Send in your ideas. Deadline February 1, 2025

NGI Zero Core

Moving the internet forward

This page contains a concise overview of projects funded by NLnet foundation that belong to NGI Zero Core (see the thematic index). There is more information available on each of the projects listed on this page - all you need to do is click on the title or the link at the bottom of the section on each project to read more. If a description on this page is a bit technical and terse, don't despair — the dedicated page will have a more user-friendly description that should be intelligible for 'normal' people as well. If you cannot find a specific project you are looking for, please check the alphabetic index or just search for it (or search for a specific keyword).

The internet was never designed with our modern usage in mind. Important decisions that shaped how the internet works today were made in the distant past, and we continue to run into the consequences — cascading effects and limited resilience, scalability issues, lack of strong privacy and security and a blind spot for energy efficiency. These may have seemed less important at the time, but currently they certainly are not, and we need to act.

NGI Zero Core is an ambitious grant programme led by NLnet as part of the Next Generation Internet initiative, which focuses on moving the internet forward according to the vision of a resilient and trustworthy technology stack that empowers users, and grants everyone full autonomy.

All projects become available under a free and open source license so you will be able to study, use, modify and share everything with anyone you want! The programme is no longer accepting new application, but you can propose a project within one of our other funds!

Logo NLnet: abstract logo of four people seen from aboveLogo NGI Zero Core: letterlogo shaped like a tag

Interesting in applying for a grant yourself? Check our active theme funds, such as NGI Zero Commons Fund, NGI Mobifree, NGI Fediversity or NGI TALER. Applications to this particular fund are currently closed and no new projects are accepted for now. Donate to help us fund more projects like these.

0WM — Measure and visualize Wi-Fi coverage

Wi-Fi coverage is key in corporate and BYOD environments, as the mobility offered by wireless protocols often outweighs criteria such as speed and stability, offered by wired alternatives. These criteria are however critical to guarantee a suitable quality of service, and reliable options to help network operators are scarce and unaffordable to small organizations. 0WM will provide feature-rich tools to produce quality coverage maps, leveraging affordable COTS components, to quickly and efficiently identify coverage problems affecting end users.

>> Read more about 0WM

Firmwire full-system 5G baseband emulation — Easier testing of 5G baseband modems with FirmWire

FirmWire is an open source full-system baseband firmware emulation framework for emulating, fuzzing, debugging, and root-cause analysis of smartphone baseband firmware. This project builds upon the framework to support newer, 5G capable, smartphones. Baseband processors are used in all modern smartphones for cellular network connectivity and are a remote attack surface. As such, baseband security is of utmost importance. Baseband firmware is complex, proprietary, and lacks public scrutiny. Emulation and reverse engineering are one of the few public ways to analyze baseband processors. These efforts will provide more transparency in baseband firmware and improve the community’s ability to analyze 5G security through emulation and fuzzing. Additionally, the reverse engineering efforts could aid in developing better open source drivers in the future.

>> Read more about Firmwire full-system 5G baseband emulation

AI Horde — Collaborative infrastructure for running generative AI models

The AI Horde is a crowdsourced, free, libre and open sourced service with the aim to truly democratise access to Generative AI. It supports both generating text via Large Language Models and images via Stable Diffusion via a simple REST API, allowing everyone to integrate this technology to any product.

One of the biggest challenges with Generative AI is the amount of resources required to run even simple models, leaving the vast majority of humanity without access to this technology. The AI Horde delivers a groundbreaking smart-queuing clearing house where enthusiasts can volunteer their idle compute for everyone in the world to generate images or text without any further commitments or budget.

>> Read more about AI Horde

Alive2 — Translation validation for LLVM

Modern compilers, such as LLVM, perform advanced optimizations to improve performance and reduce binary size of programs. However, getting these optimizations correct is very challenging: there are many corner cases, tricky issues with undefined behavior, modular arithmetic, and so on. On the other hand, programs rely on compilers being correct. A single bug in the compiler may introduce security vulnerabilities in the compiled programs. Alive2 aims to solve this issue by verifying that LLVM is correct. It is an indispensable tool for compiler developers and for anyone that wishes to validate the compilation of their program.

>> Read more about Alive2

Arcan-A12 Directory — Server side scripting API for Arcan's directory server

A12 is an explorative p2p protocol for fast and secure remote application interactions. Current desktop protocols are locked inside the constraints of their origins, and most of these have significant security and privacy issues. As a result, we've come to depend heavily on web frontends as the universal desktop application corset - which in return has caused a massive complication and overloading of the browser.

A12 establish a secure and interconnected network of personal compute devices, includes peer-to-peer channels and cryptography components. This project add a directory server that can be used as a trusted 3rd party rendezvous to establish such channels. It will expand the scripting API towards writing assistive 'apps' that can complement or split the workload handled on client devices; provide state synchronization and indexing/search between dynamic mesh networks created by linking directory servers together; dynamically launch and attach controlled sources.

>> Read more about Arcan-A12 Directory

Arcan-A12 Tools — A12 clients for different platforms and devices such as drawing tablets

The interaction patterns with our compute devices have switched from "one device - multiple users" over to "one user - multiple devices" and this new reality requires shift in how user personal data is shared and synchronised between their devices.

A12 is a network protocol designed to establish a secure and highly interconnected network of personal compute devices that has been developed as part of a larger Arcan umbrella project. The protocol includes peer-to-peer channels and cryptography components.

This follow-up project sets out to implement lightweight applications that will be capable of networking over A12 protocol to enable remote control, sensor and screen sharing, file sharing, notification sharing and enable other personal data flows. The end goal is convenience of having interconnected devices without sacrificing privacy and performance.

>> Read more about Arcan-A12 Tools

Automerge — Add Merkle Search Tree support to Automerge

Automerge is a CRDT library for building local-first collaboration software, allowing several users to concurrently edit a file, both in real-time and offline. It is currently optimized for working on a single document; this project aims to improve Automerge's support for synchronizing large collections of documents across multiple devices (for example, all of a user's notes in a note-taking app). The challenges here are efficiently determining which documents need to be synced, syncing multiple documents in parallel, giving users a progress indicator during large data transfers, and making the protocol efficient in terms of computation, memory, and bandwidth. Our protocol will be compatible with both client-server and peer-to-peer synchronization.

>> Read more about Automerge

Interpretation feature for Big Blue Button — Adding translator streams for live interpretation to BBB conference software

BigBlueButton is one of the leading open source videoconference solutions. The project will add support for simultaneous interpretation to BigBlueButton. Participants of a meeting will be able to choose the language they would like to listen to. Interpreters can choose which language they listen to and into which language they interpret. The solution can be combined with classical radio setups for interpretation already used in grassroot events to enable interpretation in hybrid situations.

>> Read more about Interpretation feature for Big Blue Button

Detecting Forged-Origin BGP hijacks — Probabilistic detection of BGP hijacking

Hackers often exploit vulnerabilities in BGP, the primary inter-domain routing protocol (essentially the “glue” that connects all networks on the Internet), to hijack Internet traffic. Our project builds on our work in detecting forged-origin BGP hijacks, a specific type of BGP hijack that remains unaddressed by recent cryptographic efforts aimed at securing BGP. Our objective is to enhance the accuracy of our detection system, which relies on a probabilistic model to compensate for the lack of cryptographic tools, ensuring that no attack goes unnoticed. Additionally, we plan to share our data and improve access to our inferences by developing APIs. This will enable both network operators and the research community to benefit from our findings and apply them to improve the security of their networks.

>> Read more about Detecting Forged-Origin BGP hijacks

BIDS: Binary Identification of Dependencies with Search — Identify known open source elements present in binaries

Embedded device firmware is assembled from many FOSS package dependencies. Knowing which dependencies have been used is essential for security and licence compliance. However this is a complex task for native ELF binaries built from languages such as C/C++ that do not have package managers for metadata and simpler conventions for bytecode like Java or Python. The BIDS (Binary Identification of Dependencies with Search) project will build a tool (in Python) to analyse ELF binaries and find dependencies contained and built in these binaries. The BIDS project will deliver tooling to analyse ELF binaries and extract key features and store these for indexing, tooling to index these binary features in a search engine using inverted indexing, and a query tool and library to process large binaries to query this inverted index. The latter will return results as lists of ranked FOSS packages and files found to be present in the analysed binary. The data and tools will also be packaged to allow for further integration and reuse by other FOSS tools and analysis pipelines.

>> Read more about BIDS: Binary Identification of Dependencies with Search

Back2Source next — Better matching of binaries with source code

Sometimes, the released binaries of an open source package do not match its source code. Or the source code does not match the code in a version control repository. There are many reasons for this discrepancy, but in all cases, this is a potential serious issue as the binary cannot be trusted. Additional (or different) code in the binary could be malware or a vector for unknown software vulnerabilities, or create FOSS license compliance issues.

"Back to source" creates analysis pipelines in ScanCode.io to systematically map and cross-reference the binaries of a FOSS package to its source code and source repository and report discrepancies. We call this the deployment to development analysis (d2d) to map deployed code (binaries) to the development code (the sources) and we enable applying this "trust but verify" approach to all the binaries.

>> Read more about Back2Source next

BrowserAudit — Test common security standards and features in browsers

The web depends on security standards to safeguard your data as you navigate online. The effectiveness of your browser in protecting this data depends on how well it implements these standards. BrowserAudit is a free, open-source tool designed to assess your browser’s compliance with common security protocols. By running hundreds of tests, it generates a detailed report highlighting the strengths and weaknesses of your browser's security. This report can help you select a more secure browser, notify developers of potential issues, or, if you’re a developer, address these vulnerabilities directly.

>> Read more about BrowserAudit

Tracing and rebuilding packages — Improved metadata/provenance for build artifacts

For many end users the smallest unit of software is the "package": a collection of programs and configuration files bundled in a single file, typically shipped as a single archive. Examples are "util-linux", "glibc", "bash", "ffmpeg" and so on.

Open source distributions install packages using their package management systems. The package management system writes the contents of a package to disk when the package is installed or updated and removes the contents if the package is removed. The packages themselves contain metadata maintained by the distribution maintainers. This information includes the name of the package, project URL, description, dependency information and license information, etc.

This granularity can be too coarse. For example, the license information is aggregated at the package level. If there are separate files that are under different licenses, then this will not always be clear from the license information at the package level.

This project will make it more easy to understand by looking at what goes into each individual binary in a package, and assign metadata to the individual binaries instead of to a package. It will do so by tracing the build of a package and recording which files are actually used. By building packages in a minimal (container) environment, capturing the build trace, processing the build trace to see exactly what goes into which binary it becomes much easier to zoom in and answer specific questions such as "what license does this binary have" or "which binaries use vulnerable file X" and combining it with efforts like VulnerableCode and PurlDB.

>> Read more about Tracing and rebuilding packages

CAKE-MAINT — Improve network queue management algorithms on Linux

With the wider and wider adoption of the fq_codel (RFC8290) and cake codebases in shipping products, many issues in the field have been discovered, and features to address them proposed but not mainlined into Linux (or the BSDs). This project intends to tighten up the corner cases, fix up multiple observed problems, and add some needed new features if possible, as well as take a stab at addressing the biggest observed problem in the field for cake - not scaling shaping well to ever more popular multi-core routers.

In addition the project will work on a new release of babeld, the reference implementation of RFC 8966 (Babel Routing Protocol) and on standardisation of Sroam, a protocol for WiFi roaming.

>> Read more about CAKE-MAINT

COCOLIGHT — Lightweight version of Communecter

COmmunecter is an open source social and societal platform. COCOLIGHT is an low tech light weight client able to connects to any COmmunecter server, allowing both read and contribution modes. Easy to Install, fully Activity Pub compliant, federating organizations, events, projects and open badges. It allows to create networks of many COPI instances interconnected together and exchanging information and data.

>> Read more about COCOLIGHT

Cross-root ARIA — Standardisation for Accessibility when using Shadow DOM

ARIA is a technology used by developers to add accessibility attributes to web-based user interfaces. Web Components are a set of tools which allow developers to create components which can be used in a framework-independent way across different websites. Due to the way Web Components provide encapsulation, using Shadow DOM, some parts of ARIA have become incompatible with Web Components. This project will contribute to ongoing efforts to provide web developers with mechanisms to make these technologies work together. Our goal is to contribute to the relevant specifications, as well as implementing and shipping the proposed solution in one additional browser.

>> Read more about Cross-root ARIA

Diesel — Safe and performant query builder and ORM written in Rust

Diesel is a safe and performant query builder and ORM written in Rust. It aims to eliminate security issues like SQL injections by providing a type safe domain specific language to express your SQL query as Rust code. This enables checking the query at compile time to turn insecure or otherwise invalid SQL queries into compile time errors. As part of this project we want to extend Diesel to provide built-in support for `WINDOW` functions, to enable the usage of secure and type safe queries in more places.

>> Read more about Diesel

Draupnir — Moderation bot for Matrix servers

Draupnir is a comprehensive moderation bot for room moderators using Matrix (the open source decentralized instant messaging protocol). Draupnir assists room moderators in managing their community and provides continuous protection from spam and harmful content. This is done by utilising sharable and interoperable policy lists that allow different communities to work together to combat new threats. Draupnir also provides a plugin system that can adapt Draupnir to the different needs of every community. Our ongoing efforts to further modularise Draupnir's code base in the interests of maintainability should provide groundwork for future Trust & Safety related projects in the Matrix ecosystem.

>> Read more about Draupnir

Open source ESP32 802.11 MAC — Open source wifi drivers for ESP32

The ESP32 is a low-cost microcontroller with Wi-Fi connectivity. Currently, the Wi-Fi MAC layer of the ESP32 is closed-source. This project aims to change that: by reverse engineering the hardware registers and software, we can build a networking stack that is open-source up to the hardware, instead of having to use the proprietary MAC layer. This will improve security auditability, open up the possibility for features not supported in the proprietary implementation (for example, standards-compliant mesh networking), improve interoperability and make research into Wi-Fi networks with lots of nodes more affordable.

