
"Eight organizations that operate the world's largest software package registries issued a coordinated warning that their current funding model was 'dangerously fragile,' signaling potential changes to how enterprises access the infrastructure powering billions of software downloads monthly. The joint statement, published as an open letter on the Open Source Security Foundation (OpenSSF) website, came from leaders of the Python Software Foundation, Rust Foundation, Eclipse Foundation, OpenJS Foundation, and four other major open-source stewards."
"'Commercial-scale use without commercial-scale support is unsustainable,' OpenSSF wrote in the blog post titled 'Open Infrastructure is Not Free.' The statement warned of a 'critical inflection point' that could force changes to access models, pricing structures, or service levels for high-volume users. The registries in question - including PyPI for Python packages, Maven Central for Java, crates.io for Rust, and npm for JavaScript - serve as critical infrastructure for virtually all modern software development."
Eight major open-source foundations that operate the largest software package registries warned that donation-based funding for these registries is dangerously fragile and unsustainable. Those registries handle trillions of downloads annually and enable billions of software downloads monthly across enterprises. Automated CI/CD pipelines, large-scale dependency scanners, and ephemeral container builds impose enormous strain by making thousands of uncached, unthrottled requests daily. The foundations stated that commercial-scale use without commercial-scale support is unsustainable and that a critical inflection point could force changes to access models, pricing structures, or service levels for high-volume users.
Read at InfoWorld