coder (Newbie, Moderator)

Joint statement from multiple open-source communities including Eclipse, Rust, PHP, Python, and Java: Are open-source communities going to start charging?

On 24 September, the Open Source Security Foundation (OpenSSF) issued a significant statement warning that the core open-source infrastructure underpinning modern software development faces a risk of systemic collapse. Jointly signed by eight internationally renowned open-source organisations including Eclipse, Rust, PHP, Python, and the Java Foundation, the statement calls upon the global technology community to confront a long-neglected reality: open-source infrastructure is not free, and its sustainable operation urgently requires systematic investment and shared responsibility.

The statement highlighted that critical package registries such as Maven Central, PyPI, crates.io, npm, and Packagist serve as the ‘digital lifeblood’ relied upon daily by millions of developers worldwide. Handling tens of billions of download requests monthly, they underpin the entire modern software supply chain—from mobile applications to enterprise systems. However, the operational teams behind these platforms largely rely on sporadic donations, limited public funding, and a handful of sponsors to maintain their work. They face severe constraints in human, technical, and financial resources, with systems operating under chronic overload.

This pressure is being amplified to unprecedented levels by the rapid advancement of artificial intelligence technology. The training of large AI models and the widespread deployment of agents have fuelled massive, high-frequency data scraping of open-source code repositories. Numerous AI systems utilise publicly accessible open-source repositories as training data, with agents automatically performing dependency resolution, code generation, and refactoring. This has resulted in a surge in traffic to registry centres. While this ‘automated consumption’ model drives technological innovation, it also presents significant issues of ‘wasteful usage’ – many requests contribute nothing to the ecosystem while intensifying consumption of bandwidth, storage, and computational resources, severely crowding out legitimate service resources for genuine developers.

Concurrently, AI-driven automated toolchains are extensively integrated into development workflows, further elevating dependency on package management systems. For instance, intelligent dependency scanning within CI/CD pipelines, real-time suggestions from AI-assisted programming tools, and frequent queries to open-source knowledge bases by RAG (Retrieval-Augmented Generation) systems collectively generate sustained high-concurrency request pressure. More critically, certain enterprises or institutions employ unthrottled automated scanning tools for compliance and vulnerability detection without considering server capacity constraints, imposing substantial operational burdens on underlying infrastructure.

The statement highlights a critical misconception within the open-source ecosystem: certain large technology enterprises continue to treat these essential infrastructures as ‘public goods’ available for unlimited, cost-free usage. However, with escalating costs for bandwidth, storage, human resources, compliance (e.g., SBOM/Software Bill of Materials), and security requirements (e.g., package signing, zero-downtime guarantees, supply chain attack defences), the expenses of maintaining stable system operations have far exceeded historical levels.

The Open Source Security Foundation explicitly states that critical security functions—such as rapid dependency resolution, package signature verification, zero-trust supply chain protection, anti-DDoS capabilities, and defence against sophisticated cyberattacks—require substantial and sustainable funding for deployment and maintenance. The proliferation of AI is accelerating these demands: the unpredictability of agent behaviour and the expansion of automated attack surfaces necessitate infrastructure with enhanced resilience and security.

Consequently, the Foundation calls upon non-profit organisations, large commercial users, and AI technology leaders to shoulder greater responsibility by providing stable, predictable funding for open-source infrastructure. It recommends establishing collaborative mechanisms with commercial users and implementing tiered access strategies, offering paid value-added services to high-frequency enterprise users to achieve reasonable cost-sharing. Simultaneously, operational cost transparency should be enhanced, promoting a ‘beneficiaries contribute’ model of shared responsibility.

Only through the coordinated advancement of funding, technology, and governance mechanisms can open-source infrastructure remain robust, secure, and open in the AI era. This concerns not merely development efficiency but determines the future resilience of the global software supply chain. Open-source is not a free lunch, particularly as AI reshapes everything; its sustainability must become a shared mission for the entire technology ecosystem.

In this AI-dominated era, certain enterprises are amassing fortunes through open-source resources while simultaneously undermining the open-source ecosystem. Developers are compelled to contribute source code without access to other organisations' repositories, yet these entities continue to exploit open-source assets – a truly narrow-minded approach.

Original text link below:


https://openssf.org/blog/2025/09/23/open-infrastructure-is-not-free-a-joint-statement-on-sustainable-stewardship/
