Episode 159: Building Sustainable Open Source: Keeping the Lights On

Katherine Druckman: Hello, welcome back to Reality 2.0. I’m Katherine Druckman. It’s just me today with my friend Lori Lorusso — Doc isn’t joining us, but we have a lot to talk about. Lori is with the Rust Foundation, and if you’re not familiar with it, we’ll dig into that in a minute. It’s been a while since we’ve released an episode, but here we are again — and we’ve missed you! Lori, would you mind introducing yourself a bit? Who are you, and what do you do at the Rust Foundation?

Lori Lorusso: I’d be happy to, and thanks for inviting me on! I think we met three jobs ago — the lovely world of tech. It’s not that I’m trying to hop around, it just happens. I’m the Director of Outreach for the Rust Foundation. I’m relatively new — about a month and a half in — and two of those weeks I was on vacation, so it barely counts. So what does the Director of Outreach do? I work with our member organizations to find stories we can tell — what’s happening, what’s missing, how we can connect to the broader ecosystem. Another part of my job is project in-reach — working with the people actually building Rust, being someone they can talk to from the foundation side to help with things like project priorities and budgets, and how their work is viewed more broadly. We want to tell the stories of the developers behind Rust so that people understand the incredible work being done and give credit where it’s due to the maintainers and contributors who make the most memory-safe language you can develop in.

Katherine Druckman: Ah, you said the magic words — memory-safe language! Everyone’s very excited about Rust, especially the security folks. To that end, I wanted to talk about something that came out today. The OpenSSF posted a joint statement that the Rust Foundation was part of. The title is compelling: “Open Infrastructure Is Not Free.” It’s a post about several foundations — and a few companies — coming together to talk about the importance of sustainable stewardship for open source infrastructure. Everyone relies on it, whether they realize it or not.

Lori Lorusso: This is super timely. For context, today is September 23rd, the day this was announced, and we’re really excited about it. The Rust Foundation’s job is to steward the Rust language, and one way we do that is by being part of other foundations and organizations. In this case, we’re part of the OpenSSF. Our Executive Director sits on their board. We want to have open access to what other companies are doing, how they’re protecting themselves, and to be at the table when decisions are being made. Today’s release was a joint letter saying that package managers are critically important to infrastructure — but the way they’re currently used, from hobbyists to large enterprises, isn’t sustainable without support. We’ve identified potential ways to create more sustainability in open source. Open source isn’t free — it costs money — and infrastructure is a big expense. Foundations hosting these package managers are absorbing those costs, and we want to create a level playing field. If you’re doing millions or billions of downloads, you should be contributing your fair share, whether in kind or financially, to help keep the lights on.

Katherine Druckman: It always surprises me how many organizations get tremendous business value from open source software and infrastructure — things like package managers — and yet don’t contribute to their sustainability. It seems like an impractical decision not to. Why do you think this is still such a problem? We’ve been having this conversation for a long time.

Lori Lorusso: Open source can be a bit of a gamble. You throw your support behind something and hope it grows — and sometimes it does, faster than expected. When that happens, maintainers aren’t always set up to support things at scale. Some are fortunate to find corporate sponsors, but many are left footing the bill — overworked and overburdened. With over 90% of companies using open source components, people often overlook what they’re using because it’s just always been there. It starts with a hobby project, but suddenly it’s part of a massive enterprise system. Then there’s the challenge of getting buy-in: first convincing leadership why to use it, then why to support it financially. There’s still this misconception that open source is free. It’s not — people are working hard to make it all run. The message just hasn’t made it all the way up the chain. It’s getting there, but we have to keep being loud about what can happen when it’s ignored. We’ve seen how supply chain issues can seriously affect companies. We’ll never stop talking about SolarWinds, right?

Katherine Druckman: No, never.

Lori Lorusso: Exactly.

Katherine Druckman: Somebody once compared using open source to “eating off a dirty fork.” It was meant to provoke thought about maintenance and responsibility — but it hasn’t aged well. When I think about open source security issues, one of the biggest challenges is dependency management. Package managers are key here, because modern software relies on a staggering number of components. I once saw a visualization that looked like a bowl of spaghetti — a dependency diagram for a JavaScript project. It really drove home how complex this gets. So when you depend on thousands of components, how do you even figure out which projects to support? It’s a complicated question.

Lori Lorusso: Exactly — it’s complicated. That’s why this joint statement matters. At some point, package managers start serving enterprise-scale users, and the cost of doing so can’t just be absorbed forever. We need help to keep the lights on. To be clear, nothing is being shut down — this is the start of a community conversation. Over the next six to twelve months, the Rust Foundation will host open office hours and discussions to gather input from everyone — hobbyists, small businesses, enterprise users. We want to know: what do you need? What would help make funding open source more sustainable? How can we support the community while also ensuring the community supports us? Right now, it’s mostly give — but it needs to be give and take.

Katherine Druckman: There’s a great quote in the post: “Billion-dollar ecosystems cannot stand on foundations built of goodwill and unpaid weekends.” That sums it up beautifully. It reminds me of that XKCD comic — the entire internet depending on one little project maintained by “a guy in Nebraska.” It’s funny but also true.

Lori Lorusso: Right! And what happens when that person decides to stop maintaining it? If you’re not sponsoring or supporting that project, what then? A good example is Valkey, the fork of Redis that formed after Redis changed its license. The community — with backing from companies like Amazon, Google, Percona, and Ericsson — took swift action to keep an open alternative alive. It’s a great example of what sustainability looks like when companies and maintainers work together. And yes, there are Rust modules for Valkey too — it’s all connected!

Katherine Druckman: That’s such a great case study in community response. You also mentioned the Cyber Resilience Act (CRA) in the EU, which was a hot topic at the Open Source Summit in Amsterdam. There was a lot of anxiety about it — even from people outside Europe.

Lori Lorusso: Yes! The Linux Foundation offers great CRA training — I recommend the one by David Wheeler from the OpenSSF. People are understandably nervous. Some product managers tell me, “Oh, that’s not until 2027.” But if you haven’t already started planning for compliance, you’re already behind.

Katherine Druckman: Exactly. My advice is: don’t panic, but do prepare. If you’re following solid security best practices, you’re probably most of the way there already. And this connects back to our earlier topic — regulations like the CRA increase accountability, which makes sustainability and funding even more critical.

Lori Lorusso: Yes, and it raises the question: if you use an open source project that’s not compliant, whose responsibility is it — the developer’s or yours? Ideally, it’s shared. That’s the magic of open source — everyone has a role, whether you’re a developer, writer, marketer, or policy person. Foundations like OASIS, the Rust Foundation, and the OpenSSF are all part of that ecosystem, helping keep it running responsibly.

Katherine Druckman: I love that. And on a personal note, you’ve worked in open source for a while. It’s such a strong community — people are in it to build and make an impact. Let’s hope the financial sustainability catches up to the passion.

Lori Lorusso: Absolutely. I was laid off before joining the Rust Foundation, and it took me seven months to find my next opportunity. But open source kept me grounded — I always felt like I was doing something meaningful and staying connected. If anyone out there is in a similar situation, or just looking for community, open source is a great place to be. There’s always something to contribute, and always someone willing to help.

Katherine Druckman: I agree completely. Open source communities are great places to find camaraderie — people who care about more than just a job. Thanks so much for joining me, Lori! Say hi if you see us at All Things Open or KubeCon — and who knows, maybe you’ll end up on the podcast next time!

Lori Lorusso: Absolutely — see you there!