A Call for Sustainable Open Source Infrastructure
Today, we joined other major package registries in signing an important joint statement on sustainable stewardship of open source infrastructure. Together with Maven Central, PyPI, crates.io, Open VSX, OpenJS Foundation, OpenSSF and Alpha-Omega, we're addressing a critical challenge: the growing gap between infrastructure usage and support.
The Reality We Face
Over 3 billion Composer packages are installed monthly, supporting PHP developers worldwide. What started as a community service now powers enterprise CI/CD pipelines, automated security scanners, and countless production deployments.
Currently, Private Packagist funds the majority of maintenance work on packagist.org through customer subscriptions (thank you!), alongside a small group of direct infrastructure sponsors (thank you too!). Yet, even with this support, the demands on our time and resources continue to grow. The vast majority of high-volume users – including many commercial entities – consume our services without contributing to their sustainability.
Why This Matters Now
The landscape has changed dramatically:
- Automated systems now generate the majority of our traffic, too often without appropriate caching or rate limiting
- Enterprise security and compliance requirements demand more rigorous monitoring, auditing, and new tooling capabilities
- Maintenance burden and support requirements have grown over time
- Commercial vendors increasingly use our platform to distribute open-source SDKs for the sole purpose of using their commercial services
These aren't problems we can solve with volunteer hours alone. They require dedicated time from experienced engineers, reliable on-call coverage, and sustainable funding for both infrastructure and the people who keep it running. While Private Packagist can sustain the ongoing operation of packagist.org, major changes and improvements remain difficult to finance.
Our Commitment
As part of this joint statement, we commit to:
- Exploring new sustainable models that maintain open access while encouraging responsible usage
- Working with the PHP community to develop solutions that work for everyone
How You Can Help
For Organizations:
- Implement caching in your CI/CD pipelines
- Consider buying a Private Packagist subscription
- Review and optimize your automated systems' usage patterns
For Developers:
- Use Composer's built-in caching features
- Don't trigger CI runs or install packages unnecessarily; avoid wasteful usage
- Advocate for infrastructure support within your organization
For Tool Builders:
- Design with infrastructure impact in mind
- Enable cache configuration by default
- Read and follow our API documentation at https://packagist.org/apidoc
- Send requests with meaningful User Agents, ideally with an email address to contact you
A Positive Outlook
This statement isn't about restricting access or creating paywalls. It's about ensuring we and similar services remain available, reliable, and secure for the entire PHP ecosystem. We believe in keeping infrastructure open while building sustainable models that align usage with support.
The PHP community has always been pragmatic and collaborative, and we're convinced we'll continue to find feasible paths forward. These may include rate limits for excessive use, charges for large-scale use by enterprise users, or additional paid functionality on packagist.org useful only to the largest users or for commercial purposes.
Thank you to every Private Packagist customer and to our current sponsors, every contributor to our open source projects, and everyone who has otherwise supported us over the years. Your contributions make a real difference!
Read the full joint statement signed by us and other major package registries.