
Open Source Infrastructure is Breaking Down Due to Corporate Freeloading

An unprecedented threat looms over open source.

Open source software powers everything. Android smartphones run on the Linux kernel. Your favorite websites depend on JavaScript frameworks. Your company's servers rely on countless libraries pulled from places like Maven Central, PyPI, npm, and other package registries. Heck, even the infrastructure running those registries depends on open source.

For decades, this ecosystem has thrived on a simple premise: developers create, share, and improve software together. But somewhere along the way, the balance broke. What started as community-driven collaboration has become a feeding frenzy where massive corporations consume without giving back adequately.

Now the people who actually run this infrastructure have had enough. They've come together in an open letter that says, in effect, enough is enough.

Open Infrastructure is Not Free: A Joint Statement on Sustainable Stewardship – Open Source Security Foundation

Overconsumption is Killing Open Source

This isn't some random complaint from a few disgruntled maintainers. We're talking about an unprecedented joint statement from the stewards of virtually every major package repository: Maven Central, PyPI, npm, RubyGems, the Rust Foundation, the Eclipse Foundation, and others.

These are the people who serve billions of downloads monthly, and they're telling the world that the foundation of modern software development is cracking.

The scale is staggering. These registries serve billions, perhaps even trillions, of downloads each month. On top of ordinary developer traffic, AI companies are scraping entire registries, and enterprise CI/CD systems hammer servers with wasteful, uncached requests: the same pinned artifacts fetched again and again from the public registry on every job instead of from a local cache.

Commercial vendors use public registries as free global CDNs for their proprietary products. Meanwhile, volunteer maintainers and donation-funded foundations foot the bill.

The coalition's message is crystal clear in their joint statement:

Open source packaging ecosystems were created to support the distribution of open, community-driven software, not as a general-purpose backend for proprietary product delivery.

If these registries are now serving both roles, and doing so at a massive scale, that’s fine. But it also means it’s time to bring expectations and incentives into alignment.

Commercial-scale use without commercial-scale support is unsustainable.
Translation: Pay your fair share or stop pretending this is sustainable.

The Solution

The coalition's proposed solutions are reasonable but firm. High-volume commercial users should contribute financially through partnerships or tiered access models. Companies also need to cache dependencies properly and cut the wasteful traffic they send to public registries.
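The "better caching" the coalition asks for means, concretely, not letting every CI job re-fetch the same pinned artifacts from the public registry. The script below is an added illustration, not code from the joint statement, from any signatory registry, or from this article's author: an in-memory, content-addressed cache keyed by the digest a lockfile pins, with a constructed stand-in for the upstream registry so it runs offline. It counts what the registry would see from 50 CI jobs with and without a shared cache, and it refuses any artifact whose bytes do not match the pinned digest, the check a practitioner would insist on before serving anything from a cache. All package names, versions and artifact bytes are constructed.

```python
"""Illustrative content-addressed dependency cache with digest pinning.

Added example (not code from the joint statement or any registry). Models
what a CI fleet should do instead of re-downloading the same artifacts from
a public registry on every job. The "upstream" is a constructed in-memory
stand-in so the script runs offline.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

PkgKey = Tuple[str, str]  # (name, version)

# Constructed stand-in for a registry. Names and versions are only for
# realism; the bytes are not real wheels.
FAKE_UPSTREAM: Dict[PkgKey, bytes] = {
    ("requests", "2.32.3"): b"constructed artifact bytes: requests 2.32.3",
    ("urllib3", "2.2.2"): b"constructed artifact bytes: urllib3 2.2.2",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Pinned digests as a lockfile would record them, derived from the constructed
# artifacts above so the example is self-consistent.
LOCKFILE: Dict[PkgKey, str] = {k: sha256_hex(v) for k, v in FAKE_UPSTREAM.items()}


def fetch_from_fake_upstream(name: str, version: str) -> bytes:
    """Stand-in for an HTTP GET against the public registry."""
    return FAKE_UPSTREAM[(name, version)]


class IntegrityError(Exception):
    """Artifact bytes do not match the digest pinned in the lockfile."""


@dataclass
class PackageCache:
    fetch: Callable[[str, str], bytes]        # how to reach upstream
    lockfile: Dict[PkgKey, str]               # (name, version) -> sha256 hex
    enabled: bool = True                      # False models an uncached CI runner
    store: Dict[str, bytes] = field(default_factory=dict)  # digest -> bytes
    upstream_requests: int = 0                # what the registry actually sees

    def get(self, name: str, version: str) -> bytes:
        key = (name, version)
        if key not in self.lockfile:
            # Refuse anything not pinned: without a digest there is nothing to verify.
            raise KeyError(f"{name}=={version} is not pinned in the lockfile")
        expected = self.lockfile[key]
        if self.enabled and expected in self.store:
            return self.store[expected]       # served locally, registry untouched
        self.upstream_requests += 1
        blob = self.fetch(name, version)
        actual = sha256_hex(blob)
        if actual != expected:
            # Never cache or hand out bytes that fail verification.
            raise IntegrityError(f"{name}=={version}: expected {expected}, got {actual}")
        if self.enabled:
            self.store[expected] = blob
        return blob


def run_ci_jobs(cache: PackageCache, jobs: int) -> int:
    """Every job installs the full pinned set; returns upstream requests made."""
    for _ in range(jobs):
        for name, version in cache.lockfile:
            cache.get(name, version)
    return cache.upstream_requests


def compare(jobs: int = 50) -> Tuple[int, int]:
    """Upstream requests for `jobs` CI runs without and with a shared cache."""
    uncached = PackageCache(fetch_from_fake_upstream, LOCKFILE, enabled=False)
    cached = PackageCache(fetch_from_fake_upstream, LOCKFILE, enabled=True)
    return run_ci_jobs(uncached, jobs), run_ci_jobs(cached, jobs)


if __name__ == "__main__":
    without, with_cache = compare()
    print(f"50 jobs x {len(LOCKFILE)} deps: {without} registry requests uncached, "
          f"{with_cache} with a shared cache")
```

Real deployments get the same effect from a pull-through proxy (a private mirror in front of the public registry) or from the package manager's own cache directory persisted across CI runs; the point is the request count, which drops from one per job per dependency to one per dependency in total, and the digest check, which is what makes serving from a cache safe.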

Individual developers and small projects are unaffected; this isn't about ending open access.

Keep in mind, too, that the registries aren't threatening to shut down or go proprietary. They're demanding that the organizations extracting the most value from open source infrastructure actually contribute to its sustainability.

And, to be frank, I fully support this approach. Overconsumption without responsibility leads to exhaustion, and exhaustion leads to chaos. We've already seen what happens when critical infrastructure fails or burned-out maintainers abandon essential projects.

About the author
Sourav Rudra

More of my work here: https://news.itsfoss.com/author/sourav/