Complex and less centralized... the winding roads of Open Source
I've been watching the open source landscape evolve, and 2025 is shaping up to be an interesting year. There are some new dynamics worth exploring, and inspired by a few friends of mine, I am highlighting some of those twists in open source. Fair warning: some of this might sound a bit pessimistic, but I'd love to be proven wrong.
The Great Divide Deepens
The split between "professional" and "hobbyist" open source is becoming more pronounced, and it's not just about who has money. The Cyber Resilience Act in Europe is accelerating this divide - September 2026 brings reporting requirements, and by December 2027, we're looking at full compliance including CE marking. The timing might seem far off, but anyone who's dealt with regulatory compliance knows it has a way of sneaking up on you.
This isn't just bureaucratic busywork - the xz backdoor incident showed us why this matters. But the growing "I am not a supplier" sentiment from community maintainers is equally valid. Not everyone wants to deal with enterprise-grade compliance requirements for their hobby project, and honestly, why should they?
AI: From Hype to Reality
Remember when AI was going to solve all our problems (like web3)? Well, there's a saying going around: "in the age of generative AI, we're evolving from authors to proofreaders." It's clever, but it also hints at the real challenge: managing an influx of AI-generated contributions without drowning in low-quality code. See Daniel Stenberg's post on this topic.
The initial AI hype is cooling off (looking at the flattening stock prices since October), and we're starting to see some interesting patterns:
- AI tools are getting more expensive just as their limitations become clearer
- Some teams are realizing AI often increases workload rather than reducing it
- The quality of AI-generated code remains wildly inconsistent
- Maintainers are drowning in AI-generated "contributions"
For some, the problem goes beyond low quality to compliance, as most model builders have decided to ignore the licenses of the source code they use.
Community Dynamics Are Shifting
The days of getting everyone together at big global conferences might be behind us. It's not just about travel budgets (though those aren't helping) - it's about the changing nature of collaboration itself. Regional events are becoming more important, and not just because they're cheaper to attend.
What's interesting is how this mirrors the broader fragmentation in open source. Just as we're seeing a split between professional and hobbyist projects, we're watching community engagement transform from centralized to distributed models.
Looking Ahead
Let's get specific about what's coming, ranging from "pretty much guaranteed" to "well, this could get interesting":
Security becomes unavoidable: The xz incident was just the beginning. Supply chain attacks are becoming more sophisticated, and "I'm just a hobby project" won't fly as an excuse anymore. The good news is that security tools are getting better and more automated. The bad news? You still have to use them, and more importantly, understand them. Expect to see:
- More automated security scanning becoming the norm, not the exception
- Increased pressure from downstream users for security attestations
- New tools trying to make security "easier" (with varying degrees of success)
- Growing tension between security requirements and maintainer bandwidth
AI settles into its lane: The AI hype train is running out of steam, and that's probably a good thing. We're starting to see where AI actually helps and where it just creates more work. Watch for:
- AI tools becoming more specialized and focused on specific development tasks
- A decline in generic "AI-powered" projects
- Better integration with existing workflows rather than trying to replace them
- More emphasis on AI as an assistant rather than a replacement
- Growing sophistication in handling AI-generated contributions (I wish)
- New patterns for managing AI in collaborative development
Community models evolve: The old "if you build it, they will come" approach to open source communities is showing its age. We are noticing this in UNICEF VF too. What's emerging is more interesting:
- Regional tech hubs becoming more influential than global ones
- New hybrid collaboration models that actually work (not just Zoom fatigue)
- More emphasis on asynchronous communication tools
- New metrics for measuring community health beyond commit counts
- Creative approaches to maintainer sustainability
Funding models get weird: With the enterprise/community split widening, we're going to see some creative attempts to bridge the gap:
- Experiments with new sustainability models beyond sponsorship
- More sophisticated bounty and grant systems
- Hybrid models trying to balance commercial interests with community needs
- Potential emergence of new foundation models
- Growing interest in cooperative funding approaches
Tool consolidation accelerates: The explosion of development tools is becoming unsustainable:
- Major players will start acquiring or merging smaller tools
- More emphasis on integration and interoperability
- Pushback against tool sprawl
- Growing importance of standards and common interfaces
- New approaches to managing development workflows
Here's the thing about these predictions: they're all interconnected. The security landscape affects community dynamics, which influences funding models, which impacts tool development, and around we go. The projects that thrive will be the ones that understand these connections and adapt accordingly.
What This Means For Us (or you)
If you're working on open source projects, here's what to think about:
Start planning for compliance now: Even if you think it doesn't apply to you, understanding the requirements costs less than scrambling later.
Rethink your AI strategy: If you've been waiting to see how AI plays out, good call. Now's the time to develop clear policies about AI contributions and usage.
Focus on sustainable practices: The days of assuming unlimited community resources are over. Think carefully about what you maintain and how.
The open source world is becoming more complex, more regulated, and more fragmented. That's not necessarily bad - it might actually be healthier in the long run. But it does mean we need to be more thoughtful about how we build and maintain projects.
Thanks to Brian Exelbierd and Ben Cotton for their thoughtful posts that sparked these reflections. This is my take on where things are headed, informed by their insights.