Open source devs consider making hogs pay for every Git pull

Opinion I'm at the Linux Foundation Members Summit, and Sonatype's CTO Brian Fox introduced me to a new open source problem. I wouldn't have thought that was possible, but here I am. Fox, who also oversees Apache Maven, a popular Java build tool, explained that its repository site is at risk of being overwhelmed by constant Git pulls. The team has dug into this and found that 82 percent of the demand comes from less than 1 percent of IPs. Digging deeper, they discovered that many companies are using open source repositories as if they were content delivery networks (CDNs). So, for example, a single company might download the same code hundreds of thousands of times in a day, and the next day, and the next. This is unsustainable.

So Maven and other open source repositories are considering introducing a tiered payment system. Lone developers and small groups will still be able to download the code for free, but the hogs will have to pay for every download. In other words, open source software is still free as in speech, but you can forget about being "free as in beer" going forward.

How bad is it? Fox revealed that last year, major repositories handled 10 trillion downloads. That's double Google's annual search queries, if you're counting from home, and they're doing it on a shoestring. Fox described this as a "tragedy of the commons," where the assumption of "free and infinite" resources leads to structural waste amplified by CI/CD pipelines, security scanners, and AI-driven code generation. Companies may think that they can rely on "free and infinite" infrastructure, when in reality the costs of bandwidth, storage, staffing, and compliance are accelerating.

Fox shared data showing 82 percent of Maven Central's consumption comes from less than 1 percent of worldwide IPs, with 80 percent of traffic from the big three hyperscalers. Making it even more troublesome, "IP addresses don't represent people. They're not even organizations anymore. They're ephemeral. They're kind of like weather," Fox explained in an interview, noting challenges from containers, NAT proxies, and cloud egress IPs. In one case, a department store's team of 60 developers generated more traffic than cable modem users worldwide because misconfigured React Native builds bypassed their Nexus repository manager. He detailed extreme examples, such as large organizations downloading the same 10,000 components a million times each month. "That's ridiculous," Fox said. Throttling efforts led to "brownouts" via 429 errors, but patterns mutated, forcing a "Whack-a-Mole" game, especially since most consumption is headless and unnoticed.

Registries are also burdened by commercial use, with companies publishing closed source components or massive SDKs as free CDNs. Fox noted that top publishers release gigabyte-scale artifacts daily, unlike in typical open source projects.

In September 2025, the registries issued an open letter via OpenSSF calling for "tiered access models" to keep it free for hobbyists and open source while mandating contributions from high-volume users. "This is the important part, that it has to become mandatory, not optional," Fox emphasized. Open source charity is not a sustainable model. Businesses have been treating open source repositories as free, infinite infrastructure. That's nonsense. The reality is that the costs of bandwidth, storage, staffing, and compliance are ever-growing. In particular, as the letter stated, "Commercial-scale use without commercial-scale support is unsustainable." Open source foundations can't keep up with the demand for fast dependency resolution, signed packages, zero downtime, and rapid response to supply chain attacks – not to mention looming regulatory requirements such as the EU's Cyber Resilience Act.

Fox anticipates the registries will start rolling out their tiered models next quarter: "We did the Open Letter way back in October... different ecosystems have figured out models that they think are going to work." In a pleasant surprise, reactions have been positive. Throttled organizations were "surprised and apologetic," having mistaken the throttling for malice rather than "ignorance, unawareness." As the saying goes, never attribute to malice what can be explained by stupidity. Or, as Michael Winser, a co-founder of Alpha-Omega, a Linux Foundation project to help secure the open source supply chain, said at FOSDEM: "If you're not caching, you're a goddamn idiot." Amen, brother!

With AI-driven repository usage exploding, Fox urged checking bills, using caching proxies, and avoiding per-commit tests. He seeks endorsements: "We need you to help step up... so that when we go out to the rest of the wild world... you need to pay to keep doing what you've been doing."

But, wait, there's more! Besides simply being overwhelmed by constant download demands, Winser said, "People conflate open source software and open source infrastructure." Yes, open source software is free, but the cost of registries to host all open source applications and libraries keeps increasing with greater usage. It's not just bandwidth and storage. Winser also pointed out that the repositories "don't have enough money to spend on the very security features that we all desperately need to stop being a bunch of idiots and installing fu when it's malware."

To quote Robert A. Heinlein: "There's no such thing as a free lunch." The bill has come due for our misuse of the open source commons. ®
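The two numbers at the heart of the piece, the share of traffic that comes from the top 1 percent of IPs and the "same components, downloaded over and over" pattern that a missing cache produces, can both be measured from an ordinary access log. The script below is an added example, not code from The Register, Sonatype or Maven Central: it parses a few constructed log lines in a common-log-style format (the format, the artifact paths and the documentation-range addresses are all assumptions made up for the example), reports what fraction of served requests the top 1 percent of IPs account for, and flags IP/artifact pairs fetched so often that a repository manager or caching proxy is evidently not in the path. Throttled (429) responses are deliberately excluded from the "served" count, since the point is to find who is consuming bandwidth, not who is being refused it.

```python
"""Measure traffic concentration and repeat downloads in a registry access log.

Added example (not the article's or any registry's own tooling). The log
format below is a constructed, common-log-style format; real registries
will differ, so adjust LOG_RE to match your own logs.
"""
import math
import re
from collections import Counter

# Assumed format:  <ip> - - [<timestamp>] "<method> <path> <proto>" <status> <bytes>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_log(lines):
    """Return (ip, path) for every successfully served GET; skip 429s etc."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue
        records.append((m["ip"], m["path"]))
    return records


def requests_per_ip(records):
    """Served requests keyed by client IP."""
    return Counter(ip for ip, _ in records)


def top_ip_share(per_ip, fraction=0.01):
    """Fraction of all served requests made by the top `fraction` of IPs.

    The cut-off is rounded up, so the top 1 percent of 101 IPs is 2 IPs.
    """
    if not per_ip:
        return 0.0
    k = max(1, math.ceil(fraction * len(per_ip)))
    top = sum(count for _, count in per_ip.most_common(k))
    return top / sum(per_ip.values())


def repeat_downloads(records, threshold=10):
    """(ip, path) pairs fetched at least `threshold` times: a cache is missing."""
    pairs = Counter(records)
    return {pair: n for pair, n in pairs.items() if n >= threshold}


def build_sample_log():
    """Constructed sample: a long tail of 100 one-off clients plus one hog."""
    lines = []
    for i in range(100):  # 100 distinct IPs, one artifact each
        lines.append(
            f'203.0.113.{i} - - [12/Nov/2025:10:00:{i % 60:02d} +0000] '
            f'"GET /maven2/org/example/tail{i}/1.0/tail{i}-1.0.jar HTTP/1.1" 200 4096'
        )
    for _ in range(100):  # one IP re-fetching the same 5 artifacts 100 times
        for a in range(5):
            lines.append(
                '198.51.100.7 - - [12/Nov/2025:10:01:00 +0000] '
                f'"GET /maven2/org/example/hot{a}/2.3/hot{a}-2.3.jar HTTP/1.1" 200 1048576'
            )
    # A throttled request: must not be counted as served bandwidth.
    lines.append(
        '198.51.100.7 - - [12/Nov/2025:10:02:00 +0000] '
        '"GET /maven2/org/example/hot0/2.3/hot0-2.3.jar HTTP/1.1" 429 0'
    )
    return lines


if __name__ == "__main__":
    records = parse_log(build_sample_log())
    per_ip = requests_per_ip(records)
    print(f"served requests: {len(records)}, distinct IPs: {len(per_ip)}")
    print(f"share from top 1% of IPs: {top_ip_share(per_ip):.1%}")
    for (ip, path), n in sorted(repeat_downloads(records).items()):
        print(f"{ip} fetched {path} {n} times -> no cache in the path?")
```

On the constructed sample the top 1 percent of IPs (two of 101) serve 83.5 percent of requests, and every flagged pair belongs to the single uncached client; on a real log the same two functions give an operator the "who" to contact and the "what" (which artifacts) to point them at when recommending a caching proxy.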