100%
GRIMOIRE
GrimoireDindon CorpusSynthesis VolumesThe Foundation of Iron
FRENAR
RATIO
STRUCTURAL STUDY · OPÉRATION DINDON · JUNE 2026
◆◆◆
THE INVISIBLE DEBT
Open source as uncompensated critical infrastructure
◆ CONTEXT

The Opération Dindon corpus documented dependence on hyperscalers and semiconductors. It had not addressed the layer below: dependence on unfunded open source. Linux, OpenSSL, curl, bash — global infrastructure runs on software maintained by individuals or small teams, often volunteers or underfunded. The Log4Shell vulnerability in 2021 revealed the scale of this fragility. This study provides the structural analysis.

◆◆◆
Amine RAITI · Infrastructure Architect & SRE
Public document · CC BY-NC-SA 4.0 · AI Powered by Amine · Opération Dindon
RATIO
1
SECTION 1 · OPENSSL AND THE TWO PEOPLE
GLOBAL INFRASTRUCTURE RUNS ON VOLUNTEERS

In 2014, the Heartbleed vulnerability revealed a critical flaw in OpenSSL — the cryptographic library securing the vast majority of HTTPS connections worldwide. Banks, governments, hospitals, e-commerce platforms, hyperscalers — all depended on OpenSSL. The flaw had existed in the code for two years, undetected. At the time of discovery, OpenSSL was maintained by a team of two full-time people, with an annual budget of approximately $2,000 in donations.

◆ LOG4SHELL — THE 2021 CASE STUDY

Log4j is a Java logging library embedded in millions of applications — from enterprise servers to industrial systems to video game consoles. The Log4Shell vulnerability discovered in December 2021 was rated 10/10 on the CVSS criticality scale. It potentially affected hundreds of millions of systems worldwide. Log4j was maintained by a handful of volunteers, without structured commercial funding. The emergency response to the vulnerability relied on these same volunteers, forced to work without pause for several weeks on a problem whose resolution benefited billion-dollar companies that had contributed nothing to their funding.

◆ THE STRUCTURE OF THE DEPENDENCE

The global software industry is built on an inverted pyramid: billions of dollars in market capitalisation rest, at their base, on open source libraries maintained by dozens or hundreds of people without proportional funding. This pyramid is stable as long as no critical vulnerability appears in the lower layers. When one does, it reveals that the base of the pyramid was made of cardboard.

◆ NASSIHA — OPEN SOURCE IS NOT FREE

Open source is not free. It is funded by the unpaid or underpaid time of its contributors. The "free to use" model defers the cost of development and maintenance onto individuals who bear this cost out of passion, reputation, or idealism — not out of a viable economic model. This invisibility of cost is the source of the vulnerability.

RATIO
2
SECTION 2 · THE INVISIBLE DEPENDENCY CHAIN
WHAT LIES UNDER THE CODE WE WRITE

Every developer or infrastructure engineer uses open source dependencies in their daily work — often without being aware of it. A modern web application can depend on 500 to 1,000 open source libraries, each with its own dependencies, its own maintainers, its own level of funding and maintenance. This dependency chain is largely invisible to the end user — and often to the developer themselves.

◆ XKCD 2347 — "DEPENDENCY"

A comic strip published by the webcomic XKCD depicts all the world's digital infrastructure as a stack of building blocks, one of which — tiny, at the base — is labelled "a project maintained since 2003 by a person in Nebraska". This image went viral in 2021 during Log4Shell because it accurately describes reality: somewhere in the dependency chain of every critical system, there is a library maintained by someone whose name nobody knows.

◆ THE HUMAN RISK OF OPEN SOURCE DEPENDENCE

The vulnerability of unfunded open source is not only technical — it is human. A maintainer who burns out, changes jobs, falls ill, or decides to stop abandons a library that thousands of projects depend on. This library will no longer be maintained, new vulnerabilities will no longer be fixed, new language versions will no longer be supported. The "maintainer abandonment" risk is documented but rarely integrated into infrastructure risk analyses.

◆ NASSIHA — THE PROBLEM IS NOT OPEN SOURCE

Open source is one of humanity's greatest collective creations. This study does not critique the model — it critiques the funding. A world where companies massively use open source without contributing to its funding is a world that externalises its critical infrastructure onto the goodwill of uncompensated individual maintainers. This is not sustainable.

RATIO
3
SECTION 3 · WHO FUNDS WHAT
THE ASYMMETRY OF VALUE AND CONTRIBUTION

Hyperscalers built multi-trillion-dollar companies on open source foundations. AWS runs on Linux. GCP depends on dozens of open source libraries. Microsoft's AI runs on Python and its ecosystems. These companies have also, for the most part, created open source contribution programmes. But the disproportion between extracted value and provided contribution remains considerable.

◆ WHAT HYPERSCALERS CONTRIBUTE

Google maintains Kubernetes, Angular, TensorFlow. Microsoft acquired GitHub and contributes massively to VSCode, TypeScript, .NET open source. Meta maintains React and PyTorch. Amazon contributes to OpenSearch. These contributions are real and significant — they do not cover the full funding debt of the open source ecosystem on which these companies depend.

◆ CRITICAL PROJECTS THAT RECEIVE NOTHING

Hyperscaler contributions concentrate on projects they control or whose visibility serves their image. Critical but low-visibility projects — compression libraries, file format parsers, network protocol implementations — remain maintained by individuals without structured funding. These libraries are used by millions of projects, including those of the hyperscalers themselves. The selection of what is funded is strategic, not altruistic.