>> Read more about Open source ESP32 802.11 MAC

Email <=> XMPP gateway — Bridge instant messaging with email

Libervia is a versatile communication ecosystem offering features like instant messaging, blogging, event planning, photo albums, file sharing, audio/video calls, and more. It can additionally function as an XMPP component, providing server-side features. This initiative focuses on creating an Email <=> XMPP gateway, enhancing file management for attachments, transforming mailing list threads into interactive, forum-style discussions with modern elements such as tags and mentions, and ensuring support for end-to-end encryption. The Libervia interface will also see improvements for a better user experience, with clear indicators of message origins and security status. This gateway is a move toward unifying various communication methods within single clients, following Libervia's philosophy as seen with its ActivityPub <=> XMPP gateway and is in harmony with other projects like Slidge, Spectrum 2, or Biboumi. With the introduction of this component, not only will Libervia's functionality be elevated, but it will also equip other XMPP ecosystem projects with the ability to connect their users with the email world, fostering deeper integration of XMPP across the spectrum of communication tools.

>> Read more about Email <=> XMPP gateway

Ethersync — Real-time co-editing of local text files

Ethersync aims to enable real-time collaborative editing of local text files. Similar to Etherpads, it facilitates multiple users to work on content simultaneously, enabling applications such as shared notes or pair programming. However, following a "local-first" approach, all files reside on the users' computers, allowing them to use their familiar editors and workflows, and to retain user control. This design enables a kind of collaboration that is simple and direct, stable and flexible, and preserves privacy. Ethersync will be a supplement to tools that track larger changes on text files, like Git, and can be used in combination with it. The project will leverage CRDTs, and consists of a server component, a cross-platform local synchronization daemon, and editor plugins.

>> Read more about Ethersync

Exter — Proxy-based external browser extensions

Exter is a web based plugin platform which allows addons to alter websites behavior/style/functionality. Instead of trusting the browsers' plugin ecosystem, let's modify the websites before browsers receive them! The goal of this project is to provide a stable and free website-extension-platform to allow future proof and flexible addon development.

As a web application, Exter opens URLs, rewrites the static content and injects client scripts to wrap default javascript functions, applies addons, then sends the sanitized/modified website to the browser. This way we have the ability to write plugins that can intercept/modify not only HTTP requests, but even client side functionalities, such as sanitizing 3rd party content or appending new DOM elements to the website or altering cookie handling from javascript and much more.

>> Read more about Exter

FOSS Warn — Aggregate source of emergency alerts

The FOSS Public Alert Server lets clients receive Push Notification (via UnifiedPush) about official emergency alerts worldwide. Besides infrastructure like sirens, radio, and Cell-Broadcast, CAP (Common Alerting Protocol) alerts are another way of alerting the public. CAP alerts are used for a wide variety of emergencies. From alerts about extreme weather to alerts about contaminated drinking water to pandemics. Our server bundles over 280 official CAP alert publishers worldwide and can easily extend to more sources. This project aims to bundle the underlying alerting infrastructure into a single trustworthy source of information, not to replace it.

Having a shared global public source of information reduces the user's dependency on local emergency apps - which are often only available for the two largest mobile platforms. Furthermore such a converged effort makes it much simpler to develop clients for devices other than cell phones (like desktop PCs or smart speakers). Thirdly it can make traveling safer. Finding and installing the right local emergency apps to receive emergency alerts when traveling is quite the hurdle. With our solution, it would suffice to install one app for the world. One such app is FOSS Warn, an Android app that for now receives alerts for Germany and Switzerland. Within this project, FOSS Warn will be extended to work worldwide with the new server infrastructure.

>> Read more about FOSS Warn

FPGA-ISP-UVC-USB2 — Open hardware FPGA-based USB webcam

The USB UVC project is designed to create an innovative and adaptable webcam that easily connects to any laptop, providing high-quality video without the need for special drivers. Unlike ordinary USB webcams that often come with proprietary software and limited functionality, this project aims to deliver a flexible, open-source solution that can be tailored and improved by anyone. The webcam will offer superior video quality with features like automatic brightness adjustment, color correction, and real-time video compression, making it ideal for video calls, streaming, and other visual applications. By focusing on open-source principles, this project ensures that the technology is accessible, modifiable, and transparent, allowing for continuous community-driven enhancements.

This project stands out because it is not locked into proprietary ecosystems, offering users greater control and flexibility over their hardware. It can work with a wide range of computer models, providing a versatile tool for both personal and professional use. Additionally, the open-source nature of the project means that it can be continuously improved and customized by developers around the world, fostering innovation and collaboration.

>> Read more about FPGA-ISP-UVC-USB2

FastScan — Performance improvements for ScanCode Toolkit/ScanCode.io

The project summary for this project is not yet available. Please come back soon!

>> Read more about FastScan

Feather UI — Declarative cross-platform UI toolkit

Feather is a universal UI library that applies user inputs to application state, and maps application state to an interactive visualization using a custom graphics rendering language capable of compiling to arbitrary GPU code or vectorized CPU code. By building on top of a well-typed graphics abstraction, it is possible to make custom shaders "write once, run anywhere" with confidence and no overhead. This allows the creation of UI Fragments, which no longer need to be built on top of a library of UI widget elements, allowing the creation of arbitrarily complex UI elements that are no longer bound to traditional widget designs. This level of abstraction allows targeting anything from embedded devices to webpages, or even mixed-reality devices.

>> Read more about Feather UI

Fediverse Test Framework — Test bench for ActivityPub implementations

The Fediverse consists of individual servers, possibly running different software, that talk to each other. One of the challenges in developing for the Fediverse is to stay interoperable with all the different deployed software. As the message format standard, ActivityStreams, is extensible through JSON-LD, judging how a message is parsed, can be a hard task.

By using ideas from automated testing, we provide an application that determines a baseline how messages are processed and rendered. The process being simply: run end to end tests and record their result. From the test results a webpage is generated that provides developers the information how a message is rendered in different applications. We aim to make the framework extensible so new applications can be included.

>> Read more about Fediverse Test Framework

Fediverse Test Suite — Interoperability effort for W3C ActivityPub

The Fediverse is a global, standards-based, decentralized social network accessible to all and not subject to algorithmic manipulation or platform surveillance. While best known for Mastodon, an open-source alternative to X/Twitter, it already successfully connects dozens of independently developed software applications running on tens of thousands of independently operated servers and implementing feature sets that go far beyond traditional social networking.

To enable even more innovative developers to successfully connect their applications to the Fediverse, and their users to successfully interoperate with users using different software, it needs to become much simpler and cost-effective for developers to 1) know that they have implemented the relevant standards (notably ActivityPub) correctly, that their implementation is not regressing and that 2) their software indeed delivers the experience users expect from interoperability with other software developed independently by other developers.

This project brings together a group of fediverse developers to set up an automated test framework and initial test cases in an open-source project that will systematically test standards conformance, ensure meeting user expectations for interoperability of Fediverse apps, and enable a new wave of innovation based on more trustworthy infrastructure.

>> Read more about Fediverse Test Suite

Enhancing Firefox for Linux on Mobile — Mobile native feature-complete Firefox

Enhancing Firefox for Linux on Mobile aims to offer a privacy respecting alternative to Chromium-based browsers by improving the user experience (UX) of Firefox on small form factor devices (mobile, tablet) running Linux. We will update the Firefox codebase, primarily the user interface (UI) and the rendering engine. Additionally, we will collaborate with Mozilla to ensure that our modifications are included in Firefox to reduce the maintenance burden by sharing a common codebase across the different projects. As a side effect, our modifications will benefit all Firefox Desktop users including Windows when the Firefox application window is not maximized.

>> Read more about Enhancing Firefox for Linux on Mobile

Flashkeeper — Write Protection on SOIC-8 flash chips without soldering

Firmware security projects such as Heads assume the firmware itself to be protected against tampering. Outside of proprietary solutions Boot Guard, partial write protection (WP) of the SPI flash chip (recently implemented by 3mdeb) is one solution. However, WP requires grounding the chip's WP pin, something that currently requires users to solder to the chip. As many users find this difficult, this has limited "retrofit" adoption of WP.

This project is developing Flashkeeper, a device that can be permanently installed on a common SOIC-8 flash chip. It attaches to the chip with a peel-and-stick layer and spring-loaded contacts or low-profile solder-down flex cable, interfacing with the SPI flash pins for easy write protection and external reprogramming (unbricking). For users concerned with physical attacks on their systems, for whom easy access to SPI flash pins may be seen as a risk, a variant including a microcontroller (MCU) is also being developed, allowing authenticated external reprogramming and WP control, and independently verifying the SPI flash image against a user-controlled signature each boot.

>> Read more about Flashkeeper

ForgeFed Frontend — Improved UI for federated version control repositories

Software developers often use websites called forges, where they collaborate on software projects. But these forge platforms are centralized, leading to the community flocking into big privately- controlled forges. The ForgeFed project is creating a protocol specification and a reference implementation for forge communication, allowing forge websites to form a decentralized network, putting the power and freedom of choice back in the hands of the community.

>> Read more about ForgeFed Frontend

GPGPU Playground — A virtual GPU to learn GPU programming

GPUs are an extremely effective and widely deployed vector co-processor, and yet those interested in adapting their capabilities are faced with a very high barrier to entry. Tools like OpenCL, CUDA, and WebGL all require a broad background to get started solving even simple problems, and mistakes in larger programs can be nearly impossible to identify without an even deeper level of experience. This project takes advantage of WebAssembly and Vulkan's SPIR-V format to deliver a safe, on-demand toolkit for exploring the potential of GPUs, focused on applications outside the bounds of traditional graphics acceleration.

>> Read more about GPGPU Playground

Galene — High quality libre videoconferencing server

Galene is a complete self-hosted videoconferencing system that has been designed to be easy to install and to manage, to preserve the users' privacy, and that uses very moderate server resources. Galene has been continuously used in production to host university lectures and staff meetings since September 2020, as well as to host a number of international conferences during the COVID pandemic. The goal of this project is to improve Galene to make it use state-of-the-art networking and video algorithms, to improve its management features, and to add a number of user-visible features, such as background blur and automatic subtitling.

>> Read more about Galene

Gancio — Shared agenda for local communities that supports Activity Pub

Gancio is a shared agenda for local communities, and was the first one to support Activity Pub. Gancio focuses on cross-cutting collaboration through its decentralized instances that allow to connect communities. This enabling users to easily discover and engage in events in their neighborhood, as well as elsewhere - while avoiding attention-based business models and intrusive advertisements.

The focus of this project are a numberof new features such as implementing HTTP Signatures, moderation and onion routing, as well as improving compatibility with other Fediverse event tools. In addition, the team seeks to establish a common agreed upon event format to make the interaction with such tools more streamlined.

>> Read more about Gancio

Collection of Verified multi-platform Gatewares — Comprehensive repository of open source gateware designs

The "Verified Multi-Platform Gatewares" project will create a comprehensive repository of gateware designs that are compatible with various FPGA development environments and boards. The goal is to reduce the barriers to FPGA development by providing designs that are rigorously tested and maintained for compatibility. The project will host these open source designs on a dedicated website, ensuring they work seamlessly across multiple toolchains and boards. The collection will range from beginner to advanced designs, serving as educational resources and benchmarking tools, continually updated to prevent bitrot.

>> Read more about Collection of Verified multi-platform Gatewares

Goupile — Secure forms including Clinical Report Forms (eCRF)

Goupile is an open-source form editor designed for data collection in research, particularly in health, replacing traditional paper case report forms (CRF) with electronic versions (eCRF) accessible on computers and mobile devices. Developed by the InterHop.org association, it allows users to easily create customized forms with a programming approach using JavaScript, which enables the creation of highly dynamic and interactive forms with ease. Goupile also provides user management, data recording, synchronization, and options for online and offline data collection. Users can choose to self-host Goupile or utilize a turnkey service on certified HDS servers (Sofware As A Service SAAS), all while benefiting from InterHop's support for the development of new features.

>> Read more about Goupile

Guix-Daemon — Transition to a Guile implementation of the guix-daemon

GNU Guix is a transactional package manager and a distribution of the GNU system that respects user freedom. A key component in Guix is the guix-daemon, currently implemented in C++. Much of the power and flexibility of Guix comes from all of the package definitions and surrounding tooling being implemented in GNU Guile, however this doesn't extend to the guix-daemon. This difference has been a limiting factor in making changes and improvements to the way the guix-daemon works and is interacted with. The expected outcome of this project is to have a Guile implementation of the guix-daemon, and to transition to this being the default guix-daemon used. This will improve the maintainability and portability of the guix-daemon and Guix overall, as well as unlocking future improvements to the guix-daemon and connected tools.

>> Read more about Guix-Daemon

Open Hardware Manuals — Automatically generate user-friendly documentation for open hardware elements

This project will create a tool that automatically generates Computer-Aided Design (CAD) models, assembly documentation, graphics, and user guides based on user provided configurations. These documents can be continuously updated, localized, and are shareable - akin to an always up-to-date Ikea-style assembly guide. The tools developed during this project will also be applicable to other open hardware projects, empowering designers to produce hardware that is more adapted to specific contexts, without creating fragile documentation that always goes out of date when a change is made to the design.

>> Read more about Open Hardware Manuals

SCE, DelTiC and Antler — High-Fidelity Congestion Control

Some Congestion Experienced (SCE) is a project in high-fidelity congestion control (HFCC) that aims to stabilize transport congestion windows, thereby reducing queueing delay and jitter, and increasing link utilization. Our goals under NGI Zero are to complete the DelTiC (Delay Time Control) AQM algorithm, implement a new MIMD transport response aiming for max-min-fair flow competition at shared bottlenecks, and release a purpose-built congestion control testing tool, Antler v1.0. We will inform the CC community about our work, and update our Internet Drafts to keep the door open for future standardization, should the opportunity arise.

