A group of eight big organizations that run some of the world’s most important software package registries have issued a strong warning. They say their current funding system is “dangerously fragile” and could soon break down. This could mean major changes for how companies access the tools and data that power billions of software downloads every month.

The joint statement was posted as an open letter on the Open Source Security Foundation (OpenSSF) website. It came from leaders of groups like the Python Software Foundation, Rust Foundation, Eclipse Foundation, OpenJS Foundation, and four other major open-source stewards. This was the first time these organizations spoke together to ask for more sustainable funding. They manage registries that handle “trillions” of downloads each year, mostly for commercial software development.

They made it clear that relying on free support isn’t enough anymore. “Commercial-scale use without commercial-scale support is unsustainable,” OpenSSF wrote. The message warned of a “critical inflection point,” meaning things could soon change. Access models, prices, or service levels might need to be adjusted for the many high-volume users who depend on these services.

The Importance of These Registries

These registries include PyPI for Python, Maven Central for Java, crates.io for Rust, and npm for JavaScript. They are the backbone of modern software development. Every enterprise uses them in automated systems, dependency checkers, and build tools. Many of these systems make thousands of requests daily, often at no cost.

The foundations explained that the demand is growing fast, but funding isn’t keeping up. Automated systems like CI/CD pipelines and dependency scanners put huge pressure on these registries. Companies are building countless ephemeral containers and running large-scale automation, often without caching or throttling. This wastes resources and strains the infrastructure.

The rise of artificial intelligence has made the problem worse. The foundations pointed out that AI tools, especially generative and agentic AI, generate even more requests. These systems often hammer registries with requests, sometimes without basic efficiency practices like caching. This leads to even greater resource consumption, complicating efforts to keep systems sustainable.

The Funding Imbalance and Growing Risks

Despite serving billions, possibly trillions, of downloads each month, most of these registries rely on a small handful of benefactors for support. Meanwhile, large companies use these services extensively but contribute little or nothing to their upkeep. The foundations estimate that billions of dollars are spent annually on open source development, but most of that money goes toward internal projects and paid employees. Very little goes directly toward maintaining the public registries that distribute all this software.

This creates a serious imbalance. The cost to rebuild this infrastructure from scratch is estimated at over $4 billion. Yet, the foundations warn that the current funding model can’t sustain the growth and demand. Without changes, the risk of a breakdown increases.

The warning also highlights a surprising trend: some open-source registries are now used as distribution channels for proprietary software. Companies use these free platforms to deliver their closed-source SDKs and tools. While not inherently wrong, the foundations say this wasn’t the original purpose. These systems were meant to support open, community-driven software, not serve as free delivery platforms for commercial products.

What’s Next for Open Source Infrastructure?

The foundations say change is unavoidable. They’re exploring new models that resemble familiar pricing systems used by other infrastructure services. One idea is for companies to form partnerships that help fund the infrastructure based on how much they use. Another option is tiered access plans, where basic open access remains free, but high-volume users pay for enhanced performance or reliability.

These aren’t radical ideas. They’re practical and similar to what’s already used in internet bandwidth and cloud services. The foundations urge organizations to review their practices now. They recommend caching, reducing redundant requests, and engaging with infrastructure providers about fair contributions.

Their main message is clear: the era of free, unlimited use of these critical open-source services is coming to an end. To keep the infrastructure alive and healthy, everyone needs to step up and contribute fairly. Without action, the risk of major disruptions or failures grows, threatening the backbone of modern software development.

Inspired by

• https://www.infoworld.com/article/4062319/open-source-registries-signal-shift-toward-paid-models-as-ai-strains-infrastructure.html

Sources

• gmpg.org
• openssf.org
• csoonline.com
• opensourcefundingsurvey2024.com
• podigee.com