Open Infrastructure is Not Free: A Joint Statement on Sustainable Stewardship

The Open Source Security Foundation(OpenSSF) has put together a joint statement from many of the publicpackage repositories for various languages about the need for assistance inmaintaining these commons. Services such as PyPI for Python, crates.io for Rust, and many others areworking together to try to find ways to sustain these services in the faceof challenges from "automated CI systems, large-scale dependencyscanners, and ephemeral container builds" all downloading enormousamounts of package data, coupled with the rise of generative and agentic AI"driving a further explosion of machine-driven, often wasteful automatedusage, compounding the existing challenges". It is not a crisis, yet,they say, but it is headed in that direction.

Despite serving billions (perhaps even trillions) of downloads each month (largely driven by commercial-scale consumption), many of these services are funded by a small group of benefactors. Sometimes they are supported by commercial vendors, such as Sonatype (Maven Central), GitHub (npm) or Microsoft (NuGet). At other times, they are supported by nonprofit foundations that rely on grants, donations, and sponsorships to cover their maintenance, operation, and staffing.

Regardless of the operating model, the pattern remains the same: a small number of organizations absorb the majority of infrastructure costs, while the overwhelming majority of large-scale users, including commercial entities that generate demand and extract economic value, consume these services without contributing to their sustainability.