>> Read more about SCE, DelTiC and Antler

Holo Routing — A novel routing stack in Rust, including IS-IS routing

Holo is a suite of routing protocols designed to address the needs of modern networks. Holo was started in response to the increasing trend in the networking field towards automation, where network devices are expected to be managed programatically using a variety of standard interfaces. Written in Rust, a memory-safe language, Holo prioritizes reliability, ease of maintenance, and security.

This project aims to extend Holo by incorporating support for the IS-IS protocol, one of the most widely used interior routing protocols. The IS-IS implementation will encompass both IPv4 and IPv6 support, cryptographic authentication, and extensions for traffic engineering. Rigorous testing against multiple vendors and comprehensive conformance tests will ensure the interoperability and robustness of the implementation.

>> Read more about Holo Routing

IPDL II — A new process logic aimed at formal proofs for cryptographic algorithm

Our project IPDL aims to increase the trustworthiness of large cryptographic systems by designing and implementing a natural and principled way of thinking about them. IPDL, short for Interactive Probabilistic Dependency Logic, is a process calculus and software implementation for formally verifying message-passing cryptographic protocols. Our goal is to use IPDL to develop cryptographic foundations that are both composable and concurrent. Concurrency means that our model of computation natively allows processes to run at the same time; composability allows us to prove the system secure by verifying the security of its subparts. In this setting, formal proofs closely resemble the thinking of a cryptographer.

>> Read more about IPDL II

IPv6-monostack - upstream Linux SIIT/NAT64 — Commoditizing NAT64 and IP/ICMP translation to accelerate IPv6 deployment

NAT64/SIIT technology is critical in enabling networks to transition away from the legacy internet protocol IPv4, yet this network function is currently expensive and hard to deploy, seriously hampering adoption. We believe we can remedy this situation by getting this translation technology accepted into the upstream Linux kernel thus paving the way to rapid and widespread adoption, accelerating IPv6 adoption overall.

>> Read more about IPv6-monostack - upstream Linux SIIT/NAT64

ISCC-CORE typescript implementation library — Decentralised content identifiers through ISO 24138.

The goal of this project is to implement core functions of the new ISCC standard ISO 24138:2024 (“International Standard Content Code”) in Typescript, resulting in a library will be useful for the javascript ecosystem and developers to use and work with this new standard in their project.

ISCC is a similarity preserving fingerprint and identifier for digital media assets. ISCCs are generated algorithmically from digital content, just like cryptographic hashes. However, instead of using a single cryptographic hash function to identify data only, the ISCC uses various algorithms to create a composite identifier that exhibits similarity-preserving properties (soft hash). This supports content deduplication, database synchronization, indexing, integrity verification, timestamping, versioning, data provenance, similarity clustering, anomaly detection, usage tracking, allocation of royalties, fact-checking and other use-cases.

>> Read more about ISCC-CORE typescript implementation library

IotECC — Lightweight Elliptic Curve Cryptography for small chips

This project is building an open-source software library for modern Elliptic Curve Cryptography (ECC). To achieve this, the project aims for a unique trade-off between three different (and partly conflicting) goals that is currently not offered by any of the existing ECC libraries for small 8/16/32-bit microcontrollers. The first goal is efficiency, which includes not only fast execution times, but also small code size and low RAM usage. Equally important as efficiency is the second goal, namely security, and this includes not only the absence of subtle bugs that could leak secret information, but also robustness against timing-based side-channel attacks. The third goal is usability, which is achieved by a simple and intuitive API, an easily readable and well-commented source code, and a rich documentation with examples for common use cases.

IoTECC will come with highly-optimized Assembly functions for the low-level field-arithmetic for 8-bit AVR, 16-bit MSP430, as well as 32-bit ARM Cortex-M3 and RISC-V microcontrollers. The higher-level functions are written in C and shared among the different platforms to minimize the code base and reduce complexity.

>> Read more about IotECC

Irdest IP Traffic Proxy — Route existing IP-network traffic through an Irdest network

An Irdest network allows users to easily create locally focused mesh networks amongst their communities and friend circles. To allow applications not written for this mesh network (using IP traffic routing) to route traffic through the Irdest network a proxy is required. This proxy is responsible for managing routes on entry and exit nodes, announcing routes, and allowing users control over which exit nodes they want to use for different target IP addresses. The goal of this proxy is to provide a better out-of-the box experience for new users, and expanding the scope of usable scenarios.

>> Read more about Irdest IP Traffic Proxy

IronCalc — Embeddable spreadsheet engine written in Rust

IronCalc is a versatile open-source spreadsheet engine written in Rust from the ground up, employing modern programming best practices. It can be used from any programming language or from end-user products like Web IronCalc. Around the world, millions of spreadsheets are used for accounting, data analysis, processing, educational purposes, collaboration, sharing, etc. IronCalc aims to be an all-purpose alternative to Excel or Google Sheets, filling an important gap in the democratisation of spreadsheets. Suited for companies, individuals, and schools alike, the project aims to be feature-rich, international, fast, and lightweight.

>> Read more about IronCalc

Ironclad — Hard real-time capable kernel written in SPARK/Ada

Ironclad is a partially formally verified, hard real-time capable kernel for general-purpose and embedded uses, written in SPARK and Ada. It is comprised of 100% free software, free in the sense that it respects the user's freedom. By providing a UNIX-like interface which ensures an easy porting process from Linux and BSD distributions, Ironclad aims to be a solution for developers searching for a security-first, resilient platform with the smallest barrier to entry.

This project will work on expanding hardware support for x86_64 Intel and AMD based systems, bringing Ironclad to RISC-V 64 bit based platforms, expanding several areas of the kernel, and work on Ironclad-based distributions.

>> Read more about Ironclad

JSON-Joy Peritext — Rich-text CRDT implementations for json-joy CRDT

json-joy is an open source library for building distributed collaborative web applications, its major focus is on implementing performant state-of-the-art CRDT algorithms. This project aims to implement a Peritext-like rich-text CRDT on top of the JSON CRDT Specification as part of the json-joy library. The goal of the project is to implement a production-ready collaborative rich-text editing algorithm, Peritext, and supporting modules for the json-joy library. The project will also improve on the originally proposed Peritext algorithm by leveraging JSON CRDT data structures to make various rich-text annotations mutable and block elements nestable.

>> Read more about JSON-Joy Peritext

KDE Plasma Wayland — Accessibility and advanced graphics input support for KDE Plasma Wayland

Plasma is the desktop provided by the KDE project, one of the largest and most successful open source initiatives in the world. Wayland is the successor of X11 for Unix desktops and the future for many reasons, including security and privacy. However there are some user groups that currently do not have their requirements satisfied. Some people have motor impairments of their arms/hands (such as restricted movement, tremors, or missing fingers) that make it hard or impossible to operate a traditional computer keyboard. Operating systems provide a number of options like sticky keys, slow keys, or bounce keys to accommodate for such disabilities. Another pain point is configuration of graphics tablet input devices. This includes things like mapping the tablet area to an output area, binding tablet/stylus buttons to actions, or configuring pen pressure curves. This project will implement support for these special user groups in KDE Plasma on Wayland.

>> Read more about KDE Plasma Wayland

Knowledge Graph Portal Generator — Automatically generate custom web interfaces for structured data

The Knowledge Graph Portal Generator is a toolkit designed to create user-friendly web portals for Knowledge Graph (KG) datasets, making data from public SPARQL endpoints accessible to users without expertise in semantic technologies. Built on the LinkedDataHub framework, our solution will feature paginated collections, faceted search, and detailed entity views. It will extract RDF ontologies from datasets, generate content configurations, and use these to extend the default LinkedDataHub into a dataset-specific web application.

>> Read more about Knowledge Graph Portal Generator

Kami — Choreography programming language integrated with the Rust ecosystem

Kami is a new programming language, based on the Rust ecosystem, designed from the ground up for correct-by-construction distributed systems. In its core it is pure and functional, thus ideal for building complex concurrent systems. It takes cues from multiparty session types and choreographic programming language research: The behaviour of all roles in a distributed application can be implemented at once from a global point of view. This high-level description is compiled to rust code for all participating roles, with the guarantee that the system will be deadlock-free. Developers can seamlessly drop down to using rust, and all of its ecosystem, for writing local code, while using Kami for composing the local computations into a coherent distributed system. In this project we implement the type-checker, compiler and other developer tools for Kami, to provide for a similarly friendly developer experience as Rust.

>> Read more about Kami

KiCad-IPC — Add RPC API, multichannel designs and schematic variant system to FOSS EDA suite

KiCad is an open source electronics design application (EDA) suite. The program includes schematic capture, printed circuit board (PCB) layout, circuit simulation, 3D viewer, and many other tools to provide the best possible user experience for professional electronics designers while still remaining approachable for new and inexperienced users. It is available for Windows, macOS, and Linux and is released under the GPL3+ license.

>> Read more about KiCad-IPC

LDAP Synchronization Connector — Synchronize data from/to various data sources with LDAP

LSC (LDAP Synchronization Connector) is a community open source software designed to get rid of all customized scripts developed by system admistrators to sync their files or databases to maintain accounts and groups in an LDAP directory. LSC works with one configuration file and can connect to any database, LDAP directory (including Active Directory) or REST API. It solves use cases like "create an account for every new people hired in the company", "lock this account in Active Directory because it was locked in OpenLDAP", "create a group for all people of this department" or "push accounts to this application API". The project will refresh all the dependencies, and add new features such as allowing javascript in LDAP filters.

>> Read more about LDAP Synchronization Connector

LO/CODE Book project — Professional typography inside LibreOffice

The project enhances readability of text documents by adding highly customizable paragraph-level line breaking and microtypography to the LibreOffice/Collabora Online Writer word processors. It creates a new type of software, with the print quality of proprietary DTP programs and with productivity of word processors. It saves paper and screen area with a compact paragraph layout and readable multi-column pagination. It should result in proposals to enhance the OpenDocument format standard (ISO/IEC 26300) which will be submitted for standardization, encouraging future standards to support enhanced readability, especially for people with reading difficulties.

>> Read more about LO/CODE Book project

LabPlot — Scientific and engineering data analysis and visualisation

LabPlot is a free, open source and cross-platform data visualisation and analysis software. It focuses on ease of use and performance. It provides high quality data visualisation and plotting capabilities, as well as reliable and easy data analysis, without requiring any programming skills from the user. Data import and export to and from a variety of formats is supported. LabPlot also allows calculations to be performed in various open source computer algebra systems and languages via an interactive notebook interface.

In this project the team will work on extending the current feature set of the application to reach a wider audience. This includes scripting capabilities (in Python only in the initial implementation) to script and automate repetitive data visualisation and analysis workflows and to allow control of LabPlot from external applications via a public interface. The second feature that will be worked on is the ability to apply analysis functions such as FFT, smoothing, etc. to live/streaming data (data imported into LabPlot and modified externally). And thirdly, statistical analysis including common hypothesis tests, correlations, regressions and data panning.

>> Read more about LabPlot

Lemmy Scale — ActivityPub-powered social link aggregation and discussion

Lemmy is an open-source, easily self-hostable link aggregator that is used to share, discover and discuss whatever comes to mind. Unlinke proprietary services that welcome users only on their own terms, Lemmy instances can each determine their own course. Lemmy implements the W3C ActivityPub standard, and federates with other ActivityPub services such as Mastodon, Funkwhale and Peertube. Users registered on one server from one of these services are able to subscribe to communities on other servers where they can have discussions with users registered elsewhere.

In this project, a number of noteworthy features are worked on, ranging from improving UX, federation, APIs, storage optimisation, tagging, polls, and more.

>> Read more about Lemmy Scale

LibreQoS 2.1 — Transactional Move System and improved APIs for LibreQoS

LibreQoS is a Quality of Experience (QoE) open source platform that leverages the state of the art (and IETF standardized) Flow Queueing (FQ) and Active Queue Management (AQM) algorithm CAKE to help Internet Service Providers (ISPs) enhance their customers' internet connections. It effectively manages latency and bufferbloat over existing infrastructure. LibreQos ensures fair sharing of bandwidth, prioritizes critical real-time applications and promotes connection quality, equity and access.

This project adds API functionality, which will make scaling LibreQoS to multiple servers much easier, allowing ISP operators to break the current 70 Gbps per server barrier. In addition, this project allows for a new Transactional Move System, which prevents any packet loss upon reload/refresh of shaper rules - allowing LibreQoS to scale to much larger ISP networks, improving internet connectivity for millions more end-users worldwide.

>> Read more about LibreQoS 2.1

Librecast Overlay Multicast — Privacy-preserving, energy efficient data replication and verification

The original design goals of the Internet do not match today's privacy and security needs, and this is evident in the technologies in use today.

The Librecast project contributes to decentralizing the Internet by enabling multicast. Multicast is an important network capability for a secure, decentralized and private by default Next Generation Internet. Multicast is networking with consent. Unfortunately, today's infrastructure does not fully support end to end multicast. In order to reap the benefits of multicast in the applications we build now, we need a transitional mechanism which enables overlay multicast via peer to peer tunnels so that multicast applications - using the Librecast libraries - can work everywhere, regardless of underlying network support.

The Librecast project is building the transitional protocols and software required to extend the reach of multicast and enable easy deployment by software developers, to make end to end encrypted multicast a reality.

>> Read more about Librecast Overlay Multicast

LANShield — Constrain local network access for mobile devices

LANShield is a tool that will give users control over which apps and programs are allowed to access devices in the local network. This is done to defend against malicious apps that may try to scan the user's local network and subsequently leak sensitive information. For instance, when an app tries to access the local network for the first time, the user is asked whether this app should be allowed to access local devices. The project will also investigate models and protocols to safely enable an app to communicate with local devices, with the idea that apps can use this protocol to access local devices without requiring explicit user permission. The project will also investigate how to integrate this defence into Android.

