<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Open Source sustainability</title>
    <description>Dries Buytaert on Open Source sustainability.</description>
    <link>https://dri.es/tag/open-source-sustainability</link>
    <atom:link href="https://dri.es/tag/open-source-sustainability/rss.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>License-only versus Stewarded Open Source</title>
      <link>https://dri.es/license-only-versus-stewarded-open-source</link>
      <guid>https://dri.es/license-only-versus-stewarded-open-source</guid>
      <pubDate>Thu, 09 Jul 2026 17:26:00 -0400</pubDate>
      <description><![CDATA[<p>Near the end of most Open Source licenses, usually in capital letters, sits a clause that disclaims almost everything: no warranty, no liability, use at your own risk.</p>
<p>For an organization that depends on that code, the clause is harsh. If the code fails and takes your data or revenue with it, the license owes you nothing. No fix, no refund, and no one to explain what went wrong.</p>
<p>That is the Open Source license doing its job. It makes the code available and protects the people who share it. Without that protection, sharing code could become a gift that backfires: a generous act turned into unlimited legal risk.</p>
<p>But the license can only answer the legal questions: who may use the code, on what terms, and what risk the authors are willing to accept. It cannot tell you what kind of Open Source project you are working with.</p>
<p>Some Open Source is &quot;License-only Open Source&quot;: code released under an Open Source license, without active stewardship or any promise of ongoing care. There is no guarantee of updates, fixes, security response, or long-term support.</p>
<p>Other Open Source is &quot;Stewarded Open Source&quot;: code cared for as shared infrastructure. Maintainers review contributions, fix bugs, respond to security issues, manage releases, provide long-term support, and much more. Organizations fund maintainers, support core development, donate infrastructure, and absorb costs end users never see.</p>
<p>Both types of projects are Open Source, but they are <em>not</em> the same. A weekend hobby project and business-critical software can ship under the exact same license. Legally, they look identical. Practically, they are worlds apart.</p>
<p>The difference is <em>stewardship</em>. The license makes code available; stewardship makes it dependable. And the more people or organizations depend on a project, the more stewardship it often requires.</p>
<p class="pullquote">Responsibility is the tax on relevance.</p>
<p>Distinguishing license-only from stewarded Open Source gives us the vocabulary to describe two very different realities that the words &quot;Open Source&quot; alone do not capture.</p>
<p>For example, the distinction becomes useful when we talk about contribution. If a company depends on Open Source, should it give back?</p>
<p>For license-only Open Source, the answer is simple: no one is required to contribute. The code was shared freely, without a promise of care or an expectation of return.</p>
<p>For stewarded Open Source, the answer is not so simple. The license may still say the software is provided as-is, used at your own risk. Legally, no one has to contribute back. But there is also an entire layer of stewardship on top of the code: security, release management, infrastructure, governance, marketing, long-term maintenance, and more. People and organizations take on responsibilities well beyond what the license requires so the software can be safer to adopt, easier to upgrade, and dependable in production.</p>
<p>For projects like Drupal, that layer costs millions of dollars a year, and someone pays for every piece of it. I explored this more concretely in <a href="https://dri.es/open-source-infrastructure-deserves-a-business-model">Open Source infrastructure deserves a business model</a> and <a href="https://dri.es/what-it-costs-to-run-drupal-infrastructure">what it costs to run Drupal's infrastructure</a>.</p>
<p>When we call everything simply &quot;Open Source&quot;, we hide the difference between code that was simply shared and infrastructure that is being cared for and de-risked. Better language will not solve the funding problem by itself, but it makes the responsibility visible. More honest conversations start there.</p>
]]></description>
    </item>
    <item>
      <title>The privilege of AI in Open Source</title>
      <link>https://dri.es/the-privilege-of-ai-in-open-source</link>
