Technology · May 11, 2026 · 4 min read

Who Killed Free Open Source? The Report Blaming Big Companies


Open source package registries (the centralized archives from which developers and automated systems download ready-to-use libraries and packages), such as Maven Central for Java, PyPI for Python, npm for JavaScript, and NuGet for .NET, are buckling under nearly 10 trillion downloads a year. The figure comes from Sonatype's 2026 State of the Software Supply Chain report: in 2025, combined downloads across these four registries reached 9.8 trillion, with year-on-year growth that no existing funding plan can sustain. Maven Central, the world's largest Java registry, serves hundreds of billions of requests but runs on infrastructure funded with crumbs compared to the value it generates.

The 1% that Weighs as Much as 99%

Brian Fox, CTO and co-founder of Sonatype, quantified the phenomenon with a telling detail: 82% of the traffic on Maven Central comes from 1% of IP addresses. These are not individual developers pulling libraries for personal projects, but large companies whose automated CI/CD pipelines, dependency scanners, and ephemeral containerized builds hit the registries thousands of times a day, often without even basic caching. The result is resource consumption on the scale of an enterprise cloud infrastructure, paid for as if it were a service for hobbyists.

The Situation Has Worsened with the Rise of Generative AI

The situation has worsened with the proliferation of generative and agentic AI systems. Autonomous coding agents query registries massively and repetitively to identify, download, and verify dependencies, often repeating requests that have already been served. The foundations running these infrastructures describe this traffic as "machine-driven, often wasteful": automated, lacking any optimization logic, and growing exponentially.

Critical Infrastructure, Charitable Funding

The problem has been known for years but has rarely been addressed with the clarity it requires. A joint Harvard and GitHub analysis estimated that rebuilding the widely used open source software from scratch would cost $4.15 billion. Companies collectively invest $7.7 billion a year in open source, but the vast majority of that sum goes to paying their own employees to contribute to internal or upstream projects; very little reaches the public registries that distribute all that software.

The Log4Shell case in December 2021 exposed the fragility of the system: the library that brought a large part of the internet to its knees was maintained by a handful of unpaid volunteers. Despite that alarm bell, the funding model for registries has not changed significantly, and downloads have since tripled.

The Statement from the Eight Foundations

A coordinated response has now come from eight leading open source foundations (including the Python Software Foundation, the Rust Foundation, the Eclipse Foundation, and the OpenJS Foundation), which published a joint statement on OpenSSF titled "Open Infrastructure is Not Free". Its central message is that "commercial-scale use without commercial-scale support is unsustainable" and that the current model has reached a critical turning point. Not yet a crisis, but the boundary is close: demand is growing exponentially, while funding is, at best, linear.

Public Registries as Free Global CDNs for Proprietary Software

Registries are also being used as free global CDNs for proprietary software. The foundations have stated this unequivocally: “Public registries have become free global CDNs for commercial vendors.” Companies distributing proprietary SDKs and tools through PyPI or npm are using infrastructure intended for community software as a commercial distribution backend, without contributing to operational costs.

The Sustaining Package Registries Working Group

On May 6, 2026, the Sustaining Package Registries Working Group was launched under the umbrella of the Linux Foundation. Sonatype, as the steward of Maven Central, is among the founding members. The initiative has four main axes: economic sustainability (developing funding models proportional to usage), collective defense (sharing information about threats among registries), governance (shared policy frameworks), and ecosystem education about usage responsibility.

Concrete proposals are already on the table. The foundations have explicitly mentioned tiered access models, in which basic access stays free for individual developers and small teams while large commercial consumers pay in proportion to their usage. They cite internet bandwidth and cloud computing as precedents where the principle "the more you use, the more you pay" is established: if 1% of users generates 82% of the traffic, that is where the significant contribution must come from.

Immediate Measures and Recommendations

In the immediate term, the foundations are asking companies to adopt minimum efficiency measures: implement local caching (for example a repository proxy shared across build agents) so that builds stop re-downloading the same artifacts, cut the synthetic traffic generated by scanners and AI agents, and open direct conversations with registry maintainers about forms of proportional contribution. These recommendations sound obvious, yet most organizations have never implemented them because the cost was zero, and nobody questions a cost of zero.
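One way to implement the local caching above, as an added example that is not the foundations' or any registry's own code: a build-side cache keyed by artifact coordinates that also verifies each artifact against a pinned SHA-256 before using it, so the cache saves registry traffic without becoming a place where a swapped package goes unnoticed. The artifact paths, payloads and pinned digests below are constructed for the example; in a real pipeline `fetch_upstream` would be an HTTP GET against the registry and the pins would come from a lockfile or the registry's checksum files.

```python
import hashlib
import os
import tempfile
from typing import Callable, Dict

# Constructed sample upstream: artifact path -> bytes. Not real registry content.
UPSTREAM_BYTES: Dict[str, bytes] = {
    "org/example/lib/1.0/lib-1.0.jar": b"constructed jar payload 1.0",
    "org/example/lib/1.1/lib-1.1.jar": b"constructed jar payload 1.1",
}
# Pinned digests: the role a lockfile or a registry .sha256 sidecar plays in practice.
PINNED_SHA256: Dict[str, str] = {
    path: hashlib.sha256(data).hexdigest() for path, data in UPSTREAM_BYTES.items()
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CachingResolver:
    """Build-side cache in front of a package registry (illustrative, not a real proxy).

    fetch_upstream is injected so the class runs offline; in a pipeline it would be
    an HTTP GET against the registry or an organisation-wide repository manager.
    """

    def __init__(self, cache_dir: str, fetch_upstream: Callable[[str], bytes],
                 pins: Dict[str, str]) -> None:
        self.cache_dir = cache_dir
        self.fetch_upstream = fetch_upstream
        self.pins = pins
        self.upstream_fetches = 0  # how many times the registry was actually hit

    def _cache_path(self, artifact: str) -> str:
        # Hash the artifact path for the on-disk name: no path traversal via "../"
        # in a crafted coordinate, and no filesystem-unsafe characters.
        return os.path.join(self.cache_dir, sha256_hex(artifact.encode("utf-8")))

    def resolve(self, artifact: str) -> bytes:
        expected = self.pins.get(artifact)
        if expected is None:
            raise ValueError(f"no pinned digest for {artifact}; refusing unpinned download")
        path = self._cache_path(artifact)
        if os.path.exists(path):
            with open(path, "rb") as f:
                cached = f.read()
            if sha256_hex(cached) == expected:
                return cached          # cache hit: no registry traffic at all
            os.remove(path)            # corrupted or tampered entry: do not trust it
        data = self.fetch_upstream(artifact)
        self.upstream_fetches += 1
        if sha256_hex(data) != expected:
            raise ValueError(f"digest mismatch for {artifact}: upstream content does not match pin")
        tmp = path + ".tmp"
        with open(tmp, "wb") as f:
            f.write(data)
        os.replace(tmp, path)          # atomic publish: never leave a half-written entry
        return data


def simulate_ci_runs(runs: int = 5) -> Dict[str, int]:
    """`runs` builds each needing every artifact; count how often upstream is hit."""
    resolver = CachingResolver(tempfile.mkdtemp(prefix="registry-cache-"),
                               lambda a: UPSTREAM_BYTES[a], PINNED_SHA256)
    for _ in range(runs):
        for artifact in UPSTREAM_BYTES:
            resolver.resolve(artifact)
    return {"requests": runs * len(UPSTREAM_BYTES), "upstream_fetches": resolver.upstream_fetches}


def tampered_upstream_is_rejected() -> bool:
    """An upstream (or a poisoned proxy) serving different bytes must not reach the build."""
    resolver = CachingResolver(tempfile.mkdtemp(prefix="registry-cache-"),
                               lambda a: b"malicious replacement", PINNED_SHA256)
    try:
        resolver.resolve("org/example/lib/1.0/lib-1.0.jar")
    except ValueError:
        return True
    return False


def tampered_cache_is_refetched() -> bool:
    """A modified cache entry is discarded, re-fetched once, and verified again."""
    resolver = CachingResolver(tempfile.mkdtemp(prefix="registry-cache-"),
                               lambda a: UPSTREAM_BYTES[a], PINNED_SHA256)
    artifact = "org/example/lib/1.1/lib-1.1.jar"
    resolver.resolve(artifact)                       # populates the cache
    with open(resolver._cache_path(artifact), "wb") as f:
        f.write(b"someone edited the cache")
    data = resolver.resolve(artifact)
    return data == UPSTREAM_BYTES[artifact] and resolver.upstream_fetches == 2


if __name__ == "__main__":
    print(simulate_ci_runs())
    print("tampered upstream rejected:", tampered_upstream_is_rejected())
    print("tampered cache refetched:", tampered_cache_is_refetched())
```

Five builds needing two artifacts each produce ten resolutions but only two registry fetches; the remaining eight are served locally. The caveat that matters for the ephemeral builds the article describes: a cache that lives inside a throwaway container starts empty on every run and saves nothing, so the cache directory has to persist across runs (a mounted volume, or a repository manager shared by all build agents) for the traffic reduction to materialise.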

The market for software supply chain security is directly connected to these issues and is currently growing strongly, driven in part by the entry into force of the European Cyber Resilience Act, which has added compliance obligations for organizations using open source components in products sold in the EU. Regulatory pressure adds to the infrastructural pressure: on top of an ever heavier load, registries must also document and certify the security of what they distribute, pushing operational costs up further.