>> Read more about LANShield

Loops — ActivityPub based sharing of short video clips

Loops is an innovative Fediverse platform inspired by TikTok and powered by the decentralized ActivityPub protocol. It aims to deliver personalized short-form video content through a "For You" recommendation algorithm, enhancing user engagement and discovery. The platform supports interactive features like comments and video remixes, fostering a creative and collaborative community. By connecting with the Fediverse, Loops gives users more control over their data, better privacy, and the ability to interact with other platforms—making it an exciting new way to experience social media in our ever-changing world.

>> Read more about Loops

MEGA65 Phone Modular MVP — OSHW mobile device with form-factor of hand-held game consoles

The previous MEGAphone project laid the groundwork for creating personal communications devices that are secure through simplicity. This project extends that work by making the hardware modular, at some cost of minimum size, so that it becomes much more feasible for small communities to produce and maintain their own units, even in the face of supply chain challenges and other contributors to the "digital winter", i.e., the situation where open innovation becomes more difficult due to number of factors. This will also make it easier to include diverse resilient communications options, whether RF, optical or acoustic, so that peer-to-peer communications networks can be sustained even in environments that are hostile to freedom of communications. For this reason energy sovereignty will also be part of the design, so that even if all civil infrastructure is denied, that basic communications and computing functions can be sustained, with a single device whose security can be much more easily reasoned about.

>> Read more about MEGA65 Phone Modular MVP

Improving the deployability of Multipath TCP — Improve MPTCP support in the Linux kernel

Multipath TCP (MPTCP) is a standardised technology extending TCP and invented in Europe. TCP is one of the key protocols of the TCP/IP protocol stack, designed in the 1970s when hosts were attached to the network through a single cable. Today's hosts have several network interfaces, but TCP only uses one of them for a given connection. Multipath TCP solves this problem by enabling TCP connections to exchange packets over different network interfaces. With the current version of MPTCP in the Linux kernel, most of the features listed in the RFC8684 are implemented. Basic use-cases are supported but still it doesn't mean the solution is covering all needs and is easy enough to use. In short, MPTCP works well in some controlled environments but not as good in too heterogeneous ones like it is common to see on the Internet. Also its configuration is sometimes seen as difficult and/or confusing for the moment. Some work is then still needed to cover more use-cases plus to improve the usability and performances in order to have Multipath TCP adopted by a broader audience.

>> Read more about Improving the deployability of Multipath TCP

Improving the deployability of Multipath TCP, part 2 — Improve MPTCP support in the Linux kernel

Multipath TCP (MPTCP) is a standardised technology extending TCP and invented in Europe. TCP is one of the key protocols of the TCP/IP protocol stack, designed in the 1970s when hosts were attached to the network through a single cable. Today's hosts have several network interfaces, but TCP only uses one of them for a given connection. Multipath TCP solves this problem by enabling TCP connections to exchange packets over different network interfaces. With the current version of MPTCP in the Linux kernel, most of the features listed in the RFC8684 are implemented. Basic use-cases are supported but still it doesn't mean the solution is covering all needs and is easy enough to use. In short, MPTCP works well in controlled environments but there is room for improvement in heterogeneous ones. Some work is then still needed to cover more use-cases plus to improve the usability and performances in order to have Multipath TCP adopted by a broader audience.

>> Read more about Improving the deployability of Multipath TCP, part 2

MailBox renewal — Performance upgrade of MailBox mail modules

Email is still the workhorse of the internet, and behind the screens some of the heavy lifting is by applications like the Mailbox modules. Under the hood, this software is processing billions of emails every day at some of the largest players in the industry.

The project will deliver a major update of the code after two decades. This is not only long overdue, but actually offers interesting opportunities to take into account new email related RFCs, investigate new possibilities for code optimisation as well as tackling new threats like SMTP smuggling.

As a bonus, the project will work on a standalone tool to be able to once more properly forward emails in the SPF/DMARC era - a very welcome capability, the lack of which is currently causing a lot of headache and lost email for users.

>> Read more about MailBox renewal

Miru — Multi-track video editing and real-time AR effects

Miru is a new set of modular, extensible Web platform tools and components for still image and multi-track video editing and state-of-the-art, real-time AR. Using WebGL, WebAssembly, and open source, mobile-optimized machine learning models, Miru will give people on the social web the tools to edit images and apply interactive effects to recorded video without compromising on privacy and transparency. Miru aims to provide intuitive and user-friendly UIs which developers can easily integrate into their Web apps regardless of the frontend frameworks they use.

>> Read more about Miru

postmarketOS/phosh-mobile-settings integration — Consolidate functionality of FOSS mobile settings applications

Currently, there is no easy way for applications to install settings that then show up in the system's settings app on desktop Linux systems. As part of bringing desktop Linux to mobile phones in postmarketOS, we have created a "tweaks" app for phone-specific configuration options. With this project, the options in this tweaks app will be converted to a format described by a specification which settings apps then can implement. This in turn is part of a broader effort to make desktop Linux suitable for running on mobile phones as a means to create an operating system for phones without excessive user tracking or built-in ads, with a focus on the user instead of money.

>> Read more about postmarketOS/phosh-mobile-settings integration

Mobilizon UX — Share events on the fediverse

Mobilizon enables the creation of community venues for organising and promoting local and topical events, activities, and groups. These instances can share information using the ActivityPub protocol, allowing users to publish their events on one Mobilizon server and propagate these elsewhere. Mobilizon is designed to be user-friendly and empowering.

In order to reach a wider audience with Mobilizon, we need to make sure we serve the needs of users well - whether they are instance administrators, event organisers, or end users. We will conduct workshops to study how each of these interacts with Mobilizon and understand their expectations, so that we can develop Mobilizon accordingly. Additionally, we will test, document and improve interoperability with other Mobilizon instances, other fediverse applications, and other websites in general. This can be achieved through plugins, APIs, and aligning on standard formats such as Ical. Ultimately, communicating about local activities will become more efficient and finding local activities easier.

>> Read more about Mobilizon UX

Movedata — Privacy-preserving, energy efficient data replication and verification

MOVEDATA is an efficient and privacy-preserving tool to distribute large blocks of data, such as the contents of a whole storage device (or a device image), with zero knowledge of the structure or meaning of the data to enhance the privacy aspect, and using multicast and other technologies for efficiency, both in terms of network bandwidth and of energy usage. Ease of use is also of particular concern, providing different interfaces adapted to different use cases.

>> Read more about Movedata

Movim — Add end-to-end encrypted videocalls to Movim XMPP

Movim is a web-based social and chat platform that acts as a frontend for the XMPP network. The goal of this project is to modernize and extend the long-existing audio and video conferencing features in three major steps. First, the existing UI will be completely refactored and redesigned to better integrate the conferencing features into the existing pages and flows. Secondly, Movim will support one-to-many call features and offer full compatibility with other XMPP clients building upon the step-one features but without relying on a central server to handle the media streams. And finally, to handle conference calls with a large number of participants, Movim will standardize and integrate SFU (Selective Forwarding Unit) support that will then lift the streams network bottlenecks offering a complete and scalable experience to its users. With those three steps fulfilled Movim will then be able to greatly simplify fully standard XMPP audio and video conferencing calls on the web.

>> Read more about Movim

NixBox — Nix integration with netbox

NixBox is a modern approach to network deployments, it combines the configuration management powers of nix with the documentation capabilities provided by NetBox. It focuses on testability, reliability and automation while making your network documentation your configuration. Our goals are to reduce downtime and improve network visibility. Utilizing virtual machine tests we can ensure that your deployment will actually work before you ship it to production.

>> Read more about NixBox

NodeBB — ActivityPub support and accessibility improvements for forum software

NodeBB is a Node.js based community forum software utilizes web sockets for instant interactions and real-time notifications. NodeBB benefits from modern features like real-time streaming discussions, mobile responsiveness, and rich RESTful read/write APIs, while staying true to the original bulletin board/forum format — categorical hierarchies, local user accounts, and asynchronous messaging.

In this project, the team will be working on bringing ActivityPub integration to NodeBB, in order to allow forums to become truly interconnected with other ActivityPub-enabled applications throughout the wider Fediverse (of course including other NodeBB forums). The absolute hardest part of starting a community — forum or otherwise — is gaining a critical mass of adoption in order to sustain interest and content. What if we could bypass this hurdle altogether?

>> Read more about NodeBB

O-ESD: Open-hardware for ElectroStatic Discharge testing — Open-hardware for ElectroStatic Discharge testing

The goals of the Open-hardware for ElectroStatic Discharge testing (O-ESD) is to design, produce and verify an open-hardware and accompanying open-software for a device for electrostatic discharge testing. Electrostatic discharge is a phenomenon that occurs daily between humans and electronics and can irreversibly damage the electronics. All consumer electronics sold in EU, including all internet hardware, must satisfy Electromagnetic Compatibility (EMC) Directive. One of the most hardest tests within EMC directive deals with electrostatic discharge as defined by IEC/EN 61000-4-2 standard. Standardized tests are typically done with special equipment in accredited EMC laboratories and are costly. The O-ESD tester will minimize the costs of pre-compliance testing and make it publicly available.

>> Read more about O-ESD: Open-hardware for ElectroStatic Discharge testing

OCaml-QUIC — Implement QUIC/QUIC-TLS/QPACK and HTTP/3 in OCAML

HTTP/3 is the most recent version of the Hypertext Transfer Protocol used to exchange information on the World Wide Web. Like the QUIC transport layer protocol it uses, it is standardized by the Internet Engineering Task Force (IETF). OCaml-QUIC is an implementation of QUIC (RFC9000), QPACK (RFC9204), HTTP/3 (RFC9114) and associated protocols in OCaml, an industrial, functional, memory safe programming language, used in sectors ranging from finance and research to social media and web application.

The project aims to provide an open, complete implementation of the aforementioned protocols to be used and deployed in embedded devices, POSIX/UNIX operating systems and unikernels (self-contained, library operating systems).

>> Read more about OCaml-QUIC

OWASP dep-scan — Security and risk audit tool

OWASP dep-scan is a next-generation Software Composition Analysis (SCA) tool based on known vulnerabilities, advisories, and license limitations for applications, container images, and Linux virtual machines. Powered by abc - AppThreat atom, OWASP blint, and CycloneDX Generator (cdxgen) - dep-scan performs a range of advanced code hierarchy and lifecycle analysis (for example, reachability analysis) to improve precision and reduce false positives, thus helping developers and AppSec people focus on supply chain vulnerabilities and risks that needs real attention.

Dep-scan is purpose-built to be integrated in CI, Vulnerability Management platforms, and air-gapped environments. Dep-scan can perform all the analysis offline, with no code or SBOM leaving your environment. The tool supports generating reports in CycloneDX VDR, OASIS CSAF VEX, HTML, PDF, and Markdown formats.

>> Read more about OWASP dep-scan

owi — Symbolic evaluator and fuzzing of WASM software

WebAssembly (Wasm) is a post-JavaScript code format for the web, enabling efficient computing, with built-in sandboxed execution. Its usage is expanding: it is now used in online services, in embedded systems and to create portable binaries.

Owi is a toolkit tailored for Wasm. In particular it can perform efficient symbolic program execution. That is to say, for a given program, it is able to find input values leading to a crash. Many languages are compiling to Wasm, e.g. C/C++/Rust. Owi can thus be used as a bug-finding tool working on any of these languages. We're currently improving the usability of the tool as a part of the testing workflow for developers, the first step of this work is to provide an interface making Owi a drop-in replacement for AFL.

>> Read more about owi

Omnom — Add social layer to personal bookmarking

Omnom is a web-based, self-hosted bookmarking and snapshotting platform that can create identical snapshots of any opened webpage to what it looks like in the browser at the time of creating the snapshot. It consists of a browser addon compatible with Firefox and Chrome based browsers and a multi-user web based application. The goal of this project is to add social features and improve user experience.

>> Read more about Omnom

OpenCarLink — Security tooling for vehicle ODB2 ports

OpenCarLink is an initiative aimed at revolutionizing vehicle diagnostics and security through the development of an open hardware device for vehicle OBD2 ports. By supporting communication protocols such as DOIP, CAN, Kline, and Single-Wire CAN, OpenCarLink enables users to perform remote diagnostics, real-time emissions tracking, enhanced vehicle security through penetration testing, and increased driver safety via behavioral data tracking. This project promotes an open and innovative future for the European mobility sector by help circumventing manufacturer limitations. By releasing the hardware design under an open-source license, OpenCarLink fosters a environment where enthusiasts, researchers, and professionals can contribute to and benefit from the advancements in vehicle diagnostics and control. With a focus on democratizing access to the DOIP protocol, OpenCarLink challenges the restrictive policies and secrecy that currently dominate the automotive industry, help paving the way for a more open and informed society.

>> Read more about OpenCarLink

Open Cloud Mesh — Improved specs and test suite for Open Cloud Mesh protocol

The Open Cloud Mesh protocol, at its core, defines a wonderfully simple JSON payload to notify another server when a user wants to share a folder or file with a user on that server. It is implemented by some major Enterprise File Sync and Share (EFSS) vendors, and used in production by several serious organisations - including major National Research and Education Networks (NRENs). But its specification and test suite are still lacking in substance and quality. In this project we will improve the specification text, flesh it out to a more strictly defined (RFC-style) text that addresses all aspects and considerations of the protocol. In addition we improve the test suite so that it can be run in Continuous Integration (CI) instead of requiring frequent manual intervention, and clarify any incompatibilities we find between implementations.

>> Read more about Open Cloud Mesh

OpenEMSH — Automatic mesher for FDTD simulation

OpenEMS is arguably the only free and open source FDTD solver out there that is usable out of the box for RF (Radio Frequency electromagnetics) design. Its main competitive disadvantage is that FDTD requires simulated models to be meshed according to specific rules, yet it does not provide an automatic mesher to create such meshes. Some facilities already do exist but meshing by hand is time-consuming and error-prone - enough to stand in the way of broader adoption. OpenEMSH aims to be a mesher for OpenEMS that makes it as simple to use as any proprietary solution.

