
Open-Source Model Near Breaking Point Despite Trillions in Value


The financial and operational model of open source is under strain, even as influential research estimates organizations would face $8.8 trillion in added costs if open-source software were eliminated.

Software industry experts within major open-source foundations say the current system is unsustainable. A few organizations bear the majority of costs, while many major commercial users contribute little or nothing.

A joint statement published on Sept. 23 by the Stewards of Public Open Source Infrastructure — including the OpenSSF, Python Software Foundation, Rust Foundation, Sonatype, and others — highlights the urgent need to restructure how open source is operated and maintained.

The way developers have long accessed open-source code is, the stewards cautioned, unfair and unsustainable. Without a shift in how the cost of supporting it is shared, strain on the software supply chain will intensify.

They emphasized that open-source infrastructure still relies heavily on goodwill, rather than on mechanisms that align responsibility with usage.

"Fragility is the biggest short-term risk to the software supply chain if these sustainability issues are not addressed urgently," Brian Fox, co-founder and CTO of software supply chain security company Sonatype, told LinuxInsider.

Funding Imbalance Strains Open Source

According to the stewards' open letter, open source has revolutionized the development of both proprietary and free software. Every modern application, whether written in Java, JavaScript, Python, Rust, PHP, or another language, depends on public package registries such as Maven Central, PyPI, crates.io, Packagist, and Open VSX to retrieve, share, and validate dependencies.

"These registries have become foundational digital infrastructure — not just for open source, but for the global software supply chain," the organizations wrote. "Yet for all their importance, most of these systems operate under a dangerously fragile premise."

The stewards stressed that maintaining openness is crucial so that individuals and smaller organizations can continue to access essential infrastructure freely.

"Maintaining openness is critical. Smaller users can contribute by adopting efficient build practices, spreading awareness of sustainability challenges, and engaging with their ecosystems’ stewards. Financial models must be structured so that access remains free and inclusive for individuals and small organizations," offered Fox, whose company is among the OSS stewards of infrastructure.

He explained that slower builds, downtime, or bottlenecks in package registries ripple across the global software supply chain. With modern development practices, even short interruptions can cascade into widespread disruption.

Enterprise Usage Overwhelms OSS Systems

The stewards' letter notes that commercial-scale consumption drives billions of downloads or more each month, yet a small group of benefactors funds most of the services behind them.

Sometimes they are supported by commercial vendors, such as Sonatype (Maven Central), GitHub (npm), or Microsoft (NuGet). At other times, they are supported by nonprofit foundations that rely on grants, donations, and sponsorships to cover their maintenance, operation, and staffing.


This imbalance increases strain on infrastructure and exposes ecosystems to abuse such as spam and malicious components, the stewards noted. These security concerns, among other factors, prompted leading stewards, including Sonatype (Maven Central), the OpenJS Foundation, the Python Software Foundation, and the Rust Foundation, to issue the open letter calling for urgent reform.

Fox offered one scenario: a surge in automated usage, such as dependency scanners, continuous integration pipelines, or AI-driven agents, running at scale without caching.

"If left unchecked, these redundant requests could overwhelm the registry infrastructure, leading to outages," he noted.
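The "efficient build practices" Fox recommends for smaller users and the uncached automated traffic he warns about above come down to the same mechanism: a local cache that answers repeat requests for pinned dependencies so the registry sees each artifact once, while every artifact, cached or fresh, is still checked against the digest recorded in the lock file. The following is an added example, not code from the stewards' letter or from Sonatype; the registry is a constructed in-memory stand-in (package names, versions, and artifact bytes are sample data) so the script runs offline.

```python
"""Added example: a hash-pinned local cache in front of a package registry.

The registry below is a constructed in-memory stand-in, not a real client for
PyPI or Maven Central. It counts downloads so the effect of caching is visible,
and the client refuses any artifact whose SHA-256 does not match the pin.
"""
import hashlib
from dataclasses import dataclass, field


class HashMismatch(Exception):
    """Raised when an artifact (fresh or cached) does not match its pinned digest."""


@dataclass
class FakeRegistry:
    """Constructed stand-in for a public registry; counts the downloads it serves."""
    artifacts: dict                 # (name, version) -> bytes
    requests: int = 0

    def download(self, name, version):
        self.requests += 1
        return self.artifacts[(name, version)]


@dataclass
class CachingClient:
    """Build client that checks a local cache before asking the registry.

    Every artifact, whether cached or freshly downloaded, is verified against
    the SHA-256 pinned in the lock file before it is returned or stored.
    """
    registry: FakeRegistry
    cache: dict = field(default_factory=dict)   # (name, version) -> bytes
    hits: int = 0
    misses: int = 0

    def fetch(self, name, version, expected_sha256):
        key = (name, version)
        data = self.cache.get(key)
        if data is None:
            self.misses += 1
            data = self.registry.download(name, version)
        else:
            self.hits += 1
        digest = hashlib.sha256(data).hexdigest()
        if digest != expected_sha256:
            self.cache.pop(key, None)           # never keep an unverified artifact
            raise HashMismatch(f"{name}=={version}: got {digest[:12]}, want {expected_sha256[:12]}")
        self.cache[key] = data
        return data


def make_lockfile(artifacts):
    """Pin every (name, version) to the SHA-256 of its known-good bytes."""
    return [(n, v, hashlib.sha256(b).hexdigest()) for (n, v), b in artifacts.items()]


def simulate_ci_runs(artifacts, runs, shared_cache):
    """Resolve the same lock file `runs` times; return the registry's request count.

    shared_cache=False models CI jobs that each start cold (the uncached pattern
    Fox describes); shared_cache=True models one persistent cache, such as a CI
    dependency cache or a local caching proxy, in front of the registry.
    """
    registry = FakeRegistry(dict(artifacts))
    lockfile = make_lockfile(artifacts)
    client = CachingClient(registry)
    for _ in range(runs):
        if not shared_cache:
            client = CachingClient(registry)     # fresh, empty cache every build
        for name, version, sha in lockfile:
            client.fetch(name, version, sha)
    return registry.requests


# Constructed sample data: three pinned dependencies with made-up artifact bytes
SAMPLE_ARTIFACTS = {
    ("requests", "2.32.3"): b"constructed wheel bytes for requests 2.32.3",
    ("urllib3", "2.2.2"): b"constructed wheel bytes for urllib3 2.2.2",
    ("certifi", "2024.7.4"): b"constructed wheel bytes for certifi 2024.7.4",
}


def tampered_artifact_is_rejected():
    """Serve bytes that differ from the pin; return True if the client refuses them."""
    registry = FakeRegistry(dict(SAMPLE_ARTIFACTS))
    name, version, sha = make_lockfile(SAMPLE_ARTIFACTS)[0]
    registry.artifacts[(name, version)] = b"swapped contents"   # simulated malicious replacement
    client = CachingClient(registry)
    try:
        client.fetch(name, version, sha)
    except HashMismatch:
        return (name, version) not in client.cache
    return False


if __name__ == "__main__":
    cold = simulate_ci_runs(SAMPLE_ARTIFACTS, runs=50, shared_cache=False)
    warm = simulate_ci_runs(SAMPLE_ARTIFACTS, runs=50, shared_cache=True)
    print(f"50 uncached builds -> {cold} registry requests")
    print(f"50 cached builds   -> {warm} registry requests")
    print("tampered artifact rejected:", tampered_artifact_is_rejected())
```

Fifty cold builds of three pinned packages cost the registry 150 downloads; the same fifty builds behind one persistent cache cost three. The hash check is what makes the cache safe to trust: a cache entry or a fresh download that does not match the pin is discarded rather than handed to the build, so reducing registry load does not mean accepting whatever happens to be on disk.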

Another risk he mentioned is financial. "If stewards are forced to divert scarce funds just to maintain uptime, there will be little capacity to invest in the security and resilience needed to meet modern expectations."

Why Change Is the Only Solution

The letter is emphatic. Regardless of the operating model, the pattern remains the same.

"A small number of organizations absorb the majority of infrastructure costs, while the overwhelming majority of large-scale users, including commercial entities that generate demand and extract economic value, consume these services without contributing to their sustainability."

The stewards also noted that public registries are increasingly used to distribute not only open-source libraries but also proprietary software, often as binary packages or software development kits (SDKs) packaged as dependencies.

These packages may carry an open-source license, but they are typically functional only within paid products or platforms. For publishers, the model is highly efficient: it leverages the reliability, performance, and global reach of public infrastructure without the cost of building or maintaining it.

The letter stressed this practice is not inherently wrong — it reflects the power and trust in open-source distribution — but it was not the original intention of these systems. If registries now serve as free global CDNs for commercial vendors at scale, the stewards argued, expectations and incentives must be realigned.

Aligning Usage With Responsibility

Fox agrees with the open letter's call to close the gap between usage and responsibility. Today, the two are often decoupled.

The letter emphasizes that open-source infrastructure, whether backed by companies or community-led foundations, faces growing demand fueled by enterprise-scale consumption, without reliable mechanisms to scale funding to match. It documents how this imbalance drives up ecosystem costs and describes the real-world consequences of the illusion that all usage is free and unlimited.

Fox said that Sonatype, as a commercial entity, plans to strike a balance between the push for new funding models and the open and free nature of open-source software. The goal is not to restrict access, but to keep it open sustainably.

"Any funding models we explore must preserve openness for individuals and small projects while ensuring that enterprise-scale consumers contribute proportionally. It’s about aligning responsibility with usage, not closing doors," he clarified.

According to Fox, industry realignment will help address the "real costs" associated with modern infrastructure expectations, such as speed, security, and traceability. These include:

  • Bandwidth and CDN distribution to ensure global performance
  • Compute and storage to handle billions of downloads and continuous monitoring
  • Developer and operational time to respond to outages, remove malicious components, and meet rising security and compliance requirements, such as the EU Cyber Resilience Act

Initiative Options To Explore

One approach to correcting the industry-wide imbalance in who supports open source is to introduce "commercial partnerships" and "tiered access." Fox suggested what these models might look like in practice, specifically for high-volume users.

Commercial partnerships could take the form of direct support agreements. Large-scale consumers could help fund infrastructure in proportion to their usage or in exchange for strategic benefits such as better reliability or early access to new features.

Tiered access models would keep the same free, open access for individuals and small teams, while offering scaled performance, reliability, or analytics packages to enterprise-scale publishers whose usage places the heaviest demand on the infrastructure.

Jack M. Germain

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics.
