and we will develop an open-source implementation of GT-ZKP. >> Read more about 0KNOW Aerogramme — Standards-compliant open-source IMAP server with server-side encryption Aerogramme is an open-source IMAP server targeted at distributed infrastructures and written in Rust. It is built on top of Garage, a (geographically) distributed object storage software. 
Aerogramme thus inherits Garage resiliency: its mailboxes are spread on multiple distant regions, regions can go offline while keeping mailboxes available, storage nodes can be added or removed on the fly, etc. Not only does it inherit its resiliency, but it also shares the burden of data management. Aerogramme can be seen as a proxy between the IMAP protocol and Garage protocols (S3 and K2V); it does not handle any data on its own and can be freely moved between machines. Multiple instances can also be run in parallel. As emails are very sensitive, Aerogramme encrypts users' mailboxes with their passwords. Data is decrypted in RAM upon user login: the Garage storage layer handles only encrypted blobs. Aerogramme is to our knowledge the first IMAP server to be designed from the ground up with object storage in mind. Thanks to this design, it is resilient and easy to scale. >> Read more about Aerogramme Automating mobile app interception with Frida — Mobile app network introspection for security research Inspecting mobile app network traffic is a key part of security & privacy research, which helps protect everybody who uses modern mobile devices. It's also an indispensable debugging tool for app developers & QA teams. However, this technique has faced growing challenges from increasing OS restrictions and individual app countermeasures like certificate pinning, such that inspection now often requires advanced reverse-engineering knowledge and significant time-consuming manual setup. In this project, new tools will be built using Frida (a dynamic instrumentation framework) and integrated with HTTP Toolkit (a network debugging tool) to enable one-click targeted interception, making inspecting traffic from mobile apps on a user's own iOS & Android devices accessible to technical users without specialist expertise. 
>> Read more about Automating mobile app interception with Frida Autocrypt for Thunderbird — Make email encryption extremely simple Autocrypt is a specification that provides guidance for e-mail clients on how to achieve a seamless user experience. It does so by transparently exchanging keys, almost entirely automating public key management. This reduces the UI to \"single click for encryption\". The project will create an extension for the Thunderbird e-mail client that brings this experience to its users. The goal is to provide a new extension with a streamlined user experience that requires as little user interaction as possible, without \"poweruser\" features and performing practical user testing to identify open pain points. The extension will be based on OpenPGP.js, since this can be packaged directly. This will simplify installation and maintenance a great deal. >> Read more about Autocrypt for Thunderbird Back to source: trust but verify all the packages — Analysis pipeline for mapping and cross-referencing binaries with source code Sometimes, the released binaries of an open source package do not match its source code. Or the source code does not match the code in a version control repo. There are many reasons for this discrepancy, but in all cases, this is a potential serious issue as the binary cannot be trusted. Additional (or different) code in the binary could be malware or a vector for unknown software vulnerabilities, or create FOSS license compliance issues. Back to source creates analysis pipelines to systematically map and cross-reference the binaries of a FOSS package to its source code and source repository and report discrepancies. We call this the deployment to development analysis (d2d) to map deployed code (binaries) to the development code (the sources) and plan to apply this \"trust but verify\" approach to all the binaries! 
>> Read more about Back to source: trust but verify all the packages Bonfire Framework — Elixir-based ActivityPub implementation and library with groups and RBAC Bonfire is an open-source, federated social networking toolkit, designed to empower communities to build custom and federated social networks. The current focus of our project is to improve the stability, performance, and documentation of our codebase, honing a solid framework that enhances user experience and encourages wider adoption. We aim to catch bugs, enhance platform performance, and enrich the developer experience by crafting comprehensive tutorials and documentation. A key aspect of our project involves extending our ActivityPub Library, which underpins the federated nature of Bonfire, and contributing back to the ActivityPub ecosystem by releasing v1.0 of our open-source ActivityPub library. The expected outcomes include a robust, efficient Bonfire framework to be used in production, a surge in developer and community adoption, and contributions to standardize federation protocols. >> Read more about Bonfire Framework Charon — Privacy-enabling account management and SSO solution The overall goal of the Charon project is to build a privacy-enabling account management and SSO solution. For end-users, Charon will allow aggregating multiple existing authenticators (Facebook, Google, etc.) in one place and managing different (and potentially multiple) identities exposed to apps. Apps will not have to worry about user management. And admins of communities using those apps will be able to manage all users in one place, with tools to address abuse. >> Read more about Charon Cloud hosting service portability — Service portability for cloud hosting platforms Configurious Monk or cMonk is a combination of a configuration portal and a set of deterministically configured services that can be used to provide ‘common internet services’ like DNS, E-mail, Matrix, Mastodon, Pixelfed, eduVPN, Nextcloud and more. 
cMonk's intended use is in large scale cloud deployments, intended for thousands or even millions of users. It is not intended for use in self-hosting situations, but might still be used that way. The whole project is meant as a service-platform for 'at scale' operations, so we are specifically aiming at 24x7x365 availability which requires redundancy and automatic fail-overs everywhere. Configurious Monk is easy to use, and focuses on being ‘out of the way’ of the user. One of its key features is that it lets the user be in complete control. The ultimate form of control is that you can export all your data and configuration and take it elsewhere. Full service portability is the goal. It uses NixOS and the Nix package manager as its base and has an API that can be used to connect the configuration panel to other services. >> Read more about Cloud hosting service portability Coko Docs — A modern, open source replacement for Google Docs and Drive Coko Docs is an open source solution for storing and editing documents using Coko’s publishing technologies. It is the first part of an Open Suite, which will be integrated with professional Open Publishing products. Coko Docs will have a modern collaborative environment for creating, sharing and hosting files in various formats. We aim to build inclusive tools as powerful as Google Drive and Docs; our initial target audience ranges from individuals to small organisations. Our primary goal is an Open Source product with strong Privacy and Security protocols and elegant accessible design. We will utilize the NLnet funding for the first phase of development where we are adding collaborative editing to the integrated document editor, with offline support (for low-bandwidth scenarios). 
>> Read more about Coko Docs Connect by Name — Library for easy connection setup Connect by Name will be a C library providing an interface that allows a software developer to set up internet connections from an application in the most private and secure manner using well-established and open standards. The interface provided to the software developer will be as simple as “Connect to a service on a domain name” and be flexible enough to fit with different programming paradigms and environments. The library will facilitate composability with other systems and will be extensible with future standards. Our goal is to lower the barrier for developing high-quality software and thereby improve the security and privacy of end users. >> Read more about Connect by Name Record Federation for Corteza Clouds — Data federation over ActivityPub Corteza is a low code platform for building cloud-based web applications. This is typically for private, records-based management purposes (e.g. case management, insurance claims processing, public sector management applications, CRM, ERP), but the uses can also be public if required. It has a modular architecture and its data layer, presentation layer and automation layer can each be treated individually. Corteza Record Federation makes innovative use of the ActivityPub standard to describe how content from the Corteza data layer can be broadcast across large federations of Corteza clouds. All data types, simple or compound, entire records and entire data models are supported. Whether it be energy, finance, health, education or smart cities, many industries need to share complex data in real-time or near real-time, while preserving the digital sovereignty of a large number of disparate actors, protecting the privacy of user data and acknowledging the law of whichever territories in which they find themselves operating. 
Corteza Record Federation allows for the creation of private networks of decentralised “mini-clouds”, all self-hosted and controlled by their owners, where this data exchange can happen as efficiently and more effectively than on any single centralised cloud. >> Read more about Record Federation for Corteza Clouds CryptPad Auth — Implement external identity mechanisms to E2EE collaborative editor CryptPad is a real-time collaboration environment that encrypts all user-generated content in users' browsers, making it illegible to the host of the service. In this project we'll develop optional extensions to the platform to provide additional layers of protection for such data by pursuing two broad strategies in parallel. For the first, we'll take a top-down approach to security through integration with identity provider services like LDAP or SSO, allowing organizations to apply centrally managed access control policies. For the second, more bottom-up approach, we'll offer tighter control of user accounts through various secondary authentication methods like app-based TOTP or email \"magic-links\". These new features will provide more choices for the protection of data stored in CryptPad, while also making the platform more approachable for conventional organizations by leveraging their existing points of trusted infrastructure. >> Read more about CryptPad Auth CryptPad Blueprints — Server-side encrypted collaborative editor CryptPad is an end-to-end encrypted collaboration suite that has been under active development for 8 years, and is currently used by hundreds of thousands of people. Its feature set has grown from a simple editor to a full-blown suite with multiple apps, drive, teams, etc. The next generation of CryptPad should be even better - with stronger security guarantees (\"perfect forward secrecy\", post-quantum crypto), offline-first collaborative editing, and user-driven workflows like password resets. 
This project will take the first steps in this direction. We document the ways in which cryptography is used on the platform, review the state of the art in applied cryptography and then evaluate the right match with available technologies. Finally we will use these foundations to move forward to a new architecture for CryptPad that will allow for future developments, improved usability, and tighter security. >> Read more about CryptPad Blueprints CryptoLyzer — Cryptographic settings analyzer library CryptoLyzer is a cybersecurity tool that can analyze the cryptography-related settings of clients and servers in the case of several different protocols. The tool’s primary purpose is to support end users as well as system administrators, security engineers, auditors, etc., in their work by telling them the details of the currently applied setting and informing them about the potential weaknesses and vulnerabilities. Unlike many other notable free software projects that focus on just one protocol family, CryptoLyzer wants to be as comprehensive as possible. On the one hand, users can analyze several cryptographic mechanisms (e.g., SSH, HTTP security headers, JA3 tag, and later OpenVPN), not just the most popular TLS protocol. On the other hand, it is possible to test both the standard and special or corner cases. The latter means the tool can test hardly supported, experimental, obsoleted, or even deprecated mechanisms or algorithms, which may carry significant risks. The project intends to learn from the existing projects and integrate their solutions to lower the barrier to good cryptographic settings making communication on private and public networks more secure. >> Read more about CryptoLyzer CryptPad — Real-time collaboration with client-side encryption CryptPad is a secure and encrypted open source collaboration platform. The CryptPad teams project will fund the development of a number of group-focused features to CryptPad. 
We'll improve our current implementation of encrypted shared folders to display the permissions possessed by team members for different documents. The capacity to remove a member from a group is difficult in an encrypted system, as the knowledge of encryption keys cannot be taken away once given. We'll implement key-rotation protocols, and develop encrypted mailboxes to facilitate the delivery of new keys to authorized members. The same mailbox system will enable the development of notifications, allowing users to request additional permissions for documents, to invite new members to a group or session, or to inform friends that a document has been updated. Teams organize in many ways, and with the technical components available we'll focus on interfaces which support different modes of coordination, whether the team is hierarchical or self-organizing. Overall, we hope to make it so that the most intuitive way to collaborate is also the most secure. >> Read more about CryptPad GNU Guix - Cuirass — Continuous integration system for GNU Guix/Linux + Hurd GNU Guix is a universal functional package manager and operating system which respects the freedom of computer users. The number of supported packages, almost 15.000 on 5 different architectures, is constantly increasing. With the recent efforts adding support for the GNU Hurd operating system, and the ongoing work to easily provide Guix System images for various boards, the need for a strong continuous integration system is critical. This project aims to improve Cuirass, the GNU Guix continuous integration software to provide binary substitutes for every package or system image within the shortest time. This way, the user won't have to allocate important time and computation power resources into package building. The plan is to add to Cuirass an efficient offloading and work-balancing mechanism between build machines, an improved web interface allowing to monitor machine loads and other build related metrics. 
A user account section to setup customized monitoring dashboards and subscribe to build failures notifications will also be developed. >> Read more about GNU Guix - Cuirass Securing Internet protocols with DIDs — Bridge Decentralized Identifiers with standardised authorisation mechanisms Many Internet protocols require authentication, e.g. when we check our email account with a username and password, when we authenticate to SSH hosts with public keys, or when we log in to websites using OpenID Connect. Decentralized Identifiers (DIDs) are a new type of identifier that have associated private keys and can be used for authentication purposes. DIDs are in practice mostly used for exchanging Verifiable Credentials (VCs) between Issuers, Holders, and Verifiers. However, on a more basic level, DIDs can also simply be used as a replacement for usernames/passwords or static public keys, to authenticate by proving control over one's DID. Unlike other identifiers such as usernames or domain names, DIDs do not require a central authority for creating and using them. In this project, we will work on integrating DIDs with existing Internet protocols that require authentication by developing a new SASL mechanism. The idea is that for example you could log in to your SSH host, email account, IRC server, XMPP server, etc. using your DID, which can improve both usability and security. >> Read more about Securing Internet protocols with DIDs DNSvizor — Privacy-enhanced DNS resolver and DHCP server A secure and robust DHCP server and DNS resolver with a small resource footprint. We will develop a MirageOS unikernel providing these crucial network services. There are various privacy extensions (such as query name minimisation, and recently published opportunistic encryption between the resolver and the authoritative name server), as well as the possibility to deny resolution of configurable domain names (block lists). For enhanced security, we will implement DNSSec. 
We will provide DNS-over-TLS and DNS-over-HTTPS services. This will be a drop-in replacement for DNSvizor and Pi-hole. The project builds on top of MirageOS: a library operating system developed in OCaml — a memory-safe functional programming language. In MirageOS, each service is a separate unikernel with a minimal attack surface that only contains the code required to run it. These unikernels are normally executed as a virtualized machine such as KVM, VirtIO, Xen. MirageOS also supports using a strict security feature of the Linux kernel called seccomp. >> Read more about DNSvizor Anonymisation for Data Donations — Facilitate platform scrutinization through anonymised data contributions Recommendation systems are gatekeepers of online content. Despite their huge influence, these systems are opaque and unaccountable. Thanks to user data donations (e.g. users sharing their personal recommendations), researchers are able to scrutinize algorithms from the outside, even in the absence of official APIs. Because recommendations are personalised and thus can expose sensitive information, it is essential to guarantee the privacy of our data donors. The project will design and implement a private-by-design data donation infrastructure. With such a scheme, contributions do not have any form of user identification in the database. They are indexed by a cryptographic token, generated from a user-owned secret key. This ensures that there is no visible link between a contribution and a user, or between two contributions from the same user, even with full access to the database. Users can re-generate the indexes of their contributions using their secret key, allowing them to retrieve or delete their data in part or whole, as required by the GDPR. This project will not only be a major enabler for broader platform scrutinization, but also a reusable building block for other projects that need to collect sensitive data with strong privacy guarantees. 
>> Read more about Anonymisation for Data Donations Distributed Private Trust — Decentralised trust and reputation system The project \"Distributed Private Trust\" wants to develop a prototype for a trust and reputation system that does not rely on a centralized trusted party and provides users with more privacy than current systems. It uses secure multi-party computation to calculate aggregate ratings without having to reveal individual users' ratings to any other party. The project also applies techniques from mechanism design to make the system robust to malicious behaviour of participants, for example by diminishing incentives to submit dishonest ratings. >> Read more about Distributed Private Trust Dolphin authorisation — Avoid privilege escalation in the Dolphin file manager While acting with elevated privileges, software needs to be distraction-free, clear and user-friendly to avoid security issues and other ways of impairing a system. This project is about enabling average users to do administrative file manipulation within the popular file manager Dolphin securely and with confidence. There is a strong demand for proper integration, enabling less technically-savvy users to safely work with all kinds of files. This project will bring improvements to technical and user-friendliness aspects, so the user will know how to securely accomplish their tasks. This will remove some attack vectors, reduce the risk of falling for social engineering, and reduce user error. >> Read more about Dolphin authorisation dream2nix — Automate reproducible packaging for various language ecosystems Dream2nix is part of the overall effort to create more technical assurances, transparency and robustness within the software supply chain. Dream2nix as a framework allows more open source projects to achieve reproducible builds easier, and helps to create an auditable toolchain across different technical dependencies. 
The ability to reproduce software builds is of major importance when it comes to verifying if a given binary is the product of a given source code. Reproducibility also increases the maintainability and reliability of small and large software deployments. The nix build system allows for such reproducibility even for complex software systems. dream2nix integrates existing well known programming language specific package managers like npm, yarn or cargo with the nix build system, which will allow many open source projects to benefit from nix' unique properties. >> Read more about dream2nix Python supply-chain with dream2nix —  Towards a secure, extensible & reproducible Python supply-chain with dream2nix We aim to improve the software supply chain of Python with Nix by extending Dream2nix. While the Nix build system offers great reproducibility and auditability features, the effort required to manually write build expressions for all transitive dependencies has led to the creation of various \"lang2nix\" tools. Dream2nix is a collection of such tools and a library handling shared concerns, with existing implementations for NodeJS, Rust and Haskell. This project is going to implement first class Python support in dream2nix. Packagers and developers will be able to build standards-compliant projects with nix automatically, while still being able to transparently apply patches where necessary. >> Read more about Python supply-chain with dream2nix EGIL SCIM client — System for Cross-domain Identity Management Managing student information in an effective, secure and GDPR compliant way is crucial for the digitalized school. EGIL is an open source client that facilitates the exchange of student information to external providers of study material or administrative services in a standardized way. 
It supports attributes based on SCIM (RFC 7642-7644) and extensions, it provides an interface to common directory services and supports federated solutions between a large number of school principals and service providers. This project will improve EGIL's federative capabilities, submit an Internet-Draft on the subject of federated accounts provisioning, as well as providing a proof of concept for using SCIM as the standard for exchange of student information. This will eliminate the problems caused by using several different exchange protocols and formats between school principals and service providers. >> Read more about EGIL SCIM client The search for ethical Apps — Create custom, self-hostable app stores for Android(-like) OS-es Once you own a smartphone, often you will want to install additional apps to add additional functionality. In some cases there isn't much choice, like when you as a citizen need to use digital services provided by your government and these are exclusively available through apps. Pre-configured vendor app stores such as the Google Play store and the Apple App store actually require you to agree to privacy-unfriendly terms of service and introduce tracking behaviour - even if you are only going to be installing ethical apps that themselves are open source and privacy-friendly. On top of that, these app \"warehouses\" contain a confusing amount of lookalike and dishonest applications that take advantage of naive consumers. Sending users into an app jungle with hundreds of thousands of apps that often resemble each other, leaves users unprotected. In fact, in many cases the whole idea of a \"store\" doesn't make sense - like when an app is paid for by public funding. So why not create alternative mechanisms that give easy and convenient access to apps and do not force citizens to sign contracts with commercial third parties? 
This project will create custom app distribution mechanisms based on F-Droid, allowing anyone to curate a set of applications and distribute these to users directly - without them having to sign away any rights to third parties. >> Read more about The search for ethical Apps FOSS Code Supply Chain Assurance — Mitigate attacks through software dependencies It is of the utmost importance to ensure that FOSS packages from public repositories have not been tampered with by malicious actors. This type of compromise is described as an open source \"supply chain attack\" and these have been increasing significantly. This project is building a new system (which is FOSS itself) to help verify the integrity of deployed code packages and validate their origin with external data sources, with the potential to mitigate attacks on open source packages supply chains such as: detecting if a package in use is matching verified code by matching source and binaries exactly and approximately. Or detecting abnormal code changes that may be signs of malicious modifications and possible attacks on a package. The key components of this open code and data solution are a Package and File Fingerprints Database, a Code Similarity and Changes Detection Engine, utilities to detect possibly malicious changes in upstream projects, and integration in build system(s). While existing approaches may require a tight control of the whole code supply chain, the approach of this project is designed for practical usage with limited changes to a build and CI/CD pipeline. >> Read more about FOSS Code Supply Chain Assurance II — Add approximate matching capabilities to software vulnerability discovery It is of the utmost importance to ensure that FOSS packages from public repositories have not been tampered with by malicious actors. This type of compromise is described as an open source \"supply chain attack\" and these have been increasing significantly. 
This project is building a new system (which is FOSS itself) to help verify the integrity of deployed code packages and validate their origin with external data sources, with the potential to mitigate attacks on open source packages supply chains such as: detecting if a package in use is matching verified code by matching source and binaries exactly and approximately. Or detecting abnormal code changes that may be signs of malicious modifications and possible attacks on a package. The key components of this open code and data solution are a Package and File Fingerprints Database, a Code Similarity and Changes Detection Engine, utilities to detect possibly malicious changes in upstream projects, and integration in build system(s). While existing approaches may require a tight control of the whole code supply chain, the approach of this project is designed for practical usage with limited changes to a build and CI/CD pipeline. This is the second phase of this ambitious project, the focus of which is to enable approximate matching between a database of FOSS packages resources and an actual FOSS package or other code. Moreover, various architectural improvements will be performed to support use at larger scale. >> Read more about FOSS Code Supply Chain Assurance II Federated software forges with Forgejo — Add ActivityPub based federation to Forgejo Forgejo is a self hosted software forge where developers can work together on software projects and users can report bugs or request features. As of Forgejo version 1.20, when a project is hosted on a Forgejo instance, every developer is expected to create an account on that instance in order to participate. Compared to email, it is as if it was necessary to create an account on gmail.com to send a message to someone with an @gmail.com email address and another on yahoo.fr to send a message to someone with an @yahoo.fr email address. 
But in 2022 there are two: the W3C ActivityPub protocol published in 2017 and forgefed, an emerging standard (since 2019) to describe activities happening on software forges. They can be used by Forgejo instances to communicate with each other and create a federation of forges continuously communicating with one another instead of a constellation of isolated silos. A federated Forgejo will enable software developers to work on the same project even when they use different Forgejo instances. There will be bridges between isolated Forgejo instances that software projects can use to synchronize in real time. >> Read more about Federated software forges with Forgejo ForgeFed — Federating software forges with ActivityPub The platforms that software developers use for hosting and collaborating on their projects, known as software forges, are centralized systems. And some of the most popular forge websites run proprietary software and are controlled by a single company. The values, methods, policies and interfaces of the tools we use with our software projects often don't align with our values and needs, but despite having coding skills, we're powerless to change the situation. ForgeFed aims to put the power back into the hands of the Free Software community, and to allow for systems that are truly trustworthy and support inclusion, freedom, participation, censorship resistance and alignment with needs, by turning software forges into a decentralized network. ForgeFed is a protocol and vocabulary for federation of servers and services related to the Software Development Lifecycle, and an attempt to implement federation into existing free-software forges. ForgeFed has been based on the ActivityPub protocol, which is widely adopted on the Fediverse, and is augmenting it with Object Capabilities, an essential component for distributed secure flexible authorization of collaborative resource access. 
>> Read more about ForgeFed GNU Name System — Authenticated naming system for the internet from GNU project Today, the starting point of any discovery on the Internet is the Domain Name System (DNS). DNS suffers from security and privacy issues. The GNU project has developed the GNU Name System (GNS), a fully decentralized, privacy-preserving and end-to-end authenticated name resolution protocol. In this project, we will document the protocol on a bit-level (RFC-style) and create a second independent implementation against the specification. Furthermore, we will simplify the installation by providing proper packages that, when installed, automatically integrate the GNS logic into the operating system. >> Read more about GNU Name System GNS Migration and Zone Management — Registrar tools for adoption of GNU Name System The GNU Name System is in the final stages of standardization. Consequently, calls for migration and large-scale testing as well as interest in running GNS registrars are increasing. In order to address this development this project aims to facilitate the management of GNS zones by administrators and to provide users with means to resolve real-world names. To ease adoption, a framework for GNS registrars will be developed for zone management. The registrar framework will allow GNS zone administrators to provide a web-interface for subdomain registration by other users. The services may also be provided for a fee similar to how DNS domain registrars operate to cover running costs. The framework is envisioned to support integration of privacy-friendly payments with GNU Taler (https://www.taler.net). To demonstrate the capabilities of GNS with respect to DNS migration, we plan to run multiple GNS zones ourselves which contain the zone information from real-world DNS top-level domains. A selection of existing top-level domains for which open data exists will be hosted and served through GNS in order to facilitate the daily use of the name system. 
We are planning to integrate at least three DNS zones and publish them (regularly) in GNS for users to resolve. >> Read more about GNS Migration and Zone Management GNU Taler KYC — Know-Your-Customer support for GNU Taler This work is about adding proper Know-Your-Customer (KYC) support to GNU Taler to satisfy regulatory requirements to operate the Taler payment service. However, we will not implement our own KYC solution but instead provide a generic way to interface with existing KYC providers and implement several concrete adapters. By supporting multiple providers we will ensure that our KYC abstraction is reasonably generic. The KYC integration will be configurable to adjust the deployment to the legal requirements of different countries. Finally, we will support attestation of collected KYC information to third parties. This will allow the payment system to assure consumers receiving a bill about the identity of the invoicing business. >> Read more about GNU Taler KYC Garage — Lightweight geo-distributed data store compatible with Amazon S3 Garage is a lightweight geo-distributed data store that implements the Amazon S3 object storage protocol. Garage is meant primarily for self-hosting at home on second-hand commodity hardware, meaning it has to tolerate a wide variety of failure scenarios such as power cuts, Internet disconnections, and machine crashes or slow response times. It also has to be easy to deploy and maintain, so that hobbyists and small organizations can use it without a hassle. Garage focuses on allowing users to build geo-distributed clusters, with nodes connected through consumer-grade Wide Area Network (Internet) connections. Garage makes this possible by tolerating relatively high latency between nodes thanks to an innovative design based on the principles of the Dynamo database and that makes heavy use of Conflict-free Replicated Data Types (CRDTs). Garage is written in Rust, with a strong emphasis on stability and robustness. 
The funding from NLnet will allow development of Garage to continue, tackling in particular the following two aspects: improving compatibility with the S3 protocol and guaranteeing the stability and soundness of the core of Garage's storage engine. >> Read more about Garage Garage Administration UI — Easier administration for selfhosted storage buckets Garage is a lightweight geo-distributed data store that implements the Amazon S3 object storage protocol. Garage is meant primarily for self-hosting at home on second-hand commodity hardware, and aims to be easy to deploy and maintain, so that hobbyists and small organizations can use it without a hassle. To further this goal, the Garage admin interface project aims to develop a web UI to make cluster administration easier and more intuitive. This interface will cover the most common operations on a Garage cluster: visualizing cluster status; joining new nodes, removing nodes, and changing node configuration; and management of S3 access keys, buckets and bucket configurations. >> Read more about Garage Administration UI Nix Integration for Hop3 — Nixify the Hop3 self-hosted cloud platform Hop3 is an open-source orchestration platform designed to simplify the deployment and management of distributed applications across cloud and edge environments. With a focus on flexibility, security, resilience, and ease of use, Hop3 empowers developers and small organisations to take full control of their IT infrastructure and data, ensuring digital sovereignty and avoiding vendor lock-in. The project will enhance the Hop3 platform by integrating Nix, a powerful package manager known for its ability to create reproducible environments, to improve build-time flexibility and ensure consistent, reliable run-time performance. As a test bed and showcase of this integration, we will package 20 diverse and impactful F/OSS applications. 
Additionally, we will develop new resilience and cybersecurity features to further strengthen the platform's robustness and security. >> Read more about Nix Integration for Hop3 A proof of concept of identity-based encryption — Make encryption simpler The project aims to extend the existing attribute-based identity platform IRMA with easy-to-use encryption. The kind of encryption is called Identity-Based. Its main advantage is that key management is simple, so that encryption becomes easy to use, via a plugin to an email client (only Thunderbird in this proof of concept project). The plugin computes the public key of the recipient of a message, from some uniquely identifying attribute of the recipient (typically an email address, but phone number, or citizen registration number could work as well). The receiver of the message will have to prove, via IRMA, possession of the uniquely identifying attribute to some Trusted Third Party (TTP), which will then provide the corresponding private key. Within this project a working set-up will be built. Turning it into a widely usable product will require more work, in follow-up projects. >> Read more about A proof of concept of identity-based encryption IRMA made easy — Usability research into attribute based authentication Authentication methods, like passwords, often involve a trade-off between usability and security. Secure passwords are a hassle to use, and easy-to-use passwords are often also easy to guess or to brute force. Clearly, there is a need for authentication methods that are both secure and user-friendly. The IRMA mobile app can fill this gap. It was originally developed with a strong focus on providing secure and privacy-friendly authentication. This project will focus on making IRMA easy to use for everyone. We will conduct a formal large-scale evaluation of IRMA that focuses on usability in general as well as on accessibility (i.e. for users with disabilities) in particular. 
By doing so, usability hindrances can be identified and improved, making IRMA user-friendly and accessible for users with the widest range of capabilities. >> Read more about IRMA made easy Icebreaker — Gemini centric viewpoint of coding issues and bug tracking Modern software projects not only require source code repository management but also tools to plan projects and solve technical problems. Closed source solutions and online commercial services may be convenient, but create significant concerns around control, autonomy and privacy - and they skew discoverability. Icebreaker believes in decentralised approaches which keep the coding repo separate from the project management repo. In terms of cooperation and teamwork, this helps to encourage new, flexible and dynamic approaches. These expectations are solved through the minimalism of the Gemini protocol and its terse Markdown format, Gemtext. It is modern because it is easy to understand; accessible to interact with (whether as a consumer or a contributor); and treats privacy as a foremost priority. Icebreaker's flagship project, gLean, provides building blocks for navigating and interpreting one or more Gemini content sources (with settings, rulesets, and regex magic). (Non core) modules provide output in alternative formats, including Kanban boards. Creators will control their issue trackers. Creators' terms. Creators' conditions. 'Off-the-shelf' solutions can't compete against gLean's tailored approaches. FOSS communities can choose workflows that match their technical requirements, while supporting autonomy and adhering to their ethical values. >> Read more about Icebreaker YunoHost and the Internet Cube — Solutions for DIY-ISP's and self-hosters YunoHost is a free and open-source server distribution that provides a self-hosted alternative to commercial centralized services, and allows people to take back control over their data. 
YunoHost aims to make server administration accessible to the general public and ultimately make personal servers as common as desktop computers. Based on YunoHost, the Internet Cube project develops an affordable plug-and-play server that can be bought and easily deployed at home by the general public. In addition to its self-hosting capabilities, it provides a privacy-enhancing WiFi hotspot which protects its users from censorship and metadata leaks. And because it is low-power, it can be used even in remote and offline situations. >> Read more about YunoHost and the Internet Cube Interpeer SDKs — Secure and efficient peer-to-peer networking stack The Interpeer Project's purpose is to research and develop novel peer-to-peer technologies for open and distributed software architectures. The goal is to enable serverless modes of operation for collaborative software with rich feature sets equal to or surpassing centralized client-server architectures. In order to make the Interpeer technology stack accessible to software developers, the goal is to provide SDKs for a desktop and a mobile platform, complete with examples. These SDKs should enable seamless cross-platform data exchange and live editing capabilities by multiple authors. >> Read more about Interpeer SDKs Keyoxide — Self-hostable identity proofs with bidirectional linking verification How do you discover which other online accounts across different services and service providers actually belong to the same person? Keyoxide is a secure, privacy-friendly and decentralized platform to manage online identities, uncompromisingly driven by what the user herself wants to share. Keyoxide is a new type of service to allow proving linked account ownership on a variety of platforms. Keyoxide leverages existing and battle-tested cryptographic primitives.
The goal is to give users more control over their online presence, independent from dominant internet actors - without in fact having to depend on any centralised services or third parties. The project will improve the usability of the current Keyoxide, and its emerging underlying technology (Decentralized OpenPGP Identity Proofs). More service providers will be added and additional tools to provide proofs will be developed, to create a smooth and easy onboarding process for less tech-savvy people. >> Read more about Keyoxide Private Key Operations for Keyoxide — Implement Private Key Store design in Keyoxide Keyoxide is one of the open-source success stories when it comes to providing an alternative to the proprietary product (Keybase). The UI is straightforward so that the interaction with the site is available to all kinds of users. Unfortunately there is one critical part that differentiates Keyoxide from Keybase - no support for private key operations. Adding proofs requires a complex maze of command line invocations. This project will implement the best of both worlds: a simple, UI-centric way of interaction without technical knowledge required and the strong security of Keyoxide. >> Read more about Private Key Operations for Keyoxide Keyoxide v2 — Add cryptographic signature based to Keyoxide How do you discover which other online accounts across different services and service providers actually belong to the same person? Keyoxide is a secure, privacy-friendly and decentralized platform to manage online identities, uncompromisingly driven by what the user herself wants to share. Keyoxide is a new type of service to allow proving linked account ownership on a variety of platforms. Keyoxide leverages existing and battle-tested cryptographic primitives. The goal is to give users more control over their online presence, independent from dominant internet actors - without in fact having to depend on any centralised services or third parties.
The project will build on top of the existing OpenPGP Identity Proofs to add other types of profiles based on various cryptographic signature mechanisms from a variety of new tools. To maintain linkable profiles, a new signature-hosting infrastructure needs to be designed and developed. Other improvements are aimed at safeguarding privacy and achieving plausible deniability. >> Read more about Keyoxide v2 Improve Email Encryption in KMail — Adopt improvements in Email Encryption in KMail The goal of this project is to make it simpler for inexperienced users to just use encrypted mails, at the click of a button. Autocrypt is a new method for email encryption, that needs nearly no user interaction. It performs the needed key exchange transparently in the background, and does key management automatically. Encrypted Headers is a protocol to send mail headers in the encrypted mail part. Traditional encryption methods leaked meta-data, which could be used for mass surveillance purposes. The result will be part of the KDEPIM codebase, so you don't have to install anything else than KMail to use these improvements. >> Read more about Improve Email Encryption in KMail LDAP Synchronization Connector — Synchronize data from/to various data sources with LDAP LSC (LDAP Synchronization Connector) is a community open source software designed to get rid of all customized scripts developed by system administrators to sync their files or databases to maintain accounts and groups in an LDAP directory. LSC works with one configuration file and can connect to any database, LDAP directory (including Active Directory) or REST API. It solves use cases like \"create an account for every new people hired in the company\", \"lock this account in Active Directory because it was locked in OpenLDAP\", \"create a group for all people of this department\" or \"push accounts to this application API\".
The project will refresh all the dependencies, and add new features such as allowing JavaScript in LDAP filters. >> Read more about LDAP Synchronization Connector ARPA2 LDAP Middleware — Privacy enhancing middleware Some protocols are far better known than others. Everyone will recognise the HTTP protocol we use to transfer web pages. LDAP is not as well known, but it is also a key technology we use on a daily basis - in fact it shapes how most organisations are organised online. LDAP is a proven technology but can be cumbersome to work with, and as a result it has seen little innovation in recent years. This project develops a number of innovative middleware components from the ARPA2 project. This includes a privacy enhancing middleware for LDAP (LEAF), which allows attribute filtering and selective transformation of LDAP; SteamWorks, which allows for responsive large scale configuration and trust delegation; and Lillydap, a library that can be used to easily add LDAP to any application. The project also delivers on (broad)er deployability of these building blocks, by providing tools for distropackaging the innovative solutions produced by the project. >> Read more about ARPA2 LDAP Middleware SCIM integrations — System for Cross-domain Identity Management (SCIM) Most organizations have a digital work environment that is composed of many applications. With a Single Sign-on (SSO) system they get a unified login and logout experience, but there is a catch. Traditional SSO protocols like OpenID Connect do not support syncing user profiles across applications. For instance, users are deleted in the SSO, but not in the applications. Hence, SSO implementations are not GDPR compliant by default, and organizations have to develop custom processes to circumvent violations. SCIM is a standard developed within the Internet Engineering Task Force designed to solve exactly that.
The project is to develop a SCIM client for Keycloak and a SCIM service provider for Nextcloud, RocketChat, Matrix and Stackspin. >> Read more about SCIM integrations Distributed Trust for Web Servers — Establishing a Distributed Trust Authority The M-Pin protocol, and its implementation in the Milagro project currently incubating at Apache, provides cryptographic security using a distributed trust model. In place of the single point of failure (and high-value target for social engineering attacks) of today's Certificate Authorities (CAs), cryptographic verification is assembled from two or more mutually independent authorities, all of which would need to be subverted at once to break security. This project helps bring distributed trust to the Web, by implementing M-Pin support via Milagro's libraries in leading Open Source web servers. This will pave the way both to a distributed trust alternative to monolithic CAs and browser trust lists, and to a distributed trust alternative to protocols such as OpenID for user identification. >> Read more about Distributed Trust for Web Servers MTE - the MirageOS Taler Exchange — Implement Taler Exchange functionality in OCaml-based unikernel This project will develop a drop-in implementation for a GNU Taler exchange with the unikernel framework MirageOS. The GNU Taler Exchange is a service that needs to be robust and highly secure (plus allow very high security deployments). MirageOS uses OCaml, a functional programming language with a static type system which catches lots of errors at compile time, and provides memory-safety. With MirageOS, one only embeds the code that is really required to run the service in the virtual machine image - resulting in a relatively much smaller attack surface. The resulting solution will use very little resources (memory usage / CPU cycles), which is beneficial both from a green computing perspective, and from a performance perspective.
The plan is to use existing tests of GNU Taler exchange, in addition to our own fuzz testing, to ensure that MTE acts the same as GNU Taler exchange. >> Read more about MTE - the MirageOS Taler Exchange MoboSearch — Providing an alternative view on the Android App ecosystem Mobile phones play a major role in our society, yet they still suffer from severe limitations in how they handle apps. As a result, most people are unaware of the dangers of privacy leaks and are typically offered very constrained search capabilities within one single source of information, the app store. MoboSearch is a new search engine and information portal for apps, empowering users beyond the existing app stores. The system exposes privacy and security information, like app permissions, and gives users new easy and flexible search capabilities that allow to make an informed choice and to increase people's awareness. Openness and interoperability ensure that the system can offer and receive data, so to cooperatively enable a better and healthier app ecosystem. >> Read more about MoboSearch Namecoin: ZeroNet and Packaging — Make ZeroNet work with Namecoin Namecoin provides a decentralized naming system and trust anchor. Its flagship use-case is a decentralized top-level domain (TLD) which is the cornerstone of a domain name system that is resistant to hijacking and censorship. Among other things, this provides a decentralized trust anchor for Public Key Infrastructure that does not require third party trust. It operates independent from the DNSSEC root trust chain, and can thus offer additional security under some circumstances. ZeroNet is a decentralized web-like network of peer-to-peer users, which provides an alternative to TOR hidden services. In the project, Zeronet will be adapted to support a local Namecoin client, and provide additional assurances such as a Host Header-like mechanism to protect users from spoofing. 
Namecoin will be used as a human-readable naming layer for Tor onion services and ZeroNet sites. This eliminates the user problem of pseudorandom, unmemorable website addresses for onion services and ZeroNet sites, which can facilitate phishing attacks. >> Read more about Namecoin: ZeroNet and Packaging Namecoin: Core Infrastructure — Alternative domain name system Namecoin is a blockchain project that provides a decentralized naming system and trust anchor. Our flagship use-case is a decentralized top-level domain (TLD) which is the cornerstone of a domain name system that is resistant to hijacking and censorship. This project is meant to improve the security and usability of core components of Namecoin. >> Read more about Namecoin: Core Infrastructure NixOS/Clevis — Unattended disk decryption with Clevis on NixOS Whether they should or not, organisations are moving their data to third party servers (aka the \"cloud\"). While full disk encryption of servers should be an everywhere standard in order to protect the sensitive data that they inevitably hold, its adoption is still lagging. This isn't just lack of awareness, but also part of the tooling is missing. With full disk encryption comes a big pain point: restarting the server requires the root file system to be unlocked before booting the OS. While it is possible to remotely log into a server to unlock it, this does create a dependency on a human operation in order to boot a server without compromising security. This is sometimes a non-acceptable drawback: it rules out unattended reboots, recovery from power loss, and it doesn’t scale well with the number of servers. This project will make on disk encryption with remote unlocking part of NixOS - bringing together a number of innovative mechanisms such as system extensions images and stage1-networkd.
While this does not make using the cloud safe and private in and by itself (this is impossible), it will contribute to make it somewhat more safe and more private. Additionally the project will port the Proxmox Hypervisor to NixOS, in order to benefit from NixOS-style declarative host configuration and deployment (which is very valuable when managing a cluster of machines to avoid configuration rot). Proxmox is a hypervisor that can run little to middle sized VM clusters and is capable of handling multi-node clusters. >> Read more about NixOS/Clevis Securing NixOS services with systemd — NixOS, with the nix package manager, provides different services that can be installed and configured in a reproducible, declarative way. But how does one know whether software sticks to what it is supposed to do, and prevent a malicious application from spying on others? Systemd provides users with ways to specify fine-grained sandboxing options for their running service, taking advantage of the Linux kernel's security facilities. This project will improve the default configuration of the services that are available in NixOS using systemd, so that users may deploy services without granting them too much trust: the services would only have access to the parts of the system they require. From a security point of view, this limits the attack surface of the system and considerably improves defense in depth. This also means that services wouldn't be able to snoop on all of the user's system. To gain long-term benefits from this project, we will develop automated tools to help with finding the right configuration for a given service, and we will write documentation to help people who will want to secure other services with their task. >> Read more about Securing NixOS services with systemd Nym Credentials — A decentralised solution for authentication Nym Credentials provides open-source code for privacy-enhanced authentication and authorization in a decentralized environment.
Today, when using \"single-sign in\" solutions, users hand over their personal data to third-party identity providers such as Facebook Connect and Sign-In with Google. Nym Credentials tackles this problem by allowing users to securely authenticate and transfer personal data (and proofs of private data) while maintaining privacy without a centralized identity provider. Each credential is cryptographically unlinkable between usages and multiple decentralized identity providers can verify this data. Open-source Nym credential libraries can be easily integrated into existing services, with a focus on federated and decentralized European environments. >> Read more about Nym Credentials Opaque Sphinx — Secure password-based authentication with Opaque/Sphinx Opaque Sphinx is a project that aims to secure password-based authentication by deploying the state-of-the-art SPHINX and OPAQUE cryptographic protocols to eliminate almost all common attack vectors - such as weak guessable passwords, password reuse, phishing, password databases, offline dictionary attacks, database leaks - plaguing current solutions. These protocols provide the strongest available cryptographic properties with cryptographic proofs. The project intends to port its already existing free software SPHINX implementation - besides already existing support for Linux and Windows - to Android so it can also be used on smartphones. >> Read more about Opaque Sphinx Opaque Sphinx Server and Clients — Server and tools for modern authentication Passwords are probably the most common way to remotely use private services, which makes them a major liability - humans on average find it very hard to memorize strong passwords. Luckily, passwords - or more particularly tools to work with passwords more safely - are evolving as well. SPHINX is a novel approach to password storage that is information theoretically secure. And unlike most online password managers, the user does not even have to trust the server.
OPAQUE is a novel protocol that can be used to eliminate phishing as an attack vector when authenticating to servers. The combination of SPHINX and OPAQUE provides some very strong guarantees while still allowing users to only need to remember one or just a few passwords. This project will develop a SPHINX server in a safe, compiled language, with ample tests. It will also further develop and refine a protocol above SPHINX, handling creation, deletion, backup and changing of data. In addition it will add the OPAQUE protocol to various free software ecosystems such as PHP, java, nodejs, ruby, golang, erlang and rust, as well as to the two most used webservers: nginx and apache2. >> Read more about Opaque Sphinx Server and Clients OpenPGP Certificate Authority — Managing OpenPGP keys for communities and organisation OpenPGP CA is a tool for managing OpenPGP keys within an organization. Its primary goal is to make it trivial for end users to authenticate the OpenPGP keys of users in their organization, and in adjacent organizations. In an OpenPGP CA-using organization, users delegate authentication to an in-house CA. This allows users to securely and seamlessly communicate via PGP-encrypted email without having to manually compare fingerprints, without having to understand OpenPGP keys or signatures, and without having to trust a third-party with potentially conflicting interests. This goal is achieved by shifting the authentication burden from individual users to an organization's administrator, and providing a tool that largely automates key creation, and signing as well as key dissemination. Importantly, because OpenPGP CA works within the existing OpenPGP framework, users do not need any new software to take advantage of OpenPGP CA's benefits; they can continue to use existing email clients and encryption plugins. Further, OpenPGP CA can co-exist with other authentication approaches, like traditional key signing workflows. 
>> Read more about OpenPGP Certificate Authority Improving OpenSSH's Authentication and PKI — Improving SSH Authentication with OpenPGP transitive trust It would not be a stretch to say that ssh secures the Internet - it is the protocol most relied on to log into servers of any type. Yet, its authentication model is inflexible, rarely used properly, and inadequate. OpenPGP's transitive trust (aka \"web of trust\") mechanisms and revocation certificates can help to provide additional automated assurances. By publishing and certifying OpenPGP keys for servers, an ssh client may be able to automatically check whether an encrypted connection is not only encrypted, but also authenticated. Similarly, server administrators can automatically find the right public key for users. And when a server key or user key is compromised, using OpenPGP, it is straightforward to ensure that it won't be trusted: just publish a revocation certificate. This project will add OpenPGP support to OpenSSH to improve and simplify these workflows. >> Read more about Improving OpenSSH's Authentication and PKI Interoperable Certificate Store for OpenPGP — Standardisation effort for shared OpenPGP certificate storage This project will build a public cert store for OpenPGP keys, with well defined data structures and access mechanisms to facilitate interoperability between OpenPGP implementations. It builds on pgp-cert.d, which stores certs, and has an API to access them. Beyond the common format and API, the project will also add Sequoia-specific indices, where standardization doesn't make sense. sq, Sequoia's command line tool, will be adapted to use the cert store. In addition the project aims to develop a privacy-preserving way to update the certs from keyservers. >> Read more about Interoperable Certificate Store for OpenPGP Hardening OpenPGP CA deployments — HSM support for OpenPGP key infrastructure OpenPGP CA is a tool for managing and certifying OpenPGP keys in organizations.
Today, the private key material of OpenPGP CA instances is stored and used locally. This project will add support for two hardened modes of operation: 1) Using a hardware-token (OpenPGP Card) based key for the CA, and 2) Split OpenPGP CA deployments, in which critical operations are performed on a highly protected machine (e.g. air-gapped), while regular operation can take place conveniently on an online CA instance. In addition the project will build an OpenPGP CA based tool for version control signing workflows (e.g. git), with a focus on providing a smooth user experience for signing with OpenPGP card devices. >> Read more about Hardening OpenPGP CA deployments Owncast — ActivityPub powered Livecasting Owncast is a self-hosted, open source live streaming platform for people to easily host and manage their own live streams. It has become an increasingly popular option for many people to break away from the large centralized services. The project will add Fediverse (ActivityPub) integration in order to provide better means of discovery, increase engagement, and to have interoperability with other applications. The goal is for Owncast to become a fully fledged member of the Fediverse, focusing on people's streams being discovered with existing timelines and search indexes. This would allow people to for instance contribute comments directly from their own ActivityPub powered website or ActivityPub-powered link aggregators like Lemmy. >> Read more about Owncast Adding Web-of-Trust Support to PGPainless — Web-of-Trust specification support for Java Reliable authentication of public key certificates is a hard requirement for strong and effective end-to-end encryption. The \"Web-of-Trust\" (WoT) serves as an example of a decentralized authentication mechanism for OpenPGP. While there are some existing implementations of the WoT in applications such as GnuPG, their algorithms are often poorly documented.
As a result, WoT support in client applications is often missing or inadequate. PGPainless is an easy-to-use, secure-by-default OpenPGP library for Java and Android. This project will extend PGPainless with an implementation of a recently published, new Web of Trust specification. The goal is to make the Web of Trust more interoperable and accessible to client applications, overall increasing the usability and ergonomics of OpenPGP for the end-user. >> Read more about Adding Web-of-Trust Support to PGPainless Peppol for the masses — Hybrid self-hosted e-invoicing with decentralized identities Peppol is an EU-backed e-Invoicing network which uses a top-down certification infrastructure to establish trust between the sender and the receiver of an invoice. In the \"Peppol for the Masses!\" project, we will implement Peppol in PHP (so far only Java and C# implementations are available), and package its core components (the AS4 sender and the AS4 receiver) as a Nextcloud app, so that users of the popular Nextcloud personal cloud server can send and receive invoices over AS4 directly into their self-hosted server. Due to the top-down nature of Peppol's trust infrastructure, it's not possible to self-host a node in the Peppol network unless you go through a reasonably heavy certification process. Therefore, we will extend our implementation with support for self-hosted identities, using the \"WebID\" identity pattern which was popularized by the Solid project. We will also develop a re-signing gateway which replaces the signature on an AS4-Direct invoice with a Peppol-certified signature. In a follow-up project, we will also host an instance of this re-signing gateway and make it available free of charge, similar to how the LetsEncrypt project has made TLS certificates available free of charge. 
This project will lower the (cost) barrier for machine-readable cryptographically-signed e-Invoicing messages, and at the same time increase the sovereignty of end-users, towards a human-centric internet of business documents. >> Read more about Peppol for the masses Privacy Enhancements for PowerDNS and DNSdist — Make it easier to deploy private DoT/DoH resolvers DNS over TLS (DoT) and DNS over HTTPS (DoH) are two recent developments in the DNS field, and currently these are dominated by US based providers. The project will enhance the availability of open, trustworthy, privacy respecting DNS Resolvers in such a way that it allows any DNS provider, operator, or user to provide encrypted DNS service. This project aims to speed up implementation, improvement and standardisation of the most important Privacy enhancing features of DNSdist and PowerDNS resolvers to allow for the entire DNS-chain (from client, to caching-resolver, to authoritative nameserver) to be encrypted. The project will add support to the (open source) PowerDNS components (dnsdist, recursor and Authoritative server) for the privacy features necessary. >> Read more about Privacy Enhancements for PowerDNS and DNSdist Prosody IM — Implement SASL authentication mechanism for XMPP XMPP is the most widely deployed standard protocol for real-time messaging today, and is a very popular choice among individuals and organizations who wish to manage their own internet communications, instead of submitting to other (e.g. commercial/data-driven) communication platforms. For an XMPP user to log in to their account today, two things are required: a username and a password. This has remained unchanged for many years, while other technologies have been steadily advancing to support security-enhancing features such as multi-factor authentication or even self-sovereign identities. 
XMPP uses an authentication umbrella standard known as SASL to authenticate all connections. The way XMPP integrates SASL is defined in RFC 6120 and assumes a very simple challenge-response flow, which has worked well in allowing us to upgrade the network from older SASL mechanisms such as DIGEST-MD5 and onto more modern mechanisms such as SCRAM-SHA-1 and SCRAM-SHA-256. To gain new authentication features beyond simple password authentication, we need to evolve XMPP’s relationship with SASL. This project will deliver just that, and will be the first complete implementation of a proposed standard (XEP-0388: Extensible SASL Profile) into the popular Prosody XMPP server. It will also implement support for per-session access control throughout Prosody, and support for XEP-0386 (Bind 2.0). >> Read more about Prosody IM Python bindings to the rattler library — Rattler is a Rust-based library to interact with the conda package ecosystem (which provides binary, cross-platform software packages for Windows, macOS and Linux). Rattler makes it easy to resolve package dependencies with a SAT solver, download the packages, and create virtual environments on the user’s computer. The main focus of this project is the py-rattler bindings, which give users the power to use rattler from Python, to create virtual environments programmatically. Furthermore, py-rattler will be used by other tools in the ecosystem such as the bot infrastructure that powers “conda-forge”, the largest open source repository in the conda universe. >> Read more about Python bindings to the rattler library Rauthy — Reliable OpenID Connect IdP and IAM solution. Rauthy is a lightweight and easy to use OpenID Connect Identity Provider. It aims to be simple to both set up and operate, with very secure defaults and lots of config options, if you need the flexibility. It puts heavy emphasis on Passkeys and a very strong security in general.
The project is written in Rust to be as memory efficient, secure and fast as possible, and it can run on basically any hardware. If you need Single Sign-On support for IoT or headless CLI tools, it's got you covered as well. You get High-Availability, client branding, UI translation, a nice Admin UI, Events and Auditing, and many more features. By default, it does not depend on an external database but runs on top of Hiqlite, an embeddable SQLite database that can form a Raft cluster to provide strong consistency and high availability - although it can use e.g. Postgres as an alternative. This makes it simple to operate, while scaling up to millions of users easily. >> Read more about Rauthy Redwax — Standardisation of client side PKI interfaces The internet was not designed as a public infrastructure and most of the engineering trade-offs of the lower-layer technologies have generally erred on the side of accommodating fast growth and ease rather than values such as security, confidentiality and privacy. Yet today the internet is everywhere from providing a place for democratic discourse to healthcare to finance and personal communication. Redwax aims to decentralise trust management so that the values security, confidentiality and privacy can be upheld in public infrastructure and private interactions. The overarching goal of Redwax is to strengthen the existing technologies and infrastructure by providing a modular and practical set of tools to manage public key based trust infrastructures as currently used. These tools capture and hard code a lot of industry best practice and specialist PKI knowledge so that they can be put into the hands of a much wider community than currently served by a few specialist industries. 
With this project the Redwax team hopes to help re-establish (and/or strengthen) the support for these non-centralized trust management technologies inside web browsers and other relevant applications by working with standards organizations and industry coordination groups, and to create the initial reference implementations for their standardisation. >> Read more about Redwax Reproducible F-Droid — Building a trusted app ecosystem with F-Droid F-Droid maintains a complete free software build/sign/deploy stack for securely making signed releases of Android apps in a fully automated way. This has been used since 2010 to run the f-droid.org repository of free software Android apps. Reproducible builds make it possible to establish a strong link between the actual apps running on our devices and the source code from which they were built. When the source code has been thoroughly inspected and is trusted, it is then possible to apply that same trust to the install binary. This project will make this stack much easier for other people and organizations to deploy and use on a daily basis. This allows organizations to run rebuilders to confirm that the releases available on f-droid.org or any F-Droid-compatible repository exactly match the source code. The resulting data can then be automatically consumed by the client app so it can communicate to the user that it was confirmed as a reproducible build. >> Read more about Reproducible F-Droid Robur private DNS resolver and DHCP server — Secure network configuration and DNS resolution DHCP and DNS are fundamental Internet protocols: DHCP is used for dynamic IP address configuration in a local network, DNS for resolving hostnames to IP addresses. In this project, we develop a robust DHCP server and DNS resolver as a MirageOS unikernel. 
MirageOS unikernels are self-contained virtual machine images which are composed of the required OCaml libraries, leading to a binary with a minimal trusted code base, and thus minimized attack surface. The choice of the memory-safe, functional, and statically typed language OCaml avoids common attack vectors, such as buffer overflows and double frees. MirageOS unikernels can be deployed on various hypervisors (Xen, KVM, BHyve), microkernels (Genode, Muen), or as a Unix binary (also with seccomp rules that allow only 10 system calls) on x86-64 and arm64. Several DHCP and DNS privacy extensions, extensive testing, and documentation are being worked on to allow everyone to use it on their home router or in the data center. Migration of existing configuration (e.g. dnsmasq) to Robur DNS resolver and DHCP server will be provided as well. >> Read more about Robur private DNS resolver and DHCP server Rocket CWMP — Remote governance and configuration for internet equipment CWMP (CPE WAN Management Protocol) or TR-069 is a technical specification of the Broadband Forum designed for remote governing of a CPE. CWMP is a standardized and widely-used text-based protocol enabling communication between CPE and Auto Configuration Server (ACS). Rocket CWMP is a modular CWMP-client capable of supporting TR-069, TR-181 and other technical reports. The project was started out of an industry gap regarding a production-ready, FOSS solution that meets the ISP requirements and the feature and security requirements of modern embedded devices. It is capable of integrating into existing solutions for automatic and remote software installation or provisioning of CPEs. The client is designed to be easily portable to different Linux platforms (OpenWrt and other Linux distributions such as Yocto, Debian, Ubuntu and others). Its modularity implies that developers can easily build new features based on their requirements. 
It would serve as a lightweight glue between CWMP and embedded Linux software standards for configuration and statistics. The end goal of this project would be to create and FOSS delivering mandatory remote management features in ISP ecosystem. ISPs would finally be equipped with a CWMP client that: a) is an open and extendable replacement of the closed software alternatives, b) is designed to easily include and configure various backend systems and c) allows replacing proprietary firmware and leveraging Open Source components. >> Read more about Rocket CWMP SASL Works for the InternetWide Architecture — Integrate new authentication mechanisms into SASL The SASL Works allow clients to use authentication mechanisms that meet their requirements, and use them in virtually all protocols, which includes but is not limited to the web. Servers, on the other hand, can flexibly adapt to clients from any domain, by backporting authentication inquiries to the client's own realm for the desired level of approval. Once configured, this process frees service providers from the need to manage user accounts and secure storage of credentials. Clients finally get a choice to use strong cryptographic authentication mechanisms instead of being forced to use a site programmer's poor approach to security. This in turn is helpful for setting higher levels of security policies in formal bodies such as organisations and governments, while generally simplifying the user interaction. >> Read more about SASL Works for the InternetWide Architecture SCION-RAINS — RAINS, Another Internet Naming Service (or, a DNS alternative) RAINS (which recursively stands for RAINS, Another Internet Naming Service) is an alternative name resolution protocol that has been designed with the aim to provide an ideal naming service for the SCION Internet architecture. 
SCION is one of the most ambitious and realistic alternative Internet architectures currently in play, and has interesting traits such as route control, failure isolation, multipath capabilities and explicit trust information for end-to-end communication. The RAINS architecture is simple but effective: while it resembles the architecture of DNS, it also benefits from being a clean-slate design and provides security across all TLDs - where DNS with DNSSEC fails to provide such capabilities across the board. RAINS, unlike DNS, has no relative clocks: the DNS TTL is replaced by the absolute validity timestamps on the signature. All records are signed. >> Read more about SCION-RAINS Geographic tagging of Routing and Forwarding — Geographic tagging and discovery of Internet Routing and Forwarding SCION is the first clean-slate Internet architecture designed to provide route control, failure isolation, and explicit trust information for end-to-end communication. As a path-based architecture, SCION end-hosts learn about available network path segments, and combine them into end-to-end paths, which are carried in packet headers. By design, SCION offers transparency to end hosts with respect to the path a packet travels through the network. This has numerous applications related to trust, compliance, and also privacy. By better understanding the geographic and legislative context of a path, users can for instance choose trustworthy paths that best protect their privacy. Or they can avoid the need for privacy-intrusive and expensive CDNs by selecting resources closer to them. SCION is the first to have such a decentralised system offer this kind of transparency and control to users of the network. 
>> Read more about Geographic tagging of Routing and Forwarding Software Heritage listers + tooling — Performance improvements and new listers/tooling for Software Heritage Software Heritage's ambition is to collect, preserve, and share all software that is publicly available in source code form. The platform currently lists and loads more than 200 million free and open source projects. One of the bottlenecks for collecting sources is the speed at which these can be collected. We want to address performance improvements on data discovery and ingestion through the usage of the PyPy interpreter, which should help in reducing CPU-bound work in highly repetitive areas of the Python code responsible for data analysis and validation. To expand the list of existing source code origins we will create new listers and loaders for Dlang, Julia and Elm package managers. >> Read more about Software Heritage listers + tooling Subliminal Messaging — Embedded secure channels within traditional and internet telephony Most of today's telephony consists of digital transmissions, so given a codec without mangling or added noise, it becomes possible to treat (part of) that as a data channel, and pass meaningful data through it while maintaining an acceptable noise floor to the sound being transmitted. That data channel can give rise to information exchange, including key material and alternative contact options. The project will work on various improvements that connect telephony and digital communication: (1) VPN setup with telephony protocols, (2) data communication over the PSTN backbone and its extensions into VoIP, (3) digital security for PSTN and VoIP calls. >> Read more about Subliminal Messaging Secure Web Tokens for Linux — TPM 2.0 backed FIDO2/U2F tokens on Linux This project aims to develop a systemd daemon that utilizes the TPM 2.0 security chip to provide FIDO2/U2F tokens for web browsers and operating system applications on Linux. 
Leveraging the ubiquitous presence of TPM2 in modern PCs, the daemon will enhance security and usability for Linux users. It will allow the integration of security chips as access tokens with web extensions, secure local passwords and HOTP/TOTP managers, and enable hardware-based lock screen authentication mechanisms. The daemon will interface with the TPM2 chip to manage FIDO2 token generation. It includes support for the \"uhid\" kernel driver for button press emulation when no fingerprint reader is available for authentication. The project involves developing the daemon, ensuring seamless integration with systemd, and conducting extensive testing for functionality and security. Comprehensive documentation will be provided for setup and use, along with user guides for web extension integration. The outcome will be a robust, secure, and user-friendly solution for Linux users, elevating the baseline security and leveraging existing hardware capabilities to the fullest. >> Read more about Secure Web Tokens for Linux SeedVault Integrity — Add integrity checking and WebDAV support to SeedVault Android backups SeedVault Backup is an independent open-source app data backup application for Android and derived mobile operating systems. By storing Android users' data and files in a place the user chooses, and by using client-side encryption to protect backed-up data, SeedVault offers users maximum data privacy and resilience with minimal hassle. SeedVault uses Android's storage access framework (SAF) to read and write encrypted app data. This allows it to backup and restore application data on a wide range of platforms (such as Nextcloud) and even USB flash drives. The project will improve the current implementation to allow storing files also on generic WebDAV-based storage without the SAF abstraction layer for improved performance and reliability. It will be possible to decide what apps and files should be restored and to verify the integrity of the backups made. 
>> Read more about SeedVault Integrity SelfPrivacy — Reproducible self-hosting stack based on NixOS Self-hosting can be a challenge even for a professional, let alone an unprepared user. SelfPrivacy is a free application that helps you set up and manage your self-hosted services. The goal of the project is to create an accessible tool that gives everyone an opportunity to create their own self-hosted infrastructure. SelfPrivacy supports multiple platforms; to use it, all you need is to register with a provider and copy the access token into the application. SelfPrivacy will set up the system, domain, DNS and install open source services such as E-Mail, Nextcloud, Jitsi, etc. SelfPrivacy automates the entire lifecycle: provisioning, updates, configuration changes, monitoring, backups and space management. >> Read more about SelfPrivacy A Secret Key Store for Sequoia PGP — Standards-compliant private key store for OpenPGP This project implements a private key store for Sequoia, a new OpenPGP implementation. Currently, Sequoia-using programs use private keys directly. A private key store mediates applications' access to private keys, and offers three major advantages relative to the status quo. First, a private key store is in a separate address space. This means that private keys that are in memory are in a different address space from the application. The absence of this separation was the underlying cause of the Heartbleed vulnerability. Second, a private key store can provide a uniform interface for accessing keys stored on different backends, e.g., an in-memory key, a key on a smart card, or a key on a remote computer, which is accessed via ssh. This simplifies applications. Third, this architecture simplifies sharing private key material among multiple applications. Only the private key store needs to worry about managing the private key material, which improves security. 
And, when a user unlocks a key in one application, it is potentially unlocked in all applications, which improves usability. >> Read more about A Secret Key Store for Sequoia PGP Adding TPM Support to Sequoia PGP — Implement use of TPM 2.0 crypto hardware for OpenPGP Protecting cryptographic keys is hard. If they are stored in a file, an attacker can exfiltrate them - even if the hard drive is encrypted at rest. A good practical solution is a hardware token like a Nitrokey, which stores keys and exposes a limited API to the host. For most end users, a token is a hassle: one needs to carry it around, it needs to be inserted, and it is not possible to work if it is left at home. And, it needs to be purchased. There is a better solution, which doesn't cost anything. A trusted computing module (TPM) is like an always-connected hardware token only more powerful (the keys can be bound to a particular OS installation, it can store a nearly unlimited number of keys, not just three) and TPMs are already present in most computers. This project will add support for TPMs to Sequoia PGP including comprehensive test suites and in-depth documentation for both software engineers (as an API) and end users (as a way to use TPM-bound keys through Sequoia's command-line interface (sq) for decryption and signing). >> Read more about Adding TPM Support to Sequoia PGP SignRoom — Zenroom based signature and credential platform Leveraging the quantum-proof cryptographic implementation done in Zenroom (along with Zenroom's other cryptographic flows) we are developing a simple to use web-based platform, allowing users to sign and verify messages and documents (PDF, Office files, pictures etc) using quantum-proof signatures, ECDSA signatures, Schnorr signatures and multi-signatures. Document signatures are stored inside the document using the PAdES and XAdES protocols. The tool will also produce and verify zero-knowledge proof credentials, W3C-VC credentials for signature and verification. 
The platform is built as a PWA, is mobile friendly, and has APIs for third-party integration and a library to integrate into mobile applications, along with bindings for multiple programming languages. >> Read more about SignRoom Solid Application Interoperability — Solid Application Interoperability specification details how Agents in the Solid ecosystem can read, write, and manage data stored in a Solid pod using disparate Applications, either individually or in collaboration with other Agents. Solid is a specification that lets people store their data securely in decentralized data stores called Pods. Pods are like secure personal web servers for data. When data is stored in someone's Pod, they control which people and applications can access it. Solid was initiated and is currently led by the inventor of the World Wide Web, Sir Tim Berners-Lee. Solid Application Interoperability provides a clear way to create intuitive data boundaries and higher level patterns to manage access to that data following the principle of least privilege. The specification is accompanied by a primer and sample implementations. >> Read more about Solid Application Interoperability Solid Application Interoperability — Interoperable Data sharing flows and discovery for Solid Solid Application Interoperability specification details how Agents in the Solid ecosystem can read, write, and manage data stored in a Solid pod using disparate Applications, either individually or in collaboration with other Agents. Solid is a specification that lets people store their data securely in decentralized data stores called Pods. Pods are like secure personal web servers for data. When data is stored in someone's Pod, they control which people and applications can access it. Solid Application Interoperability provides a clear way to create intuitive data boundaries and higher level patterns to manage access to that data following the principle of least privilege. 
The focus of this project is on three parts: i18n for the Authorization Agent, data sharing flows and verifying WebID of social peers. >> Read more about Solid Application Interoperability Solid Wallet — Authorization reasoning, rule-based controls and fluid integration for Solid Solid Apps display information collected by following linked data across the World Wide Web, writing changes to Solid Personal Online Data Stores (PODs). Following links can land an App on a protected resource somewhere on the Web, accessible only to a select group of actors specified in an associated Web Access Control Resource. Solid Wallet aims to build core libraries to reason over Solid Access Control Rules, limit access to what clients can request, publish keys and sign transactions. The same libraries will also be useable by servers to verify such claims. Finally, we will use these libraries to build a flexible prototype Wallet for Solid apps that run in the browser or server. >> Read more about Solid Wallet Dual-level Specification Inference — Make formal verification more practical with dual-level Specification Inference While formal verification of smart contracts gains traction, writing formal specifications can be equally if not more costly than writing code. Spec^2 is a specification inference framework that aims to automatically deduce a high-quality set of specs based on the code only. The inferred specs include both per-transaction pre-post conditions (low-level specs) and invariants on the blockchain-backed storage (high-level specs). Furthermore, the inferred specs should be similar to what experts might develop manually and can be easily examined by people without formal verification training. The funding from NLnet and NGI Assure will be used to prototype Spec^2 against the Move language and infer specifications for Move-based smart contracts. 
>> Read more about Dual-level Specification Inference Statime PTP Master — Statime - Zero-allocation cross-platform Precision Time Protocol High-precision clock synchronization is becoming increasingly important in application areas such as high precision localization, finance, broadcasting, security protocols, smart grids, and cellular base station transmissions. The Precision Time Protocol (PTP) is widely used for these critical applications and it is therefore important for it to be as secure and reliable as possible. We have previously developed the first iteration of Statime, an implementation of a PTP slave in the Rust programming language. The outcome of that project is a secure-by-design implementation, leveraging the Rust borrow checker to guarantee memory-safety. With this project, we will expand our implementation in two ways. Firstly, we will expand the feature set to include a PTP master, conforming to the IEEE standard for PTP (the 2019 version, IEEE1588-2019), so we can run a full PTP instance with the memory-safety guarantees that our implementation provides. Secondly, our implementation will be able to run without an operating system or system allocator. Those properties make the implementation inherently portable and more reliable. Our concrete goal for this second phase is that it runs on the stm32f7 microcontroller, a device with built-in PTP Ethernet support, but otherwise limited capabilities. >> Read more about Statime PTP Master Client Proof-of-Work in TLS — Mitigation against DoS amplification on the TLS handshake The computationally expensive nature of asymmetric crypto in TLS makes it vulnerable to denial-of-service attacks. We propose an extension to TLS that mitigates this attack vector, shifting the advantage from the attacker to the defender. The project will deliver a draft spec, mergeable patches for leading TLS libraries, and a measurement report explaining the results. 
>> Read more about Client Proof-of-Work in TLS Threadiverse Reproducible Deployment — Reproducible deployment for Threadiverse servers Fediverse is more than short form microblogging. The ActivityPub protocol connects all kinds of software for various communication needs. Some of those are concentrated on long blogs and threaded discussion forums. A common understanding of conversations in ActivityPub and their secure and safe-from-spam implementation is being developed in several fediverse projects. This project focuses on stable and documented automated deployment for two of them - Hubzilla and Streams, including interoperability tests. This will support threadiverse standardization efforts, and help to bring features like group photoalbums and full channel portability between instances. >> Read more about Threadiverse Reproducible Deployment TrustING — Ultrafast AS-level Public-Key Infrastructure TrustING is a human-transparent and agile Trust Infrastructure for a Next-Generation Internet. This infrastructure enables any two entities to establish secret keys that can be used to encrypt and authenticate data. The foundation of TrustING is the AS-level Public-Key Infrastructure (PKI) of the SCION Internet Architecture that provides sovereignty (ensuring absence of global kill switches), trust transparency, and algorithm agility, among others. The TrustING service establishes symmetric keys with other domains in advance, and then relies on those keys to derive keys for local hosts. The core novelty of this approach is the ability to derive keys purely locally on both sides of the communication, without even requiring key transport. By making TrustING a control-plane mechanism offered by the network infrastructure, higher-level applications can make use of it without having to worry about complexities such as exchanging key material or establishing trust. 
To show the viability of TrustING, we will implement TLS trust bootstrapping using TrustING and additionally demonstrate the efficiency of TrustING by using it to authenticate SCMP (SCION's equivalent of ICMP) messages. >> Read more about TrustING Trust semantic learning and monitoring — Measure on-going trust between interacting agents Trust semantic learning and monitoring is part of a wide ranging effort to understand trust in network socio-technical systems. The expected outcome of this part is a methodology and proof of concept code library for qualifying and quantifying trust between agents in a network. In IT, trust is often treated as a binary \"crypto token\", based on some validation test, and developers naively speak of zero trust systems without understanding the depth of what trust really is. But, trust is a deeply social phenomenon, which changes in real time based on social and technical interactions. By applying learning algorithms and data analytics to streamed interactions, this project attempts to qualify and quantify a measure of trust as a way of making realtime risk estimates. >> Read more about Trust semantic learning and monitoring Tvix — Alternative Rust-based software build transparency Tvix is a modern design and implementation of the Nix package manager (GPLv3). It brings a modular architecture in which components such as the build environment or package store are replaceable, which enables new use-cases and platforms. A graph-reduction evaluation model will make it possible to use Nix for package definitions and entire system configurations, its proven and tested use case, as well as for granular build definitions for individual components of software. Tvix will be fully compatible with nixpkgs, the existing package definition set for Nix, letting its users leverage more than a decade of community contributions and making it useful right out-of-the-box. 
>> Read more about Tvix Universal DID Resolver and Registrar — Tooling for decentralized identifiers The Universal DID Resolver and Registrar are open-source software components that implement Decentralized Identifiers (DIDs). DIDs lie at the heart of an emerging technical and social paradigm known as \"self-sovereign identity\" (SSI), which allows individuals, organizations, and things to create and manage their digital identities without dependence on any central authority or intermediary. This technology is highly aligned with Next Generation Internet values such as human-centricity, openness, trust, and reliability. DIDs as a building block for protocols are of similar importance to Internet infrastructure as other identifiers such as domain names or e-mail addresses. The Universal DID Resolver and Registrar are aligned with corresponding W3C community group specification efforts. Development and maintenance of the code takes place in close collaboration with relevant community and industry stakeholders such as the Decentralized Identity Foundation, uPort, Jolocom, Sovrin, Civic, Veres One, Blockstack, ERC725 Alliance, etc. >> Read more about Universal DID Resolver and Registrar XWiki — Bring wiki capabilities into the Fediverse XWiki is a modern and extensible open source wiki platform. Up until now, XWiki had been focusing on providing the best collaboration experience and features to its users. We're now taking this to the next level by having XWiki be part of the larger federation of collaboration and social software (a.k.a. fediverse), thus allowing users to collaborate externally. XWiki is embracing the W3C ActivityPub specification. Specifically we're implementing the server part of the specification, to be able to both view activity and content happening in external services inside XWiki itself and to make XWiki's activity and content available from these other services too. 
A specific but crucial use case is to allow content collaboration between different XWiki servers, sharing content and activity. >> Read more about XWiki Wispwot — Implement generalized scalable protection against disruptive behavior in content discovery Spam and intentional disruption are a major problem in the clearnet. They make it infeasible to have comments on websites without moderation teams, privacy-invading humanity checking, and access-restrictions, and they force social networks to decide between invasive censorship and exposing their community to abuse, propaganda and targeted harassment. The core of the problem is that spam scales better than spam-blocking. This project brings the spam-defense from the Hyphanet Project to the fediverse. It replaces instant global visibility with incremental local visibility, fueled by positive social interaction and transitive blocking, so spammers quickly become invisible to most. To scale for groups of arbitrary size, it extends the system from Hyphanet by adding pruning of inactive accounts and efficient rediscovery. With this project, spam-protection scales better than spamming, reducing the work needed to cope with hostile communication, so group-communication won’t require the outsourced, underpaid moderation teams that are prevalent in most centralized social networks. >> Read more about Wispwot MLS for XMPP — Add Message Layer Security to XMPP XMPP (Extensible Messaging and Presence Protocol) is an IETF-standardized (RFC 6120/6121) communication protocol designed for instant messaging and other near-real-time exchange of structured data between two or more network entities. MLS (Messaging Layer Security) is an emerging, IETF-standardized (RFC 9420) protocol for end-to-end encryption of messages and a central part of the IETF MIMI (More Instant Messaging Interoperability) effort to allow communication across messaging apps, for example in the context of the EU Digital Markets Act. 
This project adds support for MLS encrypted messaging to XMPP group chats. This includes creating a prototype implementation, standardizing an XMPP Extension Protocol (XEP) and introducing support in two existing XMPP clients. >> Read more about MLS for XMPP ARPA2 resource ACL and HTTP SASL modules for NGINX — Extend consistent access control to NGINX webserver In most of our daily interactions with a remote server we depend on the application running on the server to properly authenticate the user within the browser session, and to manage who can do what. However, if we want to enforce stronger guarantees with regards to restricted resources and tasks, our options are much more limited. This project from the ARPA2 community wants to move the state of the art in access control forward by combining the extensible SASL standard with a well-defined generic ACL mechanism that also allows for pseudonymity. The project will produce a self-contained library and two modules for a popular web server (NGINX) that use the new library. With the NGINX HTTP SASL module a user-agent can authenticate to the web server using any SASL mechanism the server supports. With the NGINX ARPA2 ACL module the web server can determine whether an authenticated user has authorization for the request that he/she sent. I.e., a user makes the request: \"DELETE /messages/10\" and the server can then decide based on the authenticated user, the action and resource whether this is allowed or not. >> Read more about ARPA2 resource ACL and HTTP SASL modules for NGINX Bitmask — User-friendly and secure VPN configuration Bitmask is a Desktop and Android client designed to achieve a zero-configuration end-user experience for setting up a VPN that connects to a given set of providers - those that follow the LEAP platform specification. To do so, clients rely on providers exposing configuration files on well-known URLs, according to their particular setup regarding the available VPN gateways and transports. 
This project aims at adding low-end routers as a new platform that users can choose when installing BitmaskVPN. Running VPN software in a commonly available router, with hardware-based user interfaces, will greatly extend the target audience for Bitmask. To achieve this goal, the BitmaskVPN client will be ported to Nim, a statically typed language that generates small native and dependency-free executables, allowing the setup of the VPN with the switch of a hardware button. Finally, the resulting port will be packaged for OpenWRT, and build scripts will be made available for providers to offer to their users a ready-to-use flashing image for a selection of routers. >> Read more about Bitmask Distributed Mechanism Learning — Privacy preserving ways of distributed data usage Mechanism design is a field concerned with finding rules for economic processes which incentivize self-interested agents to behave in such a way that a common goal is reached. This project aims to build robust infrastructure for mechanism design via machine learning, to make theoretical results more applicable to practical networked deployments. We plan to do this by finding solutions for the following two problems and making them accessible to developers, while keeping the required domain knowledge to a minimum: On the one hand, a trusted third party is often assumed to exist, which is supposed to learn and execute the mechanism. In practice, finding neutral trusted parties who do not stand to gain anything from cheating can be hard. To solve this problem, we distribute the computation of the trusted party over multiple computers, ideally controlled by different entities, using multiparty computation. This way, we get a more robust trust base with better alignment of incentives. On the other hand, current models often assume prior knowledge about preference distributions of agents to learn optimal mechanisms. In practice, this knowledge is not always available. 
We exchange finding optimal solutions using prior information with finding approximate solutions using no prior information, by way of differentially private learning. This results in more general applicability, especially in settings with sparse information. >> Read more about Distributed Mechanism Learning django-allauth — Versatile authentication for Django The goal of django-allauth is to offer a free, secure, well integrated, reusable authentication solution for the Django framework, covering all functionality related to local and social user accounts, multi-factor authentication, in various configurations, with flows that just work. By simpliyfing the complexities associated with user authentication, django-allauth empowers Django developers of all kinds to focus on building their web applications without compromising on the authentication features provided to their end users. >> Read more about django-allauth imap-codec library — Release version 1.0 of the imap-codec library With an expected volume of 333 billion messages per day in 2022, email is one of today's most common methods to exchange information on the Internet. For better or worse, email is unlikely to go away soon, meaning that even the latest software needs to support it in a trustworthy and resilient way. imap-codec is a misuse-resistant IMAP parsing and serialization library focusing on correctness and security. It should pave the way for a new generation of email clients, servers, and utilities written in Rust and become a reusable building block for the Next Generation Internet. To archive that, it is essential to stabilize the API, improve testing, provide excellent documentation, and establish a welcoming and sustainable open-source environment for imap-codec. >> Read more about imap-codec library DNSSEC Key Signing Suite — A best practise for DNSSEC Key Signing DNSSEC provides trust in the DNS by guaranteeing the authenticity and integrity of DNS responses. 
As DNS is of fundamental importance to most Internet communication, this is a vital function that needs safeguarding. Beyond providing trust in the DNS, DNSSEC is a key enabler for other technologies that improve the security, privacy and trust of Internet users. In the DNSSEC Key Signing Suite project we build a set of tools, scripts and guidelines (a playbook) to facilitate simple key signing with a standardised ceremony that has automated checks and audits where possible. The impact of this will be twofold. First, it leads to reliable, predictable and verifiable key ceremonies, which improves the trust in DNSSEC. Second, it will significantly ease the burden of operation, bringing the use of a validated and trustworthy signing procedure within reach for many more DNSSEC operators than today (e.g. smaller or less profitable top-level domain operators). >> Read more about DNSSEC Key Signing Suite Maintenance and portability of sudo-rs — Make sudo-rs available cross-platform The sudo and su utilities guard a critical privilege boundary on just about every free and open-source operating system that powers the Internet. Memory safety bugs occur in the original sudo from time to time, and there is only one maintainer to fix them. For these reasons sudo-rs was written: a Rust drop-in replacement for sudo on Linux. For it to be a success, it needs to gain adoption. In this project, we will 1) address bugs and incompatibilities between sudo-rs and sudo and 2) port it to platforms other than Linux, to grow its user base and viability. >> Read more about Maintenance and portability of sudo-rs ","url":"https://nlnet.nl/thema/Middlewareandidentity.html","title":"Middleware and identity"},{"description":" Measurement Measurement, monitoring, analysis and abuse handling This page contains a concise overview of projects funded by NLnet foundation that belong to Measurement (see the thematic index). 
There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. 0WM — Measure and visualize Wi-Fi coverage Wi-Fi coverage is key in corporate and BYOD environments, as the mobility offered by wireless protocols often outweighs criteria such as speed and stability, offered by wired alternatives. These criteria are however critical to guarantee a suitable quality of service, and reliable options to help network operators are scarce and unaffordable to small organizations. 0WM will provide feature-rich tools to produce quality coverage maps, leveraging affordable COTS components, to quickly and efficiently identify coverage problems affecting end users. >> Read more about 0WM Firmwire full-system 5G baseband emulation — Easier testing of 5G baseband modems with FirmWire FirmWire is an open source full-system baseband firmware emulation framework for emulating, fuzzing, debugging, and root-cause analysis of smartphone baseband firmware. This project builds upon the framework to support newer, 5G capable, smartphones. Baseband processors are used in all modern smartphones for cellular network connectivity and are a remote attack surface. As such, baseband security is of utmost importance. Baseband firmware is complex, proprietary, and lacks public scrutiny. Emulation and reverse engineering are one of the few public ways to analyze baseband processors. These efforts will provide more transparency in baseband firmware and improve the community’s ability to analyze 5G security through emulation and fuzzing. Additionally, the reverse engineering efforts could aid in developing better open source drivers in the future. 
>> Read more about Firmwire full-system 5G baseband emulation Yama Analytics — Privacy-friendly analytics microservice using server logs For small organisations and individuals who wish to respect their visitors' privacy while needing to obtain analytics, there are limited options. The most elegant option (and the most privacy-respecting one) is to provide real-time analytics by ingesting the web server logs. This doesn't involve/require doing anything client-side (no scripting, no invisible pixels, etc): all the information needed can be derived from these log files without resorting to tricks. The form factor of a drop-in microservice allows for easy integration into other tools (which offers a significant improvement in terms of usability), and makes it portable. The end result will provide a neat solution for small actors to make self-hosting of their website 'batteries included'. >> Read more about Yama Analytics Detecting Forged-Origin BGP hijacks — Probabilistic detection of BGP hijacking Hackers often exploit vulnerabilities in BGP, the primary inter-domain routing protocol (essentially the “glue” that connects all networks on the Internet), to hijack Internet traffic. Our project builds on our work in detecting forged-origin BGP hijacks, a specific type of BGP hijack that remains unaddressed by recent cryptographic efforts aimed at securing BGP. Our objective is to enhance the accuracy of our detection system, which relies on a probabilistic model to compensate for the lack of cryptographic tools, ensuring that no attack goes unnoticed. Additionally, we plan to share our data and improve access to our inferences by developing APIs. This will enable both network operators and the research community to benefit from our findings and apply them to improve the security of their networks. 
>> Read more about Detecting Forged-Origin BGP hijacks BIDS: Binary Identification of Dependencies with Search — Identify known open source elements present in binaries Embedded device firmware is assembled from many FOSS package dependencies. Knowing which dependencies have been used is essential for security and licence compliance. However this is a complex task for native ELF binaries built from languages such as C/C++ that do not have package managers for metadata and simpler conventions for bytecode like Java or Python. The BIDS (Binary Identification of Dependencies with Search) project will build a tool (in Python) to analyse ELF binaries and find dependencies contained and built in these binaries. The BIDS project will deliver tooling to analyse ELF binaries and extract key features and store these for indexing, tooling to index these binary features in a search engine using inverted indexing, and a query tool and library to process large binaries to query this inverted index. The latter will return results as lists of ranked FOSS packages and files found to be present in the analysed binary. The data and tools will also be packaged to allow for further integration and reuse by other FOSS tools and analysis pipelines. >> Read more about BIDS: Binary Identification of Dependencies with Search Back2Source next — Better matching of binaries with source code Sometimes, the released binaries of an open source package do not match its source code. Or the source code does not match the code in a version control repository. There are many reasons for this discrepancy, but in all cases, this is a potential serious issue as the binary cannot be trusted. Additional (or different) code in the binary could be malware or a vector for unknown software vulnerabilities, or create FOSS license compliance issues. 
\"Back to source\" creates analysis pipelines in ScanCode.io to systematically map and cross-reference the binaries of a FOSS package to its source code and source repository and report discrepancies. We call this the deployment to development analysis (d2d) to map deployed code (binaries) to the development code (the sources) and we enable applying this \"trust but verify\" approach to all the binaries. >> Read more about Back2Source next CRAVEX — Cyber Resilience Application for Vulnerability Exploitability Exchange There is no free and open source vulnerability exploitability management application centered on software packages. Vulnerability management applications traditionally serve the needs of security teams first. There is a fundamental disconnect between the package-centric mindset of a developer and the vulnerability-centric mindset of a security analyst. Developers need modern tools to manage, triage, rate, review, and determine exploitability of package vulnerabilities in a package-centric world. They are the primary stakeholders and best positioned to tackle open source package vulnerabilities at the root. With the impending requirements of the CRA, open source projects and small businesses urgently need a free and open solution to comply with these new emerging mandates with minimal friction and costs. The Cyber Resilience Application for Vulnerability Exploitability (CRAVEX) is a web-based app designed to fulfill these requirements for better software supply chain integrity and security. CRAVEX will make it easier for any organization to comply with the emerging CRA and other regulatory requirements, efficiently, and improve the overall security posture of organizations of all sizes, especially for SMEs. CRAVEX will collect, track, and triage FOSS package vulnerabilities, determine their exploitability in a portfolio of software products and projects, and provide reporting with SBOMs and VEX statements to share with stakeholders. 
>> Read more about CRAVEX CRAVEX integration — Integrated vulnerability exploitability management CRAVEX makes it easier for any organization to efficiently comply with the emerging CRA. The solution is based on the AboutCode stack of open source tools, but no solution is an island. This project integrates CRAVEX with other tools to better orchestrate software supply chain and compliance automation, including: packaging for Linux distributions to maximize the ease of deployment, business systems to create tailored SBOMs and VEX, other FOSS SCA tools to accommodate different software stacks, CI/CD pipelines with scripts and workflows to improve usability, and container cluster analysis to allow users to point to a Kubernetes cluster to collect and scan all the images, and then detect vulnerabilities. The CRAVEX Integration project orchestrates the different tools critical for practical and efficient software supply chain management and compliance automation processes. >> Read more about CRAVEX integration CRAVEX 2 Code Reachability — Do vulnerable dependencies actually impact security or not? CRAVEX makes it easier for any organization to efficiently comply with the emerging CRA. CRAVEX collects, tracks, and triages FOSS package vulnerabilities, determines their exploitability in a portfolio of software products and projects, and provides reporting with SBOMs and VEX statements to share with stakeholders. CRAVEX 2 enables CRAVEX users to triage vulnerabilities faster and more efficiently with automation and more accurate vulnerability data. An integrated, rule-based system automatically filters or reranks the vulnerabilities in the context of the managed application, system or device. This will integrate the emerging SSVC scoring for decision trees-driven automation. Vulnerable code \"reachability\" determines if the code impacted by a CVE is present, used, and exploitable. It will integrate and extend the features of NGI0-funded and FOSS projects, such as BANG.
With increased automation and more accurate data, CRAVEX 2 further facilitates CRAVEX users' ability to efficiently manage vulnerabilities towards CRA compliance. >> Read more about CRAVEX 2 Code Reachability Supersizing the Gun — Chipwhisperer open hardware for side channel analysis ChipWhisperer is an open hardware and software toolchain that has been a mainstay of hardware security research. ChipWhisperer is used in academic curricula and in industrial R&D implementation security research labs for high speed side-channel power analysis and glitching attacks. The objective of this project is to explore design changes to the current ChipWhisperer hardware, so as to allow capturing of longer power analysis traces and to cater to higher clock speeds than currently supported. Here, the intent is to make it easier to perform side-channel-related analysis of public-key algorithms, without the need to artificially break down the algorithms into multiple components due to platform constraints. This allows for more realistic and practically relevant attacks. This project additionally entails the development of fine-grained post-processing tools, which would make further analysis of captured traces of public-key algorithms easier. Ultimately, the goal is to work towards candidate post-quantum algorithms, which are known to be more resource-hungry. The project funded by NGI Zero would specifically target design changes to considerably increase the sampling rate (towards 200-250 MS/s) and to provide for a streaming mode (initially envisioned to be roughly 15-30 MS/s). It includes both a new hardware design and a significant update to the current open-source software of the ChipWhisperer platform, as well as demonstration of how to successfully use this with practically relevant ECC public-key algorithms. 
>> Read more about Supersizing the Gun Darkstar — Open source vulnerability management solution Build an open source, self hostable, commercial grade attack surface management/vulnerability management solution, for web, network, agent based and cloud security. Our idea is to build a self hostable (container based) vulnerability management solution, which allows companies and people worldwide to monitor their security through finding vulnerabilities. The main focus lies on creating the basic features that are required for a functional vulnerability management solution: on demand scanning, reporting, prioritization, scanning internal networks via container appliances you can place on your network, scanning external attack surface (web security scanning/DAST), network based external security scanning and agent-based vulnerability management. >> Read more about Darkstar EDeA — Repeatable, automated measurement data capture EDeA is a set of tools and a web portal which makes it easier for people to share and collaborate on Open Hardware sub-circuits. The scope of this project is to further improve on the collaboration aspect of the portal and to build the EDeA Measurement Server. The EDeA Measurement Server is a tool for automated scientific data capture (not only) for sub-circuits and a library which enables test & measurement as code. This makes it possible to analyze, reason about and share open hardware in a repeatable and consistent manner. >> Read more about EDeA EEZ Studio — Open source tooling for measurement and test equipment EEZ Studio is a free and open source cross-platform low-code visual tool that brings the functionality of legacy solutions for effective control of test and measurement devices. Modern user interface, modular design, debugger, drag&drop flowchart programming will enable easy collection of measurement data as well as automation of test procedures in different environments from classrooms, workshops, laboratories to production lines.
EEZ Studio also offers a development environment for efficient creation of GUIs for embedded systems that use touchscreens. Unlike similar solutions, EEZ Studio enables not only drag&drop programming, debugging and GUI simulator, but also the creation of complex business logic for interaction with the user and with underlying hardware functionality. >> Read more about EEZ Studio EEZ flow for EEZ Studio — Open Hardware Test & Measurement equipment EEZ Studio is a free and open source cross-platform tool which offers a development environment for efficient creation of user interfaces for embedded systems that use touchscreens. This allows for visual development of embedded GUIs and dashboards through which one can manage test and measurement equipment - including for test and measurement automation. In this project, the team will improve communication with test and measuring devices, allowing to manage multiple instruments, add networking capabilities and support for non-SCPI instruments and devices. In addition the project will develop templates for more easily creating dashboards, make the creation of report and working with project scrapbook easier, and improve data and session management. >> Read more about EEZ flow for EEZ Studio Tracking the Trackers — Automated scanning for spyware in mobile applications F-Droid is a free software, community app store that has been working since 2010 to make all forms of tracking and advertising visible to users. It is the trusted name for privacy in Android, and app developers who sell based on privacy make the extra effort to get their apps included in the F-Droid.org collection. These include Nextcloud, Tor Browser, TAZ.de, and Tutanota. Auditing apps for tracking is labor intensive and error prone, yet ever more in demand. Our tools already aid F-Droid contributors in this process. This project creates new tools using machine learning to drastically speed up this process by augmenting the human review process.
Since the prime motivation of the F-Droid community is ethical software distribution, algorithms will never replace humans in making ethical decisions. We will also explore using machine learning to detect tracking in a more generic way, without requiring manually compiled lists of key information. The resulting tools will be generally available for any use case needing to reliably detect trackers in Android apps. This builds upon our collaboration with Exodus Privacy and LibScout. >> Read more about Tracking the Trackers FPGA Fault Injection Testing — Better testing towards preventing fault injection in FPGA's Fault injection aims at disrupting the orderly way in which data and instructions in a chip are processed. This can be achieved, e.g., by malicious glitches that briefly interrupt the supplied voltage of the chip. To better protect against faults, countermeasures need to be implemented, such as glitch sensors that can detect these adversarial conditions. Due to the wide range of fault injection methods, the development of glitch sensors is time-consuming and requires a wide range of lab capabilities. Within the context of FPGAs, such testing is often not feasible due to their unique configuration based on a bitstream. In this project we seek to demonstrate that in-situ fault injection by creating short-circuits in an FPGA is possible and that this can be used to emulate similar effects in the circuit that otherwise would require costly external instruments. In addition, since FPGAs can be reconfigured quickly, it is possible to rapidly test a wide range of fault injection configurations. We then implement and compare glitch sensor designs in the FPGA and compare them to the state of the art (attacks and countermeasures) with the expectation to improve over previous results, as the fine-grained in-situ fault injection process is expected to offer more control over the testing process, resulting in a better calibration of the glitch sensor. 
>> Read more about FPGA Fault Injection Testing FederatedCode Next — UI and curation queue for VulnerableCode data enrichment VulnerableCode is an open-source database that aggregates and enriches data concerning CVE with metadata to make it easier to track CVEs across packages and dependencies. VulnerableCode was designed from its inception to correlate and aggregate multiple data sources and not have a single point of failure. The FederatedCode Next project aims to create a UI and curation queue for VulnerableCode in order to take the next step towards an open, peer-to-peer federated database of code vulnerabilities. This makes it possible to ensure cybersecurity professionals have the essential information they need to do their work when new vulnerabilities are unveiled - such as PURL and VERS version ranges for impacted and fixed package versions, Common Weakness Enumeration details to qualify the weakness exposed by a CVE, severity scoring, mitigation possibilities beside updating and patching, the actual commits/patches that introduce/fix a vulnerability for reachability analysis, related PoC for exploits, etcetera. >> Read more about FederatedCode Next GoatCounter — Privacy-friendly web analytics for small websites GoatCounter aims to provide meaningful privacy-friendly analytics for business purposes, while still staying usable for non-technical users to use on personal websites. The choices that currently exist are between hosted online services that have serious privacy issues, running your own complex software, or extremely simplistic \"vanity statistics\". GoatCounter attempts to strike a good balance between various interests. Major features include an easy to run self-hosted option, an intuitive user interface that is also accessible to website maintainers with accessibility needs, and meaningful statistics that go beyond \"vanity stats\" but still respect user privacy.
>> Read more about GoatCounter Lightmeter — Email server configuration lifecycle management Lightmeter will make it easy to run email servers large and small by visualising, monitoring, and notifying users of problems and opportunities for improved performance and security. People will regain control of sensitive communications either directly by running their own mailservers, or indirectly via the increased diversity and trustworthiness of mail hosting services. >> Read more about Lightmeter LANShield — Constrain local network access for mobile devices LANShield is a tool that will give users control over which apps and programs are allowed to access devices in the local network. This is done to defend against malicious apps that may try to scan the user's local network and subsequently leak sensitive information. For instance, when an app tries to access the local network for the first time, the user is asked whether this app should be allowed to access local devices. The project will also investigate models and protocols to safely enable an app to communicate with local devices, with the idea that apps can use this protocol to access local devices without requiring explicit user permission. The project will also investigate how to integrate this defence into Android. >> Read more about LANShield MPTCP — MultiPath TCP How do you find the best way to communicate with a computer on the other side of the internet? And why bet everything on a single connection? Multipath TCP (MPTCP) extends the most widely used transport protocol on the internet (TCP) so that it can discover and use several physical paths (e.g., Wifi, cellular, between multihomed servers) in parallel. This allows to speed up transfers, smoothly transition from wifi to cellular when leaving one's house or potentially prevent traffic spying. 
While the protocol is proven to work well in certain conditions (the fastest TCP connection ever was using MPTCP), it is configuration-sensitive and can degrade badly under adverse conditions (for instance in heterogeneous networks with small buffers). The aim of this project is to provide the tool to help analyze the performance of a multipath protocol as well as the software to (auto)configure the system depending on the application objective and network conditions. >> Read more about MPTCP Massive FOSS scan — License scan on the whole Software Heritage archive ScanCode is a comprehensive open source license and code origin scanner. It is actively used by many proprietary and FOSS tools for Software Composition Analysis. This project will make detecting FOSS licenses an issue of the past by running a massive license scan on the whole Software Heritage archive of over 20 billion unique source code files from more than 327 million projects, and the PurlDB index of all major package registries and linux distro's. The outcomes will be a massive commons reference database to speed up future scanning and matching processes with accurate license information, and a massive collection of fingerprints to enable approximate code matching at scale. This will be applied to the Software Assurance/MatchCode project, and available for other users and organizations as open data to improve FOSS code matching and discovery at an unprecedented scale. >> Read more about Massive FOSS scan MobileAtlas — A distributed open hardware test infrastructure to analyse mobile networks MobileAtlas is an international measurement platform for cellular networks that takes roaming measurements to the next level. Although mobile cellular networks have become a major Internet access technology, mobile data traffic is surging, and data roaming has become widely used, well-established measurement platforms (e.g., RIPE Atlas) are not well-suited for measurements in the mobile network ecosystem. 
This includes measurements of metered connections and consideration of roaming status and zero-rating offers. MobileAtlas implements a promising approach by geographically decoupling SIM card and modem, which boosts the scalability and flexibility of the measurement platform. It offers versatile capabilities and a controlled environment that makes a good foundation for qualitative measurements. We want to establish the framework with at least twenty open hardware probes, and create a platform for shared usage among scientists and Internet activists. >> Read more about MobileAtlas MobileAtlas — Taking roaming measurements to the next levelMobileAtlas MobileAtlas is an international measurement platform for cellular networks that takes roaming measurements to the next level. Although mobile cellular networks have become a major Internet access technology, mobile data traffic is surging, and data roaming has become widely used, well-established measurement platforms (e.g., RIPE Atlas) are not well-suited for measurements in the mobile network ecosystem. This includes measurements of metered connections and consideration of roaming status and zero-rating offers. MobileAtlas implements the promising approach to geographically decouple SIM card and modem, which boosts the scalability and flexibility of the measurement platform. It offers versatile capabilities and a controlled environment that makes a good foundation for accurate and fine-grained measurements. In the current phase we focus on increasing the coverage of the measurement platform and improving the support for emerging technologies (e.g. eSIM, IPv6, VoLTE, and 5G). >> Read more about MobileAtlas NoScript Contextual Policies & LAN protection — Application Boundaries Enforcer (ABE) for new generation of browsers NoScript is a FOSS browser extension for Firefox, Chromium and its derivatives. 
It can be used on desktop and mobile browsers, and enhances security by providing control over JavaScript and other active content. It is the first and still most effective XSS filter. NoScript is an integral part of the Tor Browser, as the back-end of its \"Security Level\" settings. ABE-Quantum is the next generation of the Application Boundary Enforcer (ABE), a NoScript module that provided protection against several cross-site and cross-network attacks. When Mozilla abandoned the legacy Firefox add-ons platform in 2017, ABE did not survive the painful transition to the new cross-browser (but backward incompatible) WebExtensions API. The ABE-Quantum project aims to bring the main ABE features to WebExtension-capable browsers, and specifically: 1) contextual content blocking policies depending both on the origin and the destination of the request, e.g. \"Block facebook.net scripts everywhere unless the parent site is facebook.com\"; 2) protecting LAN endpoints (i.e. routers or other internal applications) against browser-based attacks from the WAN using the web layer to work-around traditional firewalls. These features will be integrated in NoScript's user interface - rather than leveraging a firewall-inspired policy definition language like in the original ABE - in order to provide a simpler, more accessible and more intuitive user experience. >> Read more about NoScript Contextual Policies & LAN protection O-ESD — Open-hardware for ElectroStatic Discharge testing The goals of the Open-hardware for ElectroStatic Discharge testing (O-ESD) is to design, produce and verify an open-hardware and accompanying open-software for a device for electrostatic discharge testing. Electrostatic discharge is a phenomenon that occurs daily between humans and electronics and can irreversibly damage the electronics. All consumer electronics sold in EU, including all internet hardware, must satisfy Electromagnetic Compatibility (EMC) Directive. 
One of the most hardest tests within EMC directive deals with electrostatic discharge as defined by IEC/EN 61000-4-2 standard. Standardized tests are typically done with special equipment in accredited EMC laboratories and are costly. The O-ESD tester will minimize the costs of pre-compliance testing and make it publicly available. >> Read more about O-ESD OWASP dep-scan — Security and risk audit tool OWASP dep-scan is a next-generation Software Composition Analysis (SCA) tool based on known vulnerabilities, advisories, and license limitations for applications, container images, and Linux virtual machines. Powered by abc - AppThreat atom, OWASP blint, and CycloneDX Generator (cdxgen) - dep-scan performs a range of advanced code hierarchy and lifecycle analysis (for example, reachability analysis) to improve precision and reduce false positives, thus helping developers and AppSec people focus on supply chain vulnerabilities and risks that needs real attention. Dep-scan is purpose-built to be integrated in CI, Vulnerability Management platforms, and air-gapped environments. Dep-scan can perform all the analysis offline, with no code or SBOM leaving your environment. The tool supports generating reports in CycloneDX VDR, OASIS CSAF VEX, HTML, PDF, and Markdown formats. >> Read more about OWASP dep-scan OnBaSca — Tor Bandwidth Scanner The Tor network is comprised of thousands of volunteer-run relays around the world, and millions of people rely on it for privacy and freedom online everyday. To monitor the Tor network's performance, detect attacks on it, and better distribute load across the network, we employ what we call Tor bandwidth scanners. The bandwidth scanners are run by the directory authorities, which are special relays that maintains a list of currently-running relays. 
This project will make a number of improvements to the new bandwidth scanner called sbws, to make it easier for directory authorities to deploy it, for relay operators to better diagnose issues and for end users to benefit from increased quality of experience. >> Read more about OnBaSca Pijul ecosystem — A modern patch-based version control system Pijul is a modern patch-based version control system that addresses many shortcomings found in existing tools. While its foundations are already mature and well-tested, it lacks many conveniences users expect from the ecosystems of popular tools such as Git. This project aims to significantly reduce Pijul's barrier to adoption by addressing common areas of user feedback - documentation, usability, robustness, and integration into other tools such as text editors or CLI prompts. We believe this will improve the workflow of existing users, and enable many more to adopt Pijul and its benefits without sacrificing other parts of their workflow. >> Read more about Pijul ecosystem Reaction — Event-based system programming A lot of bots roam the internet, scanning server ports and web endpoints, and filling out any web form they come across - continuously on the lookout for vulnerabilities to exploit. In order to maintain server security, one of the currently most common defense mechanisms is to monitor logs for repetitive behaviour, or specific patterns implying the involvement of bots. With tools like fail2ban, one can write simple rules to automatically isolate machines identified as suspect. Reaction wants to provide a more modern and efficient approach to regex-based log scanning, allowing multiple reaction instances to communicate, sharing bans across an entire infrastructure as well as more intelligent and user-friendly soft bans. This extends the scope of this class of tooling allowing it to act as a light monitoring tool, or an orchestrator for any other event-based actions. 
>> Read more about Reaction Servo: Benchmarking and Statistics — Infrastructure for benchmarking and testing Servo Servo is a web engine written in Rust that already provides results from the Web Platform Test Suite. However, these results may be difficult for newcomers to understand, as they lack a clear indication of the progress in supporting modern web standards. This creates challenges for the community in assessing the current state of development. When the community inquires about the support for specific features, these capabilities can often only be verified through manual testing. Moreover, finding information about Servo's performance can be equally challenging. To address these issues, this project aims to develop an infrastructure to benchmark and report on the current state of Servo, monitor performance differences between commits, and present these metrics and supported features in a more comprehensible way. This will give the community a clearer understanding of the state of the Servo project, leading to a more active and engaged contribution environment. >> Read more about Servo: Benchmarking and Statistics Sniffnet — User-friendly network monitoring application Sniffnet is a cross-platform, Rust-based, fully open-source network monitoring application to help everyone keep an eye on their Internet traffic. Sniffnet is a technical tool, but at the same time it strongly focuses on the overall user experience: most of the network analyzers out there are cumbersome to use, while one of Sniffnet's cornerstones is to be usable with ease by virtually anyone. In an era dominated by network traffic encryption, Sniffnet doesn’t follow the standard monitoring approach that included reporting full packets’ payloads, but rather it provides flow-level details such as the country, the organization, the domain name, the upper-layer service, and other parameters that enable a more immediate understanding about the nature of the network traffic. 
>> Read more about Sniffnet Statime PTP Master — Statime - Zero-allocation cross-platform Precision Time Protocol High-precision clock synchronization is becoming increasingly important in application areas such as high precision localization, finance, broadcasting, security protocols, smart grids, and cellular base station transmissions. The Precision Time Protocol (PTP) is widely used for these critical applications and it is therefore important for it to be as secure and reliable as possible. We have previously developed the first iteration of Statime, an implementation of a PTP slave in the Rust programming language. The outcome of that project is a secure-by-design implementation, leveraging the Rust borrow checker to guarantee memory-safety. With this project, we will expand our implementation in two ways. Firstly, we will expand the feature set to include a PTP master, conforming to the IEEE standard for PTP (the 2019 version, IEEE1588-2019), so we can run a full PTP instance with the memory-safety guarantees that our implementation provides. Secondly, our implementation will be able to run without an operating system or system allocator. Those properties make the implementation inherently portable and more reliable. Our concrete goal for this second phase is that it runs on the stm32f7 microcontroller, a device with built-in PTP Ethernet support, but otherwise limited capabilities. >> Read more about Statime PTP Master Timing-Driven Place-and-Route (TDPR)  — Open hardware tool to synthesize digital silicon circuits The lack of an open-source timing-driven place-and-route tool is one of the major barriers to creating technically fully transparent digital integrated circuits such as microprocessors. The most popular open-source place-and-route tools available today are not timing-driven, hence the generated layouts are generally not guaranteed to satisfy the timing constraints. This requires tedious and time-consuming manual interventions. 
This project will combine published algorithms with existing open-source projects to fill this gap. The tool will be released with the free/libre AGPLv3 licence together with extensive documentation and tutorials. >> Read more about Timing-Driven Place-and-Route (TDPR)  Tracking weasel — Detect privacy violations in mobile apps Privacy and data protection are fundamental rights and already well protected by legal frameworks in the EU. Yet, tracking—often without consent—is ubiquitous and often unavoidable. While tech-savvy users can defend themselves against that to a certain degree with tools like tracking blockers, we want to attack the problem at its root to make the web safe for everyone, regardless of expertise. With this project, we want to build infrastructure to detect privacy violations in apps on Android and iOS and crowdsource complaints against this behaviour with the data protection authorities. The result will be a web app where users can select an app from the app stores, which we will then download and run in an emulator or on an actual device. We will analyse the apps’ network traffic and detect privacy violations not just based on server connections but the actual data being transmitted. We will also check any consent dialogs. The website will then show a report to the user and, depending on the results, give them the option to generate a complaint under the GDPR and ePrivacy Directive, complete with the collected evidence from the analysis in the form of screenshots and traffic dumps. >> Read more about Tracking weasel Trustix — Make build logs available as publicly verifiable, tamper-proof Merkle trees Software build infrastructure is vastly underestimated in terms of its potential security impact. When we install a computer program, we usually trust downloaded software binaries. 
But even in the case of open source software: how do we know that we aren't installing something malicious which is different from the source code we are looking at - for instance to put us in a botnet or siphon away cryptocurrencies? Typically, we have confidence in the binaries we install because we get them from a trusted provider. But once the provider itself is compromised, the binaries can be anything. This makes depending on individual providers a single point of failure in a software supply chain. Trustix is a tool that compares build outputs across a group of providers - it decentralizes trust. Multiple providers independently build the software, each in their own isolated environment, and then can vouch for the content of binaries that are the outcome of reproducible builds - while non-reproducible builds can be automatically detected. In this project the team will work on further enabling trust delegation, by offloading log verification to trusted third parties - heavily inspired by the Delegated Proof of Stake consensus algorithm. It will bring Trustix into the Nix and the Guix ecosystems that are most amenable to Trustix' approach. The ultimate goal is for Trustix to integrate seamlessly into the entirely decentralized software supply chain so we can securely distribute software without any central corruptible entity. >> Read more about Trustix Enhance the vulnerability database — Enhance the VulnerableCode vulnerability database \"Using Components with Known Vulnerabilities\" is one of the OWASP Top 10 Most Critical Web Application Security Risks. Identifying such vulnerable components is currently hindered by data structure and tools that are (1) designed primarily for commercial/proprietary software components and (2) too dependent on the National Vulnerability Database (funded by the US CISA and Dept. of Commerce). 
With the explosion of Free and Open Source Software (FOSS) usage, we need a new approach in order to efficiently identify security vulnerabilities in FOSS components that are the basis of every modern software system and application. And that approach should be based on open data and FOSS tools. This project delivers unique FOSS tools to aggregate software component vulnerability data from multiple sources, privileging upstream data directly from project maintainers. VulnerableCode organizes that data with a de-facto industry standard Package URL identifier (Package URL or PURL) enabling efficient and straightforward automation for the search for FOSS component security vulnerabilities. The benefits are to contribute to the improved security of software applications with open tools and data available freely to everyone and to lessen the dependence on a single foreign governmental data source, or a few foreign commercial data providers. In the new context of the upcoming Cyber Resilience Act (CRA), the access to an open, free and curated FOSS package vulnerability data source is now an imperative. And the organization of vulnerability data by Package URL or PURL identifiers in VulnerableCode enables easy frictionless integration with Software Composition Analysis (SCA) code analysis tool chains, direct enrichment of SBOMs (Software Bill of Materials) to find if SBOM-listed packages have known vulnerabilities, and creation of VEX (Vulnerability Exploitability Exchange) documents to communicate the impact of known vulnerabilities. >> Read more about Enhance the vulnerability database WebXray Discovery — Expose tracking mechanism in search hubs WebXray intends to build a filter extension for the popular and privacy-friendly meta-search Searx that will show users what third party trackers are used on the sites in their results pages. 
Full transparency of what tracker is operated by what company is provided to users, who will be able to filter out sites that use particular trackers. This filter tool will be built on the unique ownership database WebXray maintains of tracking companies that collect personal data of website visitors. Mapping the ownership of tracking companies which sell behavioural profiles of individuals, is critical for all privacy and trust-enhancing technologies. Considerable scrutiny is given to the large players who conduct third party tracking and advertising whilst little scrutiny is given to large numbers of smaller companies who collect and sell unknown volumes of personal data. Such collection is unsolicited, with invisible beneficiaries. The ease and speed of corporate registration provides the opportunity for data brokers to mitigate their liability when collecting data profiles. We must therefore establish a systematic database of data broker domain ownership. The filter extension that will be the output of the project will make this ownership database visible and actionable to end users, and to curate the crowdsourced data and add it to the current database of ownership (which is already comprehensive, containing detailed information on more than 1,000 ad tech tracking domains). >> Read more about WebXray Discovery XWiki — Bring wiki capabilities into the Fediverse XWiki is a modern and extensible open source wiki platform. Up until now, XWiki had been focusing on providing the best collaboration experience and features to its users. We're now taking this to the next level by having XWiki be part of the larger federation of collaboration and social software (a.k.a. fediverse), thus allowing users to collaborate externally. XWiki is embracing the W3C ActivityPub specification. 
Specifically we're implementing the server part of the specification, to be able to both view activity and content happening in external services inside XWiki itself and to make XWiki's activity and content available from these other services too. A specific but crucial use case, is to allow content collaboration between different XWiki servers, sharing content and activity. >> Read more about XWiki badkeys — Detect compromised cryptographic public keys Public key cryptography is an important building block of Internet security through protocols like TLS or SSH. Key generation vulnerabilities in cryptographic implementations can compromise the security of these mechanisms. The tool badkeys allows identifying public keys affected by known vulnerabilities. The project will implement improvements to badkeys' coverage of known-compromised keys and regular monitoring of public keys in TLS certificates, DNSSEC, and DKIM for known vulnerabilities. >> Read more about badkeys happyDomain — Simplify DNS zone management happyDomain is an interface designed to make domain name management more accessible, intuitive, and efficient. By consolidating domain names from multiple providers and abstracting technical complexities that often lead to common mistakes, happyDomain empowers operational teams to handle their domain needs effortlessly, saving time and reducing friction. Its modern interface offers essential features such as history tracking, one-click rollbacks, logical groupings for services, and a REST API for automation. Built with carefully selected technologies, happyDomain provides a fast and lightweight experience, suitable for both large-scale infrastructures and personal use. Our mission is to help individuals and organizations regain independence on the Internet by simplifying domain management and fostering confidence. 
Whether for system administrators, agencies, freelancers, or privacy-conscious users, happyDomain transforms domain management into an accessible and seamless task for all. >> Read more about happyDomain Handling Data from IPv6 Scanning — Scanning tools for scaling up IPv6 scans Scanning is state of the art to discover hosts on the Internet. Today’s scanning relies on IPv4 and simply probes all possible addresses. But global IPv6 adoption will render brute-forcing useless due to the sheer size of the IPv6 address space, and demands more sophisticated ways of target generation. Our team developed such an approach that generally allows probing all subnets in the currently deployed IPv6 Internet within reasonable time. Positive responses are however scarce in the IPv6 Internet; thus, we include error messages in our analysis as they provide meaningful insight into the current deployment status of networks. First experiments covering only parts of the Internet were promising and at least 5% of our probes trigger error messages. However, a full scan would lead to approx. 10^14 responses causing Petabytes of data, and demands an adequate solution of data handling. In this project, we will develop a data storage and analysis solution for high-speed IPv6 scanning. It will process the high amount of received data concurrently with scanning, and provide continuous results while scanning for long periods. This effort enables full scans of the IPv6 Internet. >> Read more about Handling Data from IPv6 Scanning iso14229 — Universal Diagnostic Services for automotive diagnostics iso14229 is an open-source portable C implementation of Universal Diagnostic Services (ISO 14229-1:2020). UDS is a communications protocol used for diagnostics, tuning and firmware updates on embedded devices such as those in your car, tractor, robot, IoT device, or renewable energy system. Insecure UDS implementations expose software to security exploits. 
By providing an open source implementation including the security features of UDS, this project addresses an important gap. Within the scope of this grant, the team will work on the integration of static analysis, improve documentation and develop a number of security-focused examples. >> Read more about iso14229 Software vulnerability discovery — Automating discovery of software update and vulnerabilities nixpkgs-update automates the updating of software packages in the nixpkgs software repository. It is a Haskell program. In the last year, about 5000 package updates initiated by nixpkgs-update were merged. This project will focus on two improvements: One, developing infrastructure so that the nixpkgs-update can run continuously on dedicated hardware to deliver updates as soon as possible, and Two, integrating with CVE systems to report CVEs that are addressed by proposed updates. I believe these improvements will increase the security of nixpkgs software and the NixOS operating system based on nixpkgs. >> Read more about Software vulnerability discovery offen — Ethical site analytics, controlled by the user Transparently handling data in the open creates mutual trust: Offen is a web analytics software that gives users insights into the data they are generating by giving them access to the same suite of analytics tools site operators themselves are using. Usage metrics come with explanations about their meaning, relevance, usage and possible privacy implications, and also details which kind of data is not being collected. Offen treats both users and operators as parties of equal importance. Users can expect full transparency and are encouraged to make autonomous and informed decisions regarding the use of their data, and operators are being enabled to collect needed usage statistics while fully respecting their users' privacy and data. No user data is being collected until the user has explicitly opted-in. 
All data can be deleted either selectively or in its entirety by the users. >> Read more about offen purl2all — Discover metadata for software packages While we often simplify our mental model of the software supply chain by only looking at how source code is maintained and compiled with other source code into binaries which are distributed, in reality there are many more stakeholders that provide or curate information about software which is used by others as part of their decision process - and there are many supply chains concurrently, some of which are intertwined. The purl (package-url) initiative allows this information to be aggregated from all the different stakeholders in the software supply chains. The purl2all project aims to build a real-time, on-demand, decentralized and distributed knowledge base for all kinds of software packages metadata that can be used by other services that need the metadata; such as ScanCode, VulnerableCode, or any system, application or library using package-url (purl) as a way to identify packages and versions to lookup this data. The outcome will be a decentralized, on-demand software metadata collection system that will complement or replace centralized batch systems. >> Read more about purl2all purl2sym — FOSS code symbols indexing system Identifying corresponding source code compiled in natively compiled binaries is complex and important – only by knowing the code origin can one know if the code is subject to known vulnerabilities or licensing issues. In IoT and embedded devices, most of the code is composed of natively compiled binaries, with a significant Android-based ecosystem using Java with specific constraints: multiple programming languages (Java and Kotlin) and bytecode-compiled binaries. Many devices also embed secondary code (typically for admin and UI), such as Lua, JavaScript, Python, or PHP. 
To help with identification of binaries, it is important to aggregate collection of identifiers and symbols from FOSS code and index them to easily retrieve the data in efficient detection engines, based on automations and binary scanners. These symbols or identifiers are essential to software identification tools such as BANG that can match symbols in source and binaries and determine the corresponding source code for a given binary code input. purl2sym is a new data collection and indexing system to collect code symbols from FOSS source packages (and binaries in the future) and store them for reuse in other software analysis processes. >> Read more about purl2sym PurlValidator — Check validity of software package identifiers online and offline Package-URL, or PURL, is the de-facto standard for identifying software packages, used by open source SCA tools, SBOM and VEX specs, and vulnerability databases. But using a standard syntax does not prevent errors: A recent (not yet published) study on the quality of software bill of materials (SBoM) revealed that far too often PURLs in SBOMs are still inconsistent, fake, incorrect, or misleading. This is a major impairment to any application of SBOMs, and industry-wide cybersecurity and application security. The PurlValidator project is a public service, based on PurlDB, to validate all the PURLs. An extension of the purl2all project, PurlValidator validates the PURL syntax against any known PURLs by exposing PurlDB's reference data of 20M+ PURLs. PurlValidator also provides decentralized libraries for offline use that can be integrated in multiple tech stacks for all major ecosystems, beyond what is already available for PURL tools. The goal of this project is to provide an accessible, single source of truth to the security and SBOM ecosystem at large and improve the quality and accuracy of PURLs in use, imperative for CRA compliance. 
>> Read more about PurlValidator rrdnsd — DNS based load balancing and high availability rrdnsd implements DNS-based load balancing and failover in order to increase the reliability of geographically-distributed Internet services. It is designed to both scale up to managing hundreds of services but also scale down to small scale deployments. Written in Rust, it prioritizes resilience, ease of deployment and hands-off maintenance - without depending on 3rd-party services. It provides distributed connectivity monitoring using a quorum protocol. This allows detecting partial network outages without causing false positive alarms. >> Read more about rrdnsd ","url":"https://nlnet.nl/thema/Measurement.html","title":"Measurement"},{"description":" Internet Infrastructure Protocols and software for managing and advancing low-level internet infrastructure This page contains a concise overview of projects funded by NLnet foundation that belong to Internet Infrastructure (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. ARPA2 — Working towards a decentralised global internet that offers security and privacy by design. The ARPA2 project is an ambitious attempt to make the internet work the way we all expect it to work: a distributed, secure and private infrastructure that serves as a solid basis for a global information society. The internet brought so many advantages that it grew explosively, but that unprecedented growth of an experimental infrastructure that had many (and sometimes intentional) fundamental weaknesses - in terms of e.g. scalability and more importantly of security - resulted in an ossified network that has a lot of technical debt accumulated. 
It takes a concerted effort to fix these holes and bring secure internet technologies towards real end-users and deep into the infrastructure where many important upgrades are waiting for adoption. >> Read more about ARPA2 Atom-Based Routing — Improving global internet routing by implementing atom-based routers. Atom-Based Routing aims at significantly reducing the growth of BGP table size and updates, in particular in the internet backbone, through the use of BGP policy atoms. The intent is to devise a routing protocol (or adapt a routing protocol such as BGP) which makes use of atoms to achieve a protocol of lower complexity. >> Read more about Atom-Based Routing BIND DLZ — BIND 9 Dynamically Loadable Zones implementation BIND DLZ allows DNS data to be modified without interrupting the DNS server's normal operation. It accomplishes this by moving DNS data out of BIND's in-memory database into an external database. BIND DLZ works with a large variety of databases and has made flexibility a priority in its design. Additionally, BIND DLZ makes available an API which can be used to create custom drivers to access nearly any database, or provide other functionality such as DNS load balancing. >> Read more about BIND DLZ Bricophone — community-oriented mobile phone infrastructure The Bricophone is a community-oriented mobile phone infrastructure in Open Source. It is a low cost, low energy, open hardware, open source project built for communities up to ten thousand people within regional distances. The characteristic of the Bricophone infrastructure is that it does not require any static infrastructure like relays, antennas, or digital data centers. This provides the opportunity for special uses in poor communities, mass rescuing in disaster areas, and cultural and social activities like festivals and other mass events. >> Read more about Bricophone CeroWRT — an experimental firmware to push forward the state of the art of edge networks and routers. 
This project aims to be a reference implementation of the Comprehensive Queue Management Made Easy (CAKE) project based on CeroWrt, the experimental firmware aiming to push forward the state of the art of edge networks and routers. >> Read more about CeroWRT CuteHIP — lightweight implementation of Host Identity Protocol (HIP) on Java The project of the Helsinki Institute for Information Technology (HIIT) will create a lightweight implementation of Host Identity Protocol (HIP) in Java. Existing HIP implementations have been evolving since 2004 and became complex and hard to maintain and use. There is a need for a new simple implementation of RFC5201-5202 that is cross-platform (not bound to any Operating System) and not limited to run on any vendor hardware. The project will make the CuteHIP implementation using Java. It will be based on SourceForge open repository for public access and contributions. Although there are more open-source HIP implementations (HIPL, OpenHIP, Hip4inter.net), those are limited to certain platforms like Linux; no implementation is written in Java yet. The CuteHIP implementation shall be interoperable with existing implementations but shall be new and hence free of accumulated bugs. >> Read more about CuteHIP DNSCCM — DNS NSCP implementation for BIND and NSD There is a clear need for a common DNS(SEC) name server management and control system. DNS is such a vital part of any organization's network infrastructure that it is common to run multiple different DNS implementations. However, each implementation has its own distinctive configuration and control utilities. A common interface should greatly simplify management of diverse infrastructures. In 2007, the IETF working group determined there was a need for standardized management of nameservers for DNS and in 2011 the requirements draft addressing this got accepted as RFC6168. An IETF draft is under development, which proposes a Nameserver Control Protocol (NSCP) to meet these requirements. 
The primary focus of this project is to develop an implementation of NSCP for current releases of BIND and NSD, the most widely used open source authoritative nameservers. >> Read more about DNSCCM Dowse — Dowse is a smart digital network appliance for home based local area networks. Dowse is a smart digital network appliance for home based local area networks (LAN), but also small and medium business offices, that makes it possible to connect objects and people in a friendly, conscious and responsible manner. >> Read more about Dowse eduVPN app — Add Wireguard protocol to federated VPN suite Let's Connect aims to provide a comprehensive and reliable, open source VPN solution for all platforms. For the codebase containing the Mac/iOS implementation of the EduVPN app a continuous integration setup is needed, which should be inspectable by the wider internet community and based on open and/or freely available tooling. Furthermore, the iOS and Mac apps of Let's Connect/EduVPN should rely on as few third party dependencies as possible - as such dependencies introduce risk, for example due to bugs or dependency poisoning. This project will set up the CI infrastructure and prune the dependencies to reduce the attack surface of the app. >> Read more about eduVPN app eduVPN on Apple — eduVPN for Apple devices eduVPN is a program under the Commons Conservancy, a not-for-profit foundation focusing on free and open source projects. The goal of the project is to provide a comprehensive and reliable, open source VPN solution for all platforms. This project aims to improve the security and usability of the macOS- and iOS-apps. >> Read more about eduVPN on Apple eduVPN on Apple part II — Improved version of eduVPN for Apple devices eduVPN is a program under the Commons Conservancy, a not-for-profit foundation focusing on free and open source projects. The goal of the project is to provide a comprehensive and reliable, open source VPN solution for all platforms. 
The project is plagued by some nasty bugs that have been found hard to fix by the community. This particular project aims to deliver a new and more user-friendly user interface for the macOS and iOS-app, as well as implement a new server discovery mechanism in these apps. >> Read more about eduVPN on Apple part II eduVPN multi-protocol — Review of the eduVPN multi-protocol project. The eduVPN framework is currently built on top of OpenVPN 2.x. A new design will be delivered in order to accommodate WireGuard next to OpenVPN. WireGuard is a very simple, fast and modern VPN that utilizes state-of-the-art cryptography. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform and widely deployable. >> Read more about eduVPN multi-protocol eduVPN — Making secure VPN network technology available to everyone eduVPN/Let's Connect is an effort to make VPN technology commonly available, by building better and more user-friendly tools to connect to trusted parts of the internet. >> Read more about eduVPN Fairwaves — Fairwaves The Fairwaves project aims at removing one more obstacle on the way to cheap and ubiquitous wireless networks: the absence of free (open source), yet production quality building blocks for wireless equipment. There are plenty of expensive proprietary solutions you can use for coding. Fairwaves is set to develop an Open Source framework for PHY and MAC levels of wireless protocols which will allow \"free as in beer\" development. It should foster innovation in the wireless communications and allow more projects like OpenBTS and Opendigitalradio to emerge. >> Read more about Fairwaves FTEproxy — FTE enables developers to build systems resistant to surveillance and censorship. fteproxy provides transport-layer protection to resist keyword filtering, censorship and discriminatory routing policies. 
Its job is to relay datastreams, such as web browsing traffic, by encoding streams as messages that match a user-specified regular expression. >> Read more about FTEproxy GetDNS — Deliver DNSSEC as a building block in harsh environments Encrypted communication between two random end points on the internet cannot happen without additional infrastructure through which security parameters are exchanged. The getdns library is an modern asynchronous DNS library for application developers, with an API vetted by application developers. getdns has especially good stub-resolving capabilities, and has been developed alongside and in close co-operation with recent standards for stub resolving; such as DNS over TLS (RFC7858), and acquiring DNSSEC at stub resolving level (DNSSEC roadblock avoidance - RFC8027). >> Read more about GetDNS GISS — independent infrastructure for streaming radio and TV G.I.S.S. is an international network of free media activists, joining to build an infrastructure for free media experiences, radios and televisions like the Horitzo TV project (Spanish) in Barcelona. More concretely, right now the G.I.S.S. is an infrastructure with different components and tools for setting up an independent radio or TV channel easily. New work to be done in the course of the project focuses on the following aspects: Improvement of the topology of the network: currently all transmissions are passing through a main server and the upload to that server is saturated, so we should introduce new main servers and rebuild the architecture of the servers. Development of a specific version of icecast: for now the version we use lacks some essential features for us like the encryption of IPs (anonymizing like requested by the Indymedia network), a more specific load-balancing mechanism (using the instant load of each server) and more complementary features regarding the master/slave configuration. 
The live CD is in a usable state, but it should be improved to include more audio-visual and streaminig tools, like Cinelerra, free, gstreamer and other useful tool for video editing and broadcasting. Another component of the system is a kind of 'mediabase' archive tool, similar to you-tube but using only free software and Ogg/Theora format. Although a prototype already exists, it should be improved and be customizable for every user. The new GPL package will be called 'Distributed Multimedia Database System' (DMDBS). Most of our activities are located in Europe and South America, we would like to extend that network to other countries (India, Bolivia, Morocco). We already have some contacts to organize some workshops there. >> Read more about GISS IIDS — Interactive Intelligent Distributed Systems The IIDS research group at the Technical University of Delft (TUDelft) initially started as an NLnet initiative in 2000 at the Vrije Universiteit Amsterdam. The group's research focuses on management of large-scale interactive distributed systems, in particular on mobile agent systems. Self-management is the ultimate goal. The AgentScape framework, services, applications, and analyses of legal implications of the use of agent systems, are all factors to increase the potential of this new technology. >> Read more about IIDS ISC BIND 9 — implementation of DNS protocols with full IPv6 and DNSsec support BIND (Berkeley Internet Name Domain) is an implementation of the Domain Name System (DNS) protocols and provides an openly redistributable reference implementation of the major components of the Domain Name System. The BIND DNS Server is used on the vast majority of name serving machines on the Internet, providing a robust and stable architecture on top of which an organization's naming architecture can be built. 
The resolver library included in the BIND distribution provides the standard APIs for translation between domain names and Internet addresses and is intended to be linked with applications requiring name service. >> Read more about ISC BIND 9 iuh-openbsc — An open source implementation of 3G OpenBSC is a project aiming to create a Free Software, (A)GPL-licensed software implementations for the GSM/3GPP protocol stacks and elements. OpenBSC was created by the Osmocom project, a not-for-profit, community-driven project creating various FOSS projects related to mobile communications. OpenBSC is not just a standard BSC, but a GSM network in a box software, implementing the minimal necessary parts to build a small, self-contained GSM network. OpenBSC includes functionality normally performed by the following components of a GSM network: BSC (Base Station Controller), MSC (Mobile Switching Center), HLR (Home Location Register), AuC (Authentication Center), VLR (Visitor Location Register), EIR (Equipment Identity Register). >> Read more about iuh-openbsc Koruza — KORUZA is an innovative open-source open-hardware wireless communication system, employing a new low-cost approach to designing free-space optical network systems, enabling building-to-building connectivity with a highly collimated light beam at a capacity of 1 Gbps (1000 Mbps) at distances up to 100 m. It is designed to be suitable for home as well as professional users, enabling organic bottom-up growth of networks by eliminating the need for wired fiber connections and associated high installation costs. The simplicity of use, low-cost and compact size allow the system to be deployed in any network. >> Read more about Koruza LOAP — The DNS: A Life of a Protocol \"The DNS: Life of a Protocol\" is the working title for a new project by Carl Malamud. This technopolitical analysis of the Internet from the viewpoint of the life of one protocol attempts to provide some insight into both technology and politics. 
>> Read more about LOAP Meshtool — Mesh network toolkit, database and web-based API. This project aims to advance open mesh technology by providing the communities behind these networks with a comprehensive toolkit to build and maintain their networks. Meshtool aims to assist in mesh network monitoring, administration and research. It is designed to aggregate multiple data sources into useful 2D/3D geographic map overlays, provide remote node management and facilitate the use of live mesh segments as protocol testbeds. Mesh DB (or simply Mdb), provides the data-layer implementation for this task. Mdb aims to make it easier for mesh communities to share data, exposing it through a generic web-based API. This provides a framework against which portable mesh community applications may be developed and shared, much like OpenSocial. >> Read more about Meshtool Namecoin — Decentralized, censorship-resistant Internet infrastructure for e.g. DNS and identities Namecoin is a blockchain project that provides a decentralized naming system and trust anchor. Its flagship use-case is a decentralized top-level domain (TLD) which is the cornerstone of a domain name system that is resistant to hijacking and censorship. Among other things, this provides a decentralized trust anchor for Public Key Infrastructure that does not require third party trust. It operates independent from the DNSSEC root trust chain, and can thus offer additional security under some circumstances. >> Read more about Namecoin nat64 — Implement a NAT64 gateway to run on open-source operating systems IPv4 and IPv6 networks are incompatible. The IETF recommendation has usually been to rely on dual-stack deployment: have both networks coexist until IPv6 takes over IPv4. However, IPv6 growth has been much slower than anticipated. Therefore, new IPv6-only deployments face an interesting challenge communicating with the predominantly IPv4-only rest of the world. 
A similar problem is encountered when legacy IPv4-only devices will need to reach the IPv6 Internet. This project is about implementing an open-source NAT64 gateway to run on open-source operating systems such as Linux and BSD. The NAT64 Open Source implementation would benefit the engineering of the solution as well as providing initial implementation feedback. Moreover, an Open Source implementation will become the reference for the whole community, such as end users, network administrators, and protocol designers. Users will finally be able to deploy IPv6 connectivity without fear of being cut off from the rest of the Internet. In many situations, dual-stack deployment is not possible. For these cases, a gateway such as the proposed one is needed. It will enable completely new deployments, and users will automatically benefit. Moreover, an Open Source implementation will empower users by giving them access to the source code and letting them customize the gateway to accommodate new scenarios. The implementation will target both Linux and BSD (FreeBSD, NetBSD, OpenBSD). It will be portable to other POSIX systems. DNS ALG functionality will be added to Bind and Unbound. A patch will be produced and submitted to the Bind project and to the Unbound project for inclusion in their main distributions. IPv4/IPv6 translation functionality will be added to the Linux and BSD kernels. >> Read more about nat64 NetEventKit — building an open source Network Event Kit The Network Event Kit (NEK) is a kit for quickly and cheaply building a network for various types of events. This kit will offer both cabled and over-the-air infrastructure. Besides building an Open Source Network Event Kit, the purpose is to gain knowledge and experience in a practical setup that has value for Open communities. 
>> Read more about NetEventKit nftables — A modular packet filtering framework providing enhanced userspace control nftables is the intended successor of the popular iptables, providing a new modular packet filtering framework e.g. for operating systems based on the popular Linux kernel. Besides a modular code base that is better suited for modern multiprotocol networking environments, the nftables project aims to introduce powerful new userspace tools which will allow users to dynamically perform packet filtering on custom protocols (including but not limited to new proposed internet standards as defined by the Internet Engineering Task Force). Existing packet filtering solutions would require a recompiled kernel module in the same situation. The end result is that users will have more autonomy on what gets filtered and how, which makes them less dependent on the technical choices of vendors and communities. The nftables project has been accepted in Linux mainstream kernel. >> Read more about nftables Faster and configurable datapath/Linux xfrm — Rewriting nftables to optimise for xfrm The project entails rewriting nftables (which is a subsystem of the Linux kernel responsible for packet filtering and classification) to make it easier to combine with xfrm (which is the common framework to work with IPSec in Linux). IPsec was originally developed in conjunction with IPv6 but is just as often used with IPv4 as well. IPSEC encrypts traffic, providing key features absent in the regular IP layer - like data integrity, data origin authentication and confidentiality. The project is expected to make an important contribution to improving the IPSEC capabilities, usability, speed and robustness in many systems. 
>> Read more about Faster and configurable datapath/Linux xfrm NLnet Labs — Independent lab for Internet infrastructure development NLnet Labs was originally founded in 1999 by Stichting NLnet to develop, implement, evaluate, and promote new protocols and applications for the Internet. Its activities are focused on topics directly relating to the Internet's infrastructure, such as DNS, DNSsec, IPv6, and routing. Meanwhile NLnet Labs is an independently governed, public benefit organisation. >> Read more about NLnet Labs Nodewatcher — A comprehensive and scalable node management system for community wireless network. Project aimed at creating a wireless network node management system that can be used to manage and update large amounts of nodes in wireless networks such as community networks. >> Read more about Nodewatcher OpenBTS-HW — OpenBTS hardware This project is a part of a bigger effort to create a completely open GSM network, from a low level hardware to high level software. The network is intended to be built with open-source software, such as OpenBTS, OpenBSC, FreeSwitch, Linux, etc. The hardware part of the project is more complex, because to date there is no open hardware for GSM base-stations. As a practical implementation this will set up completely open network providing affordable mobile service to people from Mayotte island. >> Read more about OpenBTS-HW Cryptech.is — An open source open hardware security module to protect communications Cryptech.is is a project that wants to design an open-source hardware cryptographic engine that can be built by anyone from public hardware specifications and open-source firmware. Anyone can then operate it without fees of any kind. >> Read more about Cryptech.is OSLD — Open-Source LTE Deployment (OSLD) Wireless communication technology is mostly proprietary, even though we use it every day. 
The mission of the Open-Source LTE Deployment (OSLD) project is promoting open-source radios, to get more people involved in developing software to create modern wireless communications systems. The project will develop an open-source LTE (Long Term Evolution, a 4G radio standard) library and tools for building sophisticated radios at low cost. LTE provides bandwidth on demand for different amounts of speeds and so improving the quality of service to people on the move. Available LTE processing chains are either proprietary or unsuitable for commercial products. This project will therefore use the open-source SDR framework ALOE. The primary objective of this OSLD project is promoting open-source SDRs and shared development of software for wireless communications systems. Specifically, the project will develop a modular LTE library for mobile terminals and base stations as well as improve the accessibility of ALOE for building sophisticated radio systems at low cost. Both ALOE and the open-source LTE library will leverage open-source R&D, complement university labs, facilitate and encourage shared development, and be a solid basis for innovation and commercialization. The expected project products are: modular, open-source LTE library for building base stations and mobile terminals on a cluster of general-purpose processors, new ALOE release and improved accessibility for shared development, user guides, installation manuals, frequently asked questions, renewed FlexNets web site containing OSLD section, virtual support office, collaborations, and commercial interest for ALOE and LTE library. >> Read more about OSLD Palea — Finding unauthorized routes leaving your network Palea is a tool to help discover if devices on your (secured and firewalled) network are also unknowingly connected to unknown other networks that would facilitate attacks and information leaks to the outside. 
Such an unknown network could for instance be a known device on your trusted network that also has a USB dongle in it connected to the open internet over GSM/2G/3G/xG. By spoofing packets, Palea can be used to trick systems into exposing their connections to the internet. Palea can be run 24/7 on your network to also discover temporary connections. >> Read more about Palea RaptorJIT — RaptorJIT is a high-performance Lua virtual machine for network dataplanes. RaptorJIT is a fork of LuaJIT focused on predictably high performance. RaptorJIT takes a quantitative approach to performance. The value of an optimization must be demonstrated with a reproducible benchmark. Optimizations that are not demonstrably beneficial on recent CPU generations are removed. RaptorJIT was initially developed by the team behind Snabb Switch. >> Read more about RaptorJIT RPKI-RTRlib — RPKI/RTRlib The Resource Public Key Infrastructure (RPKI) is a component of secure interdomain routing and has recently been standardized in the IETF SIDR group (RFCs 6810/6811). RPKI is currently being rolled out, and is a significant and necessary step towards fully protecting BGP. However, the mechanism does incur additional load at BGP routers. In order to reduce that load, RPKI objects can be fetched and cryptographically validated by cache servers. The RPKI/RTR protocol defines a standard mechanism to maintain the exchange of valid RPKI data between cache server and router. RTRlib is one of the two open source reference implementations of RTR, originally created by researchers from the Computer Systems & Telematics group at Freie Universität Berlin and researchers from the INET research group at Hamburg University of Applied Sciences, under the supervision of dr. Matthias Wählisch and Thomas Schmidt. The RTRlib is a real-time capable, open-source (MIT licensed) C library that implements the RPKI router part. 
Basically, it fetches data from an RPKI cache server and allows for prefix origin validation as well as initial steps of BGP path validation (draft 6810bis). The RTRlib can serve as the backend for BGP daemons and monitoring tools in real-world operations, as well as user guidance. >> Read more about RPKI-RTRlib SCTP-Linux — A better Linux SCTP The Internet transport layer has been extremely rigid since its inception. The very diverse requirements of today’s applications are mapped to only two services, provided by the two protocols that are broadly available, TCP and UDP. The Stream Control Transmission Protocol (SCTP) offers promising benefits to applications, but faces significant deployment problems. One of these problems is certainly related to shortcomings of its Linux implementation (\"LKSCTP\"), which cause it to perform much worse than TCP under most circumstances. It is obvious that, for SCTP to be an attractive option for application designers, it should always perform at least as well as TCP. The two most important TCP features that are not required according to the standard are missing in LKSCTP: auto-buffer tuning and pluggable congestion control. In this project: Auto-buffer tuning will be added to SCTP. Work towards adding pluggable congestion control will be carried out. An investigation of other, less significant differences between TCP and SCTP in Linux will be carried out. >> Read more about SCTP-Linux SDR PHY — Create a GSM mobile phone consisting of completely open source software and SDR radio SDR (Software Defined Radio) allows for a low cost setup to serve a wide variety of changing radio protocols in real time. SDR is gaining popularity in the world of Open Source mobile communications. Thanks to the work of projects like Osmocom and OpenBTS, it is already possible to run a custom GSM network using Open Source software. Moreover, there are a few Open Source projects for LTE, such as OpenLTE, srsLTE and OpenAirInterface. 
However up to now there was no software defined GSM mobile phone. The \"SDR PHY for Osmocom BB\" project aims to fill this void. The project is focused on the client side of GSM protocol stack, and bridging the gap between existing GSM stack implementation project and SDR hardware. >> Read more about SDR PHY Serval — Mobile communication anywhere. Communicate anywhere, any time ... without infrastructure, without mobile towers, without satellites, without wifi hotspots, and without carriers. Use existing off-the-shelf mobile cell phone handsets. Serval enables mobile communications no matter what your circumstance: mobile communications in the face of disaster, in the face of poverty, in the face of isolation, in the face of civil unrest, or in the face of network black-spots. In short, Serval provides resilient mobile communications for all people. This system is the only mesh mobile telephony system that works on ordinary handsets, and is open source. It lets you use existing telephone numbers and can work without needing an internet connection. >> Read more about Serval Serval-LR — SERVAL Long-range WiFi Add-on Serval Project's goal is making mobile phones useful, even when there is no cellular network or internet available. This particular project prototypes a \"helper device\" for long-range WiFi. Serval has developed various technologies that allow voice calls, SMS, file sharing and other services in a completely distributed manner. Robust security is being progressively introduced into these technologies, with voice calls already enjoying end to end encryption, and our UDP-like Mesh Datagram Protocol (MDP) also enjoying automatic encryption. The Serval Project is intended to be useful in disaster and emergency situations anywhere in the world, as well as for people in rural, remote and developing world settings where traditional cellular service may not be available or may be too expensive. 
The Serval Project's technologies also have obvious application to enabling freedom of speech and communications for people under oppressive regimes. Serval currently uses ad-hoc WiFi on mobile phones to form the mesh network. This requires root access on Android, and is unlikely to ever be possible on iPhone. Also, ad-hoc WiFi, while useful, has many limitations, including limited range and relatively high power consumption. This particular project aims to prototype a \"helper device\", that would consist of a WiFi-enabled Arduino-compatible device attached to a low-cost radio module, and then to integrate that hardware with the Serval platform. The result will be a box that allows any WiFi enabled phone (Android, iPhone, Blackberry, Nokia S60 etc) to connect to the mesh. Some platforms will have a first-class native client, e.g., Android, while others will be able to use an HTML client to access mesh functions. Moreover, the box will be capable of long-range communications to other such boxes. Current estimates suggest that ranges of 6x-18x WiFi range are possible, allowing line-of-sight range of perhaps 1km or more. Finally, the box will be able to be integrated with satellite data terminals and short-burst data modules (basically satellite SMS) to allow the connection of mesh networks to the outside world. >> Read more about Serval-LR SnabbWall — SnabbWall is a layer-7 network flow detector and firewall application. Layer-7 firewalls, or application firewalls, empower technical users and administrators near the endpoints of networks. They can provide one centralized, flexible tool to subsume many other ones, simultaneously reducing the burden to learn how to achieve certain ends, and freeing people from the confines of very specific tools. Software Defined Networking has been revolutionizing the network space over the last couple of years. 
SDN uses commodity hardware to implement network elements and functionalities which were generally provided by very expensive, and usually inflexible, special-purpose network appliances. SnabbWall is designed as a modular, application-level (Layer-7) firewall suite built on the foundations of the popular open source SDN Snabb Switch, allowing it to be used with cheap commodity hardware. As an application-level (Layer-7) firewall, it will be able to: Inspect network traffic and detect flows of related data, and pinpoint which application has produced a certain data flow. Filter (drop, reject, or accept) packets using criteria specified in a set of rules, which can use the information inferred by inspecting the packets. As a suite, it will include a complete firewall program out of the box. As a modular system, it will provide a set of components which can be reused in other Snabb Switch designs. >> Read more about SnabbWall SocketHUB — A polyglot communication server for the decentralized internet This project aims to implement a service which enables developers to use common social functions regardless of the 'language' of the various protocols out in the wild. Call it \"polyglot\" of the social web. The implementation revolves around a socket server, with a clearly defined protocol/API that the developers can use as a tool to execute actions mainly focused on social interaction on the internet. Identifying users, sending messages, subscribing, sharing, chatting. It will speak whatever language (protocol) necessary to carry out the action, abstracting the implementation details of the various APIs from the developer. Leaving them to focus on creating rich web applications and providing as much compatibility as possible. The app developer can utilize one tool, indicate what they'd like to do, and that tool goes out and 'speaks the right language' to get the job done. 
This project is born from the Unhosted community and shares ideologies and goals with projects such as remoteStorage.js. >> Read more about SocketHUB Magic Wormhole/SPAKE2 — Securely send files between two computers with minimum fuss SPAKE2 is a modern academic password-authenticated key exchange mechanism, originally designed by two security researchers from Ecole Normale Superieure. It allows setting up an ad hoc encrypted channel between two users that share a combination of words in real-time. Magic Wormhole is an open source implementation of SPAKE2 (both client and server) by Brian Warner, one of the founders of the TAHOE-LAFS. The server part of Magic Wormhole can create a rendez-vous/relay, so it can be used in a LAN, behind firewalls, NATs, etc. There are many cases in which a person wants to quickly exchange a file in an untrustworthy environment (say a presentation deck) without running either the risk of an Evil Maid attack or uploading to a trusted server and then giving someone access to that. Most people do not even have such a trusted infrastructure, which forces them to trust their data to third parties. This solution allows for very user-friendly exchange of files with modern encryption, without the need for anything else. Secure exchange of files is a critical problem of all ages; this solution has potentially disruptive qualities. This project will try to make SPAKE2 primitives available to mobile app developers and will support standardisation of SPAKE2 inside the IETF. >> Read more about Magic Wormhole/SPAKE2 Stratosphere IPS — A behavioral-based free software Intrusion Prevention System. The Stratosphere IPS is a free software Intrusion Prevention System that uses Machine Learning to detect and block known malicious behaviors in the network traffic. The behaviors are learnt from highly verified malware and normal traffic connections in our research laboratory. 
Its goal is to provide the community and especially vulnerable targets with low budgets such as NGOs and civil society groups with an advanced tool that can protect against targeted attacks. >> Read more about Stratosphere IPS Stubby — A local DNS Privacy stub resolver using DNS-over-TLS Stubby is an open source project to develop a DNS stub resolver for use on client devices which will provide DNS Privacy for end users by implementing DNS-over-TLS (RFC 7858). This service will provide encrypted first-hop access to DNS services protecting users’ DNS queries from eavesdropping at any point along the path between their device and a privacy-enabling DNS server. More information about DNS-over-TLS: https://tools.ietf.org/html/rfc7858 >> Read more about Stubby TCP-multipath — Design and empirical evaluation of secure and efficient multipath communication The goal of the project is to implement open source extension of TCP/IP stack to support multipath communication in the Internet. With this approach, users will be able to improve their connection speed and reliability by utilizing several network interfaces simultaneously and receiving aggregate bandwidth. Modern mobile devices, equipped with several network interfaces, as well as multihomed residential Internet hosts are capable of maintaining multiple simultaneous attachments to the network. This can be favorable for applications that are aiming to increase the overall throughput or minimize the delays caused by roaming between the networks. This project will design and evaluate an efficient and secure multipath solution on a wedge-layer. Based on Host Identity Protocol (HIP) the design will support multihoming, mobility, NAT traversal, advanced security features, network coding for efficiency in lossy networks and will match the requirements of the most modern applications. Who will benefit? General network users requiring faster Internet access e.g. 
over two ADSL lines at home, service providers on the Internet requiring higher fault tolerance for their services, network operators providing high speed connectivity e.g. over WLAN and 3G combined. >> Read more about TCP-multipath Timesheets — Adaptive time-based application development Platform This project aims to create a platform to develop Adaptive Time-based web applications. This is applied to developing Single-Page Interfaces (SPIs). A SPI can reduce network bandwidth needs, which is especially important in the fast-growing use of mobile networks. Despite its importance, use of SPIs has not proliferated because it is highly complicated to develop and maintain. A novel approach based on a W3C specification is proposed: SMIL Timesheets. This approach simplifies the design of time-based web applications and web sites. These interactive applications use time as a major structuring paradigm, i.e. time and events dictate which parts of the application are presented. SMIL Timesheets are the time counterparts of layout focussed Stylesheets. SMIL Timesheets use the W3C standard SMIL Timing & Synchronization. Timesheets are a perfect match for CSS styles and CSS3 Transitions/Animations. Also, it is designed to synchronize multimedia (HTML5's audio and video) with web content. In addition the following issue is tackled: wasting network bandwidth is common in multi-device applications. This project aims to dynamically adapt to the capabilities of devices, to save bandwidth and processing power. Such adaptation is achieved via capability-based resource loading for different devices (e.g. media resources, CSS3 emulation, and others). >> Read more about Timesheets TLS-KDH — Combined Kerberos and Diffie-Hellman as an authentication mechanism for TLS This project develops a number of additions to the open source TLS library GnuTLS. 
Based on the prototype for TLS-KDH (http://tls-kdh.arpa2.net) that was developed as a branch of GnuTLS, we now need to do a full implementation that incorporates the features from this development branch into GnuTLS’ main branch. By doing so our TLS-KDH mechanism becomes automatically available for the general public worldwide. However, additional work needs to be done for these two branches to be merged. Compatibility issues need to be checked and resolved and test cases need to be written to ensure proper functioning of the library, now and in the future. Additionally, TLS-KDH relies on RFC7250 (https://tools.ietf.org/html/rfc7250). The functionality described in this RFC is not yet implemented in any TLS library and concerns Raw public keys. As part of our TLS-KDH implementation we have implemented RFC7250 partially (what was needed for TLS-KDH). However, we have noticed the interest of the GnuTLS community in the complete RFC7250 functionality. Therefore, in order to deliver a complete ‘product’ we also want to implement the rest of RFC7250 and incorporate it into GnuTLS. Thereby creating the first TLS library that supports Raw public keys. This enables a more light-weight mechanism for transmitting public key material between peers. Finally, to ease adoption of the TLS-KDH mechanism and to provide a default Kerberos binding for TLS, we want to implement a gnutls-krb5 library (similar to the already existing gnutls-dane library). The current TLS-KDH implementation separates the TLS and Kerberos layers by design. While this is good design practice and offers the user great flexibility for choosing its own Kerberos implementation, it also requires (a lot) more work to be done in order to get the TLS-KDH mechanism going. By introducing a gnutls-krb5 library (choosing MIT Krb5) users can benefit from a default TLS Kerberos binding thereby relieving themselves from having to implement such a binding. 
It therefore eases adoption and use of the TLS-KDH mechanism. At the same time, keeping the TLS and Kerberos layers separated still enables different Kerberos libraries to be used when desired. Also a layered architecture works in favor of code acceptance. >> Read more about TLS-KDH Uberflow — An Open-Source OpenFlow Controller Implementing the North-Bound Interface OpenFlow is a cornerstone and the de-facto standard protocol for software-defined networking (SDN). The API for manipulating the network state is currently being standardised by the Open Networking Foundation (ONF) as NBI (which stands for 'North-Bound Interface'). As an emerging standard NBI has significant potential to create the ecosystem for network architectures. >> Read more about Uberflow UmTRX — UmTRX, cheaper mobile communication Mission of the UmTRX project is to radically drop price of mobile communications in developing, rural and remote areas. UmTRX aims at providing an open-source, inexpensive yet carrier grade transceiver for GSM Base Station. This project is a part of a bigger effort to create a completely open GSM network, from a low level hardware to high level software. UmTRX will be the first open hardware to work within the core telecom networks. This open hardware is being designed specifically to work with OpenBTS and OsmoBTS/OpenBSC open-source projects. While those software projects enjoy quick growth, the hardware side is remaining proprietary. The main reason for this is that such hardware is extremely hard to develop, it requires specific skills and specialists like high-profile RF designers and lots of effort to be put in it. The results of this project have been used to provision affordable mobile service to people at Mayotte island. 
>> Read more about UmTRX WireGuard — A fast and modern VPN that utilizes state-of-the-art cryptography In hostile environments such as the open internet, Virtual Private Network technology plays a major role in protecting users both from snooping and malicious traffic injection. WireGuard is a general purpose VPN - the new kid on the block that is fast, simple and lean. It can run on embedded interfaces and super computers alike, fit for many different circumstances. Its goal is to be the most secure, easiest to use, and simplest VPN solution in the industry. >> Read more about WireGuard Wisper — long distance wifi internet infrastructure Wisper is a concept (an idea) in the field of long distance wifi network infrastructures with a practical and concrete internet service provision goal. Wisper is the buzz word in order to stimulate concrete project proposals and cooperative initiatives focussed on creating a new mesh-type: solely based on wifi and IPv6 internet connections. The access nodes in Wisper are projected to be low cost (US$ 100) wifi boxes some Public Domain (fully self-configuring) networking software (probably on Linux and/or BSD OS's). Access and usage to the Wisper network should be free of charge. The plan is to create clouds of Wisper nodes. And then clouds of Wisper-clouds, expanding all over the globe. >> Read more about Wisper ","url":"https://nlnet.nl/thema/InternetInfrastructure.html","title":"Internet Infrastructure"},{"description":" Internet Hardening Fund Projects funded from the Internet Hardening Fund This page contains a concise overview of projects funded by NLnet foundation that belong to Internet Hardening Fund (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. Interested in applying for a grant yourself? 
Check our active theme funds, such as NGI Zero Commons Fund, NGI Fediversity or NGI TALER. Applications to this particular fund are currently closed and no new projects are accepted for now. Donate to help us fund more projects like these. Certbot ECDSA support — Certbot, part of EFF’s larger effort to encrypt the entire Internet, is a free, open source software tool used to encrypt traffic to tens of millions of websites. By automatically generating and configuring Let’s Encrypt certificates on webservers to enable HTTPS, Certbot improves the privacy and security of hundreds of millions of users worldwide. The project strives to provide the highest standard of security, which is why we are keen to implement Elliptic Curve Digital Signature Algorithm (ECDSA) support. ECDSA support in Certbot will improve privacy, performance, and trust for Internet users via improved authentication and security. >> Read more about Certbot ECDSA support Improving Matrix E2E encryption UX — Better usability of Matrix.org E2E encryption When using end-to-end encryption without a centralized oracle, the mechanisms to distribute and verify keys are critical. Matrix.org is a non-profit open source project dedicated to creating and maintaining an open and secure global network for decentralised real-time communication. Its mission is to make encrypted decentralised open communication a basic human right: empowering users to choose which services they use to communicate without being fragmented and held hostage within proprietary communication silos. Matrix currently has over 1.8M addressable users, 2,800 deployments, and the Matrix.org server receives over 1.1M messages a day. One can consider Matrix an open real-time data fabric for the web, providing somewhere for users and devices to publish and persist arbitrary data that can be subscribed to as desired. 
This project tries to fix the biggest blockers of E2E encryption, which partly lie with technology but partly also are due to overall UX issues. It solves various issues such as key sharing completion, making sure that E2E VoIP calls work. At the same time it will address user driven features such as the ability to request history from before the point you're invited to a room and have that safely decrypted for reading. Finally, the project will deal with better UX for displaying keyshare requests rather than modal popup, and delivering configurable paranoia levels per room. >> Read more about Improving Matrix E2E encryption UX Namecoin: TLS — Various TLS integrations for Namecoin Namecoin is a blockchain project that provides a decentralized naming system and trust anchor. Our flagship use-case is a decentralized top-level domain (TLD) which is the cornerstone of a domain name system that is resistant to hijacking and censorship. Namecoin can be used as a decentralized method of authenticating TLS certificates, without relying on public certificate authorities. This eliminates the risk of compromised certificate authorities facilitating MITM attacks, as well as the risk of authorities refusing to issue certificates for specific websites in order to censor them. This project aims to improve the security, usability, and code quality of the TLS use case of Namecoin. >> Read more about Namecoin: TLS ARPA2 Steamworks — ARPA2 Steamworks Computer systems nowadays are entangled with networks, and a simple server may in fact depend on other systems to be online to be able to fulfill its services. This constitutes a degree of fragility that is not always desirable; for instance, where security policies or system access is concerned. To make things worse, there is a growing tendency to combine information sources from various parties, and crossing the technical and political boundaries of organisations can introduce many new issues that complicate normal system management. 
So what we need is a system that can share (configuration) information across such parties, and reduce their cross-dependency. This is where SteamWorks steps in; it enables a central site to configure settings for a large conglomeration or a distributed enterprise, and each of the sites can clone this information and spread it internally. Updates are automatically spread out as soon as possible, but in case of network failure the old information is retained and used until the downtime is resolved. >> Read more about ARPA2 Steamworks GnuTLS — Implement TLS-KDH in GnuTLS TLS-KDH is a mechanism that adds Kerberos authentication to the Transport Layer Security (TLS) network protocol. TLS-KDH is developed under the flag of ARPA2 (www.arpa2.net) and is formalized in the form of a draft Internet specification for the IETF RFC standards track. This project serves to create a prototype implementation of the protocol within GnuTLS. For a more extensive overview of advantages of TLS-KDH we refer to the project homepage (http://tls-kdh.arpa2.net). >> Read more about GnuTLS DIME — A new encrypted, end-to-end email protocol The DIME project has three distinct goals: to make end-to-end email encryption transparent and automatic, to minimize the leakage of metadata, and to enshrine the standards which make automation resistant to manipulation by advanced persistent threats. This has led to the development of a set of protocols and data formats which combine the best of current technologies into an integrated system that gives adequate protection, yet remains flexible. It allows for people to improve their security without sacrificing functionality. >> Read more about DIME GetDNS — Deliver DNSSEC as a building block in harsh environments Encrypted communication between two random end points on the internet cannot happen without additional infrastructure through which security parameters are exchanged. 
The getdns library is a modern asynchronous DNS library for application developers, with an API vetted by application developers. getdns has especially good stub-resolving capabilities, and has been developed alongside and in close co-operation with recent standards for stub resolving; such as DNS over TLS (RFC7858), and acquiring DNSSEC at stub resolving level (DNSSEC roadblock avoidance - RFC8027). >> Read more about GetDNS Pretty Easy Privacy — At scale simulation over GNUnet with different realistic user behavior scenarios The “Emulation over GNUnet for large user numbers and different realistic user behavior scenarios plus tuning“ serves as a preparation and prerequisite for the integration of GNUnet into p≡p‘s encryption app-solutions to obfuscate not only content but also metadata of written digital communications. p≡p wants to protect not just the contents of communications, but also its metadata (who communicates with whom, from who etc.) to allow for anonymous communications. p≡p has the goal, to have GNUnet (one of the official GNU projects) integrated in its core technology as the “holy grail” to fully restore privacy by technical means and to bridge people from classical means of communications (email, existing chat protocols) towards the fully decentralized GNUnet peer-to-peer network. With the simulation of GNUnet's behavior for large user numbers and different realistic user behavior scenarios we want to test and improve its stability and scalability. GNUnet protects metadata by tunneling text messages on identity- as well as account-level. GNUnet is a framework for secure peer-to-peer (P2P) networking, which is censorship-resistant, provides end-to-end encryption and is able to not just protect contents, but also metadata, thus anonymizing who’s communicating with whom and finally restoring full privacy. GNUnet's functioning doesn’t rely on any central infrastructure. 
It allows to bypass classic communication channels like email, if both peers have GNUnet. So far there is no information if GNUnet is reliable for large numbers of users. The integration into p≡p will be the first real-world mass-deployment of GNUnet. In order to facilitate a scalable configuration or adaption of GNUnet in p≡p, we thus want to build a simulation of user behavior for p≡p over GNUnet. We will model which shares of written digital communication can be expected on which devices and how GNUnet behaves for these data traffics. The simulation will be done for different user numbers (e.g. 1k, 10k, 100k, 1mio) as well as for various user behavior scenarios and net structures (e.g. preconditions for net neutrality/censorship by governments etc.). Scientific groundwork and expertise (e.g. “Large Scale Distributed Evaluation of Peer-To-Peer Protocols”, Sree Harsha Totakura, 2013) as well as close contact with the GNUnet team is at hand. This simulation will gain crucial insights for GNUnet deployments in real world situations being of major importance for related FOSS projects far beyond the integration into p≡p, so secure communication over a free Internet can be achieved. >> Read more about Pretty Easy Privacy GUN P2P Encryption — A realtime, decentralized, offline-first, graph database engine Gun is a realtime, decentralized, offline-first, graph database engine. GUN works peer-to-peer by design, meaning you have no centralized database server to maintain or that could crash. It allows to build decentralized, federated, or centralized apps. The SEA (Security, Encryption, Authorization) framework allows to use the latest native Web Crypto API for cryptographic functions like ECDSA, PBKDF2, AES, and more. With GUN developers can build fully decentralized end-to-end encrypted applications, using a \"web of trust\" mechanism. 
>> Read more about GUN P2P Encryption Key Management — Key Management The life cycle of cryptographic credentials which can be used for servers to serve up services with TLS typically contains a lot of manual steps. This administrative burden is a significant cost factor and built-in delay that needs to be overcome if we want to harden the internet at scale. Especially rollovers are cumbersome and error-prone. Automation is needed to make strong encryption the default on the internet, and this project aims to create a set of integrated open source tools to manage cryptographic keys in a provably correct way. The project stems from the ARPA2 project, and builds on/integrates with the NCSC/NLnet funded TLS Pool from the SecureHub project. >> Read more about Key Management lib25519: Secure and efficient computation of X25519 and Ed25519 — Modern network protocols rely on elliptic-curve cryptography (ECC) to protect communication against espionage and sabotage. ECC is faster than RSA, but it still consumes many CPU cycles, especially when an attacker floods a server's CPU with requests. This project's lib25519 is a new software library for the Curve25519 elliptic curve, including the X25519 encryption system and the Ed25519 signature system. Curve25519 is the fastest curve in TLS 1.3, and the only curve in Wireguard, Signal, and many other applications. This library exploits the features of Intel CPUs to provide top speeds for those CPUs, in particular setting new speed records for X25519 key generation and Ed25519 signing, while meeting the security constraint of not leaking secret information through timing. >> Read more about lib25519: Secure and efficient computation of X25519 and Ed25519 Namecoin — Decentralized, censorship-resistant Internet infrastructure for e.g. DNS and identities Namecoin is a blockchain project that provides a decentralized naming system and trust anchor. 
Its flagship use-case is a decentralized top-level domain (TLD) which is the cornerstone of a domain name system that is resistant to hijacking and censorship. Among other things, this provides a decentralized trust anchor for Public Key Infrastructure that does not require third party trust. It operates independent from the DNSSEC root trust chain, and can thus offer additional security under some circumstances. >> Read more about Namecoin Faster and configurable datapath/Linux xfrm — Rewriting nftables to optimise for xfrm The project entails rewriting nftables (which is a subsystem of the Linux kernel responsible for packet filtering and classification) to make it easier to combine with xfrm (which is the common framework to work with IPSec in Linux). IPsec was originally developed in conjunction with IPv6 but is just as often used with IPv4 as well. IPSEC encrypts traffic, providing key features absent in the regular IP layer - like data integrity, data origin authentication and confidentiality. The project is expected to make an important contribution to improving the IPSEC capabilities, usability, speed and robustness in many systems. >> Read more about Faster and configurable datapath/Linux xfrm Pitchfork — Open hardware for compartmentalizing key material and cryptographic operations The PITCHFORK is a free/libre hardware device for compartmentalizing key material and cryptographic operations in a small and durable USB device. It uses a minimalist Cortex-M3 processor and stores all keys in the CPU flash memory. The PITCHFORK has an embedded radio interface over which it can do secure key exchanges with other devices, including \"post-quantum\" cryptography. Over USB it can send and receive messages using various modern low-level crypto protocols, providing different aspects of overall security. 
>> Read more about Pitchfork Pitchfork PKCS#11 — Contribute to OASIS standardisation PKCS#11 v3 PKCS #11 is the de facto standard for cryptographic tokens controlling authentication information (personal identity, cryptographic keys, certificates, digital signatures, biometric data). Due to the age of the standard, it was lacking a number of modern, so called 'quantum-resistant' algorithms. This small project enables open source developers from the Pitchfork project to contribute a number of important algorithms to the OASIS PKCS #11 standards committee in time for the pending new version of PKCS #11. The PITCHFORK is a free/libre hardware device for compartmentalizing key material and cryptographic operations in a small and durable USB device. It uses a Cortex-M3 processor and stores all keys in the CPU's flash. The PITCHFORK has an embedded radio interface over which it can do secure key exchanges with other devices, including \"post-quantum\" cryptography. Over USB it can send and receive messages using various modern low-level crypto protocols providing different aspects of overall security. Stef Marsiske from the Pitchfork project team joined the OASIS PKCS #11 standards committee to make sure the intersection of PKCS#11 supported algorithms and Pitchfork algorithms is no longer empty. >> Read more about Pitchfork PKCS#11 Modular CA — Modular infrastructure for building secure internet services The Redwax Project provides a number of small and modular security tools to make it easy to build security services on the web. These can be combined to form various types of certificate authorities, issuing certificates with SPKAC and SCEP, servicing certificate revocation with CRLs and OCSP, and creating timestamps. The aim of the project is to keep the security footprint and the number of dependencies as low as possible. 
>> Read more about Modular CA Remote PKCS#11 — Remote usage of PKCS#11 Setting up an encrypted connection across the internet requires establishing trust between the two endpoints. There are multiple ways, one of which is the use of asymmetric keys. However, in many cases there will not be a suitable hardware crypto device available - and storing crypto credentials in userspace on lots of insecure devices (such as mobile phones) is quite risky. Managing and auditing usage of those credentials in such a case is a problem. The project entails two innovative ideas to isolate and organise credentials: \"Hosted PKCS#11\" which allows users to use a trusted remote crypto store instead of a local store (which is of course much easier to audit, assuming that the back end system on which the keys are stored is professionally managed by someone trustworthy), and \"Layered PKCS #11\" which can downgrade or upgrade identities to roles, groups and other attributes of a user (such as \"age\"). >> Read more about Remote PKCS#11 SecuShare — A framework for sufficiently safe social interaction The SecuShare project implements a social messaging service based on the GNUnet peer-to-peer framework offering scalability, extensibility, and end-to-end encrypted communication. The scalability property is achieved through multicast message delivery, while extensibility is made possible by using PSYC (Protocol for SYnchronous Communication), which provides an extensible RPC (Remote Procedure Call) syntax that can evolve over time without having to upgrade the software on all nodes in the network. Another key feature provided by the PSYC layer are stateful multicast channels, which are used to store e.g. user profiles. End-to-end encrypted communication is provided by the mesh service of GNUnet, upon which the multicast channels are built. 
Pseudonymous users and social places in the system have cryptographical identities (identified by their public key); these are mapped to human memorable names using GNS (GNU Name System), where each pseudonym has a zone pointing to its places. >> Read more about SecuShare Secushare Box — Operating system extension of Secushare for hardware devices An operating system extension for hardware devices that turns them into automatable nodes in a distributed social mesh network, independent of central control. The objective is to offer an alternative to cloud-controlled IoT, empowering the owner of a device instead of its manufacturer. IoT devices are cryptographically linked to their owner's smartphones, PCs or other interfaces, using an initial vicinity rendez-vous procedure, akin to how bluetooth devices \"pair\". This integrates the new IoT device into the owner's social graph as a resource that can potentially be shared with others without the hassle of exchanging unsafe passwords. >> Read more about Secushare Box Magic Wormhole/SPAKE2 — Securely send files between two computers with minimum fuss SPAKE2 is a modern academic password-authenticated key exchange mechanism, originally designed by two security researchers from Ecole Normale Superieure. It allows to set up an ad hoc encrypted channel between two users that share a combination of words in real-time. Magic Wormhole is an open source implementation of SPAKE2 (both client and server) by Brian Warner, one of the founders of the TAHOE-LAFS. The server part of Magic Wormhole can create a rendez-vous/relay, so it can be used in a LAN, behind firewalls, NATs, etc. There are many cases in which a person wants to quickly exchange a file in an untrustworthy environment (say a presentation deck) without running either the risk of an Evil Maid attack or uploading to a trusted server and then giving someone access to that. 
Most people do not even have such a trusted infrastructure, which forces them to trust their data to third parties. This solution allows for very user-friendly exchange of files with modern encryption, without the need for anything else. Secure exchange of files is a critical problem of all ages; this solution has potentially disruptive qualities. This project will try to make SPAKE2 primitives available to mobile app developers and will support standardisation of SPAKE2 inside the IETF. >> Read more about Magic Wormhole/SPAKE2 Stubby — A local DNS Privacy stub resolver using DNS-over-TLS Stubby is an open source project to develop a DNS stub resolver for use on client devices which will provide DNS Privacy for end users by implementing DNS-over-TLS (RFC 7858). This service will provide encrypted first-hop access to DNS services protecting users’ DNS queries from eavesdropping at any point along the path between their device and a privacy-enabling DNS server. More information about DNS-over-TLS: https://tools.ietf.org/html/rfc7858 >> Read more about Stubby TLS-KDH — Combined Kerberos and Diffie-Hellman as an authentication mechanism for TLS This project develops a number of additions to the open source TLS library GnuTLS. Based on the prototype for TLS-KDH (http://tls-kdh.arpa2.net) that was developed as a branch of GnuTLS, we now need to do a full implementation that incorporates the features from this development branch into GnuTLS’ main branch. By doing so our TLS-KDH mechanism becomes automatically available for the general public worldwide. However, additional work needs to be done for these two branches to be merged. Compatibility issues need to be checked and resolved and test cases need to be written to ensure proper functioning of the library, now and in the future. Additionally, TLS-KDH relies on RFC7250 (https://tools.ietf.org/html/rfc7250). The functionality described in this RFC is not yet implemented in any TLS library and concerns Raw public keys. 
As part of our TLS-KDH implementation we have implemented RFC7250 partially (what was needed for TLS-KDH). However, we have noticed the interest of the GnuTLS community in the complete RFC7250 functionality. Therefore, in order to deliver a complete ‘product’ we also want to implement the rest of RFC7250 and incorporate it into GnuTLS. Thereby creating the first TLS library that supports Raw public keys. This enables a more light-weight mechanism for transmitting public key material between peers. Finally, to ease adoption of the TLS-KDH mechanism and to provide a default Kerberos binding for TLS, we want to implement a gnutls-krb5 library (similar to the already existing gnutls-dane library). The current TLS-KDH implementation separates the TLS and Kerberos layers by design. While this is good design practice and offers the user great flexibility for choosing its own Kerberos implementation, it also requires (a lot) more work to be done in order to get the TLS-KDH mechanism going. By introducing a gnutls-krb5 library (choosing MIT Krb5) users can benefit from a default TLS Kerberos binding thereby relieving themselves from having to implement such a binding. It therefore eases adoption and use of the TLS-KDH mechanism. At the same time, keeping the TLS and Kerberos layers separated still enables different Kerberos libraries to be used when desired. Also a layered architecture works in favor of code acceptance. >> Read more about TLS-KDH Vita — A fast IPSEC-based VPN gateway VPN technology is a key enabler for end user security in insecure environments. Vita aims to achieve high performance (beyond 10G speeds) on commodity server hardware. Vita is intended to be both simple in terms of code, as well as in terms of deployment, and non-invasive to deploy in existing networks. 
Vita also strives to be affordable, in terms of both energy footprint and cost of maintenance: its goal is to make the best possible use of commodity hardware while remaining easy to deploy safely. >> Read more about Vita Nixcloud — Declarative internet services based on NixOS This project aims to make NixOS the first computer operating system to package TLS Pool as a service component, and will allow to combine the power of declarative packaging with the unique security characteristics of TLS Pool to create a solid and versatile delivery channel for decentralised internet applications. >> Read more about Nixcloud WireGuard — A fast and modern VPN that utilizes state-of-the-art cryptography In hostile environments such as the open internet, Virtual Private Network technology plays a major role in protecting users both from snooping and malicious traffic injection. WireGuard is a general purpose VPN - the new kid on the block that is fast, simple and lean. It can run on embedded interfaces and super computers alike, fit for many different circumstances. Its goal is to be the most secure, easiest to use, and simplest VPN solution in the industry. >> Read more about WireGuard WPIA CA Infrastructure — Deployment infrastructure for certificate authorities World Privacy and Identity Association is an effort to create and setup a Trusted Service Provider to deploy digital certificates to the public for free. One part of this project (and the association behind it) is the development of software to setup and operate a Certificate Authority. The software is developed from scratch, and is released under an AGPL license. The repository resides on code.wpia.club. The primary goal of the publication of the software is to grant check and control to the public. Trust is the basis of all. If someone wants to use the software for his own business he may do so. 
The real target of the project is to provide individuals and organisations with reliable and accountable digital certificates using PKI technique. Certificates should always match the CA/Browser Forum Baseline Requirements and be compatible with ETSI. Individuals will get their certificates for free (free as in free beer). Digital certificates help all people to keep fundamental rights as e.g. privacy and identity. As such, WPIA intends to provide an alternative to Let’s Encrypt. >> Read more about WPIA CA Infrastructure ","title":"Internet Hardening Fund","url":"https://nlnet.nl/thema/InternetHardeningFund.html"},{"title":"Information Retrieval","url":"https://nlnet.nl/thema/InformationRetrieval.html","description":" Information Retrieval Projects primarily related to internet information retrieval technologies. This page contains a concise overview of projects funded by NLnet foundation that belong to Information Retrieval (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. AGFL — parser generator system for natural languages With the AGFL (Affix Grammars over a Finite Lattice) formalism for the syntactic description of Natural Languages, very large context free grammars can be described in a compact way. AGFLs belong to the family of two level grammars, along with attribute grammars: a first, context-free level is augmented with set-valued features for expressing agreement between parts of speech. The AGFL parser includes a lexicon system that is suitable for the large lexica needed in real life NLP applications. >> Read more about AGFL AHA! — transparent adaptive functionality for web servers AHA! is a general-purpose adaptive hypermedia add-on for web servers. 
It enables a web server to serve pages with conditionally included page fragments, and with link anchors that are conditionally colored or hidden. Adaptation is based on a domain model, a user model, and an adaptation model, using concepts, pages, fragments and condition-action rules. >> Read more about AHA! ALIAS — analysis of legal and technical implications of the use of software agents Properties associated to agents such as autonomy, pro-activity, reasoning, learning, collaboration, negotiation, and social and physical manifestation are properties developed by man. Notions such as anonymity and privacy acquire new meanings in the \"digital world.\" New concepts such as pseudo-anonymity emerge. Until now, much research on deployment of information technology has been done as a separate discipline. Computer Science and AI develop the technical expertise and applications. Law then fits these applications into existing legal frameworks (taking US, European and Dutch traditions into account), proposing new frameworks if and when needed. In this project, members of the two disciplines AI and Law are collaboratively investigating the legal possibilities and limitations of agent technology, ultimately leading to recommendations for both disciplines. >> Read more about ALIAS CPAN6 — collecting collections of digital information People are designed to collect things, whether it is food, postal stamps, or digital information. On our hard-drives, we collect software, photos, development sources, documents, music, e-mail, and much more. The typical application sees this `collecting' as a secondary problem to their main task, offering little help in administering the data produced with it. CPAN6 focusses purely on this aspect, and can therefore improve the way people work in general. 
>> Read more about CPAN6 Global Directories — Distributed contact information discovery mechanism A global directory is a way of retrieving contact information from others, using standard technology, so you can employ automatic tools that download and update contact information without manual intervention - or without any third parties snooping into your private or business social environment. Moreover, you can use the same technology to share any relevant information (such as keys for protection of your email) to anyone. >> Read more about Global Directories Globule — user-centric Content Delivery Network Globule is a research project that aims at developing a user-centric Content Delivery Network (CDN). Such a network consists as an overlay in which the nodes are owned by end users rather than ISPs. In Globule, nodes transparently collaborate to provide strong guarantees with respect to performance and availability of Web documents. To this end, modules were developed that extend the basic functionality of the Apache2 Web server, and take care of automatically replicating Web documents, and redirecting clients to the replica server that can best service the request. >> Read more about Globule LCC — local content caching system for new search engine architecture This six month pilot-project will investigate what would be needed to create a system of local content caching, in which a content provider can notify a Local Content Cache of new (or updated or deleted) content. This content will then be collected by that Local Content Cache. The cache can then be used by a search engine, or any other content \"user\" such as an intelligent agent, for its own purposes. A proof of concept implementation of the software needed for a Content Provider, a Local Content Cache and Content Users, such as search engines and intelligent agents, will be part of this pilot-project. 
>> Read more about LCC Parselov — Syntactic analysis of documents and protocol messages based on formal descriptions Parselov is a system for the syntactic analysis of documents and protocol messages based on formal descriptions, as well as the analysis and manipulation of such formal descriptions. It makes it easy to build parsers, validators, converters, test case generators, and other tools. It also explains the process of syntactic analysis slightly differently than usual, which has helped me tremendously to \"understand parsing\". At the heart of the system is a computer program that converts a formal grammar (the IETF standard \"ABNF\" is used as input for testing, but it is easy to support W3C's \"EBNF\" format and similar formats thanks to this system) into a graph and additionally computes all possible traversals of this graph. The result is stored in a simple JSON-based data format. >> Read more about Parselov Searsia — Searsia is a protocol and implementation for large scale federated web search. Searsia provides the means to create a personal, private, and configurable search engine, that combines search results freely from a very large number of sources. Searsia enables existing sources to cooperate such that they together provide a search service that resembles today’s large search engines. In addition to using external services at will, you can also use it to integrate whatever private information from within your organisation - so your users or community can use a single search engine to serve their needs. >> Read more about Searsia Sesame — storage and querying middleware for the Semantic Web Sesame is a storage framework for RDF data, the proposed W3C standard modeling languages for the Semantic Web. The RDF format is used to describe all sorts of things (the meta-data); besides the content of documents and web pages, RDF can be used to describe real life things like persons and organisations. 
This data can, for instance, be used as basis for news readers, search applications, or indexing. Sesame is a modular architecture for persistent storage and querying of RDF and RDF Schema. Sesame supports various querying languages and databases. Sesame also offers ontology management functionality such as change tracking and security. >> Read more about Sesame SIRS — Scalable Internet Resource Service The SIRS project focuses on the development of a service that allows resources to be widely distributed and replicated across the Internet in a scalable way. >> Read more about SIRS ARPA2 Steamworks — Near-instantaneous controlled configuration settings over any network ARPA2 SteamWorks is a set of tools that co-operate to transmit more-or-less centrally controlled configuration settings over any network, and make these settings available to individual programs. Updates are passed around instantaneously when network connections are good, but the last version of the information can be used when the network temporarily degrades. The project is part of the ARPA2 project, which is engineering towards an overall architecture scalable to run a future internet that is secure by design. >> Read more about ARPA2 Steamworks "},{"title":"Hardware","url":"https://nlnet.nl/thema/Hardware.html","description":" Hardware Trustworthy hardware and manufacturing. This page contains a concise overview of projects funded by NLnet foundation that belong to Hardware (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. Hardware 2D graphics engine — Additional functionality and better performance for FPGA-based 2D video controller This project is to develop hardware accelerated 2D display controller boards for easily adding interactive user interfaces to single-purpose industrial and commercial machines. 
Traditionally, to make stand-alone machines and systems (i.e. not based on PCs but on custom computing boards), if developers need to provide a high-resolution graphical user interface (GUI) they are offered only two inconvenient options: use a complex system like a Linux-capable single board computer, or limit performance to low resolutions that are unsuitable for medium to large displays. The latter case simply prevents successfully marketing those products, while the former requires a high degree of qualification in embedded systems development, even where the requirements are for simple products like signage systems or vending machines. The controller boards (CPU and FPGA based, released as open hardware) are capable of loading previously stored images (lossy or lossless), plus movies, fonts and other resources required. The drawing commands are implemented with hardware acceleration on the FPGA board, using a custom C-to-hardware tool: CflexHDL, making it possible to use a fully open-source toolchain. Interactivity is achieved by the use of a USB host capable of handling mice, keyboards and touchscreens. Displays of multiple kinds are supported by the use of PCB adapters, including: Analog VGA, DVI protocol (compatible with HDMI monitors), LVDS for direct connection to laptop replacement displays, among other options. The controllers can be used stand-alone (like a development platform) or be controlled by other systems like Arduino or similar boards. >> Read more about Hardware 2D graphics engine AALT (Accelerated Analog Layout Tool) — More efficient analog layout generation for chips AALT (Accelerated Analog Layout Tool) aims to increase the productivity of analog integrated circuit layout by keeping the human in the loop but automating the time-consuming, monotonous activities. The tool will generate matched structures in guard rings and wells with DRC aware optimisation of sub-circuit block placement and simple auto-routing. 
The goal is to improve analog layout speed by 50% by letting the computer do the boring work and leaving the human to do the thinking. It will support existing open-source projects KLayout and PDKMaster. >> Read more about AALT (Accelerated Analog Layout Tool) Analog/Mixed-Signal Library — OSHW component library for ASIC design One of the gaps in the open chip toolchain is a libre-licensed analog/mixed-signal library. Having access to such a library contributes to having a fully open ASIC design infrastructure through which secure and trustworthy open hardware can subsequently be built. This project is trying to fill that void. The first part of the project consists of enhancing and stabilising the underlying PDKMaster project, and allowing it to facilitate programmatic co-generation of circuit and layout with integrated support for circuit simulation. This should make resulting circuits DRC and LVS clean by design. The second part of the bootstrapping effort is then to implement a set of scalable analog/mixed-signal blocks which can be integrated into PDKMaster. The initial set will consist of the following 4 core blocks: a voltage reference, a PLL (phase-locked loop), a low frequency, low accuracy ADC and a low frequency, low accuracy DAC. The overall focus is on proving the overall suitability of the PDKMaster framework, rather than on the complexity and difficulty of the individual analog/mixed-signal blocks which are to be added. Thanks to proper documentation and examples, users can start expanding the available building blocks by adding their own contributions. >> Read more about Analog/Mixed-Signal Library ARMify — Auto-Identification of MCU Models to Simplify ARM Bare-Metal Reverse Engineering ARMify aims to become a plugin for the open-source reverse engineering tool Ghidra, with its primary goal being to assist security analysts in analyzing ARM Cortex-M bare-metal firmware. 
This is achieved through automatic microcontroller model identification and annotation of memory-mapped peripherals. It helps analysts to understand how the firmware interacts with microcontroller features, offering significant time savings compared to manual cross-referencing with the microcontroller datasheet. The development entails creating an SVD parser (the SVD standard formalizes Cortex-M microcontroller system details, such as peripheral registers, in XML format) and a comprehensive microcontroller database, both of which will be released as standalone tools alongside ARMify. The SVD parser will enable the processing and preparation of Cortex-M microcontroller system details, while the microcontroller database will provide a repository of technical characteristics and a user-friendly interface for easy access. >> Read more about ARMify Apicula — Open source tools for working with Gowin FPGAs Only a few years ago, you could only program FPGAs with the proprietary tools provided by the vendors, locking you into that ecosystem and its features and bugs. But open source FPGA tools have been making great strides, and there are now mature open source synthesis and PnR tools, namely Yosys and Nextpnr. However, only Lattice FPGAs are currently well supported, still de facto locking you into a single vendor. There are a few other projects, such as Apicula, that target other FPGAs, but none of them are feature complete and of production quality. The goal here is to take Apicula to the next level, where it goes from an experimental flow for FOSS enthusiasts to a production ready tool, finally and truly breaking FPGA vendor lock-in. >> Read more about Apicula Apicula IO primitives — Add additional IO primitives to libre Gowin FPGA tools Apicula is a project that aims to provide open source tools to work with Gowin FPGAs. 
(FPGAs are repurposable chips used in many everyday and specialist electronic products for everything from tying systems together to highly specialized algorithm accelerators). In recent years open source FPGA tools have made great strides to break the vendor lock-in of commercial FPGA tools. But to completely break vendor lock-in a variety of mature toolchains are needed. We have reached a point of general usability, and with this grant Apicula aims to make another large leap forward, improving feature parity, documentation, and support for more advanced and specialized Gowin devices. >> Read more about Apicula IO primitives BB3-CM4 — CM4 compatible MCU board Chip shortages are causing production problems throughout the industry. A way of getting out of the production trap is to make project boards more modular. Popular open hardware projects like the EEZ BB3 T&M (Test & Measurement) device currently depend on specific scarce microcontroller boards, and prospective users face impossible delays and constantly rising prices. This project will relieve some of the tension by delivering special \"MCU\" boards that are compatible in form factor with widely used MCUs. That way projects gain much more room for fulfilling production needs - allowing them to use alternative pin compatible main modules (like the ULX4M FPGA) without redesign, delivering more flexibility. One additional advantage of this approach is that production of module and base board does not need to be at the same time or by the same company. Hardware upgrades and the right to repair become possible and just involve changing a module, without having to throw out the complete system. Along with the \"MCU\" module the project delivers a new back plane board for the BB3 T&M device - fully compatible with the current design, so existing users can upgrade or replace parts. >> Read more about BB3-CM4 Balthazar — One laptop for the new internet age. 
The project's ambition is to design and deliver an innovative and technically advanced open hardware (RISC-V/ISA) based, European made, inexpensive, FOSS laptop as a personal computing device, containing on board all desirable (FOSS compliant) hardware and software features and functionalities needed to prevent any 3rd party intrusion into the system. It adds physical safety features currently not available in the market such as hot-swappable CPU, hardwired switches for e.g. camera and audio devices, and a quickly removable encrypted hard drive and peripherals. A goal of Balthazar is to enable and educate end users to be private, safe and careful with their own data, and that of others. Another goal is to make computing more sustainable and reach an eco-friendly footprint, by empowering users to take up their 'right to repair', through a modular laptop that allows components to be easily exchanged and upgraded - up to the CPU itself. The goal is to lead by example and gently lead other hardware manufacturers to become fully open and transparent. And to create an educational platform, as well as an advanced computing device whose users (including those with low income) feel secure, safe and comfortable using it. For the children of all ages. >> Read more about Balthazar Balthazar Casing — Open hardware laptop Balthazar is a project that aims to create an advanced, open-hardware laptop that is affordable and accessible to everyone, while also being well-designed and ergonomic. The laptop will feature a range of hardware and software features designed to protect users' data and prevent third-party intrusion. It will also include physical safety features such as a hot-swappable CPU and hard-wired switches, as well as the ability for users to add external modules based on various instruction sets and systems on the module, as well as spare keyboards. 
The project's goals include empowering users to take control of their own data, making computing more sustainable through the use of modular components, and creating an educational platform and advanced computing device that is accessible to users of all income levels. >> Read more about Balthazar Casing Balthazar - One laptop for the new internet age. — A secure fully open hardware laptop The project's ambition is to design and deliver an innovative and technically advanced open hardware (RISC-V/ISA) based, European made, inexpensive, FOSS laptop as a personal computing device, containing on board all desirable (FOSS compliant) hardware and software features and functionalities needed to prevent any 3rd party intrusion into the system. It adds physical safety features currently not available in the market such as hot-swappable CPU, hardwired switches for e.g. camera and audio devices, and a quickly removable encrypted hard drive and peripherals. A goal of Balthazar is to enable and educate end users to be private, safe and careful with their own data, and that of others. Another goal is to make computing more sustainable and reach an eco-friendly footprint, by empowering users to take up their 'right to repair', through a modular laptop that allows components to be easily exchanged and upgraded - up to the CPU itself. The goal is to lead by example and gently lead other hardware manufacturers to become fully open and transparent. And to create an educational platform, as well as an advanced computing device whose users (including those with low income) feel secure, safe and comfortable using it. For the children of all ages. >> Read more about Balthazar - One laptop for the new internet age. Betrusted OS — An embedded OS for cryptographic devices Betrusted OS will underpin the Betrusted ecosystem, and will enable secure process isolation. 
It will be written in a safe systems language - namely Rust - to ensure various components are free from common programming pitfalls and undefined behavior. Unlike modern operating systems that trade security for speed, the Betrusted OS will prioritize security and isolation over performance. For example, it will be a microkernel that utilizes message passing and services rather than a monolithic kernel with modules. Unlike other deeply-embedded operating systems, it will require an MMU, and support multiple threads per process. This will let us add features such as service integrity and signature verification at an application level. >> Read more about Betrusted OS Betrusted Storage — Plausibly deniable encrypted storage Betrusted aims to be a secure communications device that is suitable for everyday use by non-technical users of diverse backgrounds. We believe users shouldn’t have to be experts in supply chain or cryptography to gain access to our ultimate goal: privacy and security one can count on. Today’s “private key only” secure enclave chips are vulnerable to I/O manipulation. This means there is no essential correlation between what a user is told, and what is actually going on. Betrusted will build a full technology stack, including silicon, device, OS, and UX that is open for inspection and verification. We've passed the first hurdle of creating an FPGA-based device, which we have spun out into a development platform we call Precursor. We are now advancing deeper into the technology stack to improve FPGA, drivers, OS, and UX elements, all driving toward the common goal of making Betrusted a simple, secure, and strong device that aims to advance Internet freedom. >> Read more about Betrusted Storage BrailleRAP — Low-cost open hardware for creating Braille content BrailleRAP is an open source Braille embosser. 
The AccessBrailleRAP software gives you the ability to translate a text document into Braille and emboss the Braille characters on paper with the BrailleRAP device. The DesktopBrailleRAP software project aims to build a desktop publishing application suitable for building tactile documents for unsighted people with the Braille embosser BrailleRAP. The application brings the ability to import vector graphics in SVG format, or create text labels with a position and orientation on a page layout. Text labels are translated into Braille with the ability to choose the Braille standard (language in a simplified manner). Vector graphics are decomposed into a series of dot positions along the path. All dots from Braille characters and paths are converted into GCODE commands for the BrailleRAP embosser. The result is a tactile document with accurate embossed Braille and tactile 2d graphics made by a series of close dots. DesktopBrailleRAP aims to build a suitable tool for individuals or teachers to build tactile documents for unsighted people, such as geographic maps, building or organization maps (like school or campus), public transportation maps or teaching plans in biology and mathematics (geometry). The funding from NLnet will allow the development of the first public release with suitable documentation. >> Read more about BrailleRAP Libre-SOC Cavatools: Power ISA Simulator — Power ISA Simulator Cavatools is a high performance ISA simulator, similar to qemu. However unlike qemu, cavatools is designed with two goals in mind: to provide accurate guidance on instruction effectiveness, and to run at close to real-time performance on multi-core host systems. The only hardware that cavatools currently supports is cycle-accurate emulation of RISC-V: this Grant is intended to add not only the Power ISA but also add the Draft SVP64 Cray-style Vector Extensions being developed by Libre-SOC (and sponsored by NLnet). 
Other work includes being able to verify and compare multiple independent implementations, running the same program, to check interoperability, whether in emulators, hardware simulations, simulators or actual ASICs. >> Read more about Libre-SOC Cavatools: Power ISA Simulator LibrEDA — An integrated development environment for chip design Because digital circuits are a core part of today’s society there is a significant value in free and open chips and, equally important, free and open design software that is accessible also to small entities. Not only would this enhance trust through transparency and digital sovereignty through distributed knowledge but it would also be a fertile ground for education, hobbyists and small enterprises. The main goal of this project is to create a new libre-software framework for the physical design of digital integrated circuits. The framework is meant to simplify the development of chip layout tools, i.e. the tools used to convert a gate-level netlist into a fabrication-ready layout. This includes fundamental data structures and algorithms, interface definitions of the design algorithms (e.g. placement, routing or timing analysis), input/output libraries for commonly used file formats as well as documentation and example implementations. Two variants will be pursued in parallel: One with a clear focus on simplicity and education and another with a focus on performance and scalability. Another part of the project is the continuation of the ‘LibreCell’ standard-cell generator and characterization tool. >> Read more about LibrEDA Zerocat Chipflasher Flashrom Interface — Hardware to flash alternative/libre firmware to BIOS chips The Zerocat Chipflasher Project aims to provide a fully user controlled electronic device, that helps users to remove the proprietary BIOS firmware from their laptops. The tool allows them to instead run verifiable and Free Firmware, produced by the Coreboot and Libreboot project. 
Proprietary BIOS is opaque with regard to functionality, and may contain known and unknown security issues. Also controversial elements like the Intel Management Engine can be deactivated. The project helps to empower everyone to create trustworthy digital hardware on her or his own and has been successfully certified by the Respects-Your-Freedom (RYF) Certification Program, set up by the Free Software Foundation in Boston, USA. The device combines the Do-it-Yourself concept with free-design hardware development, even down to chip level. This is achieved by skipping convenient functionalities which would require chips of a proprietary design and by instead using a free-design microcontroller only. The flasher’s integration into the grid of related existing free software projects is yet to be improved by an additional interface and an in-depth firmware review. >> Read more about Zerocat Chipflasher Flashrom Interface Chips4Makers ASICs — Current scaling of micro-electronics is focused on improving power, performance and cost per device but with an exponentially increasing start-up cost related to the increased process complexity. For the design of custom chips currently expensive proprietary electronic design automation (EDA) tools need to be used and hefty license fees are due for blocks implementing specific functions like the CPU, USB etc. All this together makes custom chip development only accessible for high-volume production and proprietary designs. In this project a development version of the libre licensed Libre-SOC system-on-a-chip will be manufactured in a 0.18um process combined with development on the open source tools and open source chip building blocks to make this possible. Development on the free and open source tools will be focused on making them compatible with the selected process and the building block development will be focused on the so-called standard cell library, the IO library and the SRAM compiler. 
This project fits in the longer term goal of the Chips4Makers project to make low-volume custom chip production possible using mature process technologies and free and open source tool chains and building blocks. Purpose is to get innovation using custom chips within reach of small start-ups, makers and even hobbyists. >> Read more about Chips4Makers ASICs Supersizing the Gun — Chipwhisperer open hardware for side channel analysis ChipWhisperer is an open hardware and software toolchain that has been a mainstay of hardware security research. ChipWhisperer is used in academic curricula and in industrial R&D implementation security research labs for high speed side-channel power analysis and glitching attacks. The objective of this project is to explore design changes to the current ChipWhisperer hardware, so as to allow capturing of longer power analysis traces and to cater to higher clock speeds than currently supported. Here, the intent is to make it easier to perform side-channel-related analysis of public-key algorithms, without the need to artificially break down the algorithms into multiple components due to platform constraints. This allows for more realistic and practically relevant attacks. This project additionally entails the development of fine-grained post-processing tools, which would make further analysis of captured traces of public-key algorithms easier. Ultimately, the goal is to work towards candidate post-quantum algorithms, which are known to be more resource-hungry. The project funded by NGI Zero would specifically target design changes to considerably increase the sampling rate (towards 200-250 MS/s) and to provide for a streaming mode (initially envisioned to be roughly 15-30 MS/s). It includes both a new hardware design and a significant update to the current open-source software of the ChipWhisperer platform, as well as demonstration of how to successfully use this with practically relevant ECC public-key algorithms. 
>> Read more about Supersizing the Gun Coloquinte — High performance placement of cells inside digital electronic circuitry A core component of the ASIC design toolchain is the placement tool, which must decide where to place the components of the chip so that it can be manufactured and meet the performance target. To build chips reliably, improve performance and improve power consumption, the placement tool must interact with other complex tools (routing, timing, gate sizing, ...). This requires a complex integration, and is even necessary to target newer technology nodes. Our goal is to provide high-quality placement algorithms with an easy-to-use interface, so it is easy to use in multiple situations and toolchains. Coloquinte started as a component of the Coriolis toolchain. Since then, it has been made into a library for inclusion in other tools and multiple languages. Current developments target the integration with timing tools (for better chip performance) and routing tools (for power consumption, performance and compilation stability). >> Read more about Coloquinte Libre-SOC, Coriolis2 ASIC Layout Collaboration — Open tooling for ASIC Layout One of the key issues in a trusted, trustable ASIC is for the toolchain to be libre-licensed, so that there is no possibility for hardware-level spying or backdoor compromises. The Alliance / Coriolis2 ASIC layout toolchain by LIP6.fr is one of the leading tools in this area. The Libre-SoC is another project being funded through NGI Zero, and at this moment that project needs to get beyond FPGA-proven status. The challenging next phase is to do an actual ASIC layout. With the System-on-Chip being developed in nmigen (a python-based HDL), Alliance / Coriolis2 also makes sense as it is written in Python as well. The funding will go towards doing an ASIC layout in 180nm. 
>> Read more about Libre-SOC, Coriolis2 ASIC Layout Collaboration DMT — Implementation of MOSFET Parameter Extraction Flow for Sky130 into DMT DeviceModelingToolkit (DMT) is a Python tool targeted at helping modeling engineers extract model parameters, run circuit and TCAD simulations and automate their infrastructure. Open PDKs like Skywater130 and IHP SG13G2 have brought about significant disruption in the open-source semiconductor landscape, eliminating barriers and reducing costs for all participants. A recurring issue with such open-source PDKs is the compact models. In this project, a compact model parameter extraction flow will be implemented into the open-source device modelling software DMT for generating improved MOSFET compact models for open-source PDKs. These models can be leveraged by circuit designers for cutting edge designs. The parameter extraction tool will be applied to the recently released IHP SG13G2 PDK to demonstrate its usefulness. >> Read more about DMT DUT Control — Unified Control Interface for Firmware Security Tests The DUT Control project aims to create a unified control interface for real hardware used in firmware security tests. Firmware security plays a crucial role on the internet, especially for servers, as it ensures the reliability and trustworthiness of connected devices. However, firmware development poses unique challenges with regard to testing: Firmware runs directly on the hardware and therefore simulations often fail to cover all edge cases, making it essential to test on actual hardware. Furthermore, firmware is tailored to each hardware type, leading to individualized development. Thus, testing often requires manual intervention, increasing time and effort. DUT Control addresses these challenges by providing an interface to real hardware and an abstraction of hardware inputs and outputs. It is supposed to become the open-source interface between hardware components and testing frameworks. 
>> Read more about DUT Control EEZ DIB — EEZ DIY Instrument Bus The aim of the EEZ DIB project is to enable the creation and management of modular open hardware T&M (Test & Measurement) solutions. Born out of frustration that solutions from reputable manufacturers are feature rich but closed in design and with expensive software licenses, an attempt has been made to fill the gap between such solutions and DIY/hobbyist solutions which, although often open in design, lack the structure, documentation and completeness that could ensure further growth, development and support. The hardware part of the project is EEZ BB3, an open source DIB chassis in a compact format that can accommodate up to 3 peripheral T&M modules which can be monitored locally via touchscreen display with responsive and attractive user interface or remotely via USB or Ethernet using Telnet, MQTT, JS and Node-RED. Additional autonomy and programmability has been achieved by adding support for MicroPython scripting. The software part of the project is EEZ Studio, a free and open source cross-platform application that has two functions: a) a visual editor that simplifies and accelerates touchscreen GUI development and b) management of multiple EEZ BB3 and 3rd party T&M devices for the purpose of simple communication and acquisition, search and presentation of measurement data. >> Read more about EEZ DIB Edalize ASIC backend — Create open hardware silicon with a fully free software toolchain Affordable Open Source ASIC development and custom silicon has been a long-standing goal in the community. This will unlock innovation that has previously only been possible for the largest tech companies, allowing for the creation of deployable, trusted Open Source based hardware. Step by step, this goal has come closer in the last few years as individuals, companies and academic institutions have filled in the missing pieces. 
Today we have a fully open source end-to-end flow for building open source ASIC - but the effort of on-boarding existing designs remains high. This project aims to provide an easy way to onboard existing gateware and full designs to an open source ASIC flow by creating a FuseSoC backend that targets this toolchain. This will enable a smoother transition from projects already running on FPGAs to also be targeting ASIC flows. It will also allow easier switching between different open source ASIC flows at the point when there are several alternatives to choose from. In addition to the backend itself, a reference design containing SERV, the world’s smallest RISC-V CPU, will be run through the flow and committed to actual silicon. This will provide a way to guarantee a working flow and provide a simple but usable reference for everyone else looking to onboard their designs. Enabling and demonstrating this path will allow a fully trustworthy path for the fabrication of system-on-a-chip ICs, with no proprietary or closed tools as part of the flow and hence completely inspectable at all stages. This paves the road for other more complex FuseSoC-based open source silicon projects such as OpenTitan and SweRVolf. >> Read more about Edalize ASIC backend EDeA — A forge suitable for open hardware development The short version: EDeA is a novel approach to allow exploration of and improve discovery within the open hardware ecosystem - in order to help make open hardware designs and components discoverable and reusable. At this moment in time, pretty much everything surrounding open hardware development is manual. Beyond just typing something into a generic search engine there isn't really suitable tooling available to search across what already exists. Accessible and usable distributions, collaboration tools and version control are what drove the free and open source software revolution, now open hardware needs to take the same leap forward. 
Open hardware electronics projects are growing in numbers, thanks to crowdfunding, a strong developer community, and sophisticated open source electronic design automation (EDA) tools like KiCad. Between circuit schematic and printed circuit board (PCB) layout there is a logical association, but they are handled by separate programs, and therefore one can’t simply copy-paste design blocks. In 2020 it is still next to impossible to reuse proven parts of different designs without needless reimplementation. By leveraging KiCad’s pcbnew and eeschema scripting, a new way of building modular, reusable electronics opens. We are creating a catalog and community portal for discovery and development of proven circuit modules: power management, signal conditioning, data conversion, micro-controllers, etc. >> Read more about EDeA FABulous Demo SoC — SoC with open source FPGA based on FABulous Until recently, integrated circuits have largely been treated as blackboxes in the realm of trustworthy hardware. FPGAs, devices that can be programmed by the user to implement arbitrary logic functionality, help to open up this realm. But even with open source software stacks such as Yosys and nextpnr compiling for them, FPGAs themselves are still proprietary silicon. Using the FABulous framework and a wide range of other open IP, we are building an FPGA SoC (combination of an FPGA programmable logic fabric and a Linux-capable RISC-V CPU) that is both itself open source and built with open tools, and also supports the open FPGA toolchain to develop it. Simplicity is a key design decision throughout, so we can use our work to explain how modern computing systems work without the complexity of commercial platforms. >> Read more about FABulous Demo SoC FPGA-ISP-UVC-USB2 — Open hardware FPGA-based USB webcam The USB UVC project is designed to create an innovative and adaptable webcam that easily connects to any laptop, providing high-quality video without the need for special drivers. 
Unlike ordinary USB webcams that often come with proprietary software and limited functionality, this project aims to deliver a flexible, open-source solution that can be tailored and improved by anyone. The webcam will offer superior video quality with features like automatic brightness adjustment, color correction, and real-time video compression, making it ideal for video calls, streaming, and other visual applications. By focusing on open-source principles, this project ensures that the technology is accessible, modifiable, and transparent, allowing for continuous community-driven enhancements. This project stands out because it is not locked into proprietary ecosystems, offering users greater control and flexibility over their hardware. It can work with a wide range of computer models, providing a versatile tool for both personal and professional use. Additionally, the open-source nature of the project means that it can be continuously improved and customized by developers around the world, fostering innovation and collaboration. >> Read more about FPGA-ISP-UVC-USB2 FPGA Fault Injection Testing — Better testing towards preventing fault injection in FPGAs Fault injection aims at disrupting the orderly way in which data and instructions in a chip are processed. This can be achieved, e.g., by malicious glitches that briefly interrupt the supplied voltage of the chip. To better protect against faults, countermeasures need to be implemented, such as glitch sensors that can detect these adversarial conditions. Due to the wide range of fault injection methods, the development of glitch sensors is time-consuming and requires a wide range of lab capabilities. Within the context of FPGAs, such testing is often not feasible due to their unique configuration based on a bitstream. 
In this project we seek to demonstrate that in-situ fault injection by creating short-circuits in an FPGA is possible and that this can be used to emulate similar effects in the circuit that otherwise would require costly external instruments. In addition, since FPGAs can be reconfigured quickly, it is possible to rapidly test a wide range of fault injection configurations. We then implement and compare glitch sensor designs in the FPGA and compare them to the state of the art (attacks and countermeasures) with the expectation to improve over previous results, as the fine-grained in-situ fault injection process is expected to offer more control over the testing process, resulting in a better calibration of the glitch sensor. >> Read more about FPGA Fault Injection Testing FastWave — Modern waveform VCD parser Whilst the fields of open-source hardware design tooling (including synthesizers and layout tools, and open-source digital logic/VLSI gateware) have recently experienced a significant renaissance, simulation visualization tools have not enjoyed similar advancements. This is noteworthy given that verification comprises approximately 80% of the digital logic development cycle. Efficient visualization and debugging of SOC simulations are thus becoming ever more critical. Fastwave, currently developed as a VCD (Value Change Dump) parser in Rust, along with its visualization frontend, Surfer, aims to address this gap. Future iterations of Fastwave will enable advanced visualization of simulation states through custom user plugins. Potential applications include, but are not limited to, visualizing CPU pipeline states with pipeline diagrams or representing mesh network activity by simply loading a VCD file. Plans for expanding the Fastwave suite include features like tracing signals to their source, allowing users to pinpoint the HDL conditions that prompted changes in simulation signal states. 
Ultimately, Fastwave intends to reduce the workload for digital logic designers by enabling them to align the tool's visual outputs with the mental models they already have of their hardware systems. >> Read more about FastWave FemtoStar Project — Open Hardware Communications Satellite The FemtoStar Project is developing a low-cost communications satellite, intended for use as part of a scalable, decentralized network enabling verifiably anonymous, geolocation-resistant communications on a global scale. While many anonymizer services are currently available to users of existing communications systems, these serve simply to separate knowledge of identity (which still lies with the communications service provider) from knowledge of activity (which lies at the exit of the anonymizer service). All current wide-area communications networks are fundamentally identifying (users and their hardware are, at minimum, pseudonymous to the network) and no two-way communications system offers any meaningful degree of resistance to geolocation of the user. The FemtoStar Project intends to use a constellation of FemtoStar satellites to provide global, space-based open communications infrastructure linking users to services (which can be operated by anyone, and require no special ground station installation beyond a regular FemtoStar user terminal) or directly to other users, and requiring no identification or geolocation of user terminals. We are seeking funding for the development of a prototype satellite and user terminal, implementation and testing of the FemtoStar protocol on this hardware, and, dependent on funding amount and regulatory approval, the licensing and launch of one FemtoStar satellite to low earth orbit for system testing and, possibly, for use in a limited open beta service. 
With prototype hardware and, ideally, with one production satellite in orbit, the FemtoStar Project will be able to validate the FemtoStar system and move towards our goal of operating a scalable constellation for global, verifiably-private communications service - a world-first in privacy technology. >> Read more about FemtoStar Project Flashkeeper — Write Protection on SOIC-8 flash chips without soldering Firmware security projects such as Heads assume the firmware itself to be protected against tampering. Outside of proprietary solutions such as Boot Guard, partial write protection (WP) of the SPI flash chip (recently implemented by 3mdeb) is one solution. However, WP requires grounding the chip's WP pin, something that currently requires users to solder to the chip. As many users find this difficult, this has limited \"retrofit\" adoption of WP. This project is developing Flashkeeper, a device that can be permanently installed on a common SOIC-8 flash chip. It attaches to the chip with a peel-and-stick layer and spring-loaded contacts or low-profile solder-down flex cable, interfacing with the SPI flash pins for easy write protection and external reprogramming (unbricking). For users concerned with physical attacks on their systems, for whom easy access to SPI flash pins may be seen as a risk, a variant including a microcontroller (MCU) is also being developed, allowing authenticated external reprogramming and WP control, and independently verifying the SPI flash image against a user-controlled signature each boot. >> Read more about Flashkeeper Fobnail — Remote attestation delivered locally The Fobnail Token is a tiny open-source hardware USB device that provides a means for a user/administrator/enterprise to determine the integrity of a system. To make this determination, Fobnail functions as an attestor capable of validating attestation assertions made by the system. 
As an independent device, Fobnail provides a high degree of assurance that an infected system cannot influence Fobnail as it inspects the attestations made by the system. Fobnail software is an open-source implementation of the iTurtle security architecture concept presented at HotSec07; in addition, it will leverage industry standards like TCG D-RTM trusted execution environment and IETF RATS. The Fobnail project aims to provide a reference architecture for building offline integrity measurement servers on the USB device and clients running in Dynamically Launched Measured Environments (DLME). It allows the Fobnail owner to verify the trustworthiness of the running system before performing any sensitive operation. Fobnail does not need an Internet connection, which makes it immune to the network stack and remote infrastructure attacks. It brings the power of solid system integrity validation to the individual in a privacy-preserving solution. >> Read more about Fobnail Frugal EDA — Energy-efficient circuits and systems through quantum superconductivity FRUGAL EDA is an open-source user-friendly software design suite dedicated to energy-frugal electronics based on the amazing quantum physical properties of superconductivity. Its objective is to enable the design of energy-efficient ultra-high-speed (up to clock frequencies of several hundred GHz) quantum-based circuits and systems for the widest possible audience. FRUGAL will emulate the development of new circuits and functionalities so that disruptive quantum electronics can take its place in the current highly-competitive emerging technology landscape. One goal is to increase the number of students and newcomers interested in designing quantum-based circuits without the need of unaffordable tools, proprietary technologies or steep learning curves. 
FRUGAL embeds a set of open-source software tools comprising a schematic editor (LibrePCB), a SPICE netlist converter (L2SPICE), quantum time-domain simulators (JSIM and JoSIM) and a layout editor (KLayout). More designer-oriented features will be added along the course of development. >> Read more about Frugal EDA Libre/OpenCores FuseSoc backend — Discovery and use of open hardware gateware through LibreCores and OpenCores Chip (FPGA/ASIC) development is normally done in a very hierarchical manner where gateware is used to build up subsystems which are combined to a full chip design. On paper, this lends itself very well to reusing parts in many different chip designs, but the actual amount of reuse has always been hampered by the lack of tooling to manage and combine gateware. Compare this to the software world where languages such as JavaScript, Python or Rust have a rich ecosystem of user-created reusable parts that can be used as a base to quickly build new applications. This project aims to provide a similar ecosystem for chip development where users can publish their cores, find the cores they need and build upon these to rapidly create new designs. >> Read more about Libre/OpenCores FuseSoc backend Collection of Verified multi-platform Gatewares — Comprehensive repository of open source gateware designs The \"Verified Multi-Platform Gatewares\" project will create a comprehensive repository of gateware designs that are compatible with various FPGA development environments and boards. The goal is to reduce the barriers to FPGA development by providing designs that are rigorously tested and maintained for compatibility. The project will host these open source designs on a dedicated website, ensuring they work seamlessly across multiple toolchains and boards. The collection will range from beginner to advanced designs, serving as educational resources and benchmarking tools, continually updated to prevent bitrot. 
>> Read more about Collection of Verified multi-platform Gatewares Verilog-AMS in Gnucap (cont'd) — Analog/Mixed modelling and simulation in Gnucap Verilog-AMS is a standardised modelling language widely used in analog and mixed-signal design, but without an open reference implementation. Gnucap is a modular mixed-signal circuit simulator that partially implements Verilog-AMS and aspires to eventually implement the complete language. In 2023, with NLnet support, we made significant progress in support for Verilog-AMS, the \"analog\" part, also known as Verilog-A, both on the simulator side and in the model compiler. For 2024, we will extend the work, concentrating on three tasks. The first is extensions to modelgen, the model compiler, essentially completing the analog part of Verilog-AMS, with some digital. The second task is enhancements to the simulator, mostly related to fast simulation of large mixed circuits, with both analog and digital parts. The first and second tasks are related to the \"mixed-signal\" aspect of Verilog-AMS. The third task addresses interoperability with other software, including schematic entry and layout, ability for Gnucap to use device models from other simulators, for modelgen to generate code to be used with other simulators, and porting some analysis commands. >> Read more about Verilog-AMS in Gnucap (cont'd) Verilog-AMS in Gnucap — Mixed-signal modelling and simulation with Verilog-AMS Verilog-AMS is a standardised modelling language widely used in analog and mixed-signal design, but without an open reference implementation. The language supports high-level behavioural descriptions as well as structural descriptions of systems and components. This project will make substantial progress towards a Gnucap-based free/libre Verilog-AMS implementation. Gnucap is a modular mixed-signal circuit simulator, and has been released under a copyleft license with the intent to avoid patent issues. 
Gnucap provides partial support for structural Verilog and encompasses an analog modelling language that has influenced the Verilog standards. We will enhance data structures and algorithms in Gnucap, and improve Verilog support on the simulator level. We will implement a Verilog-AMS behavioural model generator targeting Gnucap with the intent to support simulators with similar architecture later on. >> Read more about Verilog-AMS in Gnucap Porting Guix to Riscv64 — Port Guix software collection to Riscv64 architecture This project will work on bringing the Rust support of GNU Guix on Riscv64 up to fully supported, with the bootstrap chain from source. It will also bring Riscv64 in Guix up to the full level of support that is expected of commonly used architectures, ready to be used in all the applications where GNU Guix is already found. Riscv64, being an Open Architecture, freely available to anyone who wants to implement processors, goes a long way towards ensuring that our future computing platforms are free of hidden backdoors. GNU Guix, being a true Free Software Operating System and compiled from source from a small bootstrap binary, with reproducibility guarantees, is as close as the computing community has come to a fully auditable software chain that makes sure all the software we run on our computers is what we intend, and nothing more. By combining the Riscv64 architecture and GNU Guix for software we can reach toward a fully secure and auditable computing platform that we might consider trusting. >> Read more about Porting Guix to Riscv64 Hardware accelerated 2D graphics — Design hardware accelerated 2D graphics using C to Verilog This project is to develop a hardware accelerated 2D video controller for easily adding user interfaces to industrial and commercial machines. 
Besides offering a useful product and fulfilling a long-standing need for embedded systems development, it will also encourage people to engage in FPGA-based hardware development by using more friendly tools. Traditionally, to make stand-alone machines and systems (i.e. not based on PCs but on custom computing boards), if developers need to add graphical user interfaces (GUI) they are offered only two inconvenient options: use a complex system like a Linux-capable board, or limit performance to low resolutions that are unsuitable for medium to large displays. The latter case simply prevents successfully marketing those products, while the former requires a high degree of qualifications in embedded systems development, to build simple products like signage systems or vending machines. This project is somewhat inspired by the success of the Arduino project, a product and ecosystem that greatly simplified the design of not too complex machines, and encouraged a lot of people to do their own designs. Currently, with the easier Arduino and similar systems, there's no way to control professional user interfaces, so many developers stay out of the field. With the proposed system, instead, it is easy: you can send drawing commands to the board right from the Arduino system, through a provided library. The board then loads previously stored images and fonts to render the GUI at a high resolution. The drawing commands are implemented with hardware acceleration to meet speed needs, and the cores for achieving that (FPGA gateware) will be written in the widely known C language. This is solved with a custom tool for conversion to Verilog, that offers fast graphical simulations too. This will encourage people who know the language from software development, to enter the hardware design field. Also, the widely known and easy to learn MicroPython language will be offered, to further ease implementing devices. 
>> Read more about Hardware accelerated 2D graphics Open Hardware Manuals — Automatically generate user-friendly documentation for open hardware elements This project will create a tool that automatically generates Computer-Aided Design (CAD) models, assembly documentation, graphics, and user guides based on user provided configurations. These documents can be continuously updated, localized, and are shareable - akin to an always up-to-date Ikea-style assembly guide. The tools developed during this project will also be applicable to other open hardware projects, empowering designers to produce hardware that is more adapted to specific contexts, without creating fragile documentation that always goes out of date when a change is made to the design. >> Read more about Open Hardware Manuals IC workspace — Open Source IC Design Management Tool IC workspace is a design management tool that addresses the complexity of working with scattered design domains that span analog, digital, EDA tools, flows and process development kits (PDKs). In the process of designing a chip, multiple people need a common organized structure to work on design capturing schematics, generator, custom layout, high level digital design combined with test benches in various domain specific formats. Each tool in the open source domain has its own file structure. IC workspace is an open source framework with tools that individual designers and teams use to organize design files in a local workspace. IC workspace integrates interfaces to source code version control systems, the various tools in the design flow and organizes the files in a workspace with a unified component structure with dependency attributes. IC workspace sets common language and methodologies for both analog and digital – frontend/backend designer to maximize productivity within the open source chip design ecosystem of tools, PDKs and people. 
>> Read more about IC workspace Icestudio — Visual developer tool for development of FPGAs Icestudio is an open source integrated development environment (IDE) with a \"no code\" philosophy that, through a block and diagram oriented visual interface, simplifies and streamlines the design of digital electronics on FPGAs. The simplicity of the concept breaks with the complexity of other tools in proprietary EDA environments, being able to meet the educational needs of STEM disciplines for the youngest students in schools, institutes, and universities, as well as providing more advanced users with a tool that simplifies their workflow in a much more user-friendly and visual environment without losing power or control. Through its frictionless installation system and the generation of Verilog code from the visual design, Icestudio allows users to get started immediately, acting as an integrating element between designers and manufacturers of open hardware, with developers of open software solutions for synthesis such as Oss Cad Suite and transpilers such as Silice, Amaranth, or Cflexhdl. Icestudio has the vocation of becoming the standard as a visual IDE for digital design on FPGAs, allowing other code-oriented IDEs to integrate it as part of their solution in the near future. >> Read more about Icestudio YunoHost and the Internet Cube — Solutions for DIY-ISPs and self-hosters YunoHost is a free and open-source server distribution that provides a self-hosted alternative to commercial centralized services, and allows people to take back control over their data. YunoHost aims to make server administration accessible to the general public and ultimately make personal servers as common as desktop computers. Based on YunoHost, the Internet Cube project develops an affordable plug-and-play server that can be bought and easily deployed at home by the general public. 
In addition to its self-hosting capabilities, it provides a privacy-enhancing WiFi hotspot which protects its users from censorship and metadata leaks. And because it is low-power, it can be used even in remote and offline situations. >> Read more about YunoHost and the Internet Cube JellyfishOPP — Open Hardware device for power profiling JellyfishOPP (Open Power Profiler) is an affordable open-hardware measurement device designed to provide advanced, bidirectional power measurements and profiling, power optimizations, and battery profiling/simulation. It primarily targets developers of ultra-low power devices such as IoT sensors and wearable electronics, while also serving engineers and hobbyists. OPP will be a portable USB device that can be controlled through a host computer or smartphone app. Additionally, it will feature a simple on-device user interface for basic functionalities, eliminating the need for a host device in certain scenarios. >> Read more about JellyfishOPP KiCad-IPC — Add RPC API, multichannel designs and schematic variant system to FOSS EDA suite KiCad is an open source electronics design application (EDA) suite. The program includes schematic capture, printed circuit board (PCB) layout, circuit simulation, 3D viewer, and many other tools to provide the best possible user experience for professional electronics designers while still remaining approachable for new and inexperienced users. It is available for Windows, macOS, and Linux and is released under the GPL3+ license. >> Read more about KiCad-IPC KiKit — Tooling for automation of production of PCB designed in KiCAD The EDA suite KiCAD is a widespread libre solution for designing electronics. KiKit is a Python library, KiCAD plugin, and a CLI tool to automate several tasks in a standard KiCAD workflow. The main goal of KiKit is to make the step from finishing a PCB design to having a physical PCB as easy as possible, as fast as possible, and as error-proof as possible. 
It achieves that via automation of manufacturing data preparation. The automated processes are reliable, repeatable, and require zero designer input. Thus, they are error-proof. KiKit allows you to perform sanity checks of the PCBs, build panels according to the description and generate manufacturing data (gerbers, assembly files, BOMs, stencils), PCB documentation, and more. All this can be fully automated and, e.g., integrated into continuous-integration pipelines. Not only does KiKit provide ready-to-use pipelines for the most common scenarios, but it can also serve as a framework for building custom PCB post-processing setups. >> Read more about KiKit Kintex-nextpnr — Open toolchain for high performance FPGAs FPGAs are reconfigurable chips capable of handling many electronic signals in parallel. They are used in network equipment like backbone switches, firewalls, video devices like surveillance cameras and radio equipment like mobile-phone base stations and radar systems and satellites to process high volumes of data with very low latency. FPGAs are also used to test digital circuit designs before they are manufactured as chips. The functionality of FPGAs is determined by a configuration file which is loaded into the FPGA at power-on. The configuration file is usually generated from a design file by a proprietary closed source tool provided by the manufacturer of the FPGA. nextpnr-Kintex will provide a complete set of open source tools to generate a configuration file for the widely used family of Kintex7 FPGAs from manufacturer Xilinx/AMD without having to use any proprietary tools. This will empower digital design engineers to have the guarantee that no backdoor is implemented on FPGA based devices by the proprietary design tool provided by the vendor. The availability of the source code of the FPGA design tool will also allow innovators to come up with new use cases for FPGAs currently not possible with proprietary tools. 
Overall, the project will help to increase the security of FPGA based wired and wireless network infrastructure in Europe. >> Read more about Kintex-nextpnr Wireguard-1GE FPGA — Implement Wireguard in Verilog WireGuard is a modern data tunneling and encryption protocol for Internet security. Traditional VPN solutions such as OpenVPN and IPSec are outdated, bloated, and have security gaps. While WireGuard in many cases will be a superior alternative, the performance of a software implementation will not always be enough for high-throughput use cases. The project will implement the WireGuard protocol on a cost-effective Artix-7 FPGA, targeting a board supported by open-source tools for Xilinx with four 1Gbps Ethernet ports. The corresponding gateware will be written in the industry-standard Verilog, welcoming everyone to contribute and review our code, helping us make it more secure and widely used. This project promises to deliver a working prototype of WireGuard in hardware in complete alignment with the spirit of the open-source movement. >> Read more about Wireguard-1GE FPGA Langsec in Pectore — A secure pacemaker created from formal grammars Design and build a Proof-of-Concept (PoC) cardiac pacemaker circuit with an analog/mixed-signal CMOS ASIC based on a description of the device functionality as formal grammar/automaton based on language security (langsec) design principles. Internet-of-things (IoT) devices are usually designed around a general purpose microcontroller with a much larger state space than needed for their purpose. Only after the initial design, interface capabilities of the IoT device are artificially restricted for privacy and security. An implanted pacemaker is a safety-critical IoT device that fits into a very small state space, as proven by early pacemaker designs that did not use high performance microcontrollers. 
Langsec methods use formal grammars to specify minimal interface parsers to reduce the attack surface, but not the attack volume behind the attack surface. As PoC, formal langsec methods are adapted to reduce the attack volume of a pacemaker: A domain-specific language (DSL) translates requirements of a cardiac pacemaker patient and an information security researcher (ideally one and the same person) into an implantable minimum state space analog/mixed signal pacemaker application specific integrated circuit (ASIC). Such a minimum automaton methodology can be transferred to less life-critical IoT devices. ASICs for minimum automaton IoT designs are a use case for completely free CMOS IC fabrication processes, e.g., LibreSilicon. Non-essential state space that isn't implemented can't be hacked. >> Read more about Langsec in Pectore Libre-SOC — A fully open hardware System-on-a-Chip It is 2019 and it is not possible to buy a mass-produced laptop, tablet or smartphone and replace all of its software (with software that a user can trust) without loss of functionality. Processor boot-loaders are DRM-locked; WIFI, 3D Graphics and Video Processors are proprietary, and Intel's processors contain problematic features and non-transparent elements such as the \"Management\" Engine. The most logical way to restore and engender trust is to literally make a new processor - one that is developed transparently and may be independently audited to the bedrock. The project develops a low-power, mobile-class, 64-bit Quad-Core OpenPower SoC at a minimum 800 MHz clock rate, suitable for tablet, netbook, and industrial embedded systems. Full source code files are available for the operating system and bootloader, and the actual processor, its peripherals and its 3D GPU and VPU. 
Details at https://libre-soc.org/3d_gpu/ >> Read more about Libre-SOC Libre-SOC HPC — Work on High Performance Compute capabilities for Libre-SOC LibreSOC has made significant progress in the development of Digitally-Sovereign VLSI designs. This project will continue to further that initial research, as creating High Performance Compute capabilities for ultimate use in end-user products such as smartphones, desktops, laptops and Industrial Embedded PCs is clearly important. We therefore aim to further the IEEE754 Pipelines, associated Formal Correctness Proofs, and continue implementing unit tests, Simulator, Processor Core implementing Power ISA and Draft SVP64, as well as documentation. In order to engage with developers and solicit feedback we will present the progress and outcomes at relevant technical conferences. >> Read more about Libre-SOC HPC Libre-SOC OpenPOWER ISA WG — Steward ISA extension proposals through OpenPOWER External RFC Process The Libre-SOC project has developed Draft SVP64 (a Vector Extension for the Power ISA), containing around a hundred new Draft instructions that dramatically improve the Supercomputing-class Power ISA. It also produced a Simulator, thousands of unit tests and over 350 pages of documentation. What we could not do however was submit a Specification to the OpenPOWER ISA Working Group - because the ISA WG was still in the process of being ratified. That has now been done, and we need to begin the formal process of writing up \"Requests For Change\" and submitting them. The end result will be an extremely powerful Vector ISA suitable for use in Digitally-Sovereign end-user products. >> Read more about Libre-SOC OpenPOWER ISA WG LibreCellular — FOSS technology stack for 4G networks The LibreCellular project makes it easier to create 4G cellular networks with open source software and low cost software-defined radio (SDR) hardware. 
Achieving this via validated hardware and software configurations that are subjected to rigorous end-to-end testing via a continuous integration (CI) platform, supported by tooling and documentation for repeatable deployment. This NLnet funded work will build on previous efforts and enable the integration of a more advanced core network, together with support for Voice-over-LTE (VoLTE). In support of which the existing CI hardware platform will also be extended and tests developed to provide VoLTE coverage. Finally, a previously developed medium power RF amplifier will be further developed to create a complete RF front-end, and a deployment manual will be created which covers topics such as antenna selection, spectrum licensing and EMF assessments. >> Read more about LibreCellular LibrePCB — EDA software suite to develop printed circuit boards LibrePCB is a free and open source electronics design automation (EDA) software suite to develop printed circuit boards (PCBs). It runs on all major platforms and aims to be easy to use, while still being able to create professional schematics and PCBs. The goal is to make creating electronics easier, more efficient and less error-prone by using modern technologies and user interface concepts. LibrePCB therefore streamlines the whole PCB design process — from installing part libraries to ordering the final PCB design. Having such a free, powerful EDA software is the foundation for the whole open hardware community as it allows us to reduce the dependency on proprietary and expensive technologies and empowers everyone to develop hardware for free, from hobbyists to professionals. >> Read more about LibrePCB LibrePCB 2.0 — New UI & powerful features for a future-proof LibrePCB LibrePCB is a free and open source electronics design automation (EDA) software suite to develop printed circuit boards (PCBs). It runs on all major platforms and aims to be easy to use, while still being able to create professional schematics and PCBs. 
While it is already used productively by people all around the world, the development of new features became stuck because of limitations of the current UI concept. To pave the way for new features, a completely new UI will be developed with the goal of having a unified, tabbed window as known and proven by many other applications. In addition, a first attempt of moving from C++ to the safer language Rust will help us to benefit from modern technologies. Together with more import/export capabilities, performance improvements and other frequently requested features the outcome will be released to users by a new major version LibrePCB 2.0. >> Read more about LibrePCB 2.0 The Libre-SOC Gigabit Router — Native Open Hardware chip implementation of crypto primitives The Libre-SOC Project is developing a Libre System-on-a-Chip in a transparent fashion to engender end-user trust. Based on the OpenPOWER ISA, the next logical step is to extend and modernise OpenPOWER into the cryptographic and blockchain realm, and to do so in a practical way: design a Router ASIC. Whilst many commercial ASICs would do this using hard-coded non-transparent blocks or instructions, true transparency really only exists if the ISA has general-purpose primitives that can be Formally (mathematically) validated. The Libre-SOC Crypto-router Project therefore goes back to mathematical \"first principles\" to provide general-purpose Galois-Field, Matrix abstraction and more, on top of Simple-V Vectorisation. This provides flexibility for future cryptographic and blockchain algorithms on a firm transparent foundation. >> Read more about The Libre-SOC Gigabit Router LibreSilicon — Free/open source semiconductor manufacturing process LibreSilicon aims to reduce the steep entry barriers to full custom application-specific integrated circuit (ASIC) design and help people to regain trust in their computing devices, right at the bedrock: When they are manufactured. 
LibreSilicon provides a standard for manufacturing semiconductors which allows platform independent process design kits (PDKs) and design rules that allow manufacturing the same chip layout in any factory that has calibrated their process according to the LibreSilicon specs. By introducing this process standard, full custom ASIC design should become available to private persons without corporate or academic access to IC foundries. After democratizing software development with tools like Arduino, and PCB design with tools like KiCAD, LibreSilicon will democratize ASIC design, and GDS2 intends to become the new Gerber file format for semiconductor manufacturing. >> Read more about LibreSilicon Libre Silicon compiler — Synthesize, place and route hardware description to silicon LibreSilicon Compiler (LSC) is a place + route suite for silicon. The main focus of this project is to produce legal and efficient silicon layouts from digital netlists (e. g. BLIF, EDIF). Traditionally the placement and routing problem are handled separately and in sequence and the final layout is given by the routing step. In this setup the routing step gains information from placement but not the other way around. LSC attempts to shift this paradigm to create a feedback loop between the two main problems to improve the solution. Furthermore we are incorporating formal methods to produce the compiler software and to verify resulting layouts. While the latter is standard practice, proving properties of the compiler software itself is only widespread in the domain of software compilers. This exercise will be favored by the use of the programming language Haskell and advanced theorem provers. Finally this software aims to profit from explicit module hierarchies given by the developers of digital logic in register-transfer level (e. g. Verilog, Chisel). 
Greedy solutions can be found for highly modularised chips: when logic is not inlined in the conventional software compiler sense, the size of problem instances is kept small. This also gives parallelism for free, as the dependency tree is resolved from the bottom up. >> Read more about Libre Silicon compiler Standard Cell Library — Open Standard Cell Library with automated dimensioning of transistors Without having an open standard cell library, any open hardware project depends on unknown components. This significantly hampers innovation, and is on the critical path of delivering truly open hardware chips. LibreSilicon's approach to this problem is generative, working from a (potentially verifiable) algorithm for automated sizing of transistors. All commercially available Standard Cell Libraries contain a small subset of all useful cells only, limited by the manpower of the vendor. They are hand-crafted and error-prone, and typically require Non-disclosure agreements (NDAs) while heavily depending on the underlying PDKs - meaning that the outcome is hard to verify and trust. The goal is to produce a production quality free and open source Standard Cell Library. >> Read more about Standard Cell Library Port of AMDVLK/RADV 3D Driver to the Libre-SOC — Adapt Vulkan Drivers to the Libre-SoC The Libre SoC is being developed to provide a privacy-respecting modern processor, developed transparently and as libre to the bedrock as possible. As a hybrid processor, it is intended to be both a CPU and a GPU. GPUs are typically proprietary (and thus not fully transparent), as is the 3D driver software. The SoC design requires a Vulkan compliant hybrid hardware-software API. The development of the Kazan 3D Driver (developed from scratch inside the Libre SoC) that aims to provide such an API is therefore on the critical path to final release. 
Given the complex nature of 3D driver development, and because Kazan is a novel approach (written in rust, for security reasons) that dependency is considered a liability. This project develops a second, more traditional Mesa3D driver in c++. This reduces the pressure on the Kazan development, and allows for benchmarking and increased transparency and collaboration on this ambitious project. >> Read more about Port of AMDVLK/RADV 3D Driver to the Libre-SOC Libre-SOC Formal Correctness Proofs — Mathematical unit tests for open hardware System-on-Chip Hardware projects like the Libre-SOC Project involve writing an inordinate amount of comprehensive unit tests to make sure everything functions the way it should. This is a critical and expensive part of the overall design process. Formal Mathematical Proofs (already quite popular in secure software development) provide an interesting alternative for several reasons: they're mathematically inviolate, which we believe makes them more trustworthy. And they are simpler to read and much more comprehensive (100% coverage), saving hugely on development and maintenance. From a security and trust perspective, both aspects are extremely important. Security mistakes are often accidental due to complexity: a reduction in complexity helps avoid mistakes. Secondly: independent auditing of the processor is a matter of running the formal proofs. The project aims to provide proofs for every module of the Libre RISC-V SoC, and therefore contributes significantly with the larger goal of developing a privacy-respecting processor in a way that is independently verifiable. >> Read more about Libre-SOC Formal Correctness Proofs Libre-SOC Formal Standards Development — Formal Standards for OpenPower extensions from Libre-SoC Libre-SOC was first funded from NLnet in 2018. 
This was for the core of the project, based on an informally-developed Hybrid CPU-GPU 3D instruction set that had been written (and implemented in a simulator) in the 18 months prior to contacting NLnet. During the implementation it became clear that a lot more work is needed, and, further, that to meet proper transparency criteria, the proposed instruction set enhancements would need to be properly written up. In addition, negotiations and communications with the Standards Body responsible for POWER ISA (the OpenPower Foundation) also needed to be taken into consideration. The goal of this project is to deliver on those requirements, and achieve full transparency and understanding of the Libre-SoC. >> Read more about Libre-SOC Formal Standards Development Libre-SOC Video Acceleration — Optimised video acceleration instructions for Libre RISC-V SoC The Libre-SoC Project, has been funded by NLnet to get to FPGA-proven status. This was for the \"core\" (the main processor). One of the next, specialist, phases, is to ensure that its capabilities are useable to perform Video Acceleration. To do so, Video Software such as ffmpeg, gstreamer and their low-level libraries need to actually use the hardware-accelerated capability. A \"normal\" commercial processor usually has a separate proprietary VPU, along with proprietary software: both unfortunately are vectors for attack against users, undermining trust and privacy. Without access to Video Acceleration, users are left with the stark choice: be compromised, or don't watch any video, period. This project therefore provides a commercial-grade Video Decoder (minimum 720p) and helps restore trust in the software *and* hardware. >> Read more about Libre-SOC Video Acceleration LiteX — Developer framework for FPGA and ASIC designs LiteX is a versatile Python-based framework designed for building FPGA SoCs, providing a useful tool for developers working with FPGA and ASIC designs. 
Within this project we will improve LiteX by simplifying its use across three main tasks: creating FPGA-based accelerators and innovative ASIC SoCs, and running CI tests on FPGA boards. For supporting FPGA-based accelerators we will develop a user-friendly infrastructure for developers to create their own accelerators using their preferred HDL language, along with example projects and documentation for various FPGA boards. We will extend LiteX CI tests to hardware to maintain stability, avoid regressions when introducing new features and enable testing of configurations that are difficult or impossible to simulate. And by introducing ASIC support to LiteX we enable people to create innovative ASIC SoCs. We start with a SKY130 build backend, and will extend the framework to streamline switching between different flows: Simulation, FPGA prototyping, and ASIC. We subsequently collaborate with other NLnet-funded projects to create an innovative SoC to validate the toolchain. By delivering these tasks, the project will support the LiteX ecosystem, encourage innovation, and share the outcomes within the open-source hardware community. >> Read more about LiteX LunaPnR Phase 2 — A versatile and fast new open-source place and route tool Making a custom chip (ASIC) requires a vast arsenal of tools, to do synthesis, simulation, parasitic extraction and schematic entry. LunaPnR aims to add a robust open-source automated place & route tool to the equation. Luna targets ASIC processes larger than 100nm, in which it can perform place & route, do clock-tree synthesis and timing verification. This allows the design of e.g. mixed-signal (analogue + digital) chips used in sensors and IOT devices. LunaPnR integrates well with existing open-source tools, such as YosysHQ's Yosys (a logic synthesis tool) and KLayout (a manual ASIC layout tool), but also with commercial tools via industry standard file formats (LEF, DEF and GDS). 
A fully open toolchain allows for a complete chain-of-trust between the chip designer and the chip manufacturer, from digital design to GDS2 and back (via wafer inspection). In this new project LunaPnR will implement and test detail routing algorithms, enhancing the quality of the parasitic extraction for use with the OpenSTA static timing analyzer, speed up the graphical user interface (so it can render very large designs efficiently), implement and test the power structure/special net/padring placer & router, and integrate Logic Equivalence Check (LEC). >> Read more about LunaPnR Phase 2 MEGA65 Phone Modular MVP — OSHW mobile device with form-factor of hand-held game consoles The previous MEGAphone project laid the groundwork for creating personal communications devices that are secure through simplicity. This project extends that work by making the hardware modular, at some cost of minimum size, so that it becomes much more feasible for small communities to produce and maintain their own units, even in the face of supply chain challenges and other contributors to the \"digital winter\", i.e., the situation where open innovation becomes more difficult due to a number of factors. This will also make it easier to include diverse resilient communications options, whether RF, optical or acoustic, so that peer-to-peer communications networks can be sustained even in environments that are hostile to freedom of communications. For this reason energy sovereignty will also be part of the design, so that even if all civil infrastructure is denied, that basic communications and computing functions can be sustained, with a single device whose security can be much more easily reasoned about. >> Read more about MEGA65 Phone Modular MVP MNT Reform — A trustworthy open hardware laptop MNT Reform is a modular open hardware laptop, the first of its kind - designed and built in Europe. The project has high ambitions in terms of usability and user experience. 
A mechanical keyboard and an elaborate industrial design provide for professional ergonomics. MNT Reform uses RISC processors like ARM and has no built-in recording technology. It runs a free and open source software stack from the ground up. Third parties can easily contribute to the development of new modules. The modular approach does not only make the laptop more extensible but also improves sustainability, and supports the right to repair. During the project, the team will develop two open hardware System-on-Modules. The first module is based on NXP LS1028A, and will increase RAM capacity to up to 16GB and make external GPUs usable. The second open hardware SoM uses an FPGA (field programmable gate array) to support the validation of open silicon SoC projects in a real laptop. Modules like this make the development of embedded computers easier for open hardware engineers by pre-solving risky and expensive challenges. Finally, we will develop an optional camera module for MNT Reform as part of the project, which will allow the laptop to be used for remote learning and video conferencing. >> Read more about MNT Reform MNT Reform Next — New iteration of the MNT open hardware laptop MNT Reform Next is a new, thinner and higher performance version of the renowned Open Hardware laptop MNT Reform. It adopts connectivity standards like USB-C and PD charging, remains modular and aligned with the Right to Repair, and is built with longevity in mind. The project aims to bring Open Hardware computing and Free and Open Source Software to a larger audience by lowering cost and increasing portability while delivering more processing power. 
>> Read more about MNT Reform Next Test Procedures for MOSFET SPICE Model Validation — Verilog-A compact models validation for Open PDK's The emergence of open PDK initiatives reduces barriers to entry for integrated circuit (IC) design and manufacturing, serves the long-term goal of promoting academic/industrial collaboration, and stimulates innovation in the field of semiconductor IC design. Open PDKs have the potential to \"standardize\" PDKs (process design kit), and move away from proprietary/licensed EDA vendor formats. This is needed to democratize open source IC design flow and manufacturing. Open PDKs provide open access to IC design resources. The compact/SPICE models of semiconductor devices are the core of open PDK efforts. SPICE executes implemented Verilog-A compact models. A model of a semiconductor device (passive elements and active, eg: diodes, mosfets, bjts) is primarily a \"compact device model\". Validation benchmarks are not yet available in the public domain. This project represents the very first attempt to implement these tests for the compact model available in open PDKs. It aims to establish such tests for the compact models in open PDKs, which are intended to be generic enough for model quality assurance testing with FOSS circuit simulators such as GnuCAP, ngspice, xyce, Qucs, among others. >> Read more about Test Procedures for MOSFET SPICE Model Validation Machdyne — Modular open compute hardware Machdyne designs and builds small computers intended for timeless applications such as reading, writing, math, education, organization, communication, and automation. We are creating a new series of open-source computer designs based on European-manufactured FPGAs. These computers will use an updatable open-source System on a Chip (SoC) that can be fully audited, understood and trusted. 
>> Read more about Machdyne MEGA65 Phone — A phone simple enough to understand in full Much of the insecurity and lack of privacy is the simple result of how complex computers, the internet and all of the protocols and technologies that they include are. It seems that the majority of proposals to fix this solution consist of adding something to this complicated mess. While this has helped to reduce the symptoms of the problem, by adding complexity it has actually made the problem worse. There are simply too many places for insecurities and privacy violating software to hide in modern complex systems. Even the hardware itself is not immune, with problems like SPECTRE, MELTDOWN and vulnerabilities in the management processors of modern computers and phones showing that even the processors we use today carry significant risks due to their complexity. This project takes a contrarian approach of seeing just how simple a system can be made, that would still be useful for a core set of functionality. The project takes inspiration from the simple and effective computers of the 1980s: it explores how to retain their simplicity and transparency, and combine them with modern improvements in security and capability. The goal is to allow even a single determined person to completely verify that a device has not been compromised, and that there are no unwanted listening ears when performing privacy sensitive tasks. The project will advance its current proof-of-concept to a functioning hardware and software system that can demonstrate profoundly improved security and privacy, and in a way that allows a determined user to verify that the device is still truly under their exclusive control and serving them alone. 
>> Read more about MEGA65 Phone Caster — Open-hardware high-refresh-rate electrophoretic display controller Modos is building a libre, open source and open hardware ecosystem of low-cost, affordable electronic devices that use an E Ink display and are driven by the first open-hardware high-refresh-rate electrophoretic display controller of our own design. Having such a controller will enable the creation of new devices and applications designed around the advantages of this dynamic medium: easier on the eyes, less power consumption, readable in direct sunlight, and persistence. In this project, the team will incrementally improve upon the existing (working) prototypes and establish a Pilot Program. The team provides community support, and makes sure you contribute to the development of the open hardware ecosystem. >> Read more about Caster Mosaic — Trustworthy open hardware design tool for electrical engineers Today, the chip design industry is deeply proprietary with NDAs at every level, which means it is not possible to share design files at all, which in turn stifles innovation and transparency in chip design. In order to create a chip design industry that can be trusted with our digital lives, and is accessible to educational institutions and small business, it is essential to develop powerful open source tools for chip design, which can be used by anyone and allows unhindered collaboration. Mosaic is a tool that attacks the first design phase of an analog chip, or analog peripherals for a digital one: design and simulation of the schematic. It will also interact with other phases of the design as needed. Unlike existing open source solutions it will be catered towards chip design, based on modern technologies, and extensive UX design. 
>> Read more about Mosaic Naja — EDA tool focused on post logic synthesis Naja is an EDA (Electronic Design Automation) project aiming at offering open source data structures and APIs for the development of post logic synthesis EDA algorithms such as: netlist simplification (constant and dead logic propagation), logic replication, netlist partitioning, ASIC and FPGA place and route, … In most EDA flows, data exchange is done by using standard netlist formats (Verilog, LEF/DEF, EDIF, …) which were not designed to represent data structures content with high fidelity. To address this problem, Naja relies on Cap'n Proto open source interchange format. Naja also emphasizes EDA applications parallelization (targeting in particular cloud computing) by providing a robust object identification mechanism allowing to partition and merge data across the network. >> Read more about Naja Naja DNL — Add Dissolved and Batch Netlists to Naja EDA Naja is an EDA (Electronic Design Automation) project aiming at offering open source data structures and APIs for the development of post logic synthesis EDA algorithms such as: netlist simplification (constant and dead logic propagation), logic replication, netlist partitioning, ASIC and FPGA place and route, … In most EDA flows, data exchange is done by using standard netlist formats (Verilog, LEF/DEF, EDIF, …) which were not designed to represent data structures content with high fidelity. To overcome this problem, Naja relies on Cap'n Proto open source interchange format. Naja also emphasizes EDA applications parallelization (targeting in particular cloud computing) by providing a robust object identification mechanism allowing to partition and merge data across the network. The core of Naja is formed by two interrelated data structures: the Structured Netlist (SNL) and the Dissolved Netlist (DNL). 
SNL is tailored for high-fidelity representation of hierarchical netlists, while DNL offers a flattened netlist view, optimized for rapid, multi-threaded analysis and optimization tool development. >> Read more about Naja DNL NaxRiscv core improvements — Open hardware out-of-order RISC-V CPU This project aims at extending the scope of the NaxRiscv project (a free and open-source out-of-order multi-issue RISC-V CPU, using innovative hardware description techniques and optimized for FPGA deployment) by getting the CPU to run Debian in a stable manner and documenting the whole process used to build the required binaries/rootfs, implementing memory coherency, multicore support and a L2 cache to enhance the performances, and finally, optimizing and synthesizing the CPU for ASIC using the free and open-source tooling to pave the way for some future NaxRiscv based silicon chips. >> Read more about NaxRiscv core improvements Nitrokey — Open hardware for encryption and authentication Nitrokey is an open source hardware USB key for data encryption and two-factor authentication with FIDO. While FIDO is supported by web browsers, using Nitrokey as a secure key store for email and (arbitrary) data encryption requires native software. Therefore email encryption in webmail isn’t possible with Nitrokey. At the same time strong end-to-end encryption in web applications all share the same challenge: To store users' private keys securely and conveniently. Therefore secure end-to-end encryption usually requires native software too (e.g. instant messenger app) or - less secure - store the user keys password-encrypted on servers. Nitrokey aims to solve these issues by developing a way to use Nitrokey with web applications. To avoid the necessity of a device driver, browser add-on or separate software this project is going to utilize the FIDO (CTAP) protocol. As a result the solution will work with any modern browser (which all support WebAuthn), on any operating system even on Android. 
This will give any web application the option to store private keys on one's own Nitrokey devices. >> Read more about Nitrokey Nitrokey 3 — PIV/FIPS 201-3 and extended hardware support for Trussed/Nitrokey Nitrokey 3 is an open source hardware USB/NFC key aiming for data encryption and two-factor authentication. Currently it supports FIDO2 authentication and WebCrypt. This project will allow it to extend its Rust firmware, developing additional functionality which makes it into a full-featured open hardware security key. By adding support for new so-called 'secure elements' to Trussed, any device using Trussed can benefit from more hardware options. Within the project we will also develop PIV support for Nitrokey 3. PIV is a smart card standard which is used in enterprises and also popular among users of some operating systems like Microsoft Windows. PIV allows for data encryption, signing and authentication. >> Read more about Nitrokey 3 Trussed — Open hardware for encryption and authentication The project summary for this project is not yet available. Please come back soon! >> Read more about Trussed O-ESD — Open-hardware for ElectroStatic Discharge testing The goal of the Open-hardware for ElectroStatic Discharge testing (O-ESD) is to design, produce and verify an open-hardware and accompanying open-software for a device for electrostatic discharge testing. Electrostatic discharge is a phenomenon that occurs daily between humans and electronics and can irreversibly damage the electronics. All consumer electronics sold in the EU, including all internet hardware, must satisfy the Electromagnetic Compatibility (EMC) Directive. One of the hardest tests within the EMC directive deals with electrostatic discharge as defined by the IEC/EN 61000-4-2 standard. Standardized tests are typically done with special equipment in accredited EMC laboratories and are costly. The O-ESD tester will minimize the costs of pre-compliance testing and make it publicly available. 
>> Read more about O-ESD Open Know-How Search — Search Open Hardware Projects Open Know-How Search is a project to create a search engine for the open source hardware designs. We are building a modern, clean and accessible search experience for makers. Our index will span the entire internet and all existing ways to share designs. Users and platforms will be able to make use of the Open Know-How meta-data standard to help get their projects into the index and surface those that are in advanced stages of development and worth looking at and attempting to re-build. The front page and top results in the search will be a useful resource to someone looking for a new open source hardware project to build and contribute to. >> Read more about Open Know-How Search OVT 13 — Open Hardware laptop The open hardware laptop OVT 13 (Open Vision Technology 13\" Laptop) will be a thin and light laptop that is on-par in terms of performance and look-and-feel with established solutions available from market dominating competitors. The OVT 13 is designed to meet the modern standards imposed on thin and light laptops. The fully open-hardware design as well as the modular approach will satisfy both the enthusiast and non-technical user in terms of design openness, upgradability and repairability, performance and formfactor. The vast amount of engineering innovation that goes into designing consumer electronics devices goes unnoticed by many users. These innovations take place behind closed doors and do not advance the technical progress of our society, but only serve to increase the market share of a single company. The OVT 13 will not only be an open hardware design, but also a communication effort that shines a light on the design challenges and the innovations needed to overcome them. By publicly documenting the whole design process no knowledge will be kept behind closed doors and the innovation that goes into designing such a system can be used by everyone. 
>> Read more about OVT 13 OpenCryptoHW — CGRA-based reconfigurable open-source cryptographic IP cores OpenCryptoHW aims to develop reconfigurable open-source cryptographic hardware IP cores for Next Generation Internet. With the Internet of Things (IoT) upon us, security and privacy are more important than ever. On the one hand, if the security and privacy features are exclusively implemented in software, the risk of breaches is high. On the other hand, if implemented solely in hardware, it is impossible to fix bugs or deploy critical updates, which is also a threat to security and privacy. Hence, we propose to use reconfigurable hardware, providing the flexibility of software and the trustworthiness of hardware. Hacking into it requires first hacking the device’s configuration infrastructure and then hacking the algorithm itself, which is way more complicated. There have been proposals to implement cryptographic IP cores using Field Programmable Gate Arrays (FPGAs). However, the FPGA configuration infrastructure is cumbersome and proprietary, increasing device cost and compromising safety. Therefore, we propose to use open-source Coarse-Grained Reconfigurable Arrays (CGRAs) instead of FPGAs. CGRAs have much lighter configuration circuits and are not controlled by any private entity. With OpenCryptoHW, hardware and system designers will be able to download CGRA-based cryptography IP cores for free and under a permissive license, ready to integrate into their silicon designs. >> Read more about OpenCryptoHW OpenCryptoLinux — Make Linux run on OpenCryptoHW OpenCryptoLinux aims to develop an open, secure, and user-friendly SoC template capable of running the Linux operating system, with cryptography functions running on a RISC-V processor. The processor will control a low-cost Coarse-Grained Reconfigurable Array (CGRA) for enhanced security, performance, and energy efficiency. 
Running Linux on this SoC allows non-hardware experts to use this platform, democratizing it. This project will help build an Internet of Things (IoT) that does not compromise security and privacy. The project will be fully open-source, which guarantees public scrutiny and quality. It will use other open-source solutions funded by the NLnet Foundation, such as the RISC-V processors from SpinalHDL and the OpenCryptoHW project. >> Read more about OpenCryptoLinux OpenCryptoTester — System-on-Chip for hardware/software testing This project aims to develop a System-on-Chip (SoC) used mainly to verify cryptographic systems that improve internet security but can also be used on any SoC. It is synergetic with several other NGI Assure-funded open-source projects – notably OpenCryptoHW (Coarse-Grained Reconfigurable Array cryptographic hardware) and OpenCryptoLinux. The proposed SoC will support test instruments as peripherals and use OpenCryptoHW as the System Under Test (SUT), hopefully opening the way for open-source test instrumentation operated under Linux. >> Read more about OpenCryptoTester DRTM implementation for AMD processors — Unified framework for dynamic RTM The Trenchboot project aims to create a unified framework for dynamic RTM (DRTM) implementation for all platforms. (D)RTM is used to verify if bugs or vulnerabilities have compromised a system, and as such is an important component to get to advanced stages of trustworthiness for our hardware. >> Read more about DRTM implementation for AMD processors OpenEMSH — Automatic mesher for FDTD simulation OpenEMS is arguably the only free and open source FDTD solver out there that is usable out of the box for RF (Radio Frequency electromagnetics) design. Its main competitive disadvantage is that FDTD requires simulated models to be meshed according to specific rules, yet it does not provide an automatic mesher to create such meshes. 
