On 30 January I was lucky to attend CHAOSScon 2025 in Brussels, which brought together open source practitioners, researchers, and community leaders to discuss the latest developments in measuring and improving open source software (OSS) health. This year’s sessions covered key topics like defining open source sustainability, tracking contributions, assessing community health, and evaluating project risks. Below is a recap of the main sessions and insights shared throughout the event.

The conference kicked off with an overview by Daniel Izquierdo of CHAOSS (Community Health Analytics for Open Source Software) and its tools for tracking OSS health. Key takeaways included:

  • Metrics are essential for assessing the maturity of OSS projects.
  • GrimoireLab 2.0 offers new capabilities for analyzing software development, including historical data tracking, GDPR-compliant identity management, and a business-layer integration for commercial services.
  • Major OSS foundations and corporations leverage GrimoireLab for their open source health assessments.

CHAOSScon also marked the launch of the CHAOSS Education Program, designed as a structured entryway into open source. Dawn Foster and Peculiar C. Umeh presented the 3 courses developed by CHAOSS:

  1. Open Source 101: Helping newcomers navigate OSS and find their contribution niche.
  2. CHAOSS governance and operations: Educating users on how the organization works.
  3. Practitioner guides for project managers, OSPOs, and community leaders.

The courses are hosted on Moodle and are designed for both CHAOSS community members and general OSS learners.

Ruth Ikegah then shared that Diversity, Equity, and Inclusion (DEI) remain challenges in OSS. Through her work with local chapters she observed that:

  • 49%+ of OSS content is in English, creating barriers for non-English speakers.
  • Cultural differences necessitate localized approaches to inclusion.
  • Challenges like internet access, financial constraints, and lack of OSS education in formal curricula hinder participation from non-Western countries.
  • We need better strategies for engagement. Some examples she shared are: badging systems, funding, mentorship, and recognizing future leaders.

Paul Sharratt and Cailean Osborne presented a toolkit for measuring how public funding affects OSS sustainability. Some critical points included:

  • OSS is digital infrastructure, and funding models affect long-term viability.
  • Different funding types lead to varying levels of impact.
  • Models for assessing public investment effectiveness in open source.

If you are interested, the preprint is available: arxiv.org/abs/2411.06027.

Katie McLaughlin addressed a well-known problem: open source projects often struggle to recognize contributions beyond code. She highlighted the need for a standardized taxonomy for OSS contributions, as many contributions are still invisible today (e.g., documentation, community engagement).

As an attempt to explore equitable credit systems in OSS, they launched whodoesthe.dev, focused on understanding open source ecosystems.

Daniel S. Katz then presented CORSA (Center for Open Source Research Software Advancement), an initiative aiming to support open-source research software projects through foundations and metrics in order to improve their sustainability.

Sustainability is a tricky word, because it has so many different meanings. There is technical sustainability, but also financial and organizational sustainability (and of course, environmental sustainability too). Daniel advocated for metrics as a key element in understanding the status of a project and, in the case of financial sustainability, an excellent way to showcase success and attract funding.

Financial sustainability of course affects all the other sustainabilities too, as community engagement and long-term viability require structured support mechanisms.

Security and risk analysis were big topics at CHAOSScon (and at FOSDEM too). As Georg Link explained, this is closely linked to project health: unmaintained or poorly maintained FOSS dependencies pose security threats. Because FOSS is an integral part of any modern software (over 80 percent of the software in any technology product or service is open source, according to a Linux Foundation study from a couple of years ago!), understanding these risks is crucial. The Software Bill of Materials (SBOM) helps track and manage dependencies. Key risk indicators include median response time to pull requests and issue resolution speed. One thing is clear: maintaining project activity and engaging contributors helps mitigate risks.
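The two indicators named above can be computed per component of a dependency list such as an SBOM provides. This is an added example, not code from the talk or from any CHAOSS tool; the component names, dates and thresholds are constructed assumptions. It also shows why unanswered pull requests and open issues must be counted as still waiting, since dropping them makes a neglected project look responsive.

```python
from datetime import datetime
from statistics import median

# Constructed sample data (assumptions): components as an SBOM would list them,
# plus (opened, first_response_or_closed) dates for each upstream project.
AS_OF = datetime(2025, 1, 30)
SBOM_COMPONENTS = ["libalpha", "libbeta"]
PULL_REQUESTS = {  # (opened, first maintainer response or None if unanswered)
    "libalpha": [("2025-01-02", "2025-01-03"), ("2025-01-10", "2025-01-12"),
                 ("2025-01-20", "2025-01-21")],
    "libbeta": [("2024-10-01", "2024-10-05"), ("2024-11-01", None),
                ("2024-12-01", None)],
}
ISSUES = {  # (opened, closed or None if still open)
    "libalpha": [("2025-01-05", "2025-01-09"), ("2025-01-15", "2025-01-17")],
    "libbeta": [("2024-09-01", "2024-12-30"), ("2024-10-15", None)],
}
# Hypothetical thresholds in days; tune these to your own risk appetite.
THRESHOLD_DAYS = {"pr_response": 14, "issue_resolution": 60}


def median_days(events, as_of=AS_OF, count_open=True):
    """Median days from start to end; open items count as waiting until as_of."""
    waits = []
    for start, end in events:
        if end is None and not count_open:
            continue  # dropping open items hides neglect (shown for contrast)
        finish = datetime.fromisoformat(end) if end else as_of
        waits.append((finish - datetime.fromisoformat(start)).days)
    return median(waits) if waits else None


def risk_report(components=SBOM_COMPONENTS):
    """Return metrics and threshold flags for every listed component."""
    report = {}
    for name in components:
        metrics = {
            "pr_response": median_days(PULL_REQUESTS.get(name, [])),
            "issue_resolution": median_days(ISSUES.get(name, [])),
        }
        # A component with no activity data at all is flagged, not passed.
        flags = sorted(k for k, v in metrics.items()
                       if v is None or v > THRESHOLD_DAYS[k])
        report[name] = {"metrics": metrics, "flags": flags}
    return report


if __name__ == "__main__":
    for name, row in risk_report().items():
        print(name, row["metrics"], row["flags"] or "ok")
```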

Another project that can help in risk analysis is OpenChain, which helps developers assess compliance in their software components, using a capability model to grow community excellence. Measuring compliance contributes to risk assessment and regulatory alignment.

The OpenChain tools are available on GitHub for developers to evaluate maturity models.

Katherine Skinner gave a keynote in which she explored the importance of defining values in open infrastructure projects and aligning community values with decision-making to strengthen resilience. Katherine introduced the FOREST framework for values-driven evaluation, emphasizing that human metrics can help reverse-engineer assessments by letting communities define the values they stand for. Additionally, she discussed the challenge of making FOSS needs visible to funders and stakeholders in a way that highlights their significance without discouraging adoption.

Conclusion

CHAOSScon 2025 reinforced the importance of defining, measuring, and sustaining OSS health. Key themes included the role of education, local empowerment, equitable contribution recognition, and risk management. As open source continues to evolve, these discussions provide a roadmap for ensuring sustainability, security, and inclusivity. For further insights, you can access all the presentation slides from CHAOSScon 2025 here, and join the CHAOSS community too!