NGI Zero Core

0WM — Measure and visualize Wi-Fi coverage

Wi-Fi coverage is key in corporate and BYOD environments, as the mobility offered by wireless protocols often outweighs criteria such as speed and stability, offered by wired alternatives. These criteria are however critical to guarantee a suitable quality of service, and reliable options to help network operators are scarce and unaffordable to small organizations. 0WM will provide feature-rich tools to produce quality coverage maps, leveraging affordable COTS components, to quickly and efficiently identify coverage problems affecting end users.

>> Read more about 0WM

Hardware 2D graphics engine — Additional functionality and better performance for FPGA-based 2D video controller

This project is to develop hardware accelerated 2D display controller boards for easily adding interactive user interfaces to single-purpose industrial and commercial machines.

Traditionally, to make stand-alone machines and systems (i.e. not based on PCs but on custom computing boards), if developers need to provide a high resolution graphical user interfaces (GUI) they are offered only two inconvenient options: use a complex system like a Linux-capable single board computer, or limit performance to low resolutions that are unsuitable for medium to large displays. The latter case simply prevents successfully marketing those products, while the former requires a high degree of qualifications in embedded systems development, where the requirements are simple products like signage systems or vending machines.

The controller boards (CPU and FPGA based, released as open hardware) are capable of loading previously stored images (lossy or lossless), plus movies, fonts and other resources required. The drawing commands are implemented with hardware acceleration on the FPGA board, using a custom C-to-hardware tool: CflexHDL, making it possible to use a fully open-source toolchain. Interactivity is achieved by the use of a USB host capable of handling mouse, keyboards and touchscreens. Displays of multiple kinds are supported by the use of PCB adapters, including: Analog VGA, DVI protocol (compatible with HDMI monitors), LVDS for direct connection to laptop replacement displays, among other options. The controllers can be used stand-alone (like a development platform) or be controlled by other systems like Arduino or similar boards.

>> Read more about Hardware 2D graphics engine

Firmwire full-system 5G baseband emulation — Easier testing of 5G baseband modems with FirmWire

FirmWire is an open source full-system baseband firmware emulation framework for emulating, fuzzing, debugging, and root-cause analysis of smartphone baseband firmware. This project builds upon the framework to support newer, 5G capable, smartphones. Baseband processors are used in all modern smartphones for cellular network connectivity and are a remote attack surface. As such, baseband security is of utmost importance. Baseband firmware is complex, proprietary, and lacks public scrutiny. Emulation and reverse engineering are one of the few public ways to analyze baseband processors. These efforts will provide more transparency in baseband firmware and improve the community’s ability to analyze 5G security through emulation and fuzzing. Additionally, the reverse engineering efforts could aid in developing better open source drivers in the future.

>> Read more about Firmwire full-system 5G baseband emulation

AI Horde — Collaborative infrastructure for running generative AI models

The AI Horde is a crowdsourced, free, libre and open sourced service with the aim to truly democratise access to Generative AI. It supports both generating text via Large Language Models and images via Stable Diffusion via a simple REST API, allowing everyone to integrate this technology to any product.

One of the biggest challenges with Generative AI is the amount of resources required to run even simple models, leaving the vast majority of humanity without access to this technology. The AI Horde delivers a groundbreaking smart-queuing clearing house where enthusiasts can volunteer their idle compute for everyone in the world to generate images or text without any further commitments or budget.

>> Read more about AI Horde

AlekSIS: Integration and Communication — SCIM, timetabes and other features for AlekSIS

AlekSIS is a free school information system that helps with school organisation as an interactive web application. It is a central platform for students, teachers, and parents to manage any information related to everyday school life. The software's functions include lesson planning, creating timetables, managing absences and substitution planning, the digital class register, inventory management, payment systems, and student ID cards.

AlekSIS is completely modular and can therefore be flexibly adapted to individual needs. Within this grant, the goals is to improve and add integrations with other software, make the timetable and substitution planning easier by providing assistance tools, integrate parents in daily school workflows and provide advanced attendance tracking. Additionally the aim is to get rid of several legacy technologies and update all AlekSIS apps to a more modern technology stack, and improve documentation and demo data accordingly.

>> Read more about AlekSIS: Integration and Communication

Alive2 — Translation validation for LLVM

Modern compilers, such as LLVM, perform advanced optimizations to improve performance and reduce binary size of programs. However, getting these optimizations correct is very challenging: there are many corner cases, tricky issues with undefined behavior, modular arithmetic, and so on. On the other hand, programs rely on compilers being correct. A single bug in the compiler may introduce security vulnerabilities in the compiled programs. Alive2 aims to solve this issue by verifying that LLVM is correct. It is an indispensable tool for compiler developers and for anyone that wishes to validate the compilation of their program.

>> Read more about Alive2

Arcan-A12 Directory — Server side scripting API for Arcan's directory server

A12 is an explorative p2p protocol for fast and secure remote application interactions. Current desktop protocols are locked inside the constraints of their origins, and most of these have significant security and privacy issues. As a result, we've come to depend heavily on web frontends as the universal desktop application corset - which in return has caused a massive complication and overloading of the browser.

A12 establish a secure and interconnected network of personal compute devices, includes peer-to-peer channels and cryptography components. This project add a directory server that can be used as a trusted 3rd party rendezvous to establish such channels. It will expand the scripting API towards writing assistive 'apps' that can complement or split the workload handled on client devices; provide state synchronization and indexing/search between dynamic mesh networks created by linking directory servers together; dynamically launch and attach controlled sources.

>> Read more about Arcan-A12 Directory

Arcan-A12 Tools — A12 clients for different platforms and devices such as drawing tablets

The interaction patterns with our compute devices have switched from "one device - multiple users" over to "one user - multiple devices" and this new reality requires shift in how user personal data is shared and synchronised between their devices.

A12 is a network protocol designed to establish a secure and highly interconnected network of personal compute devices that has been developed as part of a larger Arcan umbrella project. The protocol includes peer-to-peer channels and cryptography components.

This follow-up project sets out to implement lightweight applications that will be capable of networking over A12 protocol to enable remote control, sensor and screen sharing, file sharing, notification sharing and enable other personal data flows. The end goal is convenience of having interconnected devices without sacrificing privacy and performance.

>> Read more about Arcan-A12 Tools

Automerge — Add Merkle Search Tree support to Automerge

Automerge is a CRDT library for building local-first collaboration software, allowing several users to concurrently edit a file, both in real-time and offline. It is currently optimized for working on a single document; this project aims to improve Automerge's support for synchronizing large collections of documents across multiple devices (for example, all of a user's notes in a note-taking app). The challenges here are efficiently determining which documents need to be synced, syncing multiple documents in parallel, giving users a progress indicator during large data transfers, and making the protocol efficient in terms of computation, memory, and bandwidth. Our protocol will be compatible with both client-server and peer-to-peer synchronization.

>> Read more about Automerge

Interpretation feature for Big Blue Button — Adding translator streams for live interpretation to BBB conference software

BigBlueButton is one of the leading open source videoconference solutions. The project will add support for simultaneous interpretation to BigBlueButton. Participants of a meeting will be able to choose the language they would like to listen to. Interpreters can choose which language they listen to and into which language they interpret. The solution can be combined with classical radio setups for interpretation already used in grassroot events to enable interpretation in hybrid situations.

>> Read more about Interpretation feature for Big Blue Button

Detecting Forged-Origin BGP hijacks — Probabilistic detection of BGP hijacking

Hackers often exploit vulnerabilities in BGP, the primary inter-domain routing protocol (essentially the “glue” that connects all networks on the Internet), to hijack Internet traffic. Our project builds on our work in detecting forged-origin BGP hijacks, a specific type of BGP hijack that remains unaddressed by recent cryptographic efforts aimed at securing BGP. Our objective is to enhance the accuracy of our detection system, which relies on a probabilistic model to compensate for the lack of cryptographic tools, ensuring that no attack goes unnoticed. Additionally, we plan to share our data and improve access to our inferences by developing APIs. This will enable both network operators and the research community to benefit from our findings and apply them to improve the security of their networks.

>> Read more about Detecting Forged-Origin BGP hijacks

BIDS: Binary Identification of Dependencies with Search — Identify known open source elements present in binaries

Embedded device firmware is assembled from many FOSS package dependencies. Knowing which dependencies have been used is essential for security and licence compliance. However this is a complex task for native ELF binaries built from languages such as C/C++ that do not have package managers for metadata and simpler conventions for bytecode like Java or Python. The BIDS (Binary Identification of Dependencies with Search) project will build a tool (in Python) to analyse ELF binaries and find dependencies contained and built in these binaries. The BIDS project will deliver tooling to analyse ELF binaries and extract key features and store these for indexing, tooling to index these binary features in a search engine using inverted indexing, and a query tool and library to process large binaries to query this inverted index. The latter will return results as lists of ranked FOSS packages and files found to be present in the analysed binary. The data and tools will also be packaged to allow for further integration and reuse by other FOSS tools and analysis pipelines.

>> Read more about BIDS: Binary Identification of Dependencies with Search

Back2Source next — Better matching of binaries with source code

Sometimes, the released binaries of an open source package do not match its source code. Or the source code does not match the code in a version control repository. There are many reasons for this discrepancy, but in all cases, this is a potential serious issue as the binary cannot be trusted. Additional (or different) code in the binary could be malware or a vector for unknown software vulnerabilities, or create FOSS license compliance issues.

"Back to source" creates analysis pipelines in ScanCode.io to systematically map and cross-reference the binaries of a FOSS package to its source code and source repository and report discrepancies. We call this the deployment to development analysis (d2d) to map deployed code (binaries) to the development code (the sources) and we enable applying this "trust but verify" approach to all the binaries.

>> Read more about Back2Source next

Blitz - a modular web renderer — Rust-based browser engine

Blitz is a new independent web engine implemented in Rust. It’s flexible low-level APIs make it suitable for a wide variety of use cases web browsers, an application runtimes, ebook rendering, email rendering, rendering HTML to image, etc. And its uniquely modular architecture allows it to share much of its code with other projects which it is hoped will lead to a more sustainable development model.

This project aims to bring Blitz “up to scratch” for the use-case of being an HTML/CSS browser (JavaScript support is not in scope). Use cases that are being targeted include: browsing wikipedia, viewing news websites, and searching using a search engine. The work to be completed includes improvements to the layout engine, implementation of form controls, adding WPT testing infrastructure, and the creation of an initial browser UI.

>> Read more about Blitz - a modular web renderer

BrowserAudit — Test common security standards and features in browsers

The web depends on security standards to safeguard your data as you navigate online. The effectiveness of your browser in protecting this data depends on how well it implements these standards. BrowserAudit is a free, open-source tool designed to assess your browser’s compliance with common security protocols. By running hundreds of tests, it generates a detailed report highlighting the strengths and weaknesses of your browser's security. This report can help you select a more secure browser, notify developers of potential issues, or, if you’re a developer, address these vulnerabilities directly.

>> Read more about BrowserAudit

Tracing and rebuilding packages — Improved metadata/provenance for build artifacts

For many end users the smallest unit of software is the "package": a collection of programs and configuration files bundled in a single file, typically shipped as a single archive. Examples are "util-linux", "glibc", "bash", "ffmpeg" and so on.

Open source distributions install packages using their package management systems. The package management system writes the contents of a package to disk when the package is installed or updated and removes the contents if the package is removed. The packages themselves contain metadata maintained by the distribution maintainers. This information includes the name of the package, project URL, description, dependency information and license information, etc.

This granularity can be too coarse. For example, the license information is aggregated at the package level. If there are separate files that are under different licenses, then this will not always be clear from the license information at the package level.

This project will make it more easy to understand by looking at what goes into each individual binary in a package, and assign metadata to the individual binaries instead of to a package. It will do so by tracing the build of a package and recording which files are actually used. By building packages in a minimal (container) environment, capturing the build trace, processing the build trace to see exactly what goes into which binary it becomes much easier to zoom in and answer specific questions such as "what license does this binary have" or "which binaries use vulnerable file X" and combining it with efforts like VulnerableCode and PurlDB.

>> Read more about Tracing and rebuilding packages

CAKE-MAINT — Improve network queue management algorithms on Linux

With the wider and wider adoption of the fq_codel (RFC8290) and cake codebases in shipping products, many issues in the field have been discovered, and features to address them proposed but not mainlined into Linux (or the BSDs). This project intends to tighten up the corner cases, fix up multiple observed problems, and add some needed new features if possible, as well as take a stab at addressing the biggest observed problem in the field for cake - not scaling shaping well to ever more popular multi-core routers.

In addition the project will work on a new release of babeld, the reference implementation of RFC 8966 (Babel Routing Protocol) and on standardisation of Sroam, a protocol for WiFi roaming.

>> Read more about CAKE-MAINT

CRAVEX integration — Integrated vulnerability exploitability management

CRAVEX makes it easier for any organization to efficiently comply with the emerging CRA. The solution is based on the AboutCode stack of open source tools, but no solution is an island.

This project integrates CRAVEX with other tools to better orchestrate software supply chain and compliance automation, including: packaging for Linux distributions to maximize the ease of deployment, business systems to create tailored SBOMs and VEX, other FOSS SCA tools to accommodate different software stacks, CI/CD pipelines with scripts and workflows to improve usability, and container cluster analysis to allow users to point to a Kubernetes cluster to collect and scan all the images, and then detect vulnerabilities.

The CRAVEX Integration project orchestrates the different tools critical for practical and efficient software supply chain management and compliance automation processes.

>> Read more about CRAVEX integration

CRAVEX 2 Code Reachability — Do vulnerable dependencies actually impacts security or not?

CRAVEX makes it easier for any organization to efficiently comply with the emerging CRA. CRAVEX collects, tracks, and triages FOSS package vulnerabilities, determines their exploitability in a portfolio of software products and projects, and provides reporting with SBOMs and VEX statements to share with stakeholders.

CRAVEX 2 enables CRAVEX users to triage vulnerabilities faster and more efficiently with automation and more accurate vulnerability data. An integrated, rule-based system automatically filters or reranks the vulnerabilities in the context of the managed application, system or device. This will integrate the emerging SSVC scoring for decision trees-driven automation. Vulnerable code "reachability" determines if the code impacted by a CVE is present, used, and exploitable. It will integrate and extend the features of NGI0-funded and FOSS projects, such as BANG.

With increased automation and more accurate data, CRAVEX 2 further facilitates CRAVEX users' ability to efficiently manage vulnerabilities towards CRA compliance.

>> Read more about CRAVEX 2 Code Reachability

Cartes — Modern web map application with transit support

Cartes.app is a modern web map application. Cartes (which means maps in French) provides a universal interface for mobile and desktop: a simple URL lets the user open or share the map of a place with friends. This fills the gap of the "online" experience of proprietary offerings such as Google and Apple Maps.

It levers state of the art open-source libraries to offer a rich feature set including transit and itinerary plans, address search and place categories, to name a few. In addition to data from OpenStreetMap (OSM) Cartes also draws from other public data sources to deliver a complete experience: transit data sets, Panoramax street level imagery, Wikimedia, etc. Cartes runs its own hosted tile layers.

In the scope of this grant, the project will tackle internationalisation of the user interface, enable editing and reviewing places, add satellite tiles, live transit data, low-carbon itineraries as well as perform a variety of other performance and feature improvements.

>> Read more about Cartes

COCOLIGHT — Lightweight version of Communecter

COmmunecter is an open source social and societal platform. COCOLIGHT is an low tech light weight client able to connects to any COmmunecter server, allowing both read and contribution modes. Easy to Install, fully Activity Pub compliant, federating organizations, events, projects and open badges. It allows to create networks of many COPI instances interconnected together and exchanging information and data.

>> Read more about COCOLIGHT

Cross-root ARIA — Standardisation for Accessibility when using Shadow DOM

ARIA is a technology used by developers to add accessibility attributes to web-based user interfaces. Web Components are a set of tools which allow developers to create components which can be used in a framework-independent way across different websites. Due to the way Web Components provide encapsulation, using Shadow DOM, some parts of ARIA have become incompatible with Web Components. This project will contribute to ongoing efforts to provide web developers with mechanisms to make these technologies work together. Our goal is to contribute to the relevant specifications, as well as implementing and shipping the proposed solution in one additional browser.

>> Read more about Cross-root ARIA

CryptoLyzer IKE — Add IKE protocol to CryptoLyzer protocol analyser

The project summary for this project is not yet available. Please come back soon!

>> Read more about CryptoLyzer IKE

Darkstar — Open source vulnerability management solution

Build an open source, self hostable, commercial grade attack surface management/vulnerability management solution, for web, network, agent based and cloud security. Our idea is to build a self hostable (container based) vulnerability management solution, which allows companies and people worldwide to monitor their security trough finding vulnerabilities. The main focus lies on creating the basic features that are required for a functional vulnerability management solution: on demand scanning, reporting, prioritization, scanning internal networks via container appliances you can place on your network, scanning external attack surface (web security scanning/DAST), network based external security scanning and g and agent-based vulnerability management.

>> Read more about Darkstar

DataLab — Scientific platform for signal and image processing + visualisation

DataLab is an open-source scientific platform for processing and visualizing 1D signals and 2D images for research, education and industry. It provides powerful, validated computing capabilities with a focus on extensibility, automation, and interoperability. The project aims to refactor DataLab’s core architecture by decoupling its computational engine from the graphical interface, creating a new standalone, reusable library. This modular approach will improve scalability, facilitate integration with third-party tools, and lay the foundation for future expansions, such as a web-based frontend. By enhancing flexibility and sustainability, DataLab seeks to serve a broader research and engineering community.

>> Read more about DataLab

Diesel — Safe and performant query builder and ORM written in Rust

Diesel is a safe and performant query builder and ORM written in Rust. It aims to eliminate security issues like SQL injections by providing a type safe domain specific language to express your SQL query as Rust code. This enables checking the query at compile time to turn insecure or otherwise invalid SQL queries into compile time errors. As part of this project we want to extend Diesel to provide built-in support for `WINDOW` functions, to enable the usage of secure and type safe queries in more places.

>> Read more about Diesel

Draupnir — Moderation bot for Matrix servers

Draupnir is a comprehensive moderation bot for room moderators using Matrix (the open source decentralized instant messaging protocol). Draupnir assists room moderators in managing their community and provides continuous protection from spam and harmful content. This is done by utilising sharable and interoperable policy lists that allow different communities to work together to combat new threats. Draupnir also provides a plugin system that can adapt Draupnir to the different needs of every community. Our ongoing efforts to further modularise Draupnir's code base in the interests of maintainability should provide groundwork for future Trust & Safety related projects in the Matrix ecosystem.

>> Read more about Draupnir

Open source ESP32 802.11 MAC — Open source wifi drivers for ESP32

The ESP32 is a low-cost microcontroller with Wi-Fi connectivity. Currently, the Wi-Fi MAC layer of the ESP32 is closed-source. This project aims to change that: by reverse engineering the hardware registers and software, we can build a networking stack that is open-source up to the hardware, instead of having to use the proprietary MAC layer. This will improve security auditability, open up the possibility for features not supported in the proprietary implementation (for example, standards-compliant mesh networking), improve interoperability and make research into Wi-Fi networks with lots of nodes more affordable.

>> Read more about Open source ESP32 802.11 MAC

Email <=> XMPP gateway — Bridge instant messaging with email

Libervia is a versatile communication ecosystem offering features like instant messaging, blogging, event planning, photo albums, file sharing, audio/video calls, and more. It can additionally function as an XMPP component, providing server-side features. This initiative focuses on creating an Email <=> XMPP gateway, enhancing file management for attachments, transforming mailing list threads into interactive, forum-style discussions with modern elements such as tags and mentions, and ensuring support for end-to-end encryption. The Libervia interface will also see improvements for a better user experience, with clear indicators of message origins and security status. This gateway is a move toward unifying various communication methods within single clients, following Libervia's philosophy as seen with its ActivityPub <=> XMPP gateway and is in harmony with other projects like Slidge, Spectrum 2, or Biboumi. With the introduction of this component, not only will Libervia's functionality be elevated, but it will also equip other XMPP ecosystem projects with the ability to connect their users with the email world, fostering deeper integration of XMPP across the spectrum of communication tools.

>> Read more about Email <=> XMPP gateway

Encaya — TLS interop with alternative/decentralised CA mechanisms

Public certificate authorities as used by the TLS ecosystem play a critical role, but the fact that there are many such authorities forms a security liability. DANE (DNS-Based Authentication of Named Entities) provides a complementary mechanism that provides an additional check on top of the public CA's through DNS; it is yet to see meaningful adoption by major TLS implementations.

Encaya is a compatibility layer that provides DANE-like functionality in TLS implementations that don't support DANE. It is used in production by Namecoin, an alternative decentralized naming system. By only replacing the root CA list rather than the entire TLS stack, Encaya achieves considerably smaller attack surface than other similar compatibility layers. This grant covers efforts to improve Encaya's scalability, standardize its behavior, and extend its usage beyond Namecoin.

>> Read more about Encaya

Ethersync — Real-time co-editing of local text files

Ethersync aims to enable real-time collaborative editing of local text files. Similar to Etherpads, it facilitates multiple users to work on content simultaneously, enabling applications such as shared notes or pair programming. However, following a "local-first" approach, all files reside on the users' computers, allowing them to use their familiar editors and workflows, and to retain user control. This design enables a kind of collaboration that is simple and direct, stable and flexible, and preserves privacy. Ethersync will be a supplement to tools that track larger changes on text files, like Git, and can be used in combination with it. The project will leverage CRDTs, and consists of a server component, a cross-platform local synchronization daemon, and editor plugins.