      <guid>https://dri.es/the-privilege-of-ai-in-open-source</guid>
      <pubDate>Tue, 30 Jun 2026 10:41:17 -0400</pubDate>
      <description><![CDATA[<p>Back in 2019, I wrote that <a href="https://dri.es/the-privilege-of-free-time-in-open-source">Open Source is not a meritocracy</a>. Meritocracy says talent is the only thing that counts, but that is not true. To contribute, you also need time, a steady income, and a flexible schedule. Plenty of people lack one or more of these.</p>
<p>Some people can give their nights and weekends to learning a codebase, clearing the issue queue, or reviewing patches. Some are paid to do it on the clock. A lot of people can't do either. Their hours go to a second job, caring for family, or simply making it through the week.</p>
<p>That doesn't make these people less talented. It means they have less opportunity.</p>
<p>AI changes the math. A contributor might have the skill to fix a bug, but not the time to learn an unfamiliar codebase. AI can help them understand the codebase faster.</p>
<p>On paper, that should be great news for Open Source. In practice, AI will only help if access and skill become shared, not private advantages.</p>
<p>AI access is not equal. The most capable models and coding agents cost real money, and using them well takes real skill. I pay hundreds of dollars a month for these tools and have spent countless hours learning when to trust them, when to doubt them, and how to turn their output into useful work. Many contributors do not have that money or that time.</p>
<p>We learned once that &quot;anyone can contribute&quot; is not the same as &quot;everyone has the same opportunity to contribute&quot;. AI can repeat that mistake in a new form.</p>
<p>Powerful technologies rarely share their benefits evenly at first. Electricity did not create equal opportunity the moment it was invented. It only changed lives broadly when people built the infrastructure to make it widely available. The internet followed a similar path: it started with privileged access, then became useful to millions more people as access became cheaper and easier.</p>
<p>AI is no different. If we want AI to reduce privilege in Open Source instead of reinforcing it, Open Source projects can do their part by helping close two gaps.</p>
<p>The first is <em>cost</em>. Contributors should be able to do meaningful work without paying for the most expensive AI tools. As lower-cost models, including open-weight models, improve, Open Source projects should make them practical for contribution work.</p>
<p>The second is <em>skill</em>. Knowing how to use AI well should become shared knowledge within Open Source projects so more people can learn faster and make better contributions.</p>
<p class="pullquote">Contributing with AI should come down to talent, not to who can afford the best tools or who has the time to learn them.</p>
<p>Open Source already moves many things from private advantage to shared infrastructure: code, documentation, best practices, and more. We make all of these public so more people can participate and build on each other's work. The ability to use AI well for contribution should move in the same direction.</p>
<p>Publicly sharing AI best practices is an important start, but not enough. If we want AI to reduce the privilege of free time, those practices need to be embedded in the project and the contributor experience, not live on the side. If potential contributors have to hunt down the tools, prompts, skill files, and know-how themselves, the people short on time are the first to give up, even though they stand to benefit the most.</p>
<p>But more contribution is not automatically progress. As I wrote in <a href="https://dri.es/ai-creates-asymmetric-pressure-on-open-source">AI creates asymmetric pressure on Open Source</a>, AI can make it cheaper to contribute without making it cheaper to review.</p>
<p>The test is whether AI helps more people move from issue to tested patch while making the result easier for maintainers to trust and merge.</p>
<p>If we do this well, AI can make contribution less dependent on free time. If we do it poorly, it will widen the gap for contributors and increase the burden on maintainers. If we ignore AI or discourage its use, it will still show up in contributions, just without shared norms or shared accountability.</p>
<p>In 2019, I argued that Open Source communities should create opportunity by paying contributors. I still believe that. Paying contributors gives people time. But AI gives us another way to reduce the privilege of free time: it helps people do more with the time they have.</p>