Some facilities already do exist but meshing by hand is time-consuming and error-prone - enough to stand in the way of broader adoption. OpenEMSH aims to be a mesher for OpenEMS that makes it as simple to use as any proprietary solution. >> Read more about OpenEMSH Open Energy Profiler Toolset — Modular open hardware Energy Profiling Battery-powered devices often incorporate high-speed communication protocols that consume power in high peaks. One of the main challenges is to provide a compatible set of hardware and software solutions that will enable easy and high-precision energy profiling tools which enable high-speed sampling rates and high current rates. Energy consumption profiling of such devices requires the use of various hardware and software solutions that are often not compatible, making them difficult to use, or do not provide suitable measurement accuracy. Our primary objective is to provide a unified toolset that encompasses an EEZ bus compatible hardware platform, open-source firmware, customized protocols for external firmware energy debugging, and a user-friendly graphical interface for widely used operating systems like Windows and Linux. This toolset will enable the end user to quantify overall MCU-based device consumption and identify energy-intensive software parts within an IoT end device. The project outcomes will include an EEZ Bus compatible standalone acquisition card that supports sampling data rates up to 4 MSPS and high-speed data streaming through an Ethernet interface; an open-source library as support for energy debugging of end device firmware; and an open-source GUI application for visual examination of different energy consumption parameters. >> Read more about Open Energy Profiler Toolset OpenQRNG — Open source, certified Quantum Random Number Generator Cryptography is key to protecting our modern secrets, and random numbers form the basis of the technical assurances given by that approach. However, true randomness is hard to achieve. 
Quantum number generators leverage unpredictable physical phenomena to deliver quality randomness, and as such can be of great utility. However, currently there are only proprietary QRNG sources with a significant price tag - which means that the technology is not widely in use and that those people that do have the means have to essentially trust the vendor in question. The project will develop an open hardware QRNG device, which can be inspected from top to bottom - and made available at low cost. >> Read more about OpenQRNG openwifi: 802.11a/g/n maturity — Improved stability, data rate and reach of openwifi Wi-Fi has become ubiquitous in modern society. While many people might assume that the Wi-Fi chip in their device is a dumb component that merely sends and receives packets over the air, the reality is far more complex. Even the most affordable Wi-Fi chips are sophisticated heterogeneous computing systems, as highlighted by many researchers and hackers. These chips contain multiple types of firmware and silicon fabric working together. The lack of open-source Wi-Fi chips and of transparency in commercial Wi-Fi chips has raised many security concerns, and security threats over Wi-Fi have been around for years. Openwifi pioneered the first open-source soft-MAC Wi-Fi chip/FPGA design in 2019, with 802.11n added in 2020. As more users, researchers, and hackers engage with the project, they have identified issues related to stability, data rate, and communication distance. This maturity-elevating project aims to tackle these issues through improvements in the Linux driver, FPGA, and RF control. The enhanced version will be comparable to commercial Wi-Fi4 chips, such as the ath9k series, and will be capable of operating in more realistic electromagnetic environments rather than just short-range, controlled environments. 
These advancements will facilitate broader adoption of the project and lay a solid foundation for future developments, including the creation of a real chip. >> Read more about openwifi: 802.11a/g/n maturity Ordie — Designing a SoC for Betrusted The field of open silicon is still in its infancy, and while the story on digital logic generation is good, analogue is still a work in progress, and full system integration is only just beginning. The Ordie project will characterize available analogue and digital blocks, integrate them, and create simulation and test software to validate them both pre- and post-production. In this way, the Ordie project will create open, fully-verified silicon chips where every aspect of the part is inspectable down to the raw GDS files. These parts will be usable in some aspects of projects such as Betrusted, where they may be used to replace some of the proprietary silicon with open variants. Along the way it will develop a circuit that enumerates over USB, be able to address various debug structures using existing Wishbone USB and Spibone debugging, and develop a buck regulator, useful for powering on-die structures. The on-chip blocks will be documented using reference systems such as lxsocdoc. >> Read more about Ordie Securing PLCs via embedded protocol adapters — Open hardware protocol adapters for industrial automation Industrial Programmable Logic Controllers have been controlling the heart of any production machinery since the mid-70s. However, these devices have never been built for use in completely unprotected environments such as the Internet. Currently most PLCs out in the wild have absolutely no means to protect them from malicious manipulation (most don't even have an effective password protection). Unfortunately \"Industry 4.0\" is all about connecting these devices to the Cloud and thereby attaching them to potentially unsecure networks. 
In the \"Securing PLCs via embedded Open-Source protocol adapters\" initiative we are planning on porting the Apache PLC4X drivers to languages that can also be used in embedded hardware. Additionally we also want to create secure protocol-adapters using these new drivers together with Apache MyNewt, to create protocol-adapters that could eventually even be located inside the network connectors which are plugged into the PLC in an attempt to reduce the length of the unsecured network to an absolute minimum without actually modifying the PLC itself. >> Read more about Securing PLCs via embedded protocol adapters PTP gateware with openXC7 — PTP on FPGA timing cards and SDR cards with openXC7 This project develops open-source gateware for the Precision Time Protocol (PTP), which is essential for accurate timekeeping across servers. Implementing this technology on Xilinx ZYNQ FPGA chips, it offers a secure, reliable alternative to proprietary gateware, reducing the risk of undetected security breaches through server backdoors. This initiative not only enhances Internet security but also enables diverse applications, from 5G networks to research instruments like particle accelerators, making advanced time synchronization accessible, and safeguarding the digital ecosystem for the general public. >> Read more about PTP gateware with openXC7 Patchouli — Arbitrary-sized open hardware EM pen products Patchouli is an open-source electro-magnetic drawing tablet hardware implementation, including a coil array, an RF front end built using commercially available parts, and digital signal processing algorithms. The design is compatible with most commercial pens from different vendors, offering an ultra-low-latency pen input experience for your customized hardware projects. The hardware is released under the CERN-OHL-S license, and the firmware/simulation code is released under the GPL3+ license. 
>> Read more about Patchouli Py2HWSW — A tool to manage embedded HW/SW project This project aims to develop an open-source Python framework for managing files, automating project flows of embedded hardware/software codesign projects, and partially generating Verilog hardware components. The framework simplifies the project structure, addresses challenges in Hardware Design Languages like Verilog and VHDL, and automates emulation, simulation, FPGA, and ASIC flows. The proposed Verilog generator offers flexibility, user control and ease of use, producing human-readable code compatible across FPGAs and ASICs. >> Read more about Py2HWSW RA-Sentinel — FPGA-based Radio Receiver for securing Wifi against hacking attacks The proposed project aims to develop a cost-effective, small, and low-power wide band radio receiver device that automatically detects various malicious attacks on Wifi access points, such as Man in the Middle and Denial of Service attacks. The RA-Sentinel project is designed to protect your home WiFi from unwanted cyber threats. Think of it as a digital watchdog for your internet connection that barks when someone from the outside tries to break in. The device will enhance internet safety for ordinary users by monitoring any Wifi cell. It will consist of low-cost receive-only chips that digitize 40 MHz of the Wifi radio spectrum at 2.4 GHz, with the FPGA extracting relevant properties from demodulated and decoded packets in real time without storing them. These properties are fed into a neural network also implemented on an FPGA, which determines if the traffic is genuine or an attack. Only open source FPGA tools will be used. >> Read more about RA-Sentinel RAIJIN — Open Hardware brain measurements with near-infrared spectroscopy Low-cost electroencephalographic (EEG) systems have been available for over a decade, such as the open hardware OpenBCI ecosystem. 
While EEG has been democratized to varying degrees, blood-oxygen-level-dependent (BOLD) methodologies are constrained to medical and niche realms. While magnetic resonance imaging is impractical for a hobbyist, functional near-infrared spectroscopy (fNIRS) may offer a more practical alternative. Similarly, non-visual and non-auditory feedback from a brain-computer interface (BCI) may be streamlined with a tactile or haptic device. Transcranial temporal interference stimulation (TTIS) can be directed and integrated with the existing ecosystem. The Rank-Adjusted Infrared Juxtaposed Interferential Neuromodulation (RAIJIN) marks three components that would significantly improve tools for citizen-scientists. Given recent low-cost projects, it may be possible to bring low-cost fNIRS, non-invasive deep brain stimulation, and tactile response into the OpenBCI ecosystem. Tactile and TTIS enable closed-loop computer-brain interference (CBI). By integrating BCI and CBI, the RAIJIN system will enable mobile, low-cost, BOLD-capable, closed loop, and non-invasive brain-to-brain interface (BBI). >> Read more about RAIJIN RISC-V Phone — Open hardware RISC-V Phone The goal of the \"RISC-V Phone\" project is to develop a simple, fully featured and privacy enhanced mobile phone. It is built using off-the-shelf inexpensive components which are easy to assemble even in a home lab. The software for it is small, simple and easy to audit. Basic phone functionality is running on a secure RISC-V microcontroller (FE310 from SiFive) which controls all peripherals: microphone, speaker, display/touch controller, camera. The phone will be using esp32 for WiFi and Bluetooth, along with industry standard mPCIe modem for cellular communication. Graphics/touch panel controller FT813 enables advanced user experience. The phone will provide VOIP/messaging application using packet data protocol similar to CurveCP which features end-to-end encryption and onion routing. 
There is also a socket for optional ARM SoM which shares display/touch panel with the main board. >> Read more about RISC-V Phone Radio-Meshnet — Self-sustained Community and Emergency Radio Networking The project summary for this project is not yet available. Please come back soon! >> Read more about Radio-Meshnet Real Time Litex Extension — Real time capabilities for FPGA-based RISC-V core The Core-Local Interrupt Controller (CLIC) is a RISC-V standard extension that enhances real-time performance by enabling the prioritization of interrupts based on levels and priorities. This feature allows developers to have fine-grained control over interrupt prioritization, leading to more efficient handling of real-time events. In this project, we propose to replace the original interrupt controller of the VexRiscv based processor core family with CLIC. By implementing the CLIC, VexRiscv can efficiently propagate the highest-level, highest-priority pending interrupt to the core, significantly improving real-time responsiveness. The CLIC implementation also introduces features like selective hardware vectoring and the special register (xnxti CSR), which further optimize interrupt handling. >> Read more about Real Time Litex Extension Redox Flow Battery — Development Kit for Open-Source Hardware Redox Flow Battery The clean energy transition is underway, and batteries are becoming more common in everyday life. Stationary batteries can perform many roles, like reversibly storing intermittent renewable energy or providing backup power and services to the electrical grid, including internet infrastructure. Right now, lithium-ion batteries—also used in portable electronics and electric vehicles—are increasingly used for stationary applications. Lithium-ion batteries are, however, not ideal in terms of lifetime, cost, safety, and supply chain sustainability. 
There are viable alternatives to lithium-ion batteries for stationary storage, such as flow batteries, which are being commercialized but are not yet widespread. We plan to democratize flow battery technology by developing an open-source flow battery and starting an associated community around it. We will start with a benchtop-scale development kit, suitable for educational and research use, before progressing towards larger cells. With this NLnet funding, we plan to finish our first release of a 5 cm² kit as well as design and test the subsequent 25 cm² cell. >> Read more about Redox Flow Battery pcb-rnd, sch-rnd — Open source EDA suite Ringdove EDA is a modular, portable Electronics Design Automation toolkit mainly targeting the Printed Circuit Board design workflow. The two flagship projects in Ringdove are sch-rnd (schematics capture) and pcb-rnd (printed circuit board editing). Because of the modular layout of the code and the active management of dependencies, both projects are highly portable, both in time (old, present and future systems) and in workflows (interactive graphical design or interactive command line usage or headless automated processing). Ringdove also strives to support file formats of other EDA software, especially for loading proprietary formats, making existing/legacy hardware designs more accessible to the Open Source community. >> Read more about pcb-rnd, sch-rnd SDCC — Small Device C Compiler compiler for 8-bit microcontrollers The Small Device C Compiler (SDCC) is free and open source software for 8-bit microcontrollers. While such 8-bit microcontrollers might seem like outdated technology (most of the popular chips sold today use 32 bit or 64 bit solutions), the fact that there are fewer transistors to fire up with every cycle means there are quite a few basic use cases where 8-bit systems might very well remain the most energy-efficient option despite . 
SDCC is competing head to head with various proprietary compilers - such as Keil, IAR, Cosmic, Raisonance. The tasks in this project will significantly boost the capabilities of SDCC and give developers a more mature tool to design for e.g. eco-friendliness. The project will deliver various improvements in SDCC, in order to make it more complete and competitive in terms of features and workflow. >> Read more about SDCC SpinalHDL, VexRiscv, SaxonSoc — Open Hardware System-on-Chip design framework based on SpinalHDL The goal of SaxonSoc is to design a fully open source SoC, based on RISC-V, capable of running Linux and optimized for FPGA to allow its efficient deployment on cheap and already purchasable chips and development boards. This would provide a very accessible platform for individuals and industrials to use directly or to extend with their own specific hardware/software requirements, while providing an answer to hardware trust. Its hardware technology stack is based on 3 projects: SpinalHDL (which provides an advanced hardware description language), VexRiscv (providing the CPU design) and SaxonSoC (providing the facilities to assemble the SoC). In this project, we will extend SpinalHDL, VexRiscv and SaxonSoc with USB, I2S audio, AES and Floating point hardware capabilities to extend the SoC applications to new horizons while keeping the hardware and software stack open. >> Read more about SpinalHDL, VexRiscv, SaxonSoc SiCl4 — Tool for interactive reverse engineering of digital logic. SiCl4 (silicon tetrachloride) is a tool for reverse-engineering digital logic designs. Starting from an FPGA bitstream or other types of netlists, this tool will assist users in interactively recovering higher-level structures. Algorithms will help with tasks such as finding shared subcircuits or identifying known patterns such as adders, counters, comparators, state machines, etc., so that the user can focus on understanding the higher-level functions of the target design. 
SiCl4 will be scriptable in order to allow for easy extension, and it will also integrate with the existing open-source EDA ecosystem. >> Read more about SiCl4 Silicon verification — Non-destructive, in-situ inspection of physical chips The global nature of supply chains presents an existential question for the trustworthiness of hardware: how do I know the chips in my device are genuine and pristine? Trusted domestic fabs only solve a facet of the problem: after a silicon wafer leaves the fab, it criss-crosses the globe multiple times as it is packaged, tested, and assembled into an end user product, presenting a huge attack surface for post-fab substitutions and alterations. The \"Silicon Verification\" project lays foundations for high resolution end-user, direct, and non-destructive optical inspection of chips. Our research aims to create a set of techniques for hardware packages that fill the analogous role of \"digital signature verification\" for software packages: a ubiquitous method to establish trust in a package, after it has been delivered to the user. >> Read more about Silicon verification Simmel — A wearable contact tracing beacon/scanner Simmel is a platform that enables COVID-19 contact tracing while preserving user privacy. It is a wearable hardware beacon and scanner which can broadcast and record randomized user IDs. Contacts are stored within the wearable device, so you retain full control of your trace history until you choose to share it. The Simmel design is open source, so you are empowered to audit the code. Furthermore, once the pandemic is over, you are able to recycle, re-use, or securely destroy the device, thanks to the availability of hardware and firmware design source. The contact tracing algorithm is programmed using CircuitPython, to facilitate ease of code audit and community participation. 
The Simmel project does not endorse a specific contact tracing platform, but it is inherently not compatible with contact tracing proposals that rely on the constant upload of data to the cloud. >> Read more about Simmel Spade — Standalone Hardware Description Language Spade is a hardware description language that draws inspiration from modern software languages to make hardware development more productive, more fun, and less error-prone. A big part of what makes this possible is the type system which helps prevent bugs and makes the code more maintainable. A common source of errors in hardware designs is clock domain crossing: signals should never cross domains accidentally, and when they do cross, it must be done correctly. Failure to correctly cross domains leads to intermittent problems that can take significant effort to find and fix. By making the language and compiler aware of clock domains through the type system, we will be able to detect and warn programmers about accidental clock domain crossings at compile time. We will do this in an ergonomic way, where the user only has to specify clock domains on module inputs and outputs with the compiler being able to infer the rest. In addition, the default case of a module that only spans a single domain should not require any explicit domain information from the user to avoid unnecessary verbosity. >> Read more about Spade Squishy — SCSI multi tool and gateware library Squishy is a SCSI multi-tool aimed at long term access to computer systems and equipment. It accomplishes this by having capable hardware combined with an extremely flexible software ecosystem, allowing Squishy to act not only as nearly any device under the sun, but also as a SCSI bus initiator with high flexibility. This enables its use in archival work, interacting with obscure or arcane hardware to read magnetic tapes, and allows modern systems to interface with and control older, but still reliable and used, lab and scientific equipment. 
Squishy is currently in its second prototyping phase, after lessons were learned from the first revision of the hardware. This involves a full redesign to grant it more capabilities and serve as a more solid foundation. The end goal is a relatively small fully compliant device for multiple SCSI standards along with a robust software ecosystem, allowing for it to speak to any equipment be it a SCSI-1 tape drive, or an ULTRA-320 SCSI-based data acquisition system. >> Read more about Squishy Transitioning SMM Ownership to Linuxboot — More robust defense Against Firmware Vulnerabilities In an era marked by escalating cybersecurity threats, firmware security is one of the biggest blind spots. One pervasive weakness lies in an architectural design called System Management Mode (SMM). Sometimes referred to as “Ring -2”, SMM is used by device manufacturers to interact with hardware like NVRAM, emulate hardware functionality, handle hardware interrupts or errata, and perform other functions. The unrestricted, non-standardized control inherent to SMM implies significant security vulnerabilities. There is no shortage of Day-0 and Day-1 Firmware vulnerabilities related to SMM. Current industry practices open a wide door for cyber attacks, and the attacker can even bypass the secured OS kernel with the SMM loopholes. This proposal introduces a novel SMM architectural design, by transitioning SMM ownership from core firmware (e.g. coreboot) to payload - in this case Linuxboot. This will leverage the robust, open-source nature of Linux’s SMM drivers, which have been proven to work very well over decades and whose open source nature makes security reviews easier. This initiative aims to develop and universalize a secure architectural design in collaboration with chip vendors, thus elevating the resilience and integrity of our digital ecosystem. 
>> Read more about Transitioning SMM Ownership to Linuxboot Surfer Waveform Viewer — Analyse signal levels in simulated circuits Surfer is an open source waveform viewer, primarily aimed at debugging digital designs. It is built for flexibility, extensibility, and speed to operate on most platforms. Although fully operational for many tasks, there are features to be added to improve the usability further. This project aims to implement the most requested missing features and pave a way for additional extensibility. >> Read more about Surfer Waveform Viewer Timing-Driven Place-and-Route (TDPR)  — Open hardware tool to synthesize digital silicon circuits The lack of an open-source timing-driven place-and-route tool is one of the major barriers to creating technically fully transparent digital integrated circuits such as microprocessors. The most popular open-source place-and-route tools available today are not timing-driven, hence the generated layouts are generally not guaranteed to satisfy the timing constraints. This requires tedious and time-consuming manual interventions. This project will combine published algorithms with existing open-source projects to fill this gap. The tool will be released with the free/libre AGPLv3 licence together with extensive documentation and tutorials. >> Read more about Timing-Driven Place-and-Route (TDPR)  TISG trustable image sensor gateware — FPGA based camera providing encrypted video streams The TISG project is set to develop a groundbreaking open-source, FPGA-based camera system, focusing on the implementation of the MIPI-CSI2 standard for connecting a wide range of image sensors to FPGAs. The development process involves leveraging open-source FPGA tools and formal verification methods to ensure robust security and functionality. The primary purpose is to create a secure, versatile, and accessible video processing platform that addresses current security vulnerabilities in video-based systems. 
By eliminating reliance on proprietary software and enabling formal hardware verification, the project aims to significantly reduce the risk of backdoors and cyber threats. The general public will benefit from enhanced security in areas like home surveillance, public safety, and infrastructure monitoring. Additionally, the open-source nature of the project promotes innovation and inclusivity, allowing developers worldwide to contribute and extend the technology. This democratization of advanced video processing technology not only fosters global collaboration but also paves the way for further advancements in various fields reliant on reliable and secure video technology. >> Read more about TISG trustable image sensor gateware TerosHDL — Assisting hardware developers to deliver safer designs TerosHDL is an open source IDE for FPGA/ASIC development. It includes a backend, a front-end built on VSCodium/VSCode and a command line interface. The goal of TerosHDL is to make ASIC/FPGA development easier and more reliable: to reduce the adaptation time for new users of HW languages and help professionals. TerosHDL is multi-platform (Linux, Windows, MacOS), multi language (VHDL, Verilog, SystemVerilog) and it takes advantage of a lot of open hardware projects (such as Edalize, WaveDrom, VUnit…), integrating them in a common graphical user interface. The IDE tries to be as self-contained as possible and to simplify the installation process. Some of the features are: linter, go to definition, syntax highlighting, code formatting, snippets, automatic documentation, dependencies viewer, simulators support... >> Read more about TerosHDL TerosHDL: OSS, GHDL, NVC — IDE with support for Open SYnthesis Suite and GHDL/NVC simulators TerosHDL is an open-source graphical IDE tailored to FPGA/ASIC development. The goal is to empower engineers, hobbyists, and students to easily engage in RTL design, fostering innovation and growth in the field. 
TerosHDL serves as a comprehensive platform, supporting RTL design, synthesis, simulation and common code edition (linting, formatting, etc). In this project, TerosHDL will incorporate support for a number of additional powerful RTL design tools: Yosys, GHDL, and NVC. This will give users an interface which is friendly to first time users, equipped with real-time feedback and debugging capabilities. This further streamlines the chip design process, enhancing efficiency and making RTL design more accessible and productive. >> Read more about TerosHDL: OSS, GHDL, NVC Tiliqua — Open audio DSP for FPGAs Tiliqua is an open-hardware DSP library and reference hardware design which aims to make it easier for musicians and engineers to get started in the world of audio DSP in the context of FPGAs. The Tiliqua DSP library is a suite of commonly-used audio DSP components, written in Amaranth HDL, that can be easily composed in Python to construct a custom FPGA-based DSP pipeline. The Tiliqua reference platform is fully compatible with open-source FPGA toolchains and designed to the Eurorack standard (the most popular hardware synthesizer format) lowering the barrier to entry for those with low/no hardware development experience. >> Read more about Tiliqua Topola — Topological (rubberband) router for printed circuit boards Topola is an open-source topological (rubberband) router for printed circuit boards (PCBs). Unlike traditional maze routers, topological routers like Topola are not constrained by a grid or 45° angles, allowing for more efficient circuit board layouts (denser arrangement of components and traces, lower crosstalk, reflection, and electromagnetic interference). 
The goal of the project is to develop a dutifully maintained engine for interactive and automatic routing that can be used both as a standalone application and reusable software library integrated in popular open-source PCB electronic design automation (EDA) packages, giving designers a tool for developing high-quality open hardware designs without having to pay for expensive proprietary software. >> Read more about Topola TwPM — Open hardware implementation of Trusted Platform Module The Trusted Platform Module or TPM is a dedicated hardware component designed for providing additional security features for computing platforms. Currently, the market is dominated by the TPMs based on chips from large silicon vendors. The common characteristic of these modules is the proprietary firmware implementation. The TwPM project aims to increase the trustworthiness of the TPM module (hence the TwPM), by providing the open-source firmware implementation for the TPM device, compliant with the TCG PC Client Specification. The main goal of the project is an attempt to create an open-source firmware stack, implementing the TCG PC Client Platform TPM Profile specification. The project aims to use already available open-source software components whenever possible (such as TPM simulators for TPM commands handling), while developing new code when necessary (such as LPC FPGA module, or low-level TPM FIFO interface handling). Another challenge is to overcome hardware restrictions and allow users to use the open-source TPM implementation on generally-accessible development boards. >> Read more about TwPM ULX4M — A modular open hardware FPGA platform Embedded systems are everywhere, including in trusted environments. But what is really inside them? ULX3M is a modular version of the popular open hardware project ULX3S. ULX3M delivers a versatile programmable (FPGA) modular mainboard that can be used with a wide choice of peripherals. 
The main board is \"vendor neutral\" and can be used with different FPGA vendors' daughter boards. As the community continues to grow, lots of FPGA modules are written, and one goal of our boards would be that we can easily switch and check other vendor chips, and work more on vendor neutral code where possible. The project also improves SERDES availability. Some cheaper FPGA chips do not have lots of SERDES lines, and anyone making a board needs to choose which peripheral will use those SERDES lines. A daughter board that can be rotated in any position will allow more flexible usage. In that way, a cheaper FPGA could be used to write all the code. With an open source design, users are not dependent on anyone to make boards and can run independent production. >> Read more about ULX4M UberDDR3 — Open Hardware DDR3 memory controller UberDDR3 is set to transform the landscape of open-source technology as it will go above and beyond any previous open-source DDR3 controller gateware. This aims to unlock the full potential of DDR3 memory, aligning with the latest technological needs. We are dedicated to enhancing compatibility across diverse memory types and reaching higher speeds. By integrating innovative features such as on-the-fly configuration, thermal management, ECC integration, and self-refresh mode, our goal is to elevate this open-source gateware to rival the performance of proprietary DDR3 controllers. This endeavor will empower the open-source community, ensuring that dependence on proprietary DDR3 controllers becomes a thing of the past, and setting a new benchmark for open-source hardware capabilities. >> Read more about UberDDR3 Reverse Engineering Toolkit — Reducing e-waste through Reverse Engineering According to the Global E-waste Statistics Partnership (GESP), electronic waste is estimated to increase to 74.4 Million Tonnes by 2030. 
A strong factor in the continuing increase of e-waste is the electronic industry artificially shortening the lifespan of their devices. Planned obsolescence, the inability to repair and abandoned software support all contribute to devices prematurely ending up in a waste stream. Older high-end consumer electronics devices have powerful components that, once open schematics, firmware and documentation have been created for them through reverse engineering, can be repurposed to create new and different devices. To meet this aim, Unbinare is creating an open hardware reverse engineering toolkit consisting of the OI!STER (a tool for debugging and glitching MCUs), the UNBProbe (a passive, spring-loaded needle probe for probing PCBs), the UNBProbebase (a magnetic base with a prototyping area) and a breakout board - which make it possible to repurpose components salvaged from e.g. discarded mobile phones. >> Read more about Reverse Engineering Toolkit LIP6 VLSI Tools — Logical validation of ASIC layouts The software we run critically depends on the trustworthiness of the chips we use. LIP6's VLSI tools are one of the few user-operated toolchains for creating ASIC layouts where the full source code is available for inspection by anyone. This provides a significant contrast to commodity chips from vendors like Intel and AMD, where anything beyond coarse technical detail is shielded away by NDAs. This project will improve Coriolis2, HITAS/YAGLE and extend the whole toolchain so that it can perform Logical Validation. It will also upgrade the code to make it faster, able to handle larger ASIC designs, and add support for lower geometries (starting with 130nm) which are more energy-friendly. >> Read more about LIP6 VLSI Tools Verilog-A distiller — Automated porting of models from C to Verilog-A Analog circuit simulators require compact device models in order to be able to simulate circuits. The de-facto standard language for compact device model dissemination is Verilog-A. 
Many legacy models exist that are coded for the SPICE3 circuit simulator in the C programming language. Manual conversion from C to Verilog-A is resource-intensive, time-consuming, and error-prone. This reduces the accessibility of legacy models and limits innovation. The Verilog-A Distiller project aims to automate conversion of SPICE3 device models from C to Verilog-A. By automating this conversion, we aim to streamline model implementation, reduce development time, and enhance compatibility across different simulators. Verilog-A Distiller is a converter written in Python that utilizes the pycparser library for reading the C code of SPICE3 models. The parsed models are pruned of unnecessary SPICE3-specific parts, upon which Verilog-A code is emitted. Projects like Ngspice put a lot of effort into cleaning up and improving legacy SPICE3 models. Verilog-A Distiller makes these models available across a wide range of simulators that support Verilog-A. >> Read more about Verilog-A distiller VexiiRiscv — Next generation of the VexRiscv in-order FPGA softcore VexiiRiscv (Vex2Risc5) is a hardware project which aims to provide a free/open-source RISC-V in-order CPU which could scale from a simple microcontroller up to a multi-issue/Debian-capable cluster. While the project already surpasses VexRiscv in multiple domains (performance, 64 bits, Debian), it still needs work and testing to reach feature parity (tightly coupled RAM, JTAG debug, optimization, ...), as well as to extend its scope (lightweight FPU, vector unit, ...). This grant would aim at filling those gaps as well as improving its documentation. >> Read more about VexiiRiscv video box — Affordable open hardware video-to-network The goal of the FOSDEM video box project is to develop a cheap, compact, open hardware & free software video-to-network solution. Initial motivation came from scratching our own itch: replacing 60 bulky, costly, not entirely free boxes currently used at the https://fosdem.org conference. 
Several other conferences have already used the current setup successfully. We expect this number to grow in the future. The solution being free software and open hardware should make it flexible to adapt to different environments, like education. Being cheap and compact encourages experimental use in areas difficult to foresee. On the hardware side, we use the open hardware Olimex Lime2 board (EU built!) as a base. We plan an open hardware HDMI input daughterboard, iterating on a simplified prototype that helped us verify feasibility. On the software side, the core Allwinner A20 chip has attracted a lot of free and open source development already. That enables us to focus our efforts on optimising video encoding on this platform from an HDMI signal to a compact network stream. >> Read more about video box WireGuard on FPGA — FPGA implementation of Wireguard protocol written in SpinalHDL This project will do an open hardware implementation of the WireGuard VPN protocol. The data plane with symmetric cryptography is implemented in HDL and should be able to handle 100 Gbit/s IP/Ethernet, whereas the asymmetric handshake is implemented on VexRiscv with accelerators and will be capable of maintaining thousands of concurrent connections. An off-the-shelf FPGA card handles the full protocol transparently: Ethernet/Ethernet or Ethernet/PCIe with one side ciphered and the other side plaintext. >> Read more about WireGuard on FPGA Wishbone Streaming — Add Streaming capabilities to Wishbone On System-on-Chips (SoC) the commercial grade bus infrastructure is covered by patents and at best available \"royalty-free\" (but with no ability to change). A serious alternative with significant adoption is the Wishbone SoC Bus, which is an Open Standard but does not yet have a \"streaming\" capability. That capability is needed for high-throughput data paths and interfaces. 
This project will provide an enhancement to the current Wishbone SoC Bus specification, provide Reference Implementations and Bus Function Models (BFM) to easily allow unit tests for all Wishbone BFM users. For demonstration purposes the project will implement an example peripheral to prove the overall concept. >> Read more about Wishbone Streaming ZSWatch — Open smartwatch including software, hardware, and mechanics ZSWatch is a free and open source smartwatch you can build almost from scratch - including software, hardware, and mechanics. Everything from the lowest level BLE radio driver code to PCB and casing is available for introspection or to be customised to suit your needs. In this project, the team will add interesting new capabilities such as Heart Rate and Blood Oxygen sensor hardware, create a new iteration of hardware to improve wearability, improve documentation, make it easier to upgrade, and make various improvements to the software including optimising power consumption. >> Read more about ZSWatch ZSipOs — Open hardware for telephony encryption ZSIPOs is a fully open source based encryption solution for internet telephony. It takes the shape of a little dedicated gadget you connect with a desktop phone. At its core the device does not have a normal chip capable of running regular software (including malware) but a so-called FPGA (Field Programmable Gate Array). This means the device cannot be remotely updated (secure by design): the functionality is locked down into the chip, and the system is technically incapable of executing anything else. This means no risk of remote takeover by an attacker like with a normal computer or mobile phone connected to a network like the internet. The whole system is open hardware, and the full design is available for introspection. Normal users and security specialists get transparent access to the whole system and can easily check what functionality is realized by the FPGA. 
This means anyone can verify the absence of both backdoors and bugs. ZSIPOs is designed to be fully compatible with the standard internet telephony system (SIP) which is the one used with traditional telephony numbers. The handling is done in principle by a regular internet phone (Dial, Confirm once – done). The cryptographic system is based on the standard RFC 6189 - ZRTP (with “Z” like Phil Zimmermann, the father of PGP), meaning it can also be used when using internet telephony on a laptop or mobile phone - of course without the additional guarantee of hardware isolation. There is no need to trust in an external service provider to establish the absolute privacy of speech communication. The exchange and verification of a secure key between the parties ensures end-to-end encryption, meaning that no third party can listen in on the call. To that end the device has a display to exchange security codes. The same approach can also be used for secure VPN Bridgeheads, secure storage devices and secure IoT applications and platforms. The ZSipOS approach is an appropriate answer to today's security risks: it is completely decentralized, and has no dependency on central instances. It has a fully transparent design from encryption hardware to software. And it is easy to use with hundreds of millions of existing phones. >> Read more about ZSipOs ZeroPhone Next — Hackable open hardware mobile phone This project is building a hacker-friendly personal device platform, providing people with an assortment of building blocks that can be reused in building devices of their own. It sets out to deliver a featureful device for day-to-day use, with cellular and wireless connectivity, and bringing a powerful user interface that can easily be used in others' projects. 
The platform's design prioritizes self-assembly capabilities, respect for the user's privacy, extensive documentation that makes the platform's building blocks all the more accessible, and forming a community aimed at helping other hackers build their own devices. The platform's inherent modularity also provides a testbench for designing open-source replacements for commonly closed-source parts of the DIY portable device ecosystem, as well as development of open firmware for currently-closed-source components. >> Read more about ZeroPhone Next betrusted — A protected hardware device for your private matters. Betrusted aims to be a secure communications device that is suitable for everyday use by non-technical users of diverse backgrounds. We believe users shouldn’t have to be experts in supply chain or cryptography to gain access to our ultimate goal: privacy and security one can count on. Today’s “private key only” secure enclave chips are vulnerable to I/O manipulation. This means there is no essential correlation between what a user is told, and what is actually going on. Betrusted will build a full technology stack, including silicon, device, OS, and UX that is open for inspection and verification. Betrusted is a simple, secure, and strong device that aims to advance Internet freedom. >> Read more about betrusted f8 — Modern 8-bit instruction set Among microcontrollers (µC), 8/16-bit µC are an important part of the embedded systems ecosystem since they tend to have substantially lower resource and energy costs than the larger, more powerful 32-bit and 64-bit µC. However, existing 8/16-bit µC architectures tend to be either somewhat inefficient (e.g. MCS-51) or single-vendor (e.g. STM8, Rabbit). The latter are at a high risk of being discontinued when a vendor pulls out of the 8/16-bit market, and this has been announced recently for the STM8 and Rabbit architectures. One possible solution is to develop an efficient free architecture for 8/16-bit µC. 
The f8 is such an approach. It is based upon extensive experience from the large number of 8/16-bit architectures supported by the free Small Device C compiler (SDCC). Like RISC-V did for 32/64-bit architectures, f8 is based on lessons learned from the strengths and weaknesses of existing 8/16-bit architectures. >> Read more about f8 foaHandler — Reverse engineer the OpenAccess file format Commercial CAE programs still dominate the community that designs electronic circuits. One of the most widely used file formats here uses the OpenAccess API controlled by Si2. Unfortunately, this API is available only for members of the OpenAccess coalition. The project \"foaHandler\" aims at creating open-source programs for reading and writing OpenAccess files. Their internal data structure will be investigated by reverse engineering the file content of schematics, component symbols and layouts. Then, routines will be created that make it easy to import and export OpenAccess files in open-source programs like circuit simulators, layout programs etc. Example files and documentation will be published, too. This makes the data exchange between free and commercial EDA applications possible. >> Read more about foaHandler lpnTPM — TPM 2.0 compliant open hardware Trusted Platform Module lpnTPM is an Open Source Software (OSS) and Open Source Hardware (OSHW) Trusted Platform Module. The Trusted Platform Module (TPM, also known as ISO/IEC 11889) is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys. What makes lpnTPM different from generally available solutions is openness. Software and hardware of lpnTPM can, without limits, be audited, fixed, and customized by communities and businesses. Open design addresses the lack of trustworthiness of proprietary closed source TPM products, which currently dominate the whole market. 
lpnTPM in production mode protects software by secure boot technology, and only the lpnTPM owner will update it. TPM modules enable measured boot and support verified boot, Dynamic Root of Trust for Measurement, and other security features. Another benefit of lpnTPM would be physical design, which solves the lack of standardization around pinout and connector. The ultimate goal of lpnTPM is to provide a trustworthy platform for future open evolution of Trusted Platform Module software and its application to various computing devices, resulting in better adoption of platform security. >> Read more about lpnTPM mikroPhone — Open Hardware feature phone mikroPhone is currently a basic feature phone with extensible open source firmware. It is a fully open hardware device and it can easily be built in a home lab. It is intended to protect users' privacy to the highest possible level and to bring data sovereignty back to its users. This project focuses on further improvement of the basic phone device and integration of an ARM module that runs GNU/Linux OS. Since the Linux module is entirely optional, it is not used for handling any critical functions of the device (e.g. cellular voice and secure VoIP calls, SMS messaging) and it can be powered-up on demand. This would solve common problems of Linux smartphones such as poor basic phone functionality and short battery life. The goal of the project is to provide an option of enjoying a fully usable Linux smartphone. >> Read more about mikroPhone nextpnr for GW-5 — Add support to nextpnr for Gowin GW-5 FPGA family This project focuses on enhancing the open-source FPGA design toolchain (specifically nextpnr and Apicula), to support the Gowin GW-5 series of FPGAs. This initiative involves creating detailed documentation and developing tools to understand and utilize these FPGAs effectively. 
By extending nextpnr and Apicula to generate valid bitstreams for the GW-5 series, the project aims to make advanced FPGA technology more accessible and usable for designers and engineers around the world. >> Read more about nextpnr for GW-5 openCologne — CM4 form factor SoM for GateMate chips Currently there are few FPGA vendors in Europe. One of these vendors, CologneChip, produces the GateMate chips which have some high quality features compared to other FPGAs, such as a high speed SerDes. Recently we have seen the appearance of a number of affordable boards with these FPGAs. The challenge (and opportunity) is now to make sure that the open hardware community can benefit from these FPGAs as soon as possible. This project will design a new iteration of the popular open hardware ULX-boards (ULX5M) featuring GateMate chips, which will be compatible with the widely used CM4 form factor - so it can be slotted into many existing designs instantly. This opens up this strategic new FPGA target for a broader audience, and helps it break into the market. In addition, the project will make a portfolio of entry level projects that selectively put GateMate resources to good use, including its unique SerDes. Be they in RTL or HLS, implemented as pure hardware FSMs, or by using HW/SW co-design and SOC techniques, or integrated with LiteX - delivering a variety of real-life use cases. >> Read more about openCologne openPCIe2 Root Complex — Open hardware implementation of gen 2 PCIexpress in OpenXC7 This project will develop an open hardware implementation of PCIexpress 2.0, the high-speed serial computer expansion bus standard used to allow computer peripherals to be slotted into a motherboard. When designing open hardware, having such a critical part of a component depend on proprietary components is problematic. The open hardware PCIe/Gen2 Root Complex developed within this project would make a big step towards developing fully open hardware components. 
Prior efforts only provided a partial implementation, and depended on vendor-provided 'black boxes' that would prevent such designs from being used to create a working, fully open hardware solution. >> Read more about openPCIe2 Root Complex openXC7 — Improve hardware support for open source FPGA tooling FPGAs are reconfigurable chips capable of handling many electronic signals in parallel. They are used in network equipment like backbone switches, firewalls, video devices like surveillance cameras and radio equipment like mobile-phone base stations, radar systems and satellites to process high volumes of data with very low latency. FPGAs are also used to test digital circuit designs before they are manufactured as chips. The functionality of FPGAs is determined by a configuration file which is loaded into the FPGA at power-on. The configuration file is usually generated from a design file by a proprietary tool provided by the manufacturer of the FPGA. openXC7 will provide a complete set of open source tools to generate a configuration file for the widely used family of Xilinx Series 7 FPGAs from manufacturer Xilinx/AMD without having to use any proprietary tools. This will empower digital design engineers to have the guarantee that no backdoor is implemented on FPGA based devices by the proprietary design tool provided by the vendor. The availability of the source code of the FPGA design tool will also allow anyone to come up with new use cases for FPGAs currently not possible with existing tools. In this project the team will implement gigabit transceiver support, both for the widely used Artix7 and the Kintex7 families of devices, thus enabling complete open source network infrastructure (e.g. an open source 10 GB Ethernet switch). The second focal point will be identifying and fixing issues that arise from the community of users of the toolchain. 
>> Read more about openXC7 S-SATA for openXC7 — Open source SATA phy and interface for FPGAs This project develops an open-source SATA controller for use with FPGA technology, specifically targeting the Xilinx Kintex/Artix7 family. SATA, which stands for Serial Advanced Technology Attachment, is a technology used to transfer data between a CPU and an attached persistent storage device. By creating an open-source hardware controller, this project will make it easier and more affordable for researchers and developers to implement dependable high-speed data storage solutions in their FPGA-based projects. Initially, the controller will support the 1500Mb/s data transfer speed typical of earlier SATA versions. Our development plan includes building this controller, a hardware simulation of it, and software to demonstrate it. We then intend to implement it on actual hardware and prove it works. >> Read more about S-SATA for openXC7 pcb-rnd — Modular printed circuit board editor Pcb-rnd is a modular printed circuit board editor that is designed with the UNIX mindset. It has a convenient GUI for editing the graphical data of the board but it also has a handy command line interface. Both the GUI and the CLI aspects are scriptable (in more than 10 scripting languages) and pcb-rnd can also process boards as a headless converter tool. It has support for various proprietary schematics/netlist and board formats which makes it also a good choice for converting free hardware designs coming in proprietary formats to free file formats. Among the upcoming challenges are a full rewrite of the Design Rule Checker, more file format support and making the menu system even more dynamic to match the modular nature of pcb-rnd better. 
>> Read more about pcb-rnd scalePNR — New place and route algorithms for large FPGAs The scalePNR project focuses on enhancing digital circuit design for large Field-Programmable Gate Arrays (FPGAs), which are complex chips used in everything from consumer electronics to mobile phone base stations to cameras to AI accelerators to internet backbone infrastructure to advanced computing systems. Traditionally, designing these chips has been a highly specialized and time-consuming task, due to the complexity and computational demands of arranging and determining efficient wiring between the millions of tiny logic blocks they contain. The goal of this effort is to tackle larger, more advanced FPGAs and make the process of designing circuits for these high-capacity chips more accessible and efficient, potentially leading to faster, more energy-efficient electronic devices. By researching and implementing new algorithms, the project aims to make it easier and quicker to design circuits that run cooler, faster, and more reliably, bringing the benefits of the latest technology to a broader audience and fostering innovation in numerous tech-driven sectors. >> Read more about scalePNR uFork — A memory-safe pure-actor virtual machine Applying the design principle of actors-all-the-way-down, uFork implements a virtual-machine that is memory-safe at the level of assembly-language instructions. All operations occur in the context of an actor message-event, which provides object-capability security throughout the system. The effects of individual instructions are isolated so they can only affect the state of their host actor until a transactional commit releases additional asynchronous message-events into the system. This isolation allows interleaved execution of multiple instruction streams, so multiple actors can make progress concurrently. 
The virtual-machine implements automatic memory management with garbage-collection, and fine-grained resource quotas are enforced by the processor. >> Read more about uFork uFork/FPGA — A memory-safe pure-actor processor soft-core uFork is a novel microprocessor architecture based on dispatching immutable asynchronous message-events to reactive objects (actors) which manage private mutable state. Contention for shared mutable storage is eliminated, reducing complexity. Strong process and memory isolation prevents interference among tasks. Object-capability security (ocaps) provides fine-grained access control. The architecture has been validated by implementing a virtual-machine in software. This project will implement the design using FPGA hardware fully supported by open-source tooling. >> Read more about uFork/FPGA uberClock — High precision open hardware clocks using multi-mode crystal oscillators Very precise clocks have many different use cases, but they are complex to make and expensive to buy - leaving high precision timing out of reach for many. Currently, there are no open hardware designs capable of delivering so called \"Stratum 2\" accuracy. This project will design and build an open hardware clock exploiting the properties of multi-mode crystal oscillators using modern numerical methods for frequency stabilization. A Field-Programmable Gate Array (FPGA) will be used for digital signal processing functions, multiple Proportional-Integral-Derivative (PID) control loops, and executing all necessary calculations needed for dynamic, real-time frequency corrections. High-Level Synthesis (HLS) code will be developed using the CflexHDL+PipelineC toolset, in order to validate and further mature that emerging design flow for signal processing applications. 
>> Read more about uberClock "},{"description":" GetEduroam A modern way to manage and deploy federated wifi roaming This page contains a concise overview of projects funded by NLnet foundation that belong to GetEduroam (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. Letswifi/Geteduroam Portal — Make federated wifi access provisioning safer and more convenient The geteduroam toolset will allow organisations to roll out wifi access provisioning to their userbase more securely and conveniently, in addition to making it even easier for end users to connect to such services (like eduroam and govroam) in a secure way. While many users connect to these roaming services by simply typing in their username and password when they see the network, to securely connect to the network relevant network information needs to be provided through an onboarding tool. geteduroam and eduroam CAT are such onboarding tools. In addition to providing onboarding, geteduroam also increases network security at the backend, by removing the necessity to connect the internal user database of an organisation to the federated infrastructure. >> Read more about Letswifi/Geteduroam Portal Letswifi/Geteduroam — Make federated wifi access provisioning safer and more convenient The geteduroam toolset will allow organisations to roll out wifi access provisioning to their userbase more securely and conveniently, in addition to making it even easier for end users to connect to such services (like eduroam and govroam) in a secure way. While many users connect to these roaming services by simply typing in their username and password when they see the network, to securely connect to the network relevant network information needs to be provided through an onboarding tool. geteduroam and eduroam CAT are such onboarding tools. 
In addition to providing onboarding, geteduroam also increases network security at the backend, by removing the necessity to connect the internal user database of an organisation to the federated infrastructure. >> Read more about Letswifi/Geteduroam ","url":"https://nlnet.nl/thema/GetEduroam.html","title":"GetEduroam"},{"description":" FileSender Server application to send files of arbitrary size This page contains a concise overview of projects funded by NLnet foundation that belong to FileSender (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. FileSender — FileSender Crypto Improvements FileSender is a secure and private way to share very large files with end-to-end encryption. It can be self-hosted or offered as a service. After a security assessment by OpenFortress, it became clear that FileSender should move from AES-CBC to AES-GCM mode cryptography. The random password generator should also produce a random fixed length key tuned to provide the entropy that the AES algorithm can take advantage of. The CI test suite is extended to test that the data encrypted using an older key mode can be decoded by the current FileSender release to ensure updates and migrations do not cause issues. >> Read more about FileSender FileSender Multistage — Improve FileSender scalability FileSender is an open source web application for sending files of any size, quickly and securely. The sender has full control over who receives and can access the files and for which period of time – as it should be. It is important to FileSender users (especially first time users) that the flow for submitting files and downloading them is smooth. 
There is no one user experience that covers all use cases, and moreover people might be used to proprietary services that can offer a simple experience - courtesy of them not being federated or interoperable across instances. That means a need for supporting diversity in several dimensions. This project will swap out the bespoke legacy CSS behind FileSender and switch to a widely used framework, which makes customisation easier for the developers. Another focus is on performance tuning: FileSender needs to run maintenance free and handle tens of thousands of users on a single install without problems. This project will deliver several improvements to FileSender to improve overall performance, stability and security. >> Read more about FileSender Multistage FileSender UX ZIP — Encrypted multi-file streaming FileSender is an open source web application for sending files of any size, quickly and securely. The sender has full control over who receives and can access the files and for which period of time – as it should be. This project aims to create a major update to the user interface of FileSender: the software offers End-to-End encryption for sending one or more files in a transfer. Because encryption is done in the browser the server cannot offer an archive containing all of the files for an entire transfer. Decryption must happen in the browser and so any archive containing the decrypted files must be created in the browser. This builds on the recent streaming decryption support to allow zip64 files to be created containing selected files from an encrypted transfer. The content will be decrypted in the browser prior to being streamed to the zip64 archive. There will be additional effort to improve overall performance, stability and security. >> Read more about FileSender UX ZIP FileSender IDOR and Rate Limiting — Security improvements to FileSender FileSender is an open source web application for sending files of any size, quickly and securely. 
The sender has full control over who receives and can access the files and for which period of time – as it should be. This project is to address a number of issues discovered during a security audit. These issues include possible insecure direct object references during a guest file upload, missing rate limiting for some email notifications which could allow abuse, a modification to a cookie for better security against internal attacks, and dependency updates. >> Read more about FileSender IDOR and Rate Limiting FileSender UX/UI — UX/UI overhaul of FileSender Privacy and data security have become top priority to organisations and individuals alike. Secure, trustworthy and transparent services for sharing files are difficult to find, however. With most available services on the market, users don’t really know what happens with their confidential files, nor whether or not their files are deleted by the service once the files have been successfully transferred from A to B. This lack of technical transparency not only poses a risk to data security and privacy, but also creates serious impediments to compliance and control. FileSender is a libre filesharing server designed with privacy and data security in mind, and capable of exchanging extremely large files - in fact, the key limit is the capacity of the equipment and the capacity of the network connection rather than the software. FileSender is free and open source technology, which allows users and developers to maintain and enhance it to cater for new use cases. It is easy to customise the look and feel, so organisations and service providers can easily integrate it into their offering to users and customers. FileSender allows files to be encrypted in transit and offers full control to users – as it should be when it comes to sensitive data. In this project, the entire user interface and user experience (UX/UI) are overhauled, from the user front end and the administrative interface to the emails that are sent out. 
>> Read more about FileSender UX/UI FileSender — Security improvements for FileSender FileSender is a web based application that allows authenticated users to securely and easily send arbitrarily large files to other users. Authentication of users is provided through SimpleSAMLphp, supporting SAML2, LDAP and RADIUS and more. Users without an account can be sent an upload voucher by an authenticated user. FileSender is developed to the requirements of the higher education and research community. The purpose of the software is to send a large file to someone, have that file available for download for a certain number of downloads and/or a certain amount of time, and after that automatically delete the file. The software is not intended as a permanent file publishing platform. This project will tackle a number of security improvements identified through a Security Assessment performed by Computest. >> Read more about FileSender FileSender secure passwords — FileSender is a secure and private way to share very large files with end-to-end encryption. It can be self-hosted or offered as service. This project addresses password security in a number of manners: key generation optimization, offering a PBKDF2 user interface and password improvements - some browsers like Microsoft Edge and Internet Explorer do not support PBKDF2 for generating a cryptographic key from a user supplied password. This requires an alternative solution for those browsers. >> Read more about FileSender secure passwords FileSender — Improve streaming downloads and encryption FileSender is an open source web application for sending files of any size, quickly and securely. The sender has full control over who receives and can access the files and for which period of time – as it should be. FileSender is developed to the requirements of the higher education and research community. 
This project addresses a variety of issues including rate limiting on e-mail functionality, testing for sensitive information stored in URLs, testing for missing authentication or authorization, testing for identifier-based authorization and streaming download and decrypt of encrypted content on modern browsers. >> Read more about FileSender ","title":"FileSender","url":"https://nlnet.nl/thema/FileSender.html"},{"description":" Educational Programs Projects aiming at using Internet technology within the educational sector. This page contains a concise overview of projects funded by NLnet foundation that belong to Educational Programs (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. How AdTech works — Improving public awareness of AdTech and privacy The web has become a place where visiting a webpage triggers many effects elsewhere on the globe, and where advertising technology has morphed into a market driven surveillance ecosystem of a size that was unimaginable even a few decades ago. While especially older people may still think of the 'friendly' world wide web of the nineties, the reality is that underneath the surface of many web pages lies a dark technology layer that sprawls data. \"How AdTech works\" is a project by the European umbrella of digital rights organisations, EDRi. The goal of EDRi is to address the threat these developments hold for our online lives and the shared public spaces. EDRi wants to de-mystify and challenge the complex and secretive world of online advertising and profiling - and bring attention to these issues at a policy level. With upcoming platform regulation like the pending EU Digital Services Act (DSA), there is an urgent need to share insights among human rights defenders, academics and the public at large. 
We need a concerted effort to take on this challenging subject - in order to better understand and subsequently challenge invasive and exploitative monopolistic practices that lead to aggravations of polarisation, spread of disinformation, and other abuses of fundamental rights. EDRi will engage with legislative efforts across Europe as an opportunity to better protect people’s rights online against data-hungry, abusive business models. EDRi will support this work via the creation of a booklet on AdTech and online advertising, which will be distributed among policy makers, human rights defenders and the broader public. >> Read more about How AdTech works CodeYard — Open-Source software development for students in secondary education Computer Science is a growing subject in secondary education (12-to-18-year old students). In 2007 it will become a core profile course for the Dutch high school curriculum. The CodeYard project aims to draw students to the production of Open Source Software (OSS). Students can use the infrastructure and expertise of the CodeYard project to produce OSS, which can be passed on to future generations of students. This should lead to a wider use of OSS. >> Read more about CodeYard Democratic SendComm — Easy to use connected open hardware device Democratic SendComm is an open hardware LoRaWAN capable device, aimed at the educational sector. The sub-gigahertz LoRa network and the IP networked LoRaWAN can be used to transmit data at relatively large distances with very simple commodity infrastructure, and Democratic SendComm is therefore for instance suitable for measurement data from actuators and sensors in low-bandwidth scenarios. The whole design is available under the CERN HW license. 
>> Read more about Democratic SendComm Explain Direct — Providing effective and efficient access paradigms for open educational material Open source technical solutions for analyzing, recommending, and querying open educational materials within the context of higher education >> Read more about Explain Direct GO-FOSS — Teach employees in SMEs and NGOs the benefits of FOSS The main goal of this project is to develop a group of skilled professionals on FOSS within the community of SMEs (Small and Medium Enterprises) and NGOs (large Non Governmental Organizations). >> Read more about GO-FOSS SchoolLan — computer networking as education support for primary schools The foundation SchoolLan ceased its activities officially on October 31, 2006. At the moment, no one is working on a new release. The last release 5.2.0 was made in September 2004. SchoolLan brings an Internet infrastructure to Dutch primary schools. Pupils and teachers can get access to e-mail and websites with minimal effort. The systems are pre-configured to fit best in the school environment. SchoolLan has been developed to allow (remote) technical management within a (technically naive) school environment. The design and configuration can easily be duplicated by similar educational institutions elsewhere. In other words, SchoolLan is a blueprint: a technical configuration/network design model. >> Read more about SchoolLan ThinkQuest — educational web contests Foundation ThinkQuest organized web-games for various target communities: primary school pupils, secondary schools, and even vocational training students. All contests are in Dutch only. >> Read more about ThinkQuest TOS;DR — A user rights initiative to rate and label website terms & privacy policies Terms of service are often too long to read (reading all of these carefully wrought documents could quite literally cost you years of your life), yet it is very important to understand what is in them. 
After all, your actual legal position online depends on them in a very concrete way. The ratings from TOS;DR can help users get informed about their rights. >> Read more about TOS;DR TwinSite-2000 — international web-competition for secondary schools International web-competition for secondary schools, where a Dutch school has to partner with a foreign school in creating a website on any topic of choice. >> Read more about TwinSite-2000 ","url":"https://nlnet.nl/thema/EducationalPrograms.html","title":"Educational Programs"},{"url":"https://nlnet.nl/thema/Deployability.html","title":"Deployability","description":" Deployability Making sure applications can be put to use in a sane, convenient way This page contains a concise overview of projects funded by NLnet foundation that belong to Deployability (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. Nixcloud Mail — Declarative mail server based on NixOS Getting email infrastructure right is hard, and typically involves a lot of tweaking and manual optimisation. The goal of this project is to provide an easy out of the box mail infrastructure with declarative technology that adheres to modern email standards such as DKIM, SPF, DMARC, DNSSEC and IPv6. >> Read more about Nixcloud Mail Nixcloud Webservices — Declarative web services based on NixOS Create example webservices in different programming languages to benefit from the Nixcloud web services abstraction. 
>> Read more about Nixcloud Webservices Nixcloud — Declarative internet services based on NixOS This project aims to make NixOS the first computer operating system to package TLS Pool as a service component, and will allow to combine the power of declarative packaging with the unique security characteristics of TLS Pool to create a solid and versatile delivery channel for decentralised internet applications. >> Read more about Nixcloud "},{"description":" Decentralised solutions Decentralised solutions, including blockchain/distributed ledger This page contains a concise overview of projects funded by NLnet foundation that belong to Decentralised solutions (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. AI Horde — Collaborative infrastructure for running generative AI models The AI Horde is a crowdsourced, free, libre and open sourced service with the aim to truly democratise access to Generative AI. It supports both generating text via Large Language Models and images via Stable Diffusion via a simple REST API, allowing everyone to integrate this technology to any product. One of the biggest challenges with Generative AI is the amount of resources required to run even simple models, leaving the vast majority of humanity without access to this technology. The AI Horde delivers a groundbreaking smart-queuing clearing house where enthusiasts can volunteer their idle compute for everyone in the world to generate images or text without any further commitments or budget. >> Read more about AI Horde AVantGaRDe — Reliable Foundations of Local-first Graph Databases The *AVantGaRDe* (Verified highly-Available and Reliable Distributed Graph Databases) project aims to develop a framework for reliably supporting local-first connectivity. 
Graph databases have recently been introduced to efficiently manage interconnected, heterogeneous, and semi-structured data. These leverage native graph storage, an expressive property graph model, and dedicated graph query languages. Still, scalably and reliably managing large graphs, while ensuring availability, low latency, and consistency is challenging. While cloud graph databases try to address this, local-first solutions allow users to preserve ownership and agency over their data. Unfortunately, no local-first graph databases exist, as these require customized replicated data types (CRDTs) and compositionally preserving graph invariants. Moreover, as CRDTs are already notoriously difficult to construct, ensuring the correctness of complex graph CRDTs is challenging. The project aims to develop a novel framework for designing foundational models for local-first graph databases, with built-in trustworthiness and reliability guarantees. *AVantGaRDe* sets to design a unified framework for prototyping and extracting correct-by-construction horizontally scaled property graph CRDTs that can preserve complex invariants. >> Read more about AVantGaRDe ActivityPods 3.0 — Encrypted Solid-compatible Pods ActivityPods brings together two game-changing protocols, ActivityPub and Solid Pods, and empowers developers to create fully-decentralized social apps thanks to an easy-to-use framework. In the planned version 3.0, Solid clients will be able to connect to ActivityPods just like any other Solid Pod provider. Furthermore, ActivityPods 3.0 will build a bridge with the world of P2P protocols, since it will be using NextGraph (a local-first P2P solution based on CRDT) as a triple store. The result is that all Pod data will be encrypted. In addition, users will be able to create a NextGraph wallet and use it to give NextGraph apps access to their Pod data. 
This will allow ActivityPods to provide the first \"social Pods\" with built-in Fediverse communication and improved data security, potentially attracting more developers and users to the Solid and ActivityPub ecosystems. >> Read more about ActivityPods 3.0 Arcan-A12 — Explorative p2p protocol for fast and secure remote desktops Protocols such as VNC, X11 and SSH have long been fundamental components for accessing user facing software or desktop computing as a whole over a network connection, with millions of daily users ranging from simple households to businesses and critical infrastructure. The development of these protocols and their respective tools has unfortunately stagnated, drifting towards proprietary extensions and otherwise dragging behind developments in compression technology, while leaving qualities such as accessibility and usability in a rough state. A12 is a project within the Arcan umbrella (models for future desktop computing) that aims to change this, leaning on decades of experience in system graphics. A12 consolidates the use cases of these - and related - protocols, adding stronger privacy protections against side channel analysis, use of modern compression techniques, providing higher visual quality and lower latency with simplified key management and service discovery. >> Read more about Arcan-A12 Automerge — Add Merkle Search Tree support to Automerge Automerge is a CRDT library for building local-first collaboration software, allowing several users to concurrently edit a file, both in real-time and offline. It is currently optimized for working on a single document; this project aims to improve Automerge's support for synchronizing large collections of documents across multiple devices (for example, all of a user's notes in a note-taking app). 
The challenges here are efficiently determining which documents need to be synced, syncing multiple documents in parallel, giving users a progress indicator during large data transfers, and making the protocol efficient in terms of computation, memory, and bandwidth. Our protocol will be compatible with both client-server and peer-to-peer synchronization. >> Read more about Automerge Bana — Personal network oriented ActivityPub powered social networking Bana is aimed at private social networking. It is both a server and a mobile Web app, and is federated: anyone can operate a server and people on one server can communicate with people on any other Bana server. Bana uses ActivityPub, ActivityStreams, and the Activity Vocabulary protocols. Anthropologist Robin Dunbar speculated humans could only comfortably maintain 150 stable relationships. Bana limits you to 150 connections: the closest friends and family members in your life. The connections are reciprocal, meaning both people follow each other. Bana offers a digital journal shared with only the closest people in your life. Bana allows you to post text, photos, videos, audio, location check-ins, workouts, and media consumption - capturing what you want to remember about this particular day in your life. >> Read more about Bana Blink RELOAD — Secure P2P real-time communications with RELOAD REsource LOcation And Discovery specification (RELOAD) is a standard produced by the IETF to (as the name indicates) describe how people can search within a local network to discover other people and devices they can then exchange video and voice calls with, send messages etc. Why make every discovery depend on the availability of a global DNS system, if you are actually near each other... Blink is a mature open source real-time communication application that can be used on different operating systems, based on the IETF SIP standard. It offers audio, video, instant messaging and desktop sharing. 
Blink RELOAD aims to implement RELOAD (RFC 7904), which describes a peer-to-peer network that allows participants to discover each other and to communicate using the IETF SIP protocol. This offers an alternative discovery mechanism, one that does not rely on server infrastructure, in order to allow participants to connect with each other and communicate. In addition, the RELOAD specification describes means by which participants can store, publish and share information, in a way that is secure and fully under the control of the user, without a third party controlling the sharing process or the information being shared. >> Read more about Blink RELOAD Briar — A secure messaging app with offline capabilities Briar is a secure messaging app designed for activists, journalists and civil society groups. Instead of using a central server, encrypted messages are synchronized directly between the users' devices, protecting users and their relationships from surveillance. This project will enable users of Briar to delete their private messages. Giving users control of what information their devices retain will allow them to practice defence in depth, managing their exposure if their devices are lost or compromised. >> Read more about Briar Briar Desktop — E2EE online and offline messaging and discussion Briar Desktop is a client for the peer to peer messenger Briar that runs on the typical desktop operating systems Windows, macOS and Linux. With the emergence of multiple Linux-based operating systems for phones, it will also become possible to adapt it to run on operating systems such as Manjaro, PureOS and postmarketOS. A basic version of Briar Desktop has just been implemented and released to the public, but its features are still limited to one-to-one communication. The main goal of this project is to implement the additional group-oriented modes of communication that Briar's Android client supports: groups, forums and blogs. 
While the first iteration of development focused on Linux, publishing for macOS and Windows is going to be stabilized from experimental to production stage within this project. To keep up with the development of the Android client, support for the upcoming Mailbox feature is also going to be implemented. >> Read more about Briar Desktop Discover and move your coins by yourself — A safe way to explore and work with cryptocurrency forks The numerous technologies behind cryptocurrencies are probably the most difficult to understand compared to any other networks, even for technical experts - and especially bitcoin based networks. Most users, even those familiar with the technology for years, have to rely on wallets or run/sync full nodes. Empirically we can see that they usually get lost at a certain point of time, especially when said wallets dictate the use of new \"features\", like bip39 and alike, multisig, segwit and bech32. Most users don't understand where their coins are and on what addresses, what is the format of these addresses and what are their seeds and what they need to unlock their coins. This situation pushes users to give their private keys to dubious services, resulting in the loss of all of their coins. The alternative is to let exchanges manage their coins, which removes their agency and puts them at risk. The goal of this project is to correct this situation, allowing people to simply discover where their coins are and what their addresses are, whatever features are used. It will allow them to discover their addresses from one coin to another, rediscover their seed if they lost a part, sign/verify addresses ownership, discover public keys from private keys and create their hierarchical deterministic addresses. 
In fact, it provides all the tools needed to discover and check what is related to their coins - and this for any bitcoin based network. In addition, it allows them to create their transactions by themselves and send them to the networks, or just check them. The tool is a standalone secure open source webapp inside browsers that must be used offline; it is a browserification of a nodejs module that can also be used or modified by those who have the technical knowledge. >> Read more about Discover and move your coins by yourself Privacy Infrastructure for Corteza Federations — Allow users to locate and browse their private data wherever The project summary for this project is not yet available. Please come back soon! >> Read more about Privacy Infrastructure for Corteza Federations CryptPad Auth — Implement external identity mechanisms to E2EE collaborative editor CryptPad is a real-time collaboration environment that encrypts all user-generated content in users' browsers, making it illegible to the host of the service. In this project we'll develop optional extensions to the platform to provide additional layers of protection for such data by pursuing two broad strategies in parallel. For the first, we'll take a top-down approach to security through integration with identity provider services like LDAP or SSO, allowing organizations to apply centrally managed access control policies. For the second, more bottom-up approach, we'll offer tighter control of user accounts through various secondary authentication methods like app-based TOTP or email \"magic-links\". These new features will provide more choices for the protection of data stored in CryptPad, while also making the platform more approachable for conventional organizations by leveraging their existing points of trusted infrastructure. 
>> Read more about CryptPad Auth CryptPad for communities — Collaborative web editor with client-side encryption CryptPad is a secure and encrypted open-source collaboration platform, that allows people to work together online on documents, spreadsheets and other types of documents. The amazing thing is that while the participants can work with these web applications as they would with any normal tool, the server has no way of telling what it is they are working on. Everything is encrypted on the device of the user, before it is sent to the server. The \"CryptPad for communities\" project will improve the experience of users adopting the platform for community management tasks. We'll spend time solving the issues most commonly reported by our users as obstacles to their broader adoption of the platform as an alternative to proprietary services. Document review is as important to many as collaborative editing, so we'll implement comment workflows that integrate our recently introduced social features into our text editors. Our Kanban and spreadsheet apps will both receive some crucial updates to better facilitate project management tasks without compromising on privacy. We'll develop extra access control features based on users' public keys for documents that require stricter protection than is currently offered. Those hosting their own CryptPad instance will benefit from new functionality for their admin panel as well as detailed documentation to make server management more accessible. Finally, we'll implement extra controls permitting admins to limit access to their instance by requiring invites for registration. Altogether we hope these tools will allow communities more determination when it comes to their data, their processes, and their ability to work together productively. 
>> Read more about CryptPad for communities DeltaBot — Social discovery over mail-based chat Why make humans be the only ones to search new content that is relevant to you, if bots can be made to do the same on your behalf? The DeltaBot project will research and develop decentralized, e2e-encrypting and socially trustworthy bots for Delta Chat (https://delta.chat). Bots will bridge with messaging platforms like IRC and Matrix, offer media archiving for its users and provide ActivityPub and RSS/Atom integration to allow users to discover new content. Our project is not only to provide well tested and documented Chat Bots in Python but also help others to write and deploy their own custom bots. Bots will perform e2e-encryption by default and we'll explore seamless ways to resist active MITM attacks. >> Read more about DeltaBot Encoding for Robust Immutable Storage (ERIS) — Encrypted and content-addressable data blocks The Encoding for Robust Immutable Storage (ERIS) is an encoding of content into a set of uniformly sized, encrypted and content-addressed blocks as well as a short identifier (a URN). The content can be reassembled from the encrypted blocks only with this identifier (the read capability). ERIS is a form of content-addressing. The identifier of some encoded content depends on the content itself and is independent of the physical location of where the content is stored (unlike content addressed by URLs). This enables content to be replicated and cached, making systems relying on the content more robust. Unlike other forms of content-addressing (e.g. IPFS), ERIS encrypts content into uniformly sized blocks for storage and transport. This allows peers without access to the read capability to transport and cache content without being able to read the content. ERIS is defined independent of any specific protocol or application and decouples content from transport and storage layers. 
The project will release version 1.0.0 after handling feedback from security audit, provide implementations in popular languages to facilitate wider usage (e.g. C library, JS library on NPM), perform a number of core integrations into various transport and storage layers (e.g. GNUNet, HTTP, CoAP, S3), and deliver Block Storage Management (quotas, garbage collection and synchronization for caching peers). >> Read more about Encoding for Robust Immutable Storage (ERIS) Earthstar — P2P protocol and APIs for collaborative and social applications Your data is stuff you care about. But a lot of the time, you only get to interact with it in places owned by corporations. It’s a bit like living in someone else's house. One consequence is that you don't get to choose who can see your stuff: malicious actors can follow your activities and harass you, and the owners of the space can record what you do and sell that information on. And because the space isn't yours, you don't get any say over how anything works: features you like can disappear overnight, and your data can be changed or deleted without your consent. What if you and the people you care about could band together and have your own place for your data to live? Where the only people who see your stuff are people you trust, and no-one is selling your privacy? And where you decide how things work and when it should change? Earthstar is a pocket-sized toolkit to help users build a place of their own. Easily create user-owned infrastructure that holds the data you care about, in formats which suit your needs, and write your own applications to interact with it — or use ones from the community! 
>> Read more about Earthstar Federated Timesheets — Interoperable machine-readable time tracking This project brings together developers from WikiSuite, m-ld.io, Muze and Ponder Source in a collaboration to deliberately research how federated machine-readable data can work between independent software projects on the user-operated internet. We want to showcase how our vision of Federated Bookkeeping can make internet users \"connected but sovereign\". Each project’s timesheet system that tracks billable hours will be extended with time tracker apps (locally or on a self-hosted server) to expose machine-readable timesheet data through a query endpoint (reader pull) or through a webhook (writer push). Furthermore a W3C interest group “federated timesheets” was started that will contain and maintain a repository of time tracker schemas and extend this continuously in an orderly fashion to enable developers to import recipients’ schemas as well as add their own to the repository. >> Read more about Federated Timesheets Fleetbase on Solid: A production-ready supply chain solution — Federated open source supply chain solution using Solid One of the most exciting features of Solid is its ability to set up a knowledge graph that connects the data with different owners. This is useful for connecting personal data, but it's even more useful for connecting business data. As such, supply chain management is a field with a high potential for disruption with Solid. Individual companies can share supply chain data with their clients and suppliers, allowing for more insights across the entire supply chain. Building a supply chain solution on top of Solid doesn't only take knowledge of Linked Data, it requires partners who are experts in supply chain management. Fleetbase is an MIT licensed, open-source logistics platform serving companies around the world. 
The \"Fleetbase on Solid: A production-ready supply chain solution\" project seeks to make Fleetbase Solid compatible and flesh out a real-world use-case that relies on the power of linked data sharing enabled by Solid. By the end of the project, shipping companies will be able to use Fleetbase on Solid to share information and coordinate with third party delivery companies. >> Read more about Fleetbase on Solid: A production-ready supply chain solution ForgeFed Frontend — Improved UI for federated version control repositories Software developers often use websites called forges, where they collaborate on software projects. But these forge platforms are centralized, leading to the community flocking into big privately-controlled forges. The ForgeFed project is creating a protocol specification and a reference implementation for forge communication, allowing forge websites to form a decentralized network, putting the power and freedom of choice back in the hands of the community. >> Read more about ForgeFed Frontend ForgeFlux — Software Forge independent federation with ActivityPub and F3 Federation accurately models the way free software dynamics work: people and organizations across the globe come together to work on a software project. However, current software forging tools do not reflect this model, which has resulted in centralization in a few software forge instances. This issue is further complicated since a limited amount of tooling creators is committed to implementing federation. ForgeFlux is a project in the forge federation domain that is trying to make forges federate by building external adapters. We use the forge's native APIs and create a translation layer to talk to other nodes on the federating forge network. We aim to make Forgejo and GitHub federate for the first stable release. 
We are also working on other supporting areas in the forge federation domain, name in search and discovery of software projects, and in developing testing and debugging tools. >> Read more about ForgeFlux Fix the Pitch Black Attack in Freenet routing — A decentralized distributed platform for private communication Hyphanet (previously: Freenet) is a peer-to-peer platform with academic roots, offering censorship-resistant publication and privacy by design. It uses a decentralized distributed data store to store and forward information of its users, and is one of the oldest privacy related infrastructures - having been in continuous development for two decades, and predating the alpha version of TOR with several years. This project solves a published theoretical denial-of-service attack on the friend-to-friend structure of its routing, which has been a looming threat since it was discovered a number of years ago. >> Read more about Fix the Pitch Black Attack in Freenet routing GNU Taler — Advanced electronic payment system for privacy-preserving payments GNU Taler is an advanced electronic payment system for privacy-preserving payments. Unusual for such a system, the entire Taler system is ethical, free/libre software, so there are no dependencies on third parties and no black boxes. Taler can support digital payments in any currency - existing or new, mainstream or private. Unique to the GNU Taler system is that it provides anonymity for customers, while delivering various anti-fraud measures necessary to curb abuse. If you are a central bank, you can use Taler to provision a CBDC. If you are a regular bank or payment provider, you can use it as a mature digital payment method instead of various proprietary solutions which are opaque and come with many restrictions and high costs. The technology behind Taler fully supports local or community currencies too. 
Taler was designed to meet all the usual regulations for electronic money issuers, and supports regulations like PCI-DSS and GDPR out of the box. The work done within this grant delivered a key regulatory requirement, an independent audit of the payment service operator (the \"exchange\"). With the third party security audit of the GNU Taler codebase completed, banks and payment providers can now switch to this new system with confidence. GNU Taler finally brings us a transparent, trustworthy and truly private payment ecosystem that operates independent from vendors. >> Read more about GNU Taler Layer-2-Overlay — Generalising the GNUnet Layer-2 Overlay for broader usage Layer-2-Overlay is a P2P connectivity layer that allows decentralized applications to establish communication with peers. The current Internet architecture is strongly biased in favor of client-server applications. To regain data sovereignty from tech oligopoly, citizens must be able to communicate directly without a few gatekeepers. Therefore decentralized applications need to overcome network obstacles of the existing Internet infrastructure without the need to setup a costly alternative infrastructure. An additional benefit is the effective usage of existing resource, to lower the environmental damage big centralized systems are doing to our planetary ecosystem. The Layer-2-Overlay will achieve this goal by utilizing a variety of existing protocols and infrastructure (Ethernet/WLAN, TCP/UDP, QUIC, Satellite) and an effective flow- and congestion-control to distribute traffic through different channels. After reconnecting the edges (e.g. PCs at home or mobiles) of the existing Internet among each other again, traffic can be forwarded directly to known peers and existing infrastructure will be preserved. The API of Layer-2-Overlay will be usable by all kinds of decentralized application use cases. 
For a first showcase Layer-2-Overlay will be integrated into GNUnet, an alternative network stack for building secure, decentralized and privacy-preserving distributed applications. >> Read more about Layer-2-Overlay GNUnet Messenger API — API for decentralized instant messaging using CADET Communication is one of the most valuable goods, but it requires confidentiality, integrity and availability to trust it. The GNUnet Messenger API implements an encrypted translation layer based on Confidential Ad-hoc Decentralized End-to-End Transport (CADET). Through CADET the API will allow any kind of application to set up a fully decentralized form of secure and private communication between groups of users. The service uses e2e-encryption and does not require any personal information from you to be used. You are able to send text messages, share files, invite contacts to a group or delete prior messages with a custom delay. Messages and files will both be stored decentralized being only available for others in the group. GNUnet provides the possibility to use this service without relying on the typical internet structures, with a turnkey optional DHT for sharing resources. Unlike many other messengers out there the GNUnet Messenger service focuses on privacy. You decide who can contact you and who does not. You decide which information gets shared with others and which stays a secret. The whole service and its API is free and open by design to be used by many different applications without trusting any third party. >> Read more about GNUnet Messenger API Galene — High quality libre videoconferencing server Galene is a complete self-hosted videoconferencing system that has been designed to be easy to install and to manage, to preserve the users' privacy, and that uses very moderate server resources. 
Galene has been continuously used in production to host university lectures and staff meetings since September 2020, as well as to host a number of international conferences during the COVID pandemic. The goal of this project is to improve Galene to make it use state-of-the-art networking and video algorithms, to improve its management features, and to add a number of user-visible features, such as background blur and automatic subtitling. >> Read more about Galene Federated software forges with Gitea — Use W3C ActivityPub to federate among software forges Gitea is a popular free and open-source software forge, a solution for code hosting, version control (using Git) and featuring other collaborative features like bug tracking, wikis and code review. Unlike proprietary platforms like GitHub, anyone can host the software for themselves and for others - and retain full control and confidentiality over their operations and community. The goal of this project is to implement federation features to Gitea, by implementing, among others, the W3C ActivityPub standard. This is an important enabler that can be used to implement a distributed search across different software repositories - an important feature for decentralised systems. The project will also make sure to verify the implementation of the federation proposed for Gitea is conformant with the ActivityPub W3C standard as well as the Forgefed models. >> Read more about Federated software forges with Gitea Gosling — Generic Onions Services Library Project One of the internet’s core infrastructural flaws is a lack of anonymity - yet anonymity is a form of privacy that many users would prefer to have. Building products which preserve this user privacy while also being featureful and easy to use is difficult. Part of this difficulty has to do with the fact that developers need to be aware of and actively counter the myriad ways users can be de-anonymised (e.g. fingerprinting, side-channels). 
This requires knowing many intricate details at all levels of the software stack. Project parent Blueprint for Free Speech's goal is to gradually increase the portion of the internet that offers anonymity. By creating a “generic onions services library” (Gosling), we can help developers create secure and anonymous p2p applications without having to delve too deeply into protocol design or the Tor spec, and to do so with more security assurance. >> Read more about Gosling Hyper Hyper Space Sync Engine and adapters — Secure P2P data synchronisation The way authority is coded into software platforms impacts the health of the communities they serve. The goal of this project is to provide an information sync engine that can provide an application back-end with as little authority delegation as possible, thus enabling applications that are truly user-controlled. By using a formulation based on monotonicity, Hyper Hyper Space is able to simulate a transactional engine over a cryptographically secure event log. This yields a versatile data model, that is usable in a coordination-free setting and in the presence of Byzantine faults. This modelling flexibility can be leveraged by using bi-directional adapters, that are able to ingest and export synchronized data into a variety of local storage systems, including relational databases, document stores, and files. Application builders can choose the storage system that better suits their use-case, and rely on an adapter to synchronize its contents. This should lower the barriers of entry for creating p2p applications, and hopefully significantly boost quality while reducing complexity. >> Read more about Hyper Hyper Space Sync Engine and adapters Hyper Hyper Space — Cryptographically secure append-only distributed data layer The Hyper Hyper Space project aims to make distributed applications easy to build and usable by anyone. 
It introduces “spaces”, shared information objects that are stored locally (on personal computers or phones) and can be easily replicated over the network to any number of participants and kept synchronized. Spaces have formats (just like files): blogs, discussion forums, e-commerce stores, etc. can be represented as space-types. Instead of filenames or URLs, spaces can be universally looked up by entering a 3-word code into the application. This code is used to find devices hosting the space, and then to fetch and validate it. Application designers can build upon a library of building blocks supplied by Hyper Hyper Space (e.g. cryptographic identities, CRDT-inspired datatypes, etc.) that work over append-only DAGs. Once a space is defined this way, its synchronization can be handled by Hyper Hyper Space transparently, simplifying application development. Finally, to make spaces universally available, the Hyper Hyper Space runtime works inside an unmodified web browser (as a JavaScript library: IndexedDB is used for in-browser storage, WebRTC as transport - no extensions are needed). Thus a distributed application can be deployed as a static website that fetches its contents from a browser-to-browser mesh. Ultimately, the Hyper Hyper Space project’s goal is to encourage open information formats and software interoperability, helping make open source, not-for-profit and public interest application development sustainable. >> Read more about Hyper Hyper Space Icebreaker — Gemini centric viewpoint of coding issues and bug tracking Modern software projects not only require source code repository management but also tools to plan projects and solve technical problems. Closed source solutions and online commercial services may be convenient, but create significant concerns around control, autonomy and privacy - and they skew discoverability. Icebreaker believes in decentralised approaches which keep the coding repo separate from the project management repo. 
In terms of cooperation and teamwork, this helps to encourage new, flexible and dynamic approaches. These expectations are solved through the minimalism of the Gemini protocol and its terse Markdown format, Gemtext. It is modern because it is easy to understand; accessible to interact with (whether as a consumer or a contributor); and treats privacy as a foremost priority. Icebreaker's flagship project, gLean, provides building blocks for navigating and interpreting one or more Gemini content sources (with settings, rulesets, and regex magic). (Non core) modules provide output in alternative formats, including Kanban boards. Creators will control their issue trackers. Creators' terms. Creators' conditions. 'Off-the-shelf' solutions can't compete against gLean's tailored approaches. FOSS communities can choose workflows that match their technical requirements, while supporting autonomy and adhering to their ethical values. >> Read more about Icebreaker Interpeer — Collaboration infrastructure with near real-time p2p data synchronization The Interpeer Project's purpose is to research and develop novel peer-to-peer technologies for open and distributed software architectures. The goal is to enable serverless modes of operation for collaborative software with rich feature sets equal to or surpassing centralized client-server architectures. For that reason, the initial focus lies on facilitating the extreme end of the use case spectrum with very low latency and high bandwidth requirements, as exemplified by peer-to-peer video communications in quality as close to 4k resolution as possible. When that initial goal is reached, the project focus will shift to other collaborative applications of the technology. 
>> Read more about Interpeer Threat intelligence sharing — Privacy-Preserving Sharing of Threat Intelligence in Trusted Adversarial Environments Iris P2P is a peer to peer system for sharing security detections and threat intelligence with trusted models resilient to manipulation attacks. Most P2P systems are designed for file sharing, storage, chat, etc. but they are not prepared to share security detections, threat intelligence data and alerts. The security world needs better ways to automatically share intelligence data with trusted organizations and peers. If decentralized, no single organization has control or can censor, sell or modify the data. Iris is the first global P2P system that is designed to solve this problem. It implements: automatic sharing of threat intelligence data when you are attacked, controlling the spread in the P2P to spread slowly, alerting the network of a new attacker. Controlling the spread in the P2P to be fast, asking peers about the reputation of other peers, and defining ‘organizations’ in the P2P network using the DHT and private/public keys. Organizations can publish their keys in conventional communication systems to attest ownership (social media, etc.). All communication is encrypted with private/public keys. You can control the privacy of your data by defining to which organizations and peers you want to share your data. You can also control the transfer of data with epidemic algorithms. All data is evaluated according to the trust in the other peers. Defining trust of each peer in the network with a new protocol (Fides) which computes the trust in each peer by balancing the direct interactions with peers and reputation of peers according to the rest of the peers. Fides implements a mathematical model to guarantee that no adversarial peer can lie to manipulate the reputation and the trust. 
>> Read more about Threat intelligence sharing json-joy — JSON data structure as a CRDT Conflict-Free Replicated Data Types (CRDTs) are specialized data structures that enable the merging of changes in two or more data replicas without conflicts. Despite their immense potential, CRDTs remain a relatively new area of research and development, and much can be improved in existing open source CRDT libraries. The objective of the json-joy project is to implement a full JSON CRDT library that reflects the current state of the art, while simultaneously ensuring optimal performance through the use of custom-designed data structures and the latest advancements in Replicated Growable Array (RGA) literature. In addition, the project aims to establish specifications for critical components of the library, including the data types employed, serialization protocols, and patch format protocols, thereby facilitating the portability of the open source code to other programming languages and promoting educational initiatives. >> Read more about json-joy JSON-Joy Peritext — Rich-text CRDT implementations for json-joy CRDT json-joy is an open source library for building distributed collaborative web applications, its major focus is on implementing performant state-of-the-art CRDT algorithms. This project aims to implement a Peritext-like rich-text CRDT on top of the JSON CRDT Specification as part of the json-joy library. The goal of the project is to implement a production-ready collaborative rich-text editing algorithm, Peritext, and supporting modules for the json-joy library. The project will also improve on the originally proposed Peritext algorithm by leveraging JSON CRDT data structures to make various rich-text annotations mutable and block elements nestable. 
>> Read more about JSON-Joy Peritext Katzen — Meta-data resistant instant messaging over the Katzenpost mixnet Katzen is a new private instant messaging application built using the Katzenpost mixnet project, which is an overlay network that is able to hide communication patterns of individual users from passive network observers. This means that attackers cannot link sending and receiving of messages on the network with any of the participants. Messages between conversation parties are delivered to and read from message queues operated by the mixnet service operators. The legacy simple design maintains a per client queue and is able to see when a client is receiving a message, how often clients receive messages, and when the client is online and checking for their messages. The purpose of this project is to replace the legacy ephemeral message storage system used by Katzen with a replacement that does not link messages with a specific user or conversation. To do this, clients will include a csprng seed as part of the contact creation process that will be used to generate a deterministic sequence of message identifiers between conversation participants; these identifiers will be used by each client to query the ephemeral storage provider for the next message in the conversation. Because polling the storage service adds latency, and this design must check for new messages from each conversation partner, mechanisms to reduce the number of round trips - such as using SURBs as an asynchronous callback upon message delivery on the storage provider - will be explored as a means to build a mixnet 'push' service to decrease the total round trip delay in receiving a new message. >> Read more about Katzen Katzen Metadata Minimizing Messenger — Privacy preserving instant messaging using a modern mixnet Katzen is a multi-platform messenger application that works with Katzenpost, a mix network framework for building anonymity-enhancing communication services. 
Katzen minimizes metadata that could potentially be used to reveal the identities, locations, and relationships of its users. Katzen currently supports one-to-one messages between paired users, while also not revealing who is speaking to whom. This project aims to improve Katzen by adding group messaging, multimedia file transfers, and voice chat. These features require a new encrypted-at-rest database, additional UI for file transfers and push-to-talk voice messaging, and implementation of group messaging using the multiparty REUNION protocol, which allows group members to discover each other using a shared passphrase. >> Read more about Katzen Metadata Minimizing Messenger Private Key Operations for Keyoxide — Implement Private Key Store design in Keyoxide Keyoxide is one of the open-source success stories when it comes to providing an alternative to the proprietary product (Keybase). The UI is straightforward so that the interaction with the site is available to all kinds of users. Unfortunately there is one critical part that differentiates Keyoxide from Keybase - no support for private key operations. Adding proofs requires a complex maze of command line invocations. This project will implement the best of both worlds: a simple, UI-centric way of interaction without technical knowledge required and the strong security of Keyoxide. >> Read more about Private Key Operations for Keyoxide Keyoxide v2 — Add cryptographic signature based to Keyoxide How do you discover which other online accounts across different services and service providers actually belong to the same person? Keyoxide is a secure, privacy-friendly and decentralized platform to manage online identities, uncompromisingly driven by what the user herself wants to share. Keyoxide is a new type of service to allow proving linked account ownership on a variety of platforms. Keyoxide leverages existing and battle-tested cryptographic primitives. 
The goal is to give users more control over their online presence, independent from dominant internet actors - without in fact having to depend on any centralised services or third parties. The project will build on top of the existing OpenPGP Identity Proofs to add other types of profiles based on various cryptographic signature mechanisms from a variety of new tools. To maintain linkable profiles, a new signature-hosting infrastructure needs to be designed and developed. Other improvements are aimed at safeguarding privacy and achieving plausible deniability. >> Read more about Keyoxide v2 LiberaForms — End to End Encrypted Forms Cloud services that offer handling of online forms are widely used by schools, associations, volunteer organisations, civil society, and even families to publish questionnaires and collect the results. While these cloud services (such as Google Forms and Microsoft Forms) can be quite convenient to create forms with, for the constituency which has to fill out these forms such practices can actually be very invasive because forms may not only include personal details such as their name, address, gender or age, but also more intimate questions including medical details, political information and life style background. In many situations there is a power asymmetry between the people creating the form and the users that have to supply the data through that form. Often there is significant time pressure. No wonder that users feel socially coerced to comply and hand over their data, even though they might be perfectly aware that their own data might be used against them. LiberaForms is a transparent alternative for proprietary online forms that you can easily host yourself. In this project, LiberaForms will add end-to-end encryption with OpenPGP, meaning that the data is encrypted on the client device and only the final recipient of the form data can read it (and not just anyone with access to a server). 
Also, the team will add real-time collaboration on forms, in case users need to fill out forms together. >> Read more about LiberaForms XMPP-ActivityPub gateway — XMPP, ActivityPub and E2EE Pubsub XMPP (aka Jabber) is the vendor-neutral internet standard for instant messaging. ActivityPub is a web standard for federated social networking, used in software like Mastodon, Pleroma, PeerTube, Pixelfed and Funkwhale. The project consists of two components: an ActivityPub-XMPP gateway, which will be a component bridging these protocols - enabling ActivityPub users to access XMPP blogs, comments and other features, and vice versa. And adding state of the art end-to-end encryption (E2EE) for PubSub and filesharing, which entails proposing a new XMPP standard which can provide a secure way to publish, retrieve and subscribe to all sorts of data over XMPP. The project is built on Libervia (previously known as \"Salut à Toi\"), a communication ecosystem based on XMPP. Libervia offers several interfaces (web, desktop, mobile, command line, text UI) and explores the XMPP protocol beyond instant messaging. Libervia features chat, blogging, file sharing, photo albums, events, forums, etc. Libervia's goal is to develop an all-in-one, easy to use \"familial and personal social network\", i.e. a tool to communicate with the people close to you securely - and that lets your personal data stay within your control (as it should be). >> Read more about XMPP-ActivityPub gateway Librecast — E2E encrypted multicast The Librecast project contributes to decentralising the Internet by enabling multicast. It builds transitional protocols and software to extend the reach of multicast and enable easy deployment by software developers. 
This can for instance help to synchronise large evolving datasets to many users at the same time (even hundreds of gigabytes of blockchain data) in an economic, reliable, transparent and fair way - unlike with unicast, everyone can get a copy of the same packets received by everyone else. Not depending on a centralised structure (anyone can be the upstream source), means it is very robust as well. Librecast is energy efficient and as a next generation internet technology offers confidentiality and security - and is sustainable, has high scalability and throughput. Librecast Live is a Multicast Live Streaming, Conferencing and Remote Collaborative Work Environment. It is a versatile multicast platform flexible and scalable enough to be used for live-streaming, classrooms and conferences - using an ad hoc or previously established web of trust. While using multicast helps solve the scalability inherent with this kind of setup, actually all messages are transmitted over encrypted channels - providing strong privacy and integrity assurances through E2E encryption. >> Read more about Librecast LibreOffice CRDT — Real-time collaboration between several, distributed LibreOffice instances LibreOffice is the most widely used free and open source office suite, available for desktop, mobile and in the browser. Its most popular application is the text editor Writer, which is used to write billions of documents every year. Due to the increase of connectivity and remote work, these days many users look for real-time collaboration capabilities - meaning the ability to work with multiple persons on a single document in parallel. This project seeks to add this critical feature to LibreOffice. As a significant first step towards that goal, this project will therefore embark to re-architect LibreOffice Writer's comment (and later on change tracking) implementation, to make use of a suitable CRDT data structure. 
This is the first step towards real-time collaboration between several, distributed LibreOffice instances (desktop, mobile and server). >> Read more about LibreOffice CRDT Librecast Live — Live streaming with multicast The Librecast Live project contributes to decentralizing the Internet by enabling multicast. Multicast is a major network capability for a secure, decentralized and private by default Next Generation Internet. The original design goals of the Internet do not match today's privacy and security needs, and this is evident in the technologies in use today. There are many situations where multicast can already be deployed on the Internet, but also some that are not. This project will build transitional protocols and software to extend the reach of multicast and enable easy deployment by software developers. Amongst others it will produce a C library and POC code using a tunneling method to make multicast available to the entire Internet, regardless of upstream support. We will then use these multicast libraries, WebRTC and the W3C-approved ActivityPub protocol to build a live streaming video service similar to twitch.tv. This will be a complement to the existing decentralised Mastodon and Peertube projects, and will integrate with these services using ActivityPub. By doing so we can bring live video streaming services to these existing decentralised userbases and demonstrate the power of multicast at the same time. Users will be able to chat and comment in realtime during streaming (similar to YouTube live streaming). This fills an important gap in the Open Source decentralised space. All video and chat messages will be transmitted over encrypted channels. 
>> Read more about Librecast Live LumoSQL at-rest data security — Modern embedded database with encryption and signed data LumoSQL is an embedded database that combines various modern database technologies into a single powerful abstraction while remaining a drop-in replacement for the most-used database worldwide, SQLite. LumoSQL brings to embedded databases features including built-in encryption, per-row checksum verifiability of all data (without the overhead of e.g. a blockchain), and a choice of storage backends. In this project the LumoSQL community works towards the 1.0 version which will add a slew of attractive features such as encrypted embedded data at-rest (which can be unlocked either through role based access control or even outside of unmodified apps with a hardware token like Nitrokey), signed data rows and data tables (so users can cryptographically verify the integrity of data), as well as improved documentation and cross-platform availability. In addition the project is producing valuable tools such as the not-forking project, which addresses the root cause of many real-world security issues as customisation without such a tool requires hard-to-maintain forking. >> Read more about LumoSQL at-rest data security Distributed Trust for Web Servers — Establishing a Distributed Trust Authority The M-Pin protocol, and its implementation in the Milagro project currently incubating at Apache, provides cryptographic security using a distributed trust model. In place of the single point of failure (and high-value target for social engineering attacks) of today's Certificate Authorities (CAs), cryptographic verification is assembled from two or more mutually independent authorities, all of which would need to be subverted at once to break security. This project helps bring distributed trust to the Web, by implementing M-Pin support via Milagro's libraries in leading Open Source web servers. 
This will pave the way both to a distributed trust alternative to monolithic CAs and browser trust lists, and to a distributed trust alternative to protocols such as OpenID for user identification. >> Read more about Distributed Trust for Web Servers MTE - the MirageOS Taler Exchange — Implement Taler Exchange functionality in OCaml-based unikernel This project will develop a drop-in implementation for a GNU Taler exchange with the unikernel framework MirageOS. The GNU Taler Exchange is a service that needs to be robust and highly secure (plus allow very high security deployments). MirageOS uses OCaml, a functional programming language with a static type system which catches lots of errors at compile time, and provides memory-safety. With MirageOS, one only embeds the code that is really required to run the service in the virtual machine image - resulting in a relatively much smaller attack surface. The resulting solution will use very little resources (memory usage / CPU cycles), which is beneficial both from a green computing perspective, and from a performance perspective. The plan is to use existing tests of GNU Taler exchange, in addition to our own fuzz testing, to ensure that MTE acts the same as GNU Taler exchange. >> Read more about MTE - the MirageOS Taler Exchange Manyverse — An off-line capable privacy-centric social messaging app Manyverse is a social networking mobile app, implemented not as a typical cloud service, but instead on a peer-to-peer network: Secure Scuttlebutt (SSB). The mobile app locally hosts the user's database, allowing them to own their personal data, and also use the app when offline. Data can sync from one mobile device to another, via Bluetooth, Wi-Fi, or Internet. Free and open source software. >> Read more about Manyverse Manyverse Private Groups — Implement SSB Private Groups in Manyverse Manyverse is a peer-to-peer social network built on the SSB protocol where users themselves are responsible for the network. 
It is used by thousands of people, on both mobile and desktop. Users can share public posts with each other, but there is currently no way to write private messages to closed communities of a dozen members or more. With this project, we want to implement and improve SSB Private Groups for adoption in Manyverse. This is a cryptographic mechanism to ensure that communities can talk in private. Additionally, we want to make sure that these communities have the tools they need to moderate and prune their social space for safety. >> Read more about Manyverse Private Groups Practical Decentralised Search and Discovery — Search and discovery inside mesh/adhoc networks Internet search and service discovery are invaluable services, but are reliant on an oligopoly of centralised services and service providers, such as the internet search and advertising companies. One problem with this situation, is that global internet connectivity is required to use these services, precisely because of their centralised nature. For remote and vulnerable communities stable, affordable and uncensored internet connectivity may simply not be available. Prior work with mesh technology clearly shows the value of connecting local communities, so that they can call and message one another, even in the absence of connectivity to the outside world. The project will implement a system that allows such isolated networks to also provide search and advertising capabilities, making it easier to find local services, and ensuring that local enterprises can promote their services to members of their communities, without requiring the loss of capital from their communities in the form of advertising costs. The project will then trial this system with a number of pilot communities, in order to learn how to make such a system best serve its purpose. 
>> Read more about Practical Decentralised Search and Discovery SecSync — Efficiently combine end-to-end encryption with CRDTs While popular CRDT implementations like Yjs or Automerge offer several designs and even implementations on how to asynchronously exchange data using servers, there is no plug & play implementation serving end-to-end encrypted systems. The focus of the first version of SecSync is to provide a protocol to efficiently exchange and resolve e2e encrypted CRDTs. It comes with a plug and play reference implementation on top of Yjs and should be well documented. By leveraging snapshots as well as operations logs referencing snapshots the load times should be reduced while still offering real-time collaboration. >> Read more about SecSync Namecoin: Electrum-NMC — Security hardening and futureproofing Namecoin and Electrum-NMC Namecoin provides a decentralized naming system and trust anchor. Its flagship use-case is a decentralized top-level domain (TLD) which is the cornerstone of a domain name system that is resistant to hijacking and censorship. Among other things, this provides a decentralized trust anchor for Public Key Infrastructure that does not require third party trust. It operates independently from the DNSSEC root trust chain, and can thus offer additional security under some circumstances. This project will focus on improving Namecoin's lightweight client (Electrum-NMC) in the areas of security (e.g. sandboxing and test coverage), scalability (e.g. more compact network protocol), UX (e.g. domain management GUI improvements), and packaging (e.g. for Debian and derived distros). >> Read more about Namecoin: Electrum-NMC Namecoin: ZeroNet and Packaging — Make ZeroNet work with Namecoin Namecoin provides a decentralized naming system and trust anchor. Its flagship use-case is a decentralized top-level domain (TLD) which is the cornerstone of a domain name system that is resistant to hijacking and censorship. 
Among other things, this provides a decentralized trust anchor for Public Key Infrastructure that does not require third party trust. It operates independently from the DNSSEC root trust chain, and can thus offer additional security under some circumstances. ZeroNet is a decentralized web-like network of peer-to-peer users, which provides an alternative to Tor hidden services. In the project, ZeroNet will be adapted to support a local Namecoin client, and provide additional assurances such as a Host Header-like mechanism to protect users from spoofing. Namecoin will be used as a human-readable naming layer for Tor onion services and ZeroNet sites. This eliminates the user problem of pseudorandom, unmemorable website addresses for onion services and ZeroNet sites, which can facilitate phishing attacks. >> Read more about Namecoin: ZeroNet and Packaging Namecoin: Core Infrastructure — Alternative domain name system Namecoin is a blockchain project that provides a decentralized naming system and trust anchor. Our flagship use-case is a decentralized top-level domain (TLD) which is the cornerstone of a domain name system that is resistant to hijacking and censorship. This project is meant to improve the security and usability of core components of Namecoin. >> Read more about Namecoin: Core Infrastructure NeoChat — Native Matrix encrypted instant messaging client NeoChat is a client for Matrix, an open and decentralized chat protocol. NeoChat is using Qt and KDE technologies to run on many platforms: Linux, Windows, macOS, Plasma Mobile and Android. One of the biggest missing features for NeoChat is support for end-to-end encryption. Currently, all the messages are sent unencrypted and encrypted conversations can't be read in NeoChat. This is not a problem for public rooms since they are usually not encrypted, but it makes NeoChat unsuitable for usage in a private or professional context. The goal of this project is to enable support for encryption in NeoChat. 
Since NeoChat uses libQuotient, a client library for the Matrix protocol, most of the work will take place in libQuotient. This means that the work done in the project will also help other Matrix clients and bots built with Quotient, in particular Spectral and Quaternion. >> Read more about NeoChat neuropil — Privacy by design P2P search including IoT Neuropil is an open-source de-centralized messaging layer that focuses on security and privacy by design. Persons, machines, and applications first have to identify their respective partners and/or content before real information can be sent. The discovery is handled internally and is based on so-called \"intent messages\" that are secured by cryptographic primitives. This project aims to create distributed search engine capabilities based on neuropil, that enable the discovery and sharing of information with significantly higher levels of trust and privacy and with more control over the search content for data owners than today's standard. As of now large search engines have implemented \"crawlers\" that constantly visit webpages and categorize their content. The only way to somehow influence the information that is used by search engines is by using a file called „robots.txt“. Other algorithms are only known to the search engine provider. By using a highly standardized \"intents\" format that protects the real content of users, this model is reversed: data owners define the searchable public content. As an example we seek to implement the neuropil messaging layer with its extended search capabilities into a standard web server to become one actor and to handle and maintain the search index contents of participating data owners. By using the Neuropil messaging layer it is thus possible to build a distributed search engine database that is able to contain and reveal any kind of information in a distributed, concise and privacy preserving manner, without the need for any central search engine provider. 
>> Read more about neuropil neuropil — DHT based overlay network The neuropil protocol is a new integration protocol for the IoT, which can be embedded into applications and devices. It facilitates and recombines messaging paradigms with distributed hash tables, self-sovereign identities and named-data networks to establish a new kind of privacy- and security-by-design overlay network. The protocol itself embraces self-containment, reducing the need for external systems/dependencies. Our goal is a trustworthy, democratized access control mechanism for the internet of everybody. Within our project we would like to leave the beta-phase and realize the first full release of our protocol. To reach this goal we will add two remaining critical parts to our protocol: distributed time calculations and distributed linked time-stamping authorities. The first addition is not only crucial for systems without an RTC, but it also enables a de-centralized time service with a much lower attack surface. The second builds upon the first and is a key requirement to establish trust between entities using the protocol. It can also be used to ensure the integrity and to keep track of (search-) contents of peers. Furthermore we will review our current reference implementation for efficiency and use less power-hungry algorithms whenever possible to support the green deal of the European Union. >> Read more about neuropil NextGraph — Interlinked data graphs, with privacy, security, data locality, and interoperability in mind NextGraph brings about the convergence between P2P and Semantic Web technologies, towards a decentralized, secure and privacy-preserving cloud, based on CRDTs. 
This open source ecosystem provides solutions for end-users and software developers alike, wishing to use or create decentralized apps featuring: live collaboration on rich-text documents, peer to peer communication with end-to-end encryption, offline-first, local-first, portable and interoperable data, total ownership of data and software, security and privacy. Centered on repositories containing semantic data (RDF), rich text, and structured data formats like JSON, synced between peers belonging to permissioned groups of users, it offers strong eventual consistency, thanks to the use of operation-based CRDTs. Documents can be linked together, signed, shared securely, queried using the SPARQL language and organized into sites and containers. Long-term goals include developing or integrating wikis, knowledge bases, search engines, groupware, productivity tools, supply chain solutions, marketplaces and e-commerce solutions, social networks, smart contracts and DAOs. With NextGraph, users can now create and access freely their own interlinked data graphs, while preserving privacy, security, data locality, and interoperability. >> Read more about NextGraph NodeBB — ActivityPub support and accessibility improvements for forum software NodeBB is a Node.js based community forum software that utilizes web sockets for instant interactions and real-time notifications. NodeBB benefits from modern features like real-time streaming discussions, mobile responsiveness, and rich RESTful read/write APIs, while staying true to the original bulletin board/forum format — categorical hierarchies, local user accounts, and asynchronous messaging. In this project, the team will be working on bringing ActivityPub integration to NodeBB, in order to allow forums to become truly interconnected with other ActivityPub-enabled applications throughout the wider Fediverse (of course including other NodeBB forums). 
The absolute hardest part of starting a community — forum or otherwise — is gaining a critical mass of adoption in order to sustain interest and content. What if we could bypass this hurdle altogether? >> Read more about NodeBB Adopting the Noise Key Exchange in Tox — Improved security of Tox instant messaging with NoiseIK Tox is a P2P instant messaging protocol that aims to provide secure messaging. It's implemented in a FOSS library called \"c-toxcore\" (GPLv3). The project started in the wake of Edward Snowden's disclosure of global surveillance. It's intended as an end-to-end encrypted and distributed Skype replacement. The cryptographic primitives for the key exchange (X25519), authentication (Poly1305) and symmetric encryption (XSalsa20) are state of the art peer-reviewed algorithms. Tox' authenticated key exchange (AKE) during Tox' handshake works, but it is a self-made cryptographic protocol and is known to be vulnerable to key compromise impersonation (KCI) attacks. This vulnerability enables an attacker, who compromised the static long-term private X25519 key of a Tox party Alice, to impersonate any other Tox party (with certain limitations) to Alice (reverse impersonation) and to perform Man-in-the-Middle attacks. The objective of this project is to implement a new KCI-resistant handshake based on NoiseIK in c-toxcore, which is backwards compatible with the current KCI-vulnerable handshake to enable interoperability. Further, Noise's rekey feature will be evaluated for adoption. >> Read more about Adopting the Noise Key Exchange in Tox Nym Credentials — A decentralised solution for authentication Nym Credentials provides open-source code for privacy-enhanced authentication and authorization in a decentralized environment. Today, when using \"single sign-on\" solutions, users hand over their personal data to third-party identity providers such as Facebook Connect and Sign-In with Google. 
Nym Credentials tackles this problem by allowing users to securely authenticate and transfer personal data (and proofs of private data) while maintaining privacy without a centralized identity provider. Each credential is cryptographically unlinkable between usages and multiple decentralized identity providers can verify this data. Open-source Nym credential libraries can be easily integrated into existing services, with a focus on federated and decentralized European environments. >> Read more about Nym Credentials Off-the-Record messaging version 4 — Advanced protocol for secure messaging OTRv4 is the newest version of the Off-The-Record messaging protocol. It is a protocol where the newest academic research intertwines with real-world implementations. Its aim is to give end-to-end encryption, deniability, authentication, forward secrecy and post-compromise security for any kind of messaging (online or offline). The goal of this new version is to give the most secure privacy and security properties that have a real impact on the world. This new version aims to be available in different desktop clients (that use XMPP or other messaging protocol) and in mobile clients. >> Read more about Off-the-Record messaging version 4 Open MLS Infrastructure — End-to-end encrypted group messaging The Open MLS infrastructure project aims at designing and implementing infrastructure components for the MLS (Messaging Layer Security) protocol currently under development by the IETF (https://datatracker.ietf.org/doc/draft-ietf-mls-protocol/). While it is theoretically possible to run MLS peer-to-peer, most use-cases will require central components that take care of ordering and queueing messages, as well as managing group state. Our goal is to create components that are secure, metadata-minimizing, modular, and that allow for federation. 
This lays a foundation for improving existing and future messaging applications, and will allow validating a potential future application-layer specification. >> Read more about Open MLS Infrastructure Interoperable Certificate Store for OpenPGP — Standardisation effort for shared OpenPGP certificate storage This project will build a public cert store for OpenPGP keys, with well defined data structures and access mechanisms to facilitate interoperability between OpenPGP implementations. It builds on pgp-cert.d, which stores certs, and has an API to access them. Beyond the common format and API, the project will also add Sequoia-specific indices, where standardization doesn't make sense. sq, Sequoia's command line tool, will be adapted to use the cert store. In addition the project aims to develop a privacy-preserving way to update the certs from keyservers. >> Read more about Interoperable Certificate Store for OpenPGP Hardening OpenPGP CA deployments — HSM support for OpenPGP key infrastructure OpenPGP CA is a tool for managing and certifying OpenPGP keys in organizations. Today, the private key material of OpenPGP CA instances is stored and used locally. This project will add support for two hardened modes of operation: 1) Using a hardware-token (OpenPGP Card) based key for the CA, and 2) Split OpenPGP CA deployments, in which critical operations are performed on a highly protected machine (e.g. air-gapped), while regular operation can take place conveniently on an online CA instance. In addition the project will build an OpenPGP CA based tool for version control signing workflows (e.g. git), with a focus on providing a smooth user experience for signing with OpenPGP card devices. 
>> Read more about Hardening OpenPGP CA deployments p2panda: group encryption and capabilities — Add group encryption and capabilities to peer-to-peer SDK p2panda is a protocol and SDK for building decentralised applications with authenticated data, which is stored and synced between computers. Most p2p protocols, including p2panda, face problematic security and privacy challenges, where sensitive data is distributed in a trust-less network. This application aims at the integration of a secure data encryption and fine-grained capability layer to give users more control and protection of their data. Scalable data encryption for large groups in a decentralised network is hard and has always involved a trade-off between UX and security. We believe that MLS is the first Internet Engineering Task Force (IETF) standard to tackle some of these challenges. p2p applications of all kinds will benefit from a protocol that gives them a distributed, strongly encrypted database stack. MLS assures Post-Compromise Security (PCS) and Forward Secrecy (FS) and still stays performant for large groups. While MLS is capable of working in a decentralised environment it hasn’t been explicitly specified for it. With p2panda we have all the building blocks to realize MLS in a fully decentralised setting. Highly collaborative p2p and offline-first applications require a robust capability system which facilitates giving and revoking permissions to/from identities on the network. With such a system it becomes possible to give permissions for certain actions to other authors or link devices which should be grouped under a single identity. 
>> Read more about p2panda: group encryption and capabilities P2Pcollab — Decentralised social search and discovery This project is working towards creating a more decentralized, privacy-preserving, collaborative internet based on the end-to-end principle where users engage in peer-to-peer collaboration and have full control over their own data, enabling them to collaborate on, publish & subscribe to content in a decentralized way, as well as to discover & disseminate content based on collaborative filtering, while allowing local, offline search of all subscribed & discovered content. The project is researching & developing P2P gossip-based protocols and implementing them as composable libraries and lightweight unikernels with a focus on privacy, security, robustness, and scalability. >> Read more about P2Pcollab Adding Web-of-Trust Support to PGPainless — Web-of-Trust specification support for Java Reliable authentication of public key certificates is a hard requirement for strong and effective end-to-end encryption. The \"Web-of-Trust\" (WoT) serves as an example of a decentralized authentication mechanism for OpenPGP. While there are some existing implementations of the WoT in applications such as GnuPG, their algorithms are often poorly documented. As a result, WoT support in client applications is often missing or inadequate. PGPainless is an easy-to-use, secure-by-default OpenPGP library for Java and Android. This project will extend PGPainless with an implementation of a recently published, new Web of Trust specification. The goal is to make the Web of Trust more interoperable and accessible to client applications, overall increasing the usability and ergonomics of OpenPGP for the end-user. >> Read more about Adding Web-of-Trust Support to PGPainless Statime — Memory-safe high-precision clock synchronization Of all severe software security bugs, a big chunk (50-70%) has one single source: memory corruption. 
The underlying cause is that, traditionally, systems software is implemented in languages that are not memory-safe. The way forward is to replace these pieces of software with memory-safe alternatives, one by one. Doing so will not just mitigate, but eliminate this category of bugs entirely. This project picks out one piece: the Precision Time Protocol (PTP). High-precision clock synchronization plays a crucial role in networking, with application areas such as high precision localization, finance, broadcasting, security protocols, smart grids, and cellular base station transmissions. Our proof-of-concept implementation will conform to the IEEE standard for PTP and will focus on the software implementation of a slave-only PTP ordinary clock. In the future, our work is expected to become part of a wider open-source roadmap for reliable and memory-safe keeping of network time, that will seek to expand the feature set of our implementation and work towards growing its adoption. Statime is part of Project Pendulum. >> Read more about Statime PeerDB Search — Search for semantic and full-text data PeerDB Search is an opinionated but flexible open source search system incorporating best practices in search and user interfaces and experience to provide intuitive, fast, and easy to use search over both full-text data and semantic data exposed as facets. The goal of the user interface is to allow users without technical knowledge to easily find results they want, without having to write queries. The system will also allow multiple data sources to be used and merged together. As a demonstration PeerDB will deploy a public instance as a search service for Wikipedia articles and Wikidata data. >> Read more about PeerDB Search Peertube-Desktop — Enjoy and share federated videos Cuttlefish is a client for PeerTube that will allow for searching and discovering new and interesting videos online with more privacy. 
PeerTube is a federated video hosting service based on the W3C ActivityPub standard. By using WebTorrent - a version of BitTorrent that runs in the browser - users help serve videos to other users. Cuttlefish is a desktop client for PeerTube, but will work on GNU/Linux-based phones (like the Librem 5 or Pinephone) as well. We want the experience of watching PeerTube videos and using PeerTube in general to be better, by making a native application that will become the best and most efficient way to hook into the federation of interconnected video hosting services. It will have improved search, and will allow people to continue sharing watched videos with other PeerTube users for longer periods of time, instead of discarding the video when done watching. It will also help bridge PeerTube's gap between the - now separated - BitTorrent and WebTorrent networks by speaking both of those protocols. >> Read more about Peertube-Desktop Extending PeerTube — Adding advanced search capabilities to PeerTube This project aims to extend PeerTube to support the availability, accessibility, and discoverability of large-scale public media collections on the next generation internet. Although PeerTube is technically capable of supporting the distribution of large public media collections, the platform currently lacks practical examples and extensive documentation to achieve this in a timely and cost-efficient way. This project will function as a proof-of-concept that will showcase several compelling improvements to the PeerTube software by [1] developing and demonstrating the means needed for this end by migrating a large corpus of open video content, [2] implementing trustworthy open licensing metadata standards for video publication through the PeerTube platform, [3] and emphasizing the importance of accompanying subtitle files by recommending ways to generate them. 
>> Read more about Extending PeerTube peermaps — Peer to peer cartography Peermaps is a p2p, offline-friendly way to distribute, view, and embed map data. Instead of fetching data from a centralized tile provider, you fetch data from other peers on the network. Right now we have all of OpenStreetMap processed into a 100GB archive in our p2p spatial database and rendering formats and seeded to hyperdrive and ipfs. This data is hooked up to a proof-of-concept web map viewer. For this grant, we will build on our proof-of-concept to release a user-oriented map viewer as a web application with search functionality on peermaps.org along with a developer-oriented tool to embed web maps in an iframe. In addition to (p2p) web development, this project will involve research on peer queries for offline and online location-based search, optimizations to the spatial database and p2p layer, webgl graphics improvements in addition to web development in order to produce a usable p2p mapping alternative. >> Read more about peermaps Yrs persistent documents — Yrs/Yjs compatible layer for persistent key-value stores Yrs is a local-first collaboration library widely used for real-time collaborative editing. Yrs is a CRDT-based solution that currently works on documents fully loaded into memory, with disk storage happening through plug-ins. The primary goal of this effort is to make it more robust (and less resource-heavy) by creating an alternative implementation that works directly with the on-disk database. All of this should happen while remaining compatible with the existing in-memory Yrs implementation as well as the original Yjs JavaScript implementation. >> Read more about Yrs persistent documents Pijul Hybrid — Hybrid patch-based/snapshot-based system for distributed versioning Pijul is a modern patch-based version control system that addresses many shortcomings found in existing tools, based on a mathematical theory of collaborative work. 
In order to ease the transition from existing tools, and increase utility in a wider set of use cases, this project will work on a better transition story from other tools like Git and Mercurial, and improve tooling around it. In particular, it will deliver a hosting platform called Nest which has features which will be quite different from other hosting services. Pijul is able to apply patches independently from each other, meaning that (reorderable) patches can be used in place of legacy pull/merge requests everywhere. This should make most workflows vastly simpler, as well as result in cleaner code bases. >> Read more about Pijul Hybrid Pleroma — Scalable ActivityPub server written in Elixir Pleroma is an extendable ActivityPub communication server. Pleroma can be as light-weight as you want it to be, fit for both running from a homeserver or from more serious infrastructure. Pleroma embraces customization. Instead of trying to dictate how users should use our software, we give them options. From the backend to the frontend, there are hundreds of configurable options to satisfy the different needs of everyone. We know there's no single setup that works for everyone, and are more than willing to listen to users' feedback. Being part of the Fediverse of course means interacting with other servers and Pleroma provides the best experience when displaying other types of content, even non-microblogging. The Fediverse nowadays is a very big place with a lot of different people, who don't necessarily agree with each other or have good intentions. To help with the insurmountable task of moderating the stream of incoming and outgoing content, Pleroma has the Message Rewrite Facility, allowing instance administrators to automatically act upon activities including modifying them and deciding whether to show them in federated timeline or not. 
Having more detailed and partially automated moderation helps create a network where users don't have to worry about not being able to talk to someone else because the admins didn't have the right tools at their disposal. >> Read more about Pleroma ProveThis — Prove statements about authenticated API resources ProveThis allows users to prove statements from websites and APIs using TLS without revealing private information. Although efforts like TLSNotary can currently be used to prove the authenticity and origin of a full HTML page, we extend the capabilities of TLSNotary and allow users to make zk-SNARK based zero knowledge proofs about statements in complexity class NP. More concretely, this can allow users to prove statements about e.g. their banking data (how many transactions did you send in a certain period), social media data (how many friends are you away from knowing Barack Obama) or other data sources. Such proofs can generally be used to reduce fraud without compromising privacy and confidentiality. >> Read more about ProveThis R5N-DHT — Formalisation within IETF of R5N Distributed Hash Table design Decentralization and digital sovereignty are fundamental building blocks to strengthening European values of freedom of information and informational self-determination against particular interests of foreign state and commercial actors. Decentralization is often based on Distributed Hash Tables; DHTs are already an important component for many NGI components such as decentralized web applications (IPFS, Web3) or components in the blockchain ecosystem. The GNUnet/R5N-DHT - a Free Software distributed hash table and P2P protocol - provides additional and relevant properties like Byzantine fault tolerance and censorship resistance. The project will improve, implement and specify the R5N protocol as an IETF RFC (Informational). This supports other efforts such as the GNU Name System protocol (GNS). 
>> Read more about R5N-DHT Ricochet Refresh — Anonymous, meta-data free secure messaging Ricochet Refresh is a metadataless messenger for PCs (Windows, macOS, Unix) that provides anonymity as well as security. By using Tor, it allows people at risk making public interest disclosures to communicate in chat sessions with anonymity to journalists, members of parliament, regulators protecting the environment, financial malfeasance investigators and others who have the power in society to act as corrective mechanisms to serious wrongdoing. This project will update Ricochet, reduce known security risks, and ensure continued compatibility with Tor's onion services protocol. The possibility of anonymous communication is important for everyone, but particularly vital for those who risk reprisal in their workplace or other institutions to be able to speak up. Through anonymity, Ricochet Refresh allows the focus to be on the disclosure, not on the source or whistleblower. Thus, the project provides a tool in support of evidence-based reporting in the public interest by creating a safe on-going channel for the journalist to conduct verification as the story develops. >> Read more about Ricochet Refresh SCION-Pathdiscovery — Secure and reliable decentralized storage platform With the amount of downloadable resources such as content and software updates available over the Internet increasing year over year, it turns out not all content has someone willing to serve all of it up eternally for free for everyone. And in other cases, the resources concerned are not meant to be public, but do need to be available in a controlled environment. In such situations users and other stakeholders themselves need to provide the necessary capacity and infrastructure in another, collective way. This of course creates new challenges. 
Unlike a website you can follow a link to or find through a standard search engine and which you typically only have to vet once for security and trustworthiness, the distributed nature of such a system makes it difficult for users to find the relevant information in a fast and trustworthy manner. One of the essential challenges of information management and retrieval in such a system is the location of data items in a way that the communication complexity remains scalable and a high reliability can be achieved even in case of adversaries. More specifically, if a provider has a particular data item to offer, where shall the information be stored such that a requester can easily find it? Moreover, if a user is interested in a particular piece of information, how does he discover it and how can he quickly find the actual location of the corresponding data item? The project aims to develop a secure and reliable decentralized storage platform enabling fast and scalable content search and lookup going beyond existing approaches. The goal is to leverage the path-awareness features of the SCION Internet architecture to use network resources efficiently in order to achieve a low search and lookup delay while increasing the overall throughput. The challenge is to select suitable paths considering those performance requirements, and potentially combining them into a multi-path connection. To this end, we aim to design and implement optimal path selection and data placement strategies for a decentralized storage system. >> Read more about SCION-Pathdiscovery Geographic tagging of Routing and Forwarding — Geographic tagging and discovery of Internet Routing and Forwarding SCION is the first clean-slate Internet architecture designed to provide route control, failure isolation, and explicit trust information for end-to-end communication. 
As a path-based architecture, SCION end-hosts learn about available network path segments, and combine them into end-to-end paths, which are carried in packet headers. By design, SCION offers transparency to end hosts with respect to the path a packet travels through the network. This has numerous applications related to trust, compliance, and also privacy. With a better understanding of the geographic and legislative context of a path, users can for instance choose trustworthy paths that best protect their privacy, or avoid the need for privacy-intrusive and expensive CDNs by selecting resources closer to them. SCION is the first to have such a decentralised system offer this kind of transparency and control to users of the network. >> Read more about Geographic tagging of Routing and Forwarding SES - SimplyEdit Spaces — SimplyEdit Spaces - collaborative presentations SimplyPresent allows users to collaboratively create and deliver good-looking presentations using CRDTs through Hyper Hyper Space - another project supported by NGI Assure. SimplyPresent is itself based on top of the open source SimplyEdit tool, adding advanced user-friendly presentation features. SimplyPresent allows team members to live edit a presentation and the presenter notes while the presentation is being given, and to control the presentation from any phone without complicated setup: all that is needed on the presenting system or with remote viewers is a URL which will sync through Hyper Hyper Space. >> Read more about SES - SimplyEdit Spaces A Secret Key Store for Sequoia PGP — Standards-compliant private key store for OpenPGP This project implements a private key store for Sequoia, a new OpenPGP implementation. Currently, Sequoia-using programs use private keys directly. A private key store mediates applications' access to private keys, and offers three major advantages relative to the status quo. First, a private key store is in a separate address space. 
This means that private keys that are in memory are in a different address space from the application. This was underlying cause of the Heartbleed vulnerability. Second, a private key store can provide a uniform interface for accessing keys stored on different backends, e.g., an in-memory key, a key on a smart card, or a key on a remote computer, which is accessed via ssh. This simplifies applications. Third, this architecture simplifies sharing private key material among multiple applications. Only the private key store needs to worry about managing the private key material, which improves security. And, when a user unlocks a key in one application, it is potentially unlocked in all applications, which improves usability. >> Read more about A Secret Key Store for Sequoia PGP Sequoia PGP — Improve interface of Sequoia PGP commandline Sequoia PGP is a new OpenPGP implementation, which is written in Rust and focuses on ease of use. To date, the main product is a library. This project will focus on sq, Sequoia's command line tool. The project consists of three parts. First, useful functionality will be added to sq making sq comparable to gpg. Second, the human-readable interface will be augmented with a JSON interface. This will make it easier and robuster to use sq from scripts. Finally, this project will add an acceptance test suite to sq thereby strengthen the foundation for future changes. >> Read more about Sequoia PGP Sequoia GPG Chameleon — Implement well-known API's for using OpenPGP Sequoia's GnuPG Chameleon is a drop-in replacement for the widely-used encryption software GnuPG. It offers the same interface, while at the same time replacing the underlying OpenPGP implementation. This approach brings security benefits to everyone directly or indirectly using GnuPG before, while providing a smooth migration path that does not require changes to existing software. 
>> Read more about Sequoia GPG Chameleon Peer-to-Peer Access to Our Software Heritage — Access Software Heritage data via IPFS DHT Peer-to-Peer Access to Our Software Heritage (SWH × IPFS) is a project aimed at supporting Software Heritage’s mission to build a universal source code archive and preserve it for future generations by leveraging IPFS’s capabilities to share and replicate the archive inadecentralized, peer-to-peer manner. The project will build a bridge between the existing Software Heritage (SWH) API and the IPFS network to transparently serve native IPFS requests for SWH data. In the short term, this allows users using IPFS to form their own Content Distribution Network for SWH data. Longer term, we hope this will serve as a foundation fora decentralized network of copies that, together, ensure that the loss of no one repository, however large, results in the permanent destruction of any part of our heritage. The end product would be a perfect application of IPFS’s tools and a step in the direction of a decentralized internet services infrastructure. >> Read more about Peer-to-Peer Access to Our Software Heritage Solid-NextCloud app — Bridge Nextcloud to Solid This project connects the world of Solid with the world of Nextcloud. The aim is to develop an open source Nextcloud app that turns a Nextcloud server into a spec-compliant Solid server. It gives every user a WebID profile and allows Solid apps to store data on the user's Nextcloud account. It also exposes some of the user's existing Nextcloud data like contacts and calendar events as Solid user data, so that Solid apps can interact with the user's Nextcloud data, and allow the user to manage which Solid apps can access which specific aspects of the user's personal data. 
We will make our implementation compatible with the latest version of the Solid spec (including DPop tokens and the WebSockets AUTH command), and contribute the surface tests we create for this as a well-documented independent test-suite, for other Solid server implementers to benefit from. We will also publish a stand-alone version of our PHP components, which can run independently of Nextcloud. >> Read more about Solid-NextCloud app Solid Control — Access Control mechanism for data and services within Solid Solid-Control aims to enhance Tim Berners-Lee's Social Linked Data Project (Solid) with Attribute-Based Access Control. By extending the Linked Data Platform (LDP) with WebID based authentication and Access Control Lists (ACL), Solid has enabled the emergence of new forms of Hyper-Apps. These apps can follow data from server to server, authenticate when needed and write to the user's Personal Online Data storage (Pod), creating a decentralised social web. With relation-based access control (friend of a friend, business network, etc.), Solid can be a full alternative to centralised social networks. We also want to allow authentication based on Verifiable Claims such as age. Solid-Control will work on developing the needed logic, verify protocols, write prototype implementations and contribute to the Solid Auth Community groups, which are developing specs for standardisation. >> Read more about Solid Control Sonar: a modular peer-to-peer search engine — Modular peer-to-peer search engine Sonar is a project to research and build a toolkit for decentralized search. Currently, most open-source search engines are designed to work on centralized infrastructure. This proves to be problematic when working within a decentralized environment. Sonar will try to solve some of these problems by making a search engine share its indexes incrementally over a P2P network. 
Thereby, Sonar will provide a base layer for the integration of full-text search into peer to peer/decentralized applications. Initially, Sonar will focus on integration with a peer-to-peer network (Dat) to expose search indexes securely in a decentralized structure. Sonar will provide a library that allows to create, share, and query search indexes. An user interface and content ingestion pipeline will be provided through integration with the peer to peer archiving tool Archipel. >> Read more about Sonar: a modular peer-to-peer search engine Secure User Interfaces (Spritely) — Usability of decentralised social media Spritely is a project to advance the federated social network by adding richer communication and privacy/security features to the network. This particular sub-project aims to demonstrate how user interfaces can and should play an important role in user security. The core elements necessary for secure interaction are shown through a simple chat interface which integrates a contact list as an easy-to-use implementation of a \"petname interface\". Information from this contact list is integrated throughout the implementation in such a way that helps reduce phishing risk, aids discovery of meeting other users, and requires no centralized naming authority. As an additional benefit, this project will demonstrate some of the asynchronous network programming features of the Spritely development stack. >> Read more about Secure User Interfaces (Spritely) Spritely — Capability based petname system Users are currently caught between two worlds of identity solutions: prepackaged centralized identity silos (which also tend to be very phishing-vulnerable) and more decentralized naming systems that awkwardly separate the experience of secure connections from identity. What if instead users could have an experience where decentralized naming was a natural outgrowth of using the application? 
Spritely is a laboratory project to advance the decentralized social web founded by authors of the popular ActivityPub federated social web protocol. Spritely's approach to decentralized naming systems is to implement a \"petnames system\", where local meaning is given to \"petnames\" to otherwise non-human-meaningful decentralized identifiers (such as a hash of cryptographic key material). An important part of this design is that decentralized naming flows should be a natural part of use of the program. Petnames tend to resemble local contacts in a \"contact list\", but petnames on their own do not provide a sufficient way to discover, meet, and come to trust new contacts. A complete petname system also provides \"edge names\": for example \"CWebber=>JessicaTallon\" would show JessicaTallon as an \"edge name\" proposed by the petname CWebber. Our system also provides support for contacts introduced in a context with no existing relationships; these are called \"self-proposed names\" and are rendered in a way distinct from petnames and edge names. This has been under-implemented in existing petname systems; since Spritely is implementing decentralized communication systems, this will be a full implementation of a petname system (including edge names and self-proposed names) in an ergonomic manner that can also be applied to other decentralized systems. In addition to a specification, the project will delivered a usable chat application plus contact list. >> Read more about Spritely Sustainable web apps with m-ld — Empower users and developers with distributed interlinked data using local-first principles Our hypothesis in this project is that web app data securely stored in reactive, replicated Linked Data sets can make it possible for app developers to meet today's and tomorrow's feature expectations without the high costs and limitations of today's distributed data architectures. 
This foundational design principle combines ideas from the semantic web (machine-readable publishable interlinked data), personal data stores (user control of user data) and local-first software (collaboration without obligatory third parties). We believe the high costs of web app development have gone hand-in-hand with unwanted side-effects like user lock-in, attention theft, and abdication of control over personal data. Our core principle, like the ideas behind them, is designed to expedite the development of more sustainable apps: those without dependencies on specific service providers, with user empowerment in terms of service and data portability, and with linking of data between apps – including apps developed against similar technologies having these principles, such as those of the Solid ecosystem. We will produce a set of concrete software components which demonstrate that such an approach is practical, and indeed offers a great experience for app developers, making it simple to create collaborative applications over Linked Data resources with compelling, responsive user interfaces. >> Read more about Sustainable web apps with m-ld TALER Bullion — Infrastructure for GNU Taler Payments with non-fiat Currencies Depending on how you design a money system, its properties can be quite different. Regular currencies are typically steered towards (slight) inflation by the public bodies that steward them, by means of a gradual influx of money. This benefits \"active money\" (investors) which yields economic growth. Of course this also makes prices for consumers continually rise, and savings de-valuate over time in terms of purchasing power. The rate at which this devaluation takes place is a policy instrument, and of course one that should be used wisely. When these systems were first designed, money was backed up by physical assets such as gold and silver which offered more predictable long term purchasing power. 
Some users still prefer for their savings to be backed up by something of concrete value they own. GNU Taler is a well-designed system for (online) payments, and it is eminently suitable to trade (the ownership safely of) stored gold, silver and similar systems based on real value. Besides its obvious use case as a payment system for regular currencies, the system can also be used to revitalise gold and silver for storage and payment systems; they still exist today but are decoupled. The purpose of this project is to solve problems with trust relations, such as passing (the ownership of) gold or silver between vault operators, or between gold storage and payment systems so it can become practically useful money on an international scale, in service of people outside the financial industry. >> Read more about TALER Bullion GNU Taler Wallet ID Lookup Service — Optional discovery of TALER wallet addresses linked to digital identities GNU Taler is a payment system that makes privacy-friendly online transactions fast and easy. This project will facilitate the support of peer-to-peer payments (P2P) for the GNU Taler payment system between users by implementing a privacy- friendly directory service and lightweight inbox service (TALer DIRectory). The services will allow users to securely associate their online identities (such as email addresses, phone numbers, X/Twitter/Mastodon handles or other suitable verifiable addresses and accounts) with their wallet public keys and the URL of an inbox service and use it for P2P payments. Storage and retrieval may also be offloaded to distributed directory services such as DNS or GNS (RFC 9498) instead of a database and web service while maintaining the respective privacy guarantees. >> Read more about GNU Taler Wallet ID Lookup Service Road Signs for Digital Payments — Safe, usable financial interfaces for poorly-schooled adults. GNU Taler is a digital payment protocol for privacy-preserving cash-like transactions. 
It improves usability by avoiding the need for the payer to authenticate to third parties. Oral Information Management (OIM) is an emerging approach of design for creating safe, usable financial interfaces for poorly-schooled adults. Worldwide UNESCO estimates over 750 million adults to be unable to read or write in any language, and hundreds of millions of more have extremely limited ability. Due to unequal schooling opportunities, most are women. In Europe millions of migrants, refugees and marginalized people cannot confidently use digital payments. Digital OIM features carefully user-tested cash scrollbars and counting tables, iconographic navigation, mnemonic cues, user-reversible transaction processes, a 0-9 (not 1-0) numeric keypad and more. Poorly-schooled app users learn how to decode place value notation, arithmetic graphs and other schooled, formal sector protocols from repetitive use. >> Read more about Road Signs for Digital Payments Taler-Odoo Payment System — Integration module for TALER in Odoo The Taler-Odoo Payment System will integrate the GNU Taler payment system within Odoo, a business management software suite that includes customer relationship management, e-commerce, billing, accounting, manufacturing, warehouse, project management, and inventory management. With Odoo, merchants can create invoices for products they sell, websites to display them and much more. This project will produce an Odoo module written in Javascript and Python, which allows users to pay with Taler. Similar to any other payment integration within the Odoo Framework, the module integrates into the functionality of other existing Odoo modules (ticket sale, online shopping, invoices, etc). It will allows merchants to offer a customer to choose a payment system that fully respects their privacy. 
>> Read more about Taler-Odoo Payment System Great Black Swamp — Decentralized cloud storage with provider-independent security Tahoe-LAFS is a well-known open source distributed storage solution based on DHT, suited for sharing critical data in production. Currently, Tahoe-LAFS uses the Foolscap protocol for communication between client nodes and storage nodes. Foolscap has a small developer community, is only implemented in Python, and Tahoe-LAFS only uses a small subset of its features. This project will implement an HTTP-based storage node protocol for Tahoe-LAFS (Great Black Swamp, or GBS in short) which will help to eliminate unnecessary complexity, increase the pool of potential contributors, open the door to new implementations and improve runtime performance. >> Read more about Great Black Swamp Tasteweb — Develop new web of trust mechanisms Webs of Trust, (or networks of endorsement) are a common social technology with many useful properties; they can grow quickly, they can support a blend of shared structure and local structure, and they can incrementally self-correct with minimal labor. Despite being fairly common in the online world, we identify many still unrealized applications for webs of trust which we expect would greatly empower grass-roots organization of information, news systems, and public dialog. The main obstacle to most of these new functions turns out to be the performance scaling limits of today's graph databases. We've identified indexes and algorithms that would allow us to transcend those limits. The project aims to implement fast shortest path indexes (eg, Contraction Hierarchies, BatchHL+), and \"sparse query\" indexes (novel) (dynamic unions, or dynamic cache placement), for open source graph databases, to enable several new critical functions for webs of trust: Globally inclusive networks of endorsement, exclusive claims, news discovery, and subjective filtering. 
Once implemented, we plan to make this functionality available to emerging open source social network protocols and social computing frameworks. >> Read more about Tasteweb Titanic — Database server to synchronize vast collections of CRDT documents Yjs is a Conflict-free Replicated Data Type (CRDT) which enables developers to build collaborative applications, just like Google Docs and Figma. Most CRDT implementations work just like any other data type, but they automatically sync with other peers without conflicts. Today, Yjs is among the most used technologies for building collaborative applications. The developers observed the development of competing CRDTs, and recognize the need for more specialized CRDTs for specific use-cases. Syncing many CRDT instances with different permissions is still an unsolved problem. Syncing documents individually quickly becomes infeasible with an increasing number of documents in a local-first app. This project will therefore develop Titanic, an isomorphic database (works in the browser, Node.js, Deno, Bun, ..) that can host different CRDT implementations. It will sync many CRDT instances efficiently in a network-agnostic manner. While it will support custom authentication approaches, Titanic will ship with a role-based document-level permission system that prevents unauthorized users from reading or writing documents. >> Read more about Titanic Trustix — Make build logs available as publicly verifiable, tamper-proof Merkle trees Software build infrastructure is vastly underestimated in terms of its potential security impact. When we install a computer program, we usually trust downloaded software binaries. But even in the case of open source software: how do we know that we aren't installing something malicious which is different from the source code we are looking at - for instance to put us in a botnet or siphon away cryptocurrencies? 
Typically, we have confidence in the binaries we install because we get them from a trusted provider. But once the provider itself is compromised, the binaries can be anything. This makes depending on individual providers a single point of failure in a software supply chain. Trustix is a tool that compares build outputs across a group of providers - it decentralizes trust. Multiple providers independently build the software, each in their own isolated environment, and then can vouch for the content of binaries that are the outcome of reproducible builds - while non-reproducible builds can be automatically detected. In this project the team will work on further enabling trust delegation, by offloading log verification to trusted third parties - heavily inspired by the Delegated Proof of Stake consensus algorithm. It will bring Trustix into the Nix and the Guix ecosystems that are most amenable to Trustix' approach. The ultimate goal is for Trustix to integrate seamlessly into the entirely decentralized software supply chain so we can securely distribute software without any central corruptible entity. >> Read more about Trustix TypeCell — CRDT-based collaborative block-based editor TypeCell aims to make software development more open, simple and accessible. TypeCell integrates a live-programming environment as a first-class citizen in an end-user block-based document editor, forming an open source application platform where users can instantly inspect, edit and collaborate on the software they’re using. TypeCell spans a number of different projects improving and building on top of Matrix, Yjs and Prosemirror to advance local-first, distributed and collaborative software for the web. >> Read more about TypeCell ValOS Cryptographic Content Security project — Cryptographic Content Security for ValOS ValOS (Valaa Open System) is a project pushing programming to become a civic skill. 
It’s a decentralized software development architecture that empowers beginners with little training or prior experience to create practical web applications. ValOS applications and data are created, stored and distributed as event streams. ValOS Gateway is a JavaScript library that acts like a browser: it connects to event streams, reduces them into applications and provides means to induce new events. ValOS Cryptographic Content Security project focuses on enhancing the infrastructure level security of ValOS through event log hash chaining, end-to-end encryption and other features. >> Read more about ValOS Cryptographic Content Security project Enhancing vula with IPv6 and REUNION rendezvous — IPv6, hybrid post-quantum improvements & REUNION support for Vula With zero configuration, Vula automatically encrypts IP (v4) communication between hosts on a local area network (LAN) in a forward-secret and transitionally post-quantum manner to protect against passive eavesdropping. When the local gateway to the internet is a Vula peer, internet-destined traffic will also be encrypted on the LAN. With simple verification using QR codes or other peer verification methods, Vula is also able to disrupt active surveillance adversaries. Vula combines WireGuard for forward-secret point-to-point tunnels with cryptographically enhanced mDNS and DNS-SD for local peer discovery. Vula enhances the confidentiality of WireGuard tunnels by using CSIDH as provided by highctidh, a post-quantum non-interactive key exchange primitive, to generate a peer-wise pre-shared key for each tunnel configuration. Vula avoids the need for any Single Point of Failure (SPOF) such as a trusted third party. Vula is equally functional on otherwise air-gapped networks. 
>> Read more about Enhancing vula with IPv6 and REUNION rendezvous webxdc PUSH — Towards a usable, interoperable and trustworthy web app ecosystem Webxdc PUSH advances a new paradigm for writing and distributing web apps, majorly improving interoperability, usability, reliability, trustworthiness and interactivity of chat-shared web apps (webxdc) across messengers and platforms. PUSH enables webxdc app developers to use new P2P real-time messaging facilities, new notification, deeplinking and context APIs, majorly leveling up the cross-messenger webxdc effort and specifications. >> Read more about webxdc PUSH Willow Sync — General Sync Protocol for Willow written in Rust Willow is a protocol for syncable data stores, forming resilient data networks which can endure indefinite connectivity outages. This protocol brings qualitative advances to data deletion in distributed networks, supports completely decentralised fine-grained permission schemes, and has been designed to use memory, bandwidth (and consequently energy) efficiently. In this project, the Willow protocol will be implemented using the Rust programming language. This new implementation will be able to take advantage of Rust’s efficiency and safety guarantees, and make the protocol accessible to embedded devices, as well as provide a more efficient solution for smartphones, computers, and servers alike. >> Read more about Willow Sync Yrs — Collaborative editing with CRDT written in Rust Yrs \"wires\" will be a native port (in the Rust programming language) of the Yjs shared editing framework. Abstractly speaking, Yjs allows many users to concurrently manipulate state that eventually converges. It is a popular solution for enabling collaborative editing (Google Docs style) on the web because it is indefinitely scalable, works peer-to-peer, and has a rich ecosystem of plugins. 
There are plugins that allow you to connect with other peers over different network providers (WebRTC, Websocket, Dat/Hyper, IPFS, XMPP, ..) and there are many editor plugins that allow you to make existing (rich-)text editors collaborative. The Yjs project is about connecting projects with each other and providing a network-agnostic solution for syncing state. A native port will allow native applications (e.g. XI, Vi, Emacs, Android, iPhone, ..) to sync state with web-based applications. We chose Rust because it's well suited to be embedded in other languages like C/C++, PHP, Python, Swift, and Java. With Yrs, we want to connect even more projects with each other and provide a modern collaboration engine for native applications. The Rust implementation will implement the full feature set of the shared types, including the event system. This will enable users to parse existing Yjs documents, manipulate them, and implement collaborative applications. The port will make it easy to \"bind\" to another language so that the shared state is available in other languages as well. There will likely be a WASM binding, a C++ binding, and a Python binding (provided by Quantstack). Other existing features like awareness, selective Undo/Redo manager, relative positions, and differential updates will be added after the initial release. >> Read more about Yrs Yrs Undo — Rust-based CRDT framework for real-time multi-user applications Yrs \"wires\" is a native port (in the Rust programming language) of the Yjs shared editing framework. Abstractly speaking, Yjs allows many users to concurrently manipulate state that eventually converges. It is a popular solution for enabling collaborative editing (Google Docs style) on the web because it is indefinitely scalable, works peer-to-peer, and has a rich ecosystem of plugins. There are plugins that allow you to connect with other peers over different network providers (WebRTC, Websocket, Dat/Hyper, IPFS, XMPP, ..) 
and there are many editor plugins that allow you to make existing (rich-)text editors collaborative. This project will add a selective Undo/Redo manager, add support for other native clients, and interoperate with languages like Java, PHP and Swift. The goal is to reach full feature compatibility with Yjs and improve its performance even more - bringing a collaborative, decentralized experience where users' data lies in their own hands. >> Read more about Yrs Undo Yrs weak links — More efficient CRDT by interconnecting and synchronising data structures inside documents The Yrs weak links project aims to extend the existing implementation of Yjs/Yrs - one of the most popular free and open source libraries for building collaborative peer-to-peer applications - with new primitives such as cursors allowing for a seamless integration with rich text editors, and an ability to cross-reference and react to changes occurring in different parts of an application: be it for display or other evaluation purposes like referencing cells in spreadsheet calculations. All of these will be possible while preserving eventual consistency in an environment where applications need to be operable and accept changes coming from many different users even when offline or when the standard Internet access is not available. >> Read more about Yrs weak links Quantum-Proof Zenroom — Implementation of Quantum-Proof Cryptography in Zenroom Zenroom is a tiny secure execution environment that integrates in any platform and application, even on a chip or a web page. It executes human-readable smart contracts for all kinds of use cases, such as databases, blockchains and much more. Zenroom is scriptable in an English-like language called Zencode. During this project quantum-proof cryptography will be implemented in Zenroom by strictly adhering to ECDH specifications for common session exchanges, signature and verification, applying liboqs transparently as a back-end to existing Zencode scenarios. 
This makes it seamless to substitute existing EC implementations with the same Zencode. The result will be a fully portable software (plain C, no hardware acceleration) of the NIST quantum-proof competition winner algorithm and full alignment with its final test vectors. >> Read more about Quantum-Proof Zenroom Distributed Mechanism Learning — Privacy preserving ways of distributed data usage Mechanism design is a field concerned with finding rules for economic processes which incentivize self-interested agents to behave in a way, such that a common goal is reached. This project aims to build robust infrastructure for mechanism design via machine learning, to make theoretical results more applicable to practical networked deployments. We plan to do this by finding solutions for the following two problems and making them accessible to developers, while keeping the required domain knowledge to a minimum: On the one hand, a trusted third party is often assumed to exist, which is supposed to learn and execute the mechanism. In practice, finding neutral trusted parties who do not stand to gain anything from cheating can be hard. To solve this problem, we distribute the computation of the trusted party over multiple computers, ideally controlled by different entities, using multiparty computation. This way, we get a more robust trust base with better alignment of incentives. On the other hand, current models often assume prior knowledge about preference distributions of agents to learn optimal mechanisms. In practice, this knowledge is not always available. We exchange finding optimal solutions using prior information with finding approximate solutions using no prior information, by way of differentially private learning. This results in more general applicability, especially in settings with sparse information. 
>> Read more about Distributed Mechanism Learning dweb-search — Index DHT based distributed webs dweb-search is a Free and Open Source (FOSS) search engine for directories, documents, videos, music on the Interplanetary Filesystem (IPFS), supporting the creation of a decentralized web where privacy is possible, censorship is difficult, and the internet can remain open to all. This project implements a publicly accessible IPFS thumbnail service and creates a UI specifically to explore music or videos. >> Read more about dweb-search elRepo.io - Resilient, distributed content sharing — Resilient, human-centered, distributed content sharing and discovery. In this project AlterMundi and NetHood collaborate to develop a critical missing part in decentralized and distributed p2p systems: content search. More specifically, this project will implement advanced search for elRepo.io, the self-hosted and distributed culture-sharing platform currently under active development by AlterMundi and partners. Search functionalities will expand on the already proven coupling of the libxapian searching and indexing library and turtle routing. The distributed search functionality will be implemented to be flexible and modular. It will become the meeting point of three complementary threads of on-going work: Libre technology and tools for building Community Networks (LibreRouter & LibreMesh), fully decentralized, secure and anonymous Friend2Friend software (Retroshare), and a transdisciplinary participatory methodology for local applications in Community Networks (netCommons). >> Read more about elRepo.io - Resilient, distributed content sharing libresilient — Create robust web presence with service workers and DHT A browser-based decentralized content delivery network, implemented as a JavaScript library to be deployed easily on any website. LibResilient uses ServiceWorkers and a suite of non-standard in-browser delivery mechanisms, with a strong focus on decentralized tools like IPFS. 
Ideally, users should not need to install any special software nor change any settings to continue being able to access an overloaded LibResilient-enabled site as soon as they are able to access it once. >> Read more about libresilient Securing Decentralised Live Information with m-ld — Collaborative editing of Linked Data based on CRDT m-ld is a software technology for live information sharing. It enables software engineers to reliably add real-time collaboration, support for offline working, and service resilience to both new and existing software architectures. It achieves this by operating at an \"information\" level, creating reusable patterns for maintaining the consistency and integrity of application content that is being edited from multiple locations at once. m-ld is built from the ground up on a W3C standard information representation, contributing ideas for its evolution, and is committed to open standards and open source. This project will research and prototype modifications to the primitives of the m-ld core protocol to natively support strong assurance of data integrity and traceability, with authority assignable to identified users or groups, so that they can be reliably assured of the integrity and controlled availability of their data. >> Read more about Securing Decentralised Live Information with m-ld Minedive — P2P search over webRTC The minedive project is building several components: first, minedive is a browser extension aiming to allow users to search the web while preserving their anonymity and privacy. The second is an open source reference implementation of its rendez-vous server. minedive instances connect to each other (via WebRTC data channels) forming a two layered P2P network. The lower layer (L1) provides routing, the upper layer (L2) provides anonymous and encrypted communication among peers acting as a MIX network. 
This architecture guarantees that peers which know your IP address (L1) do not know search data for (L2) and vice-versa. A central (websocket) rendez-vous server is needed to find and connect with L1 peers, and to exchange keys with L2 peers, but no search goes through it. We are running a default server which can be overridden by users who want to run their own (using our reference implementation or a custom one). Users can also set the extension to pick peers from a given community (identified by an opaque tag). Currently all requests are satisfied by letting L2 peers return results from the 1st page of mainstream search engines (as they see it, in an attempt to escape the search bubble). While this will stay as a fallback, we plan to implement web crawling on peers, doing keyword extraction from URLs in local bookmarks and history and ranking with open algorithms, being transparent with users about which techniques are used and open to suggestions. >> Read more about Minedive node-Tor — Implementation of Tor protocols for inside webpages Node-Tor is an open source project and the only existing implementation of the Tor protocol in Javascript. That gives it the unique property to not just run on a server or desktop, but also inside a regular webbrowser itself as a standalone secure webapp. It must not be misunderstood for just a re-implementation of Tor network nodes: the goal is much wider, because it allows any project related to privacy/security enhancement to implement the Tor protocol in their nodes and/or inside a web page. The browser client acts as a standalone node itself communicating via web interfaces such as Websockets with servers or through WebRTC with other browsers. 
The use of Javascript allows to reduce very significantly the code and libraries (prone to security breaches), simplifying the integration for developers (like removing the need to maintain installation packages since standard web interfaces can be used), simplifying the use for users. This offers a lot of potential for increasing security and privacy for everybody, since the technology can be accessed from any place and any device that has a browser or can run Javascript, including mobile devices. >> Read more about node-Tor p3pch4t — Decentralized chat platform built on i2p P3pch4t is a decentralized chat platform built on i2p that aims to provide a feature-rich experience with huge privacy standards, so it will be easy for people to switch from well-known centralized/proprietary chat apps - such as Facebook Messenger, Telegram, Slack to one place that will have all features that user desire - including large file sharing, shared calendar, group chats, multiple devices and chat themes - all of that will come in a cross-platform app that will run on all major mobile and desktop platforms. Together with that, there will be a handful of libraries in different languages to interact with the network directly - to ensure that it is easy for other developers to extend the p3pch4t ecosystem, and to ensure that the standard for communication is well defined. >> Read more about p3pch4t ","title":"Decentralised solutions","url":"https://nlnet.nl/thema/Decentralisedsolutions.html"},{"description":" Data and AI Data and AI This page contains a concise overview of projects funded by NLnet foundation that belong to Data and AI (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. 
AI Horde — Collaborative infrastructure for running generative AI models The AI Horde is a crowdsourced, free, libre and open sourced service with the aim to truly democratise access to Generative AI. It supports both generating text via Large Language Models and images via Stable Diffusion via a simple REST API, allowing everyone to integrate this technology to any product. One of the biggest challenges with Generative AI is the amount of resources required to run even simple models, leaving the vast majority of humanity without access to this technology. The AI Horde delivers a groundbreaking smart-queuing clearing house where enthusiasts can volunteer their idle compute for everyone in the world to generate images or text without any further commitments or budget. >> Read more about AI Horde AI-VPN — Local machine-based learned analysis of VPN traffic Our security decreases significantly especially when we are outside our offices. Current VPNs encrypt our traffic, but they do not protect our devices from attacks or detect if there is an infection. The AI-VPN project proposes a new solution joining the VPN setup with a local AI-based IPS. The AI-VPN implements a state-of-the-art machine learning based Intrusion Prevention System in the VPN, generating alerts and blocking malicious connections automatically. The user is given a summary of the traffic of the device, showing detected malicious patterns, privacy leaked data and security alerts, in order to protect and educate the users about their security status and any risks they are exposed to. >> Read more about AI-VPN AVantGaRDe — Reliable Foundations of Local-first Graph Databases The *AVantGaRDe* (Verified highly-Available and Reliable Distributed Graph Databases) project aims to develop a framework for reliably supporting local-first connectivity. Graph databases have recently been introduced to efficiently manage interconnected, heterogeneous, and semi-structured data. 
These leverage native graph storage, an expressive property graph model, and dedicated graph query languages. Still, scalably and reliably managing large graphs, while ensuring availability, low latency, and consistency is challenging. While cloud graph databases try to address this, local-first solutions allow users to preserve ownership and agency over their data. Unfortunately, no local-first graph databases exist, as these require customized replicated data types (CRDTs) and compositionally preserving graph invariants. Moreover, as CRDTs are already notoriously difficult to construct, ensuring the correctness of complex graph CRDTs is challenging. The project aims to develop a novel framework for designing foundational models for local-first graph databases, with built-in trustworthiness and reliability guarantees. *AVantGaRDe* sets to design a unified framework for prototyping and extracting correct-by-construction horizontally scaled property graph CRDTs that can preserve complex invariants. >> Read more about AVantGaRDe OCCRP Aleph disambiguation — OCCRP Aleph: disambiguating different people and companies Aleph is an investigative data platform that searches and cross-references global databases with leaks and public sources to find evidence of corruption and trace criminal connections. The project will improve the way that Aleph connects data across different data sources and how it ranks recommendations and searches for reporters. Our goal is to establish a feedback loop where users train a machine learning system that will predict if results showing a person or company refer to the same person or company. If successful this means journalists can conduct more efficient research and investigations, finding key information more quickly and wasting less time trawling through irrelevant documents and datasets. 
>> Read more about OCCRP Aleph disambiguation Atomic Data — Typesafe handling of LinkedData Atomic Data is a modular specification for sharing, modifying and modeling graph data. It uses links to connect pieces of data, and therefore makes it easier to connect datasets to each other - even when these datasets exist on separate machines. Atomic Data is especially suitable for knowledge graphs, distributed datasets, semantic data, p2p applications, decentralized apps and linked open data. It is designed to be highly extensible, easy to use, and to make the process of domain specific standardization as simple as possible. It is type-safe linked data (a strict subset of RDF), which is also fully compatible with regular JSON. In this project, we'll work on the MIT licensed atomic-server and atomic-data-browser, which are a graph database server and a modular web-gui that enable users to model, share and edit atomic data. We'll add functionality, improve stability and testing, improve documentation and create materials that help developers to get started. >> Read more about Atomic Data Atomic Tables — Self-hostable tabular structured data solution Atomic Tables is a new extension to the open source Atomic Data ecosystem, which aims to make the web more interoperable. In Atomic Tables, users can easily create their own data models using a tables interface, which people know and love from tools like Excel, Notion and Airtable. Having a self-hostable alternative to the existing SAAS offerings helps users retain control over their own data. What makes this project unique is that the data models created in Atomic Tables are retrievable by a URL and can easily be re-used on other machines. This keeps costs of transforming or mapping data at an absolute minimum. Maintaining a standardized data model suddenly becomes trivial, instead of costing countless man-hours. 
Additionally, the software is not just designed to be a clean, intuitive end-user facing application, but also a powerful developer API that brings incredible performance and flexibility, making it highly usable as a database in other applications. >> Read more about Atomic Tables CRAVEX — Cyber Resilience Application for Vulnerability Exploitability Exchange There is no free and open source vulnerability exploitability management application centered on software packages. Vulnerability management applications traditionally serve the needs of security teams first. There is a fundamental disconnect between the package-centric mindset of a developer and the vulnerability-centric mindset of a security analyst. Developers need modern tools to manage, triage, rate, review, and determine exploitability of package vulnerabilities in a package-centric world. They are the primary stakeholders and best positioned to tackle open source package vulnerabilities at the root. With the impending requirements of the CRA, open source projects and small businesses urgently need a free and open solution to comply with these new emerging mandates with minimal friction and costs. The Cyber Resilience Application for Vulnerability Exploitability (CRAVEX) is a web-based app designed to fulfill these requirements for better software supply chain integrity and security. CRAVEX will make it easier for any organization to comply with the emerging CRA and other regulatory requirements, efficiently, and improve the overall security posture of organizations of all sizes, especially for SMEs. CRAVEX will collect, track, and triage FOSS package vulnerabilities, determine their exploitability in a portfolio of software products and projects, and provide reporting with SBOMs and VEX statements to share with stakeholders. 
>> Read more about CRAVEX CityBikes — Open access API for bike sharing information Citybikes is the most comprehensive open access API for bike sharing information, with support for more than 700 cities all around the world. The goal of the project is to promote open data policies and showcase the benefits of open data to city councils and companies that provide public services to society. Less than 25% of Citybikes data comes from open data standard feeds—for every city in citybikes publishing their bike sharing information in a reusable format, there are at least three more that do not use a standard format. Citybikes aims to change that by providing developers, researchers and organizations with a standard resource to bridge this gap and contribute towards an interoperable open data ecosystem for mobility services. >> Read more about CityBikes Condensation Data System — CRDT-driven data store that guarantees data ownership Condensation (CDS) is a general-purpose data distribution system for asynchronous client-to-client data collaboration implementing inherent end-to-end data confidentiality and traceability. CDS brings the logic of data synchronization and encryption to the edge device. While application makers can still leverage the availability and speed of the Cloud to transfer data - the risk of breaches and interferences happening on the network vanishes. CDS offers light-weight tools to build a distributed system, from client logic to protocols, accounts, and storage. All with flexibility and elasticity, thanks to binary files, CRDT structures, Merkle trees, hash tables, transactional operations, automatic conflict resolution, actor system, PGP-like asymmetrical encryption, public-private keys, and asynchronous communication. The system runs on IoT, Mobile, and Web applications, with multiple implementations. 
In this project, we will create a production ready implementation in Rust and webassembly (WASM) to make deployment in applications and devices easier, faster and more reliable. >> Read more about Condensation Data System Conzept encyclopedia — An alternative encyclopedia The Conzept encyclopedia is an attempt to create an encyclopedia for the 21st century. A modern topic-exploration tool based on: Wikipedia, Wikidata, the Open Library, Archive.org, YouTube, the Global Biodiversity Information Facility and many other information sources. A semantic web app built for fun, education and research. Conzept allows you to explore any of the millions of topics on Wikipedia from many different angles - such as science, art, digital books and education - both as a defined semantic entity (\"thing\") as well as a string. Client-side topic-classification in addition allows for a fast, higher-level logic throughout the whole user experience. Conzept also has a uniquely integrated user-interface, which gives you a single well-designed view of all this information (in any of the 300+ Wikipedia languages), without cognitive overload. >> Read more about Conzept encyclopedia Dat Private Network — Private storage in DAT The dat private network is a self-hosted server that is easy to deploy on cloud or home infrastructure. Key features include a web-based control panel for administration by non-developers, as well as on-disk encryption. These no-knowledge storage services will ensure backup and high availability of distributed datasets, while also providing trust that unauthorized third-parties won’t have access to content. By creating a turnkey backup solution, we’ll be able to address two of our users’ most pressing questions about dat: who serves my data when I’m offline, and how do I archive and secure important files? The idea for this module came from the community, and reflects a dire need in the storage space -- no-knowledge backup and sync across devices. 
A properly-designed backup service will provide solutions to both of these questions, and will do so in a privacy-preserving way. This deliverable will put resources into bringing this work to a production-ready state, primarily through development towards updates that make use of the latest performance and security updates from the dat ecosystem, such as NOISE support. We plan to maintain the socio-technical infrastructure through an open working group that creates updates for the network as it matures. >> Read more about Dat Private Network DATALISP — Universal data interchange format using canonical S-expressions As society moves digital the need for thorough fundamentals becomes more prominent. Datalisp is a laboratory for decentralized collaboration built on a few well understood ideas which imply a certain architecture. The central thesis of datalisp is: \"If we agree to use a theoretically sound data interchange format then we will be able to efficiently express increasingly complicated coordination problems\", but in order to move the web to a different encoding we will need incentives on our side. A substantial improvement in user experience is needed and we aim to provide it. Ultimately our goal is to give peers the tools they need to protect themselves, and others, by collaboratively measuring the legitimacy of information and locally; by assessing whether data can be trusted as code or whether it requires user attention. Datalisp is the convergence point for all these tools (none of which is named \"datalisp\") rather than a language, join us in figuring out how to reach it! >> Read more about DATALISP DatamiPods — Visualisations for (federated) Solid data Datami is a tool to edit, visualize and share your data. It allows to transform datasets into discoverable, understandable and reusable data. ActivityPods is a collective data space solution based on Solid and ActivityPub. 
The DatamiPods project creates a bridge between these two existing open source tools, and aims to simplify the use of the datasets involved - also for less technical users. >> Read more about DatamiPods DeviceCode — Structured technical information about consumer devices This project is about reusing crowdsourced technical data about devices. This data is useful for researchers and tinkerers, but it is typically not the data that vendors are willing to give, let alone under a license that allows reuse. Think of: chipset information, serial port layout & speeds, amount of memory, and so on. Several groups of people have collected this data in several places (mostly wikis) under an open data license, but they are hard to reuse by other projects that could be interested in this data. The goal of \"DeviceCode\" is to collect this information, rework it into a format that is easy to reuse by other projects without having to resort to Wiki scraping, and also clean up the data (as humans make data entry mistakes and put useful data in places where it shouldn't be), cross-correlate different sources and automatically enrich the data where possible. >> Read more about DeviceCode Dokieli — Decentralised article publishing, annotations and social interactions Dokieli empowers users with full control and ownership of their content through self-publishing capabilities. As a decentralised authoring, annotation, and notification tool, dokieli enables users to create and share human-readable and machine-processable content. Users can author and annotate a wide range of creative works, including articles, reviews, technical specifications, research and academic works, resumes, journals, and slideshows. They can link significant units of information from various open sources, store their content using their preferred storage systems, and share it with their contacts. Dokieli is committed to leveraging open internet and web standards to ensure interoperability and universal access. 
Content produced by dokieli is decoupled from the application, allowing users the autonomy to switch to any other standards-compliant application and storage system. The project's goal is to make it usable and accessible for all. To this end, we will replace several key libraries; improve the UI; expand test coverage (including accessibility tests); increase support for offline use; perform security audits; and expand implementation of web standards, and provide implementation experience feedback to technical standards bodies. >> Read more about Dokieli Encoding for Robust Immutable Storage (ERIS) — Encrypted and content-addressable data blocks The Encoding for Robust Immutable Storage (ERIS) is an encoding of content into a set of uniformly sized, encrypted and content-addressed blocks as well as a short identifier (a URN). The content can be reassembled from the encrypted blocks only with this identifier (the read capability). ERIS is a form of content-addressing. The identifier of some encoded content depends on the content itself and is independent of the physical location of where the content is stored (unlike content addressed by URLs). This enables content to be replicated and cached, making systems relying on the content more robust. Unlike other forms of content-addressing (e.g. IPFS), ERIS encrypts content into uniformly sized blocks for storage and transport. This allows peers without access to the read capability to transport and cache content without being able to read the content. ERIS is defined independent of any specific protocol or application and decouples content from transport and storage layers. The project will release version 1.0.0 after handling feedback from security audit, provide implementations in popular languages to facilitate wider usage (e.g. C library, JS library on NPM), perform a number of core integrations into various transport and storage layers (e.g. 
GNUNet, HTTP, CoAP, S3), and deliver Block Storage Management (quotas, garbage collection and synchronization for caching peers). >> Read more about Encoding for Robust Immutable Storage (ERIS) Earthstar (Encryption, Safety, and Local Sync) — Improve security, encryption and sync capabilities in Earthstar CRDT Storing and collaborating digital data is an essential part of every day computing, from photo-sharing amongst family members, to document co-authoring between colleagues. Earthstar is a tool for building undiscoverable, offline-first shared data storage. Users decide which devices their data are stored on, what the infrastructure of their network looks like, the shape of their data, and how they can interact with it. The proposed project adds a number of useful features, notably end-to-end encryption (including metadata), P2P discovery in local networks and efficient data synchronisation. >> Read more about Earthstar (Encryption, Safety, and Local Sync) Etebase - protocol and encryption enhancements — Redesign EteSync protocol and encryption scheme Etebase is an open-source and end-to-end encrypted software development kit and backend. Think of it as a tool that developers can use to easily build encrypted applications. Etebase is the new name for the protocol that powers EteSync, an open source, end-to-end encrypted, and privacy respecting sync solution for contacts, calendars, notes, tasks and more across all major platforms. Many people are well aware of the importance of end-to-end encryption. This is evident by the increasing popularity of end-to-end encrypted messaging applications. However, in today's cloud-based world, there is much more (as important!) information that is just left exposed and unencrypted, without people even realising. Calendar events, tasks, personal notes and location data (\"find my phone\") are a few such examples. This is why the overarching goal of Etebase is to enable users to end-to-end encrypt all of their data. 
While the Etebase protocol served EteSync well, there are a number of improvements that could be made to better support EteSync's current and long-term requirements, as well as enabling other developers to build a variety of encrypted applications. >> Read more about Etebase - protocol and encryption enhancements EteSync - iOS application — Encrypted synchronisation for calendars, addressbook, etc EteSync is an open source, end-to-end encrypted, and privacy respecting sync solution for contacts, calendars and tasks with more data types planned for the future. It's currently supported on Android, the desktop (using a DAV adapter layer) where it seamlessly integrates with existing apps, and on the web for easy access from everywhere. Many people are well aware of the importance of end-to-end encryption. This is evident by the increasing popularity of end-to-end encrypted messaging applications. However, in today's cloud-based world, there is much more (as important!) information that is just left exposed and unencrypted, without people even realising. Calendar events, tasks, personal notes and location data (\"find my phone\") are a few such examples. This is why the overarching goal of EteSync is to enable users to end-to-end encrypt all of their data. The purpose of this project is to create an EteSync iOS client which will seamlessly integrate with rest of the system and let the many currently uncatered for iOS users securely sync their data. >> Read more about EteSync - iOS application Every Door — Efficient and customizable mobile OpenStreetMap editor Every Door is an open-source OpenStreetMap editor for Android and iOS devices. It focuses on efficient on-the-ground surveying, mainly on points of interest and addresses. With the app, one can fully map an entire shopping mall or an entire village in a matter of hours. 
The next steps for the editor are vector tiles and customization: tailoring Every Door for focused mapping and adding interoperability with third-party services. >> Read more about Every Door Explain — Deep search on open educational resources The Explain project aims to bring open educational resources to the masses. Many disparate locations of learning material exist, but as of yet there isn’t a single place which combines these resources to make them easily discoverable for learners. Using a broad array of deep content metadata extraction techniques developed in conjunction with the Delft University of Technology, the Explain search engine indexes content from a wide variety of sources. With this search engine, learners can then discover the learning material they need through a fine-grained topic search or through uploading their own content (eg. exams, rubrics, excerpts) for which learners require additional educational resources. The project focuses on usability and discoverability of resources. >> Read more about Explain Friendly Forge Format (F3) — Proposed Standard for secure communication between software forges The Friendly Forge Format (abbreviated F3) is an Open File Format for storing the information from a forge such as issues, pull/merge requests, milestones, release assets, etc. as well as the associated VCS (Git, Mercurial, etc.). F3 is designed to exchange the state of a software project between GitHub, GitLab, Gitea, etc. for backup, mirroring or federation. F3 is essential for a forge to provide key requirements. 
(i) Portability: the entire state of a software project can be dumped and restored at a later time, on a different development environment (ii) Versatility: when published and updated as a F3 archive, a software project effectively is Open Data on which an unlimited range of applications can rely, even outside of the forge domain (iii) Consistency: it provides a common language to use when talking about the forge related domains (iv) Trust: cryptographic signatures on each F3 dump guard against malicious or unintentional tampering that could compromise the integrity of a software project. >> Read more about Friendly Forge Format (F3) FastScan — Performance improvements for ScanCode Toolkit/ScanCode.io ScanCode is a powerful free and open source software composition analysis (SCA) code scanner. It can be used to analyze a complete virtual machine image, or a single application package with customizable pipelines. It integrates into DevOps workflows with comprehensive APIs, and helps to generate correct SBOMs. It can be used with all programming languages and environments. One weakness so far has been throughput. ScanCode could be much faster, and this is the topic of this grant: it improves the performance for both ScanCode Toolkit and ScanCode.io. By profiling ScanCode.io performance and identifying hotspots and issues using benchmarks, and subsequently improving performance in a targeted manner, this project stands to make software composition analysis easier and more accessible. >> Read more about FastScan Software metadata — Decentralized, federated metadata about software applications Modern software systems (and the organizations building and using them) rely on reusing free and open source software (FOSS), which requires quality metadata. Existing FOSS metadata databases are centralized and \"too big to share\" with locked metadata behind gated APIs promoting lock-in and prohibiting privacy-preserving offline usage. 
FederatedCode is a new decentralized and federated system for FOSS metadata, enabling social review and sharing of curated metadata along with air-gapped, local usage to preserve privacy and confidentiality. FederatedCode's distributed metadata collection process includes metadata crawling, curation and sharing, and its application to open source software package origin, license and vulnerabilities. The project strives to implement the concepts outlined in \"Federated and decentralized metadata system\" (Ombredanne 2023). >> Read more about Software metadata Federated Task-Tracking with Live Data — Track tasks and issues in a federated way Applications and data are tightly coupled: the format, structure, and meaning of data are almost inseparable from the application generating and using them, hindering the data's portability. Sharing data between applications entails mastering complex and proprietary APIs or export formats, and transforming output data into the necessary structure and meaning for use elsewhere, time-consuming and error-prone activities. Federation is a way of linking different systems together so users can share data by being 'connected, but sovereign'. The precursor Federated Timesheets project successfully pioneered this approach for time-tracking data, bringing together WikiSuite, timeld, and Prejournal such that timesheet data entered into one are easily disseminated to the others. Federated Task-Tracking builds ambitiously on that foundation, with a more complex data model applicable to a broader range of real-world scenarios, introduces live collaborative editing of latency-critical data shared between participating systems. >> Read more about Federated Task-Tracking with Live Data First Classify Documents — Categorise different types of official documents With governments all over the world turning to digital filing systems, millions of paper files still wait to be digitized. 
One major challenge in this process is a structured approach to classifying and ordering documents. It is an unfortunate fact that many public documents are bitmap images of texts. For instance, tenders are published digitally but the actual resulting contracts are not published in a way that allows them to be indexed and queried - which hinders civil society in their ability to access these documents. Open source OCR software needs to become better to get good results with this. This project developed a system for models to distinguish between different types of official documents, able to classify state documents according to structure, keywords, document name, word and page count, metadata and context. >> Read more about First Classify Documents Fleetbase on Solid: A production-ready supply chain solution — Federated open source supply chain solution using Solid One of the most exciting features of Solid is its ability to set up a knowledge graph that connects the data with different owners. This is useful for connecting personal data, but it's even more useful for connecting business data. As such, supply chain management is a field with a high potential for disruption with Solid. Individual companies can share supply chain data with their clients and suppliers, allowing for more insights across the entire supply chain. Building a supply chain solution on top of Solid doesn't only take knowledge of Linked Data, it requires partners who are experts in supply chain management. Fleetbase is an MIT licensed, open-source logistics platform serving companies around the world. The \"Fleetbase on Solid: A production-ready supply chain solution\" project seeks to make Fleetbase Solid compatible and flesh out a real-world use-case that relies on the power of linked data sharing enabled by Solid. By the end of the project, shipping companies will be able to use Fleetbase on Solid to share information and coordinate with third party delivery companies. 
>> Read more about Fleetbase on Solid: A production-ready supply chain solution Wikirate Frameworks — Open corporate data in Wikirate through the lens of standards Wikirate.org is the largest open-source open-data registry of Environmental, Social and Governance (ESG) data about companies. The project, “A Frameworks Framing: Open Corporate data through the lens of standards”, aims to enhance Wikirate.org by integrating ESG standards and frameworks as key navigational and analytical tools. The enhancements will make it easy for diverse stakeholders – such as researchers, CSOs and investors – to navigate the many existing frameworks conceived to organize ESG data. It can be very difficult to wrap one’s head around any single ESG framework, much less to see how all the frameworks interrelate. There is, however, quite a lot of interrelation. Frameworks end up needing the answers to overlapping questions (or, in Wikirate terms, metrics). The functionality developed in this grant will enable users to see how Wikirate metrics and datasets align with one or more frameworks. The project will facilitate better understanding and use of corporate data for stakeholders by streamlining the organization of ESG topics, advancing open standards, and making frameworks central to exploring metrics. >> Read more about Wikirate Frameworks Data packages — Specification + improved tooling for external data set descriptions Frictionless Standards are lightweight yet comprehensive open standards to help data publishers and consumers to create and use data. The standards include Data Package to describe a dataset, Data Resource to describe a data resource, File Dialect to describe a file format, and Table Schema to describe tabular data. They can be used together within a data package, like when providing a data API within an open data portal, or separately as building blocks for other standards or metadata catalogues, like Table Schema catalogue for public data models. 
The ultimate goal of Frictionless Standards is fully aligned with the FAIR principles: Findability, Accessibility, Interoperability, and Reuse of digital assets. >> Read more about Data packages Geolexica reverse — Reverse Semantic Search and Ontology Discovery via Machine Learning Ever forgotten a specific word but could describe its meaning? Internet search engines more often than not return unrelated entries. The solution is reverse semantic search: given an input of the meaning of the word (search phrase), provide an output with dictionary words that match the meaning. The key to accurate reverse search lies in the machine’s ability to understand semantics. We employ deep learning approaches in natural language processing (NLP) to enable better comparison of meanings between the search phrases and word definitions. Accuracy will be significantly increased. The project outcome will be employed on Geolexica as a pilot application and testbed for evaluation. The ability to identify entities with similar semantics facilitates ontology discovery in the Semantic Web and in Technical Language Processing (TLP). >> Read more about Geolexica reverse ISCC-CORE typescript implementation library — Decentralised content identifiers through ISO 24138. The goal of this project is to implement core functions of the new ISCC standard ISO 24138:2024 (“International Standard Content Code”) in TypeScript, resulting in a library that will be useful for the JavaScript ecosystem and for developers to use and work with this new standard in their projects. ISCC is a similarity preserving fingerprint and identifier for digital media assets. ISCCs are generated algorithmically from digital content, just like cryptographic hashes. However, instead of using a single cryptographic hash function to identify data only, the ISCC uses various algorithms to create a composite identifier that exhibits similarity-preserving properties (soft hash). 
This supports content deduplication, database synchronization, indexing, integrity verification, timestamping, versioning, data provenance, similarity clustering, anomaly detection, usage tracking, allocation of royalties, fact-checking and other use-cases. >> Read more about ISCC-CORE typescript implementation library Icosa Gallery — Open, decentralised platform for 3D assets Icosa Gallery is an open source 3D model sharing platform, designed to give users total control over their 3D creations. Powered by ActivityPub, users are free to choose their own instance that suits their needs, while still being able to share their creations with the wider fediverse. Users have access to a versatile 3D viewer for the browser, can upload in a wide choice of formats, and have complete control over publishing, licencing, and terms of their own assets. 3D portfolios are made simple for sharing with clients. A powerful API, search, and tagging system allows users to easily integrate their creations into any 3D environment. Instance admins have a versatile toolbox for managing data, including multiple large file storage backends depending on their hosting needs. >> Read more about Icosa Gallery In-document search — Interoperable Rich Text Changes for Search There is a relatively unexplored layer of metadata inside the document formats we use, such as Office documents. This allows to answer queries like: show me all the reports with edits made within a timespan, by a certain user or by a group of users. Or: Show me all the hyperlinks inside documents pointing to a web resource that is about to be moved. Or: list all presentations that contain this copyrighted image. Such embedded information could be better exposed to and used by search engines than is now the case. 
The project expands the ODF toolkit library to dissect file formats, and will potentially have a very useful side effect of maturing the understanding of document metadata at large and for collaborative editing of documents in particular. >> Read more about In-document search Practical Tools to Build the Context Web — Declarative setup of P2P collaboration In a nutshell, the Perspectives project makes collaboration behaviour reusable, and workflows searchable. It provides the conceptual building blocks for co-operation, laying the groundwork for a federated, fully distributed infrastructure that supports endless varieties of co-operation and reuse. The declarative Perspectives Language allows a model to translate instantly into an application that supports multiple users to contribute to a shared process, each with her own unique perspective. The project will extend the existing Alpha version of the reference implementation into a solid Beta, with useful models/apps, aspiring to community adoption to further the growth of applications for citizen end users. Furthermore, necessary services such as a model repository will be provided. This will bring Perspectives out of the lab, and into the field. For users, it will provide support in well-known IDEs for the modelling language, providing syntax colouring, go-to definition and autocomplete. Real life is an endless affair of interlocking activities. Likewise, Perspectives models of services can overlap and build on common concepts, thus forming a federated conceptual space that allows users to move from one service to another as the need arises in a most natural way. Such an infrastructure functions as a map, promoting discovery, decreasing dependency on explicit search. However, rather than being an on-line information source to be searched, such as the traditional Yellow Pages, Perspectives models allow their users (individuals and organisations alike) to interact and deal with each other on-line. 
Supply-demand matching in specific domains (e.g. local transport) integrates readily with such an infrastructure. Other patterns of integrating search with co-operation support form a promising area for further research. >> Read more about Practical Tools to Build the Context Web Inventaire Self-hosted — Self-hosted book inventories that share the wikidata-powered bibliographic database The Inventaire Association supports and promotes the use of libre/free software and open knowledge to share information on resources. This ideal results in inventaire.io: a libre book sharing webapp, inviting everyone to make the inventory of their physical books, say what they want to do with it (giving, sharing, selling) and who may see it (friends, groups, or everyone). To provide data on books, inventaire.io reuses, extends, and facilitates contribution to wikidata.org. This allows users to build their inventories on top of a huge open multilingual knowledge graph, connected to Wikipedia, national libraries, the fediverse, and many other resources. As the inventaire software becomes more mature, it is now time to deliver on a promise made years ago: decentralization. Installing and maintaining a self-hosted data-federated inventaire server should soon be as easy as (cyber-)cake! This would allow association libraries, privacy-concerned collectives, or anyone preferring self-hosting, to run their own instance: they would fully control their inventory data (\"We have this book\"), while still having the possibility to benefit from a mutualized bibliographic database (\"This author wrote this book\"). >> Read more about Inventaire Self-hosted Threat intelligence sharing — Privacy-Preserving Sharing of Threat Intelligence in Trusted Adversarial Environments Iris P2P is a peer to peer system for sharing security detections and threat intelligence with trusted models resilient to manipulation attacks. Most P2P systems are designed for file sharing, storage, chat, etc. 
but they are not prepared to share security detections, threat intelligence data and alerts. The security world needs better ways to automatically share intelligence data with trusted organizations and peers. If decentralized, no single organization has control or can censor, sell or modify the data. Iris is the first global P2P system that is designed to solve this problem. It implements: automatic sharing of threat intelligence data when you are attacked, controlling the spread in the P2P to spread slowly, alerting the network of a new attacker, controlling the spread in the P2P to be fast, asking peers about the reputation of other peers, and defining ‘organizations’ in the P2P network using the DHT and private/public keys. Organizations can publish their keys in conventional communication systems to attest ownership (social media, etc.). All communication is encrypted with private/public keys. You can control the privacy of your data by defining with which organizations and peers you want to share your data. You can also control the transfer of data with epidemic algorithms. All data is evaluated according to the trust in the other peers. The trust of each peer in the network is defined with a new protocol (Fides), which computes the trust in each peer by balancing the direct interactions with peers and the reputation of peers according to the rest of the peers. Fides implements a mathematical model to guarantee that no adversarial peer can lie to manipulate the reputation and the trust. >> Read more about Threat intelligence sharing Knowledge Graph Portal Generator — Automatically generate custom web interfaces for structured data The Knowledge Graph Portal Generator is a toolkit designed to create user-friendly web portals for Knowledge Graph (KG) datasets, making data from public SPARQL endpoints accessible to users without expertise in semantic technologies. 
Built on the LinkedDataHub framework, our solution will feature paginated collections, faceted search, and detailed entity views. It will extract RDF ontologies from datasets, generate content configurations, and use these to extend the default LinkedDataHub into a dataset-specific web application. >> Read more about Knowledge Graph Portal Generator LabPlot — Scientific and engineering data analysis and visualisation LabPlot is a free, open source and cross-platform data visualisation and analysis software. It focuses on ease of use and performance. It provides high quality data visualisation and plotting capabilities, as well as reliable and easy data analysis, without requiring any programming skills from the user. Data import and export to and from a variety of formats is supported. LabPlot also allows calculations to be performed in various open source computer algebra systems and languages via an interactive notebook interface. In this project the team will work on extending the current feature set of the application to reach a wider audience. This includes scripting capabilities (in Python only in the initial implementation) to script and automate repetitive data visualisation and analysis workflows and to allow control of LabPlot from external applications via a public interface. The second feature that will be worked on is the ability to apply analysis functions such as FFT, smoothing, etc. to live/streaming data (data imported into LabPlot and modified externally). And thirdly, statistical analysis including common hypothesis tests, correlations, regressions and data panning. >> Read more about LabPlot LiberaForms — End to End Encrypted Forms Cloud services that offer handling of online forms are widely used by schools, associations, volunteer organisations, civil society, and even families to publish questionnaires and collect the results. 
While these cloud services (such as Google Forms and Microsoft Forms) can be quite convenient to create forms with, for the constituency which has to fill out these forms such practices can actually be very invasive because forms may not only include personal details such as their name, address, gender or age, but also more intimate questions including medical details, political information and life style background. In many situations there is a power asymmetry between the people creating the form and the users that have to supply the data through that form. Often there is significant time pressure. No wonder that users feel socially coerced to comply and hand over their data, even though they might be perfectly aware that their own data might be used against them. LiberaForms is a transparent alternative for proprietary online forms that you can easily host yourself. In this project, LiberaForms will add end-to-end encryption with OpenPGP, meaning that the data is encrypted on the client device and only the final recipient of the form data can read it (and not just anyone with access to a server). Also, the team will add real-time collaboration on forms, in case users need to fill out forms together. >> Read more about LiberaForms LinkedDataHub — Framework to handle Linked Data at scale LinkedDataHub is a Knowledge Graph explorer, or in technical terms, a rich Linked Data client combined with a personal RDF dataspace (triplestore). It provides a number of features for end-users: browsing Linked Data, cloning RDF resources to the personal dataspace, searching and querying SPARQL endpoints, creating collections from SPARQL queries, editing remote and local RDF documents, creating and transcluding structured content with visualizations of SPARQL results, charts etc. LinkedDataHub is a standalone product as well as a framework – its data-driven architecture allows extension and customization at every level from the APIs up to the UI. 
We expect LinkedDataHub to become a go-to tool for end-users working with Linked Data and SPARQL: researchers, data scientists, domain experts – regardless of whether they work in the digital humanities, life-sciences or any other domain. We strive to provide an unparalleled Knowledge Graph user experience that is enabled by the RDF stack, with the focus on discovery, exploration and personalization. >> Read more about LinkedDataHub LumoSQL — Create more reliable, distributed embedded databases The most widely-used database (SQLite) is not as reliable as it could be, and is missing essential features like encryption and safe usage in networked environments. Billions of people unknowingly depend on SQLite in their applications for critical tasks throughout the day, and this embedded database is used in many internet applications - including in some core internet and technology infrastructure. This project wants to create a viable alternative ('rip and replace'), using the battle tested LMDB produced by the LDAP community. This effort makes it possible to address a number of other shortcomings, and to make many applications more trustworthy and, by means of adding cryptography, also more private. Given the wide range of use cases and heavy operational demands of this class of embedded databases, a serious effort is needed to execute this plan in a way where users can massively switch. The project will extensively test, and will validate its efforts with a number of critical applications. >> Read more about LumoSQL MWoffliner — Software to make Wikipedia and other Mediawiki content available offline Wikipedia aims to make the Sum of All Human Knowledge available to all and for free. But with three to four billion people around the world lacking connectivity (because of cost, infrastructure or censorship) we need a solution to bridge the digital divide and bring this great tool to everyone. 
Mediawiki offliner packages and compresses any wiki into a portable ZIM archive that can then be browsed offline and on any device, no matter where their users are located. In short, this allows anyone and everyone to carry the largest encyclopaedia ever on their phone and in their pocket. >> Read more about MWoffliner MaDada — Using LinkedData to improve FOI processes MaDada is a free open source platform that simplifies and opens up the process of access by the general public to data and information held by the French government. Making use of the Freedom Of Information (FOI) law, the platform guides citizens to file requests, but also acts as an open data archive and platform for right-to-know or transparency campaigns, by publishing the whole process: the request history, the resulting correspondence, and the data obtained through it. Launched in October 2019 by Open Knowledge Foundation France members, MaDada has helped 250+ users make over 1200 FOI requests to French public bodies, and is beginning to play an important role in the right-to-know, need for transparency and open government problems. MaDada is based on the open source software Alaveteli (https://alaveteli.org), which has been adapted and deployed to more than 25 countries in 20 different languages and jurisdictions. Alaveteli offers efficient functions for users to request and manage FOI requests. The NLnet funding will help the project develop and improve discovery and search features of public bodies on madada.fr and Alaveteli software - for instance, in France alone there are more than 60,000 public authorities. This will take advantage of existing digital commons such as Wikidata, and open standards such as schema.org and DCAT. 
>> Read more about MaDada Manas — Rust modules for Solid clients and servers The Manas project aims to make Solid ubiquitous by creating an ecosystem with well-tested, reusable components in Rust and JS, with which one can assemble customized, feature rich Solid storage servers, clients, and applications, and digital-commons with data-sovereignty collaboration at the core. Using Rust, the servers could be run on anything from low-resource Raspberry Pis to low-latency serverless clouds, or as lightweight developer test servers. They can use custom storages from filesystem, object-stores, or consumer cloud storages like Google Drive as backends. Support for WAC, ACP authorization systems, Solid-OIDC, HTTPSig authentication schemes, multi pod management, solid-notifications, etc. will be provided as reusable layers. And the layered architecture enables adding customized validation, or any other custom features. For clients, a Rust client, and other helper crates will be developed for Solid protocol, Solid-notifications, etc., with probable bindings to other languages, that enables small CLIs, and other server-side/client side applications. For the applications, a reusable crate will be created to package them as native applications using Tauri, and Manas. This could make Solid an attractive storage API to code web & native apps with a single code base. It can be extended to offer sync solutions, native-first apps, etc. in future. >> Read more about Manas MapComplete — Thematic OpenStreetMap-viewer and editor. OpenStreetMap is a libre and free online database of geodata which can be edited by everyone and is used by millions of people. However, contributing can be challenging or intimidating to non-technical users. MapComplete is a webapp whose goal is to make it trivial to see and update information on OpenStreetMap. 
This is achieved by showing only features related to a single topic of interest on the map - from playgrounds, public toilets and bicycle rental places to charging stations and public tap water spots. MapComplete contains many thematic maps, each built for a certain community of users and use cases. By focusing on a single topic, contributors are not distracted by objects not relevant to them. Furthermore, this allows to show (and ask for) attributes that are highly specialized (e.g. a widget that determines tree species based on pictures) but also to reuse common attributes and elements (such as showing and adding opening hours or pictures). Within this project, performance will be improved and a user interface to create a new topical map will be built, which will allow for more people to contribute on more topics. >> Read more about MapComplete NEFUSI — NEFUSI: A novel NEuroFUzzy approach for semantic SImilarity assessment The challenge of determining the degree of semantic similarity between two expressions of a textual nature has become increasingly important in recent times. The great importance it has in many modern computing areas and the latest advances in neural computation have made the solutions better. NEFUSI (which stands for \"NEuroFUzzy approach for semantic SImilarity assessment\") aims to go a step further with the design and development of a novel neurofuzzy approach for semantic textual similarity based on neural networks and fuzzy logics. We intend to benefit from the outstanding capabilities of the latest neural models to work with text and, at the same time, from the possibilities that fuzzy logic offers to aggregate and decode numerical values in a personalized way. In this way, the project will build an approach intended to effectively determine the degree of semantic similarity of textual expressions with high accuracy in a wide range of scenarios concerning Search and Discovery. 
>> Read more about NEFUSI Nextcloud — Unified and intelligent search within private cloud data The internet helps people to work, manage, share and access information and documents. Proprietary cloud services from large vendors like Microsoft, Google, Dropbox and others cannot offer the privacy and security guarantees users need. Nextcloud is a 100% open source solution where all information can stay on premise, with the protection users choose themselves. The Nextcloud Search project will solve the last remaining open issue which is unified, convenient and intelligent search and discoverability of data. The goal is to build a powerful but user friendly user interface for search across the entire private cloud. It will be possible to select data by date, type, owner, size, keywords, tags and other metadata. The backend will offer indexing and searching of file based content, as well as integrated search for other contents like text chats, calendar entries, contacts, comments and other data. It will integrate with the private search capabilities of Searx. As a result the users will have the same powerful search functionalities they know and like elsewhere, but respecting the privacy of users and strict regulations like the GDPR. >> Read more about Nextcloud NextGraph — Interlinked data graphs, with privacy, security, data locality, and interoperability in mind NextGraph brings about the convergence between P2P and Semantic Web technologies, towards a decentralized, secure and privacy-preserving cloud, based on CRDTs. This open source ecosystem provides solutions for end-users and software developers alike, wishing to use or create decentralized apps featuring: live collaboration on rich-text documents, peer to peer communication with end-to-end encryption, offline-first, local-first, portable and interoperable data, total ownership of data and software, security and privacy. 
Centered on repositories containing semantic data (RDF), rich text, and structured data formats like JSON, synced between peers belonging to permissioned groups of users, it offers strong eventual consistency, thanks to the use of operation-based CRDTs. Documents can be linked together, signed, shared securely, queried using the SPARQL language and organized into sites and containers. Long-term goals include developing or integrating wikis, knowledge bases, search engines, groupware, productivity tools, supply chain solutions, marketplaces and e-commerce solutions, social networks, smart contracts and DAOs. With NextGraph, users can now create and access freely their own interlinked data graphs, while preserving privacy, security, data locality, and interoperability. >> Read more about NextGraph Nominatim as a library — Self-hostable address/location retrieval for OpenStreetMap Nominatim is an open-source geographic search engine (geocoder). It makes use of the data from OpenStreetMap to build up a database and API that allow searching for any place on earth and looking up addresses for any given geographic location. The conventional wisdom is that geocoding is such a computationally heavy task that it can only be done through a webservice. So far, Nominatim has been following this convention. While it is easy to install your own instance, it is still expected to be run as a service. However, if you care about privacy, then location data is not something you would want to regularly send to an external geocoding provider because it allows the creation of detailed movement profiles. We need the possibility to do geocoding directly on the device. The goal of this project is to transform Nominatim's code base so that it can be used not only as a web service but also as a local application or as a library inside another application. In the first phase, the PHP code of the search frontend will be ported to Python, which is much better suited for such a multi-use task. 
In the second phase, we explore if the rather heavy-weight PostgreSQL database can be transformed into an SQLite database to even further simplify using Nominatim as a library. >> Read more about Nominatim as a library OpenStreetMap Speed Limits — Infer default speed limits for better quality OpenStreetMap-based routing OpenStreetMap (OSM) is the world's largest open geodata set, created and maintained collaboratively by millions of users. Of course there are many other purposes beyond creating a map, for instance finding the best route from A to B. Such usage needs to take into account incomplete data, as coverage of speed limits varies greatly across OSM. Currently, only about 12% of roads in OSM have speed limits set. However, default legal speed limits can often be inferred from other data, such as whether the road is within an urban zone, whether the carriageway is segregated, how many lanes it has, whether it is paved etc. The goal of this project is to extract the default speed limits for different road and vehicle types for all state legislations, map these to OSM and provide these in a machine-readable form so that it can be consumed by open source routing software such as GraphHopper, Valhalla or OSRM. Further, a reference implementation that interprets this data will be provided. >> Read more about OpenStreetMap Speed Limits Ontogen — From datasets in DCAT catalogs to knowledge graphs Data Catalogs are an important building block for a knowledge graph. Most available open-source data cataloging solutions, however, are tailored either to the needs of dataset publishers or to bigger companies with existing data warehouses or data lakes. Open data communities or smaller-sized companies do not have many options to choose from when it comes to lightweight solutions to catalog their existing data assets or collect existing metadata about relevant datasets for their needs. K-Gen will be such a lightweight data catalog solution. 
It will be based on DCAT, the W3C standard for data catalogs, which has been widely adopted in the public sector for the publishing of open datasets. In the first development phase, the milestone of a basic data catalog to collect metadata about datasets of a user and a general data processing pipeline to import existing metadata about datasets from various sources and various formats, including ways to keep them in sync with the original source should be developed. Further development should then provide tools to build a knowledge graph over the content of the datasets of the data catalog. >> Read more about Ontogen Ontogen and Mud — Advanced versioning and identity management for RDF datasets Ontogen is a specialized version control system for RDF datasets, addressing unique challenges in semantic web data management. In this project, we aim to significantly enhance Ontogen's capabilities and usability. A key improvement is extracting and expanding Ontogen's configuration language into Mud, a standalone RDF preprocessing language for comprehensive identity management. Mud will extend beyond configuration, offering expanded identity management for all resources in RDF datasets and providing extensible support for other common operations when working with RDF data, like RDF smushing for example. Also a robust synchronization protocol should be implemented in Ontogen, enabling a complete repository copy in the file system, allowing seamless use of text editors and other file-based utilities for working with the versioned dataset, as well as integration with Git or other file-based version control systems. Additionally, support for datasets with multiple graphs should be extended. These advancements will make Ontogen more flexible, accessible, and secure, paving the way for its adoption in production environments and opening up new possibilities in RDF data management. 
>> Read more about Ontogen and Mud Open Cloud Mesh — Improved specs and test suite for Open Cloud Mesh protocol The Open Cloud Mesh protocol, at its core, defines a wonderfully simple JSON payload to notify another server when a user wants to share a folder or file with a user on that server. It is implemented by some major Enterprise File Sync and Share (EFSS) vendors, and used in production by several serious organisations - including major National Research and Education Networks (NRENs). But its specification and test suite are still lacking in substance and quality. In this project we will improve the specification text, flesh it out to a more strictly defined (RFC-style) text that addresses all aspects and considerations of the protocol. In addition we improve the test suite so that it can be run in Continuous Integration (CI) instead of requiring frequent manual intervention, and clarify any incompatibilities we find between implementations. >> Read more about Open Cloud Mesh Open Everything Facts — Powering consumer choice on anything with a bar code When we started Open Food Facts, it already seemed like a bold endeavour to compile comprehensive food product data into a single database, with far-reaching positive impacts, and the rest is history. Why not extend this concept further? Why should consumers not have the same level of informed decision-making power for products beyond food, like their shampoo, bicycles, refrigerators, or ventilation systems? Our ambition is to integrate our existing product databases — Open Food Facts, Open Product Facts, Open Beauty Facts, and Open Pet Food Facts — into one unified, easy-to-navigate mobile application. This will include a universal scan, a new unified versatile and simplified product page, simplified personal and private preferences, as well as the matching contribution experience. 
Ultimately, this project is a stride towards a world where transparency and informed choices are the norms, not the exception, in every aspect of consumer goods. >> Read more about Open Everything Facts Personal Food Facts — Privacy protecting personalized information about food Open Food Facts is a collaborative database containing data on 1 million food products from around the world, in open data. This project will allow users of our website, mobile app and our 100+ mobile apps ecosystem, to get personalized search results (food products that match their personal preferences and diet restrictions based on ingredients, allergens, nutritional quality, vegan and vegetarian products, kosher and halal foods etc.) without sacrificing their privacy and having to send those preferences to us. >> Read more about Personal Food Facts OpenStreetMap-NG — Alternative implementation of OpenStreetMap OpenStreetMap-NG is an innovative rethinking of how open mapping platforms can be built and maintained, as an alternative to the current openstreetmap.org setup. Leveraging Python and other widely used technologies and guided by user-centric design principles, this project creates a more accessible, privacy-respecting, and developer-friendly mapping platform. By prioritizing both solid technical foundations and ease of use, OpenStreetMap-NG wants to make open-source mapping more approachable while pushing the boundaries of what's possible. >> Read more about OpenStreetMap-NG Open Web Calendar Stack — Aggregate public and private web calendars The Open Web Calendar stack is an open-source set of Python libraries and programs which read and write calendars based on the iCalendar standard. The Open Web Calendar displays a highly configurable website that can be embedded to show a calendar. Currently, ICS URLs are supported and a goal is to also support CalDAV. Amongst the used libraries is the popular icalendar library to parse and write iCalendar (RFC5545) information. 
This cornerstone of Python's ecosystem requires some work to be up-to-date with common practice such as updating the timezone implementation. The updates to the icalendar library will be tested and also pushed up the stack to the Open Web Calendar. The recurrence calculation of events is done by the python-recurring-ical-events library. Changes to icalendar will be tested against this library to find compatibility issues. As the iCalendar standard has been updated, recurrence calculation is affected, too. These updates need to be evaluated and possibly implemented for both icalendar and the recurrence calculation. By implementing changes at the base, the whole stack is improved. We can use the Open Web Calendar project to make sure that possible transitions and updates are mapped out and communicated to other projects in the ecosystem. Improving a FOSS solution thus spreads the accessibility of iCalendar. >> Read more about Open Web Calendar Stack Organic Maps convergent UI with Qt Quick/Kirigami — Declarative cross-platform UI for navigation Maps navigation software is a crucial part of computer systems today, be it on Mobile, Desktop, Automotive and so on. For quite some time already, we have had a brilliant open-source maps application, now named Organic Maps. Its features make it a strong competitor to commercial-grade software; among them are privacy, fully offline maps, low battery consumption, navigation, points of interest (POI) and much more. Currently, the application shows its strength on mainstream mobile operating systems only. On other systems, its ability is quite limited, mainly because of the lack of a proper User Interface for them. This project aims to create an Organic Maps convergent touch-friendly User Interface for Linux, backed by the feature-rich Qt Quick/QML application framework, perfectly suitable for this task. 
This would allow feature-parity for Mobile and Desktop Linux systems, and also creates solid ground for further unification of the User Interface among other platforms. >> Read more about Organic Maps convergent UI with Qt Quick/Kirigami p2panda: group encryption and capabilities — Add group encryption and capabilities to peer-to-peer SDK p2panda is a protocol and SDK for building decentralised applications with authenticated data, which is stored and synced between computers. Most p2p protocols, including p2panda, face problematic security and privacy challenges, where sensitive data is distributed in a trust-less network. This application aims at the integration of a secure data encryption and fine-grained capability layer to give users more control and protection of their data. Scalable data encryption for large groups in a decentralised network is hard and has always involved a trade-off between UX and security. We believe that MLS is the first Internet Engineering Task Force (IETF) standard to tackle some of these challenges. p2p applications of all kinds will benefit from a protocol that gives them a distributed, strongly encrypted database stack. MLS assures Post-Compromise Security (PCS) and Forward Secrecy (FS) and still stays performant for large groups. While MLS is capable of working in a decentralised environment it hasn’t been explicitly specified for it. With p2panda we have all the building blocks to realize MLS in a fully decentralised setting. Highly collaborative p2p and offline-first applications require a robust capability system which facilitates giving and revoking permissions to/from identities on the network. With such a system it becomes possible to give permissions for certain actions to other authors or link devices which should be grouped under a single identity. 
>> Read more about p2panda: group encryption and capabilities PRESC Classifier Copies Package — Implementing Machine Learning Copies as a Means for Black Box Model Evaluation and Remediation The ubiquitous use over the Internet, and in particular in search engines, of often proprietary black-box machine learning models and APIs in the form of Machine Learning as a Service, makes it very difficult to control and mitigate their potential harmful effects (such as lack of transparency, privacy safeguards, robustness, reusability or fairness). Machine Learning Classifier Copying allows us to build a new model that replicates the decision behaviour of an existing one without needing to know its architecture or to have access to the original training data. A suitable copy makes it possible to audit the already deployed model, mitigate its shortcomings, and even introduce improvements, without the need to build a new model from scratch, which requires access to the original data. This project aims to implement a practical solution of this innovative technique into PRESC, an existing free software tool for the evaluation of machine learning classifiers, so that classifier copies are automated and can be easily created by developers using machine learning, in order to reuse, evaluate, mitigate and improve black-box models, ensure a personal data privacy safeguard into their machine learning models, or for any other application. >> Read more about PRESC Classifier Copies Package Panoramax — Digital, collaborative immersive street level imagery Panoramax is an immersive views project. It is a digital, collaborative, free and open community. Access to the photos is free. Panoramax operates as an instance or federation of instances for hosting images. Today, most contributions are made using web interfaces that are not suitable for smartphones. However, this is an important lever for increasing the number of contributions. 
The aim of the “A mobile app for Panoramax” project is to enable contributions from smartphones, while making them easy for everyone. The application will enable geolocated and sequenced photos to be taken and uploaded to the various community instances. >> Read more about Panoramax PeerDB Search — Search for semantic and full-text data PeerDB Search is an opinionated but flexible open source search system incorporating best practices in search and user interfaces and experience to provide intuitive, fast, and easy to use search over both full-text data and semantic data exposed as facets. The goal of the user interface is to allow users without technical knowledge to easily find results they want, without having to write queries. The system will also allow multiple data sources to be used and merged together. As a demonstration PeerDB will deploy a public instance as a search service for Wikipedia articles and Wikidata data. >> Read more about PeerDB Search Poliscoops — Make political news and online debate accessible PoliFLW is an interactive online platform that allows journalists and citizens to stay informed, and keep up to date with the growing group of political parties and politicians relevant to them - even those whose opinions they don't directly share. The prize-winning political crowdsourcing platform makes finding hyperlocal, national and European political news relevant to the individual far easier. By aggregating the news political parties share on their websites and social media accounts, PoliFLW is a time-saving and citizen-engagement enhancing tool that brings the internet one step closer to being human-centric. In this project the platform will add the news shared by parties in the European Parliament and national parties in all EU member states, showcasing what it can mean for access to information in Europe. There will be a built-in translation function, making it easier to read news across country borders. 
PoliFLW is a collaborative environment that helps to create more societal dialogue and better informed citizens, breaking down political barriers. >> Read more about Poliscoops Polyglot jaq — Data wrangling tool focusing on correctness, speed, and simplicity. Data often needs to be processed going from one tool to another. Doing that is potentially a point of failure, as 'quick and dirty' solutions often fail to take into account edge cases. This project will build on top of Jaq, a Rust re-implementation of the widely popular jq syntax with rigorously defined semantics, and extend its approach to other data formats - from legible formats such as XML, YAML, TOML, CSV and Markdown to binary formats. For the latter, the project builds on the versatile parsing toolbox of Kaitai Struct. >> Read more about Polyglot jaq Pomme d’API — Improvements around the Open Food Facts API Open Food Facts is an open and collaborative database of 3.5M food products from around the world. This project will improve the Open Food Facts API to make it easier for the 250+ apps and services that use it daily to access and contribute food products data. In particular, it will focus on providing easier means to contribute photos and data, better structured data, OpenAPI specifications, and extensive documentation. >> Read more about Pomme d’API Private Searx — Add private resources to the open source Searx metasearch engine Searx is a popular meta-search engine letting people query third party services to retrieve results without giving away personal data. However, there are other sources of information stored privately, either on the computers of users themselves or on other machines in the network that are not publicly accessible. To share it with others, one could upload the data to a third party hosting service. However, there are many cases in which it is unacceptable to do so, because of privacy reasons (including GDPR) or in case of sensitive or classified information. 
This issue can be avoided by storing and indexing data on a local server. By adding offline and private engines to searx, users can search not only on the internet, but on their local network from the same user interface. Data can be conveniently available to anyone without giving it away to untrusted services. The new offline engines would let users search local file systems, open source indexers and databases, all from the UI of searx. >> Read more about Private Searx PyCM — Evaluate the performance of ML algorithms The outputs and results of machine learning algorithms are usually in the form of confusion matrices. PyCM is an open source python library for evaluating, quantifying, and reporting the results of machine learning algorithms systematically. PyCM provides a wide range of confusion matrix evaluation metrics to process and evaluate the performance of machine learning algorithms comprehensively. This open source library allows users to compare different algorithms in order to determine the optimal one based on their preferences and priorities. In addition, the evaluation can be reported in different formats. PyCM has been widely used as a standard and reliable post-processing tool in the most reputed open-source AI projects like TensorFlow Similarity, Google's scaaml, torchbearer, and CLaF. >> Read more about PyCM PyCM — Machine learning post-processing and analysis PyCM is an open-source Python library designed to systematically evaluate, quantify, and report the performance of machine learning algorithms. It offers an extensive range of metrics to assess algorithm performance comprehensively, enabling users to compare different models and identify the optimal one based on their specific requirements and priorities. Additionally, PyCM supports generating evaluation reports in various formats. 
Widely recognized as a standard and reliable post-processing tool, PyCM has been adopted by leading open-source AI projects, including TensorFlow, Google’s scaaml, Torchbearer, and CLaF. In this grant, the team will implement several new features, such as data distribution analysis, dissimilarity / distance matrices and curve analysis. In addition the project will improve benchmarking and confidence, and introduce an API and GUI for wider adoption. >> Read more about PyCM Re-isearch Schmate — Extending re-Isearch with a flat vector datatype for embeddings Schmate is the development name for the evolving next iteration of re-Isearch adding vector datatypes for embeddings and applications like retrieval augmented generation (RAG). Schmate (pronounced \"SHMAH-teh\") is Yiddish for rag (שמאטע). In contrast to typical vector stores the proposed re-Isearch+ shall offer a full passage information retrieval system (index and retrieval) using a combination of dense and sparse vectors as well as structure. It is dense passage retrieval (DPR) and a whole lot more. It addresses the stumbling blocks of chunking, has a tight integration of ingest, tokenisation, a number of alternative vector stores and similarity algorithms and, above all, uses a novel combination of understanding document structure (implicit and explicit) to provide a better contextual passage retrieval to solve the problem of misaligned context. This builds on the observation that meaning is also communicated through structure so needs to be viewed in the context of structure. Since structure like the words are meant by the sender (writer) to be received and understood (reader) our approach is to exploit the original author's organization of content to determine appropriate passages rather than relying solely on the chunks. 
>> Read more about Re-isearch Schmate SCION-enabled IPFS and libp2p — Enhancing IPFS Performance and Resilience through SCION's Path-Aware Networking SCION is a clean-slate Next-Generation Internet (NGI) architecture which offers a.o. multi-path and path-awareness capabilities by design. Moreover, SCION was designed to provide route control, failure isolation, and explicit trust information for end-to-end communication. As a result, the SCION architecture provides strong resilience and security properties as an intrinsic consequence of its design. The goal in this project is to leverage the path-awareness in SCION to align the storage and lookup in IPFS with the underlying network in an optimal manner, while at the same time using SCION to establish trust between the entities. >> Read more about SCION-enabled IPFS and libp2p SCION-Pathdiscovery — Secure and reliable decentralized storage platform With the amount of downloadable resources such as content and software updates available over the Internet increasing year over year, it turns out not all content has someone willing to serve all of it up eternally for free for everyone. And in other cases, the resources concerned are not meant to be public, but do need to be available in a controlled environment. In such situations users and other stakeholders themselves need to provide the necessary capacity and infrastructure in another, collective way. This of course creates new challenges. Unlike a website you can follow a link to or find through a standard search engine and which you typically only have to vet once for security and trustworthiness, the distributed nature of such a system makes it difficult for users to find the relevant information in a fast and trustworthy manner. 
One of the essential challenges of information management and retrieval in such a system is the location of data items in a way that the communication complexity remains scalable and a high reliability can be achieved even in case of adversaries. More specifically, if a provider has a particular data item to offer, where shall the information be stored such that a requester can easily find it? Moreover, if a user is interested in a particular information, how does he discover it and how can he quickly find the actual location of the corresponding data item? The project aims to develop a secure and reliable decentralized storage platform enabling fast and scalable content search and lookup going beyond existing approaches. The goal is to leverage the path-awareness features of the SCION Internet architecture to use network resources efficiently in order to achieve a low search and lookup delay while increasing the overall throughput. The challenge is to select suitable paths considering those performance requirements, and potentially combining them into a multi-path connection. To this end, we aim to design and implement optimal path selection and data placement strategies for a decentralized storage system. >> Read more about SCION-Pathdiscovery Geographic tagging of Routing and Forwarding — Geographic tagging and discovery of Internet Routing and Forwarding SCION is the first clean-slate Internet architecture designed to provide route control, failure isolation, and explicit trust information for end-to-end communication. As a path-based architecture, SCION end-hosts learn about available network path segments, and combine them into end-to-end paths, which are carried in packet headers. By design, SCION offers transparency to end hosts with respect to the path a packet travels through the network. This has numerous applications related to trust, compliance, and also privacy. 
With a better understanding of the geographic and legislative context of a path, users can for instance choose trustworthy paths that best protect their privacy, or avoid the need for privacy-intrusive and expensive CDNs by selecting resources closer to them. SCION is the first to have such a decentralised system offer this kind of transparency and control to users of the network. >> Read more about Geographic tagging of Routing and Forwarding SES - SimplyEdit Spaces — SimplyEdit Spaces - collaborative presentations SimplyPresent allows users to collaboratively create and deliver good-looking presentations using CRDTs through Hyper Hyper Space - another project supported by NGI Assure. SimplyPresent is itself based on top of the open source SimplyEdit tool, adding advanced user-friendly presentation features. SimplyPresent allows team members to live edit a presentation and the presenter notes while the presentation is being given, and to control the presentation from any phone without complicated setup: all that is needed on the presenting system or with remote viewers is a URL which will sync through Hyper Hyper Space. >> Read more about SES - SimplyEdit Spaces SOLID Data Workers — Toolkit to ingest data into SOLID Solid Data Workers is a toolkit to leverage the Solid platform (an open source project led by Tim Berners-Lee) into a viable, convenient, open and interoperable alternative to privacy-hungry data silos. The aim is to use Solid as a general purpose storage for all of the user's private information, giving them a linked-data meaning to enrich the personal graph and provide a first-class semantic web experience. 
The project involves a PHP and a NodeJS implementation of the \"Data Workers\" toolkit to ease the \"semantification\" of the data collected from external services (SPARQL queries build, metadata retrieval and storage, relationships creation...), some sample software components to import existing data into the semantic graph and keep it synchronized with back-end sources (primarily: emails and calendars), and a proof-of-concept application to showcase the potentials of the semantic web applied to personal linked data. As Solid may be self-hosted or hosted by third-party providers, Solid Data Workers may be attached to any of those instances and to different back-end services. >> Read more about SOLID Data Workers SWH package manager Data Ingestion — Add Package managers to Software Heritage Software Heritage's ambition is to collect, preserve, and share all software that is publicly available in source code form. In this project we improve the SWH scanner tool which compares any set of files with the SWH archive. This is very useful for detecting license violations or security issues. The goal of the project is to take the scanner from a research prototype to a widely available and usable tool. This involves work around its packaging, user interface, robustness and performance. We will be re-purposing the advanced graph-comparison algorithm from the Mercurial DVCS to minimize the load to the SWH archive. We will also expand the list of existing source code origins: we will create new listers and loaders for Maven, Go, Packagist, RubyGems, Bower, CPAN and pub.dev/Dart package managers. >> Read more about SWH package manager Data Ingestion Storing Efficiently Our Software Heritage — Faster retrieval within Software Heritage Software Heritage (https://www.softwareheritage.org) is the single largest collection of software artifacts in existence. 
But how do you store this in a way that you can find something fast enough, taking into account that these are billions of files with a huge spread in file sizes? \"Storing Efficiently Our Software Heritage\" will build a web service that provides APIs to efficiently store and retrieve the 10 billion small objects that today comprise the Software Heritage corpus. It will be the first implementation of the innovative object storage design that was designed in early 2021. It has the ability to ingest the SWH corpus in bulk: it makes building search indexes an order of magnitude faster, helps with mirroring etc. The project is the first step to a more ambitious and general purpose undertaking allowing to store, search and mirror hundreds of billions of small objects. >> Read more about Storing Efficiently Our Software Heritage SeedVault Integrity — Add integrity checking and WebDAV support to SeedVault Android backups SeedVault Backup is an independent open-source app data backup application for Android and derived mobile operating systems. By storing Android users' data and files in a place the user chooses, and by using client-side encryption to protect backed-up data, SeedVault offers users maximum data privacy and resilience with minimal hassle. SeedVault uses Android's storage access framework (SAF) to read and write encrypted app data. This allows it to backup and restore application data on a wide range of platforms (such as Nextcloud) and even USB flash drives. The project will improve the current implementation to allow storing files also on generic WebDAV-based storage without the SAF abstraction layer for improved performance and reliability. It will be possible to decide what apps and files should be restored and to verify the integrity of the backups made. 
>> Read more about SeedVault Integrity SensifAI — AI driven image tagging Billions of users manually upload their captured videos and images to cloud storages such as Dropbox, Google Drive and Apple iCloud straight from their camera or phone. Their private pictures and video material are subsequently stored unprotected somewhere else on some remote computer, in many cases in another country with quite different legislation. Users depend on the tools from these service providers to browse their archives of often thousands and thousands of videos and photo's in search of some specific image or video of interest. The direct result of this is continuous exposure to cyber threats like extortion and an intrinsic loss of privacy towards the service providers. There is a perfectly valid user-centric approach possible in dealing with such confidential materials, which is to encrypt everything before uploading anything to the internet. At that point the user may be a lot more safe, but from now on would have a hard time locating any specific videos or images in their often very large collection. What if smart algorithms could describe the pictures for you, recognise who is in it and you can store this information and use it to conveniently search and share? This project develops an open source smart-gallery app which uses machine learning to recognize and tag all visual material automatically - and on the device itself. After that, the user can do what she or he wants with the additional information and the original source material. They can save them to local storage, using the tags for easy search and navigation. Or offload the content to the internet in encrypted form, and use the descriptions and tags to navigate this remote content. Either option makes images and videos searchable while fully preserving user privacy. 
>> Read more about SensifAI Smart lookup & inference for Semantic Data — Knowledge mapping within a postgresql database Semantic knowledge representations have not evolved since the Semantic Web was proposed during the 1990s. Modern graph databases offer new possibilities for knowledge representation, but the methods are poorly developed and require the use of specialized query languages and clumsy outdated formats. This project aims to make semantic maps easy for general use, using standard SQL databases and modern lightweight data formats. A user workflow starts from a simple note-taking language, then ingesting into a database using a graph model based on the causal semantic spacetime model, to the use of a simple web application for supporting graph searches and data presentation. The aim is to make a generally useful library for incorporating into other applications, or running as a standalone notebook service. >> Read more about Smart lookup & inference for Semantic Data Software Heritage — Collect, preserve and share the source code of all software ever written Software Heritage is a non profit, multi-stakeholder initiative with the stated goal to collect, preserve and share the source code of all software ever written, ensuring that current and future generations may discover its precious embedded knowledge. This ambitious mission requires proactively harvesting from a myriad of source code hosting platforms over the internet, each one having its own protocol, and coping with a variety of version control systems, each one having its own data model. This project will among other things help ingest the content of over 250000 open source software projects that use the Mercurial version control system that will be removed from the Bitbucket code hosting platform in June 2020. 
>> Read more about Software Heritage Peer-to-Peer Access to Our Software Heritage — Access Software Heritage data via IPFS DHT Peer-to-Peer Access to Our Software Heritage (SWH × IPFS) is a project aimed at supporting Software Heritage’s mission to build a universal source code archive and preserve it for future generations by leveraging IPFS’s capabilities to share and replicate the archive in a decentralized, peer-to-peer manner. The project will build a bridge between the existing Software Heritage (SWH) API and the IPFS network to transparently serve native IPFS requests for SWH data. In the short term, this allows users using IPFS to form their own Content Distribution Network for SWH data. Longer term, we hope this will serve as a foundation for a decentralized network of copies that, together, ensure that the loss of no one repository, however large, results in the permanent destruction of any part of our heritage. The end product would be a perfect application of IPFS’s tools and a step in the direction of a decentralized internet services infrastructure. >> Read more about Peer-to-Peer Access to Our Software Heritage Solid NC 2024 — Add more Solid capabilities to Nextcloud The Solid Nextcloud project implemented a server component with the Solid specification for Nextcloud, which makes one's Nextcloud server a Solid server as well. This allows users to use their existing server for identity and storage within the Solid eco-system. To enhance security and to enable easier cooperation and release of new versions we need to improve a number of things. The CI/CD of the project will be improved. Based on an earlier audit, we will implement a number of security enhancing features and we will release a PHP Solid Server next to the Solid Nextcloud module. These servers share a lot of code, which makes maintenance easier. The advantage is that PHP has a security maintenance cycle of three years, making it easier for users to stay secure when using a Solid server. 
>> Read more about Solid NC 2024 Solid Compound — A software library/framework to simplify designing for W3C Solid Solid Compound is an innovative library designed to streamline the integration of web applications into the Solid ecosystem. It provides functionality to Solid App developers to make their Solid Apps usable without end-users needing a Solid Pod or a WebID. This lowers the barrier of entry for new end-users and allows everyone to use newly crafted and innovative Solid applications. Solid Compound offers a hybrid data storage approach, allowing for data to be stored either in the application's datastore (but Solid-ready) or in the user's Solid pod. It also enables user authentication (either done by the application or Solid-OIDC). This merging of traditional web development with Solid-compatible systems also extends the functionality to include a feature that enables data and identity migration from an application's datastore to a user's pod when they are ready. The hybrid approach ensures a smooth transition towards a more decentralized web, while simultaneously broadening the reach of Solid developers to users who may not yet be familiar with the Solid ecosystem. >> Read more about Solid Compound Solid Data Modules — Improve data accessibility and prevent data corruption in Solid Pods The Solid Project enables a \"Bring your own Data\" architecture, but this is only useful if apps understand the data they find on the pod. Client-client specs are the crucial but underdeveloped core part of the Solid project which needs urgent attention now. Solid Data Modules will build on the existing remoteStorage modules work and the Solid Application Interoperability spec. They will support the data types already documented in the PDS Interop (https://pdsinterop.org/conventions/overview) and Shaperepo (https://shaperepo.com) initiatives. 
Apart from making data more easily accessible, reliably updating index files, and preventing data corruption, the Solid Data Modules will also automatically show the app developer which fine-grained Data Grants to request. That way, we hope to finally stop the bad practice of even demo apps that request root access to your pod. >> Read more about Solid Data Modules Solid Application Interoperability — Solid Application Interoperability specification details how Agents in the Solid ecosystem can read, write, and manage data stored in a Solid pod using disparate Applications, either individually or in collaboration with other Agents. Solid is a specification that lets people store their data securely in decentralized data stores called Pods. Pods are like secure personal web servers for data. When data is stored in someone's Pod, they control which people and applications can access it. Solid was initiated and is currently led by the inventor of the World Wide Web, Sir Tim Berners-Lee. Solid Application Interoperability provides a clear way to create intuitive data boundaries and higher level patterns to manage access to that data following the principle of least privilege. In this follow up project there is a focus on implementing the Authorization Agent service in TypeScript. It will also work on the SAI specification, which needs to provide more details on how the agent who receives an access grant gets updated when the access grant is replaced by a new one. The Authorization Agent service will also implement the server to server subscription type developed in the Solid Authentication panel. >> Read more about Solid Application Interoperability Solid Usable App Tools Project — Improve developer experience for W3C Solid The Solid project is one of the best known efforts promising to bring individual data ownership to the people of Europe and the world. 
While Solid has many use cases, a common example is an alternative to Facebook, Instagram, and Twitter where a user can own their own social media data. But, Solid's current specification, implementations, and developer tools are not yet able to support a full-fledged social media alternative. This project will aide the ongoing specification and developer tool development for Solid by filling in the gaps that are currently preventing a \"home-run\" app from being created on Solid. Particular areas of concern for this project are: Authentication for Mobile Apps and Bots, Real-Time Notifications, and Easier Devtools (which caters also for developer that lack much prior knowledge of linked data). In addition, the project will produce a tutorial series to make developing apps on Solid as easy as learning how to use more mainstream technologies like React. >> Read more about Solid Usable App Tools Project Secure User Interfaces (Spritely) — Usability of decentralised social media Spritely is a project to advance the federated social network by adding richer communication and privacy/security features to the network. This particular sub-project aims to demonstrate how user interfaces can and should play an important role in user security. The core elements necessary for secure interaction are shown through a simple chat interface which integrates a contact list as an easy-to-use implementation of a \"petname interface\". Information from this contact list is integrated throughout the implementation in such a way that helps reduce phishing risk, aids discovery of meeting other users, and requires no centralized naming authority. As an additional benefit, this project will demonstrate some of the asynchronous network programming features of the Spritely development stack. 
>> Read more about Secure User Interfaces (Spritely) Standards Grammar Catalog/Toolchain — Open Standards Grammar Catalog/Toolchain The Open Standards Grammar Catalog/Toolchain makes it easier to implement a format or protocol by translating its machine-readable definition, usually in a language such as ABNF, into forms readily compatible with popular programming languages, like regular expressions, YACC, ANTLR, and native code. By providing a toolchain for making these translations, assembling a catalog of commonly used formats & protocols, and publishing a developer-friendly website for browsing the grammars and generating translations, these tools will reduce the need to manually write a parser, ultimately reducing errors due to hand-written code, and enhancing interoperability. >> Read more about Standards Grammar Catalog/Toolchain Stencila v2 for ERA and EPP — Add editable, runnable code to scientific publications Stencila offers a platform for collaborating on, and publishing, dynamic, data-driven content with the aim of lowering the barriers for creating data-driven documents and making it easier to create beautiful, interactive, and semantically rich, articles, web pages and applications from them. The latest version, a rewrite in Rust, is aimed at leveraging two relatively recent and impactful innovations: conflict-free replicated data types (CRDTs), for de-centralized collaboration and version control, and large language models (LLMs) for assisting in writing and editing prose and code. These technologies used together provide an advance in scholarly communication of research findings by powering the Enhanced Preprint Platform and Executable Research Articles at publishing venues such as eLife and GigaScience. >> Read more about Stencila v2 for ERA and EPP StreetComplete — Fix open geodata with OpenStreetMap The project will make collecting data for OpenStreetMap easier and more efficient. 
OpenStreetMap is the best source of information for general purpose search engines that need geographic data about locations and properties of various objects. The objects vary from cities and other settlements to shops, parks, roads, schools, railways, motorways, forests, beaches etc. The search engine can use the data to answer queries such as \"route to nearest wheelchair accessible greengrocer\", \"list of national parks near motorways\" or \"London weather\". The full OpenStreetMap dataset is publicly available under an open license and already used for many purposes. Improving OSM increases quality of services using open data rather than proprietary datasets kept as a trade secret by established companies. >> Read more about StreetComplete StreetComplete/AllThePlaces — Ingest data from AllThePlaces into StreetComplete This project will contribute to more accurate data about shops and other businesses in OpenStreetMap, by suggesting to mappers places where shops might be missing. The detection of places where a shop may exist but nothing is mapped in OpenStreetMap will be powered by the All The Places project, which crawls store location webpages across many businesses. Mappers will thus be able to quickly add a shop to OpenStreetMap, after adjusting location as needed. >> Read more about StreetComplete/AllThePlaces StreetComplete — Collaborative editing in OpenStreetMap StreetComplete is a mobile app that makes it easy and fun to contribute to OpenStreetMap while out and about. OpenStreetMap is the largest open data community about maps, and the go-to source for free geographic data when doing a location-based search. This project focuses on making the collection of data to be used in a search more powerful and efficient. 
More specifically, the main goals are to add the possibility to collect more data with an easy interface and to add a new view in which it shall be more efficient to complete and keep up-to-date certain types of data, such as housenumbers or cycleways. >> Read more about StreetComplete StreetComplete UX — Improve usability of StreetComplete OpenStreetMap is the best source of information for general purpose search engines that need geographic data about locations and properties of various objects. The objects vary from cities and other settlements to shops, parks, roads, schools, railways, motorways, forests, beaches etc. The search engine can use the data to answer queries such as \"route to nearest wheelchair accessible greengrocer\", \"list of national parks near motorways\" or \"London weather\". The full OpenStreetMap dataset is publicly available under an open license and already used for many purposes. The project will make collecting open data for OpenStreetMap easier and more efficient, and lower the threshold for contribution by improving usability and accessibility. Any user should be able to help improve OpenStreetMap data, simply by downloading the app from F-droid or Google store and mapping as they walk. >> Read more about StreetComplete UX GNU Taler Wallet ID Lookup Service — Optional discovery of TALER wallet addresses linked to digital identities GNU Taler is a payment system that makes privacy-friendly online transactions fast and easy. This project will facilitate the support of peer-to-peer payments (P2P) for the GNU Taler payment system between users by implementing a privacy-friendly directory service and lightweight inbox service (TALer DIRectory). The services will allow users to securely associate their online identities (such as email addresses, phone numbers, X/Twitter/Mastodon handles or other suitable verifiable addresses and accounts) with their wallet public keys and the URL of an inbox service and use it for P2P payments. 
Storage and retrieval may also be offloaded to distributed directory services such as DNS or GNS (RFC 9498) instead of a database and web service while maintaining the respective privacy guarantees. >> Read more about GNU Taler Wallet ID Lookup Service TypeCell — CRDT-based collaborative block-based editor TypeCell aims to make software development more open, simple and accessible. TypeCell integrates a live-programming environment as a first-class citizen in an end-user block-based document editor, forming an open source application platform where users can instantly inspect, edit and collaborate on the software they’re using. TypeCell spans a number of different projects improving and building on top of Matrix, Yjs and Prosemirror to advance local-first, distributed and collaborative software for the web. >> Read more about TypeCell URL Frontier — Develop an API between web crawler and frontier Discovering content on the web is possible thanks to web crawlers; luckily, there are many excellent open source solutions for this. However, most of them have their own way of storing and accessing the information about the URLs. The aim of the URL Frontier project is to develop a crawler-neutral API for the operations that a web crawler performs when communicating with a web frontier e.g. get the next URLs to crawl, update the information about URLs already processed, change the crawl rate for a particular hostname, get the list of active hosts, get statistics, etcetera. It aims to serve a variety of open source web crawlers, such as StormCrawler, Heritrix and Apache Nutch. The outcomes of the project are to design a gRPC schema then provide a set of client stubs from the schema as well as a robust reference implementation and a validation suite to check that implementations behave as expected. The code and resources will be made available under the Apache License as a sub-project of crawler-commons, a community that focuses on sharing code between crawlers. 
One of the objectives of URL Frontier is to involve as many actors in the web crawling community as possible and get real users to give continuous feedback on our proposals. >> Read more about URL Frontier variation graph (vgteam) — Privacy enhanced search within e.g. genome data sets Vgteam is pioneering privacy-preserving variation graphs, which make it possible to capture complex models and aggregate data resources with formal guarantees about the privacy of the individual data sources from which they were constructed. Variation graphs relate collections of sequences together as walks through a graph. They are traditionally applied to genomic data, where they support the compression and query of very large collections of genomes. But there are many types of sensitive data that can be represented in a variation graph form, including geolocation trajectory data - the trajectories of individuals and vehicles through transportation networks. Epidemiologists can use a public database of personal movement trajectories to for instance do geophylogenetic modeling of a pandemic like SARS-CoV2. The idea is that one cannot see individual movements, but rather large scale flows of people across space that would be essential for understanding the likely places where an outbreak might spread. This is essential information to understand at scientific and political level how to best act in case of a pandemic, now and in the future. The project will apply formal models of differential privacy to build variation graphs which do not leak information about the individuals whose data was used to construct them. For genomes, the techniques allow us to extend the traditional models to include phenotype and health information, maximizing their utility for biological research and clinical practice without risking the privacy of participants who shared their data to build them. For geolocation trajectory data, people can share data in the knowledge that their social graph is not exposed. 
The tools themselves are not limited to the above use cases, and open the doors to many other types of applications both online (web browsing histories, social media usage) and offline. >> Read more about variation graph (vgteam) VersaTiles — Simplify vector map tile creation, hosting, and interaction VersaTiles provides vital digital infrastructure for web maps, offering a free, flexible alternative to commercial services. Web maps are essential in fields like data journalism, research, and emergency response, but current commercial solutions are often costly, proprietary, and pose privacy concerns. VersaTiles addresses this by dividing the complex process of map creation, distribution, and visualization into manageable layers, ensuring interoperability and scalability. With its open, transparent approach, VersaTiles promotes digital sovereignty in Europe, empowering public institutions, media, and developers with an accessible, high-quality map infrastructure that avoids vendor lock-in and supports free access to geospatial data. >> Read more about VersaTiles Vouivre — A dependent type system for machine learning in Lisp Current machine learning frameworks are built around relatively weak type systems. This is a problem because, at scale, machine learning applications are exceedingly intricate and computationally expensive, therefore making costly runtime errors unavoidable. This is where Vouivre comes into play. Using a dependent-type system, the project aims at enabling users to write machine-learning applications that solve real-world problems with compile-time validation of their correctness, thus preventing runtime errors at a reasonable computational cost. >> Read more about Vouivre Independent captions and transcript augmentation — Speech-to-text integration for Waasabi Waasabi is a highly customizable platform for self-hosted video streaming (live broadcast) events. 
It is provided as a flexible open source web framework that anyone can host and integrate directly into their existing website. By focusing on quick setup, ease of use and customizability Waasabi aims to lower the barrier of entry for hosting custom live streaming events on one's own website, side-stepping the cost, compromises and limitations stemming from using various \"batteries-included\" offerings, but also removing the hassle of having to build everything from scratch. In this project the team seeks to integrate tools for transcript augmentation, augmented human captioning and automatic machine-generated captions using open-source software based on machine learning and royalty-free training data and models. The primary use case is live captioning for live internet broadcasts (primarily video streaming). With such tools online event organizers will be able to create interactive transcripts and better live captions for their events anytime everywhere - and without external dependencies. >> Read more about Independent captions and transcript augmentation WebXray Discovery — Expose tracking mechanism in search hubs WebXray intends to build a filter extension for the popular and privacy-friendly meta-search Searx that will show users what third party trackers are used on the sites in their results pages. Full transparency of what tracker is operated by what company is provided to users, who will be able to filter out sites that use particular trackers. This filter tool will be built on the unique ownership database WebXray maintains of tracking companies that collect personal data of website visitors. Mapping the ownership of tracking companies which sell behavioural profiles of individuals, is critical for all privacy and trust-enhancing technologies. 
Considerable scrutiny is given to the large players who conduct third party tracking and advertising whilst little scrutiny is given to large numbers of smaller companies who collect and sell unknown volumes of personal data. Such collection is unsolicited, with invisible beneficiaries. The ease and speed of corporate registration provides the opportunity for data brokers to mitigate their liability when collecting data profiles. We must therefore establish a systematic database of data broker domain ownership. The filter extension that will be the output of the project will make this ownership database visible and actionable to end users, and to curate the crowdsourced data and add it to the current database of ownership (which is already comprehensive, containing detailed information on more than 1,000 ad tech tracking domains). >> Read more about WebXray Discovery WikiRate: More Sites, More Cites — Persistent citation for Decko-based open source data collections WikiRate.org is the largest open source registry of ESG data in the world with more than 3.5 million data points for over 100,000 companies. By bringing this information together in one place and making it accessible, comparable and free for all, we aim to provide society with the tools and evidence needed to help and encourage companies to respond to the world's social and environmental challenges. To achieve this systemic change we need corporate accountability at scale. Focusing on the top 10, 100, or even 1000 companies, is not sufficient. Rather we need to monitor and understand impacts at industry and value chain levels, whilst leveraging individual corporate accountability to transform companies into positive agents of change. This follow-up project is focused on adding functionality to the underlying tool (Decko) which will allow in a fine-grained way to point at specific data slices, as well as a history of any updates and corrections to such data. 
>> Read more about WikiRate: More Sites, More Cites WikiRate Insights — Transforming WikiRate ESG Platform User Experience to Maximise Reliable Data Insights For too long actionable data about the behavior of companies has been hidden behind the paywalls of commercial data providers. As a result only those with sufficient resources were able to advocate and shape improvements in corporate practice. Since launching in 2016, WikiRate.org has become the world’s largest open source registry of ESG (Environmental, Social, and Governance) data with nearly 1 million data points for over 55,000 companies. Through the open data platform anyone can systematically gather, analyze and discuss publicly available information on company practices, joining current debates on corporate responsibility and accountability. By bringing this information together in one place, and making it accessible, comparable and free for all, we aim to provide society with the tools and evidence it needs to spur corporations to respond to the world's social and environmental challenges. Homing in on the usability of the platform, this project will tackle some of the most crucial barriers for users when it comes to gathering and extracting the data, whilst boosting reuse of the open source platform for other purposes. >> Read more about WikiRate Insights WikiRate Insights 2 — Dedicated text search architecture for environmental, social and corporate governance platform The project summary for this project is not yet available. Please come back soon! >> Read more about WikiRate Insights 2 Winden/Magic Wormhole dilation — Improving Magic-Wormhole by implementing dilation and multiple file support for the web Winden is an open-source web app built on the Magic-Wormhole protocol, which allows two devices to connect and exchange data without requiring identity information. We are building Winden to make file-transfers for the web secure and private. 
With Winden, we are giving users control over their data without them needing to trust us. This project adds support for reconnection (referred to as the ‘Dilation’ protocol) and multiple file-transfers into both Winden and wormhole-william, the Go implementation of Magic-Wormhole used by Winden and other projects. Magic-Wormhole file-transfers require both parties to be online at the same time. Dilation allows for reconnection and changing networks during a transfer. This reduces the risks of connection interruptions during these synchronous transfers. Multiple file support is a much sought after need for transferring data, which requires Dilation (and Dilation’s sub-channels). >> Read more about Winden/Magic Wormhole dilation iTowns — Visualise 2D and 3D geospatial data on virtual globes & maps iTowns is an open-source framework designed for web-based visualisation, navigation and interaction with 2D and 3D geospatial data on globes and maps. Built on Open Geospatial Consortium (OGC) open standards, it is developed with data and service interoperability in mind. It seamlessly integrates with geographical services, offering support of standard raster and vector data, including aerial imagery and terrain models. The framework supports large, heterogeneous 3D datasets such as OGC's 3D Tiles, making it ideal for building applications for urban planning and environmental monitoring. It can be easily extended to support other open formats, offering a highly customizable platform for developers. iTowns is a geographic commons, developed collectively by a diverse community of contributors, comprising independent developers, public organizations, research laboratories and private companies. It aims to provide a European alternative to Big Tech products which often overlook a broad class of users. 
Instead, iTowns offers a modular framework to build a wide range of use cases, including visualisation, GIS, environmental and educational applications, making it versatile and adaptable for different geospatial projects. >> Read more about iTowns jaq — Implementation of jq in Rust with formal semantics JSON is a data format that is frequently used to publish Open Data. jq is a widely used programming language that allows citizens to easily process JSON data. There are several tools to run jq programs, including jq, gojq, and jaq. Of these three tools, jaq is the fastest (judging from several benchmarks), despite having the smallest code base. This project centers on improving jaq and the wider jq ecosystem: First, we want to advance the development of jaq, in particular to support more features of jq. Next, we want to make jaq more accessible, by creating JavaScript bindings for jaq. This will allow developers to integrate jaq into websites. Furthermore, this will allow users to run jaq from a browser, respecting their privacy by processing data on their machines. Finally, we want to create formal semantics for jq, based on jaq's execution approach. This will allow users to better understand how jq programs behave. >> Read more about jaq openEngiadina — Platform for creating, publishing and using open local knowledge OpenEngiadina is developing a platform for open local knowledge - a mashup between a semantic knowledge base (like Wikipedia) and a social network using the ActivityPub protocol. openEngiadina is being developed with small municipalities and local organizations in mind, and wants to explore the intersection of Linked Data and social networks - a 'semantic social network'. openEngiadina started off as a platform for creating, publishing and using open local knowledge. The structured data allows for semantic queries and intelligent discovery of information. 
The ActivityPub protocol enables decentralized creation and federation of such structured data, so that local knowledge can be created by independent actors in a certain area (e.g. a music association publishes concert location and timing). The project aims to develop a backend allowing such a platform, research ideas into user interfaces and strengthen the ties between the Linked Data and decentralized social networking communities. >> Read more about openEngiadina Privacy Preserving Disease Tracking — Research into contact tracing privacy In case of a pandemic, it makes sense to share data to track the spread of a virus like SARS-CoV2. However, that very same data when gathered in a crude way is potentially very invasive to privacy - and in politically less reliable environments can be used to map out the social graph of individuals and severely threaten civil rights and a free press. Unless the whole process is transparent, people might not be easily convinced to collaborate. The PPDT project is trying to build a privacy preserving contact tracing mechanism that allows users to be notified if they have come in contact with potentially infected people. This should happen in a way that is as privacy preserving as possible. We want to have the following properties: the users should be able to learn if they got in touch with infected parties, ideally only that - unless they opt in to share more information. The organisations operating servers should not learn anything besides who is infected, ideally not even that. The project builds a portable library that can be used across different mobile platforms, and a server component to aggregate data and send this back to the participants. >> Read more about Privacy Preserving Disease Tracking PurlValidator — Check validity of software package identifiers online and offline Package-URL, or PURL, is the de-facto standard for identifying software packages, used by open source SCA tools, SBOM and VEX specs, and vulnerability databases. 
But using a standard syntax does not prevent errors: A recent (not yet published) study on the quality of software bill of materials (SBOM) revealed that far too often PURLs in SBOMs are still inconsistent, fake, incorrect, or misleading. This is a major impairment to any application of SBOMs, and industry-wide cybersecurity and application security. The PurlValidator project is a public service, based on PurlDB, to validate all the PURLs. An extension of the purl2all project, PurlValidator validates the PURL syntax against any known PURLs by exposing PurlDB's reference data of 20M+ PURLs. PurlValidator also provides decentralized libraries for offline use that can be integrated in multiple tech stacks for all major ecosystems, beyond what is already available for PURL tools. The goal of this project is to provide an accessible, single source of truth to the security and SBOM ecosystem at large and improve the quality and accuracy of PURLs in use, imperative for CRA compliance. >> Read more about PurlValidator uMap — Collaborative custom mapping with OpenStreetMap data uMap is an online open source application to make custom maps. It aims to make creating maps easy for anyone in a few clicks. It’s simple for basic use cases, whether you want to prepare a bike trip with your friends or communicate the current roadworks for your city. But it’s also flexible and extendable for more complex or custom ones: drawing or importing data, customizing style and interface, sharing access to a map… uMap is also easy to install and to maintain to enforce a decentralized model. It is already deployed in several European countries, and is translated into dozens of languages. Plus, it also allows maps to be created anonymously. In this project, we will add real-time collaboration on maps with local-first support - which will for instance help a lot with live events and mapping sprints - and clean up the user interface. 
>> Read more about uMap uMap Vector Tiles — Use vector tiles to build custom maps with OpenStreetMap data uMap is a web application which lets you quickly build custom maps with OpenStreetMap’s background layers and integrate them on your own website. Vector tiles allow two main things: less duplicated content, and data transmitted at the same time as the tiles, enabling scenarios where data and background could be styled according to the user's needs, which previously required serving custom tiles. >> Read more about uMap Vector Tiles ","title":"Data and AI","url":"https://nlnet.nl/thema/DataandAI.html"},{"title":"Conferences","url":"https://nlnet.nl/thema/Conferences.html","description":" Conferences Sponsored conferences and other events aiming at dissemination of internet knowledge and technology. This page contains a concise overview of projects funded by NLnet foundation that belong to Conferences (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. Conferences — Sponsoring of various conferences NLnet historically contributed directly and indirectly to various third party conferences. In some cases, like the renowned SANE conferences, not only financially but also with manpower. Besides these large activities, it used to sponsor smaller events on an irregular basis. Those smaller conference contributions are collected on this page. Currently, NLnet puts the focus on R&D activities — this may change in the future, also depending on suitable budgets for this to become available. Meeting people in person and real human contact can greatly simplify working together on complex topics, and to coordinate work. 
>> Read more about Conferences Hackathons and sprints — contributions to various hackathons and sprints Sprints and hackathons are meetings that bring together developers and other interested people to work on a project side by side. Especially for distributed or virtual teams that are used to working asynchronously, this temporary change of pace combined with being locked up in a room together, can be very productive. In a few days of intense, dedicated in-person interaction, sprints and hackathons may boost a project in terms of new features, resolving long-standing technical debt, trying out new ideas as well as help to improve group cohesion. >> Read more about Hackathons and sprints SANE — System Administration and NEtworking conferences The SANE Conferences are organized by the Dutch UNIX Users Group NLUUG, and target the International UNIX (and Linux/FreeBSD/Darwin) professional users community. The conference language is English. >> Read more about SANE "},{"description":" Community Programs Support for advancing research and development internet communities This page contains a concise overview of projects funded by NLnet foundation that belong to Community Programs (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. GDPR Compliance — Support instruments for the country adoption of the GDPR In 2016, the European Parliament passed the General Data Protection Regulation (GDPR). It will be the harmonised framework, which will establish the rules regarding the protection of personal data in all European countries. 
Although the GDPR is directly applicable without needing any law implementing it on national levels, the majority of countries will need to go through a period of adaptation in which the interpretations of the key issues in practice will be crucial (https://edri.org/analysis-flexibilities-gdpr/). EDRi will provide a series of material, such as a checklist, a technical tool and a set of research papers, to advise Europe's countries on how to translate consent, profiling, access to your data, etc. in practical terms. >> Read more about GDPR Compliance Bits of Freedom — support for Bits of Freedom Bits of Freedom is a privacy and digital rights organisation. Major topics of concern to Bits of Freedom are copyright, the balance between law enforcement and privacy, freedom of speech, and spam. Bits of Freedom is a not-for-profit organisation based in Amsterdam, the Netherlands. BOF organises both public and closed events to promote its ideas, often in collaboration with other organisations. Amongst the events BOF organises is the annual presentation of the Big Brother Awards. >> Read more about Bits of Freedom CAcert — support for CAcert CAcert, Inc., is a non-profit community-oriented Certificate Authority that provides a general service to the community by issuing, where possible, free X.509(v3) certificates for personal and/or server-side use. CAcert services the Open Source digital certificate security needs of users across six continents. Certificates issued by the nonprofit CA form the foundation for many server-side (web) and personal (email) security implementations. >> Read more about CAcert CAIEC — Investigate information offered by consumer organisations This project concerns investigation of the structure of the information offered to the Dutch consumer by consumer organisations. In the first phase of this project, the team will conduct research on the strategy of the Dutch consumer organisation Consumentenbond and their implementation thereof. 
In the next phase, recommendations on how to change this strategy will be worked out. In the last phase, these recommendations will be presented to Consumentenbond. >> Read more about CAIEC The Commons Conservancy — Legal infrastructure for public benefit efforts [The Commons Conservancy] is an initiative to provide a lightweight organisational structure for open projects. Its mission is to strive towards a stable democratic and open global information society in which individuals can collectively scrutinise, reconfigure and improve upon any technology they depend on - unleashing and empowering human innovation at the widest possible scale, with the express intention to empower any individual to participate in all facets of social, cultural, economic and private life under conditions of his or her own choosing and with secure and reliable technology they can have full control over themselves. >> Read more about The Commons Conservancy Donations — smaller contributions to various activities Besides the larger support activities and donations, NLnet also helps out small projects. Since 2005, they have been grouped on this page. >> Read more about Donations FFII — support for the Foundation for a Free Information Infrastructure The FFII is a non-profit organisation with branches in various European countries. FFII concentrates on the spread of data processing literacy. They support the development of public information products based on copyright, free competition, and open standards. In daily practice, FFII is the driving force of the movement which fights against the legalisation of software patents in the European legislation. This means in practice: active lobbying in the European administration in Brussels (in particular the European Parliament), distributing lots of information and press releases, and organising conferences and demonstrations (both physically and on the web). 
>> Read more about FFII FLOSS — Stimulating FLOSS dissemination in The Netherlands The promotion of FLOSS (Free/Libre/Open-Source Software) in The Netherlands needs people. This project will educate FLOSS ambassadors who will disseminate open source philosophy and methods amongst non-profit organisations, SME's and local governments. Volunteers will become ambassadors, trained in the essence of Open Source principles and technology. Communication techniques will be taught to help contact a peer group of NGO's, SME's, and local governments. >> Read more about FLOSS FSF — support for the Free Software Foundation The Free Software Foundation (FSF) is the principal organizational sponsor of the GNU Project. FSF relies on voluntary support from individuals, organizations and companies who support FSF's mission to preserve, protect and promote the freedom to use, study, copy, modify, and redistribute computer software, and to defend the rights of Free Software users. >> Read more about FSF FSF Europe — support for the Free Software Foundation Europe The Free Software Foundation Europe (FSF Europe) is a charitable non-governmental organization dedicated to all aspects of Free Software in Europe. Access to software determines who may participate in a digital society. Therefore the freedoms to use, copy, modify and redistribute software - as described in the Free Software definition - allow equal participation in the information age. The FSF Europe works towards all European aspects of Free Software and especially the GNU Project. It is actively supporting development of Free Software and furthering GNU-based systems, such as GNU/Linux. Also, it provides a competence center for politicians, lawyers and journalists in order to secure the legal, political and social future of Free Software. The NLnet Foundation is stimulating efforts made by FSF Europe to adapt and embed Free Software licenses, like GPL, LGPL, and FDL in the European legal system(s). 
Besides, NLnet supports the Freedom Task Force, which provides licensing services to individuals, projects and businesses involved with Free Software. >> Read more about FSF Europe GPLv3 — GNU Public Licence v3 Development and Publicity Project The creation of GPL version 3 brought together thousands of organizations, software developers, and software users from around the globe, in an effort to update the world's most popular Free Software license. The GPLv3 was one of the largest participatory comments and adoption efforts ever undertaken. On June 29th 2007, the GPL and LGPL version 3 documents were released in their final version. AGPLv3 was launched on November 19th 2007. >> Read more about GPLv3 HWIOS — Hybrid Web In OpenSim (HWIOS) The HWIOS project (Hybrid Web In OpenSim) is meant to create an accessible interface to the popular and most developed virtual world platform called OpenSimulator. One of the main problems of OpenSimulator is that it's too technical for people who want to perform basic operations within this virtual world platform. Compared to tools that exist or are being developed, like wiredux, gridmix, unga, the HWIOS tool has decentralized service management through osservices (sideproject of hwios), it's page-refresh-less (preparation for gwave kind functionality), it's very liberally licensed (bsd license), it has tms map support through osmaps (sideproject of hwios), and it's well structured. The hybrid web interface communicates directly with the OpenSimulator server, and is thus able to hide most of the complexity of admin tasks, and therefore makes most admin tasks easier for less technically oriented users. Besides administrative tasks like user-, service- and land-management, HWIOS is meant to become a general-use next-gen webportal with virtual world support. 
The whole web application doesn't use page refreshing (html over json transport), and is strongly focussed on supporting html5 features, like collaborative text editing through web sockets. It is not concerned about backwards compatibility with older browsers, but will only support the most current html5 featured browsers (chromium and shortly Firefox). It's built on top of tools like Python, Django, Twisted and JQuery. This project is being co-financed by SurfNet. >> Read more about HWIOS MAPS — defending Internet e-mail from abuse by spammers MAPS is a service to limit the transport of known-to-be-unwanted mass e-mail based on the address of the sending MTA (Mail Transfer Agent). >> Read more about MAPS OpenDoc-Soc — Dutch OpenDoc Society The aim of this project is to initiate the Dutch OpenDoc Society which actively promotes the use of ODF -and other Open Standards- to existing organisations, like government, health care, and educational institutes. >> Read more about OpenDoc-Soc ReX — international exchange of scholars for software projects The ReX program aims at improving collaboration between research institutions working on computer software projects, especially those involving networking technology. Collaboration is improved by exchanging complementary research knowledge, and facilitated by a grants program covering costs of travel and temporary work abroad. >> Read more about ReX TOS;DR — A user rights initiative to rate and label website terms & privacy policies Terms of service are often too long to read (reading all of these carefully wrought documents could quite literally cost you years of your life), yet it is very important to understand what is in them. After all, your actual legal position online depends on them in a very concrete way. The ratings from TOS;DR can help users get informed about their rights. 
>> Read more about TOS;DR ","url":"https://nlnet.nl/thema/CommunityPrograms.html","title":"Community Programs"},{"url":"https://nlnet.nl/thema/BinaryAnalysisFund.html","title":"Binary Analysis Fund","description":" Binary Analysis Fund Derive knowledge from binary blobs such as firmwares This page contains a concise overview of projects funded by NLnet foundation that belong to Binary Analysis Fund (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. Automated clearing of source code files — More efficient retrieval of security and license compliance contextual information A common task for companies is to clear software source code files for legal or security reasons before they can be used by the software developers. The clearing process is tool driven, using tools such as code clone detectors/snippet matchers, license scanners and security scanners. Typically the clearing process starts from 0 for each new file that is analyzed and the fact that open source software is changed incrementally most of the time, and the software being scanned will likely be nearly identical to previously seen software, is not used. For a (large) subset of files it is possible to use this characteristic to (semi-)automate this process. When scanning a new file, first find a closest file in a set of known files, compute the difference to the known file, checking where the difference in the file is and use rules to determine what action to take depending on where the difference in the file is. When scanning source code people are typically looking at the file as a whole as an individual unit but never at the lifecycle of the file: how much was changed and where was it changed. 
For license compliance it makes no sense to rescan files if the header where the license text is found has not been changed and earlier conclusions can be copied. For security it doesn't matter if only comments are changed but no code. This project tries to tackle this by finding out a little bit more about finding a closest match to the code (is there already a file that is close enough), determine the structure of the file (what is comments, what is code) and then comparing the two files to see where changes were made. Depending on the scenario (license compliance or security) different actions can subsequently be taken by the user. >> Read more about Automated clearing of source code files binary-analysis-ng improvements — Integrate Kaitai in binary-analysis-ng Firmware is one of the most opaque components of our technology stack. Firmware analysis is a critical factor in making our appliances more secure, but there is a very limited set of tools available. BANG is a tool to analyse firmware and other binary files. The code and complexity of the tool has grown significantly over time, making it challenging to maintain. Most of the parsers are hand-made. Meanwhile the reverse engineering community has produced significant efforts for analyzing binaries, such as the kaitai struct framework (http://kaitai.io). The project will integrate these efforts, and will in addition work on optimising performance based on realistic workload performance measurements. >> Read more about binary-analysis-ng improvements Serialization in Kaitai Struct for Java and Python — Declaratively modify and create complex binary file formats Kaitai Struct (KS) is a tool for working with binary formats. It introduces a declarative domain-specific language for describing the structure of arbitrary binary formats. Over 170 formats are already described in the official format gallery. 
Based on any specification, KS can automatically generate a ready-to-use parsing module in one of 11 programming languages (C++/STL, C#, Go, Java, JavaScript, Lua, Nim, Perl, PHP, Python, Ruby). The current state of KS only allows you to extract data from binary files (parsing). However, in many cases, the opposite direction is also needed, i.e. to modify the data in the binary files or to create new ones (serialization). It is a logical extension to KS that allows new uses of written format specifications. This is by far the most requested feature in KS for a long time. Its absence prevents many users from using KS to its full potential. The goal is to add stable serialization support to the KS project. This will involve extending the compiler, adding support for serialization in runtime libraries, and building an automated testing infrastructure for serialization. This project will implement serialization for Java and Python. >> Read more about Serialization in Kaitai Struct for Java and Python ZIP file format description — Documenting the ZIP file format for reverse engineers and developers The ZIP file format was originally a compression format, but is meanwhile used a lot in projects. Although there is a historical specification (dating back to 1990), there are plenty of edge cases as well as files not following the specification. These for instance add extra data (electronic signatures/keys, pad data; an example are Android APK files) or change headers (Dahua firmware files). Information is scattered on various webpages, and can be hard to decipher. The goal is to gather this information in one place and to describe the format properly with examples. Given the broad usage of ZIP files in many use cases by different actors, this will be an ongoing effort - as new exceptions and extensions continue to be uncovered. 
>> Read more about ZIP file format description "},{"description":" Application protocols Network application protocols This page contains a concise overview of projects funded by NLnet foundation that belong to Application protocols (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. 0cpm — 0cpm, open firmware for digital telephony SIP is a well-established IETF standard ready to provide telephony and many other advanced services through the internet, but it seems not to be developing to its full extent. Sometimes we even see lock-in arrangements from vendors. This project aims to overcome these barriers and unleash the true power of the underlying technology platform - it designs and builds open source firmware for digital phones. The project makes full use of the existing capabilities of DNSSEC, ZRTP and IPv6: DNSSEC secures the information looked up on remote parties; ZRTP secures conversations and if it is missing, this will be explicitly communicated to end users. Direct media streams between IPv4 endpoints can only be built up using sophisticated handling like port forwarding, but remain dependent on many factors, while IPv6 simplifies and improves SIP technology immensely. Especially the clever usage of IPv6 makes 0cpm an exciting project. Many people see IPv6 as something to avoid as long as they can because they are afraid of technical headache. This project shows that IPv6 is nothing to fear and offers exciting opportunities. For instance the fact that every RTP media stream can use random end point addresses which can be abandoned after the stream stops. Also it is possible to send IPv6 addresses of different devices in one SIP INVITE message, which is almost impossible to do behind IPv4 NAT. 
