A recent joint statement from OpenSSF and other key stakeholders highlights the growing strain on open infrastructure services such as Maven Central, PyPI, and crates.io. These platforms, which underpin much of the modern software ecosystem, are facing sustainability challenges due to disproportionate commercial usage and increasing demands from AI-driven automation. The statement calls for a rethinking of funding models and shared responsibility to ensure long-term viability.
Given this context, could the development and distribution of SuperCollider—a widely used open-source platform for audio synthesis and algorithmic composition—be impacted? If SuperCollider relies on any of the infrastructure mentioned, might developers or users face new limitations, costs, or disruptions in the future?
Recently, package managers seem to be under heavy attack from both a security and an AI-spam perspective. Getting rid of these is possible, but it consumes resources which would probably be better spent on other endeavors, especially if you do this in your free time while others are making billions with the help of your service. It is very sad to see people deliberately degrade these community services for their own benefit.
We don't really use the mentioned package managers because we don't have Rust/Java/Python in the codebase. We do use the OS package managers heavily (apt and brew), but since we are already caching them we don't hit them too hard, and they are probably fine with this, since the appeal was geared more towards companies which have built a business on top of these services, hit them heavily, but don't give anything back to the community. We use their services to build GPL software, so we are giving something back to the community.
I've heard that this forum is also often a target of spam attacks, which is why every registration has to be confirmed manually these days; not nice, but it seems necessary.
We haven't been hit too hard with AI spam in the code contributions so far, but let's see how this will play out over time…
On another note: our infrastructure has strong ties to Microsoft, which I am personally not too happy about. GitHub not only provides the website for managing contributions and the official URL for SuperCollider, but also provides our build infrastructure, so that we can verify that every contribution doesn't break anything on all the operating systems and processor architectures that we support, and this for free (as in free beer). If we switched to, e.g., Codeberg, we could get rid of this dependency, but if we wanted to match the current build infrastructure we would have to invest around 100 euros/month, and some dev time would be spent on administering that pipeline instead of developing SC. Since SC isn't a legal entity, funding becomes a bit more challenging, because some entities can't provide funding to a single person, and it makes sharing responsibilities more difficult. While GH is owned by Microsoft, it allows multiple individuals to administer it instead of a single person being responsible for paying the bills and accessing the machines. This is also the reason why we still use the GH-owned address instead of supercollider.online ^^
In the end it is a question of where to spend our limited resources, but the more people contribute, the more nice things we can have.