<p>I want Drupal to help explore this in practice: not because we have all the answers, but because this is the kind of problem Open Source should help solve.</p>
]]></description>
    </item>
    <item>
      <title>Podcast: Talking digital sovereignty with James Kanter</title>
      <link>https://dri.es/podcast-talking-digital-sovereignty-with-james-kanter</link>
      <guid>https://dri.es/podcast-talking-digital-sovereignty-with-james-kanter</guid>
      <pubDate>Mon, 22 Jun 2026 10:05:02 -0400</pubDate>
      <description><![CDATA[<p>Open Source won the technical argument a long time ago. But it still hasn't solved the funding and sustainability problem, one I've spent much of my career chipping away at.</p>
<p>Now governments around the world are pushing for <a href="https://dri.es/tag/digital-sovereignty">digital sovereignty</a>: control over critical technology they depend on.</p>
<p>Open Source began as a volunteer movement, and <a href="https://dri.es/the-commercialization-of-a-volunteer-driven-open-source-project">commercialization helped it scale</a>. Now digital sovereignty could accelerate Open Source's third and final chapter: <a href="https://dri.es/funding-open-source-like-public-infrastructure">governments helping to fund the Open Source software they depend on</a>, just as they fund roads, schools, and defense.</p>
<p>It could be a rare win-win: Open Source becomes more sustainable, while governments and society get the resilience and independence they are looking for.</p>
<p>That is what makes this moment feel so important, and why I've been writing about digital sovereignty so much lately.</p>
<p>I got into all of this on the <a href="https://open.spotify.com/episode/5j3hGm4SOCAVU4k8JwI0W1">latest episode of EU Scream</a>, hosted by <a href="https://euscream.com/">James Kanter</a>, who covered the EU for the International Herald Tribune and The New York Times for twelve years.</p>
<p>James also pushed the conversation further, into the broader public debate about technology, the risks ahead, and why I believe Open Source can help keep some of the more dystopian scenarios at bay.</p>
<p>Much of what we talked about builds on arguments I've made before, in <a href="https://dri.es/the-software-sovereignty-scale">The Software Sovereignty Scale</a> and <a href="https://dri.es/the-sovereignty-prerequisite">The Sovereignty Prerequisite</a>. But if long blog posts aren't your thing, this conversation covers the same ideas and adds a few new ones.</p>
<p><a href="https://open.spotify.com/episode/5j3hGm4SOCAVU4k8JwI0W1">Listen to the episode</a>.</p>
]]></description>
    </item>
    <item>
      <title>Europe turns to Open Source for independence</title>
      <link>https://dri.es/europe-turns-to-open-source-for-independence</link>
      <guid>https://dri.es/europe-turns-to-open-source-for-independence</guid>
      <pubDate>Wed, 03 Jun 2026 11:59:28 -0400</pubDate>
      <description><![CDATA[<p>Today the European Commission released the <a href="https://digital-strategy.ec.europa.eu/en/library/communication-european-tech-sovereignty-accompanied-eu-open-source-strategy">European Technological Sovereignty Package</a>, a big push to reduce Europe's dependence on foreign technology.</p>
<p>Earlier this year, the Commission ran a public consultation, and I contributed two articles to it: the <a href="https://dri.es/the-software-sovereignty-scale">Software Sovereignty Scale</a> and a follow-up, <a href="https://dri.es/the-sovereignty-prerequisite">The Sovereignty Prerequisite</a>.</p>
<p>So when the package was published today, I skimmed it right away. I was pleasantly surprised to find one of my articles cited in a footnote on page 18!</p>
<p>I won't pretend to have fully digested it yet, but one part immediately caught my attention: a new Open Source Strategy for Europe (Section 4 of the <a href="https://ec.europa.eu/newsroom/dae/redirection/document/129100">PDF</a>, starting on page 16).</p>
<p>The highlights are significant:</p>
<ul>
<li>Around €2 billion over seven years to fund and maintain critical Open Source projects.</li>
<li>&quot;Public money, public code&quot;, so publicly funded software is released openly.</li>
<li>Support for European foundations that can steward key Open Source projects.</li>
<li>Open Source encouraged across research funding.</li>
<li>An &quot;Open Source&quot;-first principle for public procurement.</li>
</ul>