>> Read more about Ethersync

EventFahrplan — User-friendly mobile event app

The project summary for this project is not yet available. Please come back soon!

>> Read more about EventFahrplan

Exter — Proxy-based external browser extensions

Exter is a web based plugin platform which allows addons to alter websites behavior/style/functionality. Instead of trusting the browsers' plugin ecosystem, let's modify the websites before browsers receive them! The goal of this project is to provide a stable and free website-extension-platform to allow future proof and flexible addon development.

As a web application, Exter opens URLs, rewrites the static content and injects client scripts to wrap default javascript functions, applies addons, then sends the sanitized/modified website to the browser. This way we have the ability to write plugins that can intercept/modify not only HTTP requests, but even client side functionalities, such as sanitizing 3rd party content or appending new DOM elements to the website or altering cookie handling from javascript and much more.

>> Read more about Exter

FOSS Warn — Aggregate source of emergency alerts

The FOSS Public Alert Server lets clients receive Push Notification (via UnifiedPush) about official emergency alerts worldwide. Besides infrastructure like sirens, radio, and Cell-Broadcast, CAP (Common Alerting Protocol) alerts are another way of alerting the public. CAP alerts are used for a wide variety of emergencies. From alerts about extreme weather to alerts about contaminated drinking water to pandemics. Our server bundles over 280 official CAP alert publishers worldwide and can easily extend to more sources. This project aims to bundle the underlying alerting infrastructure into a single trustworthy source of information, not to replace it.

Having a shared global public source of information reduces the user's dependency on local emergency apps - which are often only available for the two largest mobile platforms. Furthermore such a converged effort makes it much simpler to develop clients for devices other than cell phones (like desktop PCs or smart speakers). Thirdly it can make traveling safer. Finding and installing the right local emergency apps to receive emergency alerts when traveling is quite the hurdle. With our solution, it would suffice to install one app for the world. One such app is FOSS Warn, an Android app that for now receives alerts for Germany and Switzerland. Within this project, FOSS Warn will be extended to work worldwide with the new server infrastructure.

>> Read more about FOSS Warn

FPGA-ISP-UVC-USB2 — Open hardware FPGA-based USB webcam

The USB UVC project is designed to create an innovative and adaptable webcam that easily connects to any laptop, providing high-quality video without the need for special drivers. Unlike ordinary USB webcams that often come with proprietary software and limited functionality, this project aims to deliver a flexible, open-source solution that can be tailored and improved by anyone. The webcam will offer superior video quality with features like automatic brightness adjustment, color correction, and real-time video compression, making it ideal for video calls, streaming, and other visual applications. By focusing on open-source principles, this project ensures that the technology is accessible, modifiable, and transparent, allowing for continuous community-driven enhancements.

This project stands out because it is not locked into proprietary ecosystems, offering users greater control and flexibility over their hardware. It can work with a wide range of computer models, providing a versatile tool for both personal and professional use. Additionally, the open-source nature of the project means that it can be continuously improved and customized by developers around the world, fostering innovation and collaboration.

>> Read more about FPGA-ISP-UVC-USB2

FastScan — Performance improvements for ScanCode Toolkit/ScanCode.io

The project summary for this project is not yet available. Please come back soon!

>> Read more about FastScan

Feather UI — Declarative cross-platform UI toolkit

Feather is a universal UI library that applies user inputs to application state, and maps application state to an interactive visualization using a custom graphics rendering language capable of compiling to arbitrary GPU code or vectorized CPU code. By building on top of a well-typed graphics abstraction, it is possible to make custom shaders "write once, run anywhere" with confidence and no overhead. This allows the creation of UI Fragments, which no longer need to be built on top of a library of UI widget elements, allowing the creation of arbitrarily complex UI elements that are no longer bound to traditional widget designs. This level of abstraction allows targeting anything from embedded devices to webpages, or even mixed-reality devices.

>> Read more about Feather UI

Fediverse Test Framework — Test bench for ActivityPub implementations

The Fediverse consists of individual servers, possibly running different software, that talk to each other. One of the challenges in developing for the Fediverse is to stay interoperable with all the different deployed software. As the message format standard, ActivityStreams, is extensible through JSON-LD, judging how a message is parsed, can be a hard task.

By using ideas from automated testing, we provide an application that determines a baseline how messages are processed and rendered. The process being simply: run end to end tests and record their result. From the test results a webpage is generated that provides developers the information how a message is rendered in different applications. We aim to make the framework extensible so new applications can be included.

>> Read more about Fediverse Test Framework

Fediverse Test Suite — Interoperability effort for W3C ActivityPub

The Fediverse is a global, standards-based, decentralized social network accessible to all and not subject to algorithmic manipulation or platform surveillance. While best known for Mastodon, an open-source alternative to X/Twitter, it already successfully connects dozens of independently developed software applications running on tens of thousands of independently operated servers and implementing feature sets that go far beyond traditional social networking.

To enable even more innovative developers to successfully connect their applications to the Fediverse, and their users to successfully interoperate with users using different software, it needs to become much simpler and cost-effective for developers to 1) know that they have implemented the relevant standards (notably ActivityPub) correctly, that their implementation is not regressing and that 2) their software indeed delivers the experience users expect from interoperability with other software developed independently by other developers.

This project brings together a group of fediverse developers to set up an automated test framework and initial test cases in an open-source project that will systematically test standards conformance, ensure meeting user expectations for interoperability of Fediverse apps, and enable a new wave of innovation based on more trustworthy infrastructure.

>> Read more about Fediverse Test Suite

Enhancing Firefox for Linux on Mobile — Mobile native feature-complete Firefox

Enhancing Firefox for Linux on Mobile aims to offer a privacy respecting alternative to Chromium-based browsers by improving the user experience (UX) of Firefox on small form factor devices (mobile, tablet) running Linux. We will update the Firefox codebase, primarily the user interface (UI) and the rendering engine. Additionally, we will collaborate with Mozilla to ensure that our modifications are included in Firefox to reduce the maintenance burden by sharing a common codebase across the different projects. As a side effect, our modifications will benefit all Firefox Desktop users including Windows when the Firefox application window is not maximized.

>> Read more about Enhancing Firefox for Linux on Mobile

Flashkeeper — Write Protection on SOIC-8 flash chips without soldering

Firmware security projects such as Heads assume the firmware itself to be protected against tampering. Outside of proprietary solutions Boot Guard, partial write protection (WP) of the SPI flash chip (recently implemented by 3mdeb) is one solution. However, WP requires grounding the chip's WP pin, something that currently requires users to solder to the chip. As many users find this difficult, this has limited "retrofit" adoption of WP.

This project is developing Flashkeeper, a device that can be permanently installed on a common SOIC-8 flash chip. It attaches to the chip with a peel-and-stick layer and spring-loaded contacts or low-profile solder-down flex cable, interfacing with the SPI flash pins for easy write protection and external reprogramming (unbricking). For users concerned with physical attacks on their systems, for whom easy access to SPI flash pins may be seen as a risk, a variant including a microcontroller (MCU) is also being developed, allowing authenticated external reprogramming and WP control, and independently verifying the SPI flash image against a user-controlled signature each boot.

>> Read more about Flashkeeper

ForgeFed Frontend — Improved UI for federated version controlrepositories

Software developers often use websites called forges, where they collaborate on software projects. But these forge platforms are centralized, leading to the community flocking into big privately- controlled forges. The ForgeFed project is creating a protocol specification and a reference implementation for forge communication, allowing forge websites to form a decentralized network, putting the power and freedom of choice back in the hands of the community.

>> Read more about ForgeFed Frontend

Frugal EDA — Energy-efficient circuits and systems through quantum superconductivity

FRUGAL EDA is an open-source user-friendly software design suite dedicated to energy-frugal electronics based on the amazing quantum physical properties of superconductivity. Its objective is to enable the design of energy-efficient ultra-high-speed (up to clock frequencies of several hundreds GHz) quantum-based circuits and systems for the widest possible audience. FRUGAL will emulate the development of new circuits and functionalities so that disruptive quantum electronics can take its place in the current highly-competitive emerging technology landscape. One goal is to increase the number of students and newcomers interested to design quantum-based circuits without the need of unaffordable tools, proprietary technologies or steep learning curves.FRUGAL embeds a set of open-source software tools comprising a schematic editor(LibrePCB), a SPICE netlist converter (L2SPICE), quantum time-domain simulators (JSIM and JoSIM) and a layout editor (KLayout). More designer-oriented features will be added along the course of development.

>> Read more about Frugal EDA

Namespace-specified imports in GHC — Fine-grained namespace control in Haskell

Haskell is a purely functional programming language with a free and open-source compiler (GHC), as well as a mature ecosystem of open-source libraries for server-side programming (warp, wai, servant, scotty, etc), client-side programming (http-client), and blog generation (hakyll). By making use of Haskell's features, especially its support for concurrent and parallel programming, it is possible to develop efficient, secure and scalable web servers.

"Namespace-specified imports" is a proposed feature for the Haskell programming language that further enhances its capabilities. By implementing "Namespace-specified imports" in the Glasgow Haskell Compiler, we will enable Haskell programmers to exercise fine-grained control over the namespaces of imported and exported entities. This is important when combining the use of existing libraries with the use of type-level programming features (techniques to ensure software correctness).

This project should result in a complete implementation of this feature and its inclusion in the next compiler release.

>> Read more about Namespace-specified imports in GHC

GNU Mes interpreter speedup effort — Increase performance of full source bootstrap

GNU Mes is a Scheme interpreter (mes), C compiler (mescc) and a minimal C standard library (meslibc) for bootstrapping the GNU System. The Scheme interpreter is written in a few thousands lines of simple C, and the C compiler is written in Scheme, and these are mutually-hosted. GNU Mes has a key role in the Full Source Bootstrap chain as it is the first fully featured C compiler that also ships a C standard library.

This project aims to improve the performance of GNU Mes' scheme interpreter, rewriting it as a bytecode interpreter, while keeping it as simple and readable as it is. This would enable faster execution of the Mes C Compiler (mescc) for faster build times, making the bootstrapping chain more accessible, specially in small single-board computers where memory access is more expensive. This speedup could also lead to a reduction of steps in the bootstrapping chain, making it simpler and easier to maintain.

>> Read more about GNU Mes interpreter speedup effort

GNUnet on Android — Port GNUnet protocol stack to Android mobile OS

This project is about making GNUnet, a network protocol stack for developing secure, distributed and privacy-preserving applications, available on Android. To achieve this, we are developing an Android application that runs the basic GNUnet services and make them available to other applications that want to use these services. As a blueprint for an application that uses GNUnet services, we will port the GTK-based GUI for the GNUnet's messenger service to Android. To get GNUnet running on Android, we need to make sure that GNUnet works behind NAT boxes in the mobile environment, and make changes to the GNUnet architecture so that it runs as a monolithic single-threaded app. Additionally, we have to take care of the resource consumption on mobile devices. Of course, tests and benchmarks need to be written and integrated into a new CI/CD worker that builds and verifies GNUnet on Android.

>> Read more about GNUnet on Android

GPGPU Playground — A virtual GPU to learn GPU programming

GPUs are an extremely effective and widely deployed vector co-processor, and yet those interested in adapting their capabilities are faced with a very high barrier to entry. Tools like OpenCL, CUDA, and WebGL all require a broad background to get started solving even simple problems, and mistakes in larger programs can be nearly impossible to identify without an even deeper level of experience. This project takes advantage of WebAssembly and Vulkan's SPIR-V format to deliver a safe, on-demand toolkit for exploring the potential of GPUs, focused on applications outside the bounds of traditional graphics acceleration.

>> Read more about GPGPU Playground

Galene — High quality libre videoconferencing server

Galene is a complete self-hosted videoconferencing system that has been designed to be easy to install and to manage, to preserve the users' privacy, and that uses very moderate server resources. Galene has been continuously used in production to host university lectures and staff meetings since September 2020, as well as to host a number of international conferences during the COVID pandemic. The goal of this project is to improve Galene to make it use state-of-the-art networking and video algorithms, to improve its management features, and to add a number of user-visible features, such as background blur and automatic subtitling.

>> Read more about Galene

Gancio — Shared agenda for local communities that supports Activity Pub

Gancio is a shared agenda for local communities, and was the first one to support Activity Pub. Gancio focuses on cross-cutting collaboration through its decentralized instances that allow to connect communities. This enabling users to easily discover and engage in events in their neighborhood, as well as elsewhere - while avoiding attention-based business models and intrusive advertisements.

The focus of this project are a numberof new features such as implementing HTTP Signatures, moderation and onion routing, as well as improving compatibility with other Fediverse event tools. In addition, the team seeks to establish a common agreed upon event format to make the interaction with such tools more streamlined.

>> Read more about Gancio

Collection of Verified multi-platform Gatewares — Comprehensive repository of open source gateware designs

The "Verified Multi-Platform Gatewares" project will create a comprehensive repository of gateware designs that are compatible with various FPGA development environments and boards. The goal is to reduce the barriers to FPGA development by providing designs that are rigorously tested and maintained for compatibility. The project will host these open source designs on a dedicated website, ensuring they work seamlessly across multiple toolchains and boards. The collection will range from beginner to advanced designs, serving as educational resources and benchmarking tools, continually updated to prevent bitrot.

>> Read more about Collection of Verified multi-platform Gatewares

Persistent Storage for Goblins — Integrate ERIS content-addressable encrypted storage to Goblins

Goblins is a distributed object programming environment that is being developed by the Spritely Institute for building secure peer-to-peer applications. It is intended to be used for building fully-decentralized, healthy social community networks. This project aims at adding persistent storage to Goblins, allowing arbitrary content such as text files, images or music to be referenced and used from within Goblins with a large-degree of network transparency. For this we will use an encrypted content-addressed storage network based on ERIS (Encoding for Robust Immutable Storage).

>> Read more about Persistent Storage for Goblins

Goupile — Secure forms including Clinical Report Forms (eCRF)

Goupile is an open-source form editor designed for data collection in research, particularly in health, replacing traditional paper case report forms (CRF) with electronic versions (eCRF) accessible on computers and mobile devices. Developed by the InterHop.org association, it allows users to easily create customized forms with a programming approach using JavaScript, which enables the creation of highly dynamic and interactive forms with ease. Goupile also provides user management, data recording, synchronization, and options for online and offline data collection. Users can choose to self-host Goupile or utilize a turnkey service on certified HDS servers (Sofware As A Service SAAS), all while benefiting from InterHop's support for the development of new features.

>> Read more about Goupile

Grate project — Linux support for Tegra 2/3/4 devices

GRATE driver started as an attempt to create a open source re-implementation of proprietary software for Nvidia’s older Tegra system-on-chips (Tegra 2, Tegra 3 and Tegra 4). Although this goal is still yet to be achieved, progress is being made and GRATE project provides a strong support for a wide variety of various devices: smartphones, tablets, convertibles, all-in-one computers — all of which based on older Tegra SoCs. Decent devices that were considered an e-waste, not even by the users, but by the vendors themselves, gain a second life with strong Linux kernel support and open source bootloader substitution.

>> Read more about Grate project

Guix-Daemon — Transition to a Guile implementation of the guix-daemon

GNU Guix is a transactional package manager and a distribution of the GNU system that respects user freedom. A key component in Guix is the guix-daemon, currently implemented in C++. Much of the power and flexibility of Guix comes from all of the package definitions and surrounding tooling being implemented in GNU Guile, however this doesn't extend to the guix-daemon. This difference has been a limiting factor in making changes and improvements to the way the guix-daemon works and is interacted with. The expected outcome of this project is to have a Guile implementation of the guix-daemon, and to transition to this being the default guix-daemon used. This will improve the maintainability and portability of the guix-daemon and Guix overall, as well as unlocking future improvements to the guix-daemon and connected tools.

>> Read more about Guix-Daemon

Hardware Bill-of-Materials (HBOM) generator — Create CycloneDX HBoM compliant inventory of hardware

cdxgen is a CLI tool, library, REPL, and server for creating valid and compliant CycloneDX Bills of Materials (BOMs) in JSON format, containing an aggregate of all project dependencies. CycloneDX is a full-stack BOM specification that is easily created, human- and machine-readable, and simple to parse. The proposed project aims to extend cdxgen by adding support for generating hardware bills of materials (HBOM) in CycloneDX format, while remaining fully compatible with the existing tool ecosystem.

>> Read more about Hardware Bill-of-Materials (HBOM) generator

Hyper Hyper Space Sync Engine and adapters — Secure P2P data synchronisation

The way authority is coded into software platforms impacts the health of the communities they serve. The goal of this project is to provide an information sync engine that can provide an application back-end with as little authority delegation as possible, thus enabling applications that are truly user-controlled.

By using a formulation based on monotonicity, Hyper Hyper Space is able to simulate a transactional engine over a cryptographically secure event log. This yields a versatile data model, that is usable in a coordination-free setting and in the presence of Byzantine faults.

This modelling flexibility can be leveraged by using bi-directional adapters, that are able to ingest and export synchronized data into a variety of local storage systems, including relational databases, document stores, and files. Application builders can choose the storage system that better suits their use-case, and rely on an adapter to synchronize its contents. This should lower the barriers of entry for creating p2p applications, and hopefully significantly boosts quality while reducing complexity.

>> Read more about Hyper Hyper Space Sync Engine and adapters

Open Hardware Manuals — Automatically generate user-friendly documentation for open hardware elements

This project will create a tool that automatically generates Computer-Aided Design (CAD) models, assembly documentation, graphics, and user guides based on user provided configurations. These documents can be continuously updated, localized, and are shareable - akin to an always up-to-date Ikea-style assembly guide. The tools developed during this project will also be applicable to other open hardware projects, empowering designers to produce hardware that is more adapted to specific contexts, without creating fragile documentation that always goes out of date when a change is made to the design.

>> Read more about Open Hardware Manuals

SCE, DelTiC and Antler — High-Fidelity Congestion Control

Some Congestion Experienced (SCE) is a project in high-fidelity congestion control (HFCC) that aims to stabilize transport congestion windows, thereby reducing queueing delay and jitter, and increasing link utilization. Our goals under NGI Zero are to complete the DelTiC (Delay Time Control) AQM algorithm, implement a new MIMD transport response aiming for max-min-fair flow competition at shared bottlenecks, and release a purpose-built congestion control testing tool, Antler v1.0. We will inform the CC community about our work, and update our Internet Drafts to keep the door open for future standardization, should the opportunity arise.

>> Read more about SCE, DelTiC and Antler

Hockeypuck — Next generation OpenPGP keyserver

Cryptography is often said to be a method of converting security problems into key management problems. In OpenPGP, the reliable distribution of public keys has traditionally been done using public keyservers. While there are alternative methods of public key distribution, keyservers still perform a key role in the OpenPGP ecosystem.

Hockeypuck is a modern synchronising OpenPGP keyserver application written in Go and licensed under the AGPL. It powers the OpenPGP synchronising keyserver network, which is a fully decentralised caching database run collaboratively by dozens of independent operators, but can also be deployed on a private or individual basis. Hockeypuck is currently being updated to support RFC9580, the latest iteration of the OpenPGP specification, and the upcoming HKPv1 keyserver API specification.

>> Read more about Hockeypuck

Holo Routing — A novel routing stack in Rust, including IS-IS routing

Holo is a suite of routing protocols designed to address the needs of modern networks. Holo was started in response to the increasing trend in the networking field towards automation, where network devices are expected to be managed programatically using a variety of standard interfaces. Written in Rust, a memory-safe language, Holo prioritizes reliability, ease of maintenance, and security.

This project aims to extend Holo by incorporating support for the IS-IS protocol, one of the most widely used interior routing protocols. The IS-IS implementation will encompass both IPv4 and IPv6 support, cryptographic authentication, and extensions for traffic engineering. Rigorous testing against multiple vendors and comprehensive conformance tests will ensure the interoperability and robustness of the implementation.

>> Read more about Holo Routing

IPDL II — A new process logic aimed at formal proofs for cryptographic algorithm

Our project IPDL aims to increase the trustworthiness of large cryptographic systems by designing and implementing a natural and principled way of thinking about them. IPDL, short for Interactive Probabilistic Dependency Logic, is a process calculus and software implementation for formally verifying message-passing cryptographic protocols. Our goal is to use IPDL to develop cryptographic foundations that are both composable and concurrent. Concurrency means that our model of computation natively allows processes to run at the same time; composability allows us to prove the system secure by verifying the security of its subparts. In this setting, formal proofs closely resemble the thinking of a cryptographer.

>> Read more about IPDL II

IPv6-monostack - upstream Linux SIIT/NAT64 — Commoditizing NAT64 and IP/ICMP translation to accelerate IPv6 deployment

NAT64/SIIT technology is critical in enabling networks to transition away from the legacy internet protocol IPv4, yet this network function is currently expensive and hard to deploy, seriously hampering adoption. We believe we can remedy this situation by getting this translation technology accepted into the upstream Linux kernel thus paving the way to rapid and widespread adoption, accelerating IPv6 adoption overall.

>> Read more about IPv6-monostack - upstream Linux SIIT/NAT64

ISCC-CORE typescript implementation library — Decentralised content identifiers through ISO 24138.

The goal of this project is to implement core functions of the new ISCC standard ISO 24138:2024 (“International Standard Content Code”) in Typescript, resulting in a library will be useful for the javascript ecosystem and developers to use and work with this new standard in their project.

