Eight organizations that operate the world’s largest software package registries issued a coordinated warning that their current funding model was “dangerously fragile,” signaling potential changes to how enterprises access the infrastructure powering billions of software downloads monthly.
The joint statement, published as an open letter on the Open Source Security Foundation (OpenSSF) website, came from leaders of the Python Software Foundation, Rust Foundation, Eclipse Foundation, OpenJS Foundation, and four other major open-source stewards. It represented the first unified call for sustainable funding from organizations whose registries handle what they described as “trillions” of downloads annually, largely driven by commercial software development.
“Commercial-scale use without commercial-scale support is unsustainable,” OpenSSF wrote in the blog post titled “Open Infrastructure is Not Free.” The statement warned of a “critical inflection point” that could force changes to access models, pricing structures, or service levels for high-volume users.