<p>One of the best parts of the strategy is that it treats Open Source as infrastructure that needs sustained investment, not as free software that magically maintains itself. I'll admit, that made me happy.</p>
<p>It is an argument Open Source advocates have made for years, and one I made in <a href="https://dri.es/funding-open-source-like-public-infrastructure">Funding Open Source like public infrastructure</a>. The Commission now seems to agree, pointing to the lack of sustained funding, uncertain maintenance, and procurement barriers that hold Open Source back.</p>
<p>Just as important, the strategy reframes why Open Source matters. The old argument for Open Source was mostly about saving money. Here, Open Source is treated as a path to Europe's technological independence: software that Europe can inspect, maintain, and control. In other words, software that gives Europe &quot;freedom of action&quot;.</p>
<p>None of this came out of nowhere. The story starts with the <a href="https://commission.europa.eu/topics/eu-competitiveness/draghi-report_en">2024 Draghi report</a>, the Commission's landmark diagnosis of why Europe fell behind the United States and China. The Commission spent the next year turning that diagnosis into policy, and today's strategy is one of the results.</p>
<p>You can see how far the thinking has moved just by counting. In Draghi's 412 pages, &quot;Open Source&quot; appears twice. In the new plan, it appears nearly 300 times, in roughly a tenth of the space. It really shows that Open Source has moved from the margins of Europe's competitiveness debate into the center of its sovereignty strategy.</p>
<p>Still, it is worth being clear about what kind of document this is. This is not a law. It does not require companies to use Open Source or rewrite procurement rules across Europe. But it still matters. It moves Open Source from principle to policy: part of Europe's sovereignty agenda, backed by real funding, and a step toward stronger procurement rules.</p>
<p>The strategy notes that &quot;the EU currently spends EUR 264 billion a year mostly on US proprietary IT products and services&quot;. That is not the Commission's budget; it is what the broader European economy spends each year on American software.</p>
<p>Set against that number, €2 billion over seven years for Open Source is a start, but a very small one. Seven years of Europe's Open Source budget is roughly three days of its annual American software bill. Europe has started to treat Open Source as sovereignty infrastructure, but it is not yet funding it like sovereignty infrastructure.</p>
<p>The strategy also stops one word short. In procurement, it tells public bodies to choose Open Source &quot;first&quot;, not that they must. But &quot;first&quot; is only a preference. It is the kind of thing you talk yourself out of when the demo is shiny and the deadline is close.</p>
<p>For the systems a society cannot afford to lose, Open Source should not be preferred. It should be required. Europe is not there yet, but this is an excellent step in that direction.</p>
]]></description>
    </item>
    <item>
      <title>Grow the ecosystem, not just yourself</title>
      <link>https://dri.es/grow-the-ecosystem-not-just-yourself</link>
      <guid>https://dri.es/grow-the-ecosystem-not-just-yourself</guid>
      <pubDate>Tue, 26 May 2026 09:43:09 -0400</pubDate>
      <description><![CDATA[<p>In Open Source software, competition works differently than in proprietary software.</p>
<p>Companies compete through their own products and services, but they all depend on the same commons: the software, the community, the project's reputation, and the shared work that helps people trust and adopt it.</p>
<p>That shared foundation creates a different kind of responsibility: sharing a commons means sharing the work of keeping it strong.</p>
<p>The Open Source companies I admire most show up in two ways. They compete on the merits of their own products: features, support, and price. And they help sustain the commons: through code, documentation, security, marketing, events, education, sponsorships, and more.</p>
<h2>Judge companies by what they do</h2>
<p>Over the past year, Pantheon, one of Acquia's competitors in the Drupal market, has focused much of its messaging on attacking Acquia, including making our private equity ownership part of its story.</p>
<p>I have no quarrel with Pantheon's products or the people who build them. Competition is healthy. My concern is with marketing that attacks another Drupal company, often with misleading or unwarranted messaging.</p>
