The Open Source Security Foundation (OpenSSF) has had enough of being the unpaid janitor of the world's software supply chain.

A coalition of heavyweight open source foundations issued a joint statement via the foundation on Tuesday, declaring that "open infrastructure is not free" and warning that the critical machinery behind modern software development is being stretched to breaking point.

Package registries like Maven Central, PyPI, crates.io, npm, and Packagist handle billions of downloads every month, yet the organizations running them are often scraping by on donations, grants, and the goodwill of a few sponsors.

The missive lays it out bluntly: the ecosystem has been lulled into believing it can rely on "free and infinite" infrastructure, when in reality the costs of bandwidth,

See Full Page