Open source infra isn’t free • The Register

The Open Source Security Foundation (OpenSSF) has had enough of being the unpaid janitor of the world’s software supply chain.

A coalition of heavyweight open source foundations issued a joint statement via the foundation on Tuesday, declaring that “open infrastructure is not free” and warning that the critical machinery behind modern software development is being stretched to breaking point.

Package registries like Maven Central, PyPI, crates.io, npm, and Packagist handle billions of downloads every month, yet the organizations running them are often scraping by on donations, grants, and the goodwill of a few sponsors.

The missive lays it out bluntly: the ecosystem has been lulled into believing it can rely on “free and infinite” infrastructure, when in reality the costs of bandwidth, storage, staffing, and compliance are accelerating.

“Commercial-scale use without commercial-scale support is unsustainable,” the group writes, pointing to demands for fast dependency resolution, signed packages, zero downtime, and rapid response to supply chain attacks – not to mention looming regulatory requirements such as the EU’s Cyber Resilience Act.

The open letter is signed by eight organizations including the Eclipse Foundation, Rust Foundation, Sonatype, and the Python Software Foundation.

The statement goes on to directly call out bad behaviour. Continuous integration systems and large-scale scanners bombard registries with automated requests, while container builds place enormous strain on infrastructure. Furthermore, AI agents are exacerbating the problem by scraping dependencies en masse. All of this, the group warns, creates “wasteful usage” that someone else ends up paying for.

The stewards argue the current model is unsustainable. A handful of nonprofits and a few corporate benefactors foot the bill for infrastructure used by the entire global software industry. To address this, the group proposes several remedies, including formal partnerships with commercial users, tiered access models that reserve premium performance for high-volume consumers, value-added services, and increased transparency about usage and costs.

This is not the first flare fired into the sky. In July, Microsoft-owned GitHub said, without a shred of irony, that governments should treat open source as “digital public infrastructure” and bankroll it accordingly, even proposing a €350 million “Sovereign Tech Fund” in the EU’s next budget. That came amid growing concern over the fragility of the ecosystem, from volunteer burnout to increasingly sophisticated supply chain attacks.

Other recent flashpoints highlight the strain. Earlier this year, Hector Martin, the lead of the Asahi Linux project, quit in frustration, accusing Linus Torvalds’ team of allowing politics and burnout to drive talent away. In San Francisco, billboards blasted tech giants for profiting from open source without paying their dues. And free software veteran Bruce Perens floated a “Post-Open Zero Cost License” designed to compel companies to contribute financially if they profit from open source code.

The OpenSSF statement is the clearest attempt yet to tell freeloaders the party’s over. It doesn’t advocate slamming the door shut, but it makes the case that those who rely on this infrastructure must start paying proportionately to keep it standing.

The risk is that these warnings will follow the path of many before them: plenty of sympathy, but little structural change. Asking enterprises to voluntarily contribute to the plumbing they depend on is a tough sell when shareholders see free as a feature, not a flaw. But the stewards behind today’s statement make it plain: someone has to pick up the tab, and soon.

Because while “open” might still be free to use, running the infrastructure behind it is very much not, OpenSSF warns. And unless the world’s biggest consumers start coughing up, the software economy could soon learn what downtime really costs. ®