ISCC is a similarity preserving fingerprint and identifier for digital media assets. ISCCs are generated algorithmically from digital content, just like cryptographic hashes. However, instead of using a single cryptographic hash function to identify data only, the ISCC uses various algorithms to create a composite identifier that exhibits similarity-preserving properties (soft hash). This supports content deduplication, database synchronization, indexing, integrity verification, timestamping, versioning, data provenance, similarity clustering, anomaly detection, usage tracking, allocation of royalties, fact-checking and other use-cases.

>> Read more about ISCC-CORE typescript implementation library

Optimized Image Codecs — More efficient image handling for embedded systems

The Optimized Image Codecs project aims to bring portable, efficient image and video codecs to all platforms. It is primarily focused on enabling them on devices that previously were assumed to be incapable of using standard compressed images or video due to their limited memory and speed. The efficiency of the code also means that energy usage is reduced on systems large and small. This code represents state of the art efficiency combined with a careful design to minimize the memory requirements. This enables their use on the widest possible set of devices. This project started with the release of a JPEG decoder and now consists of mature JPEG, PNG, GIF and TIFF G4 codecs used by thousands of developers in projects large and small. Within the scope of this project, the aim is to release software MPEG-1 and H.263 video decoders which will run well on low cost microcontrollers. This should dramatically improve the efficiency of products which had to settle for MJPEG (Motion-JPEG) as a substitute for a true video codec.

>> Read more about Optimized Image Codecs

Micro25519 — Lightweight Elliptic Curve Cryptography for microcontrollers

This project is building an open-source software library for modern Elliptic Curve Cryptography (ECC). To achieve this, the project aims for a unique trade-off between three different (and partly conflicting) goals that is currently not offered by any of the existing ECC libraries for small 8/16/32-bit microcontrollers. The first goal is efficiency, which includes not only fast execution times, but also small code size and low RAM usage. Equally important as efficiency is the second goal, namely security, and this includes not only the absence of subtle bugs that could leak secret information, but also robustness against timing-based side-channel attacks. The third goal is usability, which is achieved by a simple and intuitive API, an easily readable and well-commented source code, and a rich documentation with examples for common use cases.

Micro25519 will come with highly-optimized Assembly functions for the low-level field-arithmetic for 8-bit AVR, 16-bit MSP430, as well as 32-bit ARM Cortex-M3 and RISC-V microcontrollers. The higher-level functions are written in C and shared among the different platforms to minimize the code base and reduce complexity.

>> Read more about Micro25519

Irdest IP Traffic Proxy — Route existing IP-network traffic through an Irdest network

An Irdest network allows users to easily create locally focused mesh networks amongst their communities and friend circles. To allow applications not written for this mesh network (using IP traffic routing) to route traffic through the Irdest network a proxy is required. This proxy is responsible for managing routes on entry and exit nodes, announcing routes, and allowing users control over which exit nodes they want to use for different target IP addresses. The goal of this proxy is to provide a better out-of-the box experience for new users, and expanding the scope of usable scenarios.

>> Read more about Irdest IP Traffic Proxy

IronCalc — Embeddable spreadsheet engine written in Rust

IronCalc is a versatile open-source spreadsheet engine written in Rust from the ground up, employing modern programming best practices. It can be used from any programming language or from end-user products like Web IronCalc. Around the world, millions of spreadsheets are used for accounting, data analysis, processing, educational purposes, collaboration, sharing, etc. IronCalc aims to be an all-purpose alternative to Excel or Google Sheets, filling an important gap in the democratisation of spreadsheets. Suited for companies, individuals, and schools alike, the project aims to be feature-rich, international, fast, and lightweight.

>> Read more about IronCalc

Ironclad — Hard real-time capable kernel written in SPARK/Ada

Ironclad is a partially formally verified, hard real-time capable kernel for general-purpose and embedded uses, written in SPARK and Ada. It is comprised of 100% free software, free in the sense that it respects the user's freedom. By providing a UNIX-like interface which ensures an easy porting process from Linux and BSD distributions, Ironclad aims to be a solution for developers searching for a security-first, resilient platform with the smallest barrier to entry.

This project will work on expanding hardware support for x86_64 Intel and AMD based systems, bringing Ironclad to RISC-V 64 bit based platforms, expanding several areas of the kernel, and work on Ironclad-based distributions.

>> Read more about Ironclad

JSON-Joy Peritext — Rich-text CRDT implementations for json-joy CRDT

json-joy is an open source library for building distributed collaborative web applications, its major focus is on implementing performant state-of-the-art CRDT algorithms. This project aims to implement a Peritext-like rich-text CRDT on top of the JSON CRDT Specification as part of the json-joy library. The goal of the project is to implement a production-ready collaborative rich-text editing algorithm, Peritext, and supporting modules for the json-joy library. The project will also improve on the originally proposed Peritext algorithm by leveraging JSON CRDT data structures to make various rich-text annotations mutable and block elements nestable.

>> Read more about JSON-Joy Peritext

AppBundler — Package (graphical) Julia apps for all platforms

While Julia provides excellent support for GUI frameworks across all major desktop operating systems, deploying these applications traditionally requires users to install Julia, instantiate projects, and run them from the command line. AppBundler addresses this challenge by creating self-contained, native installers for Julia GUI applications regardless of framework. It employs a flexible recipe system with sensible defaults, allowing developers to easily configure resulting bundles. This project will integrate open-source bundling tools for macOS and Windows to replace proprietary SDKs, enabling distribution as binary dependencies without cumbersome host setup and facilitating cross-platform deployment from Linux hosts. AppBundler will support various Julia compilation methods, including pkgimages, sysimages, and Julia 1.12+ static compilation features, while developing Flatpak integration and addressing sandboxing to ensure applications run securely without compromising user systems.

>> Read more about AppBundler

KDE Plasma Wayland — Accessibility and advanced graphics input support for KDE Plasma Wayland

Plasma is the desktop provided by the KDE project, one of the largest and most successful open source initiatives in the world. Wayland is the successor of X11 for Unix desktops and the future for many reasons, including security and privacy. However there are some user groups that currently do not have their requirements satisfied. Some people have motor impairments of their arms/hands (such as restricted movement, tremors, or missing fingers) that make it hard or impossible to operate a traditional computer keyboard. Operating systems provide a number of options like sticky keys, slow keys, or bounce keys to accommodate for such disabilities. Another pain point is configuration of graphics tablet input devices. This includes things like mapping the tablet area to an output area, binding tablet/stylus buttons to actions, or configuring pen pressure curves. This project will implement support for these special user groups in KDE Plasma on Wayland.

>> Read more about KDE Plasma Wayland

Knowledge Graph Portal Generator — Automatically generate custom web interfaces for structured data

The Knowledge Graph Portal Generator is a toolkit designed to create user-friendly web portals for Knowledge Graph (KG) datasets, making data from public SPARQL endpoints accessible to users without expertise in semantic technologies. Built on the LinkedDataHub framework, our solution will feature paginated collections, faceted search, and detailed entity views. It will extract RDF ontologies from datasets, generate content configurations, and use these to extend the default LinkedDataHub into a dataset-specific web application.

>> Read more about Knowledge Graph Portal Generator

Kami — Choreography programming language integrated with the Rust ecosystem

Kami is a new programming language, based on the Rust ecosystem, designed from the ground up for correct-by-construction distributed systems. In its core it is pure and functional, thus ideal for building complex concurrent systems. It takes cues from multiparty session types and choreographic programming language research: The behaviour of all roles in a distributed application can be implemented at once from a global point of view. This high-level description is compiled to rust code for all participating roles, with the guarantee that the system will be deadlock-free. Developers can seamlessly drop down to using rust, and all of its ecosystem, for writing local code, while using Kami for composing the local computations into a coherent distributed system. In this project we implement the type-checker, compiler and other developer tools for Kami, to provide for a similarly friendly developer experience as Rust.

>> Read more about Kami

Keyhive — Edge Names, invites and group key agreement for local first data

Keyhive is a synchronization engine for end-to-end encrypted group collaboration. It is designed to support scalable operation in peer-to-peer, federated, and centralized deployments and to support both real-time and asynchronous collaboration. Keyhive is intended to allow efficient decentralized collaboration on collections as large as millions of documents, hundreds of thousands of words / points per document, and thousands of contributors. Keyhive takes advantage of recent advances in algorithms including breakthroughs in set reconciliation, and in some cases advances the state of the art, such as by extending existing group key management systems to eliminate the requirement for a central server. Our aim is to deliver a high performance, useful, and secure open source system to production users around the world.

>> Read more about Keyhive

KiCad-IPC — Add RPC API, multichannel designs and schematic variant system to FOSS EDA suite

KiCad is an open source electronics design application (EDA) suite. The program includes schematic capture, printed circuit board (PCB) layout, circuit simulation, 3D viewer, and many other tools to provide the best possible user experience for professional electronics designers while still remaining approachable for new and inexperienced users. It is available for Windows, macOS, and Linux and is released under the GPL3+ license.

>> Read more about KiCad-IPC

LDAP Synchronization Connector — Synchronize data from/to various data sources with LDAP

LSC (LDAP Synchronization Connector) is a community open source software designed to get rid of all customized scripts developed by system admistrators to sync their files or databases to maintain accounts and groups in an LDAP directory. LSC works with one configuration file and can connect to any database, LDAP directory (including Active Directory) or REST API. It solves use cases like "create an account for every new people hired in the company", "lock this account in Active Directory because it was locked in OpenLDAP", "create a group for all people of this department" or "push accounts to this application API". The project will refresh all the dependencies, and add new features such as allowing javascript in LDAP filters.

>> Read more about LDAP Synchronization Connector

LO/CODE Book project — Professional typography inside LibreOffice

The project enhances readability of text documents by adding highly customizable paragraph-level line breaking and microtypography to the LibreOffice/Collabora Online Writer word processors. It creates a new type of software, with the print quality of proprietary DTP programs and with productivity of word processors. It saves paper and screen area with a compact paragraph layout and readable multi-column pagination. It should result in proposals to enhance the OpenDocument format standard (ISO/IEC 26300) which will be submitted for standardization, encouraging future standards to support enhanced readability, especially for people with reading difficulties.

>> Read more about LO/CODE Book project

LabPlot — Scientific and engineering data analysis and visualisation

LabPlot is a free, open source and cross-platform data visualisation and analysis software. It focuses on ease of use and performance. It provides high quality data visualisation and plotting capabilities, as well as reliable and easy data analysis, without requiring any programming skills from the user. Data import and export to and from a variety of formats is supported. LabPlot also allows calculations to be performed in various open source computer algebra systems and languages via an interactive notebook interface.

In this project the team will work on extending the current feature set of the application to reach a wider audience. This includes scripting capabilities (in Python only in the initial implementation) to script and automate repetitive data visualisation and analysis workflows and to allow control of LabPlot from external applications via a public interface. The second feature that will be worked on is the ability to apply analysis functions such as FFT, smoothing, etc. to live/streaming data (data imported into LabPlot and modified externally). And thirdly, statistical analysis including common hypothesis tests, correlations, regressions and data panning.

>> Read more about LabPlot

Lemmy Scale — ActivityPub-powered social link aggregation and discussion

Lemmy is an open-source, easily self-hostable link aggregator that is used to share, discover and discuss whatever comes to mind. Unlinke proprietary services that welcome users only on their own terms, Lemmy instances can each determine their own course. Lemmy implements the W3C ActivityPub standard, and federates with other ActivityPub services such as Mastodon, Funkwhale and Peertube. Users registered on one server from one of these services are able to subscribe to communities on other servers where they can have discussions with users registered elsewhere.

In this project, a number of noteworthy features are worked on, ranging from improving UX, federation, APIs, storage optimisation, tagging, polls, and more.

>> Read more about Lemmy Scale

Libre Diagnostic — Open hardware car diagnostics

Car diagnostic has evolved from the early OBD-I systems of the 1980s to today’s OBD-II standard. While some commercial scanners provide real-time vehicle data and trouble code readings, they are proprietary, limiting transparency and customisation. An open-source alternative will offer greater control, community-driven improvements, and long-term affordability.

This project aims to develop a cost-effective and user-friendly diagnostic tool that connects to a vehicle’s OBD-II system via Bluetooth using the ELM327 adapter. It will allow users to read and clear diagnostic trouble codes (DTCs), monitor real-time performance data, and analyse key systems like ABS, airbags, and engine health. The project will provide a transparent, accessible, and reliable diagnostic solution for both car owners and professionals.

>> Read more about Libre Diagnostic

LibreQoS 2.1 — Transactional Move System and improved APIs for LibreQoS

LibreQoS is a Quality of Experience (QoE) open source platform that leverages the state of the art (and IETF standardized) Flow Queueing (FQ) and Active Queue Management (AQM) algorithm CAKE to help Internet Service Providers (ISPs) enhance their customers' internet connections. It effectively manages latency and bufferbloat over existing infrastructure. LibreQos ensures fair sharing of bandwidth, prioritizes critical real-time applications and promotes connection quality, equity and access.

This project adds API functionality, which will make scaling LibreQoS to multiple servers much easier, allowing ISP operators to break the current 70 Gbps per server barrier. In addition, this project allows for a new Transactional Move System, which prevents any packet loss upon reload/refresh of shaper rules - allowing LibreQoS to scale to much larger ISP networks, improving internet connectivity for millions more end-users worldwide.

>> Read more about LibreQoS 2.1

Librecast Overlay Multicast — Privacy-preserving, energy efficient data replication and verification

The original design goals of the Internet do not match today's privacy and security needs, and this is evident in the technologies in use today.

The Librecast project contributes to decentralizing the Internet by enabling multicast. Multicast is an important network capability for a secure, decentralized and private by default Next Generation Internet. Multicast is networking with consent. Unfortunately, today's infrastructure does not fully support end to end multicast. In order to reap the benefits of multicast in the applications we build now, we need a transitional mechanism which enables overlay multicast via peer to peer tunnels so that multicast applications - using the Librecast libraries - can work everywhere, regardless of underlying network support.

The Librecast project is building the transitional protocols and software required to extend the reach of multicast and enable easy deployment by software developers, to make end to end encrypted multicast a reality.

>> Read more about Librecast Overlay Multicast

Automate FOSS license compatibility determination — Check software projects for license (in)compatibility + compliance

By classifying license clauses, rather than only the licenses themselves, and the way components are used and provided, we reduce the complexity of license compliance and compatibility and will provide useful resources for humans and computers. The result of this project can be used to simplify choosing a license for your project, assisting in complying when providing FOSS components to your users, checking compatibility between the licenses in your project.

>> Read more about Automate FOSS license compatibility determination

LANShield — Constrain local network access for mobile devices

LANShield is a tool that will give users control over which apps and programs are allowed to access devices in the local network. This is done to defend against malicious apps that may try to scan the user's local network and subsequently leak sensitive information. For instance, when an app tries to access the local network for the first time, the user is asked whether this app should be allowed to access local devices. The project will also investigate models and protocols to safely enable an app to communicate with local devices, with the idea that apps can use this protocol to access local devices without requiring explicit user permission. The project will also investigate how to integrate this defence into Android.

>> Read more about LANShield

Loops — ActivityPub based sharing of short video clips

Loops is an innovative Fediverse platform inspired by TikTok and powered by the decentralized ActivityPub protocol. It aims to deliver personalized short-form video content through a "For You" recommendation algorithm, enhancing user engagement and discovery. The platform supports interactive features like comments and video remixes, fostering a creative and collaborative community. By connecting with the Fediverse, Loops gives users more control over their data, better privacy, and the ability to interact with other platforms—making it an exciting new way to experience social media in our ever-changing world.

>> Read more about Loops

MEGA65 Phone Modular MVP — OSHW mobile device with form-factor of hand-held game consoles

The previous MEGAphone project laid the groundwork for creating personal communications devices that are secure through simplicity. This project extends that work by making the hardware modular, at some cost of minimum size, so that it becomes much more feasible for small communities to produce and maintain their own units, even in the face of supply chain challenges and other contributors to the "digital winter", i.e., the situation where open innovation becomes more difficult due to number of factors. This will also make it easier to include diverse resilient communications options, whether RF, optical or acoustic, so that peer-to-peer communications networks can be sustained even in environments that are hostile to freedom of communications. For this reason energy sovereignty will also be part of the design, so that even if all civil infrastructure is denied, that basic communications and computing functions can be sustained, with a single device whose security can be much more easily reasoned about.

>> Read more about MEGA65 Phone Modular MVP

MNT Reform QCS6490 Module — MNT Reform compatible open Hardware processor module

The project summary for this project is not yet available. Please come back soon!

>> Read more about MNT Reform QCS6490 Module

Improving the deployability of Multipath TCP — Improve MPTCP support in the Linux kernel

Multipath TCP (MPTCP) is a standardised technology extending TCP and invented in Europe. TCP is one of the key protocols of the TCP/IP protocol stack, designed in the 1970s when hosts were attached to the network through a single cable. Today's hosts have several network interfaces, but TCP only uses one of them for a given connection. Multipath TCP solves this problem by enabling TCP connections to exchange packets over different network interfaces. With the current version of MPTCP in the Linux kernel, most of the features listed in the RFC8684 are implemented. Basic use-cases are supported but still it doesn't mean the solution is covering all needs and is easy enough to use. In short, MPTCP works well in some controlled environments but not as good in too heterogeneous ones like it is common to see on the Internet. Also its configuration is sometimes seen as difficult and/or confusing for the moment. Some work is then still needed to cover more use-cases plus to improve the usability and performances in order to have Multipath TCP adopted by a broader audience.

>> Read more about Improving the deployability of Multipath TCP

Improving the deployability of Multipath TCP, part 2 — Improve MPTCP support in the Linux kernel

Multipath TCP (MPTCP) is a standardised technology extending TCP and invented in Europe. TCP is one of the key protocols of the TCP/IP protocol stack, designed in the 1970s when hosts were attached to the network through a single cable. Today's hosts have several network interfaces, but TCP only uses one of them for a given connection. Multipath TCP solves this problem by enabling TCP connections to exchange packets over different network interfaces. With the current version of MPTCP in the Linux kernel, most of the features listed in the RFC8684 are implemented. Basic use-cases are supported but still it doesn't mean the solution is covering all needs and is easy enough to use. In short, MPTCP works well in controlled environments but there is room for improvement in heterogeneous ones. Some work is then still needed to cover more use-cases plus to improve the usability and performances in order to have Multipath TCP adopted by a broader audience.

>> Read more about Improving the deployability of Multipath TCP, part 2

Mainline Linux on ARM Chromebooks — Open firmware and standards-based boot for Mediatek MT818x/MT819x based devices

The project summary for this project is not yet available. Please come back soon!

>> Read more about Mainline Linux on ARM Chromebooks

MWoffliner — Software to make Wikipedia and other Mediawiki content available offline

Wikipedia aims to make the Sum of All Human Knowledge available to all and for free. But with three to four billion people around the world lacking connectivity (because of cost, infrastructure or censorship) we need a solution to bridge the digital divide and bring this great tool to everyone.

Mediawiki offliner packages and compresses any wiki into a portable ZIM archive that can then be browsed offline and on any device, no matter where their users are located. In short, this allows everyone and everyone to carry the largest encyclopaedia ever on their phone and in their pocket.

>> Read more about MWoffliner

MailBox renewal — Performance upgrade of MailBox mail modules

Email is still the workhorse of the internet, and behind the screens some of the heavy lifting is by applications like the Mailbox modules. Under the hood, this software is processing billions of emails every day at some of the largest players in the industry.

The project will deliver a major update of the code after two decades. This is not only long overdue, but actually offers interesting opportunities to take into account new email related RFCs, investigate new possibilities for code optimisation as well as tackling new threats like SMTP smuggling.

As a bonus, the project will work on a standalone tool to be able to once more properly forward emails in the SPF/DMARC era - a very welcome capability, the lack of which is currently causing a lot of headache and lost email for users.

>> Read more about MailBox renewal

Mapterhorn — Open terrain tile sets and data catalog

Mapterhorn is an open-source alternative to proprietary terrain data platforms that addresses the fragmentation of global high-resolution terrain data. While many European countries like Austria and the Netherlands have released open terrain datasets, users currently rely predominantly on proprietary intermediaries such as Google Maps or Esri to consume these. This is due to inconsistencies in formats, projections, licenses, and access methods. Mapterhorn solves this through three components: a global low-resolution terrain tileset based on ESA's Copernicus model, regional high-resolution tilesets from national LIDAR surveys, and a comprehensive data catalog using the open STAC specification. By distributing terrain tiles in Web Mercator projection in standard formats such as GeoTiff and PMTiles, Mapterhorn will enhance disaster response capabilities, improve solar energy planning, boost tourism promotion, and enable numerous other applications across the public sector in Europe and beyond.

>> Read more about Mapterhorn

Multilingual Marginalia — Search engine focused on quality discovery

The project summary for this project is not yet available. Please come back soon!

>> Read more about Multilingual Marginalia

Miru — Multi-track video editing and real-time AR effects

Miru is a new set of modular, extensible Web platform tools and components for still image and multi-track video editing and state-of-the-art, real-time AR. Using WebGL, WebAssembly, and open source, mobile-optimized machine learning models, Miru will give people on the social web the tools to edit images and apply interactive effects to recorded video without compromising on privacy and transparency. Miru aims to provide intuitive and user-friendly UIs which developers can easily integrate into their Web apps regardless of the frontend frameworks they use.

