Eight major open source foundations warn that their donation-based funding model is collapsing, as AI-driven demand and commercial overuse push critical software registries toward paid and tiered models.
Eight of the world’s largest open source foundations have issued a coordinated warning that their current funding model is “dangerously fragile,” signalling a possible shift from free access to paid and tiered models. The joint statement, published on the Open Source Security Foundation (OpenSSF) website, came from leaders of the Python Software Foundation, Rust Foundation, Eclipse Foundation, OpenJS Foundation, and four other stewards of global software infrastructure.
The registries they oversee — including PyPI for Python, Maven Central for Java, crates.io for Rust, and npm for JavaScript — underpin virtually all modern software development, serving trillions of downloads each year. Enterprises rely on them for CI/CD pipelines, dependency scans, and automated builds, often at massive scale and without direct funding support.
“Commercial-scale use without commercial-scale support is unsustainable,” the statement warned, calling this moment a “critical inflection point” for the open source ecosystem.
The pressure is intensifying as AI adoption drives a surge in automated, often inefficient requests. “The rise of Generative and Agentic AI is driving a further explosion of machine-driven, often wasteful automated usage,” the foundations noted. At the same time, regulatory requirements such as the EU’s Cyber Resilience Act are adding compliance costs.
Despite an estimated $7.7 billion spent annually on open source by organisations, a Harvard–GitHub study found that core infrastructure — valued at $4.15 billion to rebuild — remains chronically underfunded.
The foundations stressed that public registries were never designed to serve as “free global CDNs for commercial vendors” and warned that enterprises should prepare for funding-linked partnerships, tiered access, and performance-based models.
“These are not radical ideas,” they wrote. “They are practical, commonsense measures already used in other shared systems, such as Internet bandwidth and cloud computing.”
Their unified message: the free ride is over.