Open source doesn't run on any individual project, foundation, or company — it runs on shared infrastructure. That's why we've come together with other stewards to issue a Joint Statement on Sustainable Stewardship.
Here, I'll share the journey that led us to this point and what it means for the future of Maven Central and the broader open source ecosystem.
When I first wrote about the tragedy of the commons and Maven Central, I thought I was shining a light on a narrow but alarming problem: a tiny fraction of users consuming the vast majority of resources.
The data was stark — 1% of IPs were responsible for 83% of Maven Central's total bandwidth. And many of those were not scrappy side projects. Rather, they were some of the largest companies on the planet.
That was my first glimpse of what happens when a shared public resource is treated as infinite.
In a follow-up post, Beyond IPs, I shared what happened as we looked deeper. It wasn't just a handful of IP addresses gone wild.
Entire organizations downloaded the same components hundreds of thousands of times a month, across thousands of artifacts. Their traffic was spread across sprawling cloud footprints, effectively bypassing IP-based throttling.
It wasn't malicious. It was structural. CI pipelines, ephemeral containers, and globally distributed teams had turned inefficiency into scale. The result: a flood of redundant downloads that strained Central for everyone else.
By the time I wrote Free Isn't Free, it was clear this problem went beyond Maven Central.
I started seeing it everywhere: default settings in Gradle that hindered caching, React Native configurations that hardwired Central into every build, and even security tools meant to protect the ecosystem that paradoxically burdened the infrastructure with redundant requests.
These weren't "bad actors." They were the logical outcome of tools and systems designed as if public infrastructure were limitless. But it isn't. Free isn't free. Every redundant request, every inefficiency, adds up — in bandwidth, compute costs, slower builds, and increased fragility for the shared systems we all depend on.
As I kept digging, I started reaching out to peers running other ecosystems — PyPI, crates.io, NuGet, npm, Open-VSX, Packagist. The conversations were eerily familiar. Different tech stacks, same story: explosive growth, linear support, fear of backlash if they dared talk about sustainability.
What became clear is that none of us were dealing with isolated problems. We were staring at a systemic issue: the global software supply chain is running on shared infrastructure that was never designed or funded for this scale.
That realization led to conversations that eventually brought a group of us together: the maintainers and stewards of Maven Central, PyPI, crates.io, OpenJS, Packagist, Eclipse Open-VSX, and Alpha-Omega.
We had all been wrestling with the same dilemma in our corners, but we agreed it was time to speak publicly.
The result is an open letter on sustainable stewardship of open source infrastructure. It's not a prescription for one-size-fits-all solutions. Each community will chart its own course. But it is a statement of alignment: these systems are critical, they are under strain, and change is overdue.
Much of the open source sustainability conversation over the years has focused on maintainers — the individuals keeping critical projects alive, often in their spare time. That remains an unsolved challenge. But what struck me as I pulled this thread is how little attention has been given to the underlying infrastructure that those maintainers and their projects rely on.
The two issues are connected. If infrastructure stewards are forced to spend scarce funds to keep the lights on or enhance operational security, that money can't flow to maintainers.
Conversely, if we can build sustainable models for infrastructure, aligning responsibility with usage, then the same foundations and organizations could direct more resources where they're desperately needed: to the maintainers themselves. Done right, sustainable infrastructure could even generate additional funding to support the human backbone of open source.
Open source infrastructure has been propped up for decades by a mix of goodwill, silent benefactors, and organizations willing to shoulder costs that benefit everyone else. That generosity has carried us a long way.
But billion-dollar ecosystems cannot stand forever on foundations built of goodwill and unpaid weekends.
It's time to align responsibility with usage. Not to close doors, but to keep them open sustainably — and in doing so, create space to better support the maintainers who keep open source alive.
We urge you to read and share the open letter. Join us in strengthening the systems that power open source for future generations.