Open Source Repos Face Crisis From 10T Downloads
Major open-source registries are facing an operational crisis under the strain of 10 trillion component downloads last year, a volume that rivals the scale of global search engines. In response to what one industry leader calls a tragedy of the commons, key organizations issued a call in for a new, sustainable funding model based on mandatory contributions from high-volume commercial users.

According to Brian Fox of Sonatype, open-source repositories managed a staggering 10 trillion downloads in the past year, a figure he noted is double Google’s annual search queries. Fox highlighted extreme examples of waste, such as large companies downloading the same 10,000 components one million times per month. He stated that this inefficient consumption is largely driven by automated, “headless” systems like CI/CD pipelines, security scanners, and AI-powered code generation tools that create immense, often unnoticed, demand.

The core issue, as described by Fox, is a structural unsustainability where finite, charitably-funded resources are treated as infinite. Attempts by registries to manage the load by throttling high-volume users reportedly resulted in service “brownouts” and a “Whack-a-Mole” scenario as consumption patterns adapted. The problem is compounded by some companies using the public registries as free content delivery networks (CDNs) for closed-source components or massive, gigabyte-scale SDKs, publishing daily updates that far exceed the typical behavior of open-source projects.

In , an open letter published via the Open Source Security Foundation (OpenSSF) and other organizations formally proposed a shift away from the current model. The letter advocates for “tiered access models” that would keep repositories free for individual developers, hobbyists, and open-source projects while requiring financial contributions from high-volume commercial entities. “This is the important part, that it has to become mandatory, not optional,” Fox emphasized, arguing that charity alone cannot sustain the ecosystem’s critical infrastructure.

The specific details of the proposed tiered access models, including pricing structures, consumption thresholds for what constitutes a “high-volume user,” and a timeline for implementation, have not yet been publicly defined. It also remains unclear which specific registries have formally committed to adopting such a model and how enforcement of mandatory contributions would be coordinated across the different ecosystems.

The proposal is expected to generate significant discussion between repository maintainers, open source foundations, and the large commercial enterprises that rely heavily on this infrastructure. The next steps will likely involve defining the technical and financial frameworks for the tiered model and building consensus among stakeholders. The outcome could reshape the financial relationship between corporations and the open-source projects that form the foundation of modern software development.

Organizations that consume open-source components are encouraged to take several actions. First, audit internal CI/CD pipelines and development workflows to identify and eliminate redundant component downloads; ephemeral build agents that fetch the same artifacts on every run are a common source of the repeated pulls Fox described. Second, put a local caching layer such as a repository manager between builds and the public registries, which cuts external bandwidth consumption and also insulates builds from the throttling and brownouts noted above. Finally, teams should review how they publish software to ensure they are not misusing public registries as private CDNs, in line with community best practices.
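The audit step is easier to act on with numbers in hand. The following is an added example written for this page, not code from the article, Sonatype, OpenSSF or any registry: it parses a constructed, hypothetical access-log format loosely modelled on what a caching repository proxy records (agent, path, status, bytes, cache HIT/MISS), then reports how many downloads were repeats, how many of those repeats were the same agent re-fetching an artifact it already had (a sign of build runners with no persisted local cache), and how many upstream bytes a working cache would have avoided. The log lines, the `agent=` and `cache=` fields and the `hot_threshold` parameter are all assumptions made for the illustration.

```python
"""Audit repository-proxy access logs for redundant component downloads.

Added example for this page; not code from the article or from any registry
or proxy vendor. The log format below is constructed and hypothetical.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample: one morning of builds on three CI agents. Every line is
# "<timestamp> agent=<id> GET <path> <status> <bytes> cache=<HIT|MISS>".
SAMPLE_LOG = """\
2024-05-01T10:02:11Z agent=ci-runner-1 GET /maven2/org/apache/commons/commons-lang3/3.14.0/commons-lang3-3.14.0.jar 200 657000 cache=MISS
2024-05-01T10:02:12Z agent=ci-runner-1 GET /maven2/com/google/guava/guava/33.1.0-jre/guava-33.1.0-jre.jar 200 3041000 cache=MISS
2024-05-01T10:07:40Z agent=ci-runner-2 GET /maven2/org/apache/commons/commons-lang3/3.14.0/commons-lang3-3.14.0.jar 200 657000 cache=MISS
2024-05-01T10:07:41Z agent=ci-runner-2 GET /maven2/com/google/guava/guava/33.1.0-jre/guava-33.1.0-jre.jar 200 3041000 cache=HIT
2024-05-01T10:15:03Z agent=ci-runner-3 GET /maven2/org/apache/commons/commons-lang3/3.14.0/commons-lang3-3.14.0.jar 200 657000 cache=MISS
2024-05-01T10:15:04Z agent=ci-runner-3 GET /maven2/org/slf4j/slf4j-api/2.0.13/slf4j-api-2.0.13.jar 200 69000 cache=MISS
2024-05-01T10:15:09Z agent=ci-runner-3 GET /maven2/org/slf4j/slf4j-api/2.0.13/slf4j-api-2.0.13.jar.asc 404 0 cache=MISS
2024-05-01T10:22:55Z agent=ci-runner-1 GET /maven2/org/apache/commons/commons-lang3/3.14.0/commons-lang3-3.14.0.jar 200 657000 cache=MISS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) agent=(?P<agent>\S+) GET (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+) cache=(?P<cache>HIT|MISS)$"
)


@dataclass(frozen=True)
class Download:
    agent: str
    path: str
    nbytes: int
    upstream: bool  # True when the proxy had to go out to the public registry


def parse_line(line: str):
    """Return a Download for a successful GET, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m or m["status"] != "200":  # skip malformed lines and failed fetches
        return None
    return Download(m["agent"], m["path"], int(m["bytes"]), m["cache"] == "MISS")


def audit(log_text: str, hot_threshold: int = 3) -> dict:
    """Summarise repeat downloads and the upstream bytes a cache would have saved."""
    downloads = [d for d in map(parse_line, log_text.splitlines()) if d]
    per_path = Counter(d.path for d in downloads)
    agents_per_path = defaultdict(set)
    upstream_per_path = Counter()
    per_agent_path = Counter()
    size = {}
    upstream_bytes = 0
    for d in downloads:
        agents_per_path[d.path].add(d.agent)
        per_agent_path[(d.agent, d.path)] += 1
        size[d.path] = d.nbytes
        if d.upstream:
            upstream_per_path[d.path] += 1
            upstream_bytes += d.nbytes
    # Only the first upstream fetch of each artifact is unavoidable; every
    # later MISS is a cache that did not hold the artifact or was bypassed.
    avoidable = sum((n - 1) * size[p] for p, n in upstream_per_path.items())
    hot = [
        {"path": p, "downloads": n, "agents": len(agents_per_path[p])}
        for p, n in per_path.most_common()
        if n >= hot_threshold
    ]
    return {
        "total_downloads": len(downloads),
        "distinct_artifacts": len(per_path),
        "redundant_downloads": len(downloads) - len(per_path),
        # Same agent pulling the same artifact again: runners without a persisted
        # local cache (e.g. ~/.m2 discarded after each job).
        "same_agent_refetches": sum(n - 1 for n in per_agent_path.values()),
        "upstream_bytes": upstream_bytes,
        "avoidable_upstream_bytes": avoidable,
        "hot_artifacts": hot,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample above the report shows 7 successful downloads of only 3 distinct artifacts, one of which (commons-lang3) was pulled four times by three agents and was fetched from upstream every time, so roughly two thirds of the upstream traffic was avoidable. Point the script at a real proxy log after adapting `LINE_RE` to that product's format; the "hot artifacts" list is where to start when deciding what to pin, vendor, or pre-warm in the cache.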
