Open Source: Inside 2025’s 4 Biggest Trends


AI was big in 2025, but so were many other developments and worries.

The biggest open source stories in 2025 clustered around AI, licensing/governance, security and the shift in the “commercial open source” business model. Let’s start, shall we?

1. Open Source AI Goes Big

While most of the money went to proprietary models, open source AI datasets, orchestration frameworks, security tools and guardrail stacks have all seen gains.

Open source AI efforts such as Common Corpus, along with the dozens of AI projects hosted by the Linux Foundation’s AI & Data group, are enabling us to use community infrastructure for generative AI rather than relying solely on proprietary APIs, making open AI stacks a serious option for businesses and users.

While the open source AI definition remains controversial, and very few AI projects fully qualify as open source under the strict requirements of the Open Source Initiative (OSI) AI definition, AI remains built on a foundation of open source software. The argument over open weights, data and training code will continue, but even the most proprietary large language models (LLMs) couldn’t exist without open source programs.

Agentic AI owes everything to open source. To orchestrate our latest generation of AI agents, we’re using several programs.

The most important of these, at this early stage of the game, appears to be the Model Context Protocol (MCP). This is an open standard and open source implementation for uniformly connecting agents to tools, files, databases and other systems.

MCP is increasingly the “plumbing layer” under many agents and IDE assistants, and there are numerous open source MCP servers and toolkits that let any compatible agent framework plug into the same tools.

MCP isn’t the only agentic AI middleware that’s speeding up:

  • In June, Google donated its Agent2Agent protocol, which standardizes how agents communicate with each other, to the Linux Foundation. Microsoft Agent Framework, an open source SDK and runtime designed for building, deploying and managing multi‑agent, MCP‑aware applications, is also gaining popularity.

2. Fights Over ‘Open’ vs. ‘Source Available’ Licenses Rage On

A Linux Foundation report released in August showed that venture capital‑backed commercial open source companies have outperformed comparable closed‑source vendors over the past 25 years.

That report, alongside open source adoption data from an April OSI survey, which found that 96% of organizations are maintaining or expanding open source software use, has cemented commercial open source as the default way to build software.

Together, these reports are driving more funding, more mergers and acquisitions, and more “open core plus services” strategies around critical open source projects.

Of course, we knew that. After all, a 2024 Harvard Business School study already showed that 96% of commercial programs rely on open source and that the total value of open source code comes to a cool $8.8 trillion. That still doesn’t stop companies that made the mistake of confusing open source as a software development model with a business model; it never was. It never will be.

So it is that in 2025, we saw more companies move from open source to fauxpen source. For example, the ScyllaDB team announced in December 2024 that it would move to a single “ScyllaDB Enterprise” stream under a source‑available license.

At the library level, there have been high‑profile examples of previously permissive projects switching quietly to source‑available, paid‑for‑commercial‑use terms, such as the Fluent Assertions .NET testing library moving, this past January, from Apache‑2.0 to a proprietary source‑available license with per‑developer fees.

Then, there’s the DevOps program Puppet. Although Puppet’s core codebase is still under the Apache 2.0 open source license, its commercial parent company, Perforce, has changed how official builds are distributed and licensed.

What changed is that new “hardened” binaries and packages built by Puppet/Perforce are now shipped from a private repository. The Puppet Core End User License Agreement (EULA) offers a free tier capped at 25 nodes, with commercial licensing required for additional nodes. Effectively, this makes Puppet a source-available program, even though the code is technically still open.

The result in Puppet’s case is the same as we’ve seen in other such attempts to close formerly open source projects: Unhappy programmers have forked the project. The fork is known as OpenVox.

These forked projects, which include Elasticsearch with its fork OpenSearch, Redis with the Valkey fork, and Terraform with the OpenTofu fork, have been somewhat successful. All four forks have achieved meaningful traction, but at different scales and under different definitions of “success.”

OpenSearch appears to be the most successful. It reports strong growth, including double‑digit, 78%, year‑over‑year download increases and a roster of major members such as Amazon Web Services, Canonical, SAP and Uber.

Valkey has also proven to be popular. The latest release, Valkey 9, is reported to be far faster than the newest version of Redis. In particular, Valkey users report that it’s consistently ahead of comparable Redis releases on raw throughput, particularly on larger, memory‑heavy workloads where Valkey’s multithreaded I/O and cache‑prefetching kick in.

While OpenSearch and Valkey have both advanced beyond their parent projects, Terraform vs. OpenTofu is a different story. People still see OpenTofu and Terraform as differing only in their licenses. Over the past few months, though, that’s been changing as OpenTofu, which joined the Cloud Native Computing Foundation in April, steers more of its own course. Latest releases now include state encryption, a feature the Terraform community has wanted for years, and early variable evaluation.

Finally, OpenVox continues to present itself as a “soft fork.” Its board wants it to stay 100% compatible with Puppet so it can serve as a drop-in replacement for Puppet deployments. That, however, appears to no longer be possible, as Gene Liverman, the leader of OpenVox, wrote, “We can no longer guarantee that our modules will work with Puppet Core or Puppet Enterprise.”

From the project maintainers’ viewpoint, Perforce is breaking compatibility. For now, though, OpenVox is essentially a healthy, community lifeboat rather than a full‑scale Puppet replacement ship.

3. Open Source Projects Are Starved for Funding

Despite the simple truth that we all depend on open source, all too many projects remain underfunded. Others, such as .NET 6, are still popular, but their maintainers have quit supporting them. What’s a person to do?

This isn’t a new problem. Back in 2021, Tidelift, a security company that also financially supported open source maintainers, found that 46% of open source project maintainers received no pay at all. Almost as bad, even among those who were paid, a mere 26% earn more than $1,000 per year for their work.

Things have not improved. In fact, they’ve gotten worse. In 2024, Tidelift’s latest results showed that now 60% of open source maintainers are unpaid.

As an open letter signed by 10 open source foundations and published in September pointed out, “Most of these [open source] systems run under a dangerously vulnerable premise: They are often maintained, operated, and funded in ways that rely on goodwill, rather than mechanisms that align work with usage.”

So it is that, according to the open letter, “a small number of organizations absorb the majority of infrastructure costs, while the overwhelming majority of large-scale users, including commercial entities that generate demand and extract economic value, consume these services without contributing to their sustainability.”

A specific example that I’ve been covering is how FFmpeg, which is used by everyone who watches videos over the Internet, is horribly underfunded, even as major companies such as Amazon, Google and Netflix depend on its code. There are many other such projects. This cannot continue.

The answer is that companies must — Must — start financially supporting mission-critical open source projects. The cost to do this is infinitesimal compared to the harm they’d suffer if these projects folded or were hit by a major security problem.

4. The Open Source Supply Chain Is More Vulnerable Than Ever

In 2024, the xz data compression library code, which had been deliberately infected with malware, came close to inserting a backdoor into Fedora, Red Hat’s community Linux. Had it been successful, it might have ended up in Red Hat Enterprise Linux (RHEL) and its clones.

This would have led to the greatest Linux security disaster to date. We dodged a bullet.

Unfortunately, the open source software supply chain is under sustained, high-volume attack, with npm- and PyPI-focused campaigns escalating.

Several high-impact campaigns in 2025 centered on compromising open source package ecosystems, particularly npm.

In November, researchers from Wiz, Aikido, and others detailed a “Shai-Hulud 2.0” wave of trojanized npm packages that exfiltrated developer and CI/CD credentials from environments using popular libraries tied to major Software as a Service and cloud tooling.

Tens of thousands of malicious repos were spun up as part of the campaign. GitLab’s vulnerability research team also reported a separate mass npm supply chain attack that harvested credentials for GitHub, npm, and major clouds and propagated by infecting additional packages owned by victims.

These are not one-off instances. Industry threat reports in 2025 describe a surge in software supply chain attacks overall, with October setting a new monthly record, and open source ecosystems featuring prominently among the targets.

Analysis from Palo Alto Networks’ Unit 42 and other research teams notes that attackers increasingly prefer compromising maintainer accounts and release pipelines rather than core source repos, because this path can silently poison trusted packages at scale.

A report by ReversingLabs, released in March, found that, while observed open source malware packages have declined somewhat, the risk has shifted toward leaked developer secrets and build-time exposures.

Researchers examining popular npm, PyPI, and RubyGems components continue to find hard-coded credentials, weak application hardening, and exposed data inside widely used binaries deployed in enterprises. That kind of mistake was stupid back in the ’80s, when I first encountered it in production software, and it’s unforgivable today.

Making matters worse, security companies such as JFrog and Veracode report that exploding dependency graphs, faster release cycles, and dense reuse of open source libraries mean a single malicious or vulnerable package can ripple through thousands of downstream applications in days.

This dense interconnection makes the blast radius of attacks like the npm-focused campaigns in 2025 significantly larger than that of many earlier open source incidents, particularly when the target libraries appear in 20 to 30% of scanned cloud environments.

What can we do about it? We must more broadly adopt software bills of materials (SBOMs), Supply-chain Levels for Software Artifacts (SLSA)-style attestations, and tools from the Open Source Software Foundation ecosystem to track provenance and integrity of open source components.

OpenSSF and its partners highlight initiatives such as Sigstore for keyless signing, Scorecard for automated project risk assessment, and the Open Source Project Security Baseline, which aim to give both maintainers and consumers clearer security expectations.

Every year, I tell people that they must take security more seriously. Lately, as open source supply chain breaches become ever more common, I’ve been saying you must ensure the code in your supply chain is both safe and written by someone trustworthy.

Looking ahead, I can only redouble these warnings. We’ve already had serious security breaches in the past few years. You remember: SolarWinds, JetBrains TeamCity, and Apache Log4j should all come to mind quickly. As bad as those were, worse security disasters lie ahead if we don’t take open source supply chain security much more seriously.
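As an added illustration of the provenance-and-integrity checking the two paragraphs above call for (this is not code from the article, nor from OpenSSF, SLSA or Sigstore), here is a small Python checker that reconciles a constructed CycloneDX SBOM against constructed in-toto statements carrying SLSA provenance, flagging any component with no attestation, a digest that disagrees with the SBOM hash, or an untrusted builder. The package names, hashes and the trusted-builder list are all assumptions made up for the example.

```python
import json

# Constructed CycloneDX-style SBOM fragment; names and hashes are made up.
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
 {"name": "example-pad", "version": "1.2.3", "purl": "pkg:npm/example-pad@1.2.3",
  "hashes": [{"alg": "SHA-256", "content": "aaaa1111"}]},
 {"name": "example-json", "version": "4.0.0", "purl": "pkg:npm/example-json@4.0.0",
  "hashes": [{"alg": "SHA-256", "content": "bbbb2222"}]},
 {"name": "example-util", "version": "0.9.1", "purl": "pkg:npm/example-util@0.9.1",
  "hashes": [{"alg": "SHA-256", "content": "cccc3333"}]}]}"""

# Constructed in-toto statements with SLSA v1 provenance predicates; the second
# one claims a different digest than the SBOM records (a tampered artifact).
ATTESTATIONS_JSON = """[
 {"_type": "https://in-toto.io/Statement/v1",
  "predicateType": "https://slsa.dev/provenance/v1",
  "subject": [{"name": "pkg:npm/example-pad@1.2.3", "digest": {"sha256": "aaaa1111"}}],
  "predicate": {"runDetails": {"builder": {"id": "https://github.com/actions/runner"}}}},
 {"_type": "https://in-toto.io/Statement/v1",
  "predicateType": "https://slsa.dev/provenance/v1",
  "subject": [{"name": "pkg:npm/example-json@4.0.0", "digest": {"sha256": "deadbeef"}}],
  "predicate": {"runDetails": {"builder": {"id": "https://github.com/actions/runner"}}}}]"""

# Builder identities this (hypothetical) organization trusts to produce releases.
TRUSTED_BUILDERS = {"https://github.com/actions/runner"}


def check_provenance(sbom_text, attestations_text, trusted_builders):
    """Return {purl: finding} for each SBOM component that fails a check."""
    by_subject = {}  # purl -> (sha256 claimed by the attestation, builder id)
    for stmt in json.loads(attestations_text):
        if stmt.get("predicateType") != "https://slsa.dev/provenance/v1":
            continue  # ignore non-provenance attestations (SBOM, VEX, ...)
        builder = stmt["predicate"]["runDetails"]["builder"]["id"]
        for subj in stmt["subject"]:
            by_subject[subj["name"]] = (subj["digest"].get("sha256"), builder)
    findings = {}
    for comp in json.loads(sbom_text)["components"]:
        purl = comp["purl"]
        sha = next((h["content"] for h in comp.get("hashes", [])
                    if h["alg"] == "SHA-256"), None)
        if sha is None:
            findings[purl] = "no SHA-256 in SBOM, integrity cannot be checked"
        elif purl not in by_subject:
            findings[purl] = "no SLSA provenance attestation"
        elif by_subject[purl][0] != sha:
            findings[purl] = "attestation digest does not match SBOM hash"
        elif by_subject[purl][1] not in trusted_builders:
            findings[purl] = "built by untrusted builder " + by_subject[purl][1]
    return findings
```

In a real pipeline the attestations would first be fetched and signature-verified (for instance through Sigstore) before this reconciliation step; the example takes them as already-verified input.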
