
1.5M is a laughably small number compared to the value that financial institutions extract from just having PyPi available. I know my company, not financial but still large, has containers hitting it every day. How do we get these groups to fork over even just a small amount?




The PSF and several other organizations that provide public package registries wrote an open letter [1] announcing a joint effort to make this situation more sustainable. I'll be interested to see where it goes.

[1]: https://openssf.org/blog/2025/09/23/open-infrastructure-is-n...


Thanks! I want to bring this up as a discussion point when I get the chance at work.

I can't find a date on this letter - is it recent?


Get your company to take the Pledge: https://opensourcepledge.com/

It says "September 23, 2025" right at the top.

The website hides the date on mobile

The date is at the top of the letter and in the url...

September 2025.


I'm rather baffled at the spike in HN folks missing obvious dates. You're not the first...

I wonder if they're mobile. Here the URL is truncated and over on openssf.org/blog they don't show the date unless you switch over to desktop view.

I'm on mobile and missed it. My bad for the spam.


A business will always tend towards taking the maximum and giving the minimum. Believing anything else is wishful thinking at best and naive at worst.

So you have to increase the minimum. This could be achieved by contract, i.e. not allowing free pulls like Docker have done, or by convincing companies that support for PyPI and the like is the minimum. Unfortunately the latter would involve companies thinking and planning for the future, which is massively out of fashion.


From what I've seen in large tech companies, if they bother to do anything at all, you get a token "open source fund" which is then divvied up between different projects, often according to employee feedback. However the money is peanuts so it's clear that this is not a long term support strategy but just a way to placate the employees and say that "We PROUDLY support Open Source!" etc.

Also (and ironically), in the past, this kind of stuff often did have a DEI component of its own. Meaning that a fair bit of that fund would go not to high profile projects, nor to the ones that company actually uses the most, but to whoever can put together a proposal ticking the most "diversity" boxes.

Either way, the point is that companies are simply uninterested in extending any sort of meaningful support, never mind doing so in proportion to utility derived. And, honestly, why would they? Economically speaking there's no upside to it so long as you can enjoy the benefits regardless and rely on others to prop things up. And ethically speaking, large organizations are completely and utterly amoral in general, so they will only respond to ethical arguments if these translate to some meaningful economic upsides or downsides - and the big corps already know from experience that they can get away with things much worse than not contributing to the commons. It's not like people will boycott, say, Microsoft over its recent withdrawal of support from Python.
