Leading stewards of several major open source projects today issued a joint open letter calling for major changes to be made to the way the IT infrastructure used to support these initiatives is funded, operated and maintained.
Posted on the Open Source Security Foundation (OpenSSF) website, the open letter, signed by representatives of open source projects and organizations including Maven Central/Sonatype, OpenJS, the Python Software Foundation and the Rust Foundation, calls for fundamental reforms both in how that IT infrastructure is funded and in how open source software is consumed.
At the core of the issue is that the vendors and non-profit entities that launched and support these projects are shouldering the cost of maintaining the IT infrastructure behind package repositories and package managers, with no way to recoup that investment.
Specifically, the open letter identifies automated continuous integration (CI) platforms, large-scale dependency scanners and ephemeral container builds as the tools and platforms putting the greatest strain on that infrastructure. These commercial-scale workloads often run without caching, throttling or even awareness of the load they impose. According to the signers, the rise of generative and agentic artificial intelligence (AI) coding tools will only drive a further explosion of wasteful automated usage that compounds those existing challenges.
As a result, the letter notes “a small number of organizations absorb the majority of infrastructure costs, while the overwhelming majority of large-scale users, including commercial entities that extract economic value, consume these services without contributing to their sustainability.”
Rectifying the economic imbalance, the letter argues, will require commercial and institutional partnerships that fund infrastructure in proportion to usage, and/or the adoption of tiered access models under which organizations that consume large amounts of infrastructure resources are charged fees.
According to the letter, maintainers might also monetize analytics, such as usage statistics, that other service providers would value.
Sonatype CTO Brian Fox said he hopes that, as more enterprise IT organizations become aware of the cost issue, they will adopt best practices such as caching, which reduce the load on the infrastructure by cutting the number of downloads, but that even then there will still be a chronic need for additional funding.
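The caching practice Fox refers to, and the uncached CI and ephemeral-build workloads the letter describes, are illustrated by the following added example. It is not code from the article or from any of the signatory projects; the package names, artifact bytes and the `UPSTREAM` stand-in for a registry are all constructed, and the cache layout is a hypothetical one chosen to make the point. A shared, content-addressed cache placed in front of the registry means a fleet of builds hits upstream once per pinned artifact rather than once per build, and verifying the lockfile digest on every read (hit or miss) means caching does not weaken the supply-chain check that `pip --require-hashes`, `package-lock.json` integrity fields or `Cargo.lock` checksums provide.

```python
"""Added example (not from the article or the signatory projects): a hash-verified
local package cache placed in front of an upstream registry, to show how caching
cuts repeated downloads across CI runs while keeping lockfile integrity checks."""
import hashlib
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for an upstream index: (name, version) -> artifact bytes.
# Package names and contents are hypothetical.
UPSTREAM: Dict[Tuple[str, str], bytes] = {
    ("examplepkg", "1.0.0"): b"PK\x03\x04 examplepkg-1.0.0 wheel bytes (constructed)",
    ("otherlib", "2.3.1"): b"PK\x03\x04 otherlib-2.3.1 wheel bytes (constructed)",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Pinned digests as a lockfile (pip --require-hashes, package-lock.json integrity,
# Cargo.lock checksum) would carry them; derived here from the constructed bytes.
PINS: Dict[Tuple[str, str], str] = {key: sha256_hex(data) for key, data in UPSTREAM.items()}


class HashMismatch(Exception):
    """Upstream returned bytes that do not match the pinned digest."""


class PackageCache:
    """Content-addressed on-disk cache keyed by (name, version, pinned digest)."""

    def __init__(self, root: Path, fetch: Callable[[str, str], bytes]) -> None:
        self.root = root
        self.fetch = fetch            # upstream download; the expensive call
        self.upstream_requests = 0    # what the registry operator actually pays for

    def _path(self, name: str, version: str, digest: str) -> Path:
        # Digest in the file name: changing the pin is automatically a miss.
        return self.root / name / f"{name}-{version}-{digest[:16]}.whl"

    def get(self, name: str, version: str, expected: str) -> Tuple[Path, str]:
        """Return (path, "hit" | "miss"). Bytes are verified on both hit and miss."""
        path = self._path(name, version, expected)
        if path.exists():
            if sha256_hex(path.read_bytes()) == expected:
                return path, "hit"
            path.unlink()  # corrupted or tampered entry: never serve it, refetch instead
        self.upstream_requests += 1
        data = self.fetch(name, version)
        if sha256_hex(data) != expected:
            raise HashMismatch(f"{name}=={version}: expected {expected}, got {sha256_hex(data)}")
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
        return path, "miss"


def fetch_from_upstream(name: str, version: str) -> bytes:
    return UPSTREAM[(name, version)]


def install_pinned(cache: PackageCache) -> None:
    """One CI build resolving every pinned dependency through the cache."""
    for (name, version), digest in PINS.items():
        cache.get(name, version, digest)


def simulate(n_builds: int) -> Tuple[int, int]:
    """Upstream requests for n builds: (ephemeral runners, no cache) vs (shared cache)."""
    uncached = 0
    for _ in range(n_builds):
        fresh = PackageCache(Path(tempfile.mkdtemp()), fetch_from_upstream)  # new runner each time
        install_pinned(fresh)
        uncached += fresh.upstream_requests
    shared = PackageCache(Path(tempfile.mkdtemp()), fetch_from_upstream)
    for _ in range(n_builds):
        install_pinned(shared)
    return uncached, shared.upstream_requests


def tamper_check() -> List:
    """A modified cache entry is detected and refetched rather than installed."""
    cache = PackageCache(Path(tempfile.mkdtemp()), fetch_from_upstream)
    key = ("examplepkg", "1.0.0")
    path, first = cache.get(key[0], key[1], PINS[key])
    path.write_bytes(b"trojaned wheel bytes")  # simulate on-disk tampering
    _, second = cache.get(key[0], key[1], PINS[key])
    return [first, second, cache.upstream_requests]


def upstream_substitution_rejected() -> bool:
    """A registry (or an on-path attacker) serving bytes other than the pin is refused."""
    def bad_fetch(name: str, version: str) -> bytes:
        return b"not the pinned artifact"
    cache = PackageCache(Path(tempfile.mkdtemp()), bad_fetch)
    try:
        cache.get("otherlib", "2.3.1", PINS[("otherlib", "2.3.1")])
    except HashMismatch:
        return True
    return False


if __name__ == "__main__":
    print("upstream requests (no cache, cache):", simulate(10))
    print("tamper check:", tamper_check())
    print("substitution rejected:", upstream_substitution_rejected())
```

Ten builds of two pinned packages cost the registry 20 downloads with a fresh runner each time and 2 with a shared cache; in a real pipeline the same effect comes from persisting `PIP_CACHE_DIR`, `npm_config_cache` or `CARGO_HOME` between runs, or from pointing the build at an organization-wide caching proxy. The digest check on reads is what makes a shared cache safe to trust across teams: a tampered entry is discarded and refetched, and an upstream that serves different bytes than the lockfile pins is rejected outright.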
Mike Milinkovich, executive director of the Eclipse Foundation, added that while cloud service providers have in many cases been subsidizing this infrastructure, the underlying business model is fundamentally broken. The open letter, he said, is a first step toward raising awareness of an issue that will eventually have to be addressed, for example by throttling and rate limiting to moderate the use of package managers that were never meant to become critical elements of the software development process.
It is not precisely clear how much is being spent on the infrastructure supporting these projects, but the costs run to tens of millions of dollars with no sign of abating. In effect, open source projects are becoming economic victims of their own success. The question now is how best to fund them in a way that is economically sustainable both today and, just as importantly, in the forthcoming era of AI.