The dust is settling from Open Source Summit week in Minneapolis, and the post-summit announcements keep landing. OpenTelemetry hit a major milestone, GitHub opened up another piece of its AI toolchain, and the OpenSSF sounded an alarm about Europe’s looming regulatory deadline. Here’s what matters.
OpenTelemetry graduates from the CNCF — now the de facto observability standard
The Cloud Native Computing Foundation announced OpenTelemetry’s graduation on May 21 at the Observability Summit in Minneapolis, marking it as production-ready by CNCF’s highest bar. The numbers back it up: over 12,000 contributors from 2,800+ companies, 1.36 billion downloads of the JavaScript API package and 1.3 billion of the Python API package in the past twelve months alone — both setting new monthly records in April. Organizations including Alibaba, Anthropic, Bloomberg, Capital One, eBay, and Heroku rely on it in production. Graduation required passing an independent third-party security audit and a formal governance review. OpenTelemetry’s significance is less about any single feature and more about what it eliminated: the fragmentation tax. Before OTel, switching observability vendors meant rewriting instrumentation across your entire stack. Now it doesn’t. That kind of boring, foundational interoperability is exactly what CNCF graduation is supposed to recognize, and OpenTelemetry earned it.
GitHub open-sources Copilot for Eclipse under the MIT license
On May 21, GitHub published the full source code for its Copilot Eclipse plugin under the MIT license. The open-sourced code includes the chat, completion, agent, prompt, and integration layers — everything that connects the Eclipse IDE to the Copilot service. To be clear: this is the client-side plugin, not Copilot’s AI backend. But the significance is real. Eclipse’s ecosystem thrives on open collaboration, and developers can now inspect exactly how context is gathered, how tool calls are orchestrated, and how agentic workflows are presented inside the IDE. Community contributions via issues and pull requests are welcome against the same codebase that ships the official experience. This follows the pattern Microsoft has established with the VS Code Copilot extension and signals a broader commitment to transparency in how AI developer tools integrate with editors — even ones Microsoft doesn’t own.
The OpenSSF, in collaboration with LF Research, published the finalized 2026 CRA Awareness and Readiness Report at Open Source Summit, and the findings are sobering. Two-thirds of respondents remain unfamiliar with the European Cyber Resilience Act — up slightly from 62% in 2025, meaning awareness is actually decreasing even as deadlines approach. In North America, nearly 72% are unfamiliar. Over half of European SMEs — the backbone of the open source supply chain — don’t know what the CRA requires of them. Here’s why this matters right now: starting September 11, 2026, manufacturers must comply with CRA vulnerability reporting requirements. Full compliance kicks in December 2027. The OpenSSF’s Christopher Robinson put it bluntly: “the runway is rapidly running out.” For open source maintainers and the companies that depend on their work, this isn’t a theoretical policy discussion anymore — it’s a compliance deadline less than four months away.
Also released at Open Source Summit, the Linux Foundation’s 2026 State of Tech Talent Report — based on 400 global IT leaders — found that the primary barrier to AI success has shifted from cost to operational maturity, with security concerns nearly tripling from 17% in 2024 to 48% in 2026. Even more striking: 43% say security concerns are actively preventing them from realizing value from AI projects they’ve already invested in. Despite this, 97% of organizations remain committed to AI implementation, creating what the report calls a “capacity gap” — 57% lack the security and risk management talent to move forward safely. The industry’s response is tilting toward upskilling over hiring: current staff offer a 7.9x advantage in business context and a 5x cost advantage over new hires. The takeaway for open source: the projects that solve AI security and governance — OpenSSF tooling, the Agentic AI Foundation’s standards, Microsoft’s OAGF — aren’t nice-to-haves. They’re the bottleneck.
OpenSSF launches Ambassador Program, welcomes FreeBSD Foundation and four new members
At OpenSSF Community Day on May 21, the foundation announced its first cohort of 13 OpenSSF Ambassadors — community leaders spanning supply chain security, policy, community building, and engineering. Notable names include Ben Cotton (Kusari, author of Program Management for Open Source Projects), Rob Kenefeck (ControlPlane), and Brandt Keller (CNCF Security & Compliance TAG maintainer). Alongside the ambassador launch, the OpenSSF welcomed five new members: ActiveState, Aikido, Minimus, and TuxCare as General Members, and the FreeBSD Foundation as an Associate Member. The FreeBSD addition is particularly noteworthy — it signals that the BSDs, historically independent in their security practices, see value in coordinating through the OpenSSF’s framework. Other Q2 milestones include the 1.0 release of the Secure Coding Guide for Python and eight mentees selected for the Summer 2026 program. The foundation’s steady institutional growth, happening quietly alongside splashier AI announcements, is building the kind of durable security infrastructure the ecosystem actually needs.
NVIDIA releases Ising — the first open-source AI models purpose-built for quantum computing
NVIDIA released Ising, an open-source family of AI models designed to accelerate quantum processor development, available on Hugging Face and GitHub. The models address two of quantum computing’s hardest practical problems: calibration (tuning processors, currently a multi-day manual process) and error correction (keeping fragile qubits stable long enough to compute). Ising’s calibration model automates processor tuning from days to hours, while its decoding models deliver real-time error correction up to 2.5x faster and 3x more accurately than legacy approaches like PyMatching. The models run on NVIDIA GPUs and integrate with CUDA-Q. What makes this notable for the open source world isn’t the quantum angle alone — it’s the strategic bet. NVIDIA is open-sourcing foundational tooling in a domain where proprietary lock-in would be easy to justify, betting that an open ecosystem accelerates the entire field (and, not coincidentally, GPU demand). It’s the same playbook that worked for CUDA in deep learning, now applied to quantum.