Open source devs consider making hogs pay for every download


Opinion: Careless big-time users are treating FOSS repos like content delivery networks

Brian Fox, CTO of the company that operates Maven Central, introduced me to a new open source problem. I wouldn't have thought that was possible, but here I am. Fox explained that the repository is at risk of being overwhelmed by constant downloads.

The team has dug into this and found that 82 percent of the demand comes from less than 1 percent of IPs. Digging deeper, they discovered that many companies are using open source repositories as if they were content delivery networks (CDNs). A single company might download the same code hundreds of thousands of times in a day, then again the next day, and the next. This is unsustainable. So Maven Central and other open source repositories are considering a tiered payment system: lone developers and small groups will still be able to download the code for free, but the hogs will have to pay for every download. In other words, open source software will still be free as in speech, but for its heaviest consumers it will no longer be free as in beer.

How bad is it? Fox revealed that last year, major repositories handled 10 trillion downloads. That's double Google's annual search queries, if you're counting from home, and the repositories are doing it on a shoestring. Fox described this as a "tragedy of the commons," where the assumption of "free and infinite" resources leads to structural waste, amplified by CI/CD pipelines, security scanners, and AI-driven code generation. Companies may think they can rely on "free and infinite" infrastructure, when in reality the costs of bandwidth, storage, staffing, and compliance are accelerating.

Fox shared data showing that 82 percent of Maven Central's consumption comes from less than 1 percent of worldwide IPs, with 80 percent of traffic coming from the big three hyperscalers. Making it even more troublesome, "IP addresses don't represent people. They're not even organizations anymore. They're ephemeral. They're kind of like weather," Fox explained in an interview, noting the challenges posed by containers, NAT proxies, and cloud egress IPs. In one case, a department store's team of 60 developers generated more traffic than all cable modem users worldwide, because misconfigured React Native builds bypassed their Nexus repository manager and pulled straight from the public registry.
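The two numbers Fox cites, the share of traffic from the top 1 percent of IPs and the same artifact being pulled over and over by one client, are both computable from an ordinary access log. The script below is an added illustration, not Sonatype's or The Register's code: it parses constructed, Combined-Log-style lines (the format, the IPs and the artifact paths are all made up for the example), reports the share of requests attributable to the busiest 1 percent of client IPs, and lists any (IP, day, artifact) combination that re-downloaded the same file more than a threshold number of times. The same logic run over your own egress proxy or repository-manager logs will show whether your builds are bypassing the cache.

```python
"""Find the registry 'hogs' described above in a download access log: how
much of the traffic the top 1 percent of client IPs account for, and which
(ip, day, artifact) combinations re-download the same file over and over.

Added illustration, not Sonatype's or The Register's code. The log format is
a constructed, Combined-Log-style line:
    <ip> [<dd/Mon/yyyy>:<time> <tz>] "GET <path> HTTP/1.1" <status>
"""
from collections import Counter
import math
import re

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]*\] '
    r'"GET (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def top_share(records, fraction=0.01):
    """Return (number_of_top_ips, share_of_requests) for the busiest
    `fraction` of client IPs, the figure Fox quoted as 82% from <1%."""
    per_ip = Counter(r["ip"] for r in records)
    total = sum(per_ip.values())
    if total == 0:
        return 0, 0.0
    n_top = max(1, math.ceil(fraction * len(per_ip)))
    top_requests = sum(count for _, count in per_ip.most_common(n_top))
    return n_top, top_requests / total


def repeat_downloads(records, threshold):
    """Count successful downloads of the same path by the same IP on the
    same day; anything at or above `threshold` is the 'same code hundreds
    of thousands of times a day' pattern and should sit behind a cache."""
    counts = Counter(
        (r["ip"], r["day"], r["path"])
        for r in records
        if r["status"].startswith("2")
    )
    return {key: n for key, n in counts.items() if n >= threshold}


def build_sample_log():
    """Constructed sample: one client (203.0.113.7) fetches the same jar 400
    times in a day; 99 other clients each fetch one distinct artifact."""
    hog_jar = "/maven2/org/example/lib/1.2.3/lib-1.2.3.jar"
    lines = [
        f'203.0.113.7 [14/Apr/2026:09:15:02 +0000] "GET {hog_jar} HTTP/1.1" 200'
        for _ in range(400)
    ]
    for i in range(1, 100):
        lines.append(
            f'198.51.100.{i} [14/Apr/2026:10:00:00 +0000] '
            f'"GET /maven2/org/other/dep{i}/1.0/dep{i}-1.0.pom HTTP/1.1" 200'
        )
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    n_top, share = top_share(recs)
    print(f"top {n_top} IP(s) of {len({r['ip'] for r in recs})} "
          f"account for {share:.1%} of {len(recs)} requests")
    for (ip, day, path), n in sorted(repeat_downloads(recs, 100).items()):
        print(f"{ip} fetched {path} {n} times on {day}")
```

On the constructed sample the single busiest IP out of 100 accounts for just over 80 percent of requests, which is the shape of Fox's 82-from-1 figure. As Fox notes, an IP is not a person or an organization, so in practice you would join the hog list against egress NAT ranges or proxy logs before deciding who to talk to.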
He detailed extreme examples, such as large organizations downloading the same 10,000 components a million times each month. "That's ridiculous," Fox said. Throttling efforts led to "brownouts" via HTTP 429 responses, but the traffic patterns mutated, forcing a game of "Whack-a-Mole," especially since most consumption is headless and goes unnoticed by the people responsible for it.

Registries are also burdened by commercial use, with companies publishing closed source components or massive SDKs and treating the registry as a free CDN. Fox noted that top publishers release gigabyte-scale artifacts daily, unlike typical open source projects.

The proposed model keeps registries free for hobbyists and open source projects while mandating contributions from high-volume users. "This is the important part, that it has to become mandatory, not optional," Fox emphasized. Open source charity is not a sustainable model. Businesses have been treating open source repositories as free, infinite infrastructure. That's nonsense. The reality is that the costs of bandwidth, storage, staffing, and compliance are ever-growing. In particular, as the open letter stated, open source foundations can't keep up with the demand for fast dependency resolution, signed packages, zero downtime, and rapid response to supply chain attacks, not to mention looming regulatory requirements such as the

Fox anticipates that the registries will start rolling out their models next quarter: "We did the Open Letter way back in October... different ecosystems have figured out models that they think are going to work." In a pleasant surprise, reactions have been positive. Throttled organizations were "surprised and apologetic"; the cause was not malice but "ignorance, unawareness." As the saying goes, never attribute to malice what can be adequately explained by stupidity. Or, as Michael Winser, a co-founder of a Linux Foundation project to help secure the open source supply chain, said at FOSDEM: "If you're not caching, you're a goddamn idiot." Amen, brother!
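Winser's caching point and Fox's 429 brownouts meet in the client. The class below is an added illustration, not Sonatype's or The Register's code, of how a well-behaved registry client should act: repeated requests for the same artifact are served from a local cache so upstream sees them once, the cached copy is checked against the registry's published `.sha1` sidecar before it is trusted, and a 429 is answered by honouring `Retry-After` with a doubling delay rather than by retrying in a tight loop. Network access is abstracted behind an `http_get(url) -> (status, headers, body)` callable, and the example runs offline against a constructed `FakeRegistry`; `BASE` and the artifact path are placeholders.

```python
"""A registry client that does what Fox and Winser ask for: serve repeated
requests for the same artifact from a local cache, verify the cached copy
against the registry's published SHA-1 sidecar, and back off on HTTP 429
instead of hammering a throttled registry.

Added illustration, not Sonatype's or The Register's code. Network access is
abstracted behind an `http_get(url) -> (status, headers, body)` callable and
the example runs offline against a constructed FakeRegistry. BASE is a
placeholder hostname, not a real registry.
"""
import hashlib
import time

BASE = "https://repo.example.invalid"  # assumed placeholder registry URL
JAR = "/maven2/org/example/lib/1.2.3/lib-1.2.3.jar"  # constructed path


class ArtifactCache:
    def __init__(self, http_get, sleep=time.sleep, max_retries=5):
        self.http_get = http_get
        self.sleep = sleep
        self.max_retries = max_retries
        self.store = {}             # path -> bytes; a real proxy would use disk
        self.upstream_requests = 0  # what the registry (and your bill) sees

    def _get_with_backoff(self, path):
        """GET from upstream, honouring Retry-After on 429 with a doubling delay."""
        delay = 1.0
        for _ in range(self.max_retries):
            self.upstream_requests += 1
            status, headers, body = self.http_get(BASE + path)
            if status == 429:
                self.sleep(float(headers.get("Retry-After", delay)))
                delay = min(delay * 2, 60.0)
                continue
            if status == 200:
                return body
            raise RuntimeError(f"{path}: HTTP {status}")
        raise RuntimeError(f"{path}: still throttled after {self.max_retries} tries")

    def fetch(self, path):
        """Return artifact bytes, hitting upstream only on a cache miss."""
        if path in self.store:
            return self.store[path]
        body = self._get_with_backoff(path)
        # Maven repositories publish <artifact>.sha1 beside each file.
        expected = self._get_with_backoff(path + ".sha1").decode().split()[0]
        actual = hashlib.sha1(body).hexdigest()
        if actual != expected:
            raise ValueError(f"{path}: checksum {actual} != published {expected}")
        self.store[path] = body
        return body


class FakeRegistry:
    """Constructed stand-in for a registry: a dict of path -> bytes, an
    optional run of leading 429s to simulate a brownout, and a tamper switch
    that serves the wrong bytes for the artifact."""
    def __init__(self, artifacts, throttle_first_n=0, tamper=False):
        self.artifacts = artifacts
        self.throttle_left = throttle_first_n
        self.tamper = tamper
        self.sleeps = []  # delays the client was told to wait

    def http_get(self, url):
        path = url[len(BASE):]
        if self.throttle_left > 0:
            self.throttle_left -= 1
            return 429, {"Retry-After": "2"}, b""
        if path.endswith(".sha1"):
            data = self.artifacts.get(path[:-5])
            if data is None:
                return 404, {}, b""
            return 200, {}, hashlib.sha1(data).hexdigest().encode()
        data = self.artifacts.get(path)
        if data is None:
            return 404, {}, b""
        return 200, {}, (b"tampered" if self.tamper else data)


def demo(throttle_first_n=2, tamper=False):
    """Fetch the same jar twice; return the upstream request count after each
    fetch plus the back-off delays the client observed."""
    registry = FakeRegistry({JAR: b"PK\x03\x04constructed-jar-bytes"},
                            throttle_first_n, tamper)
    cache = ArtifactCache(registry.http_get, sleep=registry.sleeps.append)
    cache.fetch(JAR)
    after_first = cache.upstream_requests
    cache.fetch(JAR)
    after_second = cache.upstream_requests
    return after_first, after_second, list(registry.sleeps)


if __name__ == "__main__":
    first, second, waits = demo()
    print(f"upstream requests: {first} after first fetch, {second} after "
          f"second fetch; waited {waits} seconds on 429s")
```

With two 429s in front, the first fetch costs four upstream requests (two throttled, one for the jar, one for its `.sha1`) and the second fetch costs none. One caveat a practitioner should keep in mind: the `.sha1` sidecar lives on the same server as the artifact, so this check catches truncation and cache corruption, not a compromised registry; for that you need the signed packages the open letter asks the foundations to fund.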
With AI-driven repository usage exploding, Fox urged companies to check their bills, use caching proxies, and stop CI setups that re-download every dependency on every commit. He is seeking endorsements: "We need you to help step up... so that when we go out to the rest of the wild world... you need to pay to keep doing what you've been doing."

Yes, open source software is free, but the cost of the registries that host all those open source applications and libraries keeps rising with usage. It's not just bandwidth and storage. Winser also pointed out that the repositories "don't have enough money to spend on the very security features that we all desperately need to stop being a bunch of idiots and installing foo when it's malware." To quote Robert A. Heinlein: "There's no such thing as a free lunch." The bill has come due for our misuse of the open source commons. ®


Source: The Register