>> Read more about OpenEMSH

OpenHarbors — Dynamic Tunneling of WPA over IP/L2TP

OpenHarbors wants to establish a novel approach for secure communication over an untrusted Wifi network - and beyond: Dynamic tunneling of WPA over IP/L2TP. Why? Because current, secure solutions are not satisfactory: They are either hard to set up, require extra software in advance or are not applicable on an open wireless community mesh network like Freifunk.

OpenHarbors will utilize and implement WPA Enterprise with an extra twist: Instead of providing an encryption channel only between your mobile device and the direct WLAN access point you will be able to securely dial-out at any location on the internet you trust and choose and are granted access to. Without the hassle of installing and setting up an extra VPN software on your phone. Without the need of a trusted WLAN access point operator model or closed source firmware, in contrast to current approaches with Passpoint/Hotspot 2.0/eduroam/WBA OpenRoaming and similar - which all are conceptually not applicable on open wireless community mesh networks.

>> Read more about OpenHarbors

Open Web Calendar Stack — Aggregate public and private web calendars

The Open Web Calendar stack is an open-source set of Python libraries and programs which read and write calendars based on the iCalendar standard. The Open Web Calendar displays a highly configurable website that can be embedded to show a calendar. Currently, ICS URLs are supported and a goal is to also support CalDAV.

Amongst the used libraries is the popular icalendar library to parse and write iCalendar (RFC5545) information. This cornerstone of Python's ecosystem requires some work to be up-to-date with common practice such as updating the timezone implementation. The updates to the icalendar library will be tested and also pushed up the stack to the Open Web Calendar.

The recurrence calculation of events is done by the python-recurring-ical-events library. Changes to icalendar will be tested against this library to find compatibility issues. As the iCalendar standard has been updated, recurrence calculation is affected, too. These updates need to be evaluated and possibly implemented for both icalendar and the recurrence calculation.

By implementing changes at the base, the whole stack is improved. We can use the Open Web Calendar project to make sure that possible transitions and updates are mapped out and communicated to other projects in the ecosystem. Improving a FOSS solution thus spreads the accessibility of iCalendar.

>> Read more about Open Web Calendar Stack

openwifi: 802.11a/g/n maturity — Improved stability, data rate and reach of openwifi

Wi-Fi has become ubiquitous in modern society. While many people might assume that the Wi-Fi chip in AP, mobile devices, and computers is a dumb device that merely sends and receives packets over the air, the reality is far more complex. Even the most affordable Wi-Fi chips are sophisticated heterogeneous computing systems, as highlighted by many researchers and hackers. These chips contain multiple types of firmware and silicon fabric working together. The lack of open-source Wi-Fi chips and the transparency of commercial Wi-Fi chips have raised many security concerns: The security threats over Wi-Fi have emerged for years. Openwifi (https://github.com/open-sdr) aims to address this issue. It is the first open-source soft-MAC Wi-Fi chip/FPGA design, initially released at the end of 2019, with 802.11n added in 2020. As more users, researchers, and hackers engage with the project, they have identified issues related to stability, data rate, and communication distance. This maturity-elevating project aims to tackle these issues through improvements in the Linux driver, FPGA, and RF control. The enhanced version will be comparable to commercial Wi-Fi4 chips, such as the ath9k series, and will be capable of operating in more realistic electromagnetic environments rather than just short-range, controlled environments. These advancements will facilitate broader adoption of the project and lay a solid foundation for future developments, including the creation of a real chip.

>> Read more about openwifi: 802.11a/g/n maturity

Openfire IPv6 support — Add IPv6 support to the Openfire XMPP server

Openfire is an open-source, mature, cross-platform, real-time collaboration server based on the XMPP protocol. Originating around the turn of the century, IPv6 was not explicitly supported when it was originally created. As shown by anecdotal evidence, some IPv6 functionality already ‘works’ in Openfire. This, however, is accidental, and not by design. This project intends to add explicit IPv6 support to Openfire.

>> Read more about Openfire IPv6 support

PTT — Unikernel Mailing list server in OCAML

Email is still one of the main channel of communication.Setting up and maintaining something as simple as a reliable mailing list in-house is significantly more complex than it ought to be. Out of convenience, many organisations and communities outsource running their maiilng lists service to third-party agents. However, this not only creates an unnecessary dependency but also reduces confidentiality, which can be a critical aspect.

This project has the ambition to win back the means of communication, developing a new mailing list application service that is easier to maintain securely (through unikernels using MirageOS), and is efficient in terms of resource usage. The service should integrate into existing infrastructures seamlessly.

>> Read more about PTT

Patchouli — Arbitrary-sized open hardware EM pen products

Patchouli is an open-source electro-magnetic drawing tablet hardware implementation, including a coil array, an RF front end built using commercially available parts, and digital signal processing algorithms. The design is compatible with most commercial pens from different vendors, offering an ultra-low-latency pen input experience for your customized hardware projects. The hardware is released under the CERN-OHL-S license, and the firmware/simulation code is released under the GPL3+ license.

>> Read more about Patchouli

Pijul ecosystem — A modern patch-based version control system

Pijul is a modern patch-based version control system that addresses many shortcomings found in existing tools. While its foundations are already mature and well-tested, it lacks many conveniences users expect from the ecosystems of popular tools such as Git. This project aims to significantly reduce Pijul's barrier to adoption by addressing common areas of user feedback - documentation, usability, robustness, and integration into other tools such as text editors or CLI prompts. We believe this will improve the workflow of existing users, and enable many more to adopt Pijul and its benefits without sacrificing other parts of their workflow.

>> Read more about Pijul ecosystem

Pijul Hybrid — Hybrid patch-based/snapshot-based system for distributed versioning

The project summary for this project is not yet available. Please come back soon!

>> Read more about Pijul Hybrid

Pimalaya PIM — Memory-safe emails, contacts, calendars, tasks and more

Pimalaya aims to improve open-source tooling related to Personal Information Management (PIM). Pimalaya has two objectives: to provide solid Rust libraries dedicated to the PIM domain, which serve as a basis for all sorts of top-level applications (meaning their developers can focus on functionality) and to develop a number of quality applications on top of these libraries.

Within the scope of this project, Pimalaya will release additional production-grade libraries and tools, expanding its scope to contacts and calendars — through contact and calendar libraries, command line interfaces and plugins. At the end of this grant, the Pimalaya project covers not just email but also contacts, events, alarm and tasks.

>> Read more about Pimalaya PIM

Pleroma — Scalable ActivityPub server written in Elixir

Pleroma is an extendable ActivityPub communication server. Pleroma can be as light-weight as you want it to be, fit for both running from a homeserver or from more serious infrastructure. Pleroma embraces customization. Instead of trying to dictate how users should use our software, we give them options. From the backend to the frontend, there are hundreds of configurable options to satify the different needs of everyone. We know there's no single setup that works for everyone, and are more than willing to listen to users' feedback. Being part of fediverse of course means interacting with other servers and Pleroma provides the best experience when displaying other types of content, even non-microblogging.

The Fediverse nowadays is a very big place with a lot of different people, who don't necessarily agree with each other or have good intentions. To help with the insurmountable task to moderate the stream of incoming and outgoing content, Pleroma has Message Rewrite Facility, allowing instance administrators to automatically act upon activities including modifying them and deciding whether to show them in federated timeline or not. Having more detailed and partially automated moderation helps create a network where users don't have to worry about not being able to talk to someone else because the admins didn't have the rights tools at their disposals.

>> Read more about Pleroma

Pre-Scheme — Compile Scheme directly to portable C

Pre-Scheme is a statically-typed dialect of the Scheme programming language which compiles to C, suitable for low-level systems programming. Pre-Scheme is implemented using a sophisticated general-purpose compiler, written in Scheme, with demonstrated applications to other programming languages and compilation targets. This project aims to port the compiler to R7RS, the latest Scheme standard, so that it can run on a variety of modern Scheme implementations. The Pre-Scheme language and tooling will also be updated to meet the expectations of a contemporary developer audience, and the compiler framework will be documented and exposed to support future innovations in programming language development and research.

>> Read more about Pre-Scheme

Protomaps — Self-hostable maps based on OpenStreetMap data

Protomaps is a free and open source map of the world, deployed as a single file you can host yourself. It enables interactive, zoomable mapping applications with only static storage and HTTP Range Requests. It uses the OpenStreetMap dataset as a primary source; its configurable toolchain can create maps with specific areas, custom data, and different cartographic styles. It’s used in earth science, journalism and the public sector. Protomaps has no vendor lock-in, permits end-to- end data sovereignty, and can ensure end-user privacy. 

>> Read more about Protomaps

Py2HWSW — A tool to manage embedded HW/SW project

This project aims to develop an open-source Python framework for managing files, automating project flows of embedded hardware/software codesign projects, and partially generating Verilog hardware components. The framework simplifies the project structure, addresses challenges in Hardware Design Languages like Verilog and VHDL, and automates emulation, simulation, FPGA, and ASIC flows. The proposed Verilog generator offers flexibility, user control and ease of use, producing human-readable code compatible across FPGAs and ASICs.

>> Read more about Py2HWSW

Proper Webcam support in Qemu — Better virtualisation of camera interfaces

QEMU is one of the most popular open source machine emulators and virtualizers. It supports a wide range of architectures and is capable of emulating many types of hardware devices. Many people rely on QEMU to run alternative operating systems or even as a secure development environment.

Sometimes it is necessary to pass camera devices to the QEMU guest and make them available to the system. While it is possible to pass cameras using the generic QEMU USB host emulator, this only works with USB cameras and only makes them available to that single QEMU guest. However, many modern systems move away from USB cameras and provide other interfaces for the camera, and thus cannot be passed through.

Our solution is to use the operating system's video API instead to make the video device available. We will focus on providing proper support for the Video4Linux API to emulate a USB video device so that it works with the already existing OS drivers. With proper integration of a camera subsystem, this opens the door to supporting more camera APIs and even extending paravirtualized VirtIO devices in the future to improve video quality for next generation video devices.

>> Read more about Proper Webcam support in Qemu

Redox OS Unix-style Signals — Add Unix-style signal handling to Redox Operating System

Redox OS is a Unix-like microkernel based operating system written in Rust. It is intended to provide a secure and reliable alternative to Linux. Redox is continuing to add functionality to provide source-code compatibility for most Linux software. This project will provide Redox with Linux-compatible inter-process signals, including signalling to process groups, processes and threads, and improved process management.

>> Read more about Redox OS Unix-style Signals

Renderling — Real-time rendering library on top of WebGPU

Renderling is an innovative, GPU-driven real-time renderer designed for efficient scene rendering with a focus on leveraging GPU capabilities for nearly all rendering operations. Utilizing Rust for shader development, it ensures memory safety and cross-platform compatibility, including web platforms. The project, currently in the alpha stage, aims for rapid loading of GLTF files and handling large, animated scenes with many lighting effects. Development emphasises performance, safety, observability, and the use of modern rendering techniques like forward+ rendering and physically based shading.

>> Read more about Renderling

Free and open source NPU Drivers — Libre drivers for Neural Processing Units

As of today, companies that sell components that include accelerators for machine learning workloads (NPU, TPU, DLA, etc) are generally engaged in vendor lock-in practices that interfere with the ability of their customers to freely choose their partners and adapt their software components to their own needs.

This project aims to incentivize providers of accelerating hardware to move to more fair practices by reverse engineering their hardware and writing open source implementations of the corresponding software stack, for interoperability purposes. These drivers become part of projects such as the Linux kernel and the Mesa project, and will become available to users via existing distributions such as Debian, Fedora and NixOS.

>> Read more about Free and open source NPU Drivers

Rosenpass Broker — Expanding the Rosenpass API's to enable easy integration in applications

Rosenpass is a post-quantum secure cryptographic protocol, an implementation of that protocol in the Rust programming language, and a governance organization stewarding development of both protocol and implementation. When used with WireGuard, Rosenpass functions as a ready-to-use virtual private network with full security against quantum attackers. This project extends the current basic API in order to allow Rosenpass to double as a programming interface for other programmers to integration this functionality into their external applications.

>> Read more about Rosenpass Broker

SCION Open Source Implementation — Performance improvements for SCION reference Implementation

SCION Open Source is an implementation of the SCION architecture that allows trusted, highly resilient, and path-aware routing infrastructure to be built by ISPs, CDN/cloud providers and enterprises. It supports inter-domain multipath routing by discovering paths between participating Autonomous Systems that can be combined into selectable cryptographically validated end-to-end paths. This provides higher assurances that packets will follow particular paths which can prevent route leaks and hijacks, and allow data to be geofenced thereby ensuring compliance with legislation such as GDPR and NIS2. SCION also supports fast multi-path discovery and fast failover as its path discovery process does not rely on BGP iterative convergence or forwarding table updates. Having a performant and robust open source implementation ensures there’s a viable alternative to commercial and closed source implementations which is pre-requisite for some large potential adopters.

>> Read more about SCION Open Source Implementation

SCION-enabled IPFS and libp2p — Enhancing IPFS Performance and Resilience through SCION's Path-Aware Networking

SCION is a clean-slate Next-Generation Internet (NGI) architecture which offers a.o. multi-path and path-awareness capabilities by design. Moreover, SCION was designed to provide route control, failure isolation, and explicit trust information for end-to-end communication. As a result, the SCION architecture provides strong resilience and security properties as an intrinsic consequence of its design. The goal in this project is to leverage the path-awareness in SCION to align the storage and lookup in IPFS with the underlying network in an optimal manner, while at the same time using SCION to establish trust between the entities.

>> Read more about SCION-enabled IPFS and libp2p

Secure Web Tokens for Linux — TPM 2.0 backed FIDO2/U2F tokens on Linux

This project aims to develop a systemd daemon that utilizes the TPM 2.0 security chip to provide FIDO2/U2F tokens for web browsers and operating system applications on Linux. Leveraging the ubiquitous presence of TPM2 in modern PCs, the daemon will enhance security and usability for Linux users. It will allow the integration of security chips as access tokens with web extensions, secure local passwords and HOTP/TOTP managers, and enable hardware-based lock screen authentication mechanisms.