This will allow you to send video of a conversation to your television and simultaneously speak through your telephone. >> Read more about 0cpm SIPproxy64/6bed4 — 0cpm, SIPproxy64, 6bed4, applet, freeswitch RTT This is an additional project to the ongoing 0cpm project which is building the IPv6-only telephony. This particular project intends to provide a peering platform allowing for building a network to interconnect telcos, PBX farmers and connections handlers. What's unique here is systematic deployment of IPv6 and the use of RTT (real-time text) within ordinary telephone systems wherewith e.g. deaf people can communicate as if they are speaking. The use of open source firmware for SIP phones in this project is groundbreaking. >> Read more about SIPproxy64/6bed4 PSYC2 — Next iteration of the Protocol for SYnchronous Conferencing Protocol for SYnchronous Conferencing is an efficient text-based protocol for delivery of data to a flexible amount of recipients or people, by unicast or multicast. PSYC2 represents a next iteration of the PSYC framework in conjunction with SecuShare, another NLnet supported project that aims to build a novel social messaging system as part of the GNUnet peer-to-peer system. >> Read more about PSYC2 Ambulant — providing a reference SMIL 3.0 implementation The Ambulant Open SMIL Player is an open-source, full W3C SMIL player. It is intended for researchers who need source-code access to a complete SMIL player environment. It may also be used as a stand-alone SMIL player for applications that do not need proprietary media formats. The player will support a range of SMIL profiles (including desktop and mobile configurations) and will run under Linux and Win32. A Macintosh OS-X port is also expected. The target community for the Ambulant Player are developers of multimedia protocols, networks and infrastructures. 
The Ambulant Player represents the first phase of a multi-year project aimed at improving network level support for multimedia information processing. As one of the results, the Ambulant team contributed considerably to the SMIL 3.0 specification. >> Read more about Ambulant Decibel — service architecture for multi-media based communication Decibel (formerly known as \"OpenCDI\") provides a generic infrastructure, which integrates existing communication protocols --like any plugin based solution would do-- without the need for an application which presents everything in one user interface. It creates components and services, each optimized for a special task (or role). When a component realizes user interaction, the service will provide the technology. A service-based architecture will interconnect components to fulfill a given task. >> Read more about Decibel Internet of Coins — Create a decentralized, self-sustaining economy by implementing inter-blockchain connectivity Internet of Coins is an environment for personal finance. As a decentralized open source platform it enables an optimally inclusive financial network, interlinking all digital forms of value. It allows you to trade digital assets and currencies peer to peer, with an easy to use interface and the opportunity to earn fees by participating as an allocator. >> Read more about Internet of Coins Jingle Nodes — Jingle Relay Nodes Specifications and Prototypes One of the main goals of the first version of the Jingle Protocol was to create a P2P enabled protocol, depending on XMPP for routing but at the same time able to negotiate sessions and exchange content without main proxy servers. After 5 years we still don't have implementations which supported the current specifications in full. SIP on the other hand, is not very efficient and simple to use for P2P connections, but is widely deployed. It is much simpler to install and, although with higher costs, does provide media connectivity. 
\"Jingle Nodes\" simplifies the erection of (public) relays. It also makes every buddy in your contact list a potential Node. An additional positive aspect is that a client does not need to run its own Relay Node, but only configure its \"usage specification\" (no more than two or three pages), as the application runs on the server side. >> Read more about Jingle Nodes Jitsi — Better and Open Source alternative for Skype During the last fifteen months SIP Communicator became a real open source alternative for Skype. It supports Audio/Video calls with SIP (and very soon XMPP), and Instant messaging for almost all popular protocols such as XMPP/Jabber/GoogleTalk, MSN, AIM, ICQ, IRC, Yahoo! Messenger, Bonjour, and more to come (like Facebook). Jingle conference calls and Jingle encrypted calls features are also implemented and being tested. This project is about adding new features to SIP Communicator (soon to be called jitsi) that would take it beyond what's currently possible with Skype, as well as other closed platforms, which would address an even wider span of communications use-cases. Some of these features, like video conferencing, would make it even more unique than it currently is. Others, like the support for MUJI and new audio/video codecs, add to its wide interoperability. The list of tasks in this project is: Video conference calls; Google mode of operation for Jingle and ICE4J; Using HTTPS as a telephony transport; Support for H.263plus and VP8; Support for G.722; Completing audio/video calls support with MSN; Cross-protocol conference calls; Using Outlook, Address Book, and Thunderbird as sources of contact information; LDAP support; Support for MUJI conference calls. >> Read more about Jitsi Jitsi-DNSSEC — DNSSEC for Jitsi (SIP Communicator) Jitsi (formerly known as SIP Communicator), is a Java based open source VoIP and Instant Messaging client supporting various protocols such as SIP and XMPP. 
Trying not to be just another SIP client, it incorporates security mechanisms like ZRTP for encrypted media streams (audio, video, desktop sharing, etc.) and OTR for instant messages. While these technologies provide a high level of security for the user data, the signaling metadata is blindly sent to the servers returned from a DNS query. Securing the connection to the server through TLS helps, but the connection can still be compromised when a rogue certificate can be obtained (for example from a government CA). At first sight signaling data seems not important, but looking at the newest developments in the Far East and North African countries it implies that some unfriendly people might only be interested in the metadata. DNS is responsible for converting names into network addresses to locate servers. Users usually receive the addresses of DNS servers from their internet provider. As conventional DNS provides no security mechanisms, a rogue DNS can very easily supply the user with faked responses to requests and thereby redirect him to an arbitrary server. Jitsi, or any other client application, relies on the replies from the DNS servers. When a VoIP account is configured to use a specific server, it passes all traffic to the address obtained from the possibly rogue DNS server. Transporting the metadata over TLS to the server does not really solve the problem as some governments run certification authorities that are trusted by the operating systems and web browsers. A malicious server would therefore silently be able to listen to all metadata traffic. This is where DNSSEC comes into play. DNSSEC can guarantee the integrity and authenticity of replies. A DNSSEC aware client can be sure that a validated response is the one intended by the owner of the requested domain name. This avoids nearly all situations where a server tries to redirect the client to a malicious server. 
The project will add client side DNSSEC validation and certificate checking to Jitsi, thus making end-to-end SIP communication secure. >> Read more about Jitsi-DNSSEC LEAP/Torbirdy — LEAP integration into Torbirdy Due to its age and design flaws securing email is notoriously hard. Without an easy-to-use e-mail client most users will not be able to adequately protect themselves. LEAP allows easy set-up of secure e-mail providers, but currently LEAP integration into e.g. the popular Thunderbird email client requires manual configuration and does not provide anonymity of the connection from the client to the server via Tor. What if users could profit from automatically encrypting email and retain their privacy? >> Read more about LEAP/Torbirdy MU-Jingle — jabber-based VoIP protocol When a meeting between a scattered group of people needs to take place, a phone conference is a popular solution, especially in a business context. These calls can become costly especially when participants have to make long distance or international calls to participate. With the advent of cheap and abundant Internet connectivity, there is an opportunity to lower costs by transmitting call data over Internet connections. Additionally, the increasing ubiquity of webcams allows video as well as audio to be transmitted. The proprietary Skype service has become very popular for this purpose. Jabber's extension for audio/video conferencing is limited to communications between two users. Extending Jabber further to support multi-party audio/video conferences will allow it to match the functionality of proprietary offerings, whilst still providing all the benefits of XMPP. It is intended that Multi-User Jingle improves over three existing solutions: Jingle: by supporting more than two participants. Skype: by being an open standard with a free software implementation. 
SIP: by supporting reliable peer-to-peer connectivity, as opposed to requiring dedicated media relay infrastructure, thereby allowing a video stream from each participant without the need for multiplexing. In general, by adding support for multi-user audio/video to XMPP, users do not have to give up the benefits of XMPP in order to make a multi-user call. Deliverables: A prototype client, using a Jabber-based protocol to negotiate an audio conference between at least three people. An updated prototype client able to negotiate multiple streams (simultaneous audio and video). First draft of XMPP extension document, based on the experience developing the prototype. First draft of Telepathy API allowing creation and management of multi-user calls. A version of Gabble able to negotiate a MU-Jingle call according to the draft standard. The final draft of the MU-Jingle protocol description, incorporating implementation experience. A version of Gabble corresponding to the final draft of the protocol. >> Read more about MU-Jingle OCS-Asterisk — Open real-time connection between Microsoft OCS and Asterisk An investigation into the feasibility to connect Microsoft Office Communication Server (OCS) with Open Source PABX systems based on Asterisk. >> Read more about OCS-Asterisk openMSRP — openMSRP relay implementation This project aims to implement an Open Source MSRP relay based on IETF specifications RFC4975 and RFC4976. MSRP is the abbreviation of Message Session Relay Protocol, a protocol for transmitting a series of related instant messages in the context of a session. The aim is to provide a reference server side implementation of the SIP SIMPLE (SIP for Instant Messaging and Presence Leveraging Extensions) key component. The project contributes to the convergence of SIP (Session Initiation Protocol) and instant messaging. 
The Open Source MSRP relay implementation will have the following features: Open source implementation licensed under LGPL; Code written in Python programming language; Integration with a popular open source SIP Proxy (OpenSER). Plans for the future include the implementation of a multi-party Instant Message (IM) server and Open Source MSRP IM/File transfer client. >> Read more about openMSRP openMSRP(2) — multi-party Instant Message server based on MSRP This project aims to implement an open source MSRP multi-party IM chat server that works seamlessly with the MSRP relay implementation, already under development. >> Read more about openMSRP(2) openMSRP(3) — GUI for the open source SIP SIMPLE client This project will implement the Graphical User Interface (GUI) for the open source SIP SIMPLE client. This is Phase 2 of the work started earlier on the SIP client for IM, Presence and File transfer based on MSRP protocol. Once completed, the project will provide the source code and binary installation packages for Linux, Microsoft Windows and MacOSX operating systems. The packages will provide a fully featured graphical client for Voice, IM and Presence based on SIP protocol. >> Read more about openMSRP(3) Parselov — Syntactic analysis of documents and protocol messages based on formal descriptions Parselov is a system for the syntactic analysis of documents and protocol messages based on formal descriptions, as well as the analysis and manipulation of such formal descriptions. It makes it easy to build parsers, validators, converters, test case generators, and other tools. It also explains the process of syntactic analysis slightly differently than usual, which has helped me tremendously to \"understand parsing\". 
At the heart of the system is a computer program that converts a formal grammar (the IETF standard \"ABNF\" is used as input for testing, but it is easy to support W3C's \"EBNF\" format and similar formats thanks to this system) into a graph and additionally computes all possible traversals of this graph. The result is stored in a simple JSON-based data format. >> Read more about Parselov PKCS#11 v3 — Contribute to standardisation of PKCS#11 for cryptographic tokens PKCS #11 is the de facto standard for cryptographic tokens controlling authentication information (personal identity, cryptographic keys, certificates, digital signatures, biometric data). Due to the age of the standard, it was lacking a number of modern, so called 'quantum-resistant' algorithms. This small project enables open source developers from the Pitchfork project to contribute a number of important algorithms to the OASIS PKCS #11 standards committee in time for the pending new version of PKCS #11.>> Read more about PKCS#11 v3 realXtend — realXtend communications based on Telepathy realXtend is an open source project for creating a platform for interconnected virtual worlds. Virtual worlds excel at interpersonal communication and the component that enables textual and voice communications is a vital part of the system. This is exactly where the NLnet's contribution will be used for development of the communications component for the realXtend platform. This will be done based on the Telepathy framework. The intention is to start working on a voice over IP component and provide a version with basic functionality by Christmas 2009. >> Read more about realXtend SecuShare — A framework for sufficiently safe social interaction The SecuShare project implements a social messaging service based on the GNUnet peer-to-peer framework offering scalability, extensibility, and end-to-end encrypted communication. 
The scalability property is achieved through multicast message delivery, while extensibility is made possible by using PSYC (Protocol for SYnchronous Communication), which provides an extensible RPC (Remote Procedure Call) syntax that can evolve over time without having to upgrade the software on all nodes in the network. Another key feature provided by the PSYC layer is stateful multicast channels, which are used to store e.g. user profiles. End-to-end encrypted communication is provided by the mesh service of GNUnet, upon which the multicast channels are built. Pseudonymous users and social places in the system have cryptographical identities (identified by their public key); these are mapped to human memorable names using GNS (GNU Name System), where each pseudonym has a zone pointing to its places. >> Read more about SecuShare Secushare Box — Operating system extension of Secushare for hardware devices An operating system extension for hardware devices that turns them into automatable nodes in a distributed social mesh network, independent of central control. The objective is to offer an alternative to cloud-controlled IoT, empowering the owner of a device instead of its manufacturer. IoT devices are cryptographically linked to their owner's smartphones, PCs or other interfaces, using an initial vicinity rendez-vous procedure, akin to how bluetooth devices \"pair\". This integrates the new IoT device into the owner's social graph as a resource that can potentially be shared with others without the hassle of exchanging unsafe passwords. >> Read more about Secushare Box Jitsi (SIP Comm Phone) — Internet phone and instant messenger SIP Communicator is an audio/video Internet phone and Instant Messenger. It supports some of the most popular instant messaging and telephony protocols such as SIP, XMPP/Jabber (and hence GoogleTalk), AIM, ICQ, MSN, Yahoo! Messenger, IRC, Bonjour and new ones will be coming soon. 
This particular project concerns a number of tasks needed to be accomplished so that SIP Communicator could become a viable or even better alternative for Skype, but all in Open Source. The following tasks are to be accomplished within the scope of the project: Developing a Java implementation for the ICE protocol. Audio/video telephony for XMPP/Jabber. Conference calls. File transfer. >> Read more about Jitsi (SIP Comm Phone) Jitsi (SIP-Communicator) Desktop — Desktop Streaming and Sharing with SIP Communicator The possibility to allow remote access to one's ongoing desktop session has been appealing to users ever since the early days of Internet communication. Especially the Desktop Sharing and Streaming features are of interest to virtually all internet users. This is probably why all commercial instant messengers ship with some form of implementation for this feature. Today it's still one of the major features for Microsoft's Windows Live Messenger, Apple's iChat and more recently Skype who started out with Windows-only support and extended it to Mac OS X with their latest version. However, the feature is generally unavailable with free/open source communicators, and the only way to share one's desktop in a platform independent way is to use dedicated solutions such as VNC applications and multi-platform clients for the Remote Desktop Protocol. This project is all about running Desktop Sharing and Streaming, stressing on certain characteristics, like ease of session establishment, interactivity, and privacy protection. The project was led by dr. Emil Ivov >> Read more about Jitsi (SIP-Communicator) Desktop SIP-GUI — Next Phase Graphical User Interface for the SIP SIMPLE client The goal of this project is to finish the GUI for Blink, the communication tool providing a combination of multiple media streams in SIP sessions --a future-proof design that will eventually take over other commercially closed solutions available on the market today. 
The Graphical User Interface for the SIP SIMPLE client project is a stand-alone project that is financed by AG Projects and NLnet. The project once completed will provide the source code and binary installation packages for Linux, Microsoft Windows and MacOSX operating systems. The packages will provide a fully featured graphical client for Voice, IM, file Transfer and Desktop Sharing based on SIP and MSRP protocols. In fact a fully open source package replacing Skype will appear on the market. >> Read more about SIP-GUI SPEAR — Secure Peer-to-peer Services Overlay Architecture SPEAR is a pilot experiment with the community, studying privacy and mobility aspects of P2PSIP. Peer-to-peer protocols increasingly appear in commercial data distribution and communication applications. Although several proprietary solutions are highly successful, an open standardized architecture for secure P2P services is only emerging. Many open issues need to be addressed, including peer lookup, scalability and resilience, NAT traversal, interoperating IPv4 and IPv6 peers, and performance on lightweight devices. The project on Secure Peer-to-peer Services Overlay Architecture of the Helsinki Institute for Information Technologies (HIIT) attempts to develop a generic mechanism to support such distributed services as P2P Session Initiation Protocol (P2PSIP). In contrast to other approaches, security is taken as the corner stone of design, integrating support for Host Identity Protocol (HIP) Based Overlay Networking Environment (HIP-BONE) into the architecture. The architecture can support various P2P services, not limited to P2PSIP, such as P2P HTTP. We envision that P2P HTTP can be used to create a community version of many useful scenarios as plenty of current applications are based on HTTP. The work is carried out jointly with industrial partners actively involved in developing protocol specifications in the IETF. 
In particular, the design of a protocol stack combining overlay peer protocol with HIP and IPsec, binding peer identities to host identities, hierarchical P2P systems, and prevention of unwanted traffic are in scope of the project. An existing proof-of-concept demonstration of P2PSIP proxy will be further developed and tested with real users, and its usability will be evaluated. >> Read more about SPEAR Swirl — Implementation of PPSPP proposed standard in Erlang Current peer-to-peer traffic on the internet happens in a wide variety of often application-dependent protocols, limiting growth and innovation. A working group of the IETF has in recent years been developing the Peer-to-Peer Streaming Peer Protocol (PPSPP) to establish a safe, modern standard in this area. NLnet considers a mature standard for P2P applications an important building block for the future of the internet. Swirl is an open source reference implementation of the PPSPP proposed standard in the Erlang programming language. The Swirl project is led by Dave Cottlehuber (Austria). >> Read more about Swirl SylkRTC — SylkRTC The SylkRTC project entails adding webRTC capabilities to Sylkserver, a polyglot open source conference server that unites the realms of the two IETF standardised internet technologies in the area of real-time communication: SIP and XMPP. Sylkserver allows anyone with basic computer knowledge to set up a private conferencing facility that can be used with a large variety of different applications that support these open standards. By providing a webRTC gateway, the SylkRTC project will additionally allow anyone with just a modern web browser with webRTC capabilities running on a device with a microphone and/or camera to join a conference or contact someone using either protocol. Visit the SylkRTC demo page to make a trial call over the internet. 
>> Read more about SylkRTC Wormhole — Project Wormhole There are two leading internet technologies emerging as the future of real-time communication: SIP and XMPP. This project and its outcome will provide the possibility for users of both universes to use either protocol to interoperate with each other for audio, instant messaging and presence. If the software is installed on the desktop next to an existing application it can encapsulate or tunnel conversations from one protocol to the other - serving as a wormhole between the two universes. It should work transparently with little or no configuration. It will allow users to share contacts and establish chat and audio sessions without having to bother of the protocol used to address buddies in user@domain format. If the software is used on a server, one should simply point the appropriate DNS record of a domain to the server, and any session request made with either SIP or XMPP protocol will be bridged to the other side. >> Read more about Wormhole Jabber/XMMP — Strengthening Trust in Jabber/XMPP Technologies Jabber Technologies, as formalized in the Extensible Messaging and Presence Protocol (XMPP), are a set of decentralized, open technologies for near-real-time messaging, presence, and streaming XML (now being extended to address multimedia signalling and other advanced use cases). The focus of this project is to improve the security and trust characteristics of Jabber technologies. >> Read more about Jabber/XMMP ","title":"Application protocols","url":"https://nlnet.nl/thema/Applicationprotocols.html"},{"url":"https://nlnet.nl/taler/","title":"NGI TALER","description":" NGI TALER Privacy-preserving digital payments More about: Guide for Applicants | Who is behind this? | Eligibility | FAQ The thirteenth call of NGI TALER opened up on April 1st 2026, with a deadline of June 1st 2026 12:00 CEST (noon).  Check out the guide for applicants and the frequently asked questions. 
Submit a proposal Without a technical layer providing privacy-by-default, financial transactions reveal unnecessary levels of personal or private data. In the digital economy, payments play a critical role. Yet online payment systems tend to allow for far less privacy than paying with a bank note or coins, especially when using proprietary solutions like Google Pay or Apple Pay. When interacting with the offline economy comes into play, the alternative of paying with all kind of volatile cryptocurrencies isn't a viable option either. NGI TALER is a pilot funded by the European Commission and the Swiss State with the very concrete objective to roll out a new, best-in-class electronic payment system that benefits everyone: people, merchants, banks, financial authorities, auditors and anti-corruption researchers. The project doesn't have to start from scratch either, but builds on the strong foundations of GNU Taler — the privacy-preserving digital payment system developed by the GNU community and Taler Systems SA with support from the NGI initiative. This offers privacy for those that make payments, while enforcing transparency on those that sell. By providing micro payments at very low overhead, GNU Taler permits internet business models to shift away from advertising revenue or subscription models, especially for online publishers. No-risk transactions can lower transaction fees and open online payments for the underbanked population and citizens marginalized from digitalisation. In Europe, there has been a lot of discussion about a digital Euro in recent years. Having an efficient and privacy-respecting commercial-grade (but libre) payment system that doesn't require invasive practices is a strong alternative to central bank digital currencies (CBDCs). And it isn't just GNU Taler or privacy experts saying this, but several national banks have already come forward stating their support for GNU Taler. 
With GNU Taler, citizens do not suffer from surveillance when paying, while businesses can be held accountable for their income and pay their taxes. Moreover, the software is transparent and free in every sense of the word — meaning that anyone can see its inner workings, deploy it for whatever use case they have, and adapt it to their needs without asking anyone for permission. Privacy is most meaningful when it is guaranteed via technical measures, as opposed to mere policies. Part of the budget of NGI TALER (15% to be precise) is reserved for open calls to fund additional free and open source efforts that are aligned with the topics and approach of NGI TALER. We invite your contributions to help reshape the state of play of digital payment systems, and to help create an open, trustworthy and reliable internet for all. Of course you can contribute exciting new capabilities to GNU Taler itself, build auxiliary tools or work on user experience, but you could also be developing integrations into FOSS applications and open standards (enabling P2P micropayments in for instance an instant messenger, open social media platform or video conferencing tool), or work on improvements to infrastructure components like merchant backends. Together with the rest of the NGI, we move towards restoring and subsequently maintaining European sovereignty and to secure democratic ownership of our digital societies. In order to enable you to make such contributions, we will award at least 676 000 euro in small to medium-size R&D grants towards technology commons that empower users, and establish a new generation of privacy-friendly digital payments systems. The programme will run between now and November 2026, but budgets are limited — so grab your opportunity. Project results must be made available under a free and open source license, so anyone can read and validate the source code, and anyone can use the code to create technology that fits their own purposes. 
We are seeking project proposals between 5.000 and 50.000 euro — if the project works out well you can subsequently scale up in other programmes funded by NLnet such as NGI0 Core. Reliable, low-cost, secure and resource efficient payments should become the 'new normal' of the internet, something ordinary users should not have to worry about — users should be in control. So let's make it happen. Note that GNU Taler itself was funded through such Next Generation Internet projects, so there is every opportunity to grow. The consortium behind NGI TALER is wholly committed to make this opportunity come to life: there is a limited window of opportunity. Through the open calls, we assist you and other independent researchers and developers to join in and create powerful new technologies and put these in the hands of future generations as building blocks for a fair and democratic society. The GNU Taler Integration Community Hub is waiting to help you. Help us build a sustainable and open economy that benefits all, and submit your idea today. Not sure whether your idea fits? Don't be afraid to send something completely out-of-the-box if you think you can contribute to the topic (and your idea fits with the eligibility criteria): it really is an open call. Note that if you have a good idea that doesn't immediately fit, you can probably submit to another of our funds (e.g. the NGI0 Commons Fund) instead. The thirteenth call of NGI TALER opened up on April 1st 2026, with a deadline of June 1st 2026 12:00 CEST (noon).  Check out the guide for applicants and the frequently asked questions. Want to learn more about Taler before you submit a proposal, or have other questions? Take a look at the technology, the NGI Taler site or join the GNU Taler Integration Community Hub to have a chat about your ideas. 
Submit a proposal Next Generation Internet A human centric Next Generation Internet shall reflect the openness, diversity and the inclusion that are at the core of European values - Roberto Viola The overall mission of the Next Generation Internet initiative is to re-imagine and re-engineer the internet for the third millennium and beyond to shape a value-centric, human and inclusive society for all. How we share and retrieve information is an essential part of that equation. The internet can and should bring out the best in all of us. It should enable human potential, mobility and creativity at the largest possible scale — while dealing responsibly with our natural resources. Doing so is essential to preserve and expand the European way of life. The Next Generation Internet initiative aims to mobilise the best ideas to improve how we find and connect people, devices, services and ideas. The internet can and should bring out the best in all of us. Acknowledgements This project has received funding from the European Union’s Horizon Europe research and innovation programme under grant agreement No. 101135475. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"description":" NGI TALER Guide for Applicants Main page | Guide for Applicants | Organisations involved | Eligibility | FAQ This page provides some guidance for people applying to the NGI TALER calls. TALER is a consortium funded by the European Commission to further develop free and open source mobile platforms, applications and framework. In addition to its own work, the NGI TALER Consortium will competitively award at least 676 000 € worth of grants (15% of the total budget of the pilot) to independent researchers in the period between December 1st 2023 and November 30th 2026. For the deadline of the calls please check the main information page. 
In principle there are continuous open calls, until the budget is allocated in line with the objectives of the Next Generation Internet — and the TALER programme in particular. If you want to know details about the type of activities that qualify for financial support, or who can apply, please check the eligibility information. This page details the entire procedure, the results to be obtained, the competitive criteria for awarding financial support, and the criteria for calculating the exact amount of the financial support. Criteria for awarding financial support Projects are judged on their technical merits, strategic relevance to the Next Generation Internet and the topics within NGI TALER, and overall value for money. The key objective is to deliver potential break-through contributions to the open internet. All scientific outcomes must be published as open access, and any software and hardware must be published under a recognised open source license in its entirety. First stage of the assessment Based on the submitted proposals, projects receive a first check for eligibility in terms of alignment of goals and criteria with the sub-granting call. In this stage hard eligibility (“knock-out”) criteria specific to the sub-granting call are checked. Project proposals are written in English and: should be in line with the NGI vision and the objectives of NGI Taler in particular should have research and development as their primary objective should satisfy any other hard eligibility criteria specific to the sub-granting call, such as having a clear European Dimension. All projects that fail on any of these knock-out criteria, will not be further reviewed and will be marked ineligible. The rest of the projects will be given a score based on the proposal text as submitted. If multiple versions were submitted prior to the deadline, the last complete version will be used. 
Projects receive an initial rating on three criteria (weight, criterion): 30% Technical excellence/feasibility; 40% Relevance/Impact/Strategic potential; 30% Cost effectiveness/Value for money. The total weighted score of projects has to be above 5.0 (out of 7) to pass to the next stage. The projects which are not taken into the second round are informed that their project is not selected, so that they may try to find funding elsewhere as soon as possible - or continue without additional funding. Second stage of the assessment The second stage is used to select strategic projects which not only satisfy the minimal criteria, but also have potentially a lasting impact on society. Projects are to be selected based on their potential contribution to the Next Generation Internet and its key drivers for change. In the second stage, the reviewers are able to ask additional clarifying questions and make (minor) suggestions to improve the quality and impact of the project. This typically involves questions such as: what is the difference in approach to existing projects U, V and W? how will you approach complicating factor X? can you back up or validate claim Y? have you considered collaborating with complementary effort Z or using standard A? the rate you have applied for task B is very high compared to the perceived value of that task. Can you explain, or would you like to reconsider? can you clarify how you intend to make the outcome of the project (self)sustainable? how does upstream project D feel about your application? In addition, the review team will do independent verification of facts, methods and claims. If necessary they verify relevant information through their expert network. This is done without revealing personally identifiable information, unless there is explicit consent from the submitter. If a project is unable to prepare all the answers to the questions and/or a modified proposal within the allocated time frame, the project may be moved to the next call. 
Note that the proposed project budget may change during this phase due to e.g. added or deleted project milestones. After the interactive part of the second stage is completed, new ratings are calculated based on the revised plan. If the revised plan scores lower than the original proposal, the original proposal is rated. The result is a ranking of projects that reflects the overall expected value and the relative impact in the context of the NGI initiative, starting with the project with the highest weighted rating and going down to the lowest weighted score. The cut off point is a weighted score of 5/7, unless there is not enough remaining budget left to fund all projects that have received this ranking - in which case the ranking is followed until there is no more available budget. The projects that fall below the cut are (similar to the first round) informed that their project is not selected, so that they may try to find funding elsewhere as soon as possible - or continue with their current funding. Independent review committee An independent review committee checks the final selection of projects. The review committee consists of independent experts from the internet and open source field, academia and the public sector. The committee receives no remuneration for its work, and its members have no other economic interests with the programme and/or links to NLnet Foundation as the grant-making organisation. Each project is individually reviewed for eligibility by at least two members of the review committee. The outcome of the selection process is randomly divided among the members of the Review Committee. At least two members independently validate that all the projects that are nominated are indeed eligible for funding, budgets are frugal, and that there are no other concerns. This creates a transparency trail with regards to eligibility and cost effectiveness of the proposed solutions, while retaining confidentiality of the preceding procedure. 
If a project fails to meet the criteria of the independent review committee, the concerns are sent to the proposer and the project is pushed back to the next available call. Criteria for calculating the exact amount of the financial support The amount to be granted to each third party should be the amount necessary to achieve the key objectives of the action. During the three stage review process, the overall ‘value for money’ and strategic potential of the proposal are part of the review, and thus of the ranking. We have a rapid succession of project funding opportunities, so we can iterate and grow talent instead of having a ‘leap of faith’ with a select few projects. Excellent teams that have successfully completed their project, can apply for additional funding again — provided that higher amount is necessary and delivers enough additional value. They are judged along the same criteria as the rest of the people in the grant round they are entering. Proposals must adhere to the following boundary conditions: A single proposal MAY request a grant allocation up to 50 kEuro. A significant part of the work within a project MUST have been successfully completed before an amendment to the project or a new proposal from the same applicant can be awarded: this means that the project deliverables have been made publicly available under recognised open/free licenses, that any software artefacts delivered were WCAG compliant, and that the outcomes of any third party audit have been satisfactorily dealt with. If a grantee seeks an amendment or new grant, the outcomes of the previously delivered work are taken into account during the evaluation. The exact amount of financial support is determined by NLnet based on the projected cost and estimated value of the proposition. Any proposed amount is to be adjusted for costs that are deemed ineligible (see above) as well as for the cost of any additional activities recommended by NLnet. 
The final amount is established in the memorandum of understanding between NLnet and the grantee. If the grantee does not agree with the size of the grant offered, they may decline and withdraw the proposal prior to signing the MoU at any time. NLnet as the grant handling organisation is a recognised public benefit organisation, and the goals of NGI are within its statutory mission. Any grants that will be handed out, to individuals, companies, NGOs or other types of legal entities are donations that fall under the most beneficial tax conditions as ‘charitable gifts’. Maximum amount to be granted to each third party The maximum amount to be granted per third party over the lifetime of NGI TALER is 60 kEuro. A third party can be an organisation or an individual. Example Memorandum of Understanding Curious what a typical Memorandum of Understanding looks like? Of course every MoU is specific, but do feel free to quickly glance over an example MoU to get an idea of what it looks like. Example Memorandum of Understanding Conflict of interest resolution The reviews within this programme are done by full time professional staff of a recognised and professionally audited public benefit organisation with a significant track record (NLnet foundation), hired to perform impartial and objective project reviews without economic interest, political or national affinity. Every project is reviewed by multiple full time staff members, and independently from that all projects proposed for funding are again reviewed by multiple well-regarded experts from academia, the internet world and the public sector. Institutional conflicts of interest As the organisation responsible for performing the reviews within this programme, NLnet foundation offers strong guarantees it does not in any way have any financial or other benefit from awarding certain proposals over others. Note that NLnet foundation is entirely independent, and has been so ever since it was founded in 1989. 
NLnet currently has no organisational ties with other legal entities — with the noted exception of its wholly owned fiscal fundraising entity Commons Caretakers, which for obvious reasons is excluded from requesting grants from this programme. As part of managing its own financial endowment, NLnet has some small historical investments in SME companies and small investment funds. Companies financially invested in by NLnet are also explicitly excluded from receiving any grants through this programme. Although they are not in any way involved with the review, the other legal entities that are part of the consortium and their staff are also fully excluded from requesting and receiving grants through the programme. This avoids conflicts of interest within the consortium. Personal conflicts of interest Reviews are performed by full time professional staff, hired to perform impartial and objective project reviews without economic interest, political or national affinity. For obvious reasons, NLnet staff are not allowed to have any financial or other personal benefit from grant proposals they are responsible for reviewing in any way either — other than the longer term public benefit. This allows them to fulfil their tasks in an impartial manner. The same holds for those people with which the reviewers have close family ties (spouse, domestic or non-domestic partner, child, sibling, parent etc.), and for any legal entities in which NLnet (or its staff) may hold stocks, shares or other economic rights. Independent review committee The standing review committee consisting of independent experts from the technical and academic internet community and the public sector validates the outcome of the selection procedure of each round on criteria of eligibility and budgetary efficiency. 
To ensure their independence, the members of the review committee are not attached to any of the consortium partners within the programme as employee, member of the board of directors or member of the board of supervisors. Members of the independent review committee, their employers, their co-workers and their relatives are themselves excluded from submitting projects to the programme. Membership of reviewers in associations and not-for-profits Note that the above explicitly does allow for past and present non-remunerated involvement of NLnet staff in not-for-profit legal entities serving the public interest, including those that were part of previously funded efforts within its funding programmes in which the partners were involved. This also includes paid and unpaid (board) membership of professional or ideological organisations such as ACM, IEEE, Internet Society, FSF, ICANN, OSI and Unix user groups, legal umbrellas such as The Commons Conservancy and OW2 as well as open standards bodies like OASIS and W3C. Submissions from those organisations (and other people involved with them) are not considered to constitute a conflict of interest. The ‘reviewer paradox’ is similar to the more classical ‘observer paradox’: in order to be able to properly review the relevance of proposed R&D at the cutting edge of technology, reviewers have to have a level of knowledge that only exists within the R&D ecosystem itself. We believe it would not be proportional to exclude members of associations and volunteers within not-for-profits from receiving support through this programme, and we believe the ample additional quality assurances and third party checks made allow for this sane approach. Non-commercial constituencies As mentioned before, all legal entities that are part of the programme consortium and their paid staff are excluded from requesting and receiving grants through the programme. 
This actively blocks any applications from the entire paid staff from the organisations within the consortium as well as the leadership involved with the programme: there is a ‘Chinese wall’ between the projects which are funded and the partners supporting the projects. We believe it would not be proportional and in fact be undesirable to categorically exclude the membership and volunteer constituencies of the not-for-profit organisations within the larger ecosystem from grants. Besides NLnet foundation, neither of the partners is involved in any way with the actual review of projects and the resulting selection. The fact that people choose to contribute in an unpaid capacity to idealistic organisations that play an active and constructive role in e.g. the internet and libre-driven ecosystems should not affect their ability to receive funding for a possible contribution. In fact, the ability to reach motivated and qualified people aligned with the core mission of NGI is one of the reasons these organisations were involved in the first place. Given the clear and consistent separation between the rest of the consortium and the selection process, and the strong quality guarantees from the whole procedure, NLnet elected to place no restrictions on proposals from the non-commercial constituencies surrounding the consortium partners in the programme — with of course the noted exception of the coordinator and the organisation responsible for reviewing (NLnet foundation itself). Consortium members have been instructed to stay clear from project proposals from their constituencies, and are aware that failing to keep adequate distance to proposals from their constituencies will disqualify the proposals involved. Did not find what you were looking for? 
You may want to check the Frequently Asked/Anticipated Questions ","url":"https://nlnet.nl/taler/guideforapplicants/","title":"NGI TALER Guide for Applicants"},{"title":"Frequently Asked (and/or Anticipated) Questions","url":"https://nlnet.nl/taler/faq/","description":" Frequently Asked (and/or Anticipated) Questions Main page | Guide for Applicants | Organisations involved | Eligibility | FAQ What kind of projects are you looking for? This is really an open call, provided it is somehow relevant to the TALER ecosystem. If you have an idea that contributes to the vision of the Next Generation Internet, we invite you to propose. Make a proposal Do you have examples of granted projects? Yes, we keep an up-to-date overview of projects that have been selected in NGI Taler. Furthermore, you'll get a fairly good impression by looking at projects from earlier programmes from the Next Generation Internet initiative like NGI0 PET, NGI0 Discovery and NGI0 Entrust, with background information on all the projects and links to their websites. Several of the projects within TALER are former grantees of these programmes. Or browse through all our recent and current projects for inspiration. Can we send you a proposal upfront to check its eligibility? Unfortunately, you can't. This would move the whole structured procedure to a flood of unstructured and intransparent private dialogues, which would be unfair to other participants (and very inefficient as well). Luckily there is no need for this: the application procedure is very light-weight, and so you can just put in your proposal. If the project is not selected, you can iterate with the proposal as the cycle is quite fast (every two months a new call). Do I need to work for a university or research institute to apply? No, you don't. Application is open to all. The thing that counts is a good project proposal. Do I need to have a legal entity like a company to apply? No, you don't. 
You can apply as an individual, or as a formal or informal organisation of any type. Or even a collaboration of the two. Each of the persons and legal entities which are part of the grant can be paid directly by us. The internal allocation of payment is decided upon by the project lead, and can be done after the work is completed. Will the grant be disbursed up front? No, the grant is not paid out up front. Instead you divide your project into milestones and allocate an amount to each of these. Once you reach a milestone you send in an request for payment. So for instance: You divide your project in milestones A, B, C and D. And you allocate amount € X to milestone A. Once you have finished milestone A, you request the payment for it and move on to milestone B. How long does the application process take? We do our best to assess all applications as quickly as possible. However, our funds are popular and we receive a large amount of applications. You can expect the process to take between three and five months. This is counted from the date of the deadline of the open call, not from the date you have submitted a proposal. Can I remain anonymous? You don't need to reveal your real name to us, prior to the project being granted. After that, we need to have this for compliance reasons — but we do not need to make it public. We can use an alias in all outgoing communication, should this be desirable or necessary at your end. Can young people apply? Yes, you can. Note that you do not have to reveal your real identity to us prior to the project being selected, so we have no way of even knowing anyway. And we very much welcome upcoming talent to NGI. 
Young people that have not yet reached the age of legal consent in their country of origin (typically 18 years old) on the date of the deadline may apply without any constraints; consent from a legal guardian such as a parent does not have to be provided prior to initial submission, but will be required to enter any further negotiations. Use of a pseudonym also after that is recommended. Is there a special programme for under-represented social groups? Inclusiveness is one of the key starting points of the NGI initiative. Projects are reviewed on a number of criteria, one of which is the strategic dimensions of the project. Creating strong role models for under-represented groups can help expand the relevance and impact of NGI and thus is considered a strategic dimension, and as such is taken into account during the review — alongside other strategic dimensions such as the effect of the project on the technology landscape, standardisation efforts which are under way, human rights aspects, contribution to European and national legislative understanding and societal dialogue, etc. If you represent an unrepresented group, consider yourself invited to pay attention to this in your application. Of course this is not mandatory in any way, if you feel it is too much effort or distracts from the project contents itself. Can you sponsor our event, which is about X which falls within the scope of the call? No we cannot, unfortunately, and to our regret. At current we can only financially contribute to events that meaningfully contribute in a direct way to an actual R&D project within the programme. E.g. a code or documentation sprint, or a hackathon. Please check the information on eligible costs. Of course you can still mention good opportunities in your application, and we encourage you to do so: this will increase our understanding, and perhaps we can think of others that might be interested. Are you going to spend the whole budget on small projects? Yes. 
You can apply only with proposals between 5.000 and 50.000 euro. For this programme, 60.000 euro is the cumulative absolute hard limit for any applicant for the programme. There is a lot you can do with such a budget. The NGI pilots themselves are past grantees of the Next Generation Internet initiative. The core activity of TALER is to scale the projects in question up. The majority of the effort comes from the partners in the consortium, a limited part (15%) is to be spent on projects from third parties. If you require larger amounts, please have a look at the other programmes from NLnet. These can handle larger applications. I'm developing a proprietary application, and want to open source only a small part. Is that allowed in a proposal? If the part you want to develop and release as free and open source is relevant and is not itself dependent on your (or other) proprietary technology, sure. We look at what you research and develop inside the project you propose, not to anything else. NGI Zero programmes are open to worthwhile contributions from all types of organisations, including companies that want to keep part of their business model away from free and open source software. Your proposal will be reviewed on its expected contribution towards the NGI Vision. Technology that can only be used with an individual closed source application will not adequately scale to the global internet, certainly not in the long run. If the fate of a certain technology depends on leadership decisions and the internal economy of a single commercial entity this should probably not be considered 'sustainably open'. Spending public funding for building private monopolies isn't in the public interest. So in short: you can submit a proposal that fits snugly within a closed commercial environment, as long as that project itself is open source and doesn't depend on that closed environment — which would get in the way of permission-free innovation and fair opportunities for all. 
Am I allowed to offer additional, non-open licenses? All projects are supposed to be released under a suitable free/libre/open source license. This allows for incremental innovation on top of your results, and as we explained is non-negotiable. We recommend you set up good governance processes for handling rights attached to your work, to make sure you and the users of your research retain agency in the future. This condition however does not in any way exclude the legitimate holders of copyrights and other associated rights of dealing with your project results under additional licenses, even proprietary ones: there may be legitimate reasons (such as license incompatibility with third party complementary FLOSS efforts) for alternative licenses beyond the license you use for the project. Can I apply with multiple projects in one single round? Yes, theoretically you probably could — but there are some conditions to that. Note that if you submit multiple proposals in a single round, these typically have to be independent from each other. You cannot bypass the size conditions of the call by submitting a string of proposals that are tightly coupled to each other. If project B and C can only happen if project A is successful, you should probably be well under way finishing project A first before you block money for two more projects. Each proposal also costs time to write and submit — and we cannot give that time back to you. The limits with regards to the maximum amount you can receive during the lifetime of the fund stay the same — whether or not you contribute to multiple projects. I have patents assigned or pending on my idea. Can I meanwhile propose a project involving those patents? Should I disclose this in my application? Yes, you must certainly disclose this. Patents can hinder other people and organisations from freely working and innovating with the technologies you may be creating, in different and sometimes unpredictable ways. 
Free and open source software licensing is based on copyright law, and may or may not have provisions with regards to patents. The interaction with patent law can be complex. We would prefer to understand potential patent situations at the application stage, given that we are talking about technologies which are to be created inside publicly funded research and development. The final selection of projects is competitive, and your application will be reviewed on its expected contribution towards the NGI Vision. If the patents involved do not interfere with that contribution, and the technology you develop becomes available under suitable open source licenses, your project may still be eligible. I only heard about this call recently, can you postpone the deadline? We get this question surprisingly regularly. We are sympathetic to your need. Unfortunately, the deadline of such a large concerted effort really is a deadline and there is nothing we can do about this. That means when you submit after the deadline, you will submit to the next call. The deadline of which, fortunately, is just a mere two months away since we have a bimonthly cycle. Meanwhile, of course, you can just submit a preliminary proposal — unlike most procedures you should be able to complete a proposal in less than an hour. I made a mistake in my application. What do I do? I have submitted my project proposal already, but found out I made a mistake. Is the call you submitted to still open? Just resubmit the correct proposal. Please mention this in your resubmission, this helps speed up processing. There is no need for concern or to send us emails, this happens all the time. Is the call you submitted to already closed? We suggest you still resubmit, clearly marking the necessary changes in your resubmission. We have no interest in causing unnecessary delay, but of course we have to be fair and a deadline is a deadline. 
Clerical errors can always be fixed, contact us via email as soon as possible to arrange for a manual alteration — and please include the assigned number of the original application and your resubmission to ease processing. I have submitted my project proposal already, but I want to change it. Can I? I forgot to mention/include something important/there is progressive insight. What do I do? Is the call you submitted to still open? Just resubmit the correct proposal. Please mention this in your resubmission, this helps speed up processing. There is no need for concern or to send us emails, this happens all the time. Is the call you submitted to already closed? We suggest you still resubmit, clearly marking the changes. You've done the hard work already, so this should be a limited effort. Please send us a short notification via email as well — please include the assigned number of the original application and your resubmission in your message to ease processing. We have to be fair and a deadline is a deadline, but the sooner we have the right proposal, the better. Note that if the original flawed submission gets rejected (which would not be strange because, well, it is flawed), the fixed resubmission might stand a better chance — and this limits the delay caused to a minimum. Note that clerical errors can always be fixed. I submitted to the wrong fund, now what? I apparently did not look well enough when I submitted my project, but when looking at the mail copy of the application I got from you, I submitted to the wrong fund. Can you fix this for me? By far the quickest variant is to resubmit to the right call. Just copy and paste your application details from the confirmation email. At your request, we can just discard the earlier submission. If the call you wanted to submit to is already closed, resubmission would of course not be possible without unnecessary delay. 
In that case, please contact us as soon as possible to arrange for a manual alteration — and please include the assigned number in your mail to ease processing. What happens if there are not enough good projects submitted? From our long experience we know there are a lot of people with awesome ideas that need funding, and the funding is there to enable them to actually carry out this work in the public benefit. We believe we can give people a once-in-a-lifetime opportunity to do their part in fixing the internet. However, we also happen to have rather high quality standards, and intend to stick to them. We are not running a lottery where weak projects can submit in the hope of running away with leftover budget. TALER is funded with public money, and we have a moral obligation to spend that money frugally and effectively. Our mission is to pave the way for the Next Generation Internet. Besides money we invest a lot of (real) time in helping the projects we work with, in terms of improving accessibility, security, documentation, localisation/internationalisation, responsible disclosure, community building etc. Work there is never done, and we will spend our efforts on worthwhile projects alone. We therefore retain the right to allocate less than the entire budget, meaning we will return any unspent part of the underlying grant to the European Commission without giving it a second thought. Can anyone in the whole world submit? If the project you are considering would be a significant advance towards the goals and the vision of the Next Generation Internet, we invite you to submit — even if you live outside of Europe. Of course, it remains competitive — but you would expect that from money you get for doing what you love to do. The grant from the European Commission that allows us to run this programme is funded by tax payers in its member states. It is a knock-out criterion for each project to have a \"European dimension\". 
Having people inside the proposed project from Europe or the associated countries is an obvious and logical way to fulfil that requirement. You have a unique and worthwhile idea, but you are from elsewhere? Don't despair: there are other ways too... A significant contribution towards the vision of the Next Generation Internet initiative also qualifies. What is good for the whole open internet also benefits Europe, after all. Or put differently: we are open to talent from far and wide to deliver the ambitions of the NGI. Smaller tasks have been undertaken than delivering a new and better internet, and we need buy in and talent from far and wide to contribute to that global mission. How sustainable is all this? Does all of it stop when project funding goes away? We certainly hope not! One of the huge benefits of the design decision that all projects release their results under free/libre/open source licenses, means that we allow for incremental permissionless innovation. We invest in ideas and technology commons, not in individual businesses or particular business models. Free software allows literally anyone to use whatever they want in whatever way fits their needs. As long as there is someone interested in developing or using the software, they can do so without asking anyone. Obviously, under those rather unique conditions, evolutionary sustainability is much improved over the situation where the 'owner' restricts development and may pull the plug at any time. Furthermore, we spend a lot of effort in working with the technical and operational internet community as well as with other relevant stakeholders — preferably as early in the process of each project. This means not only that they get relevant feedback, but also that they are more likely to adhere to quality standards and operational practises that make it more likely that results are actually deployed. What services do you offer to projects besides money? 
While supplies last, projects funded within the programme can benefit from the support of NGI Zero Review. One of the key objectives for the larger NGI Zero effort is to set a new global standard for supporting R&D projects. We've set up a best-of-breed \"greenhouse environment\" (analogous to what an \"accelerator\" does for for-profit initiatives) for the projects and teams that are funded within NGI. We offer support services such as accessibility and security audits, licensing advice, mentoring, packaging and more. Researchers and developers are mere humans, and the grasp of all relevant best practises they bring along initially is by definition limited. No matter how brilliant a researcher is: the demands on technology that should actually run at scale on the modern internet today are huge, and continuously changing. Having a crazy idea that might just work to fix the broken internet, does not automatically mean that you know how to make your solution accessible to blind people, how to set up continuous integration and reproducible builds, how to orchestrate a responsible disclosure procedure, how to make sure that your application can be used with different languages and be properly localised to be compatible with different cultures, how to engineer secure software and what state of the art attack vectors you'd better deal with, how to engage with standards setting organisations, how to nurture and grow a developer community, how to write end user documentation, which software license best fits the goals of the project, how to deal with software patent trolling, how to support diversity with regards to gender and social identity, what considerations to take into account for software to be packaged by distributions, etcetera. Adding these requirements post-development is many times more expensive, and certainly more complex. 
Through the support we provide, NGI Zero Review aims to complement the knowledge and skill set of the project proposers with leading domain experts in the respective fields. We can't do all the work for you, but we can provide guidance and mentoring to tackle each of these topics. I want to make a future living out of my project. What are your thoughts on this? The results of some projects are self-sustainable and take a life of their own, while others may involve setting up some sort of business or not-for-profit structure around them. We are happy to brainstorm with you about this. It is our belief that society should invest in digital commons. Technology is too important for society, and (short term) profit is not the best driver for the goals of NGI: resilience, trustworthiness and sustainability. Can I ask my users for a subscription fee to sustain my income? Sure, as long as you also make the results of your project available under a free and open source license for other researchers and developers to work with. Such a license allows people to reuse it for any purpose they see fit. That in turn allows for incremental innovation and reuse. Free and open source software makes what you develop a technology commons, meaning complete strangers will spontaneously care about making what you have created go far and wide — something they would never do for a proprietary product restricted to a single commercial entity ... Of course most ordinary people don't directly work with code themselves — they tend to leave that to experts like hosting companies and app stores. Very few people might be more qualified than you (as the creator of your technology) to provide services around your 'brain child' — and you might actually do some of your target user base a large favour by providing a hosted service they can pay for. It is therefore perfectly okay to (for instance) provide a hosted version with a monthly subscription fee attached. 
Running software is not R&D but a service and comes at a cost in terms of operational expenditure (e.g. electrical power, hardware, etc) and human labour. Part of the user community is interested to outsource that work and pay for convenience and not having to worry. Others want or need to run the software you create themselves, for good reasons such as privacy or confidentiality. Some of the users would contribute back in code, some of which you can use for your customers. And of course others will just download the software and use it. However, every single user is proof that your project provides something worthwhile. You do not have customer lock-in, but as long as you provide enough value (innovation, operational excellence, etc) — people are likely to come to you again and again. You are after all the brains behind the software they depend on. And of course you can apply for follow up funding to continue 'working for the internet', based on the utility of your software and the relevance of your new plans. Hosted services are not the only way to make a future living. Another type of users may want you to provide paid consultancy to add features they need, or to have you help out set up their own instance. The best model for sustainability depends really on the nature of your project, and will be specific to the problem you are solving and the target group(s) you address with your work. You can in fact make money from what you build in any way, as long as the result of the work funded by us is at least available under a free and open source license. There are many examples of free and open source projects that result in a sustainable income for their creators in very different ways, and also many that don't. This is no different from any other enterprise you may undertake. The grant we provide typically pays your entire income (and those of people you may involve) during the development of the project itself. 
So consider that you work for the internet, and that is its own reward. If the project is picked up by a wider community, that will give you an excellent position going forward. You could do worse than having a revolutionary internet technology on your resume... What about accessibility? Is this mandatory? The Next Generation Internet is meant to be inclusive. This is why we put significant attention to the results of the NGI Zero projects to be accessible to people with disabilities. We understand that not everyone is an expert in this area — yet. But taking care of accessibility (or a11y for short) is, as far as we are concerned, the 'new normal'. From our end, we are willing to invest in this as well. Experts from our team will help you understand what that means to your project, and will mentor you how you can comply with the technical requirements. We have excellent support to evaluate the current state of accessibility and projects can request an accessibility audit performed by the HAN University of Applied Sciences, dept. Inclusive Design & Engineering — one of the core competence building centres of accessibility in the Netherlands. The topic of this call doesn't really fit, are there other topics I could apply to? NLnet has several other topics currently active, see the overview of thematic funds. Submitting to our open call is also an option, and even recommended — we'll try and find the best fit for you. You can also check the website of the NGI initiative for open calls by other organisations. My project is completed, but my work is not done! If the fund is still active, you can propose a continuation of the project. If the tasks that are left are rather limited in size (see the official policy on that), you can discuss this with your contact person at NLnet. If it is quite substantial, you would need to submit a new proposal. When in doubt, contact NLnet staff — they will be able to tell you what is the best path forward. 
The project plan needs to be adjusted Of course, while you are executing your plan the world doesn't come to a standstill. This means that there can be progressive insight and new opportunities, while also sometimes identified opportunities don't materialize or time out. You should discuss these kinds of issues with your contact person at NLnet. You can propose adjustments within the boundaries of what is possible (see the official policy on that). When in doubt, contact NLnet staff — they will be able to tell you what is the best path forward. When I receive donations, what happens? Your grants take the form of a donation from NLnet Foundation. NLnet is a recognised public benefit organisation according to the Netherlands tax office, a status which translates in full or to some degree to many other parts of the planet — which may or may not include your country of residence and/or work. Taxation in a global context is a pleasantly complex, dynamic and inspiring issue that has intellectually challenged many great minds. It has damaged some of those (and many others too). There are unfortunately significant differences across countries, and even across regions within a single tax system you may find notable variations in treatment. If you are from Europe, you might benefit from an initiative by Philanthropy Europe Association (Philea) called Legal Environment for Philanthropy in Europe. With the help of a network of local experts, they have crafted a very overview per country of key legal provisions that apply. This should help get you started. Obviously, your local tax authority is the authoritative answer to all matters concerning taxation, and if you are in doubt you are advised to contact them for guidance. Go to: Legal Environment for Philanthropy in Europe (warning: trackers present, unfortunately.) When does my project need to be finished? We'll agree on a duration in the Memorandum of Understanding. 
By default, we expect projects to be completed within 12 months — but qualified exceptions can be made. Are you nearing the end date and still working diligently on the project, and it looks like it won't be finished in time? Contact us, and we may very well be able to grant you extra time. Obviously, the lifetime of the whole programme is a hard external constraint pretty much beyond our control — as much as we want to help make anything worthwhile possible, some things are out of reach. Note that for NGI TALER, the programme is tentatively scheduled to end in November 2026. If your idea fits, you can just put it in your proposal. If it doesn't immediately fit: of course, your plans and longer term roadmap may (need to) extend well beyond the more or less arbitrary boundaries of our programme. We suggest you cut your plans up in multiple stages. Our grants are 'human size', which has the advantage of being very agile but the disadvantage of some overhead for long term efforts. We know that is a bit awkward, but it is just how things are. We need to take it one step at a time. Are F&A costs considered eligible expenses? Facilities and Administrative costs are generally not considered eligible expenses, unless in the presence of exceptional circumstances. When they are allowed, the maximum permissible amount is capped at 25%. Can I use generative AI to write parts of my proposal? The short answer is: no. Grant applications are short and we spend a lot of effort evaluating proposals. Please grant us the courtesy of writing the proposal yourself. If you do use generative AI to write (part of your) proposal, please put this in the text and explain why this was necessary. Failure to do so is likely to result in the proposal being rejected, and tarnishing your reputation. My question is not here? Well, if you've read all this and still have a burning question: let us know. We are happy to help! 
"},{"url":"https://nlnet.nl/taler/eligibility/","title":"NGI TALER Eligibility information","description":" NGI TALER Eligibility information Main page | Guide for Applicants | Organisations involved | Eligibility | FAQ Eligibility List of different types of activities eligible for financial support The following types of activities qualify for financial support, provided they are cost effective and have a clear link to the topics directly relevant to TALER and the objectives set out in the call: scientific research design and development of free and open source software and open hardware validation or constructive inquiry into existing or novel technical solutions software engineering aimed at adapting to new usage areas or improving software quality formal security proofs, security audits, setup and design of software testing and continuous integration documentation for researchers, developers and end users, including educational materials standardisation activities, including membership fees of standards bodies understanding user requirements and improving usability/inclusive design necessary measures in support of (broad)er deployability, e.g. packaging participation in technical, developer and community events like hackathons, IETF, W3C, RIPE meetings, FOSDEM, etc. (admission fee, travel and subsistence costs) other activities that are relevant to adhering to robust software development and deployment practices project management out-of-pocket costs for infrastructure essential to achieving the above Definition of persons or categories of persons which may receive financial support There are no categorical exclusions of persons who may not receive support from NGI TALER. Given equal proposals, inhabitants of the EU and countries associated to Horizon Europe are given priority, however if the project is of exceptional quality and the proposer holds unique technical expertise proposals from outside of those geographic areas can be eligible as well. 
Young people that have not yet reached the age of legal consent in their country of origin (typically 18 years old) on the date of the deadline may apply without any constraints; consent from a legal guardian such as a parent does not have to be provided prior to initial submission, but will be required to enter any further negotiations. "},{"description":" NGI TALER Background information Main page | Guide for Applicants | Organisations involved | Eligibility | FAQ Who is behind this? This grant program is courtesy of NGI TALER. NGI TALER is a pilot within the Next Generation Internet initiative. The purpose of the NGI Pilots is to scale up high impact technologies that stem from NGI. The NGI TALER consortium consists of 11 partners from 8 European countries (the Netherlands, Belgium, France, Germany, Greece, Hungary, Luxembourg and Switzerland). In addition to NLnet, the consortium includes research and applied science universities, cooperative banks, SMEs, and civil society organisations. Bringing GNU Taler to citizens and organisations as a privacy-preserving payment alternative is the primary objective of NGI TALER, alongside further technical development of tools, integrations and infrastructure. Part of the budget (15% to be precise) is reserved for open calls to fund additional free and open source efforts that are aligned with the topics and approach of NGI TALER. It shares this approach with other pilots like Mobifree and Fediversity. Through this agile, low-threshold funding mechanism we will enable individual researchers and developers, as well as small (potentially distributed) teams of them, to research and develop important new ideas that contribute to the establishment of privacy-preserving digital payment systems. The money for the pilot is kindly provided by the European Commission's DG CNECT, and the Swiss State Secretariat for Education, Research and Innovation (SERI). 
External Review Committee NLnet has installed an External Review Committee for this fund. This External Review Committee consists of independent experts from the internet and open source field, academia and the public sector. The committee receives no remuneration for its work, and its members have no other economic interests with any projects funded by the programme. The External Review Committee receives the outcome of the selection process, and independently validates that all the projects that are selected are indeed eligible for funding, budgets are frugal, and that there are no other concerns. ","url":"https://nlnet.nl/taler/background/","title":"NGI TALER Background information"},{"title":"Interviews with people building the Next Generation Internet","url":"https://nlnet.nl/stories/interviews/","description":" Interviews with people building the Next Generation Internet There are many issues with today's internet. In this interview series we asked free and open source developers about the issue that particularly bothers them and how their project addresses it. Each interview provides insight in a particular project and the people behind them. Taken together the interviews present an overview of issues with today's internet, and concrete answers to address them. Ten technology layers of NGI Within the Next Generation Internet initiative, the ten \"technology layers\" are used to categorise projects. The interviews are sorted by layer. You can jump to each layer via the links below. Here is a description of each of the technology layers. 
Layer Name Layer Name L1 Trustworthy hardware L6 Middleware and identity L2 Network infrastructure L7 Decentralised solutions L3 Software engineering L8 Data and AI L4 Operating Systems L9 Services + Applications L5 Measurement L10 Vertical use cases, Search L1: Trustworthy hardware and manufacturing Pedro Miranda, Artur Nóbrega, & José T. de Sousa - OpenCryptoTester System-on-Chip for hardware/software testing Issue In order of importance, the three fundamental issues are Privacy, Data Security, and Environmental Impact. Project's answer By using reconfigurable hardware accelerators, we enable higher security algorithms with longer keys to be executed in a reasonable time and energy budget. Carlos A. Ruiz Naranjo - TerosHDL Assisting hardware developers to deliver safer designs Issue The chip design industry is dominated by proprietary tools with costly licenses, making access difficult for small companies or students. Project's answer The open hardware movement is trying to design a fully open workflow for creating low-level hardware. TerosHDL offers a unified interface for over 25 open source tools. Jean-Paul Chaput - Coriolis Open EDA Logical validation of ASIC layouts Issue The whole of the internet, whether the infrastructure or the algorithms, critically depends on the trustworthiness of the chips we use. But most of them are black boxes. Project's answer The open hardware movement addresses the issue of closed source chips. Still, they need an Open EDA (Electronics Design Automation) to guarantee that what you get on silicon is what you specified. Julian Stirling - OpenFlexure microscope Enabling telepathology with open hardware high end microscopes Issue Medical instruments are expensive. Open hardware can provide an affordable alternative but often lacks medical certification. Project's answer OpenFlexure developed a laboratory-grade microscope and is now working on medical certification in close collaboration with local stakeholders. 
L2: Network infrastructure, P2P and VPN pi-lar - Neuropil-DHT DHT based overlay network Issue Data protection is in our opinion the world's current concern. Without protecting privacy of everybody, there is no information security. Project's answer Neuropil-DHT is an opinionated solution how security and privacy by design networks should be built. robur collective - MirageVPN Robust OpenVPN client and server, and QubesOS client Issue The locked-in apps and multinational corporations that have access to your data. We strive for a more decentralised internet. Project's answer By developing a VPN service, we have, apart from already established web services and DNS servers, another leg of what you can run as a MirageOS unikernel :). Morgan - Blueprint for FreeSpeech Generic Onions Services Library Project Issue One of the internet's issues is the trend of treating users and their data as raw material to be exploited rather than as people with sensitive information to be served and protected. Project's answer Ricochet-Refresh is an anonymous, end-to-end encrypted, peer-to-peer, and metadata-resistant instant messaging client. There are no servers to seize and no organisations to subpoena. Users control their data entirely. L3: Software engineering, protocols, cryptography Szilárd Pfeiffer - CryptoLyzer Cryptographic settings analyzer library Issue Internet protocols designed to be secure - such as TLS and SSH - suffer from implementation and configuration issues. Project's answer Cryptolyzer is a tool designed to support end users in choosing the right cryptographic settings in order to make communication on private and public networks more secure. Michael Baentsch - oqsprovider Post-quantum/quantum-safe cryptographic algorithms for OpenSS Issue The gulf between users of cryptography and \"hard-core cryptographers\", resulting in complicated-to-use crypto applications or even insecure ones. 
Project's answer oqsprovider aims to be a technological bridge for one particular problem area in this space, namely the integration of post-quantum cryptography into the TLS and X.509 internet standard protocols with minimum change/introduction of new risks at maximum ease of use. Philippe Ombredanne - FOSS Code Supply Chain Assurance Mitigate attacks through software dependencies Issue Security: a sophisticated malware attack on FOSS can be disastrous for developers and users, companies and countries, industries and sectors. Project's answer Our project improves the security of FOSS packages by ensuring that the different FOSS components used in various software are genuine. Kristina Sojakova & Mihai Codescu - IPDL Equational Proofs for Distributed Cryptographic Protocols Issue Most cryptographic algorithms we use nowadays to secure sensitive data are too complex for humans to verify. Project's answer We aim to give cryptographic researchers the tools for constructing formal security proofs for large message-passing cryptographic protocols. Karolin Varner - Rosenpass Post Quantum Security Add-On for WireGuard Issue Movements to ban cryptography are a huge threat to safety online, as are more visible issues like censorship, misinformation, and surveillance capitalism through online tracking. Project's answer Rosenpass, at its heart, is a future-proofing infrastructure project. We are working to ensure that existing security technology will keep working as computers get faster. Neal H. Walfield - Sequoia PGP Standards-compliant private key store for OpenPGP Issue There are three key issues with the state of the internet today: commercialization, government overreach, and centralization. Project's answer Sequoia PGP is a set of tools for encryption and authentication based on interoperable standards. It can help protect personal data from surveillance capitalism and government overreach. 
L4: Operating systems, firmware and virtualisation Merlijn Wajer - Maemo Leste Modernise open source real-time communications stack Issue The majority of mobile devices are controlled by a duopoly of Google and Apple, who by the nature of a duopoly mostly control how users access the Internet on their mobile devices. Project's answer Maemo Leste, an independent mobile operating system, aims to provide an alternative to users who do not want to be at the mercy of either Google or Apple. Ekaitz Zarraga - RISC-V bootstrapping effort via GNU Mes Allow bootstrapping Guix on RISC-V via GNU Mes Issue Trust is one of the biggest problems on the internet. In our case, we focus on trust in the software supply chain, a very overlooked issue. Project's answer Provide a system that ensures artifacts (pre-built programs or even pre-processed sources) are what they are supposed to be. Meaning the source code matches the artifact. L5: Measurement, monitoring, analysis and abuse handling L6: Middleware and identity Mark Burgess - Promise Theory Measure on-going trust between interacting agents Issue We tend to focus just on building whatever we feel like but don't think enough about the impact of these technologies on human society. Project's answer The project is part of a wide ranging effort to understand trust in network socio-technical systems. Andrea D'Intino - Signroom Zenroom based signature and credential platform Issue Privacy and security, more than ever! Document signatures work with 30-year-old standards (X.509) and most of the software available is closed source. Project's answer A web-based, mobile-friendly solution to offer signatures and verification of documents. Jens Finkhäuser - Interpeer Secure and efficient peer-to-peer networking stack Issue One of the critical issues is that the web is fundamentally centralised in some sense and grants too much power to its centralised components. 
Project's answer Based on an analysis of the web technology stack and alternatives, we’ve derived an alternative, human-centric architecture. Our work now is to implement this. Wiktor Kwapisiewicz - OpenPGP-OpenSSH Improving SSH Authentication with OpenPGP transitive trust Issue The project addresses the issue of initial trust in SSH. Most SSH users default to the “Trust On First Use” model, which leaves the first, initial connection vulnerable to Man in the Middle attacks. Project's answer Solving this problem securely but frictionlessly requires some kind of Public Key Infrastructure. Our project uses the OpenPGP PKI to authenticate the remote host. L7: Decentralised solutions Esther Payne & Brett Sheffield - Librecast End-to-end encrypted multicast Issue The increasingly centralized nature of our unicast internet makes us more vulnerable to surveillance and censorship and risks our privacy. Project's answer The Librecast Project is building the software required to rebuild our internet using multicast, with privacy, accessibility, and efficiency as design goals from the outset. Aljoscha Meyer & Sam Gwilym - Earthstar + Willow P2P protocol and APIs for collaborative and social applications Issue The key issue we see is fragility. Most networked services are built in a tightly coupled way where a single component failure can bring the whole service down, and users regularly lose access to their data. Project's answer Devices using Willow can connect to each other directly, with no privileged intermediary infrastructure like a data centre; and that they can disconnect from the network, yet still be able to read and write data. Niko Bonnieure - NextGraph Local-first collaboration, with privacy, security, data locality, and interoperability in mind Issue Big Tech is maintaining a Giant Global Graph of data inside their proprietary silo's/data centres, where all our personal and sensitive information is stored. But we have no access to this graph. 
Project's answer NextGraph addresses both issues of privacy and availability: its graph is open and can be queried by anyone, if the permission to do so has been granted by the owners of the data. Santiago Bazerque - Hyper Hyper Space Cryptographically secure append-only distributed data layer Issue The trust/control barriers are off. We often use platforms over which we need more control. Project's answer When we use cloud-based apps, they’re not running on our computer or phone. In the model Hyper Hyper Space is working on, everybody has a copy of the app's workspace on their device. Michał “rysiek” Woźniak - LibResilient Create robust web presence with service workers and DHT Issue Centralization of infrastructure, control, and power makes it difficult to run a website independent of a few gigantic internet companies. Project's answer LibResilient allows a website to stay up to returning visitors even if the original site is down, without relying on centralized internet gatekeepers. L8: Data and AI Sepand Haghighi, Arash Zolanvari & Sadra Sabouri - PyCM Evaluate the performance of ML algorithms Issue Evaluating LLMs is difficult due to the complexity of evaluating models on different tasks and aggregation. Project's answer PyCM emerged as the first and most complete tool for evaluating AI classification tools. L9: Services + Applications Michiel de Jong - Federated Bookkeeping Hybrid self-hosted e-invoicing with decentralized identities Issue Due to the power of capital investment, there is too much focus on building momentum around specific proprietary platforms and not enough on making these platforms interoperable. Project's answer My projects mostly try to build open source prototypes of a more connected and distributed vision for internet applications, accompanied by protocol specifications and test suites. 
L10: Vertical use cases, search and community "},{"description":" Stories of the Next Generation Internet At NLnet we support people and organisations who contribute to a free, open, decentralized, resilient and secure internet. These people are working on inspiring projects that benefit everyone. We'd like to shine a light on them by sharing their stories. Each story is a piece of the larger narrative of the Next Generation Internet. What it is, why we need it and how you can participate. Come and meet the people working on the building blocks of the Next Generation Internet. Interviews Read the interviews with developers to learn more about their projects. Podcast Listen to conversations with the people building the Next Generation Internet. Webinars Webinar recordings featuring NGI Zero projects and partners. From around the web A collection of external sources telling stories about NGI Zero projects. Publications Trust from the ground up, a book with an overview of all NGI Assure projects. ","title":"Stories of the Next Generation Internet","url":"https://nlnet.nl/stories/"},{"url":"https://nlnet.nl/stories/external-sources/","title":"Stories about projects elsewhere on the web","description":" Stories about projects elsewhere on the web An overview of external sources telling stories about the projects we support such as media coverage or content created by the projects themselves. Mind you this list is (very) non-exhaustive. We'll add sources when we see it but we have no structural method to collect all the data and archive it here. Ontogen and Mud 2026-03-19 — Ontogen Blog DCAT-R, Gno, and RDF.ex 3.0 . Although the Ontogen project is still ongoing, several sub-projects have emerged from the project that are independently being released. Apereo CAS 2025-06-06 — Apereo Community Blog Apereo CAS Receives NLnet Grant to Advance CAS Development. Extensive description of the CAS project and the work planned with support from the NGI Zero Commons Fund. 
Nyxt 2025-06-06 — lwn.net Article by Joe Brockmeier. A review about Nyxt that starts with the sentence: \"Nyxt is an unusual web browser that tries to answer the question, \"what if Emacs was a good web browser?\". Nyxt is not an Emacs package, but a full web browser written in Common Lisp\". Redox Flow Battery 2025-02-26 — lwn.nl Article by technology writer Koen Vervloesem. Nice write-up about the Flow Battery Research Collective who are building an open source redox flow battery. They plan to democratize flow battery technology by developing an open source flow battery, starting with a development kit. badkeys 2024-11-13 — German OWASP Day 2024 Talk by Hanno Böck, developer of badkeys, an open source tool to check cryptographic keys for known vulnerabilities. In early 2024, hundreds of DKIM setups still used cryptographic keys vulnerable to a bug from 2008 in Debian's OpenSSL package. The talk will cover such findings and plans for future improvements in badkeys. Manyfold 2024-10-23 — FLOSS Weekly by Jonathan Bennett and David Ruggles Podcast with James Smith about Manyfold, the self-hosted 3D print digital asset manager that’s on the Fediverse! Does it do live renders? Does it slice? Listen to find out! Interpeer 2024-10-20 — SafetyDetectives by Shauli Zacks Interview with Jens Finkhaeuser - Founder and CEO at the Interpeer Project. “a minor technical cause — deliberately leaving something undefined for flexibility — has turned the web from a fantastic means for connecting people across the globe into a human rights nightmare that can actively endanger lives.”. Librecast Live 2024-09-17 — APC News by Xavier Coadic Interview with Esther Payne of Librecast. “The code we create and the tools we use can help or harm humanity. We write our political values into our code”. Part 3 of APC's Building a Free Internet of the Future series. BrailleRAP 2024-08-23 — APC News by Xavier Coadic Interview with Stéphane Godin, creator of BrailleRAP. 
BrailleRAP is an open source printer to produce documents in Braille. Godin speaks about collaborative manufacturing, the power of open licenses and the impact of their NGI0 Entrust grant. Part 2 of APC's Building a Free Internet of the Future series. CryptPad 2024-07-17 — APC News by Xavier Coadic Interview with CryptPad's David Benqué, graphic designer in charge of UI/UX, and Mathilde, deployment engineer who also does community and support. They talk about being up against Big Tech, accessibility and the usefulness of NGI Zero grants. Part 1 of APC's Building a Free Internet of the Future series. Post-Quantum Crypto in DNSSEC 2024-07-11 — PING podcast Host George Michaelson talks to Peter Thomassen & Jason Goertzen. Jason and Peter explored implementations of some of the NIST post-quantum candidate algorithms in Bind9 and PowerDNS code. Their tests confirmed that, as things currently stand, issues with packet size in the DNS and the new algorithms will pose problems for deployment. MirageVPN 2024-07-04 — FSFE podcast hosted by Matthias Kirschner Hannes Mehnert, one of the MirageOS core developers, talks about the usage of MirageOS, the funding and how you as a volunteer can support MirageOS. LiberaForms and Framasoft 2024-06-24 — Blogpost by David from LiberaForms Announcing a collaboration between LiberaForms and Framasoft Peertube 2023-12-13 — Peertube AMA Livecast Ask Me Anything with Pouhiou (Framasoft's codirector and PeerTube's product owner), Booteille (volunteer member of Framasoft, and contributor to the PeerTube's ecosystem) and moderated by Laurens (Author of The Fediverse Report). Tauri 2023-09-29 — Changelog Podcast by Adam Stacoviak & Jerod Santo Tauri's next big move Pixelfed 2023-08-12 — Wired by Justin Pot How to Move Your Instagram Feed to Pixelfed, the Photo App That Doesn't Track Your Every Move. 
RETETRA 2023-07-24 — TETRA Radio For Critical Comms Is Vulnerable, Researchers Show tetraburst.com The Register Wired Vice The Next Web RTL Nieuws NCSC NRC De Volkskrant Interpeer 2023-05-11 — Next Generation Internet Interview with Jens Finkhaeuser (Interpeer) - NGI Zero Participant. "},{"description":" NGI0 Speaker bureau Invite our experts to your event Are you interested in bringing the next generation internet to your event? Fill in the form below to invite a speaker. For info on how the speaker bureau works, see frequently asked questions below the form. NGI Zero's mission is to contribute to an open, resilient, human-centered internet for all by supporting the development of free/libre/open source software and hardware, open standards and open data. We're a consortium of not-for-profit organisations, each with a specific area of expertise to make the digital commons more robust. The NGI0 speaker bureau liaises to bring these experts to your event. FSFE Legal Education Workshop In addition to speakers the Free Software Foundation Europe also offers the Legal Education Workshop to learn about Free Software from a legal perspective. We'll tell you more about this in the section below the speakers. Experts in our network: Cyber security / Post growth entrepreneurship Melanie Rieback CEO and co-founder of Radically Open Security Dr. 
Melanie Rieback is CEO/Co-founder of Radically Open Security (the world's first not-for-profit computer security company), and \"Post Growth\" startup incubator Nonprofit Ventures. She is also a former Assistant Professor of Computer Science at the Free University of Amsterdam. She was named \"Most Innovative IT Leader of the Netherlands\" by CIO Magazine (TIM Award) in 2017, and one of the \"9 Most Innovative Women in the European Union\" (EU Women Innovators Prize) in 2019. She is also one of the 400 most successful women in the Netherlands by Viva Magazine (Viva400) in 2010 and 2017, and one of the fifty most inspiring women in tech (Inspiring Fifty Netherlands) in 2016, 2017, and 2019. Her company, Radically Open Security was named the 50th Most Innovative SME by the Dutch Chamber of Commerce (MKB Innovatie Top 100) in 2016. Radically Open Security Radically Open Security prides itself on being the world’s first not-for-profit computer security consultancy company. ROS is prototyping an innovative new business model to provide a commercial front-end that sends 100% of our profits tax-free to a charitable foundation (NLnet foundation). Our low management/overhead costs mean we can afford to pay competitive wages to our computer security consultants. ROS is \"hacking a new business model\" for prototyping an ideal company – one that optimizes for benefit to the world (customers, employees, society) as opposed to profit motive (shareholders, investors, founders). Their hope is that, in a few years from now, we might inspire others to set up similar sustainable \"not for profit businesses\" in other industries. Travels from: Melanie is based out of Amsterdam but has given on-site presentations in, for instance, Europe, North America and Africa. Security / Privacy / Standards Stephen Farrell CEO and co-founder of Tolerant Networks Dr. 
Stephen Farrell is co-founder of Tolerant Networks and a research fellow in the Distributed Systems Group of the School of Computer Science and Statistics at Trinity College Dublin. At Trinity College Stephen teaches and researches on security and delay/disruption-tolerant networking (DTN). In 2006 he co-authored the first book on the latter topic. Stephen has been involved in Internet standards for more than a decade and has been an IETF security area director for six years. Prior to returning to academia in 2002, Stephen had 15 years' experience in industry, working for Siemens and Baltimore Technologies amongst others. Tolerant Networks Tolerant Networks Limited (a Trinity College Dublin campus company) works on Internet security and privacy. Tolerant Networks was founded in April 2010 by Stephen Farrell and Kerry Hartnett. The company was spun out of an EU FP7 funded project called N4C in which we used Delay Tolerant Networking (DTN) to enable Internet-like communications in very remote communities. It has successfully completed a range of projects in the area of DTN deployment, educational DTN projects and DTN usage for the European Space Agency. Tolerant Networks is a Trinity College Dublin campus company. Travels from: Dublin, Ireland. Legal and licensing topics relating to Free Software Gabriel Ku Wei Bin Legal Programme Manager at FSFE Gabriel is a Legal Programme Manager at the FSFE. Originally from Singapore, Gabriel is a former human rights and constitutional law researcher, as well as a former commercial lawyer. At the FSFE, Gabriel manages the FSFE’s legal projects, including its involvement in a number of European Commission funded projects, including the NGI0 projects. Additionally, Gabriel administers the FSFE’s Legal Network of lawyers around the world involved in Free Software, in order to promote discussion and foster better knowledge of the legal constructs that back Free Software. 
In addition to the topic mentioned above, Gabriel also speaks about How Free Software supports Human Rights Free Software Foundation Europe The Free Software Foundation Europe is a charity that empowers users to control technology. Software is deeply involved in all aspects of our lives, and it is important that this technology empowers rather than restricts us. Free Software gives everybody the rights to use, understand, adapt, and share software. These rights help support other fundamental freedoms like freedom of speech, press, and privacy. The FSFE helps individuals and organisations to understand how Free Software contributes to freedom, transparency, and self-determination. It enhances users' rights by abolishing barriers to Free Software adoption, encouraging people to use and develop Free Software, and providing resources to enable everyone to further promote Free Software in Europe. Travels from: Berlin, Germany Security / Open source projects / Women in tech Dominika Regéciová Senior Researcher at Gen Digital Senior Researcher at Gen Digital and Ph.D. student at the Faculty of Information Technology, Brno University of Technology. Her research interests include formal models, compilers, and languages, focusing on their use in computer security. Dominika advocates for women in Tech. Brno University of Technology Brno University of Technology is a research-oriented technical university founded in 1899. Faculty of Information Technology, Brno University of Technology (BUT) is the second-largest technical university in Czechia. It comprises 8 faculties with more than 18,000 students and 3,000 staff members. The Faculty of Information Technology (FIT) provides education in the Bachelor, Master, and Doctoral Study programs in Information Technology and Artificial Intelligence. 
FIT is involved in many European and international projects, national research and development grants, and contractual research for large multinational companies, as well as regional small and medium enterprises. Travels from: Brno, Czech Republic. Digital transformation in automation industry Christofer Dutz Member of the Apache Software Foundation Christofer Dutz is a software engineer, open source advocate, and member of the Apache Software Foundation. For more than a decade he has been building protocol drivers and connectivity solutions for industrial automation systems, leading the development of Apache PLC4X and contributing across multiple ASF projects. As founder of ToddySoft GmbH, he focuses on IT/OT convergence, building high-performance drivers, connectors, and toolkits for Beckhoff, Siemens, Wago, Phoenix Contact, and many other ecosystems. His work enables reliable data exchange between PLCs, enterprise systems, MQTT/Kafka infrastructures, and modern cloud/edge platforms. Christofer is a frequent speaker on topics like protocol reverse-engineering, industrial connectivity, open standards, and open source sustainability. ToddySoft GmbH & Apache Software Foundation Apache Member, PMC Member in 11 Apache Projects, Mentor in the Apache Incubator, Former Member of the Apache Software Foundation Board of Directors. Founder of ToddySoft GmbH Travels from: Ober-Ramstadt, Germany Free Software legal and licensing issues /.../ Lucas Lasota Legal Programme Manager at the FSFE Dr. Lucas Lasota works as Legal Program Manager at FSFE. He is also a researcher and lecturer at the Humboldt University of Berlin in the field of Civil, IT and Telecommunications Law. His current research is focused on contemporary regulatory measures involving digital technologies and their impact on individual and collective rights, as well as internet governance, telecommunications and international contract law. 
In addition to the topics mentioned above, Lucas also speaks about Device Neutrality, Router Freedom, AI and Free Software Free Software Foundation Europe The Free Software Foundation Europe is a charity that empowers users to control technology. The FSFE helps individuals and organisations to understand how Free Software contributes to freedom, transparency, and self-determination. It enhances users' rights by abolishing barriers to Free Software adoption, encouraging people to use and develop Free Software, and providing resources to enable everyone to further promote Free Software in Europe. Travels from: Berlin, Germany Internet decentralisation/Digital autonomy /.../ Gerben van den Broeke NLnet foundation A self-taught programmer and school-taught electrical engineering and machine learning graduate, Gerben takes a full-stack view on technology, with an interest in the interplay of technology and society. Gerben also speaks about Interoperability and Data protection in addition to the topics mentioned above. Before joining NLnet he worked for noyb and Redecentralize.org NLnet foundation NLnet financially supports organisations and people who contribute to a resilient, trustworthy, sustainable, open internet for all. It offers a fast and low-threshold grant application process so as to not waste anyone's time. All project results become available under an open source license so it's available for everyone to use, study, modify and share. Travels from: Brussels, Belgium Online press & business models / foss rights /.../ Simon Descarpentries Meta-Press.es Simon is a computer science engineer with 15 years of experience in web development and is an online press expert. He is the creator of Meta-Press.es, a search engine to read the news without surveillance. Being a free software enthusiast for 20 years he contributed to many free software associations such as Framasoft, April.org and La Quadrature du Net. 
Today he is the CEO of a small free software company Acoeuro.com, treasurer of the French Fund for Defense of Net Neutrality and leader of the Meta-Press.es project. In addition to the topics mentioned above Simon also speaks about: impacts of the free softwares over the western societies; fundamental rights in the digital age; the emergence of a horde of independent investigation newspapers in France (hundreds of them); technical web lessons learnt from the dissection of a thousand worldwide online newspapers… Meta-Press.es Meta-Press.es is a search engine that lets you explore the news without middle men between news papers and your browser. Meta-press, which comes in the form of a browser add-on, helps you avoid the swamp of third-party trackers on most newspaper websites and the jungle of fake newspapers. Travels from: Pougne-Hérisson, Deux-Sèvres, France Open source game development /.../ Ramon Santamaria Gamedev engineer & entrepreneur Ramon is a passionate gamedev engineer and entrepreneur. Developer of multiple tools and technologies for games development and more. Creator of the popular FOSS and multi-awarded framework raylib, designed to easily put graphics on any screen. Ramon speaks about multiple topics related to open source game development: raylib, his popular multiplatform C library for graphics programming; videogames development: processes, pipelines, tooling, middleware; open source tools and technologies for videogames development; gamedev education, personal experience teaching gamedev for 13 years at multiple institutions. raylib raylib is a simple and easy-to-use C library to draw graphics on any kind of display, originally created for education, today it is used in many other fields: to develop commercial videogames, multiplatform tooling, 2D/3D simulations and visualization, R&D, embedded platforms. 
Along the 12 years of life of raylib, a wide ecosystem has been built around the library, with +20 support libraries and tools published, most of them FOSS. Travels from: Barcelona, Spain Data & AI / Information retrieval /.../ Pavel Smrz Associate professor at Brno University of Technology Leads Faculty of Information Technology, Knowledge Technology Research group. Pavel's research interests include embedded intelligence, machine learning, IoT, and human-machine interaction. He also speaks about Middleware and Open Data. He leads the Faculty of Information Technology, Knowledge Technology Research group Brno University of Technology Brno University of Technology is a research-oriented technical university founded in 1899. Faculty of Information Technology, Brno University of Technology (BUT) is the second-largest technical university in Czechia. It comprises 8 faculties with more than 18,000 students and 3,000 staff members. The Faculty of Information Technology (FIT) provides education in the Bachelor, Master, and Doctoral Study programs in Information Technology and Artificial Intelligence. FIT is involved in many European and international projects, national research and development grants, and contractual research for large multinational companies, as well as regional small and medium enterprises. Travels from: Brno, Czech Republic. The GNU project / Taler (electronic payments) Christian Grothoff Professor at Bern University of Applied Sciences. GNU maintainer, co-founder of Taler Systems SA and Anastasis SARL. Christian's research interests include future Internet architectures, compilers, programming languages, software engineering, networking, security and privacy. Before, he was leading the Décentralisé research team at INRIA and an Emmy Noether research group leader at TU Munich. He earned his PhD in computer science from UCLA, an M.S. 
in computer science from Purdue University, and a Diplom in mathematics from the University of Wuppertal. He also served as an expert court witness, and has reported on technology and national security as a freelance journalist. The GNU Project The goal of the GNU Project is to build a libre operating system that gives computer users freedom and control in their use of their computers. GNU is an operating system that is free software—that is, it respects users' freedom. The GNU operating system consists of GNU packages (programs specifically released by the GNU Project) as well as free software released by third parties. The development of GNU made it possible to use a computer without software that would trample your freedom. Taler Systems is a frictionless, sustainable, low-cost and highly scalable payment system. It’s like cash but digital, with instant confirmation for all fiat- and crypto-currencies. Taler protects your data, while being environmentally friendly. Travels from: Biel/Bienne, Switzerland. Open source & open models / FOSS funding /.../ Pierre-Yves Gibello CEO of OW2 Pierre-Yves, initially a software R&D engineer, has been the CEO of OW2 since 2022. Before, he was an open source supporter for nearly 30 years, writing code, doing business and consulting, working with academia, teaching computer science and participating in OW2 as an elected Board representative. Pierre-Yves also speaks about Digital Commons and Digital Sovereignty in addition to the topics mentioned above. OW2 OW2, a French non-profit FOSS foundation, hosts open source projects, promotes them, animates a community mixing academics, companies, public bodies, foundations, associations and individuals, promotes FOSS by organizing or participating in professional events, and advocates for it at political and social levels. OW2 is also involved in the Next Generation Internet FOSS funding programme. 
Travels from: Grenoble, France Digital commons / Rules as code /.../ Matti Schneider Open Terms Archive / OpenFisca. Matti Schneider is Founder & Director of Open Terms Archive / Director of partnerships at OpenFisca. He is a passionate advocate for digital commons and open source innovation. As a software engineer and product manager, Matti's experience includes founding a social impact startup in sustainable mobility, leading public healthcare tech projects, co-founding the French Prime Minister State Startups incubator, and driving digital transformation across governments. He is also Director of partnerships of OpenFisca, a law modelling tool recognized by the United Nations as a Digital Public Good and used by multiple governments worldwide. He played a pivotal role in the development and global adoption of OpenFisca. Additionally, Matti founded Open Terms Archive, a tool for tracking and assessing changes in online platform policies. Under his lead, these projects have been distinguished by organisations such as the World Government Summit, the OECD, the Digital Public Goods Alliance, or the Nobel Prize Summit. As a digital nomad, Matti travels extensively to understand how to best serve diverse cultures. His personal travels not only enrich his professional insights but also fuel his commitment to leveraging technology for social good. In addition to the topics mentioned above, Matti also speaks about Platform Governance. Open Terms Archive Open Terms Archive publicly records every version of the terms of digital services to enable democratic oversight and make them transparent. It addresses a critical gap in the ability of activists, journalists, researchers, lawmakers and regulators to analyse and influence the rules of online services. Big Tech services benefit from the opaqueness of their terms, Open Terms Archive makes them transparent. Travels from: Matti is a nomad, reach out for travel arrangements. 
WebXR / Interoperability for emerging tech Fabien Benetou Software prototypist Fabien Benetou is a software prototypist focusing on virtual and augmented reality, leveraging open source and interoperability on the Web. Until recently he worked for the European Parliament leading the XR projects of the innovation unit, supported the UNICEF Innovation Fund on WebXR, worked for Mozilla on its social virtual world, among others. Currently Fabien is contributing to the Future of Text in XR project via an Alfred P. Sloan Foundation grant, contributing to a recurring NGI0 project, “xrsh - Interactive text/OS terminal inside WebXR”, and just recently started his own “Federating pedagogical immersive experiences” thanks to the NLnet Foundation and thus an NGI0 supported project. Iterative Explorations Iterative Explorations builds prototypes exploring interoperability for emerging technologies, in particular WebXR as VR and AR on the web. Travels from: Brussels, Belgium OpenFlexure Microscope / Open science Hardware Dr Julian Stirling Chief Executive of HTTrust Julian is Chief Executive of the Humanitarian Technology Trust and is one of the core developers of the OpenFlexure Microscope. He also develops sophisticated and automated open source workflows for hardware development and documentation. Julian has worked closely with manufacturing partners in Africa during the development of the OpenFlexure Microscope. Julian holds a PhD in Physics, and has previously worked for the University of Bath, University of Maryland, and NIST developing precision scientific instruments. He is also well-connected within the global open source hardware movement, and was previously on the community council for the Gathering for Open Science Hardware and on the board of the Open Science Hardware Foundation (formerly GOSH Inc). 
In addition to the topics mentioned above Julian also speaks about documentation for Open Source Hardware. The Humanitarian Technology Trust The Humanitarian Technology Trust is a UK charity that enables the local production of essential and life saving open source technologies. Its core project at this time is the OpenFlexure Microscope, a laboratory grade digital diagnostic microscope, that can be built anywhere in the world. The microscope can image malaria parasites and cancerous cells, and is undergoing clinical evaluation for diagnostic use in five continents. Travels from: Bath, United Kingdom Security / Privacy / Standards Kerry Hartnett Director and co-founder of Tolerant Networks Kerry is co-founder of Tolerant Networks. With over 20 years' experience in IT he is an experienced and versatile senior IT professional. Kerry worked with Intel for 15 years in all aspects of IT. Commercially aware and results-orientated with a wide range of technical abilities, Kerry's planning and organisational skills have enabled him to repeatedly deliver complex integration projects to schedule. Kerry has a BSc. in Information Systems and has worked on contract as a research engineer on the N4C project. Kerry's focus is on new technology deployment in networks and research. Tolerant Networks Tolerant Networks Limited (a Trinity College Dublin campus company) works on Internet security and privacy. Tolerant Networks was founded in April 2010 by Stephen Farrell and Kerry Hartnett. The company was spun out of an EU FP7 funded project called N4C in which we used Delay Tolerant Networking (DTN) to enable Internet-like communications in very remote communities. It has successfully completed a range of projects in the area of DTN deployment, educational DTN projects and DTN usage for the European Space Agency. Tolerant Networks is a Trinity College Dublin campus company. Travels from: Dublin, Ireland. 
WebXR / WebVR / WebAR / Virtual worlds /.../ Leon van Kammen Founder of the XR Hypermedia Federation Leon is the founder of the XR Hypermedia Federation, an organization dedicated to ensuring that virtual worlds remain as open and interconnected as possible. He argues that \"public XR highways\" are essential for a future where we move seamlessly between digital experiences without being locked into proprietary engines. Key Contributions to the XR Ecosystem: XR Fragments: A URL standard for XR (funded by NLnet) that allows for precise \"linking\" within spatial environments (https://www.youtube.com/watch?v=mTJZ0JVw0lY) XRForge: A self-hostable (Janus)XR platform that empowers creators to own their digital space. XRSH: A technical milestone—the first-ever WebXR shell capable of running actual Linux. Leon’s work focuses on cost-efficiency and accessibility, advocating for a shift away from disjointed XR apps/games toward a streamlined, local-first hypermedia-driven approach. Whether you are a developer, a policy-maker, or a VR enthusiast, Leon’s vision for a \"common ground for all\" is a glimpse into the future of the spatial web. The XR Hypermedia Federation The XR Hypermedia Federation (XRHF) fosters digital commons for XR hypermedia. It helps connect open XR ecosystems and get them funded. It supports public local-first AR/VR/MR highways without obstacles by promoting public spatial hypermedia. XRHF encourages XR translator-development to view existing ecosystems within AR/VR-headsets via open protocols. Its mission 100% piggybacks NLnet and follows the 'digital for good'-values of Europe, US (DFI), and Canada (DC), narrowed down to OpenSource XR experiences via link traversal. Travels from: Budapest, Hungary Community development / Cooperative principles Alex W. Rodríguez Co-founder of Mirlo Alex is an improvising trombonist, writer, organizer working at the confluences of music and social transformation. 
He has worked in the solidarity economy movement as co-founder of Mirlo, a digital music distribution software cooperative, the mental health worker cooperative Catalyst Cooperative Healing, and as an Artist-Owner of Ampled. Alex holds a PhD in Ethnomusicology from UCLA, where his research focused on jazz clubs and the communities that sustain them in California, Chile, and Siberia; his writing on the contemporary jazz world has appeared in NPR Music and DownBeat, among other outlets. In addition to the topics mentioned above Alex also speaks about project governance, music, improvisation and organizational creativity. Mirlo The music industry does not work for artists or listeners and needs a radical re-imagining. Mirlo hosts a community of artists, listeners, organizers, and coders who are daring to do just that: taking lessons learned from working in the solidarity economy and applying them to our platform. We are building an online audio distribution and patronage platform that aims to be radical, accessible, open source (free & libre), modular, and standards based. Travels from: Holyoke, MA, USA FSFE Legal Education Workshop The Legal Education Workshop of the FSFE features talks on legal topics relating to Free Software, as well as a workshop to facilitate a better understanding of these legal frameworks and compliances. The talks will explain basic legal concepts such as licenses, copyright law, and its practical application into your projects with the FSFE's REUSE initiative, as well as other legal topics important for developers and the Free Software community in general. Free Software grants users and developers the essential freedoms to construct a healthy and open digital ecosystem. 
To preserve and guarantee the continued enjoyment of those freedoms, it is important to understand and comply with the legal framework which safeguards our software projects from potential legal threats and also makes sure they reach their full potential. Understanding the legal matters and complying with legal obligations can become a burden sometimes. That is the reason why the FSFE organizes the Legal Education Workshop. Its aim is to spread basic legal education on the legal context of Free Software, so that licensing your project, understanding copyright, and meeting legal obligations in your software project will be less of a daunting task! Request to host the workshop The workshop is developed by Lucas Lasota (lucas.lasota@fsfe.org) and Gabriel Ku Wei Bin (gabriel.ku@fsfe.org). If you are interested in hosting a Legal Education Workshop fill in the form below or contact the speakers directly. The full workshop takes four hours. But it is also possible to request a more condensed version that takes less time. If you want to know what to expect, here is a video of a previous edition of Legal Education Day at SFSCON 2022. For more information about Free Software Licensing check the FSFE's Frequently Asked Questions page. Request a speaker for your event Which speaker would you like to invite? What topic are you interested in? Do you offer reimbursement of traveling costs? Do you have budget for a speaker fee? Tell us about you so the speakers know what they are getting themselves into Name of your event Website of your event Topic(s) of your event Target audience Date of your event Event location (or online) Your name Your organisation Your email address Description and other remarks: Submit Frequently Asked Questions What is the purpose of the speaker bureau? Part of NGI0's mission is to share knowledge about the digital commons, and what exciting things are happening in the open technology community. 
We've established the speaker bureau for people who want to bring this knowledge to their event. Is a speaker fee required? No, it's not required. You can send in a speaker request if you don't have budget for a speaker fee. But if you do have a budget we'd appreciate compensation for the time the speakers are putting in. Will my requested speaker definitely say yes? No. We will relay your request but like most mortals our speakers do not have an unlimited time supply. So they'll have to make choices on what to spend it on. What is the role of the speaker bureau? We provide a consolidated point of entry to our network of researchers and developers, a single place where you can put in all requests for speakers. We'll ask the speaker(s) on your behalf. If they say yes, we'll get out of the way and will directly connect you to each other. I don't know which speaker to ask, can I ask for advice? Yes, of course. Contact us! ","title":"NGI0 Speaker bureau","url":"https://nlnet.nl/speakerbureau/"},{"url":"https://nlnet.nl/propose/","title":"Apply for a grant","description":" Apply for a grant Next deadline: June 1st 2026 12:00 CEST (noon) This form can be used to request support for your project. Note that releasing software, hardware and content under libre/open licenses, and the application of open standards where possible are transversal requirements for all. From our end we will provide a transparent and efficient selection process. Please check the (call-specific) guide for applicants for the call you are interested in. Please also don't forget to look into our privacy statement about how we deal with your information (should be a pleasant surprise, actually — we really care about your privacy. Throughout the years we've funded the development of quite some widespread privacy enhancing technologies ourselves). A practical point: we recommend to prepare longer answers offline, in case something goes wrong with your browser session. 
It is a light weight procedure, please don't wait until the last hour before the deadline before submitting — deadlines are hard. Please select a call In the list of current calls below, please indicate the call topic you are responding to. Note that some larger funds (like the NGI0 Commons Fund) and smaller funds with targeted calls (like NGI Fediversity, and TALER — all part of the Next Generation Internet initiative) will have some special scope or conditions. You'd better have a look at the respective guides for applicants before you submit a proposal. If in doubt, submit to our open call and mention in the application that you are okay with us allocating your proposal to the most suitable fund. Thematic call NGI Zero Commons Fund NGI TALER NGI Fediversity Research & Higher Education Technology Fund Open Call Other Contact information Your name Email address Phone number Organisation Country General project information Proposal name Website / wiki Please be short and to the point in your answers; focus primarily on the what and how, not so much on the why. Add longer descriptions as attachments (see below). If English isn't your first language, don't worry — our reviewers don't care about spelling errors, only about great ideas. We apologise for the inconvenience of having to submit in English. On the up side, you can be as technical as you need to be (but you don't have to). Do stay concrete. Use plain text in your reply only, if you need any HTML to make your point please include this as attachment. Abstract: Can you explain the whole project and its expected outcome(s). Have you been involved with projects or organisations relevant to this project before? And if so, can you tell us a bit about your contributions? Requested support Requested Amount   (in Euro) Explain what the requested budget will be used for? Does the project have other funding sources, both past and present? A breakdown in the main tasks with associated effort is appreciated. 
Make rates explicit. (If you want, you can in addition attach a full budget at the bottom of the form) Compare your own project with existing or historical efforts. What are significant technical challenges you expect to solve during the project, if any? Describe the ecosystem of the project, and how you will engage with relevant actors and promote the outcomes? Attachments Attachments: add any additional information about the project that may help us to gain more insight into the proposed effort, for instance a more detailed task description, a justification of costs or relevant endorsements. Attachments should only contain background information, please make sure that the proposal without attachments is self-contained and concise. Don't waste too much time on this. Really. Accepted formats for attachments are: HTML, PDF, OpenDocument Format and plain text files.(The total size of attachments must not exceed 50 MB) Generative AI Did you use generative AI in writing this proposal? (See our GenAI policy.) --Please choose an option-- I did not use generative AI in writing this proposal I have used generative AI in writing this proposal Which model did you use? What did you use it for? Please submit the dates of the prompts, the prompts themselves and the unedited output in this text field. Optional files containing prompts used in creation of this proposal.(The total size of attachments must not exceed 50 MB) How may we handle your information Your privacy is so important to us, we wrote a nifty privacy statement. We'd love to collect as little personal data from you as possible, but we're bound by some pesky rules and regulations. So, before you submit your proposal, please acknowledge the following: I have read and understood NLnet’s Privacy Statement. I agree that the NLnet can collect, use, and share my personal information as described in the statement. 
I also understand that I have rights over my personal information, such as the right to access, correct, or delete it.  Send me a copy of this application. PGP pubkey     We will contact you within a few days after the deadline. Alternatively (or in case of urgency), you can contact us in a number of ways. "},{"description":" XSSer Cross Site Scripting testing Currently, XSS attack is one of the most widespread vulnerabilities in Web applications. Incorrect filtering and the appearance of new increasingly sophisticated techniques make protection a complex and time-consuming task. Cross Site \"Scripter\" aka XSSer, is an open source penetration testing tool that automates the process of detecting and exploiting XSS injections in different applications. It contains several options to bypass certain filters, and various special techniques of code injection. It makes possible to test an application on vulnerabilities to Cross Site Scripting (XSS) attacks. The XSSer tool aims to automate these complex application security testing tasks. Run by R.C. Merida (psy) The project's own website: http://xsser.sourceforge.net/ ","url":"https://nlnet.nl/project/xsser/","title":"XSSer"},{"title":"xrsh","url":"https://nlnet.nl/project/xrsh/","description":" xrsh Interactive text/OS terminal inside WebXR xrsh (xrshell) brings the FOSS-soul of unix/linux to WebXR, promoting the use of (interactive text) terminal and user-provided operating systems inside WebXR (=xrsh). Technically, xrsh is a bundle of freshly created re-usable FOSS WebXR components. 
These provide a common filesystem interface for interacting with WebXR, offering the well-known linux/unix toolchain including a commandline to invoke, store, edit and run WebXR utilities - regardless of their implementation. Think of it as termux for the VR/AR headset browser, which can be used to e.g. livecode (using terminal auto-completion!) for XR component (registries). The project's own website: https://xrsh.isvery.ninja This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. "},{"description":" xqerl Performant (Erlang) implementation of W3C XQuery and XML database This project is archived. Due to circumstances, the project as planned did not take place. This page is left as a placeholder, for transparency reasons and to perhaps inspire others to take up this work. The xqerl project is an open-source XQuery 3.1 implementation. It attempts to combine the simplicity of the W3C XQuery 3.1 language for querying and building XML and JSON, with the powers of the Erlang language for building massively concurrent, fault-tolerant, distributed applications. Many optional language features have already been added to xqerl, including the RESTXQ specification for building REST endpoints directly from code annotations. To further enhance user experience and the feature-set of xqerl, the \"Schema Aware\" and \"Typed Data Features\" will be added. These features will allow for XML Schema documents to be directly referenced from queries and the query statically analyzed at compile time using the schema to either build better query plans or return errors back to the user before running time consuming queries. The project's own website: https://github.com/zadean/xqerl Why does this actually matter to end users? 
One of the reasons the internet has grown to be the backbone of current society and economy, is because it is based on open source technology and open standards. This way the technology that runs on routers and computers everywhere, is not governed by commercial, but public interests. Open standards play an important role in this, as they provide a way for software and hardware developers and organizations to converge on one (or multiple) ways to go about things, which improves interoperability. A recurring problem of establishing open standards is that to prove their real-life value, you need stable and updated implementations that demonstrate their capabilities. This project will provide a modern implementation of the so-called XQuery-standard, which was established through the World Wide Web Consortium (W3C), combined with the fault-tolerant powers of the Erlang programming language. The XQuery-language can query and transform both structured (also known as semantic or linked data) as well as unstructured data. Erlang can be used to build concurrent, distributed and fault-tolerant applications. Combined, this project will deliver developers to build massively parallel and concurrent systems for reading, writing, aggregating, and analyzing semi-structured data from all over the web This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. 
","url":"https://nlnet.nl/project/xqerl/","title":"xqerl"},{"title":"Jabber/XMMP","url":"https://nlnet.nl/project/xmpp/","description":" Jabber/XMMP Strengthening Trust in Jabber/XMPP Technologies Jabber Technologies, as formalized in the Extensible Messaging and Presence Protocol (XMPP), are a set of decentralized, open technologies for near-real-time messaging, presence, and streaming XML (now being extended to address multimedia signalling and other advanced use cases). The focus of this project is to improve the security and trust characteristics of Jabber technologies. The XMPP protocol is the specification of information interchange between a large group of Open Source and commercial applications, an alternative to AIM, ICQ, MSN, and Yahoo. The project's own website: http://xmpp.org/about-xmpp/xsf/xsf-organizational-documents/strengthening-trust-in-jabber-technologies/ 2007-01-19: The project proposal describes all the project milestones. .pdf (56 kB) The XMPP protocol is maintained by the XMPP Standards Foundation which is closely related to the Jabber community."},{"url":"https://nlnet.nl/project/xmpp/how.html","title":"Jabber/XMMP","description":" Jabber/XMMP Strengthening Trust in Jabber/XMPP Technologies The NLnet Foundation supports the XSF, the XMPP Standards Foundation (formerly the Jabber Software Foundation). Volunteer programmers will get \"bounties\" when they complete parts of the implementation. 2007-04-02: The Foundation \"Stichting NLnet\" contributes US$ 46,200 to the project \"Strengthening Trust in Jabber/XMPP Technologies\". 
"},{"title":"Jabber/XMMP","url":"https://nlnet.nl/project/xmpp/description.html","description":" Jabber/XMMP Strengthening Trust in Jabber/XMPP Technologies Jabber technologies, as formalized in the Extensible Messaging and Presence Protocol (XMPP), are a set of decentralized, open technologies for near-real-time messaging, presence, and streaming XML (now being extended to address multimedia signalling and other advanced use cases). In order to understand how to improve the security and trust characteristics of Jabber technologies, one needs to understand some of their key characteristics: Jabber/XMPP is not a typical open-source project; because the Jabber community is centered on a wire protocol rather than a particular codebase, it consists of many open-source projects, freeware and shareware developers, and commercial software companies. The role of the XMPP Standards Foundation (XSF) is to define protocols through open debate and discussion, then encourage the implementation of those protocols by the many decentralized projects and companies in the Jabber community. Jabber/XMPP technologies are also deployed in a highly decentralized fashion, typically in a client-server architecture that is quite similar to email (but also sometimes in a local mesh or peer-to-peer architecture through the use of zero-configuration networking). As a result, there is a large network of Jabber servers on the Internet, plus many servers operating behind firewalls on organizational intranets. However, few Jabber/XMPP servers are deployed in a high-security fashion (e.g., with non-self-signed certificiates). The core Jabber/XMPP protocols underwent rigorous cross-area and security review within the Internet Engineering Task Force (IETF) in 2002-2004, resulting in a strong security profile through the use of Transport Layer Security (TLS) for channel encryption and Simple Authentication and Security Layer (SASL) for authentication. 
However, work remains to be done in extending XMPP to include end-to-end encryption, strong identity, server and endpoint reputation, and per-hop reliability. This project concentrates on ways to strengthen the security and trust characteristics of Jabber technologies, the open network of Jabber servers, and communication among Jabber clients. While future proposals may define ways to extend those achievements, baseline security is a higher priority and therefore is the focus of this proposal. In particular, two main sub-projects will take place: Strengthening server trust by stimulating implementation and deployment of existing Jabber/XMPP protocols for encryption and strong authentication of client-to-server and server-to-server connections. Strengthening endpoint trust by completing development, iteratively improving, and encouraging deployment of strong, easy-to-use end-to-end encryption technologies over the Jabber network. More details can be found in the Project Proposal (PDF) "},{"url":"https://nlnet.nl/project/wpia/","title":"WPIA CA Infrastructure","description":" WPIA CA Infrastructure Deployment infrastructure for certificate authorities World Privacy and Identity Association is an effort to create and setup a Trusted Service Provider to deploy digital certificates to the public for free. One part of this project (and the association behind it) is the development of software to setup and operate a Certificate Authority. The software is developed from scratch, and is released under an AGPL license. The repository resides on code.wpia.club. The primary goal of the publication of the software is to grant check and control to the public. Trust is the basis of all. If someone wants to use the software for his own business he may do so. The real target of the project is to provide individuals and organisations with reliable and accountable digital certificates using PKI technique. 
Certificates should always match the CA/Browser Forum Baseline Requirements and be compatible with ETSI. Individuals will get their certificates for free (free as in free beer). Digital certificates help all people to keep fundamental rights as e.g. privacy and identity. As such, WPIA intends to provide an alternative to Let’s Encrypt. The project's own website: https://wpia.club Run by WPIA This project was funded through the Internet Hardening Fund, a fund established by NLnet with financial support from the Netherlands Ministry of Economic Affairs and Climate Policy. "},{"description":" Wormhole Project Wormhole There are two leading internet technologies emerging as the future of real-time communication: SIP and XMPP. This project and its outcome will provide the possibility for users of both universes to use either protocol to interoperate with each other for audio, instant messaging and presence. If the software is installed on the desktop next to an existing application it can encapsulate or tunnel conversations from one protocol to the other - serving as a wormhole between the two universes. It should work transparently with little or no configuration. It will allow users to share contacts and establish chat and audio sessions without having to bother of the protocol used to address buddies in user@domain format. If the software is used on a server, one should simply point the appropriate DNS record of a domain to the server, and any session request made with either SIP or XMPP protocol will be bridged to the other side. The project's own website: http://www.sylkserver.com This is a project coordinated by AG Projects BV, located in Haarlem, The Netherlands. ","url":"https://nlnet.nl/project/wormhole/","title":"Wormhole"},{"description":" Wisper long distance wifi internet infrastructure Wisper is a concept (an idea) in the field of long distance wifi network infrastructures with a practical and concrete internet service provision goal. 
Wisper is the buzz word in order to stimulate concrete project proposals and cooperative initiatives focussed on creating a new mesh-type: solely based on wifi and IPv6 internet connections. The access nodes in Wisper are projected to be low cost (US$ 100) wifi boxes with some Public Domain (fully self-configuring) networking software (probably on Linux and/or BSD OS's). Access and usage to the Wisper network should be free of charge. The plan is to create clouds of Wisper nodes. And then clouds of Wisper-clouds, expanding all over the globe. The Wisper idea is inspired by the November 2005 initiative of the One Laptop Per Child (OLPC) project. Wisper could boost the OLPC target to provide internet access in developing countries (and even in your neighbourhood). MIT research develops Roofnet, a wireless infrastructure for the town of Cambridge, MA USA. The number of nodes (currently 37) is much smaller than the target for Wisper. Other initiatives, like Wireless Leiden attempt to provide wireless internet access of large regions of towns. In these cases, the routers are connected by cable; these networks are not purely wireless. Wisper was announced in the October 2006 edition of Usenix' magazine \";login:\" (membership required to read that publication) ","url":"https://nlnet.nl/project/wisper/","title":"Wisper"},{"title":"Wisper","url":"https://nlnet.nl/project/wisper/how.html","description":" Wisper long distance wifi internet infrastructure The project is currently run by Teus Hagen of Stichting NLnet. The project has just started, investigating the needs and the problem areas. New projects will be spawned-off when the general ideas get worked-out. 
See the Wisper Wiki "},{"url":"https://nlnet.nl/project/wisper/description.html","title":"Wisper","description":" Wisper long distance wifi internet infrastructure Wisper is a concept (an idea) in the field of long distance wifi network infrastructures, but with a more practical and concrete internet service provision goal. \"Wisper\" (Wifi Internet Service Provision) is a buzz word in order to stimulate concrete project proposals and/or cooperative initiatives focussed on these new mesh-type, wifi and IPV6 based, internet infrastructure technologies. Wisper network infrastructure consists of low cost wifi boxes. The wifi hardware should be able to operate on long distance wifi, typically up to 10 miles. The boxes operate with a standard (embedded) Open Source Operating System like Linux or BSD OS. Probably, the network software will organize a mesh type of connectivity, like MIT Research's RoofNet project (however, the scaling bandwidth problem needs to be solved first). Wisper wifi boxes should be able to join an existing Wisper cloud fully automatically and the network should scale well. Similar to indoor mesh type of boxes, like the MeshCube (running on NyLon OSS software), Meraki (running on Linux 2.4), and closely related to Meraki RoofNet Cambridge MA (USA) regional wifi access (running on OpenWRT and standard wifi routing boxes). Wisper should not use scarce resources as e.g. IPV4 limited address space, refrain from expert help and expert configuration, should be fair in bandwidth use, and secure (privacy). Wisper clouds will be linked in a fully automated way. Self configuration of the clouds should be fully autonomic. For now, Wisper is an open invitation to experts who like the Wisper idea and are willing to contribute to identify practical problem areas. The NLnet Foundation forward project proposals in subareas of Wisper by OSS development groups who want to cooperate. 
The main prerequisite is that all software developments shall be fully Open Source software and must run on low cost wifi box hardware. "},{"title":"WireGuard","url":"https://nlnet.nl/project/wireguard/","description":" WireGuard A fast and modern VPN that utilizes state-of-the-art cryptography In hostile environments such as the open internet, Virtual Private Network technology plays a major role in protecting users both from snooping and malicious traffic injection. WireGuard is a general purpose VPN - the new kid on the block that is fast, simple and lean. It can run on embedded interfaces and super computers alike, fit for many different circumstances. Its goal is to be the most secure, easiest to use, and simplest VPN solution in the industry. The project's own website: https://www.wireguard.com Why does this actually matter to end users? When you go online outside of your house or office, your connection is often vulnerable to man-in-the-middle attack. VPN's are a way to protect against these attacks, but are traditionally rather cumbersome (if not plain hard) to work with - which has prevented mass adoption. WireGuard has been designed in many ways to contrast with poor architectural decisions of popular but aged VPN technologies like IPsec and OpenVPN. IPsec may be academically pristine in its layering of responsibilities, but the complexity of this makes it nearly impossible to deploy or implement securely. OpenVPN is similarly a monstrous codebase, relying on the error-prone DTLS protocol and uses 90s constructions. WireGuard aims to start fresh with modern cryptographic principles, in order to drastically simplify designs while still enabling use in networks of considerable complexity. This project was funded through the Internet Hardening Fund, a fund established by NLnet with financial support from the Netherlands Ministry of Economic Affairs and Climate Policy. 
"},{"description":" Wireguard Take modern network tunnels to the next level WireGuard is a next generation VPN protocol that uses state of the art cryptography. One of the most exciting recent crypto-networking developments, WireGuard aims to drastically simplify secure tunneling. The current state of VPN protocols is not pretty, with popular options, such as IPsec and OpenVPN, being overwhelmingly complex, with large attack surfaces, using mostly cryptographic designs from the 90s. WireGuard presents a new abuse-resistant and high-performance alternative based on modern cryptography, with a focus on implementation and usability simplicity. It uses a 1-RTT handshake, based on NoiseIK, to provide perfect forward secrecy, identity hiding, and resistance to key-compromise impersonation attacks, among other important security properties, as well as high performance transport using ChaCha20Poly1305. A novel IP-binding cookie MAC mechanism is used to prevent against several forms of common denial-of-service attacks, both against the client and server, improving greatly on those of DTLS and IKEv2. Key distribution is handled out-of-band with extremely short Curve25519 points, which can be passed around in the likes of OpenSSH. Discarding the academic layering perfection of IPsec, WireGuard introduces the idea of a \"cryptokey routing table\", alongside an extremely simple and fully defined timer-state mechanism, to allow for easy and minimal configuration; WireGuard is actually securely deployable in practical settings. In order to rival the performance of IPsec, in addition to cross-platform implementations, WireGuard is implemented inside the Linux kernel, but unlike IPsec, it is implemented in less than 4,000 lines of code, making the implementation manageably auditable. These features converge to create an open source VPN utility that is exceedingly simple, yet thoroughly modern and secure. 
The project's own website: https://wireguard.com Why does this actually matter to end users? The internet is unfortunately not only populated just by kind and careful people. And it wasn't designed to be secure either. This is a dangerous and rather unfortunate combination of circumstances, and one you should take into account when you use the internet. When you go online outside of your house or office, chances are you use whatever wireless network you can find to get online. Mobile internet subscriptions are still expensive, so it is logical people seize every opportunity to connect for free. While this is a daily habit for many millions of people, and often nothing bad happens, it does expose you to serious risks. This is because your computer doesn't really know a lot about the world. It depends on information it gets from the networks it connects to. If the network happens to cheat, the computer often has very little defenses. If you use an untrustworthy network to connect you to the internet, you move yourself into the middle of enemy territory. While you happily enjoy your free bits it provides as a way to buy money, it has ample opportunity to exploit all kinds of security weaknesses against you. Essentially, if you got away scot free with connecting to an unsafe network, it probably wasn't your security that held anyone back. You were just lucky that no-one serious tried to do anything - this time. So it is recommended to not connect over wifi networks you don't know. Unless of course you've arranged for a secure tunnel that allows you to teleport your internet traffic across the unsafe local network to the real internet unscathed. The concept is surprisingly simple: individual messages sent through the Internet, called packets, are encrypted using some mechanism, and this encrypted message then substitutes the original one, making all communications sent through the tunnel unreadable to eavesdroppers and unalterable to attackers. 
Proven cryptography protects the integrity of the traffic flowing through the tunnel. And once the packets reach the other end of the tunnel, they can be unpacked. From that point onwards they may continue their life as normal internet traffic. Travelling the path in reverse is of course also possible: packets sent from the internet to your computer are protected in exactly the same way. In anticipation of better technologies that should arrive with the next generation internet, such tunnels are a key technology to guarantee consumer safety. They play a major role in protecting users both from snooping and malicious traffic injection. Sadly, the tools to create these secure tunnels are rather cumbersome (if not plain hard) to work with. This has prevented mass adoption. WireGuard is a completely new entrant to the field, and it is praised widely by technologists for its very high quality. Its goal is to be the most secure and easiest to use VPN solution available. Wireguard has many attractive traits: it is fast, simple and lean. It can run on embedded interfaces and super computers alike, and is fit for many different circumstances. Wireguard makes it very easy to set up a secure tunnel with modern technologies. It employs formally verified cryptographic constructions and has best in class performance. So you can more safely browse the web without annoying delay, even from potentially unsafe networks. WireGuard starts from scratch with modern cryptography and best-practice defense-in-depth implementation strategies. It is suitable and easily deployable for both end users and in data centers across the world, and provides an essential core building block for making the Internet safer. 
Within the project the team will continue the effort to make WireGuard land within the Linux kernel, upgrade some parts of the cryptography inside the Linux kernel because the current options are flawed, and do a comparative analysis of Wireguard protocol implementations on Windows, iOS and Android so quality and reliability can be assured across implementations. This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. ","url":"https://nlnet.nl/project/wireguard-scaleup/","title":"Wireguard"},{"title":"Nixcloud","url":"https://nlnet.nl/project/webservicesecurity/","description":" Nixcloud Declarative internet services based on NixOS This project aims to make NixOS the first computer operating system to package TLS Pool as a service component, and will allow to combine the power of declarative packaging with the unique security characteristics of TLS Pool to create a solid and versatile delivery channel for decentralised internet applications. The project's own website: https://nixcloud.io Why does this actually matter to end users? Creating secure webservices is non-trivial. Every application has its own security configuration mechanism, which means there is lots of room to make mistakes, neglect flaws and end up with vulnerable systems. TLS Pool is a ground-breaking mechanism from the ARPA2 project to isolate security processes and key material from actual applications themselves, and allows to manage transport layer security at a system level. NixOS is a Linux distribution with a unique approach to package and configuration management. Built on top of the Nix package manager, it is completely declarative, makes upgrading systems reliable, and has many other advantages. 
It is used increasingly in complex environments where reproducible behaviour and configurability matter, from desktop systems to some of the top 500 supercomputers. The results of this project should greatly simplify the creation and delivery of robust and secure services, on the web and beyond. We will validate and demonstrate the new capabilities resulting from the project by providing a number of examples of different types of web services, such as classic LAMP applications, NodeJS and Java application containers. Run by Nixcloud This project was funded through the Internet Hardening Fund, a fund established by NLnet with financial support from the Netherlands Ministry of Economic Affairs and Climate Policy. "},{"description":" WebODF ODF editor in the browser Aim of the project: make an ODF editor that runs in the browser. WebODF is an innovative initiative because it is the first attempt at FOSS implementation of an office suite based on HTML5. Using HTML5 means that the code will run on nearly all modern computing systems. On top of that, it uses CSS in such a way that the ODF XML is used nearly unaltered in the program. This simplification allows us to develop fast and with little code. This project will help WebODF to grow: to have architectural documentation, save support, simple editing support and better rendering. Also a plugin for OfficeShots is planned to be written that writes png and PDF files. The project's own website: https://webodf.org/ Run by KO Gmbh. ","url":"https://nlnet.nl/project/webodf/","title":"WebODF"},{"url":"https://nlnet.nl/project/webodf-dissem/","title":"WebODF-Dissem","description":" WebODF-Dissem WebODF Dissemination WebODF is a JavaScript library that makes it easy to add Open Document Format (ODF) support to your website and to mobile or desktop application. WebODF is extremely innovative because it is the first attempt at FOSS implementation of an office suite based on HTML5. 
Using HTML5 means that the code runs on nearly all modern computing systems. This project aims to make WebODF stable, versatile and easy. To achieve this, a number of highly desired scenarios are being implemented: Read ODF documents on iPhone, iPad, Android and MeeGo devices. View ODF documents directly in Chrome, Firefox and Safari. Add and view ODF documents that are stored in a CMS or web mail system. Report bugs in WebODF. View a text document as it would be printed. View a document with proper placement of graphics. The project's own website: https://webodf.org Run by KO Gmbh. "},{"url":"https://nlnet.nl/project/wcoord/","title":"wcoord (wireless-coordination)","description":" wcoord (wireless-coordination) Easy configuration of wireless networks This project aims to create a standard management system for groups of networked devices by integrating with core components of the OpenWrt embedded operating system. The management system integrates the latest developments in lightweight OpenWrt software: ucode (a powerful and small alternative to Bash or Lua), and unetd (a daemon that aides in the creation of fully-meshed WireGuard VPNs). OpenWrt, already one of the most prominent operating systems for embedded devices, plays a fundamental (often invisible) role in internet commons on the network edge. Improvements in deployment and management of groups of devices empower people to take collective control of the hardware they already own and use. The project's own website: https://wcoord.informatics.coop This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). 
"},{"title":"Free Software Vulnerability Database","url":"https://nlnet.nl/project/vulnerabilitydatabase/","description":" Free Software Vulnerability Database A resource to aggregate software updates \"Using Components with Known Vulnerabilities\" is one of the OWASP Top 10 Most Critical Web Application Security Risks. Identifying such vulnerable components is currently hindered by data structure and tools that are (1) designed primarily for commercial/proprietary software components and (2) too dependent on the National Vulnerability Database (from US Dept. of Commerce). With the explosion of Free and Open Source Software (FOSS) usage over the last decade we need a new approach in order to efficiently identify security vulnerabilities in FOSS components that are the basis of every modern software system and applications. And that approach should be based on open data and FOSS tools. The goal of this project is create new FOSS tools to aggregate software component vulnerability data from multiple sources, organize that data with a new standard package identifier (Package URL or PURL) and automate the search for FOSS component security vulnerabilities. The expected benefits are to contribute to the improved security of software applications with open tools and data available freely to everyone and to lessen the dependence on a single foreign governmental data source or a few foreign commercial data providers. The project's own website: https://public.vulnerablecode.io Why does this actually matter to end users? Software security for many users is a given, an assumption, something you do not and should not have to think about too hard. If you open an app on your phone, install new software on your laptop or boot up your tablet, you assume the software you use is safe, secure and that the developers have done their job right. 
With the amount of software coming out and the tangled web of inter-dependencies that exist today, this assumption of trust is hard to live up to. Especially since software vulnerabilities are constantly hunted for by malicious parties that want to get into our data and devices for blackmail, theft or on a larger and more dangerous scale, disruption of vital processes like power grids. Search and discovery of software vulnerabilities is an issue of oversight. There are various databases that record critical risks and issues, but the tools that developers can use to go through these databases tend to focus only on a few sources. Software security should be a collective effort and developers need a complete view of any insecurities they need to deal with. This project wants to create new free and open source (FOSS) tools that aggregate software vulnerabilities from all possible sources and organize them in a standardized way. This makes secure software development more transparent and ultimately contributes to more solid tools and services for end users. This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. "},{"url":"https://nlnet.nl/project/vm-builder/","title":"vm-builder","description":" vm-builder Virtual Machine Build, Life Cycle and Integration in monolithic and microkernel platforms As each piece of software is built using other software, it is difficult to ensure that a program is not accidentally infected through malicious code interfering anywhere in this process. An important defence is reducing the amount of code one relies upon and strictly isolating the build from any other processes that could influence it, typically by using a virtual machine. 
However, there are currently no minimal, portable and final virtual machine build systems which enable effective bootstrapping of operating systems. Delegating this task to container build systems is insufficient, since they are primarily available to the Linux kernel and provide weak isolation properties. Delivering those with a high portability and even (or especially) on low TCB microkernels is key to secure bootstrapping of operating systems and applications on (to be) trusted infrastructure. The current prototype has proven successfully applicable to nowadays general purpose OSs, templating/inheritance and reproducible builds are to be implemented. An implementation in a more robust programming language like Rust is still lacking and will be completed in the course of this project. The long term goal is to easily build and provide legacy platforms and software especially on microkernels — allowing for a migration path towards operating systems with effectively manageable complexity. The project's own website: https://codeberg.org/uvm/vm-builder This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"url":"https://nlnet.nl/project/vita/","title":"Vita","description":" Vita A fast IPSEC-based VPN gateway VPN technology is a key enabler for end user security in insecure environments. Vita aims to achieve high performance (beyond 10G speeds) on commodity server hardware. Vita is intended to be both simple in terms of code, as well as in terms of deployment, and non-invasive to deploy in existing networks. Vita also strives to be affordable, in terms of both energy footprint and cost of maintenance: its goal is to make the best possible use of commodity hardware while remaining easy to deploy safely. 
The project's own website: https://github.com/inters/vita Why does this actually matter to end users? VPN's tend to be hard to configure, and standards based (IPsec) ones in particular. Vita runs on commodity hardware, implements IPsec for IPv4 (specifically \"IP Encapsulating Security Payload\", or ESP) in tunnel mode. It uses optimized AES-GCM 128-bit encryption based on a reference implementation by Intel for their AVX2 (generation-4) processors. It is suitable for 1-Gigabit, 10-Gigabit (and beyond?) Ethernet. Vita delivers automated key exchange and rotation, with perfect forward secrecy (PFS) and dynamic reconfiguration (meaning it can update routes while running). If you are operating a Vita node, you can easily access relevant statistics of your running Vita node. This project was funded through the Internet Hardening Fund, a fund established by NLnet with financial support from the Netherlands Ministry of Economic Affairs and Climate Policy. "},{"description":" Vita A high performance IPSEC implementation When the IP protocol was designed, its original authors did not add adequate security features. In 1994 the first official RFC concerning an end-to-end encrypted variant of IP called IPSEC was published after a number of years of standardisation work in the IETF. Almost a quarter of a century later, there is still a very limited set of implementations of the protocol. IPSEC is perceived by many as hard to deploy, which creates a chicken and egg situation in driving adoption. Vita is a fresh new implementation of IPSEC based on Snabb Switch, a high performance open source packet networking toolkit. The goal of Vita is to make it very easy to use IPSec on commodity hardware, and to produce a fast and compliant clean room implementation. Vita previously received funding from the Internet Hardening Fund. This project will move the deployability of Vita forward, and among others will produce a number of drivers for interfacing with e.g. 
high speed interfaces such as the Linux kernel. Its limited size and use of an existing packet networking toolkit means it can be easily audited. The project's own website: https://github.com/inters/vita Why does this actually matter to end users? On the internet, every computer by design gets a unique number - a so called internet protocol address (or for short IP address). This address is used to send information from your computer to the other computer you want to communicate with, and of course back. Unlike a traditional radio, you often need to send messages to receive messages on the internet. Computers are a great engineering achievement but they are certainly not magic, and thus they need to be able to somehow find each other. The IP address makes this possible. Unfortunately, the fact that every computer has a unique number opens up the possibility of abuse by dishonest actors. Because even though it is none of their business, breaking privacy is a profitable business. If they link what you do on the left side of the internet to what you do on the right side of the internet, they can create a profile and sell this to the highest bidder - with any bad luck to people that want to use it for nefarious purposes. Misuse of IP addresses shows just one of the ways in which the internet protocol and other important networking technologies are designed to connect, to extend, but not always to secure the traffic that is sent over it. The pioneers of the internet simply could not foresee how massive and crucial their technology would become to modern society. This project aims to add security to the core internet protocol by encrypting and codifying the information it transports so users can confidentially be online. IPsec, which stands for internet protocol security, is an older effort to protect users' privacy and security on the internet and Vita aims to update this work and make it ready for deployment at your local network operator. 
Fixing and securing fundamental internet technologies is a worthwhile effort for the billions of users that live and work online as we speak, but can only make a difference for people if it is actually a part of the current internet. This project can help make that a reality and raise the bar for online privacy and security. Run by Interstellar Ventures This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. ","url":"https://nlnet.nl/project/vita-cloud/","title":"Vita"},{"description":" Virtualizing device firmware Creating digital twins for auditing and testing appliances This project is archived. Due to circumstances, the project as planned did not take place. This page is left as a placeholder, for transparency reasons and to perhaps inspire others to take up this work. Recent targets of attacks on infrastructure did not come from powerful computers, but instead from consumer electronics devices. The most widely known example of this is the Mirai botnet, where consumer grade IP cameras were infected, added to a botnet and then used in wide scale attacks in a rather devious way: the original functionality of the device was left untouched, meaning that users either didn’t notice that their device had been taken over, or weren’t bothered by it. This project aims to provide a way to virtualise such an IoT device and integrate it with an existing honeypot framework to see how the malware is inserted and how botnets operate. The goal is to extract a firmware from an existing device and use that as the base for the virtualisation. The same setup can also be used to systematically check for undocumented behaviour of firmware. Why does this actually matter to end users? 
The impact of cybercrime is increasing and the attacks on individuals, businesses and crucial infrastructure are becoming more advanced and creative. At the same time we use more 'smart' devices in our homes, offices and streets that are connected to the internet while lacking fundamental security. A camera connected to the internet is not just a camera you can control from your phone, it is also a device that, without certain protection measures, can be manipulated to attack specific servers, trying to take down specific servers which can be immensely harmful, let alone dangerous when crucial infrastructures are the target. To bring the pervasive insecurities of the internet of things closer to home, how about a company selling smart home software that uses the same access details for every house, which can simply open the 'smart' front door lock of every user? As the internet of things grows and connected devices become cheaper and more commonplace, we need to fix vulnerabilities and close back doors as fast as possible. That means developers should learn how to think like a cybercriminal: how can my device be abused, what creative workaround can grant you access that I should fix? One of the ways to do this is to carefully monitor how a device is actually attacked. This project creates technology that can simulate how basic internet of things devices work and how malicious software will try to abuse it to attack servers. Better understanding one of the many security and privacy threats that plague the internet of things is a step forward in ensuring our devices work for us, instead of against us. This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. 
","title":"Virtualizing device firmware","url":"https://nlnet.nl/project/virtualfirmware/"},{"url":"https://nlnet.nl/project/virtnet/","title":"VirtNet","description":" VirtNet network stack virtualization for FreeBSD Traditionally, UNIX operating systems have been equipped with monolithic network stack implementations, meaning all user processes have to cooperatively share a single networking subsystem. The introduction of the network stack cloning model enables the kernel to simultaneously maintain multiple independent and isolated network stack instances. Combined with forcible binding of user processes to individual network stacks, this concept can bring us a step closer to an efficient pseudo virtual machine functionality which opens new possibilities particularly in virtual hosting applications, as well as in other less obvious areas such as network simulation and advanced VPN provisioning. This project is focused on design, implementation and performance aspects of experimental clonable network stack support in the FreeBSD kernel. The project's own website: http://www.tel.fer.hr/zec/BSD/vimage 2003-06-09: Detailed description of the project in a paper by Marko Zec, Implementing a Clonable Network Stack in the FreeBSD Kernel, in Proceedings of the 2003. USENIX Annual Technical Conference, San Antonio, Texas, June 2003. .pdf (248 kB) "},{"title":"VirtNet","url":"https://nlnet.nl/project/virtnet/how.html","description":" VirtNet network stack virtualization for FreeBSD NLnet is sponsoring the FreeBSD Foundation with US$  55,000 to run this project. Most of the money will be used to hire Marko Zec from the University of Zagreb to work on this project, under the supervision of the FreeBSD Foundation. 2007-07-20: Progress report: the prototype is reasonable stable and functional. 
"},{"description":" VirtNet network stack virtualization for FreeBSD FreeBSD network stack virtualization FreeBSD jail [1] is a widely accepted framework for application environment isolation. Processes running inside jails have a restricted view of resources provided by the operating system, most notably, they are unable to directly interact with other processes outside the scope of their own jailed environment. Combined with restricting jail's network visibility to a single system IP address while confining the file system access to a private directory tree, the jail model provides isolation capabilities sufficient to allow system administrators to host tens or hundreds of such environments on a single physical machine while delegating per-jail superuser authorities to other parties. In other words, a jail can be thought of as an isolated lightweight virtual host with its own (potentially untrusted) system administrator, users and applications; while sharing the base OS kernel and physical system resources with other such environments. This concept, first introduced in FreeBSD 4.0, proved so successful that not only did it become a platform of choice for many application hosting providers, but it led to the introduction of similar features in operating systems other than FreeBSD, such as zones in Sun's Solaris or the Linux Vserver project. While providing less rigid levels of isolation compared to traditional hardware virtualization architectures such as IBM's z-Series platform or more recent paravirtualization models such as Xen [2], the main attraction and strength of FreeBSD's jail concept lies in its scalability and efficient usage of hardware resources. One shortcoming of the original jail model is that it exposes a very restricted set of networking facilities to jailed applications. Network stack settings such as IP addresses, routes or firewall rules can be administered only from the global OS context, not from within the jails themselves. 
Delegating the authority to manage the network stack settings to jailed super-users would require independent copies of network stack state variables to be kept on a per-jail basis. Precisely such a model was experimentally implemented as an extension to FreeBSD 4.7 kernel [3]: the existing networking kernel code was modified to operate on multiple clonable structures where most of the networking-related state is kept. Such a new virtualized network stack model turned out to provide great flexibility to per-jail local administrators. Each jail-style environment could control multiple private network interfaces with multiple IP addresses, could maintain and control its own firewall ruleset, routing tables, address translators, traffic shapers etc. In short, looking from the networking perspective, the network stack cloning model blurred the line between the traditional hardware (or para-) virtualization architectures and jail-style lightweight virtual machines. Most importantly, the experimental implementation proved that the overhead of the network stack virtualization was negligible, so that the performance advantage of jails over traditional server virtualization models was preserved. Besides virtual hosting applications, the clonable network stack model enabled the OS kernel to be used as a highly scalable and efficient network topology emulator, by constructing arbitrarily complex kernel-level virtual topologies composed of network stack instances (nodes) and netgraph-based explicit links [4]. References: Poul-Henning Kamp, Robert N. M. Watson, Jails: Confining the omnipotent root, in Proceedings 2nd SANE Conference, May 2000. Barham, P. et. al., XEN and the art of virtualization, in Proceedings of the ACM Symposium on Operating Systems Principles, 2003. Zec, M., Implementing a Clonable Network Stack in the FreeBSD Kernel, in Proceedings of the 2003. USENIX Annual Technical Conference, San Antonio, Texas, June 2003. 
Zec, M., Mikuc, M., Operating System Support for Integrated Network Emulation in IMUNES, 1st Workshop on Operating System and Architectural Support for the on demand IT InfraStructure/ ASPLOS-XI, Boston, October 2004. ","title":"VirtNet","url":"https://nlnet.nl/project/virtnet/description.html"},{"description":" ViewerJS A multiformat document viewer for embedding, combining WebODF.js and PDF.js Is your website still littered with unfriendly commands to your users like \"In order to read this document, you must install Acrobat Reader\"? Start using viewer.js today, so that your visitors can safely read documents online within your own website. Users hate switching between applications as they are browsing the web. Just adding links with downloads all over your site is seen as unprofessional, lousy UX and old-fashioned. Yet sometimes all you have are a bunch of documents you need to show, and manually converting each of them to native content on your site is just not practical. In addition, more and more users are becoming aware that downloading documents from the web and then running them outside of the browser is a major security risk - in fact one of the most common ways in which people are infected with malware on their computers. View some examples or just try it out on your own site. The heavy lifting in Viewer.js is done by these awesome projects: PDF.js (by Mozilla) PDF.js is a library created by Andreas Gal and others at Mozilla Labs. It is an HTML5 technology experiment that explores building a faithful and efficient Portable Document Format (PDF) renderer without native code assistance. PDF.js is community-driven and supported by Mozilla Labs. Its goal is to create a general-purpose, web standards-based platform for parsing and rendering PDFs, and eventually release a PDF reader extension powered by PDF.js. Visit project website WebODF (by KO GmbH) WebODF is a JavaScript library previously funded by NLnet that shows office documents created by KO GmbH. 
It was started by Jos van den Oever at KO and is now developed by a growing team including external collaborators. It makes it easy to add Open Document Format (ODF) support to your website and to your mobile or desktop applications. It uses HTML and CSS to display ODF documents. Visit project website The project's own website: http://viewerjs.org KO GmbH ","title":"ViewerJS","url":"https://nlnet.nl/project/viewer/"},{"url":"https://nlnet.nl/project/vdirsyncer/","title":"vdirsyncer/pimsync","description":" vdirsyncer/pimsync Synchronise calendars and contacts In this digital age, we all have digital address books with the phones and addresses of our loved ones, friends, and those with whom we work. We keep calendars with meetings we need to attend and places we are expected to be. And we need to keep this information synchronised across devices, shared with others, but only with those whom we choose to collaborate. Like its predecessor Vdirsyncer, Pimsync synchronises address books and calendars between webcal, caldav, and local vdir collections. This empowers users to manage their own data, synchronising with servers of their choice - and take their data offline to their own devices at any point, to interact with it any way they please. Pimsync is written in Rust. The project's own website: https://pimsync.whynothugo.nl Run by - This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. "},{"description":" VDD project virtual operating system instances on arbitrary terminals Virtual Distro Dispatcher is a distributed system whose aim is to project virtual, fully operational operating system instances on arbitrary terminals. 
Client terminals can be obsolete PCs or energy saving thin clients (such as mini-ITX) managed by a powerful, multiprocessor (and possibly clustered) central system. The VDD gives users a possibility to enjoy their own favourite operating systems, including those that are not Open Source, possibly at the same time, simply by switching from one to another, on each single thin client, on demand, across a network. Thin clients are interfaces to proper and isolated machines, that can be made to measure for whatever need and in whatever number. This is completely transparent to users, who, even from an obsolete machine, can select a particular machine with certain characteristics and then do absolutely everything they would do on such a machine as if it was physical and with its virtual performance. Contrary to other systems, like LTSP (Linux Terminal Server Project) the VDD offers not only the host operating system to thin clients, but projects virtualized guest systems, i.e. fully operational and independent machines. The project's own website: http://www.vdd-project.org ","url":"https://nlnet.nl/project/vdd/","title":"VDD"},{"description":" Unhosted The Unhosted project enables separation of storage and applications Unhosted is an approach to the \"cloud\" opposite to the current web2.0 trend: it separates the user data from the application, rather than putting user data \"into\" the application. This leads to much better privacy management. End-users of \"cloud\" capable applications use Unhosted directly, they don't have to do anything special for that - just need to log in to remoteStorage enabled applications using their remoteStorage-enabled email address. As an example, all Dutch students and academic staff already have remoteStorage connected to their university email addresses. Now the target community is web developers. They need to enable their applications so that they accept login with remoteStorage. 
Contrary to other projects (that usually create 1 product with 1 function, and offer that as a free software of which everyone can run their own server, like Diaspora, MediaGoblin, ownCloud, etc.), Unhosted aims for a generic storage server. Everyone just needs a bit of very simple and dumb cloud storage, with no application-specific features. Cloud storage becomes an interchangeable commodity, and the market of useful cloud applications becomes entirely separate from the market of reliable cloud storage. The project's own website: http://www.unhosted.org ","url":"https://nlnet.nl/project/unhosted2/","title":"Unhosted"},{"description":" Unhosted Unhosted, separating data servers from application servers The web is not as open as it used to be: big monopoly platforms have formed new proprietary layers on top of it. This project breaks the \"you get our app, we get your data\" package deal. This by providing a cross-origin data storage protocol, thus separating data servers from application servers. More and more applications are hosted online and force users to put their data onto servers where applications run. Apart from our data being locked inside a place we don't have control over, many websites sell the data to third parties. This is a huge emergency in terms of consumer rights. Unhosted improves the web infrastructure by separating web applications from your data: You can store your data remotely anywhere, preferably encrypted; Unhosted apps, which are web applications, will run locally in your browser. This also makes it easier for app developers, as they neither have to worry about hosting all the data and user accounts nor about server load - all the computing takes place in your own browser on your own machine. With the app being just JavaScript it becomes very easy to develop and deploy new apps which everyone can use. The project will define a standard and submit it to W3C. 
The project's own website: http://www.unhosted.org ","url":"https://nlnet.nl/project/unhosted/","title":"Unhosted"},{"title":"UmTRX","url":"https://nlnet.nl/project/umtrx/","description":" UmTRX UmTRX, cheaper mobile communication The mission of the UmTRX project is to radically drop the price of mobile communications in developing, rural and remote areas. UmTRX aims at providing an open-source, inexpensive yet carrier grade transceiver for GSM Base Station. This project is a part of a bigger effort to create a completely open GSM network, from a low level hardware to high level software. UmTRX will be the first open hardware to work within the core telecom networks. This open hardware is being designed specifically to work with OpenBTS and OsmoBTS/OpenBSC open-source projects. While those software projects enjoy quick growth, the hardware side remains proprietary. The main reason for this is that such hardware is extremely hard to develop, it requires specific skills and specialists like high-profile RF designers and lots of effort to be put in it. The results of this project have been used to provision affordable mobile service to people at Mayotte island. The project's own website: http://umtrx.org "},{"description":" Uberflow An Open-Source OpenFlow Controller Implementing the North-Bound Interface OpenFlow is a cornerstone and the de-facto standard protocol for software-defined networking (SDN). The API for manipulating the network state is currently being standardised by the Open Networking Foundation (ONF) as NBI (which stands for 'North-Bound Interface'). As an emerging standard NBI has significant potential to create the ecosystem for network architectures. The project's own website: https://viagenie.ca OpenFlow is a simple protocol that allows switching hardware to be unbound from routing decisions. The intelligence is moved to a central controller that is responsible for multiple switches in a network. 
Through OpenFlow, the controller is dynamically notified of flow creations (as with NetFlow and IPFIX), and can respond with actions that are to be taken by switching hardware in the data path: route the flow elsewhere, change fields, etc. This dynamic altering of network state is what makes OpenFlow, and SDN in general, very attractive in a number of fields. The Open Networking Foundation is a consortium that has been created to take over the specification of the OpenFlow protocol as well as to extend it. One of the extensions being developed in the ONF is the north-bound interface (NBI). The NBI is situated between the control layer and the application layer. In a nutshell, the NBI is the API through which network operator applications manipulate the network state. The controller is in the middle of it all: it speaks with those applications through the NBI, and it speaks with the switching hardware through OpenFlow. The project will implement a reference quality open-source OpenFlow controller speaking NBI, that can easily be deployed on open-source operating systems such as Linux and BSD. Viagenie (Canada) ","url":"https://nlnet.nl/project/uberflow/","title":"Uberflow"},{"description":" uberWAVE Full featured live interactive waveform viewer UberWave is a fully featured, open-source, interactive, analog waveform viewer. It is designed to enable analog and mixed-signal chip designers to view simulation results generated by NGSpice. This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). 
","url":"https://nlnet.nl/project/uberWAVE/","title":"uberWAVE"},{"title":"Witdrawn","url":"https://nlnet.nl/project/uberSDIO/","description":""},{"title":"uberClock","url":"https://nlnet.nl/project/uberClock/","description":" uberClock High precision open hardware clocks using multi-mode crystal oscillators Very precise clocks have many different use cases, but they are complex to make and expensive to buy - leaving high precision timing out of reach for many. Currently, there are no open hardware designs capable of delivering so called \"Stratum 2\" accuracy. This project will design and build an open hardware clock exploiting the properties of multi-mode crystal oscillators using modern numerical methods for frequency stabilization. A Field-Programmable Gate Array (FPGA) will be used for digital signal processing functions, multiple Proportional-Integral-Derivative (PID) control loops, and executing all necessary calculations needed for dynamic, real-time frequency corrections. High-Level Synthesis (HLS) code will be developed using the CflexHDL+PipelineC toolset, in order to validate and further mature that emerging design flow for signal processing applications. The project's own website: https://www.chili-chips.xyz/ This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"description":" uMap Vector Tiles Use vector tiles to build custom maps with OpenStreetMap data uMap is a web application which lets you quickly build custom maps with OpenStreetMap’s background layers and integrate them on your own website. 
Vector tiles allow two main things: less duplicated content, and data transmitted at the same time as the tiles, enabling scenarios where data and background could be styled according to the user needs, which previously required serving custom tiles. The project's own website: https://umap-project.org This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/uMapVectorTiles/","title":"uMap Vector Tiles"},{"description":" uMap Collaborative custom mapping with OpenStreetMap data uMap is an online open source application to make custom maps. It aims to make creating maps easy for anyone in a few clicks. It’s simple for basic use cases, whether you want to prepare a bike travel with your friends or communicate the current roadworks for your city. But it’s also flexible and extendable for more complex or custom ones: drawing or importing data, customizing style and interface, sharing access to a map… uMap is also easy to install and to maintain to enforce a decentralized model. It is already deployed in several European countries, and is translated into dozens of languages. Plus, it also allows maps to be created anonymously. In this project, we will add real-time collaboration on maps with local-first support - which will for instance help a lot with live events and mapping sprints - and clean up the user interface. 
The project's own website: https://umap-project.org This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","url":"https://nlnet.nl/project/uMap/","title":"uMap"},{"description":" uFork A memory-safe pure-actor virtual machine Applying the design principle of actors-all-the-way-down, uFork implements a virtual-machine that is memory-safe at the level of assembly-language instructions. All operations occur in the context of an actor message-event, which provides object-capability security throughout the system. The effects of individual instructions are isolated so they can only affect the state of their host actor until a transactional commit releases additional asynchronous message-events into the system. This isolation allows interleaved execution of multiple instruction streams, so multiple actors can make progress concurrently. The virtual-machine implements automatic memory management with garbage-collection, and fine-grained resource quotas are enforced by the processor. The project's own website: https://ufork.org This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","title":"uFork","url":"https://nlnet.nl/project/uFork/"},{"title":"uFork/FPGA","url":"https://nlnet.nl/project/uFork-FPGA/","description":" uFork/FPGA A memory-safe pure-actor processor soft-core uFork is a novel microprocessor architecture based on dispatching immutable asynchronous message-events to reactive objects (actors) which manage private mutable state. Contention for shared mutable storage is eliminated, reducing complexity. 
Strong process and memory isolation prevents interference among tasks. Object-capability security (ocaps) provides fine-grained access control. The architecture has been validated by implementing a virtual-machine in software. This project will implement the design using FPGA hardware fully supported by open-source tooling. The project's own website: https://ufork.org This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"title":"TwinSite-2000","url":"https://nlnet.nl/project/twinsite/","description":" TwinSite-2000 international web-competition for secondary schools International web-competition for secondary schools, where a Dutch school has to partner with a foreign school in creating a website on any topic of choice. TwinSite is somewhat comparable to ThinkQuest, except for being a one time event with a more limited audience. The project's own website: http://www.cs.vu.nl/TwinSite-2000/UK/competit.html "},{"description":" TwinSite-2000 international web-competition for secondary schools The main prize of TwinSite-2000 is sponsored by Stichting NLnet. The TwinSite-2000 competition is organized by the Vrije Universiteit Amsterdam. ","title":"TwinSite-2000","url":"https://nlnet.nl/project/twinsite/how.html"},{"url":"https://nlnet.nl/project/twinsite/description.html","title":"TwinSite-2000","description":" TwinSite-2000 international web-competition for secondary schools TwinSite-2000 is a competition between teams of high schools. Each participating Dutch school has to find a partner team from a foreign school or vice versa. Together they will form a TwinTeam which will be coached by a teacher. The goal is to make the best TwinSite, a website created by a TwinTeam, with a topic that interests both teams. 
The team that makes the best TwinSite will receive a prize of NLG 10,000 (€ 45,000) at the TwinSite-2000 manifestation \"Virtual Future\" on 1 April 2000. "},{"url":"https://nlnet.nl/project/turtle/","title":"Turtle","description":" Turtle P2P infrastructure for safe sharing of sensitive data Turtle aims at the creation of a peer-to-peer (P2P) infrastructure for safe sharing of sensitive data. The truly revolutionary aspect of Turtle rests in its novel way of dealing with trust issues. Where other P2P architectures attempt to build trust relationships on top of a trust-agnostic P2P overlay, Turtle builds its overlay on top of pre-existent trust relationships among its users. This allows both data sender and receiver anonymity. At the same time, it protects each intermediate relay in the data query path against liability. Furthermore, its trust model should allow Turtle to withstand most of the denial of service attacks that plague other peer-to-peer data sharing networks. The project's own website: http://www.turtle4privacy.org/ 2005-08-15: Abstract (and presentation slides PDF) from USENIX Security Symposium 2005. .pdf (14 kB) .ps (18 kB) \"Safe and Private Data Sharing with Turtle: Friends Team-Up and Beat the System\", initial paper. .pdf (49 kB) "},{"description":" Turtle P2P infrastructure for safe sharing of sensitive data Turtle is being developed at the Vrije Universiteit van Amsterdam, by Popescu Bogdan, Bruno Crispo, and Andrew S. Tanenbaum.","title":"Turtle","url":"https://nlnet.nl/project/turtle/how.html"},{"description":" Turtle P2P infrastructure for safe sharing of sensitive data Introduction Turtle aims at the creation of a peer-to-peer (P2P) infrastructure for safe sharing of sensitive data. The truly revolutionary aspect of Turtle rests in its novel way of dealing with trust issues. 
Where other P2P architectures attempt to build trust relationships on top of a trust-agnostic P2P overlay, Turtle builds its overlay on top of pre-existent trust relationships among its users. This allows both data sender and receiver anonymity. At the same time, it protects each intermediate relay in the data query path. Furthermore, its trust model should allow Turtle to withstand most of the denial of service attacks that plague other peer-to-peer data sharing networks. A high-level description of the Turtle protocol can be found in a paper (PDF) presented at the Cambridge Security Protocols Workshop in 2004. Each user acts as a node in the overlay by running a copy of the Turtle client software on his computer. In contrast to other P2P systems, Turtle does not allow any two arbitrary nodes to connect and exchange information. Instead, each user will only connect her node to a limited number of other nodes, which are run by people she trusts (her friends). Before establishing a connection, there is an authentication phase, in order to prevent masquerading. The data is exchanged among friend nodes over secure encrypted links in order to guarantee confidentiality. When a Turtle user looks for an item in the network, the query is initially sent only to her friends' Turtle nodes. The friends forward the query to their friends, and so on, up to a given query depth. Query results follow the reverse path, travelling across friendship connections back to the query originator. This way data is only exchanged between people that trust each other. As the data is always encrypted, the adversary has no way to determine who is requesting or providing information, and what that information is about. Social science research (like the famous \"six degrees of separation\" experiment) and existing internet systems (like the PGP public key infrastructure and the Orkut online community) have shown that the social graphs are extremely scalable. 
These graphs, on which Turtle also relies, have the ability to connect very large communities through a small number of hops (usually less than 6). Finally, one important property resulting from the way the Turtle overlay is constructed is confined damage; a security break in one Turtle node only affects a small subset of the system: only the node itself and its friends. The goal of this NLnet project is to develop the Turtle P2P client software, and to offer it to the general public under the GPL public license. ","title":"Turtle","url":"https://nlnet.nl/project/turtle/description.html"},{"description":" tslib Better configuration and calibration of touchscreen devices tslib is somewhat older but widely used software for configuring the touchscreen of (mainly) embedded Linux devices including printers, mobile phones, etc. This nimble project concerns a bundle of improvements in terms of calibration, some accessibility research (to see if people with e.g. a tremor can be better served), and addressing a backlog of feature requests. In addition the project will use the help of NGI Zero to apply additional security scrutiny. The project's own website: http://tslib.org This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","title":"tslib","url":"https://nlnet.nl/project/tslib/"},{"title":"Trusted Boot Module","url":"https://nlnet.nl/project/trustedbootmodule/","description":" Trusted Boot Module An open hardware trusted boot manager This project is developing a system for booting trusted OS images on existing, ARM-based systems. 
It will consist of open hardware and software that allows users to start up Linux systems on off-the-shelf ARM development boards, where the system ensures that the system can be booted in a trusted state by booting only OS images trusted by the vendor and/or the user of the system. The hardware consists of cheap, off-the-shelf components that are simple to analyse and program, and which provide for an easily verifiable solution that does not depend on 'black box' components. This project aims to bring trusted boot to the market of commodity ARM-based servers, thus providing the community a security solution that allows for, for example, affordable distributed hosting and computing. The project's own website: https://src.whiteboxsystems.nl/TBM The goal of the project is simple: to provide a means to ensure that, at a specific point in time – specifically, after system (re)start – the state of a system is known and trusted. For non-centralized systems, being able to bring the system into a sane, known state is more difficult than in a centralized environment where the hardware is directly accessible to the system's maintainers. The TBM developed in this project allows maintainers of a distributed system that consists of (small) devices/servers located with (trusted) end-users to ensure that the state of the devices can be known. The system provides a way to ensure that at system boot time, no untrusted code is executed. The aim of the trusted boot system is to protect against persistent backdoors that may be inserted by a remote attacker who exploited a vulnerability and made modifications to e.g., kernels stored on a device's disk. At runtime, we can only prevent such compromise by traditional means, but by rebooting the system at regular intervals we can at least ensure that if a system is compromised, this compromise is time limited and that integrity is restored eventually. A project initiated by Whitebox Systems. 
"},{"title":"Tracking Exposed","url":"https://nlnet.nl/project/trackingexposed/","description":" Tracking Exposed Increase transparency behind personalization algorithms Goal of the project is to increase transparency behind personalization algorithms, so that people can have more effective control of their online experiences and will have more awareness of the information to which they are and are not exposed. The project's own website: https://tracking.exposed Algorithms are the technological solution to the information overload: they are as powerful as necessary to manage the overflow of data that reaches us. Unfortunately, they can also conceal the existence and use of assessments and judgments that impact the dissemination of ideas and culture. No one should be allowed to abuse such power over connected people. At this stage, consent is nor informed nor optional. The main objective of the project is to put a spotlight on users' tracking, profiling, on the data market and on the influence of algorithms. As long as these phenomena are shielded from view or understood only by experts, they cannot be tackled with the political determination that problems of such magnitude deserve. That is why we strive to explain the issue, test and promote new solutions, developed to benefit the community. The project is developed by a group of volunteers led by Claudio Agosti. A collaboration of: "},{"description":" TOS;DR A user rights initiative to rate and label website terms & privacy policies Terms of service are often too long to read (reading all of these carefully wrought documents could quite literally cost you years of your life), yet it is very important to understand what is in them. After all, your actual legal position online depends on them in a very concrete way. The ratings from TOS;DR can help users get informed about their rights. 
The project's own website: https://www.tosdr.org The project crowdsources the parsing of 'legalese', so that users can see immediately if a service is actually too good to be true. You can get the peer-reviewed ratings through an online portal, or directly in your browser by installing the TOS;DR web browser add-on: The project team consists of Michiel de Jong, Jan-Christoph Borchardt, Hugo Roy, Ian McGowan, Jimm Stout, Suzanne Azmayesh and Christopher Talib. ","title":"TOS;DR","url":"https://nlnet.nl/project/tosdr/"},{"description":" Tor low-bandwidth Tor for modem and mobile users The Tor anonymity system is currently only usable by internet users with high-bandwidth connections. Upon start of a Tor client, a large file with all Tor server descriptions is downloaded. This \"Tor Directory\" file enables the client to pick from the available mix-servers in the Tor network. This Directory file is too large for users on modem lines or on mobile data networks (like GPRS) as it gets downloaded each time a user logs in, taking 10 to 30 minutes over a slow connection. Therefore, Tor is not usable by modem and mobile users. One of the major goals of the Tor project is to provide secure anonymous internet access to users in repressive states. These locations often have very slow internet connections to the outside world. By enabling these users to use the Tor network, significant progress can be made towards free communication and free information in these countries. An evolution of the Tor protocol is proposed to reduce the initial download size. The new Tor protocol version should change the way a client receives the information for its Tor circuit setup in such a way that the initial download can be performed over a slow modem line in less than three minutes. 
The work to be conducted under the proposal is split into two major deliverables, with the end goal of having the protocol change production ready and propagated to the Tor users within a timeframe of less than 8 months. The resulting software will be published under the GPL license, like the rest of the Tor code. All deliverables will be fully public. The project's own website: https://www.torproject.org ","url":"https://nlnet.nl/project/tor-lowbw/","title":"Tor low-bandwidth"},{"description":" Tor hidden services Protect publisher and users of the services against identification The Tor Anonymity System's key functionality `Hidden Services' allows users to set up anonymous information services (like websites) that can only be accessed through the Tor network and therefore are protected against identification of the host that runs the services. Using these Hidden Services, critical political and human rights information can be published in a way that both the publisher and users of the service are protected from identification. The current version of Tor Hidden Services has a number of drawbacks that hamper the active use of this important feature. The most serious limitation is the performance: the time it takes until a Hidden Service gets registered in the network and the latency of contact establishment when being accessed by a user. Due to design issues in the original Tor protocol, the connection to a new Hidden Service can take several minutes, leading most users to give up before the connection has been established. Using the Tor Hidden Services for direct interactive user-to-user communication (like for instant messaging) is nearly impossible due to this high latency in the Hidden Service circuit setup. An evolution of the Tor protocol is proposed to speed up the Tor Hidden Services. The improved protocol will change the way circuits are set up. The end goal is to have the protocol change production ready and propagated to the Tor users within nine months. 
The resulting software will be published under the GPL license, like the rest of the Tor code. All deliverables will be fully public. The project's own website: http://www.torproject.org ","url":"https://nlnet.nl/project/tor-hidden/","title":"Tor hidden services"},{"description":" TLS-KDH Combined Kerberos and Diffie-Hellman as an authentication mechanism for TLS This project develops a number of additions to the open source TLS library GnuTLS. Based on the prototype for TLS-KDH (http://tls-kdh.arpa2.net) that was developed as a branch of GnuTLS, we now need to do a full implementation that incorporates the features from this development branch into GnuTLS’ main branch. By doing so our TLS-KDH mechanism becomes automatically available for the general public worldwide. However, additional work needs to be done for these two branches to be merged. Compatibility issues need to be checked and resolved and test cases need to be written to ensure proper functioning of the library, now and in the future. Additionally, TLS-KDH relies on RFC7250 (https://tools.ietf.org/html/rfc7250). The functionality described in this RFC is not yet implemented in any TLS library and concerns Raw public keys. As part of our TLS-KDH implementation we have implemented RFC7250 partially (what was needed for TLS-KDH). However, we have noticed the interest of the GnuTLS community in the complete RFC7250 functionality. Therefore, in order to deliver a complete ‘product’ we also want to implement the rest of RFC7250 and incorporate it into GnuTLS, thereby creating the first TLS library that supports Raw public keys. This enables a more light-weight mechanism for transmitting public key material between peers. Finally, to ease adoption of the TLS-KDH mechanism and to provide a default Kerberos binding for TLS, we want to implement a gnutls - krb5 library (similar to the already existing gnutls-dane library). The current TLS-KDH implementation separates the TLS and Kerberos layers by design. 
While this is good design practice and offers the user great flexibility for choosing their own Kerberos implementation, it also requires (a lot) more work to be done in order to get the TLS-KDH mechanism going. By introducing a gnutls - krb5 library (choosing MIT Krb5) users can benefit from a default TLS Kerberos binding thereby relieving themselves from having to implement such a binding. It therefore eases adoption and use of the TLS-KDH mechanism. At the same time, keeping the TLS and Kerberos layers separated still enables different Kerberos libraries to be used when desired. Also, a layered architecture works in favor of code acceptance. The project's own website: http://tls-kdh.arpa2.net/ Why does this actually matter to end users? ARPA2 is a coherent, longer term open source project from Internet-Wide Organisation. It is thoughtfully engineering towards an overall architecture scalable to run the future internet which is secure by design. It brings together proven technologies, new insights and talented people to solve the hard challenges. The TLS-KDH specification describes how Kerberos data structures can be used for TLS client authentication, by introducing a new certificate type for use with TLS. The server can choose to provide a Certificate with a traditional signing mechanism such as RSA for authentication, in which case this specification speaks of a KDH-enhanced exchange; even when presenting no server certificate at all, a client-side Kerberos ticket can be used for mutual authentication in what will then be called a KDH-only exchange. The KDH-enhanced variety uses existing CipherSuites, and KDH-only defines new CipherSuites. Both KDH-enhanced and KDH-only message flows are referred to as TLS-KDH. Earlier work on TLS-KDH was funded with a joint subsidy from NLnet and the programme '[veilig] door innovatie' from the Netherlands government. 
For a complete overview of other projects within ARPA2 visit the ARPA2 website: http://arpa2.org Run by ARPA2 This project was funded through the Internet Hardening Fund, a fund established by NLnet with financial support from the Netherlands Ministry of Economic Affairs and Climate Policy. ","title":"TLS-KDH","url":"https://nlnet.nl/project/tls-kdh/"},{"description":" TimeWalker; Product summary tools for visualising huge amounts of log data Theo de Ridder - Pim Buurman 1. Introduction Many systems produce huge amounts of timestamped data (events) like logs from systemcalls, time-series from network monitoring or transactions from database-applications. In practice eventdata is often thrown away without any inspection. Some of the main reasons are: waste of resources, poor dataformats, non-scalability of traditional tools, lack of an adequate visual instrument. However, throwing away eventdata unseen implies losing essential information needed to discover cause-effect relations within (un)wanted or (un)expected systembehaviour. TimeWalker is a tool that makes preservation and disclosure of historical details contained in eventdata attractive and feasible. The implementation and user-interface are made very flexible and portable by using wxPython and C. The first release of TimeWalker will become available (under a GPL-licence) in November 2001 for Win32 and Linux. In this release TimeWalker will work smoothly for about 500000 records in memory that represent individual events or aggregated events collected from much larger (Gb) datasets. 2. Data handling TimeWalker unifies arbitrary eventformats into a format that enables a much better performance for persistent storage, aggregation and transformation than can be obtained by using a (traditional) database. Aggregation is the process of compressing arbitrary eventlists into a fixed-time interval sequence containing a single composite record in each interval. 
With user-specified expressions important correlations can be preserved during aggregation. Aggregated records can be transformed with user-specified expressions into values to be plotted. The clean syntax and semantics of Python are used for all expressions at the user level. Some specific internal techniques are used to improve the performance of the produced byte-code drastically. 3. Visualizing techniques TimeWalker uses an innovative technique for information-visualisation along the time-axis that enables simultaneous presentation of context and detail of eventdata in a range from 40 years down to 5 minutes. The technique is based on a sliding hierarchical ZoomLens that shows a bundle of multiple beams with predefined (quarter, week, day, hour, 5 min) time-scales. The zoomlens can be shifted by hand or be started as an animation. The graphical user-interface as a whole is carefully designed for quick pattern-recognition by a regular user. Each part has a fixed place, there is no scrolling, the information density is high, scaling and coloring is automatic, and there is (almost) no static and redundant (textual) information. Apart from the graphical mainwindow there are also frames for textual browsing and manipulating configuration data, metadata, raw data, documentation, and even (parts of) the reflective running environment. All textual navigation is based on data-driven tree/table-grid combinations. Graphical and textual visualisations are both interactive and scale up with realtime performance for very large datasets. 4. Usage There is a general datacollector, with derivations available for some common dataformats like syslog. Experience showed that creating and testing a new collector can be done within one day. The use of expressions for aggregations and transformations in itself is not complicated, but making the right choices requires domain knowledge as well as some experience with the resulting visual effects. 
TimeWalker supports visual datamining of huge amounts of non-filtered eventdata. It can be considered as a multi-focal looking glass complementary to the limitations of the usual spreadsheet way of (statistical) datareduction. About the authors Theo de Ridder has walked around in the software-engineering landscape for more than 30 years. His current interest is painting enduring and aesthetic software patterns using Python as a pencil. Pim Buurman is an experienced programmer on Unix platforms. He enjoys mostly problems that are hard to solve. ","title":"TimeWalker; Product summary","url":"https://nlnet.nl/project/timewalker/summary.html"},{"description":" TimeWalker tools for visualising huge amounts of log data TimeWalker is a multi-focal time-lens for visual data-mining. Its application domain is information visualization, which is characterized by handling huge data sets with unknown correlations and by real-time zooming within multiple graphical and textual representations. TimeWalker is primarily intended to be a useful instrument for people like system-administrators that are confronted with unmanageable amounts of logging data. Most tools for analyzing log data start with filtering the data based on some assumptions about what is interesting in the data. TimeWalker attempts to visualize the complete unfiltered data with maximal information density and to exploit the pattern-recognition capabilities of the human end-user for discovering interesting patterns in the data. The project's own website: http://sourceforge.net/projects/timewalker/ current CVS tree on SourceForge; please read these instructions for accessing it. Software Download Area Slides of the presentation given at the European Python and Zope Conference (Europython), held in June 2002 in Charleroi, Belgium. .pdf (2 MB) 2001-11-28: TimeWalker paper, presented at Linux Kongress 2001 .pdf (397 kB) 2001-04-23: TimeWalker Whitepaper. 
more > > ","url":"https://nlnet.nl/project/timewalker/","title":"TimeWalker"},{"description":" TimeWalker tools for visualising huge amounts of log data The project is realised by Prometa Ratum bv, a small company specialized in Engineering Enduring Software Patterns, founded by Theo de Ridder. NLnet provides full funding for this project, € 150,000 in total. 2002-11-27: Final report. more > > .pdf (105 kB) ","url":"https://nlnet.nl/project/timewalker/how.html","title":"TimeWalker"},{"title":"TimeWalker","url":"https://nlnet.nl/project/timewalker/description.html","description":" TimeWalker tools for visualising huge amounts of log data The goal of this project is to implement a tool for visualising huge amounts of log data. The visualisation techniques of TimeWalker are based on the paradigm of information visualisation. In this paradigm, the emphasis is on maximizing information density and minimizing end-user effort by always showing detail and context simultaneously. TimeWalker introduces the innovative concept of a hierarchical zoom lens sliding along the time-axis. Because the user-interface is exploiting the typical human capabilities for pattern-recognition, TimeWalker can be seen as a sophisticated looking-glass for visual data-mining in the time-dimension. In order to optimize usability, there will be close cooperation from the beginning with alpha- and beta-sites. Network and system maintenance is chosen as the first application-domain. Feedback will be based on sites that are representative for producing high volumes of log data within distributed infrastructures. TimeWalker is also quite interesting as an open-source project exploiting Python up to its limits as a wide-spectrum language in any stage in the software lifecycle. Python has enabled a high level of elegance and portability to represent implementation, documentation, persistent storage of data and running states, regression tests and profiling. 
A remarkable scalability and performance could be obtained by just using the generic facilities of Numerical Python and wxPython, instead of coding specific extensions in C. "},{"url":"https://nlnet.nl/project/timesheets/","title":"Timesheets","description":" Timesheets Adaptive time-based application development Platform This project aims to create a platform to develop Adaptive Time-based web applications. This is applied to developing Single-Page Interfaces (SPIs). A SPI can reduce network bandwidth needs, especially important in the fast-growing use of mobile networks. Despite its importance, use of SPIs has not proliferated because it is highly complicated to develop and maintain. A novel approach based on a W3C specification is proposed: SMIL Timesheets. This approach simplifies the design of time-based web applications and web sites. These interactive applications use time as a major structuring paradigm, i.e. time and events dictate which parts of the application are presented. SMIL Timesheets are the time counterparts of layout focussed Stylesheets. SMIL Timesheets use the W3C standard SMIL Timing & Synchronization. Timesheets are a perfect match for CSS styles and CSS3 Transitions/Animations. Also, it is designed to synchronize multimedia (HTML5's audio and video) with web content. In addition the following issue is tackled: wasting network bandwidth is common in multi-device applications. This project aims to dynamically adapt to the capabilities of devices, to save bandwidth and processing power. Such adaptation is achieved via capability-based resource loading for different devices (e.g. media resources, CSS3 emulation, and others). The project's own website: https://bitbucket.org/tadp/timesheets/wiki/Home "},{"url":"https://nlnet.nl/project/ties/","title":"Ties","description":" Ties Federated bookmark manager based on ActivityPub Ties (formerly: Linkblocks) is a federated bookmark manager. 
By combining a web-like graph structure with collaborative features, it aims to make knowledge discovery on the web more open and productive, providing an alternative to social networks and search engines. The project's own website: https://ties.pub/ This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"description":" ThinkQuest educational web contests Foundation ThinkQuest organized web-games for various target communities: primary school pupils, secondary schools, and even vocational training students. All contests are in Dutch only. The original idea of ThinkQuest came from the American Advanced Network & Services, Inc, which exported the idea across the world. Their website contains a lot of valuable information. The Dutch ThinkQuest is also taking part in some of the international projects, like eXplora, the European version of ThinkQuest. The project's own website: https://www.stichtingtq.nl 2006-10-24: Call for projects 2007-2008. more > > Kennisnet, the Dutch National portal for education. The main international ThinkQuest site, with references to comparable projects in the whole World. ","url":"https://nlnet.nl/project/thinkquest/","title":"ThinkQuest"},{"description":" ThinkQuest educational web contests The foundation `Stichting ThinkQuest Nederland' has been set up to organize various ThinkQuest-style contests starting in 2000. Stichting NLnet, SURFnet, and the Dutch Ministry of Education each contributed € 226,890 towards the starting capital of ThinkQuest Nederland. 
It now derives its main income from subsidies from the Ministry of Education and some commercial sponsors. Since July 2002, the ThinkQuest competition is organized by Kennisnet, the Dutch educational network. The foundation Stichting Thinkquest is looking for new initiatives to innovate education in fields of technology and unusual internet utilization. 2006-06-29: Press release: the innovative projects of 10 primary and secondary schools will be sponsored during the 2006/2007 school season. In total, over €120.000 is donated to help them achieve their goals. .pdf (19 kB) 2006-01-20: Stichting TQ-NL subsidizes project for innovative education. more > > ","title":"ThinkQuest","url":"https://nlnet.nl/project/thinkquest/how.html"},{"description":" ThinkQuest educational web contests ThinkQuest is an international web contest for students ages 12 through 19. Teams of 2 to 3 students supported by 1 to 3 coaches create educational websites. They compete with their entry for one of many prizes (over 1 million USD in scholarships and awards). ThinkQuest was created by the US organisation Advanced Network & Services Inc. In 1996, ThinkQuest was organized for the first time as a national American contest. In 1997, ThinkQuest was launched as an international contest. To simplify the organisation of ThinkQuest world wide, Advanced has created so-called National Partners. National Partners (NP) are organizations cooperating with Advanced, which introduce, stimulate and support ThinkQuest in their own country. In 1997, SURFnet took upon itself the National Partnership for ThinkQuest in the Netherlands. In the first years, SURFnet established ThinkQuest in the Netherlands and gained valuable experience with the organization, supported by a few distinguished sponsors (KPN Telecom, the Ministry of Education, Kennisnet and Educatiefnet). 
To establish a somewhat more permanent platform for the expansion of ThinkQuest, SURFnet and Stichting NLnet have set up a new foundation, Stichting ThinkQuest Nederland. Together with the Dutch Ministry of Education, the three partners have provided the new foundation with NLG 1,500,000 for the next four years. In the year 2000, ThinkQuest Nederland will expand the contest program with two new contests in addition to the existing ThinkQuest Internet Challenge contest: ThinkQuest-Junior, for pupils in group 6, 7 and 8 of the primary school; ThinkQuest-BVE, for students in BVE (professional and adult education). In subsequent years, additional programs will be launched, as allowed by additional funding from external sponsors. ","url":"https://nlnet.nl/project/thinkquest/description.html","title":"ThinkQuest"},{"title":"TCP-multipath","url":"https://nlnet.nl/project/tcp-multipath/","description":" TCP-multipath Design and empirical evaluation of secure and efficient multipath communication The goal of the project is to implement an open source extension of the TCP/IP stack to support multipath communication in the Internet. With this approach, users will be able to improve their connection speed and reliability by utilizing several network interfaces simultaneously and receiving aggregate bandwidth. Modern mobile devices, equipped with several network interfaces, as well as multihomed residential Internet hosts are capable of maintaining multiple simultaneous attachments to the network. This can be favorable for applications that are aiming to increase the overall throughput or minimize the delays caused by roaming between the networks. This project will design and evaluate an efficient and secure multipath solution on a wedge-layer. Based on Host Identity Protocol (HIP) the design will support multihoming, mobility, NAT traversal, advanced security features, network coding for efficiency in lossy networks and will match the requirements of the most modern applications. 
Who will benefit? General network users requiring faster Internet access e.g. over two ADSL lines at home, service providers on the Internet requiring higher fault tolerance for their services, network operators providing high speed connectivity e.g. over WLAN and 3G combined. Aalto University, Finland "},{"description":" synit-nixos Expand synit system layer and integrate in NixOS Many of the software applications and services that we interact with today can only exist as dynamic compositions of many different software components. Dynamic systems can be adapted to serve different purposes, react to a changing environment, and can be self-updating or self-healing in response to failure. These systems exchange the predictability of static systems for the resilience of dynamism. Our software operating systems achieve dynamism by what some call the \"system layer\". Traditionally this would be the so-called \"init\" system which activates different software components. The system layer is the software activation and management of init combined with a communication layer, reactive behavior, and system introspection. Synit is an experimental system layer that provides these features according to a model that combines capability security, conversational actors, and eventually-consistent replicated state. The Synit-NixOS project aims to bring init and system-layer portability to NixOS with Synit as an alternative to systemd. The project's own website: https://synit.org This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. 
","url":"https://nlnet.nl/project/synit-nixos/","title":"synit-nixos"},{"title":"SylkRTC","url":"https://nlnet.nl/project/sylkRTC/","description":" SylkRTC SylkRTC The SylkRTC project entails adding webRTC capabilities to Sylkserver, a polyglot open source conference server that unites the realms of the two IETF standardised internet technologies in the area of real-time communication: SIP and XMPP. Sylkserver allows anyone with basic computer knowledge to set up a private conferencing facility that can be used with a large variety of different applications that support these open standards. By providing a webRTC gateway, the SylkRTC project will additionally allow anyone with just a modern web browser with webRTC capabilities running on a device with a microphone and/or camera to join a conference or contact someone using either protocol. Visit the SylkRTC demo page to make a trial call over the internet. The project's own website: https://www.sylkserver.com This is a project coordinated by AG Projects BV, located in Haarlem, The Netherlands. "},{"description":" Swirl Implementation of PPSPP proposed standard in Erlang Current peer-to-peer traffic on the internet happens in a wide variety of often application-dependent protocols, limiting growth and innovation. A working group of the IETF has in recent years been developing the Peer-to-Peer Streaming Peer Protocol (PPSPP) to establish a safe, modern standard in this area. NLnet considers a mature standard for P2P applications an important building block for the future of the internet. Swirl is an open source reference implementation of the PPSPP proposed standard in the Erlang programming language. The Swirl project is led by Dave Cottlehuber (Austria). The project's own website: https://github.com/skunkwerks/swirl Tomorrow's internet will bear little resemblance to that of today. 
The protocols we use today are not suited to scale and handle the growth of video traffic, changing connectivity types and the rise of mobile devices, and the shift towards Peer-to-Peer traffic. This project aims to provide and promote a working solution to these problems, by implementing the IETF draft Peer-to-Peer Streaming Protocol, aka PPSPP. \"Allow anybody, anywhere, to share or live stream their content, in the small or at scale, securely and efficiently, from any device, without being dependent on centralised storage or services, using a free & open protocol\". Mobile devices are now the primary means of accessing the internet, and peer-to-peer protocols like BitTorrent are taking over from HTTP for shifting and sharing data, driven by the explosion in video, high-resolution images and audio, even as global internet usage continues to grow. Globally, mobile data traffic will increase 13-fold between 2012 and 2017. Mobile data traffic will grow at a CAGR of 66 percent between 2012 and 2017, reaching 11.2 exabytes per month by 2017. Global mobile data traffic will grow three times faster than fixed IP traffic from 2012 to 2017. Global mobile data traffic was 2 percent of total IP traffic in 2012, and will be 9 percent of total IP traffic in 2017. -- Global Consumer Internet Traffic, 2012-2017, Cisco. Peer-to-peer traffic has grown enormously in recent years, consuming 1/2 to 3/4 of all internet traffic depending on the exact survey referred to. Today's reliable and stable connection from a single location at home or work, is being replaced by temporary and irregular connections through different providers and connections, as users roam over VPN, public wifi, and home wifi via broadband, on GSM and LTE cellular networks. Internet video streaming and downloads are beginning to take a larger share of bandwidth and will grow to more than 69 percent of all consumer Internet traffic in 2017 -- Global Consumer Internet Traffic, 2012-2017, Cisco. 
The primary type of traffic on the internet (by volume) is now video media, with YouTube, Netflix and similar services representing more than half of all traffic in most regions. The growth in video content has been so significant that it has pushed the proportion of peer-to-peer data consumption down even though both have risen significantly in total volume. In North America's broadband usage, video content was already 68% of all downstream traffic, comprising 17% YouTube and 32% Netflix. HTTP by comparison is 11% only. Peer-to-peer traffic comprises a staggering 40% upstream traffic, and a much lower 6% downstream. Similar trends are present across the globe. Commonly-used protocols such as TCP and HTTP suffer from slow startup times before content arrives, unnecessary metadata and are not ideally fitted to streaming data volumes in near or real-time, to multiple endpoints, and many existing proprietary P2P protocols have typically focused on static file sharing, needing enhancements to enable live streaming support. From the carrier or operator perspective, every proprietary solution requires custom integration into their network, including traffic shaping, billing, and caching technologies. For the end user, this means lock-in and spiralling complexity as each P2P network requires a separate tool or plugin, with sporadic support across their devices, from PCs, tablets, smartphones, home routers and their ISPs. The IETF draft Peer-to-Peer streaming protocol, known as PPSP, offers a royalty-free open standard that has been designed from the ground up to fit in this complex environment, with features like fast start-up time, & full encryption, and can be implemented in embedded devices like tablets or smartphones, or in carrier-grade facilities to service large user groups for events like football matches and movie distribution. 
","url":"https://nlnet.nl/project/swirl/","title":"Swirl"},{"description":" Maintenance and portability of sudo-rs Make sudo-rs available cross-platform The sudo and su utilities guard a critical privilege boundary on just about every free and open-source operating system that powers the Internet. Memory safety bugs occur in the original sudo from time to time, and there is only one maintainer to fix them. For these reasons sudo-rs was written: a Rust drop-in replacement for sudo on Linux. For it to be a success, it needs to gain adoption. In this project, we will 1) address bugs and incompatibilities between sudo-rs and sudo and 2) port it to platforms other than Linux, to grow its user base and viability. The project's own website: https://github.com/trifectatechfoundation/sudo-rs Run by Trifecta Tech Foundation This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","title":"Maintenance and portability of sudo-rs","url":"https://nlnet.nl/project/sudo-rs/"},{"title":"FreeBSD sudo-rs","url":"https://nlnet.nl/project/sudo-rs-FreeBSD-compat/","description":" FreeBSD sudo-rs Port to FreeBSD and legacy compatibility Sudo is a small but critical system tool that allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. As such, it guards a critical privilege boundary on just about every free and open-source operating system that powers the Internet. sudo-rs is a drop-in replacement for sudo written in Rust. This project will port the tool to FreeBSD, and will address some known bugs and incompatibilities between sudo-rs and sudo. 
The project's own website: https://github.com/trifectatechfoundation/sudo-rs Run by Trifecta Tech Foundation This project was funded through the e-Commons Fund, a fund established by NLnet with financial support from the Netherlands Ministry of the Interior and Kingdom Relations. "},{"url":"https://nlnet.nl/project/stubby/","title":"Stubby","description":" Stubby A local DNS Privacy stub resolver using DNS-over-TLS Stubby is an open source project to develop a DNS stub resolver for use on client devices which will provide DNS Privacy for end users by implementing DNS-over-TLS (RFC 7858). This service will provide encrypted first-hop access to DNS services protecting users’ DNS queries from eavesdropping at any point along the path between their device and a privacy-enabling DNS server. More information about DNS-over-TLS: https://tools.ietf.org/html/rfc7858 The project's own website: https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby Why does this actually matter to end users? We use DNS every day, but most of us never realise that this discovery protocol's lack of transport layer security brings along a significant liability from a security perspective. DNS-over-TLS aims to fix that - but what is a privacy protecting internet technology like it worth, if it isn't in the hands of actual end users protecting them? With mainstream software developers and operating system vendors erring on the side of caution (to put it kindly), users that want to benefit from technologies like DNS-over-TLS need suitable tools to replace native functionality. An experimental implementation of Stubby (developed by the getdns team as part of the DNS Privacy project) is already available. The project now aims to mature Stubby and significantly improve usability, thereby gaining valuable experience with the new standard and increasing uptake of Stubby among non-technical users. 
Run by Sinodun This project was funded through the Internet Hardening Fund, a fund established by NLnet with financial support from the Netherlands Ministry of Economic Affairs and Climate Policy. "},{"url":"https://nlnet.nl/project/stratosphere/","title":"Stratosphere IPS","description":" Stratosphere IPS A behavioral-based free software Intrusion Prevention System. The Stratosphere IPS is a free software Intrusion Prevention System that uses Machine Learning to detect and block known malicious behaviors in the network traffic. The behaviors are learnt from highly verified malware and normal traffic connections in our research laboratory. Its goal is to provide the community and especially vulnerable targets with low budgets such as NGOs and civil society groups with an advanced tool that can protect against targeted attacks. The project's own website: https://stratosphereips.org/ The Stratosphere IPS project was born at the CTU University of Prague in the Czech Republic, as part of the PhD work of Sebastian García. The core of the Stratosphere IPS is a machine learning algorithm that analyzes individual network connections to extract their behavioral pattern. The patterns of known malicious connections are used to train the system and can subsequently be used to detect unknown traffic in new networks. The algorithms were publicly published and the behavioral models are continually being verified by academic researchers. Scanning your network is a very security and privacy sensitive matter. Because Stratosphere is published as a free software product, you do not have to trust it - you get to inspect every aspect of its inner workings and can freely improve upon it. It is already being used across the world - within multinationals, NGOs and academia. The design goal of the Stratosphere IPS is to develop a highly advanced and free network-based malicious actions detector that can help protect individuals, middle-size organizations, NGOs and almost any type of network. 
Agent Technology Center, CTU University of Prague "},{"description":" ARPA2 Steamworks Near-instantaneous controlled configuration settings over any network ARPA2 SteamWorks is a set of tools that co-operate to transmit more-or-less centrally controlled configuration settings over any network, and make these settings available to individual programs. Updates are passed around instantaneously when network connections are good, but the last version of the information can be used when the network temporarily degrades. The project is part of the ARPA2 project, which is engineering towards an overall architecture scalable to run a future internet that is secure by design. The project's own website: http://steamworks.arpa2.net Configuring and provisioning TLS — trusted (root) certificates, intermediates, end-user certificates, and public keys — can be a complicated business. The ARPA2 TLS Pool project makes it simpler for third-party applications (e.g. a web browser, or a web server) to use TLS and identity information. Configuration of TLS Pool itself however is still somewhat complicated: it provides a number of databases for configuring its behavior -- that is, the way it provides TLS and identity support to applications and the parameters of its outgoing TLS connections -- but filling those databases needs an API and a user interface. ARPA2 SteamWorks is about creating machinery for distributing configuration information through LDAP and using that for local provisioning through the Pulley (a local daemon) and Pulley Plug-ins (used to configure specific applications, e.g. TLS Pool). The configuration of the Pulley is done through a Pulley Script (which can, in turn, be distributed through LDAP). The Pulley Plug-in mechanism is generic and in the longer term will evolve more plug-ins for configuring other (sub)systems, e.g. writing ISC DHCPd configuration or Local Unbound configuration files. 
The project will make it possible to connect the complete configuration of TLS Pool to the SteamWorks machinery by building a SteamWorks Pulley Plug-In and Pulley Scripts that can fully configure TLS Pool. This includes defining all of the configuration elements for TLS Pool in LDAP schemata. SteamWorks also provides a framework for writing web-based front-ends to the LDAP configuration through the Crank component of SteamWorks. In order to provide the user interface for TLS Pool provisioning, we will construct that front-end (web application). This gives us a mechanism for filling the TLS Pool configuration in LDAP, distributing it to the Pulley through LDAP, and then locally turning it into configuration for provisioning TLS for applications. (An extension of this mechanism would involve generically associating Some parts of this system are already built as proofs-of-concept: there is a stub Pulley Plug-in for configuring the trusted root certificates in TLS Pool, as well as a rudimentary web-interface for filling those in in LDAP. This project aims to turn those proofs-of-concept into fully functional configuration tools. Earlier work on ARPA2 Steamworks was funded with a joint subsidy from NLnet and the programme \"[veilig] door innovatie\" from the Netherlands government. For a complete overview of other projects within ARPA2 visit the ARPA2 website. TLS-KDH is supported by NLnet and the Internet Hardening Fund. ","title":"ARPA2 Steamworks","url":"https://nlnet.nl/project/steamworks/"},{"description":" SPEAR Secure Peer-to-peer Services Overlay Architecture SPEAR is a pilot experiment with the community, studying privacy and mobility aspects of P2PSIP. Peer-to-peer protocols increasingly appear in commercial data distribution and communication applications. Although several proprietary solutions are highly successful, an open standardized architecture for secure P2P services is only emerging. 
Many open issues need to be addressed, including peer lookup, scalability and resilience, NAT traversal, interoperating IPv4 and IPv6 peers, and performance on lightweight devices. The project on Secure Peer-to-peer Services Overlay Architecture of the Helsinki Institute for Information Technologies (HIIT) attempts to develop a generic mechanism to support such distributed services as P2P Session Initiation Protocol (P2PSIP). In contrast to other approaches, security is taken as the cornerstone of design, integrating support for Host Identity Protocol (HIP) Based Overlay Networking Environment (HIP-BONE) into the architecture. The architecture can support various P2P services, not limited to P2PSIP, such as P2P HTTP. We envision that P2P HTTP can be used to create a community version of many useful scenarios as plenty of current applications are based on HTTP. The work is carried out jointly with industrial partners actively involved in developing protocol specifications in the IETF. In particular, the design of a protocol stack combining overlay peer protocol with HIP and IPsec, binding peer identities to host identities, hierarchical P2P systems, and prevention of unwanted traffic are in scope of the project. An existing proof-of-concept demonstration of P2PSIP proxy will be further developed and tested with real users, and its usability will be evaluated. ","url":"https://nlnet.nl/project/spear/","title":"SPEAR"},{"title":"Magic Wormhole/SPAKE2","url":"https://nlnet.nl/project/spake2/","description":" Magic Wormhole/SPAKE2 Securely send files between two computers with minimum fuss SPAKE2 is a modern academic password-authenticated key exchange mechanism, originally designed by two security researchers from Ecole Normale Superieure. It allows setting up an ad hoc encrypted channel between two users that share a combination of words in real-time. 
Magic Wormhole is an open source implementation of SPAKE2 (both client and server) by Brian Warner, one of the founders of TAHOE-LAFS. The server part of Magic Wormhole can create a rendezvous/relay, so it can be used in a LAN, behind firewalls, NATs, etc. There are many cases in which a person wants to quickly exchange a file in an untrustworthy environment (say a presentation deck) without running either the risk of an Evil Maid attack or uploading to a trusted server and then giving someone access to that. Most people do not even have such a trusted infrastructure, which forces them to trust their data to third parties. This solution allows for very user-friendly exchange of files with modern encryption, without the need for anything else. Secure exchange of files is a critical problem of all ages; this solution has potentially disruptive qualities. This project will try to make SPAKE2 primitives available to mobile app developers and will support standardisation of SPAKE2 inside the IETF. The project's own website: https://github.com/warner/magic-wormhole Run by Least Authority This project was funded through the Internet Hardening Fund, a fund established by NLnet with financial support from the Netherlands Ministry of Economic Affairs and Climate Policy. "},{"description":" SocketHUB A polyglot communication server for the decentralized internet This project aims to implement a service which enables developers to use common social functions regardless of the 'language' of the various protocols out in the wild. Call it the \"polyglot\" of the social web. The implementation revolves around a socket server, with a clearly defined protocol/API that the developers can use as a tool to execute actions mainly focused on social interaction on the internet. Identifying users, sending messages, subscribing, sharing, chatting. 
It will speak whatever language (protocol) necessary to carry out the action, abstracting the implementation details of the various APIs from the developer, leaving them to focus on creating rich web applications and providing as much compatibility as possible. The app developer can utilize one tool, indicate what they'd like to do, and that tool goes out and 'speaks the right language' to get the job done. This project is born from the Unhosted community and shares ideologies and goals with projects such as remoteStorage.js. The project's own website: http://sockethub.org Sockethub ","title":"SocketHUB","url":"https://nlnet.nl/project/sockethub/"},{"url":"https://nlnet.nl/project/snabbwall/","title":"SnabbWall","description":" SnabbWall SnabbWall is a layer-7 network flow detector and firewall application. Layer-7 firewalls, or application firewalls, empower technical users and administrators near the endpoints of networks. They can provide one centralized, flexible tool to subsume many other ones, simultaneously reducing the burden to learn how to achieve certain ends, and freeing people from the confines of very specific tools. Software Defined Networking has been revolutionizing the network space over the last couple of years. SDN uses commodity hardware to implement network elements and functionalities which were generally provided by very expensive, and usually inflexible, special-purpose network appliances. SnabbWall is designed as a modular, application-level (Layer-7) firewall suite built on the foundations of the popular open source SDN Snabb Switch, allowing it to be used with cheap commodity hardware. As an application-level (Layer-7) firewall, it will be able to: Inspect network traffic and detect flows of related data, and pinpoint which application has produced a certain data flow. Filter (drop, reject, or accept) packets using criteria specified in a set of rules, which can use the information inferred by inspecting the packets. 
As a suite, it will include a complete firewall program out of the box. As a modular system, it will provide a set of components which can be reused in other Snabb Switch designs. The project's own website: https://snabbwall.igalia.com The L7 Spy application will be capable of identifying protocol data flows (that is, it will work at the application level, or Layer-7) but other than that packets just flow through it. The idea here is that sometimes it is interesting to just know which kind of traffic passes through a network, for example to gather statistics. If a packet is determined to belong to a certain protocol, ancillary metadata is attached to the packet. The way metadata is handled does not ever modify the packet itself, so applications which are not designed to handle it do not need to be modified. On the other hand, the L7 Firewall application will implement the actual logic of matching packets against a set of rules which determine what to do with each one of them. What is special about this application is that, on top of what other filtering solutions like pflua may offer, it also allows matching the additional metadata generated by L7 Spy — if present. Note that it is not at all necessary to use both applications in tandem: they can function independently, to allow others to mix-and-match them as desired. Yet, they are designed to work together, and SnabbWall also provides a standalone program (snabb wall) which implements a complete application-level firewall. A project of Igalia. "},{"description":" SIRS Scalable Internet Resource Service The SIRS project focuses on the development of a service that allows resources to be widely distributed and replicated across the Internet in a scalable way. The project's own website: http://www.cs.vu.nl/pub/globe/ Full source code for the system developed in the SIRS-1, SIRS-2 and SIRS-3 projects Globe publications website 2002-06-21: The Globe Distribution Network. 
Paper describing the design of the Globe Distribution Network has been presented in the FreeNIX track at the USENIX conference in San Diego. A Scalable Implementation for Human-Friendly URIs. Beyond HTTP: An Implementation of the Web in Globe. ","title":"SIRS","url":"https://nlnet.nl/project/sirs/"},{"description":" SIRS Scalable Internet Resource Service The SIRS development work is done by scientific programmers of the Computer Systems Group in the Division Mathematics and Computer Science at the Vrije Universiteit of Amsterdam, under the direction of prof. dr. Maarten van Steen. It is implementing components of the design of the Globe research project by the same Computer Systems Group. NLnet has funded the implementation costs for a total of € 356,218. Final report and assessment of all SIRS projects. SIRS-3 project proposal. Final report for SIRS-2 project. SIRS-2 project proposal. SIRS-1 project proposal. Final report for SIRS-1 project. ","url":"https://nlnet.nl/project/sirs/how.html","title":"SIRS"},{"url":"https://nlnet.nl/project/sirs/description.html","title":"SIRS","description":" SIRS Scalable Internet Resource Service Experiences with overloaded networks as a result of the distribution of popular software packages via public ftp servers were the reason for discussion with prof. dr. Andy Tanenbaum and dr. Maarten van Steen of the Computer Systems Group in the Division Mathematics and Computer Science at the Vrije Universiteit Amsterdam. This group does fundamental and applied research in the area of distributed systems. Globe, a world-wide distributed system which supports the distribution and replication of objects, is the focus of the research of the group. Within the scope of Globe, a project named Scalable Internet Resource Service (SIRS) has been defined. 
The essence of the SIRS-implementation is the encapsulation of a resource (i.e. one or more files) in a Globe distributed object, and subsequently the addition of the most applicable replication and distribution strategy to that object. The development of the necessary adaptations to servers and clients is the main topic of the first part of the SIRS project. The SIRS-1 project started on December 1, 1998, and its first phase ran until December 1, 1999. The costs of the first phase, € 68.067, were fully subsidised by Stichting NLnet. The results of this first phase were still very much in the alpha stage, but were promising enough to follow up the project with a second phase named SIRS-2, which ran from December 1, 1999 until December 1, 2000. This second phase consisted of two sub-projects: SIRS/Server, a direct continuation of the SIRS-1 development, and SIRS/GDN, the Globe Distribution Network, a practical application of Globe for the (worldwide) distribution of files, in particular freeware and shareware. The costs of SIRS-2, € 142.941, have been fully subsidised again by Stichting NLnet. SIRS-3 has been defined as the third phase of the SIRS project. Its purpose was to address a number of important issues in the prototype version resulting from SIRS-2, namely security, fault tolerance and management tools. The project plan for SIRS-3 describes these in more detail. This last phase of SIRS ran from 1 January 2001 until 1 February 2002. The costs of SIRS-3, € 145.210, have been fully subsidised again by Stichting NLnet. "},{"url":"https://nlnet.nl/project/sipcollab/","title":"SIPcollab","description":" SIPcollab Decentralized and secure collaborative editing on office documents Collaborative editing on documents is required (or at least very helpful) in a broad range of use-cases. Collaborative editing capabilities between peers remove the need for a server and enable usage in places and circumstances where it was not possible before. 
The Session Initiation Protocol (SIP) in combination with ZRTP and OTR offers encrypted multimedia (or \"whatever-media\") communication channels between individuals and groups. Common usages include voice and video conferencing, instant messaging (MSRP) and desktop sharing. While the latter technically allows people to present and share documents, it is brittle, bandwidth heavy and broadcast only - meaning that only a single user can edit a document. In order to provide more agile and interactive capabilities, the project adds collaboration facilities based on the collaborative webODF editor and the SIP/SIMPLE client SDK. Multiple users will be able to view and edit a document (such as a presentation or text document) with a group of people in parallel. The project will produce both a simple standalone version based on QML and an integrated version as a plugin to the Blink Qt project. KO GmbH "},{"description":" SIP-GUI Next Phase Graphical User Interface for the SIP SIMPLE client The goal of this project is to finish the GUI for Blink, the communication tool providing a combination of multiple media streams in SIP sessions --a future-proof design that will eventually take over other commercially closed solutions available on the market today. The Graphical User Interface for the SIP SIMPLE client project is a stand-alone project that is financed by AG Projects and NLnet. The project once completed will provide the source code and binary installation packages for Linux, Microsoft Windows and MacOSX operating systems. The packages will provide a fully featured graphical client for Voice, IM, file Transfer and Desktop Sharing based on SIP and MSRP protocols. In fact a fully open source package replacing Skype will appear on the market. The project's own website: http://wiki.icanblink.com/ AG Projects B.V. 
","url":"https://nlnet.nl/project/sip-gui/","title":"SIP-GUI"},{"url":"https://nlnet.nl/project/sip-comm2/","title":"Jitsi (SIP-Communicator) Desktop","description":" Jitsi (SIP-Communicator) Desktop Desktop Streaming and Sharing with SIP Communicator The possibility to allow remote access to one's ongoing desktop session has been appealing to users ever since the early days of Internet communication. Especially the Desktop Sharing and Streaming features are of interest to virtually all internet users. This is probably why all commercial instant messengers ship with some form of implementation for this feature. Today it's still one of the major features for Microsoft's Windows Live Messenger, Apple's iChat and more recently Skype who started out with Windows-only support and extended it to Mac OS X with their latest version. However, the feature is generally unavailable with free/open source communicators, and the only way to share one's desktop in a platform independent way is to use dedicated solutions such as VNC applications and multi-platform clients for the Remote Desktop Protocol. This project is all about running Desktop Sharing and Streaming, stressing on certain characteristics, like ease of session establishment, interactivity, and privacy protection. The project was led by dr. Emil Ivov The project's own website: http://sip-communicator.org The project was renamed to Jitsi "},{"url":"https://nlnet.nl/project/sip-comm/","title":"Jitsi (SIP Comm Phone)","description":" Jitsi (SIP Comm Phone) Internet phone and instant messenger SIP Communicator is an audio/video Internet phone and Instant Messenger. It supports some of the most popular instant messaging and telephony protocols such as SIP, XMPP/Jabber (and hence GoogleTalk), AIM, ICQ, MSN, Yahoo! Messenger, IRC, Bonjour and new ones will be coming soon. 
This particular project concerns a number of tasks needed to be accomplished so that SIP Communicator could become a viable or even better alternative for Skype, but all in Open Source. The following tasks are to be accomplished within the scope of the project: Developing a Java implementation for the ICE protocol. Audio/video telephony for XMPP/Jabber. Conference calls. File transfer. The project's own website: http://sip-communicator.org The project was renamed to Jitsi "},{"title":"Σ-protocols","url":"https://nlnet.nl/project/sigmaprotocols/","description":" Σ-protocols Formalise and implement zero-knowledge proof Σ-protocol Σ-protocols are mature and widely-used cryptographic protocols used for digital signatures and for zero-knowledge proofs. This project is centered around their standardization and the development of a comprehensive specification and reference implementation. The main goal is to create a detailed and accessible specification for Σ-protocols and the Fiat-Shamir heuristic, to be presented in formats like HTML or PDF, along with a reference implementation. This effort aims to make these technologies understandable and usable by a broad audience, including developers, practitioners, students, and engineers. The end goal is to make this technology more accessible for privacy-preserving applications and non-cryptographers. The project's own website: https://github.com/mmaker/stdsigma This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. "},{"description":" Shadow Internet An alternative communication infrastructure working phone to phone. 
Shadow Internet is an alternative communication infrastructure developed by researchers at Technical University Delft that enables people to distribute videos by copying them from phone to phone wirelessly. So even without an Internet connection you can share content. Specifically crafted to be resilient. The project's own website: https://github.com/Tribler Shadow Internet is an innovative and robust communication solution running on smart phones which ensures people are able to share information with each other under any circumstance, without being reliant on third party services and the availability of infrastructure. This will allow normal end users to view and share content with their friends, relatives and the rest of their environment. The Shadow Internet is an alternative communication infrastructure. Under active development for several years, it's specifically crafted to be resilient to sniffing, blocking, filtering and shutdown. A place for free expression and innovation. Censorship is a key threat to the Internet; with the Shadow Internet we will protect you. Android-based smartphones, the TOR protocol, Bittorrent and a novel reputation system form the technical foundations of this project. For the past years dozens of scientists and engineers have worked hard to realize their vision: full privacy protection using the TOR-inspired hidden services. The project is specifically targeted for recording and spreading of protest videos. Work on easy-to-use cryptography for protecting content on your phone and masquerading it as innocent content is ongoing. The Shadow Internet ensures people no longer are reliant on surveillance-prone commercial websites to view and share content with friends. Many smartphones have data limits and these deter people from uploading video files. The application should let you share content with friends simply by holding your phones against each other. 
A survey of robust and resilient social media tools is available in this paper by Paul Brussee and Johan Pouwelse The project is developed at Parallel and Distributed Systems at the Technical University Delft. ","url":"https://nlnet.nl/project/shadowinternet/","title":"Shadow Internet"},{"description":" Sesame storage and querying middleware for the Semantic Web Sesame is a storage framework for RDF data, the proposed W3C standard modeling languages for the Semantic Web. The RDF format is used to describe all sorts of things (the meta-data); besides the content of documents and web pages, RDF can be used to describe real life things like persons and organisations. This data can, for instance, be used as basis for news readers, search applications, or indexing. Sesame is a modular architecture for persistent storage and querying of RDF and RDF Schema. Sesame supports various querying languages and databases. Sesame also offers ontology management functionality such as change tracking and security. RDF is actively used in a large number of projects and products, like Adobe's XMP, The FOAF project, the Dublin Core Metadata Initiative, and the Open Directory Project. Sesame is used in a growing number of these projects as an invisible database component, whenever RDF statements have to be stored and retrieved. Some examples of application: Bibster: a Java-based system which assists researchers in managing, searching, and sharing bibliographic metadata (e.g. from BibTeX files) in a peer-to-peer network, using Sesame and SeRQL to store and query. Flink: social network browser based on FOAF and Sesame. Aduna AutoFocus: desktop search tool based on Sesame. Latest information: The project's own website: http://www.openrdf.org 2006-02-13: Sesame will give a tutorial during ESWC2006. 2004-11-17: The Social Network browser Flink, based on FOAF and Sesame, won the Semantic Web Challenge during ISWC2004. Sesame leaflet for ISWC2004 in Hiroshima Japan. 
Poster session at the SANE2004 conference Amsterdam. ","url":"https://nlnet.nl/project/sesame/","title":"Sesame"},{"title":"Sesame","url":"https://nlnet.nl/project/sesame/how.html","description":" Sesame storage and querying middleware for the Semantic Web Originally, Sesame was developed by Aidministrator Nederland BV as a research prototype and one of the key deliverables in the European IST project On-To-Knowledge (EU-IST-1999-10132). Now, Sesame is being further developed by Aduna (the new name for Aidministrator) and the NLnet Foundation as an Open Source tool under the terms of the GNU Lesser General Public License (LGPL). Arjohn Kampman and Jeen Broekstra, both software developers at Aduna, are managing the project. Ongoing contributions are made by the Bulgarian company OntoText, which developed the Ontology Management Module of Sesame as part of the On-To-Knowledge project. 2006-04-03: Sesame2 API updated to new Java5 syntax features. Project plan and final report. 2005-11-15: Project phase 2 final report. 2004-04-09: Project plan (Plan Van Aanpak) for Sesame phase 2, which will run till May 2005. 2004-03-25: Version 1.0 of Sesame has been released. 2004-02-13: OpenRDF.org website launched. 2003-12-04: The project's final report. 2003-07-31: Development plans for the upcoming releases. 2003-05-29: Version 0.9 of Sesame contains the first release of SeRQL. 2003-04-10: Version 0.1 of the plug-in for IsaViz released. 2003-02-12: Version 0.1 of the plug-in for OntoEdit, (the Ontology Engineering Environment) is released. "},{"title":"Sesame","url":"https://nlnet.nl/project/sesame/description.html","description":" Sesame storage and querying middleware for the Semantic Web The Semantic Web In his book Weaving the Web, Tim Berners-Lee talks about the vision that inspired him to invent the World Wide Web. 
Although the Web as we know it today has already changed everyday life, facilitating communication between people all over the world as if they were each other's neighbours, Tim Berners-Lee's vision has yet to be fulfilled. The Web, as he saw it, included machines communicating with people and with each other, rather than people just using machines to talk to one another. He calls this web The Semantic Web. The Semantic Web is about the meaning of information, whereas the current World Wide Web is only about the information itself. For machines to be able to communicate with each other and with people, they will need a common understanding of what information means. For this, machine processable meta-information -- information about the information -- is needed. The World Wide Web Consortium, founded by Tim Berners-Lee, has been working on (and still works on) standards for defining this machine processable meta-information. The now omnipresent language XML was the first step. The next step was the definition of RDF (Resource Description Format), a format that allows you to define anything about everything and that uses XML as an interchange syntax. Next steps include the definition of languages for modelling information so that it becomes machine understandable. First inroads in this direction have been made with RDF Schema, OIL and DAML+OIL, languages which will serve as important input to the new Web-Ontology Working Group. Sesame Sesame is a software program that was originally developed in the IST-project On-To-Knowledge, which also produced the OIL language. In this project, a storage and querying service for RDF and RDF Schema was developed. This software was baptized Sesame. The most important features of Sesame are: Scalability Sesame has been designed with scalability as its primary focus. By design, it is able to scale from handhelds to powerful enterprise servers. 
Powerful query language The supported query language RQL is the only language of its kind, offering native support for RDF Schema semantics. Portability Sesame is written completely in Java, allowing it to be run on all mainstream platforms. Repository independence Sesame abstracts from the actual repository being used for storing data. This allows Sesame to be run on top of any DBMS, or even on completely different kinds of repositories. Extensibility Sesame's architecture allows for other functional modules to be plugged in, thus adding new functionality to the program. Flexible communication The architecture separates the communication details from the actual functionality through the use of protocol handlers. Supporting other communication protocols is only a matter of adding the appropriate protocol handler. As the amount of available meta-data grows, the need for a scalable repository and accompanying querying service will arise. Being able to offer this, Sesame has the potential to become an important building block of the Semantic Web. The flexibility and openness of Sesame's architecture will allow it to be integrated in a wide variety of applications. "},{"url":"https://nlnet.nl/project/serval/","title":"Serval","description":" Serval Mobile communication anywhere. Communicate anywhere, any time ... without infrastructure, without mobile towers, without satellites, without wifi hotspots, and without carriers. Use existing off-the-shelf mobile cell phone handsets. Serval enables mobile communications no matter what your circumstance: mobile communications in the face of disaster, in the face of poverty, in the face of isolation, in the face of civil unrest, or in the face of network black-spots. In short, Serval provides resilient mobile communications for all people. This system is the only mesh mobile telephony system that works on ordinary handsets, and is open source. 
It lets you use existing telephone numbers and can work without needing an internet connection. The project's own website: http://servalproject.org Project of Serval, Australia "},{"description":" Serval-LR SERVAL Long-range WiFi Add-on Serval Project's goal is making mobile phones useful, even when there is no cellular network or internet available. This particular project prototypes a \"helper device\" for long-range WiFi. Serval has developed various technologies that allow voice calls, SMS, file sharing and other services in a completely distributed manner. Robust security is being progressively introduced into these technologies, with voice calls already enjoying end to end encryption, and our UDP-like Mesh Datagram Protocol (MDP) also enjoying automatic encryption. The Serval Project is intended to be useful in disaster and emergency situations anywhere in the world, as well as for people in rural, remote and developing world settings where traditional cellular service may not be available or may be too expensive. The Serval Project's technologies also have obvious application to enabling freedom of speech and communications for people under oppressive regimes. Serval currently uses ad-hoc WiFi on mobile phones to form the mesh network. This requires root access on Android, and is unlikely to ever be possible on iPhone. Also, ad-hoc WiFi, while useful, has many limitations, including limited range and relatively high power consumption. This particular project aims to prototype a \"helper device\", that would consist of a WiFi-enabled Arduino-compatible device attached to a low-cost radio module, and then to integrate that hardware with the Serval platform. The result will be a box that allows any WiFi enabled phone (Android, iPhone, Blackberry, Nokia S60 etc) to connect to the mesh. Some platforms will have a first-class native client, e.g., Android, while others will be able to use an HTML client to access mesh functions. 
Moreover, the box will be capable of long-range communications to other such boxes. Current estimates suggest that ranges of 6x-18x WiFi range are possible, allowing line-of-sight range of perhaps 1km or more. Finally, the box will be able to be integrated with satellite data terminals and short-burst data modules (basically satellite SMS) to allow the connection of mesh networks to the outside world. The project's own website: http://servalproject.org Project of Serval, Australia ","url":"https://nlnet.nl/project/serval-lr/","title":"Serval-LR"},{"description":" Online Self-defence in Ten Minutes Online Self-defense in 10 minutes Bits of Freedom foundation develops an \"Online Selfdefense in ten minutes\" tool. Many people use the Internet carelessly and are not aware that such behavior entails risks for their privacy. And those who are familiar with this kind of risks often think that it is too difficult to undertake something to defend their privacy. The project's own website: https://www.bof.nl/ons-werk/webwijs/ This guide provides every Internet user with simple set of measures to protect them on the Internet in ten minutes. For more advanced users the guide provides links to specific tools for such self protection of their Internet surfing, email, social media applications, IP telephony and file sharing. Bits of Freedom ","title":"Online Self-defence in Ten Minutes","url":"https://nlnet.nl/project/selfdef/"},{"title":"SecuShare","url":"https://nlnet.nl/project/secushare/","description":" SecuShare A framework for sufficiently safe social interaction The SecuShare project implements a social messaging service based on the GNUnet peer-to-peer framework offering scalability, extensibility, and end-to-end encrypted communication. 
The scalability property is achieved through multicast message delivery, while extensibility is made possible by using PSYC (Protocol for SYnchronous Communication), which provides an extensible RPC (Remote Procedure Call) syntax that can evolve over time without having to upgrade the software on all nodes in the network. Another key feature provided by the PSYC layer is stateful multicast channels, which are used to store e.g. user profiles. End-to-end encrypted communication is provided by the mesh service of GNUnet, upon which the multicast channels are built. Pseudonymous users and social places in the system have cryptographical identities – identified by their public key – these are mapped to human memorable names using GNS (GNU Name System), where each pseudonym has a zone pointing to its places. The project's own website: https://secushare.org Why does this actually matter to end users? SecuShare aims to provide an easy to use, secure and censorship-resistant communication infrastructure that can easily be operated by normal end users. It combines a number of proven technologies and new innovative ideas into a new privacy-shielded communication infrastructure. SecuShare aims to provide a real-world usable alternative to insecure commercial communication channels currently in use. Its design goal is that we should not have to trust individual remote parties with access to our most private (meta)data, merely because they provide infrastructure components. This project was funded through the Internet Hardening Fund, a fund established by NLnet with financial support from the Netherlands Ministry of Economic Affairs and Climate Policy. 
"},{"title":"Secushare Box","url":"https://nlnet.nl/project/secushare-box/","description":" Secushare Box Operating system extension of Secushare for hardware devices An operating system extension for hardware devices that turns them into automatable nodes in a distributed social mesh network, independent of central control. The objective is to offer an alternative to cloud-controlled IoT, empowering the owner of a device instead of its manufacturer. IoT devices are cryptographically linked to their owner's smartphones, PCs or other interfaces, using an initial vicinity rendez-vous procedure, akin to how bluetooth devices \"pair\". This integrates the new IoT device into the owner's social graph as a resource that can potentially be shared with others without the hassle of exchanging unsafe passwords. The project's own website: https://box.secushare.org Why does this actually matter to end users? The SecureShare project implements a social messaging service based on the GNUnet peer-to-peer framework offering scalability, extensibility, and end-to-end encrypted communication. The scalability property is achieved through multicast message delivery, while extensibility is made possible by using PSYC (Protocol for SYnchronous Communication), which provides an extensible RPC (Remote Procedure Call) syntax that can evolve over time without having to upgrade the software on all nodes in the network. Another key feature provided by the PSYC layer are stateful multicast channels, which are used to store e.g. user profiles. End-to-end encrypted communication is provided by the mesh service of GNUnet, upon which the multicast channels are built. Pseudonymous users and social places in the system have cryptographical identities – identified by their public key – these are mapped to human memorable names using GNS (GNU Name System), where each pseudonym has a zone pointing to its places. 
SecuShare aims to provide an easy to use, secure and censorship-resistant communication infrastructure that can easily be operated by normal end users. It combines a number of proven technologies and new innovative ideas into a new privacy-shielded communication infrastructure. For \"SecuShare Box\" the final target community is consumers who want to buy IoT devices that do not require them to trust manufacturer companies but rather work entirely between the devices the consumer owns. Indirectly the technology should be of interest to the IoT community and free software developers in general. It is relevant for companies who don't want to be left behind and prefer to offer ethical solutions instead of questionable cloud-based ones. This project was funded through the Internet Hardening Fund, a fund established by NLnet with financial support from the Netherlands Ministry of Economic Affairs and Climate Policy. "},{"description":" Searx Searx is an internet metasearch engine that can be easily self-hosted by anyone. Searx is a free software internet metasearch engine which aggregates results from a significant number (currently more than 70) of search services. A private (or preferably shared) instance of Searx allows you to escape from the so called 'search bubble' created by overzealous personalisation of your search results. It gives you a more diverse (or at least alternatively biased) view on the world, by combining the results of a variety of sources without filtering based on your previous searches. Searx also helps to reduce the amount of tracking and passive observation search users are subject to, by offering a layer of proxying isolation. The project's own website: http://searx.me Web searches reveal a great deal of information that many people consider sensitive and personal, which makes search users (which is pretty much everyone that uses a computer) vulnerable to behavioural targeting and other undesirable treatments. 
Searx was designed as a defense mechanism to protect your privacy as much as possible. It is an easy to use tool you can run for yourself or for others, on a server or even on a low-powered device such as a Raspberry Pi. Not only does Searx combine search results from a configurable number of sources, it can also offer basic proxy capabilities so you can search the web without being observed. Searx searches on your behalf and keeps the tracking. Because you pay for it yourself, there is no need to track or profile users. There are many public instances hosted for instance by organisations like La Quadrature Du Net, in addition to private ones. Searx can easily be used over anonymising networks such as Tor for even more online privacy. Searx is available for free download via: https://asciimoo.github.io/searx. ","url":"https://nlnet.nl/project/searx/","title":"Searx"},{"url":"https://nlnet.nl/project/searsia/","title":"Searsia","description":" Searsia Searsia is a protocol and implementation for large scale federated web search. Searsia provides the means to create a personal, private, and configurable search engine, that combines search results freely from a very large number of sources. Searsia enables existing sources to cooperate such that they together provide a search service that resembles today’s large search engines. In addition to using external services at will, you can also use it to integrate whatever private information from within your organisation - so your users or community can use a single search engine to serve their needs. The project's own website: http://searsia.org Searsia is an open source engine and a protocol, created by academic researchers. Using Searsia you can: Manage and share large collections of independent sources; Select for each query the most relevant sources; Combine sources in an aggregated search interface. Searsia learns over time what kind of information each source provides. 
To see it in action check the search engine of the University of Twente that combines the results of about 30 sources, including results from Google's web crawl, from Courses, from News, the Telephone directory, the Timetables, as well as results from social media, such as Facebook, Twitter, Pinterest, and Flickr. The Searsia software is open source and available via: searsia.org. More about the team behind Searsia. Jointly funded by: "},{"description":" Search and Displace Find and redact privacy sensitive information The goal of this project is to establish a workflow and toolchain which can address the problem of mass search and displacement for document content where the original documents are in a range of forms, including a wide variety of digital document formats, both binary and more modern compressed XML forms, and potentially even encompassing older documents where the only surviving form is printed or even handwritten. The term \"displacement\" is meant to encompass actions taken on the discovered content that are beyond straight replacement, including content tagging and redaction, as well as more complex contextual and user-refined replacement on an iterative basis. It is assumed that this process will be a server application with documents uploaded as needed, on either an individual or bulk upload basis. The solution would be built in a modular fashion so that future deployments could deploy and/or modify only the parts needed. In practical terms this involves the creation of an open source tool chain that facilitates searching for private and confidential content inside documents, for instance attachments to email messages or documents that are to be published on a website. 
The tool can subsequently be used for the secure and automated redaction of sensitive documents; building this as a modular solution enables it to be used “standalone” with a simple GUI, or used via command line, or embedded within 3rd party systems such as document management systems, content management systems and machine learning systems. In addition a modular approach will facilitate the use of the solution both with different languages (natural and programming) and different specialities e.g. government archives, winning tenders, legal contracts, court documents etc. The project's own website: https://searchanddisplace.com Why does this actually matter to end users? Everyone knows that once something is online, it can be hard if not impossible to take that information down again. This is especially risky when you need to share information on a document that also has particularly sensitive or even confidential data on it. Considering the amount of documents businesses, organizations and individuals share online everyday, mistakes are inevitable and potentially very harmful, possibly leading to (identity) theft, blackmail, or worse. Search and discovery in this sense is also a matter of privacy protection and granular control, the same way confidential details are sometimes redacted in government documents. This control should also be possible for documents that are already online, when 'the harm is already done' and you are desperately looking for a way to take a file down again or edit out any sensitive details. This project can give users more control over what information they precisely want to share or publish online in their documents and what should be kept out of the public eye. A tool will be developed that can find out whether private or confidential information is leaked somewhere in the file and subsequently delete or cover up this data. 
The tool will cover documents in all shapes and sizes, ranging from digital forms and docs to printed files and even handwritten texts, and will be usable standalone or integrated in existing document or content management systems that organizations already use. The project aims to make a modular toolkit so the technology is relevant for all sorts of users, for example people working with government archives, court documents and legal contracts. Instead of forgoing transparency and data accessibility for privacy and confidentiality, this technology upholds both values crucial to a functioning democracy. Run by Moorcrofts This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. ","title":"Search and Displace","url":"https://nlnet.nl/project/searchanddisplace/"},{"description":" Seahorse SmartCard Seahorse Smart Card Support Smart Cards provide solid, tamper-proof security. When used with modern web authentication technology, they can be used to provide a protection against phishing and can also be used to solve other problems facing one's identity on the web today. But desktops ignore their existence. In order to get things rolling with better smart card support on the Desktop, users and developers need simple access to smart card technology. Seahorse is a key manager that's used on the GNOME Desktop. Currently it can manage stored passwords, PGP, and SSH keys. This project will add smart card support to the Seahorse key manager. This project will implement basic management of certificates and keys stored on smart cards in the Seahorse key manager. Users will be able to examine and use their smart card with the same management operations as available to certificates and keys stored in software key tokens. 
The project's own website: http://p11-glue.freedesktop.org Project of Collabora Ltd, UK ","title":"Seahorse SmartCard","url":"https://nlnet.nl/project/seahorse-sc/"},{"description":" x86-64 VM Monitor for seL4 verified microkernel Very restricted virtualized environment for higher security The security of any software system depends on its underlying Operating System (OS). However, even OSes such as Qubes, which are \"reasonably secure\" depend on large trusted computing bases (e.g. hypervisors) with hundreds of thousands of lines of code. For example, the Qubes' Xen Security Advisory Tracker reports that 53/283 (18%) of Xen vulnerabilities over the last eight years affected Qubes. As a step towards facilitating the implementation of more secure, Qubes-like systems, we propose to retarget it to the seL4 microkernel. seL4 is an open-source, formally-verified microkernel that has matured and been maintained for over a decade. seL4's small size (10,000 Lines of Code) and formal verification make it an appealing Xen replacement for Qubes, however, its virtualization support is currently limited. As a first step to enabling Qubes on seL4 we will implement a hardened, open-source, x86 64-bit Virtual Machine Monitor (VMM) for the seL4 microkernel capable of hosting the core Qubes OS virtual machines. The project's own website: https://trustworthy.systems/projects/TS/makatea Why does this actually matter to end users? How can you understand and trust a complex system, like the operating system managing the hardware and software on your computer? You can make the complexity simpler by cutting it up into parts, compartmentalizing what does what, where information is stored, which processes talk to each other. This way users can be sure their system only does what it is supposed to do and know precisely what goes in and what comes out. This can be done through virtual machines, which are isolated simulations of operating systems or programs on a computer. 
Simply put, you create virtual rooms where only one thing happens and only you have the keys to each door. This can give users complete control over what happens on their computer and ensures that if some malicious software finds a way in, it cannot get to the other rooms. This can be very important if your device contains sensitive information, if some ill-meaning third party tries to listen in, or when the device is part of some crucial infrastructure and is targeted for attacks. The Qubes operating system is a pioneer in creating an isolated yet workable desktop. Users can segment programs and data into separate cubes, based on trust. The default cubes are 'work', 'personal' and 'untrusted', that are each run in an isolated virtual machine. If you open a phishing email in your 'untrusted' cube and malware manages to make its way into this specific environment, it cannot get to 'personal' or 'work' and therefore cannot compromise that data (or the entire operating system, which is the case with popular operating systems like Windows that have a huge attack surface). Various colors (think green, yellow, red) can be used to indicate what window and program works in what qube. Security by isolation can and should be a great way to make operating systems more secure by design. Unfortunately even operating systems like Qubes need other programs to work that may be insecure (and have actual reported vulnerabilities). This project will make Qubes-like systems more secure by switching from a vulnerable dependency to a verified and well-maintained alternative. Run by Neutrality, University of New South Wales (UNSW), and ITL This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. 
","url":"https://nlnet.nl/project/seL4-64bitVMM/","title":"x86-64 VM Monitor for seL4 verified microkernel"},{"url":"https://nlnet.nl/project/sdr-phy/","title":"SDR PHY","description":" SDR PHY Create a GSM mobile phone consisting of completely open source software and SDR radio SDR (Software Defined Radio) allows for a low cost setup to serve a wide variety of changing radio protocols in real time. SDR is gaining popularity in the world of Open Source mobile communications. Thanks to the work of projects like Osmocom and OpenBTS, it is already possible to run a custom GSM network using Open Source software. Moreover, there is a few Open Source projects for LTE, such as OpenLTE, srsLTE and OpenAirInterface. However up to now there was no software defined GSM mobile phone. The \"SDR PHY for Osmocom BB\" project aims to fill this void. The project is focused on the client side of GSM protocol stack, and bridging the gap between existing GSM stack implementation project and SDR hardware. The project's own website: https://osmocom.org/projects/osmocom-bb-sdr-phy/wiki This project supports an exciting new effort to create a completely open GSM implementation, enabling many new use cases for SDR. The project will add the following features: Open Source mobile-side GPRS/EGPRS stack implementation CSD (Circuit Switched Data) implementation Integration of non-GSM audio codecs, e.g. Opus Extended SDR hardware compatibility (not only USRP) AGC (Automatic Gain Control) implementation Frequency hopping channels support Physical SIM-card interface (e.g. PCSC) Power measurement Ability to run on any frequency (enabling a network running i.e. on WiFi band) "},{"title":"SCTP-Linux","url":"https://nlnet.nl/project/sctp-linux/","description":" SCTP-Linux A better Linux SCTP The Internet transport layer has been extremely rigid since its inception. 
The very diverse requirements of today’s applications are mapped to only two services, provided by the two protocols that are broadly available, TCP and UDP. The Stream Control Transmission Protocol (SCTP) offers promising benefits to applications, but faces significant deployment problems. One of these problems is certainly related to shortcomings of its Linux implementation (\"LKSCTP\"), which cause it to perform much worse than TCP under most circumstances. It is obvious that, for SCTP to be an attractive option for application designers, it should always perform at least as well as TCP. The two most important TCP features that are not required according to the standard are missing in LKSCTP: auto-buffer tuning and pluggable congestion control. In this project: Auto-buffer tuning will be added to SCTP. Work towards adding pluggable congestion control will be carried out. An investigation of other, less significant differences between TCP and SCTP in Linux will be carried out. University of Oslo, Norway. "},{"title":"SchoolLan","url":"https://nlnet.nl/project/schoollan/","description":" SchoolLan computer networking as education support for primary schools The foundation SchoolLan ceased its activities officially on October 31, 2006. At the moment, no one is working on a new release. The last release 5.2.0 was made in September 2004. SchoolLan brings an Internet infrastructure to Dutch primary schools. Pupils and teachers can get access to e-mail and websites with minimal effort. The systems are pre-configured to fit best in the school environment. SchoolLan has been developed to allow (remote) technical management within a (technically naive) school environment. The design and configuration can easily be duplicated by similar educational institutions elsewhere. In other words, SchoolLan is a blueprint: a technical configuration/network design model. SchoolLan is based on the philosophy of the General Public License (GPL). 
This philosophy is reflected in the computer and network technology deployed, as well as in the educational content. The project's own website: https://www.schoollan.nl 2005-11-28: New dentist center Octant in Hoorn runs on the SchoolLan infrastructure. SchoolLan was presented in May 2002 at the 3rd International System Administration and Networking Engineering Conference SANE 2002 in Maastricht. The conference paper gives a global overview of the techniques used. .pdf (17 kB) 2004-09-20: SchoolLan version 5.2.0 released. "},{"description":" SchoolLan computer networking as education support for primary schools Stichting SchoolLan is a non-profit organization. It operates fully independent from the government, commercial entities and organisations. Stichting SchoolLan receives software and advice from the Open Source community. The project was started in 1999. In August 2001 the foundation \"Stichting SchoolLan\" was set up. It aimed to be self-supporting in 2004, but failed to achieve this goal due to the disappointingly slow growth in the number of support contracts. As a result, the project down-sized in August 2004 from an organization with paid staff to a project driven by volunteers. In order to continue the support and development of the SchoolLan software, a platform of cooperating companies and users was established in 2005. About 40 primary schools in total were running SchoolLan at the start of 2003. During 2004, the project down-sized from an organization with personnel into a project driven by volunteers. Last annual report of the foundation, covering 2005 and 2006. 
.pdf (97 kB) Annual report of the foundation covering 2004 .pdf (131 kB) Annual report of the foundation covering 2003 .pdf (435 kB) Annual report of the foundation covering 2002 .pdf (553 kB) Annual report of the foundation covering 2001 .pdf (41 kB) ","title":"SchoolLan","url":"https://nlnet.nl/project/schoollan/how.html"},{"url":"https://nlnet.nl/project/schoollan/description.html","title":"SchoolLan","description":" SchoolLan computer networking as education support for primary schools SchoolLan brings an Internet infrastructure to Dutch primary schools. Children and teachers can get access to e-mail and websites with minimal effort. The systems are pre-configured to fit best in the school environment. The SchoolLan system is based on an off the shelf PC Linux server, serving its Windows clients, targeted for small-scale educational environments (50-75 computers per school, or several cooperating schools situated close together). SchoolLan has been designed and configured to allow remote technical management within a (technically naive) school environment. SchoolLan also provides system/network administration applications which enable the school staff to install (Windows) clients, maintain student accounts and working environments and use third party educational software from the server. SchoolLan is a blueprint for a technical configuration/network model: its Open Source (GPL) design and configuration can easily be duplicated by primary schools elsewhere. Implementation The technical core of SchoolLan is a network environment with a central Linux server, serving a heterogeneous collection of Windows based clients. The clients can be (re)installed very easily with a preconfigured Windows OS (originally via BpBatch software and scripts, but nowadays via a PXE Linux bootstrapping mechanism). Networking services consist of (a.o.) 
Samba for Microsoft Networking, Sendmail for e-mail services, DHCP for dynamic IP address allocation, IPtables for hiding and protecting the intranet, BIND V9 for internal name service, Apache and webfiltering tools for internal and external web access, GipLan for student account management and educational software package management, etc. There is a template system for incorporating Windows based educational packages into the system. An extensive backup and archiving system is provided to ease the unattended backups. Stichting SchoolLan The foundation \"Stichting SchoolLan\" aims at stimulating the development and deployment of Information and Communication Technology (ICT) in an Open Source fashion for (primary) schools. The foundation is setting up the \"SchoolLan Platform\" as a group of cooperating companies and users to continue the support and development of the SchoolLan software. The operation is on a non-profit basis. "},{"title":"schc-rs","url":"https://nlnet.nl/project/schc-rs/","description":" schc-rs Faster low power networking for constrained devices Static Context Header Compression (SCHC), defined in RFC 8724, is a framework designed to provide efficient header compression and fragmentation for constrained devices in Low Power Wide Area Networks (LPWANs). The IETF has been working on standardizing SCHC over IEEE 802.15.4 networks, which are commonly used in Internet of Things (IoT) applications. The aim of schc-rs is to provide a Rust implementation of the SCHC protocol, enabling developers to leverage its benefits in their Rust-based applications. Together with the dot15d4-rs project and the smoltcp network stack, schc-rs aims to provide a future-proof solution for IoT devices communicating over IEEE 802.15.4 networks. 
Run by Vrije Universiteit Brussel This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"title":"scalePNR","url":"https://nlnet.nl/project/scalePNR/","description":" scalePNR New place and route algorithms for large FPGAs The scalePNR project focuses on enhancing digital circuit design for large Field-Programmable Gate Arrays (FPGAs), which are complex chips used in everything from consumer electronics to mobile phone base stations to cameras to AI accelerators to internet backbone infrastructure to advanced computing systems. Traditionally, designing these chips has been a highly specialized and time-consuming task, due to the complexity and computational demands of arranging and determining efficient wiring between the millions of tiny logic blocks they contain. The goal of this effort is to tackle larger, more advanced FPGAs and make the process of designing circuits for these high-capacity chips more accessible and efficient, potentially leading to faster, more energy-efficient electronic devices. By researching and implementing new algorithms, the project aims to make it easier and quicker to design circuits that run cooler, faster, and more reliably, bringing the benefits of the latest technology to a broader audience and fostering innovation in numerous tech-driven sectors. The project's own website: https://github.com/mirekez/scalepnr This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. 
"},{"title":"SANE","url":"https://nlnet.nl/project/sane/","description":" SANE System Administration and NEtworking conferences The SANE Conferences are organized by the Dutch UNIX Users Group NLUUG, and target the International UNIX (and Linux/FreeBSD/Darwin) professional users community. The conference language is English. The SANE conference can be seen as a scaled-down version of USENIX's LISA conferences. The project's own website: http://www.sane.nl 2006-02-22: SANE2006 conference registration is open. NLnet was also involved in all earlier editions of this event: SANE 2004, SANE 2002, SANE 2000, and SANE '98."},{"description":" SANE System Administration and NEtworking conferences The SANE conferences are organized by the foundation Stichting SANE, with both work-force and financial support from the foundation Stichting NLnet and the association NLUUG, the UNIX User Group in The Netherlands. In addition to a loan and a guarantee of NLG 30,000, Stichting NLnet provided the treasurer for the Stichting SANE '98. Stichting SANE '98 was formally charged with the organization of the conference. Stichting NLnet sponsored SANE 2000 with a guarantee of NLG 40,000 and an interest-free loan of NLG 20,000. In addition, Stichting NLnet provided the treasurer and financial administration services for Stichting SANE, the entity formally charged with the organization of the SANE 2000 conference. Stichting NLnet sponsored SANE 2002 with a guarantee of €25,000 and an interest-free loan of €15,000. In addition, Stichting NLnet was providing the treasurer and financial administration services for Stichting SANE, the entity formally charged with the organization of the SANE 2002 conference. Besides, NLnet funded a Poster Session for €5,000. A large number of the NLnet sponsored projects contributed posters for this event. Stichting NLnet sponsored SANE 2004 with a guarantee of €40,000 and a loan of €40,000. 
In addition, Stichting NLnet provided the treasurer and financial administration services for Stichting SANE, the entity formally charged with the organization of the SANE 2004 conferences. NLnet supports SANE 2006 with a guarantee of €40,000 and an interest-free loan of €40,000. NLnet is happy to join forces with USENIX, SURFnet and NLUUG for the fifth SANE conference. ","url":"https://nlnet.nl/project/sane/how.html","title":"SANE"},{"description":" SANE System Administration and NEtworking conferences The loss of EurOpen, the umbrella organization of European UNIX user groups, was also a loss of the European platform for technical conferences in the Open Systems and (Internet) Networking area. The NLUUG's attempts to fill this gap have been supported financially and organizationally by USENIX, the American Advanced Computing Systems Technical and Professional Association, and by Stichting NLnet. SANE 1998 Conference The NLUUG, the UNIX User Group for the Netherlands, organized the first European oriented technical conference on System Administration and NEtworking 1998 (SANE98) in the week of November 18-20, 1998 in Maastricht, The Netherlands. SANE 2000 Conference In view of the success of the SANE'98 conference, in both a technical and financial sense, the NLUUG decided to organize a similar conference in the year 2000, again in co-operation with USENIX and Stichting NLnet. The SANE 2000 conference was held on 22-25 May 2000, again in Maastricht, The Netherlands. SANE 2002 Conference To continue a now well-established tradition, a third SANE conference took place in May 2002, again in Maastricht. SANE 2002 was again organized by the NLUUG, with support from Stichting NLnet and USENIX. 
","url":"https://nlnet.nl/project/sane/description.html","title":"SANE"},{"description":" Samizdat Samizdat makes public key cryptography accessible Samizdat is intended, in part, as a tool for activists -- or, generally, for anyone who desires secure communication with others who lack the computer literacy (or merely patience) to configure public key cryptography or VPNs. Samizdat would also be useful to give an outsider access to a network without being easily detected; for example, it could facilitate document leaking. Samizdat is a LiveCD intended primarily to make public key cryptography accessible: to distribute public keys securely, and to pre-configure various applications of cryptography, especially VPN-based applications. Samizdat LiveCDs are self-replicating, with the replicated system not being identical, instead having one other's public keys and various other information. The replicated systems automatically become nodes on a VPN. The LiveCD serves as a secure boot medium for a fully-functional, fully-encrypted persistent system. This project integrates many existing projects: Tor, Onioncat, GPG, LUKS, Git and others. Project of Andrew Cady, USA. ","title":"Samizdat","url":"https://nlnet.nl/project/samizdat/"},{"description":" Sabayon creating a fast binary package manager using relational databases Sabayon is a free, open source, GNU/Linux distribution aimed to compete with Ubuntu in terms of hardware support, features and packages availability. The aim is to create an unprecedented smart package manager. 
The challenge is creating a fast binary package manager (using relational databases), with strong AI (allowing just 2/3 developers to maintain about 12000 packages), able to solve most of the user-side issues automatically (such as API/ABI breakages, missing libraries, database corruptions, automatic kernel dependencies for external drivers, inverse dependencies), able to provide users a web2.0-alike experience by allowing them to share, extend, manipulate any content connected to packages (like screenshots, URLs, images, videos, rankings) directly from their system, able to provide a transparent client/server infrastructure to remotely manage infinite Sabayon installations, able to provide hot packaging formats, like Smart Packages (multiple packages packaged into one) and Smart Applications (unpack & run applications). All this while keeping a complete Portage compatibility and cooperating tightly with Gentoo Linux developers in bug hunting and feature proposals. The project's own website: http://www.sabayonlinux.org ","title":"Sabayon","url":"https://nlnet.nl/project/sabayon/"},{"url":"https://nlnet.nl/project/s6-rc/","title":"s6-rc","description":" s6-rc Service manager for s6-based systems The s6-rc service manager, part of the s6 ecosystem, is a correct and efficient alternative to software managing boot scripts like sysv-rc or OpenRC: it provides a bootability guarantee, a reliable logging infrastructure, parallel service start without race conditions, and the lowest resource usage of all existing service managers (which means it is very fast and will run on the smallest systems). However, it is not yet adopted by many Linux distributions, for lack of a high-level user interface and pre-provided boot scripts. 
We are adding these features to s6-rc so it can be easily integrated to more distributions currently relying on OpenRC, such as Alpine Linux, and also targeted as a backend for service description languages for use with automatic deployment to containers, VMs, clusters, or embedded systems. The goal is to make s6-rc an accessible and widely known service management alternative for fast, reliable and energy-friendly system deployment. The project's own website: https://skarnet.org/software/s6-rc/ This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"url":"https://nlnet.nl/project/rust-query/","title":"rust-query","description":" rust-query Ergonomic API to write composable and nested relational queries The 'rust-query' library provides an API for the Rust programming language, to work with SQLite databases and build composable database queries with confidence. While the library already has many innovative features, it still lacks some of the essential features that are required for most applications. That is why this project adds support for booleans and datetimes in the schema (using check-constraints), more SQL operators, and custom non-unique indices. We will also improve developer experience with a guide, better error messages, and support for using rust-query with existing migration systems. The project's own website: https://github.com/LHolten/rust-query This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. 
Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"description":" rrdnsd DNS based load balancing and high availability rrdnsd implements DNS-based load balancing and failover in order to increase the reliability of geographically-distributed Internet services. It is designed to both scale up to managing hundreds of services but also scale down to small scale deployments. Written in Rust, it prioritizes resilience, ease of deployment and hands-off maintenance - without depending on 3rd-party services. It provides distributed connectivity monitoring using a quorum protocol. This allows detecting partial network outages without causing false positive alarms. The project's own website: https://rrdnsd.eu This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","url":"https://nlnet.nl/project/rrdnsd/","title":"rrdnsd"},{"description":" RPKI-RTRlib RPKI/RTRlib The Resource Public Key Infrastructure (RPKI) is a component of secure interdomain routing and has recently been standardized in the IETF SIDR group (RFCs 6810/6811). RPKI is currently being rolled out, and is a significant and necessary step towards fully protecting BGP. However, the mechanism does incur additional load at BGP routers. In order to reduce that load, RPKI objects can be fetched and cryptographically validated by cache servers. The RPKI/RTR protocol defines a standard mechanism to maintain the exchange of valid RPKI data between cache server and router. 
RTRlib is one of the two open source reference implementations of RTR, originally created by researchers from the Computer Systems & Telematics group at Freie Universität Berlin and researchers from the INET research group at Hamburg University of Applied Sciences, under the supervision of dr. Matthias Wählisch and Thomas Schmidt. The RTRlib is a real-time capable, open-source (MIT licensed) C library that implements the RPKI router part. Basically, it fetches data from an RPKI cache server and allows for prefix origin validation as well as initial steps of BGP path validation (draft 6810bis). The RTRlib can serve as the backend for BGP daemons and monitoring tools in real-world operations, as well as user guidance. The project's own website: http://rpki.realmv6.org/ The project has a public mailing list and forum: https://groups.google.com/d/forum/rtrlib rtrlib@googlegroups.com The RTRlib grants an easy and highly efficient access to cryptographically valid RPKI data without relying on a specific cache server or RPKI validator implementation. The RTRlib is useful for developers of routing software but also for network operators. Developers can integrate the RTRlib into BGP daemons to extend their implementation towards RPKI. Network operators may use the RTRlib to develop monitoring tools (e.g., to evaluate the performance of caches or to validate BGP data). Extensions like the RPKI browser plugin show prefix validation results to end users, allowing them to actually check for routing anomalies as they browse. The project will further advance and mature this software, and integrate and disseminate the solution - actively promoting its adoption by the wider internet community through e.g. a workshop held at IETF 95 in Berlin. 
link-lab ","url":"https://nlnet.nl/project/rpki-rtrlib/","title":"RPKI-RTRlib"},{"title":"RFID Guardian(2)","url":"https://nlnet.nl/project/rfid-guardian2/","description":" RFID Guardian(2) unified platform for RFID security and privacy administration The RFID Guardian is a battery-powered device that represents the first-ever unified platform for RFID security and privacy administration. The RFID Guardian acts as an 'RFID Firewall', enabling individuals to monitor and control access to their RFID tags by combining a standard-issue RFID reader with unique RFID tag emulation capabilities. Additionally, the RFID Guardian is useful as an RFID security diagnostic and auditing tool. The RFID Guardian Project is focused upon providing security and privacy in Radio Frequency Identification (RFID) systems. The goals of the project are to: Investigate the security and privacy threats faced by RFID systems Design and implement real solutions against these threats Investigate the associated technological and legal issues The project's own website: http://rfidguardian.org "},{"description":" RFID Guardian hardware prototyping of a mobile device for personal RFID security and privacy management. This Project intends to accelerate hardware prototyping of the RFID Guardian Project. All people getting in touch with the RFID technology, i.e. buyers and users of virtually any goods sold, shall have means to manage the information which is sampled and uncontrollably transmitted by the RFID chips. The RFID Guardian is a battery-powered device that represents the first-ever unified platform for RFID security and privacy administration. The RFID Guardian acts as an \"RFID Firewall\", enabling individuals to monitor and control access to their RFID tags by combining a standard-issue RFID reader with unique RFID tag emulation capabilities. Additionally, the RFID Guardian is useful as an RFID security diagnostic and auditing tool. 
This \"RFID Guardian Quick Start Action\" project is intended to bootstrap the larger RFID Guardian project. It is also intended to place the Quick Start Action in a larger context, thereby helping to transform the concept of the RFID Guardian into a commercial open-source hardware product. The project's own website: http://www.rfidguardian.org ","title":"RFID Guardian","url":"https://nlnet.nl/project/rfid-guardian/"},{"description":" ReX international exchange of scholars for software projects The ReX program aims at improving collaboration between research institutions working on computer software projects, especially those involving networking technology. Collaboration is improved by exchanging complementary research knowledge, and facilitated by a grants program covering costs of travel and temporary work abroad. USENIX runs various other grant programs which are primarily directed at students. ReX's primary goal is research exchange, and ReX attempts to achieve this by exchanging researchers (which may include students) between institutions. The project's own website: /project/rex/description/ Submit a ReX proposal Exchange between Lund (Sweden) and ISI (India) to develop a software oriented stream cipher for secure communication over networks. Research exchange between the University of Pennsylvania (USA) and Leiden Institute of Advanced Computer Science (The Netherlands) to jointly develop a prototype for an extensible packet monitor based on Intel's IXP1200 network processor. Research exchange between the University of Cambridge (UK) and Tilburg University (The Netherlands) on the automatic construction of electronic dictionaries for use in text mining and related applications using memory-based learning techniques. 
Research exchange between the Universita' dell'Aquila (Italy), and the University of Colorado in Boulder (USA) for the development of novel wireless applications that leverage the Internet-scale publish/subscribe middleware framework of Siena. Research exchange between Delft University of Technology and the Berkeley Wireless Research Center to develop distributed localization algorithms for wireless sensor networks. Research exchange between the Vrije Universiteit Amsterdam (The Netherlands) and CAIDA in San Diego (USA) on enhancing and developing tools for measuring Internet traffic in order to obtain better insight in the physical organization of the network. Exchange between the Vrije Universiteit Amsterdam (The Netherlands) and the University of Colorado (USA) to join efforts on the Globe Research project, in particular on the location service portion of Globe. ","title":"ReX","url":"https://nlnet.nl/project/rex/"},{"description":" ReX international exchange of scholars for software projects ReX is a joint effort of USENIX and the NLnet Foundation. At the moment, no new proposals are being accepted because USENIX has to reconsider its participation pending its financial reorganization. ","title":"ReX","url":"https://nlnet.nl/project/rex/how.html"},{"description":"","title":"Research EXchange (ReX)","url":"https://nlnet.nl/project/rex/description/"},{"title":"ReX","url":"https://nlnet.nl/project/rex/description.html","description":" ReX international exchange of scholars for software projects The USENIX Association of Berkeley, California, and Stichting NLnet of the Netherlands formed a joint grant program, ReX (Research Exchange), aimed at facilitating the exchange of scholars among research institutions working on computer software projects, especially those involving networking technology. 
"},{"title":"reqwest","url":"https://nlnet.nl/project/reqwest/","description":" reqwest Memory safe HTTP client reqwest is the de-facto HTTP client for the Rust language, with batteries-included. In this project we will make many of its powerful features composable and reusable outside of reqwest. This includes converting its connection pool, proxying and redirection into middleware, and improving integration with existing middleware, such as retries. This ultimately enables two groups of people: those who want to use only the parts of reqwest they need, and those who want to use all of reqwest while inserting new middleware or customizing its default \"stack\". The project's own website: https://github.com/seanmonstar/reqwest This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"title":"Reproducible Builds","url":"https://nlnet.nl/project/reproduciblebuilds/","description":" Reproducible Builds Make the build processes behind software distributions reproducible This project is archived. Due to circumstances, the project as planned did not take place. This page is left as a placeholder, for transparency reasons and to perhaps inspire others to take up this work. Reproducible builds are a set of software development practices that create an independently-verifiable path from source to binary code. The project's own website: https://Reproducible-Builds.org Why does this actually matter to end users? Whilst anyone can inspect the source code of free and open source software for malicious flaws, most software is distributed pre-compiled with no method to confirm whether they correspond. 
This incentivises attacks on developers who release software, not only via traditional exploitation, but also in the forms of political influence, blackmail or even threats of violence. This is particularly a concern for developers collaborating on privacy or security software: attacking these typically results in compromising particularly politically-sensitive targets such as dissidents, journalists and whistleblowers, as well as anyone wishing to communicate securely under a repressive regime. Whilst individual developers are a natural target, it additionally encourages attacks on build infrastructure as a successful attack would provide access to a large number of downstream computer systems. By modifying the generated binaries here instead of modifying the upstream source code, illicit changes are essentially invisible to its original authors and users alike. The motivation behind the Reproducible Builds project is therefore to allow verification that no vulnerabilities or backdoors have been introduced during this compilation process. By promising identical results are always generated from a given source, this allows multiple third parties to come to a consensus on a “correct” result, highlighting any deviations as suspect and worthy of scrutiny. This ability to notice if a developer has been compromised then deters such threats or attacks occurring in the first place as any compromise would be quickly detected. This offers comfort to front-liners that they not only can be threatened, but they would not be coerced into exploiting or exposing their colleagues or end-users. This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. 
"},{"title":"Remote PKCS#11","url":"https://nlnet.nl/project/remotePKCS11/","description":" Remote PKCS#11 Remote usage of PKCS#11 Setting up an encrypted connection across the internet requires establishing trust between the two endpoints. There are multiple ways, one of which is the use of asymmetric keys. However, in many cases there will not be a suitable hardware crypto device available - and storing crypto credentials in userspace on lots of insecure devices (such as mobile phones) is quite risky. Managing and auditing usage of those credentials in such a case is a problem. The project entails two innovative ideas to isolate and organise credentials: \"Hosted PKCS#11\" which allows users to use a trusted remote crypto store instead of a local store (which is of course much easier to audit, assuming that the back end system on which the keys are stored is professionally managed by someone trustworthy), and \"Layered PKCS #11\" which can downgrade or upgrade identities to roles, groups and other attributes of a user (such as \"age\"). The project's own website: https://github.com/vanrein/quick-der/blob/master/arpa2/RemotePKCS11.asn1 This project was funded through the Internet Hardening Fund, a fund established by NLnet with financial support from the Netherlands Ministry of Economic Affairs and Climate Policy. "},{"title":"Modular CA","url":"https://nlnet.nl/project/redwax/","description":" Modular CA Modular infrastructure for building secure internet services The Redwax Project provides a number of small and modular security tools to make it easy to build security services on the web. These can be combined to form various types of certificate authorities, issuing certificates with SPKAC and SCEP, servicing certificate revocation with CRLs and OCSP, and creating timestamps. The aim of the project is to keep the security footprint and the number of dependencies as low as possible. 
The project's own website: https://redwax.eu Why does this actually matter to end users? The internet is becoming core to our society; from providing a place for democratic discourse to healthcare to finance and personal communication. The internet was not designed as a public infrastructure and most of the engineering trade-offs of the lower-layer technologies have generally erred on the side of accommodating fast growth and ease rather than values such as security, confidentiality and privacy. Therefore, this project is aimed to decentralise trust management so that the values security, confidentiality and privacy can be upheld in public infrastructure and private interactions. We will strengthen the existing technologies and infrastructure by providing a modular and practical set of tools to manage public key based trust infrastructures as currently used. These tools capture and hard code a lot of industry best practice and specialist PKI knowledge so that they can be put into the hands of a much wider community than currently served by a few specialist industries. The Redwax Project provides a number of small and modular security tools to make it easy to build security services on the web. These can be combined to form various types of certificate authorities, issuing certificates with SPKAC and SCEP, servicing certificate revocation with CRLs and OCSP, and creating timestamps. The project strives to keep the security footprint and the number of dependencies as low as possible. More about the Redwax Programme at The Commons Conservancy: https://www.commonsconservancy.org This project was funded through the Internet Hardening Fund, a fund established by NLnet with financial support from the Netherlands Ministry of Economic Affairs and Climate Policy. "},{"description":" realXtend realXtend communications based on Telepathy realXtend is an open source project for creating a platform for interconnected virtual worlds. 
Virtual worlds excel at interpersonal communication and the component that enables textual and voice communications is a vital part of the system. This is exactly where NLnet's contribution will be used for development of the communications component for the realXtend platform. This will be done based on the Telepathy framework. The intention is to start working on a voice over IP component and provide a version with basic functionality by Christmas 2009. The project's own website: http://www.realxtend.org ","url":"https://nlnet.nl/project/realxtend/","title":"realXtend"},{"description":" raylib Project creator/builder + feature development for raylib graphics library raylib is a C library intended for creating high-performance graphics applications. It was originally created for education with a focus on simplicity, not only on its exposed API but also on its open source code architecture and its build system. In 12 years raylib has gone well beyond education to many other fields and today it's being used for videogames development, tools development, data visualization, graphics programming, academic research, embedded devices and, in general, for low-level graphics output in any kind of display. raylib has bindings for 50+ programming languages and a very strong community and ecosystem have been created around it. Future plans for raylib include multiple modules improvements, with a new software backend to support GPU-less computers, with a focus on RISC-V powered devices; improved high-DPI support and skeletal animation system for 3d models; full collection of examples review (150+ examples) with the addition of new ones; new support tooling to ease raylib usage and setup: raylib project creator and raylib project builder; and multiple actions to increase raylib visibility and users reach. 
The project's own website: https://www.raylib.com This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/raylib/","title":"raylib"},{"description":" RaptorJIT RaptorJIT is a high-performance Lua virtual machine for network dataplanes. RaptorJIT is a fork of LuaJIT focused on predictably high performance. RaptorJIT takes a quantitative approach to performance. The value of an optimization must be demonstrated with a reproducible benchmark. Optimizations that are not demonstrably beneficial on recent CPU generations are removed. RaptorJIT was initially developed by the team behind Snabb Switch. The project's own website: https://github.com/raptorjit/raptorjit In network dataplanes performance needs to be predictable, which brings new requirements: Minimizing the performance impact of non-deterministic JIT decisions. Providing an accurate mental model of how the JIT works and which programming techniques are effective. Providing diagnostic tools (Studio) consistent with this mental model to make the actual operation transparent. Making profiling completely ubiquitous in development, testing, and production environments. The development process has to support moving quickly in these directions: Quality assurance based on repeatable standard benchmarks executed by CI. Streamlined codebase: x86-64 architecture, 64-bit heap (GC64), \"no #ifdef.\" Distributed development (\"Linux-style\") with many maintainers, forks, and merges. Once these requirements have been thoroughly satisfied then new requirements can be introduced. For example, ARM64 and other platforms can be supported as the project matures. 
","title":"RaptorJIT","url":"https://nlnet.nl/project/raptorjit/"},{"title":"Support for OpenPGP v6 in rPGP","url":"https://nlnet.nl/project/rPGP-cryptorefresh/","description":" Support for OpenPGP v6 in rPGP Implement draft-ietf-openpgp-crypto-refresh in rPGP rPGP is a high-quality implementation of OpenPGP in pure Rust (OpenPGP is a standard for encryption, digital signatures and key management). rPGP is used in production in different contexts, among them the popular \"Delta Chat\" decentralized and secure messenger that is used by hundreds of thousands of users, worldwide. The OpenPGP standard has recently been revised to reflect current best cryptographic practices. The revision of the standard defines \"OpenPGP version 6\" and is currently being finalized  for publication as RFC 9580. This project will implement the new formats and features of OpenPGP v6 for rPGP. This will bring the new features of OpenPGP v6 to users of rPGP, and ensures future interoperability with all other modern OpenPGP implementations. The project's own website: https://github.com/rpgp/rpgp/ This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"url":"https://nlnet.nl/project/qubes/","title":"Qubes","description":" Qubes A reasonably secure operating system Qubes OS is a security-oriented operating system (OS). Qubes is free and open-source software (FOSS). This means that everyone is free to use, copy, and change the software in any way. It also means that the source code is openly available so others can contribute to and audit it. The project's own website: https://www.qubes-os.org/ Most people use an operating system like Windows or OS X on their desktop and laptop computers. 
