Open source registries signal shift toward paid models as AI strains infrastructure

Wednesday, 24 September 2025, 12:52, by InfoWorld
Eight organizations that operate the world’s largest software package registries issued a coordinated warning that their current funding model was “dangerously fragile,” signaling potential changes to how enterprises access the infrastructure powering billions of software downloads monthly.

The joint statement, published as an open letter on the Open Source Security Foundation (OpenSSF) website, came from leaders of the Python Software Foundation, Rust Foundation, Eclipse Foundation, OpenJS Foundation, and four other major open-source stewards. It represented the first unified call for sustainable funding from organizations whose registries handle what they described as “trillions” of downloads annually, largely driven by commercial software development.

“Commercial-scale use without commercial-scale support is unsustainable,” OpenSSF wrote in the blog post titled “Open Infrastructure is Not Free.” The statement warned of a “critical inflection point” that could force changes to access models, pricing structures, or service levels for high-volume users.

The registries in question — including PyPI for Python packages, Maven Central for Java, crates.io for Rust, and npm for JavaScript — serve as critical infrastructure for virtually all modern software development. Every enterprise CI/CD pipeline, dependency scanner, and automated build system relies on these services, often making thousands of requests daily without cost, the post added.

Growing demand outpaces sustainable funding

The foundations said in their blog post that automated CI systems, large-scale dependency scanners, and ephemeral container builds operated by companies place “enormous strain on infrastructure” while often running without caching, throttling, or awareness of their impact on public systems.

The organizations noted that the rise of AI has made things worse.

“The rise of Generative and Agentic AI is driving a further explosion of machine-driven, often wasteful automated usage,” they noted, describing systems that hammer registries with requests without implementing basic efficiency measures like caching.

This surge in automated consumption occurred alongside new regulatory requirements, such as the European Union’s Cyber Resilience Act, which they said added compliance overhead to already resource-constrained ecosystems.

Despite serving what the foundations estimate to be billions or potentially trillions of downloads monthly, many of these services rely on funding from a small group of benefactors while the overwhelming majority of large-scale commercial users consume services without contributing to their sustainability, according to the blog post.

“Many of these repositories are experiencing exponential growth in demand, while the growth in sponsor support is at best linear,” the blog post said.

When the critical infrastructure nearly failed

The warning didn’t emerge in a vacuum. The December 2021 Log4Shell vulnerability exposed how some of the internet’s most critical infrastructure depends on unpaid volunteers. Log4j, the logging library that nearly brought the internet to its knees, had been maintained by just a handful of unpaid developers despite supporting billions of dollars in commercial software.

Now the foundations are drawing a line in the sand. “This is not (yet) a crisis,” the blog post said. “But it is a critical inflection point.”

The scale of the dependency is staggering: a Harvard-GitHub study estimated that redeveloping core open source infrastructure from scratch would cost $4.15 billion. Yet while organizations contribute $7.7 billion annually to open source development, the vast majority goes toward paying their own employees to work on internal projects or contribute code, not toward funding the critical public registries that distribute all that software.

This creates a massive imbalance that the foundations said can no longer be ignored.

The commercial distribution problem

The foundations also called out something that might surprise enterprise users: their registries have increasingly become distribution platforms for proprietary software.

“Public registries have become free global CDNs for commercial vendors,” they wrote, noting that companies now routinely use open source infrastructure to distribute proprietary SDKs and tools.

While they don’t consider this “inherently wrong,” the foundations emphasized in the post that this wasn’t the original plan. These systems “were created to support the distribution of open, community-driven software, not as a general-purpose backend for proprietary product delivery.”

What’s coming next

The foundations made clear that changes are inevitable, not optional. They’re exploring several approaches that sound suspiciously like the kind of pricing models enterprises know well from other infrastructure services.

Options under consideration include “commercial and institutional partnerships that help fund infrastructure in proportion to usage” and “tiered access models that maintain openness for general and individual use while providing scaled performance or reliability options for high-volume consumers.”

“These are not radical ideas,” they added. “They are practical, commonsense measures already used in other shared systems, such as Internet bandwidth and cloud computing.”

The foundations urged companies to “review your practices” immediately, recommending that organizations implement caching, reduce redundant traffic, and engage with infrastructure stewards about “proportional contributions.” Their unified message: the free ride is over.
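As an added example of the "implement caching" advice above (this is not part of the InfoWorld article or the foundations' letter), the GitHub Actions workflow below places a job that re-downloads every dependency from PyPI and npm on each run beside one that restores the pip and npm caches between runs. The action names, versions, file names and workflow layout are assumptions about GitHub Actions and about the project being built, not content of the article.

```yaml
# Added example (not from the InfoWorld article or the foundations' letter):
# an uncached CI job, matching the "without caching" pattern the letter
# describes, beside a cached one. Action names, versions, lockfile names and
# the workflow structure are assumptions, not content of the article.
name: build

on: [push, pull_request]

jobs:
  # Uncached: every run fetches every wheel and tarball from the public
  # registries again, even when the lockfiles have not changed.
  build-uncached:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.12'
      - run: pip install -r requirements.txt
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - run: npm ci

  # Cached: setup-python and setup-node save and restore the pip and npm
  # download caches, keyed on the lockfile hashes, so most packages are served
  # from the restored cache instead of being fetched from the registries on
  # every run. --require-hashes makes pip reject any Python package whose
  # digest differs from the one recorded in requirements.txt, and `npm ci`
  # installs exactly what package-lock.json records, so the cached installs
  # stay reproducible and a tampered download is refused rather than used.
  build-cached:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: '3.12'
          cache: 'pip'
          cache-dependency-path: requirements.txt
      - run: pip install --require-hashes -r requirements.txt
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'
          cache-dependency-path: package-lock.json
      - run: npm ci
```

The per-workflow cache is the smallest step; an organization running many pipelines gets further by pointing all of them at one internal pull-through mirror, so that each package version is fetched from the public registry once for the whole company rather than once per build, which is the "reduce redundant traffic" half of the recommendation.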
https://www.infoworld.com/article/4062319/open-source-registries-signal-shift-toward-paid-models-as-...