The daemon will interface with the TPM2 chip to manage FIDO2 token generation. It includes support for the "uhid" kernel driver for button press emulation when no fingerprint reader is available for authentication. The project involves developing the daemon, ensuring seamless integration with systemd, and conducting extensive testing for functionality and security. Comprehensive documentation will be provided for setup and use, along with user guides for web extension integration. The outcome will be a robust, secure, and user-friendly solution for Linux users, elevating the baseline security and leveraging existing hardware capabilities to the fullest.

>> Read more about Secure Web Tokens for Linux

Servo: Benchmarking and Statistics — Infrastructure for benchmarking and testing Servo

Servo is a web engine written in Rust that already provides results from the Web Platform Test Suite. However, these results may be difficult for newcomers to understand, as they lack a clear indication of the progress in supporting modern web standards. This creates challenges for the community in assessing the current state of development. When the community inquires about the support for specific features, these capabilities can often only be verified through manual testing. Moreover, finding information about Servo's performance can be equally challenging.

To address these issues, this project aims to develop an infrastructure to benchmark and report on the current state of Servo, monitor performance differences between commits, and present these metrics and supported features in a more comprehensible way. This will give the community a clearer understanding of the state of the Servo project, leading to a more active and engaged contribution environment.

>> Read more about Servo: Benchmarking and Statistics

Multiprocess Mode in Servo — Speed up Servo with parallelisation

While Servo already has multi-process mode, it’s not enabled by default. The main reason is that it isn’t completely supported on every platform yet. Only Linux and macOS have full support. It also isn't tested in the WPT suite. In this project, we want to complete the feature set of multi-process mode in Servo, set it to default, and encourage other projects based on Servo (like the Verso browser) to use it, as they could massively benefit from this multi-process architecture.

>> Read more about Multiprocess Mode in Servo

Servo Script Improvement — Refactoring Servo’s script crate

Servo has been back to its pace of development. The Servo TSC is also running again. The project has monthly calls to sync up the progress and bi-weekly issue triage meetings with sync. Multiple directions are pushing at the same time, and the coverage of the WPT suite is gradually increasing.

That being said, many improvements are still needed in Servo's script crate, which needs to adequately implement every Web API. Several DOM structures have become slightly outdated because of the lack of maintenance. Some basic script types are missing, and patches from Spidermonkey still need work. Within the scope of this project we will address the most needed fixes and improvements for the script crate.

>> Read more about Servo Script Improvement

Slint port for Android — Port the Rust-based Slint UI toolkit to Android

Slint is a next generation declarative GUI toolkit that supports multiple programming languages such as Rust, C++, and JavaScript. Implemented in Rust, a language known for its memory safety and performance, Slint can run on platforms such as Windows, Linux, Mac, QNX, and microcontrollers. The popularity of Android as a mobile phone operating system has influenced the standardisation of drivers on embedded systems to the extent that its possible to easily procure off-of-the-shelf embedded hardware that can run Android. Slint will be the first native (non-web based technology) Rust based toolkit for creating applications on Android and will allow designers and developers an alternative open source option to build the user interface for their applications.

>> Read more about Slint port for Android

SocksTrace — Ptrace based proxy leak detector

Proxy leaks are a class of software vulnerability in which network traffic intended for a proxy (e.g. Tor) is instead sent without a proxy, risking the deanonymization of the user. Auditing software for proxy leaks is presently nontrivial, e.g. tools like tcpdump and Corridor generally require invasive privileges, cannot audit for stream isolation leaks, and provide limited diagnostic capabilities. SocksTrace is a proxy leak detection tool, suitable for CI testing or manual QA testing, that utilizes the ptrace feature of Linux to detect socket syscalls that would bypass a proxy. If a proxy leak is detected, SocksTrace can respond by (among other things) denying the syscall, redirecting the connection to a proxy, or logging a stack trace. SocksTrace is written in Go, making it memory-safe and securely bootstrappable.

>> Read more about SocksTrace

Solid NC 2024 — Add more Solid capabilities to Nextcloud

The Solid Nextcloud project implemented a server component with the Solid specification for Nextcloud, which makes ones Nextcloud server a Solid server as well. This allows user to user their existing server for identity and storage within the Solid eco-system.

To enhance security and to enable easier cooperation and release of new versions we need to improve a number of things. The CI/CD of the project will be improved. Based on an earlier audit, we will implement a number of security enhancing features and we will release a PHP Solid Server next to the Solid Nextcloud module. These servers share a lot of code, which makes maintenance easier. The advantage is that PHP has a security maintenance cycle of three years, making it easier for users to stay secure when using a Solid server.

>> Read more about Solid NC 2024

Spade — Standalone Hardware Description Language

Spade is a hardware description language that draws inspiration from modern software languages to make hardware development more productive, more fun, and less error-prone. A big part of what makes this possible is the type system which helps prevent bugs and makes the code more maintainable.

A common source of errors in hardware designs is clock domain crossing: signals should never cross domains accidentally, and when they do cross, it must be done correctly. Failures to correctly cross domains leads to intermittent problems that can take significant effort to find and fix. By making the language and compiler aware of clock domains through the type system, we will be able to detect and warn programmers about accidental clock domain crossings at compile time. We will to do this in an ergonomic way, where the user only has to specify clock domains on module inputs and outputs with the compiler being able to infer the rest. In addition, the default case of a module that only spans a single domain should not require any explicit domain information form the user to avoid unnecessary verbosity.

>> Read more about Spade

Transitioning SMM Ownership to Linuxboot — More robust defense Against Firmware Vulnerabilities

In an era marked by escalating cybersecurity threats, firmware security is one of biggest blind spots. One pervasive weakness lies in an architectural design called System Management Mode (SMM). Sometimes referred to as “Ring -2”, SMM is used by device manufacturers to interact with hardware like NVRAM, emulate hardware functionality, handle hardware interrupts or errata, and perform other functions.

The unrestricted, non-standardized control inherent to SMM implies significant security vulnerabilities. There is no shortage of Day-0 and Day-1 Firmware vulnerabilities related to SMM. Current industry practices open a wide door for cyber attacks, and the attacker can even bypass the secured OS kernel with the SMM loopholes.

This proposal introduces a novel SMM architectural design, by transitioning SMM ownership from core firmware (e.g. coreboot) to payload - in this case Linuxboot. This will leverage the robust, open-source nature of Linux’s SMM drivers, as its drivers that has been proven working very well over decades, and its open source nature made it easier for security reviews. This initiative aims to develop and universalize a secure architectural design in collaboration with chip vendors, and thus elevating the resilience and integrity of our digital ecosystem.

>> Read more about Transitioning SMM Ownership to Linuxboot

Standards Grammar Catalog/Toolchain — Open Standards Grammar Catalog/Toolchain

The Open Standards Grammar Catalog/Toolchain makes it easier to implement a format or protocol by translating its machine-readable definition, usually in a language such as ABNF, into forms readily compatible with popular programming languages, like regular expressions, YACC, ANTLR, and native code. By providing a toolchain for making these translations, assembling a catalog of commonly used formats & protocols, and publishing a developer-friendly website for browsing the grammars and generating translations, these tools will reduce the need to manually write a parser, ultimately reducing errors due to hand-written code, and enhancing interoperability.

>> Read more about Standards Grammar Catalog/Toolchain

Stencila v2 for ERA and EPP — Add editable, runnable code to scientific publications

Stencila offers a platform for collaborating on, and publishing, dynamic, data-driven content with the aim of lowering the barriers for creating data-driven documents and making it easier to create beautiful, interactive, and semantically rich, articles, web pages and applications from them. The latest version, a rewrite in Rust, is aimed at leveraging two relatively recent and impactful innovations: conflict-free replicated data types (CRDTs), for de-centralized collaboration and version control, and large language models (LLMs) for assisting in writing and editing prose and code. These technologies used together provide an advance in scholarly communication of research findings by powering the Enhanced Preprint Platform and Executable Research Articles at publishing venues such as eLife and GigaScience.

>> Read more about Stencila v2 for ERA and EPP

Structured Email for Roundcube — Add schema.org metadata awareness to open source email

Email is probably the only open and widespread technology bridging our private information space (Mobile, Desktop) and the public Internet. It can in fact be considered our "personal API". Structured Email for Roundcube develops a plugin for the popular Roundcube Webmail software, which extracts Schema.org data embedded in email messages. Based on that, it allows for new ways of presenting emails and interacting with them.

>> Read more about Structured Email for Roundcube

Surfer Waveform Viewer — Analyse signal levels in simulated circuits

Surfer is an open source waveform viewer, primarily aimed at debugging digital designs. It is built for flexibility, extensibility, and speed to operate on most platforms. Although fully operational for many tasks, there are features to be added to improve the usability further. This project aims to implement the most requested missing features and pave a way for additional extensibility.

>> Read more about Surfer Waveform Viewer

Client Proof-of-Work in TLS — Mitigation against DoS amplification on the TLS handshake

The computationally expensive nature of asymmetric crypto in TLS makes it vulnerable to denial-of-service attacks. We propose an extension to TLS that mitigates this attack vector, shifting the advantage from the attacker to the defender. The project will deliver a draft spec, mergeable patches for leading TLS libraries, and a measurement report explaining the results.

>> Read more about Client Proof-of-Work in TLS

TSCH-rs — Time Slotted Channel Hopping implement in Rust

fTime Slotted Channel Hopping (TSCH) is a Medium Access Control (MAC) layer protocol described in IEEE 802.15.4e designed for low-power and lossy networks. Devices are allocated time slots in which they can transmit and/or receive frames. The rest of the time the radio is turned off, reducing energy consumption. Consecutive transmissions are done on different frequencies to tackle interference. Implementations of TSCH can be found in Contiki-NG and OpenWSN, both written in C.

TSCH-rs is a TSCH implementation written in Rust, providing ease-of-maintanance, security and reliability. Furthermore, the implementation aims to be hardware-agnostic, making it easy to port to different IEEE 802.15.4 based radios. The Rust network stack for IEEE 802.15.4 radios already contains an implementation for 6LoWPAN and RPL. TSCH-rs will be a valuable addition to the Rust based low-power IEEE 802.15.4 network stack.

>> Read more about TSCH-rs

Tau — Remote sharing of terminal sessions

A common problem among people working on a command-line interface is to share their terminal session with one or many other people via the internet, ideally along with an audio stream, without viewers having to install any specific software. This project creates a solution that enables anyone with a web browser to receive such a broadcast.

Unlike generic screensharing alternatives, a broadcast created by .tau will not be a stream of compressed video but rather a stream of ASCII characters with preserved timing as well as the broadcaster's terminal look & feel, and giving the ability to easily copy text. The broadcaster will have a nice and easy experience installing a piece of software which accomplishes this.

Upon completing a broadcast, a single resultant file is available for later viewing on the internet and or private distribution. Simple, portable and robust.

>> Read more about Tau

TrenchBoot as Anti Evil Maid - UEFI boot mode support — Add UEFI to the Qubes integration of Trenchboot with AEM

Qubes OS is a free and open source operating system uniquely designed to protect the security and privacy of the user. Its architecture is built to enable the user to define different security environments ("qubes") on their computer and visually manage their interaction with each other and the world. TrenchBoot provides a secure environment for operating system launch and integrity measurements, ensuring greater protection.

The main objective of the TrenchBoot as Anti Evil Maid project is to enhance the security of Qubes OS by integrating the TrenchBoot Project with the Anti Evil Maid (AEM) implementation. Through comprehensive hardware testing, the successful execution of this initiative will promote the adoption of DRT technology in open-source and security-oriented operating systems, ensuring enhanced security for Qubes OS. This project will prioritize stability, testing, and ensuring the reproducibility of results for broader community adoption.

>> Read more about TrenchBoot as Anti Evil Maid - UEFI boot mode support

Tvix-{Store/Build} — Improve store and builder component of Tvix

Tvix is a modern design and implementation of the Nix package manager (GPLv3). It brings a modular architecture in which components such as the build environment or package store are replaceable, which enables new use-cases and platforms. A graph-reduction evaluation model will make it possible to use Nix for package definitions and entire system configurations, its proven and tested use case, as well as for granular build definitions for individual components of software. Tvix will be fully compatible with nixpkgs, the existing package definition set for Nix, letting its users leverage more than a decade of community contributions and making it useful right out-of-the-box. This particular project focuses on the Store and Builder components of Tvix, upgrading the store protocol, improving the Builder API as well as providing more interop with Nix.

>> Read more about Tvix-{Store/Build}

HTML export for Typst — Markup based typesetting for multichannel publishing

Typst is a markup-based typesetting system that is designed to be as powerful as LaTeX while being much easier to learn and use. Currently, Typst outputs documents only as PDF, yet there is strong demand for generating HTML. We want to extend Typst such that it can create high-quality HTML and PDF versions from the same document, which is currently not possible with comparable programs. As a result, Typst could be used in a variety of new scenarios, such as the generation of websites and e-books. Furthermore, this will improve the accessibility of the output documents.

>> Read more about HTML export for Typst

UnifiedPush — Decentralized and open-source push notification protocol

Push notifications are essential to the modern mobile experience, as they enable applications to communicate with users in real time, even when not in active use. Major mobile operating systems provide a centralized service that they control, but depending on a centralized push notification system controlled by one company raises issues of privacy and independence. UnifiedPush is a decentralized and open-source push notification protocol. It is a set of specifications and libraries that allow the user to choose how push notifications are delivered. It is compatible with WebPush, the standard for web applications.

>> Read more about UnifiedPush

Toward a Fully-Verified SCION Router — Formal verification of the reference open source SCION Router

SCION is a next-generation Internet architecture that addresses many of the security vulnerabilities of today’s Internet. Its clean-slate design provides, among other properties, route control, failure isolation, and multi-path communication. This project will demonstrate the feasibility of verifying the core component of the SCION inter-domain routing architecture - the SCION router. Prior work has proved that the SCION data plane protocols are secure. The focus of this project is on verifying that SCION’s open-source router is memory-safe and implements those protocols correctly and, thus, provides the intended security and correctness guarantees.

