
A coalition of heavyweight open source foundations issued a joint statement via the foundation on Tuesday, declaring that "open infrastructure is not free" and warning that the critical machinery behind modern software development is being stretched to breaking point. Package registries like Maven Central, PyPI, crates.io, npm, and Packagist handle billions of downloads every month, yet the organizations running them are often scraping by on donations, grants, and the goodwill of a few sponsors.

The statement goes on to directly call out bad behaviour. Continuous integration systems and large-scale scanners bombard registries with automated requests, while container builds place enormous strain on infrastructure. Furthermore, AI agents are exacerbating the problem by scraping dependencies en masse. All of this, the group warns, creates "wasteful usage" that someone else ends up paying for.
OpenSSF and a coalition of major open-source foundations warn that core open infrastructure faces unsustainable costs and operational strain. Popular package registries handle billions of downloads monthly while relying on donations, grants, and limited sponsorship. Rising demands for fast dependency resolution, signed packages, zero downtime, and rapid responses to supply-chain attacks increase resource needs. Automated CI, large-scale scanners, container builds, and AI agents cause wasteful usage that amplifies costs. A small number of nonprofits and corporate benefactors currently bear the global infrastructure burden, prompting proposals for funding, operational support, and policy-aligned remedies.
Read at The Register