
OpenSSF warns that open source infrastructure doesn't run on thoughts and prayers

(2025/09/23)


The Open Source Security Foundation (OpenSSF) has had enough of being the unpaid janitor of the world's software supply chain.

A coalition of heavyweight open source foundations [1]issued a joint statement via the foundation on Tuesday, declaring that "open infrastructure is not free" and warning that the critical machinery behind modern software development is being stretched to breaking point.

Package registries like Maven Central, PyPI, crates.io, npm, and Packagist handle billions of downloads every month, yet the organizations running them are often scraping by on donations, grants, and the goodwill of a few sponsors.


The missive lays it out bluntly: the ecosystem has been lulled into believing it can rely on "free and infinite" infrastructure, when in reality the costs of bandwidth, storage, staffing, and compliance are accelerating.


"Commercial-scale use without commercial-scale support is unsustainable," the group writes, pointing to demands for fast dependency resolution, signed packages, zero downtime, and rapid response to supply chain attacks – not to mention looming regulatory requirements such as the [5]EU's Cyber Resilience Act.

The open letter is signed by eight organizations including the Eclipse Foundation, Rust Foundation, Sonatype, and the Python Software Foundation.


The statement goes on to directly call out bad behaviour. Continuous integration systems and large-scale scanners bombard registries with automated requests, while container builds place enormous strain on infrastructure. Furthermore, AI agents are exacerbating the problem by scraping dependencies en masse. All of this, the group warns, creates "wasteful usage" that someone else ends up paying for.

The stewards argue the current model is unsustainable. A handful of nonprofits and a few corporate benefactors foot the bill for infrastructure used by the entire global software industry. To address this, the group proposes several remedies, including formal partnerships with commercial users, tiered access models that reserve premium performance for high-volume consumers, value-added services, and increased transparency about usage and costs.

This is not the first flare fired into the sky. In July, Microsoft-owned GitHub said, without a shred of irony, that governments should treat open source as "digital public infrastructure" and bankroll it accordingly, even proposing a €350 million "Sovereign Tech Fund" in the EU's next budget. That came amid growing concern over the fragility of the ecosystem, from volunteer burnout to increasingly sophisticated supply chain attacks.

[7]How and why Linux has thrived after three decades in Kernelland

[8]Asahi Linux loses another prominent dev as GPU guru calls it quits

[9]Open source maintainers are really feeling the squeeze

[10]After clash over Rust in Linux, now Asahi lead quits distro, slams Linus' kernel leadership

Other recent flashpoints highlight the strain. Earlier this year, Hector Martin, the lead of the Asahi Linux project, quit in frustration, accusing Linus Torvalds' team of allowing politics and burnout to drive talent away. In San Francisco, [11]billboards blasted tech giants for profiting from open source without paying their dues. And free software veteran Bruce Perens [12]floated a "Post-Open Zero Cost License" designed to compel companies to contribute financially if they profit from open source code.

The OpenSSF statement is the clearest attempt yet to tell freeloaders the party's over. It doesn't advocate slamming the door shut, but it makes the case that those who rely on it must start paying proportionately to keep it standing.


The risk is that these warnings will follow the path of many before them: plenty of sympathy, but little structural change. Asking enterprises to voluntarily contribute to the plumbing they depend on is a tough sell when shareholders see free as a feature, not a flaw. But the stewards behind today's statement make it plain: someone has to pick up the tab, and soon.

Because while "open" might still be free to use, running the infrastructure behind it is very much not, OpenSSF warns. And unless the world's biggest consumers start coughing up, the software economy could soon learn what downtime really costs. ®




[1] https://openssf.org/blog/2025/09/23/open-infrastructure-is-not-free-a-joint-statement-on-sustainable-stewardship/


[5] https://www.theregister.com/2023/12/04/infosec_in_brief/


[7] https://www.theregister.com/2025/09/18/three_decades_in_of_linux/

[8] https://www.theregister.com/2025/03/20/asahi_linux_asahi_lina/

[9] https://www.theregister.com/2025/02/16/open_source_maintainers_state_of_open/

[10] https://www.theregister.com/2025/02/13/ashai_linux_head_quits/

[11] https://www.theregister.com/2024/10/25/open_source_funding_ads/

[12] https://www.theregister.com/2024/04/30/bruce_perens_post_open_license/




Stars

elsergiovolador

Wait until governments discover the exposure economy isn’t taxed. You hand your landlord a printout of your GitHub stars, they nod, bask in their exposure to exposure, and walk away with butterflies in their belly. None of it attracts a penny of tax - the only truly sovereign currency left.

A tale as old as time...

spuck

Every scrappy new project starts out as a side project of an individual or small group, and as people start to give it a try (because it's free) it starts to feel the weight of what they've bitten off for themselves.

Maybe it's time to write [1]a letter ?

[1] https://en.wikipedia.org/wiki/An_Open_Letter_to_Hobbyists

Anonymous Coward

> Package registries like Maven Central, PyPI, crates.io, npm, and Packagist handle billions of downloads every month, yet the organizations running them are often scraping by on donations, grants, and the goodwill of a few sponsors.

These centralized language-based package managers are a bad idea. Running out of money is simply the trash taking itself out.

DarkwavePunk

Back in the day when Perl was all the rage - I thought CPAN was an attack vector. These more modern dynamic package tool chains are utterly terrifying. You'd think that everyone would run a local and vetted repository, but I've seen so much code that just spaffs off to the internet with minimum if any sanity checking.

Maybe….

Rich 2

They should call bluff on this and stick in some firewall rules to block (say) the top 20% of offenders.

It would be horrendously disruptive and would surely cost someone gazillions of your currency of choice.

But it might actually wake up the industry, and they might (maybe, perhaps) see some money coming in very shortly afterwards.

Don't stop to stomp ants when the elephants are stampeding.