>> Read more about Miru

postmarketOS/phosh-mobile-settings integration — Consolidate functionality of FOSS mobile settings applications

Currently, there is no easy way for applications to install settings that then show up in the system's settings app on desktop Linux systems. As part of bringing desktop Linux to mobile phones in postmarketOS, we have created a "tweaks" app for phone-specific configuration options. With this project, the options in this tweaks app will be converted to a format described by a specification which settings apps then can implement. This in turn is part of a broader effort to make desktop Linux suitable for running on mobile phones as a means to create an operating system for phones without excessive user tracking or built-in ads, with a focus on the user instead of money.

>> Read more about postmarketOS/phosh-mobile-settings integration

Mobilizon UX — Share events on the fediverse

Mobilizon enables the creation of community venues for organising and promoting local and topical events, activities, and groups. These instances can share information using the ActivityPub protocol, allowing users to publish their events on one Mobilizon server and propagate these elsewhere. Mobilizon is designed to be user-friendly and empowering.

In order to reach a wider audience with Mobilizon, we need to make sure we serve the needs of users well - whether they are instance administrators, event organisers, or end users. We will conduct workshops to study how each of these interacts with Mobilizon and understand their expectations, so that we can develop Mobilizon accordingly. Additionally, we will test, document and improve interoperability with other Mobilizon instances, other fediverse applications, and other websites in general. This can be achieved through plugins, APIs, and aligning on standard formats such as Ical. Ultimately, communicating about local activities will become more efficient and finding local activities easier.

>> Read more about Mobilizon UX

Mollymawk — Mollymawk - orchestration and management of MirageOS unikernels

Mollymawk is a deployment and orchestration tool designed to simplify the management of MirageOS unikernels and other virtual machines. In this project, we will focus on optimizing deployment, ochestration and scaling (up and down). Key enhancements we are looking at include implementing websockets, streaming services when deploying unikernel images, automated configurations (DHCP, DNS etc), support for virtual machines that are not MirageOS unikernels, mechanisms for autoupgrading unikernels with rollback options, notification of available updates, unattended updates, and managing multiple physical machines with a single mollymawk.

>> Read more about Mollymawk

Mosaic Simulation — EDA tool for analog chip design

Today, the chip design industry is deeply proprietary with NDAs at every level, which means it is not possible to share design files at all. This in turn stifles learning, innovation and transparency in chip design. In order to create a chip design industry that can be trusted with our digital lives, and which is accessible to educational institutions and small business, it is essential to develop powerful open source tools for chip design. Anyone should be able to use these tools, allowing for unhindered collaboration.

Mosaic is a tool that attacks the first design phase of an analog chip, or analog peripherals for a digital one: design and simulation of the schematic. In this follow-up grant the team will focus on simplification, distribution, and polish - making Mosaic easier to install and use as well as maintain.

>> Read more about Mosaic Simulation

Movedata — Privacy-preserving, energy efficient data replication and verification

MOVEDATA is an efficient and privacy-preserving tool to distribute large blocks of data, such as the contents of a whole storage device (or a device image), with zero knowledge of the structure or meaning of the data to enhance the privacy aspect, and using multicast and other technologies for efficiency, both in terms of network bandwidth and of energy usage. Ease of use is also of particular concern, providing different interfaces adapted to different use cases.

>> Read more about Movedata

Movim — Add end-to-end encrypted videocalls to Movim XMPP

Movim is a web-based social and chat platform that acts as a frontend for the XMPP network. The goal of this project is to modernize and extend the long-existing audio and video conferencing features in three major steps. First, the existing UI will be completely refactored and redesigned to better integrate the conferencing features into the existing pages and flows. Secondly, Movim will support one-to-many call features and offer full compatibility with other XMPP clients building upon the step-one features but without relying on a central server to handle the media streams. And finally, to handle conference calls with a large number of participants, Movim will standardize and integrate SFU (Selective Forwarding Unit) support that will then lift the streams network bottlenecks offering a complete and scalable experience to its users. With those three steps fulfilled Movim will then be able to greatly simplify fully standard XMPP audio and video conferencing calls on the web.

>> Read more about Movim

Mox management and automation — Automated email server management and administration

Mox is a modern email server implementation that makes it easy for people and organizations to run their own mail server, allowing them to stay in control of their own email communication, and keeping email decentralized. While high-quality open source mail server software components exist, their code bases are growing old, and getting a working setup involves configuring at least half a dozen of them to work together. That complexity has turned people to a few (centralized) email providers. Within this grant the team will add a number of missing key features such as server-side email filtering (Sieve) and encrypted storage, among others.

>> Read more about Mox management and automation

Collation + i18n support in musl libc — Complete POSIX internationalised functions in musl libc

musl libc is a lean C standard library implementation for Linux. It strongly focuses on correctness, compliance with standards, and reduced footprint, both in terms of binary size and memory usage. Its initial release dates to 2011, making it a considerably modern implementation compared to alternatives like glibc. As default in e.g. Alpine Linux (which is widely used in containers but also is the basis for end user facing efforts like postmarketOS) it can be found in many unexpected places.

This project will implement two features still missing: collation and internationalization support. The first one allows set ordering based on locales, and follows a certain set of established rules and standards. The second one provides basic functionality in the language of choice for the user like dates, times, numbers, and monetary symbols. Contributors from the postmarketOS community will validate the work, to make sure that everything actually works out as intended.

>> Read more about Collation + i18n support in musl libc

Control plane for Nix-based systems — Dynamic system management and orchestration with Nix

The project summary for this project is not yet available. Please come back soon!

>> Read more about Control plane for Nix-based systems

NixBox — Nix integration with netbox

NixBox is a modern approach to network deployments, it combines the configuration management powers of nix with the documentation capabilities provided by NetBox. It focuses on testability, reliability and automation while making your network documentation your configuration. Our goals are to reduce downtime and improve network visibility. Utilizing virtual machine tests we can ensure that your deployment will actually work before you ship it to production.

>> Read more about NixBox

NodeBB — ActivityPub support and accessibility improvements for forum software

NodeBB is a Node.js based community forum software utilizes web sockets for instant interactions and real-time notifications. NodeBB benefits from modern features like real-time streaming discussions, mobile responsiveness, and rich RESTful read/write APIs, while staying true to the original bulletin board/forum format — categorical hierarchies, local user accounts, and asynchronous messaging.

In this project, the team will be working on bringing ActivityPub integration to NodeBB, in order to allow forums to become truly interconnected with other ActivityPub-enabled applications throughout the wider Fediverse (of course including other NodeBB forums). The absolute hardest part of starting a community — forum or otherwise — is gaining a critical mass of adoption in order to sustain interest and content. What if we could bypass this hurdle altogether?

>> Read more about NodeBB

Nova JavaScript engine — Independent JavaScript engine written in Rust

Nova is a JavaScript engine exploring a different, data-oriented design inspired JavaScript engine design. This design allows greatly reduced memory usage, optimal data cache locality for algorithms on happy paths, memory safety by construction, and various other technical optimisations that together form a compelling and interesting whole. The design involves tradeoffs, paying extra indirection for its gains, and the implementation treads mostly unfamiliar territory: the technical choices are nothing new, but they have not seen wide usage in production JavaScript engines to date. If the upsides overshadow the downsides, as they seem to do, the result will be a JavaScript engine that reduces memory usage by 30 to 50 percentage points, while improving performance under real-world loads.

>> Read more about Nova JavaScript engine

NovyWave — Waveform visualizer for gateware development

NovyWave is an open-source waveform viewer designed as a modern alternative to GTKWave. This cross-platform desktop application is suitable for both professionals and beginners, offering simple installation and a strong focus on user experience. Its goal is to boost productivity and satisfaction among current hardware developers while also attracting new developers and students to the hardware design ecosystem. NovyWave is built on fast and reliable Rust libraries and leverages well-proven web technologies to ensure a consistent look, accessibility, design flexibility, and safe user extensibility via WebAssembly plugins.

>> Read more about NovyWave

O-ESD — Open-hardware for ElectroStatic Discharge testing

The goals of the Open-hardware for ElectroStatic Discharge testing (O-ESD) is to design, produce and verify an open-hardware and accompanying open-software for a device for electrostatic discharge testing. Electrostatic discharge is a phenomenon that occurs daily between humans and electronics and can irreversibly damage the electronics. All consumer electronics sold in EU, including all internet hardware, must satisfy Electromagnetic Compatibility (EMC) Directive. One of the most hardest tests within EMC directive deals with electrostatic discharge as defined by IEC/EN 61000-4-2 standard. Standardized tests are typically done with special equipment in accredited EMC laboratories and are costly. The O-ESD tester will minimize the costs of pre-compliance testing and make it publicly available.

>> Read more about O-ESD

OCaml direct style transition — Helping with the transition of OCaml programs from Lwt to Eio

OCaml traditionally uses monadic style for concurrent programming, offering advantages like reduced data races and efficiency but requiring all code to be written in this style and leading to frequent allocations. OCaml 5 is one of the first languages to implement algebraic effects, enabling direct-style concurrency with multiple stacks, addressing these drawbacks. However, the transition to effects-based concurrency can lead to incompatibility between libraries written in different styles, putting the whole OCaml ecosystem at risk. This project aims to mitigate these risks by developing tools to automatically rewrite code and identify potential issues during the transition from monadic to direct-style concurrency, specifically focusing on the complex case of the Ocsigen Web framework.

>> Read more about OCaml direct style transition

OCaml-QUIC — Implement QUIC/QUIC-TLS/QPACK and HTTP/3 in OCAML

HTTP/3 is the most recent version of the Hypertext Transfer Protocol used to exchange information on the World Wide Web. Like the QUIC transport layer protocol it uses, it is standardized by the Internet Engineering Task Force (IETF). OCaml-QUIC is an implementation of QUIC (RFC9000), QPACK (RFC9204), HTTP/3 (RFC9114) and associated protocols in OCaml, an industrial, functional, memory safe programming language, used in sectors ranging from finance and research to social media and web application.

The project aims to provide an open, complete implementation of the aforementioned protocols to be used and deployed in embedded devices, POSIX/UNIX operating systems and unikernels (self-contained, library operating systems).

>> Read more about OCaml-QUIC

OPERA-DSP — Open hardware FMCW Radar signal processing in FPGA

Frequency Modulated Continuous Wave (FMCW) radar is essential for applications such as autonomous vehicles, industrial automation, environmental monitoring, and security, enabling high-resolution object detection and speed estimation. However, to fully leverage FMCW radar data, digital signal processing (DSP) techniques must be applied in real time to extract meaningful information. The OPERA-DSP project aims to develop an open-source FMCW radar DSP hardware library, making radar signal processing more accessible to researchers and developers. It will provide essential IP cores, including windowing functions, Fast Fourier Transform (FFT), magnitude computation, and Constant False Alarm Rate (CFAR) detection. To simplify adoption, OPERA-DSP will integrate these DSP libraries with a RISC-V core and develop an FPGA-based design, complemented by scripts for automated bitstream generation.

>> Read more about OPERA-DSP

OWASP dep-scan — Security and risk audit tool

OWASP dep-scan is a next-generation Software Composition Analysis (SCA) tool based on known vulnerabilities, advisories, and license limitations for applications, container images, and Linux virtual machines. Powered by abc - AppThreat atom, OWASP blint, and CycloneDX Generator (cdxgen) - dep-scan performs a range of advanced code hierarchy and lifecycle analysis (for example, reachability analysis) to improve precision and reduce false positives, thus helping developers and AppSec people focus on supply chain vulnerabilities and risks that needs real attention.

Dep-scan is purpose-built to be integrated in CI, Vulnerability Management platforms, and air-gapped environments. Dep-scan can perform all the analysis offline, with no code or SBOM leaving your environment. The tool supports generating reports in CycloneDX VDR, OASIS CSAF VEX, HTML, PDF, and Markdown formats.

>> Read more about OWASP dep-scan

owi — Symbolic evaluator and fuzzing of WASM software

WebAssembly (Wasm) is a post-JavaScript code format for the web, enabling efficient computing, with built-in sandboxed execution. Its usage is expanding: it is now used in online services, in embedded systems and to create portable binaries.

Owi is a toolkit tailored for Wasm. In particular it can perform efficient symbolic program execution. That is to say, for a given program, it is able to find input values leading to a crash. Many languages are compiling to Wasm, e.g. C/C++/Rust. Owi can thus be used as a bug-finding tool working on any of these languages. We're currently improving the usability of the tool as a part of the testing workflow for developers, the first step of this work is to provide an interface making Owi a drop-in replacement for AFL.

>> Read more about owi

Omnom — Add social layer to personal bookmarking

Omnom is a web-based, self-hosted bookmarking and snapshotting platform that can create identical snapshots of any opened webpage to what it looks like in the browser at the time of creating the snapshot. It consists of a browser addon compatible with Firefox and Chrome based browsers and a multi-user web based application. The goal of this project is to add social features and improve user experience.

>> Read more about Omnom

OpenCarLink — Security tooling for vehicle ODB2 ports

OpenCarLink is an initiative aimed at revolutionizing vehicle diagnostics and security through the development of an open hardware device for vehicle OBD2 ports. By supporting communication protocols such as DOIP, CAN, Kline, and Single-Wire CAN, OpenCarLink enables users to perform remote diagnostics, real-time emissions tracking, enhanced vehicle security through penetration testing, and increased driver safety via behavioral data tracking. This project promotes an open and innovative future for the European mobility sector by help circumventing manufacturer limitations. By releasing the hardware design under an open-source license, OpenCarLink fosters a environment where enthusiasts, researchers, and professionals can contribute to and benefit from the advancements in vehicle diagnostics and control. With a focus on democratizing access to the DOIP protocol, OpenCarLink challenges the restrictive policies and secrecy that currently dominate the automotive industry, help paving the way for a more open and informed society.

>> Read more about OpenCarLink

Open Cloud Mesh — Improved specs and test suite for Open Cloud Mesh protocol

The Open Cloud Mesh protocol, at its core, defines a wonderfully simple JSON payload to notify another server when a user wants to share a folder or file with a user on that server. It is implemented by some major Enterprise File Sync and Share (EFSS) vendors, and used in production by several serious organisations - including major National Research and Education Networks (NRENs). But its specification and test suite are still lacking in substance and quality. In this project we will improve the specification text, flesh it out to a more strictly defined (RFC-style) text that addresses all aspects and considerations of the protocol. In addition we improve the test suite so that it can be run in Continuous Integration (CI) instead of requiring frequent manual intervention, and clarify any incompatibilities we find between implementations.

>> Read more about Open Cloud Mesh

OpenEMSH — Automatic mesher for FDTD simulation

OpenEMS is arguably the only free and open source FDTD solver out there that is usable out of the box for RF (Radio Frequency electromagnetics) design. Its main competitive disadvantage is that FDTD requires simulated models to be meshed according to specific rules, yet it does not provide an automatic mesher to create such meshes. Some facilities already do exist but meshing by hand is time-consuming and error-prone - enough to stand in the way of broader adoption. OpenEMSH aims to be a mesher for OpenEMS that makes it as simple to use as any proprietary solution.

>> Read more about OpenEMSH

OpenHarbors — Dynamic Tunneling of WPA over IP/L2TP

OpenHarbors wants to establish a novel approach for secure communication over an untrusted Wifi network - and beyond: Dynamic tunneling of WPA over IP/L2TP. Why? Because current, secure solutions are not satisfactory: They are either hard to set up, require extra software in advance or are not applicable on an open wireless community mesh network like Freifunk.

OpenHarbors will utilize and implement WPA Enterprise with an extra twist: Instead of providing an encryption channel only between your mobile device and the direct WLAN access point you will be able to securely dial-out at any location on the internet you trust and choose and are granted access to. Without the hassle of installing and setting up an extra VPN software on your phone. Without the need of a trusted WLAN access point operator model or closed source firmware, in contrast to current approaches with Passpoint/Hotspot 2.0/eduroam/WBA OpenRoaming and similar - which all are conceptually not applicable on open wireless community mesh networks.

>> Read more about OpenHarbors

Open Web Calendar Stack — Aggregate public and private web calendars

The Open Web Calendar stack is an open-source set of Python libraries and programs which read and write calendars based on the iCalendar standard. The Open Web Calendar displays a highly configurable website that can be embedded to show a calendar. Currently, ICS URLs are supported and a goal is to also support CalDAV.

Amongst the used libraries is the popular icalendar library to parse and write iCalendar (RFC5545) information. This cornerstone of Python's ecosystem requires some work to be up-to-date with common practice such as updating the timezone implementation. The updates to the icalendar library will be tested and also pushed up the stack to the Open Web Calendar.

The recurrence calculation of events is done by the python-recurring-ical-events library. Changes to icalendar will be tested against this library to find compatibility issues. As the iCalendar standard has been updated, recurrence calculation is affected, too. These updates need to be evaluated and possibly implemented for both icalendar and the recurrence calculation.

By implementing changes at the base, the whole stack is improved. We can use the Open Web Calendar project to make sure that possible transitions and updates are mapped out and communicated to other projects in the ecosystem. Improving a FOSS solution thus spreads the accessibility of iCalendar.

>> Read more about Open Web Calendar Stack

Open Web Calendar Stack II — Recurring events and calendar merging

The Open Web Calendar creates a highly configurable calendar what can be integrate into existing websites. Its stack is composed of various libraries working with a variety of internet standards/RFCs. This project will amongst others improve the support for recurring events. Various widely used Python libraries such as icalendar, mergecal, caldav and dateutil will also receive improvements as well as better documentation to aid developers. Their compliance with the underlying standards will be better tested to cope with the wide range of applications and use cases in the 'wild' - and should improve software quality and stability in millions of installations.

>> Read more about Open Web Calendar Stack II

Extensive openwifi support for OpenWRT — Software Defined Radio Wifi for OpenWRT routers

The internet service provider and the IT department are often responsible for setting up your Wi-Fi network at home and work, respectively. As a result, many people take Wi-Fi routers and APs for granted and do not realize that these devices are complex and vulnerable closed black boxes of software, firmware and hardware. The often-outdated software and firmware on these devices, combined with their hardware and overall black box nature, raise serious security concerns. For example, the US is considering a ban on TP-Link devices. The software community addresses this issue through projects such as OpenWRT. However, these OpenWRT devices still route their wireless traffic through a closed Wi-Fi chip.

This project (from the creators of openwifi, the first full-stack open-source IEEE 802.11a/g/n Wi-Fi chip) aims to provide a transparent alternative. Tje project will deliver fully featured openwifi-on-OpenWRT support for all openwifi-enabled boards. To achieve this, the dependency of openwifi on ADI Kuiper Linux is broken and its hardware description is modularized, allowing us to port openwifi to OpenWRT in a maintainable manner. The result is an openwifi package within OpenWRT, allowing users to choose for both open-source software and Wi-Fi chip, thereby enhancing the security and openness of Wi-Fi routers/APs. With this work, we lay the foundation for future developments, including potential partnerships with open-source Wi-Fi router vendors.

>> Read more about Extensive openwifi support for OpenWRT

openwifi: 802.11a/g/n maturity — Improved stability, data rate and reach of openwifi

Wi-Fi has become ubiquitous in modern society. While many people might assume that the Wi-Fi chip in AP, mobile devices, and computers is a dumb device that merely sends and receives packets over the air, the reality is far more complex. Even the most affordable Wi-Fi chips are sophisticated heterogeneous computing systems, as highlighted by many researchers and hackers. These chips contain multiple types of firmware and silicon fabric working together. The lack of open-source Wi-Fi chips and the transparency of commercial Wi-Fi chips have raised many security concerns: The security threats over Wi-Fi have emerged for years. Openwifi (https://github.com/open-sdr) aims to address this issue. It is the first open-source soft-MAC Wi-Fi chip/FPGA design, initially released at the end of 2019, with 802.11n added in 2020. As more users, researchers, and hackers engage with the project, they have identified issues related to stability, data rate, and communication distance. This maturity-elevating project aims to tackle these issues through improvements in the Linux driver, FPGA, and RF control. The enhanced version will be comparable to commercial Wi-Fi4 chips, such as the ath9k series, and will be capable of operating in more realistic electromagnetic environments rather than just short-range, controlled environments. These advancements will facilitate broader adoption of the project and lay a solid foundation for future developments, including the creation of a real chip.

>> Read more about openwifi: 802.11a/g/n maturity

Openfire Next-Gen Connectivity — Authentication/SASL improvements to Openfire XMPP server

Openfire is a mature, open-source, cross-platform real-time collaboration server based on the XMPP protocol, known for its flexibility and widespread use in decentralized communication. Over the past two decades, the XMPP protocol has evolved, introducing new standards that significantly enhance connection setup speed, security, and flexibility. These advancements improve the establishment of authenticated connections, ensuring better overall performance and more robust functionality for real-time communication systems.

>> Read more about Openfire Next-Gen Connectivity

Openfire IPv6 support — Add IPv6 support to the Openfire XMPP server

Openfire is an open-source, mature, cross-platform, real-time collaboration server based on the XMPP protocol. Originating around the turn of the century, IPv6 was not explicitly supported when it was originally created. As shown by anecdotal evidence, some IPv6 functionality already ‘works’ in Openfire. This, however, is accidental, and not by design. This project intends to add explicit IPv6 support to Openfire.

>> Read more about Openfire IPv6 support

Organic Maps сonvergent UI with Qt Quick/Kirigami — Declarative cross-platform UI for navigation

Maps navigation software is a crucial part of computer systems today, be it on Mobile, Desktop, Automotive and so on. For quite a lot time already, we have a brilliant open-source maps application, now named Organic Maps. It's features make it strong competitor to commercial-grade software, among them are: privacy, fully offline maps, low battery consumption, navigation, points of interest (POI) and much more. Currently, the application shows it's strength on mainstream mobile operating systems only. On other systems, it's ability is quite limited, mainly because of lack of proper User Interface for them.

