
Stewards of public open-source infrastructure say a better funding model is needed

“Most of these systems operate under a dangerously fragile premise: They are often maintained, operated, and funded in ways that rely on goodwill, rather than mechanisms that align responsibility with usage,” stewards of public open source infrastructure wrote in a joint statement.

Emily Parsons

The foundations that support public open-source infrastructure say the times are a-changin’—and organizations need to pick up the slack.

In a joint statement published to the Open Source Security Foundation’s website on Sept. 23, several stewards of public open-source infrastructure were candid about the massive financial constraints they’re facing due to increased expectations and demands from organizations who rely heavily on their public package registries (like Maven Central, PyPI, and OpenVSX) for software development.

While the stewards claim to serve billions of downloads per month, they said their services are only funded by a small number of commercial vendors and nonprofits. The majority of “large-scale users” consuming their services do so in an unsustainable manner, they added.

“Most of these systems operate under a dangerously fragile premise: They are often maintained, operated, and funded in ways that rely on goodwill rather than mechanisms that align responsibility with usage,” the stewards wrote.

The letter was signed by a total of eight organizations, including the OpenJS Foundation, Python Software Foundation, and Sonatype.

At their wits’ end. In their letter, these stewards called attention to the “enormous strain” that continuous integration systems and large-scale scanners place on open-source infrastructure. They said GenAI and agentic AI are also to blame as the emerging technology continues to drive an “explosion of machine-driven, often wasteful automated usage.”

Mike Milinkovich, executive director of the Eclipse Foundation, told IT Brew that the stewards are unable to increase funding at the pace of these increased demands, adding that the business model powering their community is “broken.” He said that demand for OpenVSX, for example, measured as the number of downloads, has increased fourfold in the past year, with no increase in funding during that time.

“We don’t have a business model that links demand to revenue,” Milinkovich said. “And basically this letter is telling the world we have got to get there.”

Increased demand is not all that stewards are juggling. Milinkovich said some also grapple with the growing expectation that they keep their repositories protected from supply-chain attacks mounted by users.

“There’s this steady little incremental, drip, drip, drip of, ‘You need to do more. You need to do more. You need to do more,’” Milinkovich said. “And I think we’re here to say that the camel’s back is broken and we collectively need help.”

Sharing is caring. In their letter, the eight organizations provided a short list of things organizations and individuals can do to alleviate the current operational burden. This includes staying educated on the funding models and needs of the different foundations, supporting foundations financially through memberships and sponsorships, and using the services more consciously.

The stewards asserted that each player in the open source ecosystem will “adopt the approaches that make the most sense in its own context.” However, they suggested several moves in the letter that could help address the current problem within their industry, such as establishing partnerships with commercial and institutional entities and enforcing tiered access models that provide larger consumers with “scaled performance.”

“These are not radical ideas,” the stewards wrote. “They are practical, commonsense measures already used in other shared systems, such as internet bandwidth and cloud computing.”
