Open Infrastructure is Not Free: A Joint Statement on Sustainable Stewardship

Date:
Tue, 23 Sep 2025 15:25:09 +0000

Description:
The Open Source Security Foundation (OpenSSF) has put together a joint statement from many of the public
package repositories for various languages about the need for assistance in maintaining these commons. Services such as PyPI for Python, crates.io for Rust, and many others are
working together to try to find ways to sustain these services in the face
of challenges from " automated CI systems, large-scale dependency
scanners, and ephemeral container builds " all downloading enormous
amounts of package data, coupled with the rise of generative and agentic AI
" driving a further explosion of machine-driven, often wasteful automated usage, compounding the existing challenges ". It is not a crisis, yet,
they say, but it is headed in that direction. Despite serving billions (perhaps even trillions) of downloads each month (largely driven by commercial-scale consumption), many of these services are funded by a small group of benefactors. Sometimes they are supported by commercial vendors,
such as Sonatype (Maven Central), GitHub (npm) or Microsoft (NuGet). At other times, they are supported by nonprofit foundations that rely on grants, donations, and sponsorships to cover their maintenance, operation, and staffing. Regardless of the operating model, the pattern remains the same: a small number of organizations absorb the majority of infrastructure costs, while the overwhelming majority of large-scale users, including commercial entities that generate demand and extract economic value, consume these services without contributing to their sustainability .

======================================================================
Link to news story:
https://lwn.net/Articles/1039127/


--- Mystic BBS v1.12 A49 (Linux/64)
* Origin: tqwNet UK HUB @ hub.uk.erb.pw (1337:1/100)