<p>I've spent nearly twenty years building Acquia through different stages and ownership models. Acquia has grown from a startup into a company backed first by venture capital and later by private equity. Every ownership model creates different pressures, but ownership determines far from everything.</p>
<p>Customers don't choose a platform because of an ownership model. They choose it because it works, because they can get help, and because they trust the platform will keep getting better. In Open Source, that trust depends on the health of the commons behind it.</p>
<p>Customers, partners, community members, and end users are not helped by vendor attacks. They are helped when companies build better products, contribute to Drupal, and help more people adopt it.</p>
<h2>License permits, stewardship grows</h2>
<p>For an Open Source company, the test is not only what they build for themselves. It is what they help build for everyone.</p>
<p>An Open Source license defines what companies are allowed to do. It sets the floor. Contribution is not required.</p>
<p>Above that floor is a social contract. No one enforces it, but every healthy Open Source ecosystem depends on it.</p>
<p>Stewardship is what companies choose to do beyond the license: contribute code, fund security work, support maintainers, improve documentation, sponsor events, promote adoption, and more.</p>
<p>Drupal thrives because people and organizations honor the social contract and choose to do more than the license requires.</p>
<h2>Contribution is one measure of stewardship</h2>
<p>Drupal.org credit is one public signal of that commitment. Acquia is the largest single corporate contributor to Drupal, but the wider community contributes far more than any one company.</p>
<p>In the past year, Acquia engineers earned 26,331 weighted issue credits, plus 164 from the Drupal Security Team.</p>
<p>These contributions are good for Acquia, for Drupal, and for every organization that builds on Drupal, including our competitors.</p>
<p>In the same period, Pantheon earned 243 weighted issue credits, plus 2 security credits. Credits don't capture every form of contribution, and Pantheon contributes in other ways too. Even so, the gap is substantial.</p>
<h2>What we let pass becomes the social contract</h2>
<p>I don't usually write publicly about competitors. It's not how I want to spend my voice.</p>
<p>Before writing this, I asked myself a simple question: if a major company contributing to Drupal were under sustained attack from another major Drupal company, would I feel a responsibility as Drupal's founder and project lead to speak up?</p>
<p>I would.</p>
<p>The fact that Acquia is the company being attacked made me slower to respond, but it doesn't change the answer.</p>
<p>When companies built on Drupal spend their energy attacking each other instead of growing the project, it bothers me. It's not good for Drupal.</p>
<p>I'm not writing this believing it will change anyone's marketing and sales tactics. I'm writing it because what we let pass now will shape what is acceptable in Drupal years from now.</p>
<p>Communities like ours evolve their social contract through moments like this, when we say in public what we expect of each other. If this post contributes to a healthier social contract taking hold, I'm happy.</p>
<h2>Compete on merit, but grow the commons</h2>
<p>Every company that builds on Drupal depends on the same commons. Every company has a choice about whether to help sustain it, and how much. Drupal gets stronger when more of us invest in it.</p>
<p>My invitation to every company that builds on Drupal is simple: let's compete on the merits of our products and services, not by attacking each other. Let's serve customers well, contribute where we can, and put our energy into helping more organizations choose Drupal in the first place.</p>
<p>That is the social contract I'd like all of us to live by. I want Acquia to be judged by that same standard: what we ship, how well we serve customers, how much we contribute, and whether Drupal is stronger because of our work.</p>
<p>Not by who owns us. Not by claims made about us. By whether we keep building, contributing, and helping the ecosystem grow.</p>
<p>I have said what I wanted to say, and I won't turn this into an ongoing debate or respond to social media comments on this. My focus is on building and contributing.</p>
]]></description>
    </item>
    <item>
      <title>Acquia builds Drupal funding into its partner program</title>
      <link>https://dri.es/acquia-builds-drupal-funding-into-its-partner-program</link>
