When you type pip install requests or npm install lodash, behind the scenes lies a massive, invisible system of software registries, dependency resolvers, content distribution, and infrastructure. Today, the keepers of those systems are sounding the alarm.
In a rare coordinated move, foundations and organizations behind PyPI, Maven Central, crates.io, Packagist, the OpenJS Foundation and others have published a joint declaration: “Open Infrastructure is Not Free.” They warn that in the age of AI, CI pipelines, and hyperscaling, the strain on these systems is reaching a breaking point — and it’s ordinary developers and maintainers who will feel the pain.
The hidden toll on people
For many open-source maintainers the new declaration is personal. Historically, projects were sustained by their unpaid weekends spent writing patches or responding to security flaws. Now that “invisible” labor is colliding with real-world burnout.
One developer on LWN commented on the statement:
“Add rate limits and see how fast each dev sets up a local cache mirror. Problem solved.”
That kind of behind-the-scenes pressure hides a deeper truth: a few maintainers or small teams are being asked to run global-scale infrastructure, often without predictable funding or staffing. Because the infrastructure is usually “free to use,” the burden falls disproportionately on those least equipped to absorb it.
On the business side, engineers at mid-sized companies report that CI builds sometimes grind to a halt because registry servers are overwhelmed — delays costing hours of productivity and dollars in developer time.
Why now—and what’s changed
In past decades, open source could get by with simple Git repos, manual packaging, and community effort. But software expectations have changed:
- Publishing must be signed, immutable, and verifiable.
- Dependency resolution must be fast and globally available.
- Automated systems like code scanners, container builds, and continuous integration generate massive volumes of requests.
- The rise of generative AI and “agentic” AI systems amplifies wasteful retrieval by bots.
- New regulations such as the EU’s Cyber Resilience Act impose compliance, traceability, and availability burdens on libraries and registries.
Meanwhile, funding has not kept pace. According to Infoworld, rebuilding “core open source infrastructure from scratch” would cost around USD 4.15 billion; yet although companies collectively contribute billions to open source, only a fraction of that goes toward funding public registries.
The stakes: collapse, consolidation, or pay-to-use
If things don’t change, the implications are grim.
In the short term, we might see slower package downloads, registry outages, or throttling of CI jobs for smaller users. In the long run, the ecosystem risks consolidation: only large vendors with budget can host infrastructure, turning once-open registries into pay-to-play services.
Some commercial entities already treat these public services as a free global CDN for their proprietary SDKs and toolchains — distributing binary dependencies without ever contributing back. The letter calls this out directly:
“Commercial-scale use without commercial-scale support is unsustainable.”
These dynamics create ethical tension. If the infrastructure fragments into premium services, smaller open-source projects or independent developers may get squeezed out. The irony is that those who benefit most — Fortune 500 companies, AI startups, cloud providers — often pay the least.
What they propose — and whether it can work
The signatories are not just presenting a problem. They are pushing toward new models:
- Commercial partnerships that tie usage to funding.
- Tiered access: free for individuals or small projects, with high-volume consumers paying for premium performance.
- Value-added services (e.g. usage metrics, priority support) tailored to large users.
These proposals echo pricing models in other infrastructure domains like cloud services or internet bandwidth.
Will it fly? That’s the wild card. Some companies may resist paying for what they’ve long treated as a quasi–public good. But the pressure is mounting: the foundations say the status quo is now untenable.
The broader open-source community may also push the industry to reflect. As the OpenJS Foundation put it: there are no “magic piles of money” behind infrastructure.
Why this matters to everyone
This isn’t just an arcane dispute over who pays for bandwidth. The entire digital economy depends on these systems. Your smartphone, cloud apps, APIs — all of them build on a vast stack of open-source dependencies. Interruptions or instability at the infrastructure level cascade upward.
Moreover, this may finally be a turning point. For years, open-source funding challenges have been discussed in forums and blog posts. Now, with so many major stewards united behind a public warning, this could shift how the tech industry perceives open infrastructure — from “free by default” to “shared responsibility.”
If enough corporate consumers accept the logic and start contributing proportionally, we may see a healthier, more sustainable foundation for software development. If not, the cost will be paid in outages, fragmentation, and burnout — by the people we rely on most to keep the software world running.