Red Hot Cyber


The freebie party is over! Open source infrastructure is at risk and needs funding.

Redazione RHC : 25 September 2025 07:47

An open letter signed by major open source foundations has raised the alarm about the future of the infrastructure that supports modern software development. The Open Source Security Foundation (OpenSSF), along with eight other organizations, including the Eclipse Foundation, the Rust Foundation, Sonatype, and the Python Software Foundation, declared that “open infrastructure is not free.”

The document draws attention to key package registries such as Maven Central, PyPI, crates.io, npm, and Packagist. These services handle billions of downloads per month but rely primarily on donations, grants, and sponsorships. This model is fragile given the growing costs of bandwidth, storage, staffing, and compliance.

Workloads are also increasing due to automated continuous integration systems, mass scanning, and artificial intelligence agents. This pressure generates “wasteful use,” absorbed by a few nonprofits and a limited number of companies that find themselves having to cover ever-increasing expenses.

The authors of the letter state that the current equilibrium cannot be maintained: the industry demands zero downtime, immediate dependency resolution, signed packages, and timely responses to supply chain attacks, as well as compliance with regulations such as the European Cyber Resilience Act. Yet the costs remain borne by those who act as guardians of the global ecosystem.

The foundations propose concrete solutions: partnerships with commercial users, priority access for large consumers, value-added paid services, and greater transparency on spending. The guiding principle is that those who benefit from open source on an industrial scale should contribute proportionally to its maintenance.

Other players had already sent similar signals. In July, GitHub suggested establishing a public open-source digital infrastructure and a €350 million European fund. At the same time, developers are becoming increasingly tired and abandoning projects, while activists and veterans like Bruce Perens are proposing licensing arrangements that require mandatory payments from commercial users.

OpenSSF’s final message is clear: the era of “free” is over. If large consumers continue to take open source support for granted, they will soon have to face the real price of interruptions and downtime.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