This project aims to create an Organic Maps convergent touch-friendly User Interface for Linux, backed by featured Qt Quick/QML application framework, perfectly suitable for this task. This would allow feature-parity for Mobile and Desktop Linux systems, and also creates solid ground for further unification of the User Interface among other platforms.

>> Read more about Organic Maps сonvergent UI with Qt Quick/Kirigami

Organic Maps bookmarks, hike and bike — Improved bookmarks, address search, map styles and driving

Organic Maps is a free, open-source offline map application available for Android and iOS. It provides a privacy-focused alternative to Google and Apple Maps, empowering individuals who value their privacy and freedom from the surveillance ecosystems created by these companies. The app offers downloadable outdoor maps of the entire world, offline multi-point navigation, offline search on the map, saved bookmarks and trails, KML/KMZ/GPX interoperability, elevation contours, track recording, and more. This project focuses on enhancing core functionality: optimizing offline search, expanding bookmark management, and introducing new features for hikers and bikers.

>> Read more about Organic Maps bookmarks, hike and bike

Overte Visual Scripting — Feature enhancements of FOSS virtual reality platform

Overte is a virtual social platform that allows its users to socialize in a more involved way than traditional digital communications, by allowing them to enter worlds using Virtual Reality. It can be used not just for recreational activities, but also education, psychotherapy, congresses, and more. The goal is to support people's need for immersive social platforms, by providing them with something that is privacy respecting and free.

As part of this project, we aim to take on bigger maintenance and development tasks that may otherwise happen slowly or remain undone. Such tasks include fixing bugs, updating to Qt 6, and overhauling the UI, as it has accumulated quite some technical debt over the years.

>> Read more about Overte Visual Scripting

PTT — Unikernel Mailing list server in OCAML

Email is still one of the main channel of communication.Setting up and maintaining something as simple as a reliable mailing list in-house is significantly more complex than it ought to be. Out of convenience, many organisations and communities outsource running their maiilng lists service to third-party agents. However, this not only creates an unnecessary dependency but also reduces confidentiality, which can be a critical aspect.

This project has the ambition to win back the means of communication, developing a new mailing list application service that is easier to maintain securely (through unikernels using MirageOS), and is efficient in terms of resource usage. The service should integrate into existing infrastructures seamlessly.

>> Read more about PTT

Patchouli — Arbitrary-sized open hardware EM pen products

Patchouli is an open-source electro-magnetic drawing tablet hardware implementation, including a coil array, an RF front end built using commercially available parts, and digital signal processing algorithms. The design is compatible with most commercial pens from different vendors, offering an ultra-low-latency pen input experience for your customized hardware projects. The hardware is released under the CERN-OHL-S license, and the firmware/simulation code is released under the GPL3+ license.

>> Read more about Patchouli

Better support for display notches and cutouts in Phosh — Better custom shape screen support for Wayland

Mobile phones often have notches or cutouts in their displays (often to accommodate the camera), rounded corners or waterfalls (lower resolution areas at the edge of the screen).

The aim of this project is to propose and implement a Wayland protocol that gives applications the necessary information about these areas. This allows them to place UI elements in a sensible and visually pleasing way, color lower resolution areas properly and avoid having important information occluded.

Besides for mobile shells like Phosh this information is also important for e.g. video players and other full screen applications and out of the box support in toolkits is desirable.

>> Read more about Better support for display notches and cutouts in Phosh

Pijul ecosystem — A modern patch-based version control system

Pijul is a modern patch-based version control system that addresses many shortcomings found in existing tools. While its foundations are already mature and well-tested, it lacks many conveniences users expect from the ecosystems of popular tools such as Git. This project aims to significantly reduce Pijul's barrier to adoption by addressing common areas of user feedback - documentation, usability, robustness, and integration into other tools such as text editors or CLI prompts. We believe this will improve the workflow of existing users, and enable many more to adopt Pijul and its benefits without sacrificing other parts of their workflow.

>> Read more about Pijul ecosystem

Pijul Hybrid — Hybrid patch-based/snapshot-based system for distributed versioning

Pijul is a modern patch-based version control system that addresses many shortcomings found in existing tools, based on a mathematical theory of collaborative work. In order to ease the transition from existing tools, and increase utility in a wider set of use cases, this project will work on a better transition story from other tools like Git and Mercurial, and improve tooling around it. In particular, it will deliver a hosting platform called Nest which has features which will be quite different from other hosting services. Pijul is able to apply patches independently from each other, meaning that (reorderable) patches can be used in place of legacy pull/merge requests everywhere. This should makes most workflows vastly simpler, as well as result in cleaner code bases.

>> Read more about Pijul Hybrid

Pimalaya PIM — Memory-safe emails, contacts, calendars, tasks and more

Pimalaya aims to improve open-source tooling related to Personal Information Management (PIM). Pimalaya has two objectives: to provide solid Rust libraries dedicated to the PIM domain, which serve as a basis for all sorts of top-level applications (meaning their developers can focus on functionality) and to develop a number of quality applications on top of these libraries.

Within the scope of this project, Pimalaya will release additional production-grade libraries and tools, expanding its scope to contacts and calendars — through contact and calendar libraries, command line interfaces and plugins. At the end of this grant, the Pimalaya project covers not just email but also contacts, events, alarm and tasks.

>> Read more about Pimalaya PIM

Plasma Mobile powermanagement improvements — Better power management on mobile Linux

Plasma Mobile is an open source user interface for mobile devices developed by the KDE Community. Plasma works on top of various free and open source operating systems such as Linux, offering an attractive open mobile stack. Built on the foundations of Plasma Desktop, Plasma Mobile brings its flexibility to a mobile form factor. To increase mass-adoption of such a free-software alternative, it is important that we offer a great experience in terms of productivity and usability of the platform. One aspect in helping to achieve broader adoption of Plasma Mobile is by extending battery-life: the longer users can use their phone without needing to recharge, the better. This project will improve the power management for Plasma Mobile, also keeping an eye on user experience.

>> Read more about Plasma Mobile powermanagement improvements

Pleroma — Scalable ActivityPub server written in Elixir

Pleroma is an extendable ActivityPub communication server. Pleroma can be as light-weight as you want it to be, fit for both running from a homeserver or from more serious infrastructure. Pleroma embraces customization. Instead of trying to dictate how users should use our software, we give them options. From the backend to the frontend, there are hundreds of configurable options to satify the different needs of everyone. We know there's no single setup that works for everyone, and are more than willing to listen to users' feedback. Being part of fediverse of course means interacting with other servers and Pleroma provides the best experience when displaying other types of content, even non-microblogging.

The Fediverse nowadays is a very big place with a lot of different people, who don't necessarily agree with each other or have good intentions. To help with the insurmountable task to moderate the stream of incoming and outgoing content, Pleroma has Message Rewrite Facility, allowing instance administrators to automatically act upon activities including modifying them and deciding whether to show them in federated timeline or not. Having more detailed and partially automated moderation helps create a network where users don't have to worry about not being able to talk to someone else because the admins didn't have the rights tools at their disposals.

>> Read more about Pleroma

Pre-Scheme — Compile Scheme directly to portable C

Pre-Scheme is a statically-typed dialect of the Scheme programming language which compiles to C, suitable for low-level systems programming. Pre-Scheme is implemented using a sophisticated general-purpose compiler, written in Scheme, with demonstrated applications to other programming languages and compilation targets. This project aims to port the compiler to R7RS, the latest Scheme standard, so that it can run on a variety of modern Scheme implementations. The Pre-Scheme language and tooling will also be updated to meet the expectations of a contemporary developer audience, and the compiler framework will be documented and exposed to support future innovations in programming language development and research.

>> Read more about Pre-Scheme

Protomaps — Self-hostable maps based on OpenStreetMap data

Protomaps is a free and open source map of the world, deployed as a single file you can host yourself. It enables interactive, zoomable mapping applications with only static storage and HTTP Range Requests. It uses the OpenStreetMap dataset as a primary source; its configurable toolchain can create maps with specific areas, custom data, and different cartographic styles. It’s used in earth science, journalism and the public sector. Protomaps has no vendor lock-in, permits end-to- end data sovereignty, and can ensure end-user privacy. 

>> Read more about Protomaps

Py2HWSW — A tool to manage embedded HW/SW project

This project aims to develop an open-source Python framework for managing files, automating project flows of embedded hardware/software codesign projects, and partially generating Verilog hardware components. The framework simplifies the project structure, addresses challenges in Hardware Design Languages like Verilog and VHDL, and automates emulation, simulation, FPGA, and ASIC flows. The proposed Verilog generator offers flexibility, user control and ease of use, producing human-readable code compatible across FPGAs and ASICs.

>> Read more about Py2HWSW

Py3DTiles - Textured Mesh tiling — OGC 3DTiles 1.1 support for 3D tile conversion tool

Py3DTiles is an OpenSource Python module and CLI to create 3DTiles from various 3D geo-referenced data types and formats. It supports point clouds, IFC (BIM) and other 3D data types. It generates datasets suitable for 3D visualization of cartographic data.

This project will add support for Textured Mesh conversion. Textured Mesh data can originate from various sources such as drone sensors, satellite imagery, and aerial photography through photogrammetry. Pointclouds can be transformed to Textured Mesh through triangulation. Textured mesh can also be created with 3D design software like Blender or Vue. Implementing 3D Tiles conversion capabilities of these data types will reinforce 3D data processing capabilities with opensource software, and increase interoperability and interconnection of software and data processing pipelines. Beyond adding these new capabilities to Py3DTiles, the project will also integrate and develop underlying algorithms and methods to process the data efficiently and handle large amounts of data.

>> Read more about Py3DTiles - Textured Mesh tiling

Proper Webcam support in Qemu — Better virtualisation of camera interfaces

QEMU is one of the most popular open source machine emulators and virtualizers. It supports a wide range of architectures and is capable of emulating many types of hardware devices. Many people rely on QEMU to run alternative operating systems or even as a secure development environment.

Sometimes it is necessary to pass camera devices to the QEMU guest and make them available to the system. While it is possible to pass cameras using the generic QEMU USB host emulator, this only works with USB cameras and only makes them available to that single QEMU guest. However, many modern systems move away from USB cameras and provide other interfaces for the camera, and thus cannot be passed through.

Our solution is to use the operating system's video API instead to make the video device available. We will focus on providing proper support for the Video4Linux API to emulate a USB video device so that it works with the already existing OS drivers. With proper integration of a camera subsystem, this opens the door to supporting more camera APIs and even extending paravirtualized VirtIO devices in the future to improve video quality for next generation video devices.

>> Read more about Proper Webcam support in Qemu

RVVM — RISC-V Virtual Machine

RVVM is a virtual machine/emulator for RISC-V guests, which emphasizes on performance, security, lean code and portability. It runs a lot of guest operating systems, including Linux, Haiku, FreeBSD, OpenBSD, etc, and has a rich device infrastructure (Network adapters, NVMe, HID, PCIe with MSI). Emulation performance is very competitive thanks to RVJIT dynamic binary translator. Portability is taken very seriosly and only requires C99 as a baseline. We also aim to run RISC-V applications on a foreign host without full OS guest (userland emulation, i.e. RISC-V containers).

To prevent theoretical VM escape vulnerabilities from being exploited, we enforce kernel-level isolation, strict codestyle and compiler warning policies, extensive static analysis and use of sanitizers/fuzzers.

The RVVM infrastructure is meant to be modular and embeddable - the whole project is contained within "librvvm" library and a reference VM manager to make use of it. GDB debug server is also available for kernel developers and alike. The goal under NGI Zero Core is to implement first-class KVM hypervisor suport for RISC-V, as well as x86_64 & ARM64 hypervisor variant (reusing the same device emulation infrastructure), shadow pagetable acceleration for guest MMU, and RISC-V Vector extension support which is gaining serious traction and is much needed for software testing. Additionally, a special deduplication image format is in the works which should give immense storage benefits in terms of space saved for build farms and cloud use, as well as atomic write consistency for reliability.

>> Read more about RVVM

Rackweaver — Design and manage physical infrastructure hosting

RackWeaver is an AGPLv3+ cross-platform desktop application for designing and managing data center infrastructure. Its describes a complete object representation of one's data centers, including physical locations, port connections, and network configurations. Further, it comprises a suite of tools (both GUI and CLI) to act upon that model and modify it intelligently. It is able to generate documentation, switch configurations, and disk images, aid in system monitoring, and more through a plugin system. RackWeaver is built as a native desktop application (using Python and Qt) so that it continues to run for decades. Additionally, it leverages version control and OpenPGP keys to reliably document all changes to one's infrastructure. RackWeaver is usable by anyone, from a solo sysadmin managing a few machines, to a team overseeing multiple autonomous systems, for those who prefer offline, scriptable, and easy-to-use free/libre software.

>> Read more about Rackweaver

Rauthy — Reliable OpenID Connect IdP and IAM solution.

Rauthy is a lightweight and easy to use OpenID Connect Identity Provider. It aims to be simple to both set up and operate, with very secure defaults and lots of config options, if you need the flexibility. It puts heavy emphasis on Passkeys and a very strong security in general. The project is written in Rust to be as memory efficient, secure and fast as possible, and it can run on basically any hardware. If you need Single Sign-On support for IoT or headless CLI tools, it's got you covered as well. You get High-Availability, client branding, UI translation, a nice Admin UI, Events and Auditing, and many more features. By default, it does not depend on an external database but runs on top of Hiqlite, an embeddable SQLite database that can form a Raft cluster to provide strong consistency and high availability - although it can use e.g. Postgres as an alternative. This makes it simple to operate, while scaling up to millions of users easily.

>> Read more about Rauthy

Reaction — Event-based system programming

A lot of bots roam the internet, scanning server ports and web endpoints, and filling out any web form they come across - continuously on the lookout for vulnerabilities to exploit. In order to maintain server security, one of the currently most common defense mechanisms is to monitor logs for repetitive behaviour, or specific patterns implying the involvement of bots. With tools like fail2ban, one can write simple rules to automatically isolate machines identified as suspect.

Reaction wants to provide a more modern and efficient approach to regex-based log scanning, allowing multiple reaction instances to communicate, sharing bans across an entire infrastructure as well as more intelligent and user-friendly soft bans. This extends the scope of this class of tooling allowing it to act as a light monitoring tool, or an orchestrator for any other event-based actions.

>> Read more about Reaction

Real Time Litex Extension — Real time capabilities for FPGA-based RISC-V core

The Core-Local Interrupt Controller (CLIC) is a RISC-V standard extension that enhances real-time performance by enabling the prioritization of interrupts based on levels and priorities. This feature allows developers to have fine-grained control over interrupt prioritization, leading to more efficient handling of real-time events. In this project, we propose to replace the original interrupt controller of the VexRiscv based processor core family with CLIC. By implementing the CLIC, VexRiscv can efficiently propagate the highest-level, highest-priority pending interrupt to the core, significantly improving real-time responsiveness. The CLIC implementation also introduces features like selective hardware vectoring and the special register (xnxti CSR), which further optimize interrupt handling.

>> Read more about Real Time Litex Extension

Redox OS Unix-style Signals — Add Unix-style signal handling to Redox Operating System

Redox OS is a Unix-like microkernel based operating system written in Rust. It is intended to provide a secure and reliable alternative to Linux. Redox is continuing to add functionality to provide source-code compatibility for most Linux software. This project will provide Redox with Linux-compatible inter-process signals, including signalling to process groups, processes and threads, and improved process management.

>> Read more about Redox OS Unix-style Signals

Renderling — Real-time rendering library on top of WebGPU

Renderling is an innovative, GPU-driven real-time renderer designed for efficient scene rendering with a focus on leveraging GPU capabilities for nearly all rendering operations. Utilizing Rust for shader development, it ensures memory safety and cross-platform compatibility, including web platforms. The project, currently in the alpha stage, aims for rapid loading of GLTF files and handling large, animated scenes with many lighting effects. Development emphasises performance, safety, observability, and the use of modern rendering techniques like forward+ rendering and physically based shading.

>> Read more about Renderling

NetBSD Reproducibility — Extend Reproducibility for CTF Debugging Infos and NetBSD Image Creation

The NetBSD operating system is built from a single source code repository and supports a great variety of different hardware and CPU variants. NetBSD has a working infrastructure for being reproducible, thus you can verify eg. an install ISO to be created from an untampered repository. As NetBSD is technically always cross-compiled, it can be build on several platforms, most commonly on NetBSD itself and on Linux. This project aims to fix two issues where a Linux-based build host creates different output than a NetBSD host.

Ports using the newer GCC-12 based compiler usually use the CTF debugging format, where the binary representation (probably due to different sorting) differs between Linux and NetBSD builds. The second issue is with install image creation, where symlinks permissions and owner/permission bits from the building host leak into the image, breaking reproducibility. Both of these issues affect the widely used amd64 (usual PCs and Laptops) and arm/aarch64 (Raspberry Pi) ports.

>> Read more about NetBSD Reproducibility

Reticulum Network Stack — Networking stack for building local and wide-area networks even with extremely low bandwidth

Reticulum is a cryptography-based networking stack that offers end-to-end connectivity and encryption, and a privacy-oriented base-layer protocol. It aims to allow anyone to operate their own sovereign communication networks, and to cover large areas with independent, interconnectable and autonomous networks without kill-switches and external control.

Reticulum is a completely decentralised networking stack, and it enables the construction of both small and large-scale networks, without any need for hierarchical or beaureucratic structures to control or manage them, while ensuring individuals and communities full sovereignty over their own network segments, addresses and applications. It allows creating truly decentralised applications and services, that can continue to operate even in adverse conditions, and with extremely limited bandwidth and resources.

>> Read more about Reticulum Network Stack

Rivista — Publish and consume news feeds via XMPP

Rivista Journal is an open-source, minimalist journaling platform which is designed for writers who want a simple and distraction-free writing experience.

It is built to support the XMPP protocol, allowing people to publish content which can be shared and discovered across different platforms, such as Blasta, Libervia, and Movim, over the decentralized network.

In addition to being cost-effective and having low maintenance overhead, Rivista Journal focuses on providing a clean interface that emphasizes writing and reading without the clutter often associated with more complex content management systems.

>> Read more about Rivista

Free and open source NPU Drivers — Libre drivers for Neural Processing Units

As of today, companies that sell components that include accelerators for machine learning workloads (NPU, TPU, DLA, etc) are generally engaged in vendor lock-in practices that interfere with the ability of their customers to freely choose their partners and adapt their software components to their own needs.

This project aims to incentivize providers of accelerating hardware to move to more fair practices by reverse engineering their hardware and writing open source implementations of the corresponding software stack, for interoperability purposes. These drivers become part of projects such as the Linux kernel and the Mesa project, and will become available to users via existing distributions such as Debian, Fedora and NixOS.

>> Read more about Free and open source NPU Drivers

Rosenpass Broker — Expanding the Rosenpass API's to enable easy integration in applications

Rosenpass is a post-quantum secure cryptographic protocol, an implementation of that protocol in the Rust programming language, and a governance organization stewarding development of both protocol and implementation. When used with WireGuard, Rosenpass functions as a ready-to-use virtual private network with full security against quantum attackers. This project extends the current basic API in order to allow Rosenpass to double as a programming interface for other programmers to integration this functionality into their external applications.

>> Read more about Rosenpass Broker

Rust crate auditing and source correspondence checks — Better supply chain security for Rust crates + packages in distributions

This project aims to harden the flow from upstream project sources (in version control), via published tarballs (on crates.io), to Linux distributions (RPM packages), by checking published sources for unexpected differences from version control, and other changes - including metadata changes - between released versions. An additional goal is for issues that are uncovered by this process - or during review for their inclusion in Linux distributions - to be made available to the broader Rust ecosystem.

>> Read more about Rust crate auditing and source correspondence checks

SCION Open Source Implementation — Performance improvements for SCION reference Implementation

SCION Open Source is an implementation of the SCION architecture that allows trusted, highly resilient, and path-aware routing infrastructure to be built by ISPs, CDN/cloud providers and enterprises. It supports inter-domain multipath routing by discovering paths between participating Autonomous Systems that can be combined into selectable cryptographically validated end-to-end paths. This provides higher assurances that packets will follow particular paths which can prevent route leaks and hijacks, and allow data to be geofenced thereby ensuring compliance with legislation such as GDPR and NIS2. SCION also supports fast multi-path discovery and fast failover as its path discovery process does not rely on BGP iterative convergence or forwarding table updates. Having a performant and robust open source implementation ensures there’s a viable alternative to commercial and closed source implementations which is pre-requisite for some large potential adopters.

>> Read more about SCION Open Source Implementation

SCION-enabled IPFS and libp2p — Enhancing IPFS Performance and Resilience through SCION's Path-Aware Networking

SCION is a clean-slate Next-Generation Internet (NGI) architecture which offers a.o. multi-path and path-awareness capabilities by design. Moreover, SCION was designed to provide route control, failure isolation, and explicit trust information for end-to-end communication. As a result, the SCION architecture provides strong resilience and security properties as an intrinsic consequence of its design. The goal in this project is to leverage the path-awareness in SCION to align the storage and lookup in IPFS with the underlying network in an optimal manner, while at the same time using SCION to establish trust between the entities.

>> Read more about SCION-enabled IPFS and libp2p

Toward a Fully-Verified SCION Router II — Align router code with formal verification tooling

SCION is a next-generation Internet architecture that addresses many of the security vulnerabilities of today’s Internet. Its clean-slate design provides, among other properties, route control, failure isolation, and multi-path communication. This project is concerns the implementation part of a larger effort that is verifying the core component of the SCION inter-domain routing architecture - the SCION router. SCION’s open-source router should not only be memory-safe but should implement the SCION protocols correctly in order to provide the intended security and correctness guarantees.