◆ "THE SILENCE OF THE ROOMS" APPLIED TO SOFTWARE

"The Silence of the Rooms" documented that women are absent from infrastructure because they are not represented there and nobody decided to change that. The same logic applies to open source funding: invisible libraries are not funded because they are invisible, and they remain invisible because nobody decides to make them visible. Invisibility perpetuates the underfunding that perpetuates invisibility.

RATIO
4
SECTION 4 · MODELS THAT WORK
WHAT EXISTS AND WHAT IS MISSING

Open source funding models exist. None has solved the problem at the necessary scale. Analysing them identifies what works, what fails, and what is missing to build structural funding for critical open source.

◆ MODEL 1 — FOUNDATIONS (LINUX, APACHE, PYTHON SOFTWARE FOUNDATION)

Open source foundations collect membership fees from corporate members, employ full-time developers on critical projects, and organise governance. This model works for projects visible and widely-used enough to attract sufficient paying members. It fails for critical but low-visibility projects that cannot build a sufficient member base to self-fund.

◆ MODEL 2 — DUAL LICENSING AND OPEN CORE

Companies like HashiCorp, Elastic or Redis Labs adopted models where the base code is open source and advanced features are proprietary (open core) or the code is available under a restrictive licence for commercial use (dual licensing). These models fund development but create community tensions and compatibility breaks between versions.

◆ MODEL 3 — SOVEREIGN TECH FUND (GERMANY)

Germany created the Sovereign Tech Fund in 2022 — a public fund that directly finances the maintenance of critical open source libraries identified as national digital infrastructure. This model treats open source as public infrastructure — on a par with roads or electrical networks — and funds it accordingly. It is the model most coherent with this study's thesis. It remains marginal at European scale.

◆ NASSIHA — NO SINGLE SOLUTION

None of these models alone is sufficient. The structural solution is probably a combination: public funding for critical infrastructure libraries, mandatory contributions from large user companies proportional to their usage, and strengthened foundations for governance. It is not complicated to design. It is difficult to coordinate.

RATIO
5
SECTION 5 · WHAT THE SRE CAN DO
KNOWING YOUR DEPENDENCY CHAIN

The SRE cannot solve the open source funding problem alone. But they can reduce their exposure to the risk of unfunded dependence — and contribute, at their level, to the viability of the ecosystem they depend on.

◆ LEVER 1 — AUDIT YOUR OPEN SOURCE DEPENDENCIES

Know the critical libraries your infrastructure depends on, their maintenance level (date of last commit, number of active maintainers, presence of a foundation or sponsor), and their vulnerability history. This audit should be as standard as a security audit — because it is security. A tool like Dependabot or Renovate automates part of this tracking.

◆ LEVER 2 — INTEGRATE "MAINTAINER ABANDONMENT" RISK INTO RISK ANALYSES

The risk that a critical maintainer abandons their library should appear in infrastructure risk analyses, alongside the risk of supplier bankruptcy or OS end-of-support. This risk has a response: internal fork of the library, migration to a better-maintained alternative, or contribution to the maintainer's funding.

◆ LEVER 3 — CONTRIBUTE AND ENCOURAGE CONTRIBUTION

Companies that use open source can contribute through code (bug fixes, new features), through funding (donations to maintainers, foundation membership), or through time (engineers dedicated to maintaining critical libraries). These contributions are not philanthropy — they are risk management. A better-funded library is a less risky dependency.

◆ NASSIHA — CONTRIBUTION IS NOT ACCESSIBLE TO ALL

Contributing to open source requires time and skills that not all SREs and companies have. The systemic response — public funding, legal obligations of proportional contribution based on usage — is irreplaceable. Individual levers are complements, not substitutes.

RATIO
6
SECTION 6 · THE PROPOSAL
TREATING OPEN SOURCE AS PUBLIC INFRASTRUCTURE

The proposal of this study is to treat critical open source — the libraries on which the world's digital infrastructure depends — as public infrastructure on a par with roads, electrical networks or water systems. This framing is not a metaphor. It is an operational reality: if curl stops being maintained, entire sections of the world's digital infrastructure progressively cease to function. If OpenSSL is not patched, billions of secure connections become vulnerable.

◆ MEASURE 1 — CREATE A EUROPEAN CRITICAL OPEN SOURCE FUND

On the model of the German Sovereign Tech Fund, a European open source critical funding fund — endowed with a budget proportional to the size of the European digital economy — finances the maintenance of libraries identified as critical infrastructure. This fund is fed by public contributions and by mandatory contributions from companies whose turnover exceeds a defined threshold and who use these libraries in production.

◆ MEASURE 2 — MANDATORY DECLARATION OF CRITICAL DEPENDENCIES

Companies beyond a certain size should annually declare their critical open source dependencies — in the same way as declaring critical suppliers in business continuity plans. This transparency would identify at-risk libraries (few maintainers, little funding, many users) and prioritise collective funding efforts.

◆ MEASURE 3 — INTEGRATE OPEN SOURCE INTO PUBLIC PROCUREMENT CRITERIA

Every public digital services contract should integrate a criterion of contribution to critical open source in its award conditions. A provider who contributes to the funding of the open source libraries they use in their service is a more reliable provider — and their contract should reflect it.

◆◆◆

The invisible debt is always repaid. Sometimes in money. Sometimes in Heartbleed. Sometimes in Log4Shell. Better to choose the moment and form of repayment than to have it chosen for you.

◆◆◆
NEMO SUPRA LEGEM EST