>> Read more about Toward a Fully-Verified SCION Router

Verso Views — A Functional Browser Based on Servo

Verso is a web browser based on Servo web engine. While Servo hasn’t been treated as a fully functioning browser, it is possible to build one based on it already. We plan to expand this into a formal and stable application release, eventually implementing the features, making it not just a general browser application but also a webview library for embedding purposes.

There are some missing features we still need to push into Servo. And there are also other works that require time and resources to make a barebone web engine into a stable application. We hope to take this project as a chance to finally make an individual repository using Servo as a dependency. In this way, Servo can focus on issues and features of the web engine itself. In the meantime, other chores related to the application itself can be off-loaded to other repositories and organizations.

>> Read more about Verso Views

Webview library with Verso for Tauri — Refactor parts of Verso into a WebView library

We aim to publish the Verso browser as a library in addition to the current application approach. This way other projects could use it as a dependency in their software, and render their content with it. The distribution of a shared library is a challenging set of problems (including, but not limited to bundle format, code signing, dependency linking, etc.) that we intend to solve. We also aim to find the best possible solutions to help developers use this library with ease. One of these approaches will be to integrate with Tauri as a webview backend.

>> Read more about Webview library with Verso for Tauri

VexiiRiscv — Next generation of the VexRiscv in-order FPGA softcore

VexiiRiscv (Vex2Risc5) is a hardware project which aim at providing an free/open-source RISC-V in-order CPU which could scale from a simple microcontroller up to a multi-issue/debian capable cluster. While the project already surpasses VexRiscv in multiple domains (performances, 64 bits, debian), it still needs work and testing to reach feature parity (tightly coupled RAM, JTAG debug, optimization, ...), aswell to extend its scope (lightweight FPU, vector unit, ...). This grant would aim at filling those gaps aswell as improving its documentation.

>> Read more about VexiiRiscv

OpenIMSd — 4G/VoiceOverLTE support for open source mobile OSes

The OpenIMSd project aims to bring VoLTE (4G voice calls) to Qualcomm based phones (like the PinePhone) running Free Software Mobile Operating Systems including postmarketOS, Mobian, … We will create a daemon which runs in parallel to the Modem Manager, which configures the baseband via QMI and brings up all the required services to be able to place VoLTE calls.

>> Read more about OpenIMSd

Vouivre — A dependent type system for machine learning in Lisp

Current machine learning frameworks are built around relatively weak type systems. This is a problem because, at scale, machine learning applications are exceedingly intricate and computationally expensive, therefore making costly runtime errors unavoidable. This is where Vouivre comes into play. Using a dependent-type system, the project aims at enabling users to write machine-learning applications that solve real-world problems with compile-time validation of their correctness, thus preventing runtime errors at a reasonable computational cost.

>> Read more about Vouivre

Enhance the vulnerability database — Enhance the VulnerableCode vulnerability database

Using Components with Known Vulnerabilities" is one of the OWASP Top 10 Most Critical Web Application Security Risks. Identifying such vulnerable components is currently hindered by data structure and tools that are (1) designed primarily for commercial/proprietary software components and (2) too dependent on the National Vulnerability Database (funded by the US CISA and Dept. of Commerce). With the explosion of Free and Open Source Software (FOSS) usage, we need a new approach in order to efficiently identify security vulnerabilities in FOSS components that are the basis of every modern software system and applications. And that approach should be based on open data and FOSS tools.

This project delivers unique FOSS tools to aggregate software component vulnerability data from multiple sources, privileging upstream data directly from project maintainers. VulnerableCode organizes that data with a de-facto industry standard Package URL identifier (Package URL or PURL) enabling efficient and straightforward automation for the search for FOSS component security vulnerabilities. The benefits are to contribute to the improved security of software applications with open tools and data available freely to everyone and to lessen the dependence on a single foreign governmental data source, or a few foreign commercial data providers.

In the new context of the upcoming Cyber Resilience Act (CRA), the access to an open, free and curated FOSS package vulnerability data source is now an imperative. And the organization of vulnerability data by Package URL or PURL identifiers in VulnerableCode enables easy frictionless integration with Software Composition Analysis (SCA) code analysis tool chains, direct enrichment of SBOMs (Software Bill of Materials) to find if SBOM-listed packages have known vulnerabilities, and creation of VEX (Vulnerability Exploitability Exchange) document to communicate the impact of known vulnerabilities

>> Read more about Enhance the vulnerability database

WPE Android — Embedded-friendly Webview based on WebKit

WPE (Web Platform for Embedded) is a WebKit port for Linux-based embedded devices with a focus on flexibility, security and performance on lower-powered devices. Albeit less known than Chromium, Firefox or Safari, WPE is currently deployed in millions of embedded devices (e.g. set-top-boxes, smart home devices, kitchen appliances, infotainment, etc), but it hasn't yet reached those based on the Android Operating System, which has become an important actor for certain types of devices, such as phones, tablets, set-top-boxes and even IoT devices.

In such environments, the only option currently available to leverage the power of the Web Platform is to use Android's WebView, which is based on Chromium and therefore problematic in cases where using that is not an option. By bringing WPE to Android in the form of an Android WebView-compatible component, we aim not just to make WPE available in more platforms but also to expand the options Android developers currently have so that they can choose between a Chromium-based WebView and a WebKit-based WebView for their applications. This would be great to cover Web rendering needs in general on Android, and particularly beneficial for multimedia-intensive use cases (e.g. set-top-boxes, digital signage...), as well as for other less conventional use cases such as QA & testing (e.g. testing WebKit-based browsers on Android based systems).

Last but not least, as a side effect of widening the reach of WPE to Android-based devices, we believe that we would also be bringing more balance and diversity to the Web, by making sure that developers have a realistic alternative to the Chromium-based Web rendering engine they can use to develop their products.

>> Read more about WPE Android

Wax — Add ODF, legacy office and PDF capabilities to Wax

Wax (formerly known as CokoDocs) is an open-source, web-based Word Processor that is collaborative by design. In this project we're actively extending CokoDocs' use cases to include paging support (through PagedJS), OpenDocument Format import/export as well as support for some legacy file formats. In addition we will add backend system configuration, asset management, text chat and more. CokoDocs aiming to become a best in breed, highly customizable, and innovative word processor with strong privacy and security properties and elegant accessible design.

>> Read more about Wax

Integration of Waydroid on mobile GNU/Linux — Run Android apps in Linux containers on mobile devices

Waydroid lets the user run Android within a container on a regular GNU/Linux system, bringing access to countless existing Android applications. This particular project aims to research and implement tighter integration between the Waydroid container and its host system in terms of hardware access (sensors, location, telephony, cameras) and desktop environment (notifications, media controls), while keeping the user in control of what and when is shared with the Android container.

>> Read more about Integration of Waydroid on mobile GNU/Linux

Wayland input method support — Better specification for Wayland input methods

As Linux distributions switch to Wayland, some functionality is still incomplete. One of them is being able to input non-Latin scripts. It is a necessity for a large portion of the world, yet it's not standardized across Wayland environments. The same text input functionality is needed for typing on mobile Linux, which, considering how many people use smartphones rather than laptops, might be even more important for Linux adoption. This project wants to bridge that gap, by continuing the effort of standardizing input-method protocols started for Phosh in Squeekboard, gtk, and wlroots.

>> Read more about Wayland input method support

Webxdc evolve — Comparative analysis of HTML5 app containers

Webxdc.org is an evolving standard which defines a format for portable HTML5 applications and an API for local-first, peer-to-peer, end-to-end encrypted applications. For this project we will perform a comprehensive survey of historical and contemporary efforts with similar goals, including those by W3C working groups, independent open-source developers, and noteworthy proprietary platforms. We'll produce reference documents providing developers with a comprehensive overview of the space, summarizing their options for packaging portable HTML5 applications for different platforms, and highlighting affinities between closely aligned projects. As a follow-up, we'll propose additions to the webxdc API based on patterns observed in other projects, aiming to reduce the complexity of common designs and facilitate portability between or interoperability with existing platform implementations.

>> Read more about Webxdc evolve

Whippet — A new local maximum in safe, managed memory

Whippet is a new automatic memory manager (garbage collector) which is designed to be incorporated into the Guile Scheme programming language implementation. Switching to Whippet should improve the speed and scalability of Guix and other Guile-based software while also lowering total system memory usage. This project aims to push Whippet over the finish line, filling in missing functionality and doing the last-mile work to incorporate Whippet into Guile. The anticipated results should also give confidence to other language run-times looking for a state-of-the-art, embeddable, minimal, no-dependency garbage collector.

>> Read more about Whippet

Willow Sync — General Sync Protocol for Willow written in Rust

Willow is a protocol for syncable data stores, forming resilient data networks which can endure indefinite connectivity outages. This protocol brings qualitative advances to data deletion in distributed networks, supports completely decentralised fine-grained permission schemes, and has been designed to use memory, bandwidth (and consequently energy) efficiently. In this project, the Willow protocol will be implemented using the Rust programming language. This new implementation will be able to take advantage of Rust’s efficiency and safety guarantees, and make the protocol accessible to embedded devices, as well as provide a more efficient solution for smartphones, computers, and servers alike.

>> Read more about Willow Sync

Wobble Web — Hybrid graphics editor and coding environment

WobbleWeb is a hybrid graphics editor and coding environment for making and sharing small-scale websites. It provides a gentle and playful introduction to coding in javascript and html, where dragging something on the page changes the code, and editing the code changes what is on the screen. The project is built upon a set of open-source web components that can be used with the editor as well as independently. The web components serve as a direct wrapper to html, adding gesture-based and direct in-browser editing capabilities to existing HTML and Web APIs. The extensible custom elements allow the open-source community to build more advanced features, such as incorporating canvas elements, WebGL, or integration with backend APIs. WobbleWeb differs from existing graphical webpage builders, with its emphasis on writing javascript for beginners, as well as its modular and extensible ecosystem.

>> Read more about Wobble Web

MLS for XMPP — Add Message Layer Security to XMPP

XMPP (Extensible Messaging and Presence Protocol) is an IETF- standardized (RFC 6120/6121) communication protocol designed for instant messaging and other near-real-time exchange of structured data between two or more network entities. MLS (Messaging Layer Security) is an emerging, IETF-standardized (RFC 9420) protocol for end-to-end encryption of messages and a central part of the IETF MIMI (More Instant Messaging Interoperability) effort to allow communication across messaging apps, for example in the context of the EU Digital Markets Act.

This project adds support for MLS encrypted messaging to XMPP group chats. This includes creating a prototype implementation, standardizing an XMPP Extension Protocol (XEP) and introducing support in two existing XMPP clients.

>> Read more about MLS for XMPP

XMPP Interoperability and Protocol Standard Conformance Testing — Development of an XMPP Test Suite

XMPP is the Extensible Messaging and Presence Protocol. XMPP offers an open, extensible, standardised and mature set of open technologies designed for decentralised communication. With its flexible design and rich history, its utilisation is widespread.

To advance interoperability in its diverse ecosystem of developers and implementations of server software, this project will create an implementation-agnostic test suite for XMPP servers, testing for conformance with the XMPP protocol standards.

The suite will be designed to be integrated with various third-party CI components to minimise the complexity of including the suite in development processes of the various and varied parties that are developing XMPP server implementations.

>> Read more about XMPP Interoperability and Protocol Standard Conformance Testing

Zero-allocation web servers in roc — Web server framework with constant memory usage

Memory consumption in web servers is hard to predict and control. Our zero-allocation web server guarantees constant memory usage and per-request memory caps. These guarantees and capabilities make web infrastructure more reliable, because it is actually possible to calculate how much server capacity is required for a certain amount of traffic.

The vast majority of webservers are written in a language with automatic memory management. They cannot provide the guarantees that our webserver can, and often have other downsides like poor general performance and GC pauses.

The core of our webserver is written in rust, and while it works in a rust-only context, is meant to be used in combination with the roc programming language, a fast, friendly, functional language with automatic memory management, but without GC pauses. Users will be able to write web applications using roc, without having to consider how memory is allocated. At the same time, we manage the memory as efficiently as possible under the hood.

>> Read more about Zero-allocation web servers in roc

ZeroPhone Next — Hackable open hardware mobile phone

This project is building a hacker-friendly personal device platform, providing people with an assortment of building blocks that can be reused in building devices of their own. It sets out to deliver a featureful device for day-to-day use, with cellular and wireless connectivity, and bringing a powerful user interface that can easily be used in others' projects.

The platform's design prioritizes self-assembly capabilities, respect for the user's privacy, extensive documentation that makes the platform's building blocks all that more accessible, and forming a community aimed at helping other hackers build their own devices. The platform's inherent modularity also provides a testbench for designing open-source replacements for commonly closed-source parts of the DIY portable device ecosystem, as well as development of open firmware for currently-closed-source components.

>> Read more about ZeroPhone Next

Zilch — Tools for efficient granular builds and introspection

Zilch is an experimental test bed for alternative approaches to building programs, services, and full Linux distributions. Being built on top of Nix, it is entirely compatible with NixOS. The goal of this project is to research and develop a set of tools that allow a developer to write programs and patch existing upstream projects, while keeping the reproducibility and sandboxing afforded to them by Nix.

>> Read more about Zilch

Zip linting and bzip2 in Rust — More secure handling of popular archive formats

Zip is a widely used format for distributing files. It is a rather permissive file format, opening the door to various attacks such as zip bombs. The `bzip2` compression format is still used in many legacy settings. Consequently, it is part of the supply chain of many projects. To mitigate these risks, this project will deliver a) a zip linter checking for suspicious file contents in zip files and b) a memory-safe implementation of bzip2 through drop-in replacements of the libraries and a safe Rust `bzip2` binary.

>> Read more about Zip linting and bzip2 in Rust

badkeys — Detect compromised cryptographic public keys

Public key cryptography is an important building block of Internet security through protocols like TLS or SSH. Key generation vulnerabilities in cryptographic implementations can compromise the security of these mechanisms. The tool badkeys allows identifying public keys affected by known vulnerabilities. The project will implement improvements to badkeys' coverage of known-compromised keys and regular monitoring of public keys in TLS certificates, DNSSEC, and DKIM for known vulnerabilities.