These OSes are popular because they tend to be easy to use and usually come pre-installed on the computers people buy. However, they present problems when it comes to security. For example, you might open an innocent-looking email attachment or website, not realizing that you’re actually allowing malware (malicious software) to run on your computer. Depending on what kind of malware it is, it might do anything from showing you unwanted advertisements to logging your keystrokes to taking over your entire computer. This could jeopardize all the information stored on or accessed by this computer, such as health records, confidential communications, or thoughts written in a private journal. Malware can also interfere with the activities you perform with your computer. For example, if you use your computer to conduct financial transactions, the malware might allow its creator to make fraudulent transactions in your name. Qubes takes an approach called security by compartmentalization, which allows you to compartmentalize the various parts of your digital life into securely isolated compartments called qubes. This approach allows you to keep the different things you do on your computer securely separated from each other in isolated qubes so that one qube getting compromised won’t affect the others. For example, you might have one qube for visiting untrusted websites and a different qube for doing online banking. This way, if your untrusted browsing qube gets compromised by a malware-laden website, your online banking activities won’t be at risk. Similarly, if you’re concerned about malicious email attachments, Qubes can make it so that every attachment gets opened in its own single-use disposable qube. In this way, Qubes allows you to do everything on the same physical computer without having to worry about a single successful cyberattack taking down your entire digital life in one fell swoop. More about Qubes OS team. 
"},{"description":" PurlValidator Check validity of software package identifiers online and offline Package-URL, or PURL, is the de-facto standard for identifying software packages, used by open source SCA tools, SBOM and VEX specs, and vulnerability databases. But using a standard syntax does not prevent errors: A recent (not yet published) study on the quality of software bill of materials (SBoM) revealed that far too often PURLs in SBOMs are still inconsistent, fake, incorrect, or misleading. This is a major impairment to any application of SBOMs, and industry-wide cybersecurity and application security. The PurlValidator project is a public service, based on PurlDB, to validate all the PURLs. An extension of the purl2all project, PurlValidator validates the PURL syntax against any known PURLs by exposing PurlDB's reference data of 20M+ PURLs. PurlValidator also provides decentralized libraries for offline use that can be integrated in multiple tech stacks for all major ecosystems, beyond what is already available for PURL tools. The goal of this project is to provide an accessible, single source of truth to the security and SBOM ecosystem at large and improve the quality and accuracy of PURLs in use, imperative for CRA compliance. The project's own website: https://aboutcode.org Run by AboutCode Europe ASBL This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). 
","url":"https://nlnet.nl/project/purlvalidator/","title":"PurlValidator"},{"description":" purl2sym FOSS code symbols indexing system Identifying corresponding source code compiled in natively compiled binaries is complex and important – only by knowing the code origin can one know if the code is subject to known vulnerabilities or licensing issues. In IoT and embedded devices, most of the code is composed of natively compiled binaries, with a significant Android-based ecosystem using Java with specific constraints: multiple programming languages (Java and Kotlin) and bytecode-compiled binaries. Many devices also embed secondary code (typically for admin and UI), such as Lua, JavaScript, Python, or PHP. To help with identification of binaries, it is important to aggregate collection of identifiers and symbols from FOSS code and index them to easily retrieve the data in efficient detection engines, based on automations and binary scanners. These symbols or identifiers are essential to software identification tools such as BANG that can match symbols in source and binaries and determine the corresponding source code for a given binary code input. purl2sym is a new data collection and indexing system to collect code symbols from FOSS source packages (and binaries in the future) and store them for reuse in other software analysis processes. The project's own website: https://www.aboutcode.org Run by AboutCode This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. 
","url":"https://nlnet.nl/project/purl2sym/","title":"purl2sym"},{"title":"purl2all","url":"https://nlnet.nl/project/purl2all/","description":" purl2all Discover metadata for software packages While we often simplify our mental model of the software supply chain by only looking at how source code is maintained and compiled with other source code into binaries which are distributed, in reality there are many more stakeholders that provide or curate information about software which is used by others as part of their decision process - and there are many supply chains concurrently, some of which are intertwined. The purl (package-url) initiative allows this information to be aggregated from all the different stakeholders in the software supply chains. The purl2all project aims to build a real-time, on-demand, decentralized and distributed knowledge base for all kinds of software packages metadata that can be used by other services that need the metadata; such as ScanCode, VulnerableCode, or any system, application or library using package-url (purl) as a way to identify packages and versions to lookup this data. The outcome will be a decentralized, on-demand software metadata collection system that will complement or replace centralized batch systems. The project's own website: https://www.aboutcode.org Run by AboutCode.org This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. "},{"url":"https://nlnet.nl/project/pulseaudio/","title":"PulseAudio","description":" PulseAudio PulseAudio echo cancellation The project aims to extend the PulseAudio sound server to support echo cancellation technologies needed to be able to do high quality VoIP conferencing. 
With the growing popularity of VoIP and videoconferencing, the issue of echo cancellation on the Linux desktop is growing in importance. The Linux audio layer has long been a struggling beast with a lot of competing solutions, all of them with their own set of flaws. Thanks to the increased resources put into the media layers by Linux distribution vendors, it seems that a combination of ALSA and PulseAudio is emerging as the standard sound system layer, with GStreamer being the de-facto application writers' interface. Therefore the natural place to put a system-wide echo cancellation would be in the PulseAudio sound server. Development tasks: Implement echo cancellation ALSA test application; Implement PulseAudio audio filter infrastructure; Implement echo cancellation for PulseAudio; Enable echo cancellation in Empathy Desktop linux Run by Collabora Multimedia. The project's own website: http://pulseaudio.org/ "},{"url":"https://nlnet.nl/project/proxyapp/","title":"Proxy App","description":" Proxy App Proxy appliance to utilize unused bandwidth networks The \"Generic Proxy Appliance\" project will develop and implement an (internet) proxy appliance helping to utilize unused bandwidth in (wireless) networks. A wireless community network, e.g. Wireless Leiden, can be used for various applications. First of all, it provides point-to-point communication between the users of the local network: between individual users (using P2P, VoIP or VPN) or the user and some service provider which is directly connected to the network. Secondly, the network can be used as a Last Mile for the Internet access for both mobile and 'fixed' users. With the current broadband services, there is unused bandwidth at any given moment in time. This project's goal is to develop an internet proxy appliance with additional features allowing to utilize unused bandwidth in (wireless) networks. 
The proxy appliance will use Wireless Leiden infrastructure as breeding place for the prototype implementation. "},{"description":" Project Unnamed Full-featured, libre FPGA compilation toolchain The project summary for this project is not yet available. Please come back soon! The project's own website: https://prjunnamed.org This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","title":"Project Unnamed","url":"https://nlnet.nl/project/prjunnamed/"},{"title":"Privacy Preserving Disease Tracking","url":"https://nlnet.nl/project/ppdt/","description":" Privacy Preserving Disease Tracking Research into contact tracing privacy In case of a pandemic, it makes sense to share data to track the spread of a virus like SARS-CoV2. However, that very same data when gathered in a crude way is potentially very invasive to privacy - and in politically less reliable environments can be used to map out the social graph of individuals and severely threaten civil rights, free press. Unless the whole process is transparent, people might not be easily convinced to collaborate. The PPDT project is trying to build a privacy preserving contact tracing mechanism that allows to notify users if they have come in contact with potentially infected people. This should happen in a way that is as privacy preserving as possible. We want to have the following properties: the users should be able to learn if they got in touch with infected parties, ideally only that - unless they opt in to share more information. The organisations operating servers should not learn anything besides who is infected, ideally not even that. 
The project builds a portable library that can be used across different mobile platforms, and a server component to aggregate data and send this back to the participants. The project's own website: https://github.com/degregat/ppdt Why does this actually matter to end users? The saying goes 'desperate times call for desperate measures', but when you really think about it that is not really the case. It makes much more sense to keep one's head cool, and start taking serious coordinated action with a longer term perspective. Both the SARS-CoV2 pandemic (aka COVID-19 or the Corona virus) and the measures to slow down the spread of the virus have a major impact on society. Unfortunately, a significant number of people have already lost their lives, and the healthcare sector is in parts of the world overheating. In fighting a disease like this, oversight is everything. The most drastic of measures - like an area lockdown - are extremely expensive and invasive. And not a lot is known about the actual propagation of the virus in the real world. When is it safe to let people shop? Or go to school? As a citizen, you might be on the one hand inclined to help out - as the virus can pop up anywhere next. These days there is quite some technology that could be put to good use: the smartphones we carry around are amazingly capable devices, and they pack many features such as sensors and antennas. By leveraging those, we can gather many valuable insights. Helping to gather this kind of data is probably something good for yourself, others and society at large. In Asia, where the current pandemic started, there have been good experiences with mobile apps that let citizens create a collective measuring system. But before we rush into installing these apps: that data can also be quite sensitive in terms of privacy, and in some parts of the world you might have to fear more for your work as a journalist, whistleblower or activist than for this virus. 
And of course, cybercriminals as well as state actors currently have a perfect pretext for manipulating people into doing things they will very much regret later - whether using the \"desperate times\" mantra or not. Fear is not the best counsel, and no doubt some of these malicious actors will have success. Again, let's keep our head cool and let's get technology in place to help move things forward while at the same time keeping us out of the clutches. The PPDT project set out to design a privacy preserving contact tracing mechanism for mobile apps for disease tracking. This would allow users to be notified if they have come in contact with potentially infected people, but would not leak other data such as who was where and met whom. It was meant for citizens first, while science and policy stand to benefit from the additional adoption that a carefully vetted, fully transparent and thus trustworthy open source solution brings. Note that after it became clear that there were a number of contact tracing apps in development the project steered towards consolidation of its efforts with others in the Temporary Contact Numbers Coalition: https://github.com/TCNCoalition/TCN This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. "},{"description":" postmarketOS An independent mobile operating system postmarketOS is a mobile phone operating system for phones (and other mobile devices), based on Alpine Linux. Just like desktop Linux distributions, we have a package manager and a carefully crafted repository of trustworthy and privacy focused free software that will actually serve the users and not exploit them for their data. 
By sharing as much code as possible between various phone models, postmarketOS scales well and it becomes feasible to maintain devices even after OEMs have abandoned them. The project's own website: https://postmarketos.org Why does this actually matter to end users? In the new mobile world we live in now, control as a user is limited to the very surface of things. Significant privacy and security issues start directly below that surface. You don't really know what the platform actually does while executing apps, and more importantly, who sees your data - or if you are a business, looks at the data of your customers. When you use one of the hundreds of thousands of existing apps and games, you only see the service they provide. But you can't inspect or even see what more they take. What does an app do exactly when you click on the pretty icon? This is very much unlike for instance interacting with a web page, which is fully transparent. As it turns out, mobile apps do lots of things users do not know about, and would not agree with if they did. In some cases literally hundreds of companies have been known to get access to data on the phone. A consumer-friendly platform should empower the user to notice and take action, or even make it technically impossible. However, the companies that produce the operating systems seem to have other interests. Have you ever wondered why everyone tells you your desktop computer needs a firewall and you are allowed full control to see everything happen? Now stop and think about why your cell phone does not have the very same level of firewall capabilities, but only very much simplified and less capable? So what can we as a society do in the face of such a complex situation of market failure, anti-competitive practices, perverse incentives and general confusion? How do we give control back to the users? How do we create equal opportunities for European phone manufacturers? 
How do we stop the unfair \"platform tax\" on app developers, stimulating employment and startups? One reasonable direction is to try and lay the ground work for creating viable alternative platforms. Such a fundamental approach is necessary in order to end these extractive practices and the resulting lack of consumer freedom. This project develops a mobile operating system independent of Android based on the widely popular and open source Linux-system, complete with trustworthy and privacy-focused free (as in freedom) software. Staying clear of device-specific software, postmarketOS gives meaning to its name by ensuring all mobile phones running this operating system can be updated until they physically break. Run by Postmarket OS This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. ","url":"https://nlnet.nl/project/postmarketOS/","title":"postmarketOS"},{"description":" postmarketOS daemons Add modern service daemons to postmarketOS postmarketOS keeps smartphones useful after they don't receive updates anymore: the original operating system gets replaced with an up-to-date lightweight open source software stack based on Alpine Linux. This project will add initial systemd support to postmarketOS, as well as making Pipewire the default audio server in postmarketOS. It will help switch the wifi backend to iwd by default, and design and prototype an immutable version of postmarketOS with an efficient A/B OTA mechanism with binary delta updates, and automatic rollback on failed updates. The project's own website: https://postmarketos.org Why does this actually matter to end users? Oftentimes people use postmarketOS to upcycle their old smartphones to small home servers (like Raspberry Pis). 
While still experimental, we also work towards enabling all typical smartphone features too so postmarketOS can fully replace the original operating system. Besides extending the lifetime of smartphones, in postmarketOS we value the user's privacy, security and in general control over their own device. Unlike current mainstream smartphone operating systems, it is not needed to register an account and get tracked to use the operating system. This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","url":"https://nlnet.nl/project/postmarketOS-daemons/","title":"postmarketOS daemons"},{"description":" postmarketOS v25.12 + v26.06 New versions of the mobile operating system postmarketOS postmarketOS keeps smartphones useful after they don't receive updates anymore: the original operating system gets replaced with an up-to-date lightweight open source software stack based on Alpine Linux. With Google's announcement to develop Android behind closed doors and the changing political landscape it is now more important than ever to fund truly open source smartphone operating systems that are developed in the open and independently of Silicon Valley. This project is for the v25.12 and v26.06 releases of postmarketOS, which will bring great improvements to reliability through more continuous testing and will also make the security feature of encrypting phones with postmarketOS easy to use. The project's own website: https://postmarketos.org Run by postmarketOS This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. 
Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/pmOS-25-26/","title":"postmarketOS v25.12 + v26.06"},{"description":" postmarketOS: v23.12 and v24.06 Releases New versions of the mobile operating system postmarketOS postmarketOS keeps smartphones useful after they don't receive updates anymore: the original operating system gets replaced with an up-to-date lightweight open source software stack based on Alpine Linux. Oftentimes people use postmarketOS to upcycle their old smartphones to small home servers (like Raspberry Pis). While still experimental, we also work towards enabling all typical smartphone features too so postmarketOS can fully replace the original operating system. Besides extending the lifetime of smartphones, in postmarketOS we value the user's privacy, security and in general control over their own device. Unlike current mainstream smartphone operating systems, it is not needed to register an account and get tracked to use the operating system. Creating new releases allows us to keep the software stack up-to-date, to integrate important fixes, features and in general to get closer to provide a full smartphone experience. The project's own website: https://postmarketos.org Run by postmarketOS This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","url":"https://nlnet.nl/project/pmOS-23-24/","title":"postmarketOS: v23.12 and v24.06 Releases"},{"description":" PKCS#11 v3 Contribute to standardisation of PKCS#11 for cryptographic tokens The project's own website: https://pitchfork.ist The PITCHFORK is a free/libre hardware device for compartmentalizing key material and cryptographic operations in a small and durable USB device. 
It uses a Cortex-M3 processor and stores all keys in the CPU's flash. The PITCHFORK has an embedded radio interface over which it can do secure key exchanges with other devices, including \"post-quantum\" cryptography. Over USB it can send and receive messages using various modern low-level crypto protocols providing different aspects of overall security. Stef Marsiske from the Pitchfork project team joined the OASIS PKCS #11 standards committee to make sure the intersection of PKCS #11 supported algorithms and Pitchfork algorithms is no longer empty. Pitchfork is supported by NLnet and the Internet Hardening Fund. ","title":"PKCS#11 v3","url":"https://nlnet.nl/project/pkcs11-3/"},{"title":"Pitchfork","url":"https://nlnet.nl/project/pitchfork/","description":" Pitchfork Open hardware for compartmentalizing key material and cryptographic operations The PITCHFORK is a free/libre hardware device for compartmentalizing key material and cryptographic operations in a small and durable USB device. It uses a minimalist Cortex-M3 processor and stores all keys in the CPU flash memory. The PITCHFORK has an embedded radio interface over which it can do secure key exchanges with other devices, including \"post-quantum\" cryptography. Over USB it can send and receive messages using various modern low-level crypto protocols, providing different aspects of overall security. The project's own website: https://pitchfork.ist Why does this actually matter to end users? As we store more of our lives in our computers, and make our businesses, public and private life dependent on technology, we need cryptography to protect ourselves. A mere password is not really enough, if you think about the billions of cameras that can capture you entering a password - from mobile phone to hidden CCTV - after which it is trivial to reconstruct it. Cryptography basically means using math complexity to keep others from looking at the digital things you care about. 
Cryptography works with digital \"keys\" that allow you to hide information in plain sight: the original bits are replaced by scrambled bits, which are meaningless unless you have the keys. If you choose your cryptographic methods wisely someone will have to spend an inordinate amount of time trying to recreate the unencrypted object - even if they have the most powerful computers on the planet working day and night. Once a computer device you own is compromised, any cryptographic material on the device itself becomes available to the attacker to gain access to wherever that material can give access to - making your secrets as safe as the devices you use. Obviously, in consumer devices like mobile phones or laptops that protection is often very limited indeed - and unfortunately stored in plain text. That means someone can just crack open the device (or sometimes just boot it in a different way) and bypass any protections and passwords on the device itself. Once someone takes out the keys, they gain access to any confidential data. And if they went about carefully, how would you know? In a PITCHFORK device, the cryptographic material your security depends on is stored in isolated hardware which has been especially designed for that task. Its sole purpose is to protect cryptographic key material, no matter how advanced the threats you are facing. It provides the safest possible key container, and gives full transparency and control. This project was funded through the Internet Hardening Fund, a fund established by NLnet with financial support from the Netherlands Ministry of Economic Affairs and Climate Policy. "},{"description":" Pitchfork PKCS#11 Contribute to OASIS standardisation PKCS#11 v3 PKCS #11 is the de facto standard for cryptographic tokens controlling authentication information (personal identity, cryptographic keys, certificates, digital signatures, biometric data). 
Due to the age of the standard, it was lacking a number of modern, so-called 'quantum-resistant' algorithms. This small project enables open source developers from the Pitchfork project to contribute a number of important algorithms to the OASIS PKCS #11 standards committee in time for the pending new version of PKCS #11. The PITCHFORK is a free/libre hardware device for compartmentalizing key material and cryptographic operations in a small and durable USB device. It uses a Cortex-M3 processor and stores all keys in the CPU's flash. The PITCHFORK has an embedded radio interface over which it can do secure key exchanges with other devices, including \"post-quantum\" cryptography. Over USB it can send and receive messages using various modern low-level crypto protocols providing different aspects of overall security. Stef Marsiske from the Pitchfork project team joined the OASIS PKCS #11 standards committee to make sure the intersection of PKCS#11 supported algorithms and Pitchfork algorithms is no longer empty. The project's own website: https://pitchfork.ist This project was funded through the Internet Hardening Fund, a fund established by NLnet with financial support from the Netherlands Ministry of Economic Affairs and Climate Policy. ","title":"Pitchfork PKCS#11","url":"https://nlnet.nl/project/pitchfork-pkcs/"},{"description":" pcb-rnd Modular printed circuit board editor Pcb-rnd is a modular printed circuit board editor that is designed with the UNIX mindset. It has a convenient GUI for editing the graphical data of the board but it also has a handy command line interface. Both the GUI and the CLI aspects are scriptable (in more than 10 scripting languages) and pcb-rnd can also process boards as a headless converter tool. It has support for various proprietary schematics/netlist and board formats which makes it also a good choice for converting free hardware designs coming in proprietary formats to free file formats. 
Among the upcoming challenges are a full rewrite of the Design Rule Checker, more file format support and making the menu system even more dynamic to match the modular nature of pcb-rnd better. The project's own website: http://repo.hu/projects/pcb-rnd/ Why does this actually matter to end users? Behind the screens of every mobile phone, laptop or tablet you will find essentially the same components that are produced by a small number of companies. Using patents and closed-off work methods these monopolists hold a firm grip on how essential technical building blocks of consumer electronics are actually made. Not only does this prevent innovation in the market, it also makes the devices that users, companies and governments across the world rely on for vital services and infrastructures essentially untrustworthy. If you cannot verify that the parts that make your device work are secure, can you really trust the device at all? One of the ways to break through this standstill, is to construct computer parts from the ground up and make your designs open for everyone to check and verify. Combine this open hardware with open source software and you have a device that, with the right knowledge and skills, is completely transparent and customizable. To create this open hardware, we need open design tools and file formats. This project will create open source tools to design and edit the most fundamental building blocks of almost all electronic devices: printed circuit boards. This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. 
","url":"https://nlnet.nl/project/pcb-rnd/","title":"pcb-rnd"},{"title":"Parselov","url":"https://nlnet.nl/project/parselov/","description":" Parselov Syntactic analysis of documents and protocol messages based on formal descriptions Parselov is a system for the syntactic analysis of documents and protocol messages based on formal descriptions, as well as the analysis and manipulation of such formal descriptions. It makes it easy to build parsers, validators, converters, test case generators, and other tools. It also explains the process of syntactic analysis slightly differently than usual, which has helped me tremendously to \"understand parsing\". At the heart of the system is a computer program that converts a formal grammar (the IETF standard \"ABNF\" is used as input for testing, but it is easy to support W3C's \"EBNF\" format and similar formats thanks to this system) into a graph and additionally computes all possible traversals of this graph. The result is stored in a simple JSON-based data format. The project's own website: https://github.com/hoehrmann/demo-parselov Parselov is intended for software developers and protocol and data format designers. While specifications from standards bodies such as W3C and IETF do contain detailed formal and computer-readable descriptions of data formats and protocols, it is tremendously difficult to make good use of them with existing tools. Parselov intends to change that. "},{"url":"https://nlnet.nl/project/parrot/","title":"Parrot","description":" Parrot virtual machine for scripting languages Parrot is a virtual machine (VM) designed to execute bytecode for interpreted languages efficiently. Many modern programming languages do not translate programs into machine native instructions, but produce some intermediate bytecode which needs be interpreted by a virtual machine when the program is run. Parrot will run the bytecode for the Perl 6 programming language, which is being developed. 
There is already a partial Perl 6 compiler which uses Parrot. But Parrot is also able to be the run-time environment for various other compilers, of which some already have demonstration implementations. Other famous virtual machines are JVM and .NET. These environments are not Open Source and not free of restrictions. They also both target only statically typed programming languages. As a result, they are not ideal environments for many popular (scripting) languages like Python, Ruby, and Perl. Parrot fills that gap. The project's own website: http://www.parrotcode.org 2005-12-02: Allison Randal details differences between Parrot and Java/.NET virtual machines in her journal. 2005-04-18: Press release: NLnet sponsors Parrot development. "},{"description":" Parrot virtual machine for scripting languages NLnet supports The Perl Foundation, which will contract the developers. Development on Parrot started in September 2001. A detailed status can be found in the mailing-list summaries. 2007-11-09: Status update: PDD24 (Events) and PDD26 (AST) completed. 2007-10-16: The impact of the development grant. 2007-09-18: Status update: PDD15 (Objects) and PDD17 (PMCs) completed. 2007-09-14: Status update: Parrot can bootstrap Perl 6. 2007-03-05: The IO PDD milestone is completed with the release of Parrot 0.4.8. Status report. 2005-04-19: General project plan for Parrot and Perl 6 development. .pdf (78 kB) ","url":"https://nlnet.nl/project/parrot/how.html","title":"Parrot"},{"title":"Parrot","url":"https://nlnet.nl/project/parrot/description.html","description":" Parrot virtual machine for scripting languages Development of Parrot Parrot is related to Perl 6, but it is not Perl 6. To find out what it actually is, we need to know a little about how Perl works. 
When you feed your program into perl, it is first compiled into an internal representation, or bytecode; then this bytecode is fed to an almost separate subsystem inside perl to be interpreted. So there are two distinct phases of perl's operation: compilation to bytecode, and interpretation of bytecode. This is not unique to Perl; other languages following this design include Python, Ruby, Tcl and, believe it or not, even Java. In previous versions of Perl, this arrangement has been pretty ad hoc: there hasn't been any overarching design to the interpreter or the compiler, and the interpreter has ended up being pretty reliant on certain features of the compiler. Nevertheless, the interpreter (some languages call it a Virtual Machine) can be thought of as a software CPU: the compiler produces \"machine code\" instructions for the virtual machine, which it then executes, much like a C compiler produces machine code to be run on a real CPU. Perl 6 plans to separate out the design of the compiler and the interpreter. This is why we've come up with a subproject, which we've called Parrot, which has a certain, limited amount of independence from Perl 6. Parrot is destined to be the Perl 6 Virtual Machine, the software CPU on which we will run Perl 6 bytecode. We're working on Parrot before we work on the Perl 6 compiler because it's much easier to write a compiler once you've got a target to compile to! The name \"Parrot\" was chosen after the 2001 April Fool's Joke which had Perl and Python collaborating on the next version of their interpreters. This is meant to reflect the idea that we'd eventually like other languages to use Parrot as their VM; in a sense, we'd like Parrot to become a \"common language runtime\" for dynamic languages. 
"},{"title":"Palea","url":"https://nlnet.nl/project/palea/","description":" Palea Finding unauthorized routes leaving your network Palea is a tool to help discover if devices on your (secured and firewalled) network are also unknowingly connected to unknown other networks that would facilitate attacks and information leaks to the outside. Such an unknown network could for instance be a known device on your trusted network that also has a USB dongle in it connected to the open internet over GSM/2G/3G/xG. By spoofing packets, Palea can be used to trick systems into exposing their connections to the internet. Palea can be run 24/7 on your network to also discover temporary connections. The project's own website: https://github.com/xychix/Palea-Express The project was created by idefense (NL). "},{"description":" p4-nix Combine Programming Protocol-independent Packet Processors language with declarative Nix packaging This project is aiming to democratize high capacity and high performance networking stacks by integrating the P4 DSL into Nix and making it easy to make an infrastructure relying on the technology by bringing up functional programming to the P4 world. Bringing P4 to Nix gives us amazing flexibility for dealing with network devices, making it easy to deploy, make artifacts, and so on, all the while exposing it to end-users who wouldn't necessarily know or use P4 otherwise. This also gives us the opportunity to look into automated deployment of hardware based networking devices, such as FPGA targets, directly from within Nix. The project's own website: https://nixos.org Run by newtype64 (https://newtype.fr) This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. 
","url":"https://nlnet.nl/project/p4-nix/","title":"p4-nix"},{"description":" p3pch4t Decentralized chat platform built on i2p P3pch4t is a decentralized chat platform built on i2p that aims to provide a feature-rich experience with huge privacy standards, so it will be easy for people to switch from well-known centralized/proprietary chat apps - such as Facebook Messenger, Telegram, Slack to one place that will have all features that user desire - including large file sharing, shared calendar, group chats, multiple devices and chat themes - all of that will come in a cross-platform app that will run on all major mobile and desktop platforms. Together with that, there will be a handful of libraries in different languages to interact with the network directly - to ensure that it is easy for other developers to extend the p3pch4t ecosystem, and to ensure that the standard for communication is well defined. The project's own website: https://github.com/MrCyjaneK/p3pch4t This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","title":"p3pch4t","url":"https://nlnet.nl/project/p3pch4t/"},{"url":"https://nlnet.nl/project/p2panda-systemservice/","title":"p2panda System Service","description":" p2panda System Service Real-time collaboration, private sharing and unified local storage of desktop apps p2panda provides modular components for building modern, privacy-respecting and secure local-first applications. Our goal for the System Service Project is to help GTK and GNOME developers build apps that store data locally, share it privately across devices, and support collaboration — all without requiring an internet connection. 
For this grant we’re planning to integrate the p2panda stack into a shared system layer that multiple apps can reuse, simplifying development and moving towards a modern, local-first GNOME desktop. The system service will allow automatic, peer-to-peer synchronisation of data in the background and will expose a general sync API via an XDG Desktop Portal. The project's own website: https://p2panda.org Run by p2panda This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"description":" OV-Chipkaart privacy friendly chip card for public transport This project is about the OV-chipkaart, a single national chipcard for all public transport in the Netherlands, which is similar to London's Oyster card or Hong Kong's Octopus card. It is a proprietary solution being introduced by Trans Link Systems (TLS), a consortium of public transport companies. Currently the OV-chipkaart is being tested in practice in and around Rotterdam and Amsterdam. National introduction has been postponed a couple of times, but is now foreseen in 2009. In early 2008 the OV-chipkaart came under heavy attack because of both security and privacy concerns: Individual travel movements are collected centrally and will be used for direct marketing purposes. The Dutch Data Protection Authority (College Bescherming Persoonsgegevens, CBP) has therefore described the approach as: not in accordance with the law (CBP report). The cryptographic protection in the Mifare Classic chipcard, used in the personalised cards, is broken. The throw-away cards have been cloned, enabling free travel. 
Very little is known about how the system actually works, and about how (private) data are protected. The aims for this project are twofold: On the one hand, to concentrate documenting of the current OV-chipkaart system, make a public repository of knowledge. Factual information about the design, strengths and weaknesses of the current system; an explanation of all the things that were in the news since roughly January 2008. On the other hand, experiment with the card in order to transparently develop a new system from scratch in which RFID technology is used for ticketing in public transport. Using an open design process, the design criteria and the quality of the solutions can be evaluated by a broad audience, including scientists, hackers, but of course also stakeholders such as transport companies. This process may eventually result in an open standard. The project's own website: https://ovchip.cs.ru.nl ","title":"OV-Chipkaart","url":"https://nlnet.nl/project/ov-chip/"},{"url":"https://nlnet.nl/project/osn-ppcp/","title":"OSN-PPCP","description":" OSN-PPCP Privacy-Preserving Communication Protocol for OSNs Today online social networks (OSNs) have become an indispensable platform for internet users to find friendship and share information. However, users are pretty much electronically naked in any OSN: (1) User’s data is in clear to the OSN service provider, and can be accessed by many other parties without any consent; (2) User’s activities are under surveillance by the OSN service provider. Numerous privacy breaches have been reported, often with disastrous consequences to the user concerned, such as getting fired by the employer, getting rejected from a job application, even leading to suicide. To mitigate the problem, most OSN service providers provide some privacy controls to users to protect their information. However, this is not the antidote and will never be, because the aforementioned problems (1) and (2) still remain. 
This project will design and implement a privacy-preserving communication protocol to mitigate the problems (1) and (2). In more detail, it will achieve the following features: A user always keeps his private data in encrypted form. Two users can match each other based on their respective private data sets, without revealing anything. Two friends who share some common private data communicate in private. The communication will remain private against the OSN service provider and other users. The implementation will be based on the OpenSocial API, and programmed in JavaScript. The final form of the implementation will be a browser plug-in, for example for Firefox. "},{"title":"OSLD","url":"https://nlnet.nl/project/osld/","description":" OSLD Open-Source LTE Deployment (OSLD) Wireless communication technology is mostly proprietary, even though we use it every day. The mission of the Open-Source LTE Deployment (OSLD) project is promoting open-source radios, to get more people involved in developing software to create modern wireless communications systems. The project will develop an open-source LTE (Long Term Evolution, a 4G radio standard) library and tools for building sophisticated radios at low cost. LTE provides bandwidth on demand for different speeds, thereby improving the quality of service to people on the move. Available LTE processing chains are either proprietary or unsuitable for commercial products. This project will therefore use the open-source SDR framework ALOE. The primary objective of this OSLD project is promoting open-source SDRs and shared development of software for wireless communications systems. Specifically, the project will develop a modular LTE library for mobile terminals and base stations as well as improve the accessibility of ALOE for building sophisticated radio systems at low cost. 
Both, ALOE and the open-source LTE library, will leverage open-source R&D, complement university labs, facilitate and encourage shared development, and be a solid basis for innovation and commercialization. The expected project products are: modular, open-source LTE library for building base stations and mobile terminals on a cluster of general-purpose processors, new ALOE release and improved accessibility for shared development, user guides, installation manuals, frequently asked questions, renewed FlexNets web site containing OSLD section, virtual support office, collaborations, and commercial interest for ALOE and LTE library. The project's own website: http://flexnets.upc.edu/trac/ "},{"description":" Michael Baentsch - oqsprovider Post-quantum/quantum-safe cryptographic algorithms for OpenSSL Software engineering, protocols, cryptography Can you introduce yourself and your project? My name is Michael Baentsch; I'm a computer scientist by training and free-lance security software engineer by conviction working on open-source applications and integrations of cryptography. I've been contributing to the Open Quantum Safe (OQS) project for several years, including to a bespoke fork of the OpenSSL project that added quantum-safe crypto to OpenSSL for users to easily deploy \"post quantum\" OQS software via the well-known OpenSSL interfaces. At the start of 2021 I began work on an all-new provider, a plug-in feature available since OpenSSLv3 allowing the introduction of cryptographic algorithms via a simple binary extension. The result of this work named oqsprovider now allows seamless integration of all kinds of quantum-safe cryptography into any current deployments of OpenSSL (v3.x). This way, classic cryptographic algorithms in danger of being broken by the advent of quantum computers, such as RSA or EC, can be augmented or replaced by any of the \"post-quantum\" algorithms in standardization by NIST, such as ML-KEM and ML-DSA. 
What are the key issues you see with the state of the internet today? There are many problems with the way the internet is being used today, but I'd like to focus on the area of particular interest to me, namely the deployment of cryptographic technology in the internet: One big challenge I see in this space is that there are two broad \"tribes\" of people working in the space with a similar interest, but with what I perceive a sometimes imperfect mode of cooperation: One is the integrators or users of cryptography and the other being \"hard-core cryptographers\". The former sometimes don't know how to securely apply cryptographic technology while many of the latter don't thoroughly care about practical applications of their \"pure mathematics\". The result in some cases are either overly complicated-to-use crypto applications or in the worst case, insecure ones or even ones where no-one is aware of cryptography being used at all. How does your project contribute to correcting some of those issues? The oqsprovider aims to be a technological bridge for one particular problem area in this space, namely the integration of post-quantum cryptography into the TLS and X.509 internet standard protocols with minimum change/introduction of new risks at maximum ease of use. Due to the prevalence of OpenSSL implementing these standards in many core internet software components, such as nginx, curl or https, this work percolates to many essential open source internet \"backbone\" software components without cryptographers having to \"dirty their hands\" with \"productive code\" all the while the integrators and users don't really have to do more than activate oqsprovider to gain protection from the (still theoretical) risks of (future) quantum computers by way of a library (liboqs) maintained by cryptographers. What do you like most about (working on) your project? 
The most interesting part is making the software \"vanish\", i.e., become as simple to use such as for people to ultimately not notice it (\"just works\"). This requires sometimes minute, sometimes more drastic changes to the oqsprovider software itself but also to up- and downstream projects. As particularly the latter are sometimes large software stacks, finding the most elegant way to \"sneak in\" oqsprovider is a bit of a good riddle to solve. This typically requires the interaction with the true specialists of those packages: Getting to know them and working with them is always rewarding. Where will you take your project next? This really is no longer in my hands: Earlier this year, control of the project has been taken over by PQCA, a mostly US-corporate-driven, Linux-Foundation umbrella project. On the one hand, this can be seen as a sign of success and goodness as it may mean more rigour, more uptake and more contributions by more people. On the other hand, standard, \"large-project\" process and procedures are now constantly getting introduced that make contributions more cumbersome. My current hope indeed is that new people will join the project and alleviate me of these burdens -- particularly that of being sole maintainer. How did NGI Assure help you reach your goals for your project? NGI Assure was willing to fund part of my work on this project that otherwise was done entirely on a voluntary basis, driven by my personal interest to strengthen the open source community in general and OpenSSL in particular. Second, it also helped fund a third party that gave this code a glance over to straighten out coding practices in need of improvement, i.e., a \"code review\": This was pretty helpful to improve this code base and make it more reliable. Do you have advice for people who are considering to apply for NGI funding? In a nutshell: \"Don't be shy\". 
I never assumed there is a chance for a single person's vision to be supported by an external funding entity, but NGI Assure made this possible. Do you have any recommendations to improve future NGI programmes or the wider NGI initiative? As this has been an incredibly smooth and easy experience for me, my only recommendation is to make yourself more widely known in the open source community as a truly independent, non-political, non-commercial funding alternative for sensible new software. The processes and procedures as executed by NLnet and NGI are a breeze, truly supportive and easy-to-navigate for people valuing writing software code more than writing reports. Anything else you would like to add? Nothing, really: Thanks to NGI Assure and NLnet! Please help more folks and projects! Acknowledgements Image: courtesy of Michael Baentsch. Published on September 4, 2024 oqsprovider received funding through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. 
","title":"Michael Baentsch - oqsprovider","url":"https://nlnet.nl/project/oqsprovider/interview.html"},{"description":" oqsprovider Post-quantum/quantum-safe cryptographic algorithms for OpenSSL Quantum computers will bring to an end integrity and confidentiality provided by \"classic\" public key cryptography such as RSA and implemented in security application frameworks such as OpenSSL. Therefore, a new class of \"post-quantum\" or quantum safe crypto algorithms (QSC) is being standardized by NIST. In order to bring QSC to easy deployment, these algorithms need to be added to existing security installations: oqs-provider is a standalone integration of QSC into the OpenSSL software framework. By simply inserting an oqs-provider binary, any OpenSSL installation as well as all applications built on top of OpenSSL permitting crypto-providers is (to be) automatically enabled to use any QSC algorithm supported by the liboqs open source framework. liboqs in turn provides the QSC algorithms that are either finalists or candidates of the NIST Post-Quantum Cryptography standardization competition. This way, users of oqs-provider-enabled OpenSSL installations can cease to be concerned about the risk that quantum computers create. The Open Source communities working on OpenSSL and OpenQuantumSafe can benefit in turn from mutual validation and re-use of their respective work efforts. The project's own website: https://openquantumsafe.org This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. 
","title":"oqsprovider","url":"https://nlnet.nl/project/oqsprovider/"},{"description":" OpenStreetMapNL maintenance software for OpenStreetMap Nederland The geodata landscape is changing. Government data is becoming more and more freely available. Major map suppliers TeleAtlas and Navteq are losing their independent position through acquisition by TomTom and Nokia respectively. At the same time, the importance of the 'Geographic Web' keeps growing, and users of geographic information are no longer content with a passive user role. The commercial suppliers are recalibrating their strategy in order to get a share of 'user generated content'. In this changing landscape OpenStreetMap is increasingly a factor to be reckoned with, in particular in the Netherlands. As an independent source of a high-quality, nationwide, complete and moreover freely usable geodataset of the Netherlands, OpenStreetMap is claiming a clear place. That will not go unnoticed. There will be more end users. More companies will become interested in using OpenStreetMap data in their systems, websites and applications. New applications will see the light of day. More donations of geographic data may follow. This project is specifically aimed at: Developing systems for backups, rollback capabilities, flagging changes and assigning levels of trust linked to contributors and their changes. Developing a lightweight mobile editor to make it possible to check and edit the OpenStreetMap data directly 'in the field'. Developing a more accessible interface for submitting simple changes by 'laypeople'. 
The project's own website: http://www.openstreetmap.nl ","title":"OpenStreetMapNL","url":"https://nlnet.nl/project/openstreetnl/"},{"description":" openMSRP(3) GUI for the open source SIP SIMPLE client This project will implement the Graphical User Interface (GUI) for the open source SIP SIMPLE client. This is Phase 2 of the work started earlier on the SIP client for IM, Presence and File transfer based on the MSRP protocol. Once completed, the project will provide the source code and binary installation packages for Linux, Microsoft Windows and MacOSX operating systems. The packages will provide a fully featured graphical client for Voice, IM and Presence based on the SIP protocol. The project's own website: http://www.msrprelay.org/ ","title":"openMSRP(3)","url":"https://nlnet.nl/project/openmsrp3/"},{"description":" openMSRP(2) multi-party Instant Message server based on MSRP This project aims to implement an open source MSRP multi-party IM chat server that works seamlessly with the MSRP relay implementation, already under development. The project's own website: http://www.msrprelay.org The MSRP protocol (draft-ietf-simple-message-sessions) is a work item of the SIP SIMPLE (SIP for Instant Messaging and Presence Leveraging Extensions) Working Group of the IETF, currently in the RFC queue (approved standard). At the moment, SIP SIMPLE lacks Open Source implementations, which hinders its adoption. One major component of the SIP SIMPLE framework is MSRP (The Message Session Relay Protocol) which implements session based Interactive Messaging, file transfers, and other media sharing between SIP devices. 
A complete MSRP suite consists of the following three components: Multi-party Instant Message (IM) server (this project) MSRP relay (under development) MSRP client (future development) The Multi-party Instant Message Sessions MSRP MSRP (IETF specification) defines a mechanism for sending instant messages within a peer-to-peer session, negotiated using the Session Initiation Protocol (SIP) and the Session Description Protocol (SDP). This document defines the necessary tools for establishing multi-party instant messaging (IM) sessions, or chat rooms, with MSRP. The Message Session Relay Protocol (MSRP) (IETF specification) defines a mechanism for sending a series of instant messages within a session. The Session Initiation Protocol (SIP) [RFC3261] in combination with the Session Description Protocol (SDP) [RFC3264] allows for two peers to establish and manage such sessions. In another application of SIP, a user agent can join in a multi-party session or conference that is hosted by a specialized user agent called a conference focus [RFC4353]. Such a conference can naturally involve an MSRP session as one of possibly many media components. It is the responsibility of an entity handling the media to relay instant messages received from one participant to the rest of the participants in the conference. Several such proprietary systems already exist in the Internet. Participants in a chat room can be identified with a pseudonym or nickname, and decide whether their real identity is disclosed to other participants. Participants can also use a rich set of features, such as the ability to send private instant messages to one or more participants, and the ability to establish sub-conferences with one or more of the participants within the existing conference. They also allow combining instant messaging with other media components, such as voice, video, white-boarding, screen sharing, and file transfer. 
Such conferences are already available today with technologies other than MSRP; they are however not integrated with the SIP protocol. For example, Internet Relay Chat (IRC) [RFC2810], Extensible Messaging and Presence Protocol [RFC3920] based chat rooms, and many other proprietary systems provide this kind of functionality. It makes sense to specify equivalent functionality for MSRP-based systems to both provide competitive features as well as enable interlocking between the systems and compatibility with SIP deployments. Architecture For simplicity, the depicted architecture leaves out the MSRP relay. The MSRP relay is necessary to ensure communication for clients located behind NAT and the MSRP IM chat server can include the MSRP Relay component to provide ubiquitous access for clients outside or behind NAT devices. Dissemination The Multi-party Instant Message (IM) server will be disseminated via its own web site, via the OpenSER user community, public open source repositories like SourceForge and published at web sites that advocate the use of open source like Voip-info.org. The software will be provided with its own wiki page, documentation, source browsing and mailing list. This is a project of AG Projects BV, located in Haarlem, The Netherlands. ","url":"https://nlnet.nl/project/openmsrp2/","title":"openMSRP(2)"},{"description":" openMSRP openMSRP relay implementation This project aims to implement an Open Source MSRP relay based on IETF specifications RFC4975 and RFC4976. MSRP is the abbreviation of Message Session Relay Protocol, a protocol for transmitting a series of related instant messages in the context of a session. The aim is to provide a reference server side implementation of the SIP SIMPLE (SIP for Instant Messaging and Presence Leveraging Extensions) key component. The project contributes to the convergence of SIP (Session Initiation Protocol) and instant messaging. 
The Open Source MSRP relay implementation will have the following features: Open source implementation licensed under LGPL; Code written in Python programming language; Integration with a popular open source SIP Proxy (OpenSER). Plans for the future include the implementation of a multi-party Instant Message (IM) server and Open Source MSRP IM/File transfer client. The project's own website: http://www.msrprelay.org This is a project of AG Projects BV, located in Haarlem, The Netherlands. ","url":"https://nlnet.nl/project/openmsrp/","title":"openMSRP"},{"url":"https://nlnet.nl/project/opendocsoc/","title":"OpenDoc-Soc","description":" OpenDoc-Soc Dutch OpenDoc Society The aim of this project is to initiate the Dutch OpenDoc Society, which actively promotes the use of ODF and other Open Standards to existing organisations, like government, health care, and educational institutes. The project's own website: http://nl.opendocsociety.org [In Dutch only, sorry] This project consists of founding and subsequently actively maintaining the association OpenDoc Society. The association's goal is to exchange information about adopting and using ODF and other Open Standards in business and associations, in the government and healthcare sectors, in education and wherever private individuals or organisations are interested in sharing documents and information freely. NLnet's contribution is used for, among other things, the organisational start-up of this association, such as founding documents and the website. In addition there will be an ODF tour: presentations around the country for SMEs, schools, healthcare institutions, etc. Companies will be contacted, and working groups started per professional group. A certification programme for companies, government bodies and organisations will be set up, based on material that already exists internationally. 
To that end audits will be organised and advice given on establishing a fully Open ICT environment. This project is run by RedNose ICT Training & Advies."},{"title":"Cryptech.is","url":"https://nlnet.nl/project/opencryptoproject/","description":" Cryptech.is An open source open hardware security module to protect communications Cryptech.is is a project that wants to design an open-source hardware cryptographic engine that can be built by anyone from public hardware specifications and open-source firmware. Anyone can then operate it without fees of any kind. The project's own website: https://cryptech.is Recent revelations have called into question the integrity of some of the implementations of basic cryptographic functions and devices used to secure communications on the Internet. There are serious questions about algorithms and about implementations of those algorithms in software and particularly hardware. The algorithmic issues are in the domain of the heavy math cryptography folk. But we must also deal with the implementation issues. The Open Crypto project is pursuing the development of an open-source hardware cryptographic engine that meets the needs of high assurance Internet infrastructure systems that use cryptography. The open-source hardware cryptographic engine must be of general use to the broad Internet community, covering needs such as secure email, web, DNS, PKIs, etc. The project solicits functional requirements from a wide range of organizations. It will focus on the classic low level cryptographic functions and primitives, and not get drawn into re-implementation of application protocol layers. This is an important and large project. Please consider contributing to this project. Cryptech.is "},{"description":" OpenBTS-HW OpenBTS hardware This project is a part of a bigger effort to create a completely open GSM network, from a low level hardware to high level software. 
The network is intended to be built with open-source software, such as OpenBTS, OpenBSC, FreeSwitch, Linux, etc. The hardware part of the project is more complex, because to date there is no open hardware for GSM base-stations. As a practical implementation this will set up completely open network providing affordable mobile service to people from Mayotte island. The project's own website: http://openbts.org/ ","title":"OpenBTS-HW","url":"https://nlnet.nl/project/openbts-hw/"},{"description":" openXC7 Improve hardware support for open source FPGA tooling FPGAs are reconfigurable chips capable of handling many electronic signals in parallel. They are used in network equipment like backbone switches, firewalls, video devices like surveillance cameras and radio equipment like mobile-phone base stations, radar systems and satellites to process high volumes of data with very low latency. FPGAs are also used to test digital circuit designs before they are manufactured as chips. The functionality of FPGAs is determined by a configuration file which is loaded into the FPGA at power-on. The configuration file is usually generated from a design file by a proprietary tool provided by the manufacturer of the FPGA. openXC7 will provide a complete set of open source tools to generate a configuration file for the widely used family of Xilinx Series 7 FPGAs from manufacturer Xilinx/AMD without having to use any proprietary tools. This will empower digital design engineers to have the guarantee that no backdoor is implemented on FPGA based devices by the proprietary design tool provided by the vendor. The availability of the source code of the FPGA design tool will also allow anyone to come up with new use cases for FPGAs currently not possible with existing tools. In this project the team will implement gigabit transceiver support, both for the widely used Artix7 and the Kintex7 families of devices, thus enabling complete open source network infrastructure (e.g. 
an open source 10 GB Ethernet switch). The second focal point will be identifying and fixing issues that arise from the community of users of the toolchain. The project's own website: https://github.com/OpenXC7 This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","url":"https://nlnet.nl/project/openXC7/","title":"openXC7"},{"title":"S-SATA for openXC7","url":"https://nlnet.nl/project/openXC7-S-SATA/","description":" S-SATA for openXC7 Open source SATA phy and interface for FPGA's This project develops an open-source SATA controller for use with FPGA technology, specifically targeting the Xilinx Kintex/Artix7 family. SATA, which stands for Serial Advanced Technology Attachment, is a technology used to transfer data between a CPU and an attached persistent storage device. By creating an open-source hardware controller, this project will make it easier and more affordable for researchers and developers to implement dependable high-speed data storage solutions in their FPGA-based projects. Initially, the controller will support the 1500Mb/s data transfer speed typical of earlier SATA versions. Our development plan includes both building this controller, a hardware simulation of it, and software to demonstrate it. We then intend to implement it on actual hardware and prove it works. The project's own website: http://zipcpu.com/blog/2023/11/25/eth10g.html This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. 
"},{"title":"openPCIe2 Root Complex","url":"https://nlnet.nl/project/openPCIe2-RootComplex/","description":" openPCIe2 Root Complex Open hardware implementation of gen 2 PCIexpress in OpenXC7 This project will develop an open hardware implementation of PCIexpress 2.0, the high-speed serial computer expansion bus standard used to allow computer peripherals to be slotted into a motherboard. When designing open hardware, having such a critical part of a component depend on proprietary components is problematic. The open hardware PCIe/Gen2 Root Complex developed within this project would make a big step towards developing fully open hardware components. Prior efforts only provided a partial implementation, and depended on vendor-provided 'black boxes' that would prevent such designs to be used to create a working, fully open hardware solution. This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"url":"https://nlnet.nl/project/openEngiadina/","title":"openEngiadina","description":" openEngiadina Platform for creating, publishing and using open local knowledge OpenEngiadina is developing a platform for open local knowledge - a mashup between a semantic knowledge base (like Wikipedia) and a social network using the ActivityPub protocol. openEngiadina is being developed with small municipalities and local organizations in mind, and wants to explore the intersection of Linked Data and social networks - a 'semantic social network'. openEngiadina started off as a platform for creating, publishing and using open local knowledge. The structured data allows for semantic queries and intelligent discovery of information. 
The ActivityPub protocol enables decentralized creation and federation of such structured data, so that local knowledge can be created by independent actors in a certain area (e.g. a music association publishes concert location and timing). The project aims to develop a backend allowing such a platform, research ideas into user interfaces and strengthen the ties between the Linked Data and decentralized social networking communities. The project's own website: https://openengiadina.net Why does this actually matter to end users? At your local supermarket or community center, everyone in the neighborhood can put up a note to announce a local event, sell something they no longer need, or organize a fun party. Search and discovery in this way is organized completely equally: as long as no one messes with the notes or tries to keep someone away from the note board, everyone is free to search for what they need or have their services and products be discovered. On the internet, search and discovery is not always equally organized. Most users are free to get together, start a website and share what they want to share, but how can they be sure they are actually discovered? That is governed by search engines and social platforms, who make up their own rules which sites, profiles and messages are displayed in their search results and how they are ranked. Users have to rely on these intermediaries to get their information out into the world, and usually have no other choice but to simply accept the terms of service of these platforms. What if we could make online search work just as simple, democratic and transparent as a note board? Or even better? This project helps to make search and discovery on the internet more democratic by giving users the tools and technology they need to put their information out there on their own. 
If you want to organize a block party and announce the date to people in your community, you do not need to blindly trust some company to hopefully include your data in a list of search results users see when they are looking for local festivities. Instead, you can simply announce your party date in a particular way, and the technology this project will develop makes sure that this information can be easily found. This way, online search becomes a democratic community effort, instead of a commercial popularity contest. This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. "},{"url":"https://nlnet.nl/project/openENOC/","title":"openENOC","description":" openENOC Scalable Ethernet-based Network-on-Chip openENOC is an open-source hardware and software project that develops a scalable Ethernet-based Network-on-Chip (NoC) architecture to enable modular and interoperable MPSoC designs. By using standard Ethernet Layer-2 as the native on-chip transport protocol, openENOC connects processors, accelerators, and peripherals in a flexible, packet-switched network that lowers barriers to building complex systems and bridges the gap between on-chip and off-chip networking. The project provides a complete, permissively licensed stack, including RTL components, integration APIs, verification infrastructure, and reference designs and targets workloads where traditional interconnects struggle to scale, such as cryptography and edge computing. All results will be released openly to support reuse, strengthen the open hardware ecosystem, and empower developers and organizations to build future-proof, interoperable, and community-driven MPSoC solutions. 
This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"title":"openCologne","url":"https://nlnet.nl/project/openCologne/","description":" openCologne CM4 form factor SoM for GateMate chips Currently there are few FPGA vendors in Europe. One of these vendors, CologneChip, produces the GateMate chips which have some high quality features compared to other FPGAs, such as a high speed SerDes. Recently we have seen the appearance of a number of affordable boards with these FPGAs. The challenge (and opportunity) is now to make sure that the open hardware community can benefit from these FPGAs as soon as possible. This project will design a new iteration of the popular open hardware ULX-boards (ULX5M) featuring GateMate chips, which will be compatible with the widely used CM4 form factor - so it can be slotted into many existing designs instantly. This opens up this strategic new FPGA target for a broader audience, and helps breach the market. In addition, the project will make a portfolio of entry level projects that selectively put GateMate resources to good use, including its unique SerDes. Be they in RTL or HLS, implemented as pure hardware FSMs, or by using HW/SW co-design and SOC techniques, or integrated with LiteX - delivering a variety of real-life use cases. The project's own website: https://www.chili-chips.xyz/open-cologne This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. 
"},{"description":" OfficeShots see how different office suites render your ODF document. The Open Document Format (ODF) is a new, vendor neutral and open standard for document exchange. ODF is currently supported by multiple office suites such as OpenOffice.org, KOffice, AbiWord and IBM Lotus Symphony. Microsoft has announced that MS Office will also include support for ODF. In an ideal world, all these ODF implementations would be fully compatible with each other and with the published standard. Unfortunately in the real world, multiple ODF versions with software bugs and other inconsistencies present document designers and authors with many of the same problems that HTML authors face on the world wide web. Different applications may display and handle ODF documents in different ways. This project will create a service called “ODF-Shots” which lets ODF authors and designers upload documents to a webservice and see how different office suites render their documents. This allows authors of complex documents and designers of ODF templates to ensure that their documents work under many different office suites. The service works in a manner similar to Browser-shots where HTML authors can ensure that their designs work under various browser versions. The project's own website: http://officeshots.org ","url":"https://nlnet.nl/project/officeshots/","title":"OfficeShots"},{"description":" offen Ethical site analytics, controlled by the user Transparently handling data in the open creates mutual trust: Offen is a web analytics software that gives users insights into the data they are generating by giving them access to the same suite of analytics tools site operators themselves are using. Usage metrics come with explanations about their meaning, relevance, usage and possible privacy implications, and also details which kind of data is not being collected. Offen treats both users and operators as parties of equal importance. 
Users can expect full transparency and are encouraged to make autonomous and informed decisions regarding the use of their data, and operators are being enabled to collect needed usage statistics while fully respecting their users' privacy and data. No user data is being collected until the user has explicitly opted-in. All data can be deleted either selectively or in its entirety by the users. The project's own website: https://offen.dev/ Why does this actually matter to end users? As you fire up your computer, laptop or smartphone and click your browser icon to connect to your favorite site, do you know what happens behind the scenes? Many websites actually have dozens of different trackers, and some of these have such a global presence that they can form a pretty clear picture of one's online behaviour. Some argue that privacy is and has been dead for quite some time. As long as users have a quick internet connection and can access the web, email, games and messages without a hitch, they won't complain. But if you question people about the importance of online privacy, usually the answer is that it is indeed important and should be better protected. What is happening here? Perhaps we misunderstand carelessness with unfamiliarity. The technology behind most of our devices, our connection to the internet and the virtual spaces we inhabit is complex, yes, but the solutions we use to access them have also kept actual control away from us under the guise of 'intuitiveness' and 'pick up and play'. Playing here means playing by the rules of the developer, not by your own. What users instead should have are tools that give them actual access to what their devices do, what choices are made, and decide for themselves whether they agree with them or not. Privacy isn't dead, we just lack the tools to actually protect it. On the internet this would mean users need tools that first give them behind the scenes access and show how they are tracked and profiled. 
Then they should be able to flip a switch and decide, no, I don't want some unknown company to follow me around and record everything I do. This is what offen will develop: a tool that gives users just as much insight and control as a website owner has over data gathering and analysis - putting both on an equal footing. And the user remains in full control: before any data is actually collected, users can see precisely what would be collected about them, and who that data would be shared with. Since website owners need to convince the visitor that they will respect her or his privacy in order to get their explicit consent, the rather than brutally grabbing any data she or he can get how that affects their privacy. Then they can either opt-in. This way, users have the tools and the access they need to make informed choices online and web site operators, who usually just want to know how many views their site gets and where their visitors are coming from, can respect the choices of their viewers. This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. ","url":"https://nlnet.nl/project/offen/","title":"offen"},{"title":"odfsvn","url":"https://nlnet.nl/project/odfsvn/","description":" odfsvn use SVN to maintain ODF documents ODFSVN is a toolset to store ODF documents in a subversion repository. Why you would want to use subversion for documents: it allows you to use all features of a version control system: all changes are archived along with change notes, roll back to previous versions, see who made what changes and why, etc. people share their changes on the document through a shared repository. You can always see all changes from all editors, update your version to the latest revision and submit your changes. 
ODFSVN stores all repository information in the ODF metadata, you do not need to configure anything on your system. To illustrate how this works let's examine the differences between using odfsvn and email when working on a document with multiple people. Take Alex, Burt and Charles who are working on a proposal. Alex writes a first draft and mails that to Burt and Charles. Burt makes a few changes and mails the updated document to Alex and Charles. Finally a few hours later Charles finds two emails with documents in his mailbox. He needs to read both emails to see which one has the latest revision of the document, download the attachment and edit that. When he is done revising the document he sends his updates back to Alex and Burt. As you see, this scenario involves a number of emails being exchanged at every step, people having to switch from their email application to their office application and back again for every revision, and no quick method to check if you have the latest revision of the document. Now let's see how Alice, Bernice and Charlene prepare a new marketing proposal using odfsvn. Alice creates a first draft and uses odfsvn to store it in a central subversion repository and mails it to Bernice and Charlene. Bernice is the first to respond and uses the document to download the latest version. When she is finished making changes, she uses odfsvn to commit her changes to the repository. When Charlene comes back in after lunch, she sees the email from Alice. She grabs the attachment, just like Bernice did earlier, uses odfsvn to update the document. odfsvn updates the document to the version Bernice committed earlier and Charlene can start editing. The second scenario is much simpler: there is no longer a need to exchange extra emails or for people to switch between their mail and office applications: odfsvn will always be able to update a document to the latest revision. 
In a future version, when odfsvn will also be available as a plugin for OpenOffice.org, this will be completely automatic. The project's own website: http://odfsvn.sourceforge.net "},{"url":"https://nlnet.nl/project/odfkit/","title":"OdfKit","description":" OdfKit base library for processing ODF OdfKit is being designed as an open source library for creating, loading, storing, manipulating, saving and rendering documents in the OpenDocument Format (ODF). Like WebKit. It provides a framework of classes, functions and macros that can be used with a toolkit library like Qt or Gtk+ to create the actual library that can then be used in an application. Project deliverables: Odf Loader and saver Lossless roundtripping of documents from the beginning API for manipulating the document contents. This API should follow the specification of the OpenDocument toolkit. The project's own website: http://gitorious.org/odfkit KO Ghmbh in Germany. "},{"url":"https://nlnet.nl/project/odfautotests/","title":"ODF Autotests","description":" ODF Autotests a framework to help users and developers write test documents for ODF software The Open Document Format (ODF) is an international standard, a vendor neutral and open format for document exchange. ODF is currently supported by multiple office suites such as LibreOffice.org, Google Docs, Microsoft Office, Apache OpenOffice, WebODF and OX. In an ideal world, all these ODF implementations would be fully compatible with each other and with the published standard. Unfortunately in the real world, multiple ODF versions with software bugs and other inconsistencies present document designers and authors with many of the same problems that HTML authors face on the world wide web. Different applications may display and handle ODF documents in different ways. ODFAutoTests is a framework to help users and developers write test documents for ODF software. 
Tests are a great tool to help software and standards mature, but writing tests by hand is very time consuming. ODFAutoTests makes it easy to create them, and run them across multiple products. The project's own website: http://autotests.opendocumentformat.org "},{"url":"https://nlnet.nl/project/odf-xliff/","title":"ODF-XLIFF","description":" ODF-XLIFF convert ODF to Gettext PO and XLIFF for translation and localising Much content, both open and closed, is produced in office documents: word processing documents, presentations and spreadsheets. The advent of XML based formats such as OpenDocument Format (ODF) has made it possible to manipulate and add value to these documents. An important part of produced content is the ability to localise or adapt it to another culture. By translating documents it is possible for more people to access the information. This project aims at the creation of a filter that can convert ODF documents into common translation formats (PO and XLIFF) so that they can be easily translated into other languages. Thus the objective of this project is to allow documents in the XML based OpenDocument format to be extracted for easier translation in translation tools. In order to reach this objective, a collaborative arrangement between Translate.org.za and Itaapy will be forged with the objective to build a solid platform by using the expertise from each organisation and software project, thereby providing a stronger platform for innovation in the future. The project's own website: http://translate.sourceforge.net/wiki/developers/projects/odf "},{"title":"ODF-Valid","url":"https://nlnet.nl/project/odf-valid/","description":" ODF-Valid ODF Online Validator to the command-line The current ODF Online Validator is hosted by Oracle Hamburg and due to the site shut-down, will be turned off any moment. The project will answer to this urgency and build an open, free, easy and out-of-the box web application - the command-line validator. 
The source code will be contributed to Apache, as the ODF Toolkit has become an Apache Incubator project. The project's own website: http://tools.odftoolkit.org/odfvalidator/ Project of Svante Schubert, Germany. "},{"title":"ODF-Symbian","url":"https://nlnet.nl/project/odf-symbian/","description":" ODF-Symbian view ODF on Symbian OS and other mobile systems As more and more governments are adopting ODF --some of them even as the obligatory document format-- it is disappointing that no open source viewer for Symbian OS or other mobile systems exists. (Symbian OS is the leading smartphone operating system in Europe, with a market share of about 80%) This project is aimed to support and release the source code of Mobile Office under a license like GPL3/LGPL3. The following will be supported by the funding: create an appropriate project under e.g. Google Code, Sourceforge or other release Mobile Office's source code under an appropriate license add end-user documentation about Mobile Office as html and/or pdf pages as well as help content integrated into the application itself. finish up some remaining stuff to make it compatible with some changes done by OpenOffice.org, e.g. in relation to encryption of documents. The project's own website: http://www.sept-solutions.de/English/office.php "},{"url":"https://nlnet.nl/project/odf-recipes/","title":"ODF-Recipes","description":" ODF-Recipes ODF Software Recipes This project demonstrates what ODF libraries can do (and how) and helps attract users to them. For programmers and users ODF is a great solution, and the project helps by showing its effectiveness and simplicity compared to legacy formats such as binary office formats and OOXML. The result of the project is a platform where any ODF library developer can upload its own library and benefit from this suite of recipes. Practically, such a project entails the opening of a wiki grouping cookbooks and recipes to perform defined tasks in those libraries. 
But instead of separating each library with its own pages, we'll compare them to perform the same task. Emulation... Pros and cons of each approach will be exposed. The developers of these libraries could compare its API with the other ones and find ideas to improve and complement it. Run by Itaapy. The project's own website: http://recipes.opendocsociety.org "},{"title":"ODF-Numbertext","url":"https://nlnet.nl/project/odf-nt/","description":" ODF-Numbertext number to text conversion for the upcoming ODF OpenFormula standard This project represents well-defined spreadsheet functions and a language-neutral algorithm for the number to text (number name) conversion for the upcoming ODF OpenFormula standard, also an OpenOffice.org Calc extension as a working implementation. It is a generalization of the BAHTTEXT function and a huge number of language-dependent third-party extensions of Microsoft Office Excel 2003 and OpenOffice.org. This is an important function for spreadsheets, but there was no language-neutral solution yet. Finishing the project will imply support for a dozen new European languages, plus document the implemented functions and the algorithm. The project's own website: http://numbertext.org "},{"title":"ODF-KOffice4","url":"https://nlnet.nl/project/odf-koffice4/","description":" ODF-KOffice4 ODF track changes/tables in KOffice and Calligra Suite This project is about writing and testing the code to produce valid ODF track changes according to the proposed ODF 1.2 track changes format. The ODF TC has received a proposal for a new and vastly improved change tracking format, that is able to capture an unprecedented nuance in change tracking. By creating a full blown implementation of the proposed specification in an ODF compliant suite, including the most difficult use case, the technical proposal is validated in a real world environment. The project will also implement Basic Change Tracking Migration to the new proposed format. 
Ganesh Paramasivan "},{"description":" ODF-KOffice3 ODF revisions in KOffice The open source cross-platform KOffice suite is an exemplary ODF implementer, currently lacking some features. In KOffice 2.1 there is only basic support for track changes as per the OASIS ODF specification. The project will add full support to the relevant KOffice products, to create another strong independent implementation of this part of the specification. Specifically, the following features are targeted: Bug-fixes to fix Danish Test Failures Complete Delete change implementation Tool-Tip Support Change Tracking for lists, images Change Tracking for tables Change Visualization Configuration Re-factoring to separate show and record. Text Layout Bug-Fixes Unit-Testing of Table Layout ","title":"ODF-KOffice3","url":"https://nlnet.nl/project/odf-koffice3/"},{"url":"https://nlnet.nl/project/odf-koffice2/","title":"ODF-KOffice2","description":" ODF-KOffice2 ODF metadata in KOffice KOffice has strong OpenDocument implementation, the main implementation outside the famous OpenOffice. The goal of this project is to add ODF metadata support to KOffice. The project's own website: http://metadata.wiki.opendocsociety.org "},{"title":"ODF-KOffice","url":"https://nlnet.nl/project/odf-koffice/","description":" ODF-KOffice ODF load and save in KOffice KOffice has long had a strong OpenDocument implementation, the main implementation outside the famous OpenOffice. In KOffice version 2, the text engine was upgraded to support more features and to support anonymous properties inside the text engine. This project aims to make KWord ready for release based on the new text engine. The new text engine requires that large parts of the existing ODF loading need to be reworked. The main task is therefore to make the ODF loading and saving code work as good (or even better) than with the latest stable release (1.6.3). 
To reach this goal, automated tests will be created based on an existing collection of ODF test-documents. The ODF-testsuite is available with an open licensing model, but is hardly used by any vendors. One reason for this is the amount of manual labor to load each test and visually confirm the on screen version is according to spec. The second problem is that the results are open to interpretation. The main project goal is to import relevant tests from the test-suite. This is estimated to contain around 100 tests. There will be a framework to load each test and code that tests if the loading succeeded and thus if the test passed. The second goal after this is to make a significant portion of the tests pass, which implies that KOffice can correctly load the ODF data. This goal includes implementing features in KWord that are required by ODF. The third goal, is that KWord as an application is finalized to be releasable at the KOffice 2.0.0 release. This includes fixing bugs and polishing the user interface. "},{"description":" ODF-DocMod Modularise ODF 1.2 documentation The modularization of the Open Document Format is one of the most important upcoming tasks for the OASIS ODF TC. Unfortunately it is not an easy step, as the model of the ODF 1.2 part 1 is listing about 600 XML elements and about 1300 XML attributes. The modularization of these elements into logical pieces (like section, image, paragraph, table, etc.) is needed. To ease the TC's work and avoid errors such huge tasks are best being solved by tools, automating all the parts that can be automated. The idea is to provide a generated ODF documentation in HTML that lists alphabetically all attributes and elements of ODF. In addition this will allow to extract values for attributes and an easy to read Backus-Naur form for all 'children elements'. 
Project of Svante Schubert, Germany ","url":"https://nlnet.nl/project/odf-docmod/","title":"ODF-DocMod"},{"description":" ODF-compare Creating Tracked Changes in Open Document Format by Document Comparison This project provides an inter-operability demonstration of the proposed new track change format for ODT. There is an urgent need to demonstrate that the proposed tracked-change format for ODF works in practice. Therefore this project will provide a simple on-line demonstration of this. It will not be based specifically on ODF but will rather compare any two XML files and generate a tracked-change result. This will enable evaluators to put in, for example, two versions of an ODT table and see how the changes would be represented. The work will be done in two phases: Generate a tracked-change (TC) XML document from two XML input documents neither of which have any tracked change within them. This would be achieved by comparing the files using DeltaXML Core and then converting the DeltaXML delta format into the new TC format. Provide the above as a web service for access by a limited number of members of relevant technical committees. This would provide the ability to upload XML files and download a tracked-change representation of the changes. The web service will be maintained until January 2011. The project's own website: http://deltaxml.com/ DeltaXML Ltd. ","title":"ODF-compare","url":"https://nlnet.nl/project/odf-compare/"},{"url":"https://nlnet.nl/project/odf-changes2/","title":"ODF-changes2","description":" ODF-changes2 Standardisation for Tracked Changes in ODF This project is intended to assist the Standardization Committee preparing the standard for a syntax named XML Change ML (short for XML Change Markup Language) that allows for accurately describing any incremental change and edit to the content and structure of (compound) XML documents, typically in multiple editing sessions by different authors. 
OpenDocument already supports a track changes mechanism, but this is limited in scope and functionality. This project's contribution will be used as one of the starting points of the work of the XML Change Markup Language SC. The goal is to create a generic syntax that will allow for 100% reliable capturing of differences between different versions and states of office document of any class (text documents, spreadsheets, presentations), including those that have been enhanced by custom XML markup. Change should thus provide a futureproof, application neutral syntax, that should even be capable of being used to provide change tracking between versions of documents as they are converted to yet unpublished versions of the OpenDocument Format specification, using features not currently available - although this might involve significant complexity on the side of the software in meaningfully presenting this to users. The project's own website: http://deltaxml.com/ DeltaXML Ltd. "},{"description":" ODF-changes Representing Changes in Open Document Format This project addresses deficiencies in the ability of the Open Document format to record changes. This is deemed to be a critical area for the wider acceptance of this format. The current capability in this area has limited scope and a number of known problems. These issues mean that the Open Document format is significantly weaker in this area than Microsoft Word. The project's own website: http://deltaxml.com/ DeltaXML Ltd. ","title":"ODF-changes","url":"https://nlnet.nl/project/odf-changes/"},{"url":"https://nlnet.nl/project/odf-abiword/","title":"ODF-AbiWord","description":" ODF-AbiWord improving AbiWord OpenDocument Free and Open Source Software (F/OSS) is rapidly gaining market share, especially in the Netherlands, where the government stimulates the use of F/OSS in the entire public sector. 
On their way to full acceptance in the real (business) world, F/OSS applications need to meet open and widely accepted standards. For the domain of Word Processing the emerging standard is the OpenDocument specification. The goal of this project is to make the AbiWord word processor more compliant with the OpenDocument specification. Scope: Resolving the software bugs related to AbiWord's OpenDocument compatibility. The produced software improvements submitted to the AbiWord community. The project's own website: http://www.abisource.com/ "},{"description":" ODF-AbiChanges2 ODF Track changes in AbiWord (2) This is the continuation of the earlier project ODF Track changes. The ODF file format is an open format for storing computing documents. The format is gaining support for tracking changes made in revisions of documents. In order to advance the cause of including change tracking in the ODF/ODT file format specification some office suites must be able to save and load the change tracking information. The project is to improve how paragraph merge is handled in the ODT+ChangeTracking code. Explicit tracking of paragraph merges. This will render many of the current existing heuristics for tracking paragraph merge situations unnecessary. Project of Ben Martin, Australia. ","title":"ODF-AbiChanges2","url":"https://nlnet.nl/project/odf-abichanges2/"},{"description":" ODF-AbiChanges ODF Track changes in AbiWord The ODF file format is an open format for storing computing documents. The format is gaining support for tracking changes made in revisions of documents. In order to advance the cause of including change tracking in the ODF/ODT file format specification some office suites must be able to save and load the change tracking information. The project is to add initial support for change tracking to the ODF code in the AbiWord word processor. 
Benjamin Martin, Australia ","url":"https://nlnet.nl/project/odf-abichanges/","title":"ODF-AbiChanges"},{"description":" OCS-Asterisk Open real-time connection between Microsoft OCS and Asterisk Asterisk [Description in Dutch only] When setting up hosted corporate communication systems based on internet technology, commercial vendors take the path that leads most quickly to adoption of their product. In the field of real-time communication, for example, products are often claimed to be 'SIP-compatible'. When it comes down to it, however, crucial details turn out to be implemented only to a limited extent or not at all. The commercial goal of Unicoms is to connect traditional or hosted private branch exchanges to a hosted Unified Communication environment, based on SIP. Initially, the Microsoft Office Communications Server platform will be used for the Unified Communications service. The first integration planned is the one with the Open Source PABX software 'Asterisk'. Unicoms will run into the problems described above and is engaging a graduating student from Hogeschool INHOLLAND to investigate, test and publicly document such a scenario. Goal This request for a contribution from the NLnet fund concerns the part of Unicoms' activities that relates to making publicly available the knowledge gained from connecting the commercial SIP product 'Microsoft OCS' with the Open Source PABX software 'Asterisk'. The knowledge gathered will be turned into 'recipes' or how-tos that will be published in the 'Cookbook for Enhanced Communication Services' of TERENA (the European association of higher education and research networks). Work on part two of the Cookbook is already under way through a wiki, carried out by the so-called Task Force on Enhanced Communication Services, in which about twelve NRENs participate. 
The first part has helped many academic institutions and other interested parties in their decision-making about VoIP and its implementation. Activities and NLnet contribution Setting up the hosted Unified Communications service is a commercial undertaking that is otherwise outside the scope of this request. The request covers only those activities that contribute to the experiments, to acquiring the necessary knowledge, to writing up the 'recipes' and to contact with the Task Force. Unicoms will be formally established by mid-October. A student from INHOLLAND has already started on the activities, and one of the founders of Unicoms is already active as co-chair of the Task Force from his previous job at SURFnet bv and will continue that activity on a volunteer basis. ","url":"https://nlnet.nl/project/ocs-asterisk/","title":"OCS-Asterisk"},{"description":" Strengthening NTP and NTS in ntpd-rs Memory-safe implementation of IETF time standards including NTPv5 and NTS NTP is one of the building blocks of the internet, and it and its security improvements are, therefore, of vital importance for a safer internet. Over the last year, we have created a new implementation of the Network Time Protocol called ntpd-rs, which includes Network Time Security support. In this project, we will work on growing adoption and strengthening our implementation. On the one hand, that means expanding platform support, packaging options, and implementing improvements suggested by early adopters. On the other hand, we see the need to increase the usability of NTS, which is not deployed widely. By contributing to improvements of NTP (NTPv5) and exploring the creation of an NTS pool, we aim to foster NTS adoption. 
The project's own website: https://tweedegolf.nl/en/pendulum Run by Tweede golf This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","title":"Strengthening NTP and NTS in ntpd-rs","url":"https://nlnet.nl/project/ntpd-rs/"},{"description":" Building blocks for Resilient Time Implement NTPv5 in ntpd + bootstrap procedure Time is essential for most security-critical protocols on the internet, such as DNS and TLS. As our time sources, such as GNSS signals, are coming under attack, making time synchronization as resilient as possible becomes even more critical. We need reliable time, even when time sources are unavailable or not trustworthy. This project will enhance time synchronization by improving how we synchronize time, both when systems are starting up and when they are in operation. Concretely it will contribute to stabilizing the draft of the next version of NTP, NTPv5, and implementing NTPv5 in ntpd-rs, and build a library for synchronizing multiple local clocks, maximizing the use of local stability (thereby providing a resilient building block for time synchronization for others to use). The team will also develop a resilient startup procedure, documenting the approach for implementers - and then implementing it for ntpd-rs. The project's own website: https://trifectatech.org/initiatives/time-synchronization/ Run by Trifecta Tech Foundation This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). 
","url":"https://nlnet.nl/project/ntpd-rs-NTPv5/","title":"Building blocks for Resilient Time"},{"description":" NoScript-Mob2 NoScript Mobile part 2 NoScript is a popular GPL add-on for Firefox and other Mozilla Gecko-based browsers which considerably increases the web client security in several innovative and ground-breaking ways. Numerous useful features make NoScript the most advanced browser security tool, used and respected by most web security experts and serving as an example and an inspiration for safety enhancements which are slowly finding their way in mainstream web browser technologies. This project is the follow up of the first NoScript Mobile project, and will implement specific components: XSS Filter, ClearClick, Mobile-friendly Setup Interface, Remote Synchronization, ABE component (Application Boundaries Enforcer). The way people use the web is steadily moving towards mobility: we've got smart phones rivaling in power and usability with desktop PCs, and open source mobile OSes, like the Debian-derivative Maemo by Nokia or, even more prominently, Google's Android, which open exciting scenarios but also pose significant challenges. The challenge NoScript wants to accept and win is bringing the safest web browsing experience on the mobile platforms. In order to achieve this, NoScript will be re-designed and re-implemented to be compatible with the latest Firefox Mobile versions, which run both on Android and Maemo devices, trying to retain as much as possible of its core components and functionality. The project's own website: http://noscript.net Project of Giorgio Maone, Italy. ","url":"https://nlnet.nl/project/noscriptmob2/","title":"NoScript-Mob2"},{"url":"https://nlnet.nl/project/noscriptmob/","title":"NoScript-Mob","description":" NoScript-Mob NoScript Mobile NoScript is a popular GPL add-on for Firefox and other Mozilla Gecko-based browsers, which considerably increases the web client security in several innovative and ground-breaking ways. 
Numerous useful features make NoScript the most advanced browser security tool, used and respected by most web security experts and serving as an example and an inspiration for safety enhancements which are slowly finding their way into mainstream web browser technologies. The way people use the web is steadily moving towards mobility: we've got smartphones rivaling desktop PCs in power and usability, and open source mobile OSes, like the Debian-derivative Maemo by Nokia or, even more prominently, Google's Android, which open exciting scenarios but also pose significant challenges. The challenge NoScript wants to accept and win is bringing the safest web browsing experience to the mobile platforms. In order to achieve this, NoScript will be re-designed and re-implemented to be compatible with the latest Firefox Mobile versions, which run both on Android and Maemo devices, trying to retain as much as possible of its core components and functionality. The project's own website: http://noscript.net/nsa/ "},{"description":" NoScript-Andr Android Native NoScript NoScript is a popular GPL add-on for Firefox and other Mozilla Gecko-based browsers which increases the web client security in several innovative and ground-breaking ways. NoScript was extensively supported by NLnet; it currently has almost 3 million active users and pretty much no competitors. That's because it goes very far beyond simple script blocking, having established itself as the \"ultimate\" security enhancement for the web browser, even though it's available on Mozilla Gecko-based browsers only. Unfortunately, no NoScript equivalent is available on mobile platforms yet. This is intended to be the unique final result of this project. The project's own website: http://noscript.net/nsa/ Project of Giorgio Maone, Italy. 
","title":"NoScript-Andr","url":"https://nlnet.nl/project/noscriptandr/"},{"url":"https://nlnet.nl/project/noscriptabe/","title":"NoScriptABE","description":" NoScriptABE improve the ABE (Application Boundaries Enforcer) for NoScript NoScript is a popular (over two millions active users) add-on extending the Firefox open source web browser and other products based on the Mozilla Gecko engine. NoScript increases web client security by applying a Default Deny policy to JavaScript, Java, Flash, and other active content. It provides users with an one-click interface to easily whitelist sites they trust for active content execution. The Application Boundaries Enforcer (ABE) module will attempt to harden the web application oriented protections already provided by NoScript with a firewall-like component running inside the browser. This project is specifically focused on developing a new web browser component called ABE, aimed to mitigate or defeat Cross Site Request Forgery (CSRF) attacks against sensitive web applications. This component will be built on the existing request interception, tracing and blocking framework of NoScript, and it will be integrated in NoScript's broader web security infrastructure, together with whitelist-based scripting, active content execution policies, anti-XSS filters, ClearClick anti-ClickJacking protection and HTTPS/Secure Cookies enhancements. After a working ABE implementation as a NoScript component gets completed, a refactoring and repackaging activity to deploy it as a separate “ABE Firefox Add-On” will be done. The project's own website: http://noscript.net "},{"title":"NOMA","url":"https://nlnet.nl/project/noma/","description":" NOMA Network Operator Measurement Activity The Network Operator Measurement Activity — NOMA — is exploring the possibility of developing operator-driven network health measurements. 
NOMA aims to establish a platform for collaboration on the initial definition, collection and dissemination of operator network measurements (self-instrumentation), with a goal of ensuring a better, shared understanding of what “good” Internet looks like. This will allow new networks brought online to determine that they are well aligned with that target, and will give operators a better sense of when their networks are healthy or underperforming. The project's own website: http://www.techark.org/noma/ Monitoring and measurement are essential to successful operation of a network. Each network operator holds a key piece of the puzzle of “how well is the Internet working?”. In an ideal future, there will be better, shared understanding of what “good” Internet looks like, so that it is possible to ensure that new networks brought online are well aligned with that target, and so that operators can have a better sense of when their networks are underperforming. Getting there requires involvement of network operators to measure their own networks’ performance (self-instrument) and share some version of that information. NOMA will, through the collaboration of partner network operators, define an initial set of measurements to constitute the basic instrumentation of participating networks. Materials Presentations NOMA at the MAPRG meeting — July 2016. (You can watch the video of the MAPRG meeting delivery from the IETF YouTube channel - external site ). Introducing NOMA — April 2016. Whitepapers, reports Report from the first NOMA workshop, June 2016. Internet Measurements Landscape (2016): Systems, Approaches and a Comparative Framework, Whitepaper — Leslie Daigle & Phil Roberts (December 2016). 
Stop Guessing, Start Measuring: Collaborative Data Collection and Internet Fitness, Whitepaper — Leslie Daigle (December 2016) NOMA Data Measurements Project Template – DRAFT, December 2016 TechArk "},{"title":"Nodewatcher","url":"https://nlnet.nl/project/nodewatcher/","description":" Nodewatcher A comprehensive and scalable node management system for community wireless networks. Project aimed at creating a wireless network node management system that can be used to manage and update large numbers of nodes in wireless networks such as community networks. The project's own website: http://nodewatcher.net/ The design and development of the nodewatcher platform comes from the needs and evolution of the wlan slovenija community wireless network. Its main idea is to automate as much as possible in building and operating a large wireless network. It encompasses functionalities sometimes named \"node database\", \"network dashboard\", \"network map\", but also a web-based firmware image generator, which allows easy generation of customized firmware images for each node individually. This technique improves efficiency significantly, and allows easy and failproof deployment of complex configurations even by people with no technical knowledge to do it otherwise. The idea is that once you register a new node and select target hardware, a customized firmware image for this node is generated; you just flash it, plug it in and that is it. No additional configuration or web interface is needed. Because the configuration is known, monitoring of the network can be done much better as it is known how each node should behave. If a node's hardware fails, you can just take new hardware (it can be of a different kind), flash it with the same configuration, replace the node, and then later on analyze why the previous hardware failed. All this further lowers the workload, making maintenance easier and streamlined. 
Nodewatcher is not only solving the technical issues of running a mesh network efficiently, it is aimed at making a platform which supports the community and community spirit. The platform makes it transparent how the network operates, its health and how and who builds the network. For each volunteer, it shows what and how much they contribute to the network, how important their wireless node is and how it is used. This feedback to the community is of vital importance and it has to be given in an intuitive and understandable, often non-technical, way, mostly through visualizations and a designed graphical interface. UNICORE, Privoz 17B, 1000 Ljubljana (Slovenia) "},{"description":" node-Tor Implementation of Tor protocols for inside webpages Node-Tor is an open source project and the only existing implementation of the Tor protocol in JavaScript. That gives it the unique property of running not just on a server or desktop, but also inside a regular web browser itself as a standalone secure webapp. It must not be mistaken for just a re-implementation of Tor network nodes: the goal is much wider, because it allows any project related to privacy/security enhancement to implement the Tor protocol in their nodes and/or inside a web page. The browser client acts as a standalone node itself, communicating via web interfaces such as WebSockets with servers or through WebRTC with other browsers. The use of JavaScript makes it possible to significantly reduce the code and libraries (prone to security breaches), simplifying the integration for developers (like removing the need to maintain installation packages since standard web interfaces can be used) and simplifying the use for users. This offers a lot of potential for increasing security and privacy for everybody, since the technology can be accessed from any place and any device that has a browser or can run JavaScript, including mobile devices. 
The project's own website: https://github.com/Ayms/node-Tor Why does this actually matter to end users? On the internet, every computer by design gets a unique number, a so-called internet protocol address (or IP address for short). This address is used to send information from your computer to the other computer you want to communicate with, and of course back. Unlike a traditional radio, you often need to send messages to receive messages on the internet. Computers are a great engineering achievement but they are certainly not magic, and thus they need to be able to somehow find each other. The IP address makes this possible. Unfortunately, the fact that every computer has a unique number opens up the possibility of abuse by dishonest actors. Because even though it is none of their business, breaking privacy is a profitable business. If they link what you do on the left side of the internet to what you do on the right side of the internet, they can create a profile and sell this to the highest bidder, with any bad luck to people that want to use it for nefarious purposes. While work is under way to replace the design of the internet within the Next Generation Internet initiative, there are multiple ways to avoid your IP address being tracked on the current internet. A popular method to attempt to anonymise one's internet presence is to use the Tor network. Tor is a network of millions of computers and users that send messages among each other to confuse someone watching internet traffic. To use Tor, normally you have to install a specific bit of software on your computer that runs a service in the back end. Installing and maintaining that software does require some technical skill and the rights to install software on the computer you are using, which for instance at work or in schools may not apply. So not all users can equally benefit from this. Of course, having such software on your computer could be an argument in some countries to prosecute you. 
But installing it over and over again is also not an option and requires even more technical skill, not to mention putting users at risk of installing some malware if their skills are limited. Using a so-called live medium (like a thumb drive or a CD) requires you to close every application you are running, and spend minutes rebooting the computer, every time you want to anonymously interact with some website. What if the burden of providing Tor access could be moved to someone offering a service on the world wide web? That way you could protect any interaction of all users with, say, a specific website, without the users needing to install anything. Node-Tor is a re-implementation of a part of the Tor protocol. It operates all but invisibly to the user, and connects the user to the Tor network directly from the web browser, with no configuration needed. This allows entirely new use cases for anonymisation. Run by Nais - Informatique Telecom This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. 
","url":"https://nlnet.nl/project/node-Tor/","title":"node-Tor"},{"url":"https://nlnet.nl/project/nlnetlabs/statuten.html","title":"NLnet Labs; Statuten","description":" NLnet Labs; Statuten Independent lab for Internet infrastructure development OPRICHTING STICHTING Heden, achtentwintig december negentienhonderd negenennegentig, verschijnt voor mij, Mr Thomas Pieter van Duuren, notaris met plaats van vestiging Utrecht: mevrouw Mr Tecla Maria Berkhout, kandidaat-notaris, geboren te Langedijk op drie oktober negentienhonderd zevenenvijftig, met het kantooradres 3584 BB Utrecht, Pythagoraslaan 2, te dezen handelend als schriftelijk gevolmachtigde van de stichting Stichting NLnet, met statutaire zetel te Amsterdam, kantoorhoudende te 2461 GG Ter Aar, Korteraarseweg 5c, ingeschreven bij de Kamer van Koophandel en Fabrieken voor Amsterdam, onder nummer 41208365. Van het bestaan van de gemelde volmacht is mij, notaris, gebleken uit een onderhandse akte van volmacht die aan deze akte wordt gehecht. 
The person appearing first declares the following: The aforementioned foundation Stichting NLnet is a foundation that has been designated as a public benefit institution within the meaning of Article 24, paragraph 4 of the Successiewet 1956; The aforementioned Stichting NLnet has as its object the promotion of electronic information exchange and everything related to it; As a consequence of its object described above, Stichting NLnet wishes to (further) develop Open Source Software for the benefit of the Internet; For administrative and organisational reasons, Stichting NLnet wishes to carry out these last-mentioned activities, as an extension of its own activities, in a separate foundation to be established by it; In implementation of the foregoing, the person appearing declares by this deed, on behalf of Stichting NLnet and as an extension of its own activities, to establish a foundation and to adopt the following articles of association for it: Definition: Open Source Software: software whose source code is freely available to third parties. ARTICLES OF ASSOCIATION NAME AND REGISTERED OFFICE Article 1 The foundation is named: Stichting NLnet Labs The foundation has its registered office in the municipality of Amsterdam. DURATION Article 2 The foundation is established for an indefinite period. OBJECTS AND MEANS Article 3 The foundation has as its object, as an extension of the activities of Stichting NLnet, the (further) development of Open Source Software for the benefit of the Internet and all other scientific approaches that may benefit that development, and furthermore everything that is directly or indirectly related to or may be conducive to any of this, all in the broadest sense. The foundation seeks to achieve its object by, among other things and without limitation: offering talented software developers the opportunity to develop, extend, maintain and make available Open Source Software projects for the benefit of the Internet. 
entering into collaborations, in whatever form, with other developers in the field of the development of the projects referred to under a.; promoting wide distribution of the software developed; making developers available to third parties for the development of specific Internet applications. ASSETS Article 4 The assets of the foundation consist of: gifts, subsidies, testamentary dispositions and legacies; income acquired by carrying out its stated object; all other lawful revenues. BOARD Article 5 The board of the foundation consists of three persons. The members of the board are appointed by Stichting NLnet, with its registered office in Amsterdam. The board elects a chair, a secretary and a treasurer from among its members. The offices of secretary and treasurer may be held by one person. Should one or more members be lacking from the board for whatever reason, the remaining board members, or the sole remaining board member, nevertheless constitute a competent board, without prejudice to the obligation to fill the vacancy or vacancies as soon as possible. The members of the board receive no remuneration for their work. They are, however, entitled to reimbursement of the costs reasonably incurred by them in the performance of their duties. BOARD MEETINGS AND BOARD RESOLUTIONS Article 6 Meetings will be held whenever the chair considers this desirable or if one of the other board members requests this of the chair in writing, specifying precisely the items to be dealt with, but in any case once a year. If the chair does not comply with such a request in such a way that the meeting can be held within three weeks of the request, the person making the request is authorised to convene a meeting himself, with due observance of the required formalities. 
The meetings are held within the Netherlands. The meeting is convened, subject to the provisions of paragraph 1 of this article, by the chair at least seven days in advance, not counting the day of the notice and the day of the meeting, by means of letters of notice. The director of the foundation is also called to the board meetings. He has an advisory vote in those meetings. The letters of notice state, in addition to the place and time of the meeting, the subjects to be dealt with. If the rules laid down by the articles of association for convening and holding meetings have not been observed, valid resolutions can be adopted in a board meeting only by unanimous vote in a meeting at which all board members in office are present or represented. The meetings are chaired by the chair. In the chair's absence the meeting itself provides for its chairing. Minutes of the proceedings of the meetings are kept by the secretary or by one of the others present, requested to do so by the chair of the meeting. The minutes are adopted and signed by the chair and the secretary of the meeting concerned, or adopted by a subsequent meeting and then signed by the chair and the secretary of that subsequent meeting. The board can adopt valid resolutions at a meeting only if the majority of the board members in office is present or represented at the meeting. A board member may be represented at the meeting by a fellow board member on submission of a written power of attorney that is sufficient in the judgement of the chair of the meeting. A board member may act as proxy for only one fellow board member. 
The board may also adopt resolutions outside a meeting, provided that all board members have been given the opportunity to express their opinion in writing by fax or by e-mail. The documents evidencing such a resolution are added to the minutes. Each board member has the right to cast one (1) vote. In so far as these articles of association do not prescribe a larger majority, all board resolutions are adopted by an absolute majority of the votes cast. All votes at a meeting are taken orally, unless the chair of the meeting concerned considers a written vote desirable or one of those present who are entitled to vote requires this before the vote. Written votes are cast by unsigned, sealed ballots. Blank votes are considered not to have been cast. They do count towards determining any quorum. The opinion of the chair of the meeting concerned, pronounced at the meeting, on the outcome of a vote is decisive. The same applies to the content of a resolution adopted, in so far as the vote was on a proposal not recorded in writing. If the correctness of the opinion of the chair of the meeting concerned is disputed immediately after it is pronounced, a new vote takes place if the majority of the meeting or, if the original vote was not taken by roll call or in writing, one person present who is entitled to vote so requires. This new vote cancels the legal consequences of the original vote. POWERS OF THE BOARD Article 7 Subject to restrictions under these articles of association, the board is charged with the management of the foundation. 
The board is authorised to resolve to enter into agreements for the acquisition, disposal and encumbrance of registered property, and to enter into agreements by which the foundation binds itself as surety or joint and several co-debtor, warrants performance by a third party or provides security for a debt of a third party, provided in all cases that this is based on a board resolution adopted unanimously in a meeting at which all board members in office are present or represented and without there being any vacancy on the board. The board ensures that the foundation and all board members, and any changes to them, are registered in the trade register. REPRESENTATION Article 8 The foundation is represented by: the board; or two board members acting jointly. END OF BOARD MEMBERSHIP Article 9 Each board member steps down no later than three years after his appointment or according to a rotation schedule to be drawn up by the board. Retiring board members are immediately eligible for reappointment without limitation. Board membership ends: by death; by (written) resignation; if a board member loses the free management of or free disposal over his assets; by dismissal by the district court; by a board resolution to that effect, adopted in a meeting in which all other board members in office voted for the dismissal of the board member concerned; and by dismissal by Stichting NLnet, with its registered office in Amsterdam. A board member may be suspended at any time by a unanimous resolution of all other board members. A suspension that is not followed by dismissal within three months ends when that period expires. DIRECTOR Article 10 The board is authorised to appoint a director of the foundation. The board is also authorised to suspend and dismiss the director. 
De taken en bevoegdheden van de directeur worden in een door het bestuur op te maken reglement vastgelegd. Aan de directeur kan door het bestuur machtiging worden verleend, om in specifiek genoemde gevallen de stichting namens het bestuur te vertegenwoordigen. BOEKJAAR, JAARSTUKKEN EN BEWAARPLICHTArtikel 11 Het boekjaar van de stichting is gelijk aan het kalenderjaar. Het eerste boekjaar eindigt op éénendertig december tweeduizend. Het bestuur is verplicht van de vermogenstoestand van de stichting en van alles betreffende de werkzaamheden van de stichting, naar de eisen die voortvloeien uit deze werkzaamheden, op zodanige wijze een administratie te voeren en de daartoe behorende boeken, bescheiden en andere gegevensdragers op zodanige wijze te bewaren, dat te allen tijde de rechten en verplichtingen van de stichting kunnen worden gekend. Het bestuur is verplicht jaarlijks vóór één juli de balans en de staat van baten en lasten van de stichting te maken en op papier te stellen. Het bestuur is bevoegd een registeraccountant of accountant-administratieconsulent te benoemen teneinde de balans en de staat van baten en lasten te controleren. Het bestuur is verplicht de in dit artikel bedoelde boeken, bescheiden en andere gegevensdragers gedurende zeven jaren te bewaren. De op een gegevensdrager aangebrachte gegevens, uitgezonderd de op papier gestelde balans en staat van baten en lasten, kunnen op een andere gegevensdrager worden overgebracht en bewaard, mits de overbrenging geschiedt met juiste en volledige weergave van de gegevens en deze gedurende de volledige bewaartijd beschikbaar zijn en binnen redelijke tijd leesbaar kunnen worden gemaakt. STATUTENWIJZIGING EN ONTBINDINGArtikel 12 Het bestuur is na voorafgaand verkregen goedkeuring van Stichting NLnet bevoegd de statuten van de stichting te wijzigen, alsmede om de stichting te ontbinden. 
Besluiten hiertoe moeten worden genomen met tenminste twee derde meerderheid van de stemmen in een vergadering waarin alle van de in functie zijnde bestuursleden aanwezig of vertegenwoordigd zijn zonder dat in het bestuur enige vacature bestaat. Zijn niet alle bestuursleden tegenwoordig of vertegenwoordigd, dan kan binnen vier weken daarna een tweede vergadering worden bijeengeroepen en gehouden, waarin over het voorstel zoals dat in de vorige vergadering aan de orde is gesteld, ongeacht het aantal tegenwoordig of vertegenwoordigde bestuursleden, kan worden besloten, mits met een meerderheid van ten minste twee derde (2/3) van de stemmen. Statutenwijziging moet op straffe van nietigheid bij notariële akte tot stand komen. Ieder bestuurslid is afzonderlijk bevoegd zodanige akte te doen verlijden. De bestuursleden zijn verplicht een authentiek afschrift van de wijziging alsmede de gewijzigde statuten neer te leggen ten kantore van het handelsregister. Na ontbinding blijft de stichting voortbestaan voorzover dit tot vereffening van haar vermogen nodig is. Ter vereffening van het vermogen van de ontbonden stichting treden de bestuurders als zodanig op. De vereffenaars dragen zorg voor inschrijving van de ontbinding van de stichting bij het handelsregister. Een eventueel overschot na vereffening van de ontbonden stichting wordt besteed overeenkomstig het doel van de stichting. De boeken, bescheiden en andere gegevensdragers van de ontbonden stichting moeten worden bewaard gedurende zeven jaren na afloop van de vereffening door degene die hiertoe door het bestuur als zodanig is aangewezen. REGLEMENTENArtikel 13Het bestuur van de stichting kan reglementen vaststellen en wijzigen of op heffen. Een reglement mag niet in strijd zijn met de wet of met deze statuten. Op de vaststelling, wijziging en opheffing van de reglementen is het bepaalde in artikel 12 lid 1 van toepassing. 
SLOTBEPALINGENArtikel 14In alle gevallen, waarin noch de wet, noch deze statuten, noch de reglementen van de stichting voorzien, beslist het bestuur. Tenslotte verklaart de verschijnende persoon dat voor de eerste maal tot bestuurders van de stichting worden benoemd: de heer Teunis Hagen, wonende te 5971 AZ Grubbenvorst, De Bisweide 28, geboren te Opsterland op zes oktober negentienhonderd vijfenveertig, als voorzitter; de heer Tjepke Wytze van der Raaij, wonende te 3958 XH Amerongen, Koenestraat 92, geboren te Schoonebeek op achtentwintig juni negentienhonderd vierenvijftig, als penningmeester; mevrouw Frances Mary Brazier, wonende te 2461 GG Ter Aar, Korteraarseweg 5c, geboren te Toronto op twaalf mei negentienhonderd zevenenvijftig, als secretaris. De verschijnende persoon is mij, notaris, bekend. WAARVAN AKTE is verleden te Utrecht op de datum in het hoofd dezer akte vermeld. Na zakelijke opgave van de inhoud van deze akte en na het geven van een toelichting daarop aan de verschijnende persoon, heeft deze verklaard van de inhoud van deze akte te hebben kennisgenomen en daarmee in te stemmen. Vervolgens is deze akte onmiddellijk na beperkte voorlezing door de verschijnende persoon en mij, notaris, ondertekend. (Getekend) T.M. Berkhout, T.P. van Duuren "},{"title":"NLnet Labs","url":"https://nlnet.nl/project/nlnetlabs/","description":" NLnet Labs Independent lab for Internet infrastructure development NLnet Labs was originally founded in 1999 by Stichting NLnet to develop, implement, evaluate, and promote new protocols and applications for the Internet. Its activities are focused on topics directly relating to the Internet's infrastructure, such as DNS, DNSsec, IPv6, and routing. Meanwhile NLnet Labs is an independently governed, public benefit organisation. 
The project's own website: https://www.nlnetlabs.nl "},{"description":" NLnet Labs Independent lab for Internet infrastructure development NLnet Labs is a not-for-profit foundation with a long heritage in research and development, Internet architecture and governance, as well as stability and security in the area of DNS and inter-domain routing. For many years we have been responsible for three widely used and well respected DNS implementations: the authoritative nameserver NSD, the validating recursive resolver Unbound and the policy-based signer OpenDNSSEC. In the area of inter-domain routing, we are developing a full featured RPKI toolset to help prevent BGP hijacking. A detailed overview of its current and past activities can be found on the NLnet Labs website, and in its Annual Reports. 2006-09-06: New features: support for IXFR, NOTIFY, and DNAME. Support contracts also available. Annual Report 2005 Stichting NLnet Labs (.pdf, 658 kB) 2004-02-17: Announcement of NSD release 2.0.0 Annual Report 2004 Stichting NLnet Labs (.pdf) Annual Report 2003 Stichting NLnet Labs (.pdf) Annual Report 2002 Stichting NLnet Labs (.pdf) Annual Report 2001 Stichting NLnet Labs (.pdf) Annual Report 2000 Stichting NLnet Labs (.pdf) Articles of Association of Stichting NLnet Labs ","title":"NLnet Labs","url":"https://nlnet.nl/project/nlnetlabs/how.html"},{"description":" NLnet Labs Independent lab for Internet infrastructure development The remarkably fast growth of the Internet and its technology is, in the NLnet Foundation's opinion, primarily due to the permanent free availability of protocol specifications and the reference implementations of these specifications. The free exchange of modules and applications has often led to the development of completely new applications and network services, like browsers (Mosaic) and encryption technology (SSH, PGP). 
This \"open\"-ness has had a very stimulating influence, and maintaining and protecting this situation is deemed crucial for the survival of a healthy Internet world. One of the ways to realize the above is to contribute materially to the expansion and maintenance of the large pool of open source software for the Internet. The term open source is being used here as a catch-all for a large variety of models for the unrestricted development and distribution of software in source form (GNU Public License, BSD license, Artistic license etc.). Open source software is used on a large scale in the Netherlands; however, contributions to its development are found to a lesser degree. By bundling a number of talented developers in the form of a software development laboratory, a new impulse can be given to the latter. To implement the above philosophy, the NLnet Foundation has established a new entity with the name Stichting NLnet Labs (NLnet Labs Foundation). NLnet Labs is a stichting (Foundation) under Dutch law, and will employ a group of 4 to 6 talented software developers to work on developing and maintaining open source style software for the Internet. NLnet Labs activities started on January 1, 2000. A detailed overview of its current and past activities can be found on the NLnet Labs website. ","title":"NLnet Labs","url":"https://nlnet.nl/project/nlnetlabs/description.html"},{"description":" Nix Store disk usage improvements Reduce storage overhead for Nix deployments The project summary for this project is not yet available. Please come back soon! This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). 
","url":"https://nlnet.nl/project/nixstore-diskusage/","title":"Nix Store disk usage improvements"},{"description":" Software vulnerability discovery Automating discovery of software update and vulnerabilities nixpkgs-update automates the updating of software packages in the nixpkgs software repository. It is a Haskell program. In the last year, about 5000 package updates initiated by nixpkgs-update were merged. This project will focus on two improvements: One, developing infrastructure so that the nixpkgs-update can run continuously on dedicated hardware to deliver updates as soon as possible, and Two, integrating with CVE systems to report CVEs that are addressed by proposed updates. I believe these improvements will increase the security of nixpkgs software and the NixOS operating system based on nixpkgs. The project's own website: https://github.com/ryantm/nixpkgs-update Why does this actually matter to end users? Software security for many users is a given, an assumption, something you do not and should not have to think about too hard. If you open an app on your phone, install new software on your laptop or boot up your tablet, you assume the software you use is safe, secure and that the developers have done their job right. With the amount of software coming out and the tangled web of inter-dependencies that exist today, this assumption of trust is hard to live up to. Especially since software vulnerabilities are constantly hunted for by malicious parties that want to get into our data and devices for blackmail, theft or on a larger and more dangerous scale, disruption of vital processes like power grids. One of the ways to make sure users do not have to worry about the applications they have installed is to automate the search and discovery of software vulnerabilities. Detecting and fixing security risks automatically can help to mitigate vulnerabilities that were recently uncovered by vendors and developers. 
Of course there is little that can be done about so-called zero-day exploits, but as soon as a problem is known developers typically start working on fixing their software. As a user you want to get those fixes as soon as possible, because the fact that a problem is now public increases the attack surface of software that companies, governments and people use to share sensitive data. Criminals can read bug reports too, and can opportunistically seize the chance to move in. This project helps to make the internet safer by shortening the path between software releases and the users. Installing a piece of software on a server or computer is quite simple these days. But behind the software repositories with tens of thousands of software applications hides a lot of work and logistics. This is because a computer application typically isn't a single self-contained program, but assumes a lot of other software to be present on the computer. This helps to save your hard disk from having many copies of exactly the same file in different places, which is not just ecological waste but also a security liability. These so-called \"dependencies\" need to be taken into account. A security issue in a major dependency can cause a lot of other applications to be insecure. So why does this need any work at all? Well, these dependencies are all independently produced by individual developers, small and large companies and communities. A significant human effort is required to monitor all kinds of software archives around the world for new versions. When a new version is discovered, so-called packagers need to manually perform a number of tasks to arrive at the point where normal users can just install an update. Nixpkgs-update automatically discovers and updates software packages, and the Nix packaging system makes sure all the dependencies are properly handled. 
With funding from NGI Zero this project will extend its efforts to automatically search for reported vulnerabilities in software packages, and make sure that updates which solve these issues are communicated and prioritised. The result is that users will be deploying and using the latest versions of software quicker, and can automatically install critical updates 24/7. If you are a company running a server on the public internet, that is critically important for your security and that of the rest of the net. As such, the project contributes to an operational internet that is more responsive to threats. We all need to be able to trust that the software we use is the latest, most reliable version that can be had. This project makes it possible to deliver on that assumption. This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. ","title":"Software vulnerability discovery","url":"https://nlnet.nl/project/nixpkgs-update/"},{"title":"Nixcloud Webservices","url":"https://nlnet.nl/project/nixcloud-webservices/","description":" Nixcloud Webservices Declarative web services based on NixOS Create example webservices in different programming languages to benefit from the Nixcloud web services abstraction. The project's own website: https://nixcloud.io NixOS is a Linux distribution with a unique approach to package and configuration management. Built on top of the Nix package manager, it is completely declarative, makes upgrading systems reliable, and has many other advantages. It is used increasingly in complex environments where reproducible behaviour and configurability matter, from desktop systems to some of the top 500 supercomputers. 
NixOS currently allows only one instance for a particular service, so in order to allow multiple instances, a module needs to have explicit support for it. The web services abstraction solves this by generalizing this to all of its service modules. "},{"title":"Nixcloud Mail","url":"https://nlnet.nl/project/nixcloud-mail/","description":" Nixcloud Mail Declarative mail server based on NixOS Getting email infrastructure right is hard, and typically involves a lot of tweaking and manual optimisation. The goal of this project is to provide an easy out of the box mail infrastructure with declarative technology that adheres to modern email standards such as DKIM, SPF, DMARC, DNSSEC and IPv6. The project's own website: https://nixcloud.io NixOS is a Linux distribution with a unique approach to package and configuration management. Built on top of the Nix package manager, it is completely declarative, makes upgrading systems reliable, and has many other advantages. It is used increasingly in complex environments where reproducible behaviour and configurability matter, from desktop systems to some of the top 500 supercomputers. The results of this project should greatly simplify the creation, delivery and maintenance of robust and secure email services - including the management of associated DNS records. "},{"description":" NILO reference implementation of PXE-based network boot module NILO wants to create an Open Source reference implementation of a PXE-based network boot module, with a footprint that is small enough to include in the EPROM on the most popular Network Interface Cards. NILO was originally conceived in discussions on the Etherboot and Netboot mailing lists, and is closely related to these projects. 
A commercial solution is available in the form of a PXE bootrom from Bootix. The project's own website: http://nilo.sourceforge.net ","title":"NILO","url":"https://nlnet.nl/project/nilo/"},{"description":" NILO reference implementation of PXE-based network boot module The project definition for NILO has been written by Ken Yap, one of the key persons on the Etherboot e-mail list. The implementation work has been performed by Rob Savoye, with a grant from NLnet. This project has not been completed successfully. The current NILO snapshot runs in protected mode; it makes a BOOTP/DHCP request and loads a file using TFTP. However, it encounters problems when it tries to re-enter real mode to execute the program. ","url":"https://nlnet.nl/project/nilo/how.html","title":"NILO"},{"description":" NILO reference implementation of PXE-based network boot module As a result of discussions about the possibilities for stimulating computer networks within (primary and secondary) education (schoolLAN project), and of personal initiatives for the establishment of a school network in two primary schools, and some interaction with the Etherboot/Netboot e-mail list and the BpBatch project at the University of Geneva, Stichting NLnet has requested the definition of the Network Interface LOader (NILO) project. NILO focuses on a reference implementation of a network boot module based on the PXE standard from Intel for network cards. The topic has been discussed extensively on the Ethernet/Netboot e-mail list. Ken Yap, one of the key persons of this e-mail list, has written a project definition in cooperation with Stichting NLnet. A successful search for suitable candidates for the necessary implementation work and for monitoring the project has been conducted via the Internet. The implementation work started on 1 February 1999, with Rob Savoye as the implementer. The total cost of the project is estimated at US$ 35,000, and is fully subsidised by NLnet Foundation. 
According to the original planning, NILO would have been completed around October 1999. Due to several unfortunate and unexpected delays, completion is now expected in early 2000. Follow-up projects are possible. ","title":"NILO","url":"https://nlnet.nl/project/nilo/description.html"},{"title":"nftables","url":"https://nlnet.nl/project/nftables/","description":" nftables A modular packet filtering framework providing enhanced userspace control nftables is the intended successor of the popular iptables, providing a new modular packet filtering framework e.g. for operating systems based on the popular Linux kernel. Besides a modular code base that is better suited for modern multiprotocol networking environments, the nftables project aims to introduce powerful new userspace tools which will allow users to dynamically perform packet filtering on custom protocols (including but not limited to new proposed internet standards as defined by the Internet Engineering Task Force). Existing packet filtering solutions would require a recompiled kernel module in the same situation. The end result is that users will have more autonomy over what gets filtered and how, which makes them less dependent on the technical choices of vendors and communities. The nftables project has been accepted in Linux mainstream kernel. The project's own website: http://www.nftables.org/ Nftables provides a framework that can potentially replace all existing duplicated Linux packet classification frameworks such as BPF, {ip,ip6,arp,eb}tables and tc. As a proof to the community, the project will implement support for filtering raw socket traffic using nftables as a drop-in replacement for BPF (which was originally designed in the nineties and requires up to eight instructions to compare an IPv6 address). The result of this task is to deliver the patches to kernel mainstream that will provide this new userspace feature. 
This should also open some debate on providing support for using nftables at other points of the networking stack such as ingress (for policing) and egress (for shaping). Nftables will come with powerful userspace libraries, allowing third party userspace applications. The project will support distribution of rulesets over the network. This can facilitate the distribution of rulesets from one centralized unique point, which should help to make it easier for system administrators to maintain multiple firewalls. It should also be useful in a classical primary-backup high-availability setup. The architecture may also serve as a repository to distribute rule-set feeds from some authority that you decide to trust. The initial version should already provide a basic infrastructure and features for the rule-set distribution software using one centralized point for rule-set distribution. One key feature to motivate users to migrate to nftables is to provide a simple utility that translates their rule-sets to nftables. We already have a compatibility layer that uses a kernel extension denominated 'nft_compat' which allows you to use all existing {ip,ip6,arp,eb}tables targets and matches from the nftables framework. However, the main problem with the current approach is that there is no real rule-set translation; instead we are re-using part of the existing x_tables kernel infrastructure. Netfilter project (Spain) "},{"title":"Faster and configurable datapath/Linux xfrm","url":"https://nlnet.nl/project/nftables-xfrm/","description":" Faster and configurable datapath/Linux xfrm Rewriting nftables to optimise for xfrm The project entails rewriting nftables (which is a subsystem of the Linux kernel responsible for packet filtering and classification) to make it easier to combine with xfrm (which is the common framework to work with IPSec in Linux). IPsec was originally developed in conjunction with IPv6 but is just as often used with IPv4 as well. 
IPSEC encrypts traffic, providing key features absent in the regular IP layer - like data integrity, data origin authentication and confidentiality. The project is expected to make an important contribution to improving the IPSEC capabilities, usability, speed and robustness in many systems. The project's own website: https://netfilter.org Why does this actually matter to end users? nftables is the successor of the popular iptables, providing a new modular packet filtering framework e.g. for operating systems based on the popular Linux kernel. Besides a modular code base that is better suited for modern multiprotocol networking environments, the nftables project introduces powerful new userspace tools which will allow users to dynamically perform packet filtering on custom protocols (including but not limited to new proposed internet standards as defined by the Internet Engineering Task Force). The nftables project is part of the Linux mainstream kernel. xfrm is an IP framework for transforming packets (such as encrypting their payloads). This framework is used to implement the IPsec protocol suite (with the state object operating on the Security Association Database, and the policy object operating on the Security Policy Database). xfrm is a basic building block for IPSec on Linux, among other things. The existing layered network stack model (OSI layers) is rather inflexible. In very specific and controlled network setups, this results in wasted CPU running code that you probably don't need, reducing overall network performance. The goal of this project is to enhance nftables to allow flexible network datapath configuration by reusing existing Linux networking stack components in a Lego(R) fashion. The idea is to plug the specific network components that model your network datapath, to improve overall performance of Linux xfrm, hence IPSec. There are a number of programmable datapath kits now available under FOSS license. 
This contribution is different in the sense that the goal is to achieve a kind of hybrid, by combining stable Linux kernel networking code with a higher degree of configurability. Programming your network datapath from scratch can be error-prone. This approach fills the gap between a rigid network stack (as in Linux) and these fully programmable kits. This project was funded through the Internet Hardening Fund, a fund established by NLnet with financial support from the Netherlands Ministry of Economic Affairs and Climate Policy. "},{"title":"Improvements for next generation Linux firewalling","url":"https://nlnet.nl/project/nftables-API/","description":" Improvements for next generation Linux firewalling Netfilter kernel improvements, user space tools and testing This project comprises a series of preventive and corrective actions as well as improvements for the next generation firewall software offered by the Netfilter project (https://www.netfilter.org) available in the Linux kernel, such as the enhancement of the set and map infrastructure, the resolution of existing limitations in the user space tool and libraries, enhancements to the filtering policy optimisation infrastructure, improved string match support and the extension of the test coverage for early detection of regression. The project's own website: https://netfilter.org Run by Netfilter project This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. "},{"description":"","title":"","url":"https://nlnet.nl/project/nextpnr-large/"},{"description":" nextpnr for GW-5 Add support to nextpnr for Gowin GW-5 FPGA family This project focuses on enhancing the open-source FPGA design toolchain (specifically nextpnr and Apicula), to support the Gowin GW-5 series of FPGAs. 
This initiative involves creating detailed documentation and developing tools to understand and utilize these FPGAs effectively. By extending nextpnr and Apicula to generate valid bitstreams for the GW-5 series, the project aims to make advanced FPGA technology more accessible and usable for designers and engineers around the world. The project's own website: https://github.com/Seyviour/sdram-tang-nano-20k-os-example This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","url":"https://nlnet.nl/project/nextpnr-GW-5/","title":"nextpnr for GW-5"},{"url":"https://nlnet.nl/project/netevkit/","title":"NetEventKit","description":" NetEventKit building an open source Network Event Kit The Network Event Kit (NEK) is a kit for quickly and cheaply building a network for various types of events. This kit will offer both cabled and over-the-air infrastructure. Besides building an Open Source Network Event Kit, the purpose is to gain knowledge and experience in a practical setup that has value for Open communities. "},{"url":"https://nlnet.nl/project/netaidkit/","title":"NetAidKit","description":" NetAidKit The NetAidKit is a pocket size, USB powered router for safer mobile networking. The NetAidKit is a pocket size, USB powered router that connects everything to everything, designed specifically for non-technical users. The easy to use web interface will allow you to connect the NetAidKit to a wireless or wired network and share that connection with your other devices, such as a phone, laptop or tablet. The project's own website: https://www.netaidkit.net/ Once the NetAidKit is connected to a wireless or wired network, you can make it connect to a Virtual Private Network or the anonymising TOR network at the click of a button. 
Any devices connected to the NetAidKit will use these extra security features automatically, without needing to configure each of the devices separately. The NetAidKit was designed for regular people and requires no technical expertise whatsoever to use. The NetAidKit is an open source project initiated by Free Press Unlimited's Internet Protection Lab. "},{"description":" nat64 Implement a NAT64 gateway to run on open-source operating systems IPv4 and IPv6 networks are incompatible. The IETF recommendation has usually been to rely on dual-stack deployment: have both networks coexist until IPv6 takes over IPv4. However, IPv6 growth has been much slower than anticipated. Therefore, new IPv6-only deployments face an interesting challenge communicating with the predominantly IPv4-only rest of the world. A similar problem is encountered when legacy IPv4-only devices will need to reach the IPv6 Internet. This project is about implementing an open-source NAT64 gateway to run on open-source operating systems such as Linux and BSD. The NAT64 Open Source implementation would benefit the engineering of the solution as well as providing initial implementation feedback. Moreover, an Open Source implementation will become the reference for the whole community, such as end users, network administrators, and protocol designers. Users will finally be able to deploy IPv6 connectivity without fear of being cut off from the rest of the Internet. In many situations, dual-stack deployment is not possible. For these cases, a gateway such as the proposed one is needed. It will enable completely new deployments, and users will automatically benefit. Moreover, an Open Source implementation will empower users by giving them access to the source code and letting them customize the gateway to accommodate new scenarios. The implementation will target both Linux and BSD (FreeBSD, NetBSD, OpenBSD). It will be portable to other POSIX systems. 
DNS ALG functionality will be added to Bind and Unbound. A patch will be produced and submitted to the Bind project and to the Unbound project for inclusion in their main distributions. IPv4/IPv6 translation functionality will be added to the Linux and BSD kernels. ","url":"https://nlnet.nl/project/nat64/","title":"nat64"},{"description":" Namecoin Decentralized, censorship-resistant Internet infrastructure for e.g. DNS and identities Namecoin is a blockchain project that provides a decentralized naming system and trust anchor. Its flagship use-case is a decentralized top-level domain (TLD) which is the cornerstone of a domain name system that is resistant to hijacking and censorship. Among other things, this provides a decentralized trust anchor for Public Key Infrastructure that does not require third party trust. It operates independent from the DNSSEC root trust chain, and can thus offer additional security under some circumstances. The project's own website: https://www.namecoin.org Why does this actually matter to end users? Without a PKI that is resistant to hijacking and censorship, the security guarantees of TLS are fundamentally incomplete. Namecoin is a very promising blockchain project that can, in principle, be used with any PKI or DNS-like naming system. By removing third-party trust from the TLS PKI, users are protected from man-in-the-middle (MITM) attacks and domain name seizures. Namecoin has some unique characteristics, such as that Namecoin domain names can declare their TLS fingerprints directly, without having to trust a certificate authority, notaries, or the regular DNS infrastructure. Namecoin can make anonymity networks significantly more usable by giving them a human-readable domain name, such as wikileaks.bit instead of kpvz7ki2v5agwt35.onion. 
In addition to the TLS PKI and anonymity networks, Namecoin can provide usable, trustless, and censorship-resistant alternatives to a range of critical security infrastructure, such as: * PGP fingerprints for email and software signing. * OTR fingerprints for XMPP. * Usernames for the Ricochet Tor-based chat software. * TLS client certificates for passwordless login to websites. This project was funded through the Internet Hardening Fund, a fund established by NLnet with financial support from the Netherlands Ministry of Economic Affairs and Climate Policy. ","url":"https://nlnet.nl/project/namecoin/","title":"Namecoin"},{"title":"Multisoni","url":"https://nlnet.nl/project/multisoni/","description":" Multisoni Modern and efficient real-time audio playback engine Multisoni is a versatile audio engine for all creative uses. For demanding real-time uses (such as video games, VR, live installations) there is a lack of free/libre audio authoring tools to map playback and effects to trigger events and interaction parameters, suitable for industrial purposes. Multisoni is designed to meet this need: it manages many input sources - either samples or synthesis, with support for input plugins - source and effect patching, and rendering for a variety of output systems ranging from binaural stereo to complicated multichannel setups, drawing on existing open-source solutions for audio hardware abstraction and raw audio stream management. One of its main objectives is to put creative users - sound designers, composers - on an equal footing with developer users. This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. 
"},{"description":" MU-Jingle jabber-based VoIP protocol When a meeting between a scattered group of people needs to take place, a phone conference is a popular solution, especially in a business context. These calls can become costly especially when participants have to make long distance or international calls to participate. With the advent of cheap and abundant Internet connectivity, there is an opportunity to lower costs by transmitting call data over Internet connections. Additionally, the increasing ubiquity of webcams allows video as well as audio to be transmitted. The proprietary Skype service has become very popular for this purpose. Jabber's extension for audio/video conferencing is limited to communications between two users. Extending Jabber further to support multi-party audio/video conferences will allow it to match the functionality of proprietary offerings, whilst still providing all the benefits of XMPP. It is intended that Multi-User Jingle improves over three existing solutions: Jingle: by supporting more than two participants. Skype: by being an open standard with a free software implementation. SIP: by supporting reliable peer-to-peer connectivity, as opposed to requiring dedicated media relay infrastructure, thereby allowing a video stream from each participant without the need for multiplexing. In general, by adding support for multi-user audio/video to XMPP, users do not have to give up the benefits of XMPP in order to make a multi-user call. Deliverables A prototype client, using a Jabber-based protocol to negotiate an audio conference between at least three people. An updated prototype client able to negotiate multiple streams (simultaneous audio and video). First draft of XMPP extension document, based on the experience developing the prototype. First draft of Telepathy API allowing creation and management of multi-user calls. A version of Gabble able to negotiate a MU-Jingle call according to the draft standard. 
The final draft of the MU-Jingle protocol description, incorporating implementation experience. A version of Gabble corresponding to the final draft of the protocol. The project's own website: http://telepathy.freedesktop.org/wiki/MultiUserJingle ","url":"https://nlnet.nl/project/mujingle/","title":"MU-Jingle"},{"url":"https://nlnet.nl/project/morphle/","title":"Morphle","description":" Morphle free and anonymous powerful but simple to use end-user website editing Morphle is a project to stitch and glue together a large number of web 2.0 and 3.0 technologies. The principal technologies to be used will be HTML and javascript-tool-kits and the web-tools built into Squeak. And it will be through Squeak's web-tools that Morphle will be able to hide the former tools (HTML, javascript and the like) from the end-user. What will be achieved through this arrangement is, among other things, to provide the end-user with the ability to combine very easily web page parts such as snippets, widgets or components to create incredible web-sites. This tying together of these kinds-of-parts is often referred to as web mash-ups. The second component of the Morphle project is to offer all of these tools through the Internet and accessed directly through the browser. Eventually, Morphle's hosting system will be served up from a next-generation large scalable web-server (called Morphel) at very low costs. This project is about putting an alpha release of a meta-website online. The website will offer free and anonymous powerful but simple to use end-user website editing based on state of the art component encapsulation technologies in the hands of everyone. The project's own website: http://www.morphle.org "},{"description":" mobile-nixos NixOS for mobile phones and tablets The mobile-nixos project seeks to provide a coherent tool to produce configured boot images of NixOS GNU/Linux on existing mobile devices (cellphones, tablets). 
The goal is to provide a completely integrated mobile operating system, allowing full use of the hardware's capabilities, while empowering the user to exercise their four software freedoms to use, study, share and improve the software. The project's own website: https://mobile-nixos.github.io Why does this actually matter to end users? Consumers that go shopping for a new cell phone or tablet these days, at the surface have quite a choice. Even the cheapest of mobile phones sold today, is surprisingly powerful compared to that of a couple of years ago. All that seems left for consumers to do is to match their own sense of style and of course budget. If they are really eager, they might compare a limited set of technical specifications: How long does the battery last? How big and bright is the screen? And do games and movies run smoothly? Most users tend to not even bother about that, eager to jump straight to the app stores filled with more applications than a human could feasibly install in their life. What more could a mere user want? Somewhere in the back of our minds there may be lingering some larger, less happy thoughts. What about security and privacy? Who really is in control of our devices? It is not easy to connect the joyous occasion of our (often much anticipated) purchase of a really cool new gadget with societal resilience, our collective future well-being or any other of the larger economic effects of our individual choices... In the early GSM era, there wasn't a single dominant operating system from a single vendor. The market was competitive and rather straightforward from today's perspective. Major efforts like Symbian (which ran on the very popular phones of erstwhile market leader Nokia, but also on those of Siemens, Alcatel, Bosch, Sharp, Sony Ericsson etc) were the result of a pragmatic collaboration on more or less equal footing of many manufacturers. These had a shared development responsibility, and equal opportunities. 
None of them knew how their users actually used the phones they created: that was the business of the customer. The subsequent rise of the smartphone resulted in market disarray, because the dynamics of the new situation were so different. It wasn't so much a difference in technical quality that set the new masters of the universe apart, it was a complete change of the underlying business model and value proposition few people properly understood - if any. The real-world cost of developing and maintaining the first generation of mobile platforms was non-trivial, and price competition in the devices was heavy. And then suddenly a no-visible-cost and feature-rich smartphone operating system appeared on the market. It wasn't produced by any of the current competitors or by an open consortium. The source was a single company that had heavily invested into this for strategic reasons. In parallel Apple was able to launch its own effort, take its slick iPod music player and its strong media presence and market visibility in the desktop space. Their premium iPhone line addressed the most luxurious part of the market - also with the help of Google. The CEOs of both companies even sat on each other's boards, so the strategy was certainly aligned. It was a perfect coup. Among the two of them they effectively levered the possibilities of the mobile smartphone platforms, media stores and restricted-access platform-owned app stores to take ownership and control of large parts of the software and content ecosystems at global scale. Traditional phone manufacturers (many of which were European due to the success of the pioneering GSM standard) had historically been just selling a phone at competitive margins (with \"no strings attached\"). The whole economy of their operations and ecosystem of collaboration was effectively pushed aside by this audacious new strategy. 
The new Android operating system was funded not by the sale of the product itself, but by the promise of future user data gathering without real limits or much oversight - which had elsewhere proven to be able to create giant revenues. And unlike a desktop computer, a phone is nearly always on. It moves wherever the user goes, and thus it is always near. It has a camera, a microphone and lots of sensors. When users search for something, they use the default search bar which you control. So effectively the new \"smart\" phone was primarily a vehicle for extensive data gathering about users, which could be resold and monetized later on. The manufacturers could get the operating system for free. The small margins that could be made on selling the software to them were negligible compared to the advantages later on. And of course at the time there was still a general adoration of these \"tech darlings\" - press wrote lovingly about the \"reality distortion field\" around Apple's CEO Steve Jobs. Right from the start this concealed play was extremely profitable for both of them, allowing lots of subsequent investment - into their platforms, into the developer tools, into marketing and into legislative lobby. The \"mobile first\" strategy actually worked out better than anyone would have imagined, especially because the mobile phone operating system produced by Google turned out to be more than just a \"loss leader\". The market funnel of the free option it provided only became visible at the end. Technically advanced and more fair platforms appeared, but were unable to counter the \"winner takes all\" development in time. At present the vast majority of the phones are sold using one of only two operating systems: Android and iOS. In the absence of effective policy and legislative efforts to curb this unfortunate situation, that market dominance is a hard problem to solve at a technical level. 
In our consumer bubble, we actively contributed and still contribute to this. The software stores of both platforms may offer consumers plenty of options at the application level. This seems quite healthy at first. But when you analyse the situation, it is far from how society should want this to be. This all starts with the fact that users do not have to manually install all applications. Apple has full control and puts its own software in pole position. Google is able to make the manufacturers do the same through contractual obligations. The result is the same: a strategic choice of end user applications is preinstalled alongside the platform, and effortlessly available to all users. Many of us have meanwhile become used to these omnipresent \"free\" but closed \"blockbuster\" applications that ship alongside the dominant platforms. As we know from history, for instance through the famous European anticompetition cases against dominant technology companies taking control over web browsers, media players and portable runtimes (Java/C#), preinstalled applications have a huge competitive advantage. Not all users are as technically competent, and this creates enough inertia with consumers to keep manufacturers on a leash. The huge market share of platform 'defaults' like Android's default browser have a deep impact on the market, leaving little room for web developers to follow pretty much all what Google implements - even if they disagree or would actually like to follow proper web standards as produced by W3C. Who can afford for their website or web application to look worse on an operating system with the majority of market share? Apple holds all the cards closely to its chest, and keeps full control. As long as it has Google as competitor, it feels secure of anti-competition measures. Their main strategy to even increase control is to buy suppliers, or make them sign exclusive contracts keeping others at bay. 
The defense strategy of Google is publishing most of Android source code. Manufacturers can and have tried to build alternative versions based on that. But in the market real-world control remains tightly with Google through the critical applications which need the \"blockbuster\" restrictively licensed apps and the larger infrastructure - both of which remain tightly closed. A certain percentage of users will always at some point demand these \"free\" applications, while others cannot withstand the social lock-in and will actively push vendors to bow down. No small time manufacturer can afford to be out. The platforms realise this powerful position very well, and are not afraid to lever it. Either a manufacturer is all-in, or all-out: it cannot selectively allow individual users to use blockbuster applications later on. This cut-throat dilemma has left the companies that make the actual phones little choice but to accept unattractive licensing conditions that restrict their freedom to innovate. And even if they do comply with all the demands including a non-disclosure agreement to seal their lips, their license can be withdrawn at any time. In fact this may even happen due to geo-political pressure, as a very large Chinese manufacturer of Android found out to its great dismay in May 2019 when it was banned from future upgrades to Android. While part of this was retracted later, the fact is that such a thing could happen to any phone vendor using Android at any time. The rigid control over the platform and the app stores was originally meant as a way to secure access to consumer data. These days, it is actually making an awful lot of money on its own. Consumers are paying a huge and very direct cost for the 'free platform' deal of the manufacturers. The dominant mobile platforms both charge developers up to an incredible 30% of their revenues (more than any VAT rate around the world!). 
If your company wants to sell enough apps to make a living, you will want to use the default sales channel with the most users. This of course is the platform app store, which comes preinstalled on the prime spot. In fact, most users would not know how to install apps any other way, or are warned against that with scary messages. Selling through the app store means you have to pay up and at the same time obey all kinds of rules. The companies behind the mobile platforms themselves can at any time see an interesting market emerging. At that point there is a clear inequality of arms: if they want, the next update will put their own applications preinstalled on hundreds of millions of devices. This gives them a clear and unfair business advantage over anyone else in the market. Meanwhile developers ironically pay for the privilege of being allowed to exclusively develop for the platform concerned, and sell the outcome in the default (and most restrictive) app store. The platform almost certainly has a higher profit margin from the average developer, even if it is a direct competitor. But what can developers do? Their investment into the software they wrote is hard-wired to the initial choice of platform...? Non-trivial applications that run on one mobile platform do not run on another, and require additional effort to write in a way where they can. This invisible 'cost of diversity' to the larger ecosystem of creators (which is orders of magnitude bigger) contributed significantly to the \"winner takes all\" scenario at platform level. When the European Commission orders some app to be developed for citizens to access its services, crowdsource data gathering or inform them of passenger rights, it does not care about creating something for the users of the innovative Finnish mobile platform Sailfish from Jolla - or in fact anyone else. 
If you look at the apps officially published by the European Commission on the app stores, you will not find any app for any European mobile platform ever published there. The same 'selfish' short term considerations will of course be made even more frequently by smaller actors with less deep pockets, like independent publishers. As a result the market will make the largest platforms larger, and will completely ignore the rest. In the new mobile world we live in now, control as a user is limited to the very surface of things. Significant privacy and security issues start directly below that surface. You don't really know what the platform actually does while executing apps, and more importantly, who sees your data - or if you are a business, looks at the data of your customers. When you use one of the hundreds of thousands of existing apps and games, you only see the service they provide. But you can't inspect or even see what more they take. What does an app do exactly when you click on the pretty icon? This is very much unlike for instance interacting with a web page, which is fully transparent. As it turns out, mobile apps do lots of things users do not know about, and would not agree with if they did. In some cases literally hundreds of companies have been known to get access to data on the phone. A consumer-friendly platform should empower the user to notice and take action, or even make it technically impossible. However, the companies that produce the operating systems seem to have other interests. Have you ever wondered why everyone tells you your desktop computer needs a firewall and you are allowed full control to see everything happen? Now stop and think about why your cell phone does not have the very same level of firewall capabilities, but only very much simplified and less capable? So what can we as a society do in the face of such a complex situation of market failure, anti-competitive practices, perverse incentives and general confusion? 
How do we give control back to the users? How do we create equal opportunities for European phone manufacturers? How do we stop the unfair \"platform tax\" on app developers, stimulating employment and startups? One reasonable direction is to try and lay the ground work for creating viable alternative platforms. Such a fundamental approach is necessary in order to end these extractive practices and the resulting lack of consumer freedom. Smart phones are really just small computers. This means we can build upon plenty of meanwhile mature building blocks and technical work done over decades. In fact, both Android and iOS followed the same path. They were not created from scratch, but based on existing open source projects for desktop and server operating systems. There is nothing magical, it is just engineering work. This is what this project contributes to: it will use the most powerful software packaging system currently available as a basis, and will attempt to make it run on standard mobile phones. This will bring many fundamental building blocks along for free. Of course there is much work needed after that to create something suitable for end users, but it will significantly lower the threshold for the community and provides a great starting point for anyone to join in. This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. ","url":"https://nlnet.nl/project/mobile-nixos/","title":"mobile-nixos"},{"title":"mitmproxy","url":"https://nlnet.nl/project/mitmproxy/","description":" mitmproxy HTTP/3 Support and OS Proxy Mode for intercepting local proxy mitmproxy is a versatile tool for debugging, testing, privacy measurements, and penetration testing. 
It can be used to intercept, inspect, modify and replay network communication from websites and mobile applications. This project is about the development of two new major features to mitmproxy: HTTP/3 Interception and a new OS proxy mode. With an increasing number of apps using the HTTP/3 protocol to communicate, we are adding support for it in mitmproxy so that it can be observed just as well as other protocols. For the second part of this project, we will be adding a new operating mode that makes it possible to inspect applications running on the user's device with a single click. These features collectively empower users to gain insights into what data their own devices are sending out. The project's own website: https://mitmproxy.org This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. "},{"description":" minipgp6 Lean implementation of modern OpenPGP minipgp6 is a very lean OpenPGP software stack. It implements a modern subset of the OpenPGP standard as specified in RFC 9580. It intentionally doesn't aim for backward compatibility with many currently common OpenPGP formats in favor of simplicity. However, all modern OpenPGP implementations will interoperate seamlessly with the formats minipgp6 supports. The project's own website: https://codeberg.org/heiko This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). 
","url":"https://nlnet.nl/project/minipgp6/","title":"minipgp6"},{"title":"Minedive","url":"https://nlnet.nl/project/minedive/","description":" Minedive P2P search over webRTC The minedive project is building several components: first, minedive is a browser extension aiming to allow users to search the web while preserving their anonymity and privacy. The second is an open source reference implementation of its rendez-vous server. minedive instances connect to each other (via WebRTC data channels) forming a two layered P2P network. The lower layer (L1) provides routing, the upper layer (L2) provides anonymous and encrypted communication among peers acting as a MIX network. This architecture guarantees that peers which know your IP address (L1) do not know search data for (L2) and vice-versa. A central (websocket) rendez-vous server is needed to find and connect with L1 peers, and to exchange keys with L2 peers, but no search goes through it. We are running a default server which can be overridden by users who want to run their own (using our reference implementation or a custom one). Users can also set the extension to pick peers from a given community (identified by an opaque tag). Currently all requests are satisfied by letting L2 peers return results from the 1st page of mainstream search engines (as they see it, in an attempt to escape the search bubble). While this will stay as a fallback, we plan to implement web crawling on peers, doing keyword extraction from URLs in local bookmarks and history and ranking with open algorithms, being transparent with users about which techniques are used and open to suggestions. The project's own website: https://github.com/ckin-it/minedive/wiki Why does this actually matter to end users? Search and discovery are some of the most important and essential use cases of the internet. 
When you are in school and need to give a presentation or write a paper, when you are looking for a job, trying to promote your business or finding relevant commercial or public services you need, most of the time you will turn to the internet and more importantly the search bar in your browser to find answers. Searching information and making sure your name, company or idea can be discovered is crucial for users, but they actually have little control over this. Search engines decide what results you see, how your website can be discovered and what information is logged about your searches. And because many fundamental internet technologies were not designed with security or privacy in mind, it is quite simple to identify you online (and difficult to shield off what you do, search for and lookup). What filters and algorithms search technology apply usually remain opaque for users. They can only follow the rules laid out for them, instead of deciding on their own what, where and how to find the information they are looking for. Most people would be quite surprised and very uncomfortable if every time they visited a library, someone walks behind them to write down their name, precisely time how long they look at a certain row of books and note what titles they take with them. All this data however is registered by most commercial search engines. This project helps users protect their online privacy when they look up information online by mixing up all kinds of very personal data (not just your search terms, but what computer you use, where you live, etcetera) in such a way that it becomes next to impossible to uniquely identify you. This prevents search engines and platforms from taking your personal data and building very personal profiles to sell you ads and unnecessarily 'personalize' what search results you get to see and what remains hidden from you. Users can simply install this technology as an extension to their browser and search the way they are used to. 
Run by CKIN This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. "},{"title":"mikroPhone","url":"https://nlnet.nl/project/mikroPhone/","description":" mikroPhone Open Hardware feature phone mikroPhone is currently a basic feature phone with extensible open source firmware. It is a fully open hardware device and it can easily be built in a home lab. It is intended to protect user's privacy to the highest possible level and to bring data sovereignty back to its users. This project focuses on further improvement of the basic phone device and integration of ARM module that runs GNU/Linux OS. Since linux module is entirely optional, it is not used for handling any critical functions of the device (e.g. cellular voice and secure VoIP calls, SMS messaging) and it can be powered-up on demand. This would solve common problems of linux smartphones such as poor basic phone functionality and short battery life. The goal of the project is to provide an option of enjoying a fully usable linux smartphone. The project's own website: https://mikrophone.net This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. "},{"description":" mgmt config Real-time system automation tool mgmt is a fast and modern automation tool for managing services and servers. It lets users model how that infrastructure should look, behave and react over time. Instead of separating provisioning, configuration management, and orchestration, it unifies these concepts and lets you build elegant distributed systems while also running as a distributed system. 
It can manage anything from home labs to full production infrastructure and helps organizations reduce operational overhead while repatriating workloads. Within this grant the project will among others work on performance enhancements, add new models, function error locations and lsp/syntax highlighting, improve documentation as well as making it easier to import automation rules from external resources. The project's own website: https://mgmtconfig.com This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","title":"mgmt config","url":"https://nlnet.nl/project/mgmt-config/"},{"description":" Meshtool Mesh network toolkit, database and web-based API. This project aims to advance open mesh technology by providing the communities behind these networks with a comprehensive toolkit to build and maintain their networks. Meshtool aims to assist in mesh network monitoring, administration and research. It is designed to aggregating multiple data sources into useful 2D/3D geographic map overlays, provide remote node management and facilitate the use of live mesh segments as protocol testbeds. Mesh DB (or simply Mdb), provides the data-layer implementation for this task. Mdb aims to make it easier for mesh communities to share data, exposing it through a generic web-based API. This provides a framework against which portable mesh community applications may be developed and shared, much like OpenSocial. The project's own website: http://taproot.org.il/project/mt/meshtool.xhtml Project by Amir Sagie, Israel. 
","title":"Meshtool","url":"https://nlnet.nl/project/meshtool/"},{"description":" Meemoo Meemoo: hackable web apps Meemoo is intended to lowering the threshold for app makers - ideally everybody should be able to create web apps. When people think of an app, thy do not think of something that one can open, hack, and change how it works. Meemoo will give everybody this freedom. Meemoo is a framework that connects Open Source modules, powered by any web technology - it is a browser-based modular dataflow/patching framework. It all happens on the web, so it is easy to share a hacked app by copying the source code. The way that the data flows from module to module is defined and visualized by colorful wires. It becomes simple like that: If you can connect a video player to a TV, you can program a Meemoo app. The project will also build a community site for sharing, forking, and creating with Meemoo apps. The site will also be open source, so schools and other organizations can set up their own open or closed version. The site will be built on Unhosted/ownCloud for maximum data portability. The project's own website: http://meemoo.org/ ","url":"https://nlnet.nl/project/meemoo/","title":"Meemoo"},{"description":" MAPS defending Internet e-mail from abuse by spammers MAPS is a service to limit the transport of known-to-be-unwanted mass e-mail based on the address of the sending MTA (Mail Transfer Agent). MAPS operates with little overhead: other anti-spam systems typically operate \"later in the pipeline,\" by first accepting the e-mail, and then analysing its headers and/or content for a possible rejection. MAPS tries to avoid accepting the spam message to start with. Although more expensive in terms of network and computing resources, accepting the email does allow personalization and content analysis of the spam, which MAPS does not offer. 
The project's own website: http://mail-abuse.org The four main services offered are the RBL: the Realtime Blackhole List, DUL: the Dial-up User List, RSS: the Relay Spam Stopper, and NML: the Non-conforming Mailing List. ","url":"https://nlnet.nl/project/maps/","title":"MAPS"},{"title":"MAPS","url":"https://nlnet.nl/project/maps/how.html","description":" MAPS defending Internet e-mail from abuse by spammers NLnet Foundation became a lifetime member of MAPS by a payment of US$ 25,000. This money has been used in conjunction with a number of other grants to guarantee the initial development of the MAPS organization. MAPS is now managed and staffed by experienced Internet professionals. In addition, MAPS relies on the support of its numerous volunteers, most of whom have professional backgrounds in computing, networking and the Internet. "},{"description":" MAPS defending Internet e-mail from abuse by spammers Unsolicited distribution of (nearly always commercial) e-mail (SPAM) is causing problems, due to unnecessary use of time and resources at the receiver side, and often misuse of resources of third parties (MTA relays) by the sender. A number of people have taken (mainly technical) actions to prevent SPAM, often in an uncoordinated fashion at the receiver side. Paul Vixie (known from, among others, ISC), on his own personal initiative and responsibility, has compiled a black list of senders, by tracing the senders of SPAM using his deep technical Internet knowledge. When contacting the sender and/or his ISP by telephone or e-mail, and advising with respect to counter-measures against SPAM does not have the desired results, the Internet addresses in question are added to a black list named Realtime Blackhole List (RBL). Then the Mail Abuse Protection System (MAPS) allows Internet users to use this RBL in various ways for blocking e-mail, or even possibly all network traffic originating from the non-cooperating SPAM'mer. 
To ensure the continuity of the MAPS system, and to remove the personal legal risks for Paul Vixie, the non-profit organisation MAPS, LLC has been established in California, USA. NLnet Foundation attempted to support this initiative financially in 1998, but this did not succeed due to a number of fundamental contractual problems. Nevertheless, NLnet Foundation considers the MAPS initiative of great importance for healthy operation of the Internet, and has therefore looked for another way to support MAPS. As of 1 January 1999, Stichting NLnet has acquired a lifetime membership from MAPS, LLC for US$ 25,000. A number of such sponsor memberships will allow MAPS, LLC to cover its initial costs until the service has become financially self-supporting. ","url":"https://nlnet.nl/project/maps/description.html","title":"MAPS"},{"url":"https://nlnet.nl/project/mailman-ssls/","title":"Mailman-SSLS","description":" Mailman-SSLS OpenPGP and S/MIME support in Mailman Currently, there is no re-encrypting mailing list manager with support for both PGP and S/MIME. Mailman is the most popular Open Source mailing list manager. The Secure List Server project \"mailman-pgp-smime\" aims to include OpenPGP and S/MIME support in Mailman, the GNU Mailing List Manager. Adding re-encryption will enable groups of people to cooperate and communicate securely via email: mail can get distributed encrypted to a group of people, while the burden of managing individual keys is dealt with by the list software, not the sender. Furthermore, authentication is possible: the list server software takes care of checking this. This way, strong security for groups of people becomes available to a wide audience. Technical specification This project will publish a patch for the official Mailman distribution. This patch handles both RFC 2633 (S/MIME) and RFC 2440 (OpenPGP) email messages. A post will be distributed only if the PGP (or S/MIME) signature on the post is from one of the list members. 
For sending encrypted email, a list member encrypts with the public key of the list. The mailing list server will decrypt the posting and re-encrypt it with the public keys of all list members. In order to achieve this, each list has a public and private key. (The private keys are optionally protected by passphrases.) Furthermore, new list settings are defined: gpg_postings_allowed: is it allowed to send to this list postings which are encrypted with the GPG list key? gpg_msg_distribution: are subscribers allowed (or even forced) to upload their GPG public key in order to receive all messages encrypted? gpg_post_sign: should posts be GPG signed with an acknowledged subscriber key before being distributed? gpg_msg_sign: should the server sign encrypted messages? Similar settings are defined for S/MIME. Finally, each subscriber can upload her PGP and S/MIME public key using the Mailman web interface. The project's own website: http://non-gnu.uvt.nl/mailman-ssls/ "},{"description":" Mail::Box software for e-mail handling in Perl Mail::Box is a module for the Perl programming language. This module can be used for automation of various e-mail related tasks. With support of NLnet, the module is promoted and improved. Perl's module archive CPAN contains dozens of e-mail related modules. One of the goals for Mail::Box is to replace most of them with a modern, well documented and consistent library. The project's own website: http://perl.overmeer.net/mailbox/ Latest release of the Mail::Box code from CPAN. 2002-09-18: Presentation at YAPC::Europe 2002, the yearly European Perl mongers meeting. ","title":"Mail::Box","url":"https://nlnet.nl/project/mailbox/"},{"title":"Mail::Box","url":"https://nlnet.nl/project/mailbox/how.html","description":" Mail::Box software for e-mail handling in Perl The NLnet Foundation supports Mark Overmeer to improve the quality of the Mail::Box library, and the promotion of the module. 
The funding must broaden the support for the module within the Perl community. 2004-01-12: Mail::Box final report. 2003-12-05: Mail::Box phase 2, last status report. 2003-10-01: Mail::Box phase 2, third status report. 2003-07-15: Mail::Box phase 2, second status report. 2003-05-14: Mail::Box phase 2, first status report. Project plan for the second phase of Mail::Box. The Mail::Box Project Plan. 2003-02-03: Final report on the first phase of the Mail::Box project. "},{"description":" Mail::Box software for e-mail handling in Perl Mail::Box is a module for the Perl programming language, which implements scripting of e-mail handling. The goal for the Mail::Box project, as sponsored by the NLnet Foundation, is to get more people involved in the development of this module. Besides, it will contribute to quality improvements of the existing code. The NLnet Foundation supports: extensive checking of all code against the standards, as described in RFCs; creation and promotion of a Mail::Box mailing list; search for operating system specialists to port and maintain the module for their OS; search for participants in development of the module; attempts to phase-out older e-mail related modules from CPAN; bug-fixes and other daily maintenance during the time span of this project. ","url":"https://nlnet.nl/project/mailbox/description.html","title":"Mail::Box"},{"url":"https://nlnet.nl/project/machine-check/","title":"machine-check","description":" machine-check Tool for formal verification for machine-code Common bug-finding approaches like software testing do not guarantee the absence of bugs. Formal verification can prove the absence of bugs, but the added description and proving complexity means it only tends to be used for critical systems. The current state-of-the-art tools are complex to use and hard to reason around when they fail. 
Machine-check aims to bring scalable yet intuitive formal verification to non-experts, leveraging the Rust ecosystem for description of digital machines including processors with machine-code programs loaded into memory. Ultimately, this should lead to increased reliability, safety, and security of programs and systems. The project's own website: https://machine-check.org This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"title":"Machine-check usability","url":"https://nlnet.nl/project/machine-check-UX/","description":" Machine-check usability Formal verification of software written in machine code Machine-check is a tool for formal verification of digital systems, able to automatically determine whether a system described in a subset of the Rust language fulfills some specification. This project aims to improve it in multiple areas such as the usability of its graphical user interface, the ease of writing system descriptions and properties, and the ability to compose systems from parts. The project's own website: https://machine-check.org This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). 
"},{"url":"https://nlnet.nl/project/mCaptcha/","title":"mCaptcha","description":" mCaptcha Privacy-friendly Proof of Work (PoW) based CAPTCHA system Existing CAPTCHA systems expect visitors to identify objects to prevent spam, which makes the web inaccessible to persons with cognitive, auditory, and visual special needs. They log Internet Protocol (IP) addresses and use tracking technologies, like cookies, to track and profile their users across the internet. IP logging and cookie-based tracking are privacy-invasive, inaccurate, and impossible to use with anonymizing technologies like Tor and VPNs. Censors can abuse the opaque nature of these systems to prevent certain groups from accessing certain types of information. Independent testing for bias is not possible since the documentation doesn't exist for their methods and algorithms. mCaptcha is an attempt at creating a self-hosted alternative to reCAPTCHA and hCaptcha with a focus on privacy, transparency, user experience, and accessibility. mCaptcha’s Proof of Work (PoW) mechanism uses strong cryptographic principles that guarantee idempotency and transparency. mCaptcha doesn’t log IP addresses and doesn’t require tracking user activity across the internet. Censors can’t use mCaptcha to deny access to information without detection. Also, the PoW mechanism requires minimal user interaction to solve the CAPTCHA, which will significantly improve the accessibility of the web. The project's own website: https://mcaptcha.org This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. 
"},{"title":"Securing Decentralised Live Information with m-ld","url":"https://nlnet.nl/project/m-ld/","description":" Securing Decentralised Live Information with m-ld Collaborative editing of Linked Data based on CRDT m-ld is a software technology for live information sharing. It enables software engineers to reliably add real-time collaboration, support for offline working, and service resilience to both new and existing software architectures. It achieves this by operating at an \"information\" level, creating reusable patterns for maintaining the consistency and integrity of application content that is being edited from multiple locations at once. m-ld is built from the ground up on a W3C standard information representation, contributing ideas for its evolution, and is committed to open standards and open source. This project will research and prototype modifications to the primitives of the m-ld core protocol to natively support strong assurance of data integrity and traceability, with authority assignable to identified users or groups, so that they can be reliably assured of the integrity and controlled availability of their data. The project's own website: https://m-ld.org/ Run by m-ld.io Ltd This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. "},{"description":" Lychee Reliable and fast link checker to combat linkrot Links are the glue that holds the web together, but broken links undermine our collective digital knowledge. With 54% of Wikipedia references and 70% of links in legal journals now dead, link rot is a serious threat to information accessibility and makes for an unpleasant web experience. Lychee is a fast, memory-efficient CLI tool written in Rust that detects broken links in Markdown, HTML, and plain text. 
Over the past 4 years, it has been adopted by tens of thousands of public repositories and organizations like Google, Microsoft, and AWS. The project will focus on three key milestones: implementing recursion support to check entire websites at once, adding per-host rate limiting to prevent server overload and stabilizing the codebase for a 1.0 release. By improving Lychee, we're helping everyone from small websites to major platforms maintain their corner of the open web and preserve our digital heritage. The project's own website: https://lychee.cli.rs/ Run by corrode This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","url":"https://nlnet.nl/project/lychee/","title":"Lychee"},{"url":"https://nlnet.nl/project/ltsp-desktop/","title":"LTSP Desktop","description":" LTSP Desktop Remote desktop via an LTSP-Cluster Thin clients (PCs where all data is kept on a remote server and only the desktop is kept locally) have been in use for a long time. These days, increased bandwidth and Cloud Computing allow us to go further, even to stream the complete desktop from the Internet. The possibility to start a desktop \"on demand\" from the cloud offers interesting new collaboration possibilities: any application can instantly become remotely accessible. For instance, having a graphic design reviewed by a design interface specialist. Or program together/review code within a single IDE instance. The goal of this project is to completely integrate remote access to a cluster of LTSP servers that can be directly accessible or streamed from any private or public cloud (like Amazon EC2 or Eucalyptus). At the start, the project is targeted at Open Source specialists, who should test the new functionality, translations and design. 
Development versions are simple to test: no need to \"scrap\" my computer: simply instantiate a remote development desktop. Schools are a second target. Schools will be able to distribute any application to any computer with the LTSP-Cluster. Schools all over the world will be able to provide the complete school environment to any child (using a Windows, Linux or Mac computer). All students have access to the same educational tools. The project's own website: https://wiki.stgraber.org/LTSP-Cluster "},{"title":"lpnTPM","url":"https://nlnet.nl/project/lpnTPM/","description":" lpnTPM TPM 2.0 compliant open hardware Trusted Platform Module lpnTPM is Open Source Software (OSS) and Open Source Hardware (OSHW). Trusted Platform Module (TPM, also known as ISO/IEC 11889) is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys. What makes lpnTPM different from generally available solutions is openness. Software and hardware of lpnTPM can, without limits, be audited, fixed, and customized by communities and businesses. The open design addresses the lack of trustworthiness of proprietary closed source TPM products, which currently dominate the whole market. lpnTPM in production mode protects software by secure boot technology, and only the lpnTPM owner will update it. TPM modules enable measured boot and support verified boot, Dynamic Root of Trust for Measurement, and other security features. Another benefit of lpnTPM would be its physical design, which solves the lack of standardization around pinout and connector. The ultimate goal of lpnTPM is to provide a trustworthy platform for future open evolution of Trusted Platform Module software and its application to various computing devices, resulting in better adoption of platform security. The project's own website: https://lpnplant.io Run by LPN Plant Sp. z o.o. 
This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. "},{"url":"https://nlnet.nl/project/lokalize/","title":"Lokalize","description":" Lokalize cross-platform computer-aided translation system KAider was renamed to Lokalize and will be included in the kdesdk package for KDE. Lokalize is a computer-aided translation system that focuses on productivity and performance. The translator does only the creative work (delivering the message in his/her mother language in a laconic and easy-to-understand form). Lokalize uses a paragraph-by-paragraph translation approach (when translating documentation) and a message-by-message approach (when translating a GUI). This project will develop a cross-platform computer-aided translation system. Currently it is fine-tuned for open source software translation and is used in production by contributors of KDE, openSUSE, and several other projects. The project's own website: http://techbase.kde.org/Projects/Summer_of_Code/2007/Projects/KAider "},{"description":" Statutes of Stichting LogReport Foundation tools for computer/network log file analysis Copy of the deed of incorporation of the foundation Stichting LogReport Foundation, established in Eindhoven, Deed dated 21 August 2000 INCORPORATION OF FOUNDATION Today, the twenty-first of August two thousand, there appears before me, mr. Jan Willem Anton Schenk, candidate civil-law notary, hereinafter also referred to as \"notary\", deputising for mr. 
Kornelis Hans Pentinga, civil-law notary, with place of business in Utrecht: Ms Cinderella Patricia van Liempdt, candidate civil-law notary, with office address 3584 BB Utrecht, Pythagoraslaan 2, born in Utrecht on the eighteenth of November nineteen hundred and seventy-four, acting as holder of a written power of attorney from: Mr Teunis Hagen [SNIP], hereinafter referred to as: \"Hagen\"; Mr Tjepko Wytze van der Raaij [SNIP], hereinafter referred to as: \"Van der Raaij\"; and Mr Jakob Schripsema, [SNIP] hereinafter referred to as: \"Schripsema\". The authorisation of the person appearing is evidenced by a private instrument of power of attorney, which will be attached to this deed immediately after its execution. The person appearing, acting as stated, first declares the following: The foundation Stichting NLnet, with its registered office in Amsterdam, is a foundation that has been designated as a public benefit organisation as referred to in Article 24, paragraph 4 of the Inheritance Tax Act 1956 (Successiewet 1956); Stichting NLnet, aforementioned, has as its object the promotion of electronic information exchange and all that is related to it; As a consequence of its object described above, Stichting NLnet wishes to (further) develop Open Source Software for the benefit of the Internet; For administrative and organisational reasons, Stichting NLnet wishes to carry out these last-mentioned activities, as a consequence of its own activities, in a separate foundation to be established by it. The person appearing declares, on behalf of Hagen, Van der Raaij and Schripsema, to establish a foundation by this deed and to adopt the following statutes for it: Definition: Open Source Software: software whose source code is freely available to third parties. Period: the period of two (2) years counted from the establishment of the foundation. Stichting NLnet: the foundation Stichting NLnet, with its registered office in Amsterdam. 
STATUTES NAME AND REGISTERED OFFICE Article 1 The foundation is named: Stichting LogReport Foundation. The foundation has its registered office in the municipality of Eindhoven. DURATION Article 2 The foundation is established for an indefinite period. OBJECT AND MEANS Article 3 The foundation has as its object: developing, maintaining and distributing tools and knowledge for processing log files of network/computer system applications and generating reports based on such log files; stimulating the use of the above-mentioned tools and knowledge in the management of information systems; encouraging authors of network/computer system applications to include facilities in these applications for generating meaningful, standardised and automatically processable information in log files; contributing to the development and introduction of product-independent log file formats (standards); creating a forum for system administrators and software developers in the field of the application and analysis of log file information; and furthermore all that is directly or indirectly related to or may be conducive to the foregoing, all in the broadest sense. The foundation seeks to achieve its object by, among other things but not limited to: offering talented software developers the opportunity to develop, extend, maintain and make available Open Source Software projects for the benefit of the Internet; entering into collaborations, in whatever form, with other developers in the field of the development of the projects referred to under a.; promoting the wide distribution of the software developed. All software and documentation developed by the foundation is always made available to the community under Open Source conditions. CAPITAL Article 4 The capital of the foundation is formed by: gifts, subsidies, inheritances and legacies; all other lawful income. 
BOARD Article 5 The board of the foundation consists of three (3) persons. During the Period, two (2) of the members of the board are appointed by Stichting NLnet. The third board member is appointed by the aforementioned members. After the Period, board members will be appointed by way of co-optation. The board elects a chairman, a secretary and a treasurer from among its members. The functions of secretary and treasurer may be fulfilled by one person. Should one or more members be lacking from the board for whatever reason, the remaining board members, or the sole remaining board member, nevertheless constitute a competent board, without prejudice to the obligation to fill the vacancy or vacancies as soon as possible. The members of the board receive no remuneration for their activities. They are, however, entitled to reimbursement of the costs reasonably incurred by them in the performance of their duties. BOARD MEETINGS AND BOARD RESOLUTIONS Article 6 Meetings will be held whenever the chairman considers this desirable or if one of the other board members addresses a request to that effect to the chairman in writing, precisely stating the items to be discussed, but in any case once a year. If the chairman does not comply with such a request in such a way that the meeting can be held within three (3) weeks after the request, the requester is authorised to convene a meeting himself with due observance of the required formalities. The meetings are held within the Netherlands. The notice convening the meeting is given - except as provided in paragraph 1 of this article - by the chairman at least seven (7) days in advance, not counting the day of the notice and that of the meeting, by means of letters of convocation. The director of the foundation is also summoned to the board meetings. 
He has an advisory vote in those meetings. The letters of convocation state, in addition to the place and time of the meeting, the subjects to be discussed. If the rules laid down by the statutes for convening and holding meetings have not been observed, valid resolutions can only be adopted in a board meeting by unanimous vote in a meeting at which all board members in office are present or represented. The meetings are chaired by the chairman. In his absence, the meeting itself provides for its chairmanship. Minutes of the proceedings at the meetings are kept by the secretary or by one of the other persons present, requested to do so by the chairman of the meeting. The minutes are adopted and signed by the chairman and the secretary of the meeting concerned, or adopted by a subsequent meeting and then signed by the chairman and the secretary of that subsequent meeting. The board can adopt valid resolutions at a meeting only if the majority of the board members in office are present or represented at the meeting. A board member may be represented at a meeting by a fellow board member upon submission of a written power of attorney that is sufficient in the judgement of the chairman of the meeting. A board member may act as proxy for only one fellow board member. The board may also adopt resolutions outside a meeting, provided that all board members have been given the opportunity to express their opinion in writing, by fax or by e-mail. The documents evidencing such a resolution are added to the minutes. Each board member has the right to cast one (1) vote. Insofar as these statutes do not prescribe a larger majority, all board resolutions are adopted by an absolute majority of the votes cast. 
All votes at a meeting are taken orally, unless the chairman of the meeting concerned considers a written vote desirable or one of those present who are entitled to vote requests this before the vote. Written voting takes place by unsigned, sealed ballots. Blank votes are considered not to have been cast. They do count towards determining any quorum. The opinion of the chairman of the meeting concerned, pronounced at the meeting, regarding the outcome of a vote is decisive. The same applies to the content of a resolution adopted, insofar as the vote was on a proposal not recorded in writing. If the correctness of the opinion of the chairman of the meeting concerned is disputed immediately after it is pronounced, a new vote takes place if the majority of the meeting or, if the original vote was not taken by roll call or in writing, one person present who is entitled to vote, so requests. This new vote cancels the legal consequences of the original vote. POWERS OF THE BOARD Article 7 Subject to limitations under these statutes, the board is charged with managing the foundation. The board is authorised to resolve to enter into agreements for the acquisition, alienation and encumbrance of registered property, and to enter into agreements whereby the foundation binds itself as surety or joint and several co-debtor, warrants performance by a third party or provides security for a debt of a third party, provided in all cases that this is based on a board resolution adopted unanimously in a meeting at which all board members in office are present or represented without there being any vacancy on the board. The board ensures the registration of the foundation and of all board members, and changes thereto, in the trade register. 
REPRESENTATION Article 8 The foundation is represented by: the board; or two board members acting jointly. END OF BOARD MEMBERSHIP Article 9 Each board member resigns no later than three (3) years after his appointment, or earlier according to a rotation schedule to be drawn up by the board. Resigning board members are immediately eligible for reappointment without limitation. Board membership ends: by death; by resignation (in writing); if a board member loses the free management of or free disposal over his assets; by dismissal by the court; by a board resolution to that effect, adopted in a meeting in which all other board members in office voted for the dismissal of the board member concerned. A board member may be suspended at any time by a unanimous resolution of all other board members. A suspension that is not followed by dismissal within three months ends by the expiry of that period. DIRECTOR Article 10 The board is authorised to appoint a director of the foundation. The board is also authorised to suspend and dismiss the director. The tasks and powers of the director are laid down in regulations to be drawn up by the board. The board may grant the director authorisation to represent the foundation on behalf of the board in specifically named cases. FINANCIAL YEAR, ANNUAL ACCOUNTS AND RETENTION OBLIGATION Article 11 The financial year of the foundation is the same as the calendar year. The first financial year ends on the thirty-first of December two thousand. The board is obliged to keep records of the financial position of the foundation and of everything concerning the activities of the foundation, in accordance with the requirements arising from those activities, and to keep the associated books, documents and other data carriers, in such a way that the rights and obligations of the foundation can be known at all times. 
The board is obliged to prepare and put on paper the balance sheet and the statement of income and expenditure of the foundation each year before the first of July. The board is authorised to appoint a registered accountant (registeraccountant) or accounting consultant (accountant-administratieconsulent) to audit the balance sheet and the statement of income and expenditure. The board is obliged to keep the books, documents and other data carriers referred to in this article for seven (7) years. The data recorded on a data carrier, with the exception of the balance sheet and statement of income and expenditure put on paper, may be transferred to and kept on another data carrier, provided that the transfer takes place with a correct and complete reproduction of the data and that these data are available during the full retention period and can be made legible within a reasonable time. AMENDMENT OF THE STATUTES AND DISSOLUTION Article 12 During the Period, the board is authorised, after prior approval obtained from Stichting NLnet, to amend the statutes of the foundation with due observance of the provisions of paragraph 2 of this article, as well as to dissolve the foundation. Resolutions to this effect must be adopted by a majority of at least two thirds (2/3) of the votes in a meeting at which all of the board members in office are present or represented without there being any vacancy on the board. If not all board members are present or represented, a second meeting may be convened and held within four (4) weeks thereafter, in which a decision can be taken on the proposal as it was put forward in the previous meeting, regardless of the number of board members present or represented, provided this is done with a majority of at least two thirds (2/3) of the votes. After the Period, the board is authorised to amend the statutes of the foundation with due observance of the provisions of paragraph 2 of this article, as well as to dissolve the foundation. 
Resolutions to this effect must be adopted unanimously in a meeting in which all board members in office are present or represented, without there being any vacancy on the board. If not all board members are present or represented, a second meeting may be convened and held within four (4) weeks thereafter, in which a decision may be taken on the proposal as it was raised in the previous meeting, regardless of the number of board members present or represented, provided this is done unanimously. Article 3 \"OBJECTIVE AND MEANS\", as well as paragraph 5 of this article of these statutes, cannot be amended. An amendment of the statutes must, on pain of nullity, be effected by notarial deed. Each board member is individually authorised to have such a deed executed. The board members are obliged to deposit an authentic copy of the amendment as well as the amended statutes at the office of the trade register. After dissolution, the foundation continues to exist insofar as this is necessary for the liquidation of its assets. The board members act as liquidators of the assets of the dissolved foundation. The liquidators ensure that the dissolution of the foundation is registered in the trade register. Any surplus after liquidation of the dissolved foundation is spent in accordance with the objective of the foundation. The books, documents and other data carriers of the dissolved foundation must be kept for seven (7) years after the end of the liquidation by the person designated for this purpose by the board. REGULATIONS Article 13 The board of the foundation may adopt, amend or revoke regulations. A regulation may not conflict with the law or with these statutes. The provisions of article 12 paragraph 1 apply to the adoption, amendment and revocation of the regulations. 
FINAL PROVISIONS Article 14 In all cases not provided for by the law, these statutes or the regulations of the foundation, the board decides. Finally, the persons appearing declare that - in deviation from the provisions of article 5 paragraphs 2 and 3 - the following are appointed for the first time as board members of the foundation, with the following positions: Mr Teunis Hagen, as chairman; Mr Tjepko Wytze van der Raaij, as treasurer; and Mr Jakob Schripsema, as secretary. The persons appearing are known to me, notary. THIS DEED was executed in Utrecht on the date stated at the head of this deed. After the substance of this deed had been stated and explained to the persons appearing, they declared that they had taken note of the content of this deed and agreed to it. This deed was then signed by the person appearing and by me, notary, immediately after it had been read out in part. (signed) C.P. van Liempdt-, J.W.A. Schenk. ISSUED AS A TRUE COPY by me, Mr. Jan Willem Anton Schenk, candidate civil-law notary, as deputy for Mr Kornelis Hans Pentinga, notary with place of establishment Utrecht, on the twenty-first of August two thousand. RCSID: $Id: statuten.html,v 1.3 2001/03/08 09:41:46 wytze Exp $","title":"Statutes of Stichting LogReport Foundation","url":"https://nlnet.nl/project/logreport/statuten.html"},{"title":"LogReport","url":"https://nlnet.nl/project/logreport/","description":" LogReport tools for computer/network log file analysis Log files are often treated like the unwanted by-product of IT activity, sitting somewhere in a dark corner of a computer system, examined only occasionally, usually in the case of after-the-fact reactive problem solving. LogReport aims to change this. These files contain the traces of computer activity, and by intelligently analyzing these traces, one can increase existing system efficiency and improve future system design. 
The LogReport project serves a dual purpose: developing and maintaining Lire, an Open Source reporting and analysis software package, and serving as a nexus of documentation, ideas, and thoughts on the topic of log files and their potential applications. There are quite a few specific tools for analyzing particular types of log files. However, LogReport's Lire is designed as a generic tool, with plug-in capability for handling a wealth of different types of log files and report integration features. From 2000 till 2005, the activities of this project were bundled in the Foundation Stichting LogReport. Thereafter, the project continued on a voluntary basis. The project's own website: http://www.logreport.org 2002-12-09: Lire is featured in Brave-GNU-World issue 45. LogReport presented a poster with paper at the SANE 2002 conference. This poster received the Best Poster Award. 2002-02-17: Booklet handed out at FOSDEM 2002: 'Lire: Integrated Analysis of all your Internet and Intranet Services'. .ps (183 kB) .pdf (243 kB) 2002-02-17: Slides for FOSDEM 2002. .pdf (105 kB) "},{"url":"https://nlnet.nl/project/logreport/how.html","title":"LogReport","description":" LogReport tools for computer/network log file analysis Since January 2005, LogReport is driven by volunteers. Before that, it was organized as a foundation which received funding from NLnet. 2005-04-18: Annual Report 2004 LogReport Foundation .pdf (86 kB) 2005-01-01: The foundation Stichting LogReport has been discontinued. The development will continue as a volunteer-driven project. 2004-09-03: LogReport released Lire version 2.0, and thereby completes its project with NLnet. Development of Lire will continue. 2004-06-10: Annual Report 2003 LogReport Foundation .pdf (101 kB) 2003-12-01: LogReport releases Lire roadmap 2.0. The first step on that road is made with Lire version 1.4, which contains major speed improvements. 2003-08-08: Formal subsidy request for the development of Lire 2.0. 
2003-07-14: Proposal for the development of Lire 2.0. Annual Report 2002 LogReport Foundation .pdf (163 kB) Annual Report 2001 LogReport Foundation .pdf (40 kB) Annual Report 2000 LogReport Foundation .pdf (103 kB) Bylaws of foundation Stichting LogReport (discontinued). "},{"url":"https://nlnet.nl/project/logreport/description.html","title":"LogReport","description":" LogReport tools for computer/network log file analysis In April 2000, NLnet Foundation's board was approached by a group of people in Eindhoven, The Netherlands, with a plan to establish a website aimed at log file processing. The website would be supported by a new organisation aimed at solving log file problems in a wider sense (knowledge dissemination, tool development, report generation service etc.). After several long discussions, this culminated in August 2000 with the establishment of LogReport Foundation, a non-profit framework for performing the activities outlined above. The goals of the LogReport Foundation are the following: development, maintenance and distribution of tools and knowledge for processing log files of network/computer system applications and generating reports based on such log files; stimulating the use of the above tools and knowledge in the management of information systems; convincing authors of network/computer system applications to integrate support in their applications for generating useful standardized and machine-processable log file information; contributing to the development and adoption of product independent log file formats (standards); creating a forum for system managers and software developers in the area of log file information applications and analysis. 
The Open Source philosophy is a leading idea for all activities of the LogReport Foundation: all software and documentation developed by or under contract from the LogReport Foundation will be made freely available in source form to the network community. This principle has been strongly established in the statute of the LogReport Foundation. "},{"url":"https://nlnet.nl/project/loap/","title":"LOAP","description":" LOAP The DNS: A Life of a Protocol \"The DNS: Life of a Protocol\" is the working title for a new project by Carl Malamud. This technopolitical analysis of the Internet from the viewpoint of the life of one protocol attempts to provide some insight into both technology and politics. This project resulted in an eye-opening poster series picturing the differences between politics and technicians in the realm of internet governance. Presentation at OSCON 2006: 10 Government Hacks. Also available in a reworked version by Hackzine. "},{"url":"https://nlnet.nl/project/loap/how.html","title":"LOAP","description":" LOAP The DNS: A Life of a Protocol Stichting NLnet sponsors the production of this book with US$ 6000. This project is being undertaken by Carl Malamud, who is the author of several publications including Exploring the Internet and Internet Talk Radio. Carl was the founding chairman of ISC. He is currently a Senior Fellow and the CTO at the Center for American Progress, a \"think\" tank in Washington, D.C. "},{"url":"https://nlnet.nl/project/loap/description.html","title":"LOAP","description":" LOAP The DNS: A Life of a Protocol \"The DNS: A Life of a Protocol\" [working title of the project] is a technopolitical analysis of the life of the Domain Name System, using it as a lens to look at the broader issue of \"Internet Governance,\" a term that was poorly chosen but is much in use. 
Starting as a simple replacement for an even simpler host file, the DNS protocol has grown into a big business, a quasi governmental international framework, and a strategic battleground for trademark wars. Research on this project began in late 2004. It has gone through several incarnations, starting as a book. In the fall of 2005, some real progress was made when the author convinced the ITU that he was \"bona fide media,\" which resulted in his attendance at the WSIS Tunis meeting, where the festivities were duly filmed. Following that, Carl conducted filmed interviews with a variety of root server operators, regional registries, former IETF officials, current ICANN officials, and various inventors and maintainers of the DNS. The results of this investigation will be packaged as a \"movie\" intended for general audiences in mid-2006. Since this is about the Internet, it seems to make sense to take the raw interviews with people such as DNS inventor Paul Mockapetris and release them on the net in their raw state. This means, when watching the final edited movie, the viewer can go back to the full interviews (or even mix their own movie). Currently, most of the field interviews have been conducted and over 75 high-def and DVCAM tapes have been digitized. Raw footage should start showing up on the net by the end of January and we expect the final product/movie to be available for download by mid-year. "},{"description":" Verifying and documenting live-bootstrap A reproducible, automatic, complete end-to-end bootstrap The goal of the live-bootstrap project is to compile the necessary tools to compile Linux from a minimal binary footprint to avoid the possibility that a (binary) compiler could be used to introduce back-doors into the Linux kernel. As a user of the live-bootstrap project, one should be able to trace and review all steps and sources used. The goal of this project is to facilitate this. 
The project's own website: https://fransfaase.github.io/Emulator This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","title":"Verifying and documenting live-bootstrap","url":"https://nlnet.nl/project/live-bootstrap/"},{"description":"","title":"","url":"https://nlnet.nl/project/linkblocks/"},{"title":"libvips","url":"https://nlnet.nl/project/libvips/","description":" libvips Add animated PNG and enhanced JPEG XL support to libvips libvips is an image processing meta-library, whose development the European Commission funded back in the 1990s. Applications can outsource the heavy lifting of handling a variety of image types to this library. The library has meanwhile grown very popular with web developers around the world; the node binding, for example, is downloaded more than 5 million times a week at the time of writing. In addition to scrutinizing the security of the library, this project will implement two key improvements to libvips: animated PNG support, and enhanced JXL support. The former capability (the addition of animated PNG support) can be gained from another NGI Zero project, libspng. libvips uses libspng for PNG read and write, so by extending libvips to use these new libspng features, they will become available to a large developer community very quickly. Second, libvips has had preliminary support for the JXL format since libjxl v0.4. Since then, the libjxl API has evolved considerably and the libvips connector needs updating, especially in the areas of large image support and HDR, both increasingly important with the steady improvement of smartphone cameras. 
The project's own website: https://www.libvips.org/ This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"title":"libspng","url":"https://nlnet.nl/project/libspng/","description":" libspng A fast and safe implementation of Portable Network Graphics libspng is a platform-independent C library for handling IETF's Portable Network Graphics (PNG) images. The goal of this project is to provide a robust and fast library with an easy to use API. It is designed to be a modern alternative to the reference implementation, written from scratch using secure coding standards. It comes with an extensive test suite and is fuzz tested; it is also the fastest decoder overall. The NGI Zero grant will be used to develop complete PNG write support, architecture-specific performance optimizations, including improvements to testing, decoding and documentation. The project's own website: https://libspng.org Why does this actually matter to end users? Computer security for many people is a matter of trust, blind faith even. As we use the internet for basically everything and our devices and networks become increasingly complex, it takes more time and effort to understand and verify each layer of technology (even more so for devices that are glued together and software that is hidden behind restrictive licenses). And because new solutions are built on top of existing legacy systems, we continue to rely on technology that does not always meet today's needs for security and privacy any longer. Building a future-proof internet does not only require totally new and outrageous ideas, but also fixing persistent problems and outdated parts: you can only build a fancy new house on a strong foundation. 
This project aims to provide an alternative for a widely used component that handles one of the most common (open) image formats, PNG. To prevent errors in handling images and security vulnerabilities, an alternative component will be delivered that can easily be tested and verified for correctness. This helps website technology and applications used all over the world function a little bit safer. This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. "},{"title":"libspng APNG","url":"https://nlnet.nl/project/libspng-animated/","description":" libspng APNG Add Animated PNG (APNG) image read- and write support to libspng libspng is a modern C library for reading and writing images in the Portable Network Graphics (PNG) file format. Created from the ground up with security and ease of use in mind, it provides an alternative to the reference implementation and a migration path to a simpler API; an extensive test suite ensures interoperability. The goal of this project is to implement Animated PNG (APNG) support and make it a more viable alternative to the reference implementation. The project's own website: https://libspng.org This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. "},{"description":" librice Pure Rust implementation of IETF's real-time communication standard ICE The Interactive Connectivity Establishment (ICE) protocol is everywhere in real-time communication, providing a rendezvous mechanism for establishing e.g. a SIP or WebRTC connection. 
Addition of another protocol, TURN, allows hosts which are behind a middleware box or CPE (which is the most common scenario in the IPv4 realm) to still successfully set up a bi-directional path. This puts ICE/TURN at the heart of communication. This project will implement the four key TURN RFCs in librice - a pure Rust implementation of ICE. The project's own website: https://github.com/ystreet/librice Run by Centricular Ltd This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","title":"librice","url":"https://nlnet.nl/project/librice/"},{"description":" Michał “rysiek” Woźniak - LibResilient Create robust web presence with service workers and DHT Decentralised solutions Can you introduce yourself and your project? I’m Michał “rysiek” Woźniak, a techie, information security expert, and lifelong digital human rights activist. I have worked at OCCRP, one of the investigative journalism outlets that broke the Panama Papers, where I was responsible (among others) for website hosting infrastructure. The experience of running a high-stakes website that can randomly get a lot of traffic (or a DDoS) led me to think of new ways of keeping websites up, even if their infrastructure might be down. That’s where the idea of LibResilient comes from. In short, LibResilient is a tool that allows a website to stay up and accessible to returning visitors even if the original site is down for whatever reason, without relying on centralized Internet gatekeepers. What are the key issues you see with the state of the internet today? 
Centralization is my pet peeve. Centralization of infrastructure, control, and power makes it difficult - almost impossible in some cases - to run a website or provide an online service aligning oneself with the interests of a few gigantic internet companies. Another problem is brittleness. How “modern” websites are built makes them extremely easy to break: a modified third-party script, a font hosted on a third-party server, and a style sheet from a major CDN not loading often take websites down. Admins and developers give away much control over their websites to random companies – often several of them at a time – for no real gain. It’s enough for one of these companies to have a hiccup for hundreds of thousands of sites to become unusable. How does your project contribute to correcting some of those issues? I would say that LibResilient attempts to solve the underlying issues that drive website operators to use centralized services. It’s almost impossible, financially and technically, for most NGOs and small media organizations to self-host their websites in a way that can withstand a DDoS or a two-orders-of-magnitude traffic spike. So, they find shelter behind centralized DDoS protection services. But... What if their returning readers could still see the site, navigate it, and access new content in their browsers without installing anything or changing any settings—even if the organization’s servers are overwhelmed for whatever reason? What if many such organizations could pool their server resources together easily and host each other’s content without having to trust each other with TLS keys? This is already possible with LibResilient. What do you like most about (working on) your project? I am giddy with excitement about doing something genuinely original that I know can be immensely useful —and, at the same time, might undermine the position of centralized gatekeepers. Where will you take your project next? LibResilient is nearing a stable beta stage. 
I would love to get some organizations to deploy it once it’s there. How did NGI Assure help you reach your goals for your project? It was very nice to receive funding; it was a motivating factor and allowed me to work on the project more than I would have otherwise. But as necessary, if not more, was the external nudge of “I promised to do this,” soft deadlines, good feedback from, and excellent contact with, their team about the project. Do you have advice for people who are considering applying for NGI funding? Just do it. It takes half an hour and is definitely worth it. And not just in the financial sense! Do you have any recommendations to improve future NGI programmes or the wider NGI initiative? Not really! Every step of the way, I was pleasantly surprised with how things were set up (administratively and technologically), how good the feedback was, and how open they were to inevitable course corrections. Really hard for me to find anything to nitpick on! Acknowledgements Image: courtesy of Michał Woźniak. Published on November 7, 2024 LibResilient received funding through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. 
","url":"https://nlnet.nl/project/libresilient/interview.html","title":"Michał “rysiek” Woźniak - LibResilient"},{"description":" libresilient Create robust web presence with service workers and DHT A browser-based decentralized content delivery network, implemented as a JavaScript library to be deployed easily on any website. LibResilient uses ServiceWorkers and a suite of non-standard in-browser delivery mechanisms, with a strong focus on decentralized tools like IPFS. Ideally, users should not need to install any special software nor change any settings to continue being able to access an overloaded LibResilient-enabled site as soon as they are able to access it once. The project's own website: https://resilient.is This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. ","url":"https://nlnet.nl/project/libresilient/","title":"libresilient"},{"description":" LibreDocs LibreDocs This project aims to develop a open web-based office suite and offer it online for everybody to use, free of charge. Contrary to GoogleDocs leaving users in control of the documents they author with it. Using Unhosted it will separate user data from the application. Libre Docs is a perfect proof of concept for Unhosted. It will help the Unhosted project evolve from a conceptual phase to proven technology, after which many more applications can follow this successful path. There are three distinguishing advantages to applications like Google Docs. It is free and thus allows the technology to evolve freely, without generating lock-in and monopolies. 
The Unhosted web architecture is better than hosted software because it separates user data from applications. It is storing the data in a location that is chosen by the user and not at the premises of an application provider, leading to better privacy control and security. Project of Max Wiehle, Germany. ","title":"LibreDocs","url":"https://nlnet.nl/project/libredocs/"},{"title":"libnix","url":"https://nlnet.nl/project/libnix/","description":" libnix Native Nix on MS Windows The libnix project improves the Windows support of the Nix package manager, by making nix and nix-build work natively on the Windows platform. By creating a ‘libnix’ on top of this, it will allow package managers like node, cargo, pip, and vcpkg to use Nix for building their dependencies. The effort helps bring declarative, reliable packaging systems to a wider audience. The project's own website: https://lastlog.de/blog/libnix_roadmap.html This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"description":" Improving asynchronous execution in GNUnet Add synchronous processing to GNUnet This project concerns foundational improvements to GNUnet, a Free Software framework for building secure, decentralised and privacy-preserving applications. Rather than adding a new end-user feature to this GNU project, this effort will focus on strengthening shared core components that affect how efficiently GNUnet operates in practice. The aim is to modernise parts of the system’s internal execution model so that GNUnet can remain more responsive under load, make better use of available resources, and provide a stronger technical foundation for future development. 
In practical terms, the project will improve how core GNUnet components coordinate work, exchange information and interact with supporting services, especially in configurations where multiple subsystems run closely together. The expected results include higher overall performance, lower battery consumption on mobile devices, and a more responsive user experience across higher-level services and applications built on top of these core components. The project's own website: https://www.gnunet.org/ This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","title":"Improving asynchronous execution in GNUnet","url":"https://nlnet.nl/project/libgnunetutil/"},{"description":" LEAP/Torbirdy LEAP integration into Torbirdy Due to its age and design flaws securing email is notoriously hard. Without an easy-to-use e-mail client most users will not be able to adequately protect themselves. LEAP allows easy set-up of secure e-mail providers, but currently LEAP integration into e.g. the popular Thunderbird email client requires manual configuration and does not provide anonymity of the connection from the client to the server via Tor. What if users could profit from automatically encrypting email and retain their privacy? The project's own website: https://trac.torproject.org/projects/tor/wiki/torbirdy The project will integrate LEAP usage into the well-regarded plug-in TorBirdy to allow easy to use email integration. The integration with LEAP into TorBirdy will allow a \"one-click\" install for Thunderbird to provide better anonymity and a working email client for the LEAP project. 
This will result in the highest-level of anonymity, privacy, and security possible today with e-mail. A project of the LEAP Encryption Access Project. ","url":"https://nlnet.nl/project/leap-torbirdy/","title":"LEAP/Torbirdy"},{"description":" Project Proposal Local Content Caching: An Investigation local content caching system for new search engine architecture Principal Investigators Mr. Gordon Clare, MSc. Mr. Kim Hendrikse, MSc. Mrs. Elizabeth Mattijsen Keywords Distributed information retrieval, meta-search engines, content caching, content processing, intelligent agents. Introduction Centralized search engines, allowing searching of a fraction of the entire internet, are encountering significant scalability problems as servers struggle to keep up with the exponential growth of content providers and the amount of content provided. The main problem for a search engine, or any other content \"user\" for that matter, is keeping an up-to-date (processed) copy of the content of each content provider. Because there is no \"protocol\" for content providers to let search-engines know that there is new content, or that old content has been deleted or updated, search engines periodically \"visit\" the content provider, often fetching content that was fetched before. Valuable resources are used in this process, while the results are still inherently out of date. Another problem is that content providers on the Internet provide content in a form that is good for the human reader, but which is not really ideal for the type of processing needed to create a search engine or similar process. This six month pilot-project will investigate what would be needed to create a system of local content caching, in which a content provider can notify a Local Content Cache of new (or updated or deleted) content. This content will then be collected by that Local Content Cache, possibly in a form more suitable for content processing than the form in which it is presented to the human reader. 
Such a Local Content Cache can then be used by a search engine, or any other content \"user\" such as an intelligent agent, for its own purposes. A proof of concept implementation of the software needed for a Content Provider, a Local Content Cache and Content Users such as search engines and intelligent agents, will be part of this pilot-project. In the end, the concept of a \"Local Content Cache\" can only be successful if there is a sufficiently well defined \"localization\" of the cache, i.e. which content provider should use which Local Content Cache. In that respect further investigation, and possibly development, will be needed before the Local Content Cache can be really utilized on the Internet as a whole. This further investigation will _not_ be part of this project, but possibly of a follow-up project. However, these issues will be kept in mind when making design decisions in the \"Local Content Caching: An Investigation\" pilot-project. The results of the pilot-project will be utilized - in the first instance - by NexTrieve to build a search engine on top of a Local Content Cache, and by any other party that would want to participate in this pilot-project. Goal The goal of this pilot-project is to create a functioning proof-of-concept in which: one or more Content Providers can notify a Local Content Cache of new, updated or deleted content. a Local Content Cache can then fetch the indicated content from the Content Provider in the manner and at the time indicated by the Content Provider. the content fetched by the Local Content Cache is stored on the server on which the Local Content Cache software modules are running a Content User is able to interrogate the Local Content Cache for a list of new, updated or deleted content. a Content User is able to obtain this content from the Local Content Cache. 
a Content User such as NexTrieve (or any other Content User that participates in this pilot-project) can be demonstrated to work on the content as provided by the Local Content Cache. Furthermore a description of the software, protocol(s) and API(s) developed for this pilot-project will be provided. Recommendations from the team for further (re-)development of these will also be provided. The question as to whether or not it seems worthwhile to continue the pilot-project into a full-fledged project, in which the localization issues are also addressed (which Content Provider uses which Local Content Cache), will also be answered. All results of this pilot-project are to be made available to the public domain. The copyrighted NexTrieve search engine is excluded from this requirement. Composition of the Research Team Elizabeth Mattijsen project manager, research & development Kim Hendrikse research & development Gordon Clare research & development Elizabeth Mattijsen will be responsible for the project management and will regularly report project status. She will also be partly responsible for development work. Elizabeth Mattijsen has over 25 years experience in the development and introduction of Computer Based Training in the workplace. Since 1994 she has been involved with the development of websites on a commercial basis, using the expertise that she gained in CBT. Lately she has been involved in the development of NexTrieve search engine software, particularly the support software written in Perl. Kim Hendrikse is the original developer and designer of NexTrieve, a project that started back in 1995 with the initial \"fuzzy\" search engine. He has a broad base of experience in the Unix/C/networking fields gained in New Zealand, London and the Netherlands. 
In addition to design and development work on NexTrieve, he has developed and maintained two national search engines (one in the Netherlands and one with a virtual presence in New Zealand) and is responsible for the design and maintenance of the company network. Gordon Clare, a New Zealander by origin, has experience of a wide variety of software development fields ranging from real time high resolution image processing through to development of multi-threaded interpreter environments. He has spent several years in France working as a Systems Architect for a distributed C++/C/Java Windows based document management system. Since September 2000 he has been involved with the core development of the new generation NexTrieve search engine working from Rennes, France, with daily internet telephony contact to Echt. This team has been working on the next generation of the NexTrieve search engine software over the past 1.5 years, recently culminating in the release of NexTrieve 2.0. This team has participated in the Text Retrieval Conference (TREC) in 2001. All team-members have a thorough understanding of the issues involved with the processing of content in different ways. The infrastructure of Nexial in Echt will be used for this pilot-project. This applies to the technical infrastructure, such as a voice-over-IP connection with Mr. Clare in Rennes (France) allowing for very close cooperation, as well as other (administrative and secretarial) services of the office itself. Architectural Overview Content Provider A Content Provider (in the context of this pilot-project) is a server that makes its content available as web-pages using the HTTP protocol. The Content Provider contacts the Local Content Cache whenever it wants the Local Content Cache to fetch specific new or updated content, or when it wants the Local Content Cache to delete content that was fetched before. This process is called \"Update Notification\". 
After the Local Content Cache has accepted an Update Notification, it will attempt to fetch the indicated content from the Content Provider: a process we call \"Update Fetch\". Content Provider issues that will be addressed in this pilot-project are: a configurable (Perl) module for Content Providers, the so-called Content Provider Module. the constraints that should apply to the Update Notifications that a Local Content Cache may wish to honour, or \"Update Notification Constraints\". the constraints within which a Local Content Cache may fetch the indicated content from the Content Provider, the so-called \"Update Fetch Constraints\". Within the bounds of this pilot-project, a Content Provider Module will be implemented as one or more Perl Modules. It will allow easy configuration for file-system based websites and will also allow database driven websites to supply information for generating Update Notifications. The Content Provider will also maintain state information about when a specific piece of content was most recently specified in an Update Notification, initially using a very simple database back-end for storage of this state information. Update Notification Whenever a Content Provider decides that new content is ready to be fetched by the Local Content Cache, an Update Notification is sent to the Local Content Cache. In this Update Notification, the Content Provider only specifies (among other things) which content should be fetched, not the content itself. Update Notification issues that will be addressed in this pilot-project are: an easy configurable way for file-system based websites to create Update Notifications automatically on a regular basis. the type of protocol to be used for the Update Notification: should a new protocol be developed or will it be sufficient to use an existing protocol such as HTTP or FTP? 
checking the authenticity of the Update Notification: how can the Local Content Cache \"know\" whether the Update Notification is genuine. In the pilot-project only the \"known IP-number\" authentication will be allowed, allowing Update Notifications only from IP-numbers that are configured to be valid to the Local Content Cache. indication of a \"fetch\" URL and a \"virtual\" URL, i.e. allowing the Content Provider to provide a special version of the content for the Local Content Cache other than the one normal users would see. For instance, a Content Provider might wish to supply a generic XML version of its content, rather than a completely rendered HTML-version. indication of any special authentication that the Local Content Cache should use to do the Update Fetch. The Content Provider may only wish to make an XML version available when secured with a username and password. indication of the Update Fetch Constraints. indication of other types of data (\"attributes\") that the Local Content Cache should associate with the content, such as expiration date, copyright information, which Content Users are allowed access, etc. the response from the Local Content Cache, indicating either acceptance or (maybe partial) refusal of the Update Notification and the reason why. the development of an Update Notification API, which will be used by the Local Content Cache Module for handling the Update Notifications of Content Providers. Update Notification Constraints A Local Content Cache may decide to refuse an Update Notification (maybe partly) for a number of reasons. These constraints may be based on: type of content: a Local Content Cache may decide not to cache specific types of content, such as (streaming) media files and graphics files. The type of content will most likely be indicated using generally accepted MIME-types, such as text/plain, text/html and application/ms-word. 
overflow of disk-space quota: a Local Content Cache may enforce a maximum amount of disk-space that the content of a specific Content Provider may fill. overflow of bandwidth quota: a Local Content Cache may enforce a maximum amount of bandwidth that may be used by a Content Provider in an Update Fetch. any other type of constraint that we might find to be useful during the pilot-project. Update Fetch Constraints A high powered, high bandwidth Local Content Cache will be capable of \"drowning\" an underpowered, low bandwidth Content Provider with an Update Fetch. The Content Provider can therefore specify Update Fetch Constraints which will limit the Update Fetch to: a specific period in which the Update Fetch should take place, e.g. at night when the load of the Content Provider is low. at a specific rate, e.g. no more than 1 file per every 10 seconds. at a specific bandwidth, e.g. no more than 64Kbit/second, granularity to be determined. any other type of constraint that we might find to be useful during the pilot-project. Local Content Cache Modules Within the bounds of this pilot-project, the Local Content Cache Modules will consist of a collection of C-libraries as well as C-programs that: can run as a daemon for accepting and handling Update Notification requests from Content Providers, as defined in the \"Update Notification API\". execute the Content Fetch, which, within the bounds of this pilot-project, always consist of an HTTP GET request. store the content and its meta-data (\"attributes\") in the Content Storage, outlined in the \"Content Storage API\". allow Content Users access to the content of a specific Content Provider, as defined in the \"Content User API\". Content Storage The content that is collected by the Local Content Cache from the Content Provider must be stored somewhere. Within this pilot-project a very simple yet modular approach will be taken. 
Issues that will be addressed with regards to Content Storage and the Content Storage API are: an API for storing content fetched from the Content Provider. an initial implementation of a content storage backend, probably based on an open-source database system such as MySQL in combination with a ReiserFS-based file storage system. The ReiserFS file system seems particularly adept at handling huge numbers of small files and many files in a single directory, which significantly improves performance. Content Users Within the bounds of this pilot-project, only a limited number of Content Users will be allowed to participate. Because the team is familiar with the NexTrieve search engine, this is a logical candidate for an initial Content User in the pilot-project. Another likely candidate is the use of intelligent agents, in cooperation with the SAFIR project. If the Local Content Cache concept is to be developed further it seems likely that a network protocol will be developed for offering content from a Local Content Cache to a Content User. For the proof-of-concept goal that we want to reach a fully defined network protocol does not seem to be needed at this stage. Deliverables The following deliverables will be made available at the conclusion of the pilot-project: a configurable Content Provider Module, written in Perl, allowing Content Providers to specify Update Notifications. a set of configurable Local Content Cache Modules, written in C, implementing the various API's of the Local Content Cache. the pilot-project Final Report, in which the findings of various implementation issues and decisions will be described. Recommendations for the future development of the Local Content Cache concept will also be made. It seems appropriate to dedicate a separate server for the development and testing of this pilot-project. One way of obtaining the use of a server for the duration of the pilot-project is to lease one (including bandwidth) at XS4ALL. 
An alternative could be that an investment is made in a machine: this would be more costly initially, but such a server would also be available without additional cost in a possible follow-up project. Any other way in which a separate server with enough bandwidth can be made available for development would also be fine, including use of servers supplied by Nexial Systems. Phases The project will be divided up into 4 phases, each with their own deliverables. The first two phases will be 4 weeks each, the last two phases will be 8 weeks each. The amount of work in each phase will approximately be the same, but more overhead will be involved in the last two phases as they are spread out much more in time. The following deliverables will be available for review at the end of the respective phase: Phase 1: exploratory phase In this phase a detailed Project Design will be produced. This will entail an initial specification of the Content Notification protocol along with definition of the components that comprise the system as a whole and their interfacing requirements. Any minimal testing that is necessary to verify the validity of the design will also be done during this phase. To ensure that any source developed for this project will be open source, the project will use a service such as SourceForge as a project repository and create a mailinglist for the discussion of the project. Phase 2: initial development phase In this phase most of the development of the Content Provider Module as well as most of the Local Content Cache modules will be done. At the end of this phase a fully operational, CPAN ready, Content Provider Module will be provided with basic documentation, as well as Local Content Cache modules in C that are capable of doing a Content Notification -> Content Fetch cycle and storing the result in the Local Content Cache. 
Phase 3: refinement of protocols and modules The third phase will be used to further refine the protocols and modules developed and transform the software into a form suitable for external use. During this phase, the world will be made aware of this project in a wider manner, inviting people to participate in this project as a content provider. At the end of this phase complete and ready-to-use fully documented modules will be available using as much of the feedback from the world as possible. Phase 4: content users and final project report In this phase the activities start to shift from a purely developmental and research type to a more \"gospel spreading\" type of activity. This phase will also be used to accommodate the content users of the Local Content Cache, by supplying them with an initial API for obtaining information from the Local Content Cache. Content users of the Local Content Cache will at least be one GPL search engine, such as ht://Dig or SWISH++, and the NexTrieve search engine software. The final report with recommendations for the future will also be made available at the end of this phase. ","title":"Project Proposal Local Content Caching: An Investigation","url":"https://nlnet.nl/project/lcc/proposal/"},{"url":"https://nlnet.nl/project/lcc/initial-design.pdf","title":"initial-design.pdf","description":""},{"url":"https://nlnet.nl/project/lcc/","title":"LCC","description":" LCC local content caching system for new search engine architecture This six month pilot-project will investigate what would be needed to create a system of local content caching, in which a content provider can notify a Local Content Cache of new (or updated or deleted) content. This content will then be collected by that Local Content Cache. The cache can then be used by a search engine, or any other content \"user\" such as an intelligent agent, for its own purposes. 
A proof of concept implementation of the software needed for a Content Provider, a Local Content Cache and Content Users, such as search engines and intelligent agents, will be part of this pilot-project. LCC attempts to provide an alternative for scalability problems encountered by centralized search engines. The project's own website: http://www.sourceforge.net/projects/lococa/ 2002-10-14: Whitepaper describing the current implementation of LCC. more > > .pdf (51 kB) A poster about the Local Content Caching project has been presented at SANE 2002. more > > "},{"description":" LCC local content caching system for new search engine architecture The project is run by Kim Hendrikse and Gordon Clare of Nexial Systems. They are also the creators of the proof-of-concept implementation. Gordon is currently the project manager. Funding for this pilot project has been granted by Stichting NLnet, for a total of € 48.000. Local Content Caching (LCC) project proposal more > > The LCC's Initial Design. .pdf (287 kB) 2002-10-14: Final status report. more > > Functional pilot code can be downloaded from the development site for LCC. ","title":"LCC","url":"https://nlnet.nl/project/lcc/how.html"},{"description":" LCC local content caching system for new search engine architecture Introduction Centralized search engines, allowing searching of a fraction of the entire internet, are encountering significant scalability problems as servers struggle to keep up with the exponential growth of content providers and the amount of content provided. The main problem for a search engine, or any other content \"user\" for that matter, is keeping an up-to-date (processed) copy of the content of each content provider. Because there is no \"protocol\" for content providers to let search-engines know that there is new content, or that old content has been deleted or updated, search engines periodically \"visit\" the content provider, often fetching content that was fetched before. 
Valuable resources are used in this process, while the results are still inherently out of date. Another problem is that content providers on the Internet provide content in a form that is good for the human reader, but which is not really ideal for the type of processing needed to create a search engine or similar process. This six month pilot-project will investigate what would be needed to create a system of local content caching, in which a content provider can notify a Local Content Cache of new (or updated or deleted) content. This content will then be collected by that Local Content Cache, possibly in a form more suitable for content processing than the form in which it is presented to the human reader. Such a Local Content Cache can then be used by a search engine, or any other content \"user\" such as an intelligent agent, for its own purposes. A proof of concept implementation of the software needed for a Content Provider, a Local Content Cache and Content Users such as search engines and intelligent agents, will be part of this pilot-project. Architectural Overview The goal of this pilot-project is to create a functioning proof-of-concept in which: one or more Content Providers can notify a Local Content Cache of new, updated or deleted content. a Local Content Cache can then fetch the indicated content from the Content Provider in the manner and at the time indicated by the Content Provider. the fetched data can provide different \"views\" of the same underlying data (i.e., the data can be provided in several different forms) the content fetched by the Local Content Cache is stored on the server on which the Local Content Cache software modules are running. a Content User is able to interrogate the Local Content Cache for a list of new, updated or deleted content. a Content User is able to obtain this content from the Local Content Cache. a Content User can be shown to work on the content as provided by the Local Content Cache. 
","title":"LCC","url":"https://nlnet.nl/project/lcc/description.html"},{"title":"Lantern","url":"https://nlnet.nl/project/lantern-dnssec/","description":" Lantern DNSSEC in Lantern The goal of Lantern - a censorship circumvention and monitoring-prevention tool - is to build an easy-to-use, secure, and indestructible tool to keep the internet open and unfettered for anyone in the world. Lantern uses a P2P infrastructure, particularly the LittleShoot P2P stack, along with the LittleProxy HTTP proxy and the Smack XMPP client library. All of these utilize DNS in a number of areas. In environments where e.g. the government has access and control over all network traffic in and out of the country authenticity of DNS records is of paramount importance. This project aims integrating of DNSSEC into every DNS lookup in Lantern, including all DNS lookups in the LittleProxy, Smack, and LittleShoot sub-modules. The project's own website: http://www.getlantern.org/ Project of Brave New Software Project, Inc. "},{"title":"Ksplice2","url":"https://nlnet.nl/project/ksplice2/","description":" Ksplice2 Ksplice for mainline Linux and Fedora With previous support from NLnet, Ksplice has made the free software Linux distribution Ubuntu be the first operating system in the world that does not require regular reboots for security updates. Ksplice Ltd has started providing rebootless OS updates to more than 10,000 users of Ubuntu -a significant step, but larger-scale deployment is needed in order for the technology to become truly mainstream. The goals of this project are: to freely provide rebootless OS updates to 100,000+ users running the major community Linux distributions, and to get the Ksplice kernel software merged into the mainstream Linux kernel. 
The NLnet support is used for the development required to get the Ksplice tool merged into the mainstream Linux kernel and the development work on the Uptrack application required to freely bring rebootless updates to Fedora, the second most popular desktop Linux distribution behind Ubuntu. These initiatives are critical to the path of taking this open innovation to mainstream adoption. Specifically, getting Ksplice merged into the mainstream Linux kernel is the best way to ensure that Ksplice has the full support of the diverse Linux kernel community. This support will improve Ksplice’s technical quality and encourage more people to trust and use Ksplice. Bringing Ksplice beyond Ubuntu is necessary since so many Linux users use distributions other than Ubuntu. One of Linux’s strengths is the variety of choices that it provides, so it makes sense to provide Ksplice for many community Linux distributions rather than just one community Linux distribution. Fedora is the next step in this direction. The project's own website: http://www.ksplice.com "},{"description":" Ksplice update the Linux kernel without rebooting Ksplice is a new technology for protecting the security and reliability of machines on the network. Currently, all computer systems need to be rebooted regularly to apply OS updates, in order to be secure against potential attacks over the network. Ksplice makes it possible for system administrators and end-users to perform OS updates effortlessly, without a reboot. This project will make an open source Linux distribution the first operating system in the world that does not require regular reboots for security updates. This technology also has the potential to significantly hinder network attackers by reducing the window of vulnerability during which computer systems are running software with known problems. 
Thus, Ksplice solves the underlying weakness in the system so that no malicious activity, no matter how it has been disguised, will be able to achieve its objective of compromising the system. The project's own website: http://www.ksplice.com 2009-06-02: NLnet project Ksplice wins MIT $100k business plan contest. 'Uninterrupted updates offer vast improvement of security' more > > ","title":"Ksplice","url":"https://nlnet.nl/project/ksplice/"},{"title":"Koruza","url":"https://nlnet.nl/project/koruza/","description":" Koruza KORUZA is an innovative open-source open-hardware wireless communication system, employing a new low-cost approach to designing free-space optical network systems, enabling building-to-building connectivity with a highly collimated light beam at a capacity of 1 Gbps (1000 Mbps) at distances up to 100 m. It is designed to be suitable for home as well as professional users, enabling organic bottom-up growth of networks by eliminating the need for wired fiber connections and associated high installation costs. The simplicity of use, low cost and compact size allow the system to be deployed in any network. The project's own website: https://koruza.net Fast and low-cost Internet access is one of the primary goals of this time. Prompt deployment of information networks in any environment is key to bridging the digital divide, as well as boosting the economic development. \"The Digital Agenda for Europe 2020\" aims to enable intermediate broadband access (100 Mbps) for at least half of Europe's households, at this time available just for a few due to very high infrastructure costs. Cost-effective, advanced and immediately available access technologies are needed to empower the world to construct the digital future. How does it work? The KORUZA system connects two locations with a clear line of sight up to 100 m apart by placing a unit on either side. Infrared light of low power enables the connectivity at 1 Gbps while remaining eye-safe (Class 1). 
The system has sufficient capacity to be used for multi-user daisy-chain wireless connections. With the annual connection reliability greater than 99%, that can be increased further by adding a slower redundant Wi-Fi connection, KORUZA is suitable for branching out the high-capacity of a limited number of fiber access networks to a much wider population. The vast majority of existing free-space communication systems is designed for enterprise, carrier or military use, unsuitable for wider population. For whom? KORUZA is an open-source open-hardware ultrafast networking technology, innovating use of free-space optical networks by using mass produced electro-optical modules and combining them with 3D printing technology, simplifying the overall design. It is suitable for deployment in all situations - from home networks, community wireless networks to service providers. It is primarily designed for urban environments, where Wi-Fi networks suffer from spectrum congestion, disturbing each other and limiting their capacity and reliability. KORUZA is resilient to these problems as its light beam is highly collimated, thus numerous units can coexist in a dense urban area, where the demand for capacity is high and distances are relatively short. It is being developed to be a small and simple unit that can be mounted on a wall, window shelf or a pole, even by untrained professionals without specialized tools. Home users can thus simply establish the connection with a neighbour who has a fiber broadband connection. Community wireless networks can use the system to boost their wireless backbone capacity. Internet service providers can employ it for last-mile access and inter-user connectivity. Development KORUZA is based on our previous work, a bachelor research project by Luka Mustafa: Very Affordable Laser Ethernet Transceiver, at University College London under supervision of Dr. Benn Thomsen. 
The results of the development and experimental observations are also presented in the paper Reintroducing Free-Space Optical Technology to Community Wireless Networks at the AMCIS2013 conference in Chicago, scientifically confirming the design approach of implementing modules primarily developed for wired optical networks in free-space optical systems, at a distance of 125 m with capacity 1 Gbps. Inštitut za Razvoj Naprednih Aplikativnih Sistemov (Slovenia) "},{"title":"Kolab-Sync","url":"https://nlnet.nl/project/kolab/","description":" Kolab-Sync ActiveSync your Kolab Kolab is a modular groupware solution being used in a wide variety of settings, including heterogeneous environments with KDE Kontact and Microsoft Outlook clients. Differentiating features for Kolab include a security centric design and support for end-to-end encryption on GNU/Linux and Windows. Kolab is also unique in that it has no proprietary components and offers a strong migration path on the desktop from Windows to GNU/Linux and has been designed with strong privacy in mind. The next generation of Kolab clients will bring secure semantic search in encrypted email for Kontact, the primary Kolab client, on GNU/Linux, Windows, Mac OS X, Maemo and Windows Mobile. This project is being co-financed by Intevation GmbH. The project's own website: http://wiki.kolab.org/ "},{"url":"https://nlnet.nl/project/keysigningsuite/","title":"DNSSEC Key Signing Suite","description":" DNSSEC Key Signing Suite A best practise for DNSSEC Key Signing DNSSEC provides trust in the DNS by guaranteeing the authenticity and integrity of DNS responses. As DNS is of fundamental importance to most Internet communication, this is a vital function that needs safeguarding. Beyond providing trust in the DNS, DNSSEC is a key enabler for other technologies that improve the security, privacy and trust of Internet users. 
In the DNSSEC Key Signing Suite project we build a set of tools, scripts and guidelines (a playbook) to facilitate simple key signing with a standardised ceremony that has automated checks and audits where possible. The impact of this will be twofold. First, it leads to reliable, predictable and verifiable key ceremonies, which improves the trust in DNSSEC. Second, it will significantly ease the burden of operation, bringing the use of a validated and trustworthy signing procedure within reach for many more DNSSEC operators than today (e.g. smaller or less profitable top-level domain operators). Why does this actually matter to end users? Your mobile phone doesn't really understand what for instance \"NLnet.nl\" or \"www.wikipedia.org\" mean, when you type either name into a web browser. Being a web browser, it will not come as a surprise that the software will assume you want to visit some website. But it doesn't really know where that website is located on the internet. It doesn't need the physical place of course, but it needs the number that uniquely identifies the web server so it can connect. All your mobile phone does know, is how to ask that question to other, specialised computers. These computers actually also probably don't know, unless they have recently answered the same question for another user. Names can change really fast for good reasons, so you would need to refresh this data a lot - otherwise users would end up on the wrong computer. The computers you send your question to, will have a good working understanding how the so called \"domain name system\" of the internet works. More in particular, the name we asked for needs to be cut up in smaller pieces that need to be read backwards. There is a short code at the end, which points to a country - or provides some other meaningful clue as to where more information can be learned about the still unknown parts of the name. 
The short code (which people tend to call a \"top level domain\") is uniquely managed by a single professional organisation. It is actually called a registry because that is literally what it does: it registers all the names people use. One organisation registers names which end in \".nl\", others take care of \".org\" or \".eu\". There is an invisible list that has all the top level domains on it. This list is called the \"root zone\" of the internet, and it is quite important because everything that uses a name will need to start its search there. It is the registry organisation which can provide additional details about the segment next up, in this case \"wikipedia\" or \"NLnet\". But it will still not know all the answers itself, so your question will travel to yet more computers. We are getting close now to the computers that these organisations have selected to take care of their domain name. In the case of NLnet this computer will be able to give the right answer straightaway, and this answer needs to be sent back across the entire chain of computers. In the case of wikipedia, the fact we still have a \"www\" part to look for, could mean that inside Wikimedia foundation there would still be another computer which could be responsible for everything under that label. The same could go for fr.wikipedia.org or ro.wikipedia.org - the label www is only meant for human consumption, but computers actually don't need it. After just a few steps, we started getting part of the answer we were looking for, and all of these parts are sent back to your phone. And at some point in time, we have the entire answer. Now how do we know that the answer we obtained in this recursive way really can be reliably traced back to the right computers running the root zone of the internet - the so called root servers? Simple, because there are digital signatures on each part of the answer. 
For the root zone, there is a so called cryptographic key which is distributed widely - there is only one for the whole world. Chances are you have that key on your phone or computer, and your internet provider certainly has. When the question arises where .org is, this digital signature will make sure you know the right internet address to go. There you can ask the organisation that is responsible for the next part of the answer. For each computer that gives another level of detail, new signatures are added. So in the end you should have a complete proof for every step: or in other words, a trust chain. Those signatures on the answers are really important: your computer has nothing else to underpin trust. If someone is able to falsify these signatures, they could use this to manipulate answers for everything \"below\". This includes not just domain names, but also other things people have put into the DNS like certificates. So great effort is spent on making sure everything happens in a really safe way, leaving nothing to chance. And as a matter of technical hygiene, the cryptographic key needs to be changed regularly. For the root of the internet, there is in fact a grandiose ceremony which involves flying in people from all over the world to closely watch how the keys are replaced. The event is attended by journalists and observers. Of course this kind of public event is really expensive, but there is only one root zone of the internet and it only happens once every couple of years - so it is kind of a special event. Organisations running a top level domain, also need a thorough procedure. They may not have the same budget, however. True, some of the larger organisations may have multi-million euro annual budgets, but others certainly do not. So far there was not a canonical procedure shared among these organisations, meaning that there was room for ambiguity and misinterpretation that could have serious consequences for the economy and society alike. 
Also, policy makers responsible for national and regional policies were unsure what was expected from them. This project aims to fill this hiatus. It will design a tight and secure procedure that gathers all the best practices for key signing for domain name registries. The project is a collaboration between European experts that are responsible for the software that has been running on some of the root servers of the internet for many years, and a not-for-profit from the USA that actually operates several top level domains across the world. Their combined experience and technical expertise will make this a very important contribution to establishing trustworthy and secure operational practices on the internet. Run by Stichting NLnet Labs This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. "},{"description":" Key Management Key Management The life cycle of cryptographic credentials which can be used for servers to serve up services with TLS typically contains a lot of manual steps. This administrative burden is a significant cost factor and built-in delay that needs to be overcome if we want to harden the internet at scale. Especially rollovers are cumbersome and error-prone. Automation is needed to make strong encryption the default on the internet, and this project aims to create a set of integrated open source tools to manage cryptographic keys in a provably correct way. The project stems from the ARPA2 project, and builds on/integrates with the NCSC/NLnet funded TLS Pool from the SecureHub project. The project's own website: https://gitlab.com/arpa2 This project was funded through the Internet Hardening Fund, a fund established by NLnet with financial support from the Netherlands Ministry of Economic Affairs and Climate Policy. 
","title":"Key Management","url":"https://nlnet.nl/project/keymanagement/"},{"url":"https://nlnet.nl/project/kdmap-patcher/","title":"Kernel DMA Protection Patcher (kdmap-patcher)","description":" Kernel DMA Protection Patcher (kdmap-patcher) Automated UEFI patching for pre-boot DMA protection Direct Memory Access (DMA) attacks remain an often overlooked vector in many threat models, despite increasing attention in recent I/O interconnects. While Thunderbolt 4 introduces spec-mandated mitigations via Kernel DMA Protection, millions of systems using USB4, Thunderbolt 1–3, and similar modern DMA-capable interconnects remain vulnerable due to unpatched or misconfigured firmware. Kernel DMA Protection Patcher (kdmap-patcher) is a Free Software, OS-agnostic UEFI (BIOS) extension designed to harden systems against DMA attacks from the pre-boot stage. It programmatically detects and remediates vendor-specific UEFI firmware bugs that disable or misconfigure DMA protection. Where protections are entirely absent, kdmap-patcher extends UEFI firmware with a device-tailored configuration enabling Kernel DMA Protection. Once mitigations are applied, kdmap-patcher seamlessly hands off control to the OS bootloader, enabling a significantly improved DMA security posture from the earliest stages of the boot process. The project's own website: https://thunderspy.io/kdmap-patcher Why does this actually matter to end users? Direct Memory Access (DMA) attacks remain an often overlooked vector in many threat models, despite increasing attention in recent I/O interconnects. While Thunderbolt 4 introduces spec-mandated mitigations via Kernel DMA Protection, millions of systems using USB4, Thunderbolt 1–3, and similar modern DMA-capable interconnects remain vulnerable due to unpatched or misconfigured firmware. Kernel DMA Protection Patcher (kdmap-patcher) is a Free Software, OS-agnostic UEFI (BIOS) extension designed to harden systems against DMA attacks from the pre-boot stage. 
It programmatically detects and remediates vendor-specific UEFI firmware bugs that disable or misconfigure DMA protection. Where protections are entirely absent, kdmap-patcher extends UEFI firmware with a device-tailored configuration enabling Kernel DMA Protection. Once mitigations are applied, kdmap-patcher seamlessly hands off control to the OS bootloader, enabling a significantly improved DMA security posture from the earliest stages of the boot process. This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"description":" Katzenpost Observation resistant secure messaging layer Secure messaging is among the most fundamental privacy challenges of today. While there are meanwhile several widely used offerings that can encrypt instant messages you send to others, there are very few reliable options that are able to keep others from finding out who you were communicating with - and when. The most popular end-to-end messaging applications do not adequately protect the identities of who-is-talking-to-who from the infrastructure operators. Katzenpost aims to offer a traffic analysis resistant messaging layer that allows all the participants in the network to have significantly more privacy than other mechanisms. It offers a decentralized mixnet architecture that works similarly to onion routing, where message routing information is encrypted, and differs in that each message is a fixed size, has random forwarding delays, and is accompanied by cover traffic messages to frustrate passive traffic analysis. 
The project aims to be a building block for others to build applications on, lowering the threshold for existing applications to benefit from increased privacy and confidentiality. The project's own website: https://katzenpost.mixnetworks.org Why does this actually matter to end users? One of the things people enjoy the most about the internet, is that it enables them to talk to others remotely almost without limit. Internet allows anyone connected to keep closely connected with friends and family, and help their kids solve a math problem while they are at work. People collaborate with their colleagues from the couch of their living room, the cafe where they enjoy lunch or on their cell phone on the bus to the gym. Businesses can easily service their customers where this is most convenient to them, without having to travel themselves. This is so convenient, that some businesses have already moved entirely online. Internet communication has become the nerve center of whole neighbourhoods, where people watch over the possessions of their neighbours while these are away for work or leisure. However, users have a hard time understanding how privacy is impacted if they use the wrong technology. Because internet works almost everywhere, the natural privacy protection of the walls of a house, a school or an office is gone. Unlike the traditional phone companies, many of the large technology providers run their business not on delivering an honest service but on secretly eavesdropping on their users and selling information to others. It is mostly not about what you say, so it is relatively easy for providers to allow some form of privacy by encrypting messages. The more interesting parts are who talks to whom, when, and where they are in the real world while they meet on the internet. If you want to be reachable across the internet, you have to constantly let the communication provider follow you wherever you go. 
This makes the private and professional lives of citizens an open book to companies that with the help of AI and other technologies make billions from selling 'hidden data' normal people are completely unaware even exists. And of course in societies that are not so democratic, this type of information is critical to bring down opposition and stifle human rights. End-to-end encryption has become more commonplace with major online messaging and communication tools, but encoding what you say to your friends online does not mean that the service provider cannot see who you contacted, when, from where. This metadata might be even more important than the content of an online conversation. If you want to profile or track someone, you can get a lot of information from the people they talk to, where they come from, who their friends are, etcetera. Katzenpost is a free software project that creates a decentralized and anonymous communication system and with this proposal, will add a security layer that prevents traffic analysis. Through traffic analysis third parties can intercept and examine messages to find out certain patterns, for example who is speaking to who, even though everything is encrypted. Resisting traffic analysis is an important effort to ensure users actually have private communication. This project aims to advance the state of art and provide a concrete building block for other applications to use and make their application more secure and private. This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. ","url":"https://nlnet.nl/project/katzenpost/","title":"Katzenpost"},{"description":" k3lp Unicode Keyboard3 Layout Parser k3lp (/kɛlp/) is a mobile-first library designed to support parsing and utilizing Unicode Keyboard3 files. 
Keyboard3 is an enhanced and rewritten standard developed by The Unicode Consortium and officially released with CLDR 45. It offers an open and interoperable standard for declaring and sharing keyboard layouts. Although the standard has been available for some time, there is currently no ready-to-use open-source library to effectively utilize these files. This is where k3lp comes into play, aiming to provide an easy-to-use, multi-platform library written in Kotlin 2.0. The library includes all the necessary business logic for layout parsing and streamlining keyboard developers' workflows, however the actual user interface implementation is left to the library consumer. Initially targeting Android and iOS developers in need of keyboard layout logic and tested in the open-source FlorisBoard keyboard, this library is capable of running on all platforms where the JVM runs on or where Kotlin compiles to. The project's own website: https://codeberg.org/k3lp/k3lp This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","url":"https://nlnet.nl/project/k3lp/","title":"k3lp"},{"url":"https://nlnet.nl/project/jitsi3/","title":"Jitsi-FMJ","description":" Jitsi-FMJ Replacing JMF with FMJ Jitsi became a focus project of NLnet as it offers free, open and secure alternative for Skype and similar communication tools. Today it offers chat, Audio/Video calls with SIP and XMPP, and Jitsi is the only tool which does it in a secure way (using ZRTP), on all three major operating systems. At the heart of Jitsi's media service lies the Java Media Framework (JMF) of SUN, which was not released under a FLOSS license. Free Media for Java (FMJ) which was founded by Ken Larson is meant to be a free and open alternative of JMF. 
The goal of this subproject is to continue the work on the FMJ project and take it to a stage where it can be used within Jitsi as a viable alternative of JMF. This would hugely benefit the community: It will essentially provide Java developers with an active, free media library. More importantly however, it will be an essential step toward porting Jitsi to other environments such as Android or porting it as a web application. The project's own website: http://jitsi.org Project of Jitsi, France/Bulgaria "},{"description":" Jitsi-DNSSEC DNSSEC for Jitsi (SIP Communicator) Jitsi (formerly known as SIP Communicator), is a Java based open source VoIP and Instant Messaging client supporting various protocols such as SIP and XMPP. Trying not to be just another SIP client, it incorporates security mechanisms like ZRTP for encrypted media streams (audio, video, desktop sharing, etc.) and OTR for instant messages. While these technologies provide a high level of security for the user data, the signaling metadata is blindly sent to the servers returned from a DNS query. Securing the connection to the server through TLS helps, but the connection can still be compromised when a rogue certificate can be obtained (for example from a government CA). At first sight signaling data seems not important, but looking at the newest developments in the Far East and North African countries it implies that some unfriendly people might only be interested in the metadata. DNS is responsible for converting names into network addresses to locate servers. Users usually receive the addresses of DNS servers from their internet provider. As conventional DNS provides no security mechanisms, a rogue DNS can very easily supply the user with faked responses to requests and therefore redirecting him to an arbitrary server. Jitsi, or any other client application, relies on the replies from the DNS servers. 
When a VoIP account is configured to use a specific server, it passes all traffic to the address obtained from the possibly rogue DNS server. Transporting the metadata over TLS to the server does not really solve the problem as some governments run certification authorities that are trusted by the operating systems and web browsers. A malicious server would therefore silently be able to listen to all metadata traffic. This is where DNSSEC comes into play. DNSSEC can guarantee the integrity and authenticity of replies. A DNSSEC aware client can be sure that a validated response is the one intended by the owner of the requested domain name. This avoids nearly all situations where a server tries to redirect the client to a malicious server. The project will add client side DNSSEC validation and certificate checking to Jitsi, thus making end-to-end SIP communication secure. The project's own website: http://jitsi.org Run by FHNW, the University of Applied Sciences Northwestern Switzerland. ","url":"https://nlnet.nl/project/jitsi2/","title":"Jitsi-DNSSEC"},{"description":" Jitsi Better and Open Source alternative for Skype During the last fifteen months SIP Communicator became a real open source alternative for Skype. It supports Audio/Video calls with SIP (and very soon XMPP), and Instant messaging for almost all popular protocols such as XMPP/Jabber/GoogleTalk, MSN, AIM, ICQ, IRC, Yahoo! Messenger, Bonjour, and more to come (like Facebook). Jingle conference calls and Jingle encrypted calls features are also implemented and being tested. This project is about adding new features to SIP Communicator (soon to be called jitsi) that would take it beyond what's currently possible with Skype, as well as other closed platforms, which would address an even wider span of communications use-cases. Some of these features, like video conferencing, would make it even more unique than it currently is. 
Others, like the support for MUJI and new audio/video codecs, add to its wide interoperability. The list of tasks in this project is: Video conference calls Google mode of operation for Jingle and ICE4J Using HTTPS as a telephony transport Support for H.263plus and VP8 Support for G.722 Completing audio/video calls support with MSN Cross-protocol conference calls Using Outlook, Address Book, and Thunderbird as sources of contact information LDAP support Support for MUJI conference calls The project's own website: http://sip-communicator.org ","url":"https://nlnet.nl/project/jitsi/","title":"Jitsi"},{"description":" Jingle Nodes Jingle Relay Nodes Specifications and Prototypes One of the main goals of the first version of the Jingle Protocol was to create a P2P enabled protocol, depending on XMPP for routing but at the same time able to negotiate sessions and exchange content without main proxy servers. After 5 years we still don't have implementations which support the current specifications in full. SIP on the other hand, is not very efficient and simple to use for P2P connections, but is widely deployed. It is much simpler to install and, although with higher costs, does provide media connectivity. \"Jingle Nodes\" simplifies the erection of (public) relays. It also makes every buddy in your contact list a potential Node. An additional positive aspect is that a client does not need to run its own Relay Node, but only configure its \"usage specification\" (no more than two or three pages), as the application runs on the server side. The project's own website: http://xmppjingle.blogspot.com/ ","url":"https://nlnet.nl/project/jingle-nodes/","title":"Jingle Nodes"},{"url":"https://nlnet.nl/project/jiglibjs/","title":"JigLibJS","description":" JigLibJS JigLib to JavaScript for use with WebGL JigLib is an open source 3D rigid body physics engine. 
So far, most of the web browser implementations of this technology (including open source libraries such as Papervision3d and the ARToolkit) are reliant on closed source 3rd party plugins (Flash, Silverlight, Unity3D etc.). The project will create an open source, community driven port of JigLib to JavaScript for use with WebGL, thus providing a portable API for linking to other WebGL JavaScript libraries such as GLGE. Within the project a demo application showcasing the potential of this library and of WebGL will be produced, this in order to stimulate interest and participation in the open source community. The major aims of this project are: to prove the use of WebGL as a viable replacement for plugins. to help with the implementation of WebGL in browsers by providing regression and performance test results. to stimulate growth in the Open Source community around WebGL by giving them a library and an attractive Demo to work with. to attract and encourage contributors to WebGL by placing all source code and documentation in the public domain using the BSD license for both code and documentation. to stimulate the use of the open standard WebGL (instead of closed solutions such as Flash, Silverlight etc.) by the web development community. to facilitate innovation in 3D physics based UI design and interactivity online. The project's own website: http://www.jiglibjs.org Competa IT "},{"title":"jaq","url":"https://nlnet.nl/project/jaq/","description":" jaq Implementation of jq in Rust with formal semantics JSON is a data format that is frequently used to publish Open Data. jq is a widely used programming language that allows citizens to easily process JSON data. There are several tools to run jq programs, including jq, gojq, and jaq. Of these three tools, jaq is the fastest (judging from several benchmarks), despite having the smallest code base. 
This project centers on improving jaq and the wider jq ecosystem: First, we want to advance the development of jaq, in particular to support more features of jq. Next, we want to make jaq more accessible, by creating JavaScript bindings for jaq. This will allow developers to integrate jaq into websites. Furthermore, this will allow users to run jaq from a browser, respecting their privacy by processing data on their machines. Finally, we want to create formal semantics for jq, based on jaq's execution approach. This will allow users to better understand how jq programs behave. The project's own website: https://github.com/01mf02/jaq This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. "},{"description":" iuh-openbsc An open source implementation of 3G OpenBSC is a project aiming to create a Free Software, (A)GPL-licensed software implementations for the GSM/3GPP protocol stacks and elements. OpenBSC was created by the Osmocom project, a not-for-profit, community-driven project creating various FOSS projects related to mobile communications. OpenBSC is not just a standard BSC, but a GSM network in a box software, implementing the minimal necessary parts to build a small, self-contained GSM network. OpenBSC includes functionality normally performed by the following components of a GSM network: BSC (Base Station Controller), MSC (Mobile Switching Center), HLR (Home Location Register), AuC (Authentication Center), VLR (Visitor Location Register), EIR (Equipment Identity Register). The project's own website: http://openbsc.osmocom.org/trac/ The open source OpenBSC project is both used for research purposes as well as in empowering rural communities to set up their own communication networks. 
The project will add 3G support to OpenBSC to be used with off-the-shelf 3G components, creating the first open 3G stack that would allow anyone to set up their own experimental network. Sysmocom - systems for mobile communications GmbH Alt-Moabit 93 10559 Berlin GERMANY ","url":"https://nlnet.nl/project/iuh-openbsc/","title":"iuh-openbsc"},{"url":"https://nlnet.nl/project/it/","title":"it","description":" it Radically decentralised version control with CRDTs The project summary for this project is not yet available. Please come back soon! The project's own website: https://github.com/kim/it This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. "},{"description":" ISC BIND 9 implementation of DNS protocols with full IPv6 and DNSsec support BIND (Berkeley Internet Name Domain) is an implementation of the Domain Name System (DNS) protocols and provides an openly redistributable reference implementation of the major components of the Domain Name System. The BIND DNS Server is used on the vast majority of name serving machines on the Internet, providing a robust and stable architecture on top of which an organization's naming architecture can be built. The resolver library included in the BIND distribution provides the standard APIs for translation between domain names and Internet addresses and is intended to be linked with applications requiring name service. BIND 9 is mostly compatible with BIND 8 but is a full rewrite. Its architecture has been designed to take advantage of new computer technology (multi-threading) and to provide full support for new features required by IPv6 and DNSsec. 
The project's own website: http://www.isc.org/products/BIND/ The Internet Software Consortium ","title":"ISC BIND 9","url":"https://nlnet.nl/project/iscbind9/"},{"title":"ISC BIND 9","url":"https://nlnet.nl/project/iscbind9/how.html","description":" ISC BIND 9 implementation of DNS protocols with full IPv6 and DNSsec support The BIND 9 development is performed by the Internet Software Consortium and its subcontractors. Funding for this work has been contributed by a variety of computer system vendors, ISPs, the US government and Stichting NLnet. Stichting NLnet has contributed a total of € 347,562 towards BIND 9 development. The first full release of BIND 9, 9.0.0, was released in September 2000. Follow-up releases 9.1.0 to 9.1.3 appeared in January 2001 to July 2001, while the most current full release, 9.2.1, appeared in May 2002. Work is on-going on 9.2.2 (bug fixes) and 9.3.0 (new features). "},{"description":" ISC BIND 9 implementation of DNS protocols with full IPv6 and DNSsec support The Internet Software Consortium (ISC) is a non-profit organization with the aim to produce reference software implementations of essential Internet standards. These implementations are generally of high quality: examples in the area of network production are well known. One of the best known projects of ISC is BIND (\"Berkeley Internet Name Daemon\"), an implementation of the Internet Domain Name Service protocol. BIND is the standard implementation, is a crucial building block for all Internet traffic, and is widely used. In 1998, ISC drew up an implementation plan for BIND 9. In addition to a number of extensions and architectural changes to its predecessor, BIND 8, this plan aims to solve scaling problems due to, for instance, database handling completely in memory. BIND 9 will also provide a solid implementation of Secure DNS; the authentication and verification of database records and name servers. ISC found a number of computer vendors willing to finance this development. 
However, the project's implementation was threatened by significant delays due to the low speed with which contracts and funding could be effectuated. Also, the fear that licensing restrictions may be placed on the new implementation, limiting its widespread availability, was a reason to fund this project. The NLnet Foundation provided an initial subsidy of US$ 85,000 to ISC, which permitted the start of the BIND 9 work in August 1998, and also ensured its widespread availability. At the same time, this has sped up the implementation of a number of DNSSEC security features. In the meantime, the financial support promised by the computer vendors has become available. According to the original plan, the first scalable version of BIND 9 should have been available in May 1999, and the complete production version, including all security features, in October 1999. However, the development effort has been seriously underestimated. According to the revised project plan, a complete release of BIND 9 will be available around May/June 2000. In July 1999, Stichting NLnet has provided ISC with a guarantee of US$ 500,000 to cover additional development costs which possibly couldn't be recovered from other subsidies or development income, under the condition that the BIND 9 code was published under BSD licensing conditions. The NLnet Labs, another project initiated by Stichting NLnet, has worked on the evaluation and deployment of secure DNS systems based on the BIND 9 implementation. ","title":"ISC BIND 9","url":"https://nlnet.nl/project/iscbind9/description.html"},{"description":" Handling Data from IPv6 Scanning Scanning tools for scaling up IPv6 scans Scanning is state of the art to discover hosts on the Internet. Today’s scanning relies on IPv4 and simply probes all possible addresses. But global IPv6 adoption will render brute-forcing useless due to the sheer size of the IPv6 address space, and demands more sophisticated ways of target generation. 
Our team developed such an approach that generally allows probing all subnets in the currently deployed IPv6 Internet within reasonable time. Positive responses are however scarce in the IPv6 Internet; thus, we include error messages in our analysis as they provide meaningful insight into the current deployment status of networks. First experiments covering only parts of the Internet were promising and at least 5% of our probes trigger error messages. However, a full scan would lead to approx. 10^14 responses causing Petabytes of data, and demands an adequate solution of data handling. In this project, we will develop a data storage and analysis solution for high-speed IPv6 scanning. It will process the high amount of received data concurrently with scanning, and provide continuous results while scanning for long periods. This effort enables full scans of the IPv6 Internet. The project's own website: https://scanning.sba-research.org/ Why does this actually matter to end users? The internet, when you put it very simply, is like a phone book. If you want to reach someone, you pick up the phone (or fire up your device) and call a specific number (type in a website or email address with a particular domain name). Now that not only our computers need addresses, but also our phones, televisions, and even our refrigerators, we have been quickly reaching the point where the phone book becomes full. Luckily, there are ways to make the phone book of internet addresses a great deal larger, so that there are thousands of times more addresses for all the sensors and devices we are currently installing everywhere around us. Switching from the old to the new phone book is not without problems however, and the new address space is actually so massive, we can hardly keep track of it all. This project takes a smart approach to scanning new internet addresses and will help us keep tabs on how the 'new' internet is doing. 
Run by SBA Research This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. ","url":"https://nlnet.nl/project/ipv6scanning/","title":"Handling Data from IPv6 Scanning"},{"title":"Internet of Coins","url":"https://nlnet.nl/project/internetofcoins/","description":" Internet of Coins Create a decentralized, self-sustaining economy by implementing inter-blockchain connectivity Internet of Coins is an environment for personal finance. As a decentralized open source platform it enables an optimally inclusive financial network, interlinking all digital forms of value. It allows you to trade digital assets and currencies peer to peer, with an easy to use interface and the opportunity to earn fees by participating as an allocator. The project's own website: https://commonsconservancy.org/programmes The present cryptocurrency industry is fragmented and potentially at risk of becoming financially and politically centralized. Internet of Coins wants to integrate different token value systems into an interconnected and financially liquid web. More about the Internet of Coins Programme at The Commons Conservancy. A collaboration of: "},{"title":"All projects","url":"https://nlnet.nl/project/","description":" All projects Since 1997 NLnet foundation has funded many projects, on many different layers of the internet as well as on capacity building, standards setting, open hardware, software licenses and education. 
Projects supported by NLnet foundation include: project fund start end #Seppo! NGI0 Entrust 2022 Portable ActivityPub implementation (H)IDE for Guile Hoot NGI0 Commons Fund 2026 Scheme on WASM /kbin NGI0 Entrust 2023 Mobile app and feature additions to /kbin 0cpm 2013 0cpm, open firmware for digital telephony 0KNOW NGI Assure 2022 2024 Group Theoretic Zero-knowledge Proofs (0KNOW) 0WM NGI Zero Core 2024 Measure and visualize Wi-Fi coverage 5C NGI0 Commons Fund 2025 Continuous Code Compliance Control Center 802.11n feature of openwifi NGI0 PET 2020 2020 Open Hardware implementation of wifi A Distributed Software Stack For Co-operation NGI0 Discovery 2019 2020 Facilitating easy ad hoc cooperation A proof of concept of identity-based encryption NGI0 PET 2019 2019 Make encryption simpler A Secret Key Store for Sequoia PGP NGI Assure 2021 2024 Standards-compliant private key store for OpenPGP A-A-P 2003 tools for developing, distributing, and installing software AALT (Accelerated Analog Layout Tool) NGI0 Entrust 2023 More efficient analog layout generation for chips Abelujo NGI TALER Fund 2026 Abelujo - free software for bookstores AbiCollab 2013 AbiWord Telepathy and SIP backends AbiMacOS 2011 Port Abiword to MacOS AbiRDF 2012 Abiword RDF AbiRDF2 2013 Abiword RDF-2 Accessible KDE File Management NGI0 Commons Fund 2025 Accessible file dialogs throughout KDE applications Accessible security NGI0 PET 2019 2022 Integration effort of independent security efforts like Qubes, Heads, coreboot, etc ActivityPods NGI0 Entrust 2023 2025 Framework for fully-decentralized social apps, combining ActivityPub and Solid Pods ActivityPods 3.0 NGI0 Commons Fund 2025 Encrypted 
Solid-compatible Pods ActivityPub community steward Open Social Fund 2025 2026 ActivityPub Polls for WordPress NGI0 Commons Fund 2025 WordPress plugin for social polls ActivityPub Quote Posts NGI0 Entrust 2024 Quote Posts in ActivityPub and Mastodon Ada Bootstrap Compiler NGI0 Commons Fund 2025 Full source bootstrap for Ada Adding 32-bit ARM support to QBE and Hare NGI0 Commons Fund 2025 Full Arm32 support for QBE compiler Adding redaction to Cpdf NGI0 Commons Fund 2026 Robust, standards-compliant PDF redaction Adding TPM Support to Sequoia PGP NGI Assure 2021 2022 Implement use of TPM 2.0 crypto hardware for OpenPGP Adding Web-of-Trust Support to PGPainless NGI Assure 2022 2023 Web-of-Trust specification support for Java Adera NGI0 Discovery 2021 2022 Relevant scientific research results Adno NGI0 Commons Fund 2026 Annotate and share curated cultural and scientific content Adopting the Noise Key Exchange in Tox NGI Assure 2021 2024 Improved security of Tox instant messaging with NoiseIK Advanced UEFI Capsule Update for coreboot with EDK II NGI0 Commons Fund 2025 Secure firmware updates, also via fwupd AEAP NGI0 Discovery 2020 2022 Automated e-mail address porting to a new provider Aerogramme NGI Assure 2022 2024 Standards-compliant open-source IMAP server with server-side encryption Aerogramme 1.0 NGI0 Commons Fund 2025 Standards-compliant, reliable and secure groupware AGFL 2002 parser generator system for natural languages Agorakit NGI0 Entrust 2023 Groupware which is a friendly online home to communities AHA! 
2003 transparent adaptive functionality for web servers AI Horde NGI Zero Core 2023 Collaborative infrastructure for running generative AI models AI-VPN NGI0 PET 2020 2022 Local machine-based learned analysis of VPN traffic Aiohttp type checking NGI0 Commons Fund 2025 2026 Improve typechecking for Aiohttp HTTP Client/Server framework Alaveteli GDPR and Search NGI0 Commons Fund 2025 Better search and redacting capabilities for Alaveteli FOI request portal Alder Lake Desktop NGI0 PET 2022 2022 Open firmware for widely used Desktop/Workstation motherboard AlekSIS NGI0 Entrust 2023 All-libre extensible kit for school information systems AlekSIS: Integration and Communication NGI Zero Core 2025 SCIM, timetables and other features for AlekSIS ALIAS 2003 analysis of legal and technical implications of the use of software agents Alive2 NGI Zero Core 2023 2025 Translation validation for LLVM allowd NGI0 Commons Fund 2025 Memory-safe policy rules using D-Bus Alps Webmail NGI0 Commons Fund 2025 Minimalist open source webmail in Go Amaranth HDL NGI0 Commons Fund 2025 Design FPGAs and ASICs in Python Ambulant 2007 providing a reference SMIL 3.0 implementation An OpenScience flavour of Bonfire on NixOS for preprints NGI0 Commons Fund 2025 Discuss preprints based on W3C ActivityPub federation Analog/Mixed-Signal Library NGI0 PET 2021 2022 OSHW component library for ASIC design Anchorboot NGI0 Entrust 2023 2025 Pre-built UEFI replacement firmware for ARM-based ChromeOS devices using coreboot/U-Boot Androguard NGI Mobifree Fund 2025 Static and dynamic analysis of Android apps Android translation layer (ATL) NGI Mobifree Fund 2024 Run Android apps on Linux Anomos 2011 a pseudonymous, encrypted multi-peer-to-peer file distribution protocol Anonymisation for Data Donations NGI Assure 2022 2024 Facilitate platform scrutinization through anonymised data contributions Apicula NGI0 Entrust 2022 2024 Open source tools for working with Gowin FPGAs Apicula IO primitives NGI0 Entrust 2023 
2025 Add additional IO primitives to libre Gowin FPGA tools APKpatcher/PyAxml NGI Mobifree Fund 2025 Support tool to manipulate APK and AXML file AppBundler NGI Zero Core 2024 2026 Package (graphical) Julia apps for all platforms Arcan-A12 NGI0 Entrust 2022 2025 Explorative p2p protocol for fast and secure remote desktops Arcan-A12 Directory NGI Zero Core 2024 Server side scripting API for Arcan's directory server Arcan-A12 Endpoints NGI0 Commons Fund 2026 Unifying distributed remote desktops Arcan-A12 Tools NGI Zero Core 2024 A12 clients for different platforms and devices such as drawing tablets Archiyou NGI0 Commons Fund 2025 Parametric design and building AREXERA Crawler NGI0 Discovery 2021 2022 C++ based web crawler Ari NGI Assure 2023 2024 Purely functional programming language designed to \"type\" binary files Arkin NGI0 Commons Fund 2026 Optical Tweezers Microscope Armbian User-operated Internet Fund 2021 Versatile OS for ARM-based single board computers ARMify NGI0 Entrust 2023 2025 Auto-Identification of MCU Models to Simplify ARM Bare-Metal Reverse Engineering ARPA2 2017 Working towards a decentralised global internet that offers security and privacy by design. ARPA2 LDAP Middleware NGI0 PET 2019 2022 Privacy enhancing middleware ARPA2 resource ACL and HTTP SASL modules for NGINX NGI0 PET 2019 2019 Extend consistent access control to NGINX webserver ARPA2 Steamworks Internet Hardening Fund 2017 2019 ARPA2 Steamworks ARPA2 Steamworks Near-instantaneous controlled configuration settings over any network ArtistHub NGI0 Discovery 2020 2020 Allow creative artists to gain visibility and build reputation on the web Assessing Cyber Security 2015 This report aims to assess what we know about cyber security threats based on a review of 70 studies published by public authorities, companies, and research organizations from about 15 countries over the last few years. 
It answers the following questions: what do we know about the number, origin, and impact of cyber attacks? What are the current and emerging cyber security trends? And how well are we prepared to face these threats? Asynchronous ESP32 802.11 MAC NGI0 Commons Fund 2025 IEEE 802.11 MAC Stack for ESP32 family chips in Rust Atom-Based Routing 2003 Improving global internet routing by implementing atom-based routers. Atomic Data NGI Assure 2021 2023 Typesafe handling of LinkedData Atomic Tables NGI0 Entrust 2022 2023 Self-hostable tabular structured data solution AtomicServer Local-First NGI0 Commons Fund 2025 AtomicServer Local-First Headless CMS Audio/Video Calls in Libervia NGI Assure 2022 2024 Encrypted Audio/Video Calls in multi-frontend XMPP client Authenticated DNSSEC bootstrapping NGI Assure 2022 2024 Secure in-band announcements of DNSSEC parameters Authlib NGI0 Commons Fund 2025 Reliable OAuth and OIDC handling in Python Autocrypt for Thunderbird NGI0 PET 2019 2022 Make email encryption extremely simple Autogram 2.0 NGI0 Commons Fund 2026 Create and validate eIDAS-compliant digital signatures Automate FOSS license compatibility determination NGI Zero Core 2024 Check software projects for license (in)compatibility + compliance Automated clearing of source code files Binary Analysis Fund 2022 More efficient retrieval of security and license compliance contextual information Automatic component and via placement for Topola NGI0 Commons Fund 2026 Complete PCB schematic-to-layout flow Automating mobile app interception with Frida NGI0 Entrust 2022 2024 Mobile app network introspection for security research Automerge NGI Zero Core 2023 Add Merkle Search Tree support to Automerge AVantGaRDe NGI0 Entrust 2023 Reliable Foundations of Local-first Graph Databases Bab NGI0 Commons Fund 2025 Efficient proof of validity of streamed data Babelia NGI0 Discovery 2021 2022 Search engine and crawler in Scheme Back to source: trust but verify all the packages NGI0 Entrust 2023 
2024 Analysis pipeline for mapping and cross-referencing binaries with source code Back2Source next NGI Zero Core 2024 Better matching of binaries with source code badkeys NGI Zero Core 2024 Detect compromised cryptographic public keys Balthazar NGI0 PET 2019 2022 One laptop for the new internet age. Balthazar - One laptop for the new internet age. NGI0 PET 2020 2022 A secure fully open hardware laptop Balthazar Casing NGI0 Entrust 2022 2024 Open hardware laptop Bana NGI0 Entrust 2023 2025 Personal network oriented ActivityPub powered social networking BB3-CM4 NGI0 Entrust 2022 2024 CM4 compatible MCU board BB3-CM5 NGI0 Commons Fund 2025 Modular OSHW test & measurement equipment BBBsecureChat NGI0 PET 2020 2022 Add E2EE instant messaging to Big Blue Button meetings Bcachefs NGI0 Entrust 2023 Next generation file system Bcachefs userspace integration NGI0 Commons Fund 2025 Next generation filesystem BeaconDB NGI0 Commons Fund 2025 Libre wireless positioning database Bertie NGI Assure 2022 2024 Formally verified TLS 1.3 implementation betrusted NGI0 PET 2019 2019 A protected hardware device for your private matters. 
Betrusted OS NGI0 PET 2019 2022 An embedded OS for cryptographic devices Betrusted software NGI0 PET 2019 2022 A minimalist and secure OS for embedded communication devices Betrusted Storage NGI0 PET 2020 2022 Plausibly deniable encrypted storage Better support for display notches and cutouts in Phosh NGI Zero Core 2025 Better custom shape screen support for Wayland Betula Open Social Fund 2025 bewCloud NGI Fediversity Fund 2025 2025 Light-weight self-hosted cloud storage and productivity bhyve idle load mitigation NGI0 Commons Fund 2026 Reduce overhead on bhyve Type-2 hypervisor BIDS: Binary Identification of Dependencies with Search NGI Zero Core 2024 Identify known open source elements present in binaries BigBlueButton server-side plugins NGI0 Commons Fund 2025 Server-side extensions for BBB videoconferencing tool binary-analysis-ng improvements Binary Analysis Fund 2019 2022 Integrate Kaitai in binary-analysis-ng BIND DLZ 2005 BIND 9 Dynamically Loadable Zones implementation Bitmask NGI0 PET 2019 2019 User-friendly and secure VPN configuration Bits of Freedom 2006 support for Bits of Freedom BlenderWeb 2009 free 3D animation and compositing suite Blind crypto and OAuth2 for ARPA2 NGI0 Commons Fund 2025 Advancing HTTP-SASL and keyless identity Blink for Windows NGI0 Entrust 2024 Modern cross-platform SIP client Blink Qt Messaging NGI Assure 2021 2024 Add modern encryption to SIP softphone Blink RELOAD NGI0 Discovery 2019 2022 Secure P2P real-time communications with RELOAD Blitz - a modular web renderer NGI Zero Core 2024 Rust-based browser engine BlockNote NGI0 Entrust 2023 A modern, open source Block-based editor bluetuith NGI Zero Core 2024 Bluetooth connection/device manager for the terminal Bonfire federated groups NGI0 Entrust 2022 2025 Create, join and manage federated groups across instances Bonfire Framework NGI0 Entrust 2023 2025 Elixir-based ActivityPub implementation and library with groups and RBAC Bonfire Search & Discovery NGI0 Discovery 2021 
2022 Improving search and discoverability in the Fediverse Borg - European Graphics Processing Unit NGI0 Commons Fund 2025 Foundational workflow for an open-source GPU Bottles NGI0 Commons Fund 2025 Bridges the gap between Linux and Windows software BrailleRAP NGI0 Entrust 2024 Low-cost open hardware for creating Braille content BrailleRAP NGI0 Commons Fund 2026 Open source Braille and graphics embosser Briar NGI0 PET 2019 2020 A secure messaging app with offline capabilities Briar Desktop NGI Assure 2022 2023 E2EE online and offline messaging and discussion Bricophone 2009 community-oriented mobile phone infrastructure Bring x86_64-gnu (the 64bit Hurd) to Guix NGI0 Commons Fund 2025 2026 Port Guix to the GNU Hurd microkernel Bromal NGI0 Commons Fund 2026 Lightweight messaging server for Matrix protocol BrowserAudit NGI Zero Core 2024 2025 Test common security standards and features in browsers Bubble-up NGI0 Commons Fund 2024 Declarative schema migrations for sqlite databases Bugbane NGI Mobifree Fund 2025 App for self-conducting device forensics on Android devices Build Transparency (Trustix) NGI0 PET 2020 2020 Towards a decentralized supply chain for software Building blocks for Resilient Time NGI0 Commons Fund 2025 Implement NTPv5 in ntpd + bootstrap procedure bzip2 in Rust e-Commons Fund 2024 2024 Memory safe implementation of bzip2 compression algorithm C/C++ Package Registry NGI0 Commons Fund 2025 Common registry for software written in C/C++ Cable NGI Assure 2022 2024 A new wire protocol for cabal (and beyond) cables.gl NGI0 Entrust 2024 2025 Creative tool for graphics and 3D content cables.gl editor features NGI0 Commons Fund 2025 Create beautiful, interactive, visual web content CAcert support for CAcert CAIEC 2008 Investigate information offered by consumer organisations CAKE-MAINT NGI Zero Core 2024 Improve network queue management algorithms on Linux CalDAV Notes NGI0 Commons Fund 2026 Standards-based approach to notetaking leveraging VJOURNAL 
Calligra-SVG 2012 Improve fallback mechanisms in Calligra ODF loading and saving. Calligra-Windows 2012 Bringing Calligra Suite to Windows Canaille NGI0 Entrust 2022 2025 Zero-knowledge opinionated OpenID Connect (OIDC) server. Canarytail User-operated Internet Fund 2021 Warrant canary standardization and automation CanIWebView NGI Mobifree Fund 2025 Contributing to standardisation of WebView in W3C Capability-based security for Redox NGI0 Commons Fund 2025 Capsicum style capabilities in Redox CARGO NGI0 Commons Fund 2025 Automatic Generation of Analog + Mixed Integrated Circuits with Coriolis Cartes NGI Zero Core 2024 Modern web map application with transit support Caster NGI0 Entrust 2022 Open-hardware high-refresh-rate electrophoretic display controller Castopod NGI0 Discovery 2020 2022 Podcasting in the fediverse Castopod Mobile NGI0 Discovery 2021 2022 User-friendly mobile podcasting application Castopod Plugins NGI0 Entrust 2023 2025 Add plugins to the Castopod podcast server Catalogs in MariaDB NGI0 Entrust 2023 Enable true multi-tenancy in the MariaDB database Cell broadcast support for the Linux Mobile Stack NGI0 Entrust 2024 2025 Implement SMS-CB for emergency messages on Linux CeroWRT 2018 an experimental firmware to push forward the state of the art of edge networks and routers. 