>> Read more about Toward a Fully-Verified SCION Router II

SMAesH-Mode — Side-channel protected hardware implementation of AES

The security of internet devices relies on cryptography for many features such as secure communications, secure boot or user authentication. In many cases, the underlying cryptographic building blocks are implemented in hardware for efficiency and/or security reasons. Further, many devices can be attacked through physical side-channel leakage such as power consumption or electromagnetic emanations (EM). Critically, these attacks do not strictly require direct physical access to the device, and attack based only on remote physical access have been demonstrated (e.g. EM a few meters way).

Nowadays, AES remains a fundamental block cipher in most security solutions. In this context, SMAesH is a open-source side-channel protected hardware implementation of the AES that could be used in secure micro-controllers for direct use in protocols that rely on AES, or as a building block for secure storage. However, a block cipher is rarely used alone, and is instead integrated in a mode of operation that provides confidentiality and/or integrity, which are currently not supported by the existing SMAesH IP.

This project mainly aims at extending SMAesH to include support for common modes of operation (GCM, CBC and CTR). Besides, our goal is to make SMAesH easy to integrate with open-source hardware designs by implementing a standard TileLink bus interface.

>> Read more about SMAesH-Mode

Security audit of Sailfish FOSS components — Analyse security of secrets, Sailfish ofono and Sailjail

Sailfish is a European mobile operating system developed by the Finnish company Jolla. This project will conduct independent security research into the Sailfish FOSS components, with a focus on its cryptography, 5G support and sandboxing of the SailfishOS operating system. The project will also compare Android and SailfishOS on their app permissions, encryption and isolation mechanisms. The researchers are not affiliated with the company behind the development of SailfishOS.

>> Read more about Security audit of Sailfish FOSS components

Scheme Testing Framework — Modernise testing for Scheme

This project addresses a critical gap in the Scheme ecosystem by delivering a comprehensive and extensible testing framework that will serve as foundational infrastructure for current and future development. The Scheme family of languages powers numerous important projects in reproducible builds, decentralized systems, and security-critical applications, yet lacks a modern, well-designed testing solution compatible with today's development practices. Our library bridges this gap, enables interactive testing workflows with immediate feedback for REPLs and IDEs while supporting automated CI/CD pipelines through standardized interfaces. By creating SRFI specification with an implementation-agnostic design, proper test isolation, and metadata-driven test runners, we will empower developers to build more reliable software across the entire Scheme ecosystem. This contribution in core development infrastructure will strengthen existing projects, lower barriers to entry for newcomers, and enable the next generation of Scheme applications.

>> Read more about Scheme Testing Framework

Secure Web Tokens for Linux — TPM 2.0 backed FIDO2/U2F tokens on Linux

This project aims to develop a systemd daemon that utilizes the TPM 2.0 security chip to provide FIDO2/U2F tokens for web browsers and operating system applications on Linux. Leveraging the ubiquitous presence of TPM2 in modern PCs, the daemon will enhance security and usability for Linux users. It will allow the integration of security chips as access tokens with web extensions, secure local passwords and HOTP/TOTP managers, and enable hardware-based lock screen authentication mechanisms.

The daemon will interface with the TPM2 chip to manage FIDO2 token generation. It includes support for the "uhid" kernel driver for button press emulation when no fingerprint reader is available for authentication. The project involves developing the daemon, ensuring seamless integration with systemd, and conducting extensive testing for functionality and security. Comprehensive documentation will be provided for setup and use, along with user guides for web extension integration. The outcome will be a robust, secure, and user-friendly solution for Linux users, elevating the baseline security and leveraging existing hardware capabilities to the fullest.

>> Read more about Secure Web Tokens for Linux

SelfHostBlocks — NixOS based server management for self-hosting

It is obvious by now that a deep dependency on proprietary service providers - "the cloud" - is a significant liability. One aspect often talked about is privacy which is inherently not guaranteed when using a proprietary service and is a valid concern. A more punishing issue is having your account closed or locked without prior warning. When that happens, you get an instantaneous sinking feeling in your stomach at the realization you lost access to your data, possibly without recourse.

Hosting services yourself is the obvious alternative to alleviate those concerns but it tends to require a lot of technical skills and time. SelfHostBlocks (together with its sibling project Skarabox) aims to lower the bar to self-hosting, and provides an opinionated server management system based on NixOS modules embedding best practices. Contrary to other server management projects, its main focus is ease of long term maintenance before ease of installation. To achieve this, it provides building blocks to setup services. Some are already provided out of the box, and customising or adding additional ones is done easily.

The building blocks fit nicely together thanks to contracts which SelfHostBlocks sets out to introduce into nixpkgs. This will increase modularity, code reuse and empower end users to assemble components that fit together to build their server.

>> Read more about SelfHostBlocks

Servo: Benchmarking and Statistics — Infrastructure for benchmarking and testing Servo

Servo is a web engine written in Rust that already provides results from the Web Platform Test Suite. However, these results may be difficult for newcomers to understand, as they lack a clear indication of the progress in supporting modern web standards. This creates challenges for the community in assessing the current state of development. When the community inquires about the support for specific features, these capabilities can often only be verified through manual testing. Moreover, finding information about Servo's performance can be equally challenging.

To address these issues, this project aims to develop an infrastructure to benchmark and report on the current state of Servo, monitor performance differences between commits, and present these metrics and supported features in a more comprehensible way. This will give the community a clearer understanding of the state of the Servo project, leading to a more active and engaged contribution environment.

>> Read more about Servo: Benchmarking and Statistics

Multiprocess Mode in Servo — Speed up Servo with parallelisation

While Servo already has multi-process mode, it’s not enabled by default. The main reason is that it isn’t completely supported on every platform yet. Only Linux and macOS have full support. It also isn't tested in the WPT suite. In this project, we want to complete the feature set of multi-process mode in Servo, set it to default, and encourage other projects based on Servo (like the Verso browser) to use it, as they could massively benefit from this multi-process architecture.

>> Read more about Multiprocess Mode in Servo

Servo Script Improvement — Refactoring Servo’s script crate

The Servo web browser engine is back to its pace of development, but many improvements are still needed in Servo's script crate, which needs to adequately implement every Web API. Several DOM structures have become slightly outdated because of the lack of maintenance. Some basic script types are missing, and patches from Spidermonkey still need work. Within the scope of this project we will address the most needed fixes and improvements for the script crate.

>> Read more about Servo Script Improvement

Slint port for Android — Port the Rust-based Slint UI toolkit to Android

Slint is a next generation declarative GUI toolkit that supports multiple programming languages such as Rust, C++, and JavaScript. Implemented in Rust, a language known for its memory safety and performance, Slint can run on platforms such as Windows, Linux, Mac, QNX, and microcontrollers. The popularity of Android as a mobile phone operating system has influenced the standardisation of drivers on embedded systems to the extent that its possible to easily procure off-of-the-shelf embedded hardware that can run Android. Slint will be the first native (non-web based technology) Rust based toolkit for creating applications on Android and will allow designers and developers an alternative open source option to build the user interface for their applications.

>> Read more about Slint port for Android

Slint on iOS — iOS support for typed declarative UI toolkit

Slint is a next generation declarative GUI toolkit that supports multiple programming languages such as Rust, C++, Python and JavaScript. Implemented in Rust, a language known for its memory safety and performance, Slint can run on platforms such as Windows, Linux, Mac, Android, QNX, and microcontrollers.

This project will add iOS as a fully supported platform to enable developers create their cross-platform applications with Slint. Slint will be the first native (non-web based technology) Rust based toolkit for creating applications on iOS, allowing designers and developers an alternative open source option to build the user interface for their applications.

>> Read more about Slint on iOS

Slixfeed — News feed delivery through standard-based instant messaging

Slixfeed is a vigorous syndicated news aggregator which runs as a chat client and also as an HTTP server. It can concurrently manage and serve multiple contacts (news sources), schedule update interval, customize the amount of items per update, and filter items by keywords; in addition, it can also create new pages from syndicated news sources in a chronological order, either from HTML over HTTP or PubSub over XMPP.

Slixfeed has a special niche for XMPP as it utilizes Ad-Hoc Commands and Data Forms which, intertwined, form a visual and interactive interface which allows to seamlessly manage your sources, as if your chat client was a news reader.

>> Read more about Slixfeed

SoCLinux — Easier driver development for Py2HWSW framework

SoCLinux is an open-source project that aims to configure and generate a Linux system for RISC-V processors, focusing on creating a robust and maintainable environment for designing and testing IP cores. The project builds upon the existing open-source Py2HWSW framework powering the IOb-SoC platform, enhancing the functionality and portability of IP cores, by using as examples the key IOb-Cache, IOb-Eth, and IOb-UART16550 open-source cores. By providing a Linux IP core testbed, SoCLinux enables developers to build and test Linux drivers for new IP cores quickly, accelerating the production of high-quality IP cores, open-source or otherwise. The project aims to establish a widely adopted and maintainable ecosystem for IP core development, benefiting the broader community of IP core providers and users. SoCLinux will leverage the IP-XACT standard (IEEE 1685) for IP core packaging, and seamlessly exchange IP cores with FuseSoC, a well-known open-source IP core package manager.

>> Read more about SoCLinux

SocksTrace — Ptrace based proxy leak detector

Proxy leaks are a class of software vulnerability in which network traffic intended for a proxy (e.g. Tor) is instead sent without a proxy, risking the deanonymization of the user. Auditing software for proxy leaks is presently nontrivial, e.g. tools like tcpdump and Corridor generally require invasive privileges, cannot audit for stream isolation leaks, and provide limited diagnostic capabilities. SocksTrace is a proxy leak detection tool, suitable for CI testing or manual QA testing, that utilizes the ptrace feature of Linux to detect socket syscalls that would bypass a proxy. If a proxy leak is detected, SocksTrace can respond by (among other things) denying the syscall, redirecting the connection to a proxy, or logging a stack trace. SocksTrace is written in Go, making it memory-safe and securely bootstrappable.

>> Read more about SocksTrace

Solid NC 2024 — Add more Solid capabilities to Nextcloud

The Solid Nextcloud project implemented a server component with the Solid specification for Nextcloud, which makes ones Nextcloud server a Solid server as well. This allows user to user their existing server for identity and storage within the Solid eco-system.

To enhance security and to enable easier cooperation and release of new versions we need to improve a number of things. The CI/CD of the project will be improved. Based on an earlier audit, we will implement a number of security enhancing features and we will release a PHP Solid Server next to the Solid Nextcloud module. These servers share a lot of code, which makes maintenance easier. The advantage is that PHP has a security maintenance cycle of three years, making it easier for users to stay secure when using a Solid server.

>> Read more about Solid NC 2024

Solid Application Interoperability — Easy to deploy authorization for Solid Applications

Solid Application Interoperability specification details how Agents in the Solid ecosystem can read, write, and manage data stored in a Solid pod using disparate Applications, individually or in collaboration with other Agents. Solid is a specification that lets people store their data securely in decentralized data stores called Pods. Pods are like secure personal web servers for data. When data is stored in someone's Pod, they control which people and applications can access it. Solid Application Interoperability provides a clear way to create intuitive data boundaries and higher-level patterns to manage access to that data following the principle of least privilege.

This project focuses on finalizing the enforcement of user-defined access policies and improving related user experience (UX), development experience (DX), and deployability.

Solid Project was founded by Tim Berners-Lee and is currently stewarded by the Open Data Institute (ODI). Incubation of technical reports happens in the W3C Solid Community Group. Some drafts have already been provided as inputs to the W3C Linked Web Storage Working Group which is chartered to publish final specifications.

>> Read more about Solid Application Interoperability

Spade — Standalone Hardware Description Language

Spade is a hardware description language that draws inspiration from modern software languages to make hardware development more productive, more fun, and less error-prone. A big part of what makes this possible is the type system which helps prevent bugs and makes the code more maintainable.

A common source of errors in hardware designs is clock domain crossing: signals should never cross domains accidentally, and when they do cross, it must be done correctly. Failures to correctly cross domains leads to intermittent problems that can take significant effort to find and fix. By making the language and compiler aware of clock domains through the type system, we will be able to detect and warn programmers about accidental clock domain crossings at compile time. We will to do this in an ergonomic way, where the user only has to specify clock domains on module inputs and outputs with the compiler being able to infer the rest. In addition, the default case of a module that only spans a single domain should not require any explicit domain information form the user to avoid unnecessary verbosity.

>> Read more about Spade

Spritely Oaken — Secure 3rd party extensibility with capability-based Scheme

The project summary for this project is not yet available. Please come back soon!

>> Read more about Spritely Oaken

Stalwart Collaboration Server — Integrated solution for email, calendaring and file management

Stalwart Mail Server was created to address the challenges of email self-hosting by offering a modern, secure, and easy-to-maintain solution. With support for JMAP, IMAP4, POP3, and SMTP, it provides individuals and businesses with a powerful, privacy-focused alternative to third-party email providers. Now Stalwart is expanding beyond email with the introduction of Stalwart Collaboration Server, a new component that will complement Stalwart Mail Server and transform the platform into a complete, self-hosted collaboration suite. Stalwart Collaboration Server will provide built-in support for calendars using CalDAV and JMAP for Calendars, contacts management through CardDAV and JMAP for Contacts, and file storage and sharing via WebDAV and JMAP for File Management.

By combining email, calendaring, contact management, and file storage in one open-source solution, Stalwart will offer a powerful alternative to proprietary platforms like Microsoft Exchange. Organizations will be able to self-host their entire collaboration stack while maintaining full control over their data, ensuring privacy, security, and scalability. Stalwart Collaboration Server will extend the project’s mission to modernize, democratize, and decentralize essential communication and collaboration tools. With this expansion, businesses and individuals will no longer need to rely on closed-source, vendor-locked solutions. Instead, they will have access to a fully integrated, scalable, and privacy-focused platform that empowers them to communicate and collaborate on their own terms.

>> Read more about Stalwart Collaboration Server

Transitioning SMM Ownership to Linuxboot — More robust defense Against Firmware Vulnerabilities

In an era marked by escalating cybersecurity threats, firmware security is one of biggest blind spots. One pervasive weakness lies in an architectural design called System Management Mode (SMM). Sometimes referred to as “Ring -2”, SMM is used by device manufacturers to interact with hardware like NVRAM, emulate hardware functionality, handle hardware interrupts or errata, and perform other functions.

The unrestricted, non-standardized control inherent to SMM implies significant security vulnerabilities. There is no shortage of Day-0 and Day-1 Firmware vulnerabilities related to SMM. Current industry practices open a wide door for cyber attacks, and the attacker can even bypass the secured OS kernel with the SMM loopholes.

This proposal introduces a novel SMM architectural design, by transitioning SMM ownership from core firmware (e.g. coreboot) to payload - in this case Linuxboot. This will leverage the robust, open-source nature of Linux’s SMM drivers, as its drivers that has been proven working very well over decades, and its open source nature made it easier for security reviews. This initiative aims to develop and universalize a secure architectural design in collaboration with chip vendors, and thus elevating the resilience and integrity of our digital ecosystem.

>> Read more about Transitioning SMM Ownership to Linuxboot

Standards Grammar Catalog/Toolchain — Open Standards Grammar Catalog/Toolchain

The Open Standards Grammar Catalog/Toolchain makes it easier to implement a format or protocol by translating its machine-readable definition, usually in a language such as ABNF, into forms readily compatible with popular programming languages, like regular expressions, YACC, ANTLR, and native code. By providing a toolchain for making these translations, assembling a catalog of commonly used formats & protocols, and publishing a developer-friendly website for browsing the grammars and generating translations, these tools will reduce the need to manually write a parser, ultimately reducing errors due to hand-written code, and enhancing interoperability.

>> Read more about Standards Grammar Catalog/Toolchain

Stencila v2 for ERA and EPP — Add editable, runnable code to scientific publications

Stencila offers a platform for collaborating on, and publishing, dynamic, data-driven content with the aim of lowering the barriers for creating data-driven documents and making it easier to create beautiful, interactive, and semantically rich, articles, web pages and applications from them. The latest version, a rewrite in Rust, is aimed at leveraging two relatively recent and impactful innovations: conflict-free replicated data types (CRDTs), for de-centralized collaboration and version control, and large language models (LLMs) for assisting in writing and editing prose and code. These technologies used together provide an advance in scholarly communication of research findings by powering the Enhanced Preprint Platform and Executable Research Articles at publishing venues such as eLife and GigaScience.

>> Read more about Stencila v2 for ERA and EPP

Structured Email for Roundcube — Add schema.org metadata awareness to open source email

Email is probably the only open and widespread technology bridging our private information space (Mobile, Desktop) and the public Internet. It can in fact be considered our "personal API". Structured Email for Roundcube develops a plugin for the popular Roundcube Webmail software, which extracts Schema.org data embedded in email messages. Based on that, it allows for new ways of presenting emails and interacting with them.

>> Read more about Structured Email for Roundcube

Surfer Waveform Viewer — Analyse signal levels in simulated circuits

Surfer is an open source waveform viewer, primarily aimed at debugging digital designs. It is built for flexibility, extensibility, and speed to operate on most platforms. Although fully operational for many tasks, there are features to be added to improve the usability further. This project aims to implement the most requested missing features and pave a way for additional extensibility.

>> Read more about Surfer Waveform Viewer

Client Proof-of-Work in TLS — Mitigation against DoS amplification on the TLS handshake

The computationally expensive nature of asymmetric crypto in TLS makes it vulnerable to denial-of-service attacks. We propose an extension to TLS that mitigates this attack vector, shifting the advantage from the attacker to the defender. The project will deliver a draft spec, mergeable patches for leading TLS libraries, and a measurement report explaining the results.

>> Read more about Client Proof-of-Work in TLS

TSCH-rs — Time Slotted Channel Hopping implement in Rust

Time Slotted Channel Hopping (TSCH) is a Medium Access Control (MAC) layer protocol described in IEEE 802.15.4e designed for low-power and lossy networks. Devices are allocated time slots in which they can transmit and/or receive frames. The rest of the time the radio is turned off, reducing energy consumption. Consecutive transmissions are done on different frequencies to tackle interference. Implementations of TSCH can be found in Contiki-NG and OpenWSN, both written in C.

TSCH-rs is a TSCH implementation written in Rust, providing ease-of-maintanance, security and reliability. Furthermore, the implementation aims to be hardware-agnostic, making it easy to port to different IEEE 802.15.4 based radios. The Rust network stack for IEEE 802.15.4 radios already contains an implementation for 6LoWPAN and RPL. TSCH-rs will be a valuable addition to the Rust based low-power IEEE 802.15.4 network stack.

>> Read more about TSCH-rs

Tau — Remote sharing of terminal sessions

A common problem among people working on a command-line interface is to share their terminal session with one or many other people via the internet, ideally along with an audio stream, without viewers having to install any specific software. This project creates a solution that enables anyone with a web browser to receive such a broadcast.

Unlike generic screensharing alternatives, a broadcast created by .tau will not be a stream of compressed video but rather a stream of ASCII characters with preserved timing as well as the broadcaster's terminal look & feel, and giving the ability to easily copy text. The broadcaster will have a nice and easy experience installing a piece of software which accomplishes this.

Upon completing a broadcast, a single resultant file is available for later viewing on the internet and or private distribution. Simple, portable and robust.

>> Read more about Tau

Threadiverse Reproducible Deployment — Reproducible deployment for Threadiverse servers

Fediverse is more than short form microblogging. The ActivityPub protocol connects all kinds of software for various communication needs. Some of those are concentrated on long blogs and threaded discussion forums. A common understanding of conversations in ActivityPub and their secure and safe-from-spam implementation is being developed in several fediverse projects. This project focuses on stable and documented automated deployment for two of them - Hubzilla and Streams, including interoperability tests. This will support threadiverse standardization efforts, and help to bring features like group photoalbums and full channel portability between instances.

>> Read more about Threadiverse Reproducible Deployment

Titanic — Database server to synchronize vast collections of CRDT documents

Yjs is a Conflict-free Replicated Data Type (CRDT) which enables developers to build collaborative applications, just like Google Docs and Figma. Most CRDT implementations work just like any other data type, but they automatically sync with other peers without conflicts. Today, Yjs is among the most used technologies for building collaborative applications.

The developers observed the development of competing CRDTs, and recognize the need for more specialized CRDTs for specific use-cases. Syncing many CRDT instances with different permissions is still an unsolved problem. Syncing documents individually quickly becomes infeasible with an increasing number of documents in a local-first app.

This project will therefore develop Titanic, an isomorphic database (works in the browser, Node.js, Deno, Bun, ..) that can host different CRDT implementations. It will sync many CRDT instances efficiently in a network-agnostic manner. While it will support custom authentication approaches, Titanic will ship with a role-based document-level permission system that prevents unauthorized users from reading or writing documents.

>> Read more about Titanic

TrenchBoot as Anti Evil Maid - UEFI boot mode support — Add UEFI to the Qubes integration of Trenchboot with AEM

Qubes OS is a free and open source operating system uniquely designed to protect the security and privacy of the user. Its architecture is built to enable the user to define different security environments ("qubes") on their computer and visually manage their interaction with each other and the world. TrenchBoot provides a secure environment for operating system launch and integrity measurements, ensuring greater protection.