      <guid>https://dri.es/acquia-builds-drupal-funding-into-its-partner-program</guid>
      <pubDate>Thu, 14 May 2026 17:12:53 -0400</pubDate>
      <description><![CDATA[<p>Today <a href="https://www.acquia.com/">Acquia</a> announced something I'm really proud of. We're calling it the <a href="https://www.acquia.com/partners/fair-trade-initiative">Acquia Fair Trade Initiative</a>.</p>
<p>When an Acquia partner closes a deal, 2% of that deal flows directly to the <a href="https://www.drupal.org/association">Drupal Association</a>, credited in the partner's name, to <a href="https://dri.es/what-it-costs-to-run-drupal-infrastructure">fund Drupal's infrastructure</a> and long-term growth. This is in addition to the millions of dollars Acquia already invests in Drupal each year.</p>
<p>Imagine an Acquia partner closes a $100,000 Drupal deal with Acquia. $2,000 goes to the Drupal Association, attributed to that partner. The 2% comes from Acquia, not from partner margins, so the partner keeps their full revenue and incentives.</p>
<p>The donation is publicly attributed in the Acquia Partner Portal and counts toward the partner's standing in the <a href="https://www.drupal.org/drupal-services">Drupal Association's Certified Partner Program</a>. It is recognized as financial support for the Drupal Association, separate from non-financial contributions like code, case studies, or community participation.</p>
<p>Most of all, I like that this program is structural. It is not a one-time gift or sponsorship campaign. It is built into the economics of Acquia's partner program, so Drupal's funding grows automatically as Acquia and its partners grow.</p>
<p>Too often, funding for Open Source projects depends on periodic fundraising or individual goodwill. That can work, but it rarely scales in a predictable way.</p>
<p>Open Source sustainability works best when incentives align. With the Fair Trade Initiative, the Drupal Association receives more predictable funding, partners receive recognition through the Drupal Association's Certified Partner Program, and Acquia invests in the long-term health of the Drupal ecosystem its business depends on. And yes, this also creates more incentive for partners to work with Acquia on Drupal projects. Drupal wins, Acquia's partners win, and Acquia wins too. That is what incentive alignment looks like.</p>
<p>I set a reminder for myself to report back in a year, maybe sooner. I'm curious to see what this model can become.</p>
]]></description>
    </item>
    <item>
      <title>The Sovereignty Prerequisite</title>
      <link>https://dri.es/the-sovereignty-prerequisite</link>
      <guid>https://dri.es/the-sovereignty-prerequisite</guid>
      <pubDate>Wed, 01 Apr 2026 05:06:03 -0400</pubDate>
      <description><![CDATA[<p>Procurement frameworks aren't the most exciting topic. But the European Commission is about to propose the <a href="https://www.europarl.europa.eu/legislative-train/theme-a-new-plan-for-europe-s-sustainable-prosperity-and-competitiveness/file-cloud-and-ai-development-act">Cloud and AI Development Act</a> (CADA), and how it treats Open Source will affect every Open Source project and Open Source business operating in Europe. This is one of those moments where the details matter.</p>
<p>Last month, I proposed a <a href="https://dri.es/the-software-sovereignty-scale">Software Sovereignty Scale</a> that grades software from A to E based on how easily your rights can be taken away. My core argument: if you want sovereignty that lasts, Open Source matters more than buying European proprietary software.</p>
<p>I submitted the Software Sovereignty Scale as feedback to the European Commission, recommending that Open Source carry more weight in the <a href="https://commission.europa.eu/document/download/09579818-64a6-4dd5-9577-446ab6219113_en?filename=Cloud-Sovereignty-Framework.pdf">Cloud Sovereignty Framework</a>, the tool EU institutions like the Commission and Parliament use to evaluate cloud providers when purchasing cloud services for their own operations.</p>
<p>The Cloud Sovereignty Framework only applies to how EU institutions buy their own cloud services. The Cloud and AI Development Act, which is expected to build on its approach, would set rules for the entire EU cloud market, across all 27 member states. The difference in scale is enormous, and the time to get this right is now.</p>
