Dev & DevSecOps | October 1, 2025

The call for funding of open-source platforms

Funding of the OSS ecosystem has reached a crisis as threat actors increasingly target weaknesses in infrastructure.

Jaikumar Vijayan, Freelance technology journalist

Questions about the long-term sustainability of the open-source software (OSS) ecosystem have become pointed in the past month, after a number of high-profile attacks targeting OSS infrastructure made it clear that committed financial support from the ecosystem’s largest users — commercial software companies — will be essential to avoid a crisis. 

In a joint statement, the stewards of several major public repositories warned that large users are extracting significant value from the platforms without effectively paying for them. Representatives from Alpha-Omega, the Eclipse Foundation, the OpenJS Foundation, OpenSSF, Packagist, the Python Software Foundation, the Rust Foundation, and Sonatype wrote that this has put the long-term viability of the registries at risk.

Open source infrastructure cannot be expected to operate indefinitely on unbalanced generosity. The real challenge is creating sustainable funding models that scale with usage, rather than relying on informal and inconsistent support.

Joint statement posted by OpenSSF

Here’s what you need to know about the call to action — and why new funding will be critical to software security as software supply chain attacks consistently target the OSS ecosystem.

[ See RL co-founder's post on what's needed to protect open-source platforms ]

OSS use — and exploitation — explodes

OSS platforms have become critical infrastructure for the global software supply chain, operating alongside a broader ecosystem of build tools, testing services, content delivery networks, and donated cloud resources. With OSS usage reaching extraordinary levels, the joint statement said, major public code registries are handling what might amount to trillions of downloads every month — much of it driven by commercial-scale automation in the form of continuous integration (CI) pipelines, dependency scanners, and nonstop container builds. 

In many cases, publishers of commercial and proprietary software are using public registries as free content distribution networks for projects that are part of paid products and platforms. With automation, users of these open-source infrastructures have high expectations that they will deliver fast package distribution speed, reliability, and global availability — and that the packages themselves will be verifiable, signed, and immutable. 

CI pipelines demand deterministic builds with zero downtime, and security tooling relies on instant responses from public registries. Meanwhile, the joint statement said, governments, regulators, and enterprises want more traceability, monitoring, and auditability of open-source software, even while the registries themselves also have to contend with escalating cyberthreats.

‘Free and infinite’ infrastructure is an illusion

The statement noted that while automated systems such as CI pipelines, massive dependency scanners, and ephemeral container builds run by commercial organizations put tremendous pressure on open-source infrastructure, those commercial users have shown little regard for resource use, often running these workloads continuously, without throttling or caching. AI is only intensifying the problem, fueling an explosion of machine-driven activity. “The illusion of ‘free and infinite’ infrastructure” has encouraged wasteful usage, the signatories lamented.

Concerns about large organizations freeloading on OSS platforms aren’t new — and neither is the issue of who should foot the bill for it. For years, maintainers have warned that while billions of downloads flow from commercial and enterprise users, only a small fraction of those users contribute time, money, or infrastructure back to support the projects they rely on. It’s common, in fact, for even widely used open-source projects to be maintained by a single person or a small team of volunteers working in their free time. As the XZ-Utils backdoor and Apache Log4j vulnerability demonstrated, that lack of broad support can have disastrous consequences.

Christopher Robinson, chief technology officer and chief security architect of the Linux Foundation’s OpenSSF, said many of those using OSS infrastructure have little idea of how it operates. And while use of OSS tools and repositories has to scale to serve some of the largest ecosystems, the fact is that the tools were never designed for the current scale of consumption, Robinson said.

Broadly, we feel the issues are more attributable to ignorance and lack of insight rather than malice. However, much like public power and water utilities, developers and corporations expect these systems are always on and available, regardless of the actual real-world operating expenses these repositories incur.

Christopher Robinson

AI coding amplifies the OSS platform crisis

Mike Milinkovich, executive director of the Eclipse Foundation, which maintains the Open VSX Registry, said the joint statement was the result not of any single incident, inflection point, or trend but rather reflects a reality that cannot be deferred any longer given the rise of OSS utilization in the AI age. 

Over the past year, download traffic on Open VSX has grown fourfold, he said, most of it driven by the rapid rise of AI-native development tools. While the growth reflects the platform’s growing importance, it has also created significant infrastructure demands that need sustained support. But financial backing for Open VSX operations has remained flat, Milinkovich said.

Fundamentally, relying on sponsorship revenue to support critical infrastructure with exponentially growing demand is not sustainable. The registry needs a model that can scale alongside usage and ensure reliable service for the entire community. The path forward is a system where revenue grows with demand and the heaviest users contribute proportionally to its operation.

Mike Milinkovich

The way forward on OSS

The statement outlines three potential paths toward sustainable funding: 

  1. Commercial and institutional partnerships: Organizations would contribute based on their proven usage levels or in return for strategic advantages. 
  2. Tiered access: This system would preserve free, open access for standard users and provide enhanced performance for paying organizations. 
  3. Premium services: Things that commercial users would find worth paying for, such as detailed usage analytics, could be offered. “Billion-dollar ecosystems cannot stand on foundations built of goodwill and unpaid weekends,” the signatories said.

The most promising future models are those that align responsibility with usage while keeping open access for the broader ecosystem, Milinkovich said. “In practice, this means encouraging large commercial and enterprise beneficiaries, whose products and revenues are directly built on open-source infrastructure, to take on a greater share of the cost.”

The goal is to get people to think differently about how they approach open source, he said. Package repositories have been offered as a free service with infinite capacity, and people are using them as such, but that cannot be sustained. “The solution is to change the economic model so that large-scale use results in at least some expense,” he said.

To encourage a change in behavior, the Eclipse Foundation will soon implement rate limiting on Open VSX — not to restrict access but to sustain access in a way that is fair and responsible, Milinkovich said. “Another example is the Eclipse Temurin Sustainer Program, where enterprises contribute financially to ensure faster releases, stronger security, and improved testing infrastructure for all,” he said.
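The two load-shaping measures the article mentions are client-side caching (the statement's complaint that commercial CI fleets run "without throttling or caching") and registry-side rate limiting (what Open VSX plans to introduce). The following simulation, an added example that is not code from the article, from Open VSX, or from any registry, shows why the two go together: a constructed registry enforces a token-bucket limit, and a constructed fleet of CI jobs that all install the same pinned dependencies is run once with a shared local cache and once without. The package names, build counts and bucket size are made-up values chosen for illustration, and the clock is frozen so the numbers are deterministic; with a real wall clock the bucket would refill over time.

```python
"""Constructed simulation of CI load on a package registry (added example, not
the article's or any registry's code). A fake registry enforces a token-bucket
rate limit; a fake CI fleet installs the same pinned dependencies with and
without a shared local cache so origin requests and failed builds can be
compared."""
from collections import Counter


class TokenBucket:
    """Token-bucket limiter: `rate` tokens per second, `burst` capacity.
    `clock` is injectable so the example can run with a frozen clock."""

    def __init__(self, rate, burst, clock):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.tokens = float(burst)
        self.last = clock()

    def allow(self):
        now = self.clock()
        # Refill proportionally to elapsed time, never above capacity.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class Registry:
    """Fake registry: counts origin fetches per artifact and rejected requests."""

    def __init__(self, limiter):
        self.limiter = limiter
        self.hits = Counter()
        self.rejected = 0

    def fetch(self, name, version):
        if not self.limiter.allow():
            self.rejected += 1
            return None  # the client would see a 429-style rejection here
        self.hits[(name, version)] += 1
        return f"{name}-{version}.tar.gz"  # stand-in for the artifact bytes


class CachingClient:
    """CI-side client that consults a shared cache before asking the registry.
    Passing cache=None disables caching, modelling a fleet that refetches
    everything on every build."""

    def __init__(self, registry, cache=None):
        self.registry = registry
        self.cache = cache

    def get(self, name, version):
        key = (name, version)
        if self.cache is not None and key in self.cache:
            return self.cache[key]
        artifact = self.registry.fetch(name, version)
        if artifact is not None and self.cache is not None:
            self.cache[key] = artifact
        return artifact


# Constructed dependency set: 20 pinned packages every build installs.
DEPS = [(f"pkg{i}", "1.0.0") for i in range(20)]


def run_fleet(builds, deps, use_cache, burst=300):
    """Simulate `builds` CI jobs installing `deps`; the registry allows `burst`
    requests before rejecting (frozen clock, so the bucket never refills)."""
    registry = Registry(TokenBucket(rate=10, burst=burst, clock=lambda: 0.0))
    shared_cache = {} if use_cache else None
    failed_builds = 0
    for _ in range(builds):
        client = CachingClient(registry, shared_cache)
        results = [client.get(name, version) for name, version in deps]
        if None in results:  # any rejected dependency breaks the build
            failed_builds += 1
    return {
        "origin_requests": sum(registry.hits.values()),
        "rejected": registry.rejected,
        "failed_builds": failed_builds,
    }


if __name__ == "__main__":
    for use_cache in (False, True):
        print("cache" if use_cache else "no cache", run_fleet(50, DEPS, use_cache))
```

Without the cache, 50 builds of 20 packages generate 1,000 origin requests; the limiter serves the first 300 and rejects 700, so 35 builds fail. With a shared cache the same fleet reaches the registry only 20 times and nothing is rejected, which is the point the signatories make: once a registry starts enforcing limits, the organizations that cache (a proxy such as a local mirror in practice) keep working, and only the wasteful pattern is throttled.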

Similar changes are planned by other repositories. Loren Crary, deputy executive director of the Python Software Foundation, which manages PyPI, said that the funding for free and OSS resources, services, and programs has remained flat or even declined as AI coding has exploded. That reality has led to a growing sense of urgency, Crary said.

Usage of Python and the Python Package Index (PyPI) has shot up in tandem with the growth of the AI industry.

Loren Crary

Why shared responsibility of OSS is essential

OpenSSF’s Robinson said the organization expects pushback to any change from at least some commercial stakeholders. But, he added, savvy enterprises will see a shared-responsibility model as an opportunity to ensure that the upstream pipelines that they depend on remain open. Legislation such as the EU’s Cyber Resilience Act (CRA) is likely to help by setting the expectation that software publishers will, at least to some extent, engage with and support the OSS that they integrate into their products. The public sector, which is one of the heaviest users of OSS, can help as well, Robinson said. He pointed to Germany’s Sovereign Tech Agency’s mission as a good example of public funds being directly applied to improve the security of OSS projects.

The Eclipse Foundation’s Milinkovich said the healthiest path forward is one of shared stewardship. Corporate and enterprise users should support the infrastructure they depend on, and the stewards of that infrastructure should adopt transparent governance that guarantees neutrality, openness, and resilience for everyone.

For package registries like Open VSX, our priority is to ensure that individual developers, small teams, and open-source projects continue to have free and open access to essential infrastructure. This is not about putting open source behind a paywall. It is about aligning responsibility with usage so that the community can continue to grow without compromising resilience, security, or performance.

Mike Milinkovich