The main objective of the TrenchBoot as Anti Evil Maid project is to enhance the security of Qubes OS by integrating the TrenchBoot Project with the Anti Evil Maid (AEM) implementation. Through comprehensive hardware testing, the successful execution of this initiative will promote the adoption of DRT technology in open-source and security-oriented operating systems, ensuring enhanced security for Qubes OS. This project will prioritize stability, testing, and ensuring the reproducibility of results for broader community adoption.

>> Read more about TrenchBoot as Anti Evil Maid - UEFI boot mode support

Tusky — Android client for ActivityPub

Tusky is an Andoid client for the popular social media server Mastodon. It also unofficially supports other platforms levering the same standard (W3C ActivityPub), such as Pleroma, Pixelfed and GotoSocial. This project will add official support of GotoSocial to Tusky, as well as update the codebase and improve accessibility.

>> Read more about Tusky

Tvix-{Store/Build} — Improve store and builder component of Tvix

Tvix is a modern design and implementation of the Nix package manager (GPLv3). It brings a modular architecture in which components such as the build environment or package store are replaceable, which enables new use-cases and platforms. A graph-reduction evaluation model will make it possible to use Nix for package definitions and entire system configurations, its proven and tested use case, as well as for granular build definitions for individual components of software. Tvix will be fully compatible with nixpkgs, the existing package definition set for Nix, letting its users leverage more than a decade of community contributions and making it useful right out-of-the-box. This particular project focuses on the Store and Builder components of Tvix, upgrading the store protocol, improving the Builder API as well as providing more interop with Nix.

>> Read more about Tvix-{Store/Build}

HTML export for Typst — Markup based typesetting for multichannel publishing

Typst is a markup-based typesetting system that is designed to be as powerful as LaTeX while being much easier to learn and use. Currently, Typst outputs documents only as PDF, yet there is strong demand for generating HTML. We want to extend Typst such that it can create high-quality HTML and PDF versions from the same document, which is currently not possible with comparable programs. As a result, Typst could be used in a variety of new scenarios, such as the generation of websites and e-books. Furthermore, this will improve the accessibility of the output documents.

>> Read more about HTML export for Typst

UnifiedPush — Decentralized and open-source push notification protocol

Push notifications are essential to the modern mobile experience, as they enable applications to communicate with users in real time, even when not in active use. Major mobile operating systems provide a centralized service that they control, but depending on a centralized push notification system controlled by one company raises issues of privacy and independence. UnifiedPush is a decentralized and open-source push notification protocol. It is a set of specifications and libraries that allow the user to choose how push notifications are delivered. It is compatible with WebPush, the standard for web applications.

>> Read more about UnifiedPush

UnifiedPush — Decentralized push notification protocol with libre implementations

Push notifications are essential to the modern mobile experience, as they enable applications to communicate with users in real time, even when not in active use. Major mobile operating systems provide a centralized service that they control, but depending on a centralized push notification system controlled by one company raises issues of privacy and independence. UnifiedPush is a decentralized push notification system that lets the users choose the service they want to use. It’s designed to be privacy-friendly, flexible, and open. It is compatible with WebPush, the standard for web applications.

>> Read more about UnifiedPush

Toward a Fully-Verified SCION Router — Formal verification of the reference open source SCION Router

SCION is a next-generation Internet architecture that addresses many of the security vulnerabilities of today’s Internet. Its clean-slate design provides, among other properties, route control, failure isolation, and multi-path communication. This project will demonstrate the feasibility of verifying the core component of the SCION inter-domain routing architecture - the SCION router. Prior work has proved that the SCION data plane protocols are secure. The focus of this project is on verifying that SCION’s open-source router is memory-safe and implements those protocols correctly and, thus, provides the intended security and correctness guarantees.

>> Read more about Toward a Fully-Verified SCION Router

VersatAI — Automation of ML/AI algorithm support in computational accellerators

Versat is a Coarse-Grained Reconfigurable Array (CGRA) compiler and programming framework to accelerate AI and ML workloads on open-source RISC-V-based systems. The VersatAI project will enhance Versat to automate AI/ML accelerator generation by translating standard representations of these algorithms such as ONNX into optimized RISC-V programs accelerated by a CGRA. Leveraging prior work in cryptographic acceleration and SoC integration, the project will focus on key AI/ML tasks like convolutional neural networks and transformers. The development will be fully open-source, ensuring compatibility with industry-standard AI frameworks and improving CGRA accessibility for AI applications.

>> Read more about VersatAI

Verso Views — A Functional Browser Based on Servo

Verso is a web browser based on Servo web engine. While Servo hasn’t been treated as a fully functioning browser, it is possible to build one based on it already. We plan to expand this into a formal and stable application release, eventually implementing the features, making it not just a general browser application but also a webview library for embedding purposes.

There are some missing features we still need to push into Servo. And there are also other works that require time and resources to make a barebone web engine into a stable application. We hope to take this project as a chance to finally make an individual repository using Servo as a dependency. In this way, Servo can focus on issues and features of the web engine itself. In the meantime, other chores related to the application itself can be off-loaded to other repositories and organizations.

>> Read more about Verso Views

Webview library with Verso for Tauri — Refactor parts of Verso into a WebView library

We aim to publish the Verso browser as a library in addition to the current application approach. This way other projects could use it as a dependency in their software, and render their content with it. The distribution of a shared library is a challenging set of problems (including, but not limited to bundle format, code signing, dependency linking, etc.) that we intend to solve. We also aim to find the best possible solutions to help developers use this library with ease. One of these approaches will be to integrate with Tauri as a webview backend.

>> Read more about Webview library with Verso for Tauri

VexiiRiscv — Next generation of the VexRiscv in-order FPGA softcore

VexiiRiscv (Vex2Risc5) is a hardware project which aim at providing an free/open-source RISC-V in-order CPU which could scale from a simple microcontroller up to a multi-issue/debian capable cluster. While the project already surpasses VexRiscv in multiple domains (performances, 64 bits, debian), it still needs work and testing to reach feature parity (tightly coupled RAM, JTAG debug, optimization, ...), aswell to extend its scope (lightweight FPU, vector unit, ...). This grant would aim at filling those gaps aswell as improving its documentation.

>> Read more about VexiiRiscv

OpenIMSd — 4G/VoiceOverLTE support for open source mobile OSes

The OpenIMSd project aims to bring VoLTE (4G voice calls) to Qualcomm based phones (like the PinePhone) running Free Software Mobile Operating Systems including postmarketOS, Mobian, … We will create a daemon which runs in parallel to the Modem Manager, which configures the baseband via QMI and brings up all the required services to be able to place VoLTE calls.

>> Read more about OpenIMSd

Vouivre — A dependent type system for machine learning in Lisp

Current machine learning frameworks are built around relatively weak type systems. This is a problem because, at scale, machine learning applications are exceedingly intricate and computationally expensive, therefore making costly runtime errors unavoidable. This is where Vouivre comes into play. Using a dependent-type system, the project aims at enabling users to write machine-learning applications that solve real-world problems with compile-time validation of their correctness, thus preventing runtime errors at a reasonable computational cost.

>> Read more about Vouivre

Enhance the vulnerability database — Enhance the VulnerableCode vulnerability database

Using Components with Known Vulnerabilities" is one of the OWASP Top 10 Most Critical Web Application Security Risks. Identifying such vulnerable components is currently hindered by data structure and tools that are (1) designed primarily for commercial/proprietary software components and (2) too dependent on the National Vulnerability Database (funded by the US CISA and Dept. of Commerce). With the explosion of Free and Open Source Software (FOSS) usage, we need a new approach in order to efficiently identify security vulnerabilities in FOSS components that are the basis of every modern software system and applications. And that approach should be based on open data and FOSS tools.

This project delivers unique FOSS tools to aggregate software component vulnerability data from multiple sources, privileging upstream data directly from project maintainers. VulnerableCode organizes that data with a de-facto industry standard Package URL identifier (Package URL or PURL) enabling efficient and straightforward automation for the search for FOSS component security vulnerabilities. The benefits are to contribute to the improved security of software applications with open tools and data available freely to everyone and to lessen the dependence on a single foreign governmental data source, or a few foreign commercial data providers.

In the new context of the upcoming Cyber Resilience Act (CRA), the access to an open, free and curated FOSS package vulnerability data source is now an imperative. And the organization of vulnerability data by Package URL or PURL identifiers in VulnerableCode enables easy frictionless integration with Software Composition Analysis (SCA) code analysis tool chains, direct enrichment of SBOMs (Software Bill of Materials) to find if SBOM-listed packages have known vulnerabilities, and creation of VEX (Vulnerability Exploitability Exchange) document to communicate the impact of known vulnerabilities

>> Read more about Enhance the vulnerability database

WPE Android — Embedded-friendly Webview based on WebKit

WPE (Web Platform for Embedded) is a WebKit port for Linux-based embedded devices with a focus on flexibility, security and performance on lower-powered devices. Albeit less known than Chromium, Firefox or Safari, WPE is currently deployed in millions of embedded devices (e.g. set-top-boxes, smart home devices, kitchen appliances, infotainment, etc), but it hasn't yet reached those based on the Android Operating System, which has become an important actor for certain types of devices, such as phones, tablets, set-top-boxes and even IoT devices.

In such environments, the only option currently available to leverage the power of the Web Platform is to use Android's WebView, which is based on Chromium and therefore problematic in cases where using that is not an option. By bringing WPE to Android in the form of an Android WebView-compatible component, we aim not just to make WPE available in more platforms but also to expand the options Android developers currently have so that they can choose between a Chromium-based WebView and a WebKit-based WebView for their applications. This would be great to cover Web rendering needs in general on Android, and particularly beneficial for multimedia-intensive use cases (e.g. set-top-boxes, digital signage...), as well as for other less conventional use cases such as QA & testing (e.g. testing WebKit-based browsers on Android based systems).

Last but not least, as a side effect of widening the reach of WPE to Android-based devices, we believe that we would also be bringing more balance and diversity to the Web, by making sure that developers have a realistic alternative to the Chromium-based Web rendering engine they can use to develop their products.

>> Read more about WPE Android

WPT automatic testing for platform accessibility mappings — Improve testing of platform a10y support in Web Platform Tests

In order to support assistive technology (AT), web browsers must provide information about web pages' contents via OS-specific accessibility APIs. The Accessible Rich Internet Applications (ARIA) suite of standards includes specifications concerning how browsers should translate the web page contents into each supported API. To date, these Accessibility API Mapping (AAM) specifications have not been tested in a standard way across browsers. This project will help extend the primary test suite for web standards (https://web-platform-tests.org/) to allow for testing of accessibility APIs. The project also includes writing tests for the Linux accessibility API mappings. With these addition to the test suite, we will be able to find interop bugs between browsers and web developers will be able to understand the status of browser support for accessibility features they want to use on the Linux platform.

>> Read more about WPT automatic testing for platform accessibility mappings

Wax — Add ODF, legacy office and PDF capabilities to Wax

Wax (formerly known as CokoDocs) is an open-source, web-based Word Processor that is collaborative by design. In this project we're actively extending CokoDocs' use cases to include paging support (through PagedJS), OpenDocument Format import/export as well as support for some legacy file formats. In addition we will add backend system configuration, asset management, text chat and more. CokoDocs aiming to become a best in breed, highly customizable, and innovative word processor with strong privacy and security properties and elegant accessible design.

>> Read more about Wax

Integration of Waydroid on mobile GNU/Linux — Run Android apps in Linux containers on mobile devices

Waydroid lets the user run Android within a container on a regular GNU/Linux system, bringing access to countless existing Android applications. This particular project aims to research and implement tighter integration between the Waydroid container and its host system in terms of hardware access (sensors, location, telephony, cameras) and desktop environment (notifications, media controls), while keeping the user in control of what and when is shared with the Android container.

>> Read more about Integration of Waydroid on mobile GNU/Linux

Wayland input method support — Better specification for Wayland input methods

As Linux distributions switch to Wayland, some functionality is still incomplete. One of them is being able to input non-Latin scripts. It is a necessity for a large portion of the world, yet it's not standardized across Wayland environments. The same text input functionality is needed for typing on mobile Linux, which, considering how many people use smartphones rather than laptops, might be even more important for Linux adoption. This project wants to bridge that gap, by continuing the effort of standardizing input-method protocols started for Phosh in Squeekboard, gtk, and wlroots.

>> Read more about Wayland input method support

WeasyPrint — Print rendering engine for HTML and CSS

WeasyPrint helps web developers create high quality print documents. It turns simple HTML pages into gorgeous statistical reports, invoices, tickets… From a technical point of view, WeasyPrint is a visual rendering engine for HTML and CSS that can export to PDF - independent from rendering engine like WebKit or Gecko. It aims to support web standards for printing. WeasyPrint is free software made available under a BSD license. The CSS layout engine is written in Python, designed for pagination, and meant to be easy to hack on.

>> Read more about WeasyPrint

Webxdc evolve — Comparative analysis of HTML5 app containers

Webxdc.org is an evolving standard which defines a format for portable HTML5 applications and an API for local-first, peer-to-peer, end-to-end encrypted applications. For this project we will perform a comprehensive survey of historical and contemporary efforts with similar goals, including those by W3C working groups, independent open-source developers, and noteworthy proprietary platforms. We'll produce reference documents providing developers with a comprehensive overview of the space, summarizing their options for packaging portable HTML5 applications for different platforms, and highlighting affinities between closely aligned projects. As a follow-up, we'll propose additions to the webxdc API based on patterns observed in other projects, aiming to reduce the complexity of common designs and facilitate portability between or interoperability with existing platform implementations.

>> Read more about Webxdc evolve

WgMath — Open GPU scientific computing for every platform

Today’s GPU scientific computing ecosystem is still strongly dominated by CUDA, a closed, proprietary technology tied to a specific hardware vendor. The WgMath project aims to empower the scientific computing community, including the web community, with a collection of foundational GPU mathematical libraries that are fully cross-platform (hence not tied to a specific hardware vendor) by leveraging the open WebGPU standard, as well as WebAssembly for browser support. WgMath will provide mathematical compute shaders for linear algebra, geometry, and rigid-body physics simulation; as well as some utilities for easily combining WGSL shaders through Rust libraries and its popular Cargo dependencies management tool. With the creation of these foundational libraries, we aim to promote the development of a scientific computing community building highly performant, reusable, cross-platform, scientific computing projects, while relying on open standards, and preserving freedom of GPU hardware selection.

>> Read more about WgMath

Whippet — A new local maximum in safe, managed memory

Whippet is a new automatic memory manager (garbage collector) which is designed to be incorporated into the Guile Scheme programming language implementation. Switching to Whippet should improve the speed and scalability of Guix and other Guile-based software while also lowering total system memory usage. This project aims to push Whippet over the finish line, filling in missing functionality and doing the last-mile work to incorporate Whippet into Guile. The anticipated results should also give confidence to other language run-times looking for a state-of-the-art, embeddable, minimal, no-dependency garbage collector.

>> Read more about Whippet

Willow Sync — General Sync Protocol for Willow written in Rust

Willow is a protocol for syncable data stores, forming resilient data networks which can endure indefinite connectivity outages. This protocol brings qualitative advances to data deletion in distributed networks, supports completely decentralised fine-grained permission schemes, and has been designed to use memory, bandwidth (and consequently energy) efficiently. In this project, the Willow protocol will be implemented using the Rust programming language. This new implementation will be able to take advantage of Rust’s efficiency and safety guarantees, and make the protocol accessible to embedded devices, as well as provide a more efficient solution for smartphones, computers, and servers alike.

>> Read more about Willow Sync

Wobble Web — Hybrid graphics editor and coding environment

WobbleWeb is a hybrid graphics editor and coding environment for making and sharing small-scale websites. It provides a gentle and playful introduction to coding in javascript and html, where dragging something on the page changes the code, and editing the code changes what is on the screen. The project is built upon a set of open-source web components that can be used with the editor as well as independently. The web components serve as a direct wrapper to html, adding gesture-based and direct in-browser editing capabilities to existing HTML and Web APIs. The extensible custom elements allow the open-source community to build more advanced features, such as incorporating canvas elements, WebGL, or integration with backend APIs. WobbleWeb differs from existing graphical webpage builders, with its emphasis on writing javascript for beginners, as well as its modular and extensible ecosystem.

>> Read more about Wobble Web

MLS for XMPP — Add Message Layer Security to XMPP

XMPP (Extensible Messaging and Presence Protocol) is an IETF- standardized (RFC 6120/6121) communication protocol designed for instant messaging and other near-real-time exchange of structured data between two or more network entities. MLS (Messaging Layer Security) is an emerging, IETF-standardized (RFC 9420) protocol for end-to-end encryption of messages and a central part of the IETF MIMI (More Instant Messaging Interoperability) effort to allow communication across messaging apps, for example in the context of the EU Digital Markets Act.

This project adds support for MLS encrypted messaging to XMPP group chats. This includes creating a prototype implementation, standardizing an XMPP Extension Protocol (XEP) and introducing support in two existing XMPP clients.

>> Read more about MLS for XMPP

XMPP Interoperability + Conformance Testing — Development of an XMPP Test Suite

XMPP is the Extensible Messaging and Presence Protocol. XMPP offers an open, extensible, standardised and mature set of open technologies designed for decentralised communication. With its flexible design and rich history, its utilisation is widespread.

To advance interoperability in its diverse ecosystem of developers and implementations of server software, this project will create an implementation-agnostic test suite for XMPP servers, testing for conformance with the XMPP protocol standards.

The suite will be designed to be integrated with various third-party CI components to minimise the complexity of including the suite in development processes of the various and varied parties that are developing XMPP server implementations.

>> Read more about XMPP Interoperability + Conformance Testing

YAWS - Yet Another Web Server — Sans IO web server written in Rust

HTTP protocols are everywhere, from embedded devices to big data centers. YAWS (Yet Another Web Server) is a harmonized, environment-neutral, open source HTTP server — or, rather, a web server capability that can be used to create web servers. It can be used with modern WebAssembly, io_uring, microkernel, RISC-V or embedded runtimes; even without POSIX, standard library or operating system support. YAWS democratizes HTTP by allowing everyone to integrate a modern HTTP interface safely and securely into where ever and whatever they build.

>> Read more about YAWS - Yet Another Web Server

Zero-allocation web servers in roc — Web server framework with constant memory usage

Memory consumption in web servers is hard to predict and control. Our zero-allocation web server guarantees constant memory usage and per-request memory caps. These guarantees and capabilities make web infrastructure more reliable, because it is actually possible to calculate how much server capacity is required for a certain amount of traffic.

The vast majority of webservers are written in a language with automatic memory management. They cannot provide the guarantees that our webserver can, and often have other downsides like poor general performance and GC pauses.

The core of our webserver is written in rust, and while it works in a rust-only context, is meant to be used in combination with the roc programming language, a fast, friendly, functional language with automatic memory management, but without GC pauses. Users will be able to write web applications using roc, without having to consider how memory is allocated. At the same time, we manage the memory as efficiently as possible under the hood.

>> Read more about Zero-allocation web servers in roc

ZeroPhone Next — Hackable open hardware mobile phone

This project is building a hacker-friendly personal device platform, providing people with an assortment of building blocks that can be reused in building devices of their own. It sets out to deliver a featureful device for day-to-day use, with cellular and wireless connectivity, and bringing a powerful user interface that can easily be used in others' projects.

The platform's design prioritizes self-assembly capabilities, respect for the user's privacy, extensive documentation that makes the platform's building blocks all that more accessible, and forming a community aimed at helping other hackers build their own devices. The platform's inherent modularity also provides a testbench for designing open-source replacements for commonly closed-source parts of the DIY portable device ecosystem, as well as development of open firmware for currently-closed-source components.

>> Read more about ZeroPhone Next

Zilch — Tools for efficient granular builds and introspection

Zilch is an experimental test bed for alternative approaches to building programs, services, and full Linux distributions. Being built on top of Nix, it is entirely compatible with NixOS. The goal of this project is to research and develop a set of tools that allow a developer to write programs and patch existing upstream projects, while keeping the reproducibility and sandboxing afforded to them by Nix.

>> Read more about Zilch

Zip linting and bzip2 in Rust — More secure handling of popular archive formats

Zip is a widely used format for distributing files. It is a rather permissive file format, opening the door to various attacks such as zip bombs. The `bzip2` compression format is still used in many legacy settings. Consequently, it is part of the supply chain of many projects. To mitigate these risks, this project will deliver a) a zip linter checking for suspicious file contents in zip files and b) a memory-safe implementation of bzip2 through drop-in replacements of the libraries and a safe Rust `bzip2` binary.

>> Read more about Zip linting and bzip2 in Rust

badkeys — Detect compromised cryptographic public keys

Public key cryptography is an important building block of Internet security through protocols like TLS or SSH. Key generation vulnerabilities in cryptographic implementations can compromise the security of these mechanisms. The tool badkeys allows identifying public keys affected by known vulnerabilities. The project will implement improvements to badkeys' coverage of known-compromised keys and regular monitoring of public keys in TLS certificates, DNSSEC, and DKIM for known vulnerabilities.

>> Read more about badkeys

bluetuith — Bluetooth connection/device manager for the terminal

bluetuith is a lightweight Text User Interface (TUI) based Bluetooth manager for the terminal, which allows users to manage a multitude of different Bluetooth based functions, like pairing, connection, file transfers, handling audio playback and networking and so on seamlessly via an easy-to-use interface. The project aims to extend support to as many other platforms as possible, to achieve multiplatform support, and provide users with a familiar interface to control Bluetooth across different platforms. The project also aims to solve the issue of communication and user-friendliness of platform specific Bluetooth stacks, by creating daemons/services native to that platform, and lightly wrapping native APIs and exposing a standard set of APIs that will allow any client to be built cross-platform and to connect and control Bluetooth (Classic especially) in a much more efficient and uniform manner.