CeroWRT II User-operated Internet Fund 2021 2022 Make Wi-Fi routers faster and more reliable Certbot ECDSA support Internet Hardening Fund 2020 2022 Charon NGI0 Entrust 2022 2025 Privacy-enabling account management and SSO solution Chips4Makers ASICs NGI0 PET 2019 2019 Choreographic Programming: From Theory To Practice NGI Assure 2023 2024 Generating a standard library of core distributed algorithms with formal proofs Circuit Painter NGI0 Commons Fund 2025 Creative tool for programmable PCB creation CityBikes NGI0 Commons Fund 2024 Open access API for bike sharing information claim.li NGI0 Commons Fund 2025 Decentralised annotation tool based on Dokieli ClassQuiz NGI0 Commons Fund 2025 Libre quizzing tool Clearance NGI0 Commons Fund 2025 Curating changes to OpenStreetMap data of interest Client Proof-of-Work in TLS NGI Zero Core 2024 Mitigation against DoS amplification on the TLS handshake Cloud hosting service portability NGI0 Entrust 2023 Service portability for cloud hosting platforms CNSPRCY NGI Assure 2022 2024 E2EE connections between trusted devices COCOLIGHT NGI Zero Core 2024 Lightweight version of Communecter Code Genetics NGI0 Commons Fund 2025 Scanning tool for identifying code origins CodeYard 2008 Open-Source software development for students in secondary education Coko Docs NGI Assure 2022 2024 A modern, open source replacement for Google Docs and Drive Collabora Online and LibreOffice NGI0 Discovery 2021 2022 Improved visual document search for cloud service Collabora Online Multi-user Infinite Canvas NGI0 Commons Fund 2024 Infinite Canvas / collaborative presentation mode for Collabora Online Collabora Online/LibreOffice Accessibility NGI0 Entrust 2023 2023 Private and accessible collaborative editing with Collabora Online/LibreOffice Collation + i18n support in musl libc NGI Zero Core 2024 Complete POSIX internationalised functions in musl libc Collection of Verified multi-platform Gatewares NGI Zero Core 2024 Comprehensive repository of open 
source gateware designs Coloquinte NGI0 Entrust 2022 High performance placement of cells inside digital electronic circuitry Commune NGI0 Entrust 2023 2025 User-friendly persistent chat/voice rooms Condensation Data System NGI Assure 2022 2024 CRDT-driven data store that guarantees data ownership Conferences 2010 Sponsoring of various conferences Configurable Communication Channels for qaul NGI0 Commons Fund 2025 Distributed messaging over verifiable P2P channels Connect by Name NGI0 Discovery 2020 2022 Library for easy connection setup Connected Places Open Social Fund 2025 All the news happening in the Fediverse Contributron NGI TALER Fund 2025 Privacy aware donation portal with Taler payments Control plane for Nix-based systems NGI Zero Core 2024 Dynamic system management and orchestration with Nix Converged Security Suite +AMD NGI0 Entrust 2023 Add AMD support to Converged Security Suite Converged Security Suite Improvements NGI Assure 2022 2023 Open source tooling for BIOS configuration Conversations NGI0 PET 2019 2020 A secure mobile messaging client Conversations 3.0 NGI Assure 2022 2024 Secure and standards-compliant XMPP client for Android Converse XMPP Chat on Mobile NGI0 Commons Fund 2025 Embeddable XMPP client for mobile usage Convo XMPP client NGI0 Commons Fund 2025 Federated E2EE messaging for KaiOS feature phones Conzept encyclopedia NGI0 Discovery 2021 2022 An alternative encyclopedia Coreblocks RISC-V processor core NGI0 Commons Fund 2026 Out-of-order RISC-V processor in Amaranth Corteza Discovery NGI0 Discovery 2021 2021 (Geo)search and discovery within federated services CP2PC 2003 common programming interface for peer-to-peer systems CPAN6 2011 collecting collections of digital information Cpdf Accessibility NGI0 Entrust 2024 2025 Implement PDF/UA in cpdf CRAVEX NGI0 Entrust 2024 2025 Cyber Resilience Application for Vulnerability Exploitability Exchange CRAVEX 2 Code Reachability NGI Zero Core 2025 Do vulnerable dependencies actually impact 
security or not? CRAVEX integration NGI Zero Core 2025 Integrated vulnerability exploitability management Cross-root ARIA NGI Zero Core 2024 2026 Standardisation for Accessibility when using Shadow DOM Cryptech.is 2015 An open source open hardware security module to protect communications CryptoLyzer NGI Assure 2022 2023 Cryptographic settings analyzer library CryptoLyzer IKE NGI Zero Core 2024 Add IKE protocol to CryptoLyzer protocol analyser CryptPad NGI0 PET 2019 2019 Real-time collaboration with client-side encryption CryptPad Auth NGI Assure 2021 2024 Implement external identity mechanisms to E2EE collaborative editor CryptPad Auth Improvements NGI Assure 2024 2024 Better user management, 2FA and SSO for CryptPad CryptPad Blueprints NGI0 Entrust 2022 2024 Server-side encrypted collaborative editor CryptPad for communities NGI0 PET 2019 2019 Collaborative web editor with client-side encryption CryptPad Notes NGI0 Commons Fund 2025 E2EE collaborative rich text editor CryptPad Quality Test Suite NGI Assure 2024 2024 Continuous testing of critical CryptPad functionality CryptPad Scalable Server NGI0 Commons Fund 2025 Improve the architecture of CryptPad CryptPad WCAG NGI Assure 2024 2024 Accessibility improvements to CryptPad suite CryptPad: Project Dialogue NGI0 PET 2020 2020 Secure surveys and polls for Cryptpad CUGAR 2011 Implement a Wireless Access Point and a back-end CurveForge NGI0 Commons Fund 2026 Add optimized post-quantum arithmetic to cryptographic toolkit CuteHIP 2010 lightweight implementation of Host Identity Protocol (HIP) on Java DANCE4All NGI0 Entrust 2023 Implement DANCE specification in GnuTLS and MbedTLS Darkstar NGI Zero Core 2025 Open source vulnerability management solution Dat Private Network NGI0 PET 2019 2022 Private storage in DAT Data Package implementation in TypeScript NGI0 Commons Fund 2025 2025 Reference implementation of data definition language and data API Data packages NGI0 Entrust 2023 2024 Specification + improved tooling for 
external data set descriptions DataLab NGI Zero Core 2024 2025 Scientific platform for signal and image processing + visualisation DataLab Experimental Web interface (DEW) NGI0 Commons Fund 2026 Scientific platform for processing and analysing signals and images DATALISP NGI Assure 2022 2024 Universal data interchange format using canonical S-expressions DatamiPods NGI0 Commons Fund 2024 Visualisations for (federated) Solid data DAVx⁵ WebDAV Push NGI0 Entrust 2022 Share Contacts, Calendars, Tasks, Notes & Journals DCnets NGI0 PET 2019 2019 Implementation of Dining Cryptographers Network Debug Adapter with Nix NGI0 Entrust 2023 Implement the Debug Adaptor Protocol for Nix Decibel 2007 service architecture for multi-media based communication Decidim revamp NGI0 Commons Fund 2024 Tools for participatory democracy Deep Firmware 2017 Active discovery of known and unknown security vulnerabilities in firmware Delta Tauri NGI0 Entrust 2023 2025 DeltaChat implemented in Tauri DeltaBot NGI0 Discovery 2019 2020 Social discovery over mail-based chat DeltaChat/WebXDC NGI0 Entrust 2022 2024 Portable private apps that can be shared in e.g. 
chat DeltaTouch NGI0 Entrust 2024 2025 DeltaChat on UBports mobile phones Democratic SendComm NREN 2017 Easy to use connected open hardware device Detecting Forged-Origin BGP hijacks NGI Zero Core 2024 2025 Probabilistic detection of BGP hijacking DeviceCode NGI0 Entrust 2024 2025 Structured technical information about consumer devices dhcpcanon NGI0 PET 2019 2022 Network configuration with better privacy Diesel NGI Zero Core 2024 2025 Safe and performant query builder and ORM written in Rust Diesel CLI NGI0 Commons Fund 2026 Safe and performant database queries in Rust DIFR-TSPM 2009 a demonstrator of a different way to inform consumers about the RFID tags DIME Internet Hardening Fund 2017 2019 A new encrypted, end-to-end email protocol Dino NGI0 PET 2020 2022 User-friendly and secure instant messaging Dino NGI0 Commons Fund 2025 User-friendly and secure instant messaging based on XMPP Discourse ActivityPub NGI0 Discovery 2019 2022 Connecting internet discussions with ActivityPub Discover and move your coins by yourself NGI0 Discovery 2019 2019 A safe way to explore and work with cryptocurrency forks Distributed GNU Shepherd NGI0 Entrust 2024 A Secure Distributed System Layer for Networked Cluster Computing Distributed Mechanism Learning NGI Assure 2021 2024 Privacy preserving ways of distributed data usage Distributed object programming in Dart NGI0 Commons Fund 2025 Easily create peer-to-peer and federated software Distributed Private Trust NGI0 PET 2019 2019 Decentralised trust and reputation system Distributed Trust for Web Servers NGI0 PET 2020 2022 Establishing a Distributed Trust Authority django-allauth NGI0 Entrust 2023 2025 Versatile authentication for Django DjNRO upgrade and wifi mapping NGI0 Commons Fund 2025 Find nearby wifi access points in federated wifi communities DMT NGI0 Entrust 2023 Implementation of MOSFET Parameter Extraction Flow for Sky130 into DMT DNSCCM 2012 DNS NSCP implementation for BIND and NSD DNSSEC Key Signing Suite NGI0 PET 2019 
2022 A best practise for DNSSEC Key Signing DNSSEC-mail 2013 DNSSEC for OpenDKIM and OpenDMARC DNSvizor NGI0 Entrust 2023 2025 Privacy-enhanced DNS resolver and DHCP server DocSpec to Rust/WASM NGI0 Commons Fund 2026 Document conversion SDK for rich text formats Dokieli NGI0 Entrust 2024 2025 Decentralised article publishing, annotations and social interactions Dokieli Collaborative NGI0 Commons Fund 2025 Secure decentralised and collaborative content authoring Dolphin authorisation NGI0 Entrust 2023 2025 Avoid privilege escalation in the Dolphin file manager Domain-specific LabPlot NGI0 Commons Fund 2026 Domain specific visualisations and fit models for LabPlot Domino: Security Proofs that Scale NGI0 Commons Fund 2026 Analysis and verification of real-world cryptographic protocols Donations smaller contributions to various activities Dowse 2016 Dowse is a smart digital network appliance for home based local area networks. Draupnir NGI Zero Core 2024 Moderation bot for Matrix servers dream2nix NGI Assure 2022 2024 Automate reproducible packaging for various language ecosystems DRTM implementation for AMD processors NGI0 PET 2020 2020 Unified framework for dynamic RTM Drupal ActivityPub integration NGI Fediversity Fund 2024 More comprehensive W3C ActivityPub support in Drupal Drupal ActivityPub module usability enhancements NGI0 Commons Fund 2026 Improved UX and Client-to-Server capabilities for Drupal ActivityPub Drupal ActivityPub Social Recipe NGI0 Commons Fund 2025 Add ActivityPub capabilities to existing Drupal sites Dual SIM for Mobile Linux NGI0 Commons Fund 2026 Support multiple SIM cards in open mobile OS-es Dual-level Specification Inference NGI Assure 2022 2024 Make formal verification more practical with dual-level Specification Inference DUT Control NGI0 Entrust 2023 2025 Unified Control Interface for Firmware Security Tests dweb-search NGI0 Discovery 2021 2022 Index DHT based distributed webs Dynamic indexing for real time graph database NGI0 Discovery 
2021 2022 Provide faster query results through algorithmic preprocessing E-Paper Open Standards (EPOS) NGI0 Commons Fund 2026 Standards, reference implementation and test suite for e-paper e-Passports 2009 use of (hardware) electronic passports for user authentication over internet E2EE OCapN Federated Relays NGI0 Commons Fund 2025 Add relays to OCapN's capability-based networking Earthstar NGI Assure 2021 2022 P2P protocol and APIs for collaborative and social applications Earthstar (Encryption, Safety, and Local Sync) NGI Assure 2022 2024 Improve security, encryption and sync capabilities in Earthstar CRDT Easy Transit 2 NGI Mobifree Fund 2025 Public transit navigation app with some offline capabilities EcoNet Linux NGI0 Commons Fund 2025 Add Linux kernel support for EcoNet MIPS processors Edalize ASIC backend NGI0 PET 2020 2022 Create open hardware silicon with a fully free software toolchain EDeA NGI0 Entrust 2022 Repeatable, automated measurement data capture EDeA NGI0 Discovery 2020 2022 A forge suitable for open hardware development EduLuanti NGI0 Entrust 2024 2025 Education platform centered around 3D/cube world Luanti eduP2P Test Suite VPN Fund 2024 System, integration and performance tests for eduP2P eduVPN Making secure VPN network technology available to everyone eduVPN Accessibility & UX Improvements VPN Fund 2025 Inclusive and user-friendly design for eduVPN eduVPN app VPN Fund 2019 2019 Add Wireguard protocol to federated VPN suite eduVPN multi-protocol VPN Fund 2019 2019 Review of the eduVPN multi-protocol project. 
eduVPN on Apple VPN Fund 2020 2020 eduVPN for Apple devices eduVPN on Apple part II VPN Fund 2020 2020 Improved version of eduVPN for Apple devices EEZ DIB NGI0 PET 2020 2022 EEZ DIY Instrument Bus EEZ flow for EEZ Studio NGI0 Entrust 2023 Open Hardware Test & Measurement equipment EEZ Studio NGI0 Entrust 2022 2023 Open source tooling for measurement and test equipment EGIL SCIM client NGI0 PET 2019 2019 System for Cross-domain Identity Management Ejabberd Great Invitations NGI0 Commons Fund 2025 More pleasant user registration for ejabberd XMPP server Element Call on Cisco Room hardware NGI0 Commons Fund 2026 E2EE Matrix video conferences on existing Cisco hardware ELF Linking Analytic tools for UNIX' Executable and Linkable Format ELF tools in Rust NGI0 Entrust 2024 Porting patchelf and install_name_tool to a flexible Rust crate Elliptic curve encryption speed-up using SIMD NGI0 Entrust 2024 Low-level instruction optimisation for curve25519-dalek & Arkworks Elm Matrix SDK NGI0 Entrust 2023 Better moderation for Matrix rooms and servers elRepo.io - Resilient, distributed content sharing NGI0 Discovery 2019 2022 Resilient, human-centered, distributed content sharing and discovery. 
Email <=> XMPP gateway NGI Zero Core 2023 2025 Bridge instant messaging with email Email for expert news NGI0 Discovery 2021 2022 Keep up to date with a flow of publication Embeddable Common Lisp NGI0 Commons Fund 2025 Common Lisp for browser environments embedded-cal NGI0 Commons Fund 2025 An embedded systems-friendly verified crypto provider EMerge NGI0 Commons Fund 2026 Open Source tool in Python for RF Finite Element simulation Empowering Mobilizon NGI0 Commons Fund 2025 Find, create, organise and curate events Encaya NGI Zero Core 2024 TLS interop with alternative/decentralised CA mechanisms Encoding for Robust Immutable Storage (ERIS) NGI Assure 2021 2024 Encrypted and content-addressable data blocks End-To-End Encryption for Jitsi Meet NGI0 PET 2020 2022 Proven strong encryption for open source video conferencing End-to-end NixOS boot security NGI Fediversity Fund 2025 Ensure whole-system security with verified boot for NixOS configurations Enhance the vulnerability database NGI Zero Core 2024 Enhance the VulnerableCode vulnerability database Enhancing Firefox for Linux on Mobile NGI Zero Core 2024 Mobile native feature-complete Firefox Enhancing vula and related libraries NGI0 Commons Fund 2025 Automatic local network encryption for IPv4/IPv6 with PQC Enhancing vula with IPv6 and REUNION rendezvous NGI0 Entrust 2024 2025 IPv6, hybrid post-quantum improvements & REUNION support for Vula EPE (Ecran-Papier-Editer | Screen-Paper-Editing) NGI0 Commons Fund 2024 Creative libre software tools for print media ePoc NGI0 Commons Fund 2026 Micro learning platform for decentralized educational resources Erik Synchronization Protocol for RPKI NGI0 Commons Fund 2025 Protect BGP with Resource Public Key Infrastructure signatures ERPnext TALER payment gateway NGI TALER Fund 2025 Refactor ERPnext payment module and integrate Taler Etebase - protocol and encryption enhancements NGI0 PET 2020 2020 Redesign EteSync protocol and encryption scheme EteSync - iOS application NGI0 
PET 2019 2019 Encrypted synchronisation for calendars, addressbook, etc EU Voice-Video case study Open Social Fund 2024 Integrating Fediverse into Public Administration Event Federation Plugin for WordPress NGI0 Entrust 2023 Add ActivityPub to events created with most common WordPress event plugins EventFahrplan NGI0 Entrust 2022 Conference schedule app with strong offline capabilities EventFahrplan NGI Zero Core 2024 User-friendly mobile event app Every Door NGI0 Commons Fund 2024 Efficient and customizable mobile OpenStreetMap editor EVQI NGI0 Commons Fund 2025 Unified data exchange for electric vehicle charging Expanding the Felix86 emulator NGI0 Commons Fund 2026 x86 and x86-64 userspace emulator for RISC-V Linux Explain NGI0 Discovery 2019 2022 Deep search on open educational resources Explain Direct Providing effective and efficient access paradigms for open educational material Extend EFI support in BSDs NGI0 Discovery 2022 2022 Bring automated firmware update to BSDs Extending PeerTube NGI0 Discovery 2019 2019 Adding advanced search capabilities to PeerTube Extensive openwifi support for OpenWRT NGI Zero Core 2024 Software Defined Radio Wifi for OpenWRT routers Exter NGI Zero Core 2023 Proxy-based external browser extensions F-Droid App Overhaul NGI Mobifree Fund 2025 Modernise the F-Droid mobile app store F-Droid Architecture for Reproducible Apps NGI0 Commons Fund 2026 Reusable stack for reproducible builds of FOSS apps F3D NGI0 Commons Fund 2024 2026 Cross-platform, fast and minimalist 3D viewer F3D Animations, Rendering and Integrations NGI0 Commons Fund 2026 Cross-platform, fast and minimalist 3D viewer f8 NGI Zero Core 2023 Modern 8-bit instruction set FABulous Demo SoC NGI0 Entrust 2022 2025 SoC with open source FPGA based on FABulous Faircamp 1.0 NGI0 Entrust 2024 2025 Self-hostable, maintenance-free websites for audio producers FairSync NGI0 Discovery 2019 2022 Simplify aggregation and discovery of places and events Fairwaves 2013 Fairwaves 
Fashion Freedom Supporting research, development, and education to bring the fashion industry into the 21st century Fast RSA + PQ Blind Signatures NGI0 Entrust 2023 Fast multiprecision integers for blind RSA and Post-Quantum signatures Faster and configurable datapath/Linux xfrm Internet Hardening Fund 2017 2019 Rewriting nftables to optimise for xfrm FastScan NGI Zero Core 2024 Performance improvements for ScanCode Toolkit/ScanCode.io FastWave NGI0 Entrust 2023 Modern waveform VCD parser fdtshim NGI Zero Core 2024 Simplify use of Device Tree Binaries for Linux installers Feather UI NGI Zero Core 2023 2025 Declarative cross-platform UI toolkit FedCM for Solid NGI0 Commons Fund 2025 User-friendly Federated logins for Solid Community Server Federated eIDAS-compatible signing portal NGI Zero Core 2024 Qualified digital signatures using eID cards Federated software forges with Forgejo NGI0 Entrust 2022 2025 Add ActivityPub based federation to Forgejo Federated software forges with Gitea NGI0 Discovery 2021 2022 Use W3C ActivityPub to federate among software forges Federated Task-Tracking with Live Data NGI Assure 2022 2024 Track tasks and issues in a federated way Federated Timesheets NGI Assure 2022 2023 Interoperable machine-readable time tracking Federated webinars for eduMEET NGI Zero Core 2024 Extended platform for distributed online webinars based on eduMEET FederatedCode Next NGI0 Commons Fund 2024 UI and curation queue for VulnerableCode data enrichment Federating Mirlo NGI0 Commons Fund 2025 Connecting artists and audiences with ActivityPub Federating pedagogical immersive experiences NGI0 Commons Fund 2025 Framework for playful learning content in enhanced reality FediMod FIRES NGI0 Entrust 2024 Tooling for Fediverse moderation Fediverse Test Framework NGI Zero Core 2023 2024 Test bench for ActivityPub implementations Fediverse Test Suite NGI Zero Core 2023 2024 Interoperability effort for W3C ActivityPub fediverse.space NGI0 Discovery 2019 2022 Find your way 
in the Fediverse Fediverser Open Social Fund 2024 Easier migration towards Fediverse alternatives FemtoStar Project NGI0 PET 2020 2022 Open Hardware Communications Satellite FFII 2008 support for the Foundation for a Free Information Infrastructure FIDO 2.2 NGI Assure 2023 2024 Open hardware implementation of FIDO CTAP 2.2 Fidus Writer NGI0 Entrust 2023 2025 Real-time collaborative web-based online editor for academia Fidus Writer modularisation NGI0 Commons Fund 2025 Semantic word processor for collaborative writing and structured documents FileSender FileSender 2019 2019 FileSender Crypto Improvements FileSender FileSender 2019 2019 Security improvements for FileSender FileSender FileSender 2020 2020 Improve streaming downloads and encryption FileSender FileSender is a secure and private way to share large files with anyone. FileSender IDOR and Rate Limiting FileSender 2022 2022 Security improvements to FileSender FileSender Multistage FileSender 2021 2021 Improve FileSender scalability FileSender secure passwords FileSender 2020 2020 FileSender UX ZIP FileSender 2020 2020 Encrypted multi-file streaming FileSender UX/UI FileSender 2022 2024 UX/UI overhaul of FileSender Filling the Gaps in Testing Open-Source Firmware NGI0 Commons Fund 2026 Improved infrastructure for Open-Source Firmware quality assurance Finish porting Replicant to newer Android version NGI0 PET 2019 2022 Alternative, free software version of Android Firmwire full-system 5G baseband emulation NGI Zero Core 2024 Easier testing of 5G baseband modems with FirmWire First Classify Documents NGI0 Discovery 2021 2022 Categorise different types of official documents Fix the Pitch Black Attack in Freenet routing NGI0 PET 2019 2019 A decentralized distributed platform for private communication Flarum NGI0 Entrust 2023 Add federation and much more to the extensible forum software Flarum. 
Flashkeeper NGI Zero Core 2024 Write Protection on SOIC-8 flash chips without soldering Flatline Server NGI0 Commons Fund 2025 Independent server for Signal protocol Fleetbase on Solid: A production-ready supply chain solution NGI0 Entrust 2023 2025 Federated open source supply chain solution using Solid Flock XR NGI0 Commons Fund 2025 2026 3D visual creativity and coding tool Flock XR: Keyboard + Mobile/Touchscreen UX NGI0 Commons Fund 2026 Creative coding platform for 3D virtual worlds and spatial apps flohmarkt NGI0 Commons Fund 2025 Self-hostable web app for creating, sharing and answering classified ads flop! NGI0 Commons Fund 2025 Automatic generation of optimised time rosters FLOSS 2008 Stimulating FLOSS dissemination in The Netherlands FLOSS-manuals 2009 on-demand printing of Open Source manuals FMD NGI Mobifree Fund 2025 Privacy-preserving mobile device location foaHandler NGI Zero Core 2024 2025 Reverse engineer the OpenAccess file format Fobnail NGI Assure 2021 2023 Remote attestation delivered locally Folksonomy engine for the food ecosystem NGI0 Discovery 2020 2022 Data modelling by the community Follow-me slideshow for Collabora Online NGI0 Commons Fund 2024 Accessible slideshows for videoconferencing tools ForgeFed NGI0 Discovery 2019 2022 Federation for software collaboration tools ForgeFed NGI0 Entrust 2022 Federating software forges with ActivityPub ForgeFed Frontend NGI Zero Core 2024 Improved UI for federated version control repositories ForgeFlux NGI0 Entrust 2023 Software Forge independent federation with ActivityPub and F3 Forgejo NGI0 Entrust 2023 An open source software forge with a focus on federation Forgejo NGI0 Commons Fund 2025 Self-hosted lightweight software forge Formulas NGI0 Commons Fund 2025 2026 Programmatic reuse of spreadsheet formulas FOSS Code Supply Chain Assurance NGI Assure 2022 2023 Mitigate attacks through software dependencies FOSS Code Supply Chain Assurance II NGI0 Entrust 2023 2024 Add approximate matching 
capabilities to software vulnerability discovery FOSS Warn NGI Zero Core 2024 Aggregate source of emergency alerts FPGA Fault Injection Testing NGI0 Entrust 2024 2025 Better testing towards preventing fault injection in FPGAs FPGA-ISP-UVC-USB2 NGI Zero Core 2024 Open hardware FPGA-based USB webcam Fractal NGI0 PET 2020 2022 Native client for the Matrix protocol Free and open source NPU Drivers NGI Zero Core 2024 Libre drivers for Neural Processing Units Free Software Vulnerability Database NGI0 PET 2022 2022 A resource to aggregate software updates Free Software Vulnerability Database NGI0 Discovery 2019 2022 A resource to aggregate software updates FreeBSD sudo-rs e-Commons Fund 2024 2024 Port to FreeBSD and legacy compatibility FreeBSD-3G 2010 network drivers for 3G cards on FreeBSD Frictionless libraries NGI0 Commons Fund 2025 Make Frictionless libs compatible with latest version Friendly Forge Format (F3) NGI Assure 2022 2024 Proposed Standard for secure communication between software forges Frugal EDA NGI Zero Core 2025 Energy-efficient circuits and systems through quantum superconductivity FSF 2008 support for the Free Software Foundation FSF Europe 2010 support for the Free Software Foundation Europe FSF Priority 2010 stimulating High Priority Projects of the Freedom Software Foundation FTEproxy 2015 FTE enables developers to build systems resistant to surveillance and censorship. 
Full-source GNU Mes on ARM and RISC-V NGI Assure 2020 2024 Expand full-source bootstrap to other CPU platforms Fully Open Chip Design NGI0 Commons Fund 2025 Silicon-proven toolchain for VLSI design Funfedi.dev NGI0 Commons Fund 2026 Testing correct implementation of W3C ActivityPub Funkwhale NGI0 Entrust 2022 2025 ActivityPub-driven audio streaming and sharing Funkwhale NGI0 Discovery 2019 2022 ActivityPub-driven audio streaming and sharing Funkwhale Federation NGI0 Commons Fund 2025 Extend ActivityPub capabilities for Funkwhale FuSa proven Slint NGI0 Entrust 2023 2025 Certifiable functional safety for Slint UI toolkit FuseSoc-compatible Web Catalog NGI0 Commons Fund 2025 2025 A catalog of gateware that can be easily used with FuseSoC fwupd NGI0 Discovery 2020 2020 Automatic Firmware updates for BSD operating systems Galene NGI Zero Core 2024 High quality libre videoconferencing server Galene NGI0 Commons Fund 2026 Libre high quality videoconferencing solution Gancio NGI Zero Core 2024 Shared agenda for local communities that supports Activity Pub Garage NGI0 Entrust 2023 Lightweight geo-distributed data store compatible with Amazon S3 Garage Administration UI NGI0 Commons Fund 2024 Easier administration for selfhosted storage buckets Garage reliability and performance NGI0 Commons Fund 2026 Open-source S3 compatible distributed object storage service Gash NGI Assure 2021 2024 Port Gash to GNU Mes for auditable bootstrap GDPR Compliance 2018 Support instruments for the country adoption of the GDPR Genealogos NGI0 Entrust 2023 2024 Nix to SBOM generator targeting the CycloneDX format Genodepkgs NGI0 PET 2020 2022 When Genode and Nixpkgs meet Geographic tagging of Routing and Forwarding NGI0 Discovery 2019 2022 Geographic tagging and discovery of Internet Routing and Forwarding Geolexica reverse NGI0 Discovery 2021 2022 Reverse Semantic Search and Ontology Discovery via Machine Learning Geoloquent NGI0 Commons Fund 2025 Location service for desktop and mobile Linux 
Gesture Typing for AOSP-derived Keyboards NGI Mobifree Fund 2025 More efficient text input for mobile touch screen devices GetDNS Internet Hardening Fund 2017 2019 Deliver DNSSEC as a building block in harsh environments GISS 2009 independent infrastructure for streaming radio and TV Global Directories 2014 Distributed contact information discovery mechanism Globule 2005 user-centric Content Delivery Network GLOW-SG13G2 (Gate Library for Open Flow - SG13G2) NGI0 Commons Fund 2026 Digital standard cell library for IHP SG13G2 process GNS Migration and Zone Management NGI0 Entrust 2022 Registrar tools for adoption of GNU Name System GNU Guix NGI0 Discovery 2019 2022 Discovery of service configurations in a declarative setup GNU Guix - Cuirass NGI0 PET 2020 2020 Continuous integration system for GNU Guix/Linux + Hurd GNU Mes NGI0 PET 2019 2019 Help create an operating system we can trust GNU Mes interpreter speedup effort NGI Zero Core 2024 Increase performance of full source bootstrap GNU Mes on ARM NGI0 PET 2019 2022 Trustworthy bootstrap for operating systems on ARM ISA GNU Mes RISC-V NGI Assure 2021 2022 Bringing the trustworthy bootstrap to RISC-V GNU Mes Tower NGI Assure 2021 2024 GNU Mes with alternative scheme implementations and WASM GNU Mes: Full Source bootstrap NGI0 PET 2020 2022 GNU Name System NGI0 Discovery 2019 2022 Authenticated naming system for the internet from GNU project GNU social NGI0 Discovery 2020 2022 Modernizing the original FOSS Social Network GNU Taler NGI0 PET 2019 2022 Advanced electronic payment system for privacy-preserving payments GNU Taler KYC NGI Assure 2022 2024 Know-Your-Customer support for GNU Taler GNU Taler Payment Provider for be-BOP NGI TALER Fund 2025 Integrate Taler payments into be-BOP shopping cart/POS software GNU Taler Tryton/GNUHealth integration NGI TALER Fund 2024 GNU Taler module for Tryton ERP/GNU Health GNU Taler wallet app for iOS NGI0 Entrust 2022 2025 Mobile GNU Taler payments for portable Apple devices GNU 
Taler Wallet ID Lookup Service NGI TALER Fund 2024 Optional discovery of TALER wallet addresses linked to digital identities GNUnet 2009 implementation and evaluation of an improved routing algorithm for GNUnet GNUnet CONG NGI0 Entrust 2023 Modernise the network stack of GNUnet GNUnet Messenger API NGI Assure 2021 2024 API for decentralized instant messaging using CADET GNUnet on Android NGI Zero Core 2024 Port GNUnet protocol stack to Android mobile OS GnuTLS Internet Hardening Fund 2017 2019 Implement TLS-KDH in GnuTLS GO-FOSS 2008 Teach employees in SMEs and NGOs the benefits of FOSS GoActivityPub NGI0 Commons Fund 2025 Help people develop Fediverse software in Go GoatCounter NGI0 PET 2019 2022 Privacy-friendly web analytics for small websites GoogleSharing 2011 GoogleSharing anonymizing proxy Gorgon CI NGI0 Entrust 2023 2025 Continuous integration testing for PRs against software dependencies Gosling NGI Assure 2021 2022 Generic Onions Services Library Project GoToSocial NGI0 Entrust 2022 Lightweight ActivityPub social network server GoToSocial NGI0 Entrust 2023 Improvements to ActivityPub server written in Go GoToSocial performance & connectivity NGI0 Commons Fund 2025 Advanced moderation and federation features for GoToSocial Goupile NGI Zero Core 2024 Secure forms including Clinical Report Forms (eCRF) Govdirectory Open Social Fund 2025 Global directory of public bodies on the fediverse GPG Lacre project NGI0 PET 2020 2022 Best effort encryption of mail flows with OpenPGP GPGPU Playground NGI Zero Core 2024 A virtual GPU to learn GPU programming GPLv3 2007 GNU Public Licence v3 Development and Publicity Project GPRS/EGPRS support in Osmocom CNI for Ericsson RBS User-operated Internet Fund 2021 Graphics acceleration on Replicant NGI0 PET 2019 2022 Free software graphics drivers for mobile phones Graphite 2D graphics editor NGI0 Commons Fund 2025 Keyframe animation and vector editing intuitive UI enhancements Grate project NGI Zero Core 2025 2025 Linux support 
for Tegra 2/3/4 devices Great Black Swamp NGI Assure 2021 2024 Decentralized cloud storage with provider-independent security Great OCR for SANE NGI0 Discovery 2021 2022 Integrate OCR capabilities into open source scanning tools Great scanning and OCR for mobile devices NGI0 Discovery 2021 2022 GSM-Sec 2011 GSM Security Project, debugging GSM transactions Guix Peer-to-Peer substitutes NGI Assure 2023 2024 Guix-Daemon NGI Zero Core 2023 Transition to a Guile implementation of the guix-daemon GUN P2P Encryption Internet Hardening Fund 2017 2019 A realtime, decentralized, offline-first, graph database engine Hackathons and sprints contributions to various hackathons and sprints Haketilo/Hydrilla NGI0 Discovery 2021 2022 Browser extension for site customisation Handling Data from IPv6 Scanning NGI0 Discovery 2019 2022 Scanning tools for scaling up IPv6 scans Haphaestus NGI0 Entrust 2022 Lightweight JavaScript-free browser engine written in Haskell happyDomain NGI Zero Core 2025 Simplify DNS zone management Hardening OpenPGP CA deployments NGI Assure 2021 2024 HSM support for OpenPGP key infrastructure Hardware 2D graphics engine NGI Zero Core 2025 Additional functionality and better performance for FPGA-based 2D video controller Hardware accelerated 2D graphics NGI0 Entrust 2023 2024 Design hardware accelerated 2D graphics using C to Verilog Hardware Bill-of-Materials (HBOM) generator NGI Zero Core 2024 Create CycloneDX HBoM compliant inventory of hardware Hassle-free Peppol bootstrapping and onboarding NGI0 Commons Fund 2026 Open, reproducible, certification-ready e-invoicing stack for Peppol Heads-OpenPGP NGI Assure 2022 2024 OpenPGP Authenticated Heads and long-time awaited security improvements Heavy Compiler Collection NGI0 Commons Fund 2025 Unified DSP and Interface Design for Audio Plugins Herbees NGI0 Commons Fund 2025 Scalable intermediated P2P messaging based on Simplex Messaging protocol Himalaya NGI Assure 2022 2023 End-to-end encryption capable scriptable 
email Hockeypuck NGI Zero Core 2024 Next generation OpenPGP keyserver Holo Routing NGI Zero Core 2023 2025 A novel routing stack in Rust, including IS-IS routing How AdTech works NREN 2020 2020 Improving public awareness of AdTech and privacy HTML export for Typst NGI Zero Core 2024 Markup based typesetting for multichannel publishing HTTPS-Obs 2011 HTTPS Observatory Hubzilla NGI0 Discovery 2020 2022 Federated social networking environment Hubzilla performance improvements NGI0 Commons Fund 2025 Make Hubzilla more efficient and expand Superblock Husk NGI0 Commons Fund 2025 Pass-through solution for automatic OpenPGP encryption HWIOS 2011 Hybrid Web In OpenSim (HWIOS) Hyper 8 Video System NGI0 Commons Fund 2026 Self-hostable, maintenance-free video publishing tool Hyper Hyper Space NGI Assure 2021 2024 Cryptographically secure append-only distributed data layer Hyper Hyper Space Sync Engine and adapters NGI Zero Core 2025 Secure P2P data synchronisation Hypermachines: Realtime and Collaborative P2P Search NGI0 Discovery 2021 2022 Realtime and Collaborative P2P Search IC workspace NGI0 Entrust 2022 Open Source IC Design Management Tool Icebreaker NGI0 Discovery 2021 2022 Gemini centric viewpoint of coding issues and bug tracking Icestudio NGI0 Entrust 2023 Visual developer tool for development of FPGAs Icosa Gallery NGI0 Commons Fund 2025 Community-led 3D creation and sharing tools Icosa Gallery NGI0 Entrust 2023 2025 Open, decentralised platform for 3D assets IIDS 2013 Interactive Intelligent Distributed Systems imap-codec library NGI Assure 2022 2024 Release version 1.0 of the imap-codec library Implement inline Verilog/VHDL through Yosys NGI0 Commons Fund 2026 Functional simulation in Haskell from existing Verilog/VHDL code Implement sound support in the Hurd NGI0 PET 2019 2019 Add audio capabilities to the multiserver microkernel from GNU Improve Email Encryption in KMail NGI0 PET 2019 2022 Adopt improvements in Email Encryption in KMail Improve Okular digital 
signature support NGI Assure 2021 2022 Improve open source tooling for digital signatures Improvements for next generation Linux firewalling NGI0 Entrust 2023 2025 Netfilter kernel improvements, user space tools and testing Improving and extending Kaitai Struct NGI0 Entrust 2023 2025 Rust parsing for binary analysis tool Kaitai Struct Improving asynchronous execution in GNUnet NGI0 Commons Fund 2025 Add synchronous processing to GNUnet Improving Matrix E2E encryption UX Internet Hardening Fund 2017 2019 Better usability of Matrix.org E2E encryption Improving OpenSSH's Authentication and PKI NGI Assure 2021 2024 Improving SSH Authentication with OpenPGP transitive trust Improving the deployability of Multipath TCP NGI Zero Core 2023 Improve MPTCP support in the Linux kernel Improving the deployability of Multipath TCP, part 2 NGI Zero Core 2024 Improve MPTCP support in the Linux kernel Improving WebKit on Windows NGI Zero Core 2024 Improve Windows support for the WebKit browser engine IMSI Pseudonymization NGI0 PET 2019 2019 Better privacy protection for 2G-5G IN COMMON NGI0 Discovery 2019 2022 Public platform to map and act together for the Commons In-document search NGI0 Discovery 2020 2022 Interoperable Rich Text Changes for Search In-memory Krill e-Commons Fund 2023 2024 Integrate kvx store in Krill RPKI daemon Incroxigraph NGI0 Commons Fund 2026 Extend Oxigraph with continuous live evaluation of SPARQL queries Independent captions and transcript augmentation NGI0 Discovery 2021 2022 Speech-to-text integration for Waasabi Indigenous NGI0 Discovery 2020 2022 Indieweb mobile clients Inko NGI0 Entrust 2023 Programming language with deterministic automatic memory management Inochi2D NGI0 Entrust 2024 2025 Open source 2D animation/puppeteering framework Integration of Waydroid on mobile GNU/Linux NGI Zero Core 2024 Run Android apps in Linux containers on mobile devices Interledger interoperability inquiry NGI TALER Fund 2024 Investigate synergy between Interledger 
and GNU Taler Internationalization (i18n) for Silex NGI0 Commons Fund 2026 Add i18n to GraphQL-aware static site generator Internet of Coins Create a decentralized, self-sustaining economy by implementing inter-blockchain connectivity Interoperability of Events in the Fediverse NGI0 Commons Fund 2025 A common approach to using the ActivityPub Event object type Interoperable Certificate Store for OpenPGP NGI Assure 2022 2024 Standardisation effort for shared OpenPGP certificate storage Interpeer NGI0 Discovery 2019 2022 Collaboration infrastructure with near real-time p2p data synchronization Interpeer SDKs NGI Assure 2022 2024 Secure and efficient peer-to-peer networking stack Interpretation feature for Big Blue Button NGI Zero Core 2024 Adding translator streams for live interpretation to BBB conference software Inventaire NGI0 Discovery 2020 2020 Wikidata-based social sharing of reading experiences Inventaire recommender NGI0 Discovery 2021 2022 Book recommendations in Inventaire Inventaire Self-hosted NGI0 Entrust 2023 Self-hosted book inventories that share the wikidata-powered bibliographic database io_uring-like IO for Redox NGI0 Commons Fund 2025 Introduce ring buffers in Redox to increase I/O performance iOS support for AccessKit NGI0 Commons Fund 2025 Cross-platform abstraction over accessibility APIs IPDL NGI Assure 2022 2024 Equational Proofs for Distributed Cryptographic Protocols IPDL II NGI Zero Core 2023 2026 A new process logic aimed at formal proofs for cryptographic algorithm ipfs-search.com NGI0 Discovery 2019 2022 Search engine for the Interplanetary File System IPv6-monostack - upstream Linux SIIT/NAT64 NGI Zero Core 2023 Commoditizing NAT64 and IP/ICMP translation to accelerate IPv6 deployment Irdest NGI0 Discovery 2021 2022 Local P2P mesh discovery of devices and users Irdest - OpenWRT Image and Bluetooth LE NGI0 Entrust 2023 Add Bluetooth LE connections to Irdest Irdest IP Traffic Proxy NGI Zero Core 2024 Route existing IP-network traffic 
through an Irdest network Irdest spec, db, route scoring NGI0 Entrust 2023 Route scoring and other routing improvements for Irdest meshnets IRMA made easy NGI0 PET 2019 2019 Usability research into attribute based authentication IronCalc NGI Zero Core 2024 Embeddable spreadsheet engine written in Rust IronCalc NGI0 Commons Fund 2026 Fast spreadsheet engine in Rust IronCalc for Nextcloud NGI0 Commons Fund 2025 Embed IronCalc spreadsheet engine into Nextcloud Ironclad NGI Zero Core 2024 Hard real-time capable kernel written in SPARK/Ada Ironclad - Networking developments NGI0 Commons Fund 2026 Real-time capable, UNIX-like operating system kernel in SPARK/ADA ISC BIND 9 2001 implementation of DNS protocols with full IPv6 and DNSsec support ISCC-CORE typescript implementation library NGI Zero Core 2024 Decentralised content identifiers through ISO 24138. IsMyPhonePwned NGI Mobifree Fund 2025 Scan phone security directly from a web browser iso14229 NGI Zero Core 2025 Universal Diagnostic Services for automotive diagnostics it NGI0 Entrust 2023 Radically decentralised version control with CRDTs iTowns NGI0 Commons Fund 2024 Visualise 2D and 3D geospatial data on virtual globes & maps iuh-openbsc 2017 An open source implementation of 3G IzzyOnDroid NGI Mobifree Fund 2024 Third party repository for FOSS Android apps Jabber/XMMP 2008 Strengthening Trust in Jabber/XMPP Technologies jaq NGI0 Entrust 2023 2025 Implementation of jq in Rust with formal semantics JavaScript Restrictor NGI0 PET 2020 2022 Increasing Security and Privacy of JavaScript APIs JellyfishOPP NGI0 Entrust 2023 2025 Open Hardware device for power profiling JigLibJS 2011 JigLib to JavaScript for use with WebGL Jingle Nodes Jingle Relay Nodes Specifications and Prototypes Jitsi 2011 Better and Open Source alternative for Skype Jitsi (SIP Comm Phone) Internet phone and instant messenger Jitsi (SIP-Communicator) Desktop 2011 Desktop Streaming and Sharing with SIP Communicator Jitsi-DNSSEC 2012 DNSSEC for Jitsi 
(SIP Communicator) Jitsi-FMJ 2012 Replacing JMF with FMJ JShelter NGI0 PET 2020 2022 Cross-browser extension to make javascript less exploitable JShelter Manifest V3 NGI0 Entrust 2022 2024 Make JShelter compatible with Manifest V3 JShelter UX NGI0 Commons Fund 2025 Upgrading JShelter to increase functionality and user adoption json-joy NGI Assure 2023 2024 JSON data structure as a CRDT JSON-Joy Peritext NGI Zero Core 2023 Rich-text CRDT implementations for json-joy CRDT k3lp NGI Zero Core 2024 Unicode Keyboard3 Layout Parser Kaidan NGI0 PET 2020 2022 Adding encryption to userfriendly cross-platform XMPP client Kaidan NGI Assure 2022 2024 Encrypted A/V calls, group chat messaging Kaidan A/V NGI0 PET 2022 2022 Secure audio and video calls for Kaidan and QXmpp Kaidan Auth + portability NGI0 Entrust 2023 Account portability and Client/Server Authentication for the Kaidan XMPP client Kaidan Mediasharing NGI Assure 2024 2024 Media sharing and improved contacts for Kaidan XMPP Kaidan MUC + legacy OMEMO NGI0 Commons Fund 2025 Multi-user chat and improved legacy interoperability for Kaidan XMPP client Kami NGI Zero Core 2023 Choreography programming language integrated with the Rust ecosystem Karrot NGI0 Discovery 2021 2022 Save and share food waste Karrot NGI0 Entrust 2023 2025 Location-aware community self-organisation Katzen NGI Assure 2021 2023 Meta-data resistant instant messaging over the Katzenpost mixnet Katzen Metadata Minimizing Messenger NGI0 Entrust 2023 Privacy preserving instant messaging using a modern mixnet Katzenpost NGI0 PET 2019 2022 Observation resistant secure messaging layer Kazarma NGI0 Discovery 2020 2022 Bridge ActivityPub and Matrix realms Kazarma Release NGI0 Entrust 2023 Bridge between ActivityPub and Matrix protocol Kbin NGI0 Entrust 2022 ActivityPub based link sharing and microblogging KDE Connect NGI Assure 2022 2024 KDE Connect discovery and transport protocol improvements KDE Plasma Gestures NGI0 Commons Fund 2025 Advanced customisable 
gesture input on desktop and mobile KDE Plasma Wayland NGI Zero Core 2023 2025 Accessibility and advanced graphics input support for KDE Plasma Wayland Kdenlive NGI0 Commons Fund 2025 Parametrised keyframes for modern non-linear video editor Kernel DMA Protection Patcher (kdmap-patcher) NGI0 Commons Fund 2025 Automated UEFI patching for pre-boot DMA protection Key Management Internet Hardening Fund 2017 2019 Key Management Keyhive NGI Zero Core 2024 Edge Names, invites and group key agreement for local first data Keyoxide NGI0 Discovery 2020 2022 Self-hostable identity proofs with bidirectional linking verification Keyoxide Mobile NGI Assure 2022 2024 Mobile client for identity management tool Keyoxide Keyoxide v2 NGI Assure 2022 2024 Add cryptographic signature based to Keyoxide KiCad User-operated Internet Fund 2022 Professional open source electronics design application KiCad Frontpanel Generator NGI0 Commons Fund 2026 Create matching front panels for KiCad PCBs automatically KiCad-10 NGI0 Commons Fund 2025 Cross Platform Electronics Design Automation Suite KiCad-IPC NGI Zero Core 2023 Add RPC API, multichannel designs and schematic variant system to FOSS EDA suite KiKit NGI0 Entrust 2022 Tooling for automation of production of PCB designed in KiCAD Kintex-nextpnr NGI Assure 2022 2023 Open toolchain for high performance FPGAs Kiwi IRC NGI0 PET 2020 2022 Self-hosted web IRC environment Knowledge Graph Portal Generator NGI Zero Core 2024 Automatically generate custom web interfaces for structured data Kolab-Sync 2012 ActiveSync your Kolab Koruza 2015 Krill High Availability NGI0 Entrust 2022 Making Krill RPKI daemon deployment more robust Ksplice 2009 update the Linux kernel without rebooting Ksplice2 2011 Ksplice for mainline Linux and Fedora KWin and Wayland input NGI0 PET 2020 2022 Secure windowing system for KWin LabPlot NGI Zero Core 2024 2025 Scientific and engineering data analysis and visualisation LambdaNative F-Droid integration NGI Mobifree Fund 2024 
Portable, Productive and Performant App Development with Scheme Land NGI0 Commons Fund 2024 Code editor building on Tauri and VSCodium Langsec in Pectore NGI0 PET 2019 2022 A secure pacemaker created from formal grammars LANShield NGI Zero Core 2024 2025 Constrain local network access for mobile devices Lantern 2013 DNSSEC in Lantern Latest OMEMO support to Converse.js with libomemo.js NGI0 Commons Fund 2025 E2EE for web-based XMPP client Layer-2-Overlay NGI Assure 2021 2024 Generalising the GNUnet Layer-2 Overlay for broader usage LCC 2002 local content caching system for new search engine architecture LDAP Synchronization Connector NGI Zero Core 2024 Synchronize data from/to various data sources with LDAP LeanFTL NGI0 Commons Fund 2025 Flash Translation Layer library for embedded systems LeanFTL Extreme Wear Leveling NGI0 Commons Fund 2026 EWLF support for Flash Translation Layer library LEAP/Torbirdy 2017 LEAP integration into Torbirdy lemmur NGI0 Discovery 2021 2022 A Lemmy mobile client Lemmy NGI0 Discovery 2020 2022 ActivityPub for link aggregation Lemmy Federation NGI0 Discovery 2021 2022 Lemmy Federation and ActivityPub compliance Lemmy private communities NGI0 Entrust 2022 2024 Add private communities to Lemmy federated link aggregator Lemmy Scale NGI Zero Core 2023 ActivityPub-powered social link aggregation and discussion Lens/FreeCAD integration NGI0 Commons Fund 2025 Collaborate on parametric CAD Models for hardware design Let's Connect VPN provisioning VPN Fund 2022 2022 Preprovisioning VPN profiles for managed devices Let's Connect! Client-Server to P2P NGI Assure 2022 2024 Add P2P features to Let's Connect! 
Letswifi/Geteduroam GetEduroam 2022 Make federated wifi access provisioning safer and more convenient Letswifi/Geteduroam Portal GetEduroam 2022 Make federated wifi access provisioning safer and more convenient lib1305 NGI Zero Core 2024 2025 Microlibrary for Poly1305 hashing lib25519 for ARM NGI0 Entrust 2023 2024 Add 64bit ARM optimisations to lib25519 lib25519 using NEON for ARM64 NGI Zero Core 2024 ARM64 optimisations for lib25519 microlibrary lib25519: Secure and efficient computation of X25519 and Ed25519 Internet Hardening Fund 2021 2023 LiberaForms NGI Assure 2021 2024 End to End Encrypted Forms LiberaForms NGI0 Commons Fund 2025 Self-hostable E2EE libre form server Liberaforms NGI0 PET 2020 2020 Open source form server libnix NGI Zero Core 2023 Native Nix on MS Windows librarian NGI0 Discovery 2019 2022 Custom meta-search Libre Car Control NGI0 Entrust 2023 2024 Automotive development platform, protocol analyzer and hacking multi-tool Libre Diagnostic NGI Zero Core 2024 2025 Open hardware car diagnostics Libre Payments in Ruby NGI TALER Fund 2025 GNU Taler Integration for ethical trade Libre Silicon compiler NGI0 PET 2019 2022 Synthesize, place and route hardware description to silicon Libre-Chip CPU with proof of No Spectre bugs NGI0 Commons Fund 2025 Open Hardware high performance CPU with speculative execution Libre-SOC NGI0 PET 2019 2022 A fully open hardware System-on-a-Chip Libre-SOC Cavatools: Power ISA Simulator NGI Assure 2021 2024 Power ISA Simulator Libre-SOC Formal Correctness Proofs NGI0 PET 2019 2022 Mathematical unit tests for open hardware System-on-Chip Libre-SOC Formal Standards Development NGI0 PET 2019 2022 Formal Standards for OpenPower extensions from Libre-SoC Libre-SOC HPC NGI0 Entrust 2022 Work on High Performance Compute capabilities for Libre-SOC Libre-SOC OpenPOWER ISA WG NGI0 Entrust 2022 Steward ISA extension proposals through OpenPOWER External RFC Process Libre-SOC Video Acceleration NGI0 PET 2019 2022 Optimised video 
acceleration instructions for Libre RISC-V SoC Libre-SOC, Coriolis2 ASIC Layout Collaboration NGI0 PET 2019 2022 Open tooling for ASIC Layout Libre/OpenCores FuseSoc backend NGI0 Discovery 2021 2022 Discovery and use of open hardware gateware through LibreCores and OpenCores Librecast NGI Assure 2021 2024 E2E encrypted multicast Librecast Live NGI0 Discovery 2019 2022 Live streaming with multicast Librecast Overlay Multicast NGI Zero Core 2024 Privacy-preserving, energy efficient data replication and verification Librecast Studio NGI0 Commons Fund 2025 Community platform for multimedia collaboration and events LibreCellular NGI0 PET 2020 2022 Open hardware 4G Mobile Network LibreCellular NGI0 Entrust 2022 2025 FOSS technology stack for 4G networks LibreCellular 5G NGI0 Commons Fund 2026 Open hardware SDR-based 5G cellular network LibrEDA NGI0 PET 2020 2020 An integrated development environment for chip design LibreDocs 2012 LibreDocs LibreOffice CRDT NGI0 Entrust 2023 Real-time collaboration between several, distributed LibreOffice instances LibreOffice/Collabora Online typography NGI0 Entrust 2023 2025 Add interoperability and state-of-the-art web typography to LibreOffice/Collabora Online line break LibrePCB NGI0 Entrust 2023 2024 EDA software suite to develop printed circuit boards LibrePCB 2.0 NGI0 Commons Fund 2024 2026 New UI & powerful features for a future-proof LibrePCB LibreQoS NGI0 Entrust 2023 Improve congestion control for wifi networks LibreQoS 2.1 NGI Zero Core 2024 Transactional Move System and improved APIs for LibreQoS LibreSilicon NGI0 PET 2019 2022 Free/open source semiconductor manufacturing process LibreSilicon: Pad Cell Generator NGI0 Commons Fund 2025 Custom pad cells for integrated chip layout generation libresilient NGI Assure 2021 2024 Create robust web presence with service workers and DHT librice NGI0 Commons Fund 2024 2026 Pure Rust implementation of IETFs real-time communication standard ICE libspng NGI0 PET 2021 2022 A fast and safe 
implementation of Portable Network Graphics libspng APNG NGI0 Entrust 2023 Add Animated PNG (APNG) image read- and write support to libspng libvips NGI Zero Core 2024 Add animated PNG and enhanced JPEG XL support to libvips Lightmeter NGI0 PET 2020 2022 Email server configuration lifecycle management Liminix NGI0 Entrust 2022 Nix-based OS for domestic WiFi routers, access points etc Linked Data Objects (LDO) Upkeep and Upgrade NGI0 Commons Fund 2026 SHACL and other improvements for Linked Data Objects library LinkedDataHub NGI0 Discovery 2021 2022 Framework to handle Linked Data at scale LinuxBoot for all NGI0 Commons Fund 2026 Small, auditable and reproducible firmware stack LIP6 VLSI Tools NGI Assure 2021 2024 Logical validation of ASIC layouts LiteX NGI0 Entrust 2023 Developer framework for FPGA and ASIC designs Livebook NGI0 Commons Fund 2025 Robust and distributed data and ML workflows with Python, Elixir, and Livebook Lix RPC NGI0 Commons Fund 2025 RPC framework for scaling Nix Lizard NGI0 Discovery 2019 2022 E2E Rendez-vous and discovery LLM2FPGA NGI0 Commons Fund 2025 Run Open Source LLMs locally on FPGAs LO/CODE Book project NGI Zero Core 2024 Professional typography inside LibreOffice LOAP 2006 The DNS: A Life of a Protocol Local Production of Antennas for LibreRouter (LoPaLiR) User-operated Internet Fund 2021 2024 Reliable open hardware Antennas for LibreRouter LogReport 2004 tools for computer/network log file analysis Lokalize 2009 cross-platform computer-aided translation system Loops NGI Zero Core 2024 ActivityPub based sharing of short video clips Loops Live NGI0 Commons Fund 2026 Federated short video platform for the Fediverse lpnTPM NGI Assure 2021 2022 TPM 2.0 compliant open hardware Trusted Platform Module LTE support in OsmoCBC (Cell Broadcast Centre) User-operated Internet Fund 2021 2022 Open source Cell Broadcast Centre for mobile networks LTSP Deskop Remote desktop via an LTSP-Cluster LumoSQL NGI0 PET 2019 2022 Create more reliable, 
distributed embedded databases LumoSQL at-rest data security NGI Assure 2021 2024 Modern embedded database with encryption and signed data Luna PnR NGI0 PET 2021 2022 A versatile and fast new open-source place and route tool LUNA SuperSpeed USB Improvements NGI0 Commons Fund 2025 FPGA implementation of USB 3 LunaPnR Phase 2 NGI0 Entrust 2022 A versatile and fast new open-source place and route tool Lychee NGI Zero Core 2024 Reliable and fast link checker to combat linkrot Macaw Instant Messenger Web/Desktop NGI0 Commons Fund 2025 XMPP client written in Rust Machdyne NGI0 Entrust 2023 Modular open compute hardware Machine Usable Output for Sequoia NGI0 Commons Fund 2025 Reliable, scriptable memory-safe OpenPGP with JSON input/output machine-check NGI Zero Core 2025 Tool for formal verification for machine-code Machine-check usability NGI0 Commons Fund 2026 Formal verification of software written in machine code MaDada NGI0 Discovery 2021 2022 Using LinkedData to improve FOI processes Maemo Leste NGI0 PET 2019 2022 An independent mobile operating system focused on trustworthiness Maemo Leste Daedalus NGI0 Commons Fund 2025 Improve device coverage and advanced security for mobile Linux distro Maemo Leste Telepathy NGI Assure 2022 2024 Modernise open source real-time communications stack Magic Wormhole/SPAKE2 Internet Hardening Fund 2017 2019 Securely send files between two computers with minimum fuss Maho NGI TALER Fund 2026 Self-hostable ecommerce platform Mail::Box 2003 software for e-mail handling in Perl MailBox renewal NGI Zero Core 2024 Performance upgrade of MailBox mail modules Mailman-SSLS 2009 openPGP and S/MIME support in mailman Mailpile 2 (moggie) NGI0 Entrust 2023 Building a secure, modern e-mail client for self-hosting Mailpile Search Integration NGI0 Discovery 2019 2022 Personal email search engine Mainline Linux on ARM Chromebooks NGI0 Commons Fund 2025 Open firmware and standards-based boot for Mediatek MT818x/MT819x based devices Mainstreaming 
Anonymity for Developers (MAD) NGI0 Entrust 2023 2024 Add Onion Services to interactive internet applications Maintenance and portability of sudo-rs NGI Zero Core 2024 Make sudo-rs available cross-platform Makatea NGI0 Entrust 2022 2026 An x86, 64-bit Virtual Machine Monitor for the seL4, verified microkernel Manas NGI0 Entrust 2023 Rust modules for Solid clients and servers Mangaki NGI0 Discovery 2020 2022 Advanced group recommendations Manyfold NGI0 Commons Fund 2025 2026 ActivityPub-powered tool for storing and sharing 3d models Manyfold NGI0 Entrust 2023 Manage private collections of 3D models Manyfold; Printing, Customisation, and Versioning NGI0 Commons Fund 2025 ActivityPub-powered tool for storing and sharing 3d models Manyverse NGI0 PET 2019 2019 An off-line capable privacy-centric social messaging app Manyverse Private Groups NGI Assure 2022 2024 Implement SSB Private Groups in Manyverse MapComplete NGI0 Entrust 2022 Thematics OpenStreetMap-viewer and editor. MAPS defending Internet e-mail from abuse by spammers Mapterhorn NGI Zero Core 2024 2026 Open terrain tile sets and data catalog Mapterhorn Imagery NGI0 Commons Fund 2026 Aggregating open data orthophoto imagery Marginalia Search NGI0 Entrust 2022 2024 A fresh take on search Massive FOSS scan NGI0 Commons Fund 2024 License scan on the whole Software Heritage archive Mastodon - groups, filtering, moderation NGI0 Discovery 2021 2022 Group support with ActivityPub Mastodon for institutions NGI0 Commons Fund 2025 Features for institutional instances of Mastodon Matridge spaces NGI0 Commons Fund 2026 Gateway for XMPP users to transparently chat in Matrix rooms Maturing the Gancio back-end NGI0 Commons Fund 2026 Better scale Fediverse-capable shared agenda for local communities Mautic Portability NGI0 Commons Fund 2024 Portable marketing campaigns for Mautic Mautic Portability Phase 2 NGI0 Commons Fund 2025 Portable marketing campaigns for Mautic Maven Heaven NGI0 Commons Fund 2025 Scan, review, curate and 
fix metadata of Java packages mCaptcha NGI0 Entrust 2022 Privacy-friendly Proof of Work (PoW) based CAPTCHA system Meemoo 2013 Meemoo: hackable web apps MEGA65 Phone NGI0 PET 2019 2022 A phone simple enough to understand in full MEGA65 Phone Modular MVP NGI Zero Core 2024 OSHW mobile device with form-factor of hand-held game consoles MeiliSearch NGI0 Discovery 2020 2022 Modern and responsive search Mellium NGI Assure 2022 2024 Add OMEMO support to XMPP library Mepo NGI0 Discovery 2021 2022 Lightweight mobile map search Meshtool 2012 Mesh network toolkit, database and web-based API. Meta-Press.es NGI0 Discovery 2020 2020 A press search engine in your browser Meta-Press.es NGI0 Discovery 2021 2022 Retrieve news feeds and search locally MetaMorph NGI0 Commons Fund 2026 New modules, functionalities and interfaces for voxel engine Luanti mgmt config NGI0 Commons Fund 2026 Real-time system automation tool Micro25519 NGI Zero Core 2023 Lightweight Elliptic Curve Cryptography for microcontrollers Mifos X (Apache Fineract) NGI0 Commons Fund 2025 Type safety for/refactoring of Apache Fineract banking software mikroPhone NGI0 Entrust 2023 2026 Open Hardware feature phone Minedive NGI0 Discovery 2019 2022 P2P search over webRTC minipgp6 NGI0 Commons Fund 2025 Lean implementation of modern OpenPGP MirageVPN NGI Assure 2023 2024 Robust OpenVPN client and server, and QubesOS client Miru NGI Zero Core 2024 Multi-track video editing and real-time AR effects Miru Collaborative Video Editor NGI0 Commons Fund 2025 Local-first video and AR editing Misskey NGI0 Discovery 2021 2022 Misskey federation and ActivityPub compliance mitmproxy NGI0 Entrust 2023 2025 HTTP/3 Support and OS Proxy Mode for intercepting local proxy MLS for XMPP NGI Zero Core 2023 Add Message Layer Security to XMPP MNT Reform NGI0 PET 2020 2022 A trustworthy open hardware laptop MNT Reform Next NGI0 Entrust 2023 2025 New iteration of the MNT open hardware laptop MNT Reform QCS6490 Module NGI Zero Core 2024 MNT Reform 
compatible open Hardware processor module MNT Reform Touch NGI0 Commons Fund 2025 Open Hardware tablet device Mobile Test Farm NGI0 PET 2022 2022 Test farm setup for aftermarket mobile operating systems Mobile Typst editor NGI0 Commons Fund 2025 Mobile editor/viewer for Typst documents mobile-nixos NGI0 PET 2019 2022 NixOS for mobile phones and tablets MobileAtlas NGI0 PET 2020 2022 A distributed open hardware test infrastructure to analyse mobile networks MobileAtlas NGI0 Entrust 2022 2025 Taking roaming measurements to the next level MobileAtlas Mobilizon NGI0 Discovery 2021 2022 Find, create and organize events Mobilizon UX NGI Zero Core 2023 2025 Share events on the fediverse MoboSearch NGI0 Discovery 2021 2022 Providing an alternative view on the Android App ecosystem Mobroute NGI0 Entrust 2023 2025 A minimalist FOSS public-transportation router/tool suite Modern High-Level Python OpenPGP library NGI0 Commons Fund 2026 Python integration of Stateless OpenPGP Modernizing Paged.js Web-to-Print NGI0 Commons Fund 2025 Quality typesetting based on HTML and CSS Modular CA Internet Hardening Fund 2017 2019 Modular infrastructure for building secure internet services Modular Meta-Press.es NGI0 Entrust 2022 Reusable decentralised meta-search engine Mollymawk NGI Zero Core 2025 Mollymawk - orchestration and management of MirageOS unikernels Monal IM NGI Assure 2022 2024 Free Jabber/XMPP client for iOS and macOS Monal IM UI NGI0 Entrust 2023 Modern UI for XMPP on iOS and macOS Morphle 2009 free and anonymous powerful but simple to use end-user website editing Mosaic NGI0 PET 2021 2022 Trustworthy open hardware design tool for electrical engineers Mosaic Simulation NGI Zero Core 2024 2026 EDA tool for analog chip design MOTIS NGI0 Commons Fund 2025 European Public Transport Door to Door Real-Time Routing with MOTIS Movedata NGI Zero Core 2024 Privacy-preserving, energy efficient data replication and verification Movim NGI Zero Core 2024 Add end-to-end encrypted videocalls 
to Movim XMPP Movim NGI0 PET 2020 2020 Add OMEMO encryption to Movim XMPP client Mox NGI0 Entrust 2023 Modern full-featured open source secure mail server Mox API e-Commons Fund 2023 2024 Modern full-featured open source secure mail server Mox management and automation NGI Zero Core 2025 Automated email server management and administration MPTCP NGI0 Discovery 2020 2022 MultiPath TCP MTE - the MirageOS Taler Exchange NGI TALER Fund 2024 Implement Taler Exchange functionality in OCaml-based unikernel MU-Jingle 2009 jabber-based VoIP protocol muchrooms NGI0 Commons Fund 2025 XMPP group chat implementation in Rust Multi browsing context support in Servo NGI Assure 2024 2024 Allow Servo browser engine to render beyond atomic pages Multilingual Marginalia NGI Zero Core 2024 Search engine focused on quality discovery Multipath TCP on Linux NGI0 Commons Fund 2025 C Flag support and path-manager improvements for MPTCP Multiprocess Mode in Servo NGI Zero Core 2024 Speed up Servo with parallelisation Multisoni NGI Zero Core 2024 Modern and efficient real-time audio playback engine Multitenant CAS NGI0 Commons Fund 2025 Better scalable Single Signon Enterprise Authentication Mustang - UI components NGI0 Commons Fund 2024 2025 Integrated email, team chat, video conference, calendar and file exchange Mustang UX NGI0 Commons Fund 2024 2025 Integrated email, team chat, video conference, calendar and file exchange MWoffliner NGI Zero Core 2025 2025 Software to make Wikipedia and other Mediawiki content available offline Mynij NGI0 Discovery 2019 2022 Portable indexing and search engine for mobile Naja NGI0 Entrust 2022 2024 EDA tool focused on post logic synthesis Naja DNL NGI0 Entrust 2023 Add Dissolved and Batch Netlists to Naja EDA Namecoin Internet Hardening Fund 2017 2019 Decentralized, censorship resistant Internet infrastructure for e.g. 
DNS and identities Namecoin: Core Infrastructure NGI0 Discovery 2020 2022 Alternative domain name system Namecoin: Electrum-NMC NGI Assure 2023 2024 Security hardening and futureproofing Namecoin and Electrum-NMC Namecoin: TLS Internet Hardening Fund 2021 2023 Various TLS integrations for Namecoin Namecoin: ZeroNet and Packaging NGI0 Discovery 2020 2022 Make ZeroNet work with Namecoin Namespace-specified imports in GHC NGI Zero Core 2024 2025 Fine-grained namespace control in Haskell Nanoarguments NGI0 Commons Fund 2026 Global, federated graph of scientific claims as LinkedData nat64 2010 Implement a NAT64 gateway to run on open-source operating systems Native DTLS 1.3 implementation in Go NGI0 Commons Fund 2025 Add DTLS 1.3 to PION real-time media stack Native IFC for FreeCAD NGI0 Entrust 2023 ISO-compliant Building Information Modeling in FreeCAD NaxRiscv core improvements NGI0 Entrust 2022 2024 Open hardware out-order Risc-V CPU NEFUSI NGI0 Discovery 2021 2022 NEFUSI: A novel NEuroFUzzy approach for semantic SImilarity assessment NeoChat NGI Assure 2021 2024 Native Matrix encrypted instant messaging client NetAidKit 2016 The NetAidKit is a pocket size, USB powered router for safer mobile networking. 
NetBSD Reproducibility NGI Zero Core 2025 Extend Reproducibility for CTF Debugging Infos and NetBSD Image Creation NetEventKit 2009 building an open source Network Event Kit neuropil NGI0 Discovery 2019 2019 Privacy by design P2P search including IoT neuropil NGI Assure 2021 2024 DHT based overlay network New data types for GNU Octave NGI0 Commons Fund 2025 Advanced data analysis workflows in GNU Octave Next Generation Browser Profile Workflow NGI Assure 2024 2024 A profile system for the Verso browser Nextcloud NGI0 Discovery 2019 2022 Unified and intelligent search within private cloud data NextGraph NGI Assure 2022 2024 Interlinked data graphs, with privacy, security, data locality, and interoperability in mind NextGraph Framework NGI0 Commons Fund 2025 SDK's and API's for the NextGraph Framework nextpnr for GW-5 NGI Zero Core 2024 2026 Add support to nextpnr for Gowin GW-5 FPGA family nftables 2015 A modular packet filtering framework providing enhanced userspace control NILO 2000 reference implementation of PXE-based network boot module Nitro Porter support expansion Open Social Fund 2025 Nitrokey NGI0 PET 2019 2022 Open hardware for encryption and authentication Nitrokey 3 NGI0 Entrust 2022 2025 PIV/FIPS 201-3 and extended hardware support for Trussed/Nitrokey Nitrokey 3 FIDO2 Level 2 NGI0 Commons Fund 2025 Achieve formal certification for open hardware security key Nitrokey 3 Storage NGI0 Commons Fund 2025 Add encrypted storage capabilities to Nitrokey 3 Nitter NGI0 Entrust 2023 Alternative privacy-preserving FOSS UI for Twitter Nix Integration for Hop3 NGI0 Commons Fund 2024 Nixify the Hop3 self-hosted cloud platform Nix Store disk usage improvements NGI0 Commons Fund 2026 Reduce storage overhead for Nix deployments NixBox NGI Zero Core 2024 Nix integration with netbox Nixcloud Internet Hardening Fund 2017 2019 Declarative internet services based on NixOS Nixcloud Mail Declarative mail server based on NixOS Nixcloud Webservices Declarative web services 
based on NixOS NixEdgeOpt NGI Fediversity Fund 2025 Adaptive placement and migration of NixOS services NixOS Agent-Based Deployment Stack NGI Fediversity Fund 2025 Fleet management for partially off-line NixOS deployments NixOS/Clevis NGI Assure 2023 2024 Unattended disk decryption with Clevis on NixOS Nixpkgs Clarity NGI Fediversity Fund 2025 State of the art automated license detection for Nixpkgs NLnet Labs Independent lab for Internet infrastructure development node-Tor NGI0 PET 2019 2019 Implementation of Tor protocols for inside webpages NodeBB NGI Zero Core 2023 ActivityPub support and accessibility improvements for forum software NodeBB context discovery NGI0 Commons Fund 2025 Improving safety, long-form text + threaded discussion elements Nodewatcher 2015 A comprehensive and scalable node management system for community wireless network. Noise Explorer-VerifPal NGI0 PET 2019 2019 Automated proofs and code generation for secure protocols Noise Nugget NGI0 Commons Fund 2026 FOSS digital audio processing NOMA 2017 Network Operator Measurement Activity Nominatim NGI0 Discovery 2020 2022 Multi-lingual support in address search Nominatim as a library NGI0 Entrust 2022 2023 Self-hostable address/location retrieval for OpenStreetMap NoScript Commons Library: Surrogate Scripts NGI0 Commons Fund 2025 Reusable script replacement functionality for privacy/security browser extensions NoScript Contextual Policies & LAN protection NGI0 PET 2020 2022 Application Boundaries Enforcer (ABE) for new generation of browsers NoScript-Andr 2013 Android Native NoScript NoScript-Mob 2011 NoScript Mobile NoScript-Mob2 2011 NoScript Mobile part 2 NoScriptABE 2009 improve the ABE (Application Boundaries Enforcer) for NoScript Nova JavaScript engine NGI Zero Core 2024 Independent JavaScript engine written in Rust NovyWave NGI Zero Core 2024 Waveform visualizer for gateware development NVE NGI0 Commons Fund 2026 Co-simulation framework for hardware designers Nym Credentials NGI0 PET 
2020 2022 A decentralised solution for authentication Nyxt NGI0 Discovery 2019 2022 A programmable browser with advanced search integration Nyxt NGI0 Discovery 2021 2022 Browser integration of federated, distributed platforms Nyxt Webextensions NGI0 Entrust 2022 Independent implementation of WebExtensions O-ESD NGI Zero Core 2024 Open-hardware for ElectroStatic Discharge testing OCaml direct style transition NGI Zero Core 2025 2026 Helping with the transition of OCaml programs from Lwt to Eio OCaml-QUIC NGI Zero Core 2023 Implement QUIC/QUIC-TLS/QPACK and HTTP/3 in OCAML OCap layer for Haskell actor library NGI0 Entrust 2023 Implement OCapN and Syndicate in Haskell's troupe OCCRP Aleph disambiguation NGI0 Discovery 2020 2022 OCCRP Aleph: disambiguating different people and companies OCS-Asterisk 2008 Open real-time connection between Microsoft OCS and Asterisk ODF Autotests a framework to help users and developers write test documents for ODF software ODF-AbiChanges 2011 ODF Track changes in AbiWord ODF-AbiChanges2 2011 ODF Track changes in AbiWord (2) ODF-AbiWord improving AbiWord OpenDocument ODF-changes 2011 Representing Changes in Open Document Format ODF-changes2 2011 Standardisation for Tracked Changes in ODF ODF-compare 2011 Creating Tracked Changes in Open Document Format by Document Comparison ODF-DocMod 2013 Modularise ODF 1.2 documentation ODF-KOffice 2009 ODF load and save in KOffice ODF-KOffice2 2010 ODF metadata in KOffice ODF-KOffice3 2010 ODF revisions in KOffice ODF-KOffice4 2011 ODF track changes/tables in KOffice and Calligra Suite ODF-Numbertext 2009 number to text conversion for the upcoming ODF OpenFormula standard ODF-Recipes 2011 ODF Software Recipes ODF-Symbian 2009 view ODF on Symbian OS and other mobile systems ODF-Valid 2013 ODF Online Validator to the command-line ODF-XLIFF 2009 convert ODF to Gettext PO and XLIFF for translation and localising OdfKit 2011 base library for processing ODF odfsvn 2009 use SVN to maintain ODF documents 
Off-the-Record messaging version 4 NGI0 PET 2019 2022 Advanced protocol for secure messaging Offen NGI0 Discovery 2020 2022 Privacy-respecting site analytics offen NGI0 PET 2019 2019 Ethical site analytics, controlled by the user OfficeShots see how different office suites render your ODF document. Offline Translator NGI Mobifree Fund 2025 On-device translations using open models Oil Shell NGI Assure 2022 2023 A new dialect of shell that is less error-prone Oil Shell NGI Assure 2022 2023 Modern shell language and runtime Oils for Unix NGI0 Commons Fund 2025 An upgrade path for legacy shell Oils for Unix NGI0 Entrust 2023 2025 Bringing shell environments into the 21st century Oku NGI0 Entrust 2023 2024 A browser and encrypted data vault based on IPFS Omnom NGI0 Discovery 2021 2022 Self-hosted bookmarking and snapshotting with search Omnom NGI Zero Core 2024 2025 Add social layer to personal bookmarking OnBaSca NGI0 PET 2019 2019 Tor Bandwidth Scanner Online Self-defence in Ten Minutes 2010 Online Self-defense in 10 minutes Ontogen NGI Assure 2022 2024 From datasets in DCAT catalogs to knowledge graphs Ontogen and Mud NGI0 Commons Fund 2024 Advanced versioning and identity management for RDF datasets Opaque Sphinx NGI0 PET 2019 2022 Secure password-based authentication with Opaque/Sphinx Opaque Sphinx Server and Clients NGI0 PET 2019 2022 Server and tools for modern authentication OpaqueStore/Sphinx 2.0 e-Commons Fund 2023 2024 Store arbitrary sized secrets + IRTF/CFRG compliant SPHINX implementation Open Banking Gateway Taler Wallet Top-Up/Merchant Verification NGI TALER Fund 2024 Add GNU Taler support to Open Banking Gateway Open Beam Interface Lite NGI0 Commons Fund 2025 Generic interface for high end scanning and patterning devices Open Cloud Mesh NGI Zero Core 2023 Improved specs and test suite for Open Cloud Mesh protocol Open Energy Profiler Toolset NGI0 Entrust 2023 Modular open hardware Energy Profiling Open Everything Facts NGI0 Commons Fund 2024 Powering 
consumer choice on anything with a bar code Open Hardware Manuals NGI Zero Core 2023 2025 Automatically generate user-friendly documentation for open hardware elements Open Hospitality Network NGI0 Discovery 2021 2022 Federated hospitality with ActivityPub Open Know-How Search NGI0 Discovery 2021 2022 Search Open Hardware Projects Open Logic - Signal Processing Elements NGI0 Commons Fund 2025 Standard Library for FPGA development Open MLS Infrastructure NGI Assure 2021 2023 End-to-end encrypted group messaging Open PCIe and M.2 hardware and software platform NGI0 Commons Fund 2026 Standard form factor open hardware extension cards Open Prices - Scaling price collection NGI0 Commons Fund 2025 Crowdsourced consumer product price collection Open Source Battery Management System (OpenBMS) NGI0 Commons Fund 2026 Complete FOSS solution for battery management Open source ePDG for VoWiFi User-operated Internet Fund 2021 Enhanced Packet Data Gateway for mobile infrastructure Open source ESP32 802.11 MAC NGI Zero Core 2023 2025 Open source wifi drivers for ESP32 Open source MILAN hardware and software stack NGI0 Commons Fund 2026 Reliable real-time media streaming over ethernet networks Open Terms Archive vendor lock-in break NGI0 Commons Fund 2025 Public tracking of the evolution of terms and conditions Open Virtual File System (VFS) for Linux NGI0 Commons Fund 2026 Create a standard API for files stored across the net Open Web Calendar Stack NGI Zero Core 2023 Aggregate public and private web calendars Open Web Calendar Stack II NGI Zero Core 2024 Recurring events and calendar merging Open-source accelerator platform for large FPGAs NGI0 Commons Fund 2025 Low cost hardware accelerated workloads with open toolchains Open-source firmware for modern AMD boards NGI0 Commons Fund 2025 2025 Base port of Coreboot to AMD platform using OpenSIL Open-source firmware for modern AMD boards part 2 NGI0 Commons Fund 2025 Extending coreboot support for AMD Phoenix SoC to AM5 socket 
OpenAGPS NGI Mobifree Fund 2024 Privacy-friendly, self-hostable location service OpenBTS-HW 2012 OpenBTS hardware OpenCarLink NGI Zero Core 2024 Security tooling for vehicle ODB2 ports OpenCartoCam NGI0 Commons Fund 2025 360-degree camera with hardware-accelerated object detection OpenCloud Federation NGI0 Commons Fund 2026 Implement Open Cloud Mesh Specification in OpenCloud openCologne NGI0 Entrust 2024 2025 CM4 form factor SoM for GateMate chips openCologne/PCIe NGI0 Commons Fund 2025 Create PCIe EndPoint for GateMate FPGA's OpenCryptoHW NGI Assure 2021 2024 CGRA-based reconfigurable open-source cryptographic IP cores OpenCryptoLinux NGI Assure 2022 2024 Make Linux run on OpenCryptoHW OpenCryptoTester NGI Assure 2022 2024 System-on-Chip for hardware/software testing OpenDoc-Soc 2011 Dutch OpenDoc Society OpenEMSH NGI Zero Core 2024 Automatic mesher for FDTD simulation openEngiadina NGI0 Discovery 2019 2022 Platform for creating, publishing and using open local knowledge openENOC NGI0 Commons Fund 2026 Scalable Ethernet-based Network-on-Chip OpenEPT Ecosystem NGI0 Commons Fund 2025 High-end open hardware to analyse energy consumption Openfire IPv6 support NGI Zero Core 2024 2024 Add IPv6 support to the Openfire XMPP server Openfire Next-Gen Connectivity NGI Zero Core 2024 Authentication/SASL improvements to Openfire XMPP server OpenFlexure Microscope NGI0 Commons Fund 2025 Enabling telepathology with open hardware high end microscopes OpenHarbors NGI Zero Core 2024 Dynamic Tunneling of WPA over IP/L2TP OpenIMSd NGI Zero Core 2024 4G/VoiceOverLTE support for open source mobile OSes Opening up Apple’s Low Latency Wi-Fi Protocol NGI Mobifree Fund 2025 Open-source interoperable implementation of LLW for Linux Openki Roles NGI0 Commons Fund 2024 Restructuring role management in libre tool for crowd-sourced education Openki.net NGI0 Discovery 2019 2022 Make local events and meetups discoverable openMSRP 2008 openMSRP relay implementation openMSRP(2) 2008 multi-party 
Instant Message server based on MSRP openMSRP(3) 2009 GUI for the open source SIP SIMPLE client openPCIe2 Root Complex NGI Zero Core 2024 Open hardware implementation of gen 2 PCIexpress in OpenXC7 OpenPGP Certificate Authority NGI0 PET 2019 2022 Managing OpenPGP keys for communities and organisation OpenPGP refresh for Conversations NGI0 Commons Fund 2026 Modernise OpenPGP implementation for Android XMPP client OpenQRNG NGI Assure 2022 2024 Open source, certified Quantum Random Number Generator OpenStreetMap Speed Limits NGI0 Discovery 2021 2022 Infer default speed limits for better quality OpenStreetMap-based routing OpenStreetMap-NG NGI0 Commons Fund 2025 Alternative implementation of OpenStreetMap OpenStreetMapNL 2009 maintenance software for OpenStreetMap Nederland OpenTough NGI0 Commons Fund 2026 Open-source rugged enclosure for modular laptop mainboards OpenVoiceOS - From Beta to Breakthrough NGI0 Commons Fund 2025 Free and open, self-hostable voice assistant openwifi: 802.11a/g/n maturity NGI Zero Core 2024 Improved stability, data rate and reach of openwifi openXC7 NGI0 Entrust 2023 2025 Improve hardware support for open source FPGA tooling OPERA-DSP NGI Zero Core 2024 Open hardware FMCW Radar signal processing in FPGA Optimized Image Codecs NGI Zero Core 2025 More efficient image handling for embedded systems oqsprovider NGI Assure 2021 2023 Post-quantum/quantum-safe cryptographic algorithms for OpenSSL Ordie NGI0 Entrust 2022 Designing a SoC for Betrusted Organic Maps NGI0 Entrust 2023 2024 Privacy-focused Android & iOS offline maps application Organic Maps bookmarks, hike and bike NGI Zero Core 2025 Improved bookmarks, address search, map styles and driving Organic Maps convergent UI with Qt Quick/Kirigami NGI Zero Core 2025 Declarative cross-platform UI for navigation ORION NGI0 Commons Fund 2026 INspire-aligned raster map tiles for gvSIG ONline OSF Crawler Cooperation NGI0 Discovery 2021 2022 Support Infrastructure for Open Search initiatives OSLD 
2013 Open-Source LTE Deployment (OSLD) OSN-PPCP 2012 Privacy-Preserving Communication Protocol for OSNs OV-Chipkaart 2011 privacy friendly chip card for public transport Overte NGI0 Entrust 2023 Virtual reality based social platform Overte Visual Scripting NGI Zero Core 2024 Feature enhancements of FOSS virtual reality platform OVT 13 NGI0 Entrust 2023 Open Hardware laptop OWASP blint NGI Mobifree Fund 2024 Versatile binary linter, malware research tool and SBOM generator OWASP dep-scan NGI Zero Core 2024 2025 Security and risk audit tool owi NGI Zero Core 2023 2025 Symbolic evaluator and fuzzing of WASM software Owi 2 NGI0 Commons Fund 2025 Cross-language symbolic execution via Wasm Owncast NGI0 Discovery 2021 2022 ActivityPub powered Livecasting p2panda NGI Assure 2022 2024 p2p protocol and event-driven data store p2panda System Service NGI0 Commons Fund 2025 Real-time collaboration, private sharing and unified local storage of desktop apps p2panda: group encryption and capabilities NGI0 Entrust 2023 2025 Add group encryption and capabilities to peer-to-peer SDK P2Pcollab NGI0 Discovery 2019 2022 Decentralised social search and discovery p3pch4t NGI Zero Core 2023 Decentralized chat platform built on i2p p4-nix NGI Assure 2022 2024 Combine Programming Protocol-independent Packet Processors language with declarative Nix packaging Packet classification extensions for Netfilter NGI Assure 2021 2024 High throughput packet classification of tunneled traffic Padding Machines for Tor NGI0 PET 2019 2019 Protect metadata in the Tor onion routing network Padne NGI0 Commons Fund 2026 Open source power delivery network analyser padne Palea 2011 Finding unauthorized routes leaving your network Panoramax NGI0 Commons Fund 2024 2025 Digital, collaborative immersive street level imagery Panoramax video uploads NGI0 Commons Fund 2026 Add street level imagery from user-provided video Papis NGI0 Commons Fund 2026 Highly extensible document and bibliography manager Parley NGI0 
Commons Fund 2025 Rich text layout and editing library Parley - rich text layout library NGI0 Commons Fund 2025 Cross-app rich text copy/paste for Parley Parrot 2009 virtual machine for scripting languages Parselov 2017 Syntactic analysis of documents and protocol messages based on formal descriptions Passthrough Authentication NGI0 Entrust 2023 Authentication proxy using Kerberos and SPNEGO Patchouli NGI Zero Core 2024 Arbitrary-sized open hardware EM pen products Payment Module for Nuxt/Vue.js NGI TALER Fund 2024 Module to add GNU Taler support in Nuxt/Vue.js pcb-rnd NGI0 PET 2020 2022 Modular printed circuit board editor pcb-rnd, sch-rnd NGI0 Entrust 2022 2025 Open source EDA suite PdfDing NGI0 Commons Fund 2025 Webbased selfhosted PDF manager, viewer and editor Peer-to-Peer Access to Our Software Heritage NGI Assure 2021 2023 Access Software Heritage data via IPFS DHT PeerDB Search NGI0 Discovery 2021 2022 Search for semantic and full-text data peermaps NGI0 Discovery 2021 2022 Peer to peer cartography PeerTube NGI0 Discovery 2021 2022 A decentralised streaming video platform PeerTube - Remote Transcoding NGI0 Entrust 2022 2024 Remote Transcoding for distributed video sharing network PeerTube for Institutions NGI0 Commons Fund 2025 Make PeerTube easier to manage and moderate at scale Peertube plugin livechat NGI0 Commons Fund 2025 Public and private messaging for Peertube content + live streams Peertube plugin livechat NGI0 Entrust 2022 Integrated chat for Peertube live streams Peertube-Desktop NGI0 Discovery 2020 2022 Enjoy and share federated videos Peppol for the masses NGI Assure 2021 2023 Hybrid self-hosted e-invoicing with decentralized identities Persistent Storage for Goblins NGI Zero Core 2024 Integrate ERIS content-addressable encrypted storage to Goblins Personal Food Facts NGI0 Discovery 2019 2019 Privacy protecting personalized information about food Perspectives: Making Models NGI0 Entrust 2022 Generate software from open models for human 
interaction patterns PGP4civiCRM NGI0 PET 2019 2022 Add email encryption to CRM Pijul ecosystem NGI Zero Core 2024 A modern patch-based version control system Pijul Hybrid NGI Zero Core 2024 Hybrid patch-based/snapshot-based system for distributed versioning Pimalaya PIM NGI Zero Core 2024 Memory-safe emails, contacts, calendars, tasks and more Pimalaya: email NGI0 Entrust 2023 2024 Open source personal information management pimsync NGI0 Commons Fund 2026 Reliable synchronisation for contacts and calendars Pinbot NGI0 Commons Fund 2025 Design and deploy test jigs for electronics Pion User-operated Internet Fund 2021 Network congestion measurement for adaptive real-time applications PiRogue Tool Suite NGI Mobifree Fund 2025 Consensual mobile device forensic analysis and incident response solution Pitchfork Internet Hardening Fund 2017 2019 Open hardware for compartmentalizing key material and cryptographic operations Pitchfork PKCS#11 Internet Hardening Fund 2017 2019 Contribute to OASIS standardisation PKCS#11 v3 Pithus NGI Mobifree Fund 2025 Free and open-source mobile threat intelligence PixelDroid NGI0 Discovery 2020 2022 Share and browse photos in the fediverse with a mobile app PixelDroid/Media editor NGI0 Entrust 2023 Native PixelFed/ActivityPub image sharing app Pixelfed NGI0 Discovery 2019 2020 ActivityPub driven decentralised photo sharing platform Pixelfed NGI0 Entrust 2022 2024 Open source, federated photo sharing platform using ActivityPub Pixelfed Live NGI0 Discovery 2020 2022 Live streaming and other Pixelfed enhancements PKCS#11 v3 2018 Contribute to standardisation of PKCS#11 for cryptographic tokens Plasma Mobile powermanagement improvements NGI Zero Core 2024 Better power management on mobile Linux Plaudit NGI0 Discovery 2019 2022 Make good science discoverable through endorsements Pleroma NGI Zero Core 2023 Scalable ActivityPub server written in Elixir Pnut NGI0 Commons Fund 2025 Reproducible build of GCC on POSIX shell Pnut everywhere NGI0 
Commons Fund 2026 Compiles (a subset of) C to human-readable POSIX shell or binary Podlibre NGI0 Commons Fund 2025 Dedicated, customizable podcast editor PodOS NGI0 Commons Fund 2025 Personal Online Data Operating System aimed at exploring W3C Solid pods Poliscoops NGI0 Discovery 2019 2022 Make political news and online debate accessible Polyglot jaq NGI0 Commons Fund 2025 2026 Data wrangling tool focusing on correctness, speed, and simplicity. Pomme d’API NGI0 Commons Fund 2024 Improvements around the Open Food Facts API Popularizing PeerTube NGI0 Entrust 2023 2025 Decentralised video platform powered by ActivityPub Port of AMDVLK/RADV 3D Driver to the Libre-SOC NGI0 PET 2019 2022 Adapt Vulkan Drivers to the Libre-SoC Port Phosh to GTK4/libadwaita NGI0 Commons Fund 2025 Open source user interface for mobile phones Portable Libre Diagnostic NGI0 Commons Fund 2026 Reliable open automotive diagnostics stack Porting Guix to Riscv64 NGI Assure 2022 2024 Port Guix software collection to Riscv64 architecture Porting the Lucid Language to Open Platforms NGI0 Commons Fund 2025 Make writing high-performance data-plane software easier Post-Quantum Crypto in DNSSEC NGI Assure 2022 2024 Experimental platform for DNSSEC with post-quantum cryptography postmarketOS NGI0 PET 2020 2022 An independent mobile operating system postmarketOS daemons NGI Zero Core 2024 Add modern service daemons to postmarketOS postmarketOS v25.12 + v26.06 NGI0 Commons Fund 2025 New versions of the mobile operating system postmarketOS postmarketOS/phosh-mobile-settings integration NGI Zero Core 2023 2026 Consolidate functionality of FOSS mobile settings applications postmarketOS: v23.12 and v24.06 Releases NGI Zero Core 2023 2024 New versions of the mobile operating system postmarketOS PowerCommons NGI0 Commons Fund 2026 OpenPower A2O Core Revival Practical Decentralised Search and Discovery NGI0 Discovery 2019 2022 Search and discovery inside mesh/adhoc networks Practical Tools to Build the Context Web 
NGI0 Discovery 2020 2022 Declarative setup of P2P collaboration Pre-Scheme NGI Zero Core 2024 Compile Scheme directly to portable C PRESC Classifier Copies Package NGI0 Discovery 2021 2022 Implementing Machine Learning Copies as a Means for Black Box Model Evaluation and Remediation pretalx NGI0 Entrust 2022 2025 Open source tooling for events and conferences Pretty Easy Privacy Internet Hardening Fund 2017 2019 At scale simulation over GNUnet with different realistic user behavior scenarios Privacy Enhancements for PowerDNS and DNSdist NGI0 PET 2019 2022 Make it easier to deploy private DoT/DoH resolvers Privacy Infrastructure for Corteza Federations NGI0 Discovery 2021 2022 Allow users to locate and browse their private data wherever Privacy Preserving Disease Tracking NGI0 Discovery 2020 2020 Research into contact tracing privacy Privacy-friendly online age verification NGI0 Commons Fund 2025 Age verification done right Private Key Operations for Keyoxide NGI Assure 2022 2023 Implement Private Key Store design in Keyoxide Private Searx NGI0 Discovery 2019 2022 Add private resources to the open source Searx metasearch engine PrivateRecSys NGI0 Discovery 2020 2022 Privacy-Friendly Recommendation System Probabilistic NAT Traversal NGI Assure 2022 2024 Last resort ad hoc connections for GNUnet Progressive Web App - ActivityPub API Open Social Fund 2025 General purpose web client for ActivityPub Project SERVFAIL NGI0 Commons Fund 2025 Tools for DNS hosting Project Unnamed NGI0 Commons Fund 2025 Full-featured, libre FPGA compilation toolchain Proper Webcam support in Qemu NGI Zero Core 2023 Better virtualisation of camera interfaces Prosody IM NGI Assure 2021 2024 Implement SASL authentication mechanism for XMPP Protomaps NGI Zero Core 2023 Self-hostable maps based on OpenStreetMap data Provability Fabric NGI0 Commons Fund 2026 Verifiable evidence and run-time security for AI systems ProveThis NGI Assure 2022 2024 Prove statements about authenticated API resources 
Proxy App 2010 Proxy appliance to utilize unused bandwidth networks PSYC2 2015 Next iteration of the Protocol for SYnchronous Conferencing PTP gateware with openXC7 NGI0 Entrust 2023 PTP on FPGA timing cards and SDR cards with openXC7 PTT NGI Zero Core 2024 Unikernel Mailing list server in OCAML PulseAudio 2011 PulseAudio echo cancellation purl2all NGI0 Entrust 2023 2024 Discover metadata for software packages purl2sym NGI0 Entrust 2023 2024 FOSS code symbols indexing system PurlValidator NGI0 Commons Fund 2025 Check validity of software package identifiers online and offline Pushing forward for CSS Print NGI0 Commons Fund 2025 High end print from HTML and CSS Py2HWSW NGI Zero Core 2023 A tool to manage embedded HW/SW project Py3DTiles - Textured Mesh tiling NGI Zero Core 2024 OGC 3DTiles 1.1 support for 3D tile conversion tool PyCM NGI Assure 2022 2023 Evaluate the performance of ML algorithms PyCM NGI0 Commons Fund 2025 Machine learning post-processing and analysis Python bindings to the rattler library NGI0 Entrust 2023 2025 Python supply-chain with dream2nix NGI Assure 2023 2024  Towards a secure, extensible & reproducible Python supply-chain with dream2nix Pythonic Slint NGI0 Entrust 2023 2025 Add a full-blown Python API to Slint PyUVM SPI Verification Component NGI0 Commons Fund 2026 Add Serial Peripheral Interface support to PyUVM verification tool QGIS Panoramax Plugin NGI0 Commons Fund 2026 Extension to manage Panoramax data with QGIS Qryptr NGI0 Commons Fund 2025 Air-gapped open hardware encryption device Quantum-Proof Zenroom NGI Assure 2022 2022 Implementation of Quantum-Proof Cryptography in Zenroom Quantum-Safe Cryptography in Sequoia PGP NGI0 Commons Fund 2025 Implement draft-ietf-openpgp-pqc in Sequoia PGP Qubes 2017 A reasonably secure operating system Qubes OS NGI0 PET 2019 2022 Bring the security of Qubes OS to people with disabilities R5N-DHT NGI Assure 2021 2024 Formalisation within IETF of R5N Distributed Hash Table design RA-Sentinel NGI0 
Entrust 2023 FPGA-based Radio Receiver for securing Wifi against hacking attacks RA-Sentinel AoA NGI0 Commons Fund 2025 Direction aware sensing of RF-based attacks RA-Sentinel Code Liberation NGI0 Commons Fund 2025 Royalty free synthesizable Verilog code for signal processing Rackweaver NGI Zero Core 2024 Design and manage physical infrastructure hosting Radio-Meshnet NGI0 Entrust 2022 Self-sustained Community and Emergency Radio Networking RADIUSdesk User-operated Internet Fund 2021 2024 Open wifi mesh deployment application RADIUSdesk Multi WAN NGI0 Entrust 2023 Add Multiwan to RADIUSdesk RAIJIN NGI0 Entrust 2022 2025 Open Hardware brain measurements with near-infrared spectroscopy Raptor Lake Desktop NGI0 Entrust 2023 2024 Implement open-source firmware for modern mainboards and chipsets RaptorJIT RaptorJIT is a high-performance Lua virtual machine for network dataplanes. rasn NGI Assure 2021 2023 Safe ASN.1 codec framework for Rust Rauthy NGI Zero Core 2025 2025 Reliable OpenID Connect IdP and IAM solution. 
raylib NGI0 Commons Fund 2025 Project creator/builder + feature development for raylib graphics library Re-isearch NGI0 Discovery 2020 2022 Vectorise text with a flexible unit of retrieval Re-isearch Schmate NGI0 Commons Fund 2024 Extending re-Isearch with a flat vector datatype for embeddings Reach NGI0 Commons Fund 2025 Cryptographic Infrastructure for Anonymous Communication Reaction NGI Zero Core 2025 Event-based system programming Real time graph database search engine NGI0 Discovery 2021 2022 Live filtering on graph database streams Real Time Litex Extension NGI Zero Core 2025 2026 Real time capabilities for FPGA-based RISC-V core realXtend 2010 realXtend communications based on Telepathy Record Federation for Corteza Clouds NGI0 Discovery 2020 2020 Data federation over ActivityPub Redash NGI0 Discovery 2020 2022 Predictive text entry without a keyboard Redox Flow Battery NGI0 Entrust 2024 Development Kit for Open-Source Hardware Redox Flow Battery Redox OS Unix-style Signals NGI Zero Core 2024 Add Unix-style signal handling to Redox Operating System Reduce osm2pgsql resource usage NGI0 Commons Fund 2026 More efficient database usage for OSM data Reduced Feature-set Packet Filter NGI0 Commons Fund 2025 High throughput software firewall Redwax NGI0 PET 2019 2022 Standardisation of client side PKI interfaces Redwax Server Modernisation NGI0 Commons Fund 2025 Self-hostable X509 certificate based identity management solution Reinstatement of crypto.signText() NGI Assure 2021 2024 Cryptographic signatures brought back to the browser Remote PKCS#11 Internet Hardening Fund 2017 2019 Remote usage of PKCS#11 Remote Sniffnet NGI0 Commons Fund 2025 Network monitoring tool + traffic analyser Renderling NGI Zero Core 2024 Real-time rendering library on top of WebGPU Renderling ecosystem NGI0 Commons Fund 2025 Renderling Reowolf NGI0 PET 2019 2022 Rip and replace for BSD socket insecurity ReOxide NGI0 Entrust 2023 Improving Rust Decompilation Repath Studio NGI0 Commons 
Fund 2025 SVG editor written in Clojurescript Replicant on Guix NGI0 PET 2020 2022 Reproducible build infrastructure for Replicant Replicant on Pinephone 1.2 NGI0 Entrust 2023 2024 Add basic support for the Pinephone 1.2 to Replicant Reproducible bootstrap path for 'Node.js' based on GNU Guix NGI0 Commons Fund 2025 Build Node.js from source with Guix Reproducible Builds NGI0 PET 2019 2022 Make the build processes behind software distributions reproducible Reproducible Builds in the Scala ecosystem NGI0 Commons Fund 2025 Deterministic builds for software written in Scala Reproducible F-Droid NGI0 Entrust 2023 2025 Building a trusted app ecosystem with F-Droid Reproducible-openSUSE NGI0 Entrust 2024 Reproducible distribution of openSUSE rolling release reqwest NGI Zero Core 2024 Memory safe HTTP client RETETRA NGI0 PET 2020 2022 Security Analysis of Proprietary Cryptography in Terrestrial Trunked Radio RETETRA3 NGI0 Entrust 2024 2025 Security research into TETRA standard Reverse Engineering Toolkit NGI0 Entrust 2023 2026 Reducing e-waste through Reverse Engineering ReX 2003 international exchange of scholars for software projects RFID Guardian 2009 hardware prototyping of a mobile device for personal RFID security and privacy management. 
RFID Guardian(2) 2010 unified platform for RFID security and privacy administration Ricochet Refresh NGI0 PET 2019 2019 Anonymous, meta-data free secure messaging Ricochet Refresh UX NGI0 Commons Fund 2025 Making privacy more user-friendly Ripple NGI0 PET 2021 2022 Safer and faster incremental software builds RISC-V bootstrapping effort via GNU Mes NGI Assure 2023 2024 Allow bootstrapping Guix on RISC-V via GNU Mes RISC-V Phone NGI0 PET 2020 2022 Open hardware RISC-V Phone RIVET NGI0 Commons Fund 2025 Cointegration of RISC-V systems with Ethernet Rivista NGI Zero Core 2024 Publish and consume news feeds via XMPP RNP Confium NGI0 PET 2020 2022 Distributed trust store enabling threshold encryption Road Signs for Digital Payments NGI TALER Fund 2024 2025 Safe, usable financial interfaces for poorly-schooled adults. Robotnix NGI0 PET 2020 2022 Reproducible Builds of Android with NIX Robur private DNS resolver and DHCP server NGI0 PET 2019 2022 Secure network configuration and DNS resolution Rocket CWMP NGI0 PET 2019 2022 Remote governance and configuration for internet equipment Rosenpass NGI Assure 2022 2024 Post Quantum Security Add-On for WireGuard Rosenpass API NGI Assure 2024 2024 Improved API's and platform coverage for Rosenpass Rosenpass Broker NGI Zero Core 2024 Expanding the Rosenpass API's to enable easy integration in applications Rotonda Secure Extensions NGI0 Entrust 2022 Implement BGPSec in Rust and integrate into Rotonda RPKI-RTRlib 2017 RPKI/RTRlib rrdnsd NGI Zero Core 2024 DNS based load balancing and high availability RTranslator 3.0 NGI Mobifree Fund 2025 Real-time local translation app for spoken word for Android Rust crate auditing and source correspondence checks NGI Zero Core 2024 Better supply chain security for Rust crates + packages in distributions Rust Threadpool NGI0 PET 2019 2022 Improve privacy of Rust threading library rust-query NGI0 Commons Fund 2025 Ergonomic API to write composable and nested relational queries Rusted Platform 
Module (RPM) NGI0 Commons Fund 2024 Programming TPMs in pure Rust RVVM NGI Zero Core 2024 RISC-V Virtual Machine S-SATA for openXC7 NGI0 Entrust 2024 Open source SATA phy and interface for FPGA's s6-rc NGI Zero Core 2024 Service manager for s6-based systems Sabayon 2009 creating a fast binary package manager using relational databases Samizdat 2012 Samizdat makes public key cryptography accessible SANE System Administration and NEtworking conferences SASL Works for the InternetWide Architecture NGI0 PET 2019 2022 Integrate new authentication mechanisms into SASL SASL XMSS NGI0 PET 2019 2019 Make SASL work with XMSS protocol scalePNR NGI0 Entrust 2023 New place and route algorithms for large FPGAs SCE, DelTiC and Antler NGI Zero Core 2023 High-Fidelity Congestion Control schc-rs NGI0 Commons Fund 2025 Faster low power networking for constrained devices Scheme Testing Framework NGI Zero Core 2024 Modernise testing for Scheme SchoolLan 2006 computer networking as education support for primary schools SCIM integrations NGI0 Entrust 2022 System for Cross-domain Identity Management (SCIM) SCION Open Source Implementation NGI Zero Core 2024 2026 Performance improvements for SCION reference Implementation SCION-enabled IPFS and libp2p NGI Zero Core 2023 Enhancing IPFS Performance and Resilience through SCION's Path-Aware Networking SCION-Pathdiscovery NGI0 Discovery 2019 2022 Secure and reliable decentralized storage platform SCION-RAINS NGI0 Discovery 2021 2022 RAINS, Another Internet Naming Service (or, a DNS alternative) SCTP-Linux 2011 A better Linux SCTP SDCC NGI0 Entrust 2022 2024 Small Device C Compiler compiler for 8-bit microcontrollers SDCC NGI0 Commons Fund 2025 Modern compiler for 8-bit microcontrollers SDR PHY 2019 Create a GSM mobile phone consisting of completely open source software and SDR radio Seahorse SmartCard 2012 Seahorse Smart Card Support Search and Displace NGI0 Discovery 2019 2022 Find and redact privacy sensitive information Searsia 2017 Searsia 
is a protocol and implementation for large scale federated web search. searx NGI0 Discovery 2019 2022 Federating self-hosted search hubs searx NGI0 Discovery 2019 2019 A privacy-respecting, hackable metasearch engine Searx 2018 Searx is an internet metasearch engine that can be easily self-hosted by anyone. SEARXR NGI0 Discovery 2020 2022 Virtual reality for web search SecSync NGI Assure 2021 2024 Efficiently combine end-to-end encryption with CRDTs Secure Apache PLC4J NGI0 Commons Fund 2025 Unified interface to PLCs and industrial devices Secure User Interfaces (Spritely) NGI0 PET 2019 2022 Usability of decentralised social media Secure Web Tokens for Linux NGI Zero Core 2024 TPM 2.0 backed FIDO2/U2F tokens on Linux SecurEAP: Secure Enterprise Wi-Fi on Linux NGI0 Commons Fund 2025 Improve Wi-Fi security and privacy Securing Decentralised Live Information with m-ld NGI Assure 2021 2023 Collaborative editing of Linked Data based on CRDT Securing Internet protocols with decentralized identity NGI0 Commons Fund 2025 DIDs and Verified Credentials as SASL method Securing Internet protocols with DIDs NGI Assure 2022 2024 Bridge Decentralized Identifiers with standardised authorisation mechanisms Securing NixOS services with systemd NGI Assure 2021 2024 Securing PLCs via embedded protocol adapters NGI0 PET 2020 2022 Open hardware protocol adapters for industrial automation Security audit of Sailfish FOSS components NGI Zero Core 2025 Analyse security of secrets, Sailfish ofono and Sailjail SecuShare Internet Hardening Fund 2017 2019 A framework for sufficiently safe social interaction Secushare Box Internet Hardening Fund 2017 2019 Operating system extension of Secushare for hardware devices SeedVault NGI0 PET 2020 2022 Private backups of mobile applications SeedVault Integrity NGI0 Entrust 2023 2024 Add integrity checking and WebDAV support to SeedVault Android backups SelectCast: Anycast in Path Aware Networks NGI0 Commons Fund 2026 Anycast for SCION and other 
path-aware networks SelfHostBlocks NGI Zero Core 2024 NixOS based server management for self-hosting SelfPrivacy NGI0 Entrust 2023 Reproducible self-hosting stack based on NixOS SelfPrivacy Catalog NGI Fediversity Fund 2025 SelfPrivacy SensifAI NGI0 Discovery 2019 2022 AI driven image tagging Sequoia GPG Chameleon NGI Assure 2021 2024 Implement well-known API's for using OpenPGP Sequoia PGP NGI Assure 2021 2024 Improve interface of Sequoia PGP commandline Serialization in Kaitai Struct for Java and Python Binary Analysis Fund 2022 2023 Declaratively modify and create complex binary file formats Serval 2011 Mobile communication anywhere. Serval-LR 2013 SERVAL Long-range WiFi Add-on Serverless and Metadata Reduction for XMPP NGI0 Commons Fund 2025 Enable XMPP on local networks, and reduce metadata exposure Servo NGI0 Entrust 2023 2024 Independent Rust-based browser engine Servo CSS NGI0 Entrust 2024 2025 CSS feature parity for Servo browser engine Servo Developer Experience Improvements NGI Assure 2024 2024 Improve productivity for Servo developers Servo Editability and Interactivity Enhancements NGI0 Commons Fund 2025 Keyboard interaction within the Servo browser Servo improvements for Tauri NGI Assure 2024 2024 Verso offscreen + multiview Servo Script Improvement NGI Zero Core 2024 2025 Refactoring Servo’s script crate Servo WebAPIs for Service Worker NGI0 Commons Fund 2025 Non-blocking, async Service Workers for Servo browser engine Servo Webview for Tauri NGI Assure 2022 2024 Integrated portable webview based on Servo engine into Tauri Servo: Benchmarking and Statistics NGI Zero Core 2024 Infrastructure for benchmarking and testing Servo SES - SimplyEdit Spaces NGI Assure 2022 2023 SimplyEdit Spaces - collaborative presentations Sesame 2006 storage and querying middleware for the Semantic Web Shadow Internet 2016 An alternative communication infrastructure working phone to phone. 
ShapeThing SHACL renderer NGI0 Commons Fund 2026 View, edit and filter semantic data Shinobi NGI0 Commons Fund 2026 An incremental AOSP build tool using Nix dynamic derivations SiCl4 NGI0 Entrust 2023 Tool for interactive reverse engineering of digital logic. Signature PDF NGI Assure 2022 2024 Self-hosted tool to add signature to PDFs Signature PDF NGI0 Commons Fund 2025 PDF editing and server-based digital signing workflow SignRoom NGI Assure 2022 2024 Zenroom based signature and credential platform Silicon verification NGI0 Entrust 2022 2025 Non-destructive, in-situ inspection of physical chips SIMcurity: Tools for Securing the SIM interface NGI Mobifree Fund 2025 Protect phones and users against SIM vulnerabilities and hostility Simmel NGI0 Discovery 2019 2019 A wearable contact tracing beacon/scanner SimpleSAMLphp SimpleSAMLphp Fund 2025 2025 SAML 2.0 Service + Identity Provider SimpleSAMLphp 2.6 SimpleSAMLphp Fund 2025 Extendable Authentication + Identity Provider SIP improvements for GNOME Calls NGI0 Commons Fund 2025 Add DTLS-SRTP to GNOME Calls SIP RELOAD NGI0 Entrust 2023 REsource LOcation And Discovery, a peer-to-peer (P2P) signaling protocol SIP-GUI 2011 Next Phase Graphical User Interface for the SIP SIMPLE client SIPcollab 2015 Decentralized and secure collaborative editing on office documents SIPproxy64/6bed4 2012 0cpm, SIPproxy64, 6bed4, applet, freeswitch RTT SIRS 2002 Scalable Internet Resource Service Slint on iOS NGI Zero Core 2024 iOS support for typed declarative UI toolkit Slint port for Android NGI Zero Core 2023 2025 Port the Rust-based Slint UI toolkit to Android Slint Visual Editor NGI0 Commons Fund 2026 User-friendly design of graphical user interfaces Slintify LibrePCB 2.0 NGI0 Commons Fund 2025 Add missing features to Slint UI toolkit to accommodate demanding applications Slips Immune I NGI0 Commons Fund 2024 Active IDP using ARP poisoning Slipshow NGI0 Commons Fund 2025 A different paradigm for presentations including flipchart style 
annotations Slixfeed NGI Zero Core 2024 News feed delivery through standard-based instant messaging SMAesH-Mode NGI Zero Core 2024 Side-channel protected hardware implementation of AES Smart lookup & inference for Semantic Data NGI0 Commons Fund 2024 2025 Knowledge mapping within a postgresql database smoltcp RPL NGI Assure 2022 2024 Implement Routing Protocol for Low-Power and Lossy networks SnabbWall 2017 SnabbWall is a layer-7 network flow detector and firewall application. Sniffnet NGI0 Commons Fund 2024 2025 User-friendly network monitoring application Snix-{Store/Build} NGI Zero Core 2023 Improve store and builder component of Snix SocketHUB 2014 A polyglot communication server for the decentralized internet SocksTrace NGI Zero Core 2024 2026 Ptrace based proxy leak detector SoCLinux NGI Zero Core 2024 Easier driver development for Py2HWSW framework Software Heritage NGI0 Discovery 2019 2022 Collect, preserve and share the source code of all software ever written Software Heritage listers + tooling NGI0 Entrust 2023 2025 Performance improvements and new listers/tooling for Software Heritage Software metadata NGI0 Entrust 2023 2025 Decentralized, federated metadata about software applications Software vulnerability discovery NGI0 Discovery 2019 2019 Automating discovery of software update and vulnerabilities Solar FemtoTX motherboard NGI0 Commons Fund 2025 Low-power motherboard that can run on solar power Solid Application Interoperability NGI0 Discovery 2021 2022 Solid Application Interoperability NGI0 Discovery 2021 2022 Solid Application Interoperability NGI0 Entrust 2022 Interoperable Data sharing flows and discovery for Solid Solid Application Interoperability NGI Zero Core 2024 Easy to deploy authorization for Solid Applications Solid Compound NGI0 Entrust 2023 A software library/framework to simplify designing for W3C Solid Solid Control NGI0 PET 2020 2022 Access Control mechanism for data and services within Solid Solid Data Modules NGI0 Entrust 2023 
2025 Improve data accessibility and prevent data corruption in Solid Pods SOLID Data Workers NGI0 PET 2019 2022 Toolkit to ingest data into SOLID Solid NC 2024 NGI Zero Core 2024 2025 Add more Solid capabilities to Nextcloud Solid Share NGI Mobifree Fund 2025 Digital Mobile Wallet for W3C Solid Solid Usable App Tools Project NGI0 Entrust 2022 Improve developer experience for W3C Solid Solid Wallet NGI Assure 2022 2024 Authorization reasoning, rule-based controls and fluid integration for Solid Solid-ActivityPub Interop NGI0 Commons Fund 2026 Bridge W3C Solid and ActivityPub Solid-NextCloud app NGI0 Discovery 2020 2022 Bridge Nextcloud to Solid Solid-Search NGI0 Discovery 2020 2022 Queries in a pod SolidOS NGI0 Commons Fund 2025 Data management tool and browser for Solid solidtime NGI0 Commons Fund 2025 Privacy-friendly time tracking for teams and individuals Sonar: a modular peer-to-peer search engine NGI0 Discovery 2019 2022 Modular peer-to-peer search engine Sortix os-test NGI0 Commons Fund 2025 POSIX test suite Source-based Nextcloud + Onlyoffice NGI Fediversity Fund 2024 Declarative packaging for Nextcloud and Onlyoffice on NixOS sourcehut NGI0 Discovery 2021 2022 Graph query support for software development platform Space grade Instrumentation Amplifier ASIC NGI0 Commons Fund 2026 Validate open toolchains with Open Hardware with high quality ASIC Space Tube NGI0 Entrust 2023 2024 Group-to-group instant messaging Spacylize NGI0 Commons Fund 2025 Use LLMs to train more efficient and reliable NLP models Spade NGI Zero Core 2024 Standalone Hardware Description Language SPEAR 2012 Secure Peer-to-peer Services Overlay Architecture Spectrum NGI0 PET 2019 2022 A security through compartmentalization based operating system Spectrum Applications NGI0 Entrust 2023 Add running graphical applications to the compartmentalized desktop OS Spectrum Spectrum: Virtualisation Platform NGI0 Commons Fund 2025 A secure OS with app isolation SpinalHDL, VexRiscv, SaxonSoc NGI0 PET 
2020 2022 Open Hardware System-on-Chip design framework based on SpinalHDL SpinalWaves & SpinalTrace NGI0 Commons Fund 2026 Typed waveform viewing and error source tracing for SpinalHDL Spritely NGI0 Discovery 2021 2022 Capability based petname system Spritely (and OCapN) NGI Assure 2022 2023 Enable secure P2P applications with Object Capabilities Spritely Oaken NGI Zero Core 2025 Secure 3rd party extensibility with capability-based Scheme Squishy NGI0 Entrust 2024 SCSI multi tool and gateware library SSH Stamp NGI0 Commons Fund 2025 Secure SSH-to-UART bridge for devices with a serial port. Stalwart Collaboration Server NGI Zero Core 2024 Integrated solution for email, calendaring and file management Stalwart Mail Server NGI0 Entrust 2022 2023 Robust full featured mail infrastructure in Rust Standard Cell Library NGI0 PET 2020 2022 Open Standard Cell Library with automated dimensioning of transistors Standardizing KEMTLS NGI Assure 2021 2023 Post-quantum TLS without handshake signatures Standards Grammar Catalog/Toolchain NGI Zero Core 2023 Open Standards Grammar Catalog/Toolchain Statime NGI Assure 2021 2022 Memory-safe high-precision clock synchronization Statime PTP Master NGI Assure 2022 2023 Statime - Zero-allocation cross-platform Precision Time Protocol Stencila v2 for ERA and EPP NGI Zero Core 2023 Add editable, runnable code to scientific publications Storing Efficiently Our Software Heritage NGI0 Discovery 2021 2022 Faster retrieval within Software Heritage Stract NGI0 Entrust 2023 2024 Explorative search engine Stratosphere IPS 2016 A behavioral-based free software Intrusion Prevention System. 
StreetComplete NGI0 Discovery 2019 2019 Fix open geodata with OpenStreetMap StreetComplete NGI0 Discovery 2021 2022 Collaborative editing in OpenStreetMap StreetComplete Multiplatform NGI0 Commons Fund 2025 OpenStreetMap editing beyond Android StreetComplete UX NGI0 Discovery 2021 2022 Improve usability of StreetComplete StreetComplete/AllThePlaces NGI0 Entrust 2023 2025 Ingest data from AllThePlaces into StreetComplete Strengthening NTP and NTS in ntpd-rs NGI0 Entrust 2023 Memory-safe implementation of IETF time standards including NTPv5 and NTS Structured Email for Roundcube NGI Zero Core 2023 Add schema.org metadata awareness to open source email Structuring the System Layer with Dataspaces NGI0 PET 2020 2022 Implementing a secure and scalable system layer on mobile Stubby Internet Hardening Fund 2017 2019 A local DNS Privacy stub resolver using DNS-over-TLS Subliminal Messaging NGI Assure 2022 2024 Embedded secure channels within traditional and internet telephony Suhosin-NG NGI0 PET 2019 2022 Harden PHP 7 and PHP 8 applications Supersizing the Gun NGI0 PET 2020 2022 Chipwhisperer open hardware for side channel analysis Support for 64-bit integer expressions in Kaitai Struct NGI0 Commons Fund 2025 Cross-language code generation for binary parsing Support for Microblogging and Social Feeds to Converse NGI0 Commons Fund 2025 Add social networking functionality to Converse Support for OpenPGP v6 in rPGP NGI Zero Core 2024 Implement draft-ietf-openpgp-crypto-refresh in rPGP Surfer Waveform Viewer NGI Zero Core 2024 Analyse signal levels in simulated circuits Sustainable web apps with m-ld NGI Assure 2022 2024 Empower users and developers with distributed interlinked data using local-first principles SWD Debug support in VexRiscv NGI0 Commons Fund 2026 Functional SWD debugging support for VexRiscv/VexiiRiscv SWH package manager Data Ingestion NGI0 Discovery 2021 2022 Add Package managers to Software Heritage Swirl 2014 Implementation of PPSPP proposed standard in 
Erlang Sylk chat NGI0 PET 2020 2022 Add instant messaging features to Sylk Sylk Client NGI0 PET 2019 2019 Secure multiparty videoconferencing application Sylk Contacts NGI0 Commons Fund 2025 Cross-protocol real-time communications client Sylk Mobile NGI0 PET 2020 2020 Secure real-time mobile communications SylkRTC 2015 SylkRTC synit-nixos NGI Zero Core 2024 Expand synit system layer and integrate in NixOS T-Rust - In Rust we Trust NGI0 Commons Fund 2025 Scan, review, curate and fix metadata of Rust crates TALER Bullion NGI TALER Fund 2024 Infrastructure for GNU Taler Payments with non-fiat Currencies Taler for local currencies. NGI0 Entrust 2022 2023 Free software banking backend for local currencies Taler in Liberapay NGI TALER Fund 2025 Implementation of Taler as payment provider in Liberapay TALER integration in flohmarkt NGI TALER Fund 2024 Secure payments for P2P classified ads federating with ActivityPub Taler Integration into F-Droid Ecosystem NGI TALER Fund 2025 Secure, Streamlined and Integrated Payment Processing for F-Droid Taler OpenAPI specification NGI TALER Fund 2025 JSON/YAML OpenAPI for key GNU Taler API's Taler plugin for Fastify NGI TALER Fund 2025 Add low-code zero-config Taler plugin for the Fastify web server framework Taler-Dolibarr Integration NGI TALER Fund 2025 Taler payment handling for Dolibarr ERP software Taler-Kivitendo Integration NGI TALER Fund 2025 Integrate Taler with the Kivitendo ERP platform Taler-Odoo Payment System NGI TALER Fund 2024 Integration module for TALER in Odoo TalerPHP NGI TALER Fund 2025 PHP SDK for GNU Taler REST API Integration Tantum Search NGI0 Discovery 2019 2022 Context-enhanced search driven by schema.org Tasteweb NGI0 Entrust 2023 Develop new web of trust mechanisms Tau NGI Zero Core 2023 Remote sharing of terminal sessions Tauri Apps NGI Assure 2021 2022 A safer run-time for web technology based apps TBD DSP toolkit NGI0 Commons Fund 2025 Open hardware audio processing module TCP-multipath 2011 Design 
and empirical evaluation of secure and efficient multipath communication Teamtype NGI Zero Core 2023 2024 Real-time co-editing of local text files Telecommunication in HF over Internet Protocol (IPoHF) User-operated Internet Fund 2021 High-throughput software-defined wireless telecommunications Tenzu NGI0 Commons Fund 2026 Lightweight project management tool for agile teams Termux NGI Mobifree Fund 2024 Android terminal app and software distro/run-time TerosHDL NGI Assure 2022 2024 Assisting hardware developers to deliver safer designs TerosHDL usability NGI0 Commons Fund 2025 Open source IDE for FPGA/ASIC development TerosHDL: OSS, GHDL, NVC NGI0 Entrust 2023 IDE with support for Open SYnthesis Suite and GHDL/NVC simulators Test Procedures for MOSFET SPICE Model Validation NGI0 Commons Fund 2024 Verilog-A compact models validation for Open PDK's TeXlyre NGI0 Commons Fund 2026 Local-first typesetting editor for LaTeX and Typst with real-time collaboration The Commons Conservancy Legal infrastructure for public benefit efforts The Libre-SOC Gigabit Router NGI Assure 2021 2024 Native Open Hardware chip implementation of crypto primitives The MacBook Liberation Project NGI0 Entrust 2024 Implement Coreboot support to various Apple devices The Open Green Web NGI0 Discovery 2019 2022 Ethical meta-search filter on green hosted websites The PeARS app NGI0 Discovery 2021 2022 Building low-resource Web search applications from cognitive models The search for ethical Apps NGI0 Discovery 2021 2022 Create custom, self-hostable app stores for Android(-like) OS-es The third mainport 2014 Digital Infrastructure in the Netherlands - The Third Mainport The Ultimate Bookkeeping System NGI0 Commons Fund 2025 Bookkeeping but in a portable, offline-first and privacy-friendly way ThinkQuest 2007 educational web contests Threadiverse Reproducible Deployment NGI Zero Core 2025 Reproducible deployment for Threadiverse servers Threat intelligence sharing NGI0 Entrust 2022 2024 
Privacy-Preserving Sharing of Threat Intelligence in Trusted Adversarial Environments Threshold OPRFs NGI0 Entrust 2023 Bringing the power of Threshold OPRFs to the people Thunderbird - native EteSync integration NGI0 PET 2019 2022 Add encrypted sync to Thunderbird Ties NGI0 Commons Fund 2025 Federated bookmark manager based on ActivityPub Tiliqua NGI0 Commons Fund 2025 Open audio DSP for FPGAs Timesheets 2013 Adaptive time-based application development Platform TimeWalker 2002 tools for visualising huge amounts of log data Timing Modeling and Integrated Verification in Naja NGI0 Commons Fund 2025 Timing aware netlist optimisation with Logic Equivalence Checking Timing-Driven Place-and-Route (TDPR) NGI0 PET 2020 2022 Open hardware tool to synthesize digital silicon circuits Tin Snipe DAQ NGI0 Commons Fund 2025 Digital Acquisition module TinkerFlow NGI0 Commons Fund 2026 Graph based editor for VR/XR process‑authoring TISG trustable image sensor gateware NGI0 Entrust 2023 FPGA based camera providing encrypted video streams Titanic NGI Zero Core 2025 Database server to synchronize vast collections of CRDT documents TLS-KDH Internet Hardening Fund 2017 2019 Combined Kerberos and Diffie-Hellman as an authentication mechanism for TLS TLS-KDH mbed NGI0 PET 2019 2022 Implement TLS-KDH into mbed Tooling to improve security and trust in GNU Guix NGI0 Discovery 2020 2022 Contextual software vulnerability discovery Topola NGI0 Entrust 2023 2025 Topological (rubberband) router for printed circuit boards Tor hidden services 2009 Protect publisher and users of the services against identification Tor low-bandwidth 2009 Tor for modem and mobile users Torch Lens Maker NGI0 Commons Fund 2025 Open-source optical systems engineering TOS;DR A user rights initiative to rate and label website terms & privacy policies TOS;DR OTA backend NGI0 Entrust 2022 2024 Integrate Terms of Service;Didn't Read with Open Terms Archive TouchUp NGI0 Commons Fund 2025 Enhance the GNOME Shell User 
Experience on Touch Devices Toward a Fully-Verified SCION Router NGI Zero Core 2024 2025 Formal verification of the reference open source SCION Router Toward a Fully-Verified SCION Router II NGI Zero Core 2024 2025 Align router code with formal verification tooling TPM 2.0 for HEADS NGI Assure 2022 2023 TPM 2.0 support for open source BIOS replacement firmware Tracing and rebuilding packages NGI Zero Core 2024 Improved metadata/provenance for build artifacts Tracking Exposed Increase transparency behind personalization algorithms Tracking the Trackers NGI0 PET 2019 2019 Automated scanning for spyware in mobile applications Tracking weasel NGI0 Entrust 2022 2024 Detect privacy violations in mobile apps TrailBase NGI0 Commons Fund 2026 Backend-as-a-Service for building networked applications TramaBOL NGI0 Commons Fund 2025 Optimising COBOL compiler and memory-safe runtime Transitioning SMM Ownership to Linuxboot NGI Zero Core 2024 2025 More robust defense Against Firmware Vulnerabilities Transparency Toolkit NGI0 Discovery 2019 2022 A decentralized hosted archiving service with search TrenchBoot - DRTM launch between coreboot and UEFI payload NGI0 Commons Fund 2025 Protect coreboot payload with dynamic Roots of Trust Trenchboot as Anti Evil Maid NGI0 Entrust 2023 2024 Integrate Trenchboot into Qubes OS as defense mechanism against physical compromise TrenchBoot as Anti Evil Maid - UEFI boot mode support NGI Zero Core 2024 2025 Add UEFI to the Qubes integration of Trenchboot with AEM TrenchBoot for AMD platform in Linux kernel NGI0 Entrust 2023 2025 Upstream TrenchBoot AMD support to the Linux kernel Trussed NGI0 PET 2022 Open hardware for encryption and authentication Trust and Safety providers for the Fediverse Open Social Fund 2024 Sharing moderation and compliance mechanisms between ActivityPub-based networks Trust semantic learning and monitoring NGI Assure 2022 2023 Measure on-going trust between interacting agents Trusted Boot Module 2018 An open hardware 
trusted boot manager TrustING NGI Assure 2021 2022 Ultrafast AS-level Public-Key Infrastructure Trustix NGI Assure 2021 2024 Make build logs available as publicly verifiable, tamper-proof Merkle trees TSCH-rs NGI Zero Core 2023 Time Slotted Channel Hopping implemented in Rust tslib NGI Zero Core 2024 Better configuration and calibration of touchscreen devices Turtle 2007 P2P infrastructure for safe sharing of sensitive data Tusky NGI Zero Core 2024 Android client for ActivityPub Tvix NGI Assure 2021 2024 Alternative Rust-based software build transparency TwinSite-2000 international web-competition for secondary schools TwPM NGI Assure 2022 2024 Open hardware implementation of Trusted Platform Module Type Inference for Nix NGI Assure 2023 2024 Adding static typing and type inference to Nix TypeCell NGI Assure 2021 2024 CRDT-based collaborative block-based editor Typed Nix NGI0 Commons Fund 2026 Static type system for Nix programming language. Typst PDF Accessibility NGI0 Commons Fund 2025 Increase a11y of Typst's output uberClock NGI Zero Core 2024 High precision open hardware clocks using multi-mode crystal oscillators UberDDR3 NGI0 Entrust 2023 Open Hardware DDR3 memory controller uberDDR4 NGI0 Commons Fund 2025 High-performance, standalone DDR4 memory controller. 
Uberflow 2015 An Open-Source OpenFlow Controller Implementing the North-Bound Interface uberWAVE NGI0 Commons Fund 2025 Full featured live interactive waveform viewer UEFI Capsule Update for coreboot with EDK II NGI0 Entrust 2023 2025 Implement more robust firmware updates in coreboot UEFI isolation in VM from non UEFI firmware NGI Assure 2022 2024 Safer booting into UEFI-compliant operating system UEFI Secure Boot support for NixOS NGI Assure 2021 2024 Add a self-sovereign root of trust as part of supply chain security uFork NGI0 Entrust 2023 2025 A memory-safe pure-actor virtual machine uFork/FPGA NGI Zero Core 2023 A memory-safe pure-actor processor soft-core ULX4M NGI0 PET 2021 2022 A modular open hardware FPGA platform uMap NGI0 Entrust 2023 2025 Collaborative custom mapping with OpenStreetMap data uMap Vector Tiles NGI0 Commons Fund 2024 Use vector tiles to build custom maps with OpenStreetMap data UmTRX 2013 UmTRX, cheaper mobile communication Unexpected Keyboard Autocomplete/Correct NGI Mobifree Fund 2025 Input correction for popular alternative Android keyboard Unhosted 2012 Unhosted, separating data servers from application servers Unhosted 2015 The Unhosted project enables separation of storage and applications UnifiedPush NGI Zero Core 2024 2025 Decentralized and open-source push notification protocol UnifiedPush NGI Zero Core 2024 Decentralized push notification protocol with libre implementations Universal DID Resolver and Registrar NGI0 PET 2019 2019 Tooling for decentralized identifiers Universal EInk Solutions NGI0 Commons Fund 2025 Consistent API for e-paper Universal Sensor Libraries NGI0 Commons Fund 2025 Shared libraries for different types of sensors Updating Solid test harnesses for Linked Web Storage NGI0 Commons Fund 2026 Add W3C Linked Web Storage Specification to Solid test suite Upstreaming Sailfish OS ConnMan improvements NGI0 Commons Fund 2026 Consolidation of improvements to ConnMan connection manager URL Frontier NGI0 Discovery 2020 
2020 Develop an API between web crawler and frontier URL Frontier 2.0 NGI0 Discovery 2021 2022 Enterprise features for URLFrontier Usability of Linux firewall userspace tools NGI0 PET 2019 2022 Userspace tooling for Linux kernel Netfilter USB 3 PHY implementation on GateMate FPGAs NGI0 Commons Fund 2025 USB 3 PHY implementation with Cologne Chip GateMate FPGA Transceiver VACASK NGI0 Commons Fund 2026 High-performance Analog Simulation ValOS Cryptographic Content Security project NGI0 PET 2019 2022 Cryptographic Content Security for ValOS variation graph (vgteam) NGI0 Discovery 2019 2022 Privacy enhanced search within e.g. genome data sets VDD project virtual operating system instances on arbitrary terminals vdirsyncer/pimsync NGI0 Entrust 2022 2025 Synchronise calendars and contacts Vector based similarity search index for QLever database NGI0 Commons Fund 2026 Improved search for scalable open-source graph database VeriBench NGI0 Commons Fund 2026 Verilog-AMS Testbench Framework for Open EDA Verification Verified Credentials with zero-knowledge SPARQL queries NGI0 Commons Fund 2026 Enabling derived W3C Verifiable Credentials with Zero Knowledge Proof (ZKP) Verified Differential Privacy for Julia NGI0 PET 2020 2022 Proving sound privacy guarantees through a type system Verified Reowolf NGI Assure 2021 2024 Formal protocol verification with Reowolf Verifpal NGI0 PET 2019 2019 Prove soundness of verification in Verifpal Verifying and documenting live-bootstrap NGI Zero Core 2024 A reproducible, automatic, complete end-to-end bootstrap Verilog-A distiller NGI0 Commons Fund 2024 Automated porting of models from C to Verilog-A Verilog-AMS in Gnucap NGI0 Entrust 2022 2024 Mixed-signal modelling and simulation with Verilog-AMS Verilog-AMS in Gnucap NGI0 Commons Fund 2025 Improve performance and Verilog-AMS coverage in Gnucap Verilog-AMS in Gnucap (cont'd) NGI0 Entrust 2023 2025 Analog/Mixed modelling and simulation in Gnucap VersatAI NGI Zero Core 2024 Automation of ML/AI 
algorithm support in computational accelerators VersaTiles NGI0 Commons Fund 2024 Simplify vector map tile creation, hosting, and interaction Verso Views NGI Zero Core 2024 A Functional Browser Based on Servo VexiiRiscv NGI Zero Core 2024 Next generation of the VexRiscv in-order FPGA softcore VFRAME: Visual Defense Tools NGI0 PET 2019 2022 Use computer-vision to shield privacy in video video box NGI0 PET 2019 2022 Affordable open hardware video-to-network Video chat privacy NGI0 PET 2019 2022 Add privacy features to video chats ViewerJS 2014 A multiformat document viewer for embedding, combining WebODF.js and PDF.js VirtNet 2007 network stack virtualization for FreeBSD Virtualizing device firmware NGI0 PET 2019 2022 Creating digital twins for auditing and testing appliances VirtuAndroid NGI Mobifree Fund 2025 Application-layer virtualization for Android apps Vita Internet Hardening Fund 2017 2019 A fast IPSEC-based VPN gateway Vita NGI0 PET 2019 2019 A high performance IPSEC implementation Vivliostyle NGI0 Commons Fund 2025 Typesetting system leveraging web technologies vm-builder NGI Zero Core 2023 2025 Virtual Machine Build, Life Cycle and Integration in monolithic and microkernel platforms Vouivre NGI Zero Core 2023 A dependent type system for machine learning in Lisp VoWiFi Watchdog NGI Mobifree Fund 2025 Identify blocks and misconfigurations for VoWiFi VPN Vulnerability Testing Suite VPN Fund 2025 2026 Test VPN implementations for network based attacks Vula NGI Assure 2022 2023 Encrypted ad hoc local-area networking Waasabi Framework NGI0 PET 2020 2022 P2P Live Streaming for events Waterfall NGI0 Commons Fund 2025 Agile framework for the development and deployment of watermarking schemes Wax NGI Zero Core 2023 2025 Add ODF, legacy office and PDF capabilities to Wax Wayland input method support NGI Zero Core 2024 Better specification for Wayland input methods Waytale NGI0 Commons Fund 2025 Spatially organized interactive 2D social space wcoord 
(wireless-coordination) NGI0 Commons Fund 2025 Easy configuration of wireless networks WeasyPrint NGI Zero Core 2025 Print rendering engine for HTML and CSS Web Annotation NGI0 Discovery 2019 2022 Building blocks for interoperable annotation systems Web on Managarm: Usability, Stability, Security NGI0 Commons Fund 2026 Microkernel-based OS with consistent asynchronous I/O Web Shell NGI0 PET 2019 2022 Desktop and security environment for web apps Weblate Android SDK NGI Mobifree Fund 2025 Live localisation updates for Android apps WebODF 2011 ODF editor in the browser WebODF-Dissem 2012 WebODF Dissemination Webview library with Verso for Tauri NGI Zero Core 2024 2025 Refactor parts of Verso into a WebView library Webxdc evolve NGI Zero Core 2024 Comparative analysis of HTML5 app containers webxdc PUSH NGI0 Entrust 2023 2025 Towards a usable, interoperable and trustworthy web app ecosystem WebXDC XMPP NGI0 Entrust 2024 Standardisation effort for WebXDC integration in XMPP WebXray Discovery NGI0 Discovery 2019 2022 Expose tracking mechanism in search hubs WgMath NGI Zero Core 2024 Open GPU scientific computing for every platform Whippet NGI Zero Core 2023 2025 A new local maximum in safe, managed memory Whisperfish NGI0 Entrust 2023 Cross-platform mobile client for Signal and derivatives Wikirate Frameworks NGI0 Commons Fund 2025 2026 Open corporate data in Wikirate through the lens of standards WikiRate Insights NGI0 Discovery 2020 2022 Transforming WikiRate ESG Platform User Experience to Maximise Reliable Data Insights WikiRate Insights 2 NGI0 Discovery 2021 2022 Dedicated text search architecture for environmental, social and corporate governance platform WikiRate: More Sites, More Cites NGI Assure 2022 2023 Persistent citation for Dekko-based open source data collections Wiktionary QA tools NGI0 Commons Fund 2025 QA tools to improve the quality, reliability, and consistency of Wiktionary Willow Sync NGI Zero Core 2023 2025 General Sync Protocol for Willow 
written in Rust Winden/Magic Wormhole dilation NGI Assure 2022 2024 Improving Magic-Wormhole by implementing dilation and multiple file support for the web WireGuard NGI0 PET 2020 2020 Scale up WireGuard WireGuard Internet Hardening Fund 2017 2019 A fast and modern VPN that utilizes state-of-the-art cryptography Wireguard NGI0 PET 2019 2022 Take modern network tunnels to the next level WireGuard as a MirageOS unikernel NGI0 Commons Fund 2025 Implement WireGuard in OCaml and run as unikernel WireGuard on FPGA NGI0 Entrust 2023 FPGA implementation of Wireguard protocol written in SpinalHDL Wireguard Rust Implementation NGI0 PET 2019 2019 Implementation of WireGuard in a type safe language Wireguard Windows client NGI0 PET 2019 2022 Native Wireguard protocol client for Windows Wireguard-1GE FPGA NGI0 Entrust 2023 2025 Implement Wireguard in Verilog Wishbone Streaming NGI0 PET 2019 2022 Add Streaming capabilities to Wishbone Wisper 2007 long distance wifi internet infrastructure Wispwot NGI Assure 2022 2024 Implement generalized scalable protection against disruptive behavior in content discovery Wobble Web NGI Zero Core 2024 Hybrid graphics editor and coding environment Wolvic NGI0 Entrust 2022 2024 Web browser designed for use in XR devices Wolvic User Interface NGI0 Entrust 2024 Flexible windows, tabs, zooming and web rendering in Wolvic WordPress ActivityPub NGI0 Discovery 2021 2022 Bring ActivityPub social networking to the widely used Wordpress Wormhole 2012 Project Wormhole WPA3 support for OpenBSD 802.11 wireless NGI0 Commons Fund 2025 Wi-Fi Protected Access 3 for OpenBSD WPE Android NGI Zero Core 2023 2024 Embedded-friendly Webview based on WebKit WPIA CA Infrastructure Internet Hardening Fund 2017 2019 Deployment infrastructure for certificate authorities WPT automatic testing for platform accessibility mappings NGI Zero Core 2024 Improve testing of platform a11y support in Web Platform Tests Wsdr NGI0 Commons Fund 2025 Cloud-based Cellular Network in a 
Browser WWW SCION NGI0 Entrust 2024 2026 Path-aware web server/proxy deployment and browsing x86-64 VM Monitor for seL4 verified microkernel NGI0 PET 2020 2022 Very restricted virtualized environment for higher security xBSD porting and packaging NGI TALER Fund 2025 Porting and packaging of Taler components for xBSD systems XMPP Interoperability + Conformance Testing NGI Zero Core 2023 2025 Development of an XMPP Test Suite XMPP-ActivityPub gateway NGI0 Discovery 2020 2022 XMPP, ActivityPub and E2EE Pubsub xqerl NGI0 Discovery 2021 2022 Performant (Erlang) implementation of W3C XQuery and XML database XR Fragments NGI0 Entrust 2022 Discover, reference, navigate and query 3D online content XR Fragments Teamware NGI0 Commons Fund 2025 Design, deploy, federate and integrate portable XR experiences xrsh NGI0 Entrust 2023 Interactive text/OS terminal inside WebXR XSSer 2011 Cross Site Scripting testing XWiki NGI0 Discovery 2019 2022 Bring wiki capabilities into the Fediverse XWiki ActivityPub NGI0 Discovery 2020 2022 First class ActivityPub support in XWiki YaCy Grid SaaS NGI0 Discovery 2019 2022 Yama Analytics NGI0 Commons Fund 2024 Privacy-friendly analytics microservice using server logs Yanartas NGI0 Commons Fund 2026 Libre inertial hardware security module YAWS - Yet Another Web Server NGI Zero Core 2024 Sans IO web server written in Rust Yrs NGI Assure 2021 2021 Collaborative editing with CRDT written in Rust Yrs persistent documents NGI0 Commons Fund 2025 Yrs/Yjs compatible layer for persistent key-value stores Yrs Undo NGI Assure 2022 2024 Rust-based CRDT framework for real-time multi-user applications Yrs weak links NGI0 Entrust 2023 2026 More efficient CRDT by interconnecting and synchronising data structures inside documents YunoHost and the Internet Cube NGI0 PET 2019 2022 Solutions for DIY-ISP's and self-hosters YunoHost Packaging + Declarative Settings NGI0 Commons Fund 2026 Frugal and ergonomic selfhosting Zero-allocation web servers in roc NGI Zero Core 
2023 Web server framework with constant memory usage Zerocat Chipflasher Flashrom Interface NGI0 PET 2019 2022 Hardware to flash alternative/libre firmware to BIOS chips ZeroPhone Next NGI Zero Core 2024 Hackable open hardware mobile phone ZetaOffice NGI0 Discovery 2020 2022 Encrypted collaborative editing in the browser Zilch NGI Zero Core 2023 Tools for efficient granular builds and introspection ZIP file format description Binary Analysis Fund 2022 2023 Documenting the ZIP file format for reverse engineers and developers Zip linting and bzip2 in Rust NGI Zero Core 2024 More secure handling of popular archive formats Zosimos NGI0 Commons Fund 2025 GPU accelerated image buffer and compute system Zrythm NGI0 Commons Fund 2026 Libre digital audio workstation ZSipOs NGI0 PET 2019 2019 Open hardware for telephony encryption ZSWatch NGI0 Commons Fund 2025 Open smartwatch including software, hardware, and mechanics Σ-protocols NGI0 Entrust 2023 2025 Formalise and implement zero-knowledge proof Σ-protocol "},{"description":" imap-codec library Release version 1.0 of the imap-codec library With an expected volume of 333 billion messages per day in 2022, email is one of today's most common methods to exchange information on the Internet. For better or worse, email is unlikely to go away soon, meaning that even the latest software needs to support it in a trustworthy and resilient way. imap-codec is a misuse-resistant IMAP parsing and serialization library focusing on correctness and security. It should pave the way for a new generation of email clients, servers, and utilities written in Rust and become a reusable building block for the Next Generation Internet. To achieve that, it is essential to stabilize the API, improve testing, provide excellent documentation, and establish a welcoming and sustainable open-source environment for imap-codec. 
The project's own website: https://github.com/duesee/imap-codec This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. ","title":"imap-codec library","url":"https://nlnet.nl/project/imap-codec/"},{"title":"IIDS","url":"https://nlnet.nl/project/iids/","description":" IIDS Interactive Intelligent Distributed Systems The IIDS research group at the Technical University of Delft (TUDelft) initially started as an NLnet initiative in 2000 at the Vrije Universiteit Amsterdam. The group's research focuses on management of large-scale interactive distributed systems, in particular on mobile agent systems. Self-management is the ultimate goal. The AgentScape framework, services, applications, and analyses of legal implications of the use of agent systems, are all factors to increase the potential of this new technology. The project's own website: http://www.iids.org Publications in Journals and on conferences. "},{"url":"https://nlnet.nl/project/iids/how.html","title":"IIDS","description":" IIDS Interactive Intelligent Distributed Systems "},{"description":" IIDS Interactive Intelligent Distributed Systems The IIDS group's research focuses on management of large-scale interactive distributed systems. Management of large-scale distributed \"open\" systems is a challenge, especially if autonomous processes are part of the model. In closed systems, with their own sets of rules and obligations, some form of central control may be possible. In open systems this is not the case. Trust and security clearly play an important role inhibiting centralized management. Local management becomes increasingly more important. Self-management is the next step: self-configuration, self-healing, self-optimization, and self-protection of autonomous systems. 
Together they make it possible for large-scale systems to fend for themselves. A good understanding of configuration and reconfiguration processes is mandatory for the first two aspects. Agents are examples of processes that may roam the Internet. They are autonomous, can communicate with each other and interact with services and objects. As a result they may, for example, negotiate contracts, perform transactions, but also decide to spawn off new agents to perform specific tasks. This clearly does not decrease the complexity of managing large-scale distributed open systems on the Internet: it emphasises the need for new technology. New types of directory services, for example, are needed. Which technology should be used to design these services, is, however, unclear. The research programme of IIDS focuses on the implications of the use of mobile processes, of agents in particular: the technology needed to develop and manage large scale agent systems. Scalability, reliability, security, and heterogeneity of such systems are aspects that need to be considered if the Internet is ever to be used to its full potential. Middleware, services and applications are the main parts of this programme. Middleware, together with services, provides the support. Self-management of the middleware is a next step in this line of research. Applications provide insight into requirements and provide the means with which to evaluate the results. The focus of the research continues to be (1) on the middleware AgentScape Operating System (AOS) and the related services, in particular configuration services, and (2) on the legal implications of the use of agent systems. The Java version of the AgentScape middleware will provide a more stable basis for application development and support. 
","url":"https://nlnet.nl/project/iids/description.html","title":"IIDS"},{"title":"iTowns","url":"https://nlnet.nl/project/iTowns/","description":" iTowns Visualise 2D and 3D geospatial data on virtual globes & maps iTowns is an open-source framework designed for web-based visualisation, navigation and interaction with 2D and 3D geospatial data on globes and maps. Built on Open Geospatial Consortium (OGC) open standards, it is developed with data and service interoperability in mind. It seamlessly integrates with geographical services, offering support of standard raster and vector data, including aerial imagery and terrain models. The framework supports large, heterogeneous 3D datasets such as OGC's 3D Tiles, making it ideal for building applications for urban-planning and environmental monitoring. It can be easily extended to support other open formats, offering a highly customizable platform for developers. iTowns is a geographic commons, developed collectively by a diverse community of contributors, comprising independent developers, public organizations, research laboratories and private companies. It aims to provide a European alternative to Big Tech products which often overlook a broad class of users. Instead, iTowns offers a modular framework to build a wide range of use cases, including visualisation, GIS, environmental and educational applications, making it versatile and adaptable for different geospatial projects. The project's own website: http://www.itowns-project.org Run by IGN This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). 
"},{"title":"HWIOS","url":"https://nlnet.nl/project/hwios/","description":" HWIOS Hybrid Web In OpenSim (HWIOS) The HWIOS project (Hybrid Web In OpenSim) is meant to create an accessible interface to the popular and most developed virtual world platform called OpenSimulator. One of the main problems of OpenSimulator is that it's too technical for people who want to perform basic operations within this virtual world platform. Compared to the existing or being developed tools like wiredux, gridmix, unga, the HWIOS tool has decentralized service management through osservices (sideproject of hwios), it's page-refresh-less (preparation for gwave kind functionality), it's very liberally licensed (bsd license), it has tms map support through osmaps (sideproject of hwios), and it's well structured. The hybrid web interface communicates directly with the OpenSimulator server, and is thus able to hide most of the complexity of admin tasks, and therefore makes most admin tasks easier for less technically oriented users. Besides administrative tasks like user-, service- and land-management, HWIOS is meant to become a general-use next-gen webportal with virtual world support. The whole web application doesn't use page refreshing (html over json transport), and is strongly focussed on supporting html5 features, like collaborative text editing through web sockets. It is not concerned about backwards compatibility with older browsers, but will only support the most current html5 featured browsers (chromium and shortly Firefox). It's built on top of tools like Python, Django, Twisted and JQuery. This project is being co-financed by SurfNet. 
The project's own website: http://forge.opensimulator.org/gf/project/hwios/ "},{"url":"https://nlnet.nl/project/https-obs/","title":"HTTPS-Obs","description":" HTTPS-Obs HTTPS Observatory The project collects an Internet-wide dataset of all publicly visible TLS CA certificates in order to search for CA-certified Man In The Middle (MITM) attacks against HTTPS privacy and measure the extent to which browsers really need to trust 60-200 CAs completely. Extended datasets measuring from multiple source networks (via Tor) and using SNI will also be collected. In collaboration with volunteers from security consulting firm iSEC Partners, EFF intends to write a program that accesses every Web server on the public IPv4 Internet running HTTPS on port 443. We will create a complete dataset of the certificates each server offers to visitors. Then we will analyze the data, comparing: Who is the Certificate Authority? For which domains is the certificate valid? Where is the machine issuing the certificate located? Who operates that network? With these data it will be possible to answer the following questions: How many CA services are used by publicly accessible sites? Which ones are rarely used? Can one find evidence of specific MITM attacks in the form of publicly visible attack servers (that victims in the wild would have been redirected to via DNS or other mechanisms) or in the form of network-layer attacks detected against our own survey machines? Concrete evidence would be useful for motivating browser developers to adopt more secure trust models. How many domains intentionally use more than one apparently legitimate, apparently valid certificate at the same time? (This impacts on the design of enhancements to the TLS trust model) How many sites in the wild show different valid certificates to users who come from different parts of the Internet? How many CAs are used primarily or exclusively in particular countries or DNS domains? 
By Electronic Frontier Foundation "},{"url":"https://nlnet.nl/project/happyDomain/","title":"happyDomain","description":" happyDomain Simplify DNS zone management happyDomain is an interface designed to make domain name management more accessible, intuitive, and efficient. By consolidating domain names from multiple providers and abstracting technical complexities that often lead to common mistakes, happyDomain empowers operational teams to handle their domain needs effortlessly, saving time and reducing friction. Its modern interface offers essential features such as history tracking, one-click rollbacks, logical groupings for services, and a REST API for automation. Built with carefully selected technologies, happyDomain provides a fast and lightweight experience, suitable for both large-scale infrastructures and personal use. Our mission is to help individuals and organizations regain independence on the Internet by simplifying domain management and fostering confidence. Whether for system administrators, agencies, freelancers, or privacy-conscious users, happyDomain transforms domain management into an accessible and seamless task for all. The project's own website: https://happydomain.org This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"title":"Hackathons and sprints","url":"https://nlnet.nl/project/hackathons/","description":" Hackathons and sprints contributions to various hackathons and sprints Sprints and hackathons are meetings that bring together developers and other interested people to work on a project side by side. Especially for distributed or virtual teams that are used to working asynchronously, this temporary change of pace combined with being locked up in a room together, can be very productive. 
In a few days of intense, dedicated in-person interaction, sprints and hackathons may boost a project in terms of new features, resolving long standing technical debt, trying out new ideas as well as help to improve group cohesion. 2007-03-17: Decibel Hackathon. details 2007-02-11: First European Perl Hackathon details 2006-09: Various Debian BSP Marathons (BSP = bug squashing party) details 2006-08-03: OpenDocument Day at Akedemy. details 2006-06-14: The OpenBGPD and OpenOSPFD mini hackathon of OpenBSD. details 2006-05-26: KDE MultiMedia Meeting. details 2006-01-13: Developing a new release of OpenSync. details 2005-05-27: KDEPIM meeting, bringing together developers of KDE's Kontact applications. details 2003-05-10: Yearly OpenBSD and OpenSSH developers meeting. details "},{"description":" Hackathons and sprints contributions to various hackathons and sprints ","title":"Hackathons and sprints","url":"https://nlnet.nl/project/hackathons/how.html"},{"title":"Hackathons and sprints","url":"https://nlnet.nl/project/hackathons/description.html","description":" Hackathons and sprints contributions to various hackathons and sprints 2007 Decibel Hackathon [17-18 March 2007 in Darmstadt, Germany] This hackathon is part of project Decibel, which is sponsored by NLnet. Read the minutes of the meeting. 2007 First European Perl Hackathon [2-4 March 2007 in Arnhem, The Netherlands] NLnet contributed to the organization of this hackathon, with special focus on the advancement and spreading of new network technologies; in this case the Parrot and CPAN6 projects. NLnet sponsored this event with €400. 2006 Debian BSPs NLnet sponsors a number of Debian developer meetings which form part of a BSP Marathon (BSP = bug squashing party), to support the upcoming \"Etch\" release of the Debian GNU/Linux distribution and to improve its quality. These activities contribute to an important NLnet goal: spreading new network technology. 
For instance, Debian's next release contains major upgrades to the network tools. In addition, most parts of Debian will be made IPv6-compatible, e.g. the next stable release will contain iptables which support stateful IPv6-rules (which for lots of people is important for their firewalls to support IPv6 there). NLnet contributed to: 8-11 September 2006, Vienna Austria: €825. The 16 participants were able to fix many bugs, with work on iproute2, wireshark, zeroconf, and xulrunner (Mozilla). 15-17 September 2006, Jülich Germany: €430. The 20 participants worked (amongst other things) on improved security, as can be read in the brief report. 29 Sept - 1 Oct 2006, Utrecht Netherlands; €960. About 15 people worked on various issues related to Debian's upcoming release named Etch. Read the short report. 2006 OpenDocument Day at aKademy [September 26, 2006] OpenDocument Day at aKademy offers software developers interested in ODF an opportunity to exchange ideas, build relations and collaborate in an informal setting. NLnet sponsors this event to a maximum of €5,000. See the announcement and report. 2006 OpenBGPD and OpenOSPFD mini Hackathon [June 14 till 18, 2006] This mini Hackathon will concentrate on better routing support in OpenBSD. NLnet sponsored this event with €5,000. See the Announcement and report. 2006 KDE MultiMedia Meeting [May 26 till 28, 2006] An international KDE developer meeting about multimedia. Its focus is to make the pervasive role of multimedia easier to manage for users and developers. NLnet sponsored the travel expenses of the participants with €6000. See the announcement, the final report (PDF), and the blogs about the event. 2006 OpenSync [January 13 till 15, 2006] OpenSync is a cross platform and desktop agnostic syncing solution for mobile devices and desktops. OpenSync uses plugins for syncing different kinds of devices, which can be easily plugged into the framework. Website of OpenSync. See the final report. 
2005 KDEPIM-NL [May 27 till 29, 2005] The KDE desktop is the graphical user interface plus a large set of commonly needed applications, one of which is the Personal Information Manager (PIM) named Kontact: the agenda and e-mail application of KDE. This KDEPIM meeting 2005 brought together developers of the Kontact applications. NLnet sponsored this event with a donation of €2,000. See the sponsor request and final report. 2003 OpenBSD Hackathon [May 10 till 18, 2003] Yearly OpenBSD and OpenSSH developers meeting. The event took place in Calgary Canada, from May 10 till May 18, 2003. NLnet sponsored this event with a donation of €10,000. See the sponsor request and final report. "},{"description":" GUN P2P Encryption A realtime, decentralized, offline-first, graph database engine Gun is a realtime, decentralized, offline-first, graph database engine. GUN works peer-to-peer by design, meaning you have no centralized database server to maintain or that could crash. It allows building decentralized, federated, or centralized apps. The SEA (Security, Encryption, Authorization) framework allows using the latest native Web Crypto API for cryptographic functions like ECDSA, PBKDF2, AES, and more. With GUN developers can build fully decentralized end-to-end encrypted applications, using a \"web of trust\" mechanism. The project's own website: https://gun.eco This project was funded through the Internet Hardening Fund, a fund established by NLnet with financial support from the Netherlands Ministry of Economic Affairs and Climate Policy. ","url":"https://nlnet.nl/project/gun/","title":"GUN P2P Encryption"},{"url":"https://nlnet.nl/project/gsm-sec/","title":"GSM-Sec","description":" GSM-Sec GSM Security Project, debugging GSM transactions The popular GSM cell phone standard uses outdated security and provides much less protection than its increasing use in security applications suggests. 
This project aims to correct the disconnection between technical facts and security perception by creating a GSM tool that allows users to record and analyze GSM data. This project complements several other current open research projects into GSM technology. These projects --including OpenBTS, OpenBSC, and OsmoconBB-- create open re-implementations of network equipment and hand sets to make the technology more accessible and open. It builds on these insights and shows the security limits of the technology. The feedback loop, however, goes both ways: the record and decode tool, for example, will allow the OpenBTS base station to operate on multiple frequencies thereby supporting more concurrent phone calls. The target audiences of the tools are security and radio researchers. By Security Research Labs. "},{"title":"GPLv3","url":"https://nlnet.nl/project/gpl3/","description":" GPLv3 GNU Public Licence v3 Development and Publicity Project The creation of GPL version 3 brought together thousands of organizations, software developers, and software users from around the globe, in an effort to update the world's most popular Free Software license. The GPLv3 was one of the largest participatory comments and adoption efforts ever undertaken. On June 29th 2007, the GPL and LGPL version 3 documents were released in their final version. AGPLv3 was launched on November 19th 2007. The project's own website: https://gplv3.fsf.org "},{"description":" GPLv3 GNU Public Licence v3 Development and Publicity Project Stichting NLnet sponsors this effort with 150,000€ NLnet also contributes to the Free Software Foundation (FSF) and Free Software Foundation Europe (FSF Europe). 2007-09-14: Progress report: GNU AGPLv3, GNU FDLv2, and GNU SFDL are still underway, Microsoft challenges GPLv3, and video tutorials planned. more > > 2007-07-20: Progress report: GPLv3 and LGPLv3 are released. more > > 2007-03-28: GPL version 3 draft 3 released. more > > 2006-07-27: GPL version 3 draft 2 released. 
more > > 2006-01-16: GPL version 3 draft 1 available: the first discussion draft. This release was accompanied by the first GPLv3 conference, discussing the licence changes. (Transcript of the opening session) more > > 2005-11-30: Process definition released: first discussion draft will arrive in January 2006. .pdf (60 kB) 2005-09-22: Interview with Richard Stallman in O'Reilly's OnLamp magazine, discussing GPL and especially GPL3 development. 2005-09-06: Press release, project kick-off. more > > ","title":"GPLv3","url":"https://nlnet.nl/project/gpl3/how.html"},{"description":" GPLv3 GNU Public Licence v3 Development and Publicity Project GPL version 3 Written by Richard M. Stallman, the founder of the GNU Project and Free Software Foundation, the GNU General Public License (\"the GPL\") is the Constitution and central license of the Free Software movement, securing users' rights to freely study, copy, modify, reuse, share and redistribute software. The GPL builds upon the ethical and scientific principle of free, open and collaborative improvement of human knowledge, which was central to the rapid evolution of areas like mathematics, physics, or biology, and adapts it to the area of information technology. By now, the GPL is employed by tens of thousands of software projects, companies and governments around the world, and is supported by large communities of software developers and users who wish to share their work for the benefit of all. The GNU system, the Linux kernel, Samba, MySQL, and many thousands of other GPL'd programs, offer high technological quality as well as political and economic independence and sustainability. GPL'd software runs on or is embedded in devices ranging from cellphones, PDAs and home networking appliances to mainframes and supercomputing clusters. Independent software developers around the world, as well as every large corporate IT buyer and seller, and a surprisingly large proportion of individual users, interact with the GPL. 
The current version of the license, which was written in 1991 and is now 14 years old, has become central to the activities and operation of a large part of all companies and governments and is now in need of review. The development of version 3 of this licence will bring together thousands of organizations, software developers, and software users from around the globe during 2006, in an effort to update the world's most popular Free Software license. The GPLv3 promises to be one of the largest participatory comments and adoption efforts ever undertaken. The global process will be overseen by the Free Software Foundation with support from its legal counsel the Software Freedom Law Center (SFLC). Free Software Foundation Europe will be coordinating the European activities closely with both organizations and contributing to the global communication effort. ","title":"GPLv3","url":"https://nlnet.nl/project/gpl3/description.html"},{"description":" GoogleSharing GoogleSharing anonymizing proxy GoogleSharing is a special kind of anonymizing proxy service, designed for a very specific threat. It ultimately aims to provide a level of anonymity that will prevent google from tracking your searches, movements, and what websites you visit. GoogleSharing is not a full proxy service designed to anonymize all your traffic, but rather something designed exclusively for your communication with Google. The system is totally transparent, with no special \"alternative\" websites to visit. Your normal work flow should be exactly the same. GoogleSharing is different from general anonymizing proxies: Most will mask your IP address, but not the identifying information in your HTTP headers. Google will still know who you are based on your Cookies, User Agent, etc. If the proxy does attempt to anonymize HTTP headers, they will do it by completely stripping cookies from your request. 
Google does not like this, and will tag you as a SPAM bot (how convenient for them), which will force you to type in a CAPTCHA every time you issue a Google search, and will prevent you from issuing Maps requests at all. These types of proxies can be slow. It's not necessary to proxy all of your internet traffic if you're just trying to protect yourself from Google. Since GoogleSharing only proxies Google traffic, our bandwidth needs are much lower and thus our performance is much greater. GoogleSharing is different from Google replacements: GoogleSharing does not require that users change their workflow by visiting different websites. GoogleSharing supports all Google services which don't require a login, so it does more than just anonymize search. As Google continues to expand its grasp of the internet, GoogleSharing will automatically expand with it, automatically anonymizing whatever new services emerge in a fully transparent way. GoogleSharing has the potential to be fully distributed. As we make the move towards distributing requests across multiple configured servers, this is a definite step in the direction of P2P. The project's own website: http://www.googlesharing.net ","title":"GoogleSharing","url":"https://nlnet.nl/project/googlesharing/"},{"description":" GO-FOSS Teach employees in SMEs and NGOs the benefits of FOSS The main goal of this project is to develop a group of skilled professionals on FOSS within the community of SMEs (Small and Medium Enterprises) and NGOs (large Non Governmental Organizations). The project's own website: http://www.ossmovement.org It is well realized by the OSS Movement, that the community needs available skilled people to embrace FOSS confidently so that they are able to get professional support as and when needed. Training courses greatly improve the personal motivation and articulation skills. It is a systematic process of awareness and capacity building. 
Under the GO-FOSS project, the OSS Movement will offer free training on FOSS to IT professionals of SMEs and NGOs. This training program will enable the participants to design stable, secured and reliable FOSS based Information Technology solutions in their infrastructure as well as developing a migration plan of their existing IT infrastructure to a FOSS based solution. The participants will then be able to replicate their knowledge and expertise across the community. The OSS Movement will also conduct a FOSS Support Center called \"FOSS-Clinic\" during the training period under the GO-FOSS project. This support center will offer free support amongst the FOSS users, allowing the users to meet the FOSS experts face to face for the solutions to meet their specific needs. This support center will also remain open for the non-FOSS users to find out the solutions on FOSS for their deployments and show them how FOSS can meet their particular needs better than closed source counterparts, more reliably and efficiently, with maximum security. The vision of this initiative is to promote the empowerment of the people through appropriate FOSS interventions. ","title":"GO-FOSS","url":"https://nlnet.nl/project/go-foss/"},{"title":"GNUnet","url":"https://nlnet.nl/project/gnunet/","description":" GNUnet implementation and evaluation of an improved routing algorithm for GNUnet GNUnet is GNU's framework for secure peer-to-peer networking. The framework is designed to support a range of applications. The primary application at this point is anonymous and censorship-resistant file-sharing. The main thrust of the proposed research is the design, implementation, deployment and evaluation of a secure, fully decentralized P2P routing protocol. Centralization increases operational costs, creating prominent targets for attacks and single points of failure as well as raising privacy concerns. The resulting network must be open, allowing new peers to join at any time. 
Adversaries are assumed to participate in the network, and the protocols must gracefully degrade in the presence of adversaries. Graceful degradation means that adversaries may only reduce the efficiency of network operations, and that this reduction in efficiency should be at most proportional to the resources available to the adversary. Our quest for practical protocols also implies that the design must handle real-world constraints. In particular, we want to handle connectivity issues that arise on the Internet (for example, due to firewalls). We use the term restricted-route networks to describe networks with restrictions limiting direct communications between participants. The proposed protocol also addresses the possibility of peers leaving the overlay network abruptly, joining and leaving the network frequently, and the fact that the amount of resources available to peers can differ by a few orders of magnitude. Our goal is to come up with adaptive protocols which adjust resource allocation based on automatically obtained network performance metrics that characterize the behavior of faulty or malicious nodes. Specifically, if an alternative path without faulty nodes exists, it must be possible for the routing algorithm to eventually discover it. The routing protocol must also be able to address disproportional consumption of resources. In particular, an adversary should not be able to issue a request that consumes more than a small constant factor of resources above the amount consumed by the normal operation of benign nodes. As a result, the proposed new protocol is able to prevent peers from launching asymmetric attacks, which leverage weaknesses in the system and magnify the damage caused. NLnet's contribution is used to pay a graduate student's salary for a full year (the university will waive tuition) to work on the implementation and evaluation of an improved routing algorithm for GNUnet. 
The routing algorithm will be implemented as a GNUnet service which means that many (existing and future) applications using the GNUnet framework will be able to take advantage of it. The specific proposed work is about a new routing algorithm that will support scalable and secure routing in a restricted-route topology. The project's own website: http://gnunet.org "},{"description":" Pretty Easy Privacy At scale simulation over GNUnet with different realistic user behavior scenarios The “Emulation over GNUnet for large user numbers and different realistic user behavior scenarios plus tuning” serves as a preparation and prerequisite for the integration of GNUnet into p≡p’s encryption app-solutions to obfuscate not only content but also metadata of written digital communications. p≡p wants to protect not just the contents of communications, but also its metadata (who communicates with whom, from who etc.) to allow for anonymous communications. p≡p has the goal, to have GNUnet (one of the official GNU projects) integrated in its core technology as the “holy grail” to fully restore privacy by technical means and to bridge people from classical means of communications (email, existing chat protocols) towards the fully decentralized GNUnet peer-to-peer network. With the simulation of GNUnet's behavior for large user numbers and different realistic user behavior scenarios we want to test and improve its stability and scalability. GNUnet protects metadata by tunneling text messages on identity- as well as account-level. GNUnet is a framework for secure peer-to-peer (P2P) networking, which is censorship-resistant, provides end-to-end encryption and is able to not just protect contents, but also metadata, thus anonymizing who’s communicating with whom and finally restoring full privacy. GNUnet's functioning doesn’t rely on any central infrastructure. It allows to bypass classic communication channels like email, if both peers have GNUnet. 
So far there is no information if GNUnet is reliable for large numbers of users. The integration into p≡p will be the first real-world mass-deployment of GNUnet. In order to facilitate a scalable configuration or adaption of GNUnet in p≡p, we thus want to build a simulation of user behavior for p≡p over GNUnet. We will model which shares of written digital communication can be expected on which devices and how GNUnet behaves for these data traffics. The simulation will be done for different user numbers (e.g. 1k, 10k, 100k, 1mio) as well as for various user behavior scenarios and net structures (e.g. preconditions for net neutrality/censorship by governments etc.). Scientific groundwork and expertise (e.g. “Large Scale Distributed Evaluation of Peer-To-Peer Protocols”, Sree Harsha Totakura, 2013) as well as close contact with the GNUnet team is at hand. This simulation will gain crucial insights for GNUnet deployments in real world situations being of major importance for related FOSS projects far beyond the integration into p≡p, so secure communication over a free Internet can be achieved. The project's own website: https://pep.foundation Run by PEP This project was funded through the Internet Hardening Fund, a fund established by NLnet with financial support from the Netherlands Ministry of Economic Affairs and Climate Policy. ","title":"Pretty Easy Privacy","url":"https://nlnet.nl/project/gnunet-test/"},{"url":"https://nlnet.nl/project/globule/","title":"Globule","description":" Globule user-centric Content Delivery Network Globule is a research project that aims at developing a user-centric Content Delivery Network (CDN). Such a network consists as an overlay in which the nodes are owned by end users rather than ISPs. In Globule, nodes transparently collaborate to provide strong guarantees with respect to performance and availability of Web documents. 
To this end, modules were developed that extend the basic functionality of the Apache2 Web server, and take care of automatically replicating Web documents, and redirecting clients to the replica server that can best service the request. The project's own website: http://www.globule.org 2005-09-22: Globule final report .pdf (25 kB) 2004-09-13: Globule initiates contest for all residents of the Netherlands to contribute to the project. "},{"description":" Globule user-centric Content Delivery Network Globule is being developed at the \"Vrije Universiteit van Amsterdam\" (VUA), Faculty of Science. NLnet supports the development with one full time scientific programmer. 2005-09-22: Globule final report. .pdf (25 kB) 2004-09-13: Globule released version 1.2, which contains full Windows support and the first version of \"disconnection master operation\". 2004-07-15: Project proposal to bring Globule to Windows. .ps (74 kB) ","url":"https://nlnet.nl/project/globule/how.html","title":"Globule"},{"title":"Globule","url":"https://nlnet.nl/project/globule/description.html","description":" Globule user-centric Content Delivery Network Globule is a research project that aims at developing a user-centric Content Delivery Network (CDN). Such a network consists as an overlay in which the nodes are owned by end users rather than ISPs. In Globule, nodes transparently collaborate to provide strong guarantees with respect to performance and availability of Web documents. To this end, we have developed modules that extend the basic functionality of the Apache2 Web server, and take care of automatically replicating Web documents, and redirecting clients to the replica server that can best service the request. Globule has been developed for UNIX platforms, and has been tested on Solaris and Linux. The current target of the project is to make Globule easily available for a large group of potential users, in particular those that have Windows machines. 
Users of Globule on Windows will initially be able to set up a Web site on their own machine of which the content is managed by standard tools such as Word and Netscape Composer. The main reason for wanting to make Globule available for Windows is that Globule is designed to run on end-user machines. We aim at wide-spread deployment, which then makes the Windows community a better target than focusing only on the UNIX community. There are many benefits in establishing a reasonable-sized user base, including feedback on bugs, performance, usability, functionality, usefulness, and so on. In general, it will lead to an improvement of Globule as a whole. Another important reason is that by explicitly focusing on general end users (rather than technical, UNIX-oriented users), we believe that requirements for functional enhancements will be properly prioritized. By concentrating on important user requirements, we should be able to more easily establish a user base, which, in turn contributes to the potential success of the project. Although the project has its internal goal set to promote the use of Globule and its support for adaptive replication, what would make Globule attractive for (Windows) end users is that they can set up a Web site on their own personal computer, which remains available even when that computer is shut down. Availability while being disconnected, combined with pure local development and maintenance will be the selling point for WinGlob. "},{"title":"Global Directories","url":"https://nlnet.nl/project/globaldirectory/","description":" Global Directories Distributed contact information discovery mechanism A global directory is a way of retrieving contact information from others, using standard technology, so you can employ automatic tools that download and update contact information without manual intervention - or without any third parties snooping into your private or business social environment. 
Moreover, you can use the same technology to share any relevant information (such as keys for protection of your email) to anyone. The project's own website: http://globaldir.arpa2.net Imagine receiving a phone call from a number you've never dealt with. Now imagine you can ask the internet to share information about the caller, even before you decide to answer the call. It could be the fire department telling you your house is on fire, the family lawyer about a sensitive matter or a company trying to sell you the final edition of the Encyclopaedia Britannica. In each situation you might have different requirements and wishes. Imagine what that would mean to the efficiency with which you communicate with people if they can magically unlock any information to you they are willing to share, and vice versa - and for your device to be able to handle that automatically. That would mean you would send your location to the fire department, encrypt the call with the lawyer and have your phone tell the company selling the encyclopedia you are not interested. That means you can send a document to the person you are talking to without clamping the phone to your shoulder or typing their email address with one hand. It gets even prettier when you contact the remote directory through a hub of your own. Your hub could help you to attach personal notes to that particular caller. For example, the pizza your partner ordered last time and definitely doesn't ever want to eat again. Or an internal contact reference code. Or a picture of that person you took yourself. Your hub might even dig up letters or bills that you have sent to the caller. And if you enjoy your privacy, it could even store the Short Authentication String used during the previous ZRTP-enciphered call. Interestingly, the technology to do this already exists, and it is commonly used and rock-solid. 
Chances are that your mobile devices can use it with a simple app already -- an LDAP client is available for most desktops and smaller platforms. The technology is just not usually installed by default, because most people don't ask for it -- they simply don't realise how much more the Internet has to offer than web and email. This project aims to show how global directories can deliver more control over your online presence. A project by: internetwide.org "},{"description":" GISS independent infrastructure for streaming radio and TV G.I.S.S. is an international network of free media activists, joining to build an infrastructure for free media experiences, radios and televisions like the Horitzo TV project (Spanish) in Barcelona. More concretely, right now the G.I.S.S. is an infrastructure with different components and tools for setting up an independent radio or TV channel easily. New work to be done in the course of the project focuses on the following aspects: Improvement of the topology of the network: currently all transmissions are passing through a main server and the upload to that server is saturated, so we should introduce new main servers and rebuild the architecture of the servers. Development of a specific version of icecast: for now the version we use lacks some essential features for us like the encryption of IPs (anonymizing like requested by the Indymedia network), a more specific load-balancing mechanism (using the instant load of each server) and more complementary features regarding the master/slave configuration. The live CD is in a usable state, but it should be improved to include more audio-visual and streaming tools, like Cinelerra, free, gstreamer and other useful tools for video editing and broadcasting. Another component of the system is a kind of 'mediabase' archive tool, similar to YouTube but using only free software and Ogg/Theora format. Although a prototype already exists, it should be improved and be customizable for every user. 
The new GPL package will be called 'Distributed Multimedia Database System' (DMDBS). Most of our activities are located in Europe and South America, we would like to extend that network to other countries (India, Bolivia, Morocco). We already have some contacts to organize some workshops there. The project's own website: http://giss.tv ","url":"https://nlnet.nl/project/giss/","title":"GISS"},{"description":" GetDNS Deliver DNSSEC as a building block in harsh environments Encrypted communication between two random end points on the internet cannot happen without additional infrastructure through which security parameters are exchanged. The getdns library is a modern asynchronous DNS library for application developers, with an API vetted by application developers. getdns has especially good stub-resolving capabilities, and has been developed alongside and in close co-operation with recent standards for stub resolving; such as DNS over TLS (RFC7858), and acquiring DNSSEC at stub resolving level (DNSSEC roadblock avoidance - RFC8027). The project's own website: https://getdnsapi.net/ Why does this actually matter to end users? Encrypted communication between two random end points on the internet cannot happen without additional infrastructure through which security parameters are exchanged. DANE (DNS-Based Authentication of Named Entities) is a method of bootstrapping encrypted TLS channels without third parties (i.e. Certificate Authorities) having to vouch for a name. It provides the owner of the name the means to authenticate the keys used for their TLS enabled services themselves, by putting the key material (or a reference for it) in the DNSSEC signed zone for the name. DNSSEC validation is an absolute requirement to verify DANE enabled TLS sessions. DANE was recently added as a mandatory standard of the Dutch government by Forum Standaardisatie together with startTLS. 
Applications that employ DANE to setup TLS connections need to be able to retrieve and verify DNSSEC records reliably. New work in TLS, embedding DANE in an extension, needs to be able to validate DNSSEC to authenticate a TLS session (see: https://tools.ietf.org/html/draft-ietf-tls-dnssec-chain-extension-01). Because of the technical complexity of DNSSEC, DANE support has so far been quite complex for developers to work with. The getdns library is a modern asynchronous DNS library for application developers, with an API vetted by application developers. getdns has especially good stub-resolving capabilities, and has been developed alongside and in close co-operation with recent standards for stub resolving; such as DNS over TLS (RFC7858), and acquiring DNSSEC at stub resolving level (DNSSEC roadblock avoidance - RFC8027). One of the key features of getdns is the ability to deliver DNSSEC as a building block in harsh environments. In the project we implement a number of essential components to this library, and work on mechanisms to make it easy to integrate the library also at a system level. Run by NLnet Labs This project was funded through the Internet Hardening Fund, a fund established by NLnet with financial support from the Netherlands Ministry of Economic Affairs and Climate Policy. ","title":"GetDNS","url":"https://nlnet.nl/project/getdns/"},{"description":" fwupd Automatic Firmware updates for BSD operating systems Security holes in the equipment we run are discovered all the time, and firmware is continuously upgraded as a result. But how do users discover what they need to upgrade to protect themselves? The goal of the \"fwupd/LVFS integration in the BSD distributions\" is to reuse the effort done by the fwupd/LVFS project and make it available in the BSD-based systems as well. fwupd has been available on Linux-based systems since 2015. It is an open-source daemon for managing the installation of firmware updates from LVFS. 
The LVFS (Linux Vendor Firmware Service) is a secure portal which allows hardware vendors to upload firmware updates. Over the years, some major hardware vendors (e.g. Dell, HP, Intel, Lenovo) have been uploading their firmware images to the LVFS so they can be later installed on the Linux-based systems. The integration of the fwupd in the BSD-based systems would allow reusing the well-established infrastructure so more users can take advantage of it. The project's own website: https://fwupd.org Why does this actually matter to end users? Most users rely on antivirus programs to keep their system and important data safe and private. Visited sites, downloaded files, email coming in and out, everything should pass through a digital border control that keeps malware and spyware out. Perform a complete system scan every other month and most users will be reassured: I am safe. The truth is that there is more than one way into your system and not every backdoor is properly protected. Attackers can also target the most fundamental software on your device, which is also known as firmware. A common example is the BIOS or Basic Input/Output System that every computer has to boot up and load the operating system. Accessing the BIOS and installing malicious software on such a fundamental level gives attackers far-reaching control over a system (which is why it is used for ransomware) and the user usually does not even realize it. And updating their BIOS probably is not something they do (if they are even aware of it at all). That is unfortunate, because a number of hardware vendors do put out updates for their firmware that you can update your computer with. To make firmware updating more commonplace, you should simply get a notification that you need to get the latest update. That is what this project aims to do for a widely used firmware update effort for Linux-based operating systems. 
This way users outside of the more experienced small clique of hardware geeks can also be sure their device is trustworthy, from the software they actually run to the programs that start everything up and keep their system going. As Linux-based systems are used everywhere and sometimes perform vital functions to local and wider area networks, a straightforward project like this can actually contribute to a more resilient and reliable global internet. Security should not be a black box. Instead, users should be able to choose from plug & play solutions that work together nicely and cover most if not all exits in their systems. Or they should have a one-stop-shop solution, a big green button they can press for total security. Run by 3mdeb Embedded Systems Consulting This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. ","title":"fwupd","url":"https://nlnet.nl/project/fwdup-BSD/"},{"url":"https://nlnet.nl/project/fteproxy/","title":"FTEproxy","description":" FTEproxy FTE enables developers to build systems resistant to surveillance and censorship. fteproxy provides transport-layer protection to resist keyword filtering, censorship and discriminatory routing policies. Its job is to relay datastreams, such as web browsing traffic, by encoding streams as messages that match a user-specified regular expression. The project's own website: https://fteproxy.org/ Network communications are increasingly becoming the target of surveillance and censorship. One natural defense is to use traditional cryptographic protocols — traditional encryption incurs low-overhead and does a good job of providing privacy. 
However, because encryption is so effective, many governments (e.g., Iran, Pakistan, and China) are willing to block state-of-the-art cryptographic protocols such as TLS and SSH. Figure 1: A government can easily identify that a client and server are using an encryption protocol, and refuse the connection. Our Solution: Format-Transforming Encryption Format-Transforming Encryption (FTE) is a novel cryptographic primitive that extends traditional encryption. Traditional cryptographic primitives take a key and a message as input, and output an unformatted ciphertext. FTE takes a key, message and format (a compact set descriptor) as input and outputs a ciphertext in the format set. As an example, a format may describe the set of valid messages from an uncensored protocol, such as HTTP. The software that realizes Format-Transforming Encryption, fteproxy, bootstraps FTE to relay arbitrary data streams. fteproxy uses regular expressions to describe and transmit messages from an uncensored protocol (e.g., HTTP), but may actually be relaying a censored protocol (e.g., Tor, TLS, SSH, etc.). To a government, traffic looks like HTTP, even though it may actually be a censored protocol. Figure 2: fteproxy transparently encrypts communications so that a censored protocol looks like an uncensored protocol. Kevin P. Dyer "},{"description":" FSF Priority stimulating High Priority Projects of the Freedom Software Foundation The Freedom Software Foundation high-priority projects list serves to foster the development of projects that are important for increasing the adoption and use of free software and free software operating systems. The priority projects list shows areas where free software development needs to accelerate in order to stop users from being drawn to proprietary software and operating systems. It lists holes that aren't fully covered by existing projects. 
NLnet's contribution will be used to support development sprints around the priority projects, including the project to produce free software drivers for network routers. The project's own website: http://www.fsf.org/campaigns/priority.html ","title":"FSF Priority","url":"https://nlnet.nl/project/fsfpriority/"},{"url":"https://nlnet.nl/project/fsfeurope/","title":"FSF Europe","description":" FSF Europe support for the Free Software Foundation Europe The Free Software Foundation Europe (FSF Europe) is a charitable non-governmental organization dedicated to all aspects of Free Software in Europe. Access to software determines who may participate in a digital society. Therefore the freedoms to use, copy, modify and redistribute software - as described in the Free Software definition - allow equal participation in the information age. The FSF Europe works towards all European aspects of Free Software and especially the GNU Project. It is actively supporting development of Free Software and furthering GNU-based systems, such as GNU/Linux. Also, it provides a competence center for politicians, lawyers and journalists in order to secure the legal, political and social future of Free Software. The NLnet Foundation is stimulating efforts made by FSF Europe to adapt and embed Free Software licenses, like GPL, LGPL, and FDL in the European legal system(s). Besides, NLnet supports the Freedom Task Force, which provides licensing services to individuals, projects and businesses involved with Free Software. The project's own website: http://www.fsfeurope.org FSF Europe was founded in 2001 as the European sister organization of the Free Software Foundation in the United States, which receives support from NLnet as well. The American (international) FSF/GNU. 
"},{"url":"https://nlnet.nl/project/fsfeurope/how.html","title":"FSF Europe","description":" FSF Europe support for the Free Software Foundation Europe Stichting NLnet is a Patron of the Free Software Foundation Europe, NLnet also contributes to the American (international) FSF, on regular basis. 2007-10-09: FTF sponsor contract extended. more > > 2007-09-14: The FTF legal network continues to grow. A conference on European law concerning Open Source is being planned. more > > 2007-07-20: progress report. more > > 2006-11-13: press release. more > > 2007-01-24: initial project report. .pdf (301 kB) In 2006, NLnet donated € 10.000, and continues as a \"Patron of the Free Software Foundation Europe\". NLnet also continues to support the GPLv3 development by FSF and FSF Europe. In 2005, NLnet donated € 10.000, and continues as a \"Patron of the Free Software Foundation Europe\" In 2004, Stichting NLnet donated € 10.000, and therefore can call itself: \"Patron of the Free Software Foundation Europe\". In 2002, Stichting NLnet donated € 5.000. "},{"description":" FSF Europe support for the Free Software Foundation Europe The Free Software Foundation Europe (FSF Europe) was founded in 2001 as the sister organization of the Free Software Foundation (FSF) in the USA to take care of all aspects of Free Software in Europe. Several factors made this step necessary. First of all, Free Software has ceased being an American phenomenon, Europe has one of the strongest communities of Free Software developers and many considerable projects of the recent past have their roots in Europe. Secondly, the dominating perception of software is as a purely economic property, which is why it is being treated this way by politics and press. But software already transcends daily life in an increasing manner and becomes a deciding factor. Just as other developments in the past of mankind, software develops from being an economic to a cultural property with increasing presence in everyday life. 
Other than developments that seem to be comparable at first glance like printing press, car or telephone, software is purely virtual. It can not only be reproduced without loss, this reproduction also serves its evolution. This makes software have properties that are very different from those of other phenomena in history; the invention of software probably has the biggest similarities with the discovery of language, writing or science. It is essential for the future of mankind that software as a cultural property will remain accessible for everyone and is preserved in libraries like other knowledge. In order to achieve this, a new way of thinking has to be established with the decision-makers of the population, the politicians. To inspire this new way of thinking is a crucial task for the FSF Europe. The third objective is securing Free Software. The GNU General Public License and GNU Lesser General Public License of the Free Software Foundation are the most often used licenses. Therefore it is incumbent on the FSF and FSF Europe to ensure the legal safety of the largest part of Free Software. Fourthly, the long-term success is based upon the practical realization of Free Software. Because of this, the FSF Europe and the FSF work together on the organizational aspects of the GNU Project, assist and maintain the development of Free Software and support companies and people willing to switch to Free Software. And finally, software contains an immense commercial potential. In order to permanently build the awareness for Free Software, it is necessary to also involve the economy. This means perspectives need to be opened for companies to build their business on or around Free Software. Offering these perspectives and counseling in their application is also a task for the FSF Europe. Further considerations on the topic of Free Software can be found at: http://www.gnu.org/philosophy/philosophy.html. 
","title":"FSF Europe","url":"https://nlnet.nl/project/fsfeurope/description.html"},{"url":"https://nlnet.nl/project/fsf/","title":"FSF","description":" FSF support for the Free Software Foundation The Free Software Foundation (FSF) is the principal organizational sponsor of the GNU Project. FSF relies on voluntary support from individuals, organizations and companies who support FSF's mission to preserve, protect and promote the freedom to use, study, copy, modify, and redistribute computer software, and to defend the rights of Free Software users. The project's own website: http://www.fsf.org In March 2001, an European sister organization was founded, which has similar objectives as the American (international) FSF. This FSF Europe is sponsored by NLnet as well. "},{"url":"https://nlnet.nl/project/fsf/how.html","title":"FSF","description":" FSF support for the Free Software Foundation Stichting NLnet made repetative donations to the Free Software Foundation (FSF) to support its activities:       1999     US$ 10.000 2000 US$ 10.000 2001 US$ 15.000 2002 US$ 15.000 2004 US$ 15.000 2005 US$ 18.000 2006 US$ 18.000 To be continued... NLnet also contributes to the Free Software Foundation Europe (FSF Europe). Besides, NLnet supports the GPLv3 development by FSF and FSF Europe. "},{"url":"https://nlnet.nl/project/fsf/description.html","title":"FSF","description":" FSF support for the Free Software Foundation In the past fifteen years, GNU software has proven to be of fundamental importance for many Open Source software projects. Many projects would never have been imagined or started without the availability of GNU software tools. Also, the example set by the GNU licensing model GPL is eminently important for the development of publicly available software technology. The Free Software Foundation, guardian of the GNU project, has played and continues to play a very important role, even though the GNU system may appear complete (but isn't really). 
New projects are still being started (e.g. GNOME), and new versions of previously developed software are being distributed. Due to its principally non-commercial base, the Free Software Foundation can only exist thanks to donations and volunteer work. A financial contribution is therefore a good way to support the work of the FSF. There is a tendency to take the work of the FSF for granted, but this is detracting from the efforts which are necessary to keep this prolific software source flowing. The relationship between the activities of the Free Software Foundation, such as the GNU project, and the goals of Stichting NLnet is indirect. NLnet is generally focussing on the stimulation of the development of specific network (internet) technology etc. In the case of GNU and FSF, network technology is not always directly involved. However, the core technology of GNU, as embodied by gcc, gdb and the GNU software development tools for example, is of crucial importance for the development of publicly available network (internet) technology and deserves the support by NLnet because of its exceptional position. "},{"description":" FreeBSD-3G network drivers for 3G cards on FreeBSD The project started by improving 3GPP support for Option GT GPRS/EDGE cards, to provide a second serial channel to retrieve signal quality and other status info from the data card while being online. Starting off with the OpenMoko 3GPP implementation, this was quickly replaced with own development due to memory constraints on embedded systems. Later, similar functionality was added for data cards which use an internal USB-hub with several serial ports connected. The project contains: development of a FreeBSD driver for data cards supported by the Linux hso driver; development of FreeBSD driver for nozomi type Option cards; improvements to, and open sourcing of, the 3GPP protocol daemon; and setup of Knowledge Base website. Each of these individual subprojects is valuable on its own. 
Sub-project 'Setup of wiki/website' would provide the Open Source community as a whole a needed central point for information on this topic. Building a new site is necessary to not only gather information but also process the various sources into a coherent source of information, providing more value than information presentation on its own. ","url":"https://nlnet.nl/project/freebsd-3g/","title":"FreeBSD-3G"},{"url":"https://nlnet.nl/project/foaHandler/","title":"foaHandler","description":" foaHandler Reverse engineer the OpenAccess file format Commercial CAE programs still dominate the community that designs electronic circuits. One of the most widely used file format here uses the OpenAccess API controlled by Si2. Unfortunately, this API is available only for members of the OpenAccess coalition. The project \"foaHandler\" aims at creating open-source programs for reading and writing OpenAccess files. Their internal data structure will be investigated by reverse engineering the file content of schematics, component symbols and layouts. Then, routines will be created that make it easy to import and export OpenAccess files in open-source programs like circuit simulators, layout programs etc. Example files and documentation will be published, too. This makes the data exchange between free and commercial EDA applications possible. The project's own website: https://dd6um.darc.de/foa This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"title":"FLOSS","url":"https://nlnet.nl/project/floss/","description":" FLOSS Stimulating FLOSS dissemination in The Netherlands The promotion of FLOSS (Free/Libre/Open-Source Software) in The Netherlands needs people. 
This project will educate FLOSS ambassadors who will disseminate open source philosophy and methods amongst non-profit organisations, SME's and local governments. Volunteers will become ambassadors, trained in the essence of Open Source principles and technology. Communication techniques will be taught to help contact a peer group of NGO's, SME's, and local governments. The program is run by Gendo BV, located in Leiden, The Netherlands. "},{"url":"https://nlnet.nl/project/floss-manuals/","title":"FLOSS-manuals","description":" FLOSS-manuals on-demand printing of Open Source manuals FLOSS Manuals produces high quality collaboratively authored manuals about how to use free software. Within this project FLOSS Manuals integrates the content creation platform with Print on Demand services. This will enable collaborative authoring of manuals online, and the output directly to book form available for purchase via a print on demand service. The project will result in a platform allowing: To extend our available output formats. We currently enable output to html, basic pdf, and we have inclusion api. However, it is very necessary to extend this to output to docbook, man pages, and the forthcoming new scribus file format. To tie in manual production and remixing to a print on demand service. To build RSS subscription services for manuals. The project's own website: http://en.flossmanuals.net "},{"url":"https://nlnet.nl/project/filesender/","title":"FileSender","description":" FileSender FileSender is a secure and private way to share large files with anyone. FileSender is a self-hosted service that allows you to share very large files with anyone. The project's own website: https://www.filesender.org/ FileSender is a (self-)hosted service that allows people to share large files with anyone. It works through your web browser to send a file to any email address. 
FileSender was created with the needs of scientists and researchers in mind, which means that it scales to extreme file sizes. Private instances of FileSender are currently in use by many national research networks and scientific institutes across the world. Donating to this programme Donate by bank transfer (no costs within Europe) Account holder Stichting NLnet Science Park 400 1098 XH  Amsterdam    The Netherlands Account number BIC: INGBNL2A IBAN: NL30 INGB 0007 2288 90 Name of the bank ING BANK NV P.O.Box 1800 1000 BV Amsterdam The Netherlands Or check the overview of projects More about the FileSender Programme at [ The Commons Conservancy ] A collaboration of: "},{"description":" FFII support for the Foundation for a Free Information Infrastructure The FFII is a non-profit organisation with branches in various European countries. FFII concentrates on the spread of data processing literacy. They support the development of public information products based on copyright, free competition, and open standards. In daily practice, FFII is the driving force of the movement which fights against the legalisation of software patents in the European legislation. This means in practice: active lobbying in the European administration in Brussels (in particular the European Parliament), distributing lots of information and press releases, and organising conferences and demonstrations (both physically and on the web). The project's own website: http://www.ffii.org 2003-10-20: NLnet Foundation's view on the software patents situation in the EU. more > > ","url":"https://nlnet.nl/project/ffii/","title":"FFII"},{"description":" FFII support for the Foundation for a Free Information Infrastructure In April 2003, Stichting NLnet made a donation of € 2000 to the Foundation for a Free Information Infrastructure (FFII) to support its activities against Software Patents in Europe. 
In August 2003, another donation of € 3000 was made to the FFII to support its actions against the Software Patents Bill scheduled for voting in the European Parliament on September 1, 2003. In 2005, € 5,000 were donated. In 2006, € 10.000 was contributed to support FFII's on-going struggle against Software Patents in Europe. ","url":"https://nlnet.nl/project/ffii/how.html","title":"FFII"},{"url":"https://nlnet.nl/project/ffii/description.html","title":"FFII","description":" FFII support for the Foundation for a Free Information Infrastructure The FFII is a non-profit organisation with branches in various European countries. FFII concentrates on the spread of data processing literacy. They support the development of public information products based on copyright, free competition, and open standards. In daily practice, FFII is the driving force of the movement which fights against the legalisation of software patents in the European legislation. This means in practice: active lobbying in the European administration in Brussels (in particular the European Parliament), distributing press releases and information, and organising conferences and demonstrations (both physically and on the web). The very comprehensive (and therefore sometimes inconveniently arranged) website can be found at www.ffii.org. The most important persons within FFII are Hartmut Pilch (chairman) and Erik Josefsson (lobbyist in Brussels). But in addition to them a large number of dedicated volunteers is participating in many countries (Belgium, Poland, England, Sweden, Germany, ...). In the Netherlands vrijschrift.org is acting as the local representative of FFII. In October 2004 NoSoftwarePatents.com has been set up as an active campaign throughout Europe. This has been done in a professional fashion by Florian Müller with financial backing from three IT companies (1&1, RedHat and MySQL AB). In March 2005 it was announced that FFII will take over this campaign. 
Whether this means that the IT companies mentioned will now support FFII financially is not quite clear -- the campaign manager Florian Müller is stepping back to start other things. In 2005, an ambitious plan was made for scaling up FFII's activities with respect to software patents. In essence, Hartmut Pilch expects to be able to effectively counter the very well funded pro-software patent lobby with a number of concentrated activities. However, this will push up FFII's costs significantly. NLnet is supporting FFII's activities in 2005 with a donation of € 5.000 (bringing the total contribution of NLnet to FFII to € 10.000). "},{"description":" fediverse.space Find your way in the Fediverse Fediverse.space is a tool for understanding decentralized social networks, and searching through them. The fediverse, or federated universe, is the set of social media servers, hosted by individuals across the globe, forming a libre and more democratic alternative to traditional social media. When displaying these servers in an intuitive visualization, clusters quickly emerge. For instance, servers with the same primary language will be close to each other. There are more subtle groupings, too: topics of discussion, types of users (serious vs. ironic), and political leanings all play a role. fediverse.space aims to be the best tool for understanding and discovering communities on this emerging social network. The project's own website: https://fediverse.space Why does this actually matter to end users? A lot of the people we talk to, the media we watch and the services we search for are found in or through using social media. For users these platforms offer easy and usually free services to send public and private messages, stay updated on relevant news and promote your business or product. But the services these social media offer do actually come at a personal and societal cost. The platforms are not neutral exchange platforms like the rest of the internet. 
They do not just deal with all messages they receive in the same way. Part of the corporate social network model is to give some messages preferential treatment over others, i.e. there is a noticeable bias towards those that pay. People only have so much attention they can spare every day, and the companies decide what you cannot skip based on what they get paid. This would be equivalent to you always seeing the newsletter from Coca Cola at the top of your email client, but only half of the emails from your father or local charity because they are automatically put in a folder out of sight. This \"pay to play\" creates a knockout race for attention fueled by commerce, not by arguments, emotions, ethics or societal considerations. This exposure is worsened by the fact that the platforms monetize your data and behaviour. Social media companies create fine-grained personal profiles, that even include attributed political, relational and other deeply personal matters. By clustering people, profiles become more crisp and valuable. But they tend to push people step by step to more extreme options. You liked marijuana. You like drugs. Maybe you like cocaine? You visited a site with conspiracy theories. Well, here is another one which is even more incredible. When these profiles are made available to advertisers at a premium price, psychometrics such as those used by Cambridge Analytica (and others) make it possible to influence subsets of the population in both subtle and crude ways. These selfish business practices continuously raise fundamental societal questions: how do we feel about social media being used by foreign state actors to influence democratic elections through very personalized (and misguided) political campaigns? And how do we contain the algorithmic pressure towards global extremes, rather than bringing people together as one would expect from a social network? Another problematic issue to address is monoculture. 
Social networks do not allow to cross the boundary of their service in an easy way, leading to social lock in and a \"winner takes all\" scenario. This limits choice, but also exposes users to legal dangers. Confidential discussions through \"private\" messages for instance turn out to be not so private, such as the case where a United States got the social network Twitter to hand over the personal communication from European human rights activists and a member of the Icelandic parliament over a severe human rights violation by the USA military. The European Court of Human Rights would certainly not have allowed this, but it happened outside of our jurisdiction - even if all the actors never left Europe. The federated universe, abbreviated to fediverse, wants to offer social media users a more transparent, ethical and decentralized environment to talk, find and connect. This is done through a plethora of completely independent servers hosted by organisations and individuals around the world. Each has their own policy, each has their own community and reputation. But they can all interoperate. If you don't like any of the existing options, or want to do something different or innovative, you download some open source software and start your own. If you feel some server is toxic, or misbehaves, it just takes one click to stop listening to what is being said. And there is no need to share data with anyone, if you want to. Every node can essentially be a complete social network in itself. The fediverse is not confined to what a single company wants to do - in every way. That means a broader offering in terms of design, usability and user experience, in terms of technology, ethics and culture. Essentially every server is a full-fledged social network in itself, able to talk to other social networks when it wants. 
People can use the fediverse for traditional social networking, but they can also integrate it with other services such as online video sharing, all without the fear of having their data being monetized or their activity profiled. Switching from closed social networks to the fediverse contributes to privacy and trust, by enabling users to understand and control who sees their data. The fediverse as a network of social networks, is also more resilient than a single network could ever be. Fediverse.space will help to discover where discussions and communities that interest users take place. This is an essential feature for a decentralised technology. Searching among the different social networks on the fediverse is still in its infancy, and behaves differently from traditional document based search. Fediverse.space visualizes and allows to categorise the hosted servers in different ways, and even analyse trends. For example you can see most discussed topics, primary language used, or any other category that helps users find the network most interesting for them to join. Such a tool improves the discoverability and usability of alternative social environments and can help users switch from the traditional commercial social media to the next generation of open social networks. This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. ","url":"https://nlnet.nl/project/fediverse_space/","title":"fediverse.space"},{"title":"fdtshim","url":"https://nlnet.nl/project/fdtshim/","description":" fdtshim Simplify use of Device Tree Binaries for Linux installers The fdtshim project aims to implement a distribution-agnostic and hardware-agnostic method, and protocols, to load the correct hardware-specific DeviceTree on UEFI systems. 
With fdtshim, installation media for distributions can become truly generic, and support boot from different DT-incompatible kernels. Its usage is transparent to the user, and ensures the system will continue working after a major kernel update, whether booting from the current kernel, or the previously working kernel. Using fdtshim makes it much easier for end users to boot live and install media on different devices with different architectures: mobile phones, tablets, embedded systems, laptops, servers and workstations. The project's own website: https://github.com/fdtshim/ This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"title":"Fashion Freedom","url":"https://nlnet.nl/project/fashionfreedom/","description":" Fashion Freedom Supporting research, development, and education to bring the fashion industry into the 21st century The Fashion Freedom Initiative wants to make sure that everyone benefits from new advances in technology in the fashion industry and beyond. It aims to assist the industry and the wider society in transitioning into a new phase where social responsibility, art, usability, privacy and sustainability are combined into a better and smarter fashion for everyone. Designing and making clothes isn't just a luxury for the affluent, or a prerogative of large factories and consumer brands: it is a universal need at the largest possible scale. The project's own website: https://www.fashionfreedom.eu/ Clothing is an important and meaningful part of our daily lives in many ways. It is quite literally the closest thing to our physical selves in the world, an external skin that protects us and regulates our temperature. 
In addition to its many functional qualities, clothing is the embodiment of fashion: an essential part of how individuals and groups express themselves esthetically and convey personal and social identities. Clothing is — amazingly enough — still dependent on a lot of manual techniques, often dating back centuries and passed on from generation to generation. Interesting innovations are now entering the realm of fashion and clothing through e.g. smart fabrics but also through novel methods of crafting three-dimensional garments from two-dimensional fabric as eco-friendly and durable as possible. The idea of clothing as a sensor network, tool or interface holds great promises, but - like with any technology - one should also consider how this may affect privacy, ownership and control. You may not be able to simply upgrade your smart jacket, but you cannot afford it being hacked either - so where possible you will need best practises such as security by design and privacy by design. The Fashion Freedom Initiative is an exciting new effort to bring the fashion industry forward, bringing along the best approaches from elsewhere. Its strategy is to produce free software, tools, open manufacturing and training materials that empower anyone to understand, design and create better fashion - for themselves and others. The Fashion Freedom Initiative is part of The Commons Conservancy. 
Donating to this programme Donate by bank transfer (please add a reference 'Fashion Freedom') Account holder Stichting NLnet Science Park 400 1098 XH  Amsterdam    The Netherlands Account number BIC: INGBNL2A IBAN: NL30 INGB 0007 2288 90 Name of the bank ING BANK NV P.O.Box 1800 1000 BV Amsterdam The Netherlands A collaboration of: "},{"url":"https://nlnet.nl/project/fairwaves/","title":"Fairwaves","description":" Fairwaves Fairwaves Fairwaves project is aiming at removing one more obstacle on the way to cheap and ubiquitous wireless networks: the absence of free (open source), yet production quality building blocks for wireless equipment. There are plenty of expensive proprietary solutions you can use for coding. Fairwaves is set to develop an Open Source framework for PHY and MAC levels of wireless protocols which will allow \"free as in beer\" development. It should foster innovation in the wireless communications and allow more projects like OpenBTS and Opendigitalradio to emerge. Alexander Chemeris, Russia "},{"title":"f8","url":"https://nlnet.nl/project/f8/","description":" f8 Modern 8-bit instruction set Among microcontrollers (µC), 8/16-bit µC are an important part of the embedded systems ecosystem since they tend to have substantially lower resource and energy costs than the larger, more powerful 32-bit and 64-bit µC. However, existing 8/16-bit µC architectures tend to be either somewhat inefficient (e.g. MCS-51) or single-vendor (e.g. STM8, Rabbit). The latter are at a high risk of being discontinued when a vendor pulls out of the 8/16-bit market, and this has been announced recently for the STM8 and Rabbit architectures. One possible solution is to develop an efficient free architecture for 8/16-bit µC. The f8 is such an approach. It is based upon extensive experience from the large number of 8/16-bit architectures supported by the free Small Device C compiler (SDCC). 
Like RISC-V did for 32/64-bit architectures, f8 is based on lessons learned from the strengths and weaknesses of existing 8/16-bit architectures. The project's own website: https://sdcc.sourceforge.net/ This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"title":"Explain Direct","url":"https://nlnet.nl/project/explaindirect/","description":" Explain Direct Providing effective and efficient access paradigms for open educational material Open source technical solutions for analyzing, recommending, and querying open educational materials within the context of higher education The project's own website: https://explain.direct Finding the right information about something you don't yet understand in full yourself can be challenging, especially given the amount of information that is available today. In learning institutions it is important to facilitate exploration, so students can themselves find topics they find interesting or relevant. How do you find out which materials will allow students to quickly gain additional knowledge on a certain topic? Explain Direct does this by allowing students to either go deeper or broader. Given a set of educational resources, it will use state-of-the-art content analysis and recommendation techniques to provide material that combines the current topic with others, or dives deeper into the topic. The project is developed by Feedback Fruits. Jointly supported by: "},{"description":" e-Passports use of (hardware) electronic passports for user authentication over internet Over the past two years, electronic passports (e-passports) have been introduced in most countries of the world. An e-passport embeds a chip with card holder details. 
While there are concerns about the privacy consequences of the introduction, caused by the contactless nature of communication and the sensitive nature of contained biometric data, this also presents a unique opportunity: it provides every citizen of the world with a strong authentication token within a global Public Key Infrastructure (PKI). The technical standards which describe how to verify the authenticity of electronic passports are open and publicly available from the International Civil Aviation Organization (ICAO). Although likely not intended as such by ICAO, e-passports are ideal for authenticating users of Web services. The current proposal intends to build such an Identity 2.0 solution with open source software. We propose to create a trustworthy identity solution that allows a user to use their e-passport for authentication at regular websites or webservices (e.g. for e-government like services). Such a solution may contain a browser plug-in that integrates the software developed in JMRTD with an open source identity selector (perhaps compatible with InfoCard). Additionally, the solution may require the establishment of a central server that acts as an identity provider (perhaps compatible with OpenID). A question that will need to be answered is to what degree end-users and service providers need to trust our identity provider (in case of end-users: trust with respect to dealing with privacy-sensitive data). ","url":"https://nlnet.nl/project/epassports/","title":"e-Passports"},{"description":" embedded-cal An embedded systems-friendly verified crypto provider Embedded-cal develops a verified implementation of the cryptographic provider in Rust which is compatible with popular embedded platforms. This cryptographic provider will be 1) fast on popular embedded platforms; 2) resistant to certain classes of side-channel attacks; 3) usable without the Rust standard library. 
The module will leverage the available hardware acceleration support of popular microcontroller units for embedded systems and fill in the gaps in hardware support through software implementations. The module will be formally verified for secret independence using the hax framework, a verification tool for high assurance code. The project's own website: https://github.com/lake-rs/embedded-cal Run by Inria Paris This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","title":"embedded-cal","url":"https://nlnet.nl/project/embedded-cal/"},{"description":" elRepo.io - Resilient, distributed content sharing Resilient, human-centered, distributed content sharing and discovery. In this project AlterMundi and NetHood collaborate to develop a critical missing part in decentralized and distributed p2p systems: content search. More specifically, this project will implement advanced search for elRepo.io, the self-hosted and distributed culture-sharing platform currently under active development by AlterMundi and partners. Search functionalities will expand on the already proven coupling of the libxapian searching and indexing library and turtle routing. The distributed search functionality will be implemented to be flexible and modular. It will become the meeting point of three complementary threads of on-going work: Libre technology and tools for building Community Networks (LibreRouter & LibreMesh), fully decentralized, secure and anonymous Friend2Friend software (Retroshare), and a transdisciplinary participatory methodology for local applications in Community Networks (netCommons). 
The project's own website: https://elrepo.io/ Why does this actually matter to end users? Culture is the glue that ties global and local communities together. The words people use, food they share and songs they sing make up a collective language that says 'this is who we are, this is what our culture means to us'. To satisfy this very human need, communities need some common infrastructure that brings its members together in a space where they can share their culture, without any (commercial or governmental) interference. Internet technology can help create such a public space, a digital commons, through networks that communities host themselves and use to share their culture among peers. elRepo.io can help communities everywhere build their own networked home where they can safely store and share audio, video, text and other file formats. The network is resistant to any form of central censorship and can even be used when internet connectivity is down, as content is stored and can be exchanged locally. To make such networks more relevant to, for example, new members of a community, this project will add a content search function to the existing distributed peer-to-peer platform. Run by NetHood + AlterMundi This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. ","title":"elRepo.io - Resilient, distributed content sharing","url":"https://nlnet.nl/project/elrepo_io/"},{"description":" Ejabberd Great Invitations More pleasant user registration for ejabberd XMPP server One of the biggest hurdles for XMPP in terms of widespread adoption compared to single vendor solutions is a somewhat more complicated onboarding process. 
To not open their service to unsolicited messages and abuse, administrators often opt to not allow open registration, which complicates things even more. To counter these obstacles, recently the concept of „Great Invitations“ was introduced by one of the XMPP servers, aiming to make the onboarding process as seamless as possible - a single link is enough to guide a potential future participant. The goal of this project is to follow this pleasant way of onboarding, and implement it for ejabberd. The project's own website: https://ejabberd.im This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/ejabberd-invites/","title":"Ejabberd Great Invitations"},{"url":"https://nlnet.nl/project/eglTF/","title":"","description":""},{"description":" eduVPN Making secure VPN network technology available to everyone eduVPN/Let's Connect is an effort to make VPN technology commonly available, by building better and more user-friendly tools to connect to trusted parts of the internet. The project's own website: https://www.commonsconservancy.org/ We live in a society that wants to be online whenever possible, and WiFi is a common technology for achieving connectivity. Unlike the \"home\" network (which could be described as a 'trusted' environment because you connect from a known device to an access provider you selected yourself), we also make heavy use of public offerings of WiFi that offer far fewer guarantees. When being a guest on third party networks, we should take precautions against a number of risks (such as the risk of rogue attacks on our connections and systems). 
Let's Connect (branded EduVPN for the educational community) is an implementation of such facilities, which was originally designed with educational institutions as an audience but is now available for anyone to benefit from. The eduVPN programme produces a family of open source tools that can be used to set up a VPN server, federate with other servers, connect various types of client devices, etcetera. Subprojects Federated eduVPN - François Kooman eduVPN Python client - Gijs Molenaar More about the eduVPN Programme at [ The Commons Conservancy ] A collaboration of: ","url":"https://nlnet.nl/project/eduvpn/","title":"eduVPN"},{"title":"eduVPN multi-protocol","url":"https://nlnet.nl/project/eduVPN-multiprotocol/","description":" eduVPN multi-protocol Review of the eduVPN multi-protocol project. The eduVPN framework is currently built on top of OpenVPN 2.x. A new design will be delivered in order to accommodate WireGuard next to OpenVPN. WireGuard is a very simple, fast and modern VPN that utilizes state-of-the-art cryptography. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform and widely deployable. The project's own website: https://www.eduvpn.org/ "},{"url":"https://nlnet.nl/project/eduVPN-apple/","title":"eduVPN on Apple","description":" eduVPN on Apple eduVPN for Apple devices eduVPN is a program under the Commons Conservancy, a not-for-profit foundation focusing on free and open source projects. The goal of the project is to provide a comprehensive and reliable, open source VPN solution for all platforms. This project aims to improve the security and usability of the macOS- and iOS-apps. 
The project's own website: https://eduvpn.org "},{"description":" eduVPN on Apple part II Improved version of eduVPN for Apple devices eduVPN is a program under the Commons Conservancy, a not-for-profit foundation focusing on free and open source projects. The goal of the project is to provide a comprehensive and reliable, open source VPN solution for all platforms. The project is plagued by some nasty bugs that have been found hard to fix by the community. This particular project aims to deliver a new and more user-friendly user interface for the macOS and iOS-app, as well as implement a new server discovery mechanism in these apps. The project's own website: https://eduvpn.org ","url":"https://nlnet.nl/project/eduVPN-apple-II/","title":"eduVPN on Apple part II"},{"title":"eduVPN app","url":"https://nlnet.nl/project/eduVPN-app/","description":" eduVPN app Add WireGuard protocol to federated VPN suite Let's Connect aims to provide a comprehensive and reliable, open source VPN solution for all platforms. For the codebase containing the Mac/iOS implementation of the EduVPN app a continuous integration setup is needed, which should be inspectable by the wider internet community and based on open and/or freely available tooling. Furthermore, the iOS and Mac apps of Let's Connect/EduVPN should rely on as few third party dependencies as possible - as such dependencies introduce risk, for example due to bugs or dependency poisoning. This project will set up the CI infrastructure and prune the dependencies to reduce the attack surface on the app. The project's own website: https://www.eduvpn.org/ "},{"title":"eduVPN Accessibility & UX Improvements","url":"https://nlnet.nl/project/eduVPN-a11y-UX/","description":" eduVPN Accessibility & UX Improvements Inclusive and user-friendly design for eduVPN The goal of this project is to improve the user experience (UX) and accessibility of eduVPN and Let's Connect. 
This includes analysing the full digital ecosystem of both, meaning mobile and desktop apps as well as websites. The goal is to achieve a consistent and WCAG 2.1 (AA)-compliant user experience across the various platforms. This includes expert review, small-scale in-person user testing and remote larger-scale testing to improve overall accessibility and usability. The expected outcome is a set of UI redesigns ready for implementation by the developers. The project's own website: https://www.eduvpn.org "},{"url":"https://nlnet.nl/project/eduP2P-testsuite/","title":"eduP2P Test Suite","description":" eduP2P Test Suite System, integration and performance tests for eduP2P eduP2P is a peer-to-peer (P2P) VPN solution based on WireGuard. This project will develop a comprehensive test suite for eduP2P, consisting of three types of tests: system tests (that verify whether it is possible to establish P2P connections using eduP2P when the addresses of peers have undergone Network Address Translation), integration tests (that verify the functionality of smaller components of eduP2P in isolation by testing the source code), and performance tests (that measure metrics such as the throughput, delay and packet loss of an eduP2P connection). The test suite makes the continued development of eduP2P easier by making it possible to discover and fix functionality and performance issues present in eduP2P. "},{"description":" Federated webinars for eduMEET Extended platform for distributed online webinars based on eduMEET The main aim of the project is a new functional scope of eduMEET: federated webinars for big online meetings. eduMEET is a free and open-source video conferencing (VC) application that allows organisations of any size to build and deploy cost-effective on-premises web-based VC services. It is an easy-to-use solution that originated within the European Research and Education community. 
It is focused on security and privacy, and designed to give full control and ownership of one's own data and video streams. A key aspect of the project is providing efficient engines for communication between distributed eduMEET instances, in order to provide support for large scale webinars. Additionally, eduMEET will add a dedicated layout for webinars (speaker’s view), specific user roles and privileges (Panelist and Passive Participant) as well as a management module. The end result will be a full-featured webinar platform that is an attractive low-cost alternative to expensive proprietary services. The project's own website: https://edumeet.org/ Run by Poznan Supercomputing and Networking Center / GÉANT / The Commons Conservancy This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","title":"Federated webinars for eduMEET","url":"https://nlnet.nl/project/eduMEET-webinars/"},{"description":" ePoc Micro learning platform for decentralized educational resources ePoc (Electronic Pocket Open Course) is an open-source project designed to provide a full, decentralized, and privacy-first microlearning solution. This is achieved through a mobile and web reader (with web support coming soon), a simple file format specification, and an intuitive visual editor on desktop. The tools prioritize user-friendliness, privacy, and decentralization, ensuring users avoid vendor lock-in (no central server or account is needed). For educators, organizations, and learners, ePoc enables the creation and consumption of bite-sized, interactive modules (such as quizzes, videos, or flashcards) and allows sharing via links, QR codes, or local files. 
The project's own website: https://epoc.inria.fr/en Run by Inria This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","title":"ePoc","url":"https://nlnet.nl/project/ePoc/"},{"description":" Federated eIDAS-compatible signing portal Qualified digital signatures using eID cards Existing electronic document signing platforms often lack support for advanced or qualified electronic signatures available under the EU's eIDAS standard, relying instead on simpler signatures without stronger legal validity. Our federated eIDAS-compatible signing portal addresses this gap by providing an open-source user-friendly platform for creating qualified electronic signatures using government-issued eID cards and other qualified signature creation devices. Unlike existing alternatives, our project integrates seamlessly with desktop and mobile signer applications, both open-source and commercial, enabling intuitive qualified document signing, validation, archiving, and API integration with third-party systems. Its federated manner ensures that independent portal instances can securely exchange documents, simplifying the adoption of qualified electronic signatures across Europe, reducing reliance on proprietary solutions, and improving digital administrative workflows. The project's own website: https://github.com/slovensko-digital/autogram-portal Run by Slovensko.Digital This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. 
","url":"https://nlnet.nl/project/eIDAS-portal/","title":"Federated eIDAS-compatible signing portal"},{"title":"dweb-search","url":"https://nlnet.nl/project/dweb-search/","description":" dweb-search Index DHT based distributed webs dweb-search is a Free and Open Source (FOSS) search engine for directories, documents, videos, music on the Interplanetary Filesystem (IPFS), supporting the creation of a decentralized web where privacy is possible, censorship is difficult, and the internet can remain open to all. This project implements a publicly accessible IPFS thumbnail service and creates a UI specifically to explore music or videos. The project's own website: https://github.com/ipfs-search/dweb-search-frontend This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. "},{"description":" Dowse Dowse is a smart digital network appliance for home based local area networks. Dowse is a smart digital network appliance for home based local area networks (LAN), but also small and medium business offices, that makes it possible to connect objects and people in a friendly, conscious and responsible manner. The project's own website: http://dowse.equipment/ Dowse aims to be a critical engineering project, abiding by the principles stated in the Critical Engineers Manifesto. Dowse provides a central point of soft control for all local traffic: from ARP traffic (layer 2) to TCP/IP (layers 3 and 4) as well as application space, by chaining a firewall setup to a transparent proxy setup. A core feature for Dowse is that of hiding all the complexity of such a setup. Its motto is: \"to perceive and affect all devices in the local sphere\". 
By replacing the outdated proprietary ISP ‘gateway’ with an open and user-visible device, Dowse creates a new platform that leverages its topologically unique access and influence in the domain of the local-area network. It introduces a visible, malleable, knowable communications hub to the language of the small network. Dowse seizes on the power of the technologically/topologically necessary gateway/hub role to create development opportunities which cannot exist on other platforms. Dowse becomes the locus of a specific new class of end-user-visible applications which are able to perceive and affect all devices in the local sphere, whether they are open or closed. ... Read the whitepaper The project is led by the team at Dyne.org. ","url":"https://nlnet.nl/project/dowse/","title":"Dowse"},{"url":"https://nlnet.nl/project/donations/","title":"Donations","description":" Donations smaller contributions to various activities Besides the larger support activities and donations, NLnet also helps out small projects. Since 2005, they have been grouped on this page. 2018-04: 15th anniversary of European Digital Rights (EDRi), an organisation that works to defend the pillars of a democratic society and campaigns for the rule of law and rights online, in particular for the right to privacy and to freedom of expression, whenever they are threatened by corporate or governmental activities. 2017-10: Travel support for various individuals to attend the NGI workshop at CWI in Amsterdam in October 2017. 2017-08: NGI Idea grant for a young, Berlin based internet researcher and open source developer to delve into the needs of the open internet, and write up ideas on an intervention logic to make the NGI vision come true. 2017-06: Support Kennisland and its Communia partners in a collaborative effort to analyse the 2500+ amendments proposed to upcoming EC regulation aimed at modernizing the EU copyright framework. 
Copyright is strongly linked to user rights and free expression, as well as access to information on the open internet. 2017-04: Support the 2017 edition of Holland Strikes back, an event to create awareness about current cybersecurity issues. 2017-02: Support SHA 2017, a non profit outdoor Hacker camp that took place in The Netherlands as part of a series of events happening every four years — more in particular GHP, HEU, HIP, HAL, WTH, HAR and OHM. 2016-10: Support the 2016 edition of Holland Strikes back, an event to create awareness about current cybersecurity issues. 2015-10: Support the 2015 edition of Holland Strikes back, an event to create awareness about current cybersecurity issues. 2015-09: Support the Green Web Foundation, with a travel grant to attend a CENTR event in Copenhagen. 2013-05: Travel support for the Serval Project leader to attend and present Serval at the International Summit for Community Wireless Networks (IS4CWN) in Berlin in October 2013. 2013-04: OHM2013: \"Observe. Hack. Make.\" is an international technology and security conference in a unique form. Five days of technology, ideological debates and hands-on tinkering will take place at Geestmerambacht, The Netherlands. OHM2013 continues the tradition of the four-yearly Dutch outdoor technology conferences. OHM2013 is the largest such hackercamp in Europe in 2013 and is projected to attract 3000-4000 visitors from all over the planet. OHM2013 is unique in the line of 4-yearly hacker conferences, as each edition has turned out to be. 2011-09: Sponsoring of the Dutch IPv6 Award 2011 for the best implementation of the IPv6 protocol in the systems of an organisation. In contrast to previous awards this donation will mainly be used for creating an extensive website with substantive practical instructions and manuals (both technical and business process) for implementation of IPv6 in organisations. 2011-09: Sponsoring of Svante Schubert's trip to the ODF Plugfest 2011 in Berlin. 
Svante gave a convincing technical presentation about the change tracking mechanism in ODF. 2011-02: Contribution to Big Brother Awards, The Netherlands. 2011-02: Travel expenses for Alexander Chemeris, the leader of Fairwaves, to the SDR'11-Europe conference in Brussels on June 22-24. 2011-02: Sponsoring of the exhibition stand of Crypto Stick at CeBIT, Germany. The German Privacy Foundation's open source product offers easy, highly secure encryption and authentication in network environments. 2010-10: Ben Martin, one of the leading KOffice developers from Australia, was invited to attend the ODF plugfest in Brussels to test work in AbiWord and KOffice on RDF and Track changes with other implementers. 2010-08: The Dutch IPv6 Task Force presents an Award to draw attention to the early adopters of IPv6. See the donation description. 2010-03: Foundation Randomdata. See the donation description. 2010-03: Foundation RaumZeitLabor. See the donation description. 2009-11-19: NLnet sponsors the travel expenses and conference costs for Thomas Zander to Orvieto, Italy. Thomas is one of the key KDE developers of ODF software. He will visit both the ODF plugfest and OOoCon 2009. 2009-10-01: The e-Passport project combined ePassport technology with user-centric identity management systems. This provoked discussion in popular news media, amongst other things about the privacy aspects of this solution. This resulted in a paper \"User-centric identity using ePassports\" which will be presented at SecureComm 2009 in Athens, Greece. NLnet covers the travel expenses. 2009-06-01: Travel costs of Bert Wijnen to three IETF meetings. 2009-06-01: Exhibit of Blender at the annual Siggraph convention in New Orleans USA. 2009-06-01: Presentation of MSRP library & SIP IM system at the Terena Network Conference 2009 in Malaga, Spain. 2009-02-01: Hacking at Random 2009, the 20th anniversary edition of the Dutch outdoor technology and security conference. 
2009-02-01: eLiberatica 2009, annual Open Source and Free Software conference for healthy and sustainable FLOSS business models. Bucharest, Romania. 2008-12: Congress \"Tilting Perspectives on Regulating Technologies\", University of Tilburg, The Netherlands. 2008-11: ELC Europe 2008 (Embedded Linux Conference), Ede, The Netherlands. 2008-11: KDEPIM Quality Sprint 2008-2009, Groningen, The Netherlands. 2008-09: Launch of GPLv3 in The Netherlands, Tilburg, The Netherlands. 2008-08: aKademy 2008, Sint-Katelijne-Waver, Belgium. 2008-07-10: European meeting of GNU project maintainers in Bristol, UK. 2008-06: Debian Bug Squashing Party, Utrecht, The Netherlands. 2008-05: NLUUG Spring 2008 conference, Ede, The Netherlands. 2007-11: NLUUG Autumn 2007 conference, Amsterdam, The Netherlands. 2007-11: Harvard's World-wide Thematic Conference \"Improving access to public services\", The Hague, The Netherlands. 2007-11: GO-FOSS training and support center for NGO and SME sector, Bangladesh. 2007-10: Sponsoring CAcert New Board meeting in Germany. 2006-03-13: NLnet contributed €4000 towards a campaign by Dutch Firefox supporters to publish a page-size advertisement for promoting Mozilla Firefox in the free tabloid \"Sp!ts\". See also the donation description. 2005-12-09: Travel report of Simon Josefsson's visit to IPR-wg on IETF 64. See also the donation description. 1998-06: In co-operation with the NLUUG, NLnet sponsored Guido van Rooij's participation in the FreeNIX track of the USENIX Technical Conference in June 1998 in New Orleans, USA. See also the donation description. 
"},{"title":"Donations","url":"https://nlnet.nl/project/donations/how.html","description":" Donations smaller contributions to various activities "},{"url":"https://nlnet.nl/project/donations/description.html","title":"Donations","description":" Donations smaller contributions to various activities IPv6 Awards [August 2010] In 2009 the Dutch IPv6 Task Force presented the IPv6 Awards for the first time, to draw attention to the front-runners in the field of IPv6 implementations. The front-runners in this field serve as examples and as drivers of adoption. Six categories have been defined in which prizes are awarded: Government, Business, Internet Service Providers, Education & research institutions, Publication & educational curriculum, and Private individuals. NLnet contributes to the Award in the Business category. In 2010 the IPv6 Awards ceremony will be organised again, because examples of IPv6 implementations are still needed to create awareness and to reward front-runners as drivers of adoption. The IPv6 Awards 2010 will be organised by the Task Force/ECP-EPN and will take place on Thursday 25 November, during the ECP-EPN annual congress. Foundation Randomdata [March 2010] Randomdata is a hackerspace where people with common interests, usually in technology, meet, socialize and collaborate. The Randomdata hackerspace is an open community lab, workbench, machine shop, workshop and/or studio where people of diverse backgrounds come together to share resources and knowledge to build/make things. Foundation RaumZeitLabor [March 2010] Foundation RaumZeitLabor is a Hackerspace in the Rhein-Neckar area. It is a meeting place for hackers in the area. It is similar to existing Hackerspaces around the world, but there is no such space in a 50km radius around Heidelberg/Mannheim. Most of our group will focus on hardware: making circuits, CNC mills, rapid prototyping. 
Advertisement for Firefox [Published 13 March 2006] NLnet contributed €4000 towards a campaign by Dutch Firefox supporters to publish a page-size advertisement for promoting Mozilla Firefox in a Dutch newspaper. The advertisement appeared on Monday March 13, 2006 in the tabloid \"Sp!ts\", a free newspaper distributed in trains and other public places. With a readership of approximately 1.6 million people, it is one of the largest national papers. The whole edition of Sp!ts can also be seen online as the digital edition of 13 March (pdf). The Firefox advertisement (pdf) alone. Simon Josefsson to IPR-wg [Initiated 11 November 2005] NLnet supported the visit of Simon Josefsson (Stockholm, Sweden) to the IPR-wg during IETF 64 in Vancouver (Canada), with a donation of €500 to cover travel expenses. In the working group, Simon expressed his concerns about various problems with copying permissions for RFCs and other IETF contributions. Read the travel report in HTML or PDF. Participation in FreeNIX Guido van Rooij is the security officer in the FreeBSD project's core team, in addition to a number of other positions. The NLnet Foundation sponsored his activities to help stimulate the formation of an active group of people around FreeNIX/ Open Source within the NLUUG community. Such a group would be a good source for feature requests with respect to Open Source software. NLnet Foundation's interests are primarily network related topics. A small group of people has been formed, and an e-mail list was maintained for about one and a half years but has since been closed down due to lack of traffic. However, a useful side-effect of this activity has been the formation of a new special interest group (SIG) of the NLUUG under the name NLFUG, the Netherlands FreeBSD Users Group. In January 2002, the NLFUG was renamed to D-Bug, the Dutch BSD User Group. The D-BUG (website) aims at bundling the interests of the Dutch *BSD (primarily FreeBSD) community. 
"},{"title":"DNSSEC-mail","url":"https://nlnet.nl/project/dnssec-mail/","description":" DNSSEC-mail DNSSEC for OpenDKIM and OpenDMARC Until recent developments of domain name authentication, Internet mail has not had access to scalable mechanisms for validating an identity associated with a message. Any identifier could be used fraudulently. The Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are relatively new technologies that create a foundational change by validating domain identifiers. However they are only the first step. DMARC takes additional steps in allowing domain owners to publish statements about their email use of their identifiers and DMARC facilitates much easier operational reporting from mail recipients to domain owners. Thus this project will improve use of DNSSEC in the email security space. Two major upcoming applications will drive this: DMARC which relies on the DNS for advertising policy information. Domain-based reputation system that relies on DKIM, which in turn relies on secure DNS use to advertise keys and policies. OpenDKIM includes DNSSEC support via libunbound of NLnet Labs. The project's own website: http://www.trusteddomain.org/ Run by The Trusted Domain Project, USA. "},{"url":"https://nlnet.nl/project/dnsccm/","title":"DNSCCM","description":" DNSCCM DNS NSCP implementation for BIND and NSD There is a clear need for a common DNS(SEC) name server management and control system. DNS is such a vital part of any organization's network infrastructure that it is common to run multiple different DNS implementations. However, each implementation has its own distinctive configuration and control utilities. A common interface should greatly simplify management of diverse infrastructures. In 2007, the IETF working group determined there was a need for standardized management of nameservers for DNS and in 2011 the requirements draft addressing this got accepted as RFC6168. 
An IEFT draft is under development, which proposes a Nameserver Control Protocol (NSCP) to meet these requirements. The primary focus of this prokect is to develop an implementation of NSCP for current releases of BIND and NSD, the most widely used open source authoritative nameservers. The project's own website: http://dnsccm.org Run by Project of Sinodun Internet Technologies, UK "},{"description":" django-allauth Versatile authentication for Django The goal of django-allauth is to offer a free, secure, well integrated, reusable authentication solution for the Django framework, covering all functionality related to local and social user accounts, multi-factor authentication, in various configurations, with flows that just work. By simpliyfing the complexities associated with user authentication, django-allauth empowers Django developers of all kinds to focus on building their web applications without compromising on the authentication features provided to their end users. The project's own website: https://allauth.org This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","url":"https://nlnet.nl/project/django-allauth/","title":"django-allauth"},{"description":" Distributed Mechanism Learning Privacy preserving ways of distributed data usage Mechanism design is a field concerned with finding rules for economic processes which incentivize self-interested agents to behave in a way, such that a common goal is reached. This project aims to build robust infrastructure for mechanism design via machine learning, to make theoretical results more applicable to practical networked deployments. 
We plan to do this by finding solutions for the following two problems and making them accessible to developers, while keeping the required domain knowledge to a minimum: On the one hand, a trusted third party is often assumed to exist, which is supposed to learn and execute the mechanism. In practice, finding neutral trusted parties who do not stand to gain anything from cheating can be hard. To solve this problem, we distribute the computation of the trusted party over multiple computers, ideally controlled by different entities, using multiparty computation. This way, we get a more robust trust base with better alignment of incentives. On the other hand, current models often assume prior knowledge about preference distributions of agents to learn optimal mechanisms. In practice, this knowledge is not always available. We exchange finding optimal solutions using prior information with finding approximate solutions using no prior information, by way of differentially private learning. This results in more general applicability, especially in settings with sparse information. The project's own website: https://github.com/degregat/dist-mech-learn This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. ","url":"https://nlnet.nl/project/dist-mech-learn/","title":"Distributed Mechanism Learning"},{"url":"https://nlnet.nl/project/dime/","title":"DIME","description":" DIME A new encrypted, end-to-end email protocol The DIME project has three distinct goals: to make end-to-end email encryption transparent and automatic, to minimize the leakage of metadata, and to enshrine the standards which make automation resistant to manipulation by advanced persistent threats. 
This has led to the development of a set of protocols and data formats which combine the best of current technologies into an integrated system that gives adequate protection, yet remains flexible. It allows for people to improve their security without sacrificing functionality. The project's own website: https://darkmail.info/spec Why does this actually matter to end users? In today’s networked and asynchronous world, email continues to be at the heart of our online conversations, and despite its detractors, continues to grow in significance. Last year, over 2.6 billion people used email, exchanging nearly 205 billion messages per day. Yet the percentage of messages protected by end-to-end encryption remains so small that it makes those who encrypt automatic \"targets\" and large-scale commercial adoption economically challenging. Email as it is currently being used is insecure, unreliable, and easily readable by any attacker in a post-Snowden world. DIME seeks to establish an open standard capable of simultaneously providing security by default and preserving the benefits email users have come to expect. DIME follows in the footsteps of innovative email protocols, but takes advantage of the lessons learned during the 20-year history of PGP/GPG. DIME is federated, remains a store and forward medium, and allows strangers to contact each other securely. Anyone with a domain name can deploy a DIME compatible server and begin enjoying the benefits of DIME. Run by Lavabit This project was funded through the Internet Hardening Fund, a fund established by NLnet with financial support from the Netherlands Ministry of Economic Affairs and Climate Policy. "},{"description":" The third mainport Digital Infrastructure in the Netherlands - The Third Mainport Download the 2013 report or view in the browser. Download the 2014 report or view in the browser. 
Read the press release The project's own website: https://www.dinl.nl Digitale Infrastructuur Nederland","url":"https://nlnet.nl/project/digitalmainport/","title":"The third mainport"},{"title":"TheThirdMainport.pdf","url":"https://nlnet.nl/project/digitalmainport/TheThirdMainport.pdf","description":""},{"description":"","url":"https://nlnet.nl/project/digitalmainport/DriverForTheOnlineEcosystem.pdf","title":"DriverForTheOnlineEcosystem.pdf"},{"description":" DIFR-TSPM a demonstrator of a different way to inform consumers about the RFID tags Increasingly, products for sale in shops are being tagged by RFID tags. These tags contain a unique product or item number, which can be read out wirelessly over a short distance by an RFID reader. Their function in shops and supermarkets is similar to the ubiquitous paper barcode, except that RFID tags can also be read out if the tag is not in plain sight of the reader. This means these tags can also be read out surreptitiously when walking around the store, or afterwards when the items are in your shopping bag and you are walking on the street. This also holds true for payment cards and travel passes (e.g. the OV chipcard in the Netherlands) that people carry with them. This has raised concerns about the impact of RFID technology on privacy in our society. The goal of the project is to develop a demonstrator of a different way to inform consumers about the RFID tags on the items they buy or the tags that surround them in their environment. The main idea is to use a mobile phone to display information about RFID tags in the vicinity. In particular, the setup of the demonstrator will operate as follows. A consumer sets his privacy preferences in a profile stored on his mobile phone. If he holds the phone close to a product in a shop containing an RFID tag, the phone will read the tag number from the tag. 
It will then query (over the Internet, either through GPRS, UMTS or WiFi) the backoffice to retrieve the privacy policy corresponding to the tag number. Then it will match the tag policy with the consumer policy, and present the result of the match to the consumer on the display of the mobile phone in an intuitive and appealing manner. This demonstrator will be used to show how such a concept: empowers users in deciding for themselves how their privacy is affected and how to respond to that information, and allows producers to efficiently communicate their privacy policy to consumers. The project's own website: http://www.difr.nl/?page_id=10 ","title":"DIFR-TSPM","url":"https://nlnet.nl/project/difr-tspm/"},{"description":" dhcpcanon Network configuration with better privacy This project is archived. Due to circumstances, the project as planned did not take place. This page is left as a placeholder, for transparency reasons and to perhaps inspire others to take up this work. When your computer enters a new network as a guest, it will need to receive information to be able to send and receive packets. The internet standard responsible for this is called Dynamic Host Configuration Protocol (DHCP). Traditional DHCP and DHCPv6 can potentially leak information which can be abused to uniquely identify a certain device - and thus track a user. dhcpcanon is a DHCP client implementation that implements the technical standard RFC7844, DHCP Anonymity Profiles. The new standard provides guidelines for minimizing information disclosure via DHCP. This project will produce DHCP clients implementing the Anonymity Profiles for restricted devices such as microcontrollers, and easy integration with network management tools. The project's own website: https://dhcpcanon.readthedocs.io Why does this actually matter to end users? Privacy is a matter of control. 
When you want to protect your privacy, it does not mean you never tell anyone anything, it means you want to be in control of who you share your personal information with. On the internet a lot of control is taken away from you. The technology that lets you connect to networks all around the world and find information anywhere it is stored is built around identification, both of its users and the virtual places they visit. Unfortunately, many crucial networking standards and protocols were not designed with user privacy in mind, let alone giving them any sense of control over who can see what they do online. This vacuum has been filled with all sorts of tracking and tracing schemes that can make detailed profiles of people, which can then be (mis)used for commercial or even criminal gain. One of the protocols that is both a crucial part of how the internet works and also a potential privacy hazard is DHCP, or Dynamic Host Configuration Protocol. This protocol, like the name states, dynamically distributes important identifiers like internet protocol addresses (IP addresses) when users connect to a particular network. These identifiers can be leaked and then used to identify and track the device of a specific user. dhcpcanon gives back users some control over their online privacy by minimizing any personal information that can be disclosed through DHCP. The project helps to implement an existing and proven technical standard on DHCP privacy protection into current networks. This way the internet community can take practical steps to make our online life more private and move forward to a more privacy-friendly technology. This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. 
","title":"dhcpcanon","url":"https://nlnet.nl/project/dhcpcanon/"},{"description":" Democratic SendComm Easy to use connected open hardware device Democratic SendComm is an open hardware LoRaWAN capable device, aimed at the educational sector. The sub-gigahertz LoRa network and the IP networked LoRaWAN can be used to transmit data at relatively large distances with very simple commodity infrastructure, and Democratic SendComm is therefore for instance suitable for measurement data from actuators and sensors in low-bandwidth scenarios. The whole design is available under the CERN HW license. The project's own website: https://git.europalab.com/NLNetfound/dsendcomm Why does this actually matter to end users? Democratic Sendcomm aims to build an easy to use (like Micro:Bit or Raspberry Pi) connected telemetry appliance with just enough configurability to teach democratic communication while keeping the learning curve flat. It would deliver open hardware licenced (CERN HW license) design of cheap yet high performance LoRaWAN devices. Requirements include or resemble functions of Tor's Atlas project while design resembles that of typical Physical Web beacons. The communication technology is sub-gigahertz LoRa and IP networked LoRaWAN. At its developer core, the project aims to provide research access and resources to the academic and open source communities. Its wider reach extends to young students in schools as well as hobby makers worldwide (such as hackerspaces). The project should include all documents needed for device production (schematic, layout, Gerber files, instructions). Run by Europalab Networks ","title":"Democratic SendComm","url":"https://nlnet.nl/project/democraticsendcomm/"},{"description":" Deep Firmware Active discovery of known and unknown security vulnerabilities in firmware Understanding firmware is very difficult without the proper tools. 
The project builds an advanced prototype for scanning of security aspects of firmware based on the open source Binary Analysis Tool. The project's own website: http://binaryanalysis.org Electronic devices typically derive their functionality from embedded software, often referred to as firmware. Firmware suffers from all the normal weaknesses of software, but has the additional handicap that the interface to the device is often very limited. It is therefore often hard to adequately grasp the risk of devices being compromised. Deep Firmware Inspection is an R&D project that adds security capabilities to the open source firmware scanning tool Binary Analysis Tool. The result is a tool with a number of unique features, such as scanning of password databases, matching of security information from vulnerability disclosure with a corpus of firmware, version identification of software components and much more. BAT uses symbol and string table comparisons to read binary code in firmware formats and compare it with source code without undertaking any reverse engineering. This approach has proven extremely effective in discovering real-world issues. Advanced users can also build a customized knowledgebase containing information about upstream suppliers, chip-sets, offsets, file systems and application strings to improve the fidelity of scans. Download BAT v.27 (final version): Github.com | NLnet.nl Or check out the fine manual If you are interested in supporting future work similar to Deep Firmware, contact Michiel Leenaars (director of strategy at NLnet). The project is led by Armijn Hemel. Deep Firmware was co-funded by NCTV through the programme \"veilig door innovatie\" and NLnet. 
","url":"https://nlnet.nl/project/deepfirmware/","title":"Deep Firmware"},{"url":"https://nlnet.nl/project/deepfirmware/bat-manual.pdf","title":"bat-manual.pdf","description":""},{"description":" Decibel service architecture for multi-media based communication Decibel (formerly known as \"OpenCDI\") provides a generic infrastructure, which integrates existing communication protocols --like any plugin based solution would do-- without the need for an application which presents everything in one user interface. It creates components and services, each optimized for a special task (or role). When a component realizes user interaction, the service will provide the technology. A service-based architecture will interconnect components to fulfill a given task. Decibel will integrate the efforts of Tapioca, KCall, and OpenTAPI. The MOTUIM project has comparable motives, but has not yet taken off. The project's own website: http://decibel.kde.org 2007-03-17: Decibel held a hackathon (report in PDF) in Darmstadt, Germany. 2007-03-08: Decibel considered one of the \"Pillars of KDE4\". Article at dot.kde.org. 2006-07-06: Decibel short concept, depicted in incoming and outgoing use-cases (all PDF documents) ","title":"Decibel","url":"https://nlnet.nl/project/decibel/"},{"title":"Decibel","url":"https://nlnet.nl/project/decibel/how.html","description":" Decibel service architecture for multi-media based communication Decibel will be implemented at basysKom. Basyskom is a German company with strong roots in the Open Source community. The founder of the company (Eva Brucherseifer) is the head of the KDE association. Stichting NLnet supports the development of Decibel to a maximum of €60,000. 2007-09-14: Final status report: targets reached. 2007-07-20: Third status report. 2006-10-24: Second status report. 2006-05-31: Status report: Decibel gets up steam. 2006-05-01: OpenCDI renamed to Decibel 2006-03-01: The OpenCDI project plan. 
.pdf (375 kB) 2006-02-26: Kick-off presentation at FOSDEM. .pdf (75 kB) "},{"description":" Decibel service architecture for multi-media based communication The aim of this initial project --which started off under the name OpenCDI-- is to create a platform independent telephony framework for the implementation of Computer Telephony Integration (CTI) and telephony applications. It provides a simple method to access conventional PSTN hardware as well as IP telephony setups. The applications use Decibel as a desktop service interface. Thus it represents the interface to local communication middleware. The main infrastructure of Decibel will be implemented with libraries that are part of the upcoming LSB 3 standard and that are available on other platforms like Windows and Linux Embedded as well. This includes libraries such as libstdc++, glib, and Qt. Decibel sits on top of the Tapioca framework, which will provide the basic communication interfaces and protocol implementations. Tapioca is the implementation of the Telepathy architecture, which defines the DBUS protocol specification for integrating various components. This assures interoperability between platforms. We intend to create a framework that sits on top of the Tapioca API; to share communities and to work together. The use of the existing IPC specification enables the use of existing Tapioca backends. Where necessary, we will extend the existing framework and specifications and discuss this with the community. The communication protocol used by the applications will be DBUS, using the protocol specification provided by the Tapioca project. The architecture of the framework will consist of a plugin structure which can be extended easily. These plugins (called backends) provide resource services which are handled by the service manager. One of them will provide an adapter which accesses PBX systems (CTI 3rd party control). 
Others contain a softphone implementation (CTI 1st party control) or a remote control of a hardphone (CTI 1st party control). Additional backends will provide services for audio subsystems, audio codecs, video codecs, media protocols, etc. The backend interfaces will be discussed with the Tapioca project, so that we can make sure Tapioca backends work with Decibel and vice versa. Decibel will be independent of any desktop environment, but the first proof of concept implementation will be integrated into the KDE desktop environment to show its power and flexibility. ","url":"https://nlnet.nl/project/decibel/description.html","title":"Decibel"},{"description":" CuteHIP lightweight implementation of Host Identity Protocol (HIP) in Java The project of the Helsinki Institute for Information Technology (HIIT) will create a lightweight implementation of Host Identity Protocol (HIP) in Java. Existing HIP implementations have been evolving since 2004 and have become complex and hard to maintain and use. There is a need for a new, simple implementation of RFC5201-5202 that is cross-platform (not bound to any Operating System) and not limited to run on any vendor hardware. The project will make the CuteHIP implementation using Java. It will be based on an open SourceForge repository for public access and contributions. Although there are more open-source HIP implementations (HIPL, OpenHIP, Hip4inter.net), those are limited to certain platforms like Linux; no implementation is written in Java yet. The CuteHIP implementation shall be interoperable with existing implementations but shall be new and hence free of accumulated bugs. 
","title":"CuteHIP","url":"https://nlnet.nl/project/cutehip/"},{"description":"","title":"","url":"https://nlnet.nl/project/current/"},{"title":"Current projects","url":"https://nlnet.nl/project/current.html","description":" Current projects On this page you find an overview of recent projects which have either been recently completed or are — at this moment — working with NLnet funding. For a complete overview please check the overview of all projects, or use the thematic index to look up projects based on thematic funds and specific themes. Click on the name of the project to find out more about it. Filter: project description 0WM Measure and visualize Wi-Fi coverage Hardware 2D graphics engine Additional functionality and better performance for FPGA-based 2D video controller 5C Continuous Code Compliance Control Center Firmwire full-system 5G baseband emulation Easier testing of 5G baseband modems with FirmWire Adno Annotate and share curated cultural and scientific content AI Horde Collaborative infrastructure for running generative AI models APKpatcher/PyAxml Support tool to manipulate APK and AXML file Android translation layer (ATL) Run Android apps on Linux AVantGaRDe Reliable Foundations of Local-first Graph Databases Abelujo Abelujo - free software for bookstores iOS support for AccessKit Cross-platform abstraction over accessibility APIs ActivityPods 3.0 Encrypted Solid-compatible Pods Progressive Web App - ActivityPub API General purpose web client for ActivityPub Ada Bootstrap Compiler Full source bootstrap for Ada Aerogramme 1.0 Standards-compliant, reliable and secure groupware NixOS Agent-Based Deployment Stack Fleet management for partially off-line NixOS deployments Agorakit Groupware which is a friendly online home to communities Alaveteli GDPR and Search Better search and redacting capabilities for Alaveteli FOI request portal AlekSIS All-libre extensible kit for school information systems AlekSIS: Integration and Communication SCIM, timetables 
and other features for AlekSIS Alps Webmail Minimalist open source webmail in Go Amaranth HDL Design FPGAs and ASICs in Python Yama Analytics Privacy-friendly analytics microservice using server logs Androguard Static and dynamic analysis of Android apps Mifos X (Apache Fineract) Type safety for/refactoring of Apache Fineract banking software Perspectives: Making Models Generate software from open models for human interaction patterns Arcan-A12 Directory Server side scripting API for Arcan's directory server Arcan-A12 Endpoints Unifying distributed remote desktops Arcan-A12 Tools A12 clients for different platforms and devices such as drawing tablets Archiyou Parametric design and building Arkin Optical Tweezers Microscope Armbian Versatile OS for ARM-based single board computers AtomicServer Local-First AtomicServer Local-First Headless CMS Authlib Reliable OAuth and OIDC handling in Python Autogram 2.0 Create and validate eIDAS-compliant digital signatures Automated clearing of source code files More efficient retrieval of security and license compliance contextual information Automerge Add Merkle Search Tree support to Automerge BB3-CM5 Modular OSHW test & measurement equipment Interpretation feature for Big Blue Button Adding translator streams for live interpretation to BBB conference software BIDS: Binary Identification of Dependencies with Search Identify known open source elements present in binaries Bab Efficient proof of validity of streamed data Back2Source next Better matching of binaries with source code BeaconDB Libre wireless positioning database Betula BigBlueButton server-side plugins Server-side extensions for BBB videoconferencing tool Blink for Windows Modern cross-platform SIP client Blitz - a modular web renderer Rust-based browser engine BlockNote A modern, open source Block-based editor Borg - European Graphics Processing Unit Foundational workflow for an open-source GPU Bottles Bridges the gap between Linux and Windows software BrailleRAP 
Low-cost open hardware for creating Braille content BrailleRAP Open source Braille and graphics embosser Bromal Lightweight messaging server for Matrix protocol Bubble-up Declarative schema migrations for sqlite databases Bugbane App for self-conducting device forensics on Android devices Tracing and rebuilding packages Improved metadata/provenance for build artifacts C/C++ Package Registry Common registry for software written in C/C++ CAKE-MAINT Improve network queue management algorithms on Linux CARGO Automatic Generation of Analog + Mixed Integrated Circuits with Coriolis TramaBOL Optimising COBOL compiler and memory-safe runtime CRAVEX integration Integrated vulnerability exploitability management CRAVEX 2 Code Reachability Do vulnerable dependencies actually impact security or not? Converged Security Suite +AMD Add AMD support to Converged Security Suite Pushing forward for CSS Print High end print from HTML and CSS CalDAV Notes Standards-based approach to notetaking leveraging VJOURNAL Canarytail Warrant canary standardization and automation Capability-based security for Redox Capsicum-style capabilities in Redox Cartes Modern web map application with transit support Circuit Painter Creative tool for programmable PCB creation CityBikes Open access API for bike sharing information Implement inline Verilog/VHDL through Yosys Functional simulation in Haskell from existing Verilog/VHDL code ClassQuiz Libre quizzing tool Clearance Curating changes to OpenStreetMap data of interest Cloud hosting service portability Service portability for cloud hosting platforms Code Genetics Scanning tool for identifying code origins Miru Collaborative Video Editor Local-first video and AR editing Coloquinte High performance placement of cells inside digital electronic circuitry COCOLIGHT Lightweight version of Communecter Upstreaming Sailfish OS ConnMan improvements Consolidation of improvements to ConnMan connection manager Connected Places All the news happening in the Fediverse 
OpenPGP refresh for Conversations Modernise OpenPGP implementation for Android XMPP client Support for Microblogging and Social Feeds to Converse Add social networking functionality to Converse Converse XMPP Chat on Mobile Embeddable XMPP client for mobile usage Latest OMEMO support to Converse.js with libomemo.js E2EE for web-based XMPP client Convo XMPP client Federated E2EE messaging for KaiOS feature phones Coreblocks RISC-V processor core Out-of-order RISC-V processor in Amaranth Open-source firmware for modern AMD boards part 2 Extending coreboot support for AMD Phoenix SoC to AM5 socket Fully Open Chip Design Silicon-proven toolchain for VLSI design Adding redaction to Cpdf Robust, standards-compliant PDF redaction CryptPad Notes E2EE collaborative rich text editor CryptPad Quality Test Suite Continuous testing of critical CryptPad functionality CryptPad WCAG Accessibility improvements to CryptPad suite CryptoLyzer IKE Add IKE protocol to CryptoLyzer protocol analyser CryptPad Auth Improvements Better user management, 2FA and SSO for CryptPad CryptPad Scalable Server Improve the architecture of CryptPad CurveForge Add optimized post-quantum arithmetic to cryptographic toolkit DANCE4All Implement DANCE specification in GnuTLS and MbedTLS DAVx⁵ WebDAV Push Share Contacts, Calendars, Tasks, Notes & Journals Securing Internet protocols with decentralized identity DIDs and Verified Credentials as SASL method DMT Implementation of MOSFET Parameter Extraction Flow for Sky130 into DMT Darkstar Open source vulnerability management solution DataLab Experimental Web interface (DEW) Scientific platform for processing and analysing signals and images DatamiPods Visualisations for (federated) Solid data Decidim revamp Tools for participatory democracy Diesel CLI Safe and performant database queries in Rust Dino User-friendly and secure instant messaging based on XMPP Distributed GNU Shepherd A Secure Distributed System Layer for Networked Cluster Computing DjNRO upgrade 
and wifi mapping Find nearby wifi access points in federated wifi communities DocSpec to Rust/WASM Document conversion SDK for rich text formats Dokieli Collaborative Secure decentralised and collaborative content authoring Domino: Security Proofs that Scale Analysis and verification of real-world cryptographic protocols Draupnir Moderation bot for Matrix servers Drupal ActivityPub Social Recipe Add ActivityPub capabilities to existing Drupal sites Drupal ActivityPub integration More comprehensive W3C ActivityPub support in Drupal Drupal ActivityPub module usability enhancements Improved UX and Client-to-Server capabilities for Drupal ActivityPub Embeddable Common Lisp Common Lisp for browser environments EDeA Repeatable, automated measurement data capture EEZ flow for EEZ Studio Open Hardware Test & Measurement equipment ELF tools in Rust Porting patchelf and install_name_tool to a flexible Rust crate ELF Linking Analytic tools for UNIX' Executable and Linkable Format EMerge Open Source tool in Python for RF Finite Element simulation EPE (Ecran-Papier-Editer | Screen-Paper-Editing) Creative libre software tools for print media E-Paper Open Standards (EPOS) Standards, reference implementation and test suite for e-paper Asynchronous ESP32 802.11 MAC IEEE 802.11 MAC Stack for ESP32 family chips in Rust EVQI Unified data exchange for electrical Vehicle charging Easy Transit 2 Public transit navigation app with some offline capabilities EcoNet Linux Add Linux kernel support for EcoNet MIPS processors Elm Matrix SDK Better moderation for Matrix rooms and servers Empowering Mobilizon Find, create, organise and curate events Encaya TLS interop with alternative/decentralised CA mechanisms Erik Synchronization Protocol for RPKI Protect BGP with Resource Public Key Infrastructure signatures EventFahrplan Conference schedule app with strong offline capabilities EventFahrplan User-friendly mobile event app Every Door Efficient and customizable mobile OpenStreetMap editor Exter 
Proxy-based external browser extensions F-Droid App Overhaul Modernise the F-Droid mobile app store LambdaNative F-Droid integration Portable, Productive and Performant App Development with Scheme F-Droid Architecture for Reproducible Apps Reusable stack for reproducible builds of FOSS apps F3D Animations, Rendering and Integrations Cross-platform, fast and minimalist 3D viewer FMD Privacy-preserving mobile device location FOSS Warn Aggregate source of emergency alerts FPGA-ISP-UVC-USB2 Open hardware FPGA-based USB webcam FastScan Performance improvements for ScanCode Toolkit/ScanCode.io FastWave Modern waveform VCD parser FederatedCode Next UI and curation queue for VulnerableCode data enrichment FediMod FIRES Tooling for Fediverse moderation EU Voice-Video case study Integrating Fediverse into Public Administration Interoperability of Events in the Fediverse A common approach to using the ActivityPub Event object type Fediverser Easier migration towards Fediverse alternatives Source-based Nextcloud + Onlyoffice Declarative packaging for Nextcloud and Onlyoffice on NixOS Expanding the Felix86 emulator x86 and x86-64 userspace emulator for RISC-V Linux Fidus Writer modularisation Semantic word processor for collaborative writing and structured documents FileSender Multistage Improve FileSender scalability FileSender UX ZIP Encrypted multi-file streaming FileSender Security improvements for FileSender FileSender secure passwords Enhancing Firefox for Linux on Mobile Mobile native feature-complete Firefox Filling the Gaps in Testing Open-Source Firmware Improved infrastructure for Open-Source Firmware quality assurance Flarum Add federation and much more to the extensible forum software Flarum. 
