Sustaining Open Source: The Next 25 Years Depend on What We Do Together Now

At an event earlier this year, I heard someone describe the sustainability challenges we’re facing as, “open source is suffering from its own success,” and it’s true. The ecosystem that once thrived on volunteer collaboration now faces existential questions of regulation, funding, and sustainability. The good news is that these are solvable problems with solutions based on the thing we know best: community.

Think back to when the term “Open Source” was coined in 1998–if you were around to remember it! It was a technologically very different time, transitioning from sharing 3.5” floppies to burning CDs. (For a good chuckle, ask the nearest teenager how to “burn a CD.”) We were communicating over a still-nascent Internet, which we were just getting over calling the “information superhighway.” And not only were we building the roads of that highway, we were building the cars while we were driving down those unfinished roads. We were focused on code and solving immediate problems. The open source community built the foundation of the modern digital world quietly, in pieces, often siloed from other pieces that should have been more closely connected. Now as the default building blocks for modern software, powering finance, health care, the next generation of AI technology, and everything in between, we’re discovering that success brought new responsibilities […insert your own Spider-Man reference]. Our continued success now means not only the success of open source, but the health and continuity of all software development. That means we now have to be working not only on the code, but also addressing new security challenges, supporting open source in the software supply chain, navigating global regulation, and caring for the continued health of the people and projects we depend on every day. The methods that got us through the first quarter-century—volunteer energy, good-faith collaboration, and a handful of well-meaning corporate sponsors—won’t carry us through the next one without intention and attention.

Last month at All Things Open, I moderated a session on sustainability, and a year ago at the same event, I spoke about the history and future of open source. If there’s one theme binding those conversations, it’s this: sustainability isn’t a synonym for money. It includes funding, but it’s also about people, governance, trust, and shared responsibility. Money doesn’t automatically become sustainability any more than a grocery list becomes dinner. Someone still has to cook.

So what does sustainability really look like?

First, we need money and labor. We’ve gotten a lot better at learning ways to get funds into projects, starting with the many foundations and fiscal hosts, then things like sponsorship programs and grants, and there are several new structures coming along. That matters. (A lot!) But money doesn’t fix bugs; people do. If your company relies on projects, you should be investing employee time in contributing to them. Embed contribution into job descriptions and performance goals. Celebrate and reward upstream work. If you can’t staff it, fund it, and fund more than just development: release engineering, security response, governance, documentation, and all the parts that go into a successful project. A healthy ecosystem needs both payroll and pull requests.

Second, we must collaborate across projects, foundations, companies, and governments. For years, foundations operated like friendly neighboring islands (with the occasional archipelago), and for a long time, that was just fine. Now, with security, compliance, and policy under bright lights, isolation is a liability. Efforts like the OSI’s Open Policy Alliance and inter-foundation working groups show what happens when we stop competing for attention and start coordinating for impact. We don’t need five different groups solving the same regulatory puzzle alone; we need one well-lit table where we work the puzzle together.

Third, companies must participate with intention. I’ve spent most of my career helping organizations do exactly that, first in Red Hat’s OSPO and now at SAS as Director of Open Source. The playbook is straightforward: know what you use, how you use it, and how you’ll give back. Build an OSPO or an equivalent function to make contribution, compliance, and community part of how you ship software. Treat upstream health as a product dependency, because it is. Replenish what you draw from the ecosystem in code, time, and resources, and do it in ways that preserve vendor neutrality and community trust.

Fourth, we have to get serious about shared services and shared expertise. Some will, but not every project or foundation needs its own bespoke policy shop, security team, or event engine. We talk a lot about “don’t fork the code unless you must”; the same wisdom applies to operations. Pooling services across neutral organizations saves money, reduces duplicated effort, and raises quality. It’s also a sustainability strategy: expertise survives personnel changes when it’s institutional, not individual.

Fifth, we should plan for software’s full lifecycle. Sustainability isn’t just how a project starts and grows; it’s also how it pauses, transfers, or ends. “Open source estate planning” sounds unromantic, but it’s an act of care. Communities are made of humans, not code, so clear governance, dependency transparency, hand-off plans, and archival practices ensure that neither users nor contributors are stranded when life happens. The best time to write those plans was yesterday; the second-best time is before your next release.

And finally, we must invest in the next generation, but not only in computer science students. The open source ecosystem thrives on its non-code contributions: community leadership, communications, design, security triage, documentation, release management, and more. We should partner with universities and nonprofits to bring more people into real projects across disciplines. But there’s no reason to limit our outreach to students. Organizations looking for ways to contribute are full of people with all of those skills that we could be welcoming into the open source world. But it’ll take effort on the part of us already here to teach them the ways of community and collaboration. Gatekeeping is easy. Mentoring is harder, but far more powerful.

I know all of this can feel big. So let’s make it small and actionable.

  • If you’re a developer, open one issue that improves a dependency you use every day, or review one PR from a new contributor.
  • If you lead a team, whether code-producing or other skills, set aside regular time for upstream work and make it visible in their performance reviews.
  • If you manage budgets, fund the backbone, including CI, security audits, release work, documentation, and travel support for maintainers.
  • If you work at a foundation, pick one service you do well—policy, security response, or events—and offer it as a shared capability to others or a hub of collaboration between organizations.
  • If you’re an educator or student, connect coursework to real projects and teach collaboration alongside code.

As President of the Apache Software Foundation, a member of the OSI Board, and the director of an OSPO, I get to see this ecosystem from multiple vantage points. The through-line is simple: community is the foundation. We don’t have software without code, but we don’t have durable code without strong communities. When we share, teach, and build together, good things follow: more secure software, fewer burned-out maintainers, better governance, wiser policy.

So here’s my invitation, my request: find “one more.” One more maintainer to support, one more colleague to mentor, one more policy conversation to join, one more project to help document or secure. If everyone reading this helps even one more person become an open source contributor in any role, we’ll double our community faster than any grant ever could.

Open source has never been just about code. It’s about curiosity, generosity, and the belief that collaboration makes better things and better people. The next few years will test that belief as never before. But if we do what we’ve always done best—show up, share the work, and care for each other—we won’t just sustain open source. We’ll sustain the spirit that started it and ensure the success we’ve built continues for the good of the modern world.