>> Read more about bluetuith

Federated eIDAS-compatible signing portal — Qualified digital signatures using eID cards

Existing electronic document signing platforms often lack support for advanced or qualified electronic signatures available under the EU's eIDAS standard, relying instead on simpler signatures without stronger legal validity. Our federated eIDAS-compatible signing portal addresses this gap by providing an open-source user-friendly platform for creating qualified electronic signatures using government-issued eID cards and other qualified signature creation devices. Unlike existing alternatives, our project integrates seamlessly with desktop and mobile signer applications, both open-source and commercial, enabling intuitive qualified document signing, validation, archiving, and API integration with third-party systems. Its federated manner ensures that independent portal instances can securely exchange documents, simplifying the adoption of qualified electronic signatures across Europe, reducing reliance on proprietary solutions, and improving digital administrative workflows.

>> Read more about Federated eIDAS-compatible signing portal

Federated webinars for eduMEET — Extended platform for distributed online webinars based on eduMEET

The main aim of the project is a new functional scope of eduMEET: federated webinars for big online meetings. eduMEET is a free and open-source video conferencing (VC) application that allows organisations of any size to build and deploy cost-effective on-premises web-based VC services. It is an easy-to-use solution that originated within the European Research and Education community. It is focused on security and privacy, and designed to give full control and ownership of ones own data and video streams.

A key aspect of the project is providing efficient engines for communication between distributed eduMEET instances, in order to provide support for large scale webinars. Additionally, eduMEET will add dedicated layout for webinars (speaker’s view), specific user roles and privileges (Panelist and Passive Participant) as well as a management module. The end result will be a full featured webinar platform that is an attractive low cost alternative to expensive proprietary services.

>> Read more about Federated webinars for eduMEET

f8 — Modern 8-bit instruction set

Among microcontrollers (µC), 8/16-bit µC are an important part of the embedded systems ecosystem since they tend to have substantially lower resource and energy costs than the larger, more powerful 32-bit and 64-bit µC.

However, existing 8/16-bit µC architectures tend to be either somewhat inefficient (e.g. MCS-51) or single-vendor (e.g. STM8, Rabbit). The latter are at a high risk of being discontinued when a vendor pulls out of the 8/16-bit market, and this has been announced recently for the STM8 and Rabbit architectures. One possible solution is to develop an efficient free architecture for 8/16-bit µC. The f8 is such an approach. It is based upon extensive experience from the large number of 8/16-bit architectures supported by the free Small Device C compiler (SDCC). Like RISC-V did for 32/64-bit architectures, f8 is based on lessons learned from the strengths and weaknesses of existing 8/16-bit architectures.

>> Read more about f8

fdtshim — Simplify use of Device Tree Binaries for Linux installers

The fdtshim project aims to implement a distribution-agnostic and hardware-agnostic method, and protocols, to load the correct hardware- specific DeviceTree on UEFI systems. With fdtshim, installation media for distributions can become truly generic, and support boot from different DT-incompatible kernels. Its usage is transparent to the user, and ensures the system will continue working after a major kernel update, whether booting from the current kernel, or the previously working kernel.

Using fdtshim makes it much easier for end users to boot live and install media on different devices with different architectures: mobile phones, tablets, embedded systems, laptops, servers and workstations

>> Read more about fdtshim

foaHandler — Reverse engineer the OpenAccess file format

Commercial CAE programs still dominate the community that designs electronic circuits. One of the most widely used file format here uses the OpenAccess API controlled by Si2. Unfortunately, this API is available only for members of the OpenAccess coalition. The project "foaHandler" aims at creating open-source programs for reading and writing OpenAccess files. Their internal data structure will be investigated by reverse engineering the file content of schematics, component symbols and layouts. Then, routines will be created that make it easy to import and export OpenAccess files in open-source programs like circuit simulators, layout programs etc. Example files and documentation will be published, too. This makes the data exchange between free and commercial EDA applications possible.

>> Read more about foaHandler

happyDomain — Simplify DNS zone management

happyDomain is an interface designed to make domain name management more accessible, intuitive, and efficient. By consolidating domain names from multiple providers and abstracting technical complexities that often lead to common mistakes, happyDomain empowers operational teams to handle their domain needs effortlessly, saving time and reducing friction. Its modern interface offers essential features such as history tracking, one-click rollbacks, logical groupings for services, and a REST API for automation. Built with carefully selected technologies, happyDomain provides a fast and lightweight experience, suitable for both large-scale infrastructures and personal use. Our mission is to help individuals and organizations regain independence on the Internet by simplifying domain management and fostering confidence. Whether for system administrators, agencies, freelancers, or privacy-conscious users, happyDomain transforms domain management into an accessible and seamless task for all.

>> Read more about happyDomain

iso14229 — Universal Diagnostic Services for automotive diagnostics

iso14229 is an open-source portable C implementation of Universal Diagnostic Services (ISO 14229-1:2020). UDS is a communications protocol used for diagnostics, tuning and firmware updates on embedded devices such as those in your car, tractor, robot, IoT device, or renewable energy system. Insecure UDS implementations expose software to security exploits. By providing an open source implementations including the security features of UDS, this project addresses an important gap. Within the scope of this grant, the team will work on the integration of static analysis, improve documentation and develop a number of security-focused examples.

>> Read more about iso14229

k3lp — Unicode Keyboard3 Layout Parser

k3lp (/kɛlp/) is a mobile-first library designed to support parsing and utilizing Unicode Keyboard3 files. Keyboard3 is an enhanced and rewritten standard developed by The Unicode Consortium and officially released with CLDR 45. It offers an open and interoperable standard for declaring and sharing keyboard layouts. Although the standard has been available for some time, there is currently no ready-to-use open-source library to effectively utilize these files. This is where k3lp comes into play, aiming to provide an easy-to-use, multi-platform library written in Kotlin 2.0. The library includes all the necessary business logic for layout parsing and streamlining keyboard developers' workflows, however the actual user interface implementation is left to the library consumer. Initially targeting Android and iOS developers in need of keyboard layout logic and tested in the open-source FlorisBoard keyboard, this library is capable of running on all platforms where the JVM runs on or where Kotlin compiles to.

>> Read more about k3lp

lib1305 — Microlibrary for Poly1305 hashing

In modern network protocols, every packet is authenticated using a message-authentication code (MAC). Any data modified by an attacker is immediately caught and rejected by the MAC. The most popular MAC algorithms are Poly1305, normally used with the ChaCha20 cipher as part of ChaCha20-Poly1305, and GMAC, normally used with the AES cipher as part of AES-GCM. Many applications, such as WireGuard, require specifically Poly1305. This project will develop and release a new software library, lib1305, for Poly1305. The library will provide comprehensive and well-optimized software exploiting the 64-bit assembly instructions of Intel CPUs to provide top speeds for those CPUs, while meeting the security constraint of not leaking secret information through timing.

>> Read more about lib1305

lib25519 using NEON for ARM64 — ARM64 optimisations for lib25519 microlibrary

Network protocols in today's world rely on elliptic-curve cryptography (ECC) to protect communication against espionage and sabotage. lib25519 (https://lib25519.cr.yp.to) is a software library for the Curve25519 elliptic curve (https://cr.yp.to/ecdh/curve25519-20060209.pdf), including the X25519 encryption system and the Ed25519 signature system. Curve25519 is the fastest curve in TLS 1.3, and the only curve in Wireguard, Signal, and many other applications (https://ianix.com/pub/curve25519-deployment.html). Currently the optimizations in lib25519 use serial instructions and vector instructions for Intel and AMD CPUs, and use serial instructions for ARM CPUs, but do not use vector instructions for ARM CPUs. This project aims at exploiting the NEON vector instructions of 64-bit ARM CPUs and extend lib25519 by providing top speeds for those CPUs, in particular setting new speed records for X25519 key generation and Ed25519 signing, while meeting the security constraint of not leaking secret information through timing.

>> Read more about lib25519 using NEON for ARM64

libnix — Native Nix on MS Windows

The libnix project improves the Windows support of the Nix package manager, by making nix and nix-build work natively on the Windows platform. By creating a ‘libnix’ on top of this, it will allow package managers like node, cargo, pip, and vcpkg to use Nix for building their dependencies. The effort helps bring declarative, reliable packaging systems to a wider audience.

>> Read more about libnix

libvips — Add animated PNG and enhanced JPEG XL support to libvips

libvips is an image processing meta-library, whose development the European Commission funded back in the 1990s. Applications can outsource the heavy lifting of handling a variety of image types to this library. The library has meanwhile grown very popular with web developers around the world; the node binding, for example, is downloaded more than 5 million times a week at the time of writing.

In addition to scrutinizing the security of the library, this project will implement two key improvements to libvips: animated PNG support, and enhanced JXL support. The former capability (the addition of animated PNG support) can be gained from another NGI Zero project, libspng. libvips uses libspng for PNG read and write, so by extending libvips to use these new libspng features, they will become available to a large developer community very quickly.

Second, libvips has had preliminary support for the JXL format since libjxl v0.4. Since then, the libjxl API has evolved considerably and the libvips connector needs updating, especially in the areas of large image support and HDR, both increasingly important with the steady improvement of smartphone cameras.

>> Read more about libvips

Verifying and documenting live-bootstrap — A reproducible, automatic, complete end-to-end bootstrap

The goal of the live-bootstrap project is to compile the necessary tools to compile Linux from a minimal binary footprint to avoid the possibility that a (binary) compiler could be used to introduce back-doors into the Linux kernel. As a user of the live-bootstrap project, one should be able to trace and review all steps and sources used. The goal of this project is to facilitate this.

>> Read more about Verifying and documenting live-bootstrap

Lychee — Reliable and fast link checker to combat linkrot

Links are the glue that holds the web together, but broken links undermine our collective digital knowledge. With 54% of Wikipedia references and 70% of links in legal journals now dead, link rot is a serious threat to information accessibility and makes for an unpleasant web experience.

Lychee is a fast, memory-efficient CLI tool written in Rust that detects broken links in Markdown, HTML, and plain text. Over the past 4 years, it has been adopted by tens of thousands of public repositories and organizations like Google, Microsoft, and AWS. The project will focus on three key milestones: implementing recursion support to check entire websites at once, adding per-host rate limiting to prevent server overload and sabilizing the codebase for a 1.0 release. By improving Lychee, we're helping everyone from small websites to major platforms maintain their corner of the open web and preserve our digital heritage.

>> Read more about Lychee

machine-check — Tool for formal verification for machine-code

Common bug-finding approaches like software testing do not guarantee the absence of bugs. Formal verification can prove the absence of bugs, but the added description and proving complexity means it only tends to be used for critical systems. The current state-of-the-art tools are complex to use and hard to reason around when they fail. Machine-check aims to bring scalable yet intuitive formal verification to non-experts, leveraging the Rust ecosystem for description of digital machines including processors with machine-code programs loaded into memory. Ultimately, this should lead to increased reliability, safety, and security of programs and systems.

>> Read more about machine-check

Multisoni — Modern and efficient real-time audio playback engine

Multisoni is a versatile audio engine for all creative uses. For demanding real-time uses (such as video games, VR, live installations) there is a lack of free/libre audio authoring tools to map playback and effects to trigger events and interaction parameters, suitable for industrial purposes.

Multisoni is designed to meet this need: it manages many input sources - either samples or synthesis, with support for input plugins - source and effect patching, and rendering for a variety of output systems ranging from binaural stereo to complicated multichannel setups, drawing on existing open-source solutions for audio hardware abstraction and raw audio stream management. One of its main objectives is to put creative users - sound designers, composers - on an equal footing with developer users.

>> Read more about Multisoni

nextpnr for GW-5 — Add support to nextpnr for Gowin GW-5 FPGA family

This project focuses on enhancing the open-source FPGA design toolchain (specifically nextpnr and Apicula), to support the Gowin GW-5 series of FPGAs. This initiative involves creating detailed documentation and developing tools to understand and utilize these FPGAs effectively. By extending nextpnr and Apicula to generate valid bitstreams for the GW-5 series, the project aims to make advanced FPGA technology more accessible and usable for designers and engineers around the world.

>> Read more about nextpnr for GW-5

openPCIe2 Root Complex — Open hardware implementation of gen 2 PCIexpress in OpenXC7

This project will develop an open hardware implementation of PCIexpress 2.0, the high-speed serial computer expansion bus standard used to allow computer peripherals to be slotted into a motherboard. When designing open hardware, having such a critical part of a component depend on proprietary components is obviously . The open hardware PCIe/Gen2 Root Complex developed within this project would make a big step towards developing fully open hardware components. Prior efforts only provided a partial implementation, and depended on vendor-provided 'black boxes' that would prevent such designs to be used to create a working, fully open hardware solution.

>> Read more about openPCIe2 Root Complex

p3pch4t — Decentralized chat platform built on i2p

P3pch4t is a decentralized chat platform built on i2p that aims to provide a feature-rich experience with huge privacy standards, so it will be easy for people to switch from well-known centralized/proprietary chat apps - such as Facebook Messenger, Telegram, Slack to one place that will have all features that user desire - including large file sharing, shared calendar, group chats, multiple devices and chat themes - all of that will come in a cross-platform app that will run on all major mobile and desktop platforms. Together with that, there will be a handful of libraries in different languages to interact with the network directly - to ensure that it is easy for other developers to extend the p3pch4t ecosystem, and to ensure that the standard for communication is well defined.

>> Read more about p3pch4t

postmarketOS: v23.12 and v24.06 Releases — New versions of the mobile operating system postmarketOS

postmarketOS keeps smartphones useful after they don't receive updates anymore: the original operating system gets replaced with an up-to-date lightweight open source software stack based on Alpine Linux. Oftentimes people use postmarketOS to upcycle their old smartphones to small home servers (like Raspberry Pis). While still experimental, we also work towards enabling all typical smartphone features too so postmarketOS can fully replace the original operating system. Besides extending the lifetime of smartphones, in postmarketOS we value the user's privacy, security and in general control over their own device. Unlike current mainstream smartphone operating systems, it is not needed to register an account and get tracked to use the operating system. Creating new releases allows us to keep the software stack up-to-date, to integrate important fixes, features and in general to get closer to provide a full smartphone experience.

>> Read more about postmarketOS: v23.12 and v24.06 Releases

postmarketOS daemons — Add modern service daemons to postmarketOS

postmarketOS keeps smartphones useful after they don't receive updates anymore: the original operating system gets replaced with an up-to-date lightweight open source software stack based on Alpine Linux. This project will add initial systemd support to postmarketOS, as well as making Pipewire the default audio server in postmarketOS. It will help switch the wifi backend to iwd by default, and design and prototype an immutable version of postmarketOS with an efficient A/B OTA mechanism with binary delta updates, and automatic rollback on failed updates.

>> Read more about postmarketOS daemons

Support for OpenPGP v6 in rPGP — Implement draft-ietf-openpgp-crypto-refresh in rPGP

rPGP is a high-quality implementation of OpenPGP in pure Rust (OpenPGP is a standard for encryption, digital signatures and key management). rPGP is used in production in different contexts, among them the popular "Delta Chat" decentralized and secure messenger that is used by hundreds of thousands of users, worldwide. The OpenPGP standard has recently been revised to reflect current best cryptographic practices. The revision of the standard defines "OpenPGP version 6" and is currently being finalized  for publication as RFC 9580. This project will implement the new formats and features of OpenPGP v6 for rPGP. This will bring the new features of OpenPGP v6 to users of rPGP, and ensures future interoperability with all other modern OpenPGP implementations.

>> Read more about Support for OpenPGP v6 in rPGP

reqwest — Memory safe HTTP client

reqwest is the de-facto HTTP client for the Rust language, with batteries-included. In this project we will make many of its powerful features to be composable and reusable outside of reqwest. This includes converting its connection pool, proxying and redirection into middleware, and improving integration with existing middleware, such as retries. This ultimately enables two groups of people: some so they can use only the parts of reqwest they need. And others that want to use all of reqwest while inserting new middleware or customizing its default "stack".

>> Read more about reqwest

rrdnsd — DNS based load balancing and high availability

rrdnsd implements DNS-based load balancing and failover in order to increase the reliability of geographically-distributed Internet services. It is designed to both scale up to managing hundreds of services but also scale down to small scale deployments. Written in Rust, it prioritizes resilience, ease of deployment and hands-off maintenance - without depending on 3rd-party services. It provides distributed connectivity monitoring using a quorum protocol. This allows detecting partial network outages without causing false positive alarms.

>> Read more about rrdnsd

s6-rc — Service manager for s6-based systems

The s6-rc service manager, part of the s6 ecosystem, is a correct and efficient alternative to software managing boot scripts like sysv-rc or OpenRC: it provides a bootability guarantee, a reliable logging infrastructure, parallel service start without race conditions, and the lowest resource usage of all existing service managers (which means it is very fast and will run on the smallest systems). However, it is not yet adopted by many Linux distributions, for lack of a high-level user interface and pre-provided boot scripts.

We are adding these features to s6-rc so it can be easily integrated to more distributions currently relying on OpenRC, such as Alpine Linux, and also targeted as a backend for service description languages for use with automatic deployment to containers, VMs, clusters, or embedded systems. The goal is to make s6-rc an accessible and widely known service management alternative for fast, reliable and energy-friendly system deployment.

>> Read more about s6-rc

Maintenance and portability of sudo-rs — Make sudo-rs available cross-platform

The sudo and su utilities guard a critical privilege boundary on just about every free and open-source operating system that powers the Internet. Memory safety bugs occur in the original sudo from time to time, and there is only one maintainer to fix them. For these reasons sudo-rs was written: a Rust drop-in replacement for sudo on Linux. For it to be a success, it needs to gain adoption. In this project, we will 1) address bugs and incompatibilities between sudo-rs and sudo and 2) port it to platforms other than Linux, to grow its user base and viability.

>> Read more about Maintenance and portability of sudo-rs

synit-nixos — Expand synit system layer and integrate in NixOS

Much of the software applications and services that we interact with today can only exist as dynamic compositions of many different software components. Dynamic systems can be adapted to serve different purposes, react to a changing environment, and can be self-updating or self-healing in response to failure. These systems exchange the predictability of static systems for the resilience of dynamism.

Our software operating systems achieve dynamism by what some call the "system layer". Traditional this would be the so-called "init" system which activates different software components. The system layer is the software activation and management of init combined with a communication layer, reactive behavior, and system introspection. Synit is an experimental system layer that provides these features according to a model that combines capability security, conversational actors, and eventually-consistent replicated state.

The Synit-NixOS project aims to bring init and system-layer portability to NixOS with Synit as an alternative to systemd.

>> Read more about synit-nixos

tslib — Better configuration and callibration of touchscreen devices

tslib is somewhat older but widely used software for configuring the touchscreen of (mainly) embedded Linux devices including printers, mobile phones, etc. This nimble project concerns a bundle of improvements in terms of calibration, some accessibility research (to see if people with e.g. a tremor can be better served), and addressing a backlog of feature requests. In addition the project will use the help of NGI Zero to apply additional security scrutiny.

>> Read more about tslib

uFork/FPGA — A memory-safe pure-actor processor soft-core

uFork is a novel microprocessor architecture based on dispatching immutable asynchronous message-events to reactive objects (actors) which manage private mutable state. Contention for shared mutable storage is eliminated, reducing complexity. Strong process and memory isolation prevents interference among tasks. Object-capability security (ocaps) provides fine-grained access control. The architecture has been validated by implementing a virtual-machine in software. This project will implement the design using FPGA hardware fully supported by open-source tooling.

>> Read more about uFork/FPGA

uberClock — High precision open hardware clocks using multi-mode crystal oscillators

Very precise clocks have many different use cases, but they are complex to make and expensive to buy - leaving high precision timing out of reach for many. Currently, there are no open hardware designs capable of delivering so called "Stratum 2" accuracy.

This project will design and build an open hardware clock exploiting the properties of multi-mode crystal oscillators using modern numerical methods for frequency stabilization. A Field-Programmable Gate Array (FPGA) will be used for digital signal processing functions, multiple Proportional-Integral-Derivative (PID) control loops, and executing all necessary calculations needed for dynamic, real-time frequency corrections. High-Level Synthesis (HLS) code will be developed using the CflexHDL+PipelineC toolset, in order to validate and further mature that emerging design flow for signal processing applications.

>> Read more about uberClock

vm-builder — Virtual Machine Build, Life Cycle and Integration in monolithic and microkernel platforms

As each piece of software is built using other software, it is difficult to ensure that a program is not accidentally infected through malicious code interfering anywhere in this process. An important defence is reducing the amount of code one relies upon and strictly isolating the build from any other processes that could influence it, typically by using a virtual machine.

However, the are currently no minimal, portable and final virtual machine build systems which enable effective bootstrapping of operating systems. Delegating this task to container build systems is insufficient, since they are primarily available to the Linux kernel and provide weak isolation properties. Delivering those with a high portability and even (or especially) on low TCB microkernels is key to secure bootstrapping of operating systems and applications on (to be) trusted infrastructure.

The current prototype has proven successfully applicable to nowadays general purpose OSs, templating/inheritance and reproducible builds are to be implemented. An implementation in a more robust programming language like Rust is still lacking and will be completed in the course of this project. The long term goal is to easily build and provide legacy platforms and software especially on microkernels — allowing for a migration path towards operating systems with effectively manageable complexity.

>> Read more about vm-builder