Flashkeeper Write Protection on SOIC-8 flash chips without soldering Flatline Server Independent server for Signal protocol Flock XR: Keyboard + Mobile/Touchscreen UX Creative coding platform for 3D virtual worlds and spatial apps flohmarkt Self-hostable web app for creating, sharing and answering classified ads flop! Automatic generation of optimised time rosters Follow-me slideshow for Collabora Online Accessible slideshows for videoconferencing tools ForgeFed Federating software forges with ActivityPub ForgeFed Frontend Improved UI for federated version control repositories ForgeFlux Software Forge independent federation with ActivityPub and F3 Forgejo An open source software forge with a focus on federation Forgejo Self-hosted lightweight software forge Native IFC for FreeCAD ISO-compliant Building Information Modeling in FreeCAD Frictionless libraries Make Frictionless libs compatible with latest version KiCad Frontpanel Generator Create matching front panels for KiCad PCBs automatically Frugal EDA Energy-efficient circuits and systems through quantum superconductivity Funfedi.dev Testing correct implementation of W3C ActivityPub Funkwhale Federation Extend ActivityPub capabilities for Funkwhale GLOW-SG13G2 (Gate Library for Open Flow - SG13G2) Digital standard cell library for IHP SG13G2 process GNS Migration and Zone Management Registrar tools for adoption of GNU Name System New data types for GNU Octave Advanced data analysis workflows in GNU Octave GNU Mes interpreter speedup effort Increase performance of full source bootstrap GNUnet on Android Port GNUnet protocol stack to Android mobile OS GNUnet CONG Modernise the network stack of GNUnet GPGPU Playground A virtual GPU to learn GPU programming Galene High quality libre videoconferencing server Galene Libre high quality videoconferencing solution Gancio Shared agenda for local communities that supports ActivityPub Maturing the Gancio back-end Better scale Fediverse-capable shared agenda for local 
communities Garage Lightweight geo-distributed data store compatible with Amazon S3 Garage Administration UI Easier administration for selfhosted storage buckets Garage reliability and performance Open-source S3 compatible distributed object storage service USB 3 PHY implementation on GateMate FPGAs USB 3 PHY implementation with Cologne Chip GateMate FPGA Transceiver Collection of Verified multi-platform Gatewares Comprehensive repository of open source gateware designs Geoloquent Location service for desktop and mobile Linux Gesture Typing for AOSP-derived Keyboards More efficient text input for mobile touch screen devices SIP improvements for GNOME Calls Add DTLS-SRTP to GNOME Calls Verilog-AMS in Gnucap Improve performance and Verilog-AMS coverage in Gnucap GoActivityPub Help people develop Fediverse software in Go GoToSocial Lightweight ActivityPub social network server GoToSocial performance & connectivity Advanced moderation and federation features for GoToSocial GoToSocial Improvements to ActivityPub server written in Go Persistent Storage for Goblins Integrate ERIS content-addressable encrypted storage to Goblins Goupile Secure forms including Clinical Report Forms (eCRF) Govdirectory Global directory of public bodies on the fediverse Graphite 2D graphics editor Keyframe animation and vector editing intuitive UI enhancements (H)IDE for Guile Hoot Scheme on WASM Reproducible bootstrap path for 'Node.js' based on GNU Guix Build Node.js from source with Guix Guix-Daemon Transition to a Guile implementation of the guix-daemon Hardware Bill-of-Materials (HBOM) generator Create CycloneDX HBoM compliant inventory of hardware Hyper Hyper Space Sync Engine and adapters Secure P2P data synchronisation Blind crypto and OAuth2 for ARPA2 Advancing HTTP-SASL and keyless identity Heavy Compiler Collection Unified DSP and Interface Design for Audio Plugins Haphaestus Lightweight JavaScript-free browser engine written in Haskell OCap layer for Haskell actor library 
Implement OCapN and Syndicate in Haskell's troupe SCE, DelTiC and Antler High-Fidelity Congestion Control Hockeypuck Next generation OpenPGP keyserver Nix Integration for Hop3 Nixify the Hop3 self-hosted cloud platform Hubzilla performance improvements Make Hubzilla more efficient and expand Superblock Husk Pass-through solution for automatic OpenPGP encryption Hyper 8 Video System Self-hostable, maintenance-free video publishing tool Universal Sensor Libraries Shared libraries for different types of sensors Space grade Instrumentation Amplifier ASIC Validate open toolchains with Open Hardware with high quality ASIC Telecommunication in HF over Internet Protocol (IPoHF) High-throughput software-defined wireless telecommunications IPv6-monostack - upstream Linux SIIT/NAT64 Commoditizing NAT64 and IP/ICMP translation to accelerate IPv6 deployment ISCC-CORE typescript implementation library Decentralised content identifiers through ISO 24138. Incroxigraph Extend Oxigraph with continuous live evaluation of SPARQL queries Icestudio Visual developer tool for development of FPGAs Icosa Gallery Community-led 3D creation and sharing tools Optimized Image Codecs More efficient image handling for embedded systems Federating pedagogical immersive experiences Framework for playful learning content in enhanced reality Collabora Online Multi-user Infinite Canvas Infinite Canvas / collaborative presentation mode for Collabora Online Inko Programming language with deterministic automatic memory management Inventaire Self-hosted Self-hosted book inventories that share the wikidata-powered bibliographic database Micro25519 Lightweight Elliptic Curve Cryptography for microcontrollers Irdest - OpenWRT Image and Bluetooth LE Add Bluetooth LE connections to Irdest Irdest IP Traffic Proxy Route existing IP-network traffic through an Irdest network Irdest spec, db, route scoring Route scoring and other routing improvements for Irdest meshnets IronCalc Embeddable spreadsheet engine written 
in Rust IronCalc for Nextcloud Embed IronCalc spreadsheet engine into Nextcloud IronCalc Fast spreadsheet engine in Rust Ironclad Hard real-time capable kernel written in SPARK/Ada Ironclad - Networking developments Real-time capable, UNIX-like operating system kernel in SPARK/ADA IsMyPhonePwned Scan phone security directly from a web browser IzzyOnDroid Third party repository for FOSS Android apps JSON-Joy Peritext Rich-text CRDT implementations for json-joy CRDT JShelter UX Upgrading JShelter to increase functionality and user adoption Accessible KDE File Management Accessible file dialogs throughout KDE applications KDE Plasma Gestures Advanced customisable gesture input on desktop and mobile Knowledge Graph Portal Generator Automatically generate custom web interfaces for structured data Kaidan Auth + portability Account portability and Client/Server Authentication for the Kaidan XMPP client Kaidan MUC + legacy OMEMO Multi-user chat and improved legacy interoperability for Kaidan XMPP client Support for 64-bit integer expressions in Kaitai Struct Cross-language code generation for binary parsing Kami Choreography programming language integrated with the Rust ecosystem Katzen Metadata Minimizing Messenger Privacy preserving instant messaging using a modern mixnet Kazarma Release Bridge between ActivityPub and Matrix protocol Kbin ActivityPub based link sharing and microblogging /kbin Mobile app and feature additions to /kbin Kdenlive Parametrised keyframes for modern non-linear video editor Keyhive Edge Names, invites and group key agreement for local first data KiCad Professional open source electronics design application KiCad-10 Cross Platform Electronics Design Automation Suite KiCad-IPC Add RPC API, multichannel designs and schematic variant system to FOSS EDA suite KiKit Tooling for automation of production of PCB designed in KiCAD Krill High Availability Making Krill RPKI daemon deployment more robust In-memory Krill Integrate kvx store in Krill RPKI 
daemon LDAP Synchronization Connector Synchronize data from/to various data sources with LDAP Linked Data Objects (LDO) Upkeep and Upgrade SHACL and other improvements for Linked Data Objects library LLM2FPGA Run Open Source LLMs locally on FPGAs LO/CODE Book project Professional typography inside LibreOffice LUNA SuperSpeed USB Improvements FPGA implementation of USB 3 Domain-specific LabPlot Domain specific visualisations and fit models for LabPlot Land Code editor building on Tauri and VSCodium LeanFTL Flash Translation Layer library for embedded systems LeanFTL Extreme Wear Leveling EWLF support for Flash Translation Layer library Lemmy Scale ActivityPub-powered social link aggregation and discussion Lens/FreeCAD integration Collaborate on parametric CAD Models for hardware design Letswifi/Geteduroam Portal Make federated wifi access provisioning safer and more convenient Letswifi/Geteduroam Make federated wifi access provisioning safer and more convenient LiberaForms Self-hostable E2EE libre form server Libre-Chip CPU with proof of No Spectre bugs Open Hardware high performance CPU with speculative execution Libre-SOC HPC Work on High Performance Compute capabilities for Libre-SOC Libre-SOC OpenPOWER ISA WG Steward ISA extension proposals through OpenPOWER External RFC Process SCIM integrations System for Cross-domain Identity Management (SCIM) LibreCellular 5G Open hardware SDR-based 5G cellular network Portable Libre Diagnostic Reliable open automotive diagnostics stack LibreOffice CRDT Real-time collaboration between several, distributed LibreOffice instances LibreQoS Improve congestion control for wifi networks LibreQoS 2.1 Transactional Move System and improved APIs for LibreQoS LibreSilicon: Pad Cell Generator Custom pad cells for integrated chip layout generation Librecast Overlay Multicast Privacy-preserving, energy efficient data replication and verification Librecast Studio Community platform for multimedia collaboration and events Automate FOSS 
license compatibility determination Check software projects for license (in)compatibility + compliance Liminix Nix-based OS for domestic WiFi routers, access points etc Updating Solid test harnesses for Linked Web Storage Add W3C Linked Web Storage Specification to Solid test suite Dual SIM for Mobile Linux Support multiple SIM cards in open mobile OS-es LinuxBoot for all Small, auditable and reproducible firmware stack LiteX Developer framework for FPGA and ASIC designs Livebook Robust and distributed data and ML workflows with Python, Elixir, and Livebook Loops ActivityPub based sharing of short video clips Loops Live Federated short video platform for the Fediverse Opening up Apple’s Low Latency Wi-Fi Protocol Open-source interoperable implementation of LLW for Linux MetaMorph New modules, functionalities and interfaces for voxel engine Luanti Porting the Lucid Language to Open Platforms Make writing high-performance data-plane software easier LunaPnR Phase 2 A versatile and fast new open-source place and route tool MEGA65 Phone Modular MVP OSHW mobile device with form-factor of hand-held game consoles Open source MILAN hardware and software stack Reliable real-time media streaming over ethernet networks MNT Reform Touch Open Hardware tablet device MNT Reform QCS6490 Module MNT Reform compatible open Hardware processor module Test Procedures for MOSFET SPICE Model Validation Verilog-A compact models validation for Open PDK's MOTIS European Public Transport Door to Door Real-Time Routing with MOTIS Multipath TCP on Linux C Flag support and path-manager improvements for MPTCP Improving the deployability of Multipath TCP Improve MPTCP support in the Linux kernel Improving the deployability of Multipath TCP, part 2 Improve MPTCP support in the Linux kernel Mainline Linux on ARM Chromebooks Open firmware and standards-based boot for Mediatek MT818x/MT819x based devices MTE - the MirageOS Taler Exchange Implement Taler Exchange functionality in OCaml-based unikernel 
The MacBook Liberation Project Implement Coreboot support to various Apple devices Macaw Instant Messenger Web/Desktop XMPP client written in Rust Machdyne Modular open compute hardware Machine Usable Output for Sequoia Reliable, scriptable memory-safe OpenPGP with JSON input/output Maemo Leste Daedalus Improve device coverage and advanced security for mobile Linux distro Maho Self-hostable ecommerce platform MailBox renewal Performance upgrade of MailBox mail modules Mailpile 2 (moggie) Building a secure, modern e-mail client for self-hosting Web on Managarm: Usability, Stability, Security Microkernel-based OS with consistent asynchronous I/O Manas Rust modules for Solid clients and servers Manyfold; Printing, Customisation, and Versioning ActivityPub-powered tool for storing and sharing 3d models MapComplete Thematics OpenStreetMap-viewer and editor. Mapterhorn Imagery Aggregating open data orthophoto imagery Multilingual Marginalia Search engine focused on quality discovery Catalogs in MariaDB Enable true multi-tenancy in the MariaDB database Massive FOSS scan License scan on the whole Software Heritage archive ActivityPub Quote Posts Quote Posts in ActivityPub and Mastodon Mastodon for institutions Features for institutional instances of Mastodon Matridge spaces Gateway for XMPP users to transparently chat in Matrix rooms Improving Matrix E2E encryption UX Better usability of Matrix.org E2E encryption Mautic Portability Phase 2 Portable marketing campaigns for Mautic Mautic Portability Portable marketing campaigns for Mautic Maven Heaven Scan, review, curate and fix metadata of Java packages Practical Decentralised Search and Discovery Search and discovery inside mesh/adhoc networks Modular Meta-Press.es Reusable decentralised meta-search engine WireGuard as a MirageOS unikernel Implement WireGuard in OCaml and run as unikernel Federating Mirlo Connecting artists and audiences with ActivityPub Miru Multi-track video editing and real-time AR effects Mobile Typst 
editor Mobile editor/viewer for Typst documents Caster Open-hardware high-refresh-rate electrophoretic display controller Open Terms Archive vendor lock-in break Public tracking of the evolution of terms and conditions Mollymawk Mollymawk - orchestration and management of MirageOS unikernels Monal IM UI Modern UI for XMPP on iOS and macOS Movim Add end-to-end encrypted videocalls to Movim XMPP Mox Modern full-featured open source secure mail server Mox management and automation Automated email server management and administration muchrooms XMPP group chat implementation in Rust Multitenant CAS Better scalable Single Signon Enterprise Authentication Collation + i18n support in musl libc Complete POSIX internationalised functions in musl libc NVE Co-simulation framework for hardware designers Naja DNL Add Dissolved and Batch Netlists to Naja EDA Timing Modeling and Integrated Verification in Naja Timing aware netlist optimisation with Logic Equivalence Checking Namecoin: ZeroNet and Packaging Make ZeroNet work with Namecoin Nanoarguments Global, federated graph of scientific claims as LinkedData NextGraph Framework SDK's and API's for the NextGraph Framework Nitro Porter support expansion Nitrokey 3 Storage Add encrypted storage capabilities to Nitrokey 3 Nitrokey 3 FIDO2 Level 2 Achieve formal certification for open hardware security key Nitter Alternative privacy-preserving FOSS UI for Twitter Control plane for Nix-based systems Dynamic system management and orchestration with Nix NixBox Nix integration with netbox Debug Adapter with Nix Implement the Debug Adaptor Protocol for Nix NixEdgeOpt Adaptive placement and migration of NixOS services End-to-end NixOS boot security Ensure whole-system security with verified boot for NixOS configurations Nixpkgs Clarity State of the art automated license detection for Nixpkgs NoScript Commons Library: Surrogate Scripts Reusable script replacement functionality for privacy/security browser extensions NodeBB ActivityPub 
support and accessibility improvements for forum software NodeBB context discovery Improving safety, long-form text + threaded discussion elements Noise Nugget FOSS digital audio processing Nova JavaScript engine Independent JavaScript engine written in Rust NovyWave Waveform visualizer for gateware development Nyxt Webextensions Independent implementation of WebExtensions O-ESD Open-hardware for ElectroStatic Discharge testing Open Beam Interface Lite Generic interface for high end scanning and patterning devices OCaml-QUIC Implement QUIC/QUIC-TLS/QPACK and HTTP/3 in OCAML Distributed object programming in Dart Easily create peer-to-peer and federated software E2EE OCapN Federated Relays Add relays to OCapN's capability-based networking OPERA-DSP Open hardware FMCW Radar signal processing in FPGA ORION INspire-aligned raster map tiles for gvSIG ONline Oils for Unix An upgrade path for legacy shell OVT 13 Open Hardware laptop OWASP blint Versatile binary linter, malware research tool and SBOM generator Owi 2 Cross-language symbolic execution via Wasm Offline Translator On-device translations using open models Ontogen and Mud Advanced versioning and identity management for RDF datasets OpenAGPS Privacy-friendly, self-hostable location service Open Source Battery Management System (OpenBMS) Complete FOSS solution for battery management WPA3 support for OpenBSD 802.11 wireless Wi-Fi Protected Access 3 for OpenBSD OpenCarLink Security tooling for vehicle ODB2 ports OpenCartoCam 360-degree camera with hardware-accelerated object detection OpenCloud Federation Implement Open Cloud Mesh Specification in OpenCloud Open Cloud Mesh Improved specs and test suite for Open Cloud Mesh protocol openCologne/PCIe Create PCIe EndPoint for GateMate FPGA's OpenEMSH Automatic mesher for FDTD simulation OpenEPT Ecosystem High-end open hardware to analyse energy consumption Open Energy Profiler Toolset Modular open hardware Energy Profiling Open Everything Facts Powering consumer choice 
on anything with a bar code OpenFlexure Microscope Enabling telepathology with open hardware high end microscopes OpenHarbors Dynamic Tunneling of WPA over IP/L2TP Openki.net Make local events and meetups discoverable Open Logic - Signal Processing Elements Standard Library for FPGA development Modern High-Level Python OpenPGP library Python integration of Stateless OpenPGP Open Prices - Scaling price collection Crowdsourced consumer product price collection OpenStreetMap-NG Alternative implementation of OpenStreetMap OpenTough Open-source rugged enclosure for modular laptop mainboards Open Virtual File System (VFS) for Linux Create a standard API for files stored across the net OpenVoiceOS - From Beta to Breakthrough Free and open, self-hostable voice assistant Open Web Calendar Stack Aggregate public and private web calendars Open Web Calendar Stack II Recurring events and calendar merging Extensive openwifi support for OpenWRT Software Defined Radio Wifi for OpenWRT routers openwifi: 802.11a/g/n maturity Improved stability, data rate and reach of openwifi Openfire Next-Gen Connectivity Authentication/SASL improvements to Openfire XMPP server Openki Roles Restructuring role management in libre tool for crowd-sourced education Ordie Designing a SoC for Betrusted Organic Maps convergent UI with Qt Quick/Kirigami Declarative cross-platform UI for navigation Organic Maps bookmarks, hike and bike Improved bookmarks, address search, map styles and driving Reduce osm2pgsql resource usage More efficient database usage for OSM data GPRS/EGPRS support in Osmocom CNI for Ericsson RBS Open source ePDG for VoWiFi Enhanced Packet Data Gateway for mobile infrastructure Overte Virtual reality based social platform Overte Visual Scripting Feature enhancements of FOSS virtual reality platform Configurable Communication Channels for qaul Distributed messaging over verifiable P2P channels Open-source accelerator platform for large FPGAs Low cost hardware accelerated workloads with 
open toolchains Open PCIe and M.2 hardware and software platform Standard form factor open hardware extension cards PGP4civiCRM Add email encryption to CRM Native DTLS 1.3 implementation in Go Add DTLS 1.3 to PION real-time media stack Secure Apache PLC4J Unified interface to PLCs and industrial devices PTP gateware with openXC7 PTP on FPGA timing cards and SDR cards with openXC7 PTT Unikernel Mailing list server in OCAML Padne Open source power delivery network analyser padne Modernizing Paged.js Web-to-Print Quality typesetting based on HTML and CSS Panoramax video uploads Add street level imagery from user-provided video Papis Highly extensible document and bibliography manager Parley Rich text layout and editing library Parley - rich text layout library Cross-app rich text copy/paste for Parley Passthrough Authentication Authentication proxy using Kerberos and SPNEGO Patchouli Arbitrary-sized open hardware EM pen products PdfDing Webbased selfhosted PDF manager, viewer and editor Peertube plugin livechat Public and private messaging for Peertube content + live streams PeerTube for Institutions Make PeerTube easier to manage and moderate at scale Peertube plugin livechat Integrated chat for Peertube live streams Hassle-free Peppol bootstrapping and onboarding Open, reproducible, certification-ready e-invoicing stack for Peppol Yrs persistent documents Yrs/Yjs compatible layer for persistent key-value stores Manyfold Manage private collections of 3D models Port Phosh to GTK4/libadwaita Open source user interface for mobile phones Better support for display notches and cutouts in Phosh Better custom shape screen support for Wayland PiRogue Tool Suite Consensual mobile device forensic analysis and incident response solution Pijul ecosystem A modern patch-based version control system Pijul Hybrid Hybrid patch-based/snapshot-based system for distributed versioning Pimalaya PIM Memory-safe emails, contacts, calendars, tasks and more pimsync Reliable synchronisation 
for contacts and calendars Pinbot Design and deploy test jigs for electronics Pion Network congestion measurement for adaptive real-time applications Pithus Free and open-source mobile threat intelligence PixelDroid/Media editor Native PixelFed/ActivityPub image sharing app Plasma Mobile powermanagement improvements Better power management on mobile Linux Pleroma Scalable ActivityPub server written in Elixir Pnut Reproducible build of GCC on POSIX shell Pnut everywhere Compiles (a subset of) C to human-readable POSIX shell or binary PodOS Personal Online Data Operating System aimed at exploring W3C Solid pods Podlibre Dedicated, customizable podcast editor Pomme d’API Improvements around the Open Food Facts API PowerCommons OpenPower A2O Core Revival Pre-Scheme Compile Scheme directly to portable C Protomaps Self-hostable maps based on OpenStreetMap data Provability Fabric Verifiable evidence and run-time security for AI systems Py2HWSW A tool to manage embedded HW/SW project Py3DTiles - Textured Mesh tiling OGC 3DTiles 1.1 support for 3D tile conversion tool PyCM Machine learning post-processing and analysis PyUVM SPI Verification Component Add Serial Peripheral Interface support to PyUVM verification tool Adding 32-bit ARM support to QBE and Hare Full Arm32 support for QBE compiler QGIS Panoramax Plugin Extension to manage Panoramax data with QGIS Vector based similarity search index for QLever database Improved search for scalable open-source graph database Proper Webcam support in Qemu Better virtualisation of camera interfaces Qryptr Air-gapped open hardware encryption device RA-Sentinel FPGA-based Radio Receiver for securing Wifi against hacking attacks RA-Sentinel AoA Direction aware sensing of RF-based attacks RA-Sentinel Code Liberation Royalty free synthesizable Verilog code for signal processing RADIUSdesk Multi WAN Add Multiwan to RADIUSdesk Reduced Feature-set Packet Filter High throughput software firewall RIVET Cointegration of RISC-V systems with 
Ethernet Lix RPC RPC framework for scaling Nix Fast RSA + PQ Blind Signatures Fast multiprecision integers for blind RSA and Post-Quantum signatures RTranslator 3.0 Real-time local translation app for spoken word for Android RVVM RISC-V Virtual Machine Rackweaver Design and manage physical infrastructure hosting Re-isearch Schmate Extending re-Isearch with a flat vector datatype for embeddings ReOxide Improving Rust Decompilation Reach Cryptographic Infrastructure for Anonymous Communication Reaction Event-based system programming Redox Flow Battery Development Kit for Open-Source Hardware Redox Flow Battery Redox OS Unix-style Signals Add Unix-style signal handling to Redox Operating System io_uring-like IO for Redox Introduce ring buffers in Redox to increase I/O performance Redwax Server Modernisation Self-hostable X509 certificate based identity management solution Renderling Real-time rendering library on top of WebGPU Renderling ecosystem Renderling Repath Studio SVG editor written in Clojurescript NetBSD Reproducibility Extend Reproducibility for CTF Debugging Infos and NetBSD Image Creation Reproducible-openSUSE Reproducible distribution of openSUSE rolling release Reproducible Builds in the Scala ecosystem Deterministic builds for software written in Scala Ricochet Refresh UX Making privacy more user-friendly Rivista Publish and consume news feeds via XMPP Free and open source NPU Drivers Libre drivers for Neural Processing Units Element Call on Cisco Room hardware E2EE Matrix video conferences on existing Cisco hardware Rosenpass API Improved API's and platform coverage for Rosenpass Rosenpass Broker Expanding the Rosenpass API's to enable easy integration in applications Rotonda Secure Extensions Implement BGPSec in Rust and integrate into Rotonda Rust crate auditing and source correspondence checks Better supply chain security for Rust crates + packages in distributions Rusted Platform Module (RPM) Programming TPMs in pure Rust SCION-enabled IPFS and 
libp2p Enhancing IPFS Performance and Resilience through SCION's Path-Aware Networking SDCC Modern compiler for 8-bit microcontrollers SIMcurity: Tools for Securing the SIM interface Protect phones and users against SIM vulnerabilities and hostility SIP RELOAD REsource LOcation And Discovery, a peer-to-peer (P2P) signaling protocol SMAesH-Mode Side-channel protected hardware implementation of AES SSH Stamp Secure SSH-to-UART bridge for devices with a serial port. Security audit of Sailfish FOSS components Analyse security of secrets, Sailfish ofono and Sailjail Scheme Testing Framework Modernise testing for Scheme An OpenScience flavour of Bonfire on NixOS for preprints Discuss preprints based on W3C ActivityPub federation SecurEAP: Secure Enterprise Wi-Fi on Linux Improve Wi-Fi security and privacy SelectCast: Anycast in Path Aware Networks Anycast for SCION and other path-aware networks SelfHostBlocks NixOS based server management for self-hosting SelfPrivacy Reproducible self-hosting stack based on NixOS SelfPrivacy Catalog SelfPrivacy #Seppo! 
Portable ActivityPub implementation Quantum-Safe Cryptography in Sequoia PGP Implement draft-ietf-openpgp-pqc in Sequoia PGP Serverless and Metadata Reduction for XMPP Enable XMPP on local networks, and reduce metadata exposure Project SERVFAIL Tools for DNS hosting Servo: Benchmarking and Statistics Infrastructure for benchmarking and testing Servo Servo Developer Experience Improvements Improve productivity for Servo developers Servo Editability and Interactivity Enhancements Keyboard interaction within the Servo browser Multi browsing context support in Servo Allow Servo browser engine to render beyond atomic pages Multiprocess Mode in Servo Speed up Servo with parallelisation Servo WebAPIs for Service Worker Non-blocking, async Service Workers for Servo browser engine ShapeThing SHACL renderer View, edit and filter semantic data Shinobi An incremental AOSP build tool using Nix dynamic derivations SiCl4 Tool for interactive reverse engineering of digital logic. Signature PDF PDF editing and server-based digital signing workflow Internationalization (i18n) for Silex Add i18n to GraphQL-aware static site generator SimpleSAMLphp 2.6 Extendable Authentication + Identity Provider Herbees Scalable intermediated P2P messaging based on Simplex Messaging protocol FuSa proven Slint Certifiable functional safety for Slint UI toolkit Slint Visual Editor User-friendly design of graphical user interfaces Slint on iOS iOS support for typed declarative UI toolkit Slintify LibrePCB 2.0 Add missing features to Slint UI toolkit to accommodate demanding applications Slips Immune I Active IDP using ARP poisoning Slipshow A different paradigm for presentations including flipchart style annotations Slixfeed News feed delivery through standard-based instant messaging Remote Sniffnet Network monitoring tool + traffic analyser Snix-{Store/Build} Improve store and builder component of Snix SoCLinux Easier driver development for Py2HWSW framework Peer-to-Peer Access to Our Software Heritage 
Access Software Heritage data via IPFS DHT Solar FemtoTX motherboard Low-power motherboard that can run on solar power Solid-ActivityPub Interop Bridge W3C Solid and ActivityPub FedCM for Solid User-friendly Federated logins for Solid Community Server Solid Share Digital Mobile Wallet for W3C Solid Solid Compound A software library/framework to simplify designing for W3C Solid Solid Application Interoperability Interoperable Data sharing flows and discovery for Solid Solid Application Interoperability Easy to deploy authorization for Solid Applications SolidOS Data management tool and browser for Solid Solid Usable App Tools Project Improve developer experience for W3C Solid solidtime Privacy-friendly time tracking for teams and individuals Sortix os-test POSIX test suite Spacylize Use LLMs to train more efficient and reliable NLP models Spade Standalone Hardware Description Language Dual-level Specification Inference Make formal verification more practical with dual-level Specification Inference Spectrum Applications Add running graphical applications to the compartmentalized desktop OS Spectrum Spectrum: Virtualisation Platform A secure OS with app isolation SpinalWaves & SpinalTrace Typed waveform viewing and error source tracing for SpinalHDL Spritely Oaken Secure 3rd party extensibility with capability-based Scheme Squishy SCSI multi tool and gateware library Stalwart Collaboration Server Integrated solution for email, calendaring and file management Standards Grammar Catalog/Toolchain Open Standards Grammar Catalog/Toolchain Stencila v2 for ERA and EPP Add editable, runnable code to scientific publications StreetComplete Multiplatform OpenStreetMap editing beyond Android Structured Email for Roundcube Add schema.org metadata awareness to open source email Surfer Waveform Viewer Analyse signal levels in simulated circuits Sylk Contacts Cross-protocol real-time communications client T-Rust - In Rust we Trust Scan, review, curate and fix metadata of Rust crates 
Taler OpenAPI specification JSON/YAML OpenAPI for key GNU Taler API's TALER Bullion Infrastructure for GNU Taler Payments with non-fiat Currencies ERPnext TALER payment gateway Refactor ERPnext payment module and integrate Taler Taler Integration into F-Droid Ecosystem Secure, Streamlined and Integrated Payment Processing for F-Droid Taler plugin for Fastify Add low-code zero-config Taler plugin for the Fastify web server framework Interledger interoperability inquiry Investigate synergy between Interledger and GNU Taler Taler in Liberapay Implementation of Taler as payment provider in Liberapay GNU Taler Wallet ID Lookup Service Optional discovery of TALER wallet addresses linked to digital identities Taler-Odoo Payment System Integration module for TALER in Odoo Open Banking Gateway Taler Wallet Top-Up/Merchant Verification Add GNU Taler support to Open Banking Gateway Libre Payments in Ruby GNU Taler Integration for ethical trade GNU Taler Tryton/GNUHealth integration GNU Taler module for Tryton ERP/GNU Health GNU Taler Payment Provider for be-BOP Integrate Taler payments into be-BOP shopping cart/POS software TALER integration in flohmarkt Secure payments for P2P classified ads federating with ActivityPub Payment Module for Nuxt/Vue.js Module to add GNU Taler support in Nuxt/Vue.js Taler-Kivitendo Integration Integrate Taler with the Kivitendo ERP platform TBD DSP toolkit Open hardware audio processing module TISG trustable image sensor gateware FPGA based camera providing encrypted video streams Client Proof-of-Work in TLS Mitigation against DoS amplification on the TLS handshake TSCH-rs Time Slotted Channel Hopping implemented in Rust The Ultimate Bookkeeping System Bookkeeping but in a portable, offline-first and privacy-friendly way Taler-Dolibarr Integration Taler payment handling for Dolibarr ERP software xBSD porting and packaging Porting and packaging of Taler components for xBSD systems TalerPHP PHP SDK for GNU Taler REST API Integration Tau Remote 
sharing of terminal sessions Tenzu Lightweight project management tool for agile teams Termux Android terminal app and software distro/run-time TerosHDL usability Open source IDE for FPGA/ASIC development TerosHDL: OSS, GHDL, NVC IDE with support for Open Synthesis Suite and GHDL/NVC simulators TeXlyre Local-first typesetting editor for LaTeX and Typst with real-time collaboration Threadiverse Reproducible Deployment Reproducible deployment for Threadiverse servers Threshold OPRFs Bringing the power of Threshold OPRFs to the people Tiliqua Open audio DSP for FPGAs Tin Snipe DAQ Digital Acquisition module TinkerFlow Graph based editor for VR/XR process‑authoring Titanic Database server to synchronize vast collections of CRDT documents Automatic component and via placement for Topola Complete PCB schematic-to-layout flow Torch Lens Maker Open-source optical systems engineering TouchUp Enhance the GNOME Shell User Experience on Touch Devices TrailBase Backend-as-a-Service for building networked applications TrenchBoot - DRTM launch between coreboot and UEFI payload Protect coreboot payload with dynamic Roots of Trust Tusky Android client for ActivityPub Typed Nix Static type system for Nix programming language. Typst PDF Accessibility Increase a11y of Typst's output HTML export for Typst Markup based typesetting for multichannel publishing Advanced UEFI Capsule Update for coreboot with EDK II Secure firmware updates, also via fwupd UberDDR3 Open Hardware DDR3 memory controller uberDDR4 High-performance, standalone DDR4 memory controller. 
Unexpected Keyboard Autocomplete/Correct Input correction for popular alternative Android keyboard UnifiedPush Decentralized push notification protocol with libre implementations Universal EInk Solutions Consistent API for e-paper VACASK High-performance Analog Simulation Verified Credentials with zero-knowledge SPARQL queries Enabling derived W3C Verifiable Credentials with Zero Knowledge Proof (ZKP) VeriBench Verilog-AMS Testbench Framework for Open EDA Verification Verilog-A distiller Automated porting of models from C to Verilog-A VersaTiles Simplify vector map tile creation, hosting, and interaction VersatAI Automation of ML/AI algorithm support in computational accelerators Servo improvements for Tauri Verso offscreen + multiview Next Generation Browser Profile Workflow A profile system for the Verso browser Verso Views A Functional Browser Based on Servo SWD Debug support in VexRiscv Functional SWD debugging support for VexRiscv/VexiiRiscv VexiiRiscv Next generation of the VexRiscv in-order FPGA softcore VirtuAndroid Application-layer virtualization for Android apps Vivliostyle Typesetting system leveraging web technologies OpenIMSd 4G/VoiceOverLTE support for open source mobile OSes VoWiFi Watchdog Identify blocks and misconfigurations for VoWiFi Vouivre A dependent type system for machine learning in Lisp Enhancing vula and related libraries Automatic local network encryption for IPv4/IPv6 with PQC Free Software Vulnerability Database A resource to aggregate software updates Enhance the vulnerability database Enhance the VulnerableCode vulnerability database CanIWebView Contributing to standardisation of WebView in W3C ActivityPub Polls for WordPress WordPress plugin for social polls WPT automatic testing for platform accessibility mappings Improve testing of platform a11y support in Web Platform Tests Wsdr Cloud-based Cellular Network in a Browser Waytale Spatially organized interactive 2D social space Waterfall Agile framework for the development and 
deployment of watermarking schemes Integration of Waydroid on mobile GNU/Linux Run Android apps in Linux containers on mobile devices Wayland input method support Better specification for Wayland input methods WeasyPrint Print rendering engine for HTML and CSS WebXDC XMPP Standardisation effort for WebXDC integration in XMPP Weblate Android SDK Live localisation updates for Android apps Webxdc evolve Comparative analysis of HTML5 app containers WgMath Open GPU scientific computing for every platform Whisperfish Cross-platform mobile client for Signal and derivatives Wiktionary QA tools QA tools to improve the quality, reliability, and consistency of Wiktionary WireGuard on FPGA FPGA implementation of Wireguard protocol written in SpinalHDL Wobble Web Hybrid graphics editor and coding environment Wolvic User Interface Flexible windows, tabs, zooming and web rendering in Wolvic Event Federation Plugin for WordPress Add ActivityPub to events created with most common WordPress event plugins MLS for XMPP Add Message Layer Security to XMPP XR Fragments Discover, reference, navigate and query 3D online content XR Fragments Teamware Design, deploy, federate and integrate portable XR experiences YAWS - Yet Another Web Server Sans IO web server written in Rust Yanartas Libre inertial hardware security module Privacy-friendly online age verification Age verification done right YunoHost Packaging + Declarative Settings Frugal and ergonomic selfhosting ZSWatch Open smartwatch including software, hardware, and mechanics Zero-allocation web servers in roc Web server framework with constant memory usage ZeroPhone Next Hackable open hardware mobile phone Zilch Tools for efficient granular builds and introspection Zip linting and bzip2 in Rust More secure handling of popular archive formats Zosimos GPU accelerated image buffer and compute system Zrythm Libre digital audio workstation allowd Memory-safe policy rules using D-Bus ARPA2 Working towards a decentralised global internet 
that offers security and privacy by design. badkeys Detect compromised cryptographic public keys Bcachefs Next generation file system Bcachefs userspace integration Next generation filesystem bhyve idle load mitigation Reduce overhead on bhyve Type-2 hypervisor bluetuith Bluetooth connection/device manager for the terminal cables.gl editor features Create beautiful, interactive, visual web content claim.li Decentralised annotation tool based on Dokieli Elliptic curve encryption speed-up using SIMD Low-level instruction optimisation for curve25519-dalek & Arkworks Democratic SendComm Easy to use connected open hardware device Donations smaller contributions to various activities Federated eIDAS-compatible signing portal Qualified digital signatures using eID cards ePoc Micro learning platform for decentralized educational resources Federated webinars for eduMEET Extended platform for distributed online webinars based on eduMEET eduP2P Test Suite System, integration and performance tests for eduP2P eduVPN Accessibility & UX Improvements Inclusive and user-friendly design for eduVPN eduVPN multi-protocol Review of the eduVPN multi-protocol project. eduVPN Making secure VPN network technology available to everyone Ejabberd Great Invitations More pleasant user registration for ejabberd XMPP server embedded-cal An embedded systems-friendly verified crypto provider Explain Direct Providing effective and efficient access paradigms for open educational material f8 Modern 8-bit instruction set Fashion Freedom Supporting research, development, and education to bring the fashion industry into the 21st century fdtshim Simplify use of Device Tree Binaries for Linux installers FileSender FileSender is a secure and private way to share large files with anyone. 
Global Directories Distributed contact information discovery mechanism Hackathons and sprints contributions to various hackathons and sprints happyDomain Simplify DNS zone management iTowns Visualise 2D and 3D geospatial data on virtual globes & maps Internet of Coins Create a decentralized, self-sustaining economy by implementing inter-blockchain connectivity iso14229 Universal Diagnostic Services for automotive diagnostics it Radically decentralised version control with CRDTs iuh-openbsc An open source implementation of 3G k3lp Unicode Keyboard3 Layout Parser Kernel DMA Protection Patcher (kdmap-patcher) Automated UEFI patching for pre-boot DMA protection lib25519 using NEON for ARM64 ARM64 optimisations for lib25519 microlibrary Improving asynchronous execution in GNUnet Add synchronous processing to GNUnet libnix Native Nix on MS Windows libspng APNG Add Animated PNG (APNG) image read- and write support to libspng libvips Add animated PNG and enhanced JPEG XL support to libvips Verifying and documenting live-bootstrap A reproducible, automatic, complete end-to-end bootstrap Lychee Reliable and fast link checker to combat linkrot mCaptcha Privacy-friendly Proof of Work (PoW) based CAPTCHA system machine-check Tool for formal verification for machine-code Machine-check usability Formal verification of software written in machine code mgmt config Real-time system automation tool minipgp6 Lean implementation of modern OpenPGP Multisoni Modern and efficient real-time audio playback engine Nixcloud Mail Declarative mail server based on NixOS Nixcloud Webservices Declarative web services based on NixOS Nix Store disk usage improvements Reduce storage overhead for Nix deployments Strengthening NTP and NTS in ntpd-rs Memory-safe implementation of IETF time standards including NTPv5 and NTS Building blocks for Resilient Time Implement NTPv5 in ntpd + bootstrap procedure openENOC Scalable Ethernet-based Network-on-Chip openPCIe2 Root Complex Open hardware implementation 
of gen 2 PCIexpress in OpenXC7 S-SATA for openXC7 Open source SATA phy and interface for FPGA's p2panda System Service Real-time collaboration, private sharing and unified local storage of desktop apps p3pch4t Decentralized chat platform built on i2p PKCS#11 v3 Contribute to standardisation of PKCS#11 for cryptographic tokens postmarketOS v25.12 + v26.06 New versions of the mobile operating system postmarketOS postmarketOS daemons Add modern service daemons to postmarketOS Project Unnamed Full-featured, libre FPGA compilation toolchain PurlValidator Check validity of software package identifiers online and offline Support for OpenPGP v6 in rPGP Implement draft-ietf-openpgp-crypto-refresh in rPGP RaptorJIT RaptorJIT is a high-performance Lua virtual machine for network dataplanes. raylib Project creator/builder + feature development for raylib graphics library reqwest Memory safe HTTP client rrdnsd DNS based load balancing and high availability rust-query Ergonomic API to write composable and nested relational queries s6-rc Service manager for s6-based systems scalePNR New place and route algorithms for large FPGAs schc-rs Faster low power networking for constrained devices SDR PHY Create a GSM mobile phone consisting of completely open source software and SDR radio Serval-LR SERVAL Long-range WiFi Add-on Maintenance and portability of sudo-rs Make sudo-rs available cross-platform synit-nixos Expand synit system layer and integrate in NixOS Ties Federated bookmark manager based on ActivityPub TOS;DR A user rights initiative to rate and label website terms & privacy policies Tracking Exposed Increase transparency behind personalization algorithms Trusted Boot Module An open hardware trusted boot manager tslib Better configuration and calibration of touchscreen devices uFork/FPGA A memory-safe pure-actor processor soft-core uMap Vector Tiles Use vector tiles to build custom maps with OpenStreetMap data uberClock High precision open hardware clocks using multi-mode 
crystal oscillators uberWAVE Full featured live interactive waveform viewer wcoord (wireless-coordination) Easy configuration of wireless networks xrsh Interactive text/OS terminal inside WebXR NLnet Foundation currently supports the following projects with in-kind contributions: The Commons Conservancy Legal infrastructure for public benefit efforts NLnet Labs Independent lab for Internet infrastructure development "},{"description":" CUGAR Implement a Wireless Access Point and a back-end This project aims to develop and implement a (Wireless) Access Point and a back-end for it using only Open Source software components. The Access Point (AP) together with the back-end makes a secure environment for Closed User Group Services. This allows a secure connection between AP and the back-end when using a non-secure transport medium (like the Internet). The whole system is being developed as an \"appliance\" and a back-end software package. AP itself will be implemented on small embedded systems in order to ease the deployment. The back-end (authentication, management, routing) can run on a generic UNIX system. Hogeschool Leiden ","title":"CUGAR","url":"https://nlnet.nl/project/cugar/"},{"description":" Reinstatement of crypto.signText() Cryptographic signatures brought back to the browser Since the 1990s Netscape and Firefox supported the ability to sign an arbitrary piece of text with a digital certificate, and have that signature returned to the webserver. The texts being signed have historically ranged from transaction records, financial declarations, and court documents. This project implements a set of Native Browser Web Extensions that bring the digital signing of text to all modern browsers that support the NMBE standard. The process of choosing the certificates and generating the signatures is performed outside of the browser, using APIs native to each operating system. 
Web pages communicate with the extensions using the JavaScript crypto.signText() function, and the signed documents are returned packaged as a PKCS7 response. The project aims to make digital signing accessible, while being browser agnostic. The project's own website: https://redwax.eu/rst This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. ","title":"Reinstatement of crypto.signText()","url":"https://nlnet.nl/project/crypto.signText/"},{"url":"https://nlnet.nl/project/cpan6/","title":"CPAN6","description":" CPAN6 collecting collections of digital information People are designed to collect things, whether it is food, postal stamps, or digital information. On our hard-drives, we collect software, photos, development sources, documents, music, e-mail, and much more. The typical application sees this `collecting' as secondary problem to their main task, offering little help in administering the data produced with it. CPAN6 focusses purely on this aspect, and can therefore improve the way people work in general. There are many kinds of digital collections, like ftp-servers and home-directories, but as far as known, there is no infrastructure like CPAN6 which is designed to manage groups of collections in a simple way. Managing collections is a basic need for many kinds of applications, but there is not yet a common infrastructure to do it. The project's own website: https://web.archive.org/web/20220111010258/https://cpan6.org/ "},{"url":"https://nlnet.nl/project/cpan6/how.html","title":"CPAN6","description":" CPAN6 collecting collections of digital information The NLnet Foundation supports Mark Overmeer to promote the design and to start implementing CPAN6 with 30,000 euro. 
2007-09-14: Progress report: CPAN6 presented at YAPC::Europe and the European Linux Conference. more > > 2007-07-06: First progress report. more > > 2007-03-28: the project plan. .pdf (43 kB) "},{"description":" CPAN6 collecting collections of digital information People are designed to collect things, whether it is food, postal stamps, or digital information. On our hard-drives, we collect software, photos, development sources, documents, music, e-mail, and much more. The typical application sees this `collecting' as secondary problem to their main task, offering little help in administering the data produced with it. CPAN6 focusses purely on this aspect, and can therefore improve the way people work in general. Brief history The Perl community has a very successful module archive, named CPAN. In just over 11 years, it has collected more than 11,000 different open source modules, contributed by thousands of authors. Many other programming language communities have tried to create their own version of CPAN, but none was so successful yet. One of the disadvantages of CPAN is that it is very much entangled with Perl5, so it cannot be used to implement other archives. And this starts to bite the Perl community itself as well: with the upcoming release of Perl6 (with Parrot as large product aside), the old infrastructure needs a major overhaul. In the process of abstracting the archive's functionality --combining the features of CPAN with modern needs like authentication-- it was discovered that the resulting design could benefit close to all applications: every time someone collects any form of digital information. Even, to organize one's home directory. Now, the target for CPAN6 has become to be included as Open/Save option in any application. 
","title":"CPAN6","url":"https://nlnet.nl/project/cpan6/description.html"},{"description":" CP2PC common programming interface for peer-to-peer systems CP2PC (pronounced \"copy to pc\") develops a minimal programming interface to peer-to-peer (P2P) file-sharing systems. Client side applications can be built on top of this interface by other projects. In addition, the project includes development of a simple GUI client that integrates various file-sharing systems. Several P2P networks exist that are used for sharing files among clients, such as Gnutella and Mnet (aka Mojo Nation). Each network uses its own suite of protocols, leading to a number of client applications that are difficult or impossible to integrate. In particular, each P2P network has its own proprietary client-side software. In fact, some P2P systems are based on the same technology but cannot be integrated easily. An example of this is the Fasttrack's P2P protocol suite, on which Kazaa, Grokster and Morpheus are based. CP2PC intends to bridge these gaps by developing a single client which can work with a variety of P2P networks. The project's own website: http://www.cs.vu.nl/pub/globe/cp2pc/ 2003-06-20: Article to be published in LinuxJournal about the final results of the CP2PC project. .pdf (216 kB) A short paper \"Down with hierarchy: File-sharing with CP2PC\" was presented at the SANE 2002 conference. The project also presented itself with a poster. more > > .pdf (9 kB) The Globe Project's website. ","title":"CP2PC","url":"https://nlnet.nl/project/cp2pc/"},{"description":" CP2PC common programming interface for peer-to-peer systems CP2PC is a project carried out by the Globe group at the Vrije Universiteit and fully funded by Stichting NLnet. 2003-06-20: Article to be published in LinuxJournal about the final results of the CP2PC project. .pdf (216 kB) 2003-04-25: The project has ended with this final report. 
more > > ","url":"https://nlnet.nl/project/cp2pc/how.html","title":"CP2PC"},{"url":"https://nlnet.nl/project/cp2pc/description.html","title":"CP2PC","description":" CP2PC common programming interface for peer-to-peer systems The aim of the CP2PC project (pronounced copy to pc) is to develop a minimal programming interface to file-sharing peer-to-peer systems. Client side applications can be built on top of this interface by different groups. In addition, a simple GUI client will be developed as part of the project that will integrate the various P2P protocols. The first step is to examine the functionality present in current P2P systems. Some of the functionality is shared by many systems; other functionality is particular to just a few systems: Uploading files to a decentralised storage system. Searching for files. Clients can easily join or leave the network Chatting Particulars of client applications are also taken into account: Visual presentation of search results. Monitoring of the network and connectivity to the network. Based on these experiences, a programming interface will be derived that maps to each of the P2P protocols. The targets of this project are: a description of the requirements of a unified file-sharing application. a specification of a unified file-sharing API that can be used to develop both clients (front-ends) and CP2PC compatible file-sharing network access components (back-ends). a mapping of this API onto a number of existing file-sharing networks. an implementation of a number of back-ends for existing file-sharing networks an implementation of a simple (bare bones) client an implementation of a GUI client "},{"description":" Conferences Sponsoring of various conferences NLnet historically contributed directly and indirectly to various third party conferences. In some cases, like the renowned SANE conferences, not only financially but also with man-power. 
Besides these large activities, it used to sponsor smaller events on an irregular bases. Those smaller conference contributions are collected on this page. Currently, NLnet puts the focus on R&D activities — this may change in the future, also depending on suitable budgets for this to become available. Meeting people in person and real human contact can greatly simplify working together on complex topics, and to coordinate work. NLnet provides the guarantee for up to €20,000 to the Internet Society in order to be able to host the 78th IETF meeting in Maastricht. Big Brother Awards 2010, details GUADEC 2010 in The Hague, July 24-20, 2010 The eleventh edition of the yearly international Gnome event, to be held in The Hague, The Netherlands. Congress Staat van de Privacy (State of Privacy) Landelijk Congres der Bestuurskunde (LCB). details ElectroSmog, the International Festival for Sustainable Immobility, March 18-20, 2010. details \"TNC 2010\" conference, by TERENA, the Trans-European Research and Education Networking Association. details \"Hacking At Random 2009, an international technology & security conference. details \"Dyne:bolic workshops\" in Indonesia, Singapore, and India. details \"Improving Access to Public Services\", a world-wide thematic conference organized by the Center of Government Studies of Leiden University and KennisLand. details \"BSDCon Europe 2002\", the general BSD conference. details 2001-10-09: \"Hackers At Large 2001\" international conference. details YAPC::Europe, a Perl conference. 
details ","url":"https://nlnet.nl/project/conferences/","title":"Conferences"},{"description":" Conferences Sponsoring of various conferences ","url":"https://nlnet.nl/project/conferences/how.html","title":"Conferences"},{"description":" Conferences Sponsoring of various conferences Big Brother Awards The Big Brother Awards 2010 'honor' individuals, companies, government institutions and proposals that have severely violated privacy since the last edition was held. The public has submitted their favourite candidates via e-mail, after which an expert Jury is confronted with the difficult task of recognizing the supreme privacy violations out of these nominees. The decision of the Jury is made public during the Award ceremony, where the Awards are presented to the \"lucky\" winners. Staat van de Privacy De privésfeer van burgers is in het gedrang. Maatregelen zoals de centrale opslag van vingerafdrukken en het veelvuldig tappen van telefoongesprekken zijn slechts twee schakels in een steeds langer wordende keten van maatregelen. Service en natuurlijk veiligheid spelen hierbij een grote rol. Maar hoe ver mogen overheden en private organisaties inbreuk maken op de persoonlijke levenssfeer van burgers? Het Landelijk Congres der Bestuurskunde (LCB), een tweedaags congres dat elk jaar door studenten wordt georganiseerd, moet deze vraag proberen te beantwoorden. 2010 ElectroSmog International Festival for Sustainable Immobility, March 18-20, 2010. The ElectroSmog festival is a critique of the worldwide explosion of mobility, and an exploration of the new forms of connectedness with others offered to us by network and communication technologies. The question is if these new forms of connectedness can help us to develop a viable new lifestyle less determined by speed and constant mobility, which is both ecologically and socially more sustainable. The festival program is streamed live via this website. 
Audiences can follow events, discuss and contribute online, avoiding the need for long-distance travel. website. 2010 Terena Networking Conference Sponsoring of the TNC 2010 conference of TERENA, the Trans-European Research and Education Networking Association. TERENA is an association in which those interested in advanced network technology collaborate, innovate and share knowledge in order to foster the development of Internet technology, infrastructure and services to be used by the research and education community. TERENA conferences have been at the heart of developments in European research and education networking for more than two decades. Network and application experts, end-users and corporate partners gather there to share views and lend a hand in shaping the future of networking. Website 2009 Hacking At Random (HAR) Sponsoring of the Hacking At Random 2009, an International technology & security conference. This is the 5th edition in a four-yearly series of unique events bringing together an international audience of ICT security experts. Four days of technology, ideological debates and hands-on tinkering. This is the 20th anniversary edition of the four-yearly Dutch outdoor technology-conference taken place on August 13-16, 2009 near Vierhouten, NL. Website 2007 Dyne:bolic Workshops Dyne.org and Bricolabs, Amsterdam, get sponsoring from NLnet for a Dyne:bolic workshop given by Jaromil Denis in Indonesia, Singapore, and India. The purpose of the workshop is to promote a no-cost alternative to proprietary multimedia software solutions by means of the dyne:bolic computer operating system and multimedia tool suite. 2007 CSG The Center for Government Studies (CGS) of the University of Leiden, and KennisLand organize a conference names Improving Access To Public Services. This world-wide thematic conference will take place in The Hague, The Netherlands on November 6-8, 2007. 
The objective of this conference, is to encourage the world-wide dialogue taking place on how to re-assert democratic values in the delivery of services. Many policymakers, practitioners, and students are struggling to determine how best to provide equal access to health-care, education, justice, entrepreneurship, and such. For more details, see the conference web-page. 2002 BSDCon The Berkeley Software Distributions (BSDs) represent one of the oldest and most vigorous streams of Open Source software. Together, OpenBSD, FreeBSD, NetBSD, Darwin, Mac OS X, and BSD/OS represent millions of servers and desktops. The BSD operating systems have long been part of the backbone of the Internet in everything from embedded applications to large server installations, and will soon be widely deployed on consumer desktops. If you want to develop cutting-edge network applications, then BSDCon is the place to be. Meet the movers and shakers of the BSD community, and learn how you can use BSD as part of your enterprise-grade solutions. NLnet supported BSDCon Europe 2002 with a guarantee and interest-free loan of €10.000. 2001 HAL2001 [August 10, 2001] The \"Hackers At Large 2001\" International Conference. attracted over 2000 guests from all over the world and from many different disciplines to debate, get on-line, relax, build and discuss cool stuff, and engage in good old analog interfacing. See the sponsor request and final report. NLnet sponsored this event with €10,000. 2001 YAPC::Europe The Perl community has three yearly conferences. The largest meeting is TPC (The Perl Conference), which is organized by O'Reilly Conferences. TPC is a large, expensive, professional conference. Next to this, two cheap and cosy conferences are organized by YAS: the American and European YAPC's. They are inexpensive and organized by volunteers, but have great talks! With over 200 satisfied participants, the conference was a success. 
NLnet has sponsored the second conference room and the proceedings CD-rom for this event. ","title":"Conferences","url":"https://nlnet.nl/project/conferences/description.html"},{"title":"The Commons Conservancy","url":"https://nlnet.nl/project/commonsconservancy/","description":" The Commons Conservancy Legal infrastructure for public benefit efforts [The Commons Conservancy] is an initiative to provide a lightweight organisational structure for open project. Its mission is to strive towards a stable democratic and open global information society in which individuals can collectively scrutinise, reconfigure and improve upon any technology they depend on - unleashing and empowering human innovation at the widest possible scale, with the express intention to empower any individual to participate in all facets of social, cultural, economic and private life under conditions of his or her own choosing and with secure and reliable technology they can have full control over themselves. The project's own website: https://commonsconservancy.org The stichting tries to achieve its mission by facilitating the development and distribution of free and open technology (and everything relevant to make full use of that technology in the broadest possible sense), so it can be (re)used, studied, shared and modified by anyone without prior permission, contributing to retaining the privacy and autonomy of individuals without forcing them to make ethical compromises, be subject to social bias or fear for ones personal safety. The project is incorporated into a separate foundation that facilitates virtual foundations, that operate as independent programmes underneath The Commons Conservancy. "},{"description":" CodeYard Open-Source software development for students in secondary education Computer Science is a growing subject in secondary education (12-to-18-year old students). In 2007 it will become a core profile course for the Dutch high school curriculum. 
The CodeYard project aims to draw students to the production of Open Source Software (OSS). Students can use the infrastructure and expertise of the CodeYard project to produce OSS, which can be passed on to future generations of students. This should lead to a wider use of OSS. Many projects stimulate the use of OSS in educational settings, but none of these projects engage the students at high schools in the design. The project's own website: http://www.codeyard.nl 2007-05-07: Two students of the 'Koninklijk Lyceum Antwerpen' win the Capgemini Open Source Award 2007 with their 'Game Designer'. 2006-09-05: Article in Linux.com: \"CodeYard is a playground for students of open source.\" 2006-03-11: Article in the leading Dutch newspaper NRC: \"Software on the Schoolyard\". Newspaper article (PDF) Article on CodeYard in Livre Magazine. .pdf (365 kB) ","title":"CodeYard","url":"https://nlnet.nl/project/codeyard/"},{"url":"https://nlnet.nl/project/codeyard/how.html","title":"CodeYard","description":" CodeYard Open-Source software development for students in secondary education The CodeYard project is an initiative of the Computer Science Department of the Radboud University Nijmegen, in The Netherlands. 2007-10-09: CodeYard moves into phase two: growing into a self-sustained organization. 2007-09-14: CodeYard has shown to be a very successful concept, and is aiming for persistence. 2005-06-16: First progress report of CodeYard, June 2005. 2005-03-21: Project plan \"Open Source programming for Pupils\" .pdf (155 kB) "},{"url":"https://nlnet.nl/project/codeyard/description.html","title":"CodeYard","description":" CodeYard Open-Source software development for students in secondary education Computer Science is a growing subject in high schools (12-to-18-year old students). In 2007 it will become a 'profielkeuzevak', a core profile course, for the Dutch high school curriculum. 
The CodeYard project aims to attract students to the production of Open Source Software (OSS). Students can use the infrastructure and expertise of the CodeYard project to produce OSS which can be passed on to future generations of students, leading to a wider use and more production of OSS. The CodeYard project aims to attract students to OSS by providing infrastructure with low barriers to entry and local expertise related to the technical issues the students may face. New software will be developed to support students working together using the Subversion revision control system. Students should find out that writing OSS is fun. In this respect the community-building aspect of CodeYard is more important than the code that might be written there. We need to attract students to OSS so that they stick around in the long term, and do not just use it briefly to fulfil their high school credits requirements. In this sense the CodeYard project is an idealistic one, and depends on the enthusiasm and cooperation of local high school students. There are many projects that illustrate the use of OSS in educational or high school settings, and there are even entire Linux distributions (for instance SkoleLinux) devoted to it. Stichting NLnet supports several such educational projects, like SchoolLan and ThinkQuest. Other projects, such as Ratio, are geared towards providing educational material on specific subjects (Mathematics, in Ratio's case). None of these projects engage the students at high schools in the design, implementation, and testing of the products being delivered. The Open Source philosophy behind them is just that: behind them. CodeYard aims to bring it to the forefront and actively engage students in the Open Source community. 
"},{"url":"https://nlnet.nl/project/claim.li/","title":"claim.li","description":" claim.li Decentralised annnotation tool based on Dokieli The Web is full of claims that are often hard to verify, leaving readers to rely on trust in the author or in the source document itself which is a risky approach when evidence is scarce. Expert annotations can help, but they too may contain unverified statements, so simply annotating original claims isn’t enough. The claim.li project addresses this by enabling a client-side editor that supports annotating both claims and their annotations, creating a transparent, layered system of accountability. Built on the decentralized annotation tool dokieli, it promotes open authoring, annotation, and collaboration across the Web. Run by KU Leuven This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"title":"","url":"https://nlnet.nl/project/choreo-rs/","description":""},{"description":" CeroWRT an experimental firmware to push forward the state of the art of edge networks and routers. This project aims to be a reference implementation of the Comprehensive Queue Management Made Easy (CAKE) project based on CeroWrt, the experimental firmware aiming to push forward the state of the art of edge networks and routers. 
The project's own website: http://www.bufferbloat.net/projects/cerowrt Read the paper Piece of CAKE: A Comprehensive Queue Management Solution for Home Gateways, by Toke Høiland-Jørgensen, Dave Täht, Jonathan Morton This project aims to be a reference implementation of the Comprehensive Queue Management Made Easy (CAKE) project based on CeroWrt, the experimental firmware aiming to push forward the state of the art of edge networks and routers. The project has been merged into the Linux kernel net-next tree, and is expected to be heading to a device near you soon. The project is led by the team at Bufferbloat.net. ","title":"CeroWRT","url":"https://nlnet.nl/project/cerowrt/"},{"description":" Calligra-Windows Bringing Calligra Suite to Windows The Calligra project is an ambitious new take on productivity and creativity. Built on the powerful cross-platform Qt and KDE technology platforms, it offers a complete open source office suite that sports exciting new features and offers excellent support of the OpenDocument Format. The project will port a number of open source libraries to the Microsoft Windows platform and produce a standalone Windows installer that users can download and execute. Applications include The Windows Calligra applications will check on startup whether a new version is available and warn the user. The applications will be built using Microsoft Visual C++ to conform best to platform standards. Visit the website of Calligra and Krita. The project's own website: http://calligra.org Words is an intuitive word processor application with desktop publishing features. With it, you can create informative and attractive documents with ease. Sheets is a fully-featured spreadsheet application. Use it to quickly create spreadsheets with formulas and charts, to calculate and organize your data. Stage is a powerful and easy to use presentation application. You can dazzle your audience with stunning slides containing images, videos, animation and more. 
Kexi for integrated data management, Flow for diagramming and flowcharting, Karbon for drawing vector graphics, Plan for project planning, Krita for painting and image editing. KO GmbH in Germany, producers of Krita Studio. ","title":"Calligra-Windows","url":"https://nlnet.nl/project/calligra-windows/"},{"description":" Calligra-SVG Improve fallback mechanisms in Calligra ODF loading and saving. The ODF standard specifies that a draw:frame can contain text boxes, ODF objects, binary objects, images, applets, plug-ins or floating frames. No current ODF-handling application can handle all of these. The standard anticipates this and specifies a fall-back mechanism by recommending to include an image representation of the object into the frame in addition to the object itself. The image specification does not limit the formats for the images but recommends that vector graphics are stored in the SVG format and bitmap graphics in the PNG format. We propose to improve the fallback mechanism for unsupported objects in the Calligra suite. KO GmbH in Germany. ","url":"https://nlnet.nl/project/calligra-svg/","title":"Calligra-SVG"},{"description":" CAIEC Investigate information offered by consumer organisations This project concerns investigation of the structure of the information offered to the Dutch consumer by consumer organisations. In the first phase of this project, the team will conduct research on the strategy of the Dutch consumer organisation Consumentenbond and their implementation thereof. In the next phase, recommendations how to change this strategy will be worked out. In the last phase, these recommendations will be presented to Consumentenbond. The program is run by OpenOffice BV, located in Amsterdam, The Netherlands. 
","title":"CAIEC","url":"https://nlnet.nl/project/caiec/"},{"description":" CAcert support for CAcert CAcert, Inc., is a non-profit community-oriented Certificate Authority that provides a general service to the community by issuing, where possible, free X.509(v3) certificates for personal and/or server-side use. CAcert services the Open Source digital certificate security needs of users across six continents. Certificates issued by the nonprofit CA form the foundation for many server-side (web) and personal (email) security implementations. The organization enjoys international media attention for its policy of providing for free the very same types of certificates often sold by closed-source, commercial CAs (such as industry leaders Thawte and Verisign) for hundreds, sometimes thousands, of dollars. The project's own website: http://www.cacert.org 2007-10-01: Additional support granted to complete the CAcert security audit ","title":"CAcert","url":"https://nlnet.nl/project/cacert/"},{"url":"https://nlnet.nl/project/cacert/how.html","title":"CAcert","description":" CAcert support for CAcert Stichting NLnet provides financial support to CAcert to fund selected projects. At the same time, the NLnet board supports the maturing of CAcert's organization with advice and by initiating new international contacts. 2007-09-14: Equipment moved to Holland. New intermediate board elected. Plans for new regulation, to be discussed at TOP Hackathon. 2007-03-09: Servers relocated from Australia to The Netherlands. 2005-12-02: The Web of Trust is growing fast, with CAcert present on most major Open Source events. 2005-06-10: CAcert presented itself during NLUUG and KDE-PIM meetings, growing the community. Application is being extended with external security tokens. 2005-03-16: Holland tops CAcert Assurers list. 2004-11-22: CAcert added over 200 new assurers during the HCC Dagen. 
2004-10-05: CAcert had a successful growth of the European community during SANE 2004. 2004-06-22: NLnet provides a grant of up to US$ 16,000 to CAcert for organizing a launch of CAcert at the USENIX Annual Technical Conference 2003-11-12: NLnet supports the Initiation of CAcert, Inc. "},{"url":"https://nlnet.nl/project/cacert/description.html","title":"CAcert","description":" CAcert support for CAcert CAcert, Inc., is a non-profit community-oriented Certificate Authority that provides a general service to the community by issuing, where possible, free X.509(v3) certificates for personal and/or server-side use. CAcert services the Open Source digital certificate security needs of users across six continents. Certificates issued by the nonprofit CA form the foundation for many server-side (web) and personal (email) security implementations. The organization enjoys international media attention for its policy of providing for free the very same types of certificates often sold by closed-source, commercial CAs (such as industry leaders Thawte and Verisign) for hundreds, sometimes thousands, of dollars. Certificates While practical applications for the PGP/GPG infrastructure decline and the use of X.509 solutions increases in popularity, CAcert fills the gap between untrusted, self-signed (so-called \"home-brew\") certificates and their prohibitively expensive (commercial or governmental) counterparts. By enforcing the same stringent requirements for identity verification as other CAs, integrating this level of sophistication with the well-established community \"web\" trust model, and enabling its users to enhance their own trust status by seeking Assurance from qualified members of the trust community, CAcert has built a system that uses Open Source principles in the management and development of human, as well as software, elements. 
CAcert offers certificates for secure sockets layer, encrypted/authenticated email communications, wireless authentication, code signing, electronic document certification, client-server authentication, and more. Future products/services under consideration include an open, X.509-based alternative to Microsoft's proprietary \"Passport\" single log-in product, as well as various methodologies for integrating certificates with commodity token/smart-card products. Challenges Both developers and board members alike are resolved to tackle any and all obstacles that stand in the way of CAcert's stated goals. Current efforts include: the development of quality, user-friendly software to service a wide variety of user needs, concerns, and skill levels; the creation of standardized, public policies governing the use and support of certificates within the open source community; enhancing the existing Assurer base so that it can scale properly world-wide; continuing existing efforts to work with developers for purposes of gaining inclusion within certain products (e.g. Mozilla); and, increasing CAcert's user base and total number of certificates in circulation to provide additional leverage with future developers/OEMs. "},{"url":"https://nlnet.nl/project/cables.gl/","title":"cables.gl","description":" cables.gl Creative tool for graphics and 3D content Cables is a tool which allows people to create beautiful, interactive, visual web content without knowing how to type a line of code. Your work is easily exportable at any time, so you can embed it into your website, use it in an immersive VR experience, or integrate into other kinds of creative output. Cables patches can be published, shared, copied and remixed by the entire community. This allows people to constantly learn new things from each other. By developing a standalone version, that works outside of the browser, cables will open up even more for contributions from the open source community. 
It will be, at the same time, a development environment for contributors, and an offline version of the cables editor. As a side effect, using it with native modules on any major platform and operating system will open up a whole new area of how and where to use cables to create content. The project's own website: https://cables.gl Why does this actually matter to end users? Sometimes a picture or an animation tells a thousand words, other times they go far beyond words. Cables is a unique design tool which allows anyone to intuitively create interactive visuals interactively. With an easy to navigate interface and real time feedback, Cables allows for rapid prototyping and fast adjustments, regardless of experience level. You are provided with a set of operators, such as mathematical functions, shapes, materials and post processing effects. By connecting these to each other using virtual cables you create the experience you have in mind. Once you are done, you can export your work and embed it wherever you need it: from a web page to an immersive VR experience. Run by undefined development This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. "},{"url":"https://nlnet.nl/project/cables.gl-editorfeatures/","title":"cables.gl editor features","description":" cables.gl editor features Create beautiful, interactive, visual web content Cables is a tool which allows people to create beautiful, interactive, visual web content without knowing how to type a line of code. Your work is easily exportable at any time, so you can embed it into your website, use it in an immersive VR experience, or integrate into other kinds of creative output. Cables patches can be published, shared, copied and remixed by the entire community. 
This allows people to constantly learn new things from each other. There is both a browser based version and a standalone, offline version offering a user-friendly development environment. This new grant adds an improved keyframing and animation user interface (timeline) that makes cables.gl much more accessible for animators and motion designers. The team will also add a physics engine, Gaussian Splatting (a new method of rendering realistic 3d scenes), dynamic operator instancing/repeating, a stepping debugger and a comprehensive shadergraph system that allows complex shaders to be created by combining small modules. The project's own website: https://cables.gl Run by undefined development This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"title":"Cpdf Accessibility","url":"https://nlnet.nl/project/cPDF-UA/","description":" Cpdf Accessibility Implement PDF/UA in cpdf The Cpdf accessibility project extends the popular open-source PDF processing tool Cpdf to support PDF/UA (ISO 14289), the standard for accessible PDF. PDF/UA helps those with disabilities who use screen readers and other tools to navigate documents by tagging PDFs with metadata describing the logical structure of the content. Such metadata can also help all users by allowing reliable text re-flow, and better searching within documents. There is very little open-source tooling for accessible PDF at present, so this will represent a significant step forward. The work will involve adding functionality to Cpdf for the inspection and manipulation of existing PDF/UA files, and the creation of new ones from scratch. 
These tools will be useful to PDF/UA developers as well as to end users. The project's own website: https://coherentpdf.com/cpdf Run by Coherent Graphics Ltd This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. "},{"description":" bzip2 in Rust Memory safe implementation of bzip2 compression algorithm The `bzip2` compression format is still used in many legacy settings. Consequently, it is part of the supply chain of many projects. To mitigate these risks, this project will deliver a memory-safe implementation of bzip2 through drop-in replacements of the libraries and a safe Rust `bzip2` binary. The project's own website: https://trifectatech.org/initiatives/data-compression Run by Trifecta Tech Foundation + Armijn Hemel This project was funded through the e-Commons Fund, a fund established by NLnet with financial support from the Netherlands Ministry of the Interior and Kingdom Relations. ","title":"bzip2 in Rust","url":"https://nlnet.nl/project/bzip2-Rust/"},{"description":" Bricophone community-oriented mobile phone infrastructure The Bricophone is a community-oriented mobile phone infrastructure in Open Source. It is a low cost, low energy, open hardware, open source project built for communities up to ten thousand people within regional distances. The characteristic of the Bricophone infrastructure is that it does not require any static infrastructure like relays, antennas, or digital data centers. This provides the opportunity for special uses in poor communities, mass rescue in disaster areas, and cultural and social activities like festivals and other mass events. 
The project's own website: http://www.bricophone.org Bricophone user profiles: Populations and communities in areas where regular cellular phone infrastructure is not possible for economic, energy, or environmental reasons: areas with a poor population, mountains, seas, desert or humid areas, protected natural or archeological sites. Populations and communities in areas where regular cellular phone infrastructures lack power or have been destroyed: war or natural catastrophes such as earthquakes, floods, cyclones, and cold or hot extremes. Communities in social or cultural mass meetings, like festivals, protests, gatherings. The Bricophone is not a replacement for regular cellular infrastructures nor an open-source cellular phone for regular mobile phone networks. Features The sole purpose of the Bricophone infrastructure is voice communication. It works with brand-new wireless sensor network technologies used in industrial equipment. The main characteristics of these new sensor technologies are mesh-networking, low cost, and very low power consumption. These three technical characteristics are the key to the project's potential. Mesh networking is a technology where each point of the network can route information to any other point in the same connected network. The routing of the information is done automatically as on the internet, by an automatic choice of the closest device without central control. The Very Low Cost of the specialized wireless chips of the Bricophone allows different devices to be equipped, not only for building mobile bricophones, but also for routing devices to transfer the calls through longer distances. The compactness of the electronic components allows the creation of very small devices. The low cost and relative simplicity of the hardware make DIY (Do It Yourself) building and further improvements by the Bricophone community possible, as we can see in the Arduino project. 
The Low Power Consumption allows the use of solar, wind or muscular energy, or powering over very long periods. Low energy powered bricophone routers can run months or years without maintenance, even in harsh environments. Project setup In Spring 2007, the first basic voice-over-wireless tests with sensor technologies were executed. In September 2007, the first workshop took place in Brussels. In November, a workshop took place in Brazil. The next steps planned by the leading team for the coming months: A multi-lingual website replacing the first existing pages; Communication tools for community works: wiki, code repository, forum, mailing list; Prototyping workshops in hardware, software and community tools in Paris (F), Brussels (B), Amsterdam (NL), Sheffield (UK), Barcelona (E) during 2008. Communication and partnership: Artfactories network (a platform of international resources for creative centres) and Bricolabs network are participants of the project and will disseminate the knowledge through their networks. Dissemination workshops The first planned DIY fabrication and dissemination workshop will be held in Dakar, Senegal, in the Ker Thiossane Art Center, during the Pixelache 2009 festival. More dissemination workshops will follow in the different continents, at the initiative of local community members. Risks There is a technological risk which no-one can predict at the moment, about the quantity and the quality of calls that can be routed through a huge mesh-network. Even the producers of these new technologies have no answers yet, although they claim that their networks can have more than 65,000 nodes. Our first calculations predict a critical mass of just a thousand people per network, when not all communicating at the same time, which is sufficient for our goals (rescuing people in disasters etc). 
","url":"https://nlnet.nl/project/bricophone/","title":"Bricophone"},{"url":"https://nlnet.nl/project/bof/","title":"Bits of Freedom","description":" Bits of Freedom support for Bits of Freedom Bits of Freedom is a privacy and digital rights organisation. Major topics of concern to Bits of Freedom are copyright, the balance between law enforcement and privacy, freedom of speech, and spam. Bits of Freedom is a not-for-profit organisation based in Amsterdam, the Netherlands. BOF organises both public and closed events to promote its ideas, often in collaboration with other organisations. Amongst the events BOF organises is the annual presentation of the Big Brother Awards. The project's own website: http://www.bof.nl 2006-07-21: Bits of Freedom ceases its activities on 1 September 2006, caused by a lack of both capable personnel and finances. 2004-09-27: Bits of Freedom organizes a conference about alternative copyright systems. "},{"title":"Bits of Freedom","url":"https://nlnet.nl/project/bof/how.html","description":" Bits of Freedom support for Bits of Freedom Stichting NLnet made repeated donations to Bits of Freedom to support its activities: 2004: € 6.000, Support symposium about copyright laws; 2005: € 10.000, Support for the bi-weekly newsletter; 2006: € 6.666, Support for activities in 2006. 2006-01-02: BoF had an active 2005. Read the overview on the main subjects it worked on. "},{"url":"https://nlnet.nl/project/bof/description.html","title":"Bits of Freedom","description":" Bits of Freedom support for Bits of Freedom About BOF Bits of Freedom is a privacy and digital rights organisation. Major topics of concern to Bits of Freedom are copyright, the balance between law enforcement and privacy, freedom of speech and spam. Bits of Freedom is a not-for-profit organisation based in Amsterdam, the Netherlands. BOF organises both public and closed events to promote its ideas, often in collaboration with other organisations. 
Amongst the events BOF organises is the annual presentation of the Big Brother Awards. Being well aware that the world is bigger than the Netherlands, BOF helped to found a European coalition of privacy and civil rights organisations, European Digital Rights. EDRI produces a bi-weekly newsletter in English, called EDRI-gram. NLnet supports the BOF newsletter Bits of Freedom has produced a two-weekly e-mail newsletter since 2003. The newsletter is written in Dutch and focusses on political and legal aspects of digital civil rights in the Netherlands. The newsletter is read by legal professionals, politicians, journalists and many concerned members of the public. The BOF newsletter does not limit itself to internet related issues, but also deals with technology in a broader sense: biometrics, CCTV, RFID, and DRM. In the past years the newsletter has seen a steady growth in the number of subscribers, which is now at 6500. The newsletter is sent through a mailing list and archived at the BOF website. Bits of Freedom considers the newsletter not only as a means to inform the public about emerging issues, it also serves as a way to put developments on the agenda of journalists and politicians. Articles in the newsletter lead on a regular basis to media reports and initiatives in the Dutch Parliament (\"questions to the minister\"). "},{"title":"bluetuith","url":"https://nlnet.nl/project/bluetuith/","description":" bluetuith Bluetooth connection/device manager for the terminal Bluetuith is a lightweight Text User Interface (TUI) based Bluetooth manager for the terminal, which allows users to manage a multitude of different Bluetooth based functions, like pairing, connection, file transfers, handling audio playback and networking and so on seamlessly via an easy-to-use interface. The project aims to extend support to as many other platforms as possible, to achieve multiplatform support, and provide users with a familiar interface to control Bluetooth across different platforms. 
The project also aims to solve the issue of communication and user-friendliness of platform specific Bluetooth stacks, by creating daemons/services native to that platform, and lightly wrapping native APIs and exposing a standard set of APIs that will allow any client to be built cross-platform and to connect and control Bluetooth (Classic especially) in a much more efficient and uniform manner. The project's own website: https://darkhz.github.io/bluetuith This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"url":"https://nlnet.nl/project/blenderweb/","title":"BlenderWeb","description":" BlenderWeb free 3D animation and compositing suite There is currently no open source platform capable of delivering rich web content similar in scope and impact to Adobe Flash and Shockwave or Microsoft Silverlight. Creators and developers are tied to proprietary tools and software if they wish to create rich interactive content for online distribution and consumption. This creates a high barrier to entry in many countries the cost of Adobe software licenses can be more than a years salary for an artist --so only those individuals of wealth can make use of this communications medium. This project is devoted to the development of the web plugin of the game engine, improve its security and resource utilization and add functionality, in general produce an end-to-end solution and open source platform capable of delivering 2d and 3d content of a richness and variety similar to that available in the propriety Adobe Flash and Adobe Shockwave plugins. 
The project's own website: http://www.blender.org/ "},{"url":"https://nlnet.nl/project/bitmask/","title":"Bitmask","description":" Bitmask User-friendly and secure VPN configuration Bitmask is a Desktop and Android client designed to achieve a zero-configuration end-user experience for setting up a VPN that connects to a given set of providers - those that follow the LEAP platform specification. To do so, clients rely on providers exposing configuration files on well-known URLs, according to their particular setup regarding the available VPN gateways and transports. This project aims at adding low-end routers as a new extra platform that users can choose when installing BitmaskVPN. Running VPN software in a commonly available router, with hardware-based user interfaces, will greatly extend the target audience for Bitmask. To achieve this goal, a port of the BitmaskVPN client will be done in Nim, a statically typed language that generates small native and dependency-free executables, allowing the setup of the VPN with the switch of a hardware button. Finally, the resulting port will be packaged for OpenWRT, and build scripts will be made available for providers to offer to their users a ready-to-use flashing image for a selection of routers. The project's own website: https://bitmask.net Why does this actually matter to end users? The internet is unfortunately not only populated just by kind and careful people. And it wasn't designed to be secure either. This is a dangerous and rather unfortunate combination of circumstances, and one you should take into account when you use the internet. When you go online outside of your house or office, chances are you use whatever wireless network you can find to get online. Mobile internet subscriptions are still expensive, so it is logical people seize every opportunity to connect for free. While this is a daily habit for many millions of people, and often nothing bad happens, it does expose you to serious risks. 
This is because your computer doesn't really know a lot about the world. It depends on information it gets from the networks it connects to. If the network happens to cheat, the computer often has very few defenses. If you use an untrustworthy network to connect you to the internet, you move yourself into the middle of enemy territory. While you happily enjoy your free bits it provides as a way to buy money, it has ample opportunity to exploit all kinds of security weaknesses against you. Essentially, if you got away scot free with connecting to an unsafe network, it probably wasn't your security that held anyone back. You were just lucky that no-one serious tried to do anything - this time. So it is recommended to not connect over wifi networks you don't know. Unless of course you've arranged for a secure tunnel that allows you to teleport your internet traffic across the unsafe local network to the real internet unscathed. The concept is surprisingly simple: individual messages sent through the Internet, called packets, are encrypted using some mechanism, and this encrypted message then substitutes the original one, making all communications sent through the tunnel unreadable to eavesdroppers and unalterable to attackers. Proven cryptography protects the integrity of the traffic flowing through the tunnel. And once the packets reach the other end of the tunnel, they can be unpacked. From that point onwards they may continue their life as normal internet traffic. Travelling the path in reverse is of course also possible: packets sent from the internet to your computer are protected in exactly the same way. In anticipation of better technologies that should arrive with the next generation internet, such tunnels (which can be created with a virtual private network or VPN) are a key technology to guarantee consumer safety. They play a major role in protecting users both from snooping and malicious traffic injection. 
Sadly, the tools to create these secure tunnels are rather cumbersome (if not plain hard) to work with. This has prevented mass adoption. Bitmask wants to make encrypted communication accessible and easy for users to use. The open source application offers email encryption which handles all the complicated cryptography on its own and a virtual private network that takes extra security measures to make sure no personal information is leaked. This project aims to make these privacy and trust enhancing technologies more accessible and 'plug & play' by fitting BitmaskVPN into commonly available routers. Any VPN provider will be able to offer their clients a router with VPN built in: all they have to do is install it in their home and flip the switch. This way privacy and trust enhancing technology can actually become a part of the everyday devices internet users are accustomed to, making their online experience more private and secure without any complex technological setup or hassle. Run by LEAP Encryption Access Project This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. "},{"url":"https://nlnet.nl/project/bind-dlz/","title":"BIND DLZ","description":" BIND DLZ BIND 9 Dynamically Loadable Zones implementation BIND DLZ allows DNS data to be modified without interrupting the DNS server's normal operation. It accomplishes this by moving DNS data out of BIND's in memory database into an external database. BIND DLZ works with a large variety of databases and has made flexibility a priority in its design. Additionally, BIND DLZ makes available an API which can be used to create custom drivers to access nearly any database, or provide other functionality such as DNS load balancing. 
BIND DLZ is unique in that it builds upon BIND 9, the most recent version of the popular open source DNS server. It is our goal to merge BIND-DLZ into BIND's main source tree in the future, so that the features of BIND DLZ are available in the main BIND distribution. The project's own website: http://bind-dlz.sourceforge.net Bind-DLZ is included in Bind since version 9.4. See BIND 9. Download BIND-DLZ. DLZ poster at SANE 2002 more > > "},{"description":" BIND DLZ BIND 9 Dynamically Loadable Zones implementation BIND-DLZ is being developed by Rob Butler, a J2EE web developer with a special interest in BIND. NLnet is the full sponsor of the project. 2006-05-09: Bind-DLZ included in Bind 9.4 more > > 2004-04-16: DLZ phase 2 is completed with the release of a new high performance driver. But work continues on the DLZ project. more > > 2003-11-02: BIND-DLZ release 0.6.0 with support for LDAP, and many important bug-fixes. more > > 2003-09-03: BIND-DLZ now has a website, with loads of documentation about the project. 2003-06-05: ODBC driver has been made available. 2003-04-04: Berkeley DB driver and supporting utility program have been made available. 2002-09-28: The MySQL and File System Drivers have been made available. BIND DLZ project plan phase 2. more > > .pdf (97 kB) Final report for project phase 1. more > > BIND DLZ project plan phase 1. more > > .pdf (19 kB) ","url":"https://nlnet.nl/project/bind-dlz/how.html","title":"BIND DLZ"},{"description":" BIND DLZ BIND 9 Dynamically Loadable Zones implementation BIND DLZ (Dynamically Loadable Zones) allows zones to be added and removed from BIND 9 without restarting/ reloading/ reconfiguring the server. BIND can continue to operate and serve DNS data while that data is modified. The goals of the BIND DLZ project are: Allow BIND zone and record data to be stored in a database. Allow adding / removing / modifying zones and records without interrupting BIND's normal operation. 
Have changes required to support this capability be merged into BIND and not maintained as a separate patch. Develop production level drivers for a variety of databases. The DLZ Project is broken down into two parts: Phase 1 made changes to BIND 9's existing code to support a new database interface (called DLZ), and also provided a driver (for the PostgreSQL database) using this new interface. The new interface allows BIND to query DLZ drivers and determine if it is authoritative for a zone. Phase 2 continues with the development of additional DLZ drivers to support more database backends. Phase 2 will provide MySQL, File System, Berkeley DB, ODBC and LDAP drivers. With such a variety of drivers available DLZ can be configured and optimized to meet almost any need. Phase 2 will be completed by a full round of performance testing for each of the DLZ drivers. ","url":"https://nlnet.nl/project/bind-dlz/description.html","title":"BIND DLZ"},{"description":" bhyve idle load mitigation Reduce overhead on bhyve Type-2 hypervisor bhyve is a BSD-licensed Type-2 hypervisor originating from the FreeBSD project. Apart from FreeBSD, it also runs on the OpenSolaris-derived illumos distributions such as OmniOS, OpenIndiana, and SmartOS. It is capable of running unmodified guest operating systems such as Windows, Linux, various BSDs, and various illumos distributions. As any hypervisor, bhyve operates with a certain overhead, one aspect of which is the idle load caused by otherwise idle guest VMs on the host system. Naturally, less idle load means more efficient operation of the host, less energy use, and increased host capacity without the need for additional hardware. This project aims to analyze the idle load behaviour of various guest operating systems running on bhyve to identify the causes of increased idle load. 
Additionally, this project intends to improve the idle load behaviour by implementing support for at least one additional hypervisor feature such as paravirtualized timecounters. The project's own website: https://bhyve.org This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","title":"bhyve idle load mitigation","url":"https://nlnet.nl/project/bhyve-idle/"},{"description":" bewCloud Light-weight self-hosted cloud storage and productivity BewCloud is a nimble self-hosted cloud storage and collaboration platform offering efficient shared file storage and groupware. BewCloud's goal is to allow anyone to run their own personal private cloud software in cheap devices. It tries to keep its feature set deliberately simple, and not go beyond the core apps/functionality users need and satisfy all use cases - for that there are more customizable and extensible alternatives like Nextcloud and ownCloud. This allows bewCloud to have a pleasant user experience and a small resource footprint (CPU, memory). BewCloud is built with TypeScript and Deno using Fresh. Within the scope of this grant, the project will work on the main pieces that are frequently requested and currently missing: calendaring and address books, and public file sharing. The project's own website: https://bewcloud.com This project was funded through the NGI Fediversity Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, as a pilot programme under the aegis of DG Communications Networks, Content and Technology. 
NGI Fediversity is part of the Horizon Europe research and innovation programme under grant agreement No. 101136078. ","url":"https://nlnet.nl/project/bewCloud/","title":"bewCloud"},{"title":"betrusted","url":"https://nlnet.nl/project/betrusted/","description":" betrusted A protected hardware device for your private matters. Betrusted aims to be a secure communications device that is suitable for everyday use by non-technical users of diverse backgrounds. We believe users shouldn’t have to be experts in supply chain or cryptography to gain access to our ultimate goal: privacy and security one can count on. Today’s “private key only” secure enclave chips are vulnerable to I/O manipulation. This means there is no essential correlation between what a user is told, and what is actually going on. Betrusted will build a full technology stack, including silicon, device, OS, and UX that is open for inspection and verification. Betrusted is a simple, secure, and strong device that aims to advance Internet freedom. The project's own website: https://betrusted.io Why does this actually matter to end users? As our lives get more digital every day, we use the internet to have important conversations - both personal and professionally. We also store and share more and more sensitive personal data on devices. On the internet you cannot just close the door to talk privately. So we need digital safe spaces and digital locks and vaults that are just as reliable and easy to use to store our secrets and mediate our communication. Recently manufacturers have started to build so-called hardware enclaves or secure elements into their devices that function like a digital safe: even if someone is able to get some software installed into your computer, phone or laptop, they should not be able to immediately access what is in the safe. But of course, creating a secure space or making a digital safe in an environment you don't really control or understand is really hard. 
All the technical protection no longer matters when someone can invisibly take control or peer over your shoulder. Especially since you as a user can't see yourself what is happening on the inside of your digital house. A safe and a rogue application can and will look completely identical to a user, and there is simply no way to distinguish among them based on their appearance. Users install many unknown games and applications all the time (\"install our app to start getting discounts now!\"), and forget that this is actually letting more or less random entities run unknown software on the phone that holds some of their most important information. And what if the operating system of your computer or phone itself has an unhealthy interest in your data or metadata, or is weakly protected so that others can just enter - similar to how unsafe it would feel if your landlord or the janitor is a peeping tom or a thief? Betrusted is a dedicated open hardware device with the goal to create safe and more easily protected private channels for your communication. You can have a frivolous phone to play games, and do all the other things you meanwhile use your phone for. The Betrusted device is a complementary device that restricts itself to protecting the things that matter most, like your conversations and phone calls. It will also be able to hold passwords, digital versions of your passport (and other digital credentials and attributes), and whatever sensitive digital information you need to keep completely secure. The idea is to create a portable, dedicated physical vault isolated from everything else you do, and with a deliberately limited feature set which makes it much harder to attack. The device can connect to your phone through wifi, and is ideally suited for so-called end-to-end encryption. This means you don't need a separate subscription. 
It does not matter if your phone is hacked or if the free wifi you use is safe or not - the internet skips your phone and betrusted can set up encrypted communication with end-to-end assurance. The overall approach is security through isolation and simplicity: you can never leave a backdoor open if you don't build a door in the first place. As a user you can verify this, because the entire design and development of the device will be open to the public, from the software it runs down to the silicon that makes up its chips. A transparent, easy to use and secure digital safe that you can actually trust, with a configurable and easily understandable interface you want to use. This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. "},{"url":"https://nlnet.nl/project/bcachefs/","title":"Bcachefs","description":" Bcachefs Next generation file system bcachefs aims to be a next generation Linux filesystem, with a fully modern featureset and vastly improved performance, scalability and reliability as compared to other next generation filesystems. Additionally, we aim to improve upon the state of the art in a number of areas such as extensibility, which will aid in development in other areas that have historically had to reinvent technology that already exists in local filesystems (distributed systems), repairability (online check and repair, self healing), and ease and correctness of development with the use of Rust. The project's own website: https://bcachefs.org This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. 
"},{"description":" Bcachefs userspace integration Next generation filesystem bcachefs is a next generation filesystem for Linux, with a fully modern featureset and vastly improved performance, scalability and reliability as compared to legacy filesystems. The main focus of this grant is achieving stability, but on the side there will be work on userspace integration with systemd, reworking the cryptographic API to be more robust, as well as adding the potential for users to generate telemetry data - in order to capture edge cases in the real-world. The project's own website: https://bcachefs.org Run by bcachefs This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","title":"Bcachefs userspace integration","url":"https://nlnet.nl/project/bcachefs-crypto-API/"},{"description":" badkeys Detect compromised cryptographic public keys Public key cryptography is an important building block of Internet security through protocols like TLS or SSH. Key generation vulnerabilities in cryptographic implementations can compromise the security of these mechanisms. The tool badkeys allows identifying public keys affected by known vulnerabilities. The project will implement improvements to badkeys' coverage of known-compromised keys and regular monitoring of public keys in TLS certificates, DNSSEC, and DKIM for known vulnerabilities. 
The project's own website: https://badkeys.info This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","url":"https://nlnet.nl/project/badkeys/","title":"badkeys"},{"description":" Atom-Based Routing Improving global internet routing by implementing atom-based routers. Atom-Based Routing aims at significantly reducing the growth of BGP table size and updates, in particular in the internet backbone, through the use of BGP policy atoms. The intent is to devise a routing protocol (or adapt a routing protocol such as BGP) which makes use of atoms to achieve a protocol of lower complexity. The project's own website: http://www.caida.org/projects/routing/atoms/ 2004-03-31: The final paper \"Beyond CIDR Aggregation\" was published as technical report at CAIDA. Slides of the presentation held at CAIDA/WIDE workshop. .pdf (179 kB) The project plan explains the concept under research. more > > The paper \"Complexity of global routing policies\", by Andre Broido and KC Claffy, describes some problems with BGP tables and introduces policy atoms. .ps (286 kB) .pdf (603 kB) ","title":"Atom-Based Routing","url":"https://nlnet.nl/project/atombr/"},{"url":"https://nlnet.nl/project/atombr/how.html","title":"Atom-Based Routing","description":" Atom-Based Routing Improving global internet routing by implementing atom-based routers. Three organisations are cooperating in the Atom-Based Routing Project: CAIDA, the Cooperative Association for Internet Data Analysis at The University of California San Diego Supercomputer Center (UCSD), RIPE NCC, the Réseaux IP Européens Network Coordination Centre Association, and NLnet Labs, the network research laboratory of Stichting NLnet. 
The project team consists of Patrick Verkaik (employed by RIPE NCC, funded by NLnet Labs), Andre Broido (CAIDA) and K Claffy (CAIDA). Progress and results of this project will be presented at forthcoming IETF and RIPE meetings. 2004-03-31: The project was concluded with a final project report, accompanied by a technical report. Download source code. 2003-05-12: Atom-based routing discussed at RIPE meeting 45. Slides .pdf (137 kB) 2003-03-16: Atom-based routing discussed at IETF meeting 56. Slides .pdf (85 kB) 2003-02-14: Interim Report more > > The Atom-Based Routing Project Plan. more > > "},{"description":" Atom-Based Routing Improving global internet routing by implementing atom-based routers. Routing protocols such as BGP operate on individual prefixes. Each update, table entry, and computation is based on a single prefix as the basic element. Although several prefixes may be stored or transmitted at a time by BGP, the prefix remains the basic element of the protocol. For example, an update message may carry a route containing several prefixes, but the receiving BGP router will still need to consider each prefix in the message separately in its computations. A routing protocol based on atoms will treat a number of prefixes as equivalent and amortise overhead of the protocol over the equivalent prefixes. Such a routing protocol is the goal of this project. The effects of atom-based routing are similar to CIDR in that both are able to summarise prefixes (as aggregates and atoms respectively) and treat the summary as a unit. 
An important difference is that CIDR aggregation can be performed independently by each router; however by definition the computation of an atom requires cooperation between many routers. More details about the benefits of Atom-based Routing can be found in the project plan.","title":"Atom-Based Routing","url":"https://nlnet.nl/project/atombr/description.html"},{"description":" Assessing Cyber Security This report aims to assess what we know about cyber security threats based on a review of 70 studies published by public authorities, companies, and research organizations from about 15 countries over the last few years. It answers the following questions: what do we know about the number, origin, and impact of cyber attacks? What are the current and emerging cyber security trends? And how well are we prepared to face these threats? Over the years, a plethora of reports has emerged that assess the causes, dynamics, and effects of cyber threats. This proliferation of reports is an important sign of the increasing prominence of cyber attacks for organizations, both public and private, and citizens all over the world. In addition, cyber attacks are drawing more and more attention in the media. Such efforts can help to better awareness and understanding of cyber threats and pave the way to improved prevention, mitigation, and resilience. This report aims to help in this task by assessing what we know about cyber security threats based on a review of 70 studies published by public authorities, companies, and research organizations from about 15 countries over the last few years. It answers the following questions: what do we know about the number, origin, and impact of cyber attacks? What are the current and emerging cyber security trends? And how well are we prepared to face these threats? The focus of the examined reports differs widely. 
Some reports look at all possible cyber attacks, others zoom in on specific threats such as Distributed Denial of Service attacks or malware. Some reports focus on a specific sector, or one country, others have a global scope. Methodologies used by the reports are often inconsistent and sometimes opaque: some are based on self-reporting (e.g., surveys), while others use data generated by software. One of the main observations of our study is that the range of estimates in the examined investigations is so wide, even experts find it difficult to separate the wheat from the chaff. This leads to the conclusion that, although there is no shortage in the number of reports, well defined and comparable cyber threat data and risk assessments are missing. Download the report or view in the browser. The project's own website: http://www.hcss.nl/reports/assessing-cyber-security/164/ The Hague Centre for Strategic Studies (HCSS)","title":"Assessing Cyber Security","url":"https://nlnet.nl/project/assessingCybersecurity/"},{"description":" ARPA2 Working towards a decentralised global internet that offers security and privacy by design. The ARPA2 project is an ambitious attempt to make the internet work the way we all expect it to work: a distributed, secure and private infrastructure that serves as a solid basis for a global information society. The internet brought so many advantages that it grew explosively, but that unprecedented growth of an experimental infrastructure that had many (and sometimes intentional) fundamental weaknesses - in terms of e.g. scalability and more importantly of security - resulted in an ossified network that has a lot of technical debt accumulated. It takes a concerted effort to fix these holes and bring secure internet technologies towards real end-users and deep into the infrastructure where many important upgrades are waiting for adoption. 
The project's own website: http://arpa2.net ARPA2 is a set of coherent, longer term open source efforts thoughtfully engineering towards an overall architecture scalable to run the future internet that is secure by design. It brings together proven technologies, new insights and talented people to solve the hard challenges. NLnet supports ARPA2 from the Internet Hardening Fund, with support from the programme \"[veilig] door innovatie\" from the Netherlands government. For a complete overview of projects visit the ARPA2 website. ARPA2 is administered by: Internet Wide Organisation ","title":"ARPA2","url":"https://nlnet.nl/project/arpa2/"},{"description":" ARPA2 resource ACL and HTTP SASL modules for NGINX Extend consistent access control to NGINX webserver In most of our daily interactions with a remote server we depend on the application running on the server to properly authenticate the user within the browser session, and to manage who can do what. However, if we want to enforce stronger guarantees with regards to restricted resources and tasks, our options are much more limited. This project from the ARPA2 community wants to move the state of the art in access control forward by combining the extensible SASL standard with a well-defined generic ACL mechanism that also allows for pseudonymity. The project will produce a self-contained library and two modules for a popular web server (NGINX) that use the new library. With the NGINX HTTP SASL module a user-agent can authenticate to the web server using any SASL mechanism the server supports. With the NGINX ARPA2 ACL module the web server can determine whether an authenticated user has authorization for the request that he/she sent. I.e. a user makes the request: \"DELETE /messages/10\" and the server can then decide based on the authenticated user, the action and resource whether this is allowed or not. The project's own website: http://arpa2.net/ Why does this actually matter to end users? 
For some use cases, web servers need to be a bit smarter. They are really good at serving up web pages really fast, which is the core of their task. Yet out of the box they understand very little of what they are doing, or who they are interacting with. That is pretty much left to the applications running on such a server. In some instances, it could be quite beneficial if some of these responsibilities could be delegated to the webserver. That way, developers can focus on applications themselves rather than on keeping unwanted or unauthorised visitors out. We all want websites to be as secure as possible. We also want to grant users as much privacy as we can. Technical measures can of course be taken at the level of the application, as is done traditionally. But it is quite easy to make mistakes, and a lot of work. An awful lot of work. Developers waste a lot of time on implementing the same steps over and over. It would be a lot easier if some web tool can just assume that only valid users would enter, and that some reliable source would authoritatively tell them what rights they need to get. This project from the ARPA2 community wants to deliver such a solution. It has already developed open source software libraries that offer an easy way to distinguish between who is entitled to see something and who isn't. This solution can already be used with all kinds of existing software, because it is compatible with the most popular standards organisations use to keep this data. And you can even work with all kinds of roles and pseudonyms, so unlike most traditional solutions their work isn't completely hardwired to individual people. The latter often leads to people giving their overpowered user credentials to others to quickly get stuff done. In the project, they will now implement it in such a way that all users of the most popular webserver of the moment can take advantage of the power of these libraries. 
This will help developers outsource one of their headache tasks to a simple and trustworthy open source server component, written by specialists with a focus on security, auditability and standards support. This will in turn simplify applications, will reduce their cost and improve their performance. And of course the small codebase will be significantly easier to analyse in terms of security. Run by Netsend This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. ","title":"ARPA2 resource ACL and HTTP SASL modules for NGINX","url":"https://nlnet.nl/project/arpa2-nginx/"},{"title":"GnuTLS","url":"https://nlnet.nl/project/arpa2-gnutls/","description":" GnuTLS Implement TLS-KDH in GnuTLS TLS-KDH is a mechanism that adds Kerberos authentication to the Transport Layer Security (TLS) network protocol. TLS-KDH is developed under the flag of ARPA2 (www.arpa2.net) and is formalized in the form of a draft Internet specification for the IETF RFC standards track. This project serves to create a prototype implementation of the protocol within GnuTLS. For a more extensive overview of advantages of TLS-KDH we refer to the project homepage (http://tls-kdh.arpa2.net). The project's own website: https://github.com/arpa2/gnutls-kdh This project was funded through the Internet Hardening Fund, a fund established by NLnet with financial support from the Netherlands Ministry of Economic Affairs and Climate Policy. "},{"description":" Anomos a pseudonymous, encrypted multi-peer-to-peer file distribution protocol Anomos introduces a layer of security and anonymity currently absent in peer to peer file sharing protocols. 
Through the study of cryptography and anonymous networks such as TOR, a system is being designed which allows any individual to safely distribute files to a large audience without fear of legal or social repercussions. This technology is an important part of modern free society, and a tool which may be used around the world to bring about positive social change. With Anomos, one can distribute the file anonymously to thousands of people at once. Because Anomos is based on BitTorrent, each download makes the network faster, more robust, and harder to eliminate. This technology can benefit thousands of people all around the world, to those who live in religiously oppressive places, those to whom the mere accusation of apostasy or sexual deviance could be life threatening; to mash-up artists concerned about copyright infringement, or anyone fearful that their actions on the Internet may lead to unjust punishment. First and foremost, Anomos has been designed as a tool for free speech. The project's own website: http://anomos.info/wp/ ","title":"Anomos","url":"https://nlnet.nl/project/anomos/"},{"title":"projectplan.pdf","url":"https://nlnet.nl/project/ambulant/projectplan.pdf","description":""},{"url":"https://nlnet.nl/project/ambulant/","title":"Ambulant","description":" Ambulant providing a reference SMIL 3.0 implementation The Ambulant Open SMIL Player is an open-source, full W3C SMIL player. It is intended for researchers who need source-code access to a complete SMIL player environment. It may also be used as a stand-alone SMIL player for applications that do not need proprietary media formats. The player will support a range of SMIL profiles (including desktop and mobile configurations) and will run under Linux and Win32. A Macintosh OS-X port is also expected. The target community for the Ambulant Player are developers of multimedia protocols, networks and infrastructures. 
The Ambulant Player represents the first phase of a multi-year project aimed at improving network level support for multimedia information processing. As one of the results, the Ambulant team contributed considerably to the SMIL 3.0 specification. The project's own website: https://www.AmbulantPlayer.org "},{"description":" Ambulant providing a reference SMIL 3.0 implementation Several organizations are cooperating in the Ambulant Open SMIL Player project: CWI, the Dutch National Center for Mathematics and Computer Science in Amsterdam. (Dick Bulterman, Jack Jansen, and Sjoerd Mullender) Anadelta from Greece. (Kleanthis Kleanthous) The initiator of the project is the CWI, but other institutes and companies take part in development. 2007-10-03: Status report. Review of the final draft for SMIL 3.0, and implementation commences. more > > 2007-07-20: Status report. Release of final draft for the SMIL 3.0 specification and initial implementation of the new features in Ambulant. more > > 2006-12-13: Status report. Working on embedded distributions: content enrichment engine for interactive TV, and displaying books for the blind. more > > 2005-12-14: Ambulant released version 1.6, with SMIL 2.1 support. more > > 2005-06-09: Status report. Software release version 1.4. The software will be integrated into AMIS DTB: a multimedia player for blind users. Two presentations at the Holland Open Source conference. more > > 2005-01-21: Ambulant released version 1.2, with syntax checker and plugin support. more > > 2004-11-11: Development of Ambulant continues. The project plan for Ambulant/NxG. .pdf (97 kB) 2004-07-21: Ambulant released version 1.0. more > > 2004-10-11: Final report for the Ambulant Player Phase 1. .pdf (250 kB) 2004-04-23: \"Ambulant/X Player\" released. This distribution supports nearly the entire SMIL 2.0 specification and is available in source form for Linux, Linux/PDA, Mac OS X, Windows and WinCE distributions. 
Custom installers are available for Mac OSX, WIN32/Desktop and WinCE/PocketPC. The Ambulant team also release a set of six SMIL demonstrators that can be used to evaluate the Ambulant/X player (and other SMIL players). 2003-10-30: \"Ambulant/M Player\" released. 2003-04-15: Excerpts from the project plan. .pdf (77 kB) ","title":"Ambulant","url":"https://nlnet.nl/project/ambulant/how.html"},{"description":" Ambulant providing a reference SMIL 3.0 implementation The Ambulant Open SMIL 2.0 Player is an open-source implementation of the SMIL 2.0 standard. It is intended for researchers who need source-code access to a complete SMIL player environment. It may also be used as a stand-alone SMIL player for applications that do not need proprietary media formats. The player will support a range of SMIL 2.0 profiles, including desktop and mobile configurations based on specifications provided by the 3GPP Mobile Multimedia community. The player will be written in C++. Target implementations are for Linux and Windows implementations. A Mac OS-X implementation is also planned, depending on partner resources. The target community for the Ambulant Player are developers of multimedia protocols, networks and infrastructures. Since building new infrastructure components is difficult enough, nobody seems to have time to integrate their work in a standard player environment. We want to build a platform that will encourage the development of comparable multimedia research output. By providing what we expect will be a standard baseline player, other researchers and development organizations can concentrate on integrating extensions to the basic player (either in terms of new media codecs or new network control algorithms). Other researchers can then have access to both the baseline player and the extensions. We hope that this will help results verification, improve the quality of multimedia research and stimulate growth in the multimedia research marketplace. 
The Ambulant Player represents the first phase of a multi-year project aimed at improving network-level support for multimedia information processing. ","url":"https://nlnet.nl/project/ambulant/description.html","title":"Ambulant"},{"description":" allowd Memory-safe policy rules using D-Bus Authentication and authorization are crucial components of a modern Linux system's security. For the desktop Linux environment, Polkit is used as a central authentication and authorization component. But ever since 2012, its policy rules have been based on JavaScript. Requiring a garbage-collected programming language to be started up for the tiny snippets of rules is excessive, especially in resource-constrained environments. We will prototype an alternative approach to the current Polkit daemon, utilizing the existing external D-Bus interfaces, but improving the internal design. We also aim to demonstrate to the Freedesktop community, especially the systemd team, that Rust is well-suited for these core desktop applications, producing small and efficient binaries with limited dependencies. The project's own website: https://github.com/trifectatechfoundation Run by Trifecta Tech Foundation and Zeeshan Ali Khan This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). 
","title":"allowd","url":"https://nlnet.nl/project/allowd/"},{"url":"https://nlnet.nl/project/alias/","title":"ALIAS","description":" ALIAS analysis of legal and technical implications of the use of software agents Properties associated to agents such as autonomy, pro-activity, reasoning, learning, collaboration, negotiation, and social and physical manifestation are properties developed by man. Notions such as anonymity and privacy acquire new meanings in the \"digital world.\" New concepts such as pseudo-anonymity emerge. Until now, much research on deployment of information technology has been done as a separate discipline. Computer Science and AI develop the technical expertise and applications. Law then fits these applications into existing legal frameworks (taking US, European and Dutch traditions into account), proposing new frameworks if and when needed. In this project, members of the two disciplines AI and Law are collaboratively investigating the legal possibilities and limitations of agent technology, ultimately leading to recommendations for both disciplines. The project's own website: http://www.iids.org/alias/ Final report on project ALIAS. .pdf (31 kB) .doc (67 kB) 2003-08-15: Conclusions at the end of the ALIAS project. more > > Report IR-CS-004ALIAS, Analysing Legal Implications and Agent Information Systems, which concludes this ALIAS project. .pdf (829 kB) ALIAS discussion forum The publications and presentations from the ALIAS project are listed on the project's website "},{"url":"https://nlnet.nl/project/alias/how.html","title":"ALIAS","description":" ALIAS analysis of legal and technical implications of the use of software agents The ALIAS project studies the legal and technical implications of the use of software agents, by combining the expertise within: The Intelligent Interactive Distributed Systems Group at the Vrije Universiteit Amsterdam. 
This group's research focuses on support for the development of large scale intelligent, interactive, distributed systems. This includes middleware (AgentScape), services (an agent factory and directory services), applications (distributed information retrieval and distributed design). The Computer Law Institute at the Vrije Universiteit studies both the legal implications of the use of IT and the prospects and limits of using IT for legal practice. Agents are one of the key research issues. The Center for Law, Public Administration and Informatization focuses in its research on legal implications of Information and Communication Technologies, regulatory issues concerning ICT and reconceptualization of law in light of developments such as dematerialization, de-territorialisation, de-identification, and a loss of human involvement. Stichting NLnet is fully sponsoring this two-year research project with an estimated total cost of € 188.120. Besides, NLnet is also funding one of the partners in this research project, the IIDS group. 2003-08-15: Conclusions at the end of the ALIAS project. more > > Report IR-CS-004ALIAS, Analysing Legal Implications and Agent Information Systems, which concludes this ALIAS project. .pdf (829 kB) "},{"description":" ALIAS analysis of legal and technical implications of the use of software agents Goal of the research Properties associated to agents such as autonomy, pro-activity, reasoning, learning, collaboration, negotiation, and social and physical manifestation are properties developed by man. Notions such as anonymity and privacy acquire new meanings in the \"digital world.\" New concepts such as pseudo-anonymity emerge. Until now, much research on deployment of information technology has been done as a separate discipline. Computer Science and AI develop the technical expertise and applications. 
Law then fits these applications into existing legal frameworks (taking US, European and Dutch traditions into account), proposing new frameworks if and when needed. In this project, members of the two disciplines AI and Law are collaboratively investigating the legal possibilities and limitations of agent technology, ultimately leading to recommendations for both disciplines. Discussion Forum Using agents on the internet will eventually lead to many legal questions. Some of those can be foreseen, and specific technical measures may prevent the agent from falling into some legal pitfalls. For this purpose, the ALIAS project analyses legal and technical implications of software agent applications. Much still needs to be discussed. Please join the discussion forum on http://soapbox.cs.vu.nl/ALIAS/. ","url":"https://nlnet.nl/project/alias/description.html","title":"ALIAS"},{"url":"https://nlnet.nl/project/alias/alias-final.pdf","title":"alias-final.pdf","description":""},{"description":" AHA! transparent adaptive functionality for web servers AHA! is a general-purpose adaptive hypermedia add-on for web servers. It enables a web server to serve pages with conditionally included page fragments, and with link anchors that are conditionally colored or hidden. Adaptation is based on a domain model, a user model, and an adaptation model, using concepts, pages, fragments and condition-action rules. Where other adaptive architectures focus on specific areas of application, with a consequent layout and presentation, AHA! is centered at maintaining a user model and the generation of adaptive html regardless of actual content or layout. The project's own website: http://aha.win.tue.nl AHA! 2.0 Tutorial and demonstration. A description of the poster presented at the SANE 2002 conference. .pdf (285 kB) Long list of all publications related to this project. ","url":"https://nlnet.nl/project/aha/","title":"AHA!"},{"description":" AHA! 
transparent adaptive functionality for web servers The project was defined by Paul De Bra, full professor at the Computing Science Department of the Eindhoven University of Technology. Funding for the first two years of this project has been granted by Stichting NLnet. Phase 1 was completed on July 1, 2002; a first prerelease of AHA! 2.0 was made available. Phase 2 was completed July 1, 2003. The final release of AHA! 2.0 arrived on August 12, 2003. A first prerelease of AHA! 3.0 is expected by January 2004. Details about the functionality in AHA! 2.0 and 3.0 can be found in the progress reports and in the publications on aha.win.tue.nl. 2003-08-12: AHA! version 2.0 Announced. more > > 2003-05-29: Progress report more > > 2003-04-02: Progress report more > > 2003-02-05: Progress report more > > 2002-12-11: Progress report more > > 2002-04-09: Progress report more > > 2002-02-25: Progress report more > > 2001-12-04: Progress report more > > 2001-10-02: Progress report more > > 2001-08-29: Progress report more > > Adaptive Hypermedia for All (AHA) project proposal more > > ","url":"https://nlnet.nl/project/aha/how.html","title":"AHA!"},{"title":"AHA!","url":"https://nlnet.nl/project/aha/description.html","description":" AHA! transparent adaptive functionality for web servers The purpose of the AHA! project is to define, study and implement a facility for extending Web-servers with transparent, adaptive functionality. A Web-server is extended with a (servlet) module that registers users automatically, maintains a detailed user profile, and adapts the delivered information and the link structure based on that user profile. This server-side extension is generic, i.e. application independent, and open, meaning that the source of the information may itself be external to the server running the adaptive engine. More concretely, the AHA! project consists of two phases of one year each, with two people working in parallel. 
The funding of the second year shall depend on the outcome of the first year. The goals (research and development) of the two phases are: Phase 1: Design and development of a generic, open, adaptive engine, building on the initial AHA! prototype. The extensions include the ability to perform adaptation on documents from an external source, the ability to handle (and link to) composite objects, and better authoring support. Phase 2: Extending the design and implementation to allow richer user-models (with arbitrary attributes and value-domains), while maintaining desirable properties such as termination and confluence. A second extension will be the ability to define page constructors, i.e. ways to dynamically construct pages out of sets of information fragments. The authoring environment will also be extended to include support for these richer user models and page constructors. The research results will be published in national and international conferences and journals. The software will be published on the Internet and distributed as Open Source, using the GNU licensing scheme. After completion of the first phase, we shall start actively promoting the use of AHA! for applications in education, electronic commerce and corporate websites. 
"},{"description":" Why AGFL under a GNU licence parser generator system for natural languages AGFL is a typical solution in search of a problem: when given a grammar and its associated lexicon covering some natural language like english, it is easy to generate an efficient parser for that language, but very few applications demand such a parser because such parsers are a rarity: linguists are traditionally more concerned with giving an abstract \"account\" of language than with doing the painstaking work to describe a particular language in a more or less complete and consistent way most NLP projects set out to produce a parser intended for some particular purpose, rather than a grammar to be used for many different purposes most parsers are written in some programming language for efficiency, so that the knowledge contained in them is buried in code and there is no collaborative improvement of existing parsers others are written in some proprietary formalism and jealously hidden from the eyes of the non-initiated commercial users are deterred from using parsers already developed elsewhere by unpredictable financial demands and the absence of maintenance since there is no demand for such parsers, there is little or no supply. In order to break this stalemate, the AGFL project has brought the AGFL system in the public domain: AGFL is provided as a common formalism to be used freely by any linguist, guaranteeing the automatic generation of efficient parsers the system comes with a number of grammars and lexica for free, in particular the EP4IR (English Phrases for Information Retrieval) grammar of English anybody is invited to use the AGFL system and the accompanying EP4IR grammar and lexicon of English for whatever purpose he likes, including commercial purposes, as long as the GPL is adhered to anybody can make and share his improvements to the free grammars and lexica, or add new ones in the same spirit. 
","url":"https://nlnet.nl/project/agfl/under-gnu.html","title":"Why AGFL under a GNU licence"},{"description":" AGFL parser generator system for natural languages With the AGFL (Affix Grammars over a Finite Lattice) formalism for the syntactic description of Natural Languages, very large context free grammars can be described in a compact way. AGFLs belong to the family of two level grammars, along with attribute grammars: a first, context-free level is augmented with set-valued features for expressing agreement between parts of speech. The AGFL parser includes a lexicon system that is suitable for the large lexica needed in real life NLP applications. The project's own website: http://ftp.cs.kun.nl/agfl/ AGFL is brought to you under a GNU licence. This will help linguists to share improvements. more > > The most recent release of AGFL-GNU. ftp ","url":"https://nlnet.nl/project/agfl/","title":"AGFL"},{"description":" AGFL parser generator system for natural languages This project is performed by the research group on Compiler Construction at the department of Computer Science of the University of Nijmegen (KUN). The costs of this project, approximately € 114.000, have been fully subsidised by the NLnet Foundation. Final Report about the AGFL/GNU Project. more > > The AGFL-GNU project's proposal. more > > ","title":"AGFL","url":"https://nlnet.nl/project/agfl/how.html"},{"url":"https://nlnet.nl/project/agfl/description.html","title":"AGFL","description":" AGFL parser generator system for natural languages The goal of this project is to make the AGFL (Affix Grammars over a Finite Lattice) linguistic parser generator system publicly available as a tool for the development of NLP (Natural Language Processing) applications. The AGFL formalism for the syntactic description of Natural Languages has been developed by the Department of Software Engineering, University of Nijmegen. It is a formalism in which large context free grammars can be described in a compact way. 
AGFLs belong to the family of two level grammars, along with attribute grammars: a first, context-free level is augmented with set-valued features for expressing agreement between parts of speech. The AGFL parser generation system for Natural Languages generates efficient parsers from AGFL grammars. It includes a lexicon system that is suitable for the large lexica needed in real life NLP applications. Natural Language Processing (NLP) is an important enabling technology for future web-based applications: from filtering and narrowcasting to more intelligent search machines and services based on the automatic interpretation of the contents of documents. The state-of-the-art in search machines on the web is based mainly on the use of keywords and applying linguistic techniques to enhance recall. An example is the Linguistix software library, incorporated in commercial search machines like Altavista and Askjeeves, which performs tagging, lemmatization and fuzzy semantic matching. Besides individual keywords, some use is also made of phrases, but this is mostly limited to those noun phrases which can easily be extracted. An important step forward in precision is to be expected from the use of more complicated linguistic phrases, including the verb phrase. Progress in this respect is hampered by the lack of parsers for natural languages, which can extract and normalize all phrases suitable for Information Retrieval applications with sufficient speed and precision. Present day natural language parsing technologies are still of limited value to applications: most sophisticated parsers have been developed for mechanical translation rather than for retrieval purposes most parsers are developed using proprietary software, and few are in the public domain, so there is little synergy between projects; parsing speeds are generally low in relation to the speed of the Internet. 
That is why there is a need for tools that are available in the public domain, and suitable for the development of efficient parsers for Information Retrieval applications. The AGFL system is such a tool. "},{"description":" AbiRDF2 Abiword RDF-2 Abiword is an open source word processing application with advanced collaboration features. The project is to improve RDF support in abiword with the goal of increasing user adoption and interest in the technology. The following improvements are foreseen: Support for office:annotation-end in Abiword's ODF handling C++ Semantic Objects which relate to common RDF vocabularies. Drag and Drop to/from Semantic Objects Presenting drag and drop possibilities, both from other applications into an ODF file, and from an ODF file to other applications, should entice users to see ODF as a solid single file container for storage and transmission of not only words but also semantics. The project's own website: http://abisource.com/ Project run by Ben Martin, Australia ","url":"https://nlnet.nl/project/abi-rdf2/","title":"AbiRDF2"},{"url":"https://nlnet.nl/project/abi-rdf/","title":"AbiRDF","description":" AbiRDF Abiword RDF NLnet strives to broaden the footnote of the ODF standard. RDF (Resource Description Framework) is one of the distinguishing features of ODF. The project is to enhance the existing RDF support in Abiword. Many use cases which are highly user oriented are being handled: drag and drop, sidepanels, notifications, stylesheets, and hookups to Web services. Allowing SPARQL queries will significantly enhance the possibility of ODF for real time collaboration. The project's own website: http://abisource.com/ Project run by Ben Martin, Australia "},{"title":"AbiMacOS","url":"https://nlnet.nl/project/abi-macos/","description":" AbiMacOS Port Abiword to MacOS Within the scope of this project the open and free word processor AbiWord will be ported to MacOS platform and submitted to the AppStore. 
The project's own website: http://abisource.com/ Project of Fabiano Fidêncio, Brazil. "},{"url":"https://nlnet.nl/project/abi-collab/","title":"AbiCollab","description":" AbiCollab AbiWord Telepathy and SIP backends This project is centered around AbiWord, a Free and Open Source word processor, which supports most of the features people have come to expect from a modern word processor. It also comes with features that are not present in competing products, most notably support for real time document collaboration through the AbiCollab plugin. The AbiCollab plugin allows multiple people to work on-line on the same document at the same time. This eliminates the error prone practice of sending document updates over email to co-authors to keep everyone in sync. AbiCollab is designed to be transport protocol independent. It currently supports collaborating over plain TCP, XMPP/Jabber, the OLPC mesh network and over the AbiCollab.net service. This project aims to create two additional AbiCollab transport backends. The first would use the Telepathy framework. The second AbiCollab backend would be based on the SIP SIMPLE client SDK. The project's own website: http://abisource.com/ Run by AbiSource Corporation BV. "},{"description":" A-A-P tools for developing, distributing, and installing software The A-A-P project intends to provide a series of tools for developing, distributing and installing software. The two main programs are aap (a replacement for make) and agide (the A-A-P GUI IDE). The agide program provides a portable framework to combine existing programs. Agide provides interfaces between editors, viewers, debuggers, cross referencers, etc. These are used to connect any editor to any debugger, without the need to implement every combination. Agide relates to many existing tools and adds the glue to make them work together. A central element is the A-A-P recipe. It is a powerful replacement for Makefiles and shell scripts. 
The Aap program is used to execute the recipes. It can be used for building software, version control, maintaining a web site, installing ported software, and much more. The project's own website: http://www.A-A-P.org/ 2004-04-14: A large article about A-A-P was featured in LinuxJournal edition May 2004. 2003-10-10: Zimbu Awards for Adriaan de Groot, Rui Lopez, and Jörg Beyer. 2003-07-04: A-A-P releases version 1.0, and celebrates it with contest (\"Win the A-A-P Award\") and a presentation on OSCON2003. More in this progress report. A-A-P has its place on SourceForge as well. Look there or on the project's own website for more documentation, mailing lists, and tools. Description of the A-A-P project presented as a poster at the SANE 2002 conference (pictures). .pdf (89 kB) ","title":"A-A-P","url":"https://nlnet.nl/project/a-a-p/"},{"url":"https://nlnet.nl/project/a-a-p/how.html","title":"A-A-P","description":" A-A-P tools for developing, distributing, and installing software Bram Moolenaar is leader of this project. Bram is employed by Stichting NLnet Labs. Monthly status report, edition July 2003. more > > Monthly status report, edition June 2003. more > > Monthly status report, edition May 2003. more > > Monthly status report, edition April 2003. more > > Monthly status report, edition March 2003. more > > 2003-03-18: A-A-P releases Agide version 0.1. Agide stands for the \"A-A-P GUI IDE\". Monthly status report, edition February 2003. more > > 2003-01-17: Third version of the project plan. Version 1.0 release schedule has been sped up; it is now planned to be available in July 2003. An additional version 1.1 has been added to the plan. .txt (20 kB) 2002-10-29: A-A-P version 0.1 released. more > > "},{"title":"A-A-P","url":"https://nlnet.nl/project/a-a-p/description.html","description":" A-A-P tools for developing, distributing, and installing software Developing open-source software requires the knowledge of a large number of tools. 
This makes it difficult to help improve an existing project and even more difficult to start one. A-A-P makes it a lot easier to work on a software project in a distributed environment. The main sources may be obtained from a CVS server, the patches for a port to your system from an ftp server, and additionally whatever changes you have made yourself. A recipe describes all of this and how to automatically build the program. Furthermore, when you make changes to the project, A-A-P provides you with the actions to make a patch and send it to the right place or just keep it locally. You can do version control without having to know the exact commands for it. For large projects, A-A-P provides the possibility to only have those local parts that you are working on. The rest is obtained only when needed. You can browse the project to find the source code and documentation that you need. A-A-P knows where to find it. A-A-P forms a framework in which many tools can work together. Interfaces are specified so that tools can be plugged in easily. You are free to choose the tools that you know and like. Building software using a recipe. The recipe contains all the information needed to build a program. Automatic detection of system properties and downloading of the required files. Browsing a project to find out how it works. Locate the code that you want to work on and read related documentation. Package a new version of a project for others to install. Upload changed files to a global server. Portable over many systems, at least most Unix variants, MS-Windows and possibly the Macintosh. Open source, free software. "},{"description":" Zrythm Libre digital audio workstation Zrythm is a digital audio workstation (DAW) that enables musicians and producers to create professional-quality music. 
Built with modern C++ using Qt/QML and JUCE, it targets electronic music workflows with advanced capabilities such as signal-based modulation and clip looping that proprietary tools have long monopolized. Building on lessons learned from the v1 release, this grant accelerates development toward Zrythm v2, porting core functionality to the new Qt/QML stack: audio and MIDI recording, arranger editing, and chord assistance. The goal is a stable, mature alternative to proprietary DAWs that guarantees users the freedom to study, modify, and share their creative tools. The project's own website: https://www.zrythm.org This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/Zrythm/","title":"Zrythm"},{"title":"Zosimos","url":"https://nlnet.nl/project/Zosimos/","description":" Zosimos GPU accelerated image buffer and compute system Zosimos is a statically typed language with an embeddable interpreter for raster graphics compositing pipelines. Built on Rust's `wgpu` to target WebGPU it abstracts, through native capabilities or emulation, color-space aware editing capabilities across platforms including the web. The implementation builds on SPIR-V graphics and compute shaders to execute largely asynchronously and close to hardware capabilities. The user facing programming language provides an image manipulation interface with operations similar to those found in GEGL and imagemagick. 
The project's own website: https://github.com/HeroicKatora/zosimos This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"description":" Zip linting and bzip2 in Rust More secure handling of popular archive formats Zip is a widely used format for distributing files. It is a rather permissive file format, opening the door to various attacks such as zip bombs. The `bzip2` compression format is still used in many legacy settings. Consequently, it is part of the supply chain of many projects. To mitigate these risks, this project will deliver a) a zip linter checking for suspicious file contents in zip files and b) a memory-safe implementation of bzip2 through drop-in replacements of the libraries and a safe Rust `bzip2` binary. The project's own website: https://trifectatech.org/initiatives/data-compression Run by Trifecta Tech Foundation + Armijn Hemel This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","title":"Zip linting and bzip2 in Rust","url":"https://nlnet.nl/project/ZipLinting/"},{"url":"https://nlnet.nl/project/Zilch/","title":"Zilch","description":" Zilch Tools for efficient granular builds and introspection Zilch is an experimental test bed for alternative approaches to building programs, services, and full Linux distributions. Being built on top of Nix, it is entirely compatible with NixOS. 
The goal of this project is to research and develop a set of tools that allow a developer to write programs and patch existing upstream projects, while keeping the reproducibility and sandboxing afforded to them by Nix. The project's own website: https://puck.moe/git/zilch This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"description":" ZetaOffice Encrypted collaborative editing in the browser ZetaOffice is an online open source office application based on LibreOffice, the leading implementation of the ISO/IEC 26300 OpenDocument Format standard. It can run fully client-side inside a regular browser - meaning you can view and edit office documents without an install required. This provides the technical foundations to support true P2P editing of complex office documents. The ability to remove the entire dependency on a server means that document collaboration is moving towards zero-knowledge implementations – where no single-point of architectural failure exists and no data is required to sit unencrypted on a non-user owned (or trusted) server instance. This would allow ZetaOffice in the future to provide end-to-end encryption – both for the peer2peer use case, as well as securely keeping documents encrypted when at rest. That means data is safe when the user is disconnected, whether it is stored on an untrusted server or in the local Web storage. The project's own website: https://zetaoffice.net Why does this actually matter to end users? Collaboratively writing a document together in real-time with others is still a bit magic. Someone else, perhaps on the other side of the planet, is typing something. And within a fraction of a second, the text magically appears on your screen. 
This amazing technology is the ideal companion for say an online meeting - everyone can contribute, and correct any flawed minutes without much effort. For this kind of collaboration in real-time, there is a limited set of options in the market you can use. Most available services in the market like Google Docs, Microsoft Office or Collabora Online share one very undesirable characteristic: you need to fully trust the company running the service you use. Whoever has access to the servers used to connect everyone together, can read everything you have written - and deleted. That means that if you need to work on something confidential like an important contract, you may want to reconsider using the service. Especially if you write about sensitive topics like corruption, money laundering, war crimes or state surveillance, this open backend you cannot control is a really significant problem. Peer-to-peer collaboration is a way for internet users to connect and work together directly, without the need for a central authority or in-between layer. Work can be crowd-sourced, instead of organized by one central party which is more vulnerable to attack, misuse and censorship. Together, peers can publish data, subscribe to other people's messages and documents, recommend and disseminate information and news and tag correct and informed articles and stories, that can then be searched by others. The group filters what data and information should be spread wide and far and what should be forgotten, not a third party (i.e. the search engine provider) that will not give access to its search algorithm to protect their commercial interests. This project will build a solution that allows users to edit documents together while making sure that the office software runs completely on their own device, with all their work end-to-end encrypted. 
This way an office suite that uses open source software and open standards only is also protected against single points of failure (like a server that goes down or is compromised) and can guarantee proper encryption of potentially sensitive documents. This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. ","url":"https://nlnet.nl/project/ZetaOffice/","title":"ZetaOffice"},{"title":"ZeroPhone Next","url":"https://nlnet.nl/project/ZerophoneNext/","description":" ZeroPhone Next Hackable open hardware mobile phone This project is building a hacker-friendly personal device platform, providing people with an assortment of building blocks that can be reused in building devices of their own. It sets out to deliver a featureful device for day-to-day use, with cellular and wireless connectivity, and bringing a powerful user interface that can easily be used in others' projects. The platform's design prioritizes self-assembly capabilities, respect for the user's privacy, extensive documentation that makes the platform's building blocks all that more accessible, and forming a community aimed at helping other hackers build their own devices. The platform's inherent modularity also provides a testbench for designing open-source replacements for commonly closed-source parts of the DIY portable device ecosystem, as well as development of open firmware for currently-closed-source components. This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. 
"},{"title":"Zero-allocation web servers in roc","url":"https://nlnet.nl/project/ZeroAllocation-webserver/","description":" Zero-allocation web servers in roc Web server framework with constant memory usage Memory consumption in web servers is hard to predict and control. Our zero-allocation web server guarantees constant memory usage and per-request memory caps. These guarantees and capabilities make web infrastructure more reliable, because it is actually possible to calculate how much server capacity is required for a certain amount of traffic. The vast majority of webservers are written in a language with automatic memory management. They cannot provide the guarantees that our webserver can, and often have other downsides like poor general performance and GC pauses. The core of our webserver is written in rust, and while it works in a rust-only context, is meant to be used in combination with the roc programming language, a fast, friendly, functional language with automatic memory management, but without GC pauses. Users will be able to write web applications using roc, without having to consider how memory is allocated. At the same time, we manage the memory as efficiently as possible under the hood. The project's own website: https://github.com/tweedegolf/nea Run by Tweede golf B.V. This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"description":" Quantum-Proof Zenroom Implementation of Quantum-Proof Cryptography in Zenroom Zenroom is a tiny secure execution environment that integrates in any platform and application, even on a chip or a web page. It executes human-readable smart contracts for all kinds of use cases, such as databases, blockchains and much more. Zenroom is scriptable in an English-like language called Zencode. 
During this project quantum-proof cryptography will be implemented in Zenroom by strictly adhering to ECDH specifications for common session exchanges, signature and verification, applying liboqs transparently as a back-end to existing Zencode scenarios. This makes it seamless to substitute existing EC implementations with the same Zencode. The result will be a fully portable software (plain C, no hardware acceleration) of the NIST quantum-proof competition winner algorithm and full alignment with its final test vectors. The project's own website: http://zenroom.org/ Run by Dyne.org Foundation This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. ","url":"https://nlnet.nl/project/Zenroom-oqs/","title":"Quantum-Proof Zenroom"},{"description":" ZSipOs Open hardware for telephony encryption ZSIPOs is a fully open source based encryption solution for internet telephony. It takes the shape of a little dedicated gadget you connect with a desktop phone. At its core the device does not have a normal chip capable of running regular software (including malware) but a so called FPGA (Field Programmable Gate Array). This means the device cannot be remotely updated (secure by design): the functionality is locked down into the chip, and the system is technically incapable of executing anything else. This means no risk of remote takeover by an attacker like with a normal computer or mobile phone connected to a network like the internet. The whole system is open hardware, and the full design is available for introspection. Normal users and security specialists get transparent access to the whole system and can easily check, what functionality is realized by the FPGA. This means anyone can verify the absence of both backdoors and bugs. 
ZSIPOs is designed to be fully compatible with the standard internet telephony system (SIP) which is the one used with traditional telephony numbers. The handling is done in principle by a regular internet phone (Dial, Confirm once – done). The cryptographic system is based on the standard RFC 6189 - ZRTP (with “Z” like Phil Zimmermann, the father of PGP), meaning it can also be used when using internet telephony on a laptop or mobile phone - of course without the additional guarantee of hardware isolation. There is no need to trust in an external service provider to establish the absolute privacy of speech communication. The exchange and verification of a secure key between the parties ensures end-to-end encryption, meaning that no third party can listen into the call. To that extent the device has a display to exchange security codes. The same approach can also be used for secure VPN Bridgeheads, secure storage devices and secure IoT applications and platforms. The ZSipOS approach is an appropriate answer to today's security risks: it is completely decentralized, and has no dependency on central instances. It has a fully transparent design from encryption hardware to software. And it is easy to use with hundreds of millions of existing phones. The project's own website: https://www.vipcomag.de/ Why does this actually matter to end users? Consumers and businesses overpay for computer hardware, because the market is not working well. When you go to a store to buy a laptop or mobile phone, you may see different brands on the outside but choice in terms of what is inside the box (in particular the most expensive component, the processor technology) is pretty much limited to the same core technologies and large vendors that have been in the market for decades. 
This has a much bigger effect on the users than just the hefty price tag of the hardware, because the technologies at that level impact all other technologies and insecurity at that level breaks security across the board. In the field of software, open source has already become the default option in the market for any new setup. In hardware, the situation is different. Users - even very big users such as governments - have very little control over the actual hardware security of the technology they critically depend on every day. Security experts continue to uncover major security issues, and users are rightly concerned about the security of their private data as well as the continuity of their operations. But in a locked-down market there is little anyone can do, because of the lack of alternatives. European companies are locked out of the possibility to contribute solutions and start new businesses that can change the status quo. The issue of insecure hardware becomes even more important when you think of how fast and widespread the use of smartphones has grown. The device that we carry with us every single day and use to call each other, do our personal banking, maintain our social life and manage a host of other online services with is frustratingly opaque and riddled with security vulnerabilities and backdoors. And because most smartphones are produced by a select number of massive companies, the entry to market for more secure and private alternative smartphone hardware is practically impossible. One way to circumvent the status quo of smartphones is to go around the phone itself. Instead of designing a secure and private smartphone from scratch, the ZsipOS adds a plugin device to your phone that handles encoded internet telephony completely on its own. A user only has to connect the gadget to their phone and call someone. 
The program on the device will establish a cryptographic tunnel, basically a secure channel, that ensures no one can listen in or in any way modify the call. Users also do not need to trust an external service provider to handle the call. Because the device is designed to only establish encrypted calls and because it handles everything instead of the smartphone it is connected to, there is little to no risk of an attacker getting in through some forgotten backdoor. The design of the device and the program it runs is completely transparent so security experts can test and verify everything that ZsipOS does and promises to do. Ultimately ZsipOS is an accessible, surefire and fully transparent solution for encrypted internet telephony that fits with any smartphone out there. Run by VIPcom GmbH This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. ","url":"https://nlnet.nl/project/ZSipOs/","title":"ZSipOs"},{"title":"ZSWatch","url":"https://nlnet.nl/project/ZSWatch/","description":" ZSWatch Open smartwatch including software, hardware, and mechanics ZSWatch is a free and open source smartwatch you can build almost from scratch - including software, hardware, and mechanics. 
Everything from the lowest level BLE radio driver code to PCB and casing is available for introspection or to be customised to suit your needs. In this project, the team will add interesting new capabilities such as Heart Rate and Blood Oxygen sensor hardware, create a new iteration of hardware to improve wearability, improve documentation, make it easier to upgrade, and make various improvements to the software including optimising power consumption. The project's own website: https://zswatch.dev This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"description":" ZIP file format description Documenting the ZIP file format for reverse engineers and developers The ZIP file format was originally a compression format, but is meanwhile used a lot in projects. Although there is a historical specification (dating back to 1990), there are plenty of edge cases as well as files not following the specification. These for instance add extra data (electronic signatures/keys, pad data; an example are Android APK files) or change headers (Dahua firmware files). Information is scattered on various webpages, and can be hard to decipher. The goal is to gather this information in one place and to describe the format properly with examples. Given the broad usage of ZIP files in many use cases by different actors, this will be an ongoing effort - as new exceptions and extensions continue to be uncovered. 
The project's own website: https://github.com/armijnhemel/binaryanalysis-ng ","url":"https://nlnet.nl/project/ZIP-format/","title":"ZIP file format description"},{"title":"YunoHost Packaging + Declarative Settings","url":"https://nlnet.nl/project/YunoHost-DeclarativeSettings/","description":" YunoHost Packaging + Declarative Settings Frugal and ergonomic selfhosting YunoHost is a turnkey self-hosting solution based on Debian, designed to simplify server administration while being reliable, secure, and lightweight. In the scope of this grant, YunoHost will implement OIDC and introduce a new generation of packaging mechanism. The OIDC support will align YunoHost with modern SSO practices through the OpenID Connect protocol, with improved security aspects compared to the current homemade SSO. It also facilitates integration with third-party services that support OIDC, while maintaining consistency with YunoHost’s current architecture and centralizing identity management. Packaging v3 will define a more declarative and standardized approach to application packaging. It restructures package design by consolidating scripts and formalizing configuration management, with the aim of limiting redundancy and complexity. Common operations such as system configuration, service management, and lifecycle tasks (install, remove, backup / restore, upgrade) will be abstracted and automated. This approach is expected to improve maintainability and consistency across packages, determinism, security aspects, and pave the way to advanced features. The project's own website: https://yunohost.org Run by Support Self Hosting (SSH) This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. 
Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"title":"Yrs","url":"https://nlnet.nl/project/Yrs/","description":" Yrs Collaborative editing with CRDT written in Rust Yrs \"wires\" will be a native port (in the Rust programming language) of the Yjs shared editing framework. Abstractly speaking, Yjs allows many users to concurrently manipulate state that eventually converges. It is a popular solution for enabling collaborative editing (Google Docs style) on the web because it is indefinitely scalable, works peer-to-peer, and has a rich ecosystem of plugins. There are plugins that allow you to connect with other peers over different network providers (WebRTC, Websocket, Dat/Hyper, IPFS, XMPP, ..) and there are many editor plugins that allow you to make existing (rich-)text editors collaborative. The Yjs project is about connecting projects with each other and providing a network-agnostic solution for syncing state. A native port will allow native applications (e.g. XI, Vi, Emacs, Android, iPhone, ..) to sync state with web-based applications. We chose Rust because it's well suited to be embedded in other languages like C/C++, PHP, Python, Swift, and Java. With Yrs, we want to connect even more projects with each other and provide a modern collaboration engine for native applications. The Rust implementation will implement the full feature set of the shared types, including the event system. This will enable users to parse existing Yjs documents, manipulate them, and implement collaborative applications. The port will make it easy to \"bind\" to another language so that the shared state is available in other languages as well. There will likely be a WASM binding, a C++ binding, and a Python binding (provided by Quantstack). Other existing features like awareness, selective Undo/Redo manager, relative positions, and differential updates will be added after the initial release. 
The project's own website: https://docs.rs/yrs This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. "},{"url":"https://nlnet.nl/project/Yrs-WeakLinks/","title":"Yrs weak links","description":" Yrs weak links More efficient CRDT by interconnecting and synchronising data structures inside documents Yrs weak links project aims to extend existing implementation of Yjs/Yrs - one of the most popular free and open source libraries for building collaborative peer-to-peer applications - with new primitives such as cursors allowing for a seamless integration with rich text editors, and an ability to cross-reference and react to changes occurring in different parts of an application: be it for display or other evaluation purposes like referencing cells in spreadsheet calculations. All of these will be possible while preserving eventual consistency in an environment where applications need to be operable and accept changes coming from many different users even when offline or when the standard Internet access is not available. The project's own website: https://yjs.dev This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. "},{"description":" Yrs Undo Rust-based CRDT framework for real-time multi-user applications Yrs \"wires\" is a native port (in the Rust programming language) of the Yjs shared editing framework. Abstractly speaking, Yjs allows many users to concurrently manipulate state that eventually converges. 
It is a popular solution for enabling collaborative editing (Google Docs style) on the web because it is indefinitely scalable, works peer-to-peer, and has a rich ecosystem of plugins. There are plugins that allow you to connect with other peers over different network providers (WebRTC, Websocket, Dat/Hyper, IPFS, XMPP, ..) and there are many editor plugins that allow you to make existing (rich-)text editors collaborative. This project will add a selective Undo/Redo manager, include support for other native clients and to interop with languages like Java, PHP and Swift. The goal is to reach full feature compatibility with Yjs and improve its performance even more - bringing a collaborative, decentralized experience where users' data lies in their own hands. The project's own website: https://yjs.dev This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. ","url":"https://nlnet.nl/project/Yrs-Undo/","title":"Yrs Undo"},{"description":" Privacy-friendly online age verification Age verification done right There is a broad need for open source privacy-friendly age verification, now that countries around the world are starting to impose age limits for online platforms. Often it is left to providers to come up with a working solution. A privacy-friendly mechanism is badly needed, especially for smaller platforms (including self-hosted instances of decentralised social media in the fediverse) with limited own capacities. This project will create a reusable library which will enable mobile apps to read and parse data from electronic passports (MRTDs) using the device’s NFC capability. 
This library will implement the necessary standards (ICAO 9303) and protocols to communicate with the passport chip, retrieve personal data, and ensure security measures are upheld. The library will automatically perform Basic Access Control (BAC) or Password Authenticated Connection Establishment (PACE) as needed to establish a secure channel with the chip. Users will be able to give a proof of age (without further exposing any private information) simply by holding their phone near a passport or ID card in the correct manner. The project aims for interoperability with passports from a wide range of countries (EU, US, UK, etc.), accounting for different standards or optional features. Additionally, the project will extend the Yivi identity wallet app with functionality to read personal attributes (like name, date of birth, etc) from passports, via NFC, and issue them to the app. The project's own website: https://yivi.app Run by Yivi B.V. This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/Yivi-AgeVerification/","title":"Privacy-friendly online age verification"},{"description":" Yanartas Libre inertial hardware security module Yanartas is an open-source hardware security module (HSM). Yanartas is a secure storage for cryptographic secrets that is protected against advanced attackers including nation-state adversaries using an array of active tamper detection sensors. Unlike something like a smartcard or crypto wallet, the sensors of an HSM like Yanartas are always on and the attacks are detected the moment they happen. 
As part of the project, everything needed to build your own HSM including hardware source files, firmware, and documentation will be published. This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/Yanartas/","title":"Yanartas"},{"description":" YaCy Grid SaaS YaCy Grid Search-as-a-Service creates document crawling indexing functionality for everyone. Users of this new platform will be able to create their custom search portal by defining their own document corpus. Such a service is an advantage as a privacy or branding tool, but also allows scientific research and annotation of semantic content. User-group specific domain knowledge can be organized for custom applications such as fueling artificial intelligence analysis. This should be a benefit i.e. for private persons, journalists, scientists and large groups of people in communities like universities and companies. Instances of the portal should be able to self-support themselves financially: there is turn-key infrastructure to handle payments for crawling/indexing amounts as a subscription on a periodical basis while search requests are free for everyone. The portal will consist of free software, and users can download the portal software itself together with the acquired search index data - so everyone can start running a portal for themselves whenever they want. The project's own website: https://searchlab.eu Why does this actually matter to end users? Search and discovery are some of the most important and essential use cases of the internet. 
When you are in school and need to give a presentation or write a paper, when you are looking for a job, trying to promote your business or finding relevant commercial or public services you need, most of the time you will turn to the internet and more importantly the search bar in your browser to find answers. Searching information and making sure your name, company or idea can be discovered is crucial for users, but they actually have little control over this. Search engines decide what results you see, how your website can be discovered and what information is logged about your searches. What filters and algorithms are used is unclear for users. They can only follow the rules laid out for them, instead of deciding on their own what, where and how to find the information they are looking for. Instead of relying on just a few companies for the incredibly important task of organizing online information, users can also collaborate and organize search and discovery together, providing more control over indexing and ranking, as well as better privacy protection. YaCy is a long-running project where peers index the contents of websites themselves and use decentralized search software that is not managed by a central organization or authority, preventing for example censorship or user tracking. The peer-to-peer approach to web search not only gives users more control and privacy protection, it can also allow organizations, businesses and individuals to organize their own search portal. This project intends to use the existing indexing and search technology of YaCy to create decentralized, peer-to-peer search as a turnkey service. This can be useful for example for universities who need specific search tools to go through massive caches of scientific research, or companies that want to index and look through specific domain knowledge. This way, anyone can easily customize search how they see fit, all the while protecting user privacy. 
Run by YaCy.net This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. ","url":"https://nlnet.nl/project/YacyGrid/","title":"YaCy Grid SaaS"},{"description":" YAWS - Yet Another Web Server Sans IO web server written in Rust HTTP protocols are everywhere, from embedded devices to big data centers. YAWS (Yet Another Web Server) is a harmonized, environment-neutral, open source HTTP server — or, rather, a web server capability that can be used to create web servers. It can be used with modern WebAssembly, io_uring, microkernel, RISC-V or embedded runtimes; even without POSIX, standard library or operating system support. YAWS democratizes HTTP by allowing everyone to integrate a modern HTTP interface safely and securely into wherever and whatever they build. The project's own website: https://github.com/yaws-rs This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","title":"YAWS - Yet Another Web Server","url":"https://nlnet.nl/project/YAWS/"},{"url":"https://nlnet.nl/project/XWikiActivityPub/","title":"XWiki ActivityPub","description":" XWiki ActivityPub First class ActivityPub support in XWiki XWiki is a modern and extensible open source wiki platform. XWiki is the first wiki that is part of the larger federation of collaboration and social software (a.k.a. fediverse), allowing users to collaborate externally. XWiki is embracing the W3C ActivityPub specification. 
Specifically we're implementing the server part of the specification, to be able to both view activity and content happening in external services inside XWiki itself and to make XWiki's activity and content available from these other services too. A specific but crucial use case is to allow content collaboration between different XWiki servers, sharing content and activity. The project's own website: http://www.xwiki.org/xwiki/bin/view/Main/WebHome Why does this actually matter to end users? There are all sorts of places on the web where people come together to share knowledge and store information for others to benefit from. Whether you are documenting the internals of vintage cars, collecting knowledge of procedures within an organisation or project, or gathering technical specifics of software - a very common way of empowering everyone to collaborate is a wiki. A wiki is a website users can edit themselves. You will surely know the free community-backed encyclopedia Wikipedia, but there are many other instances that bring together a wealth of communities. On a wiki, people can effectively organize their own knowledge base, decide how their information is organized and linked, making it easily findable. Wikis are used by organizations, governments and businesses everywhere, sometimes storing data essential for everyday operations, or with sensitive credentials. Some cities have their own wikis, containing rich localized content useful for inhabitants, shop owners and tourists. To make a wiki work, you need active and involved users. Xwiki is a mature free and open source platform that allows organizations to create their own knowledge base, extending and modifying how their wiki works as they please. Extensibility is essential, which is why Xwiki in this project wants to connect itself to the larger federation of decentralized social networks, also known as the federated universe or fediverse. 
Connecting to content and interacting with users of for example Mastodon, Nextcloud and PeerTube makes Xwiki an even richer wiki platform, allowing all sorts of useful extensions of your knowledge base, website, or collaborative intranet using Xwiki. And because the project is built on open source software and protocols, other communities can learn from these efforts to tie all sorts of public and hidden treasure troves of knowledge together precisely how they want to, while staying in control over their social data and the information they want to share online. Run by XWiki SAS This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. "},{"description":" XR Fragments Teamware Design, deploy, federate and integrate portable XR experiences XR Teamware will develop a publishing platform/forge for XR content, and a Blender plugin with direct import export capabilities to said forge and to Icosa gallery. This would allow 3D creators to easily publish and share their ideas, and preview metadata in Blender before exporting. XR Fragments itself is a simple public protocol for networked 3D content to discover, reference, navigate and query 3D online assets (read-only), making it part of the web and thus liberating 3D content creation and content from only existing inside gated products. Within the scope of this project, XR Fragments will streamline the design, deployment, hosting, and integration of portable XR experiences - and thus further simplify embedding, cross-platform support and hosting, as well as add vendor specific support. 
The project's own website: https://xrfragment.org This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/XR-Teamware/","title":"XR Fragments Teamware"},{"description":" XR Fragments Discover, reference, navigate and query 3D online content After the hype of early (and proprietary) virtual reality technologies like Second Life cooled down, there is recently a renewed push towards the “3D” web which uses virtual reality technologies (also marketed under new brand names like \"Metaverse\"). While many technological building blocks are meanwhile available, seamlessly surfing the 3D web however seems quite far away still for a simple reason — browsers exit fullscreen/WebXR mode when switching web addresses, essentially removing the immersive experience when navigating. While such a limitation comes from obvious security considerations, it also pushes VR/AR-Headset owners into walled gardens for a more pleasant experience. XR Fragments is developing a simple public protocol for networked 3D webrings to discover, reference, navigate and query 3D online content (read-only). This allows to enable immersive 3D navigation, liberate 3D content from being locked away inside games / walled gardens and to query objects inside a 3D asset files, without the need of serverside backends. The project's own website: https://xrfragment.org This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. 
","url":"https://nlnet.nl/project/XR-Fragments/","title":"XR Fragments"},{"description":" XMPP Interoperability + Conformance Testing Development of an XMPP Test Suite XMPP is the Extensible Messaging and Presence Protocol. XMPP offers an open, extensible, standardised and mature set of open technologies designed for decentralised communication. With its flexible design and rich history, its utilisation is widespread. To advance interoperability in its diverse ecosystem of developers and implementations of server software, this project will create an implementation-agnostic test suite for XMPP servers, testing for conformance with the XMPP protocol standards. The suite will be designed to be integrated with various third-party CI components to minimise the complexity of including the suite in development processes of the various and varied parties that are developing XMPP server implementations. The project's own website: https://xmpp-interop-testing.github.io This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","url":"https://nlnet.nl/project/XMPP-interop-conformance/","title":"XMPP Interoperability + Conformance Testing"},{"description":" MLS for XMPP Add Message Layer Security to XMPP XMPP (Extensible Messaging and Presence Protocol) is an IETF- standardized (RFC 6120/6121) communication protocol designed for instant messaging and other near-real-time exchange of structured data between two or more network entities. MLS (Messaging Layer Security) is an emerging, IETF-standardized (RFC 9420) protocol for end-to-end encryption of messages and a central part of the IETF MIMI (More Instant Messaging Interoperability) effort to allow communication across messaging apps, for example in the context of the EU Digital Markets Act. 
This project adds support for MLS encrypted messaging to XMPP group chats. This includes creating a prototype implementation, standardizing an XMPP Extension Protocol (XEP) and introducing support in two existing XMPP clients. This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","title":"MLS for XMPP","url":"https://nlnet.nl/project/XMPP-MLS/"},{"url":"https://nlnet.nl/project/Wordpress-ActivityPub/","title":"WordPress ActivityPub","description":" WordPress ActivityPub Bring ActivityPub social networking to the widely used Wordpress WordPress ActivityPub is a plugin that allows your site users to interact with other users in the fediverse. Currently the plugin supports Follows by remote users, sending out public posts to followers, and receiving remote users' public Comments on local posts. This project will develop features allowing for a more rich and typical social experience with Direct messages, Followers only posts, and Threaded comments to and from the fediverse. Moderation tools will be included and user privacy features will also be developed. The project's own website: https://wordpress.org/plugins/activitypub/ Why does this actually matter to end users? A lot of the people we talk to, the media we watch and the services we search for are found in or through using social media. For users these platforms offer easy and usually free services to send public and private messages, stay updated on relevant news and promote your business or product. But the services these social media offer do actually come at a personal and societal cost. The platforms are not neutral exchange platforms like the rest of the internet. They do not just deal with all messages they receive in the same way. 
Part of the corporate social network model is to give some messages preferential treatment over others, i.e. there is a noticeable bias towards those that pay. People only have so much attention they can spare every day, and the companies decide what you cannot skip based on what they get paid. This would be equivalent to you always seeing the newsletter from Coca Cola at the top of your email client, but only half of the emails from your father or local charity because they are automatically put in a folder out of sight. This \"pay to play\" creates a knockout race for attention fueled by commerce, not by arguments, emotions, ethics or societal considerations. This exposure is worsened by the fact that the platforms monetize your data and behaviour. Social media companies create fine-grained personal profiles, that even include attributed political, relational and other deeply personal matters. By clustering people, profiles become more crisp and valuable. But they tend to push people step by step to more extreme options. You liked marijuana. You like drugs. Maybe you like cocaine? You visited a site with conspiracy theories. Well, here is another one which is even more incredible. When these profiles are made available to advertisers at a premium price, psychometrics such as those used by Cambridge Analytica (and others) make it possible to influence subsets of the population in both subtle and crude ways. These selfish business practices continuously raise fundamental societal questions: how do we feel about social media being used by foreign state actors to influence democratic elections through very personalized (and misguided) political campaigns? And how do we contain the algorithmic pressure towards global extremes, rather than bringing people together as one would expect from a social network? Another problematic issue to address is monoculture. 
Social networks do not allow users to cross the boundary of their service in an easy way, leading to social lock-in and a \"winner takes all\" scenario. This limits choice, but also exposes users to legal dangers. Confidential discussions through \"private\" messages for instance turn out to be not so private, such as the case where a United States got the social network Twitter to hand over the personal communication from European human rights activists and a member of the Icelandic parliament over a severe human rights violation by the USA military. The European Court of Human Rights would certainly not have allowed this, but it happened outside of our jurisdiction - even if all the actors never left Europe. The federated universe, abbreviated to fediverse, wants to offer social media users a more transparent, ethical and decentralized environment to talk, find and connect. This is done through a plethora of completely independent servers hosted by organisations and individuals around the world. Each has their own policy, each has their own community and reputation. But they can all interoperate. If you don't like any of the existing options, or want to do something different or innovative, you download some open source software and start your own. If you feel some server is toxic, or misbehaves, it just takes one click to stop listening to what is being said. And there is no need to share data with anyone, if you want to. Every node can essentially be a complete social network in itself. The fediverse is not confined to what a single company wants to do - in every way. That means a broader offering in terms of design, usability and user experience, in terms of technology, ethics and culture. Essentially every server is a full-fledged social network in itself, able to talk to other social networks when it wants. 
People can use the fediverse for traditional social networking, but they can also integrate it with other services such as online video sharing, all without the fear of having their data being monetized or their activity profiled. Switching from closed social networks to the fediverse contributes to privacy and trust, by enabling users to understand and control who sees their data. The fediverse as a network of social networks is also more resilient than a single network could ever be. Next to your social media account, you would like to socialize on your own private place on the web: your website. WordPress is one of the most popular open source content management systems used by millions to design and update their website. This project will add a plugin to WordPress that supports ActivityPub and suddenly turns your website into your personal town square, where people can respond to your posts, you can let everyone know you have a wonderful new article they definitely should read, etcetera. And to make sure the square is a place where you feel safe, moderation and user privacy features will be provided. Plugging in to such a widely popular website tool can help launch ActivityPub and the fediverse to the forefront, making people curious about a more user-friendly and actually social kind of online social networking. This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. "},{"title":"Event Federation Plugin for WordPress","url":"https://nlnet.nl/project/WordPress-EventFederation/","description":" Event Federation Plugin for WordPress Add ActivityPub to events created with most common WordPress event plugins Freedom in announcing events. 
The WordPress Event Federation plugin allows events created in WordPress with the most popular event plugins to be seamlessly published to Fediverse via ActivityPub. The core problem is that events need to be discoverable, listable and subscribable by potential visitors. Since organisers' personal websites do not meet this requirement, most of them publish their events on multiple (commercial) platforms, which results in people searching for events being tied to these platforms. Currently, many to most event organisers use WordPress to run their own website. With this plugin, they can make their events even more visible without changing their workflow. At the same time, they gain data sovereignty and independence from traditional search engines and platforms that give less control over how content can be filtered. The goal is to realise typical use cases, such as server-to-server federation with Mobilizon instances, or another example: to allow Fediverse users, such as those of Mastodon, to follow events directly from the organisers. The project's own website: https://event-federation.eu Run by An association is being founded at the moment. This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. "},{"title":"Wolvic","url":"https://nlnet.nl/project/Wolvic/","description":" Wolvic Web browser designed for use in XR devices Everybody will meanwhile have come across people wearing strange glasses, immersed in a world beyond the here and now. But what are they looking at, and how does the web fit in there? Wolvic is a web browser dedicated to work with virtual reality (VR) and enhanced reality (XR). 
The goal of this project is to add a number of important features such as VR peripheral awareness (placing contextual information on the edge of the user's vision) and spatial reasoning (3D representation of navigation-related information) to the Wolvic browser. Wolvic is the only open source browser available in the XR space, and as such any device maker or other third party can create their own version of Wolvic to explore the burgeoning XR space. The project's own website: https://wolvic.org Run by Igalia SL This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. "},{"description":" Wolvic User Interface Flexible windows, tabs, zooming and web rendering in Wolvic Wolvic is an Open Source Web browser developed for XR (Extended Reality) devices, focusing on delivering both traditional web browsing and immersive experiences across multiple platforms. Led by Igalia, with its significant expertise in browser engine development and standards organizations, Wolvic aims to broaden the accessibility and functionality of web browsing in the XR space. This project will further the development of Wolvic by improving its user experience and adding support for more content, standards, and platforms. We will enhance the flexibility of window management, improve browsing functionality like tabs and zoom, and refine hand tracking and related features in the 3D space. Although Wolvic currently uses the Gecko browser engine, its architecture is designed to be independent of any particular engine; for improved support and performance, we will integrate the Chromium engine and make available a Chromium-based version of Wolvic alongside the existing Gecko-based one. 
Furthermore, we will extend compatibility to new device formats, such as lightweight Augmented Reality (AR) glasses. Finally, we are enhancing our support of AR experiences on the Web and implementing the WebPayments standard for secure online transactions. The project's own website: https://wolvic.org Run by Igalia SL This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","title":"Wolvic User Interface","url":"https://nlnet.nl/project/Wolvic-UI/"},{"description":" Wobble Web Hybrid graphics editor and coding environment WobbleWeb is a hybrid graphics editor and coding environment for making and sharing small-scale websites. It provides a gentle and playful introduction to coding in javascript and html, where dragging something on the page changes the code, and editing the code changes what is on the screen. The project is built upon a set of open-source web components that can be used with the editor as well as independently. The web components serve as a direct wrapper to html, adding gesture-based and direct in-browser editing capabilities to existing HTML and Web APIs. The extensible custom elements allow the open-source community to build more advanced features, such as incorporating canvas elements, WebGL, or integration with backend APIs. WobbleWeb differs from existing graphical webpage builders, with its emphasis on writing javascript for beginners, as well as its modular and extensible ecosystem. The project's own website: https://wwwobble.org This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. 
","url":"https://nlnet.nl/project/WobbleWeb/","title":"Wobble Web"},{"description":" Wispwot Implement generalized scalable protection against disruptive behavior in content discovery Spam and intentional disruption are a major problem in the clearnet. They make it infeasible to have comments on websites without moderation teams, privacy invading humanity checking, and access-restrictions, and they force social networks to decide between invasive censorship and exposing their community to abuse, propaganda and targeted harassment. The core of the problem is that spam scales better than spam-blocking. This project brings the spam-defense from the Hyphanet Project to the fediverse. It replaces instant global visibility with incremental local visibility, fueled by positive social interaction and transitive blocking, so spammers quickly become invisible to most. To scale for groups of arbitrary size, it extends the system from Hyphanet by adding pruning of inactive accounts and efficient rediscovery. With this project, spam-protection scales better than spamming, reducing the work needed to cope with hostile communication, so group-communication won’t require the outsourced, underpaid moderation teams that are prevalent in most centralized social networks. The project's own website: https://hg.sr.ht/~arnebab/wispwot This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. ","url":"https://nlnet.nl/project/Wispwot/","title":"Wispwot"},{"description":" Wishbone Streaming Add Streaming capabilities to Wishbone On System-on-Chips (SoC) the commercial grade bus infrastructure is covered by patents and at best available \"royalty-free\" (but with no ability to change). 
A serious alternative with significant adoption is the Wishbone SoC Bus, which is an Open Standard but does not yet have a \"streaming\" capability. That capability is needed for high-throughput data paths and interfaces. This project will provide an enhancement to the current Wishbone SoC Bus specification, provide Reference Implementations and Bus Function Models (BFM) to easily allow unit tests for all Wishbone BFM users. For demonstration purposes the project will implement an example peripheral to prove the overall concept. The project's own website: https://libre-riscv.org/nlnet_2019_wishbone_streaming Why does this actually matter to end users? When you go to a store to buy a laptop or mobile phone, you may see different brands on the outside but choice in terms of what is inside the box (in particular the most expensive component, the processor technology) is pretty much limited to the same core technologies and large vendors that have been in the market for decades. This has a much bigger effect on the users than just the hefty price tag of the hardware, because the technologies at that level impact all other technologies and insecurity at that level breaks security across the board. In the field of software, open source has already become the default option in the market for any new setup. In hardware, the situation is different. Users - even very big users such as governments - have very little control over the actual hardware security of the technology they critically depend on every day. Security experts continue to uncover major security issues, and users are rightly concerned about the security of their private data as well as the continuity of their operations. But in a locked-down market there is little anyone can do, because of the lack of alternatives. European companies are locked out of the possibility to contribute solutions and start new businesses that can change the status quo. 
This ambitious project wants to deliver the first completely open computer processor in history - one you don't have to merely trust, because you can verify and modify everything about it. All of the technology included, from top to bottom, will become available for inspection, and can be tuned by anyone technically capable enough. This will significantly contribute to the creation of a new generation of computer technologies, as well as more energy efficient and cheaper devices. NGI Zero funds several important building blocks of this project, like this effort to improve an existing open source hardware component that will let parts of the open processor share data with each other. Ultimately these building blocks will come together in a transparent computer processor that can make our computing devices more trustworthy. This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. ","url":"https://nlnet.nl/project/WishboneStreaming/","title":"Wishbone Streaming"},{"description":" Wireguard Rust Implementation Implementation of WireGuard in a type safe language WireGuard is an emerging open VPN protocol. WireGuard stands out from similar solutions, notably OpenVPN and IPSec, by being significantly simpler and hence easier to analyze and implement. WireGuard is currently available on Linux, Windows, MacOS, iOS, Android and BSD variants. WireGuard-rs will be an implementation of WireGuard in the Rust systems programming language. The WireGuard project's desire for a Rust userspace implementation stems from the improved speed, memory consumption and safety guarantees offered by the Rust language, all of which are essential to the nature of the WireGuard project: a high performance, high security VPN. 
This implementation will be targeting userspace for Linux, Windows, MacOS and BSD variants. The project's own website: https://www.wireguard.com/ Why does this actually matter to end users? VPNs (Virtual Private Networks) are common every-day tools, used by businesses, governments and private citizens alike to create secure overlay networks protected against adversaries controlling the underlying network architecture. Private citizens primarily use VPNs to enhance their privacy, by routing their traffic through a trusted intermediary they can hide their origin from any service they access on the internet and hide the contents of their traffic from any eavesdropper between them and their provider; whether it be the shady hotel wifi or an oppressive government. Businesses primarily use VPNs to connect remote sites as if they were situated on the same LAN (Local Area Network), enabling secure remote sharing of internal resources (e.g. printers) without exposing these directly to the internet. Additionally large internet service providers often emulate a secure local network between a number of physically decentralized \"cloud nodes\" by connecting them using a VPN. WireGuard is a new VPN protocol, which aims for security and speed by dramatically simplifying its design and configuration. WireGuard has traditionally been implemented as a Linux kernel module, however a userspace implementation in the Go programming language also brings WireGuard to Windows, Android, MacOS, iOS, and BSD variants. While working with the Go implementation we identified a number of points for improvement: improved control of memory consumption, control of sensitive data in memory, easier integration into other applications, as well as speed. All of these problems stem from the language design of Go, notably the garbage collected nature of the language and the extensive runtime. This also prohibits any future effort to run the same code in userspace and Linux kernel space. 
The users should expect improved speed, memory consumption, security (better control of secrets for \"forward secrecy\") and stability, wherever the userspace implementation is used. We also expect that the switch from Go to Rust might bring improved battery life on mobile platforms. For developers and potential contributors to the WireGuard project, the Rust implementation is also intended to ease integration into other software (notably the iOS and Android applications), as well as provide better compartmentalization of the different WireGuard components. Run by WireGuard This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. ","title":"Wireguard Rust Implementation","url":"https://nlnet.nl/project/Wireguard-Rust/"},{"title":"Wireguard Windows client","url":"https://nlnet.nl/project/WireGuardonWindows/","description":" Wireguard Windows client Native Wireguard protocol client for Windows WireGuard is a next generation VPN protocol that uses state of the art cryptography. WireGuard makes it possible to safely tunnel traffic across the internet. WireGuard presents a new abuse-resistant and high-performance alternative based on modern cryptography, with a focus on implementation and usability simplicity. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. While still under heavy development, it is regarded by many as the most secure, easiest to use, and simplest VPN solution in the industry. Initially released for the Linux kernel, it is now cross-platform and the open source technology is ready for wide deployment. 
Unfortunately, WireGuard support on the widely used Microsoft Windows operating system is still immature and experimental. This makes the technology unavailable to many desktop and notebook users. This project will deliver the first stable Windows version. The project's own website: https://www.wireguard.com/ Why does this actually matter to end users? The internet is unfortunately not only populated just by kind and careful people. And it wasn't designed to be secure either. This is a dangerous and rather unfortunate combination of circumstances, and one you should take into account when you use the internet. When you go online outside of your house or office, chances are you use whatever wireless network you can find to get online. Mobile internet subscriptions are still expensive, so it is logical people seize every opportunity to connect for free. While this is a daily habit for many millions of people, and often nothing bad happens, it does expose you to serious risks. This is because your computer doesn't really know a lot about the world. It depends on information it gets from the networks it connects to. If the network happens to cheat, the computer often has very few defenses. If you use an untrustworthy network to connect you to the internet, you move yourself into the middle of enemy territory. While you happily enjoy your free bits it provides as a way to buy money, it has ample opportunity to exploit all kinds of security weaknesses against you. Essentially, if you got away scot free with connecting to an unsafe network, it probably wasn't your security that held anyone back. You were just lucky that no-one serious tried to do anything - this time. So it is recommended to not connect over wifi networks you don't know. Unless of course you've arranged for a secure tunnel that allows you to teleport your internet traffic across the unsafe local network to the real internet unscathed. 
The concept is surprisingly simple: individual messages sent through the Internet, called packets, are encrypted using some mechanism, and this encrypted message then substitutes the original one, making all communications sent through the tunnel unreadable to eavesdroppers and unalterable to attackers. Proven cryptography protects the integrity of the traffic flowing through the tunnel. And once the packets reach the other end of the tunnel, they can be unpacked. From that point onwards they may continue their life as normal internet traffic. Travelling the path in reverse is of course also possible: packets sent from the internet to your computer are protected in exactly the same way. In anticipation of better technologies that should arrive with the next generation internet, such tunnels are a key technology to guarantee consumer safety. They play a major role in protecting users both from snooping and malicious traffic injection. Sadly, the tools to create these secure tunnels are rather cumbersome (if not plain hard) to work with. This has prevented mass adoption. WireGuard is a completely new entrant to the field, and it is praised widely by technologists for its very high quality. Its goal is to be the most secure and easiest to use VPN solution available. Wireguard has many attractive traits: it is fast, simple and lean. It can run on embedded interfaces and super computers alike, and is fit for many different circumstances. Wireguard makes it very easy to set up a secure tunnel with modern technologies. It employs formally verified cryptographic constructions and has best in class performance. So you can more safely browse the web without annoying delay, even from potentially unsafe networks. WireGuard starts from scratch with modern cryptography and best-practice defense-in-depth implementation strategies. 
It is suitable and easily deployable for both end users and in data centers across the world, and provides an essential core building block for making the Internet safer. Within the project the team will develop a fast and secure WireGuard client for the still widely used Microsoft Windows operating system, for which support is still immature and experimental. Run by Amebis This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. "},{"url":"https://nlnet.nl/project/WireGuard-upscale/","title":"WireGuard","description":" WireGuard Scale up WireGuard WireGuard is a next generation VPN protocol that uses state of the art cryptography. This project aims to deliver various tasks: put WireGuard into the OpenBSD kernel and userspace tooling (tcpdump, ifconfig, wg, etc), rewrite Android client UI in Kotlin and make use of Kotlin coroutines, make the Android code into a library consumable by third-party apps, support more complex DNS and networking management in Windows client, improve performance and stability of cross-platform userspace implementation library, integrate more closely with various Linux netdev semantics and backport to Linux 5.4 and 4.19. The project's own website: https://wireguard.com Why does this actually matter to end users? The internet is unfortunately not only populated just by kind and careful people. And it wasn't designed to be secure either. This is a dangerous and rather unfortunate combination of circumstances, and one you should take into account when you use the internet. When you go online outside of your house or office, chances are you use whatever wireless network you can find to get online. Mobile internet subscriptions are still expensive, so it is logical people seize every opportunity to connect for free. 
While this is a daily habit for many millions of people, and often nothing bad happens, it does expose you to serious risks. This is because your computer doesn't really know a lot about the world. It depends on information it gets from the networks it connects to. If the network happens to cheat, the computer often has very few defenses. If you use an untrustworthy network to connect you to the internet, you move yourself into the middle of enemy territory. While you happily enjoy your free bits it provides as a way to buy money, it has ample opportunity to exploit all kinds of security weaknesses against you. Essentially, if you got away scot free with connecting to an unsafe network, it probably wasn't your security that held anyone back. You were just lucky that no-one serious tried to do anything - this time. So it is recommended to not connect over wifi networks you don't know. Unless of course you've arranged for a secure tunnel that allows you to teleport your internet traffic across the unsafe local network to the real internet unscathed. The concept is surprisingly simple: individual messages sent through the Internet, called packets, are encrypted using some mechanism, and this encrypted message then substitutes the original one, making all communications sent through the tunnel unreadable to eavesdroppers and unalterable to attackers. Proven cryptography protects the integrity of the traffic flowing through the tunnel. And once the packets reach the other end of the tunnel, they can be unpacked. From that point onwards they may continue their life as normal internet traffic. Travelling the path in reverse is of course also possible: packets sent from the internet to your computer are protected in exactly the same way. In anticipation of better technologies that should arrive with the next generation internet, such tunnels are a key technology to guarantee consumer safety. 
They play a major role in protecting users both from snooping and malicious traffic injection. Sadly, the tools to create these secure tunnels is rather cumbersome (if not plain hard) to work with. This has prevented mass adoption. WireGuard is a completely new entrant to the field, and it is praised widely by technologists for its very high quality. Its goal is to be the most secure and easiest to use VPN solution available. Wireguard has many attractive traits: it is fast, simple and lean. It can run on embedded interfaces and super computers alike, and is fit for many different circumstances. Wireguard makes it very easy to set up a secure tunnel with modern technologies. It employs formally verified cryptographic constructions and has best in class performance. So you can more safely browse the web without annoying delay, even from potentially unsafe networks. WireGuard starts from scratch with modern cryptography and best-practice defense-in-depth implementation strategies. It is suitable and easily deployable for both end users and in data centers across the world, and provides an essential core building block for making the Internet safer. NGI has supported this project before and now that WireGuard is included into the most popular and widely used open source operating systems, Linux, new work needs to be done to expand its usefulness, usability and reliability to provide users around the world an actually safe, private and trustworthy online experience. Run by WireGuard This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. "},{"description":" WireGuard on FPGA FPGA implementation of Wireguard protocol written in SpinalHDL This project will do an open hardware implementation of the WireGuard VPN protocol. 
The data plane with symmetric cryptography is implemented in HDL and should be able to handle 100 Gbit/s IP/Ethernet, whereas the asymmetric handshake is implemented on VexRiscv with accelerators and will be capable of maintaining thousands of concurrent connections. An off-the-shelf FPGA card handles the full protocol transparently: Ethernet/Ethernet or Ethernet/PCIe with one side ciphered and the other side plaintext. The project's own website: https://github.com/likewise/BlackwireOverview This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","title":"WireGuard on FPGA","url":"https://nlnet.nl/project/WireGuard-SpinalHDL/"},{"title":"Winden/Magic Wormhole dilation","url":"https://nlnet.nl/project/Winden-MWH-Dilation/","description":" Winden/Magic Wormhole dilation Improving Magic-Wormhole by implementing dilation and multiple file support for the web Winden is an open-source web app built on the Magic-Wormhole protocol, which allows two devices to connect and exchange data without requiring identity information. We are building Winden to make file-transfers for the web secure and private. With Winden, we are giving users control over their data without them needing to trust us. This project adds support for reconnection (referred to as the ‘Dilation’ protocol) and multiple file-transfers into both Winden and wormhole-william, the Go implementation of Magic-Wormhole used by Winden and other projects. Magic-Wormhole file-transfers require both parties to be online at the same time. Dilation allows for reconnection and changing networks during a transfer. This reduces the risks of connection interruptions during these synchronous transfers. 
Multiple file support is a much sought after need for transferring data, which requires Dilation (and Dilation’s sub-channels). The project's own website: https://winden.app Run by Least Authority TFA GmbH This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. "},{"description":" Willow Sync General Sync Protocol for Willow written in Rust Willow is a protocol for syncable data stores, forming resilient data networks which can endure indefinite connectivity outages. This protocol brings qualitative advances to data deletion in distributed networks, supports completely decentralised fine-grained permission schemes, and has been designed to use memory, bandwidth (and consequently energy) efficiently. In this project, the Willow protocol will be implemented using the Rust programming language. This new implementation will be able to take advantage of Rust’s efficiency and safety guarantees, and make the protocol accessible to embedded devices, as well as provide a more efficient solution for smartphones, computers, and servers alike. The project's own website: https://willowprotocol.org Run by Earthstar Project This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","url":"https://nlnet.nl/project/WillowSync/","title":"Willow Sync"},{"url":"https://nlnet.nl/project/Wiktionary-QA/","title":"Wiktionary QA tools","description":" Wiktionary QA tools QA tools to improve the quality, reliability, and consistency of Wiktionary Part of the Wikimedia family, Wiktionary offers a global open data set pertaining to many languages. 
This project will create QA infrastructure and tools to further improve the quality, reliability, and consistency of Wiktionary. Expected outcomes include higher quality data, data that is easier to process and consume, and more collaboration among different language editions of Wiktionary. The project's own website: https://wiktionary.org Run by Martin Michlmayr, a Wiktionary contributor This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"description":" WikiRate Insights 2 Dedicated text search architecture for environmental, social and corporate governance platform The project summary for this project is not yet available. Please come back soon! The project's own website: https://wikirate.org Run by The WikiRate Project e.V. This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. ","title":"WikiRate Insights 2","url":"https://nlnet.nl/project/WikirateInsights2/"},{"description":" WikiRate Insights Transforming WikiRate ESG Platform User Experience to Maximise Reliable Data Insights For too long actionable data about the behavior of companies has been hidden behind the paywalls of commercial data providers. As a result only those with sufficient resources were able to advocate and shape improvements in corporate practice. 
Since launching in 2016, WikiRate.org has become the world’s largest open source registry of ESG (Environmental, Social, and Governance) data with nearly 1 million data points for over 55,000 companies. Through the open data platform anyone can systematically gather, analyze and discuss publicly available information on company practices, joining current debates on corporate responsibility and accountability. By bringing this information together in one place, and making it accessible, comparable and free for all, we aim to provide society with the tools and evidence it needs to spur corporations to respond to the world's social and environmental challenges. Homing in on the usability of the platform, this project will tackle some of the most crucial barriers for users when it comes to gathering and extracting the data, whilst boosting reuse of the open source platform for other purposes. The project's own website: https://wikirate.org Why does this actually matter to end users? Online search and discovery reaches further than the search bar in your browser. There are all sorts of places where people can come together to share knowledge and store information for others to sift through, looking for a particular name, email address or useful snippet. One of these places is a wiki, of which the free community-backed encyclopedia Wikipedia is the most prominent example. On a wiki, people can effectively organize their own knowledge base, decide how their information is organized and linked, making it easily findable. Wiki's are used by organizations, governments and businesses everywhere, sometimes storing data essential for everyday operations, or with sensitive credentials. Some cities have their own wiki's, containing rich localized content useful for inhabitants, shop owners and tourists. Wikis are also a perfect place to crowdsource information that was previously scattered and hard to comprehend. 
That is what WikiRate.org has been doing for environmental, social and governance data about companies. Collecting and organizing this data in a meaningful way enables researchers, activists and journalists to better understand the impact of businesses on our society and environment. Through this project Wikirate will make it easier to gather and extract this information and also allow others to leverage the technology behind Wikirate and start a wiki of their own. Run by WikiRate This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. ","title":"WikiRate Insights","url":"https://nlnet.nl/project/WikirateInsights/"},{"title":"WikiRate: More Sites, More Cites","url":"https://nlnet.nl/project/Wikirate-Cite/","description":" WikiRate: More Sites, More Cites Persistent citation for Dekko-based open source data collections WikiRate.org is the largest open source registry of ESG data in the world with more than 3.5 million data points for over 100,000 companies. By bringing this information together in one place and making it accessible, comparable and free for all, we aim to provide society with the tools and evidence needed to help and encourage companies to respond to the world's social and environmental challenges. To achieve this systemic change we need corporate accountability at scale. Focusing on the top 10, 100, or even 1000 companies, is not sufficient. Rather we need to monitor and understand impacts at industry and value chain levels, whilst leveraging individual corporate accountability to transform companies into positive agents of change. 
This follow-up project is focused on adding functionality to the underlying tool (Decko) which will allow in a fine-grained way to point at specific data slices, as well as a history of any updates and corrections to such data. The project's own website: https://wikirate.org Run by WikiRate This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. "},{"description":" XWiki Bring wiki capabilities into the Fediverse XWiki is a modern and extensible open source wiki platform. Up until now, XWiki had been focusing on providing the best collaboration experience and features to its users. We're now taking this to the next level by having XWiki be part of the larger federation of collaboration and social software (a.k.a. fediverse), thus allowing users to collaborate externally. XWiki is embracing the W3C ActivityPub specification. Specifically we're implementing the server part of the specification, to be able to both view activity and content happening in external services inside XWiki itself and to make XWiki's activity and content available from these other services too. A specific but crucial use case, is to allow content collaboration between different XWiki servers, sharing content and activity. The project's own website: http://www.xwiki.org Why does this actually matter to end users? Online search and discovery reaches further than the search bar in your browser. There are all sorts of places where people can come together to share knowledge and store information for others to sift through, looking for a particular name, email address or useful snippet. One of these places is a wiki, of which the free community-backed encyclopedia Wikipedia is the most prominent example. 
On a wiki, people can effectively organize their own knowledge base, decide how their information is organized and linked, making it easily findable. Wiki's are used by organizations, governments and businesses everywhere, sometimes storing data essential for everyday operations, or with sensitive credentials. Some cities have their own wiki's, containing rich localized content useful for inhabitants, shop owners and tourists. To make a wiki work, you need active and involved users. Xwiki is a platform offering free and open source wiki software for organizations to create their own knowledge base, extending and modifying how the wiki works as they please. Extensibility is essential, which is why Xwiki in this project wants to connect itself to the larger federation of decentralized social networks, also known as the federated universe or fediverse. Connecting to content and interacting with users of for example Mastodon, Nextcloud and PeerTube makes Xwiki an even richer wiki platform, allowing all sorts of useful extensions of your knowledge base, website, or collaborative intranet using Xwiki. And because the project is built on open source software and protocols, other communities can learn from these efforts to tie all sorts of public and hidden treasure troves of knowledge together precisely how they want to, while staying in control over their social data and the information they want to share online. Run by XWiki SAS This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. ","title":"XWiki","url":"https://nlnet.nl/project/WikiActivityPub/"},{"description":" Whisperfish Cross-platform mobile client for Signal and derivatives Whisperfish is a third-party open source client for the popular Signal instant messaging network. 
Whisperfish is in an advanced beta stage, and is available for SailfishOS. In collaboration with the Axolotl project, within this project we aim to implement full-fledged clients for various mobile operating systems. The project's own website: https://gitlab.com/whisperfish/whisperfish/ This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","title":"Whisperfish","url":"https://nlnet.nl/project/Whisperfish/"},{"title":"Whippet","url":"https://nlnet.nl/project/Whippet/","description":" Whippet A new local maximum in safe, managed memory Whippet is a new automatic memory manager (garbage collector) which is designed to be incorporated into the Guile Scheme programming language implementation. Switching to Whippet should improve the speed and scalability of Guix and other Guile-based software while also lowering total system memory usage. This project aims to push Whippet over the finish line, filling in missing functionality and doing the last-mile work to incorporate Whippet into Guile. The anticipated results should also give confidence to other language run-times looking for a state-of-the-art, embeddable, minimal, no-dependency garbage collector. The project's own website: https://github.com/wingo/whippet Run by Igalia, S.L. This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. 
"},{"title":"WgMath","url":"https://nlnet.nl/project/WgMath/","description":" WgMath Open GPU scientific computing for every platform Today’s GPU scientific computing ecosystem is still strongly dominated by CUDA, a closed, proprietary technology tied to a specific hardware vendor. The WgMath project aims to empower the scientific computing community, including the web community, with a collection of foundational GPU mathematical libraries that are fully cross-platform (hence not tied to a specific hardware vendor) by leveraging the open WebGPU standard, as well as WebAssembly for browser support. WgMath will provide mathematical compute shaders for linear algebra, geometry, and rigid-body physics simulation; as well as some utilities for easily combining WGSL shaders through Rust libraries and its popular Cargo dependencies management tool. With the creation of these foundational libraries, we aim to promote the development of a scientific computing community building highly performant, reusable, cross-platform, scientific computing projects, while relying on open standards, and preserving freedom of GPU hardware selection. The project's own website: https://wgmath.rs This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"description":" Webxdc evolve Comparative analysis of HTML5 app containers Webxdc.org is an evolving standard which defines a format for portable HTML5 applications and an API for local-first, peer-to-peer, end-to-end encrypted applications. For this project we will perform a comprehensive survey of historical and contemporary efforts with similar goals, including those by W3C working groups, independent open-source developers, and noteworthy proprietary platforms. 
We'll produce reference documents providing developers with a comprehensive overview of the space, summarizing their options for packaging portable HTML5 applications for different platforms, and highlighting affinities between closely aligned projects. As a follow-up, we'll propose additions to the webxdc API based on patterns observed in other projects, aiming to reduce the complexity of common designs and facilitate portability between or interoperability with existing platform implementations. The project's own website: https://webxdc.org Run by cryptography.dog OÜ This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","url":"https://nlnet.nl/project/Webxdc-Evolve/","title":"Webxdc evolve"},{"description":" Web Shell Desktop and security environment for web apps The WebShell project aims to define and implement a new secure dataflow and the accompanying APIs for allowing users to use their files in Web apps without authorizing the apps to access the user's file storage. At its core, WebShell consists of a container single-page application which can open remote components (primarily apps and file-system adapters) in sandboxed iframes and communicate with them through HTML5 message channels using the defined APIs. WebShell provides for file operations and the required UI (file menus, toolbars, dialogs) to support the familiar file operations (new, open, save, etc.) while apps merely implement serialization and deserialization of an individual file's content, after the user's explicit request. The project will build a fully-featured WebShell Desktop container, as well as a minimal WebShell container for testing and easy deployment of single apps. 
In addition, we will integrate a starter set of editor apps for common file types and a starter set of file system adapters, concentrating primarily on self-hosting and non-commercial web storage solutions like remotestorage.io and Solid storage. The project's own website: http://websh.org Why does this actually matter to end users? As soon as you sign up with a free email provider or install an operating system, you usually get some cloud storage space. Accessing your data through an online environment has become commonplace, both for businesses and for individuals. You can share everything from a grocery list with your significant other or even store sensitive documents in the cloud so you can access them from work or on the road. But to be able to have users upload, edit or create files online and pass them around, many cloud services require full access to users' data. Like the extensive (and sometimes unreadable) privacy policies you already had to wade through to open your 'free' account, users do not have many options. Either you click yes and the cloud is yours, or you deny the apps all access and are left to your own devices. The fact that you want to access your data online, does not mean you need to store it in a place where the provider requires you to hand over the keys. Especially when it is unclear who can use the keys to look around in your documents, or analyze sensitive documents simply for the sake of personally profiled advertising, which quite certainly is not what you signed up for. You would want to know where your data is, lock the doors to it yourself and keep the keys somewhere safe (without any intricate key management or cryptographic busywork). WebShell combines these features of complete data control and user-friendly data access in an environment you are already familiar with: an online version of your desktop. 
Just like when you start up your laptop or home computer, you start up WebShell and go through your files, open an application to edit something, and switch it off again. Instead of these apps requiring full access to your data that is hosted somewhere in the world, you can self-host your data vault (or choose a hosting service you know and trust) and apps never operate on your files directly. The web desktop securely opens and saves your files and only with your express permission. Run by Ljudmila Art And Science Laboratory This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. ","url":"https://nlnet.nl/project/Webshell/","title":"Web Shell"},{"description":" Weblate Android SDK Live localisation updates for Android apps Weblate is a free and open-source localisation platform. Thanks to Weblate, thousands of projects including applications, websites or even comic art pieces are easily translated into any language desired. Weblate removes the hurdle of understanding a programming language from the translation process, thus enabling anyone to join the efforts, and building active user communities with truly democratic spirit around the projects involved. The aim of the Android SDK project is to support streamlining community driven localisation efforts directly into android application without the additional step of releasing a new version. This will further ease the process of translating and will enable developers to allow translations into a wider range of languages, including those with smaller communities. 
The project's own website: https://github.com/WeblateOrg/weblate Run by Weblate This project was funded through the NGI Mobifree Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme under the aegis of DG Communications Networks, Content and Technology. The NGI Mobifree R&D programme is part of Horizon Europe research and innovation programme under grant agreement No. 101135795. ","url":"https://nlnet.nl/project/Weblate-Android-SDK/","title":"Weblate Android SDK"},{"title":"","url":"https://nlnet.nl/project/WebZero/","description":""},{"description":" WebXray Discovery Expose tracking mechanism in search hubs WebXray intends to build a filter extension for the popular and privacy-friendly meta-search Searx that will show users what third party trackers are used on the sites in their results pages. Full transparency of what tracker is operated by what company is provided to users, who will be able to filter out sites that use particular trackers. This filter tool will be built on the unique ownership database WebXray maintains of tracking companies that collect personal data of website visitors. Mapping the ownership of tracking companies which sell behavioural profiles of individuals, is critical for all privacy and trust-enhancing technologies. Considerable scrutiny is given to the large players who conduct third party tracking and advertising whilst little scrutiny is given to large numbers of smaller companies who collect and sell unknown volumes of personal data. Such collection is unsolicited, with invisible beneficiaries. The ease and speed of corporate registration provides the opportunity for data brokers to mitigate their liability when collecting data profiles. We must therefore establish a systematic database of data broker domain ownership. 
The filter extension that will be the output of the project will make this ownership database visible and actionable to end users, and to curate the crowdsourced data and add it to the current database of ownership (which is already comprehensive, containing detailed information on more than 1,000 ad tech tracking domains). The project's own website: https://webXray.org Why does this actually matter to end users? It is a scenario you probably run through several times a day on autopilot, without even noticing you are doing it: you are looking for some specific information, and submit some related key words to an online search engine. The search provider gets a large list of results, applies a set of ranking algorithms to it (pushing back potentially millions of results in favour of a handful of things it decides to push forward) , and you are given a single webpage that holds a shortlist of results together with some adds. Each of these results has a short description and a link to visit the page. A quick glance tells you that a couple of these results seem relevant to what you are looking for. Normally, you would just click, find what you need or browse around. But what do you actually know about these sites, other than that they contain the same words that you were looking for? Once you've decided to click on a link, you have to reveal yourself to a significant extent to the website operator or its providers - but also to anyone they allow to be present on the website you visit. Your browser by default sends all kinds of fingerprintable information, some of which is unavoidable without active intervention and can be extremely telling (like ones current IP address). This can be combined with the context you are visiting: medical problem A, gossip B, professional interest C. Many crucial internet and web standards were not designed with user privacy in mind, let alone giving users any sense of control over who can see what they do online. 
This opportunity for evel has been seized by all sorts of tracking and tracing schemes that make detailed profiles of people, which can then be (mis)used for commercial or even criminal gain. Another thing is to note is that trackers get to run software on your computer. So the minute you enter a web premise, you automatically start downloading all kinds of potentially risky things from around the internet, including payloads from other sites that you never actively chose to interact with. These downloads often include known attack vectors like javascript, which (unless you actively take precautions) are even automatically executed. Once you are on the web page you could probably search for and read the Terms of Service of the site. This may inform you that these third parties exist and are feasting away on your data, and that each has their own separate Terms of Service you could start looking for yourself. Note also that some sites contain dozens or even hundreds of trackers, which they combine with your context - and depending on what you were looking for, this can be quite telling. So at that point it is already too late. Through regulations like the GPDR you may have the right to request what information is being captured from you, but in practical terms this is infeasible for normal people to do for every web page they come across looking for something. You just wanted to quickly search for something, remember. You can perhaps accept a company to do some analytics for its own purposes. You did not ask for an exponential exposure to a swarm of tracking companies that sell your data to the internet. In other words, you unknowingly opened a can of worms. What you really want to know is: are the pages you are about to visit stuffed from top to bottom with hidden trackers, each of them with an unhealthy interest in as much of your online behaviour as you are unable to shield off? 
Who is actually behind these domain names (a single tracker company may have different web domains it hides under, and these can be changed within minutes. The data they collect remains piled up on a single mountain of observations, though. Who are the companies behind these shady business practices that index detailed information, where are the owners located and what law are they subject to? How come that we can look through billions of pages of content in fractions of a second looking for any combination of words, but get no clue about what privacy or security we can expect there? And this despite the rather obvious nature of allowing other domains to take a peek on its visitors? A major step to taking back control of our online presence is to map out how our privacy is violated on a website by website basis, and by whom. If you ever used a tracker blocking app or browser extension, you will have seen tens or hundreds of unrecognizable titles and unfamiliar organization names. What if we can show you which of these 'parasitic' actors are where? This is what the WebXRay Search project aims to do. It continuously runs across the web looking not for content, but for trackers. And it will make this information directly visible to you as you search, so before harm is done. If your current search engine operates trackers itself, it may not have a business interest to deploy this. This is why WebXRay Search will be made available through an extension for the privacy-friendly and customizable Searx meta search engine. This is a privacy-enhancing search proxy you can install yourself and share with others. You get the combined search results from many different sources, and for each of these results you can see what kind of tracking situation you will experience. And you will even be able to just automatically block results that feature the worst offenders. 
These ethical filters help inform and protect users and their privacy, because wholly avoiding trackers is even better than using a tracking blocker. In addition to being a very practical solution for the general audience, the results of the project will also be useful to institutions that enforce privacy legislation like the GDPR. These organisations will be able to visually check which organizations operate outside the law. Journalists or NGOs that research personal data collection can use the tool for their studies. Let's halt unsolicited and unlawful tracking and profiling, so people can just enjoy the web again without too much fear for their privacy. Run by Webxray This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. ","url":"https://nlnet.nl/project/WebXRay/","title":"WebXray Discovery"},{"title":"DeltaChat/WebXDC","url":"https://nlnet.nl/project/WebXDC/","description":" DeltaChat/WebXDC Portable private apps that can be shared in e.g. chat Webxdc is a fresh and still evolving effort to explore \"private apps\", essentially 'portable' web apps through which users can interact in any number of ways outside of the traditional client-server paradigm, e.g. over E2EE chat. These mini-apps offer interesting interaction patterns -- without any dependency on centralised infrastructure, additional logins etc. It grew from Delta Chat, a highly innovative solution that uses secure email-based communication technology for social networking, protected with OpenPGP/Autocrypt. The project will further develop the concept of Webxdc apps, and make it for instance possible for users to make data portable (which is currently not possible due to missing security controls for that). 
The project's own website: https://webxdc.org Run by merlinux GmbH This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. "},{"url":"https://nlnet.nl/project/WebXDC-XMPP/","title":"WebXDC XMPP","description":" WebXDC XMPP Standardisation effort for WebXDC integration in XMPP WebXDC is a fresh and still evolving effort to explore \"private apps\", essentially 'portable' web apps through which users can interact in any number of ways outside of the traditional client-server paradigm, e.g. over E2EE chat. Originally developed for Delta Chat over SMTP, we will bring the latest version of this experience to the XMPP ecosystem, including a standardized interchange format for other XMPP clients to use, and a gateway for communication with existing Delta Chat WebXDC users. The project's own website: https://cheogram.com Run by MBOA Technology Co-operative, Inc This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. "},{"description":" webxdc PUSH Towards a usable, interoperable and trustworthy web app ecosystem Webxdc PUSH advances a new paradigm for writing and distributing web apps, majorly improving interoperability, usability, reliability, trustworthiness and interactivity of chat-shared web apps (webxdc) across messengers and platforms. PUSH enables webxdc app developers to use new P2P real-time messaging facilities, new notification, deeplinking and context APIs, majorly leveling up the cross-messenger webxdc effort and specifications. 
The project's own website: https://webxdc.org Run by merlinux GmbH This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","title":"webxdc PUSH","url":"https://nlnet.nl/project/WebXDC-Push/"},{"title":"Improving WebKit on Windows","url":"https://nlnet.nl/project/WebKit-on-Windows/","description":" Improving WebKit on Windows Improve Windows support for the WebKit browser engine This project is archived. Due to circumstances, the project as planned did not take place. This page is left as a placeholder, for transparency reasons and to perhaps inspire others to take up this work. WebKit is an open source browser engine, used by Safari and others. Such a browser engine is used to lay out web pages, graphically render the content and perform all other kinds of tasks under the hood of a browser or WebView. In recent years, one engine (Google's Blink engine, which forked from Webkit in 2013) has started to become nearly pervasive due to the market share of Google. Having a global dependency on a single piece of code maintained by a single entity is a significant liability, and isn't good for the open web either. It is important that applications on all platforms are able to choose from different engines like WebKit, Gecko or Servo. One weak part of Webkit in recent years has been its limited support for the Windows platform. This project will focus on enabling more features in WebKit’s Windows port, to make WebKit a more viable alternative choice when building a cross-platform web browser. 
This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"title":"Web Annotation","url":"https://nlnet.nl/project/WebAnnotation/","description":" Web Annotation Building blocks for interoperable annotation systems The idea of web annotation is to support the creation and exchange of annotations on any visited page; thereby enabling people to make, share, and discover corrections, rebuttals, side-notes, or other contextually relevant resources. Using the W3C’s Web Annotation standard, and contributing to the incubating Apache Annotator project, this project works on modules and tools that facilitate a diverse ecosystem of interoperable annotation systems. The project's own website: https://annotator.apache.org Why does this actually matter to end users? Undoubtedly you have come across some article, wiki entry, video or comment that made you want to react immediately. Maybe someone was looking for some obscure artist you know everything about, a question was answered incorrectly, or an article left out some essential bit of information. Or you simply did not have the time to go through everything and wanted to leave a reminder for yourself, 'must watch this when home'. But to leave a comment or pin a note to a page, you need to login to some service you don't know, fill in your name and email address, and instead of all the hassle you simply leave it alone and close the page. What if creating and exchanging annotations on the web would be as simple as writing down a note on a piece of paper? Instead of using all sorts of different tools and apps that do not interoperate, there is an organized effort of standardization communities and open source developers to make open, flexible and extendable annotation technology. 
This project will use a new standard format for annotations for new tools and solutions that can recognize and enrich each other, ultimately creating a fluid and friction-less environment for web annotation. Users will be able to easily add comments or notes to a web page, read other people's annotations of their choice and search through useful items, all from the comfort of their browser. Web annotation can make search and discovery richer and more intuitive, but only when the technology used is sufficiently interoperable and open that for a user, it is as simple as browsing, or as scribbling their thoughts on a page. This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. "},{"title":"WeasyPrint","url":"https://nlnet.nl/project/Weasyprint/","description":" WeasyPrint Print rendering engine for HTML and CSS WeasyPrint helps web developers create high quality print documents. It turns simple HTML pages into gorgeous statistical reports, invoices, tickets… From a technical point of view, WeasyPrint is a visual rendering engine for HTML and CSS that can export to PDF - independent from rendering engine like WebKit or Gecko. It aims to support web standards for printing. WeasyPrint is free software made available under a BSD license. The CSS layout engine is written in Python, designed for pagination, and meant to be easy to hack on. The project's own website: https://weasyprint.org Run by CourtBouillon This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. 
"},{"title":"Wayland input method support","url":"https://nlnet.nl/project/WaylandInput/","description":" Wayland input method support Better specification for Wayland input methods As Linux distributions switch to Wayland, some functionality is still incomplete. One of them is being able to input non-Latin scripts. It is a necessity for a large portion of the world, yet it's not standardized across Wayland environments. The same text input functionality is needed for typing on mobile Linux, which, considering how many people use smartphones rather than laptops, might be even more important for Linux adoption. This project wants to bridge that gap, by continuing the effort of standardizing input-method protocols started for Phosh in Squeekboard, gtk, and wlroots. The project's own website: https://gitlab.freedesktop.org/wayland/wayland-protocols/-/issues/39 This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"url":"https://nlnet.nl/project/Waydroid-linuxmobile/","title":"Integration of Waydroid on mobile GNU/Linux","description":" Integration of Waydroid on mobile GNU/Linux Run Android apps in Linux containers on mobile devices Waydroid lets the user run Android within a container on a regular GNU/Linux system, bringing access to countless existing Android applications. This particular project aims to research and implement tighter integration between the Waydroid container and its host system in terms of hardware access (sensors, location, telephony, cameras) and desktop environment (notifications, media controls), while keeping the user in control of what and when is shared with the Android container. 
The project's own website: https://waydro.id This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"url":"https://nlnet.nl/project/Wax/","title":"Wax","description":" Wax Add ODF, legacy office and PDF capabilities to Wax Wax (formerly known as CokoDocs) is an open-source, web-based Word Processor that is collaborative by design. In this project we're actively extending CokoDocs' use cases to include paging support (through PagedJS), OpenDocument Format import/export as well as support for some legacy file formats. In addition we will add backend system configuration, asset management, text chat and more. CokoDocs aims to become a best-in-breed, highly customizable, and innovative word processor with strong privacy and security properties and elegant accessible design. The project's own website: https://wax.is This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"title":"Waterfall","url":"https://nlnet.nl/project/Waterfall/","description":" Waterfall Agile framework for the development and deployment of watermarking schemes Traffic watermarking is a powerful but underutilized technique for network traffic analysis, primarily applied today in evaluating the security of anonymity systems like Tor. This project aims to develop Waterfall, a system designed to provide a unified, flexible framework for the development and deployment of a variety of traffic watermarking schemes. Waterfall operates by intercepting network traffic, embedding and detecting watermarks at multiple points in the network. 
The goal of Waterfall is to be versatile enough to replicate representative watermarking schemes from the research literature, while adapting them to be more effective and creating new versions. In addition, Waterfall allows the analysis of new protocols such as Tor's Conflux protocol, a recent improvement in Tor's performance that may also increase its susceptibility to watermarking attacks. Run by Ruhr University Bochum This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"url":"https://nlnet.nl/project/Wagtail/","title":"Waytale","description":" Waytale Spatially organized interactive 2D social space The space around us impacts us. Different spaces (like your living room, the office, or a café) influence how we perceive others (like dear ones, work colleagues, or strangers) or which behaviours we engage in (like studying, relaxing, or chatting). What if online spaces would better support what we want to do and how we interact with others? Waytale provides spatially organised online spaces that can be flexibly designed, customised, and extended. Navigate your avatar intuitively through 2D spaces and discover the interlinked spaces of your friends' friends. Meet people, feel the presence of others in different ways, and engage with the world. Create your personal space and express your creativity with tools matching your skill level. Link your space to others and extend it with functionality like video calling, productivity tools, or games. Self-host your personal instance only requiring minimal technical knowledge and without cost. 
Stay in control of your data and who you federate with using modern peer-to-peer technology. Share what you know, empower others, and form communities. Are you there? The project's own website: https://waytale.codeberg.page This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"title":"Independent captions and transcript augmentation","url":"https://nlnet.nl/project/WaasabiCaptions/","description":" Independent captions and transcript augmentation Speech-to-text integration for Waasabi This project is archived. Due to circumstances, the project as planned did not take place. This page is left as a placeholder, for transparency reasons and to perhaps inspire others to take up this work. Waasabi is a highly customizable platform for self-hosted video streaming (live broadcast) events. It is provided as a flexible open source web framework that anyone can host and integrate directly into their existing website. By focusing on quick setup, ease of use and customizability Waasabi aims to lower the barrier of entry for hosting custom live streaming events on one's own website, side-stepping the cost, compromises and limitations stemming from using various \"batteries-included\" offerings, but also removing the hassle of having to build everything from scratch. In this project the team seeks to integrate tools for transcript augmentation, augmented human captioning and automatic machine-generated captions using open-source software based on machine learning and royalty-free training data and models. The primary use case is live captioning for live internet broadcasts (primarily video streaming). 
With such tools online event organizers will be able to create interactive transcripts and better live captions for their events anytime everywhere - and without external dependencies. The project's own website: https://waasabi.org/projects/waasabi-captions.html This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. "},{"url":"https://nlnet.nl/project/Waasabi/","title":"Waasabi Framework","description":" Waasabi Framework P2P Live Streaming for events Waasabi is a highly customizable platform for self-hosted video streaming (live broadcast) events. It is provided as a flexible open source web framework that anyone can host and integrate directly into their existing website. By focusing on quick setup, ease of use and customizability Waasabi aims to lower the barrier of entry for hosting custom live streaming events on one's own website, side-stepping the cost, compromises and limitations stemming from using various \"batteries-included\" offerings, but also removing the hassle of having to build everything from scratch. Active research into the creation of a peer-to-peer streaming backend seeks to advance the project's long-term goal of promoting the adoption of owned experiences through the use of decentralized technology. By further cutting down on dependencies, cost and infrastructure complexity this effort aims to enable broadcasts to scale as the audience size grows, which in turn will support Waasabi's continued adoption. The project's own website: https://waasabi.org Why does this actually matter to end users? One of the things people enjoy the most about the internet, is that it enables them to talk to others remotely almost without limit. 
Internet allows anyone to keep closely connected with friends and family, and help their kids solve a math problem while they are at work. People collaborate with their colleagues from the couch of their living room, the cafe where they enjoy lunch or on their cell phone on the bus to the gym. Businesses can easily service their customers where this is most convenient to them, without having to travel themselves. This is so convenient, that some businesses have already moved entirely online. Internet communication has become the nerve center of whole neighbourhoods, where people watch over the possessions of their neighbours while these are away for work or leisure. However, users have a hard time understanding how privacy is impacted if they use the wrong technology. Because internet works almost everywhere, the natural privacy protection of the walls of a house, a school or an office is gone. Unlike the traditional phone companies, many of the large technology providers run their business not on delivering an honest service but on secretly eavesdropping on their users and selling information to others. It is mostly not about what you say, so it is relatively easy for providers to allow some form of privacy by encrypting messages. The more interesting parts are who talks to whom, when, and where they are in the real world while they meet on the internet. If you want to be reachable across the internet, you have to constantly let the communication provider follow you wherever you go. This makes the private and professional lives of citizens an open book to companies that with the help of AI and other technologies make billions from selling 'hidden data' that normal people are completely unaware even exists. And of course in societies that are not so democratic, this type of information is critical to bring down opposition and stifle human rights. 
These risks of surveillance and profiling also exist for videoconferencing, which can be very useful to reach a worldwide audience, but is not so democratic when that audience is continuously tracked. Especially public institutions like schools, universities and local governments should not rely on proprietary hardware and software for videoconferencing, as they risk having their viewers logged and their videos stored and monetized. Instead public conferencing can be done with publicly developed and transparent devices and tools. Luckily the range of open source alternatives is growing with easy-to-set-up, self-hostable solutions for video streaming like Waasabi. Run by MTÜ Bay Area Tech Club This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. "},{"description":" Wsdr Cloud-based Cellular Network in a Browser While several open-source cellular network implementations have emerged over the past decade, most remain complex and inaccessible to non-experts—limiting broader exploration and innovation in the field. This project aims to change that by introducing a browser-based cellular network powered by WebUSB and WebAssembly. By connecting a USB software-defined radio (SDR), users can deploy cellular networks without requiring deep engineering knowledge or complex setups. The WebSDR architecture runs a full BTS (Base Transceiver Station) directly in the browser, while BSC/MSC components operate in the backend - either locally or in the cloud. This allows rapid, plug-and-play deployment of 2G networks for a wide range of use cases, including emergency response, off-grid expeditions, temporary installations, and prototyping. 
By making cellular technology more accessible, the project fosters openness, hands-on experimentation, and inclusive innovation in wireless communications - establishing 2G as a practical starting point for building and understanding more advanced 4G and 5G networks. The project's own website: https://wavelet-lab.com/ Run by Wavelet Lab This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/WSDR/","title":"Wsdr"},{"description":" WPT automatic testing for platform accessibility mappings Improve testing of platform a11y support in Web Platform Tests In order to support assistive technology (AT), web browsers must provide information about web pages' contents via OS-specific accessibility APIs. The Accessible Rich Internet Applications (ARIA) suite of standards includes specifications concerning how browsers should translate the web page contents into each supported API. To date, these Accessibility API Mapping (AAM) specifications have not been tested in a standard way across browsers. This project will help extend the primary test suite for web standards (https://web-platform-tests.org/) to allow for testing of accessibility APIs. The project also includes writing tests for the Linux accessibility API mappings. With these additions to the test suite, we will be able to find interop bugs between browsers and web developers will be able to understand the status of browser support for accessibility features they want to use on the Linux platform. 
The project's own website: https://github.com/web-platform-tests/ Run by Igalia This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","url":"https://nlnet.nl/project/WPT-PlatformAccessibility/","title":"WPT automatic testing for platform accessibility mappings"},{"title":"WPE Android","url":"https://nlnet.nl/project/WPE-Android/","description":" WPE Android Embedded-friendly Webview based on WebKit WPE (Web Platform for Embedded) is a WebKit port for Linux-based embedded devices with a focus on flexibility, security and performance on lower-powered devices. Albeit less known than Chromium, Firefox or Safari, WPE is currently deployed in millions of embedded devices (e.g. set-top-boxes, smart home devices, kitchen appliances, infotainment, etc), but it hasn't yet reached those based on the Android Operating System, which has become an important actor for certain types of devices, such as phones, tablets, set-top-boxes and even IoT devices. In such environments, the only option currently available to leverage the power of the Web Platform is to use Android's WebView, which is based on Chromium and therefore problematic in cases where using that is not an option. By bringing WPE to Android in the form of an Android WebView-compatible component, we aim not just to make WPE available in more platforms but also to expand the options Android developers currently have so that they can choose between a Chromium-based WebView and a WebKit-based WebView for their applications. This would be great to cover Web rendering needs in general on Android, and particularly beneficial for multimedia-intensive use cases (e.g. set-top-boxes, digital signage...), as well as for other less conventional use cases such as QA & testing (e.g. 
testing WebKit-based browsers on Android based systems). Last but not least, as a side effect of widening the reach of WPE to Android-based devices, we believe that we would also be bringing more balance and diversity to the Web, by making sure that developers have a realistic alternative to the Chromium-based Web rendering engine they can use to develop their products. The project's own website: https://wpewebkit.org Run by Igalia This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"description":" ActivityPub Polls for WordPress WordPress plugin for social polls This project will develop an ActivityPub-based poll plugin for WordPress that integrates with the WordPress ActivityPub plugin. The plugin will feature a modern editor interface using Gutenberg blocks, a public-facing view for displaying polls and results, and robust ActivityPub-based vote handling. While the WordPress ActivityPub plugin originally focused on broadcasting content to the Fediverse, it is increasingly becoming a foundation for interactive features. This project will contribute to this evolution by enhancing internal APIs where necessary to support third-party extensions. The goal is to strengthen WordPress as a sovereign platform for online identity, enabling to host polls natively without having to create additional identities/accounts on other platforms to carry out common Fediverse activities. The project's own website: https://graz.social/@linos This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. 
Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","title":"ActivityPub Polls for WordPress","url":"https://nlnet.nl/project/WP-ActivityPub-polls/"},{"description":" CanIWebView Contributing to standardisation of WebView in W3C Web technologies like HTML, CSS and JavaScript are also used very much outside of a  Web browser, because they are well standardized, openly available and many developers know how to build for the web. WebViews are software components used to render Web content inside native apps. They are integral to the mobile web experience, as in-app web content display for social media and serving as a foundation for entire applications and games built with web technologies. WebViews are, however, very much overlooked by web developers, web standards developers, and browser engine vendors in terms of compatibility and feature availability. As part of the W3C WebView Community Group, this project addresses a critical gap in the web platform by establishing comprehensive testing infrastructure and resources for WebView compatibility. The initiative will deliver three key components: open-source testing applications for Android and iOS distributed through app stores, automated testing infrastructure using WebDriver-like tools for continuous compatibility monitoring, and the caniwebview.com website as resource for WebView compatibility data and documentation. Through regular meetings and conference sessions with stakeholders in the WebView space this project aims to improve the user experience, address common issues and lay foundations to future standards. 
The project's own website: https://caniwebview.com Run by Members of the W3C WebView Community Group This project was funded through the NGI Mobifree Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme under the aegis of DG Communications Networks, Content and Technology. The NGI Mobifree R&D programme is part of Horizon Europe research and innovation programme under grant agreement No. 101135795. ","url":"https://nlnet.nl/project/W3CWebview-tooling/","title":"CanIWebView"},{"url":"https://nlnet.nl/project/VulnerableCode/","title":"Free Software Vulnerability Database","description":" Free Software Vulnerability Database A resource to aggregate software updates \"Using Components with Known Vulnerabilities\" is one of the OWASP Top 10 Most Critical Web Application Security Risks. Identifying such vulnerable components is currently hindered by data structure and tools that are (1) designed primarily for commercial/proprietary software components and (2) too dependent on the National Vulnerability Database (from US Dept. of Commerce). With the explosion of Free and Open Source Software (FOSS) usage over the last decade we need a new approach in order to efficiently identify security vulnerabilities in FOSS components that are the basis of every modern software system and application. And that approach should be based on open data and FOSS tools. The goal of this project is to create new FOSS tools to aggregate software component vulnerability data from multiple sources, organize that data with a new standard package identifier (Package URL or PURL) and automate the search for FOSS component security vulnerabilities. The expected benefits are to contribute to the improved security of software applications with open tools and data available freely to everyone and to lessen the dependence on a single foreign governmental data source or a few foreign commercial data providers. 
The project's own website: https://public.vulnerablecode.io Why does this actually matter to end users? Software security for many users is a given, an assumption, something you do not and should not have to think about too hard. If you open an app on your phone, install new software on your laptop or boot up your tablet, you assume the software you use is safe, secure and that the developers have done their job right. With the amount of software coming out and the tangled web of inter-dependencies that exist today, this assumption of trust is hard to live up to. Especially since software vulnerabilities are constantly hunted for by malicious parties that want to get into our data and devices for blackmail, theft or on a larger and more dangerous scale, disruption of vital processes like power grids. Search and discovery of software vulnerabilities is an issue of oversight. There are various databases that record critical risks and issues, but the tools that developers can use to go through these databases tend to focus only on a few sources. Software security should be a collective effort and developers need a complete view of any insecurities they need to deal with. This project wants to create new free and open source (FOSS) tools that aggregate software vulnerabilities from all possible sources and organize them in a standardized way. This makes secure software development more transparent and ultimately contributes to more solid tools and services for end users. This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. 
"},{"title":"Enhance the vulnerability database","url":"https://nlnet.nl/project/VulnerableCode-enhancements/","description":" Enhance the vulnerability database Enhance the VulnerableCode vulnerability database Using Components with Known Vulnerabilities\" is one of the OWASP Top 10 Most Critical Web Application Security Risks. Identifying such vulnerable components is currently hindered by data structure and tools that are (1) designed primarily for commercial/proprietary software components and (2) too dependent on the National Vulnerability Database (funded by the US CISA and Dept. of Commerce). With the explosion of Free and Open Source Software (FOSS) usage, we need a new approach in order to efficiently identify security vulnerabilities in FOSS components that are the basis of every modern software system and applications. And that approach should be based on open data and FOSS tools. This project delivers unique FOSS tools to aggregate software component vulnerability data from multiple sources, privileging upstream data directly from project maintainers. VulnerableCode organizes that data with a de-facto industry standard Package URL identifier (Package URL or PURL) enabling efficient and straightforward automation for the search for FOSS component security vulnerabilities. The benefits are to contribute to the improved security of software applications with open tools and data available freely to everyone and to lessen the dependence on a single foreign governmental data source, or a few foreign commercial data providers. In the new context of the upcoming Cyber Resilience Act (CRA), the access to an open, free and curated FOSS package vulnerability data source is now an imperative. 
And the organization of vulnerability data by Package URL or PURL identifiers in VulnerableCode enables easy frictionless integration with Software Composition Analysis (SCA) code analysis tool chains, direct enrichment of SBOMs (Software Bill of Materials) to find if SBOM-listed packages have known vulnerabilities, and creation of VEX (Vulnerability Exploitability Exchange) documents to communicate the impact of known vulnerabilities. The project's own website: https://aboutcode.org Why does this actually matter to end users? Software security for many users is a given, an assumption, something you do not and should not have to think about too hard. If you open an app on your phone, install new software on your laptop or boot up your tablet, you assume the software you use is safe, secure and that the developers have done their job right. But with the amount of software coming out and the tangled web of inter-dependencies that exist today, this assumption of trust is hard to live up to. Especially since software vulnerabilities are constantly either hunted for by malicious parties that want to get into our data and devices for blackmail, theft or on a larger and more dangerous scale, disruption of vital processes like power grids, or collected by commercial parties that want to monetize securing our data and devices for profit. Search and discovery of software vulnerabilities is an issue of oversight. There are various databases that record critical risks and issues, but the tools that developers can use to go through these databases tend to focus only on a few sources, missing important insight from upstream project maintainers, and using arcane identifiers that make finding if a software package is vulnerable more like a byzantine art than data science. Software security should be a collective effort and developers need a complete view of any insecurities they need to deal with. 
This project creates the free and open source (FOSS) tools that aggregate software vulnerabilities from all possible sources and organize them in a standardized way as open data shared in the commons. This makes secure software development more transparent and ultimately contributes to more secure and solid tools and services for end users of all types. This project enhances VulnerableCode and addresses multiple enhancement requests, such as mining the CVEs body to extract further details, adding new data sources, creating improvers to make the data better to improve the quality, depth and breadth of the data collected and more. Run by AboutCode Europe ASBL This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"url":"https://nlnet.nl/project/Vula/","title":"Vula","description":" Vula Encrypted ad hoc local-area networking With zero configuration, Vula automatically encrypts IP (v4) communication between hosts on a local area network (LAN) in a forward-secret and transitionally post-quantum manner to protect against passive eavesdropping. When the local gateway to the internet is a Vula peer, internet-destined traffic will also be encrypted on the LAN. With simple verification using QR codes, Vula is also able to disrupt active surveillance adversaries. Vula combines WireGuard for forward-secret point-to-point tunnels with cryptographically enhanced mDNS and DNS-SD for local peer discovery. Vula enhances the confidentiality of WireGuard tunnels by using CSIDH, a post-quantum non-interactive key exchange primitive, to generate a peer-wise pre-shared key for each tunnel configuration. Vula avoids the need for any Single Point of Failure (SPOF) such as a trusted third party. Vula is equally functional on otherwise air-gapped networks. 
The project's own website: https://vula.link This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. "},{"description":" Enhancing vula with IPv6 and REUNION rendezvous IPv6, hybrid post-quantum improvements & REUNION support for Vula With zero configuration, Vula automatically encrypts IP (v4) communication between hosts on a local area network (LAN) in a forward-secret and transitionally post-quantum manner to protect against passive eavesdropping. When the local gateway to the internet is a Vula peer, internet-destined traffic will also be encrypted on the LAN. With simple verification using QR codes or other peer verification methods, Vula is also able to disrupt active surveillance adversaries. Vula combines WireGuard for forward-secret point-to-point tunnels with cryptographically enhanced mDNS and DNS-SD for local peer discovery. Vula enhances the confidentiality of WireGuard tunnels by using CSIDH as provided by highctidh, a post-quantum non-interactive key exchange primitive, to generate a peer-wise pre-shared key for each tunnel configuration. Vula avoids the need for any Single Point of Failure (SPOF) such as a trusted third party. Vula is equally functional on otherwise air-gapped networks. The project's own website: https://vula.link This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. 
","title":"Enhancing vula with IPv6 and REUNION rendezvous","url":"https://nlnet.nl/project/Vula-IPV6-Reunion/"},{"description":" Enhancing vula and related libraries Automatic local network encryption for IPv4/IPv6 with PQC With zero configuration, Vula automatically encrypts IP (v4) communication between hosts on a local area network (LAN) in a forward-secret and transitionally post-quantum manner to protect against passive eavesdropping. Improvements within the scope of this project include enhancing highctidh with autoconf and to provide a pkg-config enabled shared C library with additional language bindings. The project will also enhance privacy preserving peer discovery with REUNION, and increase implementation diversity of the protocol with a Golang version to enhance mobile device support. Initial Bluetooth integration will be added, and IPv6 support will be enhanced. As a final result, a network traffic enforcement library will be created (Guardrail) which can be used by vula and similar projects with IP traffic routing security needs. The project's own website: https://www.vula.link This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","title":"Enhancing vula and related libraries","url":"https://nlnet.nl/project/Vula-Guardrail/"},{"description":" Vouivre A dependent type system for machine learning in Lisp Current machine learning frameworks are built around relatively weak type systems. This is a problem because, at scale, machine learning applications are exceedingly intricate and computationally expensive, therefore making costly runtime errors unavoidable. This is where Vouivre comes into play. 
Using a dependent-type system, the project aims at enabling users to write machine-learning applications that solve real-world problems with compile-time validation of their correctness, thus preventing runtime errors at a reasonable computational cost. The project's own website: https://vouivredigital.com This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","url":"https://nlnet.nl/project/Vouivre/","title":"Vouivre"},{"description":" VoWiFi Watchdog Identify blocks and misconfigurations for VoWiFi VoWiFi (Voice over WiFi, also WiFi-calling) is the preferred channel for voice calls and messages for 4G/5G for most operators and operating systems (i.e., Android, iOS). However, there is a lack of transparency regarding existing operator practices and the security of everyday voice calls and messages. There are shocking security weaknesses such as default and static private keys, insecure configurations, as well as anti-consumer practices (geoblocking) at live operators. Operators still use shared private keys to encrypt their customers' communication, allowing adversaries to eavesdrop on calls and messages. Due to the lack of transparency, customers have no way of evaluating the settings for their current operator and operators have little incentive for improvements. The VoWiFi Watchdog project will regularly probe operator's VoWiFi configurations to detect deployed geoblocking measures and expose deprecated security settings. The scan results will be automatically published at our project platform, allowing customers to check their current (or future) operator, motivating operators to upgrade insecure setups. This will help to bring transparency to the VoWiFi ecosystem. 
Run by SBA Research gGmbH This project was funded through the NGI Mobifree Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme under the aegis of DG Communications Networks, Content and Technology. The NGI Mobifree R&D programme is part of Horizon Europe research and innovation programme under grant agreement No. 101135795. ","url":"https://nlnet.nl/project/VoWiFi-watchdog/","title":"VoWiFi Watchdog"},{"description":" OpenIMSd 4G/VoiceOverLTE support for open source mobile OSes The OpenIMSd project aims to bring VoLTE (4G voice calls) to Qualcomm based phones (like the PinePhone) running Free Software Mobile Operating Systems including postmarketOS, Mobian, … We will create a daemon which runs in parallel to the Modem Manager, which configures the baseband via QMI and brings up all the required services to be able to place VoLTE calls. The project's own website: https://www.openimsd.de/ Run by OpenIMSD team This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","title":"OpenIMSd","url":"https://nlnet.nl/project/VoLTE-Qualcom/"},{"title":"Vivliostyle","url":"https://nlnet.nl/project/Vivliostyle/","description":" Vivliostyle Typesetting system leveraging web technologies Vivliostyle is an open-source typesetting system that uses web technologies to create print and digital publications. It extends the layout capabilities of modern web browsers to support advanced CSS features for paged media, such as page floats, footnotes, and cross-references. 
The project includes Vivliostyle.js, the core library that runs on all modern browsers and enables advanced page layout, and Vivliostyle CLI, a command-line tool for generating PDFs and EPUBs from HTML or Markdown files with specified themes and stylesheets. Lastly there is Vivliostyle Pub, a web application that simplifies the creation and editing of publications, with content and style editors and real-time preview. The goal is to empower people to create beautiful publications without relying on proprietary software and leverage the power of web standards and ecosystems. The project's own website: https://vivliostyle.org Run by Vivliostyle Foundation This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"url":"https://nlnet.nl/project/VirtuAndroid/","title":"VirtuAndroid","description":" VirtuAndroid Application-layer virtualization for Android apps VirtuAndroid builds a fully open-source application-layer virtualization framework for the Android OS, designed to guarantee the main security and privacy principles. Unlike existing solutions, which break the Android permission and sandbox models, this framework provides per-app isolation, a permission system, and robust storage isolation within the virtual environment. It supports recent and upcoming Android versions through modular interception layers and offers hooking capabilities at both the Java and native levels, enabling advanced analysis, instrumentation, and security experimentation within a controlled environment. 
Run by Università degli Studi di Padova - Dipartimento di Matematica \"Tullio Levi-Civita\" This project was funded through the NGI Mobifree Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme under the aegis of DG Communications Networks, Content and Technology. The NGI Mobifree R&D programme is part of Horizon Europe research and innovation programme under grant agreement No. 101135795. "},{"description":" Video chat privacy Add privacy features to video chats Making video calls can be very invasive to privacy: the camera does not only capture the face and posture of the person talking, but will in fact capture the entire environment in glorious high definition - from the books in your bookshelf to family members or laundry rack behind you. This information is of no interest to the other end, but with a camera you have little choice: once you slide open the camera cover, it takes everything within the field of view and broadcasts it to the other side. This project aims to use advanced AI technology to edit the video feed in real-time, and apply various privacy enhancements such as removal of backgrounds. Why does this actually matter to end users? One of the things people enjoy the most about the internet, is that it enables them to talk to others remotely almost without limit. Internet allows anyone to keep closely connected with friends and family, and help their kids solve a math problem while they are at work. People collaborate with their colleagues from the couch of their living room, the cafe where they enjoy lunch or on their cell phone on the bus to the gym. Businesses can easily service their customers where this is most convenient to them, without having to travel themselves. This is so convenient, that some businesses have already moved entirely online. 
Internet communication has become the nerve center of whole neighbourhoods, where people watch over the possessions of their neighbours while these are away for work or leisure. However, users have a hard time to understand how privacy is impacted if they use the wrong technology. Because internet works almost everywhere, the natural privacy protection of the walls of a house, a school or an office is gone. For example, when you make a video call, your webcam or phone camera captures a lot more than just you talking, for example the people around you, the books on your shelf or the street outside. A lot of this information can be used to uniquely identify you or to find your location, which you may not always be aware of. Because high definition cameras are embedded in more and more devices everywhere around us, we need more control over what these digital eyes actually record about us. Instead of only being able to switch your webcam on or off, this project will develop technology that lets you remove or anonymize the background while you are actually making a video call. This will give users more tools to protect their visual privacy and fight back against all sorts of sophisticated tracking schemes. This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. ","url":"https://nlnet.nl/project/VideoChatPrivacy/","title":"Video chat privacy"},{"description":" video box Affordable open hardware video-to-network The goal of the FOSDEM video box project is to develop a cheap, compact, open hardware & free software video-to-network solution. Initial motivation came from scratching our own itch: replacing 60 bulky, costly, not entirely free boxes currently used at the https://fosdem.org conference. 
Several other conferences have already used the current setup successfully. We expect this number to grow in the future. The solution being free software and open hardware should make it flexible to adapt to different environments, like education. Being cheap and compact encourages experimental use in areas difficult to foresee. On the hardware side, we use the open hardware Olimex Lime2 board (EU built!) as a base. We plan an open hardware hdmi input daughterboard, iterating on a simplified prototype that helped us verify feasibility. On the software side, the core Allwinner A20 chip has attracted a lot of free and open source development already. That enables us to focus our efforts on optimising video encoding on this platform from a hdmi signal to a compact network stream. The project's own website: https://fosdem.org Why does this actually matter to end users? One of the things people enjoy the most about the internet, is that it enables them to talk to others remotely almost without limit. Internet allows anyone to keep closely connected with friends and family, and help their kids solve a math problem while they are at work. People collaborate with their colleagues from the couch of their living room, the cafe where they enjoy lunch or on their cell phone on the bus to the gym. Businesses can easily service their customers where this is most convenient to them, without having to travel themselves. This is so convenient, that some businesses have already moved entirely online. Internet communication has become the nerve center of whole neighbourhoods, where people watch over the possessions of their neighbours while these are away for work or leisure. However, users have a hard time to understand how privacy is impacted if they use the wrong technology. Because internet works almost everywhere, the natural privacy protection of the walls of a house, a school or an office is gone. 
Unlike the traditional phone companies, many of the large technology providers run their business not on delivering an honest service but on secretly eavesdropping on their users and selling information to others. It is mostly not about what you say, so it is relatively easy for providers to allow some form of privacy by encrypting messages. The more interesting parts are who talks to whom, when, and where they are in the real world while they meet on the internet. If you want to be reachable across the internet, you have to constantly let the communication provider follow you wherever you go. This makes the private and professional lives of citizens an open book to companies that with the help of AI and other technologies make billions from selling 'hidden data' that normal people are completely unaware even exists. And of course in societies that are not so democratic, this type of information is critical to bring down opposition and stifle human rights. These risks of surveillance and profiling also exist for videoconferencing, which can be very useful to reach a worldwide audience, but is not so democratic when that audience is continuously tracked. Especially public institutions like schools, universities and local governments should not rely on proprietary hardware and software for videoconferencing, as they risk having their viewers logged and their videos stored and monetized. Instead public conferencing can be done with publicly developed and transparent devices and tools. This project aims to develop open videoconferencing hardware and software for FOSDEM, the largest European gathering on free and open source software. In the main campus of the Belgian ULB-university, thousands of developers gather from all over the world to discuss and promote free and open source software. The conference is non-commercial and entrance is free for all. 
At times over 50 parallel sessions are organized and every talk is recorded and streamed, currently using hardware that is not entirely transparent. This project aims to develop open videoconferencing devices that are not only free, but also less costly and sizable. FOSDEM will then be available for everyone using the same open hardware and open source software promoted at the conference. And other organizations using the FOSDEM-setup will benefit just the same from trustworthy, transparent videoconferencing, built solely to spread ideas and knowledge. Run by FOSDEM vzw This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. ","url":"https://nlnet.nl/project/VideoBox/","title":"video box"},{"description":" VFRAME: Visual Defense Tools Use computer-vision to shield privacy in video Visible data shares many of the same risks as wireless data yet visual privacy is often overlooked in the field of information security studies as separate and less relevant. As computer vision becomes increasingly adept at understanding the visual domain, differences between existing protocols for processing wireless data and emerging protocols for processing visible data (computer vision) become less apparent. Ultimately, images and video are wireless data too, and they are exposed to an increasing number of attacks on visual information privacy with fewer technologies for protection. Visual Defense Tools will explore and prototype computer vision methods for visual privacy through visual obfuscation and minimization techniques, mostly related to biometrics. The goal will be to build a conceptual road map and functional open-source prototypes to stimulate future development of more accessible visual privacy technologies. 
The project's own website: https://vframe.io Why does this actually matter to end users? We live in a time where it seems there are video cameras everywhere. Not just on a payment terminal, a traffic sign or at the entrance of an office building either. Every day hundreds of millions of people take their phone from their pocket and start filming themselves and others. And they do not just record it for their personal use, they tend to put it online. But in many instances you are not the only one captured on screen. The person next to you might not want to be put online, for whatever reason. They might be underage. They might have their credit card out. In the \"selfie\" mindset, those concerns may not matter much. After all, what can they do? All they want is to capture the moment, and you just happened to be in the wrong place at the wrong time. Now combine this with the ever increasing power of computers to process video. Today's capabilities go far beyond face recognition in pictures. Computers can now process video recordings and live streams in almost real time. Connect that in your mind with the insane amount of information about people already available online, for instance through social media. This could end up as the 'coup de grace' for privacy in the public sphere: point your camera to a girl in a bar, and their name, income, hobbies and past sex life automatically pop up. The creep factor of this is enormous, and so is the potential for abuse. That is probably the reason why some of the largest privacy violators on the planet have invested literally billions of dollars in building technical capabilities to that effect. All of a sudden, you end up with a spillover from the digital world into the real world. If we want to protect privacy in the public sphere, we will need to create technologies that can counter this trend of crowd-sourced public surveillance. It is probably infeasible and not desirable to ban cameras. 
There are many beneficial uses for them too, after all. So the next best thing is to create technologies that can protect the privacy of people that would be captured on video against their will. We can use video recognition technology the reverse way: wipe out everything concerning the people you did not explicitly get permission from. It doesn't really matter to your vlog viewers if you cannot see the faces of the people walking behind you - or randomise their clothes. All we need is the technology to do this automatically. This is the goal of the VFRAME project: it aims to build a first, exploratory tool as a first step to restore visual privacy. In the end, this is probably something that should be turned into legislation so that all consumer devices behave like this by default. So that next time, that first kiss on a bench in the park will not be part of internet history. This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. ","url":"https://nlnet.nl/project/Vframe/","title":"VFRAME: Visual Defense Tools"},{"description":" VexiiRiscv Next generation of the VexRiscv in-order FPGA softcore VexiiRiscv (Vex2Risc5) is a hardware project which aims at providing a free/open-source RISC-V in-order CPU which could scale from a simple microcontroller up to a multi-issue/Debian capable cluster. While the project already surpasses VexRiscv in multiple domains (performance, 64 bits, Debian), it still needs work and testing to reach feature parity (tightly coupled RAM, JTAG debug, optimization, ...), as well as to extend its scope (lightweight FPU, vector unit, ...). This grant would aim at filling those gaps as well as improving its documentation. 
The project's own website: https://github.com/SpinalHDL/VexiiRiscv This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","url":"https://nlnet.nl/project/VexiiRiscv/","title":"VexiiRiscv"},{"description":" SWD Debug support in VexRiscv Functional SWD debugging support for VexRiscv/VexiiRiscv The VexRiscv-Debug project aims to extend the popular open-source VexRiscv RISC-V soft CPU core with functional debugging support enabling essential development and bring-up capabilities for developers building debuggable RISC-V SoCs on custom ASIC or FPGA platforms. This includes making Vexriscv fully Riscv Debug specification compliant and additionally adding support for Serial Wire Debug (SWD), which is a widely used industry specification set forth by ARM. The project's own website: https://saketsinha.de/VexRiscv-Debug This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/VexRiscV-debug/","title":"SWD Debug support in VexRiscv"},{"description":" Servo improvements for Tauri Verso offscreen + multiview Verso is a new browser initiative that is based on the Servo browser engine - a cross-platform, open source web engine written in Rust managed by Linux Foundation Europe. 
The project originates from an earlier effort to integrate Servo in Tauri, a widely used open source system for distributing cross-platform applications capable of running content and applications using web technology outside of the browser. The web ecosystem currently lacks a cross-platform, non-corporate controlled system for doing so, meaning that solutions like Tauri need to rely on the platform engines controlled by Apple, Google, and Microsoft. Obviously, this adds complexity, has security and stability implications, lacks consistency, and involves limited levels of user agency. Integrating a portable browser engine would be a major step towards being able to run applications in a consistent, open source web runtime on major desktop and mobile platforms. As part of that work, it became clear that several improvements to Servo are urgently needed. In order to speed up the development of those improvements, it turned out to be more efficient to transpose these requirements to a new standalone browser: Verso. The key tasks beyond improving developer efficiency and workflow (also for Mozjs and Spidermonkey) tackled in this project are offscreen rendering and multiwebview support. The project's own website: https://versotile.org/verso Run by Tauri Programme within the Commons Conservancy This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. ","url":"https://nlnet.nl/project/Verso/","title":"Servo improvements for Tauri"},{"description":" Webview library with Verso for Tauri Refactor parts of Verso into a WebView library We aim to publish the Verso browser as a library in addition to the current application approach. This way other projects could use it as a dependency in their software, and render their content with it. 
The distribution of a shared library is a challenging set of problems (including, but not limited to bundle format, code signing, dependency linking, etc.) that we intend to solve. We also aim to find the best possible solutions to help developers use this library with ease. One of these approaches will be to integrate with Tauri as a webview backend. The project's own website: https://versotile.org/verso This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","title":"Webview library with Verso for Tauri","url":"https://nlnet.nl/project/Verso-WebView/"},{"description":" Verso Views A Functional Browser Based on Servo Verso is a web browser based on Servo web engine. While Servo hasn’t been treated as a fully functioning browser, it is possible to build one based on it already. We plan to expand this into a formal and stable application release, eventually implementing the features, making it not just a general browser application but also a webview library for embedding purposes. There are some missing features we still need to push into Servo. And there are also other works that require time and resources to make a barebone web engine into a stable application. We hope to take this project as a chance to finally make an individual repository using Servo as a dependency. In this way, Servo can focus on issues and features of the web engine itself. In the meantime, other chores related to the application itself can be off-loaded to other repositories and organizations. 
The project's own website: https://versotile.org/verso This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","title":"Verso Views","url":"https://nlnet.nl/project/Verso-Views/"},{"url":"https://nlnet.nl/project/Verso-Profile/","title":"Next Generation Browser Profile Workflow","description":" Next Generation Browser Profile Workflow A profile system for the Verso browser Users currently do not have much ownership over their browser data, including bookmarks, history, which extensions are activated, etc… Current web browsers do not really facilitate user agency, let alone in a standardised way. And we are not even mentioning the fact that synchronisation between devices is only possible through third parties, because there is no real transit between browsers (just imports). Even worse: despite this data being rather private, data is not really encrypted. The solution is complex, and it starts with the rework of browser profiles and browser workflows conceptually. This project aims to define the standards of encapsulation of these profiles separately from the browser while keeping privacy and security in focus. The prototype would be integrated in the Verso browser, but along the way the underlying Servo engine also gets some improvements for accommodating these endeavours properly. The project's own website: https://versotile.org/verso This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. 
"},{"url":"https://nlnet.nl/project/VersatAI/","title":"VersatAI","description":" VersatAI Automation of ML/AI algorithm support in computational accellerators Versat is a Coarse-Grained Reconfigurable Array (CGRA) compiler and programming framework to accelerate AI and ML workloads on open-source RISC-V-based systems. The VersatAI project will enhance Versat to automate AI/ML accelerator generation by translating standard representations of these algorithms such as ONNX into optimized RISC-V programs accelerated by a CGRA. Leveraging prior work in cryptographic acceleration and SoC integration, the project will focus on key AI/ML tasks like convolutional neural networks and transformers. The development will be fully open-source, ensuring compatibility with industry-standard AI frameworks and improving CGRA accessibility for AI applications. The project's own website: https://github.com/IObundle/iob-versat Run by IObundle This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"url":"https://nlnet.nl/project/VersaTiles/","title":"VersaTiles","description":" VersaTiles Simplify vector map tile creation, hosting, and interaction VersaTiles provides vital digital infrastructure for web maps, offering a free, flexible alternative to commercial services. Web maps are essential in fields like data journalism, research, and emergency response, but current commercial solutions are often costly, proprietary, and pose privacy concerns. VersaTiles addresses this by dividing the complex process of map creation, distribution, and visualization into manageable layers, ensuring interoperability and scalability. 
With its open, transparent approach, VersaTiles promotes digital sovereignty in Europe, empowering public institutions, media, and developers with an accessible, high-quality map infrastructure that avoids vendor lock-in and supports free access to geospatial data. The project's own website: https://versatiles.org This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"description":" Verilog-A distiller Automated porting of models from C to Verilog-A Analog circuit simulators require compact device models in order to be able to simulate circuits. The de-facto standard language for compact device model dissemination is Verilog-A. Many legacy models exist that are coded for the SPICE3 circuit simulator in the C programming language. Manual conversion from C to Verilog-A is resource-intensive, time-consuming, and error-prone. This reduces the accessibility of legacy models and limits innovation. The Verilog-A Distiller project aims to automate conversion of SPICE3 device models from C to Verilog-A. By automating this conversion, we aim to streamline model implementation, reduce development time, and enhance compatibility across different simulators. Verilog-A Distiller is a converter written in Python that utilizes the pycparser library for reading the C code of SPICE3 models. The parsed models are pruned of unnecessary SPICE3-specific parts, upon which Verilog-A code is emitted. Projects like Ngspice put a lot of effort into cleaning up and improving legacy SPICE3 models. Verilog-A Distiller makes these models available across a wide range of simulators that support Verilog-A. 
The project's own website: https://codeberg.org/arpadbuermen/VADistiller Run by University of Ljubljana, Faculty of Electrical Engineering This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","title":"Verilog-A distiller","url":"https://nlnet.nl/project/Verilog-A-distiller/"},{"title":"Verified Reowolf","url":"https://nlnet.nl/project/VerifiedReowolf/","description":" Verified Reowolf Formal protocol verification with Reowolf This project is archived. Due to circumstances, the project as planned did not take place. This page is left as a placeholder, for transparency reasons and to perhaps inspire others to take up this work. Using formal methods, we rigorously validate and verify functionality and security properties of essential Internet protocols. In this project, we unambiguously specify Internet protocols using Reowolf's Protocol Description Language (PDL). We research and develop validation tools for certifying the compliance of software/hardware implementations of essential Internet protocols with respect to PDL specifications; and, we research and develop a mathematical formalism, using the state-of-the-art theorem prover Coq, for the verification of properties of protocols specified in PDL that identify precisely under what conditions important properties, such as network integrity and service availability, remain to hold or when they break. The results are important for long-term stability of the Internet, and will be published open access & open source. 
The project's own website: https://www.reowolf.net This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. "},{"description":" Toward a Fully-Verified SCION Router Formal verification of the reference open source SCION Router SCION is a next-generation Internet architecture that addresses many of the security vulnerabilities of today’s Internet. Its clean-slate design provides, among other properties, route control, failure isolation, and multi-path communication. This project will demonstrate the feasibility of verifying the core component of the SCION inter-domain routing architecture - the SCION router. Prior work has proved that the SCION data plane protocols are secure. The focus of this project is on verifying that SCION’s open-source router is memory-safe and implements those protocols correctly and, thus, provides the intended security and correctness guarantees. The project's own website: https://www.pm.inf.ethz.ch/research/verifiedscion.html Run by ETH Zurich This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","url":"https://nlnet.nl/project/Verified-SCION-router/","title":"Toward a Fully-Verified SCION Router"},{"description":" Noise Explorer-VerifPal Automated proofs and code generation for secure protocols Noise Explorer is an online engine for reasoning about Noise Protocol Framework (revision 34) Handshake Patterns. Noise Explorer allows you to design Noise Handshake Patterns, and immediately obtain validity checks that verify if your design conforms to the specification. 
For visually oriented people, it provides a convenient visualisation in your browser. Noise Explorer can also generate Formal Verification Models and Software Implementations. This allows to instantly generate full symbolic models in the applied pi calculus for any Noise Handshake Pattern that you enter. Using ProVerif, these models can be analyzed against passive and active attackers with malicious principals. The model's top-level process and sophisticated queries are specifically generated to be relevant to your Noise Handshake Pattern, including tests for strong vs. weak forward secrecy and resistance to key compromise impersonation Noise Explorer also automatically generates a secure implementation of your chosen Noise Handshake Pattern design, written in Go. In addition the users can explore a Compendium of Formal Verification Results. Since formal verification for complex Noise Handshake Patterns can take time and require fast CPU hardware, Noise Explorer comes with a compendium detailing the full results of all Noise Handshake Patterns described in the original specification. These results are presented with a security model that is even more comprehensive than the original specification, since it includes the participation of a malicious principal. The project's own website: https://noiseexplorer.com Why does this actually matter to end users? Secure communication over the internet is critical. Humans however are not infallible, and the same holds for the humans that design the protocols that should make our internet traffic safe. Internet engineers and software developers need to handle a lot of complexity, and even a small oversight or a very improbable scenario or combination of factors can mean breaking part or whole of the protection required The secure technologies we depend on to keep internet communications secure are frequently found to suffer from fundamental design vulnerabilities as well as implementation errors. 
Truth is, while trust is a fundamental human trait, we should not just trust human intuition to get everything right. This is where computers can come to help us out, to see if we can underpin that trust in a systematic way. Computers have no problem to exhaustively try out all options, even if it takes them millions and millions of tries. When instructed in the right way, that means their endless combinatorial capabilities can be used to simulate even the most unlikely of events. Again and again, if necessary. A lot of awesome computer science brain power has gone into so called formal proofs. Formal proofs use very strict mathematical modelling to take everything that could possibly happen into account, and prove that the software or protocol at hand does what it is assumed to do. However, as you may imagine, this modelling can get pretty complex and as such is an art in itself - restricting the usage to a very limited set of experts. However, once you have the models right you can actually go a lot further than just prove the protocol: from the model you can automatically generate secure software libraries that you can be sure implement the protocols involved exactly right. This is a guarantee that no human programmer can give. Noise Explorer is the first of a new generation of open source tool that is helping to democratise these proofs, and bring together community knowledge about protocols and proofs at the same time. It conveniently assists those designing secure channels based on the so called Noise Protocol Framework, which is used in some of the largest messaging tools in the market to protect the confidentiality of the messages sent around. The creators of Noise Explorer have precomputed many different options, and so developers can just take the proofs instead of having to model their protocol and spend a lot of time on setup and computation. Verifpal is the logical next step. 
It expands the scope of Noise Explorer to make it applicable for many more protocols that need to be secure. Whether you successfully connect to a wireless network, or see the little green padlock next to a website address - we all want to trust the security behind that. VerifPal is creating a unique tool specifically designed to make it easier to make protocols that will not let us users down. Run by Symbolic Software This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. ","title":"Noise Explorer-VerifPal","url":"https://nlnet.nl/project/VerifPal/"},{"description":" Verifpal Prove soundness of verification in Verifpal Verifpal is new software for verifying the security of cryptographic protocols. Building upon contemporary research in symbolic formal verification, Verifpal’s main aim is to appeal more to real-world practitioners, students and engineers without sacrificing comprehensive formal verification features. In order to achieve this, Verifpal introduces a new, intuitive language for modeling protocols that is much easier to write and understand than the languages employed by existing tools. At the same time, Verifpal is able to model protocols under an active attacker with unbounded sessions and fresh values, and supports queries for advanced security properties such as forward secrecy or key compromise impersonation. Verifpal has already been used to verify security properties for Signal, Scuttlebutt, TLS 1.3, Telegram and other protocols. It is a community-focused project, and available under a GPLv3 license. The project's own website: https://verifpal.com Why does this actually matter to end users? Secure communication over the internet is critical. 
Humans however are not infallible, and the same holds for the humans that design the protocols that should make our internet traffic safe. Internet engineers and software developers need to handle a lot of complexity, and even a small oversight or a very improbable scenario or combination of factors can mean breaking part or whole of the protection required The secure technologies we depend on to keep internet communications secure are frequently found to suffer from fundamental design vulnerabilities as well as implementation errors. Truth is, while trust is a fundamental human trait, we should not just trust human intuition to get everything right. This is where computers can come to help us out, to see if we can underpin that trust in a systematic way. Computers have no problem to exhaustively try out all options, even if it takes them millions and millions of tries. When instructed in the right way, that means their endless combinatorial capabilities can be used to simulate even the most unlikely of events. Again and again, if necessary. A lot of awesome computer science brain power has gone into so called formal proofs. Formal proofs use very strict mathematical modelling to take everything that could possibly happen into account, and prove that the software or protocol at hand does what it is assumed to do. However, as you may imagine, this modelling can get pretty complex and as such is an art in itself - restricting the usage to a very limited set of experts. However, once you have the models right you can actually go a lot further than just prove the protocol: from the model you can automatically generate secure software libraries that you can be sure implement the protocols involved exactly right. This is a guarantee that no human programmer can give. VerifPal is new software that makes formal verification of cryptographic protocols more accessible and intuitive. 
It is a breakthrough that regular users and software engineers can easily write out (or model) protocols to verify whether they are secure, and then immediately them against all sorts of possible attacks. VerifPal is one of the first technology projects funded by the NGI and has already been used to verify the security of widely used protocols that for example protect Whatsapp and Signal-messages. Through this new project VerifPal will further prove that its verification of these protocols is sound, create extra implementations of the modeling language for a larger user base and integrate other protocol verification software to add additional layers of security checks. This way software developers, engineers and students around the world can benefit from formal verification software that is both secure and accessible, which can ultimately help make the internet a safer and more trustworthy place. Run by Symbolic Software This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. ","url":"https://nlnet.nl/project/VerifPal-Proven/","title":"Verifpal"},{"description":" VeriBench Verilog-AMS Testbench Framework for Open EDA Verification Verilog-AMS is a hardware description language developed to standardise the description of device models and circuits in analog and mixed-signal design. It is widely used across both proprietary and open-source Electronic Design Automation (EDA) toolchains. While Verilog-AMS standardises hardware descriptions, the behaviour and numerical accuracy of simulators and model compilers remain tool-dependent and require systematic verification. VeriBench will provide automated Verilog-AMS testbenches that enable systematic verification of semiconductor device models and representative analog and logic circuits. 
The testbenches will support realistic simulation contexts using open Process Design Kits (PDKs). They will enable cross-validation, regression testing, and benchmarking across open-source simulators such as Gnucap and ngspice, as well as Verilog-A/AMS model compilers, including OpenVAF and Gnucap’s modelgen-verilog. By providing documented benchmarks, reference results, and ready-to-run examples, VeriBench will validate open-source simulation toolchains, build trust in their results, improve reproducibility, and lower the barrier to entry for users and contributors. This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/VeriBench/","title":"VeriBench"},{"title":"variation graph (vgteam)","url":"https://nlnet.nl/project/VariationGraph/","description":" variation graph (vgteam) Privacy enhanced search within e.g. genome data sets Vgteam is pioneering privacy-preserving variation graphs, that allow to capture complex models and aggregate data resources with formal guarantees about the privacy of the individual data sources from which they were constructed. Variation graphs relate collections of sequences together as walks through a graph. They are traditionally applied to genomic data, where they support the compression and query of very large collections of genomes. But there are many types of sensitive data that can be represented in a variation graph form, including geolocation trajectory data - the trajectories of individuals and vehicles through transportation networks. 
Epidemiologists can use a public database of personal movement trajectories to for instance do geophylogenetic modeling of a pandemic like SARS-CoV2. The idea is that one cannot see individual movements, but rather large scale flows of people across space that would be essential for understanding the likely places where an outbreak might spread. This is essential information to understand at scientific and political level how to best act in case of a pandemic, now and in the future. The project will apply formal models of differential privacy to build variation graphs which do not leak information about the individuals whose data was used to construct them. For genomes, the techniques allow us to extend the traditional models to include phenotype and health information, maximizing their utility for biological research and clinical practice without risking the privacy of participants who shared their data to build them. For geolocation trajectory data, people can share data in the knowledge that their social graph is not exposed. The tools themselves are not limited to the above use cases, and open the doors to many other types of applications both online (web browsing histories, social media usage) and offline. The project's own website: https://github.com/vgteam/vg Why does this actually matter to end users? Worries over our health and safety will in many cases take precedence over the perceived value of our privacy. When it comes to our physical health and well-being, we are often in a strongly dependent position. Especially in times of great mental stress (like when a medical doctor breaks bad news to us) or fear (my daughter is late from school, a deadly virus is going round) we often lack the time and knowledge to really consider what data we actually want to make available and under which conditions. 
Many people in such situations reach a point of detachment and panic, where they hand out whatever data requested from them by whomever promises to resolve the stress. And once data is out there, it is hard to trace back. But what if we do not have to give up our privacy for the sake of better, and more personalized health care, fighting the spread of a pandemic or other safety measures? What if we can have both? The classic example is genetic research, which can be extremely effective in identifying hereditary diseases and ultimately creating a type of personal health care that perfectly fits your unique needs. It also involves extremely personal and uniquely identifying data (literally the DNA that made us the individuals we are), the wider availability of which has a potential impact on the privacy and physical security of your children and their children and their children's children etcetera. Who knows what future generations will have to endure, in good times and in bad times? With the technology easily available to them, would insurance companies, employers or governments be tempted to test for yet undiscovered heart conditions or expensive and rare diseases - or worse? And yet we make important decisions about this in times of stress. The same caution should go for a pandemic situation like SARS-CoV2. We all want a solution to help those most vulnerable, but as a society we are not prepared at all for the large security implications of exposing geolocation trajectory data seized from for instance telecom networks. And we cannot assume that lack of preparation will not be abused. And despite that we want to have a deep understanding how a virus actually spreads in a fine-grained way from person to person, meaning we need to gain insight in how people move around with actual data. For that purpose epidemiologists really could use access to a public database of personal movement trajectories, so they can do so called geophylogenetic modeling. 
SARS-CoV2 is not the first virus to cause a pandemic, and it will not be the last - and policy measures like a lockdown have an immense cost in terms of our economy and societal disruption. So we had better test our assumptions and create data sets with privacy preserving variation graphs that allow a wide community of researchers access without risk of security fallout afterwards. Things do not have to be black and white. Doctors do not need to have access to all of our DNA in order to help us, so we don't have to share everything. Epidemiologists do not need to know Gabriel visited Mary, and how many times Mary met Elisabeth and when and where. As it turns out, there are clever ways to aggregate data in a privacy preserving way, preserving the characteristics needed and removing the rest. This project will build on these so called \"variation graphs\" to further explore and develop these technologies. There are applications throughout many other use cases as well - variation graphs can be used to produce privacy-preserving representations of collections of other sensitive data, including collections of personal writing, web browsing histories, or even quantified self. The general tenet is always to only share the relevant information, while preventing the identification of individuals. Variation graphs have huge potential. The project is contributing to various very ambitious goals, such as assisting with the SARS-CoV2 situation and enabling the creation of searchable DNA databases that protect the individuals contributing in a provable way. Input data from healthy and non-healthy people, from sinners and saints, can be transformed in such a way that the privacy of all involved is protected while intensive study of DNA data or human movement patterns remains possible. This will greatly help to convince people that they can contribute to the associated research. 
