https://www.theregister.com/2026/02/28/open_source_opinion/
“I'm at the Linux Foundation Members Summit, and Sonatype's CTO Brian Fox
introduced me to a new open source problem. I wouldn't have thought that was
possible, but here I am.
Fox, who also oversees Maven Central, the Java registry, explained that its
repository site is at risk of being overwhelmed by constant downloads. The team
has dug into this and found that 82 percent of the demand comes from less than
1 percent of IPs. Digging deeper, they discovered that many companies are using
open source repositories as if they were content delivery networks (CDNs). So,
for example, a single company might download the same code hundreds of
thousands of times in a day, and the next day, and the next. This is
unsustainable.
So Maven and other open source repositories are considering introducing a
tiered payment system. Lone developers and small groups will still be able to
download the code for free, but the hogs will have to pay for every download.
In other words, open source software is still free as in speech, but you can
forget about being "free as in beer" going forward.
How bad is it? Fox revealed that last year, major repositories handled 10
trillion downloads. That's double Google's annual search queries, if you're
counting from home, and they're doing it on a shoestring. Fox described this as
a "tragedy of the commons," where the assumption of "free and infinite"
resources leads to structural waste amplified by CI/CD pipelines, security
scanners, and AI-driven code generation.
Companies may think that they can rely on "free and infinite" infrastructure,
when in reality the costs of bandwidth, storage, staffing, and compliance are
accelerating.
Fox shared data showing 82 percent of Maven Central's consumption comes from
less than 1 percent of worldwide IPs, with 80 percent of traffic from the big
three hyperscalers. Making it even more troublesome, "IP addresses don't
represent people. They're not even organizations anymore. They're ephemeral.
They're kind of like weather," Fox explained in an interview, noting challenges
from containers, NAT proxies, and cloud egress IPs. In one case, a department
store's team of 60 developers generated more traffic than global cable modem
users worldwide due to misconfigured React Native builds bypassing their Nexus
repository manager.
He detailed extreme examples, such as large organizations downloading the same
10,000 components a million times each month. "That's ridiculous," Fox said.
Throttling efforts led to "brownouts" via 429 errors, but patterns mutated,
forcing a "Whack-a-Mole" game, especially since most consumption is headless
and unnoticed.
Registries are also burdened by commercial use, with companies publishing
closed source components or massive SDKs as free CDNs. Fox noted that top
publishers release gigabyte-scale artifacts daily, unlike in typical open
source projects.
In September 2025, the registries issued an open letter via OpenSSF calling for
"tiered access models" to keep it free for hobbyists and open source while
mandating contributions from high-volume users. "This is the important part,
that it has to become mandatory, not optional," Fox emphasized. Open source
charity is not a sustainable model.”
Cheers,
*** Xanni ***
--
mailto:xanni@xanadu.net Andrew Pam
http://xanadu.com.au/ Chief Scientist, Xanadu
https://glasswings.com.au/ Partner, Glass Wings
https://sericyb.com.au/ Manager, Serious Cybernetics
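The two measurements the article rests on, the share of traffic coming from a tiny fraction of IPs and the same artifact being pulled over and over by one client, are easy to reproduce against any repository or egress proxy log. The script below is an added example, not code from the article, Sonatype or Maven Central; it assumes a simplified, constructed log format of one "ip artifact status" line per request, and the function names (build_sample_log, parse_log, top_ip_share, repeated_fetches) are the example's own.

```python
"""Measure how concentrated artifact downloads are across client IPs.

Added example (not from the article or from Sonatype/Maven Central).
Assumes a constructed access-log format, one request per line:
    <client-ip> <artifact-path> <http-status>
It reports (a) the share of served requests produced by the busiest
slice of IPs and (b) (ip, artifact) pairs fetched repeatedly, which is
the "same component downloaded a million times" pattern the article
describes.  Run it against your own proxy or egress logs to find CI
jobs and scanners that are bypassing the caching repository manager.
"""
from collections import Counter
from math import ceil


def build_sample_log() -> str:
    """Constructed sample log.

    One CI farm egress IP (203.0.113.10) fetches two artifacts 50 and 30
    times; twenty individual developers (198.51.100.x) fetch one artifact
    each, once.  100 requests from 21 distinct IPs in total.
    """
    ci_ip = "203.0.113.10"
    lines = [f"{ci_ip} org/example/lib/1.0/lib-1.0.jar 200"] * 50
    lines += [f"{ci_ip} org/example/core/2.3/core-2.3.jar 200"] * 30
    for i in range(1, 21):
        lines.append(f"198.51.100.{i} org/example/util/0.9/util-0.9.jar 200")
    return "\n".join(lines) + "\n"


def parse_log(text: str) -> list[tuple[str, str, int]]:
    """Parse 'ip artifact status' lines; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        records.append((parts[0], parts[1], int(parts[2])))
    return records


def top_ip_share(records, top_fraction: float = 0.01) -> tuple[int, float]:
    """Share of served (HTTP 200) requests coming from the busiest IPs.

    Returns (ips_in_top_slice, fraction_of_requests).  The slice size is
    ceil(top_fraction * distinct_ips), so even a very small fraction
    counts at least one IP.
    """
    per_ip = Counter(ip for ip, _, status in records if status == 200)
    total = sum(per_ip.values())
    if total == 0:
        return 0, 0.0
    n_top = max(1, ceil(top_fraction * len(per_ip)))
    top_total = sum(count for _, count in per_ip.most_common(n_top))
    return n_top, top_total / total


def repeated_fetches(records, min_count: int = 10) -> list[tuple[str, str, int]]:
    """(ip, artifact, count) for pairs re-downloaded at least min_count times.

    Released artifacts are immutable, so one IP fetching the same path
    again and again is the signature of builds that are not going
    through a local caching proxy or repository manager.
    """
    pairs = Counter((ip, art) for ip, art, status in records if status == 200)
    hits = [(ip, art, n) for (ip, art), n in pairs.items() if n >= min_count]
    return sorted(hits, key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    n, share = top_ip_share(recs, top_fraction=0.05)
    print(f"top {n} IP(s) account for {share:.0%} of served downloads")
    for ip, art, count in repeated_fetches(recs):
        print(f"{ip} fetched {art} {count} times")
```

On the constructed data, two of the 21 IPs (the top 5 percent) account for 81 percent of downloads, and the CI IP shows up twice in the repeated-fetch report; on real logs the repeated-fetch list is the to-do list for pointing those jobs at the repository manager instead of the public registry.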