Open Source Working Group Minutes RIPE 92
Wednesday, 20 May 2026, 09:00–10:30 (UTC+1)
Chairs: Marcos Sanz, Marco d’Itri, Sasha Romijn
Scribe: Tim Bruijnzeels, Hans Bakker
Status: Draft
A. Administrative Matters
Sasha Romijn (WG Co-chair)
Sasha opened the Open Source WG with a welcome and housekeeping: Meetecho and stream info, a reminder of the Code of Conduct, and a reminder to please rate the talks. Sasha also informed the working group that the chairs are working on a new working group chair selection procedure and will share this with the working group in the coming weeks. After this, she handed over to the first speaker.
B. Web Application Security - an IXP Manager Perspective
Barry O'Donovan, INEX
Barry O’Donovan presented a security-focused update on the long-running Open Source project IXP Manager and its recent independent penetration test under ENISA’s Cybersecurity Support Action Programme. He explained how IXP Manager, a critical platform used by hundreds of Internet Exchange Points worldwide, has evolved over two decades and now underpins production systems and automation, increasing the importance of robust web application security. A grey-box penetration test conducted in 2026 found no critical vulnerabilities but identified issues such as cross-site scripting, missing security headers, and legacy design risks, most of which were quickly addressed. The talk highlighted the importance of continuous security testing and layered defences.
Pieter Lexis, PowerDNS, commented, also to the rest of the room, that if you have a small project and don't have the money for penetration tests, you could contact the Sovereign Tech Fund to get funding, which is something he highly recommended. Maria Matejka, BIRD, commented that rewriting is always painful and underestimated. She asked how much time goes into updating dependencies. Barry answered that this is indeed challenging, but GitHub's Dependabot helps.
Maximilian Emig (online) asked how many bug reports are real versus invalid, LLM-hallucinated reports. Barry answered that they have been very lucky to be able to avoid these so far.
Marcos Sanz (co-chair) wondered whether David would recommend participating in the ENISA cybersecurity program. Barry said he absolutely would, and advised potential participants not to be embarrassed by the results, because you will learn a lot.
C. Nominet DNS Fund - how are we adapting to what we have learnt?
Amy O'Donnell, Nominet; Dave Knight, Nominet
Amy O’Donnell and Dave Knight presented the Nominet DNS Fund, an initiative supporting underfunded open source DNS infrastructure projects to improve internet security and resilience. They explained that the fund was created after research by Demos highlighted systemic funding gaps in core DNS maintenance, and it aims to provide more flexible, accessible, and longer-term support. The first funding round supported projects such as OpenSSL, Quad9, and Cascade, focusing on reducing technical debt and improving DNS tooling. Speakers from funded projects entered the stage and highlighted the simplicity of the application process, quick turnaround, and value of funding maintenance work. The session concluded with plans to refine eligibility and expand multi-year support.
Jim Reid thanked Nominet for putting this together.
D. Developing Containerlab - an open-source success story
Gordon Gidofalvy, Containerlab, Nokia
Gordon Gidofalvy presented on Containerlab, now six years old with over half a million installs, which has grown into a widely used tool for building virtual network topologies using container-based environments. His talk focused on the project’s development rather than its features, highlighting design choices such as multi-vendor support, reproducible YAML-based topologies, and strong CI/CD practices. It also covered challenges in maintaining a multi-language ecosystem and supporting closed-source network OS images. Community engagement via Discord, documentation, and early examples proved key to adoption and feedback-driven evolution of the tool.
Pieter Lexis, PowerDNS, asked how Containerlab deals with the visibility of Discord discussions and whether comments are ported to documentation. Gordon answered that yes, they do take suggestions from Discord into GitHub issues or even into documentation if something is unclearly documented.
Maximilian Emig (online) gave a shout-out to Arista cEOS, which he feels is made for Containerlab or vice versa.
E. How much of BIRD is vibecoded
Maria Matejka, BIRD | CZ.NIC
Maria Matejka’s talk explored early experiments with using LLMs for assisting development in the BIRD project and the broader rise of “vibe coding.” While LLMs can produce plausible code, text, and even commit messages, the speaker found they quickly break down on complex or low-level tasks such as concurrent C code and bug fixing. A key issue is confirmation bias, where seemingly correct outputs hide subtle errors. Overall, LLMs were seen as useful for glue code and drafts, but unreliable for complex systems like BIRD, reinforcing that careful human review remains essential in critical infrastructure development.
There was no time for questions.
F. Netiscope - a local network environment debugging tool
Robert Kisteleki, RIPE NCC
Robert Kisteleki introduced Netiscope, his hobby open source tool designed to help users diagnose “something is wrong” local network issues in a single, easy-to-run binary. Inspired by the discontinued Netalyzer, it performs automated checks for IPv4/IPv6 connectivity, DNS resolution, reachability of public resolvers and root servers, firewall or port filtering behavior, and potential man-in-the-middle attacks via SSH host key validation. It is modular, allowing new diagnostic tests to be added easily, and provides both CLI and optional GUI output. The project currently runs locally without data collection, aiming to simplify network troubleshooting for non-experts.
There was no time for questions.