
Open source devs consider making hogs pay for every Git pull

(2026/02/28)


Opinion I'm at the [1]Linux Foundation Members Summit , and [2]Sonatype 's CTO Brian Fox introduced me to a new open source problem. I wouldn't have thought that was possible, but here I am.

Fox, who also oversees [3]Apache Maven , a popular Java build tool, explained that its repository site is at risk of being overwhelmed by constant Git pulls. The team has dug into this and found that 82 percent of the demand comes from less than 1 percent of IPs. Digging deeper, they discovered that many companies are using open source repositories as if they were content delivery networks (CDNs). So, for example, a single company might download the same code hundreds of thousands of times in a day, and the next day, and the next. This is unsustainable.

So Maven and other open source repositories are considering introducing a tiered payment system. Lone developers and small groups will still be able to download the code for free, but the hogs will have to pay for every download. In other words, open source software is still free as in speech, but you can forget about being "free as in beer" going forward.


How bad is it? Fox revealed that last year, major repositories handled 10 trillion downloads. That's roughly double Google's annual search queries, for those counting at home, and the registries are serving it on a shoestring. Fox described this as a "tragedy of the commons," where the assumption of "free and infinite" resources leads to structural waste amplified by CI/CD pipelines, security scanners, and AI-driven code generation.


Companies may think that they can rely on "free and infinite" infrastructure, when in reality the costs of bandwidth, storage, staffing, and compliance are accelerating.

Fox shared data showing 82 percent of Maven Central's consumption comes from less than 1 percent of worldwide IPs, with 80 percent of traffic from the big three hyperscalers. Making it even more troublesome, "IP addresses don't represent people. They're not even organizations anymore. They're ephemeral. They're kind of like weather," Fox explained in an interview, noting challenges from containers, NAT proxies, and cloud egress IPs. In one case, a department store's team of 60 developers generated more traffic than global cable modem users worldwide due to misconfigured React Native builds bypassing their Nexus repository manager.


He detailed extreme examples, such as large organizations downloading the same 10,000 components a million times each month. "That's ridiculous," Fox said. Throttling efforts led to "brownouts" via 429 errors, but patterns mutated, forcing a "Whack-a-Mole" game, especially since most consumption is headless and unnoticed.
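The registry-side view of the two numbers above, as an added example (not Sonatype's or Maven Central's code): it replays a constructed access log, measures how much of the traffic the top 1 percent of IPs generate, counts how often a client re-downloads an artifact it already has (the "registry as CDN" pattern), and runs one token bucket per IP to show what a 429 brownout does to a hog while leaving ordinary developers untouched. The log format, the IP addresses and the bucket limits are assumptions for illustration.

```python
"""Who the hogs are, and what a 429-based throttle does to them (example code)."""
import math
import re
from collections import Counter

# Constructed access-log lines: "<unix_ts> <client_ip> GET <path>".
LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<ip>\S+) GET (?P<path>\S+)$")

HOG = "203.0.113.10"                               # one CI farm, same jar once a second
DEVS = [f"198.51.100.{i}" for i in range(1, 21)]   # twenty developers, three pulls each


def build_sample_log() -> list[str]:
    """Construct a time-sorted sample log: one hog plus twenty ordinary clients."""
    lines = [f"{1000 + i} {HOG} GET /maven2/org/example/lib/1.0/lib-1.0.jar"
             for i in range(100)]
    for n, ip in enumerate(DEVS):
        for j in range(3):
            lines.append(f"{1000 + 5 * n + j} {ip} GET /maven2/org/example/dep{j}/2.0/dep{j}-2.0.jar")
    return sorted(lines, key=lambda line: int(line.split()[0]))


def parse(lines):
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield int(m["ts"]), m["ip"], m["path"]


def top_share(lines, fraction: float = 0.01) -> float:
    """Share of all requests made by the top `fraction` of client IPs (at least one IP)."""
    counts = Counter(ip for _, ip, _ in parse(lines))
    k = max(1, math.ceil(len(counts) * fraction))
    return sum(c for _, c in counts.most_common(k)) / sum(counts.values())


def repeat_downloads(lines) -> dict[str, int]:
    """Per IP, how many requests re-fetched a path that IP had already downloaded.
    Dependency resolution fetches each artifact once; a large number here means the
    registry is being used as a CDN instead of a local cache."""
    seen: dict[str, set[str]] = {}
    repeats: Counter = Counter()
    for _, ip, path in parse(lines):
        paths = seen.setdefault(ip, set())
        if path in paths:
            repeats[ip] += 1
        paths.add(path)
    return dict(repeats)


class TokenBucket:
    """Classic token bucket: `capacity` requests of burst, refilled at `rate` per second."""

    def __init__(self, capacity: float, rate: float, now: float):
        self.capacity, self.rate = capacity, rate
        self.tokens, self.last = capacity, now

    def allow(self, now: float) -> bool:
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def throttle(lines, capacity: float = 10, rate: float = 0.5) -> Counter:
    """Replay the log through one bucket per IP; returns Counter of (ip, status_code)."""
    buckets: dict[str, TokenBucket] = {}
    statuses: Counter = Counter()
    for ts, ip, _ in parse(lines):
        if ip not in buckets:
            buckets[ip] = TokenBucket(capacity, rate, ts)
        statuses[(ip, 200 if buckets[ip].allow(ts) else 429)] += 1
    return statuses


if __name__ == "__main__":
    log = build_sample_log()
    print(f"top 1% of IPs account for {top_share(log):.0%} of requests")
    print("repeat downloads:", repeat_downloads(log))
    print("hog status codes:", {code: n for (ip, code), n in throttle(log).items() if ip == HOG})
```

With these limits the hog's first burst gets through, then it settles into roughly one 429 for every allowed request, while each developer's three pulls all succeed. Note that the hog is identified by repeat downloads, not by volume alone; the same per-IP limit also hits a NAT gateway that fronts thousands of legitimate users, which is exactly the "IPs are like weather" problem Fox describes.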

Registries are also burdened by commercial use, with companies publishing closed source components or massive SDKs as free CDNs. Fox noted that top publishers release gigabyte-scale artifacts daily, unlike in typical open source projects.

In September 2025, the [8]registries issued an open letter via OpenSSF calling for "tiered access models" to keep it free for hobbyists and open source while mandating contributions from high-volume users. "This is the important part, that it has to become mandatory, not optional," Fox emphasized. Open source charity is not a sustainable model.


Businesses have been treating open source repositories as free, infinite infrastructure. That's nonsense. The reality is that the costs of bandwidth, storage, staffing, and compliance are ever-growing. In particular, as the letter stated, [10]"Commercial-scale use without commercial-scale support is unsustainable ." Open source foundations can't keep up with the demand for fast dependency resolution, signed packages, zero downtime, and rapid response to supply chain attacks – not to mention looming regulatory requirements such as the [11]EU's Cyber Resilience Act .

Fox anticipates the registries will start rolling out their tiered models next quarter: "We did the Open Letter way back in October... different ecosystems have figured out models that they think are going to work." In a pleasant surprise, reactions have been positive. Throttled organizations were "surprised and apologetic," having mistaken the throttling for malice when the cause on their side was "ignorance, unawareness."


As the saying goes, never attribute to malice what can be explained by stupidity. Or, as Michael Winser, a co-founder of [16]Alpha-Omega , a Linux Foundation project to help secure the open source supply chain, said at FOSDEM: "If you're not caching, you're a goddamn idiot." Amen, brother!

With AI-driven repository usage exploding, Fox urged checking bills, using caching proxies, and avoiding per-commit tests. He seeks endorsements: "We need you to help step up... so that when we go out to the rest of the wild world... you need to pay to keep doing what you've been doing."
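The "check your bills, use a caching proxy" advice above implies a concrete check on the consumer side: find the build machines that talk to a public registry directly instead of through the internal repository manager, which is the department-store failure mode from earlier in the piece. The following is an added example, not code from the article or any vendor; the egress-log format, the proxy hostname `nexus.corp.example` and the registry host list are assumptions.

```python
"""Find builds that bypass the internal caching proxy (example code)."""
import re
from collections import Counter

# Public registry hosts that builds should reach only through the internal proxy.
# Illustrative list; extend it for the ecosystems you actually use.
PUBLIC_REGISTRIES = {
    "repo1.maven.org", "repo.maven.apache.org",   # Maven Central
    "registry.npmjs.org",                          # npm
    "pypi.org", "files.pythonhosted.org",          # PyPI
}
INTERNAL_PROXY = "nexus.corp.example"  # hypothetical repository manager hostname

# Constructed egress-proxy log format: <ts> <src_ip> CONNECT <host>:<port> "<user-agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) CONNECT (?P<host>[^:\s]+):\d+ "(?P<ua>[^"]*)"$'
)


def build_sample_log() -> list[str]:
    """Construct a day of egress logs: six build machines pulling the same artifacts
    straight from Central, twenty machines correctly using the proxy, and one laptop
    with a handful of one-off direct hits that should not page anyone."""
    lines = []
    for i in range(1, 7):                      # misconfigured builds
        lines += [f'2026-02-27T09:00:00Z 10.20.0.{i} CONNECT repo1.maven.org:443 "Gradle/8.5"'] * 200
    for i in range(1, 21):                     # correctly configured machines
        lines += [f'2026-02-27T09:00:00Z 10.30.0.{i} CONNECT {INTERNAL_PROXY}:8081 "Gradle/8.5"'] * 200
    lines += ['2026-02-27T12:00:00Z 10.40.0.7 CONNECT pypi.org:443 "pip/24.0"'] * 3
    return lines


def parse(lines):
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def direct_registry_hits(lines) -> Counter:
    """Count requests that bypassed the proxy, keyed by (source, registry, user-agent).
    The user-agent tells you which tool to reconfigure."""
    hits: Counter = Counter()
    for rec in parse(lines):
        if rec["host"] in PUBLIC_REGISTRIES:
            hits[(rec["src"], rec["host"], rec["ua"])] += 1
    return hits


def offenders(lines, min_hits: int = 100) -> list[tuple[str, str, str, int]]:
    """Sources whose direct hits reach `min_hits`: the machines to fix first."""
    return [(src, host, ua, n)
            for (src, host, ua), n in direct_registry_hits(lines).most_common()
            if n >= min_hits]


def bypass_ratio(lines) -> float:
    """Fraction of all registry-bound requests that skipped the internal proxy."""
    direct = proxied = 0
    for rec in parse(lines):
        if rec["host"] in PUBLIC_REGISTRIES:
            direct += 1
        elif rec["host"] == INTERNAL_PROXY:
            proxied += 1
    total = direct + proxied
    return direct / total if total else 0.0


if __name__ == "__main__":
    log = build_sample_log()
    for src, host, ua, n in offenders(log):
        print(f"{src} -> {host} ({ua}): {n} direct requests")
    print(f"{bypass_ratio(log):.1%} of registry traffic bypassed {INTERNAL_PROXY}")
```

The remediation for the flagged hosts is configuration, not code: for Maven, a `<mirror>` entry with `<mirrorOf>*</mirrorOf>` in `settings.xml` pointing at the proxy; for npm, a `registry=` line in `.npmrc`. Blocking the public registry hosts at the egress firewall for everything except the proxy turns the silent misconfiguration into a loud build failure, which is the outcome you want.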

But, wait, there's more! Besides simply being overwhelmed by constant download demands, Winser said, "[17]People conflate open source software and open source infrastructure." Yes, open source software is free, but the cost of the registries that host all open source applications and libraries keeps increasing with greater usage.

It's not just bandwidth and storage. Winser also pointed out that the repositories "don't have enough money to spend on the very security features that we all desperately need to stop being a bunch of idiots and installing fu when it's malware."

To quote Robert A. Heinlein: "There's no such thing as a free lunch." The bill has come due for our misuse of the open source commons. ®




[1] https://events.linuxfoundation.org/lf-member-summit/

[2] https://www.sonatype.com/

[3] https://maven.apache.org/


[8] https://www.theregister.com/2025/09/23/openssf_open_source_infrastructure/


[10] https://openssf.org/blog/2025/09/23/open-infrastructure-is-not-free-a-joint-statement-on-sustainable-stewardship/

[11] https://www.theregister.com/2023/12/04/infosec_in_brief/


[16] https://alpha-omega.dev/about/about-alpha-omega/

[17] https://www.theregister.com/2026/02/16/open_source_registries_fund_security/




Abusers eventually have to pay the piper

Anonymous Coward

This is, IMHO, shortsighted on the part of those companies. How much can it cost to run their own Git repo either on prem or in the cloud? On prem would probably cost a lot less if the traffic is as heavy as reported in the article.

I run my own repo on a hosting site. I moved all my code there the day after MS bought GitHub. It is secure as I've set up the firewall to only accept requests from three validated addresses. The rest get a 404.

Re: Abusers eventually have to pay the piper

Headley_Grange

I guess that if it costs more than free then they aren't interested.

Juha Meriluoto

Getting x for free and making profit from it... Capitalism, pure and simple.

Nice idea...

IGotOut

...I totally support this, but I'd fire a warning shot first and not just throttle them, but out right ban them, for say for initial 4 hrs, then 8, then 24, then 48 etc.

Think of these billionaire scum as the spoilt brats they are. Keep making them sit in the corner until they learn to behave.

QET

Those leeching buffoons who were eventually embarrassed had never heard of the concept of an on-prem caching proxy?

I'd have thought any sufficiently large company with IT staff worth their salt would implement something like that.

But on the other hand, companies that big, too often nowadays have beancounters who concluded outsourcing it all could save the company 0.1% compared to the previous on-prem IT staff's salaries.

Gene Cash

sufficiently large company with IT staff worth their salt

I'm an optimist. I hope to see one someday.

Anonymous Coward

Exactly. Code has moved from local repo to github, build environments have moved from Jenkins to Azure Cloud. On-prem is being gutted and the people who worked in build, deployment, and installation fired as a result and replaced with outsourced labour.

Corporate thinking is if we don't have the servers then we don't need the people but we do because these are the people who would have set up caching, amongst other things. Now everything is pulled in at the start of each build, only application developers might understand that caching is required (if they're actively checking something that is not within their domain), but the outsourced labour who replaced those that were fired won't do anything unless they're told to, which is "fix this, it's broken" instead of anything like best practice or preventative maintenance.

Easy solution

Yorick Hunt

Charge everyone $1 per pull. Maybe compound it by charging $2 per pull after the first thousand pulls in a month, $3 after the second thousand, and so on.

Regular developers won't have a problem paying <$10 per week.

The ones making millions of pulls, though...

The source is free, the CDs are not

Jan Ingvoldstad

That’s how it went back when we paid to get source distributions in the mail, and it’s fair that we pay for the distribution media today as well.

But I’m cool with the idea of a free-of-charge tier for hobbyists if it is at all possible to make the distinction.

I suspect, though, that this will turn out like spamming, which is highly distributable, in low volumes per IP address and/or domain.

Crypto Monad

The problem is laziness.

"git pull" is almost free, bandwidth-wise; to update a local copy of a repository, it only fetches the differences from your local copy.

The problem is these people are building CI/CD pipelines which start from fresh state and do a "git clone" from scratch, every time. Not only are they fetching the latest version of everything, if they omit to do a "shallow" clone then they're also fetching the entire version history.

The solution is simple:

1. Keep your own git copy of the code you use, and refresh it via "git pull" periodically.

2. Point your CI/CD at your local git copy. Clone it as many times as you like, nobody is affected.

IMO there's no need for a pricing model. As the article says, the offenders are the big hyperscalers; they easily have the resources to do (1) and (2). In principle then, the solution is simply to block out the big consumers who keep cloning over and over again.

However, this still requires users to register, and there's a risk of some people using throw-away registrations as a way to work around the blocks.
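The two-step workflow in the comment above (keep one local copy refreshed with a pull, point CI at that copy), written out as an added example that is not the commenter's code. It stands up a throwaway repository in a temporary directory to stand in for the public upstream, so it runs offline; the paths, commit contents and the name `mirror.git` are constructed for the demo. It shells out to `git`, which must be on the PATH.

```python
"""Mirror once, refresh incrementally, let CI clone from the mirror (example code)."""
import subprocess
import tempfile
from pathlib import Path


def git(*args: str, cwd=None) -> str:
    """Run one git command and return its stdout. Identity is passed inline so the
    demo does not depend on, or touch, any global git config."""
    cmd = ["git", "-c", "user.name=demo", "-c", "user.email=demo@example.invalid", *args]
    return subprocess.run(cmd, cwd=cwd, check=True, capture_output=True, text=True).stdout.strip()


def commit_file(repo: Path, text: str) -> None:
    """Constructed upstream activity: change one file and commit it."""
    (repo / "README").write_text(text + "\n")
    git("add", "README", cwd=repo)
    git("commit", "-q", "-m", text, cwd=repo)


def commit_count(repo: Path) -> int:
    return int(git("rev-list", "--count", "HEAD", cwd=repo))


def make_mirror(upstream: Path, mirror: Path) -> None:
    """Step 1, done once: a full bare copy of upstream (all refs, all history)."""
    git("clone", "-q", "--mirror", f"file://{upstream}", str(mirror))


def refresh_mirror(mirror: Path) -> None:
    """Step 1, repeated on a schedule: only the delta since last time crosses the wire."""
    git("remote", "update", "--prune", cwd=mirror)


def ci_checkout(mirror: Path, workdir: Path) -> None:
    """Step 2: every CI job clones shallowly from the local mirror. Upstream sees
    nothing, and the job does not drag the full history around either."""
    git("clone", "-q", "--depth", "1", f"file://{mirror}", str(workdir))


def demo() -> dict[str, int]:
    """Run the whole workflow in a temp dir and report commit counts at each stage."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        upstream, mirror, work = root / "upstream", root / "mirror.git", root / "work"
        git("init", "-q", str(upstream))
        commit_file(upstream, "revision 0")
        make_mirror(upstream, mirror)
        commit_file(upstream, "revision 1")   # upstream moves on after we mirrored
        refresh_mirror(mirror)                # one incremental fetch catches up
        ci_checkout(mirror, work)             # CI clones from the mirror, not upstream
        return {
            "upstream": commit_count(upstream),
            "mirror": commit_count(mirror),
            "ci_clone": commit_count(work),   # shallow: only the tip commit
        }


if __name__ == "__main__":
    print(demo())
```

The mirror is what the registry operator never has to see again; the shallow clone is what keeps each CI job cheap on the CI side. The same split applies to artifact repositories, where the "mirror" is a caching proxy such as the Nexus instance mentioned in the article.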

Steve K

IMO there's no need for a pricing model

That doesn't solve the infrastructure cost problem though

Tragedy of the commons

Anonymous Coward

Reminder that the "tragedy of the commons" was a fallacious argument thought up by a capitalist to justify the enclosure (privatisation) of common land.

In reality, commons were administered by consensus, with people who abused their access to the commons being shunned and made social pariahs; their access to the commons, and the community in general, revoked by common consent. This proved to be an effective land management strategy for hundreds of years.

"But I'm cool with the idea of a free-of-charge tier for hobbyists…"

Bebu sa Ware

"But I'm cool with the idea of a free-of-charge tier for hobbyists if it is at all possible to make the distinction."

I don't imagine these abusive corporate CI/CD pipelines would last long if they were persistently stalled by random delays.

Sites like Anna's Archive have a paid tier that doesn't have a delay which the free mirrors have (up to 5 minutes) before commencing a download.

I imagine something like grey listing with a paid whitelist could do the job.

Presumably the problem is going to explode with the blight of AI driving an increasing proportion of so-called software development.