Of course success in such a critical application breaks the ice for all other use cases, where we see the benefit of big data but also the threats. Such a solution, if it becomes widely available, might be nothing short of revolutionary. This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. "},{"description":" ValOS Cryptographic Content Security project Cryptographic Content Security for ValOS ValOS (Valaa Open System) is a project pushing programming to become a civic skill. It’s a decentralized software development architecture that empowers beginners with little training or prior experience to create practical web applications. ValOS applications and data are created, stored and distributed as event streams. ValOS Gateway is a JavaScript library that acts like a browser: it connects to event streams, reduces them into applications and provides means to induce new events. ValOS Cryptographic Content Security project focuses on enhancing the infrastructure level security of ValOS through event log hash chaining, end-to-end encryption and other features. The project's own website: https://valospace.org/ Why does this actually matter to end users? Internet technology is perceived as rather complex, more than is probably necessary. That is why people tend to let other people be in control of the technology they use, even though no one knows what they need better than they do themselves. While there are millions of professional and amateur developers capable of creating applications on the web, that leaves billions that cannot. There is no technology currently well suited to bring development to the average person in the street. 
ValOS (Valaa Open System) aims to simplify software development and make web apps inherently more secure by default with no or little effort from the developer. It does so by creating a much simpler model to work with. The content that the users create, and the application that enables them to do so, are brought together from different sources inside the browser - not before. The architecture of the system assumes the worst possible environment, because creating security and resilience when everybody is honest and connections are perfect is just unrealistic. No one should need to trust anyone else by default. Clients can and will crash at any moment, but the user expects her data back. Sessions can get lost and devices can lose connectivity, go offline without crashing, keep creating new commands into an outgoing queue and expect to survive coming back online. ValOS aims to enable a new paradigm ecosystem where applications are secure by default with no or little effort from the developer, further enabling the creativity of everyone. By design data can remain located securely in someone's phone, under the direct control of the user. It aims to make the system robust in most imaginable scenarios and to allow it to fail securely in outlier cases. This is a highly experimental but visionary project with a lot of potential. Run by Valaa Technologies Ltd This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. 
","title":"ValOS Cryptographic Content Security project","url":"https://nlnet.nl/project/ValOS-crypto/"},{"description":" VPN Vulnerability Testing Suite Test VPN implementations for network based attacks Recent publications have brought attention to vulnerabilities in most VPN implementations when faced with a network-based attacker levering attacks such as TunnelVision and TunnelCrack, among others. In light of these publications, this project develops a testing suite that covers every known edge case, allowing for a one-stop straightforward yet complete evaluation of whether a particular VPN client implementation is susceptible to said vulnerabilities. The testing framework will be delivered as an open-source software component, free to be used and altered. The framework will also be extended with various attack variants that are not directly covered under the original TunnelCrack and TunnelVision research, such as behavior when operating on hostile IPv6 networks, and the recovery behavior after being subject to service interruption by an attacker. By integrating these tests into e.g. continuous integration and delivery infrastructure, developers of VPN applications can sustainably harden their software against these attacks. Run by Midnight Blue ","title":"VPN Vulnerability Testing Suite","url":"https://nlnet.nl/project/VPN-vulnerabilitytesting/"},{"title":"Jean-Paul Chaput - Coriolis Open EDA","url":"https://nlnet.nl/project/VLSI-tools/interview.html","description":" Jean-Paul Chaput - Coriolis Open EDA Logical validation of ASIC layouts Trustworthy hardware and manufacturing Can you introduce yourself and your project? I am Jean-Paul Chaput, lead architect of the Coriolis Open EDA project. In the late 90s, I developed the router of the Alliance toolchain, Nero, and then, since 2000, the detailed router of Coriolis, Katana, which uses innovative algorithms and data structures. 
Alongside this work, I have also contributed to almost every part of the Coriolis toolchain. Since 2019, we have reached a sufficient point to start making chips in mature technologies (above 90nm). I am deeply committed to the FOSS philosophy and want to enable as many people and companies as possible to make their chips. What are the key issues you see with the state of the internet today? In fact, what I see is a deeper problem. The whole of the internet, whether the infrastructure or the algorithms, relies on chips, most of which are black boxes. For instance, take the encryption algorithms: if the chip they run on, that is, the hardware itself, is flawed (as a defect or on purpose), then they can be bypassed entirely, and the user is left utterly exposed. How does your project contribute to correcting some of those issues? The open hardware movement, especially the RISC-V endeavour, started to address those issues. Still, they need an Open EDA (Electronics Design Automation) to guarantee that what you get on silicon is what you specified. So, we should have chips we can trust to run the internet. We need not only processors but also a wide variety of hardware blocks. An important one is the ethmac. This block is at the core of an ethernet card; it is the one that gets the octets composing the IP packets at the link clock speed and assembles them, making them available to the rest of the chip. As a building block, it can be used to build individual cards and router chips. At the heart of the ethmac are SRAMs (static memories). These components are highly specific to technology and costly. We developed a generator using standard cells, which are always available. We allow a tradeoff: bigger than a custom but smaller than a purely synthesised one. On top of that, it’s easily portable (we did it on three different technologies). What do you like most about (working on) your project? 
There was much algorithmic exploration of how to organise the placement to optimise the SRAM generator's results. It was very gratifying to find and see the progressive improvements. The various experimentations and their results, along with the comparisons with the directly synthesised ones, also provided us with a lot of valuable insights, which can lead to improvements in other domains. Where will you take your project next? We are pursuing three directions: This experiment showed us further ways to improve the SRAM generator and make an even more compact block. The SRAM generator will be modified to offer more varied features for use in many more contexts. We'll build the complete ethmac block now that we have its most important component. How did NGI Assure help you reach your goals for your project? It is obvious that many open source projects are underfunded, especially when they are at an intermediary stage and can only produce partially usable results. The ability to fund that non-final stage is extremely helpful. As a side effect, it also introduces deadlines and forces us to improve and focus our planning. Do you have advice for people who are considering applying for NGI funding? Don’t censor yourself in your proposal, whether you feel it is slightly off-topic or only a partial step that you are submitting for funding. Do you have any recommendations to improve future NGI programmes or the wider NGI initiative? As I said previously, open source projects are notably underfunded. To ensure more stable development, grants over a more extended period that can fully fund developers’ activity may be extremely helpful. Acknowledgements Image: courtesy of Jean-Paul Chaput. 
Published on November 6, 2024 LIP6 VLSI Tools received funding through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. "},{"description":" LIP6 VLSI Tools Logical validation of ASIC layouts The software we run critically depends on the trustworthiness of the chips we use. LIP6's VLSI tools are one of the few user-operated toolchains for creating ASIC layouts where the full source code is available for inspection by anyone. This provides a significant contrast to commodity chips from vendors like Intel and AMD, where anything beyond coarse technical detail is shielded away by NDA's. This project will improve Coriolis2, HITAS/YAGLE and extend the whole toolchain so that it can perform Logical Validation. It will also upgrade the code to make it faster, able to handle larger ASIC designs, and add support for lower geometries (starting with 130nm) which are more energy-friendly. 
The project's own website: https://coriolis.lip6.fr Run by LIP6 Laboratoires Informatique Paris 6 This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. ","url":"https://nlnet.nl/project/VLSI-tools/","title":"LIP6 VLSI Tools"},{"url":"https://nlnet.nl/project/VC-SPARQL-ZKP/","title":"Verified Credentials with zero-knowledge SPARQL queries","description":" Verified Credentials with zero-knowledge SPARQL queries Enabling derived W3C Verifiable Credentials with Zero Knowledge Proof (ZKP) The project summary for this project is not yet available. Please come back soon! Run by The Open Data Institute This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"description":" VACASK High-performance Analog Simulation VACASK (Verilog-A Circuit Analysis Kernel) is an open, high-performance analog circuit simulation platform designed to modernize the foundations of electronic design automation. By cleanly separating device modeling from numerical analysis and embracing a modular, Verilog-A centric architecture, VACASK enables efficient, extensible, and maintainable simulation workflows optimized for modern CPUs. The project introduces into VACASK essential core analyses, including AC stability, S-parameter characterization, transient noise simulation, and adjoint-based small-signal transfer function and noise evaluation, while improving numerical robustness through integration with established linear algebra libraries. 
Tight integration with the Python-based PyOPUS design automation library enables reproducible circuit sizing, sensitivity and yield analysis, Monte Carlo evaluation, and yield optimization workflows using VACASK as the underlying simulator. The project's own website: https://codeberg.org/arpadbuermen/VACASK Run by University of Ljubljana, Faculty of Electrical Engineering This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/VACASK/","title":"VACASK"},{"url":"https://nlnet.nl/project/UniversalDID/","title":"Universal DID Resolver and Registrar","description":" Universal DID Resolver and Registrar Tooling for decentralized identifiers The Universal DID Resolver and Registrar are open-source software components that implement Decentralized Identifiers (DIDs). DIDs lie at the heart of an emerging technical and social paradigm known as \"self-sovereign identity\" (SSI), which allows individuals, organizations, and things to create and manage their digital identities without dependence on any central authority or intermediary. This technology is highly aligned with Next Generation Internet values such as human-centricity, openness, trust, and reliability. DIDs as a building block for protocols are of similar importance to Internet infrastructure as other identifiers such as domain names or e-mail addresses. The Universal DID Resolver and Registrar are aligned with corresponding W3C community group specification efforts. 
Development and maintenance of the code takes place in close collaboration with relevant community and industry stakeholders such as the Decentralized Identity Foundation, uPort, Jolocom, Sovrin, Civic, Veres One, Blockstack, ERC725 Alliance, etc. The project's own website: https://uniresolver.io Why does this actually matter to end users? One of the oldest questions on the internet is: how do you adequately prove you are you? Or perhaps the reverse formulation offers a better mental model: how do you prevent others from succeeding in pretending they are you? Now let's flip this question around once more: how would you like to see this managed yourself, if you could? How heavy-weight or convenient do you want to be proven that you are you, to allow you to get into your own environment or have something done on your behalf? And what is it worth to you in terms of effort? Would you be willing to spend a minute to have some clever secure device you have in your pocket involved? Authenticate via your mobile phone? And what if you are in a rush, or on the go? Are you happy with some company like your email provider or a large social network having the ability to make that judgement, based on a user login a few hours ago? And what if that company is based in some other jurisdiction, and could be forced to let others in as well? Or would you rather choose your own identity, and formulate direct rules to have complete control at any given point? As could be guessed, individual people have a need for different levels of confidence and security in different contexts. A security breach matters perhaps less if you just want to log in to a music service to change a playlist. After all, the worst that can happen is that someone messes things up and you have to create a new one. It matters a great deal more if you want to do a significant financial transaction at work, or open the door of your house remotely to let the babysitter in while you are delayed in traffic. 
Perhaps you can think of scenarios where you want even more control. So what proof to use as the basis of your trust, and the subsequent actions taken? Historically people rely on some authority they collectively trust. Such an authority has typically taken high tech countermeasures to make the channel through which that trust is conveyed hard to defraud. A passport or banknote is quite tricky to fabricate due to the use of special techniques. Online we have only a very limited number of trust \"anchors\" of varying quality. The domain name system is such an anchor, digital certificates or customer relationships are another. Today, having access to a certain mail account or phone which is known to be yours is the most common proof used. Email is often called the \"poor man's solution\" to identity management, and it is what most organisations and businesses fall back on. Can't log in? We will send you an email to reset your login. Just click on the link. And of course, email was never designed to be safe. It kind of works, but really we can do better. Perhaps your use cases require more strict proof than that of normal consumers, or less strict proof. Even for a single large service provider, it would be hard to figure this out satisfactorily for all users. For the same reason people write their own testament to document what should happen with things they own or control after they die, you want to document what should happen with things you own or control when you are physically absent. There is no universal will that is acceptable to all, nor is there a universal policy that satisfies all use cases. So what if you yourself would be able to create and control your own identity, and determine your own proofs and methods? In order to function in a global internet, you would need to be able to convey your requirements and demands in a portable way. There would be no central authority dictating to you what to do here. 
That would mean you yourself would have to make things explicit upfront in a foolproof way - so that elsewhere on the internet people and services would know what you expect them to do to distinguish the real you from fraudsters. This is the starting point of the DID Resolver and Registrar project. These two applications are being designed to help you create a machine processable travel document for identity management tied to your data and the services you use or provide. They are part of an initiative within the web standards community to create suitable standards for handling decentralised identities. The software will help to tell others exactly how you want to see things handled. The outcome is expected to contribute both to the standard, and to an actually working solution where users can design and manage their own decentralised identities. The project is led by one of the authors of the W3C specification. This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. "},{"description":" Universal EInk Solutions Consistent API for e-paper Electrophoretic displays (aka EPD, Eink, E-Paper) are reflective display devices which use colored granules suspended in clear oil to display text and graphics. Their unique property is that they can maintain their state without power. They've become ubiquitous as e-book readers, digital signage and as dynamic price displays in retail. Small, low cost displays are also desirable to use in personal and small maker projects. The challenge in using these displays compared to more traditional displays such as LCDs (liquid crystal displays) is that their unique properties require unique software, hardware and knowledge. Adding to this challenge is the lack of availability of all of the above. 
The manufacturers and resellers provide minimal software and documentation, so users are usually left frustrated. This project aims to greatly reduce these barriers to use through software, hardware and documentation. On the software side, there are two new portable C/C++ (embedded + Linux) software libraries which can generate text and graphics on the vast majority of these displays, using a common API. For the hardware side, the goal is to make the hardware available at a reasonable cost to individual users through open source hardware definition files and the ability to buy finished PCBs through worldwide retail channels. The documentation will come in the form of detailed info about the physical displays, their controllers and ample example code to show their use. There are two main types of EPDs: one has a controller built into the glass of the display and needs a few external components for a DC-DC boost circuit. The other type requires an external CPU and multiple external power rails to control all aspects of the display updates. Both will be supported by this project. This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","title":"Universal EInk Solutions","url":"https://nlnet.nl/project/Universal-EInk/"},{"url":"https://nlnet.nl/project/UnifiedPush/","title":"UnifiedPush","description":" UnifiedPush Decentralized and open-source push notification protocol Push notifications are essential to the modern mobile experience, as they enable applications to communicate with users in real time, even when not in active use. 
Major mobile operating systems provide a centralized service that they control, but depending on a centralized push notification system controlled by one company raises issues of privacy and independence. UnifiedPush is a decentralized and open-source push notification protocol. It is a set of specifications and libraries that allow the user to choose how push notifications are delivered. It is compatible with WebPush, the standard for web applications. The project's own website: https://unifiedpush.org This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"title":"UnifiedPush","url":"https://nlnet.nl/project/UnifiedPush-LinuxMobile/","description":" UnifiedPush Decentralized push notification protocol with libre implementations Push notifications are essential to the modern mobile experience, as they enable applications to communicate with users in real time, even when not in active use. Major mobile operating systems provide a centralized service that they control, but depending on a centralized push notification system controlled by one company raises issues of privacy and independence. UnifiedPush is a decentralized push notification system that lets the users choose the service they want to use. It’s designed to be privacy-friendly, flexible, and open. It is compatible with WebPush, the standard for web applications. The project's own website: https://unifiedpush.org This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. 
"},{"url":"https://nlnet.nl/project/UnexpectedKeyboard/","title":"Unexpected Keyboard Autocomplete/Correct","description":" Unexpected Keyboard Autocomplete/Correct Input correction for popular alternative Android keyboard Unexpected Keyboard is a lightweight and privacy-conscious virtual keyboard for Android-based mobile operating systems. Its distinguishing feature is that you can type different characters by swiping your finger towards the corner of the key, a feature was originally designed for programmers using Termux. This allows to fit much more characters on screen than a regular keyboard layout, and prevents users from having to continuously switch just to input content containing characters spread across layouts. This project will add (offline) word suggestion and correction to Unexpected Keyboard, which well help to make the app even more user-friendly. The project's own website: https://github.com/Julow/Unexpected-Keyboard/ This project was funded through the NGI Mobifree Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme under the aegis of DG Communications Networks, Content and Technology. The NGI Mobifree R&D programme is part of Horizon Europe research and innovation programme under grant agreement No. 101135795. "},{"description":" Reverse Engineering Toolkit Reducing e-waste through Reverse Engineering According to the Global E-waste Statistics Partnership (GESP), electronic waste is estimated to increase to 74.4 Million Tonnes by 2030. A strong factor in the continuing increase of e-waste is the electronic industry artificially shortening the lifespan of their devices. Planned obsolescence, the inability to repair and abandoned software support all contribute to devices prematurely ending up in a waste stream. 
Older high-end consumer electronics devices have powerful components that, once open schematics, firmware and documentation have been created for them through reverse engineering, can be repurposed to create new and different devices. To meet this aim, Unbinare is creating an open hardware reverse engineering toolkit consisting of the OI!STER (a tool for debugging and glitching MCUs), the UNBProbe (a passive, spring-loaded needle probe for probing PCBs), the UNBProbebase (a magnetic base with a prototyping area) and a breakout board - which allow components salvaged from e.g. discarded mobile phones to be repurposed. The project's own website: https://www.unbina.re Run by Unbinare This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","title":"Reverse Engineering Toolkit","url":"https://nlnet.nl/project/Unbinare-RET/"},{"url":"https://nlnet.nl/project/UberDDR4/","title":"uberDDR4","description":" uberDDR4 High-performance, standalone DDR4 memory controller. UberDDR4 aims to deliver a high-performance, standalone, fully open-source DDR4 memory controller. Building on the proven success of UberDDR3, which remains the fastest and most capable open-source DDR3 controller available today and is already supported on all AMD/Xilinx 7-series FPGAs as well as the Lattice ECP5. As DDR3 phases out, this project helps maintain high-performance memory solutions for the open hardware community. The work includes developing a new DDR4 controller for next-generation FPGA families such as AMD/Xilinx UltraScale Plus using an architecture designed for easy portability to future tape-out silicon projects, porting UberDDR3 to additional platforms, and improving its performance when used with open FPGA toolchains including openXC7 and scalePnR. 
The project's own website: https://github.com/AngeloJacobo/DDR3_Controller This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"url":"https://nlnet.nl/project/UberDDR3/","title":"UberDDR3","description":" UberDDR3 Open Hardware DDR3 memory controller UberDDR3 is set to transform the landscape of open-source technology as this will be above and beyond any previous opensourced DDR3 controller gatewares. This aims to unlock the full potential of DDR3 memory, aligning with the latest technological needs. We are dedicated to enhancing compatibility across diverse memory types and reaching higher speed. By integrating innovative features such as on-the-fly configuration, thermal management, ECC integration, and self-refresh mode, our goal is to elevate this open-source gateware to rival the performance of proprietary DDR3 controllers. This endeavor will empower the open-source community, ensuring that dependence on proprietary DDR3 controllers becomes a thing of the past, and setting a new benchmark for open-source hardware capabilities. The project's own website: https://www.openiphub.com This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. 
"},{"description":" URL Frontier Develop a API between web crawler and frontier Discovering content on the web is possible thanks to web crawlers, luckily there are many excellent open source solutions for this; however, most of them have their own way of storing and accessing the information about the URLs. The aim of the URL Frontier project is to develop a crawler-neutral API for the operations that a web crawler when communicating with a web frontier e.g. get the next URLs to crawl, update the information about URLs already processed, change the crawl rate for a particular hostname, get the list of active hosts, get statistics, etcetera. It aims to serve a variety of open source web crawlers, such as StormCrawler, Heritrix and Apache Nutch. The outcomes of the project are to design a gRPC schema then provide a set of client stubs from the schema as well as a robust reference implementation and a validation suite to check that implementations behave as expected. The code and resources will be made available under Apache License as a sub-project of crawler-commons, a community that focuses on sharing code between crawlers. One of the objectives of URL Frontier is to involve as many actors in the web crawling community as possible and get real users to give continuous feedback on our proposals. The project's own website: https://github.com/crawler-commons/url-frontier Why does this actually matter to end users? Search and discovery are some of the most important and essential use cases of the internet. When you are in school and need to give a presentation or write a paper, when you are looking for a job, trying to promote your business or finding relevant commercial or public services you need, most of the time you will turn to the internet and more importantly the search bar in your browser to find answers. Searching information and making sure your name, company or idea can be discovered is crucial for users, but they actually have little control over this. 
Search engines decide what results you see, how your website can be discovered and what information is logged about your searches. What filters and algorithms are used remains opaque for users. They can only follow the rules laid out for them, instead of deciding on their own what, where and how to find the information they are looking for. Centralizing online search around just a few search engines creates a host of problems, ranging from user privacy and nontransparent filtering to misinformation and fake news. The algorithms of search engines can be misused to show millions of users incorrect and discrediting information and stories about the topic or person they were looking up. This is done to influence elections or to shape the public opinion around specific topics, like refugees and climate change. The reach of these search engines (and the social media networks that are exploited for the same goal) is enormous and once a story goes viral, it is hard if not impossible to take it offline, let alone combat the misinformation with correct reports. At their core, search engines focus on a website's popularity when they filter search results, not information accuracy. All of this creates a perfect storm for fake news to spread incredibly quickly online. Luckily there are alternative web search solutions that provide a more clear and neutral look on the world. Some of these are powered by open source essential components, like a web crawler, that does what you would think it does: it crawls the web and copies pages for a search engine to process and index. This project will make it easier for search engines to use various web crawlers for specific purposes in a uniform way. This useful building block can help pave the way for a wider diversity of search engines to combat misinformation, echo chambers and monopolies. 
Run by DigitalPebble This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. ","url":"https://nlnet.nl/project/URLFrontier/","title":"URL Frontier"},{"title":"URL Frontier 2.0","url":"https://nlnet.nl/project/URL-Frontier-2/","description":" URL Frontier 2.0 Enterprise features for URLFrontier URLFrontier provides a crawler-neutral API and service implementation for a crawl frontier, which can power various web crawlers independently from their implementation language and scalability. This API defines the operations that a web crawler typically does when communicating with a web frontier e.g. get the next N URLs to crawl, update the information about URLs already processed, change the crawl rate for a particular hostname, get the list of active hosts, get stats, etc… The aim of this project is to turn what is currently a working piece of software (the result of an earlier grant from NGI Zero Discovery) into an enterprise-grade solution. The improvements will mainly concern the service implementation, e.g. monitoring/reporting, clustering/discovery and robustness/resilience. The project will improve the usability of the system by adding configurable logging and metrics reporting, improve the performance of the service for very large volumes of data by adding efficient parallelization across multiple nodes; and improve the overall robustness through more graceful failure modes and more efficient restarts. 
The project's own website: https://github.com/crawler-commons/url-frontier Run by DigitalPebble Ltd This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. "},{"title":"","url":"https://nlnet.nl/project/ULX3S/","description":""},{"title":"ULX4M","url":"https://nlnet.nl/project/ULX3M/","description":" ULX4M A modular open hardware FPGA platform Embedded systems are everywhere, including in trusted environments. But what is really inside them? ULX3M is a modular version of the popular open hardware project ULX3S. ULX3M delivers a versatile programmable (FPGA) modular mainboard that can be used with a wide choice of peripherals. The main board is \"vendor neutral\" and can be used with different FPGA vendors' daughter boards. As the community continues to grow, lots of FPGA modules are written, and one goal of our boards would be that we can easily switch and check other vendor chips, and work more on vendor neutral code where possible. The project also improves SERDES availability. Some cheaper FPGA chips do not have lots of SERDES lines and when someone makes a board it needs to choose what peripheral will be using those SERDES lines. A daughter board that can be rotated in any position will allow more flexible usage. In that way, cheaper FPGA could be used to write all the code. With an open source design, users are not dependent on anyone to make boards and can run independent production. The project's own website: https://intergalaktik.eu/projects/ulx4m Why does this actually matter to end users? Consumers and businesses overpay for computer hardware, because the market is not working well. 
When you go to a store to buy a laptop or mobile phone, you may see different brands on the outside but choice in terms of what is inside the box (in particular the most expensive component, the processor technology) is pretty much limited to the same core technologies and large vendors that have been in the market for decades. This has a much bigger effect on the users than just the hefty price tag of the hardware, because the technologies at that level impact all other technologies and insecurity at that level breaks security across the board. In the field of software, open source has already become the default option in the market for any new setup. In hardware, the situation is different. Users - even very big users such as governments - have very little control over the actual hardware security of the technology they critically depend on every day. Security experts continue to uncover major security issues, and users are rightly concerned about the security of their private data as well as the continuity of their operations. But in a locked-down market there is little anyone can do, because of the lack of alternatives. European companies are locked out of the possibility to contribute solutions and start new businesses that can change the status quo. Fortunately there are efforts underway to make hardware that, like open source software, is free to be reimagined and reassembled without restriction. Hardware that is transparently created, from the design up to the actual physical creation. As these projects grow and connect, they can lay the foundations for a technological commons of trustworthy hardware that is accessible for everyone to learn from and build upon. This project develops development tools to make it easier to work with field-programmable gate arrays, or FPGA's. 
FPGA's are chips that can be customized for a specific task ('programmable in the field') for image processing in digital cameras, portable electronics in smartphones and tablets, networking in 'harsh' industrial environments. Unlike a generic chip, an FPGA chip can be restricted in what it does - meaning that it can be made more secure while still using less energy. In this project, the ULX3S team will develop an affordable \"vendor neutral\" development board using open source tools, to stimulate bottom-up innovation, research and study of this flexible type of computing. Through a modular approach the same board can be used with different FPGA vendors' daughter boards, lowering cost and making better use of natural resources. Run by RadionaOrg This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. "},{"description":" UEFI Capsule Update for coreboot with EDK II Implement more robust firmware updates in coreboot UEFI capsule update is an industry-standard approach widely supported by hardware vendors, providing a secure method for delivering firmware updates. By adopting capsule update methods, the project aims to simplify the update process and enhance the user experience, providing a more reliable approach compared to complex flashrom-based updates, which are still common in the open-source firmware distributions based on coreboot. Due to security measures, OS-level access to firmware is intentionally restricted, which in turn makes it increasingly challenging to apply firmware updates from the operating system. This limitation poses difficulties in utilizing traditional flashrom-based methods for firmware updates. 
The expected outcomes of the project include enhanced firmware update capabilities, a simplified user experience, heightened security, and enhanced compatibility, all achieved by seamlessly integrating with fwupd, a popular firmware update management tool for Linux systems. The project's own website: https://docs.dasharo.com/projects/capsule-updates/ Run by 3mdeb Sp. z o.o. This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","url":"https://nlnet.nl/project/UEFICapsuleUpdate/","title":"UEFI Capsule Update for coreboot with EDK II"},{"description":" Advanced UEFI Capsule Update for coreboot with EDK II Secure firmware updates, also via fwupd The project summary for this project is not yet available. Please come back soon! The project's own website: https://docs.dasharo.com/projects/capsule-updates/ Run by 3mdeb Sp. z o.o. This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/UEFICapsuleAdvUpdate/","title":"Advanced UEFI Capsule Update for coreboot with EDK II"},{"url":"https://nlnet.nl/project/UEFI-isolation/","title":"UEFI isolation in VM from non UEFI firmware","description":" UEFI isolation in VM from non UEFI firmware Safer booting into UEFI-compliant operating system UEFI is the successor to BIOS, which initialises the bare hardware of a computer before handing over to a bootloader. 
The UEFI specification defines the architecture of platform firmware used for booting and its interface for run-time interaction with operating systems. As such, UEFI is responsible for bootstrapping pretty much every modern computer. In the majority of cases this is done with very little transparency for users - essentially relegating this enormously responsible position to a \"black box\" that just blips on the screen. Unfortunately trust in vendors to live up to their huge responsibility to make this safe and robust is not always justified: quite a few issues and security vulnerabilities in the (mostly proprietary) UEFI implementations have come to the surface via real-world exploits. The key open source booting mechanisms (like coreboot and Linuxboot/u-root) are not UEFI compliant. This project aims to close the gap in a pragmatic way: through virtualization - booting into a stripped down Linux and using the Kernel Virtual Machine (which is generally considered mature) to run the open source reference implementation of UEFI until it can hand over to a UEFI compliant boot loader. This is of course a security tradeoff (the early stage Linux used for virtualisation would not be able to use UEFI just yet itself in bootstrapping), but it allows a single intervention to bridge to all different boot loaders and wholly avoid opaque proprietary ones by switching to open source ones. This also helps to debug and assist in finding new solutions to cope with the shortcomings of native UEFI implementations. The project's own website: https://github.com/9elements/VMBoot This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. 
"},{"url":"https://nlnet.nl/project/Typst-HTML/","title":"HTML export for Typst","description":" HTML export for Typst Markup based typesetting for multichannel publishing Typst is a markup-based typesetting system that is designed to be as powerful as LaTeX while being much easier to learn and use. Currently, Typst outputs documents only as PDF, yet there is strong demand for generating HTML. We want to extend Typst such that it can create high-quality HTML and PDF versions from the same document, which is currently not possible with comparable programs. As a result, Typst could be used in a variety of new scenarios, such as the generation of websites and e-books. Furthermore, this will improve the accessibility of the output documents. The project's own website: https://typst.app This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"url":"https://nlnet.nl/project/Typst-Accessibility/","title":"Typst PDF Accessibility","description":" Typst PDF Accessibility Increase a11y of Typst's output PDF files are often the only venue through which vital information is shared in business, education, and government. Even so, these files are more often than not inaccessible to those of low or no vision. This not only prevents compliance with the European Accessibility Act and similar legislation in other countries, but prevents equal participation. This project proposes to implement all the features and tools needed for accessible PDF creation into Typst, a growing open-source automated writing platform. With this project, Typst will implement technical standards for accessibility and give authors tools to accommodate human factors of accessible documents. 
The project's own website: https://typst.app Run by Typst GmbH This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"title":"Typed Nix","url":"https://nlnet.nl/project/TypedNix/","description":" Typed Nix Static type system for Nix programming language. Nix is a tool that takes a unique approach to package management and system configuration, enabling developers to build reproducible, declarative, and reliable systems. This project introduces a typed layer for the Nix language, adding optional static typing, type inference, and structural type checking for Nix expressions while compiling down to standard Nix so existing tooling continues to work. Its primary goal is to improve the developer experience through straightforward yet flexible tooling, addressing long-standing ecosystem challenges such as dated documentation, opaque error messages, inconsistent formatting conventions, unreliable language server support, and a lack of interactive, extensible development tools. By improving clarity, tooling, and developer ergonomics, the project aims to do for the Nix ecosystem what TypeScript did for the JavaScript community: make large codebases easier to understand, maintain, and collaborate on. The project's own website: https://github.com/numtide Run by Numtide This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. 
Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"title":"TypeCell","url":"https://nlnet.nl/project/TypeCell/","description":" TypeCell CRDT-based collaborative block-based editor TypeCell aims to make software development more open, simple and accessible. TypeCell integrates a live-programming environment as a first-class citizen in an end-user block-based document editor, forming an open source application platform where users can instantly inspect, edit and collaborate on the software they’re using. TypeCell spans a number of different projects improving and building on top of Matrix, Yjs and Prosemirror to advance local-first, distributed and collaborative software for the web. The project's own website: https://www.typecell.org Run by TypeCell This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. "},{"description":" TwPM Open hardware implementation of Trusted Platform Module The Trusted Platform Module or TPM is a dedicated hardware component designed for providing additional security features for computing platforms. Currently, the market is dominated by the TPMs based on chips from large silicon vendors. The common characteristic of these modules is the proprietary firmware implementation. TwPM project aims to increase the trustworthiness of the TPM module (hence the TwPM), by providing the open-source firmware implementation for the TPM device, compliant to the TCG PC Client Specification. The main goal of the project is an attempt to create open-source firmware stack, implementing the TCG PC Client Platform TPM Profile specification. 
Project aims to use already available open-source software components whenever possible (such as TPM simulators for TPM commands handling), while developing new code when necessary (such as LPC FPGA module, or low-level TPM FIFO interface handling). Another challenge is to overcome hardware restrictions and allow users to use the open-source TPM implementation on generally-accessible development boards. The project's own website: https://twpm.dasharo.com Run by 3mdeb This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. ","url":"https://nlnet.nl/project/TwPM/","title":"TwPM"},{"description":" Tvix Alternative Rust-based software build transparency Tvix is a modern design and implementation of the Nix package manager (GPLv3). It brings a modular architecture in which components such as the build environment or package store are replaceable, which enables new use-cases and platforms. A graph-reduction evaluation model will make it possible to use Nix for package definitions and entire system configurations, its proven and tested use case, as well as for granular build definitions for individual components of software. Tvix will be fully compatible with nixpkgs, the existing package definition set for Nix, letting its users leverage more than a decade of community contributions and making it useful right out-of-the-box. The project's own website: https://tvix.dev This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. 
","url":"https://nlnet.nl/project/Tvix/","title":"Tvix"},{"description":"","url":"https://nlnet.nl/project/Tvix-Store_Builder/","title":""},{"url":"https://nlnet.nl/project/Tusky/","title":"Tusky","description":" Tusky Android client for ActivityPub Tusky is an Android client for the popular social media server Mastodon. It also unofficially supports other platforms leveraging the same standard (W3C ActivityPub), such as Pleroma, Pixelfed and GotoSocial. This project will add official support of GotoSocial to Tusky, as well as update the codebase and improve accessibility. The project's own website: https://tusky.app This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"url":"https://nlnet.nl/project/Trustix/","title":"Build Transparency (Trustix)","description":" Build Transparency (Trustix) Towards a decentralized supply chain for software When we install a program, we usually trust downloaded software binaries. But how do we know that we aren't installing something malicious? Typically, we have confidence in those binaries because we get them from a trusted provider. But if the provider itself is compromised, the binaries can be anything. This makes individual providers a single point of failure in a software supply chain. Trustix is a tool that compares build outputs across a group of providers - it decentralizes trust. Multiple providers independently build the software, each in their own isolated environment, and then can vouch for the content of binaries that are the outcome of reproducible builds - while non-reproducible builds can be automatically detected. This is the first step towards an entirely decentralized software supply chain that can securely distribute software without any central corruptible entity. 
The project's own website: https://nix-community.github.io/trustix Why does this actually matter to end users? When you start up your computer, you will probably think twice before you download some random piece of software from the internet and run it. You know that doing so could allow unwelcome guests to your computer and your data. Your computer might even end up in a bot net. So when you see some nice piece of software, you will ask yourself the question: can I really trust the software? Perhaps you will check the origin it comes from. Better safe than sorry. But even when you are sure you download a program from a trusted source, can you really trust the files themselves? To install something, usually you need to rely on binary files, like the executable installer you click to get things started. These are files that your computer understands, but are practically impossible for people to read and understand, let alone verify or audit. This project will develop a tool that compares software binaries across different providers and checks whether they all work the same, identifying any binary that does something unexpected as compromised. Without any central point of trust (and failure), this way anyone can actually trust the software they run in their workspace or at home. Run by Tweag IO This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. "},{"description":" Trustix Make build logs available as publicly verifiable, tamper-proof Merkle trees Software build infrastructure is vastly underestimated in terms of its potential security impact. When we install a computer program, we usually trust downloaded software binaries. 
But even in the case of open source software: how do we know that we aren't installing something malicious which is different from the source code we are looking at - for instance to put us in a botnet or siphon away cryptocurrencies? Typically, we have confidence in the binaries we install because we get them from a trusted provider. But once the provider itself is compromised, the binaries can be anything. This makes depending on individual providers a single point of failure in a software supply chain. Trustix is a tool that compares build outputs across a group of providers - it decentralizes trust. Multiple providers independently build the software, each in their own isolated environment, and then can vouch for the content of binaries that are the outcome of reproducible builds - while non-reproducible builds can be automatically detected. In this project the team will work on further enabling trust delegation, by offloading log verification to trusted third parties - heavily inspired by the Delegated Proof of Stake consensus algorithm. It will bring Trustix into the Nix and the Guix ecosystems that are most amenable to Trustix' approach. The ultimate goal is for Trustix to integrate seamlessly into the entirely decentralized software supply chain so we can securely distribute software without any central corruptible entity. The project's own website: https://nix-community.github.io/trustix This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. 
","url":"https://nlnet.nl/project/Trustix-Nix/","title":"Trustix"},{"title":"Mark Burgess - Promise Theory","url":"https://nlnet.nl/project/TrustSemanticLearning/interview.html","description":" Mark Burgess - Promise Theory Measure on-going trust between interacting agents Middleware and identity Can you introduce yourself and your project? My name is Mark (Burgess). I'm not related to the famous spy. I've been a theoretical physicist and a Professor of Computer Science, and latterly a startup entrepreneur in the area of network and system management for the past 30 or so years, and now I advise and consult as a sort of odd job man in technology. I've written a few books on various topics related to that too. Over the years, I've been fortunate to be involved with some of the major challenges in cloud computing, from configuration to networking and edge computing. As Troy McClure would say, you may know me from such movies as \"CFEngine for Home Improvements\" and \"The Return of Promise Theory\". I try to maintain a sense of humour about it and I've been involved both in fundamental research as well as Free and Open Source Software development for all of that time. Quite a mess really! (Laughs) What are the key issues you see with the state of the internet today? 
The Internet is an incredible phenomenon, isn't it? We know a lot about certain aspects of it - mostly the technology - but almost nothing about others. In particular, I think we tend to focus just on building whatever we feel like, pressing ahead with technical issues and being generally disparaging of attempts to understand the impact of what we make on human society. People want to make money, get rich or famous, and so on and social impact gets swept aside in the gold rush. This has been a kind of hobby horse for me since the millennium. I wrote a book back then called Slogans which predicted the rise of social media and how instantaneous access to information would undermine democracy and law and order in society on a basic level. I don't like to be right about that, but I think we see it happening before our eyes. The race to develop what we're currently calling \"AI\" is a similar story. There are too few of those who make technology who care to think about its impact on the world. For instance, money is basically a network technology from ancient times. The Internet is basically an extension of the money network. If we want to understand the Internet, we need to look at things like the history of money too. How does your project contribute to correcting some of those issues? The project Trust semantic learning and monitoring is part of a wide ranging effort to understand trust in network socio-technical systems. For many years now I've been - at least trying - to develop an understanding about how individual \"agents\" behave when they get together in numbers, building from the bottom up, and the implications of how it all works. It's more or less what's called Promise Theory today. It started out by me wanting to understand computer networks, but I quickly realized that it's also the way to put social science on a more theoretical basis too. One of the issues that pops up in both cases is the role of trust and how trust and promises relate to one another. 
Some years ago I wrote a kind of position paper suggesting that trust might work as a kind of common currency for social systems, just as energy is a currency for physical phenomena. I've seen how the concept of trust is used and abused in Computer Security, for instance. Technologists realize that too much trust could lead to risk and so they invoke that old binary ploy of saying - okay, it's either yes or no, one or zero, let's get rid of trust and have zero. So Zero Trust became a marketing slogan. But that's nonsense obviously. First of all, it's just saying don't trust them, trust me instead. Without trust, nothing could work. So what I wanted to do was to see if we could apply Promise Theory to the issue of trust. What could we learn from it, and how could we test the ideas it brings up? I realized we could use Wikipedia as a data source for answering (at least a few) questions about trust, because it's an open platform that traces the human interactions around editing pages. It's a great opportunity to learn something important from an idealistic project that's already been of huge benefit to humanity. What do you like most about (working on) your project? I like understanding how things really work. You know, when I started I imagined I might find something like the usual sort of feel-good story we like to tell about human cooperation. You know, we come together to help each other if we trust one another, Kumbayah. It's rosy and idealistic and very politically correct. But interestingly, that wasn't the picture that came out of the study. It showed that people basically come back to something because they mistrust it, which sounds upside down, but it makes a lot of sense if you think about what grabs our attention. If you trust something too much, you're not paying attention. If you're not sure, you invest effort to watch over everything more carefully and that's costly. But then there are also people we avoid completely because we don't trust them at all. 
So how can that work? It turns out that trust isn't one thing, it has two components. You can call them trustworthiness, which is our ongoing assessment of how reliable things are. And if we overcome a basic threshold of this probable reliability, which is informed by how well people and things keep promises we're interested in, then the attention part of trust comes into play and it's driven by residual mistrust. So there has to be some kind of `seed' that attracts our attention first, an alignment of interests. Then we figure out how carefully we want to keep watch over that ongoing relationship. There's a scale of semantics from attentiveness from basic curiosity to invasive body searches. Mistrust is the prerequisite for learning. So, when people talk about zero trust, they really mean the second part of it, about paying greater attention to detail. There's clearly a role for trusting less or investing greater attention in the sense of quality inspection and so on. The implications of this are important for the bigger picture, not only the Internet. It's a bit like H.G. Wells' Time Machine. In the future, their society has become these two groups of beings. The Morlocks who do all the work underground, and the Eloi who trust everything to be provided for them and are pretty indolent. Given our reliance on smartphones to give us more and more at the push of a button, we could easily fall into that trap. The Internet of Finance already tends to push us even deeper into the divide between `have' and `have not'. The changing demographics and the challenges around the future of human employment are all a big destabilising force on society around the globe - we don't feel we can trust enough. It makes people shut out the less familiar, and become more tribal in their thinking. I think we could easily underestimate the dangers of that. 
I hope we'll look back on it all with some circumspection and, apart from a few mistakes, we'll find a way to come back from to something more open and stable. What trust and Promise Theory ultimately suggest is that our limited human faculties are the bottleneck. Trying to supplement ourselves with AI or machinery is an obvious answer to that, but it will only work for a few specialized purposes. The core of what keeps us together has to be constrained by our human capacity for relating to the world. Trust isn't a transitive thing. You have to trust technology if it's going to take over the job of mistrusting or monitoring something else. So you don't escape trust. It's trust all the way down. Where will you take your project next? Something interesting popped out of the study unexpectedly. That was that editing was bursty. It wasn't a continuous marathon, but more like a number of episodes. These episodes involved about the same number of people regardless of what they were working on. People would come, tussle a bit over some details and then get tired of it and leave. That suggests there is something intrinsic to all humans limiting their tolerance of mistrust. It's draining - expensive after all to argue with others. This reminded me of Robin Dunbar's work on social group sizes and our cognitive capacity, and it gave the same numbers that he and his colleagues had found for conversational groups elsewhere. I realized that the key to understanding human social group numbers must lie in the dynamics of how people pay attention - meaning trust. I actually ended up contacting Robin and we've since written a couple of papers together showing how this argument predicts the group sizes in Wikipedia extremely well. This work I've been doing on Promise Theory has been slow going partly because it's hard to find time to do research unless someone is sponsoring it. Over the years, it's taken me in all kinds of unexpected directions. 
One of the things I enjoyed the most was to be invited into the Agile Leadership community to apply promises to the issues of leadership: trust, authority, services, and so on. It turns out that we can put these loose ideas into a more formal framework and understand them quantitatively. For example, why do certain figures end up becoming leaders. Where does authority come from? My colleague Jan Bergstra who helped to develop Promise Theory has also applied it to study accusations - something that's a growing issue in social media and politics. Accusation is something that immediately reduces trust, so it's a weaponised form of communication that we're seeing amplified by social media. As long as people did it in small circles, it was manageable. Now we're broadcasting accusations across the planet and the consequences are enormous and on a global political scale. We probably thought social media would be harmless gossip. I think David Bowie actually put his finger on it years ago when he told a disbelieving interviewer that it would change everything. (Editor's note: The Bowie interview can be found either on the geoblocking BBC archive or Youtube.) How did NGI Assure help you reach your goals for your project? I find it very hard to ask for money from people, but a friend of mine who had already applied and gotten funding recommended NLnet to me. What impressed me straight away was actually two things. First how smart and genuinely interested Michiel [Leenaars] was, and secondly (perhaps ironically) how much trust I was afforded to get on with the work without a lot of nonsense report writing and micromanagement which you get in EU funding and so on. Along the way, I tried to document everything and I always got good feedback and encouragement. That's quite unusual. So there's a sense of the organization wanting to help more than trying to bind you in some kind of project management straitjacket. 
Do you have advice for people who are considering to apply for NGI funding? Have a go. I don't know what else to say. I'm still a novice here, but it seems like a great opportunity in safe hands. Do you have any recommendations to improve future NGI programmes or the wider NGI initiative? You mean apart from funding more of my work? (Laughs) It seems to me that they've got this covered. I don't know what I could possibly add to what they do. They're professionals, specialists. We need to respect that. Acknowledgements Image: courtesy of Mark Burgess. Published on September 12, 2024 The project Trust Semantic Learning and Monitoring received funding through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. "},{"title":"Trust semantic learning and monitoring","url":"https://nlnet.nl/project/TrustSemanticLearning/","description":" Trust semantic learning and monitoring Measure on-going trust between interacting agents Trust semantic learning and monitoring is part of a wide ranging effort to understand trust in network socio-technical systems. The expected outcome of this part is a methodology and proof of concept code library for qualifying and quantifying trust between agents in a network. In IT, trust is often treated as a binary \"crypto token\", based on some validation test, and developers naively speak of zero trust systems without understanding the depth of what trust really is. But, trust is a deeply social phenomenon, which changes in real time based on social and technical interactions. By applying learning algorithms and data analytics to streamed interactions, this project attempts to qualify and quantify a measure of trust as a way of making realtime risk estimates. 
The project's own website: http://markburgess.org/trustproject.html Run by ChiTek-i AS This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. "},{"description":" TrustING Ultrafast AS-level Public-Key Infrastructure TrustING is a human-transparent and agile Trust Infrastructure for a Next-Generation Internet. This infrastructure enables any two entities to establish secret keys that can be used to encrypt and authenticate data. The foundation of TrustING is the AS-level Public-Key Infrastructure (PKI) of the SCION Internet Architecture that provides sovereignty (ensuring absence of global kill switches), trust transparency, and algorithm agility, among others. The TrustING service establishes symmetric keys with other domains in advance, and then relies on those keys to derive keys for local hosts. The core novelty of this approach is the ability to derive keys purely locally on both sides of the communication, without even requiring key transport. By making TrustING a control-plane mechanism offered by the network infrastructure, higher-level applications can make use of it without having to worry about complexities such as exchanging key material or establishing trust. To show the viability of TrustING, we will implement TLS trust bootstrapping using TrustING and additionally demonstrate the efficiency of TrustING by using it to authenticate SCMP (SCION's equivalent of ICMP) messages. The project's own website: https://scion-architecture.net Run by Anapaya Systems This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. 
","title":"TrustING","url":"https://nlnet.nl/project/TrustING/"},{"url":"https://nlnet.nl/project/Trussed-FIDO2.2/","title":"FIDO 2.2","description":" FIDO 2.2 Open hardware implementation of FIDO CTAP 2.2 WebAuthn in conjunction with FIDO2 is the latest standard for secure and convenient authentication in the Web. The Trussed framework's fido-authenticator is the main open source implementation of a FIDO2 security key and used by Solokeys and Nitrokey. It currently supports FIDO 2.0 and partially 2.1. This project will bring the fido-authenticator to its next stage by fully implementing the upcoming 2.2 standard among appropriate software tests, a hardware-in-loop test suite. The implementation will be confirmed by an official FIDO L1 certification. The project's own website: https://github.com/Nitrokey/fido-authenticator Run by Nitrokey GmbH This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. "},{"description":" TrenchBoot - DRTM launch between coreboot and UEFI payload Protect coreboot payload with dynamic Roots of Trust The project summary for this project is not yet available. Please come back soon! The project's own website: https://3mdeb.com/ Run by 3mdeb Sp. z o.o. This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). 
","url":"https://nlnet.nl/project/Trenchboot-DRTM-launch/","title":"TrenchBoot - DRTM launch between coreboot and UEFI payload"},{"description":" Trenchboot as Anti Evil Maid Integrate Trenchboot into Qubes OS as defense mechanism against physical compromise Enhancing the security measures of Qubes OS is the primary objective of this initiative, which involves integrating the TrenchBoot Project into the Anti-Evil Maid (AEM) implementation. Traditional firmware security measures, such as UEFI Secure Boot and measured boot, have limitations that can be overcome by leveraging Dynamic Root of Trust (DRT) technologies and TPM 2.0. TrenchBoot provides a secure environment for operating system launch and integrity measurements, ensuring greater protection. The project aims to extend support to both Intel and AMD hardware, addressing the current lack of TPM 2.0 support and AMD compatibility in the AEM implementation. Key objectives include implementing TPM 2.0 support in Xen, updating AEM scripts, and ensuring seamless integration with AMD hardware. The successful execution of this initiative will significantly enhance the security of Qubes OS and promote the adoption of DRT technologies in open-source and security-oriented operating systems. Thorough testing on various hardware configurations will validate the solution's effectiveness and reliability. The project's own website: https://trenchboot.org Run by 3mdeb Sp. z o.o. This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. 
","title":"Trenchboot as Anti Evil Maid","url":"https://nlnet.nl/project/Trenchboot-AEM/"},{"description":" TrenchBoot for AMD platform in Linux kernel Upstream TrenchBoot AMD support to the Linux kernel TrenchBoot is a framework that allows individuals and projects to build security engines to perform launch integrity actions for their systems. Trenchboot is a unified framework to verify if bugs or vulnerabilities have compromised a system, based on dynamic RTM (DRTM). The framework builds upon Boot Integrity Technologies (BITs) that establish one or more Roots of Trust (RoT) from which a degree of confidence that integrity actions were not subverted is derived. A previous effort successfully developed support for DRT technologies for AMD platforms in the Linux kernel. This project intends to upstream TrenchBoot support to the mainline Linux kernel and to the widely used GRUB boot manager. The project's own website: https://trenchboot.org/ Run by 3mdeb SP. z o.o. This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","url":"https://nlnet.nl/project/TrenchBoot-AMD/","title":"TrenchBoot for AMD platform in Linux kernel"},{"url":"https://nlnet.nl/project/TrenchBoot-AEM-UEFI/","title":"TrenchBoot as Anti Evil Maid - UEFI boot mode support","description":" TrenchBoot as Anti Evil Maid - UEFI boot mode support Add UEFI to the Qubes integration of Trenchboot with AEM Qubes OS is a free and open source operating system uniquely designed to protect the security and privacy of the user. Its architecture is built to enable the user to define different security environments (\"qubes\") on their computer and visually manage their interaction with each other and the world. 
TrenchBoot provides a secure environment for operating system launch and integrity measurements, ensuring greater protection. The main objective of the TrenchBoot as Anti Evil Maid project is to enhance the security of Qubes OS by integrating the TrenchBoot Project with the Anti Evil Maid (AEM) implementation. Through comprehensive hardware testing, the successful execution of this initiative will promote the adoption of DRT technology in open-source and security-oriented operating systems, ensuring enhanced security for Qubes OS. This project will prioritize stability, testing, and ensuring the reproducibility of results for broader community adoption. The project's own website: https://docs.dasharo.com/projects/trenchboot-aem-v2 Run by 3mdeb Sp. z o.o. This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"title":"Transparency Toolkit","url":"https://nlnet.nl/project/TransparencyToolkit/","description":" Transparency Toolkit A decentralized hosted archiving service with search This project is archived. Due to circumstances, the project as planned did not take place. This page is left as a placeholder, for transparency reasons and to perhaps inspire others to take up this work. Transparency Toolkit is building a decentralized hosted archiving service that allows journalists, researchers, and activists to create censorship-resistant searchable document archives from their browser. Users can upload documents in many different file formats, run web crawlers to collect data, and manually contribute research notes from a usable interface. The documents are then OCRed (when needed) and indexed in a searchable database. 
Transparency Toolkit provides a variety of tools to help analyze and understand the documents with text mining, searching/filtering, and manual collaborative analysis. Once users are ready, they can make some or all of the documents available in a public searchable archive. These archives will be automatically mirrored across multiple instances of the software and the raw data will be stored in a distributed fashion. The project's own website: https://transparencytoolkit.org Why does this actually matter to end users? When you get up in the morning, and read a fine piece of investigative news about a financial scandal, you don't really stop to think much about how news is produced and what the human cost of its production is. Every year, dozens of journalists around the world get killed, because of what they write and who they talk to. Even in democratic countries, people can run the risk of intimidation and retribution. If you happen to be a courageous journalist writing about corruption, gangs or some other social wrong, protecting your sources is more than a matter of principle - it can be a matter of life and death for all parties concerned. So journalists and other vulnerable groups like civil society groups need to be very careful. But at the same time they of course need to collaborate. In investigative reporting it is often the combined intelligence and data gathering of many that allows them to see otherwise invisible or indiscernible patterns. That means people will have to deal with significant if not massive amounts of documents and data. As a collective, they need to find their way inside these materials to discover the information they need. But of course no conventional search engine can help them, because the resources they have are not all public and could actually cause real trouble to, for instance, whistleblowers inside corrupt institutions should they leak to the wrong people. 
Transparency Toolkit provides journalists, activists and other actors that need to control their communication with a closed-off searchable database within their browser. Users can set up their own database and fill it with various documents and file formats whose contents can be further analyzed and searched. To make these databases even more resistant to censorship, the archived documents will be stored across various locations to avoid central points of failure. This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. "},{"title":"TrailBase","url":"https://nlnet.nl/project/Trailbase/","description":" TrailBase Backend-as-a-Service for building networked applications TrailBase is an open, fast and easy to self-host Firebase-like application platform, i.e. it provides solutions for common application needs out of the box, such as: storage for relational data and files, an admin UI, auth, type-safe APIs, sync via change subscriptions, plugins for custom logic, etcetera. Its open, portable and single-executable nature helps developers to reduce their supply chain dependence, e.g. cloud or infrastructure lock-in, and in-turn provides more control over data sovereignty. The server is built on Rust and SQLite. Integrations are provided for many popular client environments: JavaScript/TypeScript, Dart, Swift, Kotlin, C#, Rust, Go and Python. A TanStack/DB integration greatly simplifies sync for web applications. This project will add a slew of improvements, ranging from schema management, API/traffic routing, tenant management, guest and email-less accounts and an audit-trail for admin-API interaction. 
The project's own website: https://trailbase.io This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"title":"Tracking weasel","url":"https://nlnet.nl/project/TrackingWeasel/","description":" Tracking weasel Detect privacy violations in mobile apps Privacy and data protection are fundamental rights and already well protected by legal frameworks in the EU. Yet, tracking—often without consent—is ubiquitous and often unavoidable. While tech-savvy users can defend themselves against that to a certain degree with tools like tracking blockers, we want to attack the problem at its root to make the web safe for everyone, regardless of expertise. With this project, we want to build infrastructure to detect privacy violations in apps on Android and iOS and crowdsource complaints against this behaviour with the data protection authorities. The result will be a web app where users can select an app from the app stores, which we will then download and run in an emulator or on an actual device. We will analyse the apps’ network traffic and detect privacy violations not just based on server connections but the actual data being transmitted. We will also check any consent dialogs. The website will then show a report to the user and, depending on the results, give them the option to generate a complaint under the GDPR and ePrivacy Directive, complete with the collected evidence from the analysis in the form of screenshots and traffic dumps. 
The project's own website: https://tweasel.org Run by Lorenz Sieben und Benjamin Altpeter GbR This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. "},{"description":" TouchUp Enhance the GNOME Shell User Experience on Touch Devices GNOME Shell is a widely used Linux desktop environment, but it was not designed to be used on touch devices in everyday life. TouchUp helps improve the Shell’s usability on touchscreen devices and makes it a viable, free alternative: users no longer need to compromise on user experience for freedom, control and privacy. Being a Shell extension, TouchUp enables users to use their well-known and stable upstream GNOME Shell (with their favorite extensions) and still have a decent touch interaction with their device. The project already provides essential features such as a gesture and button navigation bar or notification swipe gestures, and has first-class support for devices with removable keyboards or convertibles. The next big step is to expand TouchUp’s scope to higher-level features, with the goal of making the choice to daily-drive Linux on a touch device easier and more rewarding. TouchUp is primarily targeted towards the tablet form factor (since this is where FOSS options are scarcest), though most features also benefit mobile phones. Most importantly – just like GNOME Shell itself – TouchUp stays out of your way. The project's own website: https://github.com/mityax/gnome-extension-touchup This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. 
Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","title":"TouchUp","url":"https://nlnet.nl/project/TouchUp/"},{"title":"Torch Lens Maker","url":"https://nlnet.nl/project/Torch-LensMaker/","description":" Torch Lens Maker Open-source optical systems engineering Torch Lens Maker is an open-source Python library for modeling and designing optical systems. It can be used to design simple mirrors and lenses, all the way to compound optical systems made of a sequence of optical surfaces, such as camera lenses. Torch Lens Maker is based on PyTorch and implements differentiable geometric optics. This gives access to the full power of modern GPU-based numerical optimization methods. Designing an optical system with Torch Lens Maker is a new approach to optical engineering based on explicit description of the system design parameters with Python and powerful numerical optimization. The project also focuses on interactive visualization and exploration of optical systems with a web-based viewer called tlmviewer. This offers deep integration with the Jupyter Notebook environment which has become a standard in the open source numerical computing community. Torch Lens Maker aims at becoming a complete solution for code-based open-source optical systems engineering. The project's own website: https://victorpoughon.github.io/torchlensmaker/ This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). 
"},{"url":"https://nlnet.nl/project/TorPaddingMachines/","title":"Padding Machines for Tor","description":" Padding Machines for Tor Protect metadata in the Tor onion routing network Tor is the worlds largest anonymity network with about eight million daily users around the world who use Tor to browse the web anonymously, access onion services, and circumvent censorship. The project Padding Machines for Tor will design and implement padding machines---as part of a new framework in Tor for generating fake padding traffic---to defend against website fingerprinting attacks. A website fingerprinting attack is a type of traffic analysis attack where an attacker attempts to determine websites visited by a target Tor user by analysing encrypted traffic. The results of the project will be both open source and open access, with the goal of contributing to effective and efficient defenses deployed by default in Tor against website fingerprinting attacks. Why does this actually matter to end users? On the internet, every computer by design gets a unique number - a so called internet protocol address (or for short IP address). This address is used to send information from your computer to the other computer you want to communicate with, and of course back. Unlike a traditional radio, you often need to send messages to receive messages on the internet. Computers are a great engineering achievement but they are certainly not magic, and thus they need to be able to somehow find each other. The IP address makes this possible. Unfortunately, the fact that every computer has a unique number opens up the possibility of abuse by dishonest actors. Because even though it is none of their business, breaking privacy is a profitable business. If they link what you do on the left side of the internet to what you do on the right side of the internet, they can create a profile and sell this to the highest bidder - with any bad luck to people that want to use it for nefarious purposes. 
While work is under way to replace the design of the internet within the Next Generation Internet initiative, there are multiple ways to avoid your IP address being tracked on the current internet. A popular method to attempt to anonymise one's internet presence is to use the Tor network. Tor is a network of millions of computers and users that send messages among each other to confuse someone watching internet traffic. Of course, this is an arms race between those that want to be anonymous when they visit some webpages and those that want to achieve the opposite goal. Researchers found out that while the actual content can be well obscured with lots of intricate math operations, no activity is still observably different from some activity. That means sometimes the patterns of usage would still put users at risk. This is the background of this project. It will attempt to create fake network activity that is realistic and plausible, in such a way that an attacker will not be able to infer much anymore about Tor users. Tor is used a lot by ordinary people but also by journalists, whistleblowers, dissidents, diplomats and others for whom the loss of their anonymity while using the internet can have very dramatic consequences. The project therefore contributes to both privacy and security of internet users. Run by Karlstad University This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. "},{"description":" Topola Topological (rubberband) router for printed circuit boards Topola is an open-source topological (rubberband) router for printed circuit boards (PCBs). 
Unlike traditional maze routers, topological routers like Topola are not constrained by a grid or 45° angles, allowing for more efficient circuit board layouts (denser arrangement of components and traces, lower crosstalk, reflection, and electromagnetic interference). The goal of the project is to develop a dutifully maintained engine for interactive and automatic routing that can be used both as a standalone application and reusable software library integrated in popular open-source PCB electronic design automation (EDA) packages, giving designers a tool for developing high-quality open hardware designs without having to pay for expensive proprietary software. The project's own website: https://topola.dev This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","title":"Topola","url":"https://nlnet.nl/project/Topola/"},{"description":" Automatic component and via placement for Topola Complete PCB schematic-to-layout flow The first step in designing a printed circuit board (PCB) layout is choosing where to place the components. This task is tedious and time-consuming, often requiring just as much effort as the process of routing the traces that comes afterwards. Fortunately, component placement can be automated with software called an autoplacer, just as routing traces can be automated with a program known as an autorouter. The goal of this project is to develop a component autoplacer for the PCB autorouting system Topola, turning it into a complete PCB schematic-to-layout flow. To find the best locations for components, the autoplacer will use a probabilistic optimization algorithm known as simulated annealing. 
The project's own website: https://topola.dev Run by Topola This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/Topola-autoplacer/","title":"Automatic component and via placement for Topola"},{"description":" Titanic Database server to synchronize vast collections of CRDT documents Yjs is a Conflict-free Replicated Data Type (CRDT) which enables developers to build collaborative applications, just like Google Docs and Figma. Most CRDT implementations work just like any other data type, but they automatically sync with other peers without conflicts. Today, Yjs is among the most used technologies for building collaborative applications. The developers observed the development of competing CRDTs, and recognize the need for more specialized CRDTs for specific use-cases. Syncing many CRDT instances with different permissions is still an unsolved problem. Syncing documents individually quickly becomes infeasible with an increasing number of documents in a local-first app. This project will therefore develop Titanic, an isomorphic database (works in the browser, Node.js, Deno, Bun, ..) that can host different CRDT implementations. It will sync many CRDT instances efficiently in a network-agnostic manner. While it will support custom authentication approaches, Titanic will ship with a role-based document-level permission system that prevents unauthorized users from reading or writing documents. 
The project's own website: https://github.com/yjs/titanic This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","title":"Titanic","url":"https://nlnet.nl/project/Titanic/"},{"url":"https://nlnet.nl/project/Tinkerflow/","title":"TinkerFlow","description":" TinkerFlow Graph based editor for VR/XR process‑authoring TinkerFlow is a process-building system for the open-source Godot Engine that enables non-programmers to build 2D, 3D, and XR/VR applications. By lowering the technical barrier to app development within a 3D engine, it empowers educators, students, independent researchers, and industrial engineers to create educational trainings, object viewers, and showcases. At the same time, it provides software developers with a robust, pre-built system to jumpstart new projects, skipping the boilerplate like VR setup and bootstrapping usually required when starting from scratch. Unlike visual scripting tools that focus on low-level operations, TinkerFlow uses high level actions such as 'grab object', 'highlight element', and 'move object'. It structures application logic into chapters of sequential steps. Each step triggers predefined behaviours (such as playing audio, highlighting objects, or spawning visual effects) and has specific conditions (such as an object being grabbed, a hardware button being pressed, or a timeout occurring). Objects can easily be added to the scene, modified by behaviours, and evaluated by conditions. This workflow-first approach delivers immediate, stable results that can be easily tested and refined. 
It allows users to effortlessly reuse workflows from previous applications or scenes in new processes, while advanced developers retain the flexibility to write their own code, create custom behaviours and conditions, or integrate TinkerFlow into their own systems. The project's own website: https://tinkerflow.eu This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"title":"Tin Snipe DAQ","url":"https://nlnet.nl/project/TinSnipe-DAQ/","description":" Tin Snipe DAQ Digital Acquisition module The Tin Snipe DAQ is a digital acquisition (DAQ) module targeting diverse professional measurement applications typically found in mid to high end hand-held Multimeters. It focuses on digital mixed signal systems while offering an upgrade over traditional Multimeters in terms of sample rate, giving usable time series data for signal integrity analysis of low speed signals. It's designed as a compact fully integrated module that comes with the necessary AFE, ADC and Signal Processor. It exposes a digital control interface over various buses (UART, I2C, USB and potentially more) to be controlled and read out via an external system processor, thus making it easy to integrate into other systems. It is targeting battery operation like traditional handheld Multimeters and will be heavily optimized for low power consumption but can also be used for bench top applications. 
Run by Diodes Delight This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"description":" Tiliqua Open audio DSP for FPGAs Tiliqua is an open-hardware DSP library and reference hardware design which aims to make it easier for musicians and engineers to get started in the world of audio DSP in the context of FPGAs. The Tiliqua DSP library is a suite of commonly-used audio DSP components, written in Amaranth HDL, that can be easily composed in Python to construct a custom FPGA-based DSP pipeline. The Tiliqua reference platform is fully compatible with open-source FPGA toolchains and designed to the Eurorack standard (the most popular hardware synthesizer format) lowering the barrier to entry for those with low/no hardware development experience. The project's own website: https://apf.audio/modules/current/tiliqua Run by apfelaudio UG (haftungsbeschränkt) This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/Tiliqua/","title":"Tiliqua"},{"description":" Threshold OPRFs Bringing the power of Threshold OPRFs to the people \"Bringing the power of Threshold OPRFs to the people\" is a project trying to jump the gap between academic research and robust free software implementations. 
Oblivious Pseudo-random Functions (OPRFs) and Threshold constructions bring some very interesting and strong security properties that go beyond the state-of-the-art. Besides low-level implementations, reusable libraries, servers, and command-line clients, also concrete applications will be delivered, such as password and secret storages, encrypted data-at-rest, authentication, and secure channel setup. The project's own website: https://github.com/stef/liboprf This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","title":"Threshold OPRFs","url":"https://nlnet.nl/project/ThresholdOPRF/"},{"description":" Threadiverse Reproducible Deployment Reproducible deployment for Threadiverse servers Fediverse is more than short form microblogging. The ActivityPub protocol connects all kinds of software for various communication needs. Some of those are concentrated on long blogs and threaded discussion forums. A common understanding of conversations in ActivityPub and their secure and safe-from-spam implementation is being developed in several fediverse projects. This project focuses on stable and documented automated deployment for two of them - Hubzilla and Streams, including interoperability tests. This will support threadiverse standardization efforts, and help to bring features like group photoalbums and full channel portability between instances. The project's own website: https://codeberg.org/streams/streams Run by node9.org This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. 
","url":"https://nlnet.nl/project/Threadiverse-ReproducibleDeployment/","title":"Threadiverse Reproducible Deployment"},{"description":" TeXlyre Local-first typesetting editor for LaTeX and Typst with real-time collaboration TeXlyre is a browser-based editor for LaTeX and Typst designed for academic institutions and researchers seeking alternatives to proprietary platforms, particularly in environments with limited connectivity or strict data governance requirements. It enables real-time collaboration without vendor lock-in, while keeping all user data in browser storage for complete data sovereignty and privacy. Documents compile directly in the browser using WebAssembly engines, supporting full offline editing and professional typesetting. Real-time collaboration is implemented via peer-to-peer connections that synchronize edits directly between participants, removing the need for centralized servers and reducing platform reliance. This funding will modernize TeXlyre’s compilation infrastructure by upgrading its WebAssembly-based LaTeX engines to support contemporary packages and LuaLaTeX. It will also develop Chelys, a companion local application providing access to Language Server Protocol integrations, local typesetting engines, and distributed storage. The project's own website: https://texlyre.org This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/Texlyre/","title":"TeXlyre"},{"description":" Carlos A. Ruiz Naranjo - TerosHDL Assisting hardware developers to deliver safer designs Trustworthy hardware and manufacturing Can you introduce yourself and your project? 
TerosHDL is an open source toolbox designed for FPGA and ASIC developers. Its primary aim is to simplify and enhance the reliability of ASIC/FPGA development. It achieves this by reducing the learning curve for new users of hardware description languages and by providing robust support for professionals. The toolbox comprises various tools, with VSCodium/VSCode as the primary interface. The Teros Technology organization develops some tools, while others are sourced from existing open source projects. These tools are organized into different backends and accessible through the GUI provided by the plugin. I am Carlos Alberto, an expert in open hardware design with extensive experience in designing FPGA-based solutions. I am also the founder and lead developer of TerosHDL. My primary focus is on advancing open source solutions for FPGA development. What are the key issues you see with the state of the internet today? The chip design industry is dominated by proprietary tools with costly licenses, making access difficult for small companies or students. Additionally, most open source tools have a steep learning curve, causing many digital designers to abandon their efforts or face significant barriers to getting started. This situation creates an environment where innovation is stifled, and only those with substantial resources can fully participate in advancing chip design technology. How does your project contribute to correcting some of those issues? To overcome this dependency on proprietary actors and create a virtuous cycle of transparency and improvement, the open hardware movement is trying to design a fully open workflow for creating low-level hardware. Thus, it is lowering the barrier to entry (by making it easy for anybody to design their own chips) and introducing full inspection from top to bottom. TerosHDL offers a unified interface for over 25 open source tools, including simulators and HDL synthesis tools. 
This common interface makes overcoming the entry barriers associated with using open source digital design tools easier. As a result, users can seamlessly transition from commercial tools to open-source alternatives, making adopting open source solutions much more accessible and straightforward. What do you like most about (working on) your project? One of the most gratifying aspects of this journey has been meeting many people in the industry who are enthusiastic about using open source tools in chip development. This community of like-minded individuals brings a wealth of knowledge and passion, fostering collaboration and innovation. Additionally, it has been advantageous to see the tangible impact of our work and how it empowers smaller companies and students to participate in chip design. It’s inspiring to be part of a movement that promotes accessibility, inclusivity, and technological advancement in the field. Moreover, witnessing our tools being used in real, innovative projects validates the effort we put into development and underscores the significance of our contributions. Where will you take your project next? We plan to increase our support for open source EDA (Electronic Design Automation) tools and stabilize TerosHDL. How did NGI Assure help you reach your goals for your project? Most of the development for TerosHDL is done during the developers’ free time, making it very challenging to undertake major refactoring or add complex support for open source tools. Therefore, the NGI Assure programs have been vital. They have enabled a complete code refactor, the addition of tests, and the integration of multiple open source tools. Do you have advice for people who are considering applying for NGI funding? Don’t hesitate, just go for it. And if your project gets rejected, don’t give up. Try again in the next call. Do you have any recommendations to improve future NGI programmes or the wider NGI initiative? 
I believe it would be beneficial to facilitate more frequent and structured interactions between projects with similar objectives participating in the NGI programmes. This increased contact could foster synergies and collaborative efforts, which would help avoid the duplication of work. Such coordination is particularly crucial in open source software, where shared resources and collaborative development can significantly enhance the quality and impact of the projects. Acknowledgements Image: courtesy of Carlos A. Ruiz Naranjo. Published on November 6, 2024 TerosHDL received funding through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. ","title":"Carlos A. Ruiz Naranjo - TerosHDL","url":"https://nlnet.nl/project/TerosHDL/interview.html"},{"description":" TerosHDL Assisting hardware developers to deliver safer designs TerosHDL is an open source IDE for FPGA/ASIC development. It includes a backend, a front-end built on VSCodium/VSCode and a command line interface. The goal of TerosHDL is to make ASIC/FPGA development easier and more reliable: to reduce the adaptation time for new users of HW languages and help professionals. 
TerosHDL is multi-platform (Linux, Windows, MacOS), multi-language (VHDL, Verilog, SystemVerilog) and it takes advantage of many open hardware projects (such as Edalize, WaveDrom, VUnit…), integrating them in a common graphical user interface. The IDE tries to be as self-contained as possible and to simplify the installation process. Some of the features are: linter, go to definition, syntax highlighting, code formatting, snippets, automatic documentation, dependencies viewer, simulators support... The project's own website: https://terostechnology.github.io/ Run by Teros Technology This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. ","title":"TerosHDL","url":"https://nlnet.nl/project/TerosHDL/"},{"description":" TerosHDL: OSS, GHDL, NVC IDE with support for Open Synthesis Suite and GHDL/NVC simulators TerosHDL is an open-source graphical IDE tailored to FPGA/ASIC development. The goal is to empower engineers, hobbyists, and students to easily engage in RTL design, fostering innovation and growth in the field. TerosHDL serves as a comprehensive platform, supporting RTL design, synthesis, simulation and common code editing tasks (linting, formatting, etc.). In this project, TerosHDL will incorporate support for a number of additional powerful RTL design tools: Yosys, GHDL, and NVC. This will give users an interface which is friendly to first time users, equipped with real-time feedback and debugging capabilities. This further streamlines the chip design process, enhancing efficiency and making RTL design more accessible and productive. 
The project's own website: https://terostechnology.github.io/terosHDLdoc/docs/intro Run by TerosHDL This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","url":"https://nlnet.nl/project/TerosHDL-Yosys-GHDL-NVC/","title":"TerosHDL: OSS, GHDL, NVC"},{"url":"https://nlnet.nl/project/TerosHDL-UX/","title":"TerosHDL usability","description":" TerosHDL usability Open source IDE for FPGA/ASIC development TerosHDL improves the accessibility and usability of digital design workflows by providing a modern, vendor-neutral environment for working with HDL languages. It streamlines editing, simulation, FPGA interaction and project management, enabling students, researchers and professionals to work more confidently and efficiently while strengthening the broader open-hardware ecosystem. This project will deliver substantial usability and infrastructure improvements: a place-and-route manager, an FPGA loader interface based on OpenFPGALoader, and a binary manager for NVC; enhanced drag-and-drop capabilities within the project manager; frontend testing through ExTester; structured triage and resolution of existing issues; and targeted improvements to documentation, accessibility and security. The work also includes onboarding and supporting new contributors to ensure long-term sustainability and reduce the dependency on a single maintainer. The project's own website: https://terostechnology.github.io/terosHDLdoc/ Run by TerosHDL This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. 
Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"description":" Termux Android terminal app and software distro/run-time Termux is an Android app that provides a terminal emulator and a GNU/Linux distribution environment with 2000+ packages and executes programs natively on Android host OS/kernel, without any emulation or containerisation. It allows users to locally do most things that can be done on a Linux PC, like program in many languages, use text editors/IDEs, backup files, host websites and servers, and even run a full Linux desktop interface. Under the NGI Mobifree grant the following three improvements to Termux are planned to be implemented: 1) A termux-core library will be created which allows external projects to use Termux execution environment in their own apps. 2) A new APK Library File (APKLF) execution/packaging design will be implemented so that Termux can comply with security restrictions in Android 10 and newer that prevent apps from executing downloaded code. Currently Termux works by being compiled in backward compatibility mode. 3) Package sources will be patched to read paths from environment variables exported by the app, or compiled package files will be patched at install time, rather than relying on hardcoded paths in the package files to Termux rootfs. The project's own website: https://termux.dev Run by Termux This project was funded through the NGI Mobifree Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme under the aegis of DG Communications Networks, Content and Technology. The NGI Mobifree R&D programme is part of Horizon Europe research and innovation programme under grant agreement No. 101135795. 
","url":"https://nlnet.nl/project/Termux/","title":"Termux"},{"title":"Tenzu","url":"https://nlnet.nl/project/Tenzu/","description":" Tenzu Lightweight project management tool for agile teams Tenzu is a lightweight project management tool for agile teams. It is the official successor to Taiga. Tenzu aims to provide a modern experience for healthy project management practices while remaining simple to use at heart. It is an easy-to-deploy web app that uses very few resources. The first stable version was released in September 2025. Today, Tenzu offers workspaces with KANBAN boards that include rich content which can be collaboratively edited in real time. Other features include single sign-on (SSO), detailed permissions, translation into three languages, and a dark theme. The project's own website: https://tenzu.net Run by BIRU This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"description":" Teamtype Real-time co-editing of local text files Teamtype (previously Ethersync) aims to enable real-time collaborative editing of local text files. Similar to Etherpads, it facilitates multiple users to work on content simultaneously, enabling applications such as shared notes or pair programming. However, following a \"local-first\" approach, all files reside on the users' computers, allowing them to use their familiar editors and workflows, and to retain user control. This design enables a kind of collaboration that is simple and direct, stable and flexible, and preserves privacy. Teamtype is a supplement to tools that track larger changes on text files, like Git, and can be used in combination with it. 
The project leverages CRDTs, and consists of a server component, a cross-platform local synchronization daemon, and editor plugins. The project's own website: https://teamtype.github.io This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","url":"https://nlnet.nl/project/Teamtype/","title":"Teamtype"},{"description":" Tauri Apps A safer run-time for web technology based apps Tauri is a toolkit that helps developers make more trustworthy applications for the major desktop platforms - using virtually any frontend framework in existence. A popular use case is to create a desktop or mobile version of a web app, rather than wasting effort on creating native clients for each platform. Unlike other solutions (e.g. Microsoft's Electron), it is built in the type-safe language Rust - and the team has a focus on strong isolation, shielding the user from malicious or untrusted code downloaded \"live\" from the internet. After all, once breached, such an app can for instance siphon off cryptocurrencies or bootstrap other more persistent malware. In this project, the team works among others on a particularly innovative feature, to prevent JS injection for all application types. In this approach Rust Code Injection is used alongside dependency-free EcmaScript, Object.freeze(), and a filtering iFrame that is the only subsystem permitted to communicate with the API. 
This will help to create more secure applications. The project's own website: https://tauri.app Run by Tauri Programme within the Commons Conservancy This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. ","title":"Tauri Apps","url":"https://nlnet.nl/project/Tauri/"},{"url":"https://nlnet.nl/project/Tauri-Servo/","title":"Servo Webview for Tauri","description":" Servo Webview for Tauri Integrated portable webview based on Servo engine into Tauri The web ecosystem lacks a cross-platform, non-corporate controlled system for running web content. Tauri is a system for distributing cross-platform applications that relies on engines present on a system - effectively those owned by Apple, Google, and Microsoft. These permit varying levels of user control. The Servo project is a cross-platform, open source web engine. While Servo's support for web features such as CSS and JS is still incomplete (making it difficult to rely on it for running arbitrary web content) it is actually a great match for Tauri already. This project would incorporate Servo into the Tauri project, enabling it to run applications in a consistent, open source web runtime on major desktop and mobile platforms. In doing so, the project would also identify and address the highest priority web compatibility issues in Servo, while preparing a roadmap for significant compatibility issues that remain unaddressed. Additionally, the project would identify any opportunities for reducing the binary size, supporting broad distribution of Tauri apps to as many users as possible. 
The project's own website: https://github.com/versotile-org/verso Run by Tauri Programme within the Commons Conservancy This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. "},{"description":" Tau Remote sharing of terminal sessions A common problem among people working on a command-line interface is to share their terminal session with one or many other people via the internet, ideally along with an audio stream, without viewers having to install any specific software. This project creates a solution that enables anyone with a web browser to receive such a broadcast. Unlike generic screensharing alternatives, a broadcast created by .tau will not be a stream of compressed video but rather a stream of ASCII characters with preserved timing as well as the broadcaster's terminal look & feel, and giving the ability to easily copy text. The broadcaster will have a nice and easy experience installing a piece of software which accomplishes this. Upon completing a broadcast, a single resultant file is available for later viewing on the internet and or private distribution. Simple, portable and robust. This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","url":"https://nlnet.nl/project/Tau/","title":"Tau"},{"description":" Tasteweb Develop new web of trust mechanisms This project is archived. Due to circumstances, the project as planned did not take place. This page is left as a placeholder, for transparency reasons and to perhaps inspire others to take up this work. 
Webs of Trust, (or networks of endorsement) are a common social technology with many useful properties; they can grow quickly, they can support a blend of shared structure and local structure, and they can incrementally self-correct with minimal labor. Despite being fairly common in the online world, we identify many still unrealized applications for webs of trust which we expect would greatly empower grass-roots organization of information, news systems, and public dialog. The main obstacle to most of these new functions turns out to be the performance scaling limits of today's graph databases. We've identified indexes and algorithms that would allow us to transcend those limits. The project aims to implement fast shortest path indexes (eg, Contraction Hierarchies, BatchHL+), and \"sparse query\" indexes (novel) (dynamic unions, or dynamic cache placement), for open source graph databases, to enable several new critical functions for webs of trust: Globally inclusive networks of endorsement, exclusive claims, news discovery, and subjective filtering. Once implemented, we plan to make this functionality available to emerging open source social network protocols and social computing frameworks. The project's own website: https://makopool.com/better_space_with_wots.html This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","title":"Tasteweb","url":"https://nlnet.nl/project/Tasteweb/"},{"title":"Tantum Search","url":"https://nlnet.nl/project/TantumSearch/","description":" Tantum Search Context-enhanced search driven by schema.org This project is archived. Due to circumstances, the project as planned did not take place. This page is left as a placeholder, for transparency reasons and to perhaps inspire others to take up this work. 
Tantum Search’s goal is to present information in a fair and transparent context for the users. The platform lets users make an inventory of any information using schema.org schemas (like video, audio, paintings, ebooks, events, goods, services) and allows users to search through these entries on three axes: word, contextual and geo reference resolution. Providers of information can easily and without great effort add their information to the platform and make it available online – the platform automatically creates an interactive page which will be search engine optimized and users get free and unbiased access to search for goods and services. The ranking focuses on the search query and less on link popularity. Thus, ‘internet giants’ are not necessarily listed at the top due to their popularity and in addition, the ranking algorithm will be transparently released as open source so the community can optimize it. Why does this actually matter to end users? Search and discovery are some of the most important and essential use cases of the internet. When you are in school and need to give a presentation or write a paper, when you are looking for a job, trying to promote your business or finding relevant commercial or public services you need, most of the time you will turn to the internet and more importantly the search bar in your browser to find answers. Searching information and making sure your name, company or idea can be discovered is crucial for users, but they actually have little control over this. Search engines decide what results you see, how your website can be discovered and what information is logged about your searches. What filters and algorithms are used is unclear for users. They can only follow the rules laid out for them, instead of deciding on their own what, where and how to find the information they are looking for. One of the ways most commercial search engines decide what results you see, is something called link popularity. 
This is a metric that indicates how many other links point toward a particular website. Sites and domains that everyone refers to, usually end up at the top of your search results. Of course this does not mean that this website best answers your question, has the most informative content, or is even correct at all. And because this process of higher link popularity, higher search results ranking reinforces itself, all this mechanism does is narrow your search results and give you less useful or insightful information over time. This project gives users and information providers back the control they deserve over online search and discovery, putting quality over popularity. Instead of counting the number of links, search is focused on the actual question of a user, querying on the words themselves, their context and location-based relevance. Extra ranking options allow you to search for things like eco-friendliness, giving you a broader range of search tools and perhaps a whole new look on the services and products you were looking for. This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. "},{"description":" TalerPHP PHP SDK for GNU Taler REST API Integration The TalerPHP project will develop an open-source PHP library to interact with GNU Taler’s REST APIs, enabling PHP-based applications to more easily support privacy-preserving payments. The project will deliver a framework-agnostic core SDK, followed by dedicated packages for Laravel, Symfony, and Yii - lowering the technical barrier for adoption. Given PHP’s dominant presence on the web, this SDK will provide essential building blocks for secure payment integration across a wide range of industries including e-commerce, healthcare, and not-for-profit donations. 
The project's own website: https://github.com/mirrorps/taler-php This project was funded through the NGI TALER Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme under the aegis of DG Communications Networks, Content and Technology. NGI TALER is part of NGI TALER, an R&D pilot programme under Horizon Europe research and innovation programme under grant agreement No. 101135475. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/TalerPHP/","title":"TalerPHP"},{"url":"https://nlnet.nl/project/Taler-on-BSD/","title":"xBSD porting and packaging","description":" xBSD porting and packaging Porting and packaging of Taler components for xBSD systems GNU Taler is a privacy-preserving microtransaction and electronic payment system. This project will make sure that the entire Taler software stack is natively available on a number of operating systems beyond the already available (and obviously popular) Linux operating system. This will allow sellers (\"merchants\") to use their operating system of choice when integrating and deploying Taler. More specifically, the main target is the BSD family of UNIX-like operating systems - such as NetBSD, OpenBSD, FreeBSD and Apple's MacOS X. The work includes porting and packaging as well as developing appropriate documentation on how exactly to create a properly working set-up. This allows merchants wanting to use Taler to get started quickly without having to engage in time-consuming and error-prone steps like building the software from source. The project's own website: https://taler.net/ This project was funded through the NGI TALER Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme under the aegis of DG Communications Networks, Content and Technology. 
NGI TALER is part of NGI TALER, an R&D pilot programme under Horizon Europe research and innovation programme under grant agreement No. 101135475. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"description":" GNU Taler wallet app for iOS Mobile GNU Taler payments for portable Apple devices GNU Taler (Taxable Anonymous Libre Electronic Reserves) is a privacy-preserving electronic instant payment system that is fully free software. It uses electronic coins stored in wallets on customer’s device. Coins are like cash. Users can use Taler to pay in existing currencies (i.e. EUR, USD, BTC), or use it to for instance create new regional currencies. The Taler wallet is currently available as a browser-based WebExtension and as Android app, but not yet as iOS app. This project will develop a user-friendly and accessible iOS wallet app for the GNU Taler payment system. With the iOS Taler wallet app, users will be able to make payments with their iPhone -- similar to how they would use proprietary payments systems like Apple Pay. The project's own website: https://taler.net/en/wallet.html This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","title":"GNU Taler wallet app for iOS","url":"https://nlnet.nl/project/Taler-iOS-wallet/"},{"url":"https://nlnet.nl/project/Taler-Dolibarr/","title":"Taler-Dolibarr Integration","description":" Taler-Dolibarr Integration Taler payment handling for Dolibarr ERP software This project will provide a comprehensive module to integrate the privacy-preserving payment system GNU Taler with Dolibarr, an open-source Enterprise Resource Planning used by many small businesses around the world. 
Integration involves core workflows such as secure online payment processing, refunds, inventory and order management, and payment reconciliation—offering a single solution to costly proprietary solutions such as Stripe or PayPal. A LibEuFin-oriented module will also provide seamless bank account integration, with merchants able to automatically reconcile bank transactions in Dolibarr's easy-to-use interface. Merging Taler's privacy-centric design and low-fee paradigm into a popular ERP platform supports small business financial independence and encourages broader adoption of ethical digital payment systems. The project's own website: https://www.dolibarr.org/ This project was funded through the NGI TALER Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme under the aegis of DG Communications Networks, Content and Technology. NGI TALER is part of NGI TALER, an R&D pilot programme under Horizon Europe research and innovation programme under grant agreement No. 101135475. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"url":"https://nlnet.nl/project/TahoeLAFS-GBS/","title":"Great Black Swamp","description":" Great Black Swamp Decentralized cloud storage with provider-independent security Tahoe-LAFS is a well-known open source distributed storage solution based on DHT, suited for sharing critical data in production. Currently, Tahoe-LAFS uses the Foolscap protocol for communication between client nodes and storage nodes. Foolscap has a small developer community, is only implemented in Python, and Tahoe-LAFS only uses a small subset of its features. This project will implement an HTTP-based storage node protocol for Tahoe-LAFS (Great Black Swamp, or GBS in short) which will help to eliminate unnecessary complexity, increase the pool of potential contributors, open the door to new implementations and improve runtime performance. 
The project's own website: https://tahoe-lafs.org Run by Least Authority This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. "},{"title":"The Ultimate Bookkeeping System","url":"https://nlnet.nl/project/TUBS/","description":" The Ultimate Bookkeeping System Bookkeeping but in a portable, offline-first and privacy-friendly way Bookkeeping systems, databases, and computer systems in general, tend to act as a \"System of Record\" (SOR) in which only one truth can exist. This project will develop tools for interconnecting such \"Systems of Record\" (for instance to copy data from one API to another), and a schema transformation library. It will develop a set of domain-specific data set containers called \"tubs\", between which reflectors can form the tubing that makes sure the data state in one tub eventually converges to the data state in each connected tub - in particular aimed at the domain of bookkeeping and business documents (invoices). Apart from providing these generic data-portability tools and domain-specific tubs, a start will be made with an actual live network of SORs, where data is continuously mirrored through reflectors, even over multi-hop routes, with schema translations, and over various transports. Just like the World Wide Web was started with a single HTML page, this first live dataset of invoices, transactions, tasks and timesheets will be the start of TUBS - a network of computer systems that feels like a single system when a user interacts with it through one of the connected SORs. The project's own website: https://www.tubsproject.org Why does this actually matter to end users? 
Recent trends in local-first software development, as well as traditional distributed computation theory study networks in which \"Systems of Record\" act as nodes that send each other updates. Data in such a network of SORs is fundamentally multi-homed: it does not live \"at\" a URL in the way Linked Data does, but in multiple places at the same time. If we were to design such a distributed system, we would probably use a content-addressable data storage architecture, such as git, tahoe-lafs, IPFS, etc. But the real world consists of SORs that generally offer REST and Webhook APIs. Furthermore, each SOR has technical sovereignty in that it can define its own data model and schema. So schema transformations are also necessary when moving data between SORs. This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"title":"TSCH-rs","url":"https://nlnet.nl/project/TSCH-rs/","description":" TSCH-rs Time Slotted Channel Hopping implemented in Rust Time Slotted Channel Hopping (TSCH) is a Medium Access Control (MAC) layer protocol described in IEEE 802.15.4e designed for low-power and lossy networks. Devices are allocated time slots in which they can transmit and/or receive frames. The rest of the time the radio is turned off, reducing energy consumption. Consecutive transmissions are done on different frequencies to tackle interference. Implementations of TSCH can be found in Contiki-NG and OpenWSN, both written in C. TSCH-rs is a TSCH implementation written in Rust, providing ease of maintenance, security and reliability. 
Furthermore, the implementation aims to be hardware-agnostic, making it easy to port to different IEEE 802.15.4 based radios. The Rust network stack for IEEE 802.15.4 radios already contains an implementation for 6LoWPAN and RPL. TSCH-rs will be a valuable addition to the Rust based low-power IEEE 802.15.4 network stack. The project's own website: https://github.com/jeremydub/TSCH-rs-milestones/ This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"description":" TOS;DR OTA backend Integrate Terms of Service;Didn't Read with Open Terms Archive Open Terms Archive is a digital common that produces (since 2020) datasets of the evolution of contractual documents (Terms of Service, Privacy Policy…) over time, enabling analysis and comparison. It aims at shifting the power balance from big tech actors towards researchers, end users and regulators. The “Terms of Service; Didn't Read” (ToS;DR) project enables (since 2011) crowd-reading and rating of these same contractual documents. These documents are obtained from the web with a dedicated engine that stores them in a private database and suffers from lack of maintenance. The goal of the effort is to replace the historical ToS;DR crawler with the public Open Terms Archive datasets, thus increasing the reliability and auditability of the source data, since the annotations will be based on public datasets produced by replicable instances instead of being based on a one-off database used only by ToS;DR itself. This will also enable establishing a common data format for annotating documents. 
The project's own website: https://tosdr.org/ Run by Open Terms Archive + ToS;DR This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","title":"TOS;DR OTA backend","url":"https://nlnet.nl/project/TOSDR-OTA/"},{"url":"https://nlnet.nl/project/TLS-KDH-mbed/","title":"TLS-KDH mbed","description":" TLS-KDH mbed Implement TLS-KDH into mbed TLS-KDH (http://tls-kdh.arpa2.net/) is a mechanism that adds Kerberos authentication to the Transport Layer Security (TLS) network protocol. TLS-KDH is developed under the flag of ARPA2 (www.arpa2.net) and is formalized in the form of a draft Internet specification. Furthermore, a successful prototype implementation has been built and integrated into GnuTLS. Making this prototype code production ready is well underway and in its final stage. In order for TLS-KDH to become an Internet Standard the IETF requires at least two working implementations. To provide the IETF with two TLS-KDH implementations and to address the embedded world with a TLS-KDH capable TLS library we chose MbedTLS as our second library. The TLS-KDH mbed project's goal is to implement the TLS-KDH functionality in the MbedTLS library. But why do we want to implement Kerberos authentication in the first place? Well first of all, the Kerberos protocol is quantum computer proof. That means that we can use this mechanism in the (future) presence of quantum computers. Since TLS is one of the most widely used security protocols on the present Internet, having such a mechanism would be a welcome addition. Secondly, Kerberos employs a centralized architecture as opposed to X.509 which is distributed. Adding TLS-KDH gives the user a choice which architecture (and implied pros and cons) to use. 
For a more extensive overview of advantages of TLS-KDH we refer to the project's homepage (http://tls-kdh.arpa2.net/). The project's own website: http://tls-kdh.arpa2.net/ Why does this actually matter to end users? Imagine you would work in an organisation with thousands of employees, like a government. It would be important to properly manage who gets to access which computer systems. A large part of this would need to happen automatically: if you want to print out a document on a printer in the hallway, or visit the intranet to view the menu, you do not want users to have to log in every time. Luckily, people have worked out powerful mechanisms that allow you to log in when you get in the office in the morning, and which will negotiate everything else automatically without bothering the user. Now think about the internet. That is much, much larger and far more complex than a single organisation. And yet it does not have any mechanism to manage who gets to access which computer systems. So we do have to log in every time. And users are very bothered by this. The ARPA2 project has successfully produced a working solution (called TLS-KDH, hence the name of the project). This is a very creative and for some unexpected combination of a number of robust proven technologies that can together deliver a highly secure and extremely fast mechanism to authenticate users. It also offers anonymous encryption of a connection before revealing identities of clients and servers. The ARPA2 community is now aiming for IETF standardisation of this technology. In order to make this possible, it needs an independent second implementation of the new protocol. The project will deliver this implementation, in a popular open source library aimed at embedded systems. Combined with work on peer-to-peer mechanisms, this will potentially allow devices to securely discover and connect to each other. 
This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. "},{"url":"https://nlnet.nl/project/TLS-Client-PoW/","title":"Client Proof-of-Work in TLS","description":" Client Proof-of-Work in TLS Mitigation against DoS amplification on the TLS handshake The computationally expensive nature of asymmetric crypto in TLS makes it vulnerable to denial-of-service attacks. We propose an extension to TLS that mitigates this attack vector, shifting the advantage from the attacker to the defender. The project will deliver a draft spec, mergeable patches for leading TLS libraries, and a measurement report explaining the results. The project's own website: https://github.com/tweedegolf Run by Tweede Golf This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"url":"https://nlnet.nl/project/TISG/","title":"TISG trustable image sensor gateware","description":" TISG trustable image sensor gateware FPGA based camera providing encrypted video streams The TISG project is set to develop a groundbreaking open-source, FPGA-based camera system, focusing on the implementation of the MIPI-CSI2 standard for connecting a wide range of image sensors to FPGAs. The development process involves leveraging open-source FPGA tools and formal verification methods to ensure robust security and functionality. The primary purpose is to create a secure, versatile, and accessible video processing platform that addresses current security vulnerabilities in video-based systems. 
By eliminating reliance on proprietary software and enabling formal hardware verification, the project aims to significantly reduce the risk of backdoors and cyber threats. The general public will benefit from enhanced security in areas like home surveillance, public safety, and infrastructure monitoring. Additionally, the open-source nature of the project promotes innovation and inclusivity, allowing developers worldwide to contribute and extend the technology. This democratization of advanced video processing technology not only fosters global collaboration but also paves the way for further advancements in various fields reliant on reliable and secure video technology. The project's own website: https://github.com/StereoNinja/StereoNinjaFPGA This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. "},{"description":" RETETRA Security Analysis of Proprietary Cryptography in Terrestrial Trunked Radio Terrestrial Trunked Radio (TETRA) is a European standard for trunked radio used globally by government agencies, emergency services and critical infrastructure. Apart from most European police agencies (such as BOSNET in Germany or RAKEL in Sweden), military operators and emergency services, TETRA is also widely used for SCADA telecontrol of oil rigs, pipelines, transportation and electric and water utilities. TETRA authentication and encryption are handled by secret, proprietary cryptographic cipher-suites known as TAA1 and TEA which are only available to select parties under strict NDAs which runs counter to both the spirit of open technologies and Kerckhoffs's principle. 
The latter's potential consequences are illustrated by the fate of A5/1, A5/2 and their GMR variants in cellular and satellite communications, allowing ciphers that can be broken in practice to fester in public and critical infrastructure for far too long. This project aims to reverse-engineer and subsequently perform cryptanalysis on these cipher-suites and finally formulate a hardening roadmap in order to provide a research-oriented FOSS implementation of the cipher-suites and aid affected parties in moving away from unexamined, proprietary security mechanisms towards open standards. The project's own website: https://tetraburst.com Why does this actually matter to end users? Cryptography is everywhere in modern communication: when you pick up your mobile phone to answer a call, enter a site URL in your browser bar or send a chat message, there is a complex series of mathematical operations happening behind the scenes to guarantee that no one can spy on your conversation, that the site you visit is legitimate and that your messages can only be seen by the friends you sent them to. These cryptographic solutions need to be secure for communication to be trustworthy or even function in general. This becomes even more important when considering emergency services and governmental telecommunication channels: a faulty or leaking connection could potentially cost lives. To make sure that the cryptographic algorithms at the core of emergency communication channels work as intended, they should be open to verification and auditing. In case of the European TETRA-standard, unfortunately, this is not possible due to proprietary cryptographic suites that are sealed off to the public. Reverse engineering has shown that the cryptographic algorithms, also known as ciphers, are flawed. 
As TETRA is widely used by governmental agencies, emergency services and critical infrastructure like remote control of oil rigs, transportation and electric and water utilities, these vulnerabilities should be addressed. This project will reverse-engineer the proprietary cipher suites and instead provide a secure, transparent open source alternative, so this critical infrastructure can rely on trustworthy technology that anyone can inspect and audit to guarantee safe communications. Update: the outcomes of the project have been made public and are available on tetraburst.com. This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. ","url":"https://nlnet.nl/project/TETRA-crypto/","title":"RETETRA"},{"description":" Timing-Driven Place-and-Route (TDPR)  Open hardware tool to synthesize digital silicon circuits This project is archived. Due to circumstances, the project as planned did not take place. This page is left as a placeholder, for transparency reasons and to perhaps inspire others to take up this work. The lack of an open-source timing-driven place-and-route tool is one of the major barriers to creating technically fully transparent digital integrated circuits such as microprocessors. The most popular open-source place-and-route tools available today are not timing-driven, hence the generated layouts are generally not guaranteed to satisfy the timing constraints. This requires tedious and time-consuming manual interventions. This project will combine published algorithms with existing open-source projects to fill this gap. The tool will be released with the free/libre AGPLv3 licence together with extensive documentation and tutorials. Why does this actually matter to end users? 
Consumers and businesses overpay for computer hardware, because the market is not working well. When you go to a store to buy a laptop or mobile phone, you may see different brands on the outside but choice in terms of what is inside the box (in particular the most expensive component, the processor technology) is pretty much limited to the same core technologies and large vendors that have been in the market for decades. This has a much bigger effect on the users than just the hefty price tag of the hardware, because the technologies at that level impact all other technologies and insecurity at that level breaks security across the board. In the field of software, open source has already become the default option in the market for any new setup. In hardware, the situation is different. Users - even very big users such as governments - have very little control over the actual hardware security of the technology they critically depend on every day. Security experts continue to uncover major security issues, and users are rightly concerned about the security of their private data as well as the continuity of their operations. But in a locked-down market there is little anyone can do, because of the lack of alternatives. European companies are locked out of the possibility to contribute solutions and start new businesses that can change the status quo. Fortunately there are efforts underway to make hardware that, like open source software, is free to be re-imagined and reassembled without restriction and that is transparently created, from the design down to the silicon. As these projects grow and connect, they can lay the foundations for a technological commons of trustworthy hardware that is accessible for everyone to learn from and build upon. But to make open hardware a reality, first it needs to meet critical performance and functional requirements. 
For example, the tools you use to route and place components and circuitry need to be timing-aware; otherwise the resulting layout is not guaranteed to satisfy timing constraints of the eventual physical implementation. This project aims to fill the gap of a timing-driven place-and-route tool to make open hardware more mature and functional. This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. ","url":"https://nlnet.nl/project/TDPR/","title":"Timing-Driven Place-and-Route (TDPR) "},{"description":" TBD DSP toolkit Open hardware audio processing module TBD DSP Toolkit is an open-source platform for audio DSP for experimentation, learning, and audio research. It brings together more than 50 high-quality generators and effects within a modular, easily extensible architecture. TBD has a flexible approach to embedded audio processing, and tries to deliver an accessible, musician-friendly environment, both in software and hardware. A key new component is a standalone desktop version of the hardware, including standard MIDI connectivity, designed to welcome users beyond the Eurorack community and make the platform easier to adopt for education, prototyping, and instrument design. This includes a redesigned, intuitive web user interface and UX guidelines to help developers build playable, musician-centered DSP modules, clear documentation and example use-cases and reference workflows. By uniting developer flexibility with musician usability, TBD aims to offer a resilient, open-source alternative in a landscape dominated by proprietary platforms. All software is released under GPL 3.0, and updated open hardware designs will be published in KiCad. 
The project's own website: https://dadamachines.com/products/tbd-toolkit Run by dadamachines / musical instrument design This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/TBD-DSP-Toolkit/","title":"TBD DSP toolkit"},{"url":"https://nlnet.nl/project/TALER-kivitendo/","title":"Taler-Kivitendo Integration","description":" Taler-Kivitendo Integration Integrate Taler with the Kivitendo ERP platform Kivitendo is Enterprise Resource Planning (ERP) software mainly in use in small businesses and organisations. It is often adapted to the specific needs of individual companies in a wide range of use cases. The Taler integration will offer the possibility for merchants creating invoices with Kivitendo for secure online payment processing with Taler respecting the privacy of the customers. The integration will be ERP-centric: information regarding inventory and orders remains in the ERP system, the GNU Taler system only handles payment processing. The project will also produce a Perl module with perldoc documentation ready to be used in other FOSS projects. Run by revamp-it This project was funded through the NGI TALER Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme under the aegis of DG Communications Networks, Content and Technology. NGI TALER is part of NGI TALER, an R&D pilot programme under Horizon Europe research and innovation programme under grant agreement No. 101135475. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). 
"},{"description":" Payment Module for Nuxt/Vue.js Module to add GNU Taler support in Nuxt/Vue.js Nuxt is a widely used JavaScript library for building web interfaces based on the lightweight Vue.js framework. This project will create a dedicated GNU Taler module for Nuxt, allowing developers the same convenience when supporting a privacy-friendly option they would have using Nuxt modules for proprietary services like Stripe and PayPal. It includes Vue.js components for donation and order payment, documentation and examples such as a file-based webshop. Run by intheory GmbH This project was funded through the NGI TALER Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme under the aegis of DG Communications Networks, Content and Technology. NGI TALER is part of NGI TALER, an R&D pilot programme under Horizon Europe research and innovation programme under grant agreement No. 101135475. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/TALER-integration-Nuxt/","title":"Payment Module for Nuxt/Vue.js"},{"description":" TALER integration in flohmarkt Secure payments for P2P classified ads federating with ActivityPub Flohmarkt is a decentralized, federated small advertisement platform, sorted by category (hence the name \"classified ads\"). The name flohmarkt comes from the German word for \"flea market\". Flohmarkt allows local platforms to federate using the web-based federation protocol ActivityPub, making up one big place for small advertisements about the exchange of goods and services. This project will integrate Taler payments into Flohmarkt, allowing individuals to informally sell goods to each other in a privacy preserving manner. 
The project's own website: https://codeberg.org/flohmarkt/flohmarkt Run by Rohner Solutions This project was funded through the NGI TALER Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme under the aegis of DG Communications Networks, Content and Technology. NGI TALER is part of NGI TALER, an R&D pilot programme under Horizon Europe research and innovation programme under grant agreement No. 101135475. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","title":"TALER integration in flohmarkt","url":"https://nlnet.nl/project/TALER-flohmarkt/"},{"description":" GNU Taler Payment Provider for be-BOP Integrate Taler payments into be-BOP shopping cart/POS software be-BOP is a free and open-source, peer-to-peer monetisation platform built for communities and creators. It combines e-commerce, point-of-sale (PoS), subscriptions, crowdfunding/peerfunding, ticketing, donations, and pay-what-you-want models — in a single package. be-BOP provides a toolbox for financing your work and managing your activity in complete autonomy. Developed under a free, copyleft license, it gives you full independence from intermediaries. This project will add GNU Taler as an additional payment provider to be-BOP. Run by Thimoo Sàrl This project was funded through the NGI TALER Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme under the aegis of DG Communications Networks, Content and Technology. NGI TALER is part of NGI TALER, an R&D pilot programme under Horizon Europe research and innovation programme under grant agreement No. 101135475. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). 
","url":"https://nlnet.nl/project/TALER-be-BOP/","title":"GNU Taler Payment Provider for be-BOP"},{"description":" GNU Taler Tryton/GNUHealth integration GNU Taler module for Tryton ERP/GNU Health This project will develop a Tryton module which would allow users to integrate payments with GNU Taler into their financial workflow, whether from a webshop, a factory or a hospital. Tryton is a popular libre business management system used for e-commerce and enterprise resource planning. There are many modules for financial accounting, sales, inventory and stock, CRM, shipping, subscription management, etc. Existing payment provider integrations within Tryton are limited to specific proprietary payment providers, having a Taler based option would allow organisations to handle Taler based payments (incoming as well as outgoing). GNU Health (which is built on Tryton) provides a suite of libre alternatives for Hospital Management software, health information systems and electronic health records. Integration of privacy preserving payments with TALER in GNU Health will deliver a much needed contribution to medical privacy, providing the first digital alternative (next to cash payment) which allows patients to pay for their personal medical treatment and medication directly and with full discretion - keeping the doctor-patient privilege intact. The project's own website: https://taler.net/ This project was funded through the NGI TALER Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme under the aegis of DG Communications Networks, Content and Technology. NGI TALER is part of NGI TALER, an R&D pilot programme under Horizon Europe research and innovation programme under grant agreement No. 101135475. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). 
","title":"GNU Taler Tryton/GNUHealth integration","url":"https://nlnet.nl/project/TALER-Tryton/"},{"url":"https://nlnet.nl/project/TALER-Ruby-OFN/","title":"Libre Payments in Ruby","description":" Libre Payments in Ruby GNU Taler Integration for ethical trade The project aims at developing and publishing an open-source Ruby gem for integrating GNU Taler into Ruby-based e-commerce applications—starting with Open Food Network (OFN). OFN is a global, nonprofit platform that supports food co-ops, local producers, and community food hubs with open-source tools for ethical trade. Currently, OFN supports Stripe and PayPal. Adding Taler introduces a low-fee, non-extractive payment option aligned with user values. The gem will be released on rubygems.org and designed for reuse in other Ruby apps such as Spree and Solidus. The project includes testing with pilot users, full documentation, and developer engagement.  The project's own website: https://openfoodnetwork.org/ Run by CoopCircuits This project was funded through the NGI TALER Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme under the aegis of DG Communications Networks, Content and Technology. NGI TALER is part of NGI TALER, an R&D pilot programme under Horizon Europe research and innovation programme under grant agreement No. 101135475. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"description":" Open Banking Gateway Taler Wallet Top-Up/Merchant Verification Add GNU Taler support to Open Banking Gateway Transferring Euro to the Taler wallet should be quick, easy and flawless. Taler Open Banking Gateway (TOBG) will provide the technology to top-up a Taler wallet in a regulatory compliant, instant and user-friendly way. TOBG will use the Payment Initiation Services mechanism introduced and regulated under the revised European Payment Services Directive (PSD2). 
A German bank will support and run the platform, providing technical and regulatory alignment. The project will help to improve adoption and usage of the Taler system significantly. It will also extend the existing Open Banking Gateway software with additional functionality, improved user experience and additional adaptors for European banks. The outcome will be a full functional solution with a focused scope of supported banks users can top-up from. Both the operators and the free and open source community will able to further extend the reach, functionality, supported channels and use cases. One of these use cases is to use Payment Initiation Services in merchant apps for account verification. The project's own website: https://adorsys.github.io/open-banking-gateway Run by adorsys GmbH & Co. KG This project was funded through the NGI TALER Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme under the aegis of DG Communications Networks, Content and Technology. NGI TALER is part of NGI TALER, an R&D pilot programme under Horizon Europe research and innovation programme under grant agreement No. 101135475. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","title":"Open Banking Gateway Taler Wallet Top-Up/Merchant Verification","url":"https://nlnet.nl/project/TALER-OpenBankingGateway/"},{"description":" Taler-Odoo Payment System Integration module for TALER in Odoo The Taler-Odoo Payment System will integrate the GNU Taler payment system within Odoo, a business management software suite that includes customer relationship management, e-commerce, billing, accounting, manufacturing, warehouse, project management, and inventory management. With Odoo, merchants can create invoices for products they sell, websites to display them and much more. 
This project will produce an Odoo module written in JavaScript and Python, which allows users to pay with Taler. Similar to any other payment integration within the Odoo Framework, the module integrates into the functionality of other existing Odoo modules (ticket sale, online shopping, invoices, etc). It will allow merchants to offer customers the choice of a payment system that fully respects their privacy. This project was funded through the NGI TALER Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme under the aegis of DG Communications Networks, Content and Technology. NGI TALER is part of NGI TALER, an R&D pilot programme under Horizon Europe research and innovation programme under grant agreement No. 101135475. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/TALER-Odoo-module/","title":"Taler-Odoo Payment System"},{"title":"Road Signs for Digital Payments","url":"https://nlnet.nl/project/TALER-OIM/","description":" Road Signs for Digital Payments Safe, usable financial interfaces for poorly-schooled adults. GNU Taler is a digital payment protocol for privacy-preserving cash-like transactions. It improves usability by avoiding the need for the payer to authenticate to third parties. Oral Information Management (OIM) is an emerging approach of design for creating safe, usable financial interfaces for poorly-schooled adults. Worldwide UNESCO estimates over 750 million adults to be unable to read or write in any language, and hundreds of millions more have extremely limited ability. Due to unequal schooling opportunities, most are women. In Europe millions of migrants, refugees and marginalized people cannot confidently use digital payments. 
Digital OIM features carefully user-tested cash scrollbars and counting tables, iconographic navigation, mnemonic cues, user-reversible transaction processes, a 0-9 (not 1-0) numeric keypad and more. Poorly-schooled app users learn how to decode place value notation, arithmetic graphs and other schooled, formal sector protocols from repetitive use. The project's own website: https://www.myoralvillage.org Run by My Oral Village, Inc This project was funded through the NGI TALER Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme under the aegis of DG Communications Networks, Content and Technology. NGI TALER is part of NGI TALER, an R&D pilot programme under Horizon Europe research and innovation programme under grant agreement No. 101135475. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"description":" GNU Taler Wallet ID Lookup Service Optional discovery of TALER wallet addresses linked to digital identities GNU Taler is a payment system that makes privacy-friendly online transactions fast and easy. This project will facilitate the support of peer-to-peer payments (P2P) for the GNU Taler payment system between users by implementing a privacy-friendly directory service and lightweight inbox service (TALer DIRectory). The services will allow users to securely associate their online identities (such as email addresses, phone numbers, X/Twitter/Mastodon handles or other suitable verifiable addresses and accounts) with their wallet public keys and the URL of an inbox service and use it for P2P payments. Storage and retrieval may also be offloaded to distributed directory services such as DNS or GNS (RFC 9498) instead of a database and web service while maintaining the respective privacy guarantees. The project's own website: https://taler.net Run by GNUnet e.V. 
This project was funded through the NGI TALER Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme under the aegis of DG Communications Networks, Content and Technology. NGI TALER is part of NGI TALER, an R&D pilot programme under Horizon Europe research and innovation programme under grant agreement No. 101135475. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/TALER-LookupService/","title":"GNU Taler Wallet ID Lookup Service"},{"description":" Taler in Liberapay Implementation of Taler as payment provider in Liberapay Liberapay is a recurrent donations platform, that allows users to financially support people who contribute to the commons. Building free software, spreading free knowledge, these things take time and cost money, not only to do the initial work, but also to maintain over time. Liberapay's recurrent donations system is intended to provide crowdfunded income to creators and maintainers, enabling them to keep doing great work that benefits everyone. This project will add GNU Taler as a payment provider in Liberapay. This will enable users with a Taler wallet to support projects and people in a privacy preserving manner. The project's own website: https://www.liberapay.com Run by Liberapay This project was funded through the NGI TALER Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme under the aegis of DG Communications Networks, Content and Technology. NGI TALER is part of NGI TALER, an R&D pilot programme under Horizon Europe research and innovation programme under grant agreement No. 101135475. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). 
","url":"https://nlnet.nl/project/TALER-Liberapay/","title":"Taler in Liberapay"},{"title":"Interledger interoperability inquiry","url":"https://nlnet.nl/project/TALER-Interledger-study/","description":" Interledger interoperability inquiry Investigate synergy between Interledger and GNU Taler The Interledger Protocol and Open Payments API specification are the payment protocols used for an online tipping specification being proposed in the W3C Web Platform Incubator Community Group called Web Monetization. The Web Monetization specification allows for automatic streaming micropayments and low-friction on-demand tipping to online creators who specify an Open Payments wallet address in their HTML or respective metadata of the online experience (e.g. JSON-LD in Activity Streams/ActivityPub, XML attribute in podcast RSS). This project proposal will investigate the technical feasibility of using Taler as a payment method on the Interledger payment network to support Web Monetization. The outcome will be a an overview of potential approaches for integrating Taler using the Interledger Protocol or as a payment method in Interledger’s Open Payments API reference implementation (Rafiki). This project was funded through the NGI TALER Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme under the aegis of DG Communications Networks, Content and Technology. NGI TALER is part of NGI TALER, an R&D pilot programme under Horizon Europe research and innovation programme under grant agreement No. 101135475. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). 
"},{"url":"https://nlnet.nl/project/TALER-Fastify/","title":"Taler plugin for Fastify","description":" Taler plugin for Fastify Add low-code zero-config Taler plugin for the Fastify web server framework Fastify is a popular high-performance, lightweight web server for Node.js, designed for speed, low overhead, extensibility and developer experience with a formidable plugin ecosystem. This project contributes a GNU Taler plugin for Donations and Payments to this ecosystem, following that very philosophy. It will not only provide the scalable Open/REST API's one would expect to build production ready webshops but furthermore focus on a low-code, zero-config simplicity for the architecture. This enables even plain vanilla javascript-free HTML form pages to post Taler payments and supply credentials in a web admin interface. All this can be easily explored in a one page vanilla HTML webshop example - and executed at the touch of a single shell command. Run by intheory GmbH, Emanuel Florakis This project was funded through the NGI TALER Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme under the aegis of DG Communications Networks, Content and Technology. NGI TALER is part of NGI TALER, an R&D pilot programme under Horizon Europe research and innovation programme under grant agreement No. 101135475. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"url":"https://nlnet.nl/project/TALER-F-Droid/","title":"Taler Integration into F-Droid Ecosystem","description":" Taler Integration into F-Droid Ecosystem Secure, Streamlined and Integrated Payment Processing for F-Droid F-Droid is a privacy-respecting app ecosystem and distribution platform for Android. We propose to research how we might integrate GNU Taler into the F-Droid user experience to support adoption of privacy-preserving payments. 
This will allow Taler to be used for processing donations to F-Droid itself and for FOSS developers whose apps are hosted in our main repository. Our goal is to enhance Taler adoption and provide a frictionless, privacy-preserving donation experience for F-Droid developers and users to help make the FOSS ecosystem more sustainable long term. The project's own website: https://f-droid.org Run by F-Droid This project was funded through the NGI TALER Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme under the aegis of DG Communications Networks, Content and Technology. NGI TALER is part of NGI TALER, an R&D pilot programme under Horizon Europe research and innovation programme under grant agreement No. 101135475. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"url":"https://nlnet.nl/project/TALER-ERPnext/","title":"ERPnext TALER payment gateway","description":" ERPnext TALER payment gateway Refactor ERPnext payment module and integrate Taler This project integrates GNU TALER payments into ERPnext, a feature rich, open source enterprise resource planning system built with the open source frappe framework. The work involves finalizing a refactor of ERPnext's payments module to support multiple gateways, followed by developing and testing the full TALER integration, including API handlers for payments, transactions, sales orders and a user interface for configuration. By combining ERPnext's widespread use in the Global South with TALER's focus on privacy and financial inclusion, this project shall deliver a production-ready tool for a low-fee digital cash system with online shop, ledger, stock management and more. 
The project's own website: https://fairkom.eu Run by fairkom Gesellschaft This project was funded through the NGI TALER Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme under the aegis of DG Communications Networks, Content and Technology. NGI TALER is part of NGI TALER, an R&D pilot programme under Horizon Europe research and innovation programme under grant agreement No. 101135475. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"title":"TALER Bullion","url":"https://nlnet.nl/project/TALER-Bullion/","description":" TALER Bullion Infrastructure for GNU Taler Payments with non-fiat Currencies Depending on how you design a money system, its properties can be quite different. Regular currencies are typically steered towards (slight) inflation by the public bodies that steward them, by means of a gradual influx of money. This benefits \"active money\" (investors) which yields economic growth. Of course this also makes prices for consumers continually rise, and savings devalue over time in terms of purchasing power. The rate at which this devaluation takes place is a policy instrument, and of course one that should be used wisely. When these systems were first designed, money was backed up by physical assets such as gold and silver which offered more predictable long term purchasing power. Some users still prefer for their savings to be backed up by something of concrete value they own. GNU Taler is a well-designed system for (online) payments, and it is eminently suitable to safely trade (the ownership of) stored gold, silver and similar systems based on real value. Besides its obvious use case as a payment system for regular currencies, the system can also be used to revitalise gold and silver for storage and payment systems; they still exist today but are decoupled. 
The purpose of this project is to solve problems with trust relations, such as passing (the ownership of) gold or silver between vault operators, or between gold storage and payment systems so it can become practically useful money on an international scale, in service of people outside the financial industry. This project was funded through the NGI TALER Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme under the aegis of DG Communications Networks, Content and Technology. NGI TALER is part of NGI TALER, an R&D pilot programme under Horizon Europe research and innovation programme under grant agreement No. 101135475. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"description":" Taler OpenAPI specification JSON/YAML OpenAPI for key GNU Taler API's The OpenAPI specification is an industry standard that simplifies application integration through code generation tools and basic test support. It is highly appreciated by developers who are confronted with the task of establishing a connection to new APIs. This project adds automatic OpenAPI specification generation to GNU Taler's bank APIs and the wallet-core API. These additions should prove beneficial for the introduction of GNU Taler, in banks and elsewhere. Run by Maki Bytes UG This project was funded through the NGI TALER Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme under the aegis of DG Communications Networks, Content and Technology. NGI TALER is part of NGI TALER, an R&D pilot programme under Horizon Europe research and innovation programme under grant agreement No. 101135475. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). 
","title":"Taler OpenAPI specification","url":"https://nlnet.nl/project/TALER-APIs/"},{"description":" T-Rust - In Rust we Trust Scan, review, curate and fix metadata of Rust crates crates.io hosts over 160 thousand Rust packages that have been downloaded over 90 billion times. The origin metadata and licensing documentation for Rust crates is declared by the authors as part of the metadata, but can be misleading or incorrect. Accurate origin and license metadata for Rust crates is essential to safely automate the friction-free consumption of Rust packages in the software supply chain of safety-critical applications. T-Rust intends to fix this problem in multiple steps: it will scan, review, curate and fix the metadata of the most popular crates. This data will be released as open data, working with the Rust community to provide the data as part of the crates.io API, cross-check and report code borrowing and reuse between crates. Subsequently an AboutCode toolchain will be deployed as a service for all crates authors to review, validate and enrich metadata. The outcome should be be that crates.io packages are shared with better, more accurate origin and license metadata at creation time. And that the increased level of trust in Rust crates will make it easier to consume more Rust packages safely. Run by AboutCode This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). 
","url":"https://nlnet.nl/project/T-Rust/","title":"T-Rust - In Rust we Trust"},{"description":" Sylk Mobile Secure real-time mobile communications Internet communications privacy is important to users, and there is a limited set of encrypted multiparty audio and videoconferencing solutions available to consumers and businesses today. The market, predominantly occupied by proprietary services that often require risky plugins, lack introspection and transparency, proved to expose users to significant security and privacy issues. This trend must be counteracted by better open source equivalents. Sylk Mobile provides a multi-party video encrypted conferencing solution mean to run on an end user computer or a mobile device. It is based on the WebRTC standard, and has a focus on user privacy and easy of use. The project's own website: http://sylkserver.com Why does this actually matter to end users? One of the things people enjoy the most about the internet, is that it enables them to talk to others remotely almost without limit. Internet allows anyone to keep closely connected with friends and family, and help their kids solve a math problem while they are at work. People collaborate with their colleagues from the couch of their living room, the cafe where they enjoy lunch or on their cell phone on the bus to the gym. Businesses can easily service their customers where this is most convenient to them, without having to travel themselves. This is so convenient, that some businesses have already moved entirely online. Internet communication has become the nerve center of whole neighbourhoods, where people watch over the possessions of their neighbours while these are away for work or leisure. However, users have a hard time to understand how privacy is impacted if they use the wrong technology. Because internet works almost everywhere, the natural privacy protection of the walls of a house, a school or an office is gone. 
Unlike the traditional phone companies, many of the large technology providers run their business not on delivering an honest service but on secretly eavesdropping on their users and selling information to others. It is mostly not about what you say, so it is relatively easy for providers to allow some form of privacy by encrypting messages. The more interesting parts are who talks to whom, when, and where they are in the real world while they meet on the internet. If you want to be reachable across the internet, you have to constantly let the communication provider follow you wherever you go. This makes the private and professional lives of citizens an open book to companies that with the help of AI and other technologies make billions from selling 'hidden data' that normal people are completely unaware even exists. And of course in societies that are not so democratic, this type of information is critical to bring down opposition and stifle human rights. Users assume confidentiality and privacy when they communicate, and they are morally justified to do so. There is nothing natural or final about internet communication providers having access to all this very personal information - or going down the dark path of selling data about customers. The cost of this in terms of internet usage and computer power needed is actually negligible, and so all it takes is the availability of open alternatives that people can use. Sylk is clearly one part of the puzzle: it is a mature open source videoconferencing tool that anyone can install anywhere for free. Businesses like the internet provider or the IT company around the corner can run it for their customers, and individuals can run it themselves from their home. And by switching, people can regain their privacy and make communicating via the internet as secure and confidential as we all need it to be. 
This project extends the unique and user-centric features of Sylk to smartphones and other mobile devices, offering an important private and trustworthy alternative to other videochat and instant messaging apps. Run by AG Projects B.V. This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. ","title":"Sylk Mobile","url":"https://nlnet.nl/project/SylkMobile/"},{"title":"Sylk Contacts","url":"https://nlnet.nl/project/SylkContact/","description":" Sylk Contacts Cross-protocol real-time communications client The connection between the end-user experience of communication applications and the open standards that power them has long been sought, yet often remains unresolved. Sylk Contacts provides this missing link—a crucial building block that makes SIP and WebRTC protocols more user-friendly in terms of interface and overall customer experience. It offers a solid foundation for developing applications that start from an existing or newly created contact list, and automatically synchronize those contacts across multiple devices, whether desktop or mobile, when using the same SIP account. This, in turn, enables a clean and reliable way to handle calls and chat messages seamlessly across devices, significantly improving the usability of SIP-based applications. The project's own website: https://sylkserver.com Run by AG Projects B.V. This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). 
"},{"description":" Sylk Client Secure multiparty videoconferencing application Internet communications privacy is important to users, and there is a limited set of encrypted multiparty audio and videoconferencing solutions available to consumers and businesses today. The market, predominantly occupied by proprietary services that often require risky plugins, lack introspection and transparency, proved to expose users to significant security and privacy issues. This trend must be counteracted by better open source equivalents. SylkSuite, composed by SylkServer and SylkClient is a clean and elegant open source multiparty conferencing solution for both the client and a server written in Python. SylkSuite allows groups of users to communicate privately with rich multimedia, accessed through different protocol stacks. SylkSuite allows bridging SIP clients, XMPP endpoints and WebRTC applications by using Janus backend. The developers have a focus on strong interoperability based on the use of open standards. The project's own website: https://sylkserver.com Why does this actually matter to end users? One of the things people enjoy the most about the internet, is that it enables them to talk to others remotely almost without limit. Internet allows anyone to keep closely connected with friends and family, and help their kids solve a math problem while they are at work. People collaborate with their colleagues from the couch of their living room, the cafe where they enjoy lunch or on their cell phone on the bus to the gym. Businesses can easily service their customers where this is most convenient to them, without having to travel themselves. This is so convenient, that some businesses have already moved entirely online. Internet communication has become the nerve center of whole neighbourhoods, where people watch over the possessions of their neighbours while these are away for work or leisure. 
However, users have a hard time understanding how privacy is impacted if they use the wrong technology. Because internet works almost everywhere, the natural privacy protection of the walls of a house, a school or an office is gone. Unlike the traditional phone companies, many of the large technology providers run their business not on delivering an honest service but on secretly eavesdropping on their users and selling information to others. It is mostly not about what you say, so it is relatively easy for providers to allow some form of privacy by encrypting messages. The more interesting parts are who talks to whom, when, and where they are in the real world while they meet on the internet. If you want to be reachable across the internet, you have to constantly let the communication provider follow you wherever you go. This makes the private and professional lives of citizens an open book to companies that with the help of AI and other technologies make billions from selling 'hidden data' that normal people are completely unaware even exists. And of course in societies that are not so democratic, this type of information is critical to bring down opposition and stifle human rights. Users assume confidentiality and privacy when they communicate, and they are morally justified to do so. There is nothing natural or final about internet communication providers having access to all this very personal information - or going down the dark path of selling data about customers. The cost of this in terms of internet usage and computer power needed is actually negligible, and so all it takes is the availability of open alternatives that people can use. Sylk is clearly one part of the puzzle: it is a mature open source videoconferencing tool that anyone can install anywhere for free. Businesses like the internet provider or the IT company around the corner can run it for their customers, and individuals can run it themselves from their home. 
Among other things, the project will add the last missing critical component, encrypted group chat, to Sylk. It will not force a new standard, but instead uses internet standards to do so. This means it contributes to a richer ecosystem, where people do not have to use a single piece of software to communicate with others - and anyone can innovate. And by switching, people can regain their privacy and make communicating via the internet as secure and confidential as we all need it to be. Run by AG Projects This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. ","url":"https://nlnet.nl/project/SylkClient/","title":"Sylk Client"},{"url":"https://nlnet.nl/project/SylkClient/howto.html","title":"How to work with Sylk Server","description":" How to work with Sylk Server Secure multiparty videoconferencing application Guest use of a conference server As part of the Next Generation Internet programme NLnet is funding the open source-project Sylk Server (we have more useful free tools to work and socialise from home safely). This is an online tool that allows you to make unlimited free video calls with multiple people without logins or accounts. So it is very simple to get started with. There is a free server you can use, hosted by the project. Just take a minute to read the how-to below, and you will be on your first video call in no time! Note: The Sylk video chat room is designed for up to 10 people, more participants can join with audio only. Please use Firefox, Brave, Chromium, Opera or another browser. For the time being avoid using Safari browser from Apple, as it currently lacks some necessary features. You can also use the Sylk Client you can download free of charge from sylkserver.com. 
The basics The address for a meetup room on that server looks like this: https://webrtc.sipthor.net/conference/PickYourOwnName All you need is a web address (a link) like that. You see the last part of the web address, that says PickYourOwnName? Well, that really is all you have to \"customise\": pick your own unique name and add it there. In this case your own meeting room called PickYourOwnName (or whatever you choose) would automatically open as soon as someone visits the corresponding page — no configuration required. A meeting room is defined by the unique link to it, and you can customise that name yourself to your liking. The room is created whenever it is needed (\"on the fly\"). You do not have to activate a link or configure a meetup space before you want to use it. Make up a unique meetup name - and it will just work. Customising the web address to your liking is all that is required. For example (and you can click on the examples, because they automatically work): https://webrtc.sipthor.net/conference/JustARandomName opens a room JustARandomName. All you need to do to have your own room is edit the last part of that link to your liking and send the result around. Most software immediately recognises that it is a web address. With one click others automatically join the conversation. If it is not automatically recognised, just copy and paste the web address into the address bar of your web browser. Before you enter a meetup, you are asked for your name. Just fill out whatever you feel like, it is only visible to your conversation partners. Your browser should also ask you if you permit the use of your camera and microphone (and if you have multiple of either, it might ask which one). The use of the camera is optional if you are okay with an audio call only, but you need to allow the use of the microphone. During the call you can turn the microphone off, if you only want to listen. For that you click on the little icon with the microphone on it. 
Ending the call If you want to end the video call (\"hang up\"), just close the browser window or press the red icon with the phone. This hides itself after a while; to get it back move the cursor to the top of the screen - or if you are on a mobile phone, touch the conference screen at the top and it should reveal itself again. More features With Sylk you can also do text chat (click on the conversation balloon top left), share files with the other folks participating and share your screen or a specific window with them (e.g. to show a presentation, share some photos you have on your computer or to have people read a document you are working on). Pro tip: You should also be able to connect to your meetup with an instant messaging client should you have one. The address to connect to is shown when you click on the conversation balloon in the top right corner, it is typically something like: pickyourownname@conference.sip2sip.info. Manually Choose a unique name (without spaces or strange characters) and place that behind https://webrtc.sipthor.net/conference/ - so for instance with PickYourOwnMeetupName that would be https://webrtc.sipthor.net/conference/PickYourOwnMeetupName Do pick something unique, so not \"meeting\" or \"team_meeting\", because other people might be using that. So opt for something more specific, for example: https://webrtc.sipthor.net/conference/Have_A_Chat_With_Bert_and_Ernie or https://webrtc.sipthor.net/conference/ACME.com-team-meetup or just a random string like OzewiezewozewallaWalhallah https://webrtc.sipthor.net/conference/OzewiezewozewiezewallaWalhallah You can, of course, reuse the meeting place for your next meetup with the same people - that's easy. The addresses are stable, so you can bookmark them in your browser. Alternatively keep a text file open with times and conference addresses of your appointment, or put the address in your digital calendar in the field Location! 
Automatically You can also go to https://webrtc.sipthor.net/conference, which will automatically generate a long and unique name for your meetup. It will then automatically take you to that empty room. Once you are there, you copy the address from your address bar or click on the left-most icon (with a little person and a +), and send the meeting room address to the person(s) with whom you want to meet up. Now just be sure to hang out at the meetup web address when your appointment is due. Sylk Server can do a lot more. You can register for a free account on the home page. It is fully open source, so you can run your own server too. But for now that will not be necessary. This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. Applications are still open, you can apply today. Frequently Asked Questions What happens if the name I choose is not unique? Well, there might be someone else in the room, or someone else might walk into yours. Do not panic or get angry, apologise for the interruption and just find a slightly longer (and less predictable) name that is not so obvious - no-one should be visiting a room TheKingOfFranceIsWearingAPurpleToupetWithOnions. If you find it difficult, please use the automatic method if you are okay with some automatically generated unique name. Can I claim a room beforehand? Your imagination can claim it. See above. If the name you pick is unique, no one else is likely to visit the room. If you want to be absolutely 100% sure, run your own server - it is free, and you are guaranteed to be the only user. I'm not happy about the privacy aspects of Zoom.us, Webex or Google Hangouts. Is Sylk a suitable alternative for Zoom.us or Google Hangouts? Depends on your situation. 
If you want to just have a convenient one-off video call with a group of people, obviously it is. The fact that you can run this on your own machine or in your own organisation - and customise it in whatever way you want - puts it in a different class as well. It is an open source building block, too. "},{"title":"Sylk chat","url":"https://nlnet.nl/project/SylkChat/","description":" Sylk chat Add instant messaging features to Sylk Internet communications privacy is important to users, and there is a limited set of encrypted multiparty audio and videoconferencing solutions available to consumers and businesses today. The market, predominantly occupied by proprietary services that often require risky plugins and lack introspection and transparency, has proved to expose users to significant security and privacy issues. This trend must be counteracted by better open source equivalents. Sylk provides a multi-party encrypted video conferencing solution meant to run on an end user computer or a mobile device. It is based on the WebRTC standard, and has a focus on user privacy and ease of use. This project will add one-to-one and group chat capabilities, allowing users to for example have end-to-end encryption or maintain long term group chats like other messaging apps do. The project's own website: http://sylkserver.com Why does this actually matter to end users? One of the things people enjoy the most about the internet, is that it enables them to talk to others remotely almost without limit. Internet allows anyone to keep closely connected with friends and family, and help their kids solve a math problem while they are at work. People collaborate with their colleagues from the couch of their living room, the cafe where they enjoy lunch or on their cell phone on the bus to the gym. Businesses can easily service their customers where this is most convenient to them, without having to travel themselves. 
And sometimes, like when there is a large global pandemic requiring everyone to stay home as much as possible, there is no alternative to moving entirely online. It still sometimes feels magical to hear the voices and see the faces of the people we talk to across the internet. However, not every way we connect is equally clean and honest under the hood. Users have a hard time understanding how, for instance, privacy and security are impacted if they use the wrong technology. Because internet works almost everywhere, the natural privacy protection of the walls of a house, a school or an office is gone. Unlike the traditional phone companies, many of the large technology providers run their business not on delivering a fair and transparent service but on secretly extracting data from their users and selling that (together with other derived information) to others. Ever wonder why advertising companies have paid tens of billions of dollars for buying messaging apps they give away for free, without ads? A lot of interesting behavioral information can be learned without knowing what you say, so the problem is not solved by just encrypting messages. The app itself is the issue: if you want to be reachable across the internet, you have to constantly let the communication provider follow you wherever you go. Other interesting parts are who talks to whom, when, and where they are in the real world while they meet on the internet. Exposure of this data through centralised messaging networks makes the private and professional lives of citizens an open book to companies that with the help of AI and other technologies make billions from selling 'hidden data' that normal people are completely unaware even exists. And of course in societies that are not so democratic, this type of information is critical to bring down opposition and stifle human rights. Users assume confidentiality and privacy when they communicate, and who can blame them? 
There is nothing natural or final about internet communication providers having access to all this very personal information - or going down the dark path of selling data about customers. The cost of this in terms of internet usage and computer power needed is actually negligible, and so all it takes is the availability of open alternatives that people can use. Sylk is one such alternative, supported by NGI Zero: it is a mature private and secure system for video and audio calling that grew from an open source videoconferencing tool. You can install Sylk on your own infrastructure, completely free of charge - and with the ability to make it do whatever you need it to do, on your own terms. Businesses like the internet provider or the IT company around the corner can run it for their customers, or you can run it for your family yourself. You can use Sylk in the browser, or download one of the open source apps for mobile phones, tablets or desktop computers. In this project Sylk will add privacy-friendly group chat features, that will allow it to become a full-fledged alternative to proprietary solutions like WeChat, Whatsapp and Telegram. Run by AG Projects B.V. This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. "},{"url":"https://nlnet.nl/project/SustainableWebApps/","title":"Sustainable web apps with m-ld","description":" Sustainable web apps with m-ld Empower users and developers with distributed interlinked data using local-first principles Our hypothesis in this project is that web app data securely stored in reactive, replicated Linked Data sets can make it possible for app developers to meet today's and tomorrow's feature expectations without the high costs and limitations of today's distributed data architectures. 
This foundational design principle combines ideas from the semantic web (machine-readable publishable interlinked data), personal data stores (user control of user data) and local-first software (collaboration without obligatory third parties). We believe the high costs of web app development have gone hand-in-hand with unwanted side-effects like user lock-in, attention theft, and abdication of control over personal data. Our core principle, like the ideas behind them, is designed to expedite the development of more sustainable apps: those without dependencies on specific service providers, with user empowerment in terms of service and data portability, and with linking of data between apps – including apps developed against similar technologies having these principles, such as those of the Solid ecosystem. We will produce a set of concrete software components which demonstrate that such an approach is practical, and indeed offers a great experience for app developers, making it simple to create collaborative applications over Linked Data resources with compelling, responsive user interfaces. The project's own website: https://m-ld.org This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. "},{"url":"https://nlnet.nl/project/Surfer/","title":"Surfer Waveform Viewer","description":" Surfer Waveform Viewer Analyse signal levels in simulated circuits Surfer is an open source waveform viewer, primarily aimed at debugging digital designs. It is built for flexibility, extensibility, and speed to operate on most platforms. Although fully operational for many tasks, there are features to be added to improve the usability further. This project aims to implement the most requested missing features and pave a way for additional extensibility. 
The project's own website: https://surfer-project.org Run by Linköping University This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"title":"Suhosin-NG","url":"https://nlnet.nl/project/Suhosin-NG/","description":" Suhosin-NG Harden PHP 7 and PHP 8 applications The PHP programming language was invented by Danish programmer Rasmus Lerdorf in 1994. The language is actively used by millions of websites through popular tools such as WordPress, Owncloud and Wikimedia. Suhosin-NG (next generation) will significantly improve the security of web applications running with PHP 7, and help thwart popular web attack vectors aimed at PHP based websites. Already existing ideas from the Suhosin project for PHP 5 will be gathered in addition to implementing a number of new ideas to improve the overall security stature of PHP 7. This concerns harnessing new features of the language, mitigating security risks in the default configuration and improvements to the runtime behaviour. In practical terms the project will implement these by extending the PHP extension Snuffleupagus, that already provides a good basis for hardening PHP 7. The project's goal is to provide software and documentation for setting up a PHP 7 environment in the most secure way possible. The project's own website: https://github.com/sektioneins/suhosin-ng Why does this actually matter to end users? When you think of programming, you probably do not think of the websites and online services you use and login to everyday. Still, to make a social networking site like Facebook or a popular web content management tool like Wordpress work, users need to interact with a server that in turn should correctly access databases that hold the information needed. 
That is what the PHP web programming language can do and currently does for the millions of websites that use tools like Wordpress and Wikimedia. The fact that PHP is a popular web programming language does not mean however that it is entirely secure, or that it is always used with attention to security. Through the years, many web vulnerabilities have been found and attributed to bad PHP implementations or insecure default settings. Advancing the state of art in a massively used web programming language is of course non-trivial: if we want to trust some of the most visited websites and services, we should be sure that the technical backend is built securely. Suhosin is a continuous effort to update and secure new versions of PHP and guarantee that implementations leave no loose ends. Suhosin NG, which stands for Next Generation, aims to connect the work already done with a new project created from scratch to best protect PHP 7, the latest version of the web programming language. Run by SektionEins GmbH This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. "},{"description":" Structured Email for Roundcube Add schema.org metadata awareness to open source email Email is probably the only open and widespread technology bridging our private information space (Mobile, Desktop) and the public Internet. It can in fact be considered our \"personal API\". Structured Email for Roundcube develops a plugin for the popular Roundcube Webmail software, which extracts Schema.org data embedded in email messages. Based on that, it allows for new ways of presenting emails and interacting with them. 
The project's own website: https://structured.email Run by audriga GmbH This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","url":"https://nlnet.nl/project/StructuredEmail/","title":"Structured Email for Roundcube"},{"description":" StreetComplete UX Improve usability of StreetComplete OpenStreetMap is the best source of information for general purpose search engines that need geographic data about locations and properties of various objects. The objects vary from cities and other settlements to shops, parks, roads, schools, railways, motorways, forests, beaches etc etc etc. The search engine can use the data to answer queries such as \"route to nearest wheelchair accessible greengrocer\", \"list of national parks near motorways\" or \"London weather\". The full OpenStreetMap dataset is publicly available under an open license and already used for many purposes. The project will make collecting open data for OpenStreetMap easier and more efficient, and lower the threshold for contribution by improving usability and accessibility. Any user should be able to help improve OpenStreetMap data, simply by downloading the app from F-droid or Google store and map as they walk. The project's own website: https://streetcomplete.app This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. 
","title":"StreetComplete UX","url":"https://nlnet.nl/project/StreetCompleteUX/"},{"url":"https://nlnet.nl/project/StreetComplete/","title":"StreetComplete","description":" StreetComplete Fix open geodata with OpenStreetMap The project will make collecting data for OpenStreetMap easier and more efficient. OpenStreetMap is the best source of information for general purpose search engines that need a geographic data about locations and properties of various objects. The objects vary from cities and other settlements to shops, parks, roads, schools, railways, motorways, forests, beaches etc etc etc. The search engine can use the data to answer queries such as \"route to nearest wheelchair accessible greengrocer\", \"list of national parks near motorways\" or \"London weather\". Full OpenStreetMap dataset is publicly available on an open license and already used for many purposes. Improving OSM increases quality of services using open data rather than proprietary datasets kept as a trade secret by established companies. The project's own website: https://github.com/westnordost/StreetComplete/ Why does this actually matter to end users? Everyone needs to find their way around the world, be it traveling for work, taking a vacation or going to the doctor, dentist, your local municipality and other important (public) services. How we move around and where we go is very personal information: imagine following someone for a week and what this can teach you about their life, their loved ones and what is important to them. Now think about the apps or devices you use for navigation and what they can and probably do log about you. Where does this information go, who has access to it, how does this feed into your data profile that is created and sold by tech platforms to businesses (and sometimes governments)? 
Navigation shouldn't be yet another underhanded means for tracking and profiling, it should help you get to where you need to be and inform you about your travel, nothing else. OpenStreetMap is a collective effort to build a tool that brings geographic data and navigation into the public space, as an alternative to commercial services. Users help map areas, roads, buildings and other points of interest and keep this information up to date and enrich it. All data is open and free to use. Navigation works best when you can efficiently search and find exactly where you need to go, even with limited information. StreetComplete is a project that makes it easier for users of OpenStreetMap to optimize, correct and enrich geographical data without the need for technical knowledge or skills. Simply walk around an area and answer survey style questions like \"What is the name of this road, what are the opening hours of this shop, is there a cycleway here?\" This way users can help keep the geographic data of OpenStreetMap up to date and enrich it with valuable information, for example on the wheelchair accessibility of a street or building. This makes OpenStreetMap a more valuable and more inclusive source for geographic search and navigation. This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. "},{"description":" StreetComplete Multiplatform OpenStreetMap editing beyond Android The goal of this project is to migrate StreetComplete from an Android app to a multiplatform app, making use of Kotlin Multiplatform and Compose Multiplatform for the UI, thus, allowing the app to be released on other platforms, such as iOS and eventually Linux. 
This will allow for a significantly larger audience that is able to casually contribute missing data to OpenStreetMap on the go, as StreetComplete is the go-to app for this purpose, aimed at non-tech-savvy people and presented in a slightly gamified fashion. OpenStreetMap, in turn, is the free wiki worldmap. The project's own website: https://streetcomplete.app This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","title":"StreetComplete Multiplatform","url":"https://nlnet.nl/project/StreetComplete-multiplatform/"},{"title":"StreetComplete","url":"https://nlnet.nl/project/StreetComplete-Together/","description":" StreetComplete Collaborative editing in OpenStreetMap StreetComplete is a mobile app that makes it easy and fun to contribute to OpenStreetMap while out and about. OpenStreetMap is the largest open data community about maps, and the go-to source for free geographic data when doing a location-based search. This project focuses on making the collection of data to be used in a search more powerful and efficient. More specifically, the main goals are to add the possibility to collect more data with an easy interface and to add a new view in which it shall be more efficient to complete and keep up-to-date certain types of data, such as house numbers or cycleways. The project's own website: https://github.com/streetcomplete/StreetComplete This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. 
"},{"description":" StreetComplete/AllThePlaces Ingest data from AllThePlaces into StreetComplete This project will contribute to more accurate data about shops and other businesses in OpenStreetMap, by suggesting mappers at which places shops might be missing. The detection of places where a shop may exist but nothing is mapped in OpenStreetMap will be powered by the All The Places project, which crawls store location webpages across of many businesses. Mappers will thus be able to quickly add a shop to OpenStreetMap, after adjusting location as needed. The project's own website: https://streetcomplete.app/ This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","url":"https://nlnet.nl/project/StreetComplete-ATP/","title":"StreetComplete/AllThePlaces"},{"description":" Stract Explorative search engine Search has become an intrinsic part of the way we explore the web. Sadly as of late, most of the current search engines fail to live up to this responsibility. Stract is a fully open source, independent and user-centric search engine for the web. In short, our goal is to do web search right. The funding from NLnet will be used to improve the performance of our index, improve the performance of our web graph, adding a live index for news articles and blog posts and finally improving our currently insufficient documentation. The project's own website: https://stract.com Run by Stract This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. 
","title":"Stract","url":"https://nlnet.nl/project/Stract/"},{"url":"https://nlnet.nl/project/Stencila/","title":"Stencila v2 for ERA and EPP","description":" Stencila v2 for ERA and EPP Add editable, runnable code to scientific publications Stencila offers a platform for collaborating on, and publishing, dynamic, data-driven content with the aim of lowering the barriers for creating data-driven documents and making it easier to create beautiful, interactive, and semantically rich, articles, web pages and applications from them. The latest version, a rewrite in Rust, is aimed at leveraging two relatively recent and impactful innovations: conflict-free replicated data types (CRDTs), for de-centralized collaboration and version control, and large language models (LLMs) for assisting in writing and editing prose and code. These technologies used together provide an advance in scholarly communication of research findings by powering the Enhanced Preprint Platform and Executable Research Articles at publishing venues such as eLife and GigaScience. The project's own website: https://stencila.io Run by Stencila, Ltd This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"url":"https://nlnet.nl/project/Steamworks/","title":"ARPA2 Steamworks","description":" ARPA2 Steamworks ARPA2 Steamworks Computer systems nowadays are entangled with networks, and a simple server may in fact depend on other systems to be online to be able to fulfill its services. This constitutes a degree of fragility that is not always desirable; for instance, where security policies or system access is concerned. 
To make things worse, there is a growing tendency to combine information sources from various parties, and crossing the technical and political boundaries of organisations can introduce many new issues that complicate normal system management. So what we need is a system that can share (configuration) information across such parties, and reduce their cross-dependency. This is where SteamWorks steps in; it enables a central site to configure settings for a large conglomeration or a distributed enterprise, and each of the sites can clone this information and spread it internally. Updates are automatically spread out as soon as possible, but in case of network failure the old information is retained and used until the downtime is resolved. The project's own website: http://steamworks.arpa2.net/ Why does this actually matter to end users? ARPA2 SteamWorks is a set of tools that co-operate to transmit more-or-less centrally controlled configuration settings over any network, and make these settings available to individual programs. Updates are passed around instantaneously when network connections are good, but the last version of the information can be used when the network temporarily degrades. The project is part of the ARPA2 project, which is engineering towards an overall architecture scalable to run a future internet that is secure by design. Configuring and provisioning TLS — trusted (root) certificates, intermediates, end-user certificates, and public keys — can be a complicated business. The ARPA2 TLS Pool project makes it simpler for third-party applications (e.g. a web browser, or a web server) to use TLS and identity information. Configuration of TLS Pool itself however is still somewhat complicated: it provides a number of databases for configuring its behavior -- that is, the way it provides TLS and identity support to applications and the parameters of its outgoing TLS connections -- but filling those databases needs an API and a user interface. 
ARPA2 SteamWorks is about creating machinery for distributing configuration information through LDAP and using that for local provisioning through the Pulley (a local daemon) and Pulley Plug-ins (used to configure specific applications, e.g. TLS Pool). The configuration of the Pulley is done through a Pulley Script (which can, in turn, be distributed through LDAP). The Pulley Plug-in mechanism is generic and in the longer term will evolve more plug-ins for configuring other (sub)systems, e.g. writing ISC DHCPd configuration or Local Unbound configuration files. The project will make it possible to connect the complete configuration of TLS Pool to the SteamWorks machinery by building a SteamWorks Pulley Plug-In and Pulley Scripts that can fully configure TLS Pool. This includes defining all of the configuration elements for TLS Pool in LDAP schemata. SteamWorks also provides a framework for writing web-based front-ends to the LDAP configuration through the Crank component of SteamWorks. In order to provide the user interface for TLS Pool provisioning, we will construct that front-end (web application). This gives us a mechanism for filling the TLS Pool configuration in LDAP, distributing it to the Pulley through LDAP, and then locally turning it into configuration for provisioning TLS for applications. (An extension of this mechanism would involve generically associating Some parts of this system are already built as proofs-of-concept: there is a stub Pulley Plug-in for configuring the trusted root certificates in TLS Pool, as well as a rudimentary web-interface for filling those in in LDAP. This project aims to turn those proofs-of-concept into fully functional configuration tools. Earlier work on ARPA2 Steamworks was funded with a joint subsidy from NLnet and the programme \"[veilig] door innovatie\" from the Netherlands government. 
Run by ARPA2 This project was funded through the Internet Hardening Fund, a fund established by NLnet with financial support from the Netherlands Ministry of Economic Affairs and Climate Policy. "},{"title":"Statime PTP Master","url":"https://nlnet.nl/project/Statime-PTP-Master/","description":" Statime PTP Master Statime - Zero-allocation cross-platform Precision Time Protocol High-precision clock synchronization is becoming increasingly important in application areas such as high precision localization, finance, broadcasting, security protocols, smart grids, and cellular base station transmissions. The Precision Time Protocol (PTP) is widely used for these critical applications and it is therefore important for it to be as secure and reliable as possible. We have previously developed the first iteration of Statime, an implementation of a PTP slave in the Rust programming language. The outcome of that project is a secure-by-design implementation, leveraging the Rust borrow checker to guarantee memory-safety. With this project, we will expand our implementation in two ways. Firstly, we will expand the feature set to include a PTP master, conforming to the IEEE standard for PTP (the 2019 version, IEEE1588-2019), so we can run a full PTP instance with the memory-safety guarantees that our implementation provides. Secondly, our implementation will be able to run without an operating system or system allocator. Those properties make the implementation inherently portable and more reliable. Our concrete goal for this second phase is that it runs on the stm32f7 microcontroller, a device with built-in PTP Ethernet support, but otherwise limited capabilities. 
The project's own website: https://github.com/pendulum-project/statime Run by Tweede golf This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. "},{"title":"Standards Grammar Catalog/Toolchain","url":"https://nlnet.nl/project/StandardsGrammarCatalog/","description":" Standards Grammar Catalog/Toolchain Open Standards Grammar Catalog/Toolchain The Open Standards Grammar Catalog/Toolchain makes it easier to implement a format or protocol by translating its machine-readable definition, usually in a language such as ABNF, into forms readily compatible with popular programming languages, like regular expressions, YACC, ANTLR, and native code. By providing a toolchain for making these translations, assembling a catalog of commonly used formats & protocols, and publishing a developer-friendly website for browsing the grammars and generating translations, these tools will reduce the need to manually write a parser, ultimately reducing errors due to hand-written code, and enhancing interoperability. The project's own website: http://grammars.wiki/ This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"description":" Transitioning SMM Ownership to Linuxboot More robust defense Against Firmware Vulnerabilities In an era marked by escalating cybersecurity threats, firmware security is one of the biggest blind spots. One pervasive weakness lies in an architectural design called System Management Mode (SMM). 
Sometimes referred to as “Ring -2”, SMM is used by device manufacturers to interact with hardware like NVRAM, emulate hardware functionality, handle hardware interrupts or errata, and perform other functions. The unrestricted, non-standardized control inherent to SMM implies significant security vulnerabilities. There is no shortage of Day-0 and Day-1 firmware vulnerabilities related to SMM. Current industry practices open a wide door for cyber attacks, and the attacker can even bypass the secured OS kernel with the SMM loopholes. This proposal introduces a novel SMM architectural design, by transitioning SMM ownership from core firmware (e.g. coreboot) to payload - in this case Linuxboot. This will leverage the robust, open-source nature of Linux’s SMM drivers: these drivers have been proven to work very well over decades, and their open-source nature makes security reviews easier. This initiative aims to develop and universalize a secure architectural design in collaboration with chip vendors, thus elevating the resilience and integrity of our digital ecosystem. The project's own website: https://github.com/linuxboot/linuxboot Run by 9elements GmbH This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","url":"https://nlnet.nl/project/Standalone-SSM/","title":"Transitioning SMM Ownership to Linuxboot"},{"url":"https://nlnet.nl/project/Stalwart/","title":"Stalwart Mail Server","description":" Stalwart Mail Server Robust full featured mail infrastructure in Rust Self-hosting an e-mail server is notoriously difficult. 
While privacy is a top concern for many individuals and businesses, the complexities of self-hosting a mail server often outweigh the benefits, leading many to choose to sacrifice some privacy and pay a third-party provider to manage their email instead. One of the key challenges of self-hosting an email server is the outdated and complex nature of most available open-source mail server software. Stalwart Mail Server is an open-source email server written in Rust that aims to help modernize, democratize, and promote decentralization of email. The server offers a robust and privacy-focused solution that is easy for individuals and businesses to set up and maintain on their own. Stalwart Mail Server consists of three components: a JMAP server, an IMAP4 server with support for ManageSieve as well as many extensions, and an SMTP server with support for DMARC, DKIM, ARC, and SPF. The server does not require any external software or databases to run and can easily scale to multiple servers thanks to its native Raft support. Furthermore, the use of Rust in Stalwart Mail Server allows it to offer improved performance, safety, and concurrency compared to other solutions, making it a versatile and robust choice for those looking to self-host their own email server. The project's own website: https://stalw.art Run by Stalwart Labs Ltd. This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. "},{"description":" Stalwart Collaboration Server Integrated solution for email, calendaring and file management Stalwart Mail Server was created to address the challenges of email self-hosting by offering a modern, secure, and easy-to-maintain solution. 
With support for JMAP, IMAP4, POP3, and SMTP, it provides individuals and businesses with a powerful, privacy-focused alternative to third-party email providers. Now Stalwart is expanding beyond email with the introduction of Stalwart Collaboration Server, a new component that will complement Stalwart Mail Server and transform the platform into a complete, self-hosted collaboration suite. Stalwart Collaboration Server will provide built-in support for calendars using CalDAV and JMAP for Calendars, contacts management through CardDAV and JMAP for Contacts, and file storage and sharing via WebDAV and JMAP for File Management. By combining email, calendaring, contact management, and file storage in one open-source solution, Stalwart will offer a powerful alternative to proprietary platforms like Microsoft Exchange. Organizations will be able to self-host their entire collaboration stack while maintaining full control over their data, ensuring privacy, security, and scalability. Stalwart Collaboration Server will extend the project’s mission to modernize, democratize, and decentralize essential communication and collaboration tools. With this expansion, businesses and individuals will no longer need to rely on closed-source, vendor-locked solutions. Instead, they will have access to a fully integrated, scalable, and privacy-focused platform that empowers them to communicate and collaborate on their own terms. The project's own website: https://stalw.art Run by Stalwart Labs LLC This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. 
","url":"https://nlnet.nl/project/Stalwart-Collaboration/","title":"Stalwart Collaboration Server"},{"description":" Squishy SCSI multi tool and gateware library Squishy is a SCSI multi-tool aimed at long term access to computer systems and equipment. It accomplishes this by having capable hardware combined with an extremely flexible software ecosystem, allowing Squishy to act not only as nearly any device under the sun, but also as a SCSI bus initiator with high flexibility. This enables it to be used for archival work to interact with obscure or arcane hardware to read magnetic tapes, or to allow modern systems to interface with and control older, but still reliable and used, lab and scientific equipment. Squishy is currently in its second prototyping phase, after lessons were learned from the first revision of the hardware. This involves a full redesign to grant it more capabilities and serve as a more solid foundation. The end goal is a relatively small, fully compliant device for multiple SCSI standards along with a robust software ecosystem, allowing it to speak to any equipment, be it a SCSI-1 tape drive or an ULTRA-320 SCSI-based data acquisition system. The project's own website: https://github.com/squishy-scsi/squishy This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","title":"Squishy","url":"https://nlnet.nl/project/Squishy/"},{"description":" Spritely Oaken Secure 3rd party extensibility with capability-based Scheme Spritely Oaken is a new programming system in the Scheme family, designed to provide strong security with a capability-based architecture. It will make it possible to safely add untrusted third-party code to programs without the usual risks of malicious code. 
Oaken builds on established ideas from the Scheme implementation ‘Scheme 48’, and will both extend this functionality and bring it to an actively maintained platform, Guile. This will eventually provide simple integration with Spritely’s Goblins system for distributed applications, which is also built on Guile. Oaken will play an important role towards enabling distributed and democratic internet platforms. The project's own website: https://spritelyproject.org This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","title":"Spritely Oaken","url":"https://nlnet.nl/project/SpritelyOaken/"},{"url":"https://nlnet.nl/project/SpritelyOCapN/","title":"Spritely (and OCapN)","description":" Spritely (and OCapN) Enable secure P2P applications with Object Capabilities OCapN (the Object Capability Network, and featuring CapTP, the Capability Transport Protocol) simplifies building otherwise complicated security-oriented peer to peer systems as a natural extension of ordinary programming patterns. OCapN/CapTP features intentional collaboration amongst networked objects, distributed garbage collection, networked promise pipelining for efficient distributed communication, a peer introduction and consensual resource sharing system, and an abstract networking layer compatible with Tor Onion Services, I2P, libp2p, and even more traditional DNS + TLS. While multiple implementations exist within Spritely and elsewhere, these are all incompatible. The project will produce specifications, documentation, and test suites to encourage consistency, interoperability, and smooth adoption of the technology. 
The project's own website: https://spritelyproject.org Run by Jessica Tallon and The Spritely Institute This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. "},{"url":"https://nlnet.nl/project/SpritelyOCCapN/","title":"","description":""},{"description":" Secure User Interfaces (Spritely) Usability of decentralised social media Spritely is a project to advance the federated social network by adding richer communication and privacy/security features to the network. This particular sub-project aims to demonstrate how user interfaces can and should play an important role in user security. The core elements necessary for secure interaction are shown through a simple chat interface which integrates a contact list as an easy-to-use implementation of a \"petname interface\". Information from this contact list is integrated throughout the implementation in such a way that helps reduce phishing risk, aids discovery of meeting other users, and requires no centralized naming authority. As an additional benefit, this project will demonstrate some of the asynchronous network programming features of the Spritely development stack. The project's own website: https://spritelyproject.org/ Why does this actually matter to end users? Online deception and social engineering, better known as phishing, is becoming a bigger threat every day as we store and share more of our (sensitive) data online. Because the risk of getting caught is low and the payoff potentially high, fraud and theft on the internet is running rampant. Through fake emails, websites and instant messages, users and businesses are tricked into sharing sensitive data like passwords and credit card details. 
People can end up with all of their money stolen, their lives ruined or their personal sensitive data spread all across the internet. Social media are one of the channels used by cybercriminals to extort and pressure users into handing over their credentials. Because phishing attempts become more believable and pervasive every day, social media networks need to protect their users. Commercial networks like Twitter and Facebook can organize protective measures on their own, while decentralized networks like Mastodon and Pleroma rely on the hosts of individual instances to protect users against spam, trolls and phishing attempts. While decentralized social media offer users more privacy, fewer ads and data governance, they are more vulnerable to all sorts of cybercrime that can turn users away. This project will improve privacy and security in decentralized social networks by showing users how they can best protect themselves against phishing, using the Mastodon web interface. Decentralized networks by design give users more governance over their personal data and anonymity, but to win users over should provide the same security as centralized, commercial social media. This project will help create decentralized networks that are just as privacy-friendly as they are secure, putting the user first. Run by Libre Labs This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. 
","url":"https://nlnet.nl/project/Spritely/","title":"Secure User Interfaces (Spritely)"},{"url":"https://nlnet.nl/project/Spritely-Petnames/","title":"Spritely","description":" Spritely Capability based petname system Users are currently caught between two worlds of identity solutions: prepackaged centralized identity silos (which also tend to be very phishing-vulnerable) and more decentralized naming systems that awkwardly separate the experience of secure connections from identity. What if instead users could have an experience where decentralized naming was a natural outgrowth of using the application? Spritely is a laboratory project to advance the decentralized social web founded by authors of the popular ActivityPub federated social web protocol. Spritely's approach to decentralized naming systems is to implement a \"petnames system\", where local meaning is given to \"petnames\" to otherwise non-human-meaningful decentralized identifiers (such as a hash of cryptographic key material). An important part of this design is that decentralized naming flows should be a natural part of use of the program. Petnames tend to resemble local contacts in a \"contact list\", but petnames on their own do not provide a sufficient way to discover, meet, and come to trust new contacts. A complete petname system also provides \"edge names\": for example \"CWebber=>JessicaTallon\" would show JessicaTallon as an \"edge name\" proposed by the petname CWebber. Our system also provides support for contacts introduced in a context with no existing relationships; these are called \"self-proposed names\" and are rendered in a way distinct from petnames and edge names. This has been under-implemented in existing petname systems; since Spritely is implementing decentralized communication systems, this will be a full implementation of a petname system (including edge names and self-proposed names) in an ergonomic manner that can also be applied to other decentralized systems. 
In addition to a specification, the project will deliver a usable chat application plus contact list. The project's own website: https://spritelyproject.org This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. "},{"title":"SpinalWaves & SpinalTrace","url":"https://nlnet.nl/project/SpinalWaves/","description":" SpinalWaves & SpinalTrace Typed waveform viewing and error source tracing for SpinalHDL This project will develop two open-source debugging tools — SpinalWaves and SpinalTrace — to simplify the debugging of hardware designs written in SpinalHDL, a high-level hardware generator language (HGL) used to design various computing hardware systems. HGLs like SpinalHDL compile down to industry-standard hardware descriptions such as VHDL and Verilog. Debugging HGL designs is challenging because errors observed in signal values at the compiled low-level hardware are often difficult to trace back to the high-level code that generated them. SpinalWaves will extend waveform visualization by preserving and displaying high-level type information for hardware signals, while SpinalTrace will enable tracing faulty signal transitions back to their source in the original SpinalHDL code. The tools will build on prior work from the Tydi ecosystem, which includes Tywaves and ChiselTrace for the Chisel hardware design language. However, adapting these concepts to SpinalHDL requires new techniques due to differences in the compilation flow, particularly the absence of an intermediate representation such as FIRRTL. The project will therefore develop new mechanisms for extracting program dependency information and inserting instrumentation within the SpinalHDL compilation process. 
The expected outcome is an integrated, open-source debugging toolkit for SpinalHDL that improves developer productivity, lowers the barrier to hardware design, and strengthens the broader open-source hardware development ecosystem. Run by Delft University of Technology This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"description":" Spectrum A security through compartmentalization based operating system Spectrum is an implementation of a security through compartmentalization based operating system, built on top of the Linux kernel. Unlike other such implementations, user data and application state will be managed centrally, while remaining isolated, meaning that the system can be backed up and managed as a whole, rather than mixed up in several dozen virtual machines. The host system and isolated environments will all be managed declaratively and reproducibly using Nix, the purely functional package manager. This will save the user the burden of maintaining many different virtual computers, allowing finer-grained resource access controls and making it possible to verify the software running across all environments. The Linux base, and a variety of isolation technologies from containers to virtual machines, will bring security through compartmentalization to a much wider range of hardware than previous implementations, and therefore make it accessible to many more people. The project's own website: https://spectrum-os.org Why does this actually matter to end users? How can you understand and trust a complex system, like the operating system managing the hardware and software on your computer? 
You can make the complexity simpler by cutting it up into parts, compartmentalizing what does what, where information is stored, which processes talk to each other. This way users can be sure their system only does what it is supposed to do and know precisely what goes in and what comes out. This can be done through virtual machines, which are isolated simulations of operating systems or programs on a computer. Simply put, you create virtual rooms where only one thing happens and only you have the keys to each door. This can give users complete control over what happens on their computer and ensures that if some malicious software finds a way in, it cannot get to the other rooms. This can be very important if your device contains sensitive information, if some ill-meaning third party tries to listen in, or when the device is part of some crucial infrastructure and is targeted for attacks. Security by isolation sounds simple enough, but in actuality requires a lot of work and maintenance. Operating systems that can compartmentalize programs and processes are very hardware-specific and the virtual machines they run require regular and complicated upkeep. The Spectrum operating system takes a different and simpler approach: all data on the system is stored in one place and applications that need access to that data are isolated and specifically told what information they can and cannot access, even within the same application. For example, when you want your word processor to access certain files when you are working and other documents when you are at home, you can create two versions or simulations (called instances in Spectrum) with specific access rights. Users can keep a clear overview of their system and applications, as well as the various instances they create, by simply writing all this down in a configuration text. A system called Nix takes this text and creates all the software that the user has written down. 
Each program can be updated separately, without worries that other parts will break or become incompatible. Users always have a clear overview on what is happening on their computer, instead of getting lost in a maze of virtual rooms. Security by isolation becomes more manageable and transparent, making it accessible for a larger audience. This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. ","title":"Spectrum","url":"https://nlnet.nl/project/Spectrum/"},{"description":" Spectrum: Virtualisation Platform A secure OS with app isolation Spectrum is an implementation of a security through compartmentalization based operating system, built on top of the Linux kernel. Unlike other such implementations, user data and application state will be managed centrally, while remaining isolated, meaning that the system can be backed up and managed as a whole, rather than mixed up in several dozen virtual machines. This project will continue the implementation of important features in Spectrum. In most cases, this work will also include the implementation of new primitives in Spectrum's underlying technologies — in particular the rust-vmm ecosystem — to enable those features. In addition, we aim to grow the ecosystem further in response to clear demand from developers, by extracting more reusable components from the monolithic Spectrum system, and by providing comprehensive documentation to teach developers how to create their own virtualization solutions from the growing universe of available components. By investing in growth of the free virtualization ecosystem, we expect we will expand the pool of potential future contributors to Spectrum and its components, increasing the speed at which the project can move in the future. 
The project's own website: https://spectrum-os.org This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","title":"Spectrum: Virtualisation Platform","url":"https://nlnet.nl/project/Spectrum-virt/"},{"description":" Spectrum Applications Add running graphical applications to the compartmentalized desktop OS Spectrum Spectrum is a project that aims to develop a secure, compartmentalized desktop operating system with security and usability improvements over other existing implementations. This project will improve Spectrum's support for running graphical applications. Currently, users have to manually create virtual machines by laying out a configuration directory themselves (or using a helper Nix function). Running a new application often requires some customisation work on the VM to set up the environment suitably for the application to run and defining access controls - and there is no facility to create a VM on the fly. After this project is done, the system will be able to automatically start VMs on the fly for applications packaged as AppImages, and applications will be able to dynamically request access to files using the existing XDG Desktop Portals interface that is already implemented by major toolkits (so File→Open… will just work in unmodified applications, with the user able to select from all their files without the application being able to see them). The foundations will have been laid to go on to support applications packaged in other ways, such as Flatpak (which could be follow-up work, should this initial stage be successful). 
The project's own website: https://spectrum-os.org/ This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","title":"Spectrum Applications","url":"https://nlnet.nl/project/Spectrum-Applications/"},{"description":" Dual-level Specification Inference Make formal verification more practical with dual-level Specification Inference While formal verification of smart contracts gains traction, writing formal specifications can be equally if not more costly than writing code. Spec^2 is a specification inference framework that aims to automatically deduce a high-quality set of specs based on the code only. The inferred specs include both per-transaction pre-post conditions (low-level specs) and invariants on the blockchain-backed storage (high-level specs). Furthermore, the inferred specs should be similar to what experts might develop manually and can be easily examined by people without formal verification training. The funding from NLnet and NGI Assure will be used to prototype Spec^2 against the Move language and infer specifications for Move-based smart contracts. Run by CISPA Helmholtz Center for Information Security This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. 
","url":"https://nlnet.nl/project/Spec2/","title":"Dual-level Specification Inference"},{"title":"Spade","url":"https://nlnet.nl/project/Spade/","description":" Spade Standalone Hardware Description Language Spade is a hardware description language that draws inspiration from modern software languages to make hardware development more productive, more fun, and less error-prone. A big part of what makes this possible is the type system which helps prevent bugs and makes the code more maintainable. A common source of errors in hardware designs is clock domain crossing: signals should never cross domains accidentally, and when they do cross, it must be done correctly. Failure to correctly cross domains leads to intermittent problems that can take significant effort to find and fix. By making the language and compiler aware of clock domains through the type system, we will be able to detect and warn programmers about accidental clock domain crossings at compile time. We will do this in an ergonomic way, where the user only has to specify clock domains on module inputs and outputs with the compiler being able to infer the rest. In addition, the default case of a module that only spans a single domain should not require any explicit domain information from the user to avoid unnecessary verbosity. The project's own website: https://spade-lang.org This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. 
"},{"url":"https://nlnet.nl/project/Spacylyze/","title":"Spacylize","description":" Spacylize Use LLMs to train more efficient and reliable NLP models Small, task-specific language models remain essential for efficient, interpretable and privacy-preserving NLP, even as large language models dominate the field. 
Spacylize enables the distillation of LLM capabilities into compact spaCy models by generating, validating, and iteratively refining training data to improve model performance. The software can be used both through a simple command-line interface and as a Python library, allowing seamless integration into diverse workflows. By automating LLM-based data creation for tasks such as named entity recognition and text classification, Spacylize strengthens the spaCy ecosystem and supports sustainable, open-source NLP development. This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"description":" Space Tube Group-to-group instant messaging Space Tube is a service utilising the Matrix protocol to allow groups to communicate with other groups. A group member adds the Space Tube bot to their shared chat platform e.g. discord server, slack organisation, element space etc, then they can create a channel (or tube) that sends messages to and from another group's chat platform. This allows groups to form relationships as groups that don't rely on individual people within those groups connecting them together. These group relationships can then scale to much larger directly participatory structures. This project will automate the process of creating tubes so that it can be done in a few seconds by a non-technical user. It will also expand tube functionality by allowing tubes to connect more than two groups at once and providing links to a graphical interface to support more complex group interactions such as agreeing to proposals or sharing resources. 
The project's own website: http://spacetu.be This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","url":"https://nlnet.nl/project/SpaceTube/","title":"Space Tube"},{"description":" sourcehut Graph query support for software development platform SourceHut is a free-software platform providing infrastructure for free-software projects, providing hosted repositories, mailing lists, bug trackers, real-time chat tools, and continuous integration infrastructure, among other services, and facilitating collaboration and project discovery via a federated project index. SourceHut focuses on performance, accessibility, and robustness, and since 2018 has provided a reliable platform supporting the thousands of FOSS projects that depend on its services. The NLnet project will expand the integration between SourceHut services, and between SourceHut and independently operated third-party services, primarily through the development of a comprehensive federation of GraphQL APIs. The project's own website: https://sourcehut.org This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. ","title":"sourcehut","url":"https://nlnet.nl/project/SourcehutGraphQL/"},{"description":" Sortix os-test POSIX test suite os-test measures interoperability and differences between every POSIX operating system (Linux, BSD, macOS, and many more). This project expands os-test with full coverage for the POSIX standard library for the C programming language. 
This new test coverage will check that each C header properly provides all the mandated definitions, and that each function succeeds on basic inputs. Detailed new suites will be written for the areas where defects or deviation from the standard are likely, or where edge cases otherwise might not be correctly implemented or even standardized. os-test continuously publishes test results for every POSIX OS as open data. os-test improves interoperability, since application vendors are able to know what behaviors they can actually use to write portable applications for all operating systems, operating system vendors can identify and fix their conformance issues, and the POSIX standard authors can measure adoption/rejection of the new POSIX.1 2024 standard. os-test is developed as a side project to fully implement POSIX in the new Sortix operating system. The project's own website: https://sortix.org This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/Sortix/","title":"Sortix os-test"},{"description":" Sonar: a modular peer-to-peer search engine Modular peer-to-peer search engine Sonar is a project to research and build a toolkit for decentralized search. Currently, most open-source search engines are designed to work on centralized infrastructure. This proves to be problematic when working within a decentralized environment. Sonar will try to solve some of these problems by making a search engine share its indexes incrementally over a P2P network. Thereby, Sonar will provide a base layer for the integration of full-text search into peer to peer/decentralized applications. 
Initially, Sonar will focus on integration with a peer-to-peer network (Dat) to expose search indexes securely in a decentralized structure. Sonar will provide a library that allows creating, sharing, and querying search indexes. A user interface and content ingestion pipeline will be provided through integration with the peer-to-peer archiving tool Archipel. The project's own website: https://sonar.arso.xyz Why does this actually matter to end users? Search and discovery are some of the most important and essential use cases of the internet. When you are in school and need to give a presentation or write a paper, when you are looking for a job, trying to promote your business or finding relevant commercial or public services you need, most of the time you will turn to the internet and more importantly the search bar in your browser to find answers. Searching information and making sure your name, company or idea can be discovered is crucial for users, but they actually have little control over this. Search engines decide what results you see, how your website can be discovered and what information is logged about your searches. What filters and algorithms are used remains opaque for users. They can only follow the rules laid out for them, instead of deciding on their own what, where and how to find the information they are looking for. This project takes a radically different approach to privacy-friendly and decentralized search and discovery by ensuring that the search engine is decentralized by design. Even the current search engines don't run the work on a single machine - the web is way too big for that. So it is already a distributed task. By harnessing the combined power of many small systems made available by their users, such a collective approach can measure up to the services traditionally delivered by monolithic search companies. The reverse also holds: without enough participants working together and contributing, the use will likely be limited. 
For now, the first concern is the availability of the essential technical building blocks. Of course, a decentralized search engine should still provide users with relevant results that are at least on par with what proprietary search algorithms can offer, which this project aims to do with machine learning. The P2P nature has attractive features. It ensures users that there can be no central point of control, not now nor in the future. It is also potentially extremely robust and resilient: the computers contributing capacity are potentially widely spread across the internet. If for some reason like a major disaster, the European internet is cut off from the rest, P2P search may still work. Run by arso project This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. ","title":"Sonar: a modular peer-to-peer search engine","url":"https://nlnet.nl/project/Sonar/"},{"description":" solidtime Privacy-friendly time tracking for teams and individuals Solidtime is a powerful open-source time tracking application built for both teams and individuals. It supports multi-organization setups, offers a flexible role- and permission-based user system, and includes comprehensive tools for managing projects, tasks, and clients. With both web and desktop applications, solidtime ensures a seamless and consistent experience across devices and work environments. Our mission is to provide an open, extensible, and self-hostable time tracking platform that gives users full control over their sensitive, business-critical, or personal data, helping organizations stay compliant with data privacy regulations such as GDPR. 
The project's own website: https://www.solidtime.io/ Run by solidtime This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","title":"solidtime","url":"https://nlnet.nl/project/Solidtime/"},{"description":" Solid Wallet Authorization reasoning, rule-based controls and fluid integration for Solid Solid Apps display information collected by following linked data across the World Wide Web, writing changes to Solid Personal Online Data Stores (PODs). Following links can land an App on a protected resource somewhere on the Web, accessible only to a select group of actors specified in an associated Web Access Control Resource. Solid Wallet aims to build core libraries to reason over Solid Access Control Rules, limit access to what clients can request, publish keys and sign transactions. The same libraries will also be useable by servers to verify such claims. Finally, we will use these libraries to build a flexible prototype Wallet for Solid apps that run in the browser or server. The project's own website: https://github.com/co-operating-systems/solid-control Run by Co-Operating Systems UG (haftungsbeschränkt) This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. 
","url":"https://nlnet.nl/project/SolidWallet/","title":"Solid Wallet"},{"description":" Solid Usable App Tools Project Improve developer experience for W3C Solid The Solid project is one of the best known efforts promising to bring individual data ownership to the people of Europe and the world. While Solid has many use cases, a common example is an alternative to Facebook, Instagram, and Twitter where a user can own their own social media data. But, Solid's current specification, implementations, and developer tools are not yet able to support a full-fledged social media alternative. This project will aide the ongoing specification and developer tool development for Solid by filling in the gaps that are currently preventing a \"home-run\" app from being created on Solid. Particular areas of concern for this project are: Authentication for Mobile Apps and Bots, Real-Time Notifications, and Easier Devtools (which caters also for developer that lack much prior knowledge of linked data). In addition, the project will produce a tutorial series to make developing apps on Solid as easy as learning how to use more mainstream technologies like React. The project's own website: https://ldo.js.org Run by O.team This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","url":"https://nlnet.nl/project/SolidUsableApps/","title":"Solid Usable App Tools Project"},{"url":"https://nlnet.nl/project/SolidOS/","title":"SolidOS","description":" SolidOS Data management tool and browser for Solid SolidOS is envisioned as a full-featured web-based operating system for any Solid-compliant personal data store, offering a window into Sir Tim Berners-Lee’s vision for a decentralized web. It serves as the default frontend for the community server, like solidcommunity.net. 
This project will deliver a modern, modularized SolidOS frontend with a streamlined CSS theme and clearly defined user-friendly \"happy paths\". The project's own website: https://solidos.solidcommunity.net This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"title":"Solid Application Interoperability","url":"https://nlnet.nl/project/SolidInterop4/","description":" Solid Application Interoperability Easy to deploy authorization for Solid Applications Solid Application Interoperability specification details how Agents in the Solid ecosystem can read, write, and manage data stored in a Solid pod using disparate Applications, individually or in collaboration with other Agents. Solid is a specification that lets people store their data securely in decentralized data stores called Pods. Pods are like secure personal web servers for data. When data is stored in someone's Pod, they control which people and applications can access it. Solid Application Interoperability provides a clear way to create intuitive data boundaries and higher-level patterns to manage access to that data following the principle of least privilege. This project focuses on finalizing the enforcement of user-defined access policies and improving related user experience (UX), development experience (DX), and deployability. Solid Project was founded by Tim Berners-Lee and is currently stewarded by the Open Data Institute (ODI). Incubation of technical reports happens in the W3C Solid Community Group. Some drafts have already been provided as inputs to the W3C Linked Web Storage Working Group which is chartered to publish final specifications. 
The project's own website: https://sai.js.org This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"title":"Solid Application Interoperability","url":"https://nlnet.nl/project/SolidInterop3/","description":" Solid Application Interoperability Interoperable Data sharing flows and discovery for Solid Solid Application Interoperability specification details how Agents in the Solid ecosystem can read, write, and manage data stored in a Solid pod using disparate Applications, either individually or in collaboration with other Agents. Solid is a specification that lets people store their data securely in decentralized data stores called Pods. Pods are like secure personal web servers for data. When data is stored in someone's Pod, they control which people and applications can access it. Solid Application Interoperability provides a clear way to create intuitive data boundaries and higher-level patterns to manage access to that data following the principle of least privilege. The focus of this project is on three parts: i18n for the Authorization Agent, data sharing flows and verifying WebID of social peers. This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. "},{"description":" Solid Application Interoperability Solid Application Interoperability specification details how Agents in the Solid ecosystem can read, write, and manage data stored in a Solid pod using disparate Applications, either individually or in collaboration with other Agents. 
Solid is a specification that lets people store their data securely in decentralized data stores called Pods. Pods are like secure personal web servers for data. When data is stored in someone's Pod, they control which people and applications can access it. Solid was initiated and is currently led by the inventor of the World Wide Web, Sir Tim Berners-Lee. Solid Application Interoperability provides a clear way to create intuitive data boundaries and higher-level patterns to manage access to that data following the principle of least privilege. In this follow-up project there is a focus on implementing the Authorization Agent service in TypeScript. It will also work on the SAI specification, which needs to provide more details on how the agent who receives an access grant gets updated when the access grant is replaced by a new one. The Authorization Agent service will also implement the server-to-server subscription type developed in the Solid Authentication panel. The project's own website: https://solid.github.io/data-interoperability-panel/specification/ This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. ","url":"https://nlnet.nl/project/SolidInterop2/","title":"Solid Application Interoperability"},{"description":" Solid Data Modules Improve data accessibility and prevent data corruption in Solid Pods The Solid Project enables a \"Bring your own Data\" architecture, but this is only useful if apps understand the data they find on the pod. Client-client specs are the crucial but underdeveloped core part of the Solid project which needs urgent attention now. Solid Data Modules will build on the existing remoteStorage modules work and the Solid Application Interoperability spec. 
They will support the data types already documented in the PDS Interop (https://pdsinterop.org/conventions/overview) and Shaperepo (https://shaperepo.com) initiatives. Apart from making data more easily accessible, reliably updating index files, and preventing data corruption, the Solid Data Modules will also automatically show the app developer which fine-grained Data Grants to request. That way, we hope to finally stop the bad practice of even demo apps that request root access to your pod. The project's own website: https://solidproject.org Run by The Solid Project This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","title":"Solid Data Modules","url":"https://nlnet.nl/project/SolidDataModules/"},{"title":"Solid Control","url":"https://nlnet.nl/project/SolidControl/","description":" Solid Control Access Control mechanism for data and services within Solid Solid-Control aims to enhance Tim Berners-Lee's Social Linked Data Project (Solid) with Attribute-Based Access Control. By extending the Linked Data Platform (LDP) with WebID based authentication and Access Control Lists (ACL), Solid has enabled the emergence of new forms of Hyper-Apps. These apps can follow data from server to server, authenticate when needed and write to the user's Personal Online Data storage (Pod), creating a decentralised social web. With relation-based access control (friend of a friend, business network, etc.), Solid can be a full alternative to centralised social networks. We also want to allow authentication based on Verifiable Claims such as age. Solid-Control will work on developing the needed logic, verify protocols, write prototype implementations and contribute to the Solid Auth Community groups, which are developing specs for standardisation. 
The project's own website: https://github.com/co-operating-systems/solid-control Why does this actually matter to end users? In the 'real world', you instinctively know what information you should keep behind locked doors and what is safe to share. Your bank statements are stored in a folder somewhere in the attic instead of leaving them laying around on your kitchen table. You do not tell random people on the street what your phone number is, or where your children go to school. In the virtual world, this type of common sense can work differently. Users are quicker to trust service providers to keep their personal data safe from theft and prying eyes, and do not always see the dangers of storing passwords in an online text file, or sharing sensitive financial documents via email. The dangers are unmistakably there, but until someone close to you suffers the consequences of a hack or a privacy breach, the risks of online data storage are vague and its convenience is too tempting to pass up. People are accustomed to easy, accessible and convenient online tools and services. More private and secure open-source alternatives should not exclude users because of an overly technical setup or incompatibility with existing proprietary solutions. Solid (or Social Linked Data) is a new approach to protecting personal data initiated by Tim Berners-Lee, the inventor of the world wide web and developed in collaboration with the Massachusetts Institute of Technology (MIT). The project aims to give users back full control over their personal data, which they can store in personal online data stores (or pods) and then give applications that run on the Solid platform access rights as they see fit. Users always retain ownership over their data, decide for themselves where it is stored and can change the permissions of any application that can access the data. 
Eventually the Solid ecosystem should offer decentralized and user-centric alternatives to centralized social media like Facebook, Twitter, LinkedIn etcetera. Detailed management over who can access data in your Solid-pod is what this project is contributing to with relation-based access control and verifiable claims. A friend of a friend or a known and reputable business network would be able to access your information, but someone you do not know might not. And to make sure someone is old enough to access certain content, they can provide claims that verify they are of a certain age. All this can be done without a central point of authority (and failure), to allow for internet-scale user-centric authentication and data management. Run by Cooperating Systems UG (haftungsbeschränkt) This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. "},{"description":" Solid Compound A software library/framework to simplify designing for W3C Solid Solid Compound is an innovative library designed to streamline the integration of web applications into the Solid ecosystem. It provides functionality to Solid App developers to make their Solid Apps usable without end-users needing a Solid Pod or a WebID. This lowers the barrier of entry for new end-users and allows everyone to use newly crafted and innovative Solid applications. Solid Compound offers a hybrid data storage approach, allowing for data to be stored either in the application's datastore (but Solid-ready) or in the user's Solid pod. It also enables user authentication (either done by the application or Solid-OIDC). 
This merging of traditional web development with Solid-compatible systems also extends the functionality to include a feature that enables data and identity migration from an application's datastore to a user's pod when they are ready. The hybrid approach ensures a smooth transition towards a more decentralized web, while simultaneously broadening the reach of Solid developers to users who may not yet be familiar with the Solid ecosystem. This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","url":"https://nlnet.nl/project/SolidCompound/","title":"Solid Compound"},{"description":" Solid Share Digital Mobile Wallet for W3C Solid This project works on a native app for the Android operating system, allowing citizens to use their Solid pod as a data and digital wallet. It allows users to log in to their Solid pod with different accounts, manage their data (for instance also travel tickets and passes), share private files by means of a QR code, and sync other Solid data modules (such as Contacts) within the Android ecosystem without needing extra apps. The app is designed offline-first. The goal of this project is to bring Solid into the hands of regular people, making them aware of the existence of the Solid project and allowing them to have a smooth and easy experience. It should be a base platform for using Solid pods as a daily usage storage as well. This project was funded through the NGI Mobifree Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme under the aegis of DG Communications Networks, Content and Technology. The NGI Mobifree R&D programme is part of Horizon Europe research and innovation programme under grant agreement No. 101135795. 
","title":"Solid Share","url":"https://nlnet.nl/project/SolidAndroidWallet/"},{"url":"https://nlnet.nl/project/Solid-Search/","title":"Solid-Search","description":" Solid-Search Queries in a pod Solid-Search aims to provide an open source module that adds full-text search functionality to Solid pods. Solid is an emergent specification initiated by the inventor of the World Wide Web, sir Tim Berners-Lee. Solid aims to decentralize the web by decoupling applications from databases by introducing Solid Pods (personal online datastores that are in full control of the data owner). Having a way to search through your personal data on your Solid Pod is a must-have for the project to become truly successful. However, this requires technology that does not exist yet: a full-text search interface that works with schema-less RDF data. In order to maximize adoption and retain a modular, open approach, we will standardize the way in which data changes are described. By doing so, it will be relatively easy to introduce new search / query systems (such as search by location). The project will will create the open source search back-end, improve linked data synchronisation specs, link the module to two solid implementations, create a front-end for end-users, and write a tutorial for adding data sources. The project's own website: https://ontola.io Why does this actually matter to end users? In the 'real world', you instinctively know what information you should keep behind locked doors and what is safe to share. Your bank statements are stored in a folder somewhere in the attic instead of leaving them laying around on your kitchen table. You do not tell random people on the street what your phone number is, or where your children go to school. In the virtual world, this type of common sense can work differently. 
Users are quicker to trust service providers to keep their personal data safe from theft and prying eyes, and do not always see the dangers of storing passwords in an online text file, or sharing sensitive financial documents via email. The dangers are unmistakably there, but until someone close to you suffers the consequences of a hack or a privacy breach, the risks of online data storage are vague and its convenience is too tempting to pass up. People are accustomed to easy, accessible and convenient online tools and services. More private and secure open-source alternatives should not exclude users because of an overly technical setup or incompatibility with existing proprietary solutions. Solid (or Social Linked Data) is a new approach to protecting personal data initiated by Tim Berners-Lee, the inventor of the world wide web and developed in collaboration with the Massachusetts Institute of Technology (MIT). The project aims to give users back full control over their personal data, which they can store in personal online data stores (or pods) and then give applications that run on the Solid platform access rights as they see fit. Users always retain ownership over their data, decide for themselves where it is stored and can change the permissions of any application that can access the data. Eventually the Solid ecosystem should offer decentralized and user-centric alternatives to centralized social media like Facebook, Twitter, LinkedIn etcetera. Convincing people to switch to Solid will take more than just telling them privacy horror stories. You cannot (and should not) scare someone into using your product, no matter how good your intentions might be. The alternative should be as good or even better than the original and switching should be easy and painless. Search and discovery is an important if not vital part of this: you need to be able to easily look for and find your data on a whim when you need it. 
Solid-Search will lay the groundwork for intuitive search that matches the unique set up of Solid. New search tools and interfaces can then be easily made and put on top of Solid Pods, making this the preferred way of storing and managing your data securely and accessibly. Run by Ontola This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. "},{"title":"Solid-NextCloud app","url":"https://nlnet.nl/project/Solid-NextCloud/","description":" Solid-NextCloud app Bridge Nextcloud to Solid This project connects the world of Solid with the world of Nextcloud. The aim is to develop an open source Nextcloud app that turns a Nextcloud server into a spec-compliant Solid server. It gives every user a WebID profile and allows Solid apps to store data on the user's Nextcloud account. It also exposes some of the user's existing Nextcloud data like contacts and calendar events as Solid user data, so that Solid apps can interact with the user's Nextcloud data, and allow the user to manage which Solid apps can access which specific aspects of the user's personal data. We will make our implementation compatible with the latest version of the Solid spec (including DPop tokens and the WebSockets AUTH command), and contribute the surface tests we create for this as a well-documented independent test-suite, for other Solid server implementers to benefit from. We will also publish a stand-alone version of our PHP components, which can run independently of Nextcloud. The project's own website: https://pdsinterop.org/solid-nextcloud/ Why does this actually matter to end users? In the 'real world', you instinctively know what information you should keep behind locked doors and what is safe to share. 
Your bank statements are stored in a folder somewhere in the attic instead of leaving them laying around on your kitchen table. You do not tell random people on the street what your phone number is, or where your children go to school. In the virtual world, this type of common sense can work differently. Users are quicker to trust service providers to keep their personal data safe from theft and prying eyes, and do not always see the dangers of storing passwords in an online text file, or sharing sensitive financial documents via email. The dangers are unmistakably there, but until someone close to you suffers the consequences of a hack or a privacy breach, the risks of online data storage are vague and its convenience is too tempting to pass up. People are accustomed to easy, accessible and convenient online tools and services. More private and secure open-source alternatives should not exclude users because of an overly technical setup or incompatibility with existing proprietary solutions. Solid (or Social Linked Data) is a new approach to protecting personal data initiated by Tim Berners-Lee, the inventor of the world wide web and developed in collaboration with the Massachusetts Institute of Technology (MIT). The project aims to give users back full control over their personal data, which they can store in personal online data stores (or pods) and then give applications that run on the Solid platform access rights as they see fit. Users always retain ownership over their data, decide for themselves where it is stored and can change the permissions of any application that can access the data. Eventually the Solid ecosystem should offer decentralized and user-centric alternatives to centralized social media like Facebook, Twitter, LinkedIn etcetera. Nextcloud is an open source file hosting (cloud) solution that follows the same principles as the Solid project: users are in control over their data, where it is stored, and who can access it. 
This project will bridge these two efforts and create a Nextcloud app that converts a Nextcloud-account to a Solid-identity. This combines the strengths of both projects, allowing users even more precise control over which people and organizations can access their private data. Run by Unhosted This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. "},{"description":" Solid NC 2024 Add more Solid capabilities to Nextcloud The Solid Nextcloud project implemented a server component with the Solid specification for Nextcloud, which makes one's Nextcloud server a Solid server as well. This allows users to use their existing server for identity and storage within the Solid ecosystem. To enhance security and to enable easier cooperation and release of new versions we need to improve a number of things. The CI/CD of the project will be improved. Based on an earlier audit, we will implement a number of security-enhancing features and we will release a PHP Solid Server next to the Solid Nextcloud module. These servers share a lot of code, which makes maintenance easier. The advantage is that PHP has a security maintenance cycle of three years, making it easier for users to stay secure when using a Solid server. The project's own website: https://pdsinterop.org/solid-nextcloud/ This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. 
","title":"Solid NC 2024","url":"https://nlnet.nl/project/Solid-NC/"},{"url":"https://nlnet.nl/project/Solid-Interop/","title":"Solid Application Interoperability","description":" Solid Application Interoperability Solid Application Interoperability specification details how Agents in the Solid ecosystem can read, write, and manage data stored in a Solid pod using disparate Applications, either individually or in collaboration with other Agents. Solid is a specification that lets people store their data securely in decentralized data stores called Pods. Pods are like secure personal web servers for data. When data is stored in someone's Pod, they control which people and applications can access it. Solid was initiated and is currently led by the inventor of the World Wide Web, sir Tim Berners-Lee. Solid Application Interoperability provides clear way to create intuitive data boundaries and higher level patterns to manage access to that data following the principle of least privilege. Specification is accompanied by a primer and sample implementations. The project's own website: https://solid.github.io/data-interoperability-panel/specification/ This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. "},{"description":" FedCM for Solid User-friendly Federated logins for Solid Community Server \"FedCM for Solid\" bridges the gap between the emerging Federated Credential Management API and the Solid ecosystem. By implementing an extension for the Community Solid Server, this project enables Solid-OIDC identity providers to become compatible with FedCM. This makes it possible for users to log into Solid apps without needing to remember and manually enter their Identity Provider URL, significantly improving user experience. 
In parallel, the project will deliver a FedCM test suite, helping others to integrate FedCM in their own decentralized systems. Together, these efforts will promote a more user-friendly authentication flow for Solid, and help ensure that the development of FedCM accommodates decentralized web architectures. Run by liquid.surf This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/Solid-FedCM/","title":"FedCM for Solid"},{"description":" Solid-ActivityPub Interop Bridge W3C Solid and ActivityPub The project summary for this project is not yet available. Please come back soon! 
The project's own website: https://github.com/solid/activitypub-interop Run by Liquid.surf This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/Solid-ActivityPub-Interop/","title":"Solid-ActivityPub Interop"},{"title":"Solar FemtoTX motherboard","url":"https://nlnet.nl/project/Solar-FemtoTX/","description":" Solar FemtoTX motherboard Low-power motherboard that can run on solar power Solar FemtoTX motherboard is an open, collaborative effort towards designing an ultra-low power motherboard in a mobile device-sized form factor. It aims to enable seamless integration into an open-source hardware laptop for easy repair/replacement/upgrade, and focusses on low power consumption, facilitating solar-powered devices and quick recharging. Furthermore, the project aims to make the open-hardware framework extensible by supporting socket-based or embedded processors and peripheral devices that meet a defined size and TDP limit. This interoperability allows newer, ultra low power microprocessors to work within the FemtoTX specification, and is optimized for solar power. The current project focusses on the initial design and validation of a System-on-Chip to be used in this low-power single board computer. The project's own website: https://ei2030.github.io/FemtoTX/ This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. 
Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"description":" Software Heritage Collect, preserve and share the source code of all software ever written Software Heritage is a non-profit, multi-stakeholder initiative with the stated goal to collect, preserve and share the source code of all software ever written, ensuring that current and future generations may discover its precious embedded knowledge. This ambitious mission requires proactively harvesting from a myriad of source code hosting platforms over the internet, each one having its own protocol, and coping with a variety of version control systems, each one having its own data model. This project will, among other things, help ingest the content of over 250000 open source software projects that use the Mercurial version control system that will be removed from the Bitbucket code hosting platform in June 2020. The project's own website: https://www.softwareheritage.org Why does this actually matter to end users? How do you preserve a piece of software for posterity? You might have a box of floppy disks in your attic somewhere, a treasure trove of games and programs you fired up daily in your childhood. Physical memory can be a great way to store digital data, but do you know anyone that still has a computer with a floppy drive? Better yet, does your laptop or computer even have a CD drive? The internet can provide a better data archive, but this still requires maintenance: everything that is online needs to be physically stored somewhere and once data is lost, it is lost forever. So how do you organize archiving data and software? Software Heritage is an organized effort to preserve all the software ever written. The programs we use every day say something about how we interact with our devices and connect with each other through technology. What can our software do, how can we use it, understand it, make it work for us? 
Preserving these programs is a constant and challenging mission, as software hosting never is a given. For this project the software preserving community will focus on making sure certain open source software is saved from the digital black hole, as a particular code version control system will be discontinued soon. Software Heritage will make sure these programs are preserved so we can learn from them, to make even better and more human software in the future. Run by Software Heritage This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. ","title":"Software Heritage","url":"https://nlnet.nl/project/SoftwareHeritage/"},{"description":" Peer-to-Peer Access to Our Software Heritage Access Software Heritage data via IPFS DHT Peer-to-Peer Access to Our Software Heritage (SWH × IPFS) is a project aimed at supporting Software Heritage’s mission to build a universal source code archive and preserve it for future generations by leveraging IPFS’s capabilities to share and replicate the archive in a decentralized, peer-to-peer manner. The project will build a bridge between the existing Software Heritage (SWH) API and the IPFS network to transparently serve native IPFS requests for SWH data. In the short term, this allows users using IPFS to form their own Content Distribution Network for SWH data. Longer term, we hope this will serve as a foundation for a decentralized network of copies that, together, ensure that the loss of no one repository, however large, results in the permanent destruction of any part of our heritage. The end product would be a perfect application of IPFS’s tools and a step in the direction of a decentralized internet services infrastructure. 
The project's own website: https://github.com/obsidiansystems/go-ipfs-swh-plugin/ Run by Software Heritage Foundation This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. ","url":"https://nlnet.nl/project/SoftwareHeritage-P2P/","title":"Peer-to-Peer Access to Our Software Heritage"},{"description":" SocksTrace Ptrace based proxy leak detector Proxy leaks are a class of software vulnerability in which network traffic intended for a proxy (e.g. Tor) is instead sent without a proxy, risking the deanonymization of the user. Auditing software for proxy leaks is presently nontrivial, e.g. tools like tcpdump and Corridor generally require invasive privileges, cannot audit for stream isolation leaks, and provide limited diagnostic capabilities. SocksTrace is a proxy leak detection tool, suitable for CI testing or manual QA testing, that utilizes the ptrace feature of Linux to detect socket syscalls that would bypass a proxy. If a proxy leak is detected, SocksTrace can respond by (among other things) denying the syscall, redirecting the connection to a proxy, or logging a stack trace. SocksTrace is written in Go, making it memory-safe and securely bootstrappable. The project's own website: https://github.com/namecoin/sockstrace Run by The Namecoin Project This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. 
","url":"https://nlnet.nl/project/SocksTrace/","title":"SocksTrace"},{"url":"https://nlnet.nl/project/SoCLinux/","title":"SoCLinux","description":" SoCLinux Easier driver development for Py2HWSW framework SoCLinux is an open-source project that aims to configure and generate a Linux system for RISC-V processors, focusing on creating a robust and maintainable environment for designing and testing IP cores. The project builds upon the existing open-source Py2HWSW framework powering the IOb-SoC platform, enhancing the functionality and portability of IP cores, by using as examples the key IOb-Cache, IOb-Eth, and IOb-UART16550 open-source cores. By providing a Linux IP core testbed, SoCLinux enables developers to build and test Linux drivers for new IP cores quickly, accelerating the production of high-quality IP cores, open-source or otherwise. The project aims to establish a widely adopted and maintainable ecosystem for IP core development, benefiting the broader community of IP core providers and users. SoCLinux will leverage the IP-XACT standard (IEEE 1685) for IP core packaging, and seamlessly exchange IP cores with FuseSoC, a well-known open-source IP core package manager. The project's own website: https://github.com/IObundle/iob-linux Run by IObundle This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"url":"https://nlnet.nl/project/Snix-Store_Builder/","title":"Snix-{Store/Build}","description":" Snix-{Store/Build} Improve store and builder component of Snix Snix is a modern design and implementation of the Nix package manager (GPLv3). It brings a modular architecture in which components such as the build environment or package store are replaceable, which enables new use-cases and platforms. 
A graph-reduction evaluation model will make it possible to use Nix for package definitions and entire system configurations, its proven and tested use case, as well as for granular build definitions for individual components of software. Snix will be fully compatible with nixpkgs, the existing package definition set for Nix, letting its users leverage more than a decade of community contributions and making it useful right out-of-the-box. This particular project focuses on the Store and Builder components of Snix, upgrading the store protocol, improving the Builder API as well as providing more interop with Nix. The project's own website: https://snix.dev Run by FLOKLI OÜ This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"url":"https://nlnet.nl/project/Sniffnet/","title":"Sniffnet","description":" Sniffnet User-friendly network monitoring application Sniffnet is a cross-platform, Rust-based, fully open-source network monitoring application to help everyone keep an eye on their Internet traffic. Sniffnet is a technical tool, but at the same time it strongly focuses on the overall user experience: most of the network analyzers out there are cumbersome to use, while one of Sniffnet's cornerstones is to be usable with ease by virtually anyone. In an era dominated by network traffic encryption, Sniffnet doesn’t follow the standard monitoring approach that included reporting full packets’ payloads, but rather it provides flow-level details such as the country, the organization, the domain name, the upper-layer service, and other parameters that enable a more immediate understanding about the nature of the network traffic. 
The project's own website: https://sniffnet.net This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"url":"https://nlnet.nl/project/Sniffnet-remote/","title":"Remote Sniffnet","description":" Remote Sniffnet Network monitoring tool + traffic analyser Sniffnet is a cross-platform, Rust-based, fully open-source network monitoring application to help everyone keep an eye on their Internet traffic. Sniffnet is a technical tool, but at the same time it strongly focuses on the overall user experience: most of the network analyzers out there are cumbersome to use, while one of Sniffnet's cornerstones is to be usable with ease by virtually anyone. Sniffnet plans to grow a lot in terms of functionalities in the coming period, implementing the most desired features raised directly by users. This includes the ability to identify the process/application responsible for a given network connection in a cross-platform way, the development of a Sniffnet agent and server capable of sending/receiving traffic from devices that don't support running a UI (such as routers or headless machines). Other interesting additions include support for the Linux SLL link type that will allow monitoring the 'any' interface, configuration of complex network filters following the Berkeley Packet Filter syntax, the ability to send remote notifications via POST webhooks, support for custom IP blacklists to warn users about suspicious traffic. A whole new application page will display more insights about the saved favorites, which will be extended to also support services and processes in addition to network hosts. 
The project's own website: https://sniffnet.net This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"description":" smoltcp RPL Implement Routing Protocol for Low-Power and Lossy networks Smoltcp is a TCP/IP library written in the Rust programming language. The Rust language offers many advantages, such as memory safety. The smoltcp library recently gained support for the 6LoWPAN protocol, enabling IPv6 for IEEE802.15.4 devices. However, a routing protocol tailored for low power devices is still missing in the library (or even one written in the Rust programming language). In this project, an implementation of the Routing Protocol for Low-Power and Lossy Networks (RPL) will be added to the smoltcp library. This protocol is designed for Low-Power wireless networks that are generally susceptible to packet loss. By adding this protocol to smoltcp, we get closer to a network stack that is safer to use for the Internet of Things (IoT). The project's own website: https://thvdveld.be/smoltcp-rpl-docs/introduction.html Run by Vrije Universiteit Brussel This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. 
","title":"smoltcp RPL","url":"https://nlnet.nl/project/Smoltcp/"},{"title":"Smart lookup & inference for Semantic Data","url":"https://nlnet.nl/project/SmartSemanticDataLookup/","description":" Smart lookup & inference for Semantic Data Knowledge mapping within a postgresql database Semantic knowledge representations have not evolved since the Semantic Web was proposed during the 1990s. Modern graph databases offer new possibilities for knowledge representation, but the methods are poorly developed and require the use of specialized query languages and clumsy outdated formats. This project aims to make semantic maps easy for general use, using standard SQL databases and modern lightweight data formats. A user workflow starts from a simple note-taking language, then ingesting into a database using a graph model based on the causal semantic spacetime model, to the use of a simple web application for supporting graph searches and data presentation. The aim is to make a generally useful library for incorporating into other applications, or running as a standalone notebook service. The project's own website: http://markburgess.org/spacetime.html Run by ChiTek-i This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"description":" Slixfeed News feed delivery through standard-based instant messaging Slixfeed is a vigorous syndicated news aggregator which runs as a chat client and also as an HTTP server. 
It can concurrently manage and serve multiple contacts (news sources), schedule update interval, customize the amount of items per update, and filter items by keywords; in addition, it can also create new pages from syndicated news sources in a chronological order, either from HTML over HTTP or PubSub over XMPP. Slixfeed has a special niche for XMPP as it utilizes Ad-Hoc Commands and Data Forms which, intertwined, form a visual and interactive interface which allows to seamlessly manage your sources, as if your chat client was a news reader. The project's own website: https://schapps.woodpeckersnest.eu/slixfeed This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","url":"https://nlnet.nl/project/Slixfeed/","title":"Slixfeed"},{"url":"https://nlnet.nl/project/Slipshow/","title":"Slipshow","description":" Slipshow A different paradigm for presentations including flipchart style annotations Slipshow is an innovative presentation tool that moves away from the traditional slide-based approach. Instead, it provides a dynamic experience similar to using a blackboard, while leveraging the advantages of digital technology. Presentations are created from Markdown files with specific annotations, and users can interact with the content during presentations by drawing directly on it using a mouse or tablet. With the scope of this project, Slipshow will be enhanced by introducing the ability to record annotations, seamlessly integrating them into the presentation for future use. 
The project's own website: https://github.com/panglesd/slipshow This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"description":" Slips Immune I Active IDP using ARP poisoning The \"Slips Immune I\" proposal marks the initial step in building an \"Immune System for the Internet,\" aimed at enhancing cybersecurity by fostering collaboration among computers using local and global decentralized P2P technology. The project focuses on improving the Slips Intrusion Detection System on local networks using Raspberry Pi devices, incorporating advanced detection ML models, isolation capabilities, and blocking techniques to mitigate cyberattacks. Key goals include implementing defense mechanisms, such as ARP poisoning for isolation and firewall-based protection, as well as training a Large Language Model (LLM) assistant to support security orchestration and decision-making. By leveraging machine learning and a collaborative architecture, Slips aims to evolve into a comprehensive, resilient Internet Immune System, where interconnected devices collectively detect, share information, and defend against cyber threats, enhancing protection through shared knowledge and adaptive responses. The project's own website: https://www.stratosphereips.org This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). 
","title":"Slips Immune I","url":"https://nlnet.nl/project/Slips-Immune/"},{"title":"Slintify LibrePCB 2.0","url":"https://nlnet.nl/project/Slintify-LibrePCB/","description":" Slintify LibrePCB 2.0 Add missing features to Slint UI toolkit to accommodate demanding applications The project summary for this project is not yet available. Please come back soon! The project's own website: https://librepcb.org/blog/2024-10-17_roadmap_2.0/#_completely_new_ui Run by SixtyFPS GmbH This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"title":"Slint on iOS","url":"https://nlnet.nl/project/SlintiOS/","description":" Slint on iOS iOS support for typed declarative UI toolkit Slint is a next generation declarative GUI toolkit that supports multiple programming languages such as Rust, C++, Python and JavaScript. Implemented in Rust, a language known for its memory safety and performance, Slint can run on platforms such as Windows, Linux, Mac, Android, QNX, and microcontrollers. This project will add iOS as a fully supported platform to enable developers create their cross-platform applications with Slint. Slint will be the first native (non-web based technology) Rust based toolkit for creating applications on iOS, allowing designers and developers an alternative open source option to build the user interface for their applications. 
The project's own website: https://slint.dev Run by SixtyFPS GmbH This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"description":" Slint port for Android Port the Rust-based Slint UI toolkit to Android Slint is a next generation declarative GUI toolkit that supports multiple programming languages such as Rust, C++, and JavaScript. Implemented in Rust, a language known for its memory safety and performance, Slint can run on platforms such as Windows, Linux, Mac, QNX, and microcontrollers. The popularity of Android as a mobile phone operating system has influenced the standardisation of drivers on embedded systems to the extent that it's possible to easily procure off-the-shelf embedded hardware that can run Android. Slint will be the first native (non-web based technology) Rust based toolkit for creating applications on Android and will allow designers and developers an alternative open source option to build the user interface for their applications. The project's own website: https://slint.dev Run by SixtyFPS GmbH This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","url":"https://nlnet.nl/project/SlintAndroid/","title":"Slint port for Android"},{"title":"Slint Visual Editor","url":"https://nlnet.nl/project/Slint-VisualEditor/","description":" Slint Visual Editor User-friendly design of graphical user interfaces The project summary for this project is not yet available. Please come back soon! 
The project's own website: https://slint.dev Run by SixtyFPS GmbH This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"url":"https://nlnet.nl/project/Slint-FunctionalSafety/","title":"FuSa proven Slint","description":" FuSa proven Slint Certifiable functional safety for Slint UI toolkit Functional safety (FuSa) is a core requirement in domains like automotive industry, the medical sector, and aerospace. For safety-critical systems often certifications for entire solutions are part of the regulatory requirements before a solution may be deployed, including all free and open source components which are part of such a solution. The entire solution often also includes graphical user interface elements as well, meaning of course that any underlying frameworks for developing GUIs need to be functional-safety-proven to even be considered. Slint is a versatile declarative UI solution written in Rust. Rust's strong guarantees of memory safety and thread safety make it a suitable language for developing applications that require Functional Safety (FuSa) certification. The goal of this project is to make Slint compliant with the requirements for certification, making it into a compelling option for building robust graphical user interfaces requiring functional safety. Having FOSS solutions opens up the door for trustworthy and user friendly tools within industry - open for scrutiny and wide reuse. 
The project's own website: https://slint.dev Run by SixtyFPS GmbH This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. "},{"title":"Herbees","url":"https://nlnet.nl/project/SimpleX-relay/","description":" Herbees Scalable intermediated P2P messaging based on Simplex Messaging protocol Herbees is an independent, unofficial, community-focused, open-source Rust implementation of the Simplex Messaging Protocol (SMP). It's designed as a robust and scalable foundation for relay-intermediated communication applications (intermediated p2p). Built upon the protocol’s elegant threat model and design principles established by the ingenious creators of SMP, Herbees provides middleware libraries and a high-performance SMP relay server. It also includes a reference, minimalistic CLI client to inform client developers how to construct user-centric clients and decentralized applications that leverage the protocol and its features – secure, authenticated, end-to-end encrypted (E2EE), private message exchanges – without requiring direct peer-to-peer connectivity or metadata exposure. This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"description":" SimpleSAMLphp 2.6 Extendable Authentication + Identity Provider SimpleSAMLphp is an application written in native PHP that deals with authentication. It provides Single Sign-On, Federated identity, and uses Web services and other industry standards. 
SimpleSAMLphp can be used as a SAML Service Provider and SAML Identity Provider, but also supports many other identity protocols and frameworks, such as CAS, OpenID Connect, WS-Federation and OAuth. SimpleSAMLphp allows for scalable authentication, from only a few users to hundreds of thousands. Through Single Sign On (SSO) it removes the burden of authentication and identity management - and allows for more secure environments where service providers can focus on what they want to do, provide a service, delegating authentication and identity management to others. The project's own website: https://simplesamlphp.org/ ","title":"SimpleSAMLphp 2.6","url":"https://nlnet.nl/project/SimpleSAMLphp2.6/"},{"url":"https://nlnet.nl/project/SimpleSAMLphp/","title":"SimpleSAMLphp","description":" SimpleSAMLphp SAML 2.0 Service + Identity Provider SimpleSAMLphp is an application written in native PHP that deals with authentication. It provides Single Sign-On, Federated identity, and uses Web services and other industry standards. SimpleSAMLphp can be used as both a SAML Service Provider and a SAML Identity Provider. SimpleSAMLphp allows for scalable authentication, from only a few users to hundreds of thousands. SimpleSAMLphp allows Single Sign On (SSO), removing the burden of authentication and identity management - and allowing for more secure environments where service providers can focus on what they want to do, provide a service, delegating authentication and identity management to others. The project's own website: https://simplesamlphp.org "},{"description":" Simmel A wearable contact tracing beacon/scanner Simmel is a platform that enables COVID-19 contact tracing while preserving user privacy. It is a wearable hardware beacon and scanner which can broadcast and record randomized user IDs. Contacts are stored within the wearable device, so you retain full control of your trace history until you choose to share it. 
The Simmel design is open source, so you are empowered to audit the code. Furthermore, once the pandemic is over, you are able to recycle, re-use, or securely destroy the device, thanks to the availability of hardware and firmware design source. The contact tracing algorithm is programmed using CircuitPython, to facilitate ease of code audit and community participation. The Simmel project does not endorse a specific contact tracing platform, but it is inherently not compatible with contact tracing proposals that rely on the constant upload of data to the cloud. The project's own website: https://simmel.betrusted.io Why does this actually matter to end users? The SARS-CoV2 pandemic has triggered many different government measures across the world, including unprecedented lock-downs of various degrees of many millions of people. These measures buy time to get ourselves better organised. Because of the immense effects on societies, economies and individuals, such measures can only be temporary in nature, after which societies will have to reboot into a new operational mode as long as there are no effective vaccines. In such situations of societal crisis, a large array of technologies will be proposed as immediate ad hoc interventions. There is after all significant pressure to just do something, while there is limited oversight whether these technologies would actually help. At the same time, impact on society can be high - when moving fast, things could go horribly wrong too. Move fast, break things, may hold for companies but not for whole societies. We also need to recognise the significant reserve from the side of citizens that such a situation will somehow be abused. We have seen such a similar fallout after the 9/11 attacks. An old political paradigm dating back to Machiavelli is after all: \"Never waste the opportunity offered by a good crisis.\". 
The same holds for cybercrime: new crises will eventually happen, and the opportunistic ability to improvise is also present in those meaning less well. Organisations and individuals in panic mode tend to not make properly weighted decisions, which can result in serious cybersecurity risks but also the disruption of democratic order. One of the solutions that has emerged - and provoked a lot of discussion - is \"contact tracing\". Contact tracing means that you use close distance sensing as an approximation of physical proximity, and thus potential risk of infection. There are a number of ways by which this can be done, and most people think of so called \"corona apps\". But what if the privacy offered by a mobile phone application are not good enough? What if you have an older type of phone incompatible with the features required? What if you do not even have a phone? Simmel is a small portable contact scanning device, that is crafted specifically to serve this use case. It can do the same thing or more than a phone can do, but in a much more controlled way. It is open hardware, so one can transparently tweak every aspect of the device from top to bottom - in hardware, in firmware and in software. This meaning that (unlike for instance with third party mobile phones) you do not need permission from a platform provider or operator to tweak any features to satisfy the highest security and privacy criteria. The Simmel project does not endorse any specific contact tracing design, and its designs are free to be used by any initiative. By purpose it is not compatible with proposed technologies that rely on the constant upload of data to the cloud. The owner of the device should always be in control, because trustworthiness is critical to large scale adoption. Simmel is designed for citizens and for science, not for anything else. 
This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. ","title":"Simmel","url":"https://nlnet.nl/project/Simmel/"},{"title":"Silicon verification","url":"https://nlnet.nl/project/SiliconVerification/","description":" Silicon verification Non-destructive, in-situ inspection of physical chips The global nature of supply chains presents an existential question for the trustworthiness of hardware: how do I know the chips in my device are genuine and pristine? Trusted domestic fabs only solve a facet of the problem: after a silicon wafer leaves the fab, it criss-crosses the globe multiple times as it is packaged, tested, and assembled into an end user product, presenting a huge attack surface for post-fab substitutions and alterations. The \"Silicon Verification\" project lays foundations for high resolution end-user, direct, and non-destructive optical inspection of chips. Our research aims to create a set of techniques for hardware packages that fill the analogous role of \"digital signature verification\" for software packages: a ubiquitous method to establish trust in a package, after it has been delivered to the user. The project's own website: https://www.bunniestudios.com/blog/?p=6712 This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. "},{"description":" Internationalization (i18n) for Silex Add i18n to GraphQL-aware static site generator This project develops a local-first, fully open infrastructure for web publishing. 
Building on the Silex free/libre website builder, it introduces a git-native, forge-agnostic architecture that removes dependency on centralized platforms and allows users to work and publish entirely locally. Because it implements GraphQL, it makes it possible, for instance, to synchronise content from a dynamic CMS like Wordpress - and publish it as a fast and secure static site. This project will build a cross-platform desktop client, that can be used by anyone to develop and maintain performant websites. The project's own website: https://www.silex.me/ Run by Internet 2000 This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/Silex-i18n/","title":"Internationalization (i18n) for Silex"},{"description":" Andrea D'Intino - Signroom Zenroom based signature and credential platform Middleware and identity Can you introduce yourself and your project? I’m Andrea, CEO and Co-Founder of Forkbomb B.V. Our project is Signroom, an open-source document signature solution. What are the key issues you see with the state of the internet today? Privacy and security, more than ever! 
We’re mainly involved with EUDI-ARF development, whose privacy assessment has been poised since the beginning, and the signature of documents is deeply connected to this issue. Document signatures work with 30-year-old standards (X.509). Most of the software available is closed source, and the few open-source software are written in Java, limiting the solutions’ extendability and portability. How does your project contribute to correcting some of those issues? We strive every day to make the internet a safer and privacy-enabled place. With Signroom, we implemented: A web-based, mobile-friendly (and extendable to mobile native) solution to offer signatures and verification of documents, following the industry standard recognized by the EU (PaDES/CaDES/XaDES/JaDES). The secret keys and identities can be connected to modern digital identities (W3C-DID) and will later support the EUDI-ARF identity format (the PIDs). The identity solution follows the end-to-end encryption principles by executing all the signatures in the client (in the browser). At the same time, the PaDES/CaDES files are packaged using the server designated and developed by the European Commission. What do you like most about (working on) your project? The collaborations we set up with multiple actors working with EUDI-ARF standardization and implementation, including the team on the Italian digital wallet, the author of the OpenID standards, and the EWC consortium, helped us make our application future-proof. Where will you take your project next? We’re bringing the solution to market, aiming to help organizations implement a digital identity strategy using our ultra-low-code microservice-powered solution. How did NGI Assure help you reach your goals for your project? NGI provided valuable feedback and contacts with other developers who became our partners on the way. Do you have advice for people who are considering to apply for NGI funding? 
Be aware that you’re not pitching a VC: read the guidelines carefully and check the projects that previously got funding. If your application gets rejected, make the best out of the rejection motivation and use it to improve your application… then re-apply! Do you have any recommendations to improve future NGI programs or the wider NGI initiative? As Dyne.org, we did run the first cascade funding ever, the Ledger Project. We’re happy to see that a lot of the setup we came up with back then is still used by several NGI projects, including those operated by NLNet. I would like to see more investment in marketing: I believe it would be highly beneficial for NGI projects to reserve a part of the budget for commercial events such as trade shows and conferences. Acknowledgements Images: courtesy of Andrea D'Intino. Published on September 10, 2024 Signroom received funding through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. ","url":"https://nlnet.nl/project/Signroom/interview.html","title":"Andrea D'Intino - Signroom "},{"url":"https://nlnet.nl/project/Signroom/","title":"SignRoom","description":" SignRoom Zenroom based signature and credential platform Leveraging the quantum-proof cryptographic implementation done in Zenroom (along with Zenroom's other cryptographic flows) we are developing a simple to use web-based platform, allowing users to sign and verify messages and documents (PDF, Office files, pictures etc) using quantum proof signature, ecdsa signature and schnorr signature and multi-signatures. Document signatures are stored inside the document using the PADES and XADES protocols. The tool will also produce and verify zero-knowledge proof credentials, W3C-VC credentials for signature and verification. 
The platform is built as a PWA, is mobile friendly, and has APIs for third party integration and a library to integrate into mobile applications, along with bindings for multiple programming languages. The project's own website: https://forkbomb.solutions/solution/signroom/ Run by The Dyne Team This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. "},{"title":"Signature PDF","url":"https://nlnet.nl/project/SignaturePDF/","description":" Signature PDF Self-hosted tool to add signature to PDFs PDF Signature is free software (FLOSS) for online signing of PDFs. Users can add signature, stamp, text or check marks individually, or collectively with the shared mode. The tool aims to be a free alternative to existing proprietary web services, in order to offer users more control and guarantee of what happens to the PDF processed by the software. It is easily deployable on a server, a personal machine, a nano-computer, a container image or a Yunohost instance. The future developments of this project will improve the confidentiality by encrypting the PDFs stored on the server, study and improve the compatibility with the electronic signature standards (XAdES, PAdES), internationalize the interface and add integration with Nextcloud. The project's own website: https://pdf.24eme.fr Run by 24eme This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. "},{"description":" Signature PDF PDF editing and server-based digital signing workflow Signature PDF allows users to sign PDFs online, individually or with others. 
The project also offers the ability to reorganize pages (merge, sort, rotate, delete, extract pages, etc.), edit metadata, and compress PDFs. This tool aims to be a free alternative to existing proprietary web services, offering users more control and guarantee of what happens to the PDF processed by the software. Signature PDF is easily deployable on a server of any size, a laptop, a container image or a Yunohost instance. The scope of the project is to implement verification of signed PDFs and integration into third-party software, improve smartphone ergonomics and accessibility, and make other improvements to meet the requests/needs identified by users. The project's own website: https://pdf.24eme.fr Run by 24eme This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","title":"Signature PDF","url":"https://nlnet.nl/project/SignaturePDF-UX/"},{"description":" SiCl4 Tool for interactive reverse engineering of digital logic. SiCl4 (silicon tetrachloride) is a tool for reverse-engineering digital logic designs. Starting from an FPGA bitstream or other types of netlists, this tool will assist users in interactively recovering higher-level structures. Algorithms will help with tasks such as finding shared subcircuits or identifying known patterns such as adders, counters, comparators, state machines, etc., so that the user can focus on understanding the higher-level functions of the target design. SiCl4 will be scriptable in order to allow for easy extension, and it will also integrate with the existing open-source EDA ecosystem. 
The project's own website: https://github.com/ArcaneNibble/SiCl4 This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","title":"SiCl4","url":"https://nlnet.nl/project/SiCl4/"},{"description":" Shinobi An incremental AOSP build tool using Nix dynamic derivations Starting with AOSP (Android Open Source Project) and other ninja-based projects, Shinobi aims to offer a common platform - standalone or as a part of wider ecosystem collaboration - for Nix tools looking to provide granular, incremental, reproducible and distributed builds for their respective language ecosystems, by leveraging the up and coming dynamic derivations feature and aiming to prove it at scale. This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","title":"Shinobi","url":"https://nlnet.nl/project/Shinobi/"},{"description":" ShapeThing SHACL renderer View, edit and filter semantic data Linked data (RDF) is very good on a data storage level to enable interoperability and standardization. However user interfaces on top of linked data are often complex and not user friendly. This project is a developer library which generates user interfaces from SHACL shapes or RDF data itself. These user interfaces are forms to create and edit data, displays of data and facets to search through the data. 
Alongside the visual user interfaces it can generate, it can also generate TypeScript types from SHACL shapes and it can transform linked data to JavaScript objects. All of these functionalities help a developer easily create applications on top of Linked data. This library uses the SHACL W3C standard and will integrate with the upcoming SHACL UI 1.2 standard. The project's own website: https://shacl-renderer.shapething.com/?path=/docs/readme--docs This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/ShapeThing/","title":"ShapeThing SHACL renderer"},{"description":" Servo Independent Rust-based browser engine Servo aims to provide an independent, modular, embeddable web rendering engine, allowing developers to deliver content and applications using web standards. Servo is written in Rust, taking advantage of the memory safety properties and concurrency features of the language. As part of this project we'll add support for more CSS features to the Servo layout. The main areas of work on this project would be support for floats, writing modes and tables, which will increase the number of web pages and applications that render properly in Servo. The project's own website: https://servo.org Run by Igalia This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. 
","title":"Servo","url":"https://nlnet.nl/project/Servo/"},{"title":"Servo WebAPIs for Service Worker","url":"https://nlnet.nl/project/Servo-ServiceWorker-WebAPI/","description":" Servo WebAPIs for Service Worker Non-blocking, async Service Workers for Servo browser engine The project summary for this project is not yet available. Please come back soon! The project's own website: https://servo.org/ Run by Servo This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"description":" Servo Script Improvement Refactoring Servo’s script crate The Servo web browser engine is back to its pace of development, but many improvements are still needed in Servo's script crate, which needs to adequately implement every Web API. Several DOM structures have become slightly outdated because of the lack of maintenance. Some basic script types are missing, and patches from Spidermonkey still need work. Within the scope of this project we will address the most needed fixes and improvements for the script crate. The project's own website: https://servo.org This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","url":"https://nlnet.nl/project/Servo-Script/","title":"Servo Script Improvement"},{"description":" Multiprocess Mode in Servo Speed up Servo with parallelisation While Servo already has multi-process mode, it’s not enabled by default. The main reason is that it isn’t completely supported on every platform yet. 
Only Linux and macOS have full support. It also isn't tested in the WPT suite. In this project, we want to complete the feature set of multi-process mode in Servo, set it to default, and encourage other projects based on Servo (like the Verso browser) to use it, as they could massively benefit from this multi-process architecture. The project's own website: https://versotile.org/verso This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","title":"Multiprocess Mode in Servo","url":"https://nlnet.nl/project/Servo-Multiprocess/"},{"title":"Multi browsing context support in Servo","url":"https://nlnet.nl/project/Servo-Multibrowsing/","description":" Multi browsing context support in Servo Allow Servo browser engine to render beyond atomic pages Verso is a browser application based on the Servo web engine. We want to build a new web browser using a different set of technical stacks than existing browsers. We hope it can improve the codebase of browser programming and grow the ecosystem along with it. In order to build an application around Servo, we need to implement several key features with it, since Servo is merely a web engine and it doesn’t control anything else outside of its own context. One of the challenges is supporting multiple browsing contexts all at the same time, so that we can composite all web views into one single window to make it present as an ordinary application. We will need to improve the compositor of Servo to make it support multiview, and also implement the ergonomic interface in Verso for different purposes. It will be able to render not only web pages, but also UI panels, context menus, prompts, and more. 
The project's own website: https://github.com/versotile-org/verso This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. "},{"description":" Servo Editability and Interactivity Enhancements Keyboard interaction within the Servo browser The Servo Editability and Interactivity Enhancements project is about making Servo more responsive to user input. The project will greatly improve interacting with form controls in Servo as well as allowing for selecting page content. In addition, the keyboard will become much more useful as users will be able to navigate with the keyboard via arrow keys, page up, page down, home, end as well as using the tab key to cycle through page content. All of these capabilities are essential for using the Servo engine to build a fully functional browser. The project's own website: https://servo.org Run by Igalia SL This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/Servo-Editability/","title":"Servo Editability and Interactivity Enhancements"},{"description":" Servo Developer Experience Improvements Improve productivity for Servo developers Servo is a cross-platform, open-source browser engine that next-generation browsers can be built on, including the Verso browser project. However, the current developer experience is lacking in some ways, including CI/CD, benchmarks, and documentation for integration in downstream projects. 
While the Servo project has these things currently, ongoing maintenance to keep them up to date, as well as creation of new documentation and tutorials to aid newcomers to the project, is a task that always needs work. In order to make integration with Servo easier for both the Verso project, as well as new projects that want to use it, this project aims to bring modern enhancements and new content to these areas. The project's own website: https://versotile.org/verso This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. ","title":"Servo Developer Experience Improvements","url":"https://nlnet.nl/project/Servo-DX/"},{"title":"Servo CSS","url":"https://nlnet.nl/project/Servo-CSS/","description":" Servo CSS CSS feature parity for Servo browser engine Servo is a web rendering engine written in Rust, with WebGL and WebGPU support, and adaptable to desktop, mobile, and embedded applications. Built with safety, speed, and concurrency in mind, Servo showcases the potential of Rust for modern web development. Servo's modular design allows for easy adaptation to various use cases. As part of this project we'll continue the work on adding support for more CSS features to the Servo layout. The main areas of work would be to finish Tables and Flexbox support, which will increase the number of web pages and applications that render properly in Servo. The project's own website: https://servo.org Run by Igalia This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. 
"},{"description":" Servo: Benchmarking and Statistics Infrastructure for benchmarking and testing Servo Servo is a web engine written in Rust that already provides results from the Web Platform Test Suite. However, these results may be difficult for newcomers to understand, as they lack a clear indication of the progress in supporting modern web standards. This creates challenges for the community in assessing the current state of development. When the community inquires about the support for specific features, these capabilities can often only be verified through manual testing. Moreover, finding information about Servo's performance can be equally challenging. To address these issues, this project aims to develop an infrastructure to benchmark and report on the current state of Servo, monitor performance differences between commits, and present these metrics and supported features in a more comprehensible way. This will give the community a clearer understanding of the state of the Servo project, leading to a more active and engaged contribution environment. The project's own website: https://servo.org This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","title":"Servo: Benchmarking and Statistics","url":"https://nlnet.nl/project/Servo-Benchmark/"},{"description":" Project SERVFAIL Tools for DNS hosting SERVFAIL is a globally distributed, community-run authoritative DNS service. It is based on PowerDNS with a custom web frontend to support multi-tenancy on the different primary servers. Ther is also a proxy provide for the PowerDNS API — existing tooling should integrate nicely! 
The goal of this project is to challenge and improve upon existing DNS management solutions by making different UI and UX choices which do not hide the internals of DNS. For this to work, we are also providing documentation on DNS apart from running and developing the OSS infrastructure. Our main goal is to promote more decentralization of the internet by providing general resources on DNS, helping people get started and to encourage them to ultimately maybe run their own nameservers. The project's own website: https://beta.servfail.network/ This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/Servfail/","title":"Project SERVFAIL"},{"description":" Serverless and Metadata Reduction for XMPP Enable XMPP on local networks, and reduce metadata exposure This project will enhance XMPP’s privacy and resilience by reducing metadata exposure and enabling decentralized, serverless communication. Work will focus on developing new protocol specifications to minimize metadata, particularly by encrypting roster (contact list) information, and implementing these changes in the Libervia ecosystem through Tor integration to anonymize connections and reduce IP tracking, as well as roster end-to-end encryption. A second focus area is advancing serverless communication by implementing the RELOAD protocol (XEP-0415) and leveraging end-to-end authentication via XEP-0416 and XEP-0417. By reducing reliance on centralized servers and minimizing metadata, this project strengthens XMPP and Libervia’s privacy and availability, enabling their use in environments where servers may be unavailable or inaccessible. 
The project's own website: https://libervia.org This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","title":"Serverless and Metadata Reduction for XMPP","url":"https://nlnet.nl/project/ServerlessXMPP/"},{"description":" Sequoia GPG Chameleon Implement well-known APIs for using OpenPGP Sequoia's GnuPG Chameleon is a drop-in replacement for the widely-used encryption software GnuPG. It offers the same interface, while at the same time replacing the underlying OpenPGP implementation. This approach brings security benefits to everyone directly or indirectly using GnuPG before, while providing a smooth migration path that does not require changes to existing software. The project's own website: https://sequoia-pgp.org Run by SequoiaPGP at the pEp foundation This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. ","title":"Sequoia GPG Chameleon","url":"https://nlnet.nl/project/SequoiaChameleon/"},{"description":" Sequoia PGP Improve interface of Sequoia PGP commandline Sequoia PGP is a new OpenPGP implementation, which is written in Rust and focuses on ease of use. To date, the main product is a library. This project will focus on sq, Sequoia's command line tool. The project consists of three parts. First, useful functionality will be added to sq making sq comparable to gpg. Second, the human-readable interface will be augmented with a JSON interface. This will make it easier and more robust to use sq from scripts. 
Finally, this project will add an acceptance test suite to sq, thereby strengthening the foundation for future changes. The project's own website: https://sequoia-pgp.org This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. ","url":"https://nlnet.nl/project/Sequoia-commandline/","title":"Sequoia PGP"},{"description":" Adding TPM Support to Sequoia PGP Implement use of TPM 2.0 crypto hardware for OpenPGP Protecting cryptographic keys is hard. If they are stored in a file, an attacker can exfiltrate them - even if the hard drive is encrypted at rest. A good practical solution is a hardware token like a Nitrokey, which stores keys and exposes a limited API to the host. For most end users, a token is a hassle: one needs to carry it around, it needs to be inserted, and it is not possible to work if it is left at home. And, it needs to be purchased. There is a better solution, which doesn't cost anything. A trusted computing module (TPM) is like an always-connected hardware token only more powerful (the keys can be bound to a particular OS installation, it can store nearly an unlimited number of keys, not just three) and TPMs are already present in most computers. This project will add support for TPMs to Sequoia PGP including comprehensive test suites and in-depth documentation for both software engineers, as an API, and end-users, as a way to use TPM bound keys through Sequoia's command-line interface (sq) for decryption and signing. 
The project's own website: https://wiktor.gitlab.io/tpm-openpgp/ This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. ","url":"https://nlnet.nl/project/Sequoia-TPM/","title":"Adding TPM Support to Sequoia PGP"},{"description":" Quantum-Safe Cryptography in Sequoia PGP Implement draft-ietf-openpgp-pqc in Sequoia PGP Sequoia is a complete implementation of OpenPGP (as defined by IETF RFC 9580), and various related standards. To address the challenges of quantum computing, cryptographic standards are incorporating new algorithms. For OpenPGP, the new algorithms are specified in a draft which is close to being finalized. This project will add support for post-quantum cryptography to Sequoia when using the Botan cryptographic library as backend, the RustCrypto backend, and the Windows CNG backend. Another closely related effort involves using symmetric cryptography in places where traditionally asymmetric cryptography is used in OpenPGP. Symmetric cryptography is less susceptible to attacks from quantum computing, and provides performance benefits, enabling novel workflows that improve the user experience and alleviate some of the challenges that post-quantum cryptography brings. This project will therefore also add support for the new symmetric cryptography mechanisms in Sequoia using a number of backends. The project's own website: https://sequoia-pgp.org Run by Sequoia PGP This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. 
Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/Sequoia-PQC/","title":"Quantum-Safe Cryptography in Sequoia PGP"},{"url":"https://nlnet.nl/project/Sequoia-Keystore/interview.html","title":"Neal H. Walfield - Sequoia PGP","description":" Neal H. Walfield - Sequoia PGP Standards-compliant private key store for OpenPGP Software engineering, protocols, cryptography Can you introduce yourself and your project? Sequoia PGP is a project that aims to expand and vitalize the OpenPGP ecosystem. Justus Winter, Kai Michaelis, and I started the project in 2017. The three of us had previously worked on GnuPG, the most common OpenPGP implementation at the time. In addition to working with GnuPG’s code, we interacted with developers integrating GnuPG into their programs, and spoke to end users. The message that we heard was consistently twofold: First, there was a lot of excitement around GnuPG. People valued its goals of protecting privacy, and providing security, and its decentralized architecture. At the same time, there was a lot of frustration. GnuPG was brittle and too opinionated. These opinions about how to correctly use GnuPG were acceptable as long as they solved the problem. But often, they only mostly solved the problem. The practical result was that the developer had to write hundreds of lines of code to bend GnuPG to their will. This is time-consuming and error-prone. Unable and not wanting to usurp the project, but convinced that OpenPGP is pretty good, we decided to start a new project, Sequoia PGP. A few fundamental design goals drive Sequoia PGP: Our first design goal is that low-level interfaces should impose as little policy as possible. High-level interfaces that introduce policy should be built on top of the low-level interfaces. 
Wherever possible, the high-level interfaces should use the same data structures as the low-level interfaces so that it is easy to tweak the behavior of the high-level interfaces when necessary. As an example of this design philosophy, our core library does not implement a certificate store. Instead, it deals with certificates, and we have a separate library that implements a certificate store. Many programs use our certificate store, but stateless programs don’t want a persistent store, and server programs, which already have a database, don’t want a second one. This separation of concerns means that programs don’t have to work around functionality they don’t want, and can easily integrate OpenPGP into their existing architecture. For instance, a server program that wants to associate a certificate with a user just needs to add a column to an existing database table; no fancy acrobatics are required. Another important design goal is to make interfaces safe by default. We expose as much mechanism as reasonable but are careful to ensure that the simple solution is a safe solution. For instance, when serialising a certificate, secret key material is stripped by default. Developers must explicitly opt-in if they want to export secret key material. This makes it harder to accidentally leak secret key material. In Sequoia PGP, we are revisiting higher-level paradigms, and rethinking them when appropriate. For instance, historically, the web of trust was hard to use. We think this is because the available tools focused on high-risk threat models, which require a lot of input from the user. Yet, the web of trust can support a variety of threat models. Using the web of trust’s mechanisms, it’s straightforward to use certification authorities (CAs). This means it is easy to use global CAs as are used in the web PKI. But it is also easy to use organization-specific CAs. Further, with the web of trust it is possible to partially trust CAs. 
For instance, Alice can say that she is willing to rely on a CA run by her bank to authenticate user IDs with a bank.com email address but no one else. These mechanisms can be used to create a federated CA system in which a person can delegate authentication judgments in such a way that the CA’s interests and their interests are mostly aligned. We think that this will make strong authentication accessible to less technical people. What are the key issues you see with the state of the internet today? There are three key issues that I see with the state of the internet today: commercialization, government overreach, and centralization. I don’t think commercialization in the sense of commerce on the internet is fundamentally problematic. What is problematic is the degree to which business models are built on violating privacy. There is a saying that if you aren’t paying for a product, you are the product. But this hasn’t been true for a few years: companies increasingly make people pay for a product and sell their personal data. A horrible example is how car companies harvest and monetize driver data, as uncovered by the Mozilla Foundation. Data harvesting exposes everyone to danger but is terrible for vulnerable people. For instance, noyb has filed a complaint against Microsoft, saying that Microsoft 365 Education tracks children for advertising purposes. A well-known example of government overreach is mass surveillance. This is a human rights violation and, as such, is non-negotiable. However, government overreach is not limited to that. Instead of patching vulnerabilities, governments are hoarding them, and coercing companies to add backdoors into their products. A poignant case is the backdoored Dual EC DRBG standard, which the US government convinced RSA, a large, influential American security company, to make the default in many of their products. 
These problems are further exacerbated by overtly authoritarian governments that make no pretence of respecting individuals’ human rights. By centralization, I mean not only that there are large providers of a service but that the services are closed gardens designed to trap their users. We saw this with XMPP, a messaging protocol that supports federation. Google and Facebook both supported the XMPP messaging protocol and then removed it. Interoperability is essential. In this regard, I’m happy to see the recent success of the Fediverse. We still have a long way to go, and the walled gardens make it hard to convince users to move. How does your project contribute to correcting some of those issues? Sequoia PGP is a set of tools for encryption and authentication based on interoperable standards. Sequoia PGP can help protect personal data from surveillance capitalism and government overreach when integrated into applications. It can also protect data integrity, including supply chain security, which can protect individuals from attacks. Sequoia PGP is not the solution to these problems. Indeed, I reject the notion that there is a single solution or that the most important solutions will be technical. Instead, we need to build and nurture social movements. I hope that Sequoia PGP can, on the one hand, help mitigate some of the technical problems and, on the other hand, help, in a small way, facilitate social movements. What do you like most about (working on) your project? Like most programmers, I enjoy solving a tricky technical problem or implementing a cool new feature. But what I like most about working on Sequoia PGP is a sense of doing something meaningful. I’m deeply concerned about human rights like privacy, free speech, and personal security and how they are threatened by government overreach and surveillance capitalism. My primary goal with Sequoia PGP is to provide tools to help protect individuals. 
This extends not only to personal communication but also things like decentralized supply-chain security in the form of Sequoia git. Where will you take your project next? In December 2020, we released version 1.0 of our low-level library. Since then, we’ve worked on the next layer of infrastructure—a certificate store, a key store, and a web of trust engine—and our CLI tool, sq. We’ve invested a lot of time in sq to ensure that the CLI is usable. By usable, I mean that the mechanisms are understandable and the interface is internally consistent. In the coming months, we plan to release version 1.0 of sq. Our next project is to revisit our low-level library. We will implement the upcoming OpenPGP and post-quantum cryptography standards, and clean up a bunch of mostly minor issues we’ve discovered in the API over the past few years. We have two goals for 2025. We plan to add machine-readable output to sq so that it is easier to use from scripts. And, we will use our experience developing sq to create a user-friendly high-level library. Along the way, we plan to continue helping projects integrate Sequoia PGP, as we have done with the Swiss Government’s Sett program, the whistleblowing platform Secure Drop, and the RPM package manager, among others. How did NGI Assure help you reach your goals for your project? Sequoia PGP and some closely related projects received grants from NLnet between 2020 and 2022. This was a significant help; we would not have come as far as we have without it. Do you have advice for people who are considering applying for NGI funding? I advise people applying for NLnet funding that it is not without risk. In particular, because NLnet funds projects, you must be careful with what you promise to deliver. Unfortunately, there is an incentive to promise more for your application to be more competitive. Try to resist this; you risk burning yourself out. 
Do you have any recommendations to improve future NGI programmes or the wider NGI initiative? NLnet is doing fantastic work supporting the FOSS ecosystem, and I am grateful that NGI supports them. Keep it up! My biggest hope for FOSS funders is that they will provide more sustainable funding. Currently, grants from NLnet are limited to 50k euro. Although this is non-trivial, it doesn’t provide the long-term financial stability many people need to work on FOSS as their day job. As a project, we were lucky that the pEp Foundation provided us with a good and reliable financial base. This enabled us to use the money from NLnet to accelerate our work. In particular, we could use the pEp Foundation’s money to absorb the risk of a project failing (it happened) or taking longer than planned (they almost all did). Unfortunately, most FOSS projects don’t have a significant financial sponsor. I think the FOSS ecosystem needs long-term, time-based funding, not project-based funding. This would enable not only risk-tolerant people to finance their work but also the vast majority of the population who are reliant on a stable income, because they have a family, a mortgage, etc. The Sovereign Tech Fund recently started exploring the idea of an Open Source Maintainer Fellowship. I think this is a great idea, and I hope we see many such programs in the future. Given that FOSS plays such a large role in our everyday lives, there is no reason that governments shouldn’t be sponsoring these fellowships and building physical FOSS centers to improve collaboration, as they finance academia and universities. This isn’t a big ask. Whereas the German government paid over 1.3 billion euro in software licensing fees last year, the Sovereign Tech Fund, Germany’s most significant funder of FOSS projects, only received 17 million euro in 2024. 
My second wish is that more funding would be explicitly oriented towards maintenance, documentation, and community building, and not only developing new features. New features are great, but if we agree that FOSS is providing the basis of much of our infrastructure, then we need to focus on making our infrastructure robust in both a technical and a social sense. Finally, I am deeply disappointed in the European Commission. In the current draft of the Horizon Europe 2025 Work Program, the EC will cut the funding for FOSS projects despite an impact study showing how effective the money has been. This decision will put even more pressure on FOSS projects. Based on my discussions with various companies about financially supporting Sequoia PGP, I’m doubtful that the industry will step up. Acknowledgements Image: courtesy of Neal H. Walfield. Published on November 21, 2024 Sequoia PGP received funding through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. "},{"url":"https://nlnet.nl/project/Sequoia-Keystore/","title":"A Secret Key Store for Sequoia PGP","description":" A Secret Key Store for Sequoia PGP Standards-compliant private key store for OpenPGP This project implements a private key store for Sequoia, a new OpenPGP implementation.
Currently, Sequoia-using programs use private keys directly. A private key store mediates applications' access to private keys, and offers three major advantages relative to the status quo. First, a private key store is in a separate address space. This means that private keys that are in memory are in a different address space from the application. This was the underlying cause of the Heartbleed vulnerability. Second, a private key store can provide a uniform interface for accessing keys stored on different backends, e.g., an in-memory key, a key on a smart card, or a key on a remote computer, which is accessed via ssh. This simplifies applications. Third, this architecture simplifies sharing private key material among multiple applications. Only the private key store needs to worry about managing the private key material, which improves security. And, when a user unlocks a key in one application, it is potentially unlocked in all applications, which improves usability. The project's own website: https://sequoia-pgp.org/ This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. "},{"title":"#Seppo!","url":"https://nlnet.nl/project/Seppo/","description":" #Seppo! Portable ActivityPub implementation Posting and liking self-reliantly and still have a life. #Seppo! 
empowers you to publish short texts and images to the internet as easily as using an online service but retain full agency and responsibility. What you publish is solely subject to public law. No 3rd parties hold a stake, nobody else imposes any rules on you. This is because you publish on your own property. Which is possible because housekeeping is no more than the known follow/unfollow/block/unblock content moderation of your own single account. You do that by yourself. There are no scripting engines or databases, no technical updates required. You can focus solely on the message to deliver. You build an online presence on your own digital property, robust for decades if you decide so. #Seppo! is built on mature web standards (e.g. ActivityPub), a European technology stack, inspectable plain-text storage, is security aware and decentralised. It is made for but not limited to off-the-shelf static webspace as offered by numerous vendors all over the EU. #Seppo! targets individuals and small organisations joining the #Fediverse with max. 10k followers, optionally cross-posting to the closed platforms. The project's own website: https://seppo.social This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. "},{"title":"SensifAI","url":"https://nlnet.nl/project/SensifAI/","description":" SensifAI AI driven image tagging Billions of users manually upload their captured videos and images to cloud storages such as Dropbox, Google Drive and Apple iCloud straight from their camera or phone. Their private pictures and video material are subsequently stored unprotected somewhere else on some remote computer, in many cases in another country with quite different legislation. 
Users depend on the tools from these service providers to browse their archives of often thousands and thousands of videos and photos in search of some specific image or video of interest. The direct result of this is continuous exposure to cyber threats like extortion and an intrinsic loss of privacy towards the service providers. There is a perfectly valid user-centric approach possible in dealing with such confidential materials, which is to encrypt everything before uploading anything to the internet. At that point the user may be a lot safer, but from now on would have a hard time locating any specific videos or images in their often very large collection. What if smart algorithms could describe the pictures for you, recognise who is in it and you can store this information and use it to conveniently search and share? This project develops an open source smart-gallery app which uses machine learning to recognize and tag all visual material automatically - and on the device itself. After that, the user can do what she or he wants with the additional information and the original source material. They can save them to local storage, using the tags for easy search and navigation. Or offload the content to the internet in encrypted form, and use the descriptions and tags to navigate this remote content. Either option makes images and videos searchable while fully preserving user privacy. The project's own website: https://sensifai.com Why does this actually matter to end users? Our smartphones and tablets are filled to the brim with photographs and videos we take of everything we see around us, so when we reach the memory limit of our devices, we need to put our vacation pictures, baby photos and nature videos somewhere we can easily access and sift through all of it. Many users rely on cloud storage to safely store these memories in our own personal vault, secured by a password (or two), handily synchronized across devices and easily accessible. 
But in practice, that is not always what cloud storage really is. What users in fact do, is store their own pictures and videos in some undefined location, as the cloud service provider rarely explains where data is kept (and under what local legislation), with little to no explanation about what access that service provider actually has to your private images. One of the ways to keep your online pictures and videos safe and private, is to encrypt them before you save them online. But how then can you find that one picture of you and your friends out on the town that you want to put on the wall, or delete and select badly taken photos from your cloud space? Encryption in general is a proven technology to protect your privacy and strengthen your security, but can be hard to manage and maintain for users. The same thing goes for encrypting and storing photos and videos: users do not want to end up with a massive vault of unrecognizable data that they cannot search through or interact with in any meaningful way. This project combines privacy protection and searchability of photos and videos in a user-friendly way. Visual recognition software is increasingly capable of accurately recognizing who and what can be seen in pictures and videos, which can be automatically tagged to the files as they are saved on your phone or tablet. The user can then decide where they want to store this content and whether they want to keep it safe and encrypted, all the while keeping the content searchable. Users do not have to give up agency over their own (very personal) photos and videos to any service provider that indexes and categorizes files: now they can do that themselves. Run by SensifAI bvba This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. 
"},{"url":"https://nlnet.nl/project/Selva/","title":"Dynamic indexing for real time graph database","description":" Dynamic indexing for real time graph database Provide faster query results through algorithmic preprocessing Based is an open source real time data platform with a suite of features that help developers build more performant applications faster and with more flexibility. It’s built on a self-developed real time graph database and the WebSocket protocol to ensure performance and scaling. One of the features is an automatic indexing system that keeps track of frequently performed queries by monitoring a set of (real time) parameters and assigning values to queries, that in turn inform which parts of the graph to index. This index has to work with the Based real time graph database and optimise its performance, which means the index also has to be aware of any changes in schema structure or updates in indexed data. This is achieved through the existing subscription engine in Based. Our hope is that this project can lay the groundwork for more efficient indexing systems for all graph databases. The project's own website: https://github.com/atelier-saulx/selva This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. "},{"url":"https://nlnet.nl/project/SelfPrivacy/","title":"SelfPrivacy","description":" SelfPrivacy Reproducible self-hosting stack based on NixOS Self-hosting can be a challenge even for a professional, let alone an unprepared user. SelfPrivacy is a free application that helps you set up and manage your self-hosted services. The goal of the project is to create an accessible tool that gives everyone an opportunity to create their own self-hosted infrastructure. 
SelfPrivacy supports multiple platforms and to use it, all you need is to register with a provider and copy the access token into the application. SelfPrivacy will set up the system, domain, DNS and install open source services such as E-Mail, Nextcloud, Jitsi, etc. SelfPrivacy automates the entire lifecycle: provisioning, updates, configuration changes, monitoring, backups and space management. The project's own website: https://selfprivacy.org Run by SelfPrivacy This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. "},{"title":"SelfPrivacy Catalog","url":"https://nlnet.nl/project/SelfPrivacy-Catalog/","description":" SelfPrivacy Catalog SelfPrivacy Self-hosting can be a challenge even for a professional, let alone an unprepared user. SelfPrivacy is a free application that helps you set up and manage your self-hosted services. The goal of the project is to create an accessible tool that gives everyone an opportunity to create their own self-hosted infrastructure. SelfPrivacy supports multiple platforms and to use it, all you need is to register with a provider and copy the access token into the application. SelfPrivacy will set up the system, domain, DNS and install open source services such as E-Mail, Nextcloud, Jitsi, etc. SelfPrivacy automates the entire lifecycle: provisioning, updates, configuration changes, monitoring, backups and space management. The project's own website: https://selfprivacy.org Run by Selfprivacy.org This project was funded through the NGI Fediversity Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, as a pilot programme under the aegis of DG Communications Networks, Content and Technology. 
NGI Fediversity is part of the Horizon Europe research and innovation programme under grant agreement No. 101136078. "},{"title":"SelfHostBlocks","url":"https://nlnet.nl/project/SelfHostBlocks/","description":" SelfHostBlocks NixOS based server management for self-hosting It is obvious by now that a deep dependency on proprietary service providers - \"the cloud\" - is a significant liability. One aspect often talked about is privacy which is inherently not guaranteed when using a proprietary service and is a valid concern. A more punishing issue is having your account closed or locked without prior warning. When that happens, you get an instantaneous sinking feeling in your stomach at the realization you lost access to your data, possibly without recourse. Hosting services yourself is the obvious alternative to alleviate those concerns but it tends to require a lot of technical skills and time. SelfHostBlocks (together with its sibling project Skarabox) aims to lower the bar to self-hosting, and provides an opinionated server management system based on NixOS modules embedding best practices. Contrary to other server management projects, its main focus is ease of long term maintenance before ease of installation. To achieve this, it provides building blocks to set up services. Some are already provided out of the box, and customising or adding additional ones is done easily. The building blocks fit nicely together thanks to contracts which SelfHostBlocks sets out to introduce into nixpkgs. This will increase modularity, code reuse and empower end users to assemble components that fit together to build their server. The project's own website: https://github.com/ibizaman/selfhostblocks This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. 
"},{"url":"https://nlnet.nl/project/SelectCast/","title":"SelectCast: Anycast in Path Aware Networks","description":" SelectCast: Anycast in Path Aware Networks Anycast for SCION and other path-aware networks The project summary for this project is not yet available. Please come back soon! The project's own website: https://www.netsys.ovgu.de/ Run by OVGU Magdeburg This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"url":"https://nlnet.nl/project/Seedvault/","title":"SeedVault","description":" SeedVault Private backups of mobile applications SeedVault is an independent open-source data backup and restore application for Android and derived mobile operating systems. By storing Android users' data in a place the user chooses, and by using client-side encryption to protect backed-up data, SeedVault offers users maximum data privacy and resilience with minimal hassle. SeedVault uses Android's Storage Access Framework (SAF) to read and write encrypted app data. This allows it to backup and restore application data on a wide range of platforms and even USB flash drives. The first part of this project is to improve the current implementation and optimize it to work with widely used self-hosted storage solutions like Nextcloud. The second part of this project is to allow SeedVault to also back up data beyond the installed apps and their data, including the user's photos, videos and music as well as their call logs and SMS. The project's own website: https://seedvault.app Why does this actually matter to end users? 
The devices many of us have in our pockets half of the day have grown from simply mobile phones to full-fledged computers. You can do most if not all things that your laptop or home station used to do on your mobile phone of choice: there is an increasing number of people who do not have any secondary computers anymore (and do not even miss them). Unfortunately, as the capabilities and possibilities of what we have come to call smartphones grew and grew, they also became more and more complex, closed off and privacy-unfriendly. As soon as you turn it on, you start sharing information about where you are, who you are in touch with and what you do online with manufacturers, service providers, online ad sellers, the list goes on. And a lot of the apps you can install leave you open to further tracking, sometimes even scamming and phishing, which has become quite dangerous now that most of our sensitive information is handled on these mobile devices. The same problems exist for the technical solutions smartphones give you to back up your data and apps. Usually this means handing over everything you have to a single service provider, where you have no control over where your data goes, and can only read quite hard to understand terms and conditions or privacy notices to know what happens as soon as you tap yes. Instead SeedVault is an independent and transparent tool that lets you choose exactly where you want to back up your phone data. This project aims to improve the capabilities of SeedVault and make it work with widely used open source, self-hosted cloud solutions, like Nextcloud. Also SeedVault will be able to back up not only apps and their data, but also all the pictures, videos, music and text messages you usually lose as soon as something happens to your device. 