>> Read more about badkeys

bluetuith — Bluetooth connection/device manager for the terminal

bluetuith is a lightweight Text User Interface (TUI) based Bluetooth manager for the terminal, which allows users to manage a multitude of different Bluetooth based functions, like pairing, connection, file transfers, handling audio playback and networking and so on seamlessly via an easy-to-use interface. The project aims to extend support to as many other platforms as possible, to achieve multiplatform support, and provide users with a familiar interface to control Bluetooth across different platforms. The project also aims to solve the issue of communication and user-friendliness of platform specific Bluetooth stacks, by creating daemons/services native to that platform, and lightly wrapping native APIs and exposing a standard set of APIs that will allow any client to be built cross-platform and to connect and control Bluetooth (Classic especially) in a much more efficient and uniform manner.

>> Read more about bluetuith

f8 — Modern 8-bit instruction set

Among microcontrollers (µC), 8/16-bit µC are an important part of the embedded systems ecosystem since they tend to have substantially lower resource and energy costs than the larger, more powerful 32-bit and 64-bit µC.

However, existing 8/16-bit µC architectures tend to be either somewhat inefficient (e.g. MCS-51) or single-vendor (e.g. STM8, Rabbit). The latter are at a high risk of being discontinued when a vendor pulls out of the 8/16-bit market, and this has been announced recently for the STM8 and Rabbit architectures. One possible solution is to develop an efficient free architecture for 8/16-bit µC. The f8 is such an approach. It is based upon extensive experience from the large number of 8/16-bit architectures supported by the free Small Device C compiler (SDCC). Like RISC-V did for 32/64-bit architectures, f8 is based on lessons learned from the strengths and weaknesses of existing 8/16-bit architectures.

>> Read more about f8

foaHandler — Reverse engineer the OpenAccess file format

Commercial CAE programs still dominate the community that designs electronic circuits. One of the most widely used file format here uses the OpenAccess API controlled by Si2. Unfortunately, this API is available only for members of the OpenAccess coalition. The project "foaHandler" aims at creating open-source programs for reading and writing OpenAccess files. Their internal data structure will be investigated by reverse engineering the file content of schematics, component symbols and layouts. Then, routines will be created that make it easy to import and export OpenAccess files in open-source programs like circuit simulators, layout programs etc. Example files and documentation will be published, too. This makes the data exchange between free and commercial EDA applications possible.

>> Read more about foaHandler

lib1305 — Microlibrary for Poly1305 hashing

In modern network protocols, every packet is authenticated using a message-authentication code (MAC). Any data modified by an attacker is immediately caught and rejected by the MAC. The most popular MAC algorithms are Poly1305, normally used with the ChaCha20 cipher as part of ChaCha20-Poly1305, and GMAC, normally used with the AES cipher as part of AES-GCM. Many applications, such as WireGuard, require specifically Poly1305. This project will develop and release a new software library, lib1305, for Poly1305. The library will provide comprehensive and well-optimized software exploiting the 64-bit assembly instructions of Intel CPUs to provide top speeds for those CPUs, while meeting the security constraint of not leaking secret information through timing.

>> Read more about lib1305

libnix — Native Nix on MS Windows

The libnix project improves the Windows support of the Nix package manager, by making nix and nix-build work natively on the Windows platform. By creating a ‘libnix’ on top of this, it will allow package managers like node, cargo, pip, and vcpkg to use Nix for building their dependencies. The effort helps bring declarative, reliable packaging systems to a wider audience.

>> Read more about libnix

libvips — Add animated PNG and enhanced JPEG XL support to libvips

libvips is an image processing meta-library, whose development the European Commission funded back in the 1990s. Applications can outsource the heavy lifting of handling a variety of image types to this library. The library has meanwhile grown very popular with web developers around the world; the node binding, for example, is downloaded more than 5 million times a week at the time of writing.

In addition to scrutinizing the security of the library, this project will implement two key improvements to libvips: animated PNG support, and enhanced JXL support. The former capability (the addition of animated PNG support) can be gained from another NGI Zero project, libspng. libvips uses libspng for PNG read and write, so by extending libvips to use these new libspng features, they will become available to a large developer community very quickly.

Second, libvips has had preliminary support for the JXL format since libjxl v0.4. Since then, the libjxl API has evolved considerably and the libvips connector needs updating, especially in the areas of large image support and HDR, both increasingly important with the steady improvement of smartphone cameras.

>> Read more about libvips

Verifying and documenting live-bootstrap — A reproducible, automatic, complete end-to-end bootstrap

The goal of the live-bootstrap project is to compile the necessary tools to compile Linux from a minimal binary footprint to avoid the possibility that a (binary) compiler could be used to introduce back-doors into the Linux kernel. As a user of the live-bootstrap project, one should be able to trace and review all steps and sources used. The goal of this project is to facilitate this.

>> Read more about Verifying and documenting live-bootstrap

Multisoni — Modern and efficient real-time audio playback engine

Multisoni is a versatile audio engine for all creative uses. For demanding real-time uses (such as video games, VR, live installations) there is a lack of free/libre audio authoring tools to map playback and effects to trigger events and interaction parameters, suitable for industrial purposes.

Multisoni is designed to meet this need: it manages many input sources - either samples or synthesis, with support for input plugins - source and effect patching, and rendering for a variety of output systems ranging from binaural stereo to complicated multichannel setups, drawing on existing open-source solutions for audio hardware abstraction and raw audio stream management. One of its main objectives is to put creative users - sound designers, composers - on an equal footing with developer users.

>> Read more about Multisoni

nextpnr for GW-5 — Add support to nextpnr for Gowin GW-5 FPGA family

This project focuses on enhancing the open-source FPGA design toolchain (specifically nextpnr and Apicula), to support the Gowin GW-5 series of FPGAs. This initiative involves creating detailed documentation and developing tools to understand and utilize these FPGAs effectively. By extending nextpnr and Apicula to generate valid bitstreams for the GW-5 series, the project aims to make advanced FPGA technology more accessible and usable for designers and engineers around the world.

>> Read more about nextpnr for GW-5

openPCIe2 Root Complex — Open hardware implementation of gen 2 PCIexpress in OpenXC7

This project will develop an open hardware implementation of PCIexpress 2.0, the high-speed serial computer expansion bus standard used to allow computer peripherals to be slotted into a motherboard. When designing open hardware, having such a critical part of a component depend on proprietary components is obviously . The open hardware PCIe/Gen2 Root Complex developed within this project would make a big step towards developing fully open hardware components. Prior efforts only provided a partial implementation, and depended on vendor-provided 'black boxes' that would prevent such designs to be used to create a working, fully open hardware solution.

>> Read more about openPCIe2 Root Complex

p3pch4t — Decentralized chat platform built on i2p

P3pch4t is a decentralized chat platform built on i2p that aims to provide a feature-rich experience with huge privacy standards, so it will be easy for people to switch from well-known centralized/proprietary chat apps - such as Facebook Messenger, Telegram, Slack to one place that will have all features that user desire - including large file sharing, shared calendar, group chats, multiple devices and chat themes - all of that will come in a cross-platform app that will run on all major mobile and desktop platforms. Together with that, there will be a handful of libraries in different languages to interact with the network directly - to ensure that it is easy for other developers to extend the p3pch4t ecosystem, and to ensure that the standard for communication is well defined.

>> Read more about p3pch4t

postmarketOS: v23.12 and v24.06 Releases — New versions of the mobile operating system postmarketOS

postmarketOS keeps smartphones useful after they don't receive updates anymore: the original operating system gets replaced with an up-to-date lightweight open source software stack based on Alpine Linux. Oftentimes people use postmarketOS to upcycle their old smartphones to small home servers (like Raspberry Pis). While still experimental, we also work towards enabling all typical smartphone features too so postmarketOS can fully replace the original operating system. Besides extending the lifetime of smartphones, in postmarketOS we value the user's privacy, security and in general control over their own device. Unlike current mainstream smartphone operating systems, it is not needed to register an account and get tracked to use the operating system. Creating new releases allows us to keep the software stack up-to-date, to integrate important fixes, features and in general to get closer to provide a full smartphone experience.

>> Read more about postmarketOS: v23.12 and v24.06 Releases

postmarketOS daemons — Add modern service daemons to postmarketOS

postmarketOS keeps smartphones useful after they don't receive updates anymore: the original operating system gets replaced with an up-to-date lightweight open source software stack based on Alpine Linux. This project will add initial systemd support to postmarketOS, as well as making Pipewire the default audio server in postmarketOS. It will help switch the wifi backend to iwd by default, and design and prototype an immutable version of postmarketOS with an efficient A/B OTA mechanism with binary delta updates, and automatic rollback on failed updates.

>> Read more about postmarketOS daemons

Support for OpenPGP v6 in rPGP — Implement draft-ietf-openpgp-crypto-refresh in rPGP

rPGP is a high-quality implementation of OpenPGP in pure Rust (OpenPGP is a standard for encryption, digital signatures and key management). rPGP is used in production in different contexts, among them the popular "Delta Chat" decentralized and secure messenger that is used by hundreds of thousands of users, worldwide. The OpenPGP standard has recently been revised to reflect current best cryptographic practices. The revision of the standard defines "OpenPGP version 6" and is currently being finalized  for publication as RFC 9580. This project will implement the new formats and features of OpenPGP v6 for rPGP. This will bring the new features of OpenPGP v6 to users of rPGP, and ensures future interoperability with all other modern OpenPGP implementations.

>> Read more about Support for OpenPGP v6 in rPGP

reqwest — Memory safe HTTP client

reqwest is the de-facto HTTP client for the Rust language, with batteries-included. In this project we will make many of its powerful features to be composable and reusable outside of reqwest. This includes converting its connection pool, proxying and redirection into middleware, and improving integration with existing middleware, such as retries. This ultimately enables two groups of people: some so they can use only the parts of reqwest they need. And others that want to use all of reqwest while inserting new middleware or customizing its default "stack".

>> Read more about reqwest

rrdnsd — DNS based load balancing and high availability

rrdnsd implements DNS-based load balancing and failover in order to increase the reliability of geographically-distributed Internet services. It is designed to both scale up to managing hundreds of services but also scale down to small scale deployments. Written in Rust, it prioritizes resilience, ease of deployment and hands-off maintenance - without depending on 3rd-party services. It provides distributed connectivity monitoring using a quorum protocol. This allows detecting partial network outages without causing false positive alarms.

>> Read more about rrdnsd

Maintenance and portability of sudo-rs — Make sudo-rs available cross-platform

The sudo and su utilities guard a critical privilege boundary on just about every free and open-source operating system that powers the Internet. Memory safety bugs occur in the original sudo from time to time, and there is only one maintainer to fix them. For these reasons sudo-rs was written: a Rust drop-in replacement for sudo on Linux. For it to be a success, it needs to gain adoption. In this project, we will 1) address bugs and incompatibilities between sudo-rs and sudo and 2) port it to platforms other than Linux, to grow its user base and viability.

>> Read more about Maintenance and portability of sudo-rs

tslib — Better configuration and callibration of touchscreen devices

tslib is somewhat older but widely used software for configuring the touchscreen of (mainly) embedded Linux devices including printers, mobile phones, etc. This nimble project concerns a bundle of improvements in terms of calibration, some accessibility research (to see if people with e.g. a tremor can be better served), and addressing a backlog of feature requests. In addition the project will use the help of NGI Zero to apply additional security scrutiny.

>> Read more about tslib

uFork/FPGA — A memory-safe pure-actor processor soft-core

uFork is a novel microprocessor architecture based on dispatching immutable asynchronous message-events to reactive objects (actors) which manage private mutable state. Contention for shared mutable storage is eliminated, reducing complexity. Strong process and memory isolation prevents interference among tasks. Object-capability security (ocaps) provides fine-grained access control. The architecture has been validated by implementing a virtual-machine in software. This project will implement the design using FPGA hardware fully supported by open-source tooling.

>> Read more about uFork/FPGA

uberClock — High precision open hardware clocks using multi-mode crystal oscillators

Very precise clocks have many different use cases, but they are complex to make and expensive to buy - leaving high precision timing out of reach for many. Currently, there are no open hardware designs capable of delivering so called "Stratum 2" accuracy.

This project will design and build an open hardware clock exploiting the properties of multi-mode crystal oscillators using modern numerical methods for frequency stabilization. A Field-Programmable Gate Array (FPGA) will be used for digital signal processing functions, multiple Proportional-Integral-Derivative (PID) control loops, and executing all necessary calculations needed for dynamic, real-time frequency corrections. High-Level Synthesis (HLS) code will be developed using the CflexHDL+PipelineC toolset, in order to validate and further mature that emerging design flow for signal processing applications.

>> Read more about uberClock

vm-builder — Virtual Machine Build, Life Cycle and Integration in monolithic and microkernel platforms

As each piece of software is built using other software, it is difficult to ensure that a program is not accidentally infected through malicious code interfering anywhere in this process. An important defence is reducing the amount of code one relies upon and strictly isolating the build from any other processes that could influence it, typically by using a virtual machine.

However, the are currently no minimal, portable and final virtual machine build systems which enable effective bootstrapping of operating systems. Delegating this task to container build systems is insufficient, since they are primarily available to the Linux kernel and provide weak isolation properties. Delivering those with a high portability and even (or especially) on low TCB microkernels is key to secure bootstrapping of operating systems and applications on (to be) trusted infrastructure.

The current prototype has proven successfully applicable to nowadays general purpose OSs, templating/inheritance and reproducible builds are to be implemented. An implementation in a more robust programming language like Rust is still lacking and will be completed in the course of this project. The long term goal is to easily build and provide legacy platforms and software especially on microkernels — allowing for a migration path towards operating systems with effectively manageable complexity.

>> Read more about vm-builder