<p>My <a href="https://dri.es/the-software-sovereignty-scale">original recommendation</a> was to give Open Source more weight in the Cloud Sovereignty Framework's scoring. I've since realized that isn't enough. Licensing shouldn't be in the sovereignty score at all. It should be a prerequisite.</p>
<h2>Open Source is not a rounding error</h2>
<p>The Cloud Sovereignty Framework evaluates providers across eight sovereignty objectives, each weighted into a composite score, as shown in the screenshot below. Contracting authorities use that score to rank and compare providers when selecting software and cloud services.</p>
<figure><img src="https://dri.es/files/images/blog/eu-cloud-sovereignty-framework-weights.png" alt="A table and formula from the European Commission&amp;#039;s Cloud Sovereignty Framework showing how the composite sovereignty score is computed. Eight sovereignty objectives are weighted: Strategic Sovereignty 15%, Legal and Jurisdictional 10%, Data and AI 10%, Operational 15%, Supply Chain 20%, Technology 15%, Security and Compliance 10%, and Environmental Sustainability 5%. The sovereignty score is the weighted sum of each objective&amp;#039;s normalized score." width="1156" height="1128" />
<figcaption>Screenshot of how the European Commission computes its composite sovereignty score. Technology Sovereignty (SOV-6), which covers open licensing, accounts for 15% of the total. Source: <a href="https://commission.europa.eu/document/download/09579818-64a6-4dd5-9577-446ab6219113_en?filename=Cloud-Sovereignty-Framework.pdf">Cloud Sovereignty Framework</a>, version 1.2.1, October 2025.</figcaption>
</figure>
<p>Technology Sovereignty (SOV-6), the objective that covers Open Source, accounts for 15% of the total. Within it, open licensing is one of four contributing factors. That means software being Open Source can contribute roughly 4% to a provider's final sovereignty score.</p>
<p>Does that feel right to you? The one thing that guarantees sovereignty long-term is worth ~4%.</p>
<p>A framework designed to measure sovereignty treats the one factor that makes sovereignty permanent as a rounding error. I could argue the percentage should be higher, or that Open Source supports other objectives, but even at 40%, licensing would still be in the wrong place.</p>
<p>Licensing is fundamentally different from every other objective in the framework. Skype checked every sovereignty box until eBay acquired it in 2005. Every credential was valid before the acquisition and meaningless after.</p>
<p>Had Skype been Open Source, no one could have taken the code away. You would still retain the right to use, modify, and fork it regardless of who acquired the company. That right is permanent, but a European headquarters is not.</p>
<p>That makes licensing a prerequisite, not something to average into a score. Scores compare trade-offs. Prerequisites define what is non-negotiable.</p>
<h2>The gate already exists</h2>
<p>Beyond the composite score, the framework defines Sovereign Effectiveness Assurance Levels, or SEAL levels. These range from SEAL-0 (no sovereignty at all) to SEAL-4 (full EU control with no critical non-EU dependencies).</p>
<p>For each of the eight sovereignty objectives, the contracting authority sets a minimum SEAL level. Any provider that falls below the minimum is rejected outright. These minimums work as pass/fail gates.</p>
<p>My proposal: licensing belongs in the gate, not in the score. Make Open Source a minimum requirement for the highest SEAL levels.</p>
<p>The <a href="https://dri.es/the-software-sovereignty-scale">Software Sovereignty Scale</a> could map onto SEAL levels like this:</p>
<div class="large">
<table>
  <thead>
  <tr>
  <th>SEAL level</th>
  <th>Framework definition</th>
  <th>Proposed licensing gate</th>
  <th>What it means in practice</th>
</tr>
</thead>
  <tbody>
  <tr>
  <td>SEAL-3 or above</td>
  <td>Digital Resilience / Full Digital Sovereignty</td>
  <td><a href="https://dri.es/the-software-sovereignty-scale">Grade A, B, or C</a> (Open Source)</td>
  <td>Software can be forked and maintained independently. Sovereignty survives acquisition.</td>
</tr>
  <tr>
  <td>SEAL-2</td>
  <td>Data Sovereignty</td>
  <td><a href="https://dri.es/the-software-sovereignty-scale">Grade D</a> or above (including European proprietary software)</td>
  <td>European jurisdiction, but structurally vulnerable to acquisition or relicensing.</td>
</tr>
  <tr>
  <td>SEAL-1</td>
  <td>Jurisdictional Sovereignty</td>
  <td>No licensing gate</td>
  <td>Minimal sovereignty assurance.</td>
</tr>
</tbody>
</table>
</div>
<p>Under this proposal, mission-critical software with high switching costs