The Open Source Security Foundation (OpenSSF), established to consolidate industry efforts on open source software security, has published an open letter signed by the operators of package repositories such as PyPI, crates.io, Packagist, Open VSX, and Maven Central. The letter describes the difficulty of keeping their infrastructure stable under current funding models and usage patterns. Although repository workload has grown substantially, funding for infrastructure maintenance has not kept pace, and the signatories say changes are needed to relieve the mounting pressure.
A key issue raised in the letter is that many commercial entities treat public repositories as a free, always-available, and unlimited resource. In reality, these repositories are run by individual sponsor companies or by non-profit organizations that depend on grants and donations. Some companies use public repositories as content delivery networks (CDNs) for binary components, SDKs, and packages that belong to paid products, flooding them with requests from automated CI pipelines and container build systems, as well as from resource-intensive dependency scanners.
Furthermore, these companies often ignore the effect of their traffic on repository infrastructure and do not rate-limit their requests or cache packages locally. This unchecked usage places immense strain on the infrastructure, and the growing activity of AI bots makes it worse.