Open Source Is Not Just About Software
Written by Nikos Vaggalis   
Tuesday, 23 September 2025

It's about infrastructure as well, something that although not attracting the limelight, is as important as the open source software it hosts. Today the stewards of the largest open source registries in the world have issued an open letter demanding urgent reform in how open source infrastructure is funded, maintained, and operated. 


The drill is well known, and here at I Programmer we have covered it many times before. Companies, organizations, institutions, heck, society itself stand on the shoulders of giants, that is, open source software. Nowadays every company is a software house, be it Adidas, Tesco or Oracle, and its stack is certain to involve open source libraries to a smaller or larger degree. Even the White House acknowledged this, leading to the SBOM directive.

That's fine, but the issue is that this kind of software is maintained by volunteers doing their best, without the time or resources to meet the scale of responsibility.

A side issue that goes largely unnoticed is that for that OSS to be useful, to be consumed, it has to be hosted somewhere, and the hosting space that we take for granted is also offered for free, running on scarce resources.

And it's not just hosting. The way software is built today requires the infrastructure to also cater for:

  • Dependency resolution and distribution, which must be fast, reliable, and global.
  • Publishing, which must be verifiable, signed, and immutable.
  • Continuous integration (CI) pipelines, which expect deterministic builds with zero downtime.
  • Security tooling, which expects an immediate response from public registries.
  • Governments and enterprises, which demand continuous monitoring, traceability, and auditability of systems.
  • Other types of attacks, such as spam and the growing number of supply chain attacks involving malicious components that need to be removed, to which the infrastructure must respond.

On top of that, new regulatory requirements such as the EU Cyber Resilience Act (CRA) are further increasing compliance obligations and documentation demands, adding overhead to already resource-constrained ecosystems.

These are the pain points of the industry that no one is talking about, or, better said, that everyone chooses to ignore, since most organizations that benefit from these services do not contribute financially, leaving a small group of stewards to carry the burden.

That group of stewards is sometimes supported by commercial vendors, such as Sonatype (Maven Central), GitHub (npm) or Microsoft (NuGet), but at other times it is supported only by nonprofit foundations that rely on grants, donations, and sponsorships to cover maintenance, operation, and staffing. On that already thin ice, add the accelerated demand for open source brought on by the AI boom. Everybody is hungry for open source AI.

This can't be perpetuated. The time has come for the stewards of the largest open source registries in the world to speak out, and today they have done so with an open letter demanding urgent reform in how open source infrastructure is funded, maintained, and operated. They plead for change, calling for practical and sustainable approaches that better align usage with costs.

What do they suggest? They list several steps that should be taken:

  1. Commercial and institutional partnerships that help fund infrastructure in proportion to usage or in exchange for strategic benefits.
  2. Tiered access models that maintain openness for general and individual use while providing scaled performance or reliability options for high-volume consumers.
  3. Value-added capabilities that commercial entities might find valuable, such as usage statistics.

While the general consensus is that we haven't reached boiling point yet, we currently stand at a critical inflection point. Action should be taken now before it's too late, and you can help. How? By reading the Open Letter from the Stewards of Public Open Source Infrastructure and finding out how to become part of the action.


More Information

Open Letter from the Stewards of Public Open Source Infrastructure

Related Articles

Surveying Software Supply Chain Security 

The State Of Secure Software Development - Three OpenSSF Courses

OpenSSF's Siren To Warn About OSS Vulnerabilities


Last Updated ( Tuesday, 23 September 2025 )