Run by The Calyx Institute This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. "},{"description":" SeedVault Integrity Add integrity checking and WebDAV support to SeedVault Android backups SeedVault Backup is an independent open-source app data backup application for Android and derived mobile operating systems. By storing Android users' data and files in a place the user chooses, and by using client-side encryption to protect backed-up data, SeedVault offers users maximum data privacy and resilience with minimal hassle. SeedVault uses Android's storage access framework (SAF) to read and write encrypted app data. This allows it to backup and restore application data on a wide range of platforms (such as Nextcloud) and even USB flash drives. The project will improve the current implementation to allow storing files also on generic WebDAV-based storage without the SAF abstraction layer for improved performance and reliability. It will be possible to decide what apps and files should be restored and to verify the integrity of the backups made. The project's own website: https://seedvault.app Run by The Calyx Institute This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","title":"SeedVault Integrity","url":"https://nlnet.nl/project/SeedVault-Integrity/"},{"url":"https://nlnet.nl/project/SecureWebTokens/","title":"Secure Web Tokens for Linux","description":" Secure Web Tokens for Linux TPM 2.0 backed FIDO2/U2F tokens on Linux This project is archived. Due to circumstances, the project as planned did not take place. 
This page is left as a placeholder, for transparency reasons and to perhaps inspire others to take up this work. This project aims to develop a systemd daemon that utilizes the TPM 2.0 security chip to provide FIDO2/U2F tokens for web browsers and operating system applications on Linux. Leveraging the ubiquitous presence of TPM2 in modern PCs, the daemon will enhance security and usability for Linux users. It will allow the integration of security chips as access tokens with web extensions, secure local passwords and HOTP/TOTP managers, and enable hardware-based lock screen authentication mechanisms. The daemon will interface with the TPM2 chip to manage FIDO2 token generation. It includes support for the \"uhid\" kernel driver for button press emulation when no fingerprint reader is available for authentication. The project involves developing the daemon, ensuring seamless integration with systemd, and conducting extensive testing for functionality and security. Comprehensive documentation will be provided for setup and use, along with user guides for web extension integration. The outcome will be a robust, secure, and user-friendly solution for Linux users, elevating the baseline security and leveraging existing hardware capabilities to the fullest. This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"description":" Subliminal Messaging Embedded secure channels within traditional and internet telephony Most of today's telephony consists of digital transmissions, so given a codec without mangling or added noise, it becomes possible to treat (part of) that as a data channel, and pass meaningful data through it while maintaining an acceptable noise floor to the sound being transmitted. 
That data channel can give rise to information exchange, including key material and alternative contact options. The project will work on various improvements that connect telephony and digital communication: (1) VPN setup with telephony protocols, (2) data communication over the PSTN backbone and its extensions into VoIP, (3) digital security for PSTN and VoIP calls. The project's own website: https://gitlab.com/0cpm/subliminal Run by OpenFortress BV This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. ","url":"https://nlnet.nl/project/SecureDataChannel/","title":"Subliminal Messaging"},{"title":"SecurEAP: Secure Enterprise Wi-Fi on Linux","url":"https://nlnet.nl/project/SecurEAP/","description":" SecurEAP: Secure Enterprise Wi-Fi on Linux Improve Wi-Fi security and privacy SecurEAP will improve Enterprise Wi-Fi security and privacy on Linux by adding modern protections such as Trust on First Use (TOFU) and automatic anonymous identities. The project will extend open-source components such as wpa_supplicant, iwd and popular network managers like “NetworkManager”. As a result, SecurEAP will make it much harder to carry out rogue access point attacks against Linux, which recent research has shown is still a problem in practice. Additionally, the project will study and prototype improvements of TOFU to mitigate “first use” attacks. Taken together, this finally adds modern protections to Linux that other platforms already offer, but Linux has still lacked. 
Run by KU Leuven University This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"description":" searx A privacy-respecting, hackable metasearch engine Searx (/sɜːrks/) is a free metasearch engine, available under the GNU Affero General Public License version 3, with the aim of protecting the privacy of its users. Across all categories, Searx can fetch and combine search results from more than 80 different engines. This includes major commercial search engines like Bing, Google, Qwant, DuckDuckGo and Reddit, as well as site-specific searches such as Wikipedia and Archive.is. Searx is a self hosted web application, meaning that every user can run it for themselves and others - and add or remove any features they want. Meanwhile, numerous publicly accessible instances are hosted by volunteer organizations and individuals alike. The project will consolidate the many suggestions and feature requests from users and operators into the first full-blown release (1.0) for Searx, as well as spend the necessary engineering effort in making the technology ready for even wider deployment. The project's own website: https://searx.info/ Why does this actually matter to end users? Search and discovery is one of the most important and essential use cases of the internet. When you are in school and need to give a presentation, when you are looking for a job, trying to promote your business or finding relevant commercial or public services you need, most of the time you will turn to the internet and more importantly the search bar in your browser to find answers. 
Searching information and making sure your name, company or idea can be discovered is crucial for users, but they actually have little control over this. Search engines set the terms for what results you see, how your website can be discovered and what information is logged about your searches. What terms are set remains obscure for users and they can only follow the rules laid out for them, instead of deciding on their own what, where and how to find the information they are looking for. More transparent, customizable and privacy-friendly search puts the user in the driver seat and can provide them with more meaningful results. Searx does this by aggregating results from more than 70 search services while avoiding any user tracking or profiling. With every search users can decide what engines they want to use and which they don't, what search language must be used and other options that are saved on the device and can therefore not be tracked. Users are also free to run their own instance of Searx, giving them complete control over the source code that makes that version of Searx tick (and alter it however they like) and ensure additional privacy protection. This project can make Searx an even more customizable transparent search alternative by working towards its first 1.0 release while addressing user suggestions and feature requests. There will also be effort put into preparing Searx for wider deployment to show users they have more options and agency when searching for what they need online. This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. ","title":"searx","url":"https://nlnet.nl/project/SearxRelease/"},{"description":" SEARXR Virtual reality for web search SearXR brings a beautiful, privacy-respecting search to 2D and 3D devices. 
Why? Because searching on alternative devices (VR headsets, conference-presentation) is not always easy or private. SearXR aims to provide alternative search interfaces which are more appropriate for VR, AR and big screens. SearXR aims to progressively enhance these search experiences: better screen-layout, privacy, and WebXR compatibility. All features are based on user preferences and available hardware. Built upon SearX and W3C's WebXR technology, it will enable everybody to search, or add XR-features to their SearX instance. Whether it be state of the art headsets, or a 65” screen: pointing the browser to a SearXR-instance will immediately launch a wonderful, privacy-respecting search experience. The project's own website: https://blog.searxr.me Why does this actually matter to end users? Virtual, augmented or 'enhanced' reality are all terms for a range of technologies that have been long in the making, but now seem to become more commonplace with the rise of smartphones and video screens. Combining digital experiences with the real world opens up a lot of possibilities, from new gaming experiences (remember the Pokemon Go craze?) to industrial design, healthcare, education, the list goes on. The problem, however, is that like most consumer technology, the tools and devices you end up using are usually not transparently designed and essentially black boxes that give you a shiny user experience, but little control over how it actually works. This can raise issues of security and privacy which becomes especially problematic when this technology is used in for example healthcare. Innovation should not come at the cost of privacy, safety or data governance. The same goes for augmented and virtual reality, which does not need to be a tool for surveillance to offer useful and imaginative experiences. This project wants to make online search on augmented reality devices like VR headsets more privacy- and user-friendly. 
As search is an important starting point for any online device, this can be a first step to making augmented and virtual reality experiences more reliable and trustworthy. Run by 2WA This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. ","url":"https://nlnet.nl/project/SearXR/","title":"SEARXR"},{"description":" An OpenScience flavour of Bonfire on NixOS for preprints Discuss preprints based on W3C ActivityPub federation Preprints have revolutionised scholarly publishing, offering a rapid and open way to share research findings, establishing priority, receiving early feedback, and accelerating scientific discovery. Online discussions around preprints regularly take place on social media, but there still exists a gap in encouraging fluid discourse around science and making it a recognised academic activity. This project aims to address the gap by facilitating and integrating these conversations into the scholarly framework using FOSS tooling. Outcomes include: establishing a Bonfire network tailored for preprints, with reproducible deployment made possible via NixOS, bringing existing communities into the Fediverse, amplifying contributions using existing scholarly infrastructure, exploring new models of peer evaluation, and supporting recognition of this crucial scholarly activity. The project's own website: https://sciety.org Run by eLife Sciences Publications Ltd. This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. 
Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","title":"An OpenScience flavour of Bonfire on NixOS for preprints","url":"https://nlnet.nl/project/Sciety-ActivityPub/"},{"url":"https://nlnet.nl/project/ScientificResults/","title":"Adera","description":" Adera Relevant scientific research results The project summary for this project is not yet available. Please come back soon! Run by PM This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. "},{"description":" Scheme Testing Framework Modernise testing for Scheme This project addresses a critical gap in the Scheme ecosystem by delivering a comprehensive and extensible testing framework that will serve as foundational infrastructure for current and future development. The Scheme family of languages powers numerous important projects in reproducible builds, decentralized systems, and security-critical applications, yet lacks a modern, well-designed testing solution compatible with today's development practices. Our library bridges this gap, enables interactive testing workflows with immediate feedback for REPLs and IDEs while supporting automated CI/CD pipelines through standardized interfaces. By creating SRFI specification with an implementation-agnostic design, proper test isolation, and metadata-driven test runners, we will empower developers to build more reliable software across the entire Scheme ecosystem. This contribution in core development infrastructure will strengthen existing projects, lower barriers to entry for newcomers, and enable the next generation of Scheme applications. 
This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","title":"Scheme Testing Framework","url":"https://nlnet.nl/project/SchemeTestingFramework/"},{"url":"https://nlnet.nl/project/SaxonSoc/","title":"SpinalHDL, VexRiscv, SaxonSoc","description":" SpinalHDL, VexRiscv, SaxonSoc Open Hardware System-on-Chip design framework based on SpinalHDL The goal of SaxonSoc is to design a fully open source SoC, based on RISC-V, capable of running linux and optimized for FPGA to allow its efficient deployment on cheap and already purchasable chips and development boards. This would provide a very accessible platform for individuals and industrials to use directly or to extend with their own specific hardware/software requirements, while providing an answer to hardware trust. Its hardware technology stack is based on 3 projects. SpinalHDL (which provides an advanced hardware description language), VexRiscv (providing the CPU design) and SaxonSoC (providing the facilities to assemble the SoC). In this project, we will extend SpinalHDL, VexRiscv and SaxonSoc with USB, I2S audio, AES and Floating point hardware capabilities to extend the SoC applications to new horizons while keeping the hardware and software stack open. The project's own website: https://github.com/SpinalHDL Why does this actually matter to end users? Consumers and businesses overpay for computer hardware, because the market is not working well. When you go to a store to buy a laptop or mobile phone, you may see different brands on the outside but choice in terms of what is inside the box (in particular the most expensive component, the processor technology) is pretty much limited to the same core technologies and large vendors that have been in the market for decades. 
This has a much bigger effect on the users than just the hefty price tag of the hardware, because the technologies at that level impact all other technologies and insecurity at that level breaks security across the board. In the field of software, open source has already become the default option in the market for any new setup. In hardware, the situation is different. Users - even very big users such as governments - have very little control over the actual hardware security of the technology they critically depend on every day. Security experts continue to uncover major security issues, and users are rightly concerned about the security of their private data as well as the continuity of their operations. But in a locked-down market there is little anyone can do, because of the lack of alternatives. European companies are locked out of the possibility to contribute solutions and start new businesses that can change the status quo. Fortunately there are efforts underway to make hardware that, like open source software, is free to be reimagined and reassembled without restriction and that is transparently created, from the design down to the silicon. As these projects grow and connect, they can lay the foundations for a technological commons of trustworthy hardware that is accessible for everyone to learn from and build upon. This project is one of these efforts and will contribute an open source system-on-chip using a publicly available development and design stack. It will be able to run the widely used Linux-system and be deployed on affordable chips and development boards, allowing anyone to quickly create a device that does precisely what you want it to and that you can trust with your information or online service. 
Run by SpinalHDL This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. "},{"description":" Security audit of Sailfish FOSS components Analyse security of secrets, Sailfish ofono and Sailjail Sailfish is a European mobile operating system developed by the Finnish company Jolla. This project will conduct independent security research into the Sailfish FOSS components, with a focus on its cryptography, 5G support and sandboxing of the SailfishOS operating system. The project will also compare Android and SailfishOS on their app permissions, encryption and isolation mechanisms. The researchers are not affiliated with the company behind the development of SailfishOS. The project's own website: https://sailmates.net Run by Sailmates This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","title":"Security audit of Sailfish FOSS components","url":"https://nlnet.nl/project/Sailfish-FOSS-audit/"},{"description":" Storing Efficiently Our Software Heritage Faster retrieval within Software Heritage Software Heritage (https://www.softwareheritage.org) is the single largest collection of software artifacts in existence. But how do you store this in a way that you can find something fast enough, taking into account that these are billions of files with a huge spread in file sizes? \"Storing Efficiently Our Software Heritage\" will build a web service that provides APIs to efficiently store and retrieve the 10 billions small objects that today comprise the Software Heritage corpus. 
It will be the first implementation of the innovative object storage design that was designed in early 2021. It has the ability to ingest the SWH corpus in bulk: it makes building search indexes an order of magnitude faster, helps with mirroring etc. The project is the first step to a more ambitious and general purpose undertaking allowing to store, search and mirror hundreds of billions of small objects. The project's own website: https://wiki.softwareheritage.org/wiki/A_practical_approach_to_efficiently_store_100_billions_small_objects_in_Ceph Run by Eeaster-Eggs This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. ","url":"https://nlnet.nl/project/SWH-Retrieval/","title":"Storing Efficiently Our Software Heritage"},{"url":"https://nlnet.nl/project/SWH-PackageManagers/","title":"SWH package manager Data Ingestion","description":" SWH package manager Data Ingestion Add Package managers to Software Heritage Software Heritage's ambition is to collect, preserve, and share all software that is publicly available in source code form. In this project we improve the SWH scanner tool which compares any set of files with the SWH archive. This is very useful for detecting license violations or security issues. The goal of the project is to take the scanner from a research prototype to a widely available and usable tool. This involves work around its packaging, user interface, robustness and performance. We will be re-purposing the advanced graph-comparison algorithm from the Mercurial DVCS to minimize the load to the SWH archive. To expand the list of existing source code origins, we will also create new listers and loaders for Maven, Go, Packagist, RubyGems, Bower, CPAN and pub.dev/Dart package managers. 
The project's own website: https://www.softwareheritage.org/ Run by Octobus This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. "},{"description":" Software Heritage listers + tooling Performance improvements and new listers/tooling for Software Heritage Software Heritage's ambition is to collect, preserve, and share all software that is publicly available in source code form. The platform currently lists and loads more than 200 million free and open source projects. One of the bottlenecks for collecting sources is the speed at which these can be collected. We want to address performance improvements on data discovery and ingestion through the usage of the PyPy interpreter, which should help in reducing CPU-bound work in highly repetitive areas of the Python code responsible for data analysis and validation. To expand the list of existing source code origins we will create new listers and loaders for Dlang, Julia and Elm package managers. The project's own website: https://www.softwareheritage.org/ Run by Octobus This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","url":"https://nlnet.nl/project/SWH-Enhancements/","title":"Software Heritage listers + tooling"},{"url":"https://nlnet.nl/project/SSH-Stamp/","title":"SSH Stamp","description":" SSH Stamp Secure SSH-to-UART bridge for devices with a serial port. SSH Stamp is a secure wireless-to-UART bridge implemented in Rust (no_std, no_alloc and no_unsafe whenever possible) with simplicity and robustness as its main design tenets. 
The firmware runs on a microcontroller running Secure SHell Protocol (RFC 4253 and related IETF standards series). This firmware can be used for multiple purposes, conveniently avoiding physical tethering and securely tunneling traffic via SSH by default: easily add telemetry to a (moving) robot, monitor and operate any (domestic) appliance remotely, conduct remote cybersecurity audits on network gear of a company, reverse engineer hardware and software for right to repair purposes, just to name a few examples - a \"low level-to-SSH Swiss army knife\". The project's own website: https://github.com/brainstorm/ssh-stamp This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"url":"https://nlnet.nl/project/SOLIDdataworkers/","title":"SOLID Data Workers","description":" SOLID Data Workers Toolkit to ingest data into SOLID This project is archived. Due to circumstances, the project as planned did not take place. This page is left as a placeholder, for transparency reasons and to perhaps inspire others to take up this work. Solid Data Workers is a toolkit to leverage the Solid platform (an open source project led by Tim Berners-Lee) into a viable, convenient, open and interoperable alternative to privacy-hungry data silos. The aim is to use Solid as a general purpose storage for all of the user's private information, giving them a linked-data meaning to enrich the personal graph and provide a first-class semantic web experience. 
The project involves a PHP and a NodeJS implementation of the \"Data Workers\" toolkit to ease the \"semantification\" of the data collected from external services (SPARQL queries build, metadata retrieval and storage, relationships creation...), some sample software component to import existing data into the semantic graph and keep it synchronized with back-end sources (primarily: emails and calendars), and a proof-of-concept application to showcase the potentials of the semantic web applied to personal linked data. As Solid may be self-hosted or hosted by third-party providers, Solid Data Workers may be attached to any of those instances and to different back-end services. The project's own website: https://semantic.builders Why does this actually matter to end users? In the 'real world', you instinctively know what information you should keep behind locked doors and what is safe to share. Your bank statements are stored in a folder somewhere in the attic instead of leaving them lying around on your kitchen table. You do not tell random people on the street what your phone number is, or where your children go to school. In the virtual world, this type of common sense can work differently. Users are quicker to trust service providers to keep their personal data safe from theft and prying eyes, and do not always see the dangers of storing passwords in an online text file, or sharing sensitive financial documents via email. The dangers are unmistakably there, but until someone close to you suffers the consequences of a hack or a privacy breach, the risks of online data storage are vague and its convenience is too tempting to pass up. People are accustomed to easy, accessible and convenient online tools and services. More private and secure open-source alternatives should not exclude users because of an overly technical setup or incompatibility with existing proprietary solutions. 
Solid (or Social Linked Data) is a new approach to protecting personal data initiated by Tim Berners-Lee, the inventor of the world wide web and developed in collaboration with the Massachusetts Institute of Technology (MIT). The project aims to give users back full control over their personal data, which they can store in personal online data stores (or pods) and then give applications that run on the Solid platform access rights as they see fit. Users always retain ownership over their data, decide for themselves where it is stored and can change the permissions of any application that can access the data. Eventually the Solid ecosystem should offer decentralized and user-centric alternatives to centralized social media like Facebook, Twitter, LinkedIn etcetera. Convincing people to switch to Solid will take more than just telling them privacy horror stories. You cannot (and should not) scare someone into using your product, no matter how good your intentions might be. The alternative should be as good or even better than the original and switching should be easy and painless. That is what Solid Data Workers will provide: a toolkit that can bridge the gap between the online services you use now (email and calendars for example) and the Solid platform, keep data synchronized and allow you to import existing data to work flawlessly with the Solid technology and approach to data. Privacy is far from dead, but people usually lack the tools or technical knowledge to protect their personal data online. New and promising privacy-friendly platforms like Solid should be as inclusive as possible to actually make a difference and change the status quo of online personal data. This project can help make that change. 
This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. "},{"description":" Cell broadcast support for the Linux Mobile Stack Implement SMS-CB for emergency messages on Linux Cell broadcast is the capability of the mobile network to send messages to multiple mobile devices in an area. It is the common way to alert users about disasters and emergencies. Phosh is a user friendly, graphical interface for Linux based mobile phones using GTK, GNOME and the wlroots compositor library. It uses ModemManager for its mobile broadband connections. ModemManager is used on Linux systems to control mobile broadband devices and connections. The aim of this project is to add cell broadcast support to ModemManager and the necessary UI elements to Phosh so cell broadcast messages sent to devices running this platform can be properly received and displayed. The project's own website: https://phosh.mobi/ Run by Phosh This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","title":"Cell broadcast support for the Linux Mobile Stack","url":"https://nlnet.nl/project/SMS-CB/"},{"url":"https://nlnet.nl/project/SMAesH-Mode/","title":"SMAesH-Mode","description":" SMAesH-Mode Side-channel protected hardware implementation of AES The security of internet devices relies on cryptography for many features such as secure communications, secure boot or user authentication. In many cases, the underlying cryptographic building blocks are implemented in hardware for efficiency and/or security reasons. 
Further, many devices can be attacked through physical side-channel leakage such as power consumption or electromagnetic emanations (EM). Critically, these attacks do not strictly require direct physical access to the device, and attack based only on remote physical access have been demonstrated (e.g. EM a few meters way). Nowadays, AES remains a fundamental block cipher in most security solutions. In this context, SMAesH is a open-source side-channel protected hardware implementation of the AES that could be used in secure micro-controllers for direct use in protocols that rely on AES, or as a building block for secure storage. However, a block cipher is rarely used alone, and is instead integrated in a mode of operation that provides confidentiality and/or integrity, which are currently not supported by the existing SMAesH IP. This project mainly aims at extending SMAesH to include support for common modes of operation (GCM, CBC and CTR). Besides, our goal is to make SMAesH easy to integrate with open-source hardware designs by implementing a standard TileLink bus interface. The project's own website: https://github.com/simple-crypto/SMAesH Run by SIMPLE-Crypto This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"title":"SIP RELOAD","url":"https://nlnet.nl/project/SIP-RELOAD/","description":" SIP RELOAD REsource LOcation And Discovery, a peer-to-peer (P2P) signaling protocol SIP is a mature internet technology to establish sessions of any type across the internet. RELOAD stands for REsource LOcation And Discovery and is a peer-to-peer (P2P) signaling protocol standardised in IETF that provides its clients with an abstract storage and messaging service between a set of cooperating peers that form an overlay network. 
RELOAD defines a security model based on a certificate enrollment service that provides unique identities. NAT traversal is a fundamental service of the protocol. The goal is to implement a P2P communications network based on IETF standards that allows people to communicate securely without the traditional interposed third parties like SIP service providers. This is done both by establishing direct encrypted channels between the participants as well as using digital identities based on X509 certificates to identify the participants in a conversation, which will prevent third parties from inserting themselves into the conversation by attempting to impersonate one of the participants. The outcome would be a working RELOAD implementation, with a functional backend for connecting and discovering peers based on their identity which is backed by an email address that will then also function as a working SIP address. The project's own website: https://datatracker.ietf.org/doc/rfc6940/ This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. "},{"description":" SIMcurity: Tools for Securing the SIM interface Protect phones and users against SIM vulnerabilities and hostility The SIMcurity project will develop new software and hardware tools to secure mobile devices against attacks from hostile SIMs. Often considered as root-of-trust in mobile communication networks, SIMs and eSIMs authenticate users and their equipment, including smartphones, cars, smart devices, and even trains. However, SIMs cannot always be trustworthy: rogue operators can update them remotely over the air, their communication interface is susceptible to machine-in-the-middle attacks, and the software running on them may itself have vulnerabilities. 
SIMcurity will shine light on this often overlooked attack surface, provide tooling to find and mitigate security flaws, and create strong defenses to protect users and their mobile communication. The project's own website: https://github.com/tomasz-lisowski/simurai This project was funded through the NGI Mobifree Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme under the aegis of DG Communications Networks, Content and Technology. The NGI Mobifree R&D programme is part of Horizon Europe research and innovation programme under grant agreement No. 101135795. ","title":"SIMcurity: Tools for Securing the SIM interface","url":"https://nlnet.nl/project/SIMcurity/"},{"url":"https://nlnet.nl/project/SES/","title":"SES - SimplyEdit Spaces","description":" SES - SimplyEdit Spaces SimplyEdit Spaces - collaborative presentations SimplyPresent allows users to collaboratively create and deliver good-looking presentations using CRDTs through Hyper Hyper Space - another project supported by NGI Assure. SimplyPresent is itself based on top of the open source SimplyEdit tool, adding advanced user-friendly presentation features. SimplyPresent allows team members to live edit a presentation and the presenter notes while the presentation is being given, and to control the presentation from any phone without complicated setup: all that is needed on the presenting system or with remote viewers is a URL which will sync through Hyper Hyper Space. The project's own website: https://github.com/SimplyEdit/SimplyPresent This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073.
"},{"title":"SDCC","url":"https://nlnet.nl/project/SDCC/","description":" SDCC Small Device C Compiler compiler for 8-bit microcontrollers The Small Device C Compiler (SDCC) is free and open source software for 8-bit microcontrollers. While such 8-bit microcontrollers might seem like outdated technology (most of the popular chips sold today use 32 bit or 64 bit solutions), the fact that there are less transistors to fire up with every cycle means there are quite a few basic use cases where 8-bit systems might very well remain the most energy-efficient option despite . SDCC is competing head to head with various proprietary compilers - such as Keil, IAR, Comsic, Raisonance. The tasks in this project will significantly boosts the capabilities of SDCC and allow developers a more mature tool to design for e.g. eco-friendliness. The project will deliver various improvements in SDCC, in order to make it more complete and competitive in terms of features and workflow. The project's own website: http://sdcc.sourceforge.net This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. "},{"description":" SDCC Modern compiler for 8-bit microcontrollers The Small Device C Compiler is the free (apart from GCC having an AVR port) compiler for 8-bit microcontrollers (µC). It is competing with various non-free compilers. 8-bit µC are common in peripheral devices of larger systems, SDCC is an essential part of the free software ecosystem, in particular for developing firmware. We aim to both improve SDCC support for various target hardware, as well as implement machine-independent improvements to make SDCC more competitive vs. non-free compilers. 
Hardware-specific improvements planned include improving support for Padauk's popular low-cost microcontrollers, improving support for the Rabbit microcontrollers common in older IoT devices, improving code generation for the f8 port, and improving support for Toshiba TLCS microcontrollers. The focus for machine-independent improvements will be in enhancing support for recent ISO C standards, an optimization to reduce memory usage for local variables, and implementing a link-time optimization to optimize out unused functions and objects. The latter is the one feature most-requested by SDCC users in recent years. The project's own website: https://sdcc.sourceforge.net This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/SDCC-C23/","title":"SDCC"},{"description":" Toward a Fully-Verified SCION Router II Align router code with formal verification tooling SCION is a next-generation Internet architecture that addresses many of the security vulnerabilities of today’s Internet. Its clean-slate design provides, among other properties, route control, failure isolation, and multi-path communication. This project concerns the implementation part of a larger effort that is verifying the core component of the SCION inter-domain routing architecture - the SCION router. SCION’s open-source router should not only be memory-safe but should implement the SCION protocols correctly in order to provide the intended security and correctness guarantees.
The project's own website: https://www.pm.inf.ethz.ch/research/verifiedscion.html Run by Anapaya Systems AG This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","url":"https://nlnet.nl/project/SCION-router-codealignment/","title":"Toward a Fully-Verified SCION Router II"},{"description":" WWW SCION Path-aware web server/proxy deployment and browsing The WWW SCION project aims to bring innovation to web applications by enabling seamless SCION support to the web ecosystem. SCION is a clean-slate, more secure, and robust path-aware Internet architecture designed to provide route control, fault isolation, and explicit trust information for end-to-end communication. The main outcome of this project will be a full software suite for path-aware web browsing that can be easily adopted by network operators to make their web resources available on the SCION network. To do so, this project will develop (1) a production-grade reverse proxy, which enables web resources to be accessed via SCION, and (2) much improved client-side support. This will have an immediate impact on thousands of users who are already connected to the SCION infrastructure, allowing them to access next-generation network features such as expressing path-selection policies that implement their preferences. For instance, a web user could avoid traversing ASes (Autonomous systems) in certain regions when accessing their e-banking website. Another example from which users may benefit is using distinct paths depending on the web resources. In this case, the server could make use of a high-bandwidth path to increase the throughput when loading a large resource, while it could use a low-latency path for a latency-sensitive resource, e.g., a server control message. 
The project's own website: https://github.com/scionproto/scion Run by ETH Zürich This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","url":"https://nlnet.nl/project/SCION-proxy/","title":"WWW SCION"},{"description":" Geographic tagging of Routing and Forwarding Geographic tagging and discovery of Internet Routing and Forwarding SCION is the first clean-slate Internet architecture designed to provide route control, failure isolation, and explicit trust information for end-to-end communication. As a path-based architecture, SCION end-hosts learn about available network path segments, and combine them into end-to-end paths, which are carried in packet headers. By design, SCION offers transparency to end hosts with respect to the path a packet travels through the network. This has numerous applications related to trust, compliance, and also privacy. By better understanding of the geographic and legislative context of a path, users can for instance choose trustworthy paths that best protect their privacy. Or avoid the need for privacy intrusive and expensive CDN's by selecting resources closer to them. SCION is the first to have such a decentralised system offer this kind of transparency and control to users of the network. The project's own website: https://scion-architecture.net Why does this actually matter to end users? More and more commercial and public services are digitized and even completely replaced by online platforms and communication channels. For users, businesses and governments, this raises important questions regarding privacy and security. The data created and shared in or between hospitals, banks, companies or municipalities can be sensitive, deeply personal and potentially harmful when it ends up in the wrong hands. 
All manners of security and privacy protection walls are put in place to prevent this from happening, which nevertheless do not prevent regular and large scale data leaks that sometimes cause real damage to people. Instead of creating workarounds and improvising defenses for vulnerable points in the route information travels on the internet, SCION instead wipes the slate clean and designs an internet that is secure and private by design. This alternative internet architecture offers users (as well as internet service providers or ISPs) overview and control of their online communication. SCION can ensure path-aware communication where only senders, receivers and ISPs are allowed to set the rules for precisely how internet traffic should be routed across networks and servers, protecting the privacy of everyone involved and ensuring users and hosts have high availability, bandwidth and little to no vulnerabilities to, for example, DDoS attacks. This project wants to give users and network administrators even more control over how data and communication travels by adding specific geographic data to the road traveled. For example, where is the datacenter or internet exchange point that this particular internet route uses located? This is especially relevant for data and information that is commercially, politically or technically sensitive and that should not end up in a particular country or be forwarded by a party that is known to snoop or censor. In these cases it may not be enough to construct the most optimal or available route, but also the best protected and trustworthy one. Run by Anapaya Systems This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322.
","url":"https://nlnet.nl/project/SCION-geo/","title":"Geographic tagging of Routing and Forwarding"},{"description":" SCION-Pathdiscovery Secure and reliable decentralized storage platform With the amount of downloadable resources such as content and software updates available over the Internet increasing year over year, it turns out not all content has someone willing to serve all of it up eternally for free for everyone. And in other cases, the resources concerned are not meant to be public, but do need to be available in a controlled environment. In such situations users and other stakeholders themselves need to provide the necessary capacity and infrastructure in another, collective way. This of course creates new challenges. Unlike a website you can follow a link to or find through a standard search engine and which you typically only have to vet once for security and trustworthiness, the distributed nature of such a system makes it difficult for users to find the relevant information in a fast and trustworthy manner. One of the essential challenges of information management and retrieval in such a system is the location of data items in a way that the communication complexity remains scalable and a high reliability can be achieved even in case of adversaries. More specifically, if a provider has a particular data item to offer, where shall the information be stored such that a requester can easily find it? Moreover, if a user is interested in a particular information, how does he discover it and how can he quickly find the actual location of the corresponding data item? The project aims to develop a secure and reliable decentralized storage platform enabling fast and scalable content search and lookup going beyond existing approaches. The goal is to leverage the path-awareness features of the SCION Internet architecture to use network resources efficiently in order to achieve a low search and lookup delay while increasing the overall throughput. 
The challenge is to select suitable paths considering those performance requirements, and potentially combining them into a multi-path connection. To this end, we aim to design and implement optimal path selection and data placement strategies for a decentralized storage system. The project's own website: https://www.netsys.ovgu.de/ Why does this actually matter to end users? It has been several decades since the first internet connection was made and we still have not solved the issue of free, safe and controlled file sharing. Common channels like email set strict file size limits and leave possibly sensitive data strewn about inboxes and servers. File hosting and sharing services keep users in the dark about what happens to their uploads and do not keep files up for long. Torrent environments are fraught with illegally uploaded or malicious content that may be harmful for users, who have no tools to verify or authenticate anything or anyone. To solve this issue, users should be able to transparently host and share files, control access to uploaded content and know precisely where their files are online. The alternative internet architecture SCION, short for (Scalability, Control, and Isolation on Next-Generation Networks), offers users (as well as internet service providers or ISPs) the overview and control this requires. SCION can ensure path-aware communication where only senders, receivers and ISPs are allowed to set the rules for how internet traffic should be routed across networks and servers. The goal of this project is to use this transparency of internet traffic for hosts and users through SCION for decentralized data storage and retrieval. Combining the level of control, privacy protection and overview of path awareness and construction with hosting and sharing files that are decentralized and not held or maintained by a single party gives the user full agency over their data and access to it.
Run by OVGU Magdeburg This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. ","title":"SCION-Pathdiscovery","url":"https://nlnet.nl/project/SCION-Swarm/"},{"title":"SCION-RAINS","url":"https://nlnet.nl/project/SCION-Rains/","description":" SCION-RAINS RAINS, Another Internet Naming Service (or, a DNS alternative) RAINS (which recursively stands for RAINS, Another Internet Naming Service) is an alternative name resolution protocol that has been designed with the aim to provide an ideal naming service for the SCION Internet architecture. SCION is one of the most ambitious and realistic alternative Internet architectures currently in play, and has interesting traits such as route control, failure isolation, multipath capabilities and explicit trust information for end-to-end communication. The RAINS architecture is simple but effective, while it resembles the architecture of DNS it also benefits from being a clean-slate design and provides security across all TLD's - where DNS with DNSSEC fails to provide such capabilities across the board. RAINS, unlike DNS, has no relative clocks: the DNS TTL is replaced by the absolute validity timestamps on the signature. All records are signed. The project's own website: https://www.netsys.ovgu.de/ Run by OVGU Magdeburg This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. "},{"description":" SCION-enabled IPFS and libp2p Enhancing IPFS Performance and Resilience through SCION's Path-Aware Networking SCION is a clean-slate Next-Generation Internet (NGI) architecture which offers a.o. 
multi-path and path-awareness capabilities by design. Moreover, SCION was designed to provide route control, failure isolation, and explicit trust information for end-to-end communication. As a result, the SCION architecture provides strong resilience and security properties as an intrinsic consequence of its design. The goal in this project is to leverage the path-awareness in SCION to align the storage and lookup in IPFS with the underlying network in an optimal manner, while at the same time using SCION to establish trust between the entities. The project's own website: https://www.netsys.ovgu.de/ Why does this actually matter to end users? The vast amount of content on the Internet has made it increasingly challenging for users to quickly and reliably access relevant information. A key issue in managing and retrieving information in distributed systems is locating data items in a manner that ensures scalability, minimal communication complexity, and high reliability, even in the presence of adversaries. Specifically, determining where to store information so that requesters can easily find it, as well as enabling users to discover and efficiently locate desired data items, are critical challenges. Centralized approaches offer fast data lookup and constant search complexity but may suffer from scalability issues, single points of failure, and trust concerns. As a result, decentralized approaches are more desirable, although they often come with increased communication overhead. Recent solutions, such as the IPFS, address some of these problems but still have limitations in their performance, as discussed in the related efforts section below. In this project, our objective is to create a secure, reliable, and decentralized storage platform based on IPFS, that outperforms existing approaches in terms of fast, scalable content search and lookup. 
By leveraging path-awareness, we aim to utilize network resources efficiently to reduce search and lookup delays while enhancing overall throughput. Run by OVGU Magdeburg This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","url":"https://nlnet.nl/project/SCION-IPFS/","title":"SCION-enabled IPFS and libp2p"},{"description":" SCION Open Source Implementation Performance improvements for SCION reference Implementation SCION Open Source is an implementation of the SCION architecture that allows trusted, highly resilient, and path-aware routing infrastructure to be built by ISPs, CDN/cloud providers and enterprises. It supports inter-domain multipath routing by discovering paths between participating Autonomous Systems that can be combined into selectable cryptographically validated end-to-end paths. This provides higher assurances that packets will follow particular paths which can prevent route leaks and hijacks, and allow data to be geofenced thereby ensuring compliance with legislation such as GDPR and NIS2. SCION also supports fast multi-path discovery and fast failover as its path discovery process does not rely on BGP iterative convergence or forwarding table updates. Having a performant and robust open source implementation ensures there’s a viable alternative to commercial and closed source implementations which is pre-requisite for some large potential adopters. The project's own website: https://www.scion.org/development Run by SCION Association This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. 
","title":"SCION Open Source Implementation","url":"https://nlnet.nl/project/SCION-1M/"},{"description":" SASL Works for the InternetWide Architecture Integrate new authentication mechanisms into SASL The SASL Works allow clients to use authentication mechanism that meet their requirements, and use it in virtually all protocols, which includes but is not limited to the web. Servers on the other hand, can flexibly adapt to clients from any domain, by backporting authentication inquiries to the client's own realm for the desired level of approval. Once configured, this process frees service providers from the need to manage user accounts and secure storage of credentials. Clients finally get a choice to use strong cryptographic authentication mechanisms instead of being forced to use a site programmer's poor approach to security. This in turn is helpful for setting higher levels of security policies in formal bodies such as organisations and governments, while generally simplifying the user interaction. The project's own website: http://internetwide.org Why does this actually matter to end users? Privacy is a matter of control. When you want to protect your privacy, it does not mean you never tell anyone anything, it means you want to be in control of who you share your personal information with. On the internet a lot of control is taken away from you. The technology that lets you connect to networks all around the world and find information anywhere it is stored is built around identification, both of its users and the virtual places they visit. Unfortunately, many crucial networking standards and protocols were not designed with user privacy in mind, let alone giving them any sense of control over how they can safely identify and authenticate themselves and whoever they want to communicate with on the internet. 
Secure identification and authentication should be the starting point for your online journey, instead of relying on workarounds and patches that may not cover all the exits. Remaking the internet to be secure and private by design is what the ARPA2 project has been doing for several years by using and extending existing security standards and developing flexible, simple and reliable identity management solutions for users. Technology developed in the ARPA2 project simplifies and centralizes encryption and integrates state of art authentication and security standards, among other things. These tools help build an internet that \"treats its end users as full-blown citizens, and not as milking cows\", as the ARPA2 developers explain on their website. Just like other ARPA2 initiatives this project makes existing and proven internet technology more interoperable and usable to better protect users online data and identity on the internet. Users can identify and authenticate themselves more easily (instead of handling different passwords for every site) and securely ( instead of relying on possibly broken identity management tools of third parties) regardless of the service they use, which puts the user back in the driver seat where they belong. Run by OpenFortress.nl / InternetWide.org This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. ","url":"https://nlnet.nl/project/SASLworks/","title":"SASL Works for the InternetWide Architecture"},{"url":"https://nlnet.nl/project/SASL-XMSS/","title":"SASL XMSS","description":" SASL XMSS Make SASL work with XMSS protocol Simple Authentication and Security Layer (SASL) is an authentication and data security framework. The framework defines a structured interface to which SASL mechanisms must comply. 
These mechanisms can then be used by application protocols in a uniform manner. XMSS provides cryptographic digital signatures without relying on the conjectured hardness of mathematical problems. Instead, it is proven that it only relies on the properties of cryptographic hash functions. XMSS provides strong security guarantees and is even secure when the collision resistance of the underlying hash function is broken. It is suitable for compact implementations, is relatively simple to implement, and naturally resists side-channel attacks. Unlike most other signature systems, hash-based signatures can so far withstand known attacks using quantum computers. The SASL XMSS project's goal is to implement the XMSS system as a SASL mechanism in one of the publicly available open source SASL libraries. Why does this actually matter to end users? Digital signatures are very convenient, for consumers, governments and businesses alike. Most documents that need to be signed these days are 'digitally born': they first exist inside a computer. Signing in the conventional way (on a piece of paper) is both very time-consuming and eco-unfriendly. Each document has to be sent to a printer, someone needs to collect the printout and get it back to their desk, find a pen that works (sigh) and sign it. And in many cases the document at hand will need to be rescanned shortly after, in order to be sent by mail. Digital signatures are also more secure. Signatures are basically just a few lines of ink from a pen. When you look close, no two signatures from the same person are the same. The natural variance means the origin and history (and thus the authenticity) of those \"ink proofs\" can be really hard to technically verify properly. With a little practise, a fake signature is easy to create - in fact, in most cases any signature will do. What can people use to verify? While the actual proof is not so good, in a lot of practical cases we have other reasons why we trust a document. 
For instance because we got it in person, or know the document has been securely locked away by a trusted party. The common practise to scan a \"real\" signature and cut and past it as an image inside a document, operates on that same premise: we get the document from a trusted source, and so we can trust it - making the addition of the signature more of a ritual. However, on the internet we do not have such guarantees. As countless phishing mails from banks and credit card companies will show, cloning some existing legitimate document is trivial. On the internet trust and trustworthiness is low, while speed of acting is high. That is why we need digital signatures as a basis to delegate trust: to sign software, documents, etc.. A digital signature is often used at points where you hand over some control to other, so it is really important to get this right. Digital signatures use advanced math to guarantee authenticity. We are considering trusting something, but we need to make sure the person or organisation that has supposedly signed something, in fact did so. Conventional computers as we use today in our offices and homes would need many thousands of years to break most digital signatures. This is more than orders of magnitude of a human lifetime, as well as the lifetime of most of human dealings. So digital signatures have been recognised as a practical and convenient way to work, with much better security than their ink predecessors. It is no wonder that digital signatures continue to increase in adoption everywhere. One urgent problem with todays digital signatures however, is that a new type of computer technology is threatening some of the assumptions we made above. These new devices (so called \"quantum computers\") are assumed to be capable of performing some common types of calculations in parallel at such a speed, that it would be possible to fake current types of digital signatures much faster. 
So much faster in fact, that people rightfully worry about important things they sign today. It would not be the first time that the pace of development of computers takes people by surprise. The answer is of course to recognise the threat and innovate, by making the digital signatures smarter. Not all calculations can be sped up by the new quantum computers, at least that is the common assumption among computer scientists. So the strategy devised is often called shifting to \"quantum-proof\" or \"post-quantum\" solutions, though the latter name is a bit weird given that the quantum computers will continue to exist in parallel with normal computers. The project SASL XMSS will take an innovative new digital signature type from top European scholars that is \"quantum-proof\". The math in XMSS works in such a different way, that the quantum computers are not supposed to be able to crack them. And the size of the digital signature is reduced to less than 25% compared to the best alternative we have today. The project connects this new digital signature to an existing standard called SASL, which is the most prevalent internet framework for authentication and security. And it aims to implement this solution in a popular open source library. That means when people install the latest version of that library, along with the update they will automatically get the exciting new capabilities that this project brings. That double-pronged strategy will make the new digital signature type become available to many applications at once. This should help tremendously with adoption. The expected end result is a great degree of trustworthiness, meaning that users can continue to trust others on the internet with confidence - and without additional hassle. 
Run by ARPA2 This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. "},{"description":" Great OCR for SANE Integrate OCR capabilities into open source scanning tools We have become dependent on search engines, allowing us to locate a document using some specific words across billions of webpages. However, not every document is born digital - or may reach the web via an indirect way. And users with for instance visual disabilities cannot read documents that are 'just' pixels. The SANE project is a collection of open-source scanner drivers and related software. SANE tools allow the users to convert their documents, photos and any other similar material from a completely unsearchable and non-discoverable analog form into a digital representation, which can be easily shared and distributed. The SANE-OCR project enables users to close the gap right at the stage when physical documents are converted from their incoming \"analog\" form to a searchable digital form - using a completely open-source stack. The traditional result of scanning is just the visual image (essentially a photo); the result here in addition contains the recognized text, obtained using optical character recognition (OCR). This outputs documents which are searchable and discoverable. The project's own website: https://gitlab.com/sane-project/frontend/sanescan Run by Kodo Baitas, MB This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. 
","title":"Great OCR for SANE","url":"https://nlnet.nl/project/SANE-OCR/"},{"description":" Rusted Platform Module (RPM) Programming TPMs in pure Rust The Rusted Platform Module (RPM) project strives to improve and advance Trusted Platform Module (TPM) v2 support and ease of use for the Rust programming language. This includes programming the TPM in pure Rust, without C-based libraries in the background, as well as (commandline) tools for common tasks, etc. This project strives to increase adoption of memory-safe languages for programming of security components like the TPM. Run by Institut of IT-Security Research, St.Pölten University of Applied Sciences This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","title":"Rusted Platform Module (RPM)","url":"https://nlnet.nl/project/RustedPlatformModule/"},{"description":" Rust Threadpool Improve privacy of Rust threading library ThreadPool is a free and open-source library that provides a simple and intuitive interface for programmers to multi-threaded programming. ThreadPool aims to make parallel programming accessible to the general public. Running tasks in parallel is a vital building block for building efficient solutions on modern hardware. Combined with Rust's type-system this library allows programmers to parallelize their applications without introducing unsafe behaviour while managing the administrative tasks of interacting with the operating system. The project's own website: https://github.com/rust-threadpool/rust-threadpool Why does this actually matter to end users? 
Software security today can be a matter of life and death, because we rely on all sorts of applications and programs to keep our lights on, our vehicles moving and our money available. Backdoors in software leave room for attackers to steal data or disrupt important processes. To make this less abstract: hackers have already managed to get inside the control rooms of power plants to potentially cause blackouts. One of the ways to make software more secure is by addressing security at the most basic level: the code that makes up the software itself. More precisely, the programming language software developers use to create their programs and that runs important parts of a process. Rust is a programming language focused on security that protects against software bugs and vulnerabilities attackers may try to exploit. This project improves a specific Rust tool that gives developers more control over how they design technology, ultimately making the software we use and trust more stable and secure. This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. ","title":"Rust Threadpool","url":"https://nlnet.nl/project/RustThreadpool/"},{"title":"Rust crate auditing and source correspondence checks","url":"https://nlnet.nl/project/Rust-auditinfo/","description":" Rust crate auditing and source correspondence checks Better supply chain security for Rust crates + packages in distributions This project aims to harden the flow from upstream project sources (in version control), via published tarballs (on crates.io), to Linux distributions (RPM packages), by checking published sources for unexpected differences from version control, and other changes - including metadata changes - between released versions. 
An additional goal is for issues that are uncovered by this process - or during review for their inclusion in Linux distributions - to be made available to the broader Rust ecosystem. The project's own website: https://pagure.io/fedora-rust/rust2rpm This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"description":" Rotonda Secure Extensions Implement BGPSec in Rust and integrate into Rotonda Rotonda is a modular routing project that brings BGP observability and easy BGP provisioning to networks. Its aim is to improve the safety and security of the inter-domain routing system. In this particular effort we will build two features that will help us further the goal of security and safety. First, we will implement BGPsec as a first-class citizen in Rotonda. BGPsec is a standardised protocol for securing routes in the inter-domain routing system. As far as we know Rotonda will be the first open source routing software that supports BGPsec out-of-the-box. Second, we will implement a run-time configurable plug-in system for Rotonda, that will not only increase its modularity and extensibility, but also its usability. The project's own website: https://www.nlnetlabs.nl/projects/routing/rotonda Run by NLnet Labs This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","url":"https://nlnet.nl/project/Rotonda/","title":"Rotonda Secure Extensions"},{"description":" Karolin Varner - Rosenpass Post Quantum Security Add-On for WireGuard Software engineering, protocols, cryptography Can you introduce yourself and your project? 
I am Karolin Varner, and I lead the open source project Rosenpass. Rosenpass is a future-focused cryptography project designed to work with key exchange systems like WireGuard VPN to secure against attacks with quantum computers. Cryptography is complex, and our goal is to make cryptography easy and accessible to everyone while guarding against a future where quantum computing is the norm. If you have a WireGuard VPN and you want post-quantum Security, Rosenpass is *the* project to use. If you need a post-quantum secure internet connection for something other than WireGuard, Rosenpass is probably also a good choice, but there is more integration effort. What are the key issues you see with the state of the internet today? Security is a critical issue in computing, particularly on the internet today. Movements to ban cryptography are a huge threat to safety online, as are more visible issues like censorship, misinformation, and surveillance capitalism through online tracking. How does your project contribute to correcting some of those issues? Rosenpass, at its heart, is a future-proofing infrastructure project. We are working to ensure that existing security technology will keep working as computers get faster. Cryptography is a critical infrastructure as it helps us communicate safely from prying eyes, verify information that allows for safe interactions, and enable the flow of information on the internet. Cryptography will become even more important with the rapid adoption of things like generative AI. It is often said that the most basic security guarantees cryptography can help us provide are privacy, secrecy, confidentiality, and authenticity. Authenticity may become increasingly important as AI creates a need to validate that information is coming from a specific source. Rosenpass is not targeted at protecting against AI spam, but we specifically target authenticity even against quantum computers. What do you like most about (working on) your project? 
It’s as exciting as it is boring! I like to polish a piece of software until it shines. You don’t get to do that in most software engineering areas. You need to deliver a feature quickly and then move on to the next. It is never about approaching the technical debt that was amassed. Since we’re focused on providing the highest level of security and on becoming an internet infrastructure project, we get to really focus on quality and design. Also, cryptography cuts across every layer of abstraction in technology and all functions of computing. ​I also love leading the team! I get to advise and connect with many people and backgrounds, from highly technical folks to researchers to non-coders interested in the project. I pride myself on being a very community-oriented person, and as the project lead, I get to help people when they come into the project, guiding them to contribute in ways that align with our overall priorities and connect with their background and other work. Where will you take your project next? We have lots of exciting things we’re working on! From core security-focused projects like supporting more ways of establishing a secure connection with different trade-offs to supporting more ciphers to usability-focused projects and many exciting collaborations, we want to be sure we’re providing the most secure tool and improving usability so that secure computing is accessible to everyone. We’re also always working on improving how the project is managed and continuing to fund the work so that we can achieve our goals and scale and onboard contributors to the project. How did NGI Assure help you reach your goals for your project? NGI Assure was the first grant I ever applied for! I had never thought the work I was doing would qualify for a grant, but someone at Real World Crypto approached me and suggested that I apply for an NLnet grant. I spent a day or two writing the proposal, and suddenly, I had funding to turn this into a proper project. 
It was a bit of a shock but also really awesome. Do you have advice for people who are considering applying for NGI funding? Start on something small with people you want to work with and make sure you prioritize collaboration and management. The admin and bureaucracy are essential! When you start working with funding, remember the details, like getting a tax advisor! As you operationalize the work, establishing transparent processes and staying organized will be crucial to scaling your efforts effectively. Do you have any recommendations to improve future NGI programmes or the wider NGI initiative? Stability for the long term is really critical. It’s hard to run and manage a project, so it is vital to think about longer-term funding and support for developing the skills and infrastructure to manage a project. Some people have enough security in their lives to just pursue something like an NLnet project for half a year, but only very privileged people can do that. For open source sponsoring to be viable for marginalized people, there must be a social net and longer-term support. Acknowledgements Image: courtesy of Karolin Varner. Published on November 6, 2024 Rosenpass received funding through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. 
","title":"Karolin Varner - Rosenpass","url":"https://nlnet.nl/project/Rosenpass/interview.html"},{"description":" Rosenpass Post Quantum Security Add-On for WireGuard Rosenpass is a formally verified, post-quantum secure VPN that uses WireGuard to transport the actual data. The implementation does not create a VPN connection itself, instead it performs a key exchange and hands this key to WireGuard; i.e. it *enhances* WireGuard's security without replacing it. This reduces the complexity of implementing the protocol and ensures that all the performance-advantages of WireGuard are available with Rosenpass. There is some extra latency to make a connection, but after that, WireGuard and Rosenpass are as fast. The protocol used by Rosenpass is based on the handshake designed by Hülsing, Ning, Schwabe, Weber and Zimmermann and improves upon the protocol by using cookies to provide resistance against state-disruption attacks. State-disruption attacks exist against the first version of the post-quantum WireGuard protocol and against classic WireGuard when NTP is used to synchronize the system-clock. Internally, the protocol uses two post-quantum KEMs (key exchange methods) and no post-quantum signature schemes to provide ephemeral secrecy and deniability. The project's own website: https://rosenpass.eu Why does this actually matter to end users? Today, Virtual Private Networks (VPNs) are a cornerstone of the modern Internet. When you go online outside of your house or office, for instance on a public wifi spot in your favourite restaurant - your connection can be vulnerable to so called man-in-the-middle attacks. Instead of the hotspot connecting you to the internet as you would assume to be the case, someone operating the network you use to access the internet can tamper with your traffic. 
Obviously, that can have disastrous results in terms of security. In professional contexts, VPNs are therefore by now everywhere. Whenever you connect to your workplace from your \"home office\", you most probably already, consciously or not, use VPN software to ensure that all data flowing from your computer at home to your employer’s office are safe from being tampered with. There are many more common, daily use cases ‒ from online research to increasing privacy to bypassing network misconfigurations and other disturbances. In recent years, we have seen the rise of “Quantum Computers” ‒ a new class of specialised computers that operate in a fundamentally different way from how traditional computers operate. While practical utility of such Quantum Computers for most day to day usage would for now still be limited (this will change in the future, no doubt), and the earliest computers of this type are prohibitively expensive (so not many organisations can afford one), they are known to do at least one thing particularly well: solving the kind of mathematical challenges on which many cryptographic standards are based. The increasing availability and equally growing capabilities of Quantum Computers mean traditional cryptography has to be phased out. While some of the most widely used cryptography is still considered safe on conventional computers for now, it is no longer something you can rely on for protecting confidentiality - and this will get worse and worse once Quantum Computers become more powerful and more widely available. Of course this not only impacts the safety of our online banking or the authenticity of a website pretending - it also impacts VPNs which are essentially encrypted tunnels across the internet. Rosenpass is an important practical countermeasure. You use Rosenpass in conjunction with the widely used WireGuard technology (which is a.o. part of the Linux kernel). 
Because it uses specific Post Quantum Secure (PQS) cryptography, based on the McEliece cryptosystem, it is expected to withstand Quantum Computer attacks. Rosenpass doesn’t change the way WireGuard works (in fact, WireGuard encryption continues to work as it used to without Rosenguard). It does provide a post-quantum-secure key exchange in the spirit of the Noise protocol used by many of today's instant messaging solutions like Matrix, Signal, WhatsApp and XMPP. This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. ","url":"https://nlnet.nl/project/Rosenpass/","title":"Rosenpass"},{"description":" Rosenpass Broker Expanding the Rosenpass API's to enable easy integration in applications Rosenpass is a post-quantum secure cryptographic protocol, an implementation of that protocol in the Rust programming language, and a governance organization stewarding development of both protocol and implementation. When used with WireGuard, Rosenpass functions as a ready-to-use virtual private network with full security against quantum attackers. This project extends the current basic API in order to allow Rosenpass to double as a programming interface for other programmers to integrate this functionality into their external applications. The project's own website: https://rosenpass.eu Run by Rosenpass e.V. This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. 
","title":"Rosenpass Broker","url":"https://nlnet.nl/project/Rosenpass-integration/"},{"title":"Rosenpass API","url":"https://nlnet.nl/project/Rosenpass-API/","description":" Rosenpass API Improved API's and platform coverage for Rosenpass Rosenpass deals with post-quantum security for the open-source, linux-kernel VPN WireGuard. It is a production-ready VPN solution, with security proofs and backed up by scientific papers. This solves the problem that classic WG alone will stop being secure once quantum computers are viable. In this phase of the work, we focus on enhancements to support Rosenpass on additional platforms by providing initial support for Windows. Improvements to the Rosenpass protocol protect our key exchange against denial-of-service attacks by integrating WireGuard's cookie-based mechanism. To introduce more granularity with regard to system permissions required by the Rosenpass client, a broker-based architecture is being introduced. Achieving this goal entails creating a Unix sockets API infrastructure, API endpoints, and a special broker process to handle communication with WireGuard. Finally, the work also aims to promote scientific communication and research on post-quantum cryptography by creating scientific illustrations, and by authoring a user tutorial on using Rosenpass to secure TLS connections. The project's own website: https://rosenpass.eu This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. 
"},{"title":"","url":"https://nlnet.nl/project/Rosenguard/","description":""},{"title":"Element Call on Cisco Room hardware","url":"https://nlnet.nl/project/RoomKit-Element/","description":" Element Call on Cisco Room hardware E2EE Matrix video conferences on existing Cisco hardware This project aims to develop plugins for using browser-based video conferencing software on existing Cisco Roomkit devices (Matrix/Element). This means a functional upgrade and longer utilisation for existing Cisco/Webex meeting room hardware, as found in both private companies and public institutions. The project will develop plugins for deployment and operation of Matrix/Element - a browser-based, open source video conferencing solution. This will remove the dependency on the proprietary cloud-based back-end provided by the vendor and thus allow this expensive hardware to continue to be used after Cisco stops supporting the hardware. The same equipment can even be upgraded to support end-to-end encryption for secure communication. The project's own website: https://github.com/TheArcaneBrony/cisco-element-call This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"url":"https://nlnet.nl/project/RocketCWMP/","title":"Rocket CWMP","description":" Rocket CWMP Remote governance and configuration for internet equipment This project is archived. Due to circumstances, the project as planned did not take place. This page is left as a placeholder, for transparency reasons and to perhaps inspire others to take up this work. CWMP (CPE WAN Management Protocol) or TR-069 is a technical specification of the Broadband Forum designed for remote governing of a CPE. 
CWMP is a standardized and widely-used text-based protocol enabling communication between CPE and Auto Configuration Server (ACS). Rocket CWMP is a modular CWMP-client capable of supporting TR-069, TR-181 and other technical reports. The project was started out of an industry gap regarding a production-ready, FOSS solution that meets the ISP requirements and the feature and security requirements of modern embedded devices. It is capable of integrating into existing solutions for automatic and remote software installation or provisioning of CPEs. The client is designed to be easily portable to different Linux platforms (OpenWrt and other Linux distributions such as Yocto, Debian, Ubuntu and others). Its modularity implies that developers can easily build new features based on their requirements. It would serve as a lightweight glue between CWMP and embedded Linux software standards for configuration and statistics. The end goal of this project would be to create and FOSS delivering mandatory remote management features in ISP ecosystem. ISPs would finally be equipped with a CWMP client that: a) is an open and extendable replacement of the closed software alternatives, b) is designed to easily include and configure various backend systems and c) allows replacing proprietary firmware and leveraging Open Source components. The project's own website: https://www.sartura.hr/blog/sartura-collaborates-with-vodafone-and-further-extends-rocket-cwmp/ Why does this actually matter to end users? Somewhere in your house, office or library, there is a modest little box that connects you to the internet. Every connection a laptop, tablet or phone makes using your wifi goes through that box. The box is directly connected to the internet via your internet provider. If someone is able to control it, they can see all your traffic. And even worse - in subtle ways manipulate it without you seeing it. When was the last time you think that box was updated? Do you know this for a fact? 
Who is even responsible for doing that? Do you suppose it is maintained remotely by someone? How do they do that? And can you trust that everything happens securely and is implemented flawlessly? As a user, you may be rightly concerned about keeping the devices in your house secure and up to date. The fact that this box is typically hidden away in the proverbial broom closet, doesn't make it less of a critical point of failure for your day-to-day security. But at the same time, handling 24/7 internet threats is a heavy responsibility for normal consumers to bear - even technically inclined ones. You really want to be able to let professionals service and maintain your device. Your internet service provider (that typically provides you with such a box these days) will very much agree, because when devices in your household are captured by a botnet due to bad maintenance it causes a lot of work and headache on their part. As a society we really want such core technology components to use up-to-date code you can trust. Device manufacturers do not always act as responsibly as they should, nor do they all have the same level of security skills and quality assurance and aftersales support. So as the device that keeps you connected to the internet ages, it becomes less and less secure over time. And in some cases, the manufacturer may have an unhealthy interest in your data - or is tempted in some other way by business models or political motivations that you may not agree on. Luckily, one can in most cases replace the so-called firmware that makes the device do everything it can do. Devices mostly reuse standard components, so you can download a community vetted open source solution on it instead. But if you install something different from what the supplier put on, that actually impacts the ability to remotely maintain it. There are international standards for this, but the firmware needs to implement these for standard updates to work. 
So far this was not something that the community had created, and so it was hard to deploy at scale. Rocket is a very welcome open source project led by a small Croatian company that offers the solution to exactly this problem. It is targeted to implement all the relevant industry standards service providers need to support users. This will allow them to switch their customers over from aged and closed vendor firmware, to something they and others can study and add new functionality to - and still perform the maintenance remotely as customers expect. Such updatability is extremely important both for security as well as for the Next Generation Internet initiative. The devices involved tend to have a very long life span, sometimes well over a decade. If old devices cannot be taught new tricks, such as adding new and more secure internet standards, progress is significantly slowed down. And of course technically inadequate devices currently operating in our homes and offices will continue to age, and make today's internet less safe for all. This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. "},{"description":" Free and open source NPU Drivers Libre drivers for Neural Processing Units As of today, companies that sell components that include accelerators for machine learning workloads (NPU, TPU, DLA, etc) are generally engaged in vendor lock-in practices that interfere with the ability of their customers to freely choose their partners and adapt their software components to their own needs. This project aims to incentivize providers of accelerating hardware to move to more fair practices by reverse engineering their hardware and writing open source implementations of the corresponding software stack, for interoperability purposes. 
These drivers become part of projects such as the Linux kernel and the Mesa project, and will become available to users via existing distributions such as Debian, Fedora and NixOS. The project's own website: https://docs.mesa3d.org/teflon.html This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","title":"Free and open source NPU Drivers","url":"https://nlnet.nl/project/Rockchip-NPU-driver/"},{"description":" Robur private DNS resolver and DHCP server Secure network configuration and DNS resolution This project is archived. Due to circumstances, the project as planned did not take place. This page is left as a placeholder, for transparency reasons and to perhaps inspire others to take up this work. DHCP and DNS are fundamental Internet protocols, DHCP is used for dynamic IP address configuration in a local network, DNS for resolving hostnames to IP addresses. In this project, we develop a robust DHCP server and DNS resolver as a MirageOS unikernel. MirageOS unikernels are self-contained virtual machine images which are composed of the required OCaml libraries, leading to a binary with a minimal trusted code base, and thus minimized attack surface. The choice of the memory-safe, functional, and statically typed language OCaml avoids common attack vectors, such as buffer overflows and double frees. MirageOS unikernels can be deployed on various hypervisors (Xen, KVM, BHyve), microkernels (Genode, Muen), or as Unix binary (also with seccomp rules that allow only 10 system calls) on x86-64 and arm64. Several DHCP and DNS privacy extensions, extensive testing, and documentation is worked on to allow everyone to use it on their home router or in the data center. Migration of existing configuration (e.g. 
dnsmasq) to Robur DNS resolver and DHCP server will be provided as well. The project's own website: https://robur.io Why does this actually matter to end users? How can you understand and trust a complex system, like the operating system managing the hardware and software on your computer? You can make the complexity (as well as the security) of a system more transparent by cutting it up into parts, compartmentalizing what does what, where information is stored, which processes talk to each other. This way users can be sure their system only does what it is supposed to do and know precisely what goes in and what comes out. This can be done through virtual machines, which are isolated simulations of operating systems or programs on a computer. Simply put, you create virtual rooms where only one thing happens and only you have the keys to each door. This can give users complete control over what happens on their computer and ensures that if some malicious software finds a way in, it cannot get to the other rooms. This can be very important if your device contains sensitive information, if some ill-meaning third party tries to listen in, or when the device is part of some crucial infrastructure and is targeted for attacks. Security by isolation can be important, for example, to keep a server or host device safe that provides crucial network services. To get anywhere on the internet, you need to have or be assigned an Internet Protocol (IP) address (which is handled by the Dynamic Host Configuration Protocol), and find out what IP address belongs to the website name you type into your browser bar (what the Domain Name System protocol helps to do, among other things through resolvers). A DHCP server and DNS resolver should be well-protected to keep your web traffic safe. This project wants to make a DHCP server and DNS resolver in an isolated virtual machine. 
MirageOS is an operating system that can create unikernels, isolated virtual machines that run operating systems with a single purpose. Making sure that the system running your DHCP server and DNS resolver can only do those two things limits the possibilities for an attacker to get in. Simply put, you can protect or close a back door in your system, or you can make sure that there is no back door altogether. And to make extra sure that every client can rely on the server to protect its personal data, the DHCP server and DNS resolver will minimize the data it stores and encrypt all communication as much as possible. This project can show in practice how a unikernel can make your DHCP server and DNS resolver more secure and protected against anyone trying to listen in on where you go online and who you communicate with. This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. ","title":"Robur private DNS resolver and DHCP server","url":"https://nlnet.nl/project/Robur/"},{"url":"https://nlnet.nl/project/Robotnix/","title":"Robotnix","description":" Robotnix Reproducible Builds of Android with NIX Robotnix enables a user to easily build Android (AOSP) images using the Nix package manager. AOSP projects often contain long and complicated build instructions requiring a variety of tools for fetching source code and executing the build. This applies not only to Android itself, but also to projects which are to be included in the Android build, such as the Linux kernel, Chromium webview, and others. Robotnix orchestrates the diverse build tools across these multiple projects using Nix, inheriting its reliability and reproducibility benefits, and consequently making the build and signing process very simple for an end-user. 
The project's own website: https://docs.robotnix.org Why does this actually matter to end users? Consumers that go shopping for a new cell phone or tablet these days, at the surface have quite a choice. But the choice is far more limited when it comes to the software that runs on those phones. Pretty much every phone manufacturer (with one notable exception brand of luxury phones) puts Google's Android on it, and while nominally the source code of Android is published under an open source license - in practical terms vendors are very much restricted by contracts with Google and the soft lock-in of the app ecosystem that seeks compatibility with Google's version only to make any significant changes. The open source community is not tied to the same rules as phone vendors. They have not signed any contracts, and can just pursue what they feel is right - and what users need. As a result a number of 'Altdroids' exist, such as Lineage, Replicant, CalyxOS and CopperheadOS. These are paving the way for more consumer choice, more privacy, more control and configurability and more innovation - with the user's best interest at heart. To set up the infrastructure to build such operating systems is far from trivial though, and requires a variety of tools for fetching source code and executing builds. This is a significant barrier to entry and an inefficient use of the time of the contributors to these alternative platforms. If we raise the bar from a security point of view, we also want to do more than just build the software. We want to be fully transparent about each adjustment we make, and make it so that we can reuse the work by others - and have others easily reuse our work too. And we want 'reproducible' builds - so that we can verify by building the software independently on different systems that the software we run is actually the software we intended to build. 
Not many people are aware that build infrastructure from major actors is often heavily attacked by both state actors and criminals, because it is a relatively cheap way to compromise and get access to many end user devices. This is where Robotnix fits in: it makes it easier for the community to automatically build reliable and reproducible Android and Altdroids. Every package can be followed from the source code, and every patch is visible and reusable. Robotnix is built on the declarative Nix package manager, a powerful tool that can create reliable and reproducible software regardless of the system you are using. Its unique capabilities will make the whole build process much easier and transparent, where instead of switching between a bunch of tools and tricks, you only add a few lines of text to indicate your tweaks. The rest happens automatically: Nix takes your instructions and builds precisely what you want. And if all is well, bit by bit identical, every time over and over. The operating system is of critical importance, as it forms the basis of everything running on top. The benefits from Robotnix however stretch beyond the operating systems it can build. There are orders of magnitude more people working on apps that run on top of the operating system layer, and these can also use Robotnix - once the OS is there, with the same convenience and assurances it can build any apps that one needs to have built along. Robotnix therefore also fits into a so-called continuous integration pipeline, something that makes sure that new features do not break older parts of applications. With the same convenience, developers can support different versions of the OS and different versions of their application to support older versions of Android or their app too. So people with an older phone model will benefit from longer and better support too, thanks to Robotnix. 
This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. "},{"description":" Rivista Publish and consume news feeds via XMPP Rivista Journal is an open-source, minimalist journaling platform which is designed for writers who want a simple and distraction-free writing experience. It is built to support the XMPP protocol, allowing people to publish content which can be shared and discovered across different platforms, such as Blasta, Libervia, and Movim, over the decentralized network. In addition to being cost-effective and having low maintenance overhead, Rivista Journal focuses on providing a clean interface that emphasizes writing and reading without the clutter often associated with more complex content management systems. The project's own website: https://git.xmpp-it.net/sch/Rivista This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","url":"https://nlnet.nl/project/Rivista/","title":"Rivista"},{"description":" Ripple Safer and faster incremental software builds As it stands, reproducible builds are not accessible to the average developer. Existing projects tackling this problem come with significant caveats: some rebuild packages from scratch, making them practically useless for interactive development, while discouraging users from hacking on the core parts of their system due to cascading rebuilds; others are drastically more efficient, but come with fewer correctness guarantees, and require build scripts to be re-implemented in custom DSLs, making them costly to adopt. 
This is further exacerbated by frustrating, flaky tooling, and the proliferation of compatibility issues arising from inherent constraints of these solutions. Ripple is a hermetic, incremental, meta build system. It provides stronger purity guarantees and improved efficiency over existing solutions, while being completely ecosystem-agnostic. In effect, Ripple can memoize arbitrary programs. This lets users migrate gradually, opting into ecosystem-specific optimizations and abstractions at their own pace, and opens up a huge number of creative possibilities. Ripple aims to make reproducible builds not only easy, but fun — encouraging mainstream adoption, so we might together put to rest the ghost of bygone builds. The project's own website: https://ripple.unfathomable.blue Why does this actually matter to end users? When you start up your computer, you will probably think twice before you download some random piece of software from the internet and run it. You know that doing so could allow unwelcome guests to your computer and your data. Your computer might even end up in a bot net. So when you see some nice piece of software, you will ask yourself the question: can I really trust the software? Perhaps you will check the origin it comes from. Better safe than sorry. Did you miss checking something, though? What about the software that is already on your computer before you started? A computer is not of much use without an operating system. While most computers are sold with an operating system, actually you have the choice to remove that and install something different. Have you thought about the trustworthiness of that fundamental piece of software - your most fundamental travel companion on the wild west of the internet? Trustworthiness is essential. When an operating system has a so called 'back door' (either intentionally or not), someone could extract whatever user data - like personal pictures or home movies - from your computer. 
And the worst thing: without you ever finding out. The operating system guards all the other software, and warns you when you install software from the internet. But itself, it doesn't have to ask for permission. Ever. It doesn't just have \"access all areas\": in fact, it runs the whole show. With commercial software like Microsoft Windows or Mac OS X that you get delivered when you buy a computer, trust in what their closed operating system does will of course always be a leap of faith: as a user you essentially are given no choice. In proprietary systems you do not have the freedom to study the source code, or to control what really happens. So you either trust the vendor, or you'd better not use it. For an increasing number of people, after the revelations from whistleblowers like Edward Snowden, that \"leap of faith\" is not so obvious anymore. They prefer to use free and open source operating systems like GNU Linux, FreeBSD and OpenBSD. These are technology commons: the people that wrote the software allow you to inspect the source code. Even more so, they give you the source code to do anything with it that you like. So you don't just blindly have to take their word for it and trust them, you can take matters into your own hands. One step beyond transparent source code is transparent running code. After all, most software is distributed pre-compiled with no method to confirm whether the binary code you have installed on your system is actually identical to the thoroughly vetted source code. To promote such reproducible code, Ripple helps developers and users transparently and incrementally build programs, without relying on any particular tool or ecosystem. This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. 
","title":"Ripple","url":"https://nlnet.nl/project/Ripple/"},{"title":"pcb-rnd, sch-rnd","url":"https://nlnet.nl/project/Ringdove/","description":" pcb-rnd, sch-rnd Open source EDA suite Ringdove EDA is a modular, portable Electronics Design Automation toolkit mainly targeting the Printed Circuit Board design workflow. The two flagship projects in Ringdove are sch-rnd (schematics capture) and pcb-rnd (printed circuit board editing). Because of the modular layout of the code and the active management of dependencies, both projects are highly portable, both in time (old, present and future systems) and in workflows (interactive graphical design or interactive command line usage or headless automated processing). Ringdove also strives to support file formats of other EDA software, especially for loading proprietary formats, making existing/legacy hardware designs more accessible to the Open Source community. The project's own website: http://repo.hu/projects/sch-rnd Run by the Ringdove EDA project This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. "},{"title":"Ricochet Refresh","url":"https://nlnet.nl/project/Rico/","description":" Ricochet Refresh Anonymous, meta-data free secure messaging Ricochet Refresh, is a metadataless messenger for PCs (Windows, macOS, Unix) that provides anonymity as well as security. By using Tor, it allows people at risk making public interest disclosures to communicate in chat sessions with anonymity to journalists, members of parliament, regulators protecting the environment, financial malfeasance investigators and others who have the power in society to act as corrective mechanisms to serious wrongdoing. 
This project will update Ricochet, reduce known security risks, and ensure continued compatibility with Tor's onion services protocol. The possibility of anonymous communication is important for everyone, but particularly vital for those who risk reprisal in their workplace or other institutions to be able to speak up. Through anonymity, Ricochet Refresh allows the focus to be on the disclosure, not on the source or whistleblower. Thus, the project provides a tool in support of evidence-based reporting in the public interest by creating a safe on-going channel for the journalist to conduct verification as the story develops. The project's own website: https://www.ricochetrefresh.net Why does this actually matter to end users? When you get up in the morning, and read a fine piece of investigative news about a financial scandal, you don't really stop to think much about how news is produced and what the human cost of its production is. Every year, dozens of journalists around the world get killed, because of what they write and who they talk to. Even in democratic countries, people can run the risk of intimidation and retribution. If you happen to be a courageous journalist writing about corruption, gangs or some other social wrong, protecting your sources is more than a matter of principle - it can be a matter of life and death for all parties concerned. Journalists and other vulnerable groups like civil society groups as well as minorities are starting to understand they need to forsake some of the comforts of modern connectivity, in order to avoid danger to their lives and the lives of others. If they use commodity internet communication tools, they will likely put themselves at significant risk. This danger lies not just in leaking the content of what they write and what other people send to them, but more so in the ability to observe who interacts with whom, when, and where they are in the real world while they meet on the internet. 
If you want to be reachable across the internet, you have to constantly let the communication provider follow you wherever you go. With the help of AI and other technologies much can be derived from 'hidden data' you may not have been aware of until now. Next time you use the wifi in the public library while waiting for your informer, who knows who will be sitting behind you? Ricochet Refresh is a revisit of metadata-free communication software that people like journalists and whistleblowers can use to communicate completely anonymously. Ricochet does not reveal users' IP addresses, encrypts all message content, does not require you to sign in somewhere (and leave personal data) and any contact data is stored only on your device, making tracking of your calls and your contacts practically impossible. To do this, Ricochet uses the Tor anonymity network, which is bound for an upgrade that will make Ricochet not work as it wants to anymore. Ricochet Refresh updates the messaging software to keep it compatible with Tor and plans to implement a smartphone and document transfer feature requested by journalists and activists that use the safe communication solution. Through this project journalists, activists and whistleblowers can continue to disclose information safely and freely and keep the public informed. Run by Blueprint for Free Speech This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. "},{"description":" Ricochet Refresh UX Making privacy more user-friendly Ricochet-Refresh is a decentralised, open-source instant-messaging client that allows people to chat with each other anonymously and securely, via the Tor network. This project will strengthen Ricochet-Refresh’s privacy and anonymity guarantees by basing it on the Gosling library. 
The project will also improve user experience and implement various new features one expects from contemporary instant-messaging software, and prepare the way to bring Ricochet-Refresh to Android devices. The project's own website: https://Ricochetrefresh.net Run by Blueprint for Free Speech e.V. This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/Rico-UX/","title":"Ricochet Refresh UX"},{"url":"https://nlnet.nl/project/ReproducibleSBT/","title":"Reproducible Builds in the Scala ecosystem","description":" Reproducible Builds in the Scala ecosystem Deterministic builds for software written in Scala While open source components can be audited through their open version history, there is no guarantee that any binaries that are distributed actually correspond to those sources. The technique to validate this is known as \"Reproducible Builds\": by building the same code on independent infrastructure and verifying the results are identical, you can verify the binary artifacts have not been tampered with. This is useful both for project members who want to verify no malware was inserted via their CI system or developer build machine, and for 'external' auditors who can independently verify the project as a whole is not compromised. This project intends to improve Reproducible Builds for software written in the Scala language, which typically use the 'sbt' build tool. It will do so by making improvements to the sbt-reproducible-builds sbt plugin and other toolchain components such as sbt plugins and the Scala compiler, so that projects will be reproducible 'out of the box' as much as possible. 
The project's own website: https://github.com/raboof/sbt-reproducible-builds This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"description":" Reproducible-openSUSE Reproducible distribution of openSUSE rolling release The Reproducible-openSUSE project is creating a proof-of-concept of a general-purpose Linux distribution based on openSUSE-Tumbleweed. By employing reproducible-builds, it allows independent verification that all its binaries correspond to the sources. This greatly reduces the amount of trust that users need to place in the build infrastructure. It is not only a proving-ground, but also a staging-area for upstreaming changes to make them useful to millions of users. The project's own website: https://en.opensuse.org/openSUSE:Reproducible_openSUSE Run by SUSE / openSUSE This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","title":"Reproducible-openSUSE","url":"https://nlnet.nl/project/Reproducible-openSUSE/"},{"title":"NetBSD Reproducibility","url":"https://nlnet.nl/project/Reproducible-NetBSD/","description":" NetBSD Reproducibility Extend Reproducibility for CTF Debugging Infos and NetBSD Image Creation The NetBSD operating system is built from a single source code repository and supports a great variety of different hardware and CPU variants. NetBSD has a working infrastructure for being reproducible, thus you can verify eg. an install ISO to be created from an untampered repository. 
As NetBSD is technically always cross-compiled, it can be build on several platforms, most commonly on NetBSD itself and on Linux. This project aims to fix two issues where a Linux-based build host creates different output than a NetBSD host. Ports using the newer GCC-12 based compiler usually use the CTF debugging format, where the binary representation (probably due to different sorting) differs between Linux and NetBSD builds. The second issue is with install image creation, where symlinks permissions and owner/permission bits from the building host leak into the image, breaking reproducibility. Both of these issues affect the widely used amd64 (usual PCs and Laptops) and arm/aarch64 (Raspberry Pi) ports. The project's own website: http://toolchain.lug-owl.de/ This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"description":" Reproducible F-Droid Building a trusted app ecosystem with F-Droid F-Droid maintains a complete free software build/sign/deploy stack for securely making signed releases of Android apps in a fully automated way. This has been used since 2010 to run the f-droid.org repository of free software Android apps. Reproducible builds means it is possible to make a strong link between the actual app running on our devices, and the source code which they were built from. When the source code has been thoroughly inspected and is trusted, it is then possible to apply that same trust to the install binary. This project will make this stack much easier for other people and organizations to deploy and use on a daily basis. This allows organizations to run rebuilders to confirm that the releases available on f-droid.org or any F-Droid-compatible repository exactly match the source code. 
The resulting data can then be automatically consumed by the client app so it can communicate to the user that it was confirmed as a reproducible build. The project's own website: https://f-droid.org Run by F-Droid This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","title":"Reproducible F-Droid","url":"https://nlnet.nl/project/Reproducible-F-Droid/"},{"description":" Finish porting Replicant to newer Android version Alternative, free software version of Android Replicant is the only fully free operating system for smartphones and tablets. All the other operating systems for smartphones and tablets use nonfree software to make some of the hardware components work (cellular network modem, GPS, graphics, etc). Replicant avoids that, either by writing free software replacement, by tweaking the system not to depend on it, or, as the last resort by not supporting the hardware component that depends on it. However it is based on Android 6, which is not supported anymore, thus it has way too many security issues to fix, so keeping using this version is not sustainable. This project consists in finishing to port Replicant to Android 9, which now has standardised an interface for the code that makes the hardware components work. Once done, it will also make the free software replacement automatically work on future Android versions. The project's own website: https://redmine.replicant.us/projects/replicant/wiki/Porting_Replicant_to_Android_9 Why does this actually matter to end users? Consumers that go shopping for a new cell phone or tablet these days, at the surface have quite a choice. Even the cheapest of mobile phones sold today, is surprisingly powerful compared to that of a couple of years ago. 
All that seems left for consumers to do is to match their own sense of style and of course budget. If they are really eager, they might compare a limited set of technical specifications: How long does the battery last? How big and bright is the screen? And do games and movies run smoothly? Most users tend to not even bother about that, eager to jump straight to the app stores filled with more applications than a human could feasibly install in their life. What more could a mere user want? Somewhere in the back of our minds there may be lingering some larger, less happy thoughts. What about security and privacy? Who really is in control of our devices? It is not easy to connect the joyous occasion of our (often much anticipated) purchase of a really cool new gadget with societal resilience, our collective future well-being or any other of the larger economic effects of our individual choices... In the early GSM era, there wasn't a single dominant operating system from a single vendor. The market was competitive and rather straightforward from todays perspective. Major efforts like Symbian (which ran on the very popular phones of erstwhile market leader Nokia, but also on those of Siemens, Alcatel, Bosch, Sharp, Sony Ericsson etc) were the result of a pragmatic collaboration on more or less equal footing of many manufacturers. These had a shared development responsibility, and equal opportunities. None of them knew how their users actually used the phones they created: that was the business of the customer. The subsequent rise of the smartphone resulted in market disarray, because the dynamics of the new situation were so different. It wasn't so much a difference in technical quality that set the new masters of the universe apart, it was a complete change of the underlying business model and value proposition few people properly understood - if any. 
The real-world cost of developing and maintaining the first generation of mobile platforms was non-trivial, and price competition in the devices was heavy. And then suddenly a no-visible-cost and feature-rich smartphone operating system appeared on the market. It wasn't produced by any of the current competitors or by an open consortium. The source was a single company that had heavily invested into this for strategic reasons. In parallel Apple was able to launch its own effort, take its slick iPod music player and its strong media presence and market visibility in the desktop space. Their premium iPhone line addressed the most luxurious part of the market - also with the help of Google. The CEO's of both companies even sat on each others boards, so the strategy was certainly aligned. It was a perfect coup. Among the two of them they effectively levered the possibilities of the mobile smartphone platforms, media stores and restricted-access platform-owned app stores to take ownership and control of large parts of the software and content ecosystems at global scale. Traditional phone manufacturers (many of which were European due to the success of the pioneering GSM standard) had historically been just selling a phone at competitive margins (with \"no strings attached\"). The whole economy of their operations and ecosystem of collaboration was effectively pushed aside by this audacious new strategy. The new Android operating system was funded not by the sale of the product itself, but by the promise of future user data gathering without real limits or much oversight - which had elsewhere proven to be able to create giant revenues. And unlike a desktop computer, a phone is nearly always on. It moves wherever the user goes, and thus it is always near. It has a camera, a microphone and lots of sensors. When users search for something, they use the default search bar which you control. 
So effectively the new \"smart\" phone was primarily a vehicle for extensive data gathering about users, which could be resold and monetized later on. The manufacturers could get the operating system for free. The small margins that could be made on selling the software to they were negligible compared to the advantages later on. And of course at the time there was still a generation adoration of these \"tech darlings\" - press wrote lovingly about the \"reality distortion field\" around Apple's CEO Steve Jobs. Right from the start this conceiled play was extremely profitable for both of them, allowing lots of subsequent investment - into their platforms, into the developer tools, into marketing and into legislative lobby. The \"mobile first\" strategy actually worked out better than anyone would have imagined, especially because the mobile phone operating system produced by Google turned out to be more than just a \"loss leader\". The market funnel of the free option it provided only became visible at the end. Technically advanced and more fair platforms appeared, but were unable to counter the \"winner takes all\" development in time. At present the vast majority of the phones are sold using one of only two operating systems: Android and iOS. In the absence of effective policy and legislative efforts to curb this unfortunate situation, that market dominance is a hard problem to solve at a technical level. In our consumer bubble, we actively contributed and still contribute to this. The software stores of both platforms may offer consumers plenty of options at the application level. This seems quite healthy at first. But when you analyse the situation, it is far from how society should want this to be. This all starts with the fact that users do not have to manually install all applications. Apple has full control and puts its own software in pole position. Google is able to make the manufacturers do the same through contractual obligations. 
The result is the same: a strategic choice of end user applications is preinstalled alongside the platform, and effortlessly available to all users. Many of us have meanwhile become used to these omnipresent \"free\" but closed \"blockbuster\" applications that ship alongside the dominant platforms. As we know from history, for instance through the famous European anticompetition cases against dominant technology companies taking control over web browsers, media players and portable runtimes (Java/C#), preinstalled applications have a huge competitive advantage. Not all users are as technically competent, and this creates enough inertia with consumers to keep manufacturers on a leash. The huge market share of platform 'defaults' like Android's default browser has a deep impact on the market, leaving web developers little room but to follow pretty much everything Google implements - even if they disagree or would actually like to follow proper web standards as produced by W3C. Who can afford for their website or web application to look worse on an operating system with the majority of market share? Apple holds all the cards closely to its chest, and keeps full control. As long as it has Google as competitor, it feels secure from anti-competition measures. Their main strategy to increase control even further is to buy suppliers, or make them sign exclusive contracts keeping others at bay. The defense strategy of Google is publishing most of Android source code. Manufacturers can and have tried to build alternative versions based on that. But in the market real-world control remains tightly with Google through the critical applications which need the \"blockbuster\" restrictively licensed apps and the larger infrastructure - both of which remain tightly closed. A certain percentage of users will always at some point demand these \"free\" applications, while others cannot withstand the social lock-in and will actively push vendors to bow down. 
No small-time manufacturer can afford to be out. The platforms realise this powerful position very well, and are not afraid to leverage it. Either a manufacturer is all-in, or all-out: it cannot selectively allow individual users to use blockbuster applications later on. This cut-throat dilemma has left the companies that make the actual phones little choice but to accept unattractive licensing conditions that restrict their freedom to innovate. And even if they do comply with all the demands including a non-disclosure agreement to seal their lips, their license can be withdrawn at any time. In fact this may even happen due to geo-political pressure, as a very large Chinese manufacturer of Android found out to its great dismay in May 2019 when it was banned from future upgrades to Android. That can happen to any phone vendor using Android at any time. The rigid control over the platform and the app stores was originally meant as a way to secure access to consumer data. These days, it is actually making an awful lot of money on its own. Consumers are paying a huge and very direct cost for the 'free platform' deal of the manufacturers. The dominant mobile platforms both charge developers up to an incredible 30% of their revenues (more than any VAT rate around the world!). If your company wants to sell enough apps to make a living, you will want to use the default sales channel with the most users. This of course is the platform app store, which comes preinstalled on the prime spot. In fact, most users would not know how to install apps any other way, or are warned against that with scary messages. Selling through the app store means you have to pay up and at the same time obey all kinds of rules. The companies behind the mobile platforms themselves can at any time see an interesting market emerging. At that point there is a clear inequality of arms: if they want, the next update will put their own applications preinstalled on hundreds of millions of devices. 
This gives them a clear and unfair business advantage over anyone else in the market. Meanwhile developers ironically pay for the privilege of being allowed to exclusively develop for the platform concerned, and sell the outcome in the default (and most restrictive) app store. The platform almost certainly has a higher profit margin from the average developer, even if it is a direct competitor. But what can developers do? Their investment into the software they wrote is hard-wired to the initial choice of platform...? Non-trivial applications that run on one mobile platform do not run on another, and require additional effort to write in a way where they can. This invisible 'cost of diversity' to the larger ecosystem of creators (which is orders of magnitude bigger) contributed significantly to the \"winner takes all\" scenario at platform level. When the European Commission orders some app to be developed for citizens to access its services, crowdsource data gathering or inform them of passenger rights, it does not care about creating something for the users of the innovative Finnish mobile platform Sailfish from Jolla - or in fact anyone else. If you look at the apps officially published by the European Commission on the app stores, you will not find any app for any European mobile platform ever published there. The same 'selfish' short term considerations will of course be made even more frequently by smaller actors with less deep pockets, like independent publishers. As a result the market will make the largest platforms larger, and will completely ignore the rest. In the new mobile world we live in now, control as a user is limited to the very surface of things. Significant privacy and security issues start directly below that surface. You don't really know what the platform actually does while executing apps, and more importantly, who sees your data - or if you are a business, looks at the data of your customers. 
When you use one of the hundreds of thousands of existing apps and games, you only see the service they provide. But you can't inspect or even see what more they take. What does an app do exactly when you click on the pretty icon? This is very much unlike for instance interacting with a web page, which is fully transparent. As it turns out, mobile apps do lots of things users do not know about, and would not agree with if they did. In some cases literally hundreds of companies have been known to get access to data on the phone. A consumer-friendly platform should empower the user to notice and take action, or even make it technically impossible. However, the companies that produce the operating systems seem to have other interests. Have you ever wondered why everyone tells you your desktop computer needs a firewall and you are allowed full control to see everything happen? Now stop and think about why your cell phone does not have the very same level of firewall capabilities, but only very much simplified and less capable? So what can we as a society do in the face of such a complex situation of market failure, anti-competitive practices, perverse incentives and general confusion? How do we give control back to the users? How do we create equal opportunities for European phone manufacturers? How do we stop the unfair \"platform tax\" on app developers, stimulating employment and startups? One reasonable direction is to try and lay the groundwork for creating viable alternative platforms. Such a fundamental approach is necessary in order to end these extractive practices and the resulting lack of consumer freedom. Smart phones are really just small computers. This means we can build upon plenty of meanwhile mature building blocks and technical work done over decades. In fact, both Android and iOS followed the same path. They were not created from scratch, but based on existing open source projects for desktop and server operating systems. 
There is nothing magical, it is just engineering work. This is what this project contributes to: it provides an alternative to stock Android. The Replicant project has been building a variant of Android without any unknown parts, unlike the Android which is preinstalled on most phones: all the source code is available for inspection and collaborative improvement as a matter of principle. As new versions of Android emerge, their software needs to be synchronised to keep up with consumer expectations and remain compatible with new applications emerging. Otherwise the user would pay for regaining control by being locked to outdated functionality - which would not really contribute to more users making the choice for more privacy. Run by Replicant and the FSF This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. ","url":"https://nlnet.nl/project/ReplicantUpdate/","title":"Finish porting Replicant to newer Android version"},{"url":"https://nlnet.nl/project/Replicant-graphics/","title":"Graphics acceleration on Replicant","description":" Graphics acceleration on Replicant Free software graphics drivers for mobile phones The project aims to create a free software graphics stack for Replicant 9 that is compatible with OpenGL ES (GLES) 2.0 and can do software rendering with a decent performance, or GPU rendering if a free software driver is available. Replicant is a fully free software Android distribution that puts emphasis on freedom, privacy and security. It is based on LineageOS and replaces or avoids every proprietary component of the system. Replicant is so far the only distribution for smartphones that is endorsed by the Free Software Foundation as meeting the Free System Distribution Guidelines. 
Due to its strict commitment to software freedom, Replicant does not use the proprietary GPU drivers that are shipped with other Android distributions. The project aims to put together a new graphics stack for the upcoming Replicant 9 that is GLES 2.0 capable. The project will then focus on improving the performance by fine tuning its OpenGL operations and leveraging hardware features. Finally, the focus will shift to the integration of the Lima driver, a free software driver for ARM Mali-4xx GPUs, which will allow offloading some GLES operations to the GPU. This will greatly increase graphics performance and thus usability. The project's own website: https://redmine.replicant.us/projects/replicant/wiki/Tasks_funding#Graphics-acceleration Why does this actually matter to end users? Consumers that go shopping for a new cell phone or tablet these days, at the surface have quite a choice. Even the cheapest of mobile phones sold today is surprisingly powerful compared to that of a couple of years ago. All that seems left for consumers to do is to match their own sense of style and of course budget. If they are really eager, they might compare a limited set of technical specifications: How long does the battery last? How big and bright is the screen? And do games and movies run smoothly? Most users tend to not even bother about that, eager to jump straight to the app stores filled with more applications than a human could feasibly install in their life. What more could a mere user want? Somewhere in the back of our minds there may be lingering some larger, less happy thoughts. What about security and privacy? Who really is in control of our devices? It is not easy to connect the joyous occasion of our (often much anticipated) purchase of a really cool new gadget with societal resilience, our collective future well-being or any other of the larger economic effects of our individual choices... 
In the early GSM era, there wasn't a single dominant operating system from a single vendor. The market was competitive and rather straightforward from today's perspective. Major efforts like Symbian (which ran on the very popular phones of erstwhile market leader Nokia, but also on those of Siemens, Alcatel, Bosch, Sharp, Sony Ericsson etc.) were the result of a pragmatic collaboration on more or less equal footing of many manufacturers. These had a shared development responsibility, and equal opportunities. None of them knew how their users actually used the phones they created: that was the business of the customer. The subsequent rise of the smartphone resulted in market disarray, because the dynamics of the new situation were so different. It wasn't so much a difference in technical quality that set the new masters of the universe apart, it was a complete change of the underlying business model and value proposition few people properly understood - if any. The real-world cost of developing and maintaining the first generation of mobile platforms was non-trivial, and price competition in the devices was heavy. And then suddenly a no-visible-cost and feature-rich smartphone operating system appeared on the market. It wasn't produced by any of the current competitors or by an open consortium. The source was a single company that had heavily invested into this for strategic reasons. In parallel Apple was able to launch its own effort, take its slick iPod music player and its strong media presence and market visibility in the desktop space. Their premium iPhone line addressed the most luxurious part of the market - also with the help of Google. The CEOs of both companies even sat on each other's boards, so the strategy was certainly aligned. It was a perfect coup. 
Between the two of them they effectively leveraged the possibilities of the mobile smartphone platforms, media stores and restricted-access platform-owned app stores to take ownership and control of large parts of the software and content ecosystems at global scale. Traditional phone manufacturers (many of which were European due to the success of the pioneering GSM standard) had historically been just selling a phone at competitive margins (with \"no strings attached\"). The whole economy of their operations and ecosystem of collaboration was effectively pushed aside by this audacious new strategy. The new Android operating system was funded not by the sale of the product itself, but by the promise of future user data gathering without real limits or much oversight - which had elsewhere proven to be able to create giant revenues. And unlike a desktop computer, a phone is nearly always on. It moves wherever the user goes, and thus it is always near. It has a camera, a microphone and lots of sensors. When users search for something, they use the default search bar which you control. So effectively the new \"smart\" phone was primarily a vehicle for extensive data gathering about users, which could be resold and monetized later on. The manufacturers could get the operating system for free. The small margins that could be made on selling the software to them were negligible compared to the advantages later on. And of course at the time there was still a general adoration of these \"tech darlings\" - press wrote lovingly about the \"reality distortion field\" around Apple's CEO Steve Jobs. Right from the start this concealed play was extremely profitable for both of them, allowing lots of subsequent investment - into their platforms, into the developer tools, into marketing and into legislative lobbying. 
The \"mobile first\" strategy actually worked out better than anyone would have imagined, especially because the mobile phone operating system produced by Google turned out to be more than just a \"loss leader\". The market funnel of the free option it provided only became visible at the end. Technically advanced and more fair platforms appeared, but were unable to counter the \"winner takes all\" development in time. At present the vast majority of the phones are sold using one of only two operating systems: Android and iOS. In the absence of effective policy and legislative efforts to curb this unfortunate situation, that market dominance is a hard problem to solve at a technical level. In our consumer bubble, we actively contributed and still contribute to this. The software stores of both platforms may offer consumers plenty of options at the application level. This seems quite healthy at first. But when you analyse the situation, it is far from how society should want this to be. This all starts with the fact that users do not have to manually install all applications. Apple has full control and puts its own software in pole position. Google is able to make the manufacturers do the same through contractual obligations. The result is the same: a strategic choice of end user applications is preinstalled alongside the platform, and effortlessly available to all users. Many of us have meanwhile become used to these omnipresent \"free\" but closed \"blockbuster\" applications that ship alongside the dominant platforms. As we know from history, for instance through the famous European anticompetition cases against dominant technology companies taking control over web browsers, media players and portable runtimes (Java/C#), preinstalled applications have a huge competitive advantage. Not all users are as technically competent, and this creates enough inertia with consumers to keep manufacturers on a leash. 
The huge market share of platform 'defaults' like Android's default browser has a deep impact on the market, leaving web developers little room but to follow pretty much everything Google implements - even if they disagree or would actually like to follow proper web standards as produced by W3C. Who can afford for their website or web application to look worse on an operating system with the majority of market share? Apple holds all the cards closely to its chest, and keeps full control. As long as it has Google as competitor, it feels secure from anti-competition measures. Their main strategy to increase control even further is to buy suppliers, or make them sign exclusive contracts keeping others at bay. The defense strategy of Google is publishing most of Android source code. Manufacturers can and have tried to build alternative versions based on that. But in the market real-world control remains tightly with Google through the critical applications which need the \"blockbuster\" restrictively licensed apps and the larger infrastructure - both of which remain tightly closed. A certain percentage of users will always at some point demand these \"free\" applications, while others cannot withstand the social lock-in and will actively push vendors to bow down. No small-time manufacturer can afford to be out. The platforms realise this powerful position very well, and are not afraid to leverage it. Either a manufacturer is all-in, or all-out: it cannot selectively allow individual users to use blockbuster applications later on. This cut-throat dilemma has left the companies that make the actual phones little choice but to accept unattractive licensing conditions that restrict their freedom to innovate. And even if they do comply with all the demands including a non-disclosure agreement to seal their lips, their license can be withdrawn at any time. 
In fact this may even happen due to geo-political pressure, as a very large Chinese manufacturer of Android found out to its great dismay in May 2019 when it was banned from future upgrades to Android. That can happen to any phone vendor using Android at any time. The rigid control over the platform and the app stores was originally meant as a way to secure access to consumer data. These days, it is actually making an awful lot of money on its own. Consumers are paying a huge and very direct cost for the 'free platform' deal of the manufacturers. The dominant mobile platforms both charge developers up to an incredible 30% of their revenues (more than any VAT rate around the world!). If your company wants to sell enough apps to make a living, you will want to use the default sales channel with the most users. This of course is the platform app store, which comes preinstalled on the prime spot. In fact, most users would not know how to install apps any other way, or are warned against that with scary messages. Selling through the app store means you have to pay up and at the same time obey all kinds of rules. The companies behind the mobile platforms themselves can at any time see an interesting market emerging. At that point there is a clear inequality of arms: if they want, the next update will put their own applications preinstalled on hundreds of millions of devices. This gives them a clear and unfair business advantage over anyone else in the market. Meanwhile developers ironically pay for the privilege of being allowed to exclusively develop for the platform concerned, and sell the outcome in the default (and most restrictive) app store. The platform almost certainly has a higher profit margin from the average developer, even if it is a direct competitor. But what can developers do? Their investment into the software they wrote is hard-wired to the initial choice of platform...? 
Non-trivial applications that run on one mobile platform do not run on another, and require additional effort to write in a way where they can. This invisible 'cost of diversity' to the larger ecosystem of creators (which is orders of magnitude bigger) contributed significantly to the \"winner takes all\" scenario at platform level. When the European Commission orders some app to be developed for citizens to access its services, crowdsource data gathering or inform them of passenger rights, it does not care about creating something for the users of the innovative Finnish mobile platform Sailfish from Jolla - or in fact anyone else. If you look at the apps officially published by the European Commission on the app stores, you will not find any app for any European mobile platform ever published there. The same 'selfish' short term considerations will of course be made even more frequently by smaller actors with less deep pockets, like independent publishers. As a result the market will make the largest platforms larger, and will completely ignore the rest. In the new mobile world we live in now, control as a user is limited to the very surface of things. Significant privacy and security issues start directly below that surface. You don't really know what the platform actually does while executing apps, and more importantly, who sees your data - or if you are a business, looks at the data of your customers. When you use one of the hundreds of thousands of existing apps and games, you only see the service they provide. But you can't inspect or even see what more they take. What does an app do exactly when you click on the pretty icon? This is very much unlike for instance interacting with a web page, which is fully transparent. As it turns out, mobile apps do lots of things users do not know about, and would not agree with if they did. In some cases literally hundreds of companies have been known to get access to data on the phone. 
A consumer-friendly platform should empower the user to notice and take action, or even make it technically impossible. However, the companies that produce the operating systems seem to have other interests. Have you ever wondered why everyone tells you your desktop computer needs a firewall and you are allowed full control to see everything happen? Now stop and think about why your cell phone does not have the very same level of firewall capabilities, but only very much simplified and less capable? So what can we as a society do in the face of such a complex situation of market failure, anti-competitive practices, perverse incentives and general confusion? How do we give control back to the users? How do we create equal opportunities for European phone manufacturers? How do we stop the unfair \"platform tax\" on app developers, stimulating employment and startups? One reasonable direction is to try and lay the groundwork for creating viable alternative platforms. Such a fundamental approach is necessary in order to end these extractive practices and the resulting lack of consumer freedom. Smart phones are really just small computers. This means we can build upon plenty of meanwhile mature building blocks and technical work done over decades. In fact, both Android and iOS followed the same path. They were not created from scratch, but based on existing open source projects for desktop and server operating systems. There is nothing magical, it is just engineering work. This is what this project contributes to: it will help alternative operating systems to use the graphics hardware inside modern phones to lower their power usage. The Replicant project has been building a variant of Android without any unknown parts, unlike the Android which is preinstalled on most phones: all the source code is available for inspection and collaborative improvement as a matter of principle. This means R&D is necessary to replace all the closed components with secure, open ones. 
Smooth graphics make a lot of difference to users, but they are also important to reduce energy usage: without the ability to use the dedicated graphics module of the phone, the computations will be done (rather inefficiently) by the core processor of the phone. This means the user would pay for regaining control by additional battery usage - which is obviously not really an option for most consumers, given the already problematic battery usage dependency.... Run by Replicant This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. "},{"description":" Replicant on Pinephone 1.2 Add basic support for the Pinephone 1.2 to Replicant Replicant is the only fully free operating system for smartphones and tablets. All the other operating systems for smartphones and tablets use nonfree software to make some of the hardware components work (cellular network modem, GPS, graphics, etc). Replicant avoids that, either by writing free software replacement, by tweaking the system not to depend on it, or, as the last resort by not supporting the hardware component that depends on it. The goal is to first adapt support for the Pinephone and various other hardware (mainly from GLODroid), to make it generic and reusable by other Android distributions and smartphones to improve collaboration between Android distributions using mainline linux kernels. The project's own website: https://redmine.replicant.us/projects/replicant/wiki This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. 
","url":"https://nlnet.nl/project/Replicant-Pinephone/","title":"Replicant on Pinephone 1.2"},{"title":"Replicant on Guix","url":"https://nlnet.nl/project/Replicant-Guix/","description":" Replicant on Guix Reproducible build infrastructure for Replicant This project is archived. Due to circumstances, the project as planned did not take place. This page is left as a placeholder, for transparency reasons and to perhaps inspire others to take up this work. The project summary for this project is not yet available. Please come back soon! The project's own website: https://guix.gnu.org This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. "},{"title":"Repath Studio","url":"https://nlnet.nl/project/RepathStudio/","description":" Repath Studio SVG editor written in Clojurescript Repath Studio is a cross platform vector graphics editor, that combines procedural tooling with traditional design workflows. It includes an interactive shell, which allows evaluating code to generate shapes, or even extend the editor on the fly. Supporting multiple programming languages and enriching the existing API is planned. The tool relies heavily on the SVG specification, and aims to educate users about it. Creating and editing SMIL animations - an SVG extension – is an important aspect of the project, that is yet to be fully implemented. An advanced undo/redo mechanism is used to maintain a full history tree of actions in memory, so users will never lose their redo stack. We are exploring ways to persist this history to disk. Some built-in accessibility testing tools are already included, but we want to add more. Extensibility is also something that we want to enhance, in order to allow creating and sharing custom tools and workflows. 
Integrations with third party tools will also be investigated. The project's own website: https://repath.studio This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"title":"Reowolf","url":"https://nlnet.nl/project/Reowolf/","description":" Reowolf Rip and replace for BSD socket insecurity The Reowolf project aims to replace a decades-old application programming interface (BSD-style sockets) for communication on the Internet. In this project, a novel programming interface is implemented at the systems level that is interoperable with existing Internet applications. Currently, to increase quality of service (e.g. intrusion detection, latency and throughput) non-standard techniques are applied. Internet service providers resort to deep packet inspection to guess applications' intent, and BSD-style socket programming is error-prone and tweaking is fragile. This project resolves these problems: it provides support to middleware to further improve quality of service without having to give up on privacy, and makes programming of Internet applications easier to do correctly and thus more reliable. The project's own website: https://reowolf.net Why does this actually matter to end users? Many of the underlying core technologies we use on computers date from an era when the internet was in its infancy. Security wasn't a primary concern, and thus wasn't part of the design decisions. Sockets are such a technology, dating back to the early eighties. Sockets are a convention that is used by all the software that needs to communicate across a network. A socket basically is a placeholder of the network connection inside the computer. 
Applications will send traffic to that placeholder - and the operating system will take care of the rest. The technical design was flexible enough to survive the intervening decades, but offered users almost no control or insight as to what is happening. Essentially it functions as a software hose connecting the inside of the operating system with the outside world. The key problem we face today is the fundamental security and trust issues which that design is completely ignorant of. It doesn't understand that not every application should be allowed to do the same things. In particular, as soon as a user is allowed to use a socket because of some legitimate application, all the applications that belong to the same user can use it. Multiple applications can use the same socket at the same time, and none of them would be able to see what other applications are doing. Because data is actually being sent from your computer to the outside, that can become a critical issue real fast. This design is part of pretty much every operating system currently on the market. And worse: the technology is not just present, but is actually still heavily used. The Reowolf project is geared to providing a next generation solution to make network connections safer. Instead of a hose that bits are pumped through, it provides a smart connector. That connector allows synchronising data from multiple sources from inside to outside and vice versa. The key difference between the technology developed within Reowolf and a classic socket is that Reowolf will allow this to be done in a controlled way. Unlike a socket, such a connector allows for high-level verification, compilation and optimization techniques. So you can clean up, or selectively filter, the incoming and outgoing traffic. This significantly and directly improves the control the user has over the connections the computer makes across the internet, and allows for many interesting user benefits such as dynamic configuration. 
Reowolf thus offers a systems level solution for the next generation internet. Run by CWI This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. "},{"url":"https://nlnet.nl/project/Renderling/","title":"Renderling","description":" Renderling Real-time rendering library on top of WebGPU Renderling is an innovative, GPU-driven real-time renderer designed for efficient scene rendering with a focus on leveraging GPU capabilities for nearly all rendering operations. Utilizing Rust for shader development, it ensures memory safety and cross-platform compatibility, including web platforms. The project, currently in the alpha stage, aims for rapid loading of GLTF files and handling large, animated scenes with many lighting effects. Development emphasises performance, safety, observability, and the use of modern rendering techniques like forward+ rendering and physically based shading. The project's own website: https://renderling.xyz This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"description":" Renderling ecosystem Renderling Renderling is a state-of-the-art, GPU-driven renderer that focuses on maximizing GPU capabilities for efficient scene rendering. The project is currently in the alpha stage and aims to enhance its adoption by addressing ecosystem challenges and collaborating with insdustry leaders from Mozilla and more. Renderling's development prioritizes performance, safety, and modern rendering techniques such as forward+ rendering, physically based shading and global illumination. 
The project is designed to support both native and web platforms, with a particular focus on the creation of \"instant games\" that are portable across platforms. The project's own website: https://renderling.xyz This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/Renderling-Ecosystem/","title":"Renderling ecosystem"},{"description":" Redwax Server Modernisation Self-hostable X509 certificate based identity management solution The Redwax Project is a set of tools and web server modules to make it easy to build and deploy secure services on the web. The Redwax modular certificate authority mod_ca provides a set of Apache http server modules that can be combined to form various types of certificate authorities, issuing certificates from a Certificate Sign Request, or with the SPKAC and SCEP protocols, servicing certificate revocation with CRLs and OCSP, and creating timestamps. The Redwax tool provides a mechanism to read certificates and keys from a wide variety of sources, automatically associating leaf, intermediate, and trusted certificates, and optionally their private keys, then showing the metadata of or writing the certificates in a wide variety of target formats. This project will update the key modules, adjust to the current Apache API's and also fully implement the meanwhile published RFC 8894. The project's own website: https://redwax.eu Why does this actually matter to end users? 
There is an increasing need for data sovereignty, but many security tools are too complex for people to deploy, or rely on software as a service provided in specific regions or by specific providers - forcing the administrator to trust where that is not warranted. Redwax is a modular certificate authority that provides a set of Apache http server modules which can be combined to form various types of certificate authorities. The Apache http web server has a widely understood and mature module system, and Redwax mod_ca extends that system to allow custom certificate authorities to be developed and deployed on systems as small as a Raspberry Pi. Redwax tool is an auxiliary tool that helps to automate certificate handling among different formats, to provide tab completion on inputs, to provide coherent error messages when something has gone wrong and why, and to make certificates significantly easier to use. Run by Pepperpot Media Limited This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/Redwax-SCEP-LDAP/","title":"Redwax Server Modernisation"},{"description":" Redwax Standardisation of client side PKI interfaces The internet was not designed as a public infrastructure and most of the engineering trade-offs of the lower-layer technologies have generally erred on the side of accommodating fast growth and ease rather than values such as security, confidentiality and privacy. Yet today the internet is everywhere from providing a place for democratic discourse to healthcare to finance and personal communication. 
Redwax aims to decentralise trust management so that the values security, confidentiality and privacy can be upheld in public infrastructure and private interactions. The overarching goal of Redwax is to strengthen the existing technologies and infrastructure by providing a modular and practical set of tools to manage public key based trust infrastructures as currently used. These tools capture and hard code a lot of industry best practice and specialist PKI knowledge so that they can be put into the hands of a much wider community than currently served by a few specialist industries. With this project the Redwax team hopes to help re-establish (and/or strengthen) the support for these non-centralized trust management technologies inside web browsers and other relevant applications by working with standards organizations and industry coordination groups, and to create the initial reference implementations for their standardisation. The project's own website: https://redwax.eu Why does this actually matter to end users? One of the oldest questions on the internet is: how do you adequately prove you are you? Or perhaps the reverse formulation offers a better mental model: how do you prevent others from succeeding in pretending they are you? Now let's flip this question around once more: how would you like to see this managed yourself, if you could? How heavy-weight or convenient do you want to be proven that you are you, to allow you to get into your own environment or have something done on your behalf? And what is it worth to you in terms of effort? Would you be willing to spend a minute to have some clever secure device you have in your pocket involved? Authenticate via your mobile phone? And what if you are in a rush, or on the go? Are you happy with some company like your email provider or a large social network having the ability to make that judgement, based on a user login a few hours ago? 
And what if that company is based in some other jurisdiction, and could be forced to let others in as well? Or would you rather choose your own identity, and formulate direct rules to have complete control at any given point? As could be guessed, individual people have a need for different levels of confidence and security in different contexts. A security breach matters perhaps less if you just want to log in to a music service to change a playlist. After all, the worst that can happen is that someone messes things up and you have to create a new one. It matters a great deal more if you want to do a significant financial transaction at work, or open the door of your house remotely to let the babysitter in while you are delayed in traffic. Perhaps you can think of scenarios where you want even more control. So what proof to use as the basis of your trust, and the subsequent actions taken? Historically people rely on some authority they collectively trust. Such an authority has typically taken high tech countermeasures to make the channel through which that trust is conveyed hard to forge. A passport or banknote is quite tricky to fabricate due to the use of special techniques. Online we have only a very limited number of trust \"anchors\" of varying quality. The domain name system is such an anchor, digital certificates or customer relationships are another. Today, having access to a certain mail account or phone which is known to be yours is the most common proof used. Email is often called the \"poor man's solution\" to identity management, and it is what most organisations and businesses fall back on. Can't log in? We will send you an email to reset your login. Just click on the link. And of course, email was never designed to be safe. It kind of works, but really we can do better. Perhaps your use cases require more strict proof than that of normal consumers, or less strict proof. 
Even for a single large service provider, it would be hard to figure this out satisfactorily for all users. For the same reason people write their own testament to document what should happen with things they own or control after they die, you want to document what should happen with things you own or control when you are physically absent. There is no universal will that is acceptable to all, nor is there a universal policy that satisfies all use cases. So what if you yourself would be able to create and control your own identity, and determine your own proofs and methods? In order to function in a global internet, you would need to be able to convey your requirements and demands in a portable way. There would be no central authority dictating to you what to do here. That would mean you yourself would have to make things explicit upfront in a foolproof way - so that elsewhere on the internet people and services would know what you expect them to do to distinguish the real you from fraudsters. This project will push decentralized trust management forward and make it instantly usable for all sorts of online services. Right now there is a lack of suitable standards for decentralized trust management in browsers. Using existing software that embodies best practices in the field, new standards will be developed that make decentralized trust management accessible and easy to implement. This way secure and decentralized identity management can become the default, making for a more trustworthy and less centralized internet. Run by Red Wax This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. 
","title":"Redwax","url":"https://nlnet.nl/project/Redwax-PKI/"},{"description":" io_uring-like IO for Redox Introduce ring buffers in Redox to increase I/O performance Redox OS is a Unix-like microkernel-based operating system written in Rust, intended for both the cloud and the desktop. The purpose of this project is to implement ring buffers for requests and data transfers between key microkernel components, and to measure the potential for performance gains. We will be examining ring buffers connecting drivers to system services, system services to the kernel, and system services to applications. We will also investigate compatibility APIs such as liburing. The project's own website: https://redox-os.org/ Run by Redox OS Nonprofit This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","title":"io_uring-like IO for Redox","url":"https://nlnet.nl/project/RedoxOS-ringbuffer/"},{"title":"Redox OS Unix-style Signals","url":"https://nlnet.nl/project/RedoxOS-Signals/","description":" Redox OS Unix-style Signals Add Unix-style signal handling to Redox Operating System Redox OS is a Unix-like microkernel based operating system written in Rust. It is intended to provide a secure and reliable alternative to Linux. Redox is continuing to add functionality to provide source-code compatibility for most Linux software. This project will provide Redox with Linux-compatible inter-process signals, including signalling to process groups, processes and threads, and improved process management. 
The project's own website: https://www.redox-os.org Run by Redox OS nonprofit This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"description":" Redox Flow Battery Development Kit for Open-Source Hardware Redox Flow Battery The clean energy transition is underway, and batteries are becoming more common in everyday life. Stationary batteries can perform many roles, like reversibly storing intermittent renewable energy or providing backup power and services to the electrical grid, including internet infrastructure. Right now, lithium-ion batteries—also used in portable electronics and electric vehicles—are increasingly used for stationary applications. Lithium-ion batteries are, however, not ideal in terms of lifetime, cost, safety, and supply chain sustainability. There are viable alternatives to lithium-ion batteries for stationary storage, such as flow batteries, which are being commercialized but are not yet widespread. We plan to democratize flow battery technology by developing an open-source flow battery and starting an associated community around it. We will start with a benchtop-scale development kit, suitable for educational and research use, before progressing towards larger cells. With this NLnet funding, we plan to finish our first release of a 5 cm² kit as well as design and test the subsequent 25 cm² cell. The project's own website: https://fbrc.dev Run by Flow Battery Research Collective This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. 
","title":"Redox Flow Battery","url":"https://nlnet.nl/project/RedoxFlowBattery/"},{"description":" Real Time Litex Extension Real time capabilities for FPGA-based RISC-V core The Core-Local Interrupt Controller (CLIC) is a RISC-V standard extension that enhances real-time performance by enabling the prioritization of interrupts based on levels and priorities. This feature allows developers to have fine-grained control over interrupt prioritization, leading to more efficient handling of real-time events. In this project, we propose to replace the original interrupt controller of the VexRiscv based processor core family with CLIC. By implementing the CLIC, VexRiscv can efficiently propagate the highest-level, highest-priority pending interrupt to the core, significantly improving real-time responsiveness. The CLIC implementation also introduces features like selective hardware vectoring and the special register (xnxti CSR), which further optimize interrupt handling. The project's own website: https://disdi.github.io/linux_RT This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","url":"https://nlnet.nl/project/RealTime-Litex/","title":"Real Time Litex Extension"},{"url":"https://nlnet.nl/project/Reaction/","title":"Reaction","description":" Reaction Event-based system programming A lot of bots roam the internet, scanning server ports and web endpoints, and filling out any web form they come across - continuously on the lookout for vulnerabilities to exploit. In order to maintain server security, one of the currently most common defense mechanisms is to monitor logs for repetitive behaviour, or specific patterns implying the involvement of bots. 
With tools like fail2ban, one can write simple rules to automatically isolate machines identified as suspect. Reaction wants to provide a more modern and efficient approach to regex-based log scanning, allowing multiple reaction instances to communicate, sharing bans across an entire infrastructure as well as more intelligent and user-friendly soft bans. This extends the scope of this class of tooling allowing it to act as a light monitoring tool, or an orchestrator for any other event-based actions. The project's own website: https://reaction.ppom.me This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"description":" Reach Cryptographic Infrastructure for Anonymous Communication Reach addresses a gap in privacy-preserving communication infrastructure for scenarios involving surveillance risks, device seizure threats, and the need for safe ongoing dialogue between anonymous individuals and trusted groups. The open-source platform uses ECDH-based Oblivious Message Retrieval to enable anonymous individuals to establish first-contact and maintain bidirectional communication while preventing semi-honest infrastructure providers and third-party observers from learning communication patterns. By implementing asymmetric forward secrecy, organisations that deploy Reach maintain full forward secrecy with persistent keys, while anonymous parties achieve privacy and confidentiality without storing or outsourcing any cryptographic material. Reach delivers self-hostable infrastructure and formally verified cryptographic schemes for the broader privacy ecosystem. 
The project's own website: https://codeberg.org/reachable-systems/reach This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/Reach/","title":"Reach"},{"url":"https://nlnet.nl/project/ReOxide/","title":"ReOxide","description":" ReOxide Improving Rust Decompilation Modern compiled languages such as Rust and Go are notorious for producing binaries that are difficult to reverse engineer by default. As these languages grow in popularity, they are increasingly being used in proprietary products and are also attracting malware developers. In order to audit binary software and analyze malware, it is therefore necessary to improve reverse engineering tools with special support for specific languages. To fill this gap, we are developing the ReOxide framework, which targets the reverse engineering of Rust programs. In the presence of extensive compile-time code generation and strong memory optimizations, existing decompilers reach their limits when trying to recreate C-like languages. The design goal of ReOxide is therefore to build on top of the Ghidra decompiler and make it extensible for custom analysis passes. This will allow us to gather information that is readily available during decompilation itself, but not through Ghidra's public plugin API. We will use this information to address Rust specific language features, but also try to keep the extensions general enough for other languages. 
The project's own website: https://reoxide.eu Run by SBA Research gGmbH This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. "},{"title":"Re-isearch","url":"https://nlnet.nl/project/Re-iSearch/","description":" Re-isearch Vectorise text with a flexible unit of retrieval Project re-isearch: a novel multimodal search and retrieval engine using mathematical models and algorithms different from the all-too-common inverted index (popularized by Salton in the 1960s). The design allows it to have no limits on the frequency of words, term length, number of fields or complexity of structured data and support even overlap--- where fields or structures cross each other's boundaries (common examples are quotes, line/sentences, biblical verse, annotations). Its model enables a completely flexible unit of retrieval and modes of search. Initial project outcome: a freely available and completely open-source (and multiplatform) C++ library, bindings for other languages (such as Python) and some reference sample code using the library in some of these languages. The project's own website: http://www.nonmonotonic.net/re-isearch Why does this actually matter to end users? “Re-isearch” is a project following in the spirit of the original isearch developed back in the 1990s. Like the original, it is not just about textual words but the design contains a large number of objects: numerical, range, geospatial etc. 
It is unique among full-text systems in that it also provides numerous object types with their own methods of search and allows these to be viewed in parallel as text--- a date field (of which it will be one of the first to support some key parts of the new ISO-8601:2019 standard date semantics), for instance, can be searched as a date but also as text, searching for the words in the field. These objects don't even have to be part of any document but may be available via interface glue into other systems via ODBC, CORBA or object embedding. This allows indexing content--- for example from RSS/XML--- to be stored in and searched from other systems. This is useful in many dynamic applications in commerce and trading (keeping live counts of goods on hand, selling prices, etc.). Objects don’t even have to always be explicitly defined as various doctypes (document handlers) can automatically (if enabled, resp. not disabled) at index time detect a number of field data types (such as that something is a telephone number, a date, etc.). A radical departure from other designs is its concept of search granularity. With typical text indexers one has the concept of document or record and that is the unit of index and the unit of retrieval. Instead we can have a dynamic search time unit of retrieval: user specified or heuristically determined. The structure of documents can be exploited to identify which document elements (such as the appropriate chapter or page) to retrieve. Retrieval granularity may be on the level of sub-structures of a given document or page such as line, paragraph but may also be as part of a larger collection. This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. 
"},{"description":" Re-isearch Schmate Extending re-Isearch with a flat vector datatype for embeddings Schmate is the development name for the evolving next iteration of re-Isearch adding vector datatypes for embeddings and applications like retrieval augmented generation (RAG). Schmate (pronounced \"SHMAH-teh\") is Yiddish for rag (שמאטע). In contrast to typical vector stores the proposed re-Isearch+ shall offer a full passage information retrieval system (index and retrieval) using a combination of dense and sparse vectors as well as structure. It is dense passage retrieval (DPR) and a whole lot more. It addresses the stumbling blocks of chunking, has a tight integration of ingest, tokenisation, a number of alternative vector stores and similarity algorithms and, above all, uses a novel combination of understanding document structure (implicit and explicit) to provide a better contextual passage retrieval to solve the problem of misaligned context. This builds on the observation that meaning is also communicated through structure so needs to be viewed in the context of structure. Since structure like the words are meant by the sender (writer) to be received and understood (reader) our approach is to exploit the original author's organization of content to determine appropriate passages rather than relying solely on the chunks. The project's own website: http://www.nonmonotonic.net/re-isearch Run by NONMONOTONIC Networks / ExoDAO / Zimmermann & Zimmermann Forschungs GbR This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). 
","title":"Re-isearch Schmate","url":"https://nlnet.nl/project/Re-Isearch-Vector/"},{"description":" Rauthy Reliable OpenID Connect IdP and IAM solution. Rauthy is a lightweight and easy to use OpenID Connect Identity Provider. It aims to be simple to both set up and operate, with very secure defaults and lots of config options, if you need the flexibility. It puts heavy emphasis on Passkeys and a very strong security in general. The project is written in Rust to be as memory efficient, secure and fast as possible, and it can run on basically any hardware. If you need Single Sign-On support for IoT or headless CLI tools, it's got you covered as well. You get High-Availability, client branding, UI translation, a nice Admin UI, Events and Auditing, and many more features. By default, it does not depend on an external database but runs on top of Hiqlite, an embeddable SQLite database that can form a Raft cluster to provide strong consistency and high availability - although it can use e.g. Postgres as an alternative. This makes it simple to operate, while scaling up to millions of users easily. The project's own website: https://github.com/sebadob/rauthy This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","url":"https://nlnet.nl/project/Rauthy/","title":"Rauthy"},{"url":"https://nlnet.nl/project/Rattler-Python/","title":"Python bindings to the rattler library","description":" Python bindings to the rattler library Rattler is a Rust-based library to interact with the conda package ecosystem (which provides binary, cross-platform software packages for Windows, macOS and Linux). Rattler makes it easy to resolve package dependencies with a SAT solver, download the packages, and create virtual environments on the user’s computer. 
The main focus of this project is the py-rattler bindings, which give users the power to use rattler from Python, to create virtual environments programmatically. Furthermore, py-rattler will be used by other tools in the ecosystem such as the bot infrastructure that powers “conda-forge”, the largest open source repository in the conda universe. The project's own website: http://github.com/mamba-org/rattler Run by prefix.dev GmbH This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. "},{"url":"https://nlnet.nl/project/RaptorLakeDesktop/","title":"Raptor Lake Desktop","description":" Raptor Lake Desktop Implement open-source firmware for modern mainboards and chipsets The Raptor Lake Desktop project aims to deliver open-source firmware support for a modern day motherboard (the MSI PRO Z690-A WIFI DDR4/DDR5 workstation/desktop), enabling users to customize and enhance their hardware. Through open-source firmware, users will have the freedom to modify and adapt the software according to their specific requirements. Building on the success of the Alder Lake Desktop initiative, this project focuses on two key goals: adding support for 13th generation Raptor Lake-S CPUs on existing boards and implementing open-source firmware support for the MSI PRO Z790-P WIFI DDR4/DDR5 boards. The project also includes the development of additional firmware features to improve system functionality and security, such as selective Option ROM loading, ESP partition scanning, power state after power fail option, PCIe Resizable BARs, and XMP memory profile selection. Through community involvement and feedback, the project aims to provide a more personalized and flexible computing experience for board owners. 
The project's own website: https://docs.dasharo.com/variants/msi_z690/overview/ Run by 3mdeb Sp. z o.o. This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. "},{"description":" RADIUSdesk Open wifi mesh deployment application RADIUSdesk and MESHdesk help to set up and manage mesh networks at scale, and are open source from top to bottom. They can be used in tandem to provide public wifi, or set up mesh networks as well as community networks. Allowing someone to flash a cheap access point and then managing it irrespective of the hardware vendor offers great opportunity for poorer communities to enable themselves in terms of providing Internet access. Existing hardware that reached end-of-life can be managed in a similar way (often much simpler) than what the vendors offer. Because there is a RADIUS server included, there is a single integrated system which is able to manage connections as well as the hardware. This enables anyone to set up an end-to-end system that can provide Internet access, with OpenStreetmap integration, alerts, and other advanced features. The project's own website: https://radiusdesk.com Run by Private This project was funded through the User-Operated Internet fund, a fund established by NLnet made possible by financial support from the PKT Community/The Network Steward and stichting Technology Commons Trust. Your donation is welcome too. ","title":"RADIUSdesk","url":"https://nlnet.nl/project/Radiusdesk/"},{"description":" Radio-Meshnet Self-sustained Community and Emergency Radio Networking This project is archived. Due to circumstances, the project as planned did not take place. This page is left as a placeholder, for transparency reasons and to perhaps inspire others to take up this work. 
The project summary for this project is not yet available. Please come back soon! This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","url":"https://nlnet.nl/project/Radio-Meshnet/","title":"Radio-Meshnet"},{"description":" Rackweaver Design and manage physical infrastructure hosting RackWeaver is an AGPLv3+ cross-platform desktop application for designing and managing data center infrastructure. Its describes a complete object representation of one's data centers, including physical locations, port connections, and network configurations. Further, it comprises a suite of tools (both GUI and CLI) to act upon that model and modify it intelligently. It is able to generate documentation, switch configurations, and disk images, aid in system monitoring, and more through a plugin system. RackWeaver is built as a native desktop application (using Python and Qt) so that it continues to run for decades. Additionally, it leverages version control and OpenPGP keys to reliably document all changes to one's infrastructure. RackWeaver is usable by anyone, from a solo sysadmin managing a few machines, to a team overseeing multiple autonomous systems, for those who prefer offline, scriptable, and easy-to-use free/libre software. The project's own website: https://rackweaver.app This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. 
","url":"https://nlnet.nl/project/RackWeaver/","title":"Rackweaver"},{"url":"https://nlnet.nl/project/RVVM/","title":"RVVM","description":" RVVM RISC-V Virtual Machine RVVM is a virtual machine/emulator for RISC-V guests, which emphasizes performance, security, lean code and portability. It runs a lot of guest operating systems, including Linux, Haiku, FreeBSD, OpenBSD, etc, and has a rich device infrastructure (Network adapters, NVMe, HID, PCIe with MSI). Emulation performance is very competitive thanks to the RVJIT dynamic binary translator. Portability is taken very seriously and only requires C99 as a baseline. We also aim to run RISC-V applications on a foreign host without full OS guest (userland emulation, i.e. RISC-V containers). To prevent theoretical VM escape vulnerabilities from being exploited, we enforce kernel-level isolation, strict codestyle and compiler warning policies, extensive static analysis and use of sanitizers/fuzzers. The RVVM infrastructure is meant to be modular and embeddable - the whole project is contained within \"librvvm\" library and a reference VM manager to make use of it. A GDB debug server is also available for kernel developers and the like. The goal under NGI Zero Core is to implement first-class KVM hypervisor support for RISC-V, as well as x86_64 & ARM64 hypervisor variant (reusing the same device emulation infrastructure), shadow pagetable acceleration for guest MMU, and RISC-V Vector extension support which is gaining serious traction and is much needed for software testing. Additionally, a special deduplication image format is in the works which should give immense storage benefits in terms of space saved for build farms and cloud use, as well as atomic write consistency for reliability. 
The project's own website: https://github.com/LekKit/RVVM Run by LekKit This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"description":" RTranslator 3.0 Real-time local translation app for spoken word for Android RTranslator is an open-source, free, and offline real-time translation app for Android; it allows users to translate text and audio with best in class quality. With the Conversation mode, RTranslator can also translate audio virtually in real time and hands free, by connecting to another phone and to a Bluetooth headphone. All the processing is done on device, ensuring total privacy for the user. Under the NGI Mobifree grant, the 3.0 version of the app will be released, upgrading the NLLB translation model to the Mozilla Bergamot models and Madlad 400. MLKit will be replaced, making RTranslator 100% open source. Various techniques will be added to improve translation quality, including: beam search, multi lingual dictionaries, Tatoeba integration and more. The app will be released on Play Store and F-Droid, and a self hosted web version of the app for text translation using Mozilla models will be made available. The project's own website: https://github.com/niedev/RTranslator This project was funded through the NGI Mobifree Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme under the aegis of DG Communications Networks, Content and Technology. The NGI Mobifree R&D programme is part of Horizon Europe research and innovation programme under grant agreement No. 101135795. 
","title":"RTranslator 3.0","url":"https://nlnet.nl/project/RTranslator/"},{"description":" Fast RSA + PQ Blind Signatures Fast multiprecision integers for blind RSA and Post-Quantum signatures We observed significant performance differences between the different implementations of classic RSA signatures in various widely used Free Software cryptographic libraries. Each of the libraries takes a different approach to implementing modular exponentiation, the core operation when generating and verifying RSA signatures. Naturally, RSA signatures would also not be safe in presence of large-scale quantum computers. In this project, we improve the performance of libgcrypt, mbedTLS, GNU nettle and libgmp to ensure that they are on par with the best secure implementations available today. Furthermore, we implement one of the academic post-quantum blind signature schemes, make it available as Free Software and integrate it with GNU Taler. This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","url":"https://nlnet.nl/project/RSA-PQ-BlindSignatures/","title":"Fast RSA + PQ Blind Signatures"},{"description":" Lix RPC RPC framework for scaling Nix Nix is becoming increasingly important in build environments and deployment systems around the world, but the communication protocols it uses internally harken back to a much simpler time and are neither easy to extend with new features nor easy to use from anything except the `nix` CLI tools (which are even harder to version and evolve without breaking things). We will tackle both of these problems by adding a modern and extensible RPC protocol to Lix, using widely supported frameworks available in many languages. 
The project's own website: https://lix.systems Run by Lix This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","title":"Lix RPC","url":"https://nlnet.nl/project/RPC-framework/"},{"url":"https://nlnet.nl/project/RNPConfium/","title":"RNP Confium","description":" RNP Confium Distributed trust store enabling threshold encryption Confium is an open-source distributed trust store framework that enables usage of the new paradigm of threshold encryption, powering new modes such as cryptographic secure multi-factor authentication. It aims to provide a generalized API and an extensible architecture for the usage of trust stores and future cryptographic families, to support standardization efforts of threshold cryptography, and to bridge cryptographers with the practical usage of cryptography. The current project enables implementation of the Confium framework with a 2-out-of-3 threshold RSA signature scheme. The project's own website: https://www.confium.org Why does this actually matter to end users? When you mention encryption or encoding, some are quick to think of exciting, sensational and sometimes shady things: spies exchanging secret messages and handshakes, criminals dealing drugs on the Dark Web, black hat hackers hiding in anonymity. But actually, encryption could not be more commonplace. Every time you call someone on your phone, you fire up your browser, send a chat message to friends, do some online banking, you rely on some complex mathematics behind the screen that makes sure you can talk, bank and browse securely and privately. 
The internet, practically all modern communication technology, could not exist without encryption we can trust to keep our data, our money, our lives, safe. Encryption, however, will never guarantee complete, 100 percent, total security. Or to put it more precisely, the encryption schemes and implementations we use today may not be a match for the computers and use cases of tomorrow. That is why this industry is always looking for the next future-proof scheme and solution to essentially prevent a global hack of all communication: a much discussed recent example would be a quantum computer breaking perhaps the most widely used cryptosystem for secure data transmission. This project aims to advance encryption through something called threshold cryptography, which means you can only prove you are who you are when you have a certain amount of secrets (reach a particular threshold). Think of multi-factor authentication, where you need for example two out of three items like a user password, a one-time password generated by your phone and your fingerprint. Even if one of these items gets lost or stolen, you are still not at risk since you have the other two. This project will provide the tools and architecture to make threshold encryption the standard for secure, private communication, so we can be sure our internet technology is safe against future threats. Run by Ribose Limited This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. "},{"description":" RIVET Cointegration of RISC-V systems with Ethernet The goal of the RIVET project is to develop and incorporate an Ethernet Media Access Controller (MAC) into an already existing organized open-source framework for agile development of RISC-V Systems-on-Chip (SoC) such as Chipyard. 
This work enables development engineers and researchers to equip their custom compute ASIC and FPGA prototypes with a \"plug-and-play\" Internet access feature while providing a ready testbed for next-generation networking devices. By upstreaming the results to Chipyard, the project will deliver the first fully parameterizable Chisel-based Gigabit Ethernet MAC design generator solution in that ecosystem, dramatically lowering the barrier for the global open-hardware and VLSI communities to build network-capable RISC-V systems and subsequently integrate them on a chip. Run by Department of EECS, Faculty of Engineering, University of Kragujevac This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","title":"RIVET","url":"https://nlnet.nl/project/RIVET/"},{"description":" RISC-V Phone Open hardware RISC-V Phone The goal of the \"RISC-V Phone\" project is to develop a simple, fully featured and privacy enhanced mobile phone. It is built using off-the-shelf inexpensive components which are easy to assemble even in a home lab. The software for it is small, simple and easy to audit. Basic phone functionality is running on a secure RISC-V microcontroller (FE310 from SiFive) which controls all peripherals: microphone, speaker, display/touch controller, camera. The phone will be using esp32 for WiFi and Bluetooth, along with industry standard mPCIe modem for cellular communication. Graphics/touch panel controller FT813 enables advanced user experience. The phone will provide VOIP/messaging application using packet data protocol similar to CurveCP which features end-to-end encryption and onion routing. 
There is also a socket for optional ARM SoM which shares display/touch panel with the main board. The project's own website: https://mikrophone.net Why does this actually matter to end users? Consumers and businesses overpay for computer hardware, because the market is not working well. When you go to a store to buy a laptop or mobile phone, you may see different brands on the outside but choice in terms of what is inside the box (in particular the most expensive component, the processor technology) is pretty much limited to the same core technologies and large vendors that have been in the market for decades. This has a much bigger effect on the users than just the hefty price tag of the hardware, because the technologies at that level impact all other technologies and insecurity at that level breaks security across the board. In the field of software, open source has already become the default option in the market for any new setup. In hardware, the situation is different. Users - even very big users such as governments - have very little control over the actual hardware security of the technology they critically depend on every day. Security experts continue to uncover major security issues, and users are rightly concerned about the security of their private data as well as the continuity of their operations. But in a locked-down market there is little anyone can do, because of the lack of alternatives. European companies are locked out of the possibility to contribute solutions and start new businesses that can change the status quo. The issue of insecure hardware becomes even more important when you think of how fast and widespread the use of smartphones has grown. The device that we carry with us every single day and use to call each other, do our personal banking, maintain our social life and manage a host of other online services with is frustratingly opaque and riddled with security vulnerabilities and backdoors. 
And because most smartphones are produced by a select number of massive companies, the entry to market for more secure and private alternative smartphone hardware is practically impossible. The RISC-V Phone is an effort to break through this standstill by simply proving it can indeed be done. The project aims to build a simple privacy-enhanced mobile phone using off-the-shelf components enthusiasts and researchers can easily assemble on their own, allowing for permissionless innovation. All the hardware parts are as open as possible and the software that runs on it is a small collection of auditable components. Emphasis is put on usability and familiarity, so users interested in having a fully transparent phone can simply pick up this device and get on with their lives. This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. ","title":"RISC-V Phone","url":"https://nlnet.nl/project/RISC-V-Phone/"},{"description":" Reduced Feature-set Packet Filter High throughput software firewall The RFPF project aims at bridging the performance gap between the traditional software firewalls (typically choking at 10 Gbit/s line speeds or less) and the already ubiquitous 100 Gbit/s Ethernet. We are developing a user-space software firewall capable of sustaining 100 Mpps processing rates while doing multiple longest prefix matching (LPM) lookups in large datasets (such as BGP or GeoIP) on each packet. The main focus is on locally dampening large-scale packet-flooding attacks, while still being sufficiently flexible for many general-purpose firewalling application scenarios. RFPF uses a multithreaded, lockless userspace datapath, and forwards 60+ Mpps while doing multiple LPM lookups per packet with randomized traffic load, all at a fraction of max. CPU frequency. 
Working both on Linux and FreeBSD, RFPF currently relies on Netmap for fast packet I/O in user space, with a more efficient DPDK based datapath variant being on the near-term roadmap, along with improvements in our LPM lookup engine. The project's own website: http://www.nxlab.fer.hr/dxr This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/RFPF/","title":"Reduced Feature-set Packet Filter"},{"description":" RETETRA3 Security research into TETRA standard Terrestrial Trunked Radio (TETRA) is a European standard for trunked radio used globally by government agencies, emergency services and critical infrastructure. Apart from most European police agencies (such as BOSNET in Germany or RAKEL in Sweden), military operators and emergency services, TETRA is also widely used for SCADA telecontrol of oil rigs, pipelines, transportation and electric and water utilities. Prior research extracted the secret cryptographic functions underpinning TETRA security and made them available for public scrutiny, resulting in the first public in-depth security analysis of TETRA - uncovering five vulnerabilities including a backdoor. We contributed various improvements and bugfixes to the open-source osmocom-tetra stack, as well as adding support for cryptography. This new project has two main components: developing support for uplink demodulation/decoding and message parsing and implementing a stack able to monitor both downlink and uplink traffic simultaneously, as well as working towards FOSS TETRA base station functionality. 
We will also investigate the obscure TETRA E2EE, an optional proprietary solution on top of the standard used in the most sensitive of use cases for TETRA networks, and provide a security analysis as well as a FOSS implementation. This research should shed light on its suitability for mitigating the previously uncovered security issues. Also, we will dig deeper into the security of TETRA as a whole, with a special focus on message injection vulnerabilities. We aim to provide definitive insight into the extent to which adversaries are able to compromise confidentiality and integrity (particularly important when used in critical infrastructure) of traffic, and which mitigations can be considered in order to be able to use TETRA securely and safely. The project's own website: https://midnightblue.nl/retetra This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","url":"https://nlnet.nl/project/RETETRA3/","title":"RETETRA3"},{"description":" rasn Safe ASN.1 codec framework for Rust ASN.1 is a suite of protocols and data formats first introduced nearly 40 years ago, and is used extensively throughout the industry, from SIM cards to satellites, from web certificates to 5G radios; all of these use ASN.1 in their communication stack. However, parsing ASN.1 remains a large source of security vulnerabilities due to its complexity and needing to be written in traditionally memory unsafe languages for speed and portability. Rasn is a codec framework for writing safe ASN.1 code in Rust, that encodes ASN.1's data model into Rust's type system, empowering developers to write Rust code that is as safe, portable, and as easy to write as the original ASN.1 module. Rasn supports BER, CER, and DER encoding rules, and can be extended to support custom data formats. 
Rasn also provides a number of standards out of the box including LDAP, PKIX, and SNMP. The project's own website: https://github.com/librasn/rasn This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. ","title":"rasn","url":"https://nlnet.nl/project/RASN/"},{"description":" RAIJIN Open Hardware brain measurements with near-infrared spectroscopy Low-cost electroencephalographic (EEG) systems have been available for over a decade, such as the open hardware OpenBCI ecosystem. While EEG has been democratized to varying degrees, blood-oxygen-level-dependent (BOLD) methodologies are constrained to medical and niche realms. While magnetic resonance imaging is impractical for a hobbyist, functional near-infrared spectroscopy (fNIRS) may offer a more practical alternative. Similarly, non-visual and non-auditory feedback from a brain-computer interface (BCI) may be streamlined with a tactile or haptic device. Transcranial temporal interference stimulation (TTIS) can be directed and integrated with the existing ecosystem. The Rank-Adjusted Infrared Juxtaposed Interferential Neuromodulation (RAIJIN) marks three components that would significantly improve tools for citizen-scientists. Given recent low-cost projects, it may be possible to bring low-cost fNIRS, non-invasive deep brain stimulation, and tactile response into the OpenBCI ecosystem. Tactile and TTIS enable closed-loop computer-brain interference (CBI). By integrating BCI and CBI, the RAIJIN system will enable mobile, low-cost, BOLD-capable, closed loop, and non-invasive brain-to-brain interface (BBI). 
The project's own website: https://codeberg.org/technica/pulsestream-sensor This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","url":"https://nlnet.nl/project/RAIJIN/","title":"RAIJIN"},{"description":" RADIUSdesk Multi WAN Add Multiwan to RADIUSdesk RADIUSdesk is a complete, open source solution for the provision and management of Internet connectivity. The main component is a feature-rich RADIUS server that includes features such as vouchers, BYOD and permanent users. Permanent users have support for Private PSKs and versatile Fair Usage Policies (FUP). MESHdesk allows you to quickly roll out WLAN connectivity over a large area. APdesk can be deployed in enterprise environments and offers support for guest networks and dynamic VLAN assignment. Bandwidth and data usage can be managed via one of the following options: a captive portal, a PPPoE server or private PSKs with RADIUS. MESHdesk and APdesk can be managed via your phone or a desktop browser. The system has an intuitive API that eases integration with other systems. In this project, Multiwan support will be added, together with private Pre-Shared Key (PPSK), Multi-Dwelling Units (MDUs) and Software-defined Wide Area Network capabilities which will allow support for more VPN technologies. The project's own website: https://www.radiusdesk.com/ This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. 
","title":"RADIUSdesk Multi WAN","url":"https://nlnet.nl/project/RADIUSdesk-Multiwan/"},{"url":"https://nlnet.nl/project/RA-Sentinel/","title":"RA-Sentinel","description":" RA-Sentinel FPGA-based Radio Receiver for securing Wifi against hacking attacks The proposed project aims to develop a cost-effective, small, and low-power wide band radio receiver device that automatically detects various malicious attacks on Wifi access points, such as Man in the Middle and Denial of Service attacks. The RA-Sentinel project is designed to protect your home WiFi from unwanted cyber threats. Think of it as a digital watchdog for your internet connection that barks when someone from the outside tries to break in. The device will enhance internet safety for ordinary users by monitoring any Wifi cell. It will consist of low-cost receive-only chips that digitize 40 MHz of the Wifi radio spectrum at 2.4 GHz, and will use the FPGA to extract relevant properties from demodulated and decoded packets in real-time without storing them. These properties are fed into a neural network also implemented on an FPGA, which determines if the traffic is genuine or an attack. Only open source FPGA tools will be used. The project's own website: https://github.com/Tobias-DG3YEV/RA-Sentinel Why does this actually matter to end users? In today's interconnected world, we all rely on WiFi to stay in touch, work, learn, and relax. But like any bustling city square, the digital realm has its share of pickpockets, stalkers and other mischief-makers. RA-Sentinel introduces a simple, yet powerful solution to this modern challenge. Picture a silent, diligent guardian standing by your home's digital gateway, ensuring that you learn about unwanted intrusions into your Wifi network. This device monitors the airwaves, constantly ensuring that your online activities — be it video calls with loved ones, online shopping sprees, or binge-watching weekends — are undisturbed by hidden threats. 
If anything unusual appears on the horizon, it's quick to sound the alarm, allowing you to take countermeasures and then continue your online journey with peace of mind. For the everyday individual, this translates to a more secure online experience without the need for technical expertise. It's about bringing the assurance of a safer internet directly to your living room, ensuring that each time you connect, you're protected by a vigilant digital ally. This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. "},{"title":"RA-Sentinel Code Liberation","url":"https://nlnet.nl/project/RA-Sentinel-liberation/","description":" RA-Sentinel Code Liberation Royalty free synthesizable Verilog code for signal processing RA-Sentinel is a small, low-power wide band radio receiver device that automatically detects various malicious attacks on Wifi access points, such as Man in the Middle and Denial of Service attacks. The RA-Sentinel project is designed to protect your home WiFi from unwanted cyber threats. The RA-Sentinel Code Liberation project replaces hardware-specific \"black box\" components in RA-Sentinel with fully portable, openly licensed code that anyone can use, modify, and redistribute. The project will lower entry barriers to FPGA development, ensure long-term sustainability free from vendor licensing restrictions and product deprecation, and empower the global community to innovate without costly proprietary constraints. This work directly supports digital sovereignty, inclusive access to technology, and fostering community-driven innovation. 
This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"title":"RA-Sentinel AoA","url":"https://nlnet.nl/project/RA-Sentinel-directional/","description":" RA-Sentinel AoA Direction aware sensing of RF-based attacks RA-Sentinel is a small, low-power wide band radio receiver device that automatically detects various malicious attacks on Wifi access points, such as Man in the Middle and Denial of Service attacks. The RA-Sentinel project is designed to protect your home WiFi from unwanted cyber threats. Think of it as a digital watchdog for your internet connection that barks when someone from the outside tries to break in. The device will enhance internet safety for ordinary users by monitoring any Wifi cell. The RA-Sentinel Multi-Channel project aims to enhance the existing RA-Sentinel system by developing a 4-channel, 2.4 GHz RF front-end. This upgrade will enable the system to determine the direction of RF-based attacks. By introducing a multi-channel, phase-coherent reception system, we can estimate the Angle of Arrival (AoA) of incoming signals. This will help identify and locate threats such as jamming, spoofing, or unauthorized transmissions. This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). 
"},{"title":"R5N-DHT","url":"https://nlnet.nl/project/R5N-DHT/","description":" R5N-DHT Formalisation within IETF of R5N Distributed Hash Table design Decentralization and digital sovereignty are fundamental building blocks to strengthening European values of freedom of information and informational self-determination against particular interests of foreign state and commercial actors. Decentralization is often based on Distributed Hash Tables; DHTs are already an important component for many NGI components such as decentralized web applications (IPFS, Web3) or components in the blockchain ecosystem. The GNUnet/R5N-DHT - a Free Software distributed hash table and P2P protocol - provides additional and relevant properties like Byzantine fault tolerance and censorship resistance. The project will improve, implement and specify the R5N protocol as an IETF RFC (Informational). This supports other efforts such as the GNU Name System protocol (GNS). The project's own website: https://gnunet.org Run by GNUnet e.V. This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. "},{"description":" Qubes OS Bring the security of Qubes OS to people with disabilities Qubes OS is a free and open source operating system uniquely designed to protect the security and privacy of the user. Its architecture is built to enable the user to define different security environments (\"qubes\") on their computer and visually manage their interaction with each other and the world. This project will improve the usability of Qubes OS by: (1) reviewing and integrating already existing community-created usability improvements, (2) implementing a localization strategy for the OS and its documentation, and (3) creating a holistic approach for improved accessibility. 
The project's own website: https://qubes-os.org Why does this actually matter to end users? How can you understand and trust a complex system, like the operating system managing the hardware and software on your computer? You can make the complexity simpler by cutting it up into parts, compartmentalizing what does what, where information is stored, which processes talk to each other. This way users can be sure their system only does what it is supposed to do and know precisely what goes in and what comes out. This can be done through virtual machines, which are isolated simulations of operating systems or programs on a computer. Simply put, you create virtual rooms where only one thing happens and only you have the keys to each door. This can give users complete control over what happens on their computer and ensures that if some malicious software finds a way in, it cannot get to the other rooms. This can be very important if your device contains sensitive information, if some ill-meaning third party tries to listen in, or when the device is part of some crucial infrastructure and is targeted for attacks. The Qubes operating system is a pioneer in creating an isolated yet workable desktop. Users can segment programs and data into separate cubes, based on trust. The default cubes are 'work', 'personal' and 'untrusted', which are each run in an isolated virtual machine. If you open a phishing email in your 'untrusted' cube and malware manages to make its way into this specific environment, it cannot get to 'personal' or 'work' and therefore cannot compromise that data (or the entire operating system, which is the case with popular operating systems like Windows that have a huge attack surface). Various colors (think green, yellow, red) can be used to indicate what window and program works in what qube. Security by isolation can and should be a great way to make operating systems more secure by design. 
Usability is then of course an important issue: a better secured operating system should not be harder to use than a more vulnerable one. This project will pick up and implement existing efforts to make Qubes more transparent and usable. For example, to manage the qubes a user has created, this project will help to feature interfaces that make it easier to keep an overview. Also, existing work to internationalize the documentation that guides users and developers into Qubes will be updated. And to make the various qubes more accessible, users can switch from colored windows to other types of labels. Run by Qubes OS This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. ","url":"https://nlnet.nl/project/QubesAccessible/","title":"Qubes OS"},{"url":"https://nlnet.nl/project/Qryptr/","title":"Qryptr","description":" Qryptr Air-gapped open hardware encryption device As a smartphone user you might be worried about spyware, advanced actors, backdoors, zero-days or side-channel attacks? These routinely bypass end-to-end encryption through keyloggers, screen capture and compromised keys. Smartphones are part of complex ecosystems with dozens of hardware and software components and remain vulnerable despite vendor and political efforts. Qryptr is a simple, offline, airgapped device to counter such threats. Plain text messages entered via its keyboard are ECC encrypted and displayed as QR codes. These QR codes can be photographed and shared using your smartphone. This method offers additional endpoint security as plaintext and cryptographic keys are kept physically separate from your smartphone. 
The project's own website: https://qryptr.com This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"description":" Proper Webcam support in Qemu Better virtualisation of camera interfaces QEMU is one of the most popular open source machine emulators and virtualizers. It supports a wide range of architectures and is capable of emulating many types of hardware devices. Many people rely on QEMU to run alternative operating systems or even as a secure development environment. Sometimes it is necessary to pass camera devices to the QEMU guest and make them available to the system. While it is possible to pass cameras using the generic QEMU USB host emulator, this only works with USB cameras and only makes them available to that single QEMU guest. However, many modern systems move away from USB cameras and provide other interfaces for the camera, and thus cannot be passed through. Our solution is to use the operating system's video API instead to make the video device available. We will focus on providing proper support for the Video4Linux API to emulate a USB video device so that it works with the already existing OS drivers. With proper integration of a camera subsystem, this opens the door to supporting more camera APIs and even extending paravirtualized VirtIO devices in the future to improve video quality for next generation video devices. 
The project's own website: https://gitlab.com/qemu-project/qemu Run by 9elements GmbH This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","url":"https://nlnet.nl/project/Qemu-Camera/","title":"Proper Webcam support in Qemu"},{"description":" Vector based similarity search index for QLever database Improved search for scalable open-source graph database This project extends QLever, an extremely efficient and scalable open-source graph database, by implementing a generic vector-based similarity search index. By integrating this feature alongside existing support for full-text and geo-spatial search, the project creates a unified engine that efficiently combines structured graph queries with semantic vector search. This makes massive Linked Open Data datasets readily available for AI-driven Retrieval Augmented Generation (RAG), including datasets such as Wikidata, UniProt, and OpenStreetMap. The project's own website: https://github.com/ad-freiburg/qlever Run by RS WORKS EE This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/QLever-similarity/","title":"Vector based similarity search index for QLever database"},{"url":"https://nlnet.nl/project/QGIS-Panoramax/","title":"QGIS Panoramax Plugin","description":" QGIS Panoramax Plugin Extension to manage Panoramax data with QGIS Panoramax is a digital resource for sharing and using street pictures. 
Anyone can take photographs of places visible from the public space and add them to the Panoramax database. This data is then freely accessible and reusable. It offers a similar service to StreetView, Mapillary, KartaView... but with a completely open-source software stack, and fully managed by a growing open community. QGIS is widely deployed geographic information system (GIS) software, allowing for geospatial data visualization, processing, dissemination, analysis and more. This project will implement an industry-grade QGIS extension to manage Panoramax data directly with QGIS: get Panoramax trajectories and display images in 2D and 3D, search, download and upload batch data. Our goal is to bridge the gap between GIS users and field surveyors to promote open data. The project's own website: https://qgis.org Run by Oslandia This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"description":" Adding 32-bit ARM support to QBE and Hare Full Arm32 support for QBE compiler Many affordable and widely used devices, ranging from older smartphones to embedded systems, rely on 32-bit ARM processors. In fact for many devices it doesn't make sense to use 64-bit CPUs. Hare is a new systems programming language, designed to be simple and reliable, that depends on QBE, a lightweight compiler backend, to generate target machine code. However programs compiled with Hare cannot currently run on these devices because its compiler backend (QBE) only supports 64-bit hardware. This project will add full ARM32 support to QBE, making Hare usable on millions of existing computers. 
By extending the lifetime of older hardware and opening Hare to more platforms, the project helps developers and users alike benefit from a more diverse and sustainable open source ecosystem. The project's own website: https://harelang.org/ This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","title":"Adding 32-bit ARM support to QBE and Hare","url":"https://nlnet.nl/project/QBE-32-bit-ARM-support/"},{"description":" Pythonic Slint Add a full-blown Python API to Slint Slint is a next generation declarative GUI toolkit that supports multiple programming languages such as Rust, C++, and JavaScript. Implemented in Rust, a language known for its memory safety and performance, Slint can run on platforms such as Windows, Linux, Mac, QNX, and microcontrollers. Next to JavaScript, Python is the most popular programming language. While Python developers already have a number of options when it comes to GUI frameworks, most of these are in the form of wrappers or bindings. We aim to make Python a first-class citizen with a dedicated and idiomatic API, to empower developers to create amazing user interfaces for their applications. Python developers will benefit from a modern open source GUI framework that is well-supported. The project's own website: https://slint.dev Run by SixtyFPS GmbH This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. 
","title":"Pythonic Slint","url":"https://nlnet.nl/project/PythonicSlint/"},{"description":" PyUVM SPI Verification Component Add Serial Peripheral Interface support to PyUVM verification tool In recent years, many open source projects have emerged making chip design and verification possible without the need for the common proprietary SystemVerilog tools. The emergence of PyUVM brought the power of the Universal Verification Methodology (UVM) to the Python ecosystem. To strengthen this ecosystem, reliable and re-usable verification components are key factors to shift left and focus verification effort on functional bugs of complex designs. The PyUVM SPI verification component is a configurable agent designed for SPI protocol based on PyUVM. Tutorials, documentation and test bench examples will be available to promote its usage and ensure that the ability to deliver high-confidence, verified silicon is no longer a privilege of well-funded corporations, but a standard accessible to the entire open-source community. The project's own website: https://github.com/calonso88/pyuvm-spi This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/PyUVM-SPI-verification/","title":"PyUVM SPI Verification Component"},{"description":" Sepand Haghighi, Arash Zolanvari & Sadra Sabouri - PyCM Evaluate the performance of ML algorithms Data and AI Can you introduce yourself and your project? We are living in the machine learning era. It is important to have solid methods for evaluating trained machine-learning models. Genuine evaluating methods make comparing different machine learning models easier. 
The confusion matrix is a representation of a classification model’s performance. In the simplest case, it includes how many samples are correctly or wrongly labelled as true or false. Several metrics can be derived from the confusion matrix, each assessing an aspect of the model’s performance. Unfortunately, popular machine learning libraries like `scikit-learn` only support a small portion. Our project, PyCM, emerged to bridge this gap. PyCM, Confusion Matrix in Python, gathered a complete list of metrics and tools for assessing and comparing machine learning classification models. Our team includes senior software developers and PhD researchers who devoted six years to software programming and research for PyCM. PyCM team includes: Sepand Haghighi is the initiator and maintainer of the project. This project was part of his master’s thesis. Not only does he have a solid theoretical background, but he is also a one-of-a-kind software architecture designer and software developer. Sepand built multiple open-source software packages in Python, some downloaded millions of times from Pip. Sepand enjoys rock music in his free time and loves swimming. Arash Zolanvari is another core developer of PyCM. He is a PhD Candidate in Optimization and Decision Systems from the University of Groningen. Arash is a valuable researcher who helped PyCM develop far further than its starting goal. Due to Arash’s efforts, PyCM is now the only Python library that fills the gap for machine learning model evaluation in the academic research community. Arash likes table tennis and cooking in his free time. Sadra Sabouri is the final core developer of PyCM. Since joining the team in 2019, he has refreshed the development process. He is now pursuing a PhD in computer science from the University of Southern California. He is a solid software developer who proposed new features and took PyCM to the next step. He likes skateboarding, gardening, and reading books as hobbies. 
What are the key issues you see with the state of the internet today? After the emergence of AI, the internet is on a historic edge. OpenAI and other big companies are in a crazy tournament to serve “the best” large language model (LLM) over the internet through APIs. Evaluating these LLMs is complex due to the complexity of evaluating models on different tasks and aggregation. Therefore, benchmarking LLMs will be a future direction of much research, and many funding agencies are dedicated to funding these research directions. One of the classic tasks used for evaluation is classification. In this task, an LLM model should classify given objects into classes. Existing tools that can evaluate classification results are designed naively, which leaves much room for improvement. How does your project contribute to correcting some of those issues? PyCM emerged as the first and the most complete tool for evaluating AI classification tools. PyCM filled this gap both in academia and industry. PyCM paper was cited more than 170 times by researchers from different domains as a tool for evaluating machine learning models in computer science, health care, etc. Course producers added this tool as a typical machine learning post-training evaluation tool in their course programs. Companies that integrate LLM in their workflow use PyCM to evaluate LLMs in different classification tasks, such as text summarization. What do you like most about (working on) your project? We are always super excited to see the impact of our work on society. Our project impacted lots of stakeholders in different ways. PyCM helped medical researchers build better tools for disease detection and, therefore, helped humanity. PyCM also helped many AI practitioners compare different models and tune the best model for their use case. Contributing to such an impactful project is not an everyday opportunity. We are truly proud of our library and its contribution to society. 
Where will you take your project next? We are currently working on making PyCM more accessible for less tech-savvy users. We are planning to design a website for easier interaction with the library. Plus, we are working on structural enhancements that will allow new features to be added to the project. We hope to build a sustainable environment in the library, which can increase our library’s impact even further. How did NGI Assure help you reach your goals for your project? NLnet Foundation has supported the PyCM project from version 3.6 to 4.0 through the NGI Assure Fund. Using this grant, we developed a new feature supporting multi-label classification scenarios. We also implemented a new structure for trade-off curves which is frequently used in machine learning evaluation settings. We added new metrics to the library and improved the “compare” feature, enabling users to compare the output of several machine learning models. Finally, we published a preprint literature review on raters’ agreement. Do you have advice for people who are considering applying for NGI funding? “Dream big”. After releasing each version, NGI funding and their support immensely helped us follow our mission. If you have an idea that aligns with NGI funding goals, no matter how big, go for it. You would be surprised what you can do with your dedication to the work! Do you have any recommendations to improve future NGI programmes or the wider NGI initiative? Our main recommendation for NGI programs is to increase their focus on artificial intelligence and machine learning infrastructure projects. Given that machine learning is one of the most important trends on the internet, it is a good use of effort. We were ready to apply for NGI grants for several projects in the past that might count as out of the program’s scope. There are, for sure, other vibrant teams who can benefit from NGI support on their projects. 
The other place that we saw room for improvement is the communication process when applying. It was a bit slow and could be faster. We applied for another round of NLnet grants for the PyCM project, and we hope to hear back from them soon. Acknowledgements Image: courtesy of Sepand Haghighi, Arash Zolanvari & Sadra Sabouri. Published on October 31, 2024 PyCM received funding through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. ","title":"Sepand Haghighi, Arash Zolanvari & Sadra Sabouri - PyCM","url":"https://nlnet.nl/project/PyCM/interview.html"},{"url":"https://nlnet.nl/project/PyCM/","title":"PyCM","description":" PyCM Evaluate the performance of ML algorithms The outputs and results of machine learning algorithms are usually in the form of confusion matrices. PyCM is an open source python library for evaluating, quantifying, and reporting the results of machine learning algorithms systematically. PyCM provides a wide range of confusion matrix evaluation metrics to process and evaluate the performance of machine learning algorithms comprehensively. 
This open source library allows users to compare different algorithms in order to determine the optimal one based on their preferences and priorities. In addition, the evaluation can be reported in different formats. PyCM has been widely used as a standard and reliable post-processing tool in the most reputed open-source AI projects like TensorFlow Similarity, Google's scaaml, torchbearer, and CLaF. The project's own website: https://www.pycm.io This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. "},{"description":" PyCM Machine learning post-processing and analysis PyCM is an open-source Python library designed to systematically evaluate, quantify, and report the performance of machine learning algorithms. It offers an extensive range of metrics to assess algorithm performance comprehensively, enabling users to compare different models and identify the optimal one based on their specific requirements and priorities. Additionally, PyCM supports generating evaluation reports in various formats. Widely recognized as a standard and reliable post-processing tool, PyCM has been adopted by leading open-source AI projects, including TensorFlow, Google’s scaaml, Torchbearer, and CLaF. In this grant, the team will implement several new features, such as data distribution analysis, dissimilarity / distance matrices and curve analysis. In addition the project will improve benchmarking and confidence, and introduce an API and GUI for wider adoption. 
The project's own website: https://www.pycm.io This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","title":"PyCM","url":"https://nlnet.nl/project/PyCM-API/"},{"description":" Py3DTiles - Textured Mesh tiling OGC 3DTiles 1.1 support for 3D tile conversion tool Py3DTiles is an OpenSource Python module and CLI to create 3DTiles from various 3D geo-referenced data types and formats. It supports point clouds, IFC (BIM) and other 3D data types. It generates datasets suitable for 3D visualization of cartographic data. This project will add support for Textured Mesh conversion. Textured Mesh data can originate from various sources such as drone sensors, satellite imagery, and aerial photography through photogrammetry. Pointclouds can be transformed to Textured Mesh through triangulation. Textured mesh can also be created with 3D design software like Blender or Vue. Implementing 3D Tiles conversion capabilities of these data types will reinforce 3D data processing capabilities with opensource software, and increase interoperability and interconnection of software and data processing pipelines. Beyond adding these new capabilities to Py3DTiles, the project will also integrate and develop underlying algorithms and methods to process the data efficiently and handle large amounts of data. The project's own website: https://py3dtiles.org Run by Oslandia This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. 
","url":"https://nlnet.nl/project/Py3DTiles/","title":"Py3DTiles - Textured Mesh tiling"},{"description":" Py2HWSW A tool to manage embedded HW/SW project This project aims to develop an open-source Python framework for managing files, automating project flows of embedded hardware/software codesign projects, and partially generating Verilog hardware components. The framework simplifies the project structure, addresses challenges in Hardware Design Languages like Verilog and VHDL, and automates emulation, simulation, FPGA, and ASIC flows. The proposed Verilog generator offers flexibility, user control and ease of use, producing human-readable code compatible across FPGAs and ASICs. The project's own website: https://github.com/IObundle/py2hwsw Run by IObundle This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","url":"https://nlnet.nl/project/Py2HWSW/","title":"Py2HWSW"},{"title":"ProveThis","url":"https://nlnet.nl/project/ProveThis/","description":" ProveThis Prove statements about authenticated API resources ProveThis allows users to prove statements from websites and APIs using TLS without revealing private information. Although efforts like TLSNotary can currently be used to prove the authenticity and origin of a full HTML page, we extend the capabilities of TLSNotary and allow users to make zk-SNARK based zero knowledge proofs about statements in complexity class NP. More concretely, this can allow users to prove statements about e.g. their banking data (how many transactions did you send in a certain period), social media data (how many friends are you away from knowing Barack Obama) or other data sources. Such proofs can generally be used to reduce fraud without compromising privacy and confidentiality. 
The project's own website: https://github.com/summitto/ProveThis Run by summitto This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. "},{"description":" Provability Fabric Verifiable evidence and run-time security for AI systems Provability Fabric is an open-source infrastructure project for making AI and software systems trustworthy through evidence that can be independently verified. It integrates formal verification, runtime security, and end-to-end audit trails so that claims about what a system was allowed to do, what it actually did, and whether it remained within specification can be checked across tools and workflows instead of accepted on trust. The project provides common schemas, specifications, replay mechanisms, and reference implementations for packaging and validating proofs, attestations, and execution traces. In doing so, it aims to create a shared public infrastructure for reproducibility, interoperability, and auditability in high-stakes automated systems. The project's own website: https://sentinelops.xyz/ Run by DeepMind/Stanford This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). 
","title":"Provability Fabric","url":"https://nlnet.nl/project/ProvabilityFabric/"},{"url":"https://nlnet.nl/project/Protomaps/","title":"Protomaps","description":" Protomaps Self-hostable maps based on OpenStreetMap data Protomaps is a free and open source map of the world, deployed as a single file you can host yourself. It enables interactive, zoomable mapping applications with only static storage and HTTP Range Requests. It uses the OpenStreetMap dataset as a primary source; its configurable toolchain can create maps with specific areas, custom data, and different cartographic styles. It’s used in earth science, journalism and the public sector. Protomaps has no vendor lock-in, permits end-to-end data sovereignty, and can ensure end-user privacy. The project's own website: https://protomaps.com This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"title":"Prosody IM","url":"https://nlnet.nl/project/Prosody-SASL/","description":" Prosody IM Implement SASL authentication mechanism for XMPP XMPP is the most widely deployed standard protocol for real-time messaging today, and is a very popular choice among individuals and organizations who wish to manage their own internet communications, instead of submitting to other (e.g. commercial/data-driven) communication platforms. For an XMPP user to log in to their account today, two things are required: a username and a password. This has remained unchanged for many years, while other technologies have been steadily advancing to support security-enhancing features such as multi-factor authentication or even self-sovereign identities. 
XMPP uses an authentication umbrella standard known as SASL to authenticate all connections. The way XMPP integrates SASL is defined in RFC 6120 and assumes a very simple challenge-response flow, which has worked well in allowing us to upgrade the network from older SASL mechanisms such as DIGEST-MD5 and onto more modern mechanisms such as SCRAM-SHA-1 and SCRAM-SHA-256. To gain new authentication features beyond simple password authentication, we need to evolve XMPP’s relationship with SASL. This project will deliver just that, and will be the first complete implementation of a proposed standard (XEP-0388: Extensible SASL Profile) into the popular Prosody XMPP server. It will also implement support for per-session access control throughout Prosody, and support for XEP-0386 (Bind 2.0). The project's own website: https://prosody.im Run by Snikket CIC This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. "},{"url":"https://nlnet.nl/project/ProbabilisticNAT/","title":"Probabilistic NAT Traversal","description":" Probabilistic NAT Traversal Last resort ad hoc connections for GNUnet With the Probabilistic NAT Traversal project, we want to significantly improve the ability of users to directly connect with each other. For establishing a peer to peer (p2p) network among regular internet users, unhindered connectivity is anything but self-evident. Today consumer devices are often not directly reachable via the internet but quite often are behind a so called NAT delivering only indirect internet connectivity. There are several methods to reach peers who are behind a NAT, but there are as many reasons those existing methods might fail. 
Manual configuration, for example, as is possible with home routers, often does not work for mobile devices like mobile phones. We will implement a new way of NAT traversal that we think is independent of the existing network configuration, and does not require a third party with a direct internet connection helping two peers to connect to each other. Existing NAT traversal methods use third parties which are permanently required for communication. Our Probabilistic NAT traversal method requires a third party only at the beginning of the communication. The selection of third parties to start the connection establishment is based on previous work from the Layer-2-Overlay project. Probabilistic NAT Traversal will greatly improve the connectivity of GNUnet and other P2P networks that adopt it. The project's own website: https://www.gnunet.org/en/probnat This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. "},{"description":" Private Searx Add private resources to the open source Searx metasearch engine Searx is a popular meta-search engine letting people query third party services to retrieve results without giving away personal data. However, there are other sources of information stored privately, either on the computers of users themselves or on other machines in the network that are not publicly accessible. To share it with others, one could upload the data to a third party hosting service. However, there are many cases in which it is unacceptable to do so, because of privacy reasons (including GDPR) or in case of sensitive or classified information. This issue can be avoided by storing and indexing data on a local server. 
By adding offline and private engines to searx, users can search not only on the internet, but on their local network from the same user interface. Data can be conveniently available to anyone without giving it away to untrusted services. The new offline engines would let users search in local file system, open source indexers and data bases all from the UI of searx. The project's own website: https://asciimoo.github.io/searx Why does this actually matter to end users? Search and discovery is one of the most important and essential use cases of the internet. When you are in school and need to give a presentation, when you are looking for a job, trying to promote your business or finding relevant commercial or public services you need, most of the time you will turn to the internet and more importantly the search bar in your browser to find answers. Searching information and making sure your name, company or idea can be discovered is crucial for users, but they actually have little control over this. Search engines set the terms for what results you see, how your website can be discovered and what information is logged about your searches. What terms are set remains obscure for users and they can only follow the rules laid out for them, instead of deciding on their own what, where and how to find the information they are looking for. More transparent, customizable and privacy-friendly search puts the user in the driver seat and can provide them with meaningful results. Searx does this by aggregating results from more than 70 search services while avoiding any user tracking or profiling. With every search users can decide what engines they want to use and which they don't, what search language must be used and other options that are saved on the device and can therefore not be tracked. 
Users are also free to run their own instance of Searx, giving them complete control over the source code that makes that version of Searx tick (and alter it however they like) and ensure additional privacy protection. This project gives Searx users even more control over their own rules for search and discovery, in particular discoverability of sensitive or personal information. Right now Searx only searches on the internet and does not look for information on for example the computer you use. Instead of users having to upload information to make it findable (and giving away control over where the data will end up and who gets to see and use it), Private Searx allows users to find results both online and offline on their local computer or network from the same search bar. This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. ","url":"https://nlnet.nl/project/PrivateSearx/","title":"Private Searx"},{"url":"https://nlnet.nl/project/PrivateRecSys/","title":"PrivateRecSys","description":" PrivateRecSys Privacy-Friendly Recommendation System The use of recommender systems has grown significantly in recent years, with users receiving personalised recommendations ranging from products to buy, news to read, movies to watch, people to follow. At the same time, recommender systems have become extremely effective revenue drivers for online business. However, producing personalised recommendations requires collecting users’ data, which makes conventional recommenders effective at the cost of users' privacy. The PrivacyRecSys project aims to develop an open-source toolkit for delivering accurate recommendations while respecting users' privacy. 
The toolkit will consist of novel privacy-preserving recommender approaches, which modify the state-of-the-art recommender approaches by applying the principles of differential privacy, homomorphic encryption and federated learning. The project's own website: https://github.com/privateRecsys/privaterecsys Why does this actually matter to end users? Search and discovery is one of the most important and essential use cases of the internet. When you are in school and need to give a presentation, when you are looking for a job, trying to promote your business or finding relevant commercial or public services you need, most of the time you will turn to the internet and more importantly the search bar in your browser to find answers. Searching information and making sure your name, company or idea can be discovered is crucial for users, but they actually have little control over this. Search engines set the terms for what results you see, how your website can be discovered and what information is logged about your searches. What terms are set remains obscure for users and they can only follow the rules laid out for them, instead of deciding on their own what, where and how to find the information they are looking for. Online search basically is a black box: you enter your question and get an answer, or optimize your site to end up in the top ten results, but no one has actual control over how it all works. Not only does this make us dependent on search providers, it can (and does) jeopardize your privacy, from the actual query itself to all sorts of sensitive metadata you might leak (other sites you visited, your IP address, other online accounts, etcetera). So how do we regain control over how we search online? One way to do this is to build transparent, user-centric and privacy-friendly alternatives to popular search solutions. 
That is what this project aims to do for recommender systems like you find on the bottom part of most webshops (think of 'customers have also bought'). These systems are very lucrative for online businesses, but usually take in a lot of personal data to provide accurate recommendations. This project will show that personalized search and discovery does not have to come at the cost of your privacy by making an open source toolkit for privacy-preserving recommender systems. This way websites and web shops do not have to choose privacy over functionality, but instead combine the two into a more user-friendly online space for everyone. This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. "},{"description":" pretalx Open source tooling for events and conferences When attending events like conferences, visitors are often subjected to privacy-invading proprietary apps by organisers. With printed programmes typically no longer made available, visitors are put on the spot: either they install some unknown app and allow themselves to be tracked, or they don't know which sessions to attend. Pretalx is an open source project for events and conferences. It provides a Call for Proposals interface, tools for review (including fully double-blinded ones), scheduling, speaker communication, and attendee feedback. pretalx has a variety of plugins and can be self-hosted. This gives conference organisers, speakers and attendees complete control over the data they share. This project will completely redo the writable API of pretalx, making it a strong privacy-friendly option for any event being organised. 
Pretalx is one of the leading open source tools capable of handling the full organisation of events from Call for Proposals to user feedback, and is used by many large open source events already (MozFest, FOSDEM, Pycon, NSEC, etc). The project's own website: https://pretalx.com Run by pretalx This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","title":"pretalx","url":"https://nlnet.nl/project/Pretalx/"},{"description":" Pre-Scheme Compile Scheme directly to portable C Pre-Scheme is a statically-typed dialect of the Scheme programming language which compiles to C, suitable for low-level systems programming. Pre-Scheme is implemented using a sophisticated general-purpose compiler, written in Scheme, with demonstrated applications to other programming languages and compilation targets. This project aims to port the compiler to R7RS, the latest Scheme standard, so that it can run on a variety of modern Scheme implementations. The Pre-Scheme language and tooling will also be updated to meet the expectations of a contemporary developer audience, and the compiler framework will be documented and exposed to support future innovations in programming language development and research. The project's own website: https://prescheme.org This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. 
","title":"Pre-Scheme","url":"https://nlnet.nl/project/Pre-Scheme/"},{"description":" Privacy Enhancements for PowerDNS and DNSdist Make it easier to deploy private DoT/DoH resolvers DNS over TLS (DoT) and DNS over HTTPS (DoH) are two recent developments in the DNS field, and currently these are dominated by US based providers. The project will enhance the availability of open, trustworthy, privacy respecting DNS Resolvers in such a way that it allows any DNS provider, operator, or user to provide encrypted DNS service. This project aims to speed up implementation, improvement and standardisation of the most important Privacy enhancing features of DNSdist and PowerDNS resolvers to allow for the entire DNS-chain (from client, to caching-resolver, to authoritative nameserver) to be encrypted. The project will add support to the (open source) PowerDNS components (dnsdist, recursor and Authoritative server) for the privacy features necessary. The project's own website: https://powerdns.com Why does this actually matter to end users? If you want to look something up online, send an email to a friend or read the morning news, your computer panics and starts asking for help. How does it know where to retrieve or send anything? Luckily, it is connected to the domain name system. This naming system has been translating names users can remember (like ngi.eu or NLnet.nl) into numbers (or with a fancy word: addresses). Your computer has such a unique number itself, but it needs the numbers of the other computers you want to interact with to connect. You probably use domain names every day, whether you type in the address of a website, listen to a podcast or send an email. It is called a domain name system for a reason, because it comprises more than just a naming convention. Getting a domain name involves talking to a lot of different computers. Your computer or phone basically doesn't know much about the world. 
One thing it does know, is how to ask that question to other, specialised computers. These computers actually also probably don't know themselves, unless they have recently answered the same question for another user. Names can change really fast for good reasons, so you would need to refresh this data a lot - otherwise users could end up on the wrong computer. The computers you sent your question to, thus pass the question on to other computers - and so forth. After just a few steps, some of the computers that were consulted get parts of the answer we were looking for. And at some point in time, the domain name system will have the entire answer. The magic happens so fast, most people are not even aware how complex this is. For them it \"just works\". One disadvantage: many other computers have learned something about us, about who we interact with and about our interests - in a neatly labeled way. Someone is connecting to derspiegel.de or globaleaks.com. The more unique your question, the deeper the digging inside the DNS - and the more it stands out. Domain names are at present a critical component for users, and so also a critical point of failure and a choke point. Without functioning DNS, most people will have a hard time finding basically anything on the network of networks. There have been cases where for instance a Spanish company got their domain name taken away, even though what they did inside Europe for European citizens was legitimate here. But not in the USA. And since the organisations that handle the .org, .com and .net domain names are based in the USA, these could be forced to remove these names from the DNS. When DNS was designed, neither security nor resilience was that much of a concern for most users. The internet in its early days was not yet 'open to the public'. This of course has changed dramatically. 
The massive use of the internet and thereby our dependency on DNS has highlighted very important privacy and security issues with the design of DNS. At present, it is not always capable of preventing users from being misled, nor can it prevent some leakage of what users do, who they talk to and where they go. To make sure users can freely and privately search the web, over the years there have been numerous privacy protective additions made to DNS. Progress has definitely been made, but to actually keep users safe such technologies must be readily available to DNS providers, operators and generally everyone on the internet. This project will develop and contribute to open and trustworthy tools that can encrypt your DNS request as it leaves your computer, goes halfway around the world and comes back with the website you were looking for. Run by PowerDNS.com (part of Open Xchange) This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310. ","url":"https://nlnet.nl/project/PowerDNS-DNSdist/","title":"Privacy Enhancements for PowerDNS and DNSdist"},{"description":" PowerCommons OpenPower A2O Core Revival The PowerCommons project treats computing infrastructure as a commons—open, composable, and collectively maintained—built on the OpenPOWER architecture. It emerges from a recognition that computational infrastructure shapes society as fundamentally as roads, utilities, and communications networks. When this infrastructure is opaque and privately controlled, democratic oversight becomes impossible. We are building the alternative: infrastructure that is transparently operated and publicly auditable by design. This philosophy is backed by architectural depth: a composable platform where cores and components can be selected and combined freely for any given use case. 
The long-term vision is a fully sovereign, open alternative to x86 and ARM across the entire computing spectrum: from embedded and IoT devices, through mobile and laptops, to workstations, servers, and high-performance computing. The A2O Core Revival project restores full functionality to IBM's A2O processor core and lays the foundation of that composable platform. It addresses build system incompatibilities with modern toolchains, resolves critical timing and synthesis issues, and establishes a reproducible LiteX SoC integration capable of booting Linux on modern Xilinx FPGA platforms (Zynq and VCU-118). Deliverables include simulation and testbench infrastructure, initial open-toolchain synthesis flows targeting the IHP 130nm open PDK, comprehensive documentation, and a roadmap for ISA modernization toward Power ISA 3.1C compliance. The project's own website: https://powercommons.org This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","title":"PowerCommons","url":"https://nlnet.nl/project/PowerCommons/"},{"description":" Pomme d’API Improvements around the Open Food Facts API Open Food Facts is an open and collaborative database of 3.5M food products from around the world. This project will improve the Open Food Facts API to make it easier for the 250+ apps and services that use it daily to access and contribute food products data. In particular, it will focus on providing easier means to contribute photos and data, better structured data, OpenAPI specifications, and extensive documentation. 
The project's own website: https://openfoodfacts.org Run by Open Food Facts This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","title":"Pomme d’API","url":"https://nlnet.nl/project/Pomme-dAPI/"},{"description":" Polyglot jaq Data wrangling tool focusing on correctness, speed, and simplicity. Data often needs to be processed going from one tool to another. Doing that is potentially a point of failure, as 'quick and dirty' solutions often fail to take into account edge cases. This project will build on top of Jaq, a Rust re-implementation of the widely popular jq syntax with rigorously defined semantics, and extend its approach to other data formats - from legible formats such as XML, YAML, TOML, CSV and Markdown to binary formats. For the latter, the project builds on the versatile parsing toolbox of Kaitai Struct. The project's own website: https://github.com/01mf02/jaq This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). 
","title":"Polyglot jaq","url":"https://nlnet.nl/project/Polyglot-jaq/"},{"title":"Poliscoops","url":"https://nlnet.nl/project/PoliFLW/","description":" Poliscoops Make political news and online debate accessible PoliFLW is an interactive online platform that allows journalists and citizens to stay informed, and keep up to date with the growing group of political parties and politicians relevant to them - even those whose opinions they don't directly share. The prize-winning political crowdsourcing platform makes finding hyperlocal, national and European political news relevant to the individual far easier. By aggregating the news political parties share on their websites and social media accounts, PoliFLW is a time-saving and citizen-engagement enhancing tool that brings the internet one step closer to being human-centric. In this project the platform will add the news shared by parties in the European Parliament and national parties in all EU member states, showcasing what it can mean for access to information in Europe. There will be a built-in translation function, making it easier to read news across country borders. PoliFLW is a collaborative environment that helps to create more societal dialogue and better informed citizens, breaking down political barriers. The project's own website: https://poliscoops.eu Why does this actually matter to end users? Politics and government can be very confusing and exhausting. People with strong opinions and clashing world views debating at length about all kinds of niche topics and very broad and complex issues. And on the other side, endless formal announcements published in a bureaucratic way exhaust one's attention. It can be hard to stay connected, and in fact once you lose track of a thread you are kind of lost - because from that moment on you lack essential background knowledge while the discussion rushes on. 
This 'information debt' piles up, and at some point much of what is said may not mean a whole lot to the majority of people. Continuously repeating some of it may be good to allow people to reconnect, but it punishes the people that did pay attention and makes them disconnect. And let's not forget there are dishonest people too, who have no problem exploiting the fundamental inability of everyone to know it all, and try to manipulate and use misinformation to enrich themselves. To make things worse: there are different, partially overlapping levels of politics and government, from global politics to the village or city council you live in. There are many individuals and different political parties, meetings and official publication channels to track. People come and go all the time, new parties are founded, new coalitions cemented, new people appointed doing things differently. And the internet has enabled politics to go on 24/7, even further straining one's time budget and fragmenting the discussion. Politicians probe ideas and make subsequent decisions for you based on social media feedback, while you are doing the dishes or standing next to the football field cheering the neighbour kid at her important match. How are you supposed to do your daily work, pay attention to the ones dear to you and keep up with all that is happening? Especially if the relevant messages are spread across the whole political spectrum. Tracking everything that could somehow be relevant is more than a full time job, or even more than enough to fill several lives in parallel. And yet: hidden in there are extremely important events and decisions that may directly influence your life. What if the topic of discussion is your street, budget cuts on the home for the elderly where your grandmother lives, or whether the toxicity levels in the playground where your kids play are reasonable and nothing has to be done? And if you notice something, how do you make sure others do? 
The internet may have contributed to some of the information overload to citizens, but it also can help. This is where PoliFLW comes in. It can use the power of the crowd to \"crowdsource\" and curate relevant information in a very user friendly and non-obtrusive way. PoliFLW is an effort to index and organize political news that affects where you live and work. The platform scrapes social media accounts and collects news that (local) political parties share on their websites and makes it searchable through tagging and indexing. Users can for example filter on date, location, source or political entity, or scrape the articles and sources for a specific topic. Why hasn't a decision been made about that dangerous crosswalk down the road? How has the municipality handled social care over the last few years? What do local parties think about addressing sustainability in your neighborhood (rather than just the political figure you voted for)? PoliFLW is not just important to inform private individuals like yourself, but it is also a tool that greatly assists professionals like journalists. As watchdogs of democracy, journalists work hard to keep politicians honest and inform their audience about the latest political news. This is not an easy feat. They know how political parties are organized, where they get their money from, what their stances are on important topics and with the help of PoliFLW can show how the currently elected government came to decisions. Because of budget cuts local channels rarely have the time and money anymore to check up on local politics. At the same time, national and European politics becomes more connected and complex, making the political process obtuse rather than transparent. Making political data open or dumping information online does not solve this problem. Instead, such public data must be searchable, discoverable and accessible for journalists and curious citizens alike. 
The goal of PoliFLW is to include and organize news at all levels of politics, from hyperlocal to national parties to the European Parliament, in all member states. PoliFLW gives everyone a clearer view of local political decisions and discussions that news media now tend to overlook. It can aid journalists to counter this negative trend and keep local politicians honest. And it can help normal citizens to maintain an overview across the whole political spectrum, and break out of political silos and social media bubbles. Run by Open State Foundation This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. "},{"url":"https://nlnet.nl/project/Podlibre/","title":"Podlibre","description":" Podlibre Dedicated, customizable podcast editor Podlibre is an all-in-one, customizable podcast editor designed to empower podcasters with a tool they can rely on daily. In the past decade, the popularity of podcasts has exploded - but so far there was no good podcast-specific workflow for creators to handle the process. Obviously one can use generic sound editors, but these are typically geared toward music production and lack features that make it easy for podcasters and journalists to produce consistent podcast content. With a customizable workflow and plugin architecture, Podlibre allows users to tailor their experience while integrating with third-party services. It provides all essential features in one place, including noise reduction, mouth noise editing, multi-channel audio editing, music insertion, local transcription with manual correction, chapter editing, metadata editing (ID3, RSS), local publishing, and publishing to hosting platforms (Castopod, Funkwhale, Faircamp). 
The project's own website: https://podlibre.org Run by Ad Aures This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"url":"https://nlnet.nl/project/PodOS/","title":"PodOS","description":" PodOS Personal Online Data Operating System aimed at exploring W3C Solid pods PodOS is an operating system for data on Solid Pods, designed to bridge the gap between specialized apps and raw data management. It is built from the ground up for mobile-first UX, accessibility and maintainability, on top of re-usable custom elements. In the upcoming phase, PodOS will introduce new ways for users to structure, link, and repurpose their data, allowing them to organize information beyond the constraints of individual applications. Users will be able to extract information from classic documents or notes and transform them into structured resources that could be used with other Solid Apps. New developments will emphasise modularity and interoperability by integrating existing data modules, dynamically loaded dashboards and seamless transitions between PodOS and specialized apps. These advancements will give individuals and organizations greater flexibility and control over their data, making the Solid ecosystem more practical, interactive, and user-friendly. The project's own website: http://pod-os.org This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. 
Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"description":" Pnut Reproducible build of GCC on POSIX shell The C programming language underpins many critical components of modern infrastructure, with most programming languages relying on it, directly or indirectly, for their bootstrap. Given this pivotal role, reproducible builds for C are fundamental for the adoption of reproducible builds across the software landscape. The Pnut project aims to create a new bootstrapping path for GCC and the C ecosystem, leveraging Diverse Double-Compilation and POSIX shell instead of the usual auditable binary seed approach. This approach reduces the number of steps by starting at a higher abstraction level, in addition to not having platform specific seeds. The ultimate goal of Pnut is to deliver fully reproducible and auditable bootstrap for GCC, starting with Linux x86, requiring only a POSIX compliant shell and human-readable source files. The project's own website: https://pnut.sh Run by Université de Montréal This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/Pnut/","title":"Pnut"},{"title":"Pnut everywhere","url":"https://nlnet.nl/project/Pnut-architectures/","description":" Pnut everywhere Compiles (a subset of) C to human-readable POSIX shell or binary The C programming language underpins many critical components of modern infrastructure, with most programming languages relying on it, directly or indirectly, for their bootstrap. 
Given this pivotal role, reproducible builds for C are fundamental for the adoption of reproducible builds across the software landscape. Previously, the Pnut project has demonstrated the viability of bootstrapping GCC and the C ecosystem from POSIX shell - offering an alternative to the \"usual\" auditable binary seed approach. The next goal for Pnut is to broaden the platforms supported by this new bootstrapping path, from x86 only to ARM and RISC-V, in addition to making the Pnut compiler easier to bootstrap from more platforms. The project's own website: https://pnut.sh Run by Semigroup Inc This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"description":" Pleroma Scalable ActivityPub server written in Elixir Pleroma is an extendable ActivityPub communication server. Pleroma can be as light-weight as you want it to be, fit for both running from a homeserver or from more serious infrastructure. Pleroma embraces customization. Instead of trying to dictate how users should use our software, we give them options. From the backend to the frontend, there are hundreds of configurable options to satisfy the different needs of everyone. We know there's no single setup that works for everyone, and are more than willing to listen to users' feedback. Being part of the fediverse of course means interacting with other servers and Pleroma provides the best experience when displaying other types of content, even non-microblogging. The Fediverse nowadays is a very big place with a lot of different people, who don't necessarily agree with each other or have good intentions. 
To help with the insurmountable task to moderate the stream of incoming and outgoing content, Pleroma has the Message Rewrite Facility, allowing instance administrators to automatically act upon activities including modifying them and deciding whether to show them in federated timeline or not. Having more detailed and partially automated moderation helps create a network where users don't have to worry about not being able to talk to someone else because the admins didn't have the right tools at their disposal. The project's own website: https://pleroma.social This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","url":"https://nlnet.nl/project/Pleroma/","title":"Pleroma"},{"description":" Plaudit Make good science discoverable through endorsements Plaudit is open source software that collects endorsements of scholarly content from the academic community, and leverages those to aid the discovery and rapid dissemination of scientific knowledge. Endorsements are made available as open data. The NGI Search & Discovery Grant will be used to simplify the re-use of endorsement data by third parties by exposing them through web standards. The project's own website: https://plaudit.pub Why does this actually matter to end users? Should the findings of scientific research funded by public means be publicly available? Today we have limited access to the papers and academic articles that researchers write while working at universities supported in part by taxes we all pay. Publishers and publication platforms put most scholarly content behind (very) expensive paywalls that usually only the same tax-funded universities can actually afford. 
The call for open access now grows louder, with scientists, journalists and activists arguing that scientific knowledge should be available for the common good and educate people, inspire innovation and be an important voice in an age of \"fake news\" and misinformation. Plaudit supports open academic access by providing a tool scientists can use to independently endorse valuable and important research. This signals readers what articles are reliable and relevant, strengthens the credibility of researchers who become less dependent on major journals and supports the platforms that actually provide open access with an authentic stamp of approval. The tool itself is easy to use and integrate in for publishers and works with identifiers for articles and researchers that are already commonplace in the academic field. This project aims to integrate the Plaudit tool into preprint servers (where work is published before formal peer review and publication in a journal) and academic journals to encourage scientists to endorse relevant work and to channel these endorsements to other researchers, journalists, funders and anyone interested in academic work that is relevant for their interests. Scientists can take back their agency to determine what scientific work is relevant and users, journalists, businesses and governments can learn from these insights and innovate. This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. 
","title":"Plaudit","url":"https://nlnet.nl/project/Plaudit/"},{"title":"Plasma Mobile powermanagement improvements","url":"https://nlnet.nl/project/PlasmaMobile-powermanagement/","description":" Plasma Mobile powermanagement improvements Better power management on mobile Linux Plasma Mobile is an open source user interface for mobile devices developed by the KDE Community. Plasma works on top of various free and open source operating systems such as Linux, offering an attractive open mobile stack. Built on the foundations of Plasma Desktop, Plasma Mobile brings its flexibility to a mobile form factor. To increase mass-adoption of such a free-software alternative, it is important that we offer a great experience in terms of productivity and usability of the platform. One aspect in helping to achieve broader adoption of Plasma Mobile is by extending battery-life: the longer users can use their phone without needing to recharge, the better. This project will improve the power management for Plasma Mobile, also keeping an eye on user experience. The project's own website: https://www.plasma-mobile.org Run by KDE community This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"description":" Pixelfed ActivityPub driven decentralised photo sharing platform Pixelfed is an open source and decentralised photo sharing platform, in the same vein as services like Instagram. The twist is that you can yourself run the service, or pick a reliable party to run it for you. Who better to trust with your privacy and the privacy of the people that follow you? The magic behind this is the ActivityPub protocol - which means you can comment, follow, like and share from other Pixelfed servers around the world as if you were all on the same website. 
Timelines are in chronological order, and there is no need to track users or sell their data. The project has many features including Discover, Hashtags, Geotagging, Photo Albums, Photo Filters and a few still in development like Ephemeral Stories. The goal of the project is among others to solidify the technical base, add new features and design and build a mobile app that is compatible with Mastodon apps like Fedilab and Tusky. The project's own website: https://pixelfed.org Why does this actually matter to end users? After you take a picture of your brand new car, your smiling baby or the food you were just served, what do you do? You want to show it to everyone you know of course. But do you really know who you are actually sharing your private snapshots with when you post them online? With high grade cameras in nearly every mobile phone and numerous instant messaging apps and social media platforms available, sharing photos is just as easy (and perhaps more popular) than typing out what you want your friends and family to know about your life. Social platforms and apps make us feel like we are only sharing our images with our own social circle and maybe some faraway friends we met online. But because many so-called 'free' social sharing tools like Instagram actually monetize your data and online activity to sell you personalized ads, your online picture book may not be so private at all. And where do those snapshots, that sometimes contain very personal information about where you live, what you are doing and who you know, actually end up after you clicked that upload button? When you want to show someone your holiday pictures, you simply want to share those pictures, instead of also handing over a copy to the postal service to check where you went to and possibly send you a cheap flight deal for the coming holidays. Pixelfed is a platform that makes this possible on the internet. 
Users can choose to run and host the service themselves or choose someone they trust to store their pictures and private data with. No one will track what photos you share and which people you follow. The pictures your friends and family share pop up in your timeline one after the other, without ads or algorithms that decide what you can and cannot see. This project aims to give users tools and features they can use to search, find and share photos on the platform, making Pixelfed a more attractive (and ethical) alternative to for example Instagram. This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. ","title":"Pixelfed","url":"https://nlnet.nl/project/Pixelfed/"},{"title":"Pixelfed","url":"https://nlnet.nl/project/Pixelfed-Groups/","description":" Pixelfed Open source, federated photo sharing platform using ActivityPub Pixelfed is a free and ethical photo sharing platform, powered by ActivityPub federation. The primary scope of this project is to build a federated Groups feature which will enable people to create communities across Pixelfed instances and other fediverse software. Pixelfed Groups will support text, photo and video posts on a separate Group-only timeline feed, as well as support a powerful role based membership system where admins can easily control who can join and the other actions they can perform. The project's own website: https://pixelfed.org This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. 
"},{"title":"Pixelfed Live","url":"https://nlnet.nl/project/PixelFedLive/","description":" Pixelfed Live Live streaming and other Pixelfed enhancements Pixelfed is an open source and decentralised photo sharing platform, in the same vein as services like Instagram. The twist is that you can yourself run the service, or pick a reliable party to run it for you. Who better to trust with your privacy and the privacy of the people that follow you? The magic behind this is the ActivityPub protocol - which means you can comment, follow, like and share from other Pixelfed servers around the world as if you were all on the same website. Timelines are in chronological order, and there is no need to track users or sell their data. The platform has many features including Discover, Hashtags, Geotagging, Photo Albums, Photo Filters and a few still in development like Ephemeral Stories. After supporting development of social discovery and a mobile app, NGI Zero funds this project to add a much requested live streaming feature to Pixelfed. The project's own website: https://pixelfed.org Why does this actually matter to end users? After you take a picture of your brand new car, your smiling baby or the food you were just served, what do you do? You want to show it to everyone you know of course. But do you really know who you are actually sharing your private snapshots with when you post them online? With high grade cameras in nearly every mobile phone and numerous instant messaging apps and social media platforms available, sharing photos is just as easy (and perhaps more popular) than typing out what you want your friends and family to know about your life. Social platforms and apps make us feel like we are only sharing our images with our own social circle and maybe some faraway friends we met online. 
But because many so-called 'free' social sharing tools like Instagram actually monetize your data and online activity to sell you personalized ads, your online picture book may not be so private at all. And where do those snapshots, that sometimes contain very personal information about where you live, what you are doing and who you know, actually end up after you clicked that upload button? When you want to show someone your holiday pictures, you simply want to share those pictures, instead of also handing over a copy to the postal service to check where you went to and possibly send you a cheap flight deal for the coming holidays. Pixelfed is a platform that makes this possible on the internet. Users can choose to run and host the service themselves or choose someone they trust to store their pictures and private data with. No one will track what photos you share and which people you follow. The pictures your friends and family share pop up in your timeline one after the other, without ads or algorithms that decide what you can and cannot see. The latest much requested feature that will be added is live streaming, making Pixelfed an even more versatile privacy-friendly alternative to Instagram and the likes. This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. "},{"description":" PixelDroid Share and browse photos in the fediverse with a mobile app PixelDroid is an Android client for Pixelfed, the federated image sharing platform based on W3C ActivityPub. Our goal is to bring the Pixelfed platform to Android and provide a mobile user experience that excites. We aim to provide feature-parity with the Pixelfed web client as well as add additional features - like image and video editing, capturing and uploading directly from the app. 
During the project we will also make it easy to use multiple accounts, even across different instances. Additionally, we want to contribute to the Pixelfed API with testing and additional documentation. The project's own website: https://pixeldroid.org Why does this actually matter to end users? After you take a picture of your brand new car, your smiling baby or the food you were just served, what do you do? You want to show it to everyone you know of course. But do you really know who you are actually sharing your private snapshots with when you post them online? With high grade cameras in nearly every mobile phone and numerous instant messaging apps and social media platforms available, sharing photos is just as easy (and perhaps more popular) than typing out what you want your friends and family to know about your life. Social platforms and apps make us feel like we are only sharing our images with our own social circle and maybe some faraway friends we met online. But because many so-called 'free' social sharing tools like Instagram actually monetize your data and online activity to sell you personalized ads, your online picture book may not be so private at all. And where do those snapshots, that sometimes contain very personal information about where you live, what you are doing and who you know, actually end up after you clicked that upload button? When you want to show someone your holiday pictures, you simply want to share those pictures, instead of also handing over a copy to the postal service to check where you went to and possibly send you a cheap flight deal for the coming holidays. Pixelfed is a platform that makes this possible on the internet. Users can choose to run and host the service themselves or choose someone they trust to store their pictures and private data with. No one will track what photos you share and which people you follow. 
The pictures your friends and family share pop up in your timeline one after the other, without ads or algorithms that decide what you can and cannot see. Since smartphones have become the everyday computer for a lot of users (sometimes the only device they own), privacy-friendly social media need proper apps to offer the same kind of functionality less privacy-friendly networks offer. PixelDroid is an Android-app for Pixelfed that offers the same functionalities as the website does. This project will add features that fit with federated social networking, like using multiple accounts across different instances. This way Pixelfed is an all-round competitor for anyone who would rather share their pictures and videos with friends and family in a privacy-friendly way. This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. ","title":"PixelDroid","url":"https://nlnet.nl/project/PixelDroid/"},{"title":"PixelDroid/Media editor","url":"https://nlnet.nl/project/PixelDroid-MediaEditor/","description":" PixelDroid/Media editor Native PixelFed/ActivityPub image sharing app PixelDroid is an Android app focused on sharing pictures and video through ActivityPub-based services such as Pixelfed and Mastodon. The scope of this project is two-fold: first to improve the application's features and make it more friendly to use for people new to the platform - we want PixelDroid to have the best onboarding experience of the fediverse. Secondly to work on photo and video editing, adding features and streamlining the editing user experience. 
We will also enable our work on photo and video editing to be used by others outside of the context of our app, by creating a standalone editing application and improving our 'Android media editor' library so that adding media editing to FOSS Android applications is easier than ever. The project's own website: https://pixeldroid.org This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. "},{"description":" Pithus Free and open-source mobile threat intelligence Pithus is a free and open-source Android threat intelligence platform aimed at activists, journalists, NGOs and researchers. Its goal is to provide intelligible and relevant information aggregated from several android application analysis tools to facilitate the understanding, reverse engineering, and threat analysis of android applications. Pithus adapts to its users by providing easy to read information on application behaviors, as well as precise technical data and analysis tools to detect similar malicious samples. Functionalities to easily pivot to other malwares of a same family, create custom detection rules, and monitor, detect and analyse new emerging threats. Pithus is community driven with an ever growing database of android applications. This grant focuses on developing a number of new features and performing well overdue maintenance and necessary refactoring tasks, as well as provide adequate documentation and QoL improvements. The project's own website: https://beta.pithus.org/ This project was funded through the NGI Mobifree Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme under the aegis of DG Communications Networks, Content and Technology. 
The NGI Mobifree R&D programme is part of Horizon Europe research and innovation programme under grant agreement No. 101135795. ","url":"https://nlnet.nl/project/Pithus/","title":"Pithus"},{"description":" Pion Network congestion measurement for adaptive real-time applications Network congestion heavily impacts real-time applications such as the popular video conferencing tools based on WebRTC, which we all have come to rely on during the SARS-CoV-2 pandemic. WebRTC is an IETF protocol that allows bi-directional P2P communication. Two peers find the best route to connect, even if they are both using a browser. This allows users to host their own conferences and share files directly from their browser. WebRTC is used by projects like Tor, IPFS and Galene. Open source efforts in this space lack good congestion control, which allows quality to be adjusted to available bandwidth, meaning that all users will have a better experience. Large companies consider their proprietary congestion controller a strategic asset, and don't readily share information on how it works. Pion is a fast and performant implementation of WebRTC, written in Go. This project will provide a way to measure the network quality, and adjust it to available bandwidth - and will document all the steps needed in order to empower other Open Source WebRTC projects. The project's own website: https://pion.ly Run by Pion This project was funded through the User-Operated Internet fund, a fund established by NLnet made possible by financial support from the PKT Community/The Network Steward and stichting Technology Commons Trust. Your donation is welcome too. ","url":"https://nlnet.nl/project/Pion-adaptive/","title":"Pion"},{"title":"Pinbot","url":"https://nlnet.nl/project/Pinbot/","description":" Pinbot Design and deploy test jigs for electronics Pinbot is an open-source platform that makes it easy to design and deploy test jigs for electronics. 
It brings together mechanical fixtures, control electronics, jig-level software, and a backend that stores and analyzes every test result. With Pinbot, you can achieve fast, reliable, and fully automated testing of printed circuit board assemblies (PCBAs), whether on a production line or in your garage. Think of it as CI/CD for your hardware: nothing ships until it has been verified by automation and every detail is logged for full traceability. The project's own website: https://github.com/Pinbot-factory This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"description":" pimsync Reliable synchronisation for contacts and calendars Pimsync is a standards-based tool to synchronise contacts and calendars, using CalDAV, CardDAV, WebCal and/or a local filesystem. It has proven a reliable and stable evolution of its predecessor vdirsyncer, but lacks some of the extended features on which some users rely. This project aims to implement all those extended features and edge cases, such that remaining users of vdirsyncer can migrate to a modern replacement. The project's own website: https://pimsync.whynothugo.nl/ This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). 
","url":"https://nlnet.nl/project/Pimsync/","title":"pimsync"},{"description":" Pimalaya: email Open source personal information management Pimalaya aims to improve open-source tools related to Personal Information Management (PIM) which includes emails, contacts, calendars, tasks and more. Its first goal is to provide Rust libraries dedicated to the PIM domain. They serve as a basis for all sorts of top-level applications, which prevents developers to reinvent the wheel. Its second goal is to provide quality house-made applications built on top of these libraries, gathered into projects. Among others this includes Neverest, a command-line synchronisation tool. This grant will help Pimalaya to cover the email domain: improve lib structure, improve synchronization, implement autoconfiguration, implement thread view and initialize a REPL. The project's own website: https://pimalaya.org This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","title":"Pimalaya: email","url":"https://nlnet.nl/project/Pimalaya/"},{"title":"Pimalaya PIM","url":"https://nlnet.nl/project/Pimalaya-PIM/","description":" Pimalaya PIM Memory-safe emails, contacts, calendars, tasks and more Pimalaya aims to improve open-source tooling related to Personal Information Management (PIM). Pimalaya has two objectives: to provide solid Rust libraries dedicated to the PIM domain, which serve as a basis for all sorts of top-level applications (meaning their developers can focus on functionality) and to develop a number of quality applications on top of these libraries. 
Within the scope of this project, Pimalaya will release additional production-grade libraries and tools, expanding its scope to contacts and calendars — through contact and calendar libraries, command line interfaces and plugins. At the end of this grant, the Pimalaya project covers not just email but also contacts, events, alarm and tasks. The project's own website: https://pimalaya.org This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"description":" Pijul ecosystem A modern patch-based version control system Pijul is a modern patch-based version control system that addresses many shortcomings found in existing tools. While its foundations are already mature and well-tested, it lacks many conveniences users expect from the ecosystems of popular tools such as Git. This project aims to significantly reduce Pijul's barrier to adoption by addressing common areas of user feedback - documentation, usability, robustness, and integration into other tools such as text editors or CLI prompts. We believe this will improve the workflow of existing users, and enable many more to adopt Pijul and its benefits without sacrificing other parts of their workflow. The project's own website: https://pijul.org This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. 
","title":"Pijul ecosystem","url":"https://nlnet.nl/project/Pijul/"},{"description":" Pijul Hybrid Hybrid patch-based/snapshot-based system for distributed versioning Pijul is a modern patch-based version control system that addresses many shortcomings found in existing tools, based on a mathematical theory of collaborative work. In order to ease the transition from existing tools, and increase utility in a wider set of use cases, this project will work on a better transition story from other tools like Git and Mercurial, and improve tooling around it. In particular, it will deliver a hosting platform called Nest which has features which will be quite different from other hosting services. Pijul is able to apply patches independently from each other, meaning that (reorderable) patches can be used in place of legacy pull/merge requests everywhere. This should makes most workflows vastly simpler, as well as result in cleaner code bases. The project's own website: https://pijul.org This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. ","title":"Pijul Hybrid","url":"https://nlnet.nl/project/Pijul-Hybrid/"},{"url":"https://nlnet.nl/project/PiRogue-toolsuite/","title":"PiRogue Tool Suite","description":" PiRogue Tool Suite Consensual mobile device forensic analysis and incident response solution The PiRogue Tool Suite (PTS) is an open source, consensual digital forensic analysis and incident response solution that empowers organizations with comprehensive tools for network traffic analysis, mobile forensics, knowledge management, and artifact handling. The tool suite includes both hardware and software components, with the PiRogue network router and Colander, a case management platform. 
PTS aims to be a universally accessible and cost-effective solution for digital investigations, with a comprehensive, user-friendly and modular design. This allows for instance academics, civil society, and independent media to analyze artifacts, build investigations, and generate reports and intelligence feeds. This project will add support for dynamic analysis from emulated Android devices in addition to physical devices, and implement TLS decryption for Flutter-based applications. The project's own website: https://pts-project.org Run by Defensive Lab Agency This project was funded through the NGI Mobifree Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme under the aegis of DG Communications Networks, Content and Technology. The NGI Mobifree R&D programme is part of Horizon Europe research and innovation programme under grant agreement No. 101135795. "},{"title":"Better support for display notches and cutouts in Phosh","url":"https://nlnet.nl/project/Phosh-Notch/","description":" Better support for display notches and cutouts in Phosh Better custom shape screen support for Wayland Mobile phones often have notches or cutouts in their displays (often to accommodate the camera), rounded corners or waterfalls (lower resolution areas at the edge of the screen). The aim of this project is to propose and implement a Wayland protocol that gives applications the necessary information about these areas. This allows them to place UI elements in a sensible and visually pleasing way, color lower resolution areas properly and avoid having important information occluded. Besides for mobile shells like Phosh this information is also important for e.g. video players and other full screen applications and out of the box support in toolkits is desirable. 
The project's own website: https://phosh.mobi Run by Phosh This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"description":" Port Phosh to GTK4/libadwaita Open source user interface for mobile phones The Phosh project aims to provide a daily usable, robust and easy to use graphical user environment for mobile devices running mainline Linux. The goal of this project is to move the phone shell to the current version 4 of the underlying GUI toolkit GTK. This involves implementing the needed interfaces as well as updating the code base to the changed APIs allowing us to make use of GTK's improvements like GPU rendering and smoother scrolling. The project's own website: https://phosh.mobi Run by Phosh This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/Phosh-GTK4/","title":"Port Phosh to GTK4/libadwaita"},{"url":"https://nlnet.nl/project/Perspectives/","title":"A Distributed Software Stack For Co-operation","description":" A Distributed Software Stack For Co-operation Facilitating easy ad hoc cooperation Perspectives aims to be to co-operation, what ActivityPub is to social networks. It provides the conceptual building blocks for co-operation, laying the groundwork for a federated, fully distributed infrastructure that supports endless varieties of co-operation. 
The declarative Perspectives Language allows a model to translate instantly in an application that supports multiple users to contribute to a shared process, each with her own unique perspective. The project builds a reference implementation of the distributed stack that executes these models of co-operation, and makes the information concerned searchable. Real life is an endless affair of interlocking activities. Likewise, Perspectives models of services can overlap and build on common concepts, thus forming a federated conceptual space that allows users to move from one service to another as the need arises in a most natural way. Such an infrastructure functions as a map, promoting discovery, decreasing dependency on explicit search. However, rather than being an on-line information source to be searched, such as the traditional Yellow Pages, Perspectives models allow their users (individuals and organisations alike) to interact and deal with each other on-line. Supply-demand matching in specific domains (e.g. local transport) integrates readily with such an infrastructure. Other patterns of integrating search with co-operation support form a promising area for further research. The project's own website: https://academy.perspect.it Why does this actually matter to end users? The way our information is organised, has a huge impact on how society is organised. There is a lot of human activity that falls outside of existing commercial services. Society consists of families, unions, clubs, public offices, schools, public transport, sports, art, culture - a rich blend of individuals, formal organisations and ad hoc organic structures of all sizes. This complex fabric of society of people has been categorised by Kate Raworth in \"The Doughnut Economy\" into four sectors: the households, the commons, the state and the market. 
The latter two in particular are known to reach huge sizes (a relatively small amount of nation states and large multinationals), while the other two (almost by design) are millions of times larger in numbers but each of them remains small in size. People perform and produce in households and the commons in all sorts of ways that are not visible from the other perspectives. People co-operate everywhere. They communicate, co-ordinate their actions and jointly achieve more than anyone could on their own. Given the superpowers of the internet, it is logical to support and improve that co-operation (including and perhaps especially ad hoc cooperation) with IT infrastructure. Due to the hyperscaling that is happening in the market and state, the tooling we use for both households and the commons is often not optimal. A family is not an office, and in fact behaves very differently. We are creative enough to support ourselves with what we have to our avail - how many people repurpose spreadsheets as a membership database, address book or an archiving system. There is a huge and ever changing variety of collaboration models and contexts, and the great variety of different tools needed to make optimal use of the technological possibilities could never be economically viable as products. Luckily, there are many similarities that allow for a vast amount of reuse - just like we have a limited set of slightly over 120 chemical elements that are the building blocks for the almost infinite amount of complex molecules that make up the universe, the amount of technology primitives we need to combine to enable a rich diversity of human collaboration is in fact limited too. The Perspectives project aims to create the infrastructure that can empower an explosion of collaboration, not just limited to households and the commons but extending its use to all of human activity. 
The goal is empowering people to come together to offer and exchange information, products or services with whomever they want. Perspectives is a project to build the necessary infrastructure for such online cooperation. Instead of focusing on search and keeping users in the dark about how searching actually works, Perspectives focuses on discovery and how actors in a specific domain (think of local transportation, accommodation, second hand goods, or matchmaking for that matter) organize supply and demand just the way they want to. With a flexible and federated (no central managing authority) foundation, Perspectives can accommodate diversity while maintaining a universal user experience. And because it is open technology, it can be reused, expanded and shared to accommodate any type of human activities users need support for. This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. "},{"description":" Manyfold Manage private collections of 3D models This project will build a web application for managing collections of 3d models, with a focus on the needs of the 3d printing community. It is designed to be self-hosted, and lets users browse, organise, and analyse their downloaded models. With NLnet’s support, we aim to develop it into a decentralized multiuser platform for hosting and distributing 3d content. Using ActivityPub, we aim to build a kind of 'decentralized Thingiverse', allowing anyone to run their own instance to distribute content, and subscribe to content on other servers using any one of the many ActivityPub services out there such as Mastodon. 
We also aim to develop an innovative open format for progressive transmission of 3d mesh data, allowing both quick previewing of remote models, and low-quality previews for commercial content. The project's own website: https://manyfold.app This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","title":"Manyfold","url":"https://nlnet.nl/project/Personal-3D-archive/"},{"url":"https://nlnet.nl/project/Persistent-Yrs/","title":"Yrs persistent documents","description":" Yrs persistent documents Yrs/Yjs compatible layer for persistent key-value stores Yrs is a local-first collaboration library widely used for real-time collaborative editing. Yrs is a CRDT-based solution that currently works on documents fully loaded into memory, with disk storage happening through plug-ins. The primary goal of this effort is to make it more robust (and less resource-heavy) by creating an alternative implementation that works directly with the on-disk database. All of this should happen while remaining compatible with the existing in-memory Yrs implementation as well as the original Yjs JavaScript implementation. The project's own website: https://yjs.dev Run by y-collective This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). 
"},{"description":" Hassle-free Peppol bootstrapping and onboarding Open, reproducible, certification-ready e-invoicing stack for Peppol This project aims to make participation in the Peppol network genuinely accessible by providing a fully open-source, hassle-free way to deploy, operate, and validate a Peppol Access Point (AP) and Service Metadata Publisher (SMP). Building on existing, production-grade components such as Oxalis-NG and phoss SMP, we focus on eliminating the operational and deployment complexity that currently restricts Peppol infrastructure to large vendors and system integrators. The project will deliver reproducible, certification-ready deployments, automated onboarding and conformance testing workflows, and clear documentation that allows others to independently validate their setup. In addition, we will ensure interoperability with other open-source Peppol tooling, including Let’s Peppol, to demonstrate a coherent and composable free-software ecosystem. By packaging the complete solution in a reproducible environment such as NixOS, this project lowers the barrier for SMEs, public bodies, and developers to run their own Peppol infrastructure without vendor lock-in, while staying fully aligned with open standards and free-software values. The project's own website: https://www.letspeppol.org Run by Business Application Research Group Europe (BARGE) This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). 
","url":"https://nlnet.nl/project/Peppol-Reproducible-AP-SMP/","title":"Hassle-free Peppol bootstrapping and onboarding"},{"url":"https://nlnet.nl/project/Peppol-Decentralised/interview.html","title":"Michiel de Jong - Federated Bookkeeping","description":" Michiel de Jong - Federated Bookkeeping Hybrid self-hosted e-invoicing with decentralized identities Services + Applications Can you introduce yourself and your project? My name is Michiel de Jong. I’m from the Netherlands, but I have also lived in many other countries over the years. When I was working for a social network site in Spain, we had conversations among the engineers about how big tech companies are trying to get us to upload our data to the cloud instead of keeping it on devices we control. I took three months off work to prototype an alternative web architecture. I published this prototype as the Unhosted project, and it quickly got some attention on HackerNews, and people started telling me I could quit my day job and work on this project through crowdfunding. So I did, and with 6000 euros in my bank account, I moved to Berlin and committed to living off 1000 euros per month for at least six months, plus one month for every 1000 euros people would donate to the crowdfunding campaign. We raised 4000 euros so that I could work on the project for ten months. But then someone put me in touch with NLnet, which was, at the time, already running a predecessor of the NGI program. They funded me as an independent open source engineer for about five years. The Unhosted project was a big success, and I also co-founded a few related projects, like Terms of Service, Didn’t Read, and Indie Hosters. Since then, I have intermittently worked as an employee at Mozilla, Ripple, and Inrupt, but I always return to independent open source development whenever possible. In 2020, I started Ponder Source, a non-profit software engineering company that had nine full-time team members at its height (last year). 
However, during the past year, I moved back from team management to software development since I love doing it. Over the years, I contributed to nine projects funded by NLnet and NGI Zero: Unhosted, remoteStorage, LibreDocs, SocketHub, ToS; DR, ToS; DR-OTA, Solid-Nextcloud, Open Cloud Mesh, and Solid Data Modules. These projects were related to open source personal data stores such as Solid and personal cloud servers such as Nextcloud. I was also part of the advisory committee for the NGI DAPSI programme on data portability (now concluded). More recently, I developed an interest in Federated Bookkeeping and worked on four related NGI-Assure-funded projects: Peppol for the Masses, Federated Timesheets, and Federated Task Tracking with Live Data, which we just finished today! I hope to work more on inter-app interop, data portability, federated bookkeeping, and collaborative finance. What are the key issues you see with the state of the internet today? I think the internet itself (as a data network) is mostly fine. There are some worries about net neutrality, but from what I’ve heard and read, they don’t have a big impact on our human freedoms yet. What I’m more concerned about are the internet applications offered to us by big tech companies. Due to the power of capital investment, there is too much focus on building momentum around specific proprietary platforms and not enough on making these platforms interoperable. And I think this will get worse with the addition of AI: One part of that will be further gravitation towards monolithic systems, which can be better personal assistants because they know everything about you. Another aspect might be “investment” turning into an acting power that is increasingly separate from “investors” as (groups of) human beings. Our pension funds will increasingly be run by AI technology, maximizing shareholder returns more efficiently. 
There may even be AI viruses (autonomous artificial proprietors) that don’t pay out dividends to any group of people but just play the capitalism game on their own. But on the bright side, since proprietary technology cannot be shared, each new company must rewrite it, so this limited sharing scope limits its growth. Open source software doesn’t have this problem: each piece of code needs to be written and published only once, in theory. There is also some duplication in practice since the same software building block sometimes needs to be written in each new programming language. Still, fundamentally, whereas proprietary software creation is recurrent, open source software creation is accumulative. How does your project contribute to correcting some of those issues? My projects mostly try to build open source prototypes of a more connected and distributed vision for internet applications, accompanied by protocol specifications and test suites documenting how this new software interacts with itself and other compatible software. Such open protocols include Solid, Open Cloud Mesh, and AS4-Direct. Apart from prototype software, protocols, and test suites, I aim to develop connectors and bridges that can interoperate with existing systems. What do you like most about (working on) your project? I want the freedom to work on software I believe in without getting pushed in a user-unfriendly direction by venture capital. I also want the knowledge that I’m contributing to something idealistic and more long-term than if I were working as a software engineer at a company developing a proprietary system for commercial gain. Where will you take your project next? After the summer holidays, I will interconnect various Collaborative Finance networks, build a more open internet with open protocols and open source software, and focus on tools for projects explicitly looking for post-capitalist ways of organizing the economy. 
I’m looking forward to it and curious about what this future research will bring and teach me! How did NGI Assure help you reach your goals for your project? Without NGI funding, I would have had to work as an engineer in a commercial company. I would have had to work on what I think are the more important technology developments in my spare time, and most of the projects I currently work on would not even exist if it weren’t for NGI! Do you have advice for people who are considering applying for NGI funding? If you doubt whether taking a sabbatical from your professional (commercial) career as a software engineer is the right next step for you, I can only say, in 100% of cases, just do it! Especially with NGI funding, you don’t have a reason not to work full-time on your open source software project. And once you do and get noticed in the world of open protocols and give presentations at open source conferences and elsewhere, even if you just do it for a one-year career “break,” your career opportunities will be much better than they were before. Running your open source project will show recruiters that you have a vision of the state of the internet, know how to write code that works, and stand out from the crowd. Do you have any recommendations to improve future NGI programmes or the wider NGI initiative? I like the two-month cycle that NLnet uses, where applying for a 50,000 euro grant for an existing open source project will probably only cost you one day of work. More NGI programs should follow this lightweight model! Acknowledgements Image: courtesy of Michiel de Jong. Published on October 28, 2024 (but written on July 6, 2024) Peppol for the masses received funding through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. 
"},{"url":"https://nlnet.nl/project/Peppol-Decentralised/","title":"Peppol for the masses","description":" Peppol for the masses Hybrid self-hosted e-invoicing with decentralized identities Peppol is an EU-backed e-Invoicing network which uses a top-down certification infrastructure to establish trust between the sender and the receiver of an invoice. In the \"Peppol for the Masses!\" project, we will implement Peppol in PHP (so far only Java and C# implementations are available), and package its core components (the AS4 sender and the AS4 receiver) as a Nextcloud app, so that users of the popular Nextcloud personal cloud server can send and receive invoices over AS4 directly into their self-hosted server. Due to the top-down nature of Peppol's trust infrastructure, it's not possible to self-host a node in the Peppol network unless you go through a reasonably heavy certification process. Therefore, we will extend our implementation with support for self-hosted identities, using the \"WebID\" identity pattern which was popularized by the Solid project. We will also develop a re-signing gateway which replaces the signature on an AS4-Direct invoice with a Peppol-certified signature. 
In a follow-up project, we will also host an instance of this re-signing gateway and make it available free of charge, similar to how the LetsEncrypt project has made TLS certificates available free of charge. This project will lower the (cost) barrier for machine-readable cryptographically-signed e-Invoicing messages, and at the same time increase the sovereignty of end-users, towards a human-centric internet of business documents. The project's own website: https://github.com/pondersource/peppol-php Run by Stichting Ponder Source This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. "},{"description":" PeerTube - Remote Transcoding Remote Transcoding for distributed video sharing network PeerTube is a free-libre and federated alternative to centralized video platforms such as YouTube, Twitch or Vimeo. It empowers content creators (institutions, video-makers and live streamers, communities, etc.) to self host their own collective video-platform without being isolated in the wide web. The technical choices behind PeerTube (ActivityPub Federation, peer-to-peer broadcasting) keep the source of this suggestion (the technical and financial bar to self & collective hosting: you no longer need Google's server farm and Amazon's money to host your own PeerTube servers (an instance) and synchronize it with other servers to share video catalogs! There is still one technical bottleneck: video transcoding. This step is essential for a smooth video broadcasting experience. Transcoding happens at every video upload or during live-streams, and consumes a lot of CPU power. Instances hosting lots of content creators or live streamers tend to rapidly need to upgrade the CPU power of their server, to avoid a bottleneck that only happens episodically. 
Allowing transcoding work to happen remotely could solve a number of important logistical problems in a more efficient, resilient, affordable and eco-friendly manner. The project's own website: https://joinpeertube.org Run by Framasoft This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","title":"PeerTube - Remote Transcoding","url":"https://nlnet.nl/project/Peertube-Transcode/"},{"description":" Peertube plugin livechat Integrated chat for Peertube live streams The Peertube project aims to offer a free, decentralized, and sovereign alternative to video-on-demand platforms. Since its 3.0.0 version it is possible to live stream. However, the Peertube team has chosen not to integrate a chat system, but rather to offer the necessary tools so that it is possible to integrate this functionality via plugins. It is in this context that the \"Peertube Livechat\" plugin was launched in 2021. This project - already installed on nearly 250 Peertube instances - has grown with time, and already provides a serious alternative to existing proprietary systems. However, there are still some steps to be done to offer the same level of service as these commercial platforms: manage the decentralization allowed by Peertube at the chat level, possibility of automatic moderation, streamer/viewer interaction tools, improve and complete the translations of the software, improve its documentation, think about the numerous requests of the community, and so on. 
The project's own website: https://github.com/JohnXLivingston/peertube-plugin-livechat This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. ","url":"https://nlnet.nl/project/Peertube-Livechat/","title":"Peertube plugin livechat"},{"url":"https://nlnet.nl/project/Peermaps/","title":"peermaps","description":" peermaps Peer to peer cartography Peermaps is a p2p, offline-friendly way to distribute, view, and embed map data. Instead of fetching data from a centralized tile provider, you fetch data from other peers on the network. Right now we have all of OpenStreetMap processed into a 100GB archive in our p2p spatial database and rendering formats and seeded to hyperdrive and ipfs. This data is hooked up to a proof-of-concept web map viewer. For this grant, we will build on our proof-of-concept to release a user-oriented map viewer as a web application with search functionality on peermaps.org along with a developer-oriented tool to embed web maps in an iframe. In addition to (p2p) web development, this project will involve research on peer queries for offline and online location-based search, optimizations to the spatial database and p2p layer, webgl graphics improvements in addition to web development in order to produce a usable p2p mapping alternative. The project's own website: https://peermaps.org Run by https://bits.coop/ This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. 
"},{"title":"Extending PeerTube","url":"https://nlnet.nl/project/PeerTubeSearch/","description":" Extending PeerTube Adding advanced search capabailities to PeerTube This project aims to extend PeerTube to support the availability, accessibility, and discoverability of large-scale public media collections on the next generation internet. Although PeerTube is technically capable to support the distribution of large public media collections, the platform currently lacks practical examples and extensive documentation to achieve this in a timely and cost-efficient way. This project will function as a proof-of-concept that will showcase several compelling improvements to the PeerTube software by [1] developing and demonstrating the means needed for this end by migrating a large corpus of open video content, [2] implementing trustworthy open licensing metadata standards for video publication through the PeerTube platform, [3] and emphasizing the importance of accompanying subtitle files by recommending ways to generate them. The project's own website: https://publicspaces.net/ Why does this actually matter to end users? In the same year when the ARPAnet (the predecessor of the internet) was invented, people tuned into their tube televisions to watch a global live broadcast of astronauts first landing on the moon. If they missed that historical moment, that would be it. There was no ability for normal people to record television broadcasts, no ability to rewind or look back programmes from the online guide. At the turn of the millennium, three decades later, everyone was still watching traditional television: quite a few people may have had a video recorder, but this needed to be programmed in advance or you would still miss your favourite tv programme. And there had better not be two programmes you would want to record at the same time. That has all changed in recent years. 
On demand video via the internet has meanwhile assumed an important, but also somewhat controversial role. A tiny set of dominant online video hosting platforms (most people would have trouble naming more than two) has emerged, these control how hundreds of millions of users spend many billions of hours of human lives every year. The platform's features and algorithms determine what you see, who can be discovered (whether this is called \"trending\", \"recommended\" or \"autoplay\"), who is banned and deleted, and who is just left out of the spotlight. Users can only follow the patterns laid out for them on screen. The platforms also determine what information is logged about your searches and binge viewing behaviour, and privately decide who they sell your interests and location to. That is a far cry from the privacy granted by traditional television and radio broadcasting, where literally noone outside of the room could know which programme you would pick from the aether. What data is tracked, and what filters and algorithms are used by these online video platforms, remains opaque for users. Contrary to traditional media, the platforms feel no responsibility for checking facts: they focus on commercial value to them, not social value. Relying on third party platforms is especially awkward for public services and organizations, as they have moral responsibilities to their citizens and constituencies to protect their privacy and promote democratic and social values. There is no reason for publicly funded and private content (possibly about you and me) or material in the public domain to be exclusively available through a foreign commercial service that may change their terms of data ownership and usage on the fly. As a society, we want a diversity of independent platforms and search tools to facilitate a wide cultural arena. 
We should keep content open and available in a sustainable way, where we as a society can interact with it in a way that no-one feels exploited by or uncomfortable with. PeerTube is such an alternative to closed-off and commercial video platforms like YouTube. PeerTube is open source and free (free as in freedom) software that uses peer-to-peer technology to easily and quickly provide and share uploaded video material. Or put differently: a turnkey video platform in a box. Anyone that owns a computer connected to the internet can in principle create their own video platform, and set their own rules for users and content. Videos are stored by each instance independently, and so there is no censorship or systemic bias. PeerTube in its current state already delivers the basic technology for federated public video hosting. But we are still a while away from industry strength deployments, needed to get public institutions, archives and other organizations to get large corpora of content online. This ambitious project will make a huge difference. It will increase the capabilities of PeerTube in terms of search technology, making it possible to even search inside the content of video. In addition, it will add to the accessibility features of PeerTube by signficantly improving subtitling support. It will make discovery of reusable content more easy, by implementing support for open licensing metadata, that communicate the legal conditions of specific content to search engines and users. This project will thus help pave the way for the massive caches of public media collections archived around the world to become first class citizens of the next generation internet. People will be handed the necessary tools to host and share any size of media collection, on a technology that is transparent from top to bottom. 
Run by Beeld en Geluid This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. "},{"title":"Peertube-Desktop","url":"https://nlnet.nl/project/PeerTubeDesktop/","description":" Peertube-Desktop Enjoy and share federated videos This project is archived. Due to circumstances, the project as planned did not take place. This page is left as a placeholder, for transparency reasons and to perhaps inspire others to take up this work. Cuttlefish is a client for PeerTube that will allow for searching and discovering new and interesting video's online with more privacy. PeerTube is a federated video hosting service based on the W3C ActivityPub standard. By using WebTorrent - a version of BitTorrent that runs in the browser - users help serve videos to other users. Cuttlefish is a desktop client for PeerTube, but will work on GNU/Linux-based phones (like the Librem 5 or Pinephone) as well. We want the experience of watching PeerTube videos and using PeerTube in general to be better, by making a native application that will become the best and most efficient way to hook into the federation of interconnected video hosting services. It will have improved search, and will allow people to continue sharing watched videos with other PeerTube users for longer periods of time, instead of discarding the video when done watching. It will also help bridge PeerTube's gap between the - now separated - BitTorrent and WebTorrent networks by speaking both of those protocols. The project's own website: https://framagit.org/artectrex/peertube-desktop Why does this actually matter to end users? 
In the same year when the ARPAnet (the predecessor of the internet) was invented, people tuned into their tube televisions to watch a global live broadcast of astronauts first landing on the moon. If they missed that historical moment, that would be it. There was no ability for normal people to record television broadcasts, no ability to rewind or look back programmes from the online guide. At the turn of the millennium, three decades later, everyone was still watching traditional television: quite a few people may have had a video recorder, but this needed to be programmed in advance or you would still miss your favourite tv programme. And there had better not be two programmes you would want to record at the same time. That has all changed in recent years. On demand video via the internet has meanwhile assumed an important, but also somewhat controversial role. A tiny set of dominant online video hosting platforms (most people would have trouble naming more than two) has emerged, these control how hundreds of millions of users spend many billions of hours of human lives every year. The platform's features and algorithms determine what you see, who can be discovered (whether this is called \"trending\", \"recommended\" or \"autoplay\"), who is banned and deleted, and who is just left out of the spotlight. Users can only follow the patterns laid out for them on screen. The platforms also determine what information is logged about your searches and binge viewing behaviour, and privately decide who they sell your interests and location to. That is a far cry from the privacy granted by traditional television and radio broadcasting, where literally noone outside of the room could know which programme you would pick from the ether. What data is tracked, and what filters and algorithms are used by these online video platforms, remains opaque for users. 
Contrary to traditional media, the platforms feel no responsibility for checking facts: they focus on commercial value to them, not social value. To move away from these self-serving monopolies, we need alternative infrastructures to host and share our own videos with. Something like our own private television channel where we decide what to broadcast and tune in to, without advertisements, tracking and profiling. That is what PeerTube allows you to do: peer-to-peer open source technology that lets you set up a turnkey video platform for your own content (and with your own rules). Videos Videos are stored by each instance independently, and so there is no censorship or systemic bias. There is a lively community of Peertube-instances and audiences sharing and enjoying content, from tv shows to lectures and music, and a host of clients and programs to watch it all on your phone or laptop. What Cuttlefish adds to this, is letting users support the PeerTube-instance they are watching simply by using the program. When you want a video on a PeerTube-instance, you are a peer sharing bandwidth with that instance to make sure the server can manage a lot of users streaming the same content at once. But when you are done watching and close the tab, all the downloaded video data is lost and you are no longer sharing with the peer-to-peer-network. Cuttlefish instead allows you to keep the files of watched videos as long as you want to, relieving pressure on small instances. This way the video player does not only provide a fun and seamless user experience, users are also contributing to a stable and available network for others to watch videos as well. This can help to make PeerTube more fault-resistant and attractive to new viewers and content creators who are fed up with the increasing control video platforms hold over their content. 
This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. "},{"title":"PeerTube","url":"https://nlnet.nl/project/PeerTube/","description":" PeerTube A decentralised streaming video platform PeerTube is a free, libre and federated video platform. Video is a very popular class of content and meanwhile accounts for a signicant share of internet traffic, but the choice of hosting has a lot of implications - if you send your viewers to some proprietary platform because you want to avoid cost, what happens after they watch your video? And who watches them watch? PeerTube allows for a federation of interconnected hosts (so more choice of videos wherever you go to see them) while containing the risk of exposing users to profiling, algorithmic pressure that favors extreme content, censorship and other negative aspects of centralised services like YouTube or Vimeo. PeerTube implements the ActivityPub standard and works with peer-to-peer distribution - and therefore viewing. This means no slowing down when a video suddenly goes viral, and much lower distribution costs thanks to shared bandwidth. PeerTube aims to make it easier to host videos on the server side, while remaining practical, ethical and fun on the Internet user side. In this project, Framasoft will work on PeerTube 4.0 with interesting new features such as better search, live streaming, channel customisation and improved accessibility. The project's own website: https://joinpeertube.org/ Why does this actually matter to end users? In the same year when the ARPAnet (the predecessor of the internet) was invented, people tuned into their tube televisions to watch a global live broadcast of astronauts first landing on the moon. If they missed that historical moment, that would be it. 
There was no ability for normal people to record television broadcasts, no ability to rewind or look back programmes from the online guide. At the turn of the millennium, three decades later, everyone was still watching traditional television: quite a few people may have had a video recorder, but this needed to be programmed in advance or you would still miss your favourite tv programme. And there had better not be two programmes you would want to record at the same time. That has all changed in recent years. On demand video via the internet has meanwhile assumed an important, but also somewhat controversial role. A tiny set of dominant online video hosting platforms (most people would have trouble naming more than two) has emerged; these control how hundreds of millions of users spend many billions of hours of human lives every year. The platform's features and algorithms determine what you see, who can be discovered (whether this is called \"trending\", \"recommended\" or \"autoplay\"), who is banned and deleted, and who is just left out of the spotlight. Users can only follow the patterns laid out for them on screen. The platforms also determine what information is logged about your searches and binge viewing behaviour, and privately decide who they sell your interests and location to. That is a far cry from the privacy granted by traditional television and radio broadcasting, where literally no one outside of the room could know which programme you would pick from the aether. What data is tracked, and what filters and algorithms are used by these online video platforms, remains opaque for users. Contrary to traditional media, the platforms feel no responsibility for checking facts: they focus on commercial value to them, not social value. 
Relying on third party platforms is especially awkward for public services and organizations, as they have moral responsibilities to their citizens and constituencies to protect their privacy and promote democratic and social values. There is no reason for publicly funded and private content (possibly about you and me) or material in the public domain to be exclusively available through a foreign commercial service that may change their terms of data ownership and usage on the fly. As a society, we want a diversity of independent platforms and search tools to facilitate a wide cultural arena. We should keep content open and available in a sustainable way, where we as a society can interact with it in a way that no-one feels exploited by or uncomfortable with. PeerTube is such an alternative to closed-off and commercial video platforms like YouTube. PeerTube is open source and free (free as in freedom) software that uses peer-to-peer technology to easily and quickly provide and share uploaded video material. Or put differently: a turnkey video platform in a box. Anyone that owns a computer connected to the internet can in principle create their own video platform, and set their own rules for users and content. Videos are stored by each instance independently, and so there is no censorship or systemic bias. Important features like live streaming, channel customisation, as well as better search and accessibility will be the topic of work for this project, making PeerTube an increasingly viable alternative to commercial and tracker-heavy video and streaming platforms. Run by Framasoft This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. 
"},{"title":"Popularizing PeerTube","url":"https://nlnet.nl/project/PeerTube-mobile/","description":" Popularizing PeerTube Decentralised video platform powered by ActivityPub PeerTube is a software that empowers collectives to create their own video hosting and live-streaming solution, present a federated video catalog, and emancipate themselves from proprietary centralized platforms. It is nowadays used by institutions, educators, collectives of creators and citizens. This development project is aimed toward improving on PeerTube's features and ecosystem in a way that facilitates adoption, experience and usability. Such developments include: user's data export & import, a full accessibility audit (including integrations), splitting audio & video streams, comments review & moderation tools for content creators, automated filters to facilitate moderation, streaming in \"audio only\" mode, a redesign of the video management system, a new content warning/characterization system, a whole UI/UX audit and remodel. We also want to develop the first version of an official mobile app dedicated (at first) to find and enjoy content on the PeerTube vidiverse. The project's own website: https://joinpeertube.org Run by Framasoft This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. "},{"url":"https://nlnet.nl/project/PeerTube-for-Institutions/","title":"PeerTube for Institutions","description":" PeerTube for Institutions Make PeerTube easier to manage and moderate at scale PeerTube is a free-libre and federated video platforms that empowers anyone to self host video content without being isolated in the wide web. Many institutions have started using PeerTube, to reclaim control over their video hosting. 
By choosing PeerTube, they offer a wider audience the opportunity to familiarize themselves with PeerTube. A significant part of this project focuses on enabling these institutional use cases, and is designed from their feedback. We plan to add ownership transfer and shared administration for video channels, quality of life features for moderation and administration, more control on an instance look and experience and a set-up wizard with relevant presets (and more). We also want to adapt the mobile app to tablet and TV devices, and add a watch offline option. The project's own website: https://joinpeertube.org/ Run by Framasoft This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"description":" Peertube plugin livechat Public and private messaging for Peertube content + live streams Peertube is a free, decentralized and sovereign alternative to video-on-demand and live-streaming platforms. The Peertube Livechat project is a popular plugin for PeerTube that adds chatting capabilities to Peertube, so the audience can interact with streamers during their live streams. The functionality goes way beyond a mere chat system: it also provides moderation tools, polls, chat integration in the live stream, TODO-list for streamers and moderation team, and more. Its ambition is to become a complete ecosystem for live streaming. 
The project's own website: https://livingston.frama.io/peertube-plugin-livechat/ This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/PeerTube-Livechat-UX/","title":"Peertube plugin livechat"},{"description":" PeerDB Search Search for semantic and full-text data PeerDB Search is an opinionated but flexible open source search system incorporating best practices in search and user interfaces and experience to provide intuitive, fast, and easy to use search over both full-text data and semantic data exposed as facets. The goal of the user interface is to allow users without technical knowledge to easily find results they want, without having to write queries. The system will also allow multiple data sources to be used and merged together. As a demonstration PeerDB will deploy a public instance as a search service for Wikipedia articles and Wikidata data. The project's own website: https://gitlab.com/peerdb/search Run by Layer8 This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. 
","url":"https://nlnet.nl/project/PeerDB/","title":"PeerDB Search"},{"title":"The PeARS app","url":"https://nlnet.nl/project/PeARS/","description":" The PeARS app Building low-resource Web search applications from cognitive models It is widely believed that Web search engines require immense resources to operate, making it impossible for individuals to explore alternatives to the dominant information retrieval paradigms. The PeARS project aims at changing this view by providing search tools that can be used by anyone to index and share Web content on specific topics. The focus is specifically on designing algorithms that will run on entry-level hardware, producing compact but semantically rich representations of Web documents. In this project, we will use a cognitively-inspired algorithm to produce queryable representations of Web pages in a highly efficient and transparent manner. The proposed algorithm is a hashing function inspired by the olfactory system of the fruit fly, which has already been used in other computer science applications and is recognised for its simplicity and high efficiency. We will implement and evaluate the algorithm on the task of document retrieval. It will then be integrated into a Web application aimed at supporting the growing practice of 'digital gardening', allowing users to research and categorise Web content related to their interests, without requiring access to centralised search engines. The project's own website: https://pearsproject.org/ Why does this actually matter to end users? We have come to associate search and discovery of digital content with online search engines. Somewhere on the planet there is an army of all-knowing machines waiting day and night for our inquiries, ready to point us to wherever we need to be - if we ask them nicely. 
However, this tremendous luxury comes with quite a heavy real-time dependency for internet users: it requires us to have an active connection to the internet whenever we need to find something. As our use of the internet has become more nomadic over the years due to the rise of mobile phones, there are in fact many situations that we find ourselves in where our use of the internet is very restricted or even temporarily cut off. Like when you are on a train, in a busy city centre where the wifi is completely saturated, in a remote area with limited coverage, or when you've run out of your monthly mobile data plan. Or something more serious, when the network is offline for a longer time due to a cascading network failure or cyberattack. All of a sudden, we are at a loss. It feels we are thrown back in time. We cannot find anything anymore outside of the files and documents we have stored on our devices. Our on-line search engines are all out of reach and of no use to us. Our many questions will have to wait: there is nothing we can do until we get back online. Such a real-time dependency on a critical resource is not only annoying for users (and sometimes downright disadvantageous when you really need to look up something like a manual or an important reference document). It is also not necessary. There are other, more efficient ways to approach web search, which may even provide you with richer results. This project takes a unique approach of searching and indexing data in documents to allow people to research and categorize in 'digital gardens': instead of having to wade through (irrelevant) data, you search only content relevant to your interests, making search a personal experience instead of a confusing and commercialized pain. 
Run by University of Trento This project was funded through the NGI0 Discovery Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825322. "},{"url":"https://nlnet.nl/project/PdfDing/","title":"PdfDing","description":" PdfDing Webbased selfhosted PDF manager, viewer and editor PdfDing is a web based PDF manager, viewer and editor. It offers a seamless user experience on multiple devices and functionality for sharing PDFs with external users. PDF is an omnipresent file type with users in all walks of life. This project aims to be a free all-in one solution for managing and consuming PDFs while having small resource requirements and offering users control over their data. For this reason it is designed to be minimal, fast, and easy to set up using Docker. The project's own website: https://www.pdfding.com/ This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"title":"Patchouli","url":"https://nlnet.nl/project/Patchouli/","description":" Patchouli Arbitrary-sized open hardware EM pen products Patchouli is an open-source electro-magnetic drawing tablet hardware implementation, including a coil array, an RF front end built using commercially available parts, and digital signal processing algorithms. The design is compatible with most commercial pens from different vendors, offering an ultra-low-latency pen input experience for your customized hardware projects. 
The hardware is released under the CERN-OHL-S license, and the firmware/simulation code is released under the GPL3+ license. The project's own website: https://patchouli.readthedocs.io This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"title":"Passthrough Authentication","url":"https://nlnet.nl/project/PassthroughAuthentication/","description":" Passthrough Authentication Authentication proxy using Kerberos and SPNEGO Adding authentication to an application is an ungrateful part of development - users don't like to log in and there is a lot of duplication of effort. This project proposes an interesting alternative which benefits from the fact that browsers have retained built-in support for HTTP SPNEGO (with Kerberos included) for many years: by forwarding Kerberos tokens through a lightweight proxy to a \"kerberized\" authentication server that is part of the same Kerberos realm where the user logged in at the beginning of the day. The goal of this project is to make web modules, such as Apache, for the proxy and implement the authenticator using Diameter or another broker, and do the same for SASL using GSSAPI. The project's own website: https://mansoft.nl/PTA/ Run by Mansoft This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. "},{"description":" Parley Rich text layout and editing library Parley is a Rust library for implementing rich text layout and includes utilities for text selection and editing, as well as font enumeration and fallback through the companion library Fontique. 
Parley depends on the production-quality text shaping engine HarfRust. This project aims to prove Parley's flexibility through modularity, allowing users to choose the high low-level APIs that are suitable to them and making it easier to implement various layout strategies. Additionally, more layout and bidirectional text features will be implemented, especially targeting web use-cases. Further goals are to improve handling of font loading and font fallback behavior, focusing on performance as well as allowing richer web-style font selectors and fallback. The project's own website: https://linebender.org Run by Linebender This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/Parley/","title":"Parley"},{"description":" Parley - rich text layout library Cross-app rich text copy/paste for Parley High quality, consistent text display across applications and platforms is a fundamental part of a good user experience, yet it often depends on embedding cumbersome web browser components. Parley is an open source project building a powerful, independent alternative for rich text layout. By providing a performant library for native desktop and mobile apps, especially in modern languages like Rust, it empowers developers to create resilient, trustworthy, and good looking software without relying on the dominant web ecosystem. This grant will significantly mature Parley by expanding its international text layout capabilities, delivering cross-app rich text copy/paste, and providing performance benchmarks and documentation, making it a cornerstone for a more diverse and sovereign software landscape. 
The project's own website: https://github.com/linebender/parley Run by Linebender (open source community) This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","title":"Parley - rich text layout library","url":"https://nlnet.nl/project/Parley-copypaste/"},{"description":" Papis Highly extensible document and bibliography manager Researchers use Papis to search their digital libraries, manage bibliographies, organise notes, and move documents between formats. This command-line tool has become essential to many researchers' daily work. We've since added a terminal user interface (TUI) and a web interface, but the TUI remains underdeveloped -- it doesn't yet cover all of Papis's core capabilities in a way that feels intuitive or modern. This project addresses that gap. We'll build a client/server architecture that separates Papis's database logic from its interfaces, making the codebase more maintainable and enabling new features. With this foundation in place, we'll expand the TUI to handle all core functionalities. Along the way, we'll restructure our documentation to match the new architecture, making it easier to keep current as the project evolves. These changes should make Papis more powerful while lowering the barrier for newcomers. The project's own website: https://github.com/papis/papis This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. 
Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/Papis/","title":"Papis"},{"url":"https://nlnet.nl/project/Panoramax/","title":"Panoramax","description":" Panoramax Digital, collaborative immersive street level imagery Panoramax is an immersive views project. It is a digital, collaborative, free and open community. Access to the photos is free. Panoramax operates as an instance or federation of instances for hosting images. Today, most contributions are made using web interfaces that are not suitable for smartphones. However, this is an important lever for increasing the number of contributions. The aim of the “A mobile app for Panoramax” project is to enable contributions from smartphones, while making them easy for everyone. The application will enable geolocated and sequenced photos to be taken and uploaded to the various community instances. The project's own website: https://panoramax.fr Run by IGN France This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"url":"https://nlnet.nl/project/Panoramax-video/","title":"Panoramax video uploads","description":" Panoramax video uploads Add street level imagery from user-provided video Panoramax is an open-source software stack to create street level imagery open alternatives. It is an open collaborative immersive views project nurtured by an international community of contributors and users, operating as a federation of instances. 
Currently, Panoramax only accepts uploading images whereas typical cameras used for image acquisition enable \"timelapse\" video recordings that can provide more photos (several frames per second instead of one picture every two seconds at best, which limits the acquisition for higher-speed vehicles). As of today, contributors are required to pre-process their video files using local scripts to extract compatible images before uploading them. The aim of the “Video uploading for Panoramax” project is to integrate this processing on the server side to make direct video contributions possible and much simpler. The developments will have to be adapted for at least the most common cameras available on the market (GoPro, Qoocam) and deal with the different metadata formats. The project's own website: https://panoramax.fr/ Run by IGN This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"description":" Modernizing Paged.js Web-to-Print Quality typesetting based on HTML and CSS Paged.js is a free and open source JavaScript library that paginates content in the browser to create print/PDF output from HTML and CSS content. This is necessary for instance for delivering browser-native office productivity solutions - users expect these to produce good output but don't want to have the burden of legacy formats. The proposed project will fundamentally revisit/upgrade the architecture of paged.js to support additional layouts, add advanced layout capabilities and implement PDF/UA tagging. 
The project's own website: https://pagedjs.org This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). ","url":"https://nlnet.nl/project/PagedJS/","title":"Modernizing Paged.js Web-to-Print"},{"title":"Padne","url":"https://nlnet.nl/project/Padne/","description":" Padne Open source power delivery network analyser padne padne is a KiCad-native tool for power delivery network analysis using the finite element method. It simulates DC voltage drops and current density on printed circuit boards, bringing capabilities to the open-source EDA ecosystem that have traditionally required expensive proprietary software. This project focuses on validating computational accuracy through test PCB fabrication and measurement, improving performance through parallelization, and building documentation to support wider adoption. The project's own website: https://github.com/atx/padne This project was funded through the NGI0 Commons Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101135429. Additional funding is made available by the Swiss State Secretariat for Education, Research and Innovation (SERI). "},{"url":"https://nlnet.nl/project/PTT/","title":"PTT","description":" PTT Unikernel Mailing list server in OCAML Email is still one of the main channels of communication. Setting up and maintaining something as simple as a reliable mailing list in-house is significantly more complex than it ought to be. 
Out of convenience, many organisations and communities outsource running their mailing list service to third-party agents. However, this not only creates an unnecessary dependency but also reduces confidentiality, which can be a critical aspect. This project has the ambition to win back the means of communication, developing a new mailing list application service that is easier to maintain securely (through unikernels using MirageOS), and is efficient in terms of resource usage. The service should integrate into existing infrastructures seamlessly. The project's own website: https://robur.coop Run by Robur This project was funded through the NGI0 Core Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101092990. "},{"url":"https://nlnet.nl/project/PTP-timingcard-gateware/","title":"PTP gateware with openXC7","description":" PTP gateware with openXC7 PTP on FPGA timing cards and SDR cards with openXC7 This project develops open-source gateware for the Precision Time Protocol (PTP), which is essential for accurate timekeeping across servers. Implementing this technology on Xilinx ZYNQ FPGA chips, it offers a secure, reliable alternative to proprietary gateware, reducing the risk of undetected security breaches through server backdoors. This initiative not only enhances Internet security but also enables diverse applications, from 5G networks to research instruments like particle accelerators, making advanced time synchronization accessible, and safeguarding the digital ecosystem for the general public. 
The project's own website: https://github.com/regymm/ This project was funded through the NGI0 Entrust Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 101069594. "},{"description":" Statime Memory-safe high-precision clock synchronization Of all severe software security bugs, a big chunk (50-70%) has one single source: memory corruption. The underlying cause is that, traditionally, systems software is implemented in languages that are not memory-safe. The way forward is to replace these pieces of software with memory-safe alternatives, one by one. Doing so will not just mitigate, but eliminate this category of bugs entirely. This project picks out one piece: the Precision Time Protocol (PTP). High-precision clock synchronization plays a crucial role in networking, with application areas such as high precision localization, finance, broadcasting, security protocols, smart grids, and cellular base station transmissions. Our proof-of-concept implementation will conform to the IEEE standard for PTP and will focus on the software implementation of a slave-only PTP ordinary clock. In the future, our work is expected to become part of a wider open-source roadmap for reliable and memory-safe keeping of network time, that will seek to expand the feature set of our implementation and work towards growing its adoption. Statime is part of Project Pendulum. The project's own website: https://tweedegolf.nl/en/pendulum Run by Tweede golf B.V. This project was funded through the NGI Assure Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 957073. 
","url":"https://nlnet.nl/project/PTP-Rust/","title":"Statime"},{"title":"PSYC2","url":"https://nlnet.nl/project/PSYC2/","description":" PSYC2 Next iteration of the Protocol for SYnchronous Conferencing Protocol for SYnchronous Conferencing is an efficient text-based protocol for delivery of data to a flexible amount of recipients or people, by unicast or multicast. PSYC2 represents a next iteration of the PSYC framework in conjunction with SecuShare, another NLnet supported project that aims to build a novel social messaging system as part of the GNUnet peer-to-peer system. The project's own website: https://www.psyc.eu There is a strong need for more secure alternatives for synchronous and asynchronous messaging than what the current PGP/SMTP and OTR/XMPP solutions can offer. PSYC (Protocol for SYnchronous Communication) provides an extensible RPC (Remote Procedure Call) syntax that can evolve over time without having to upgrade the software on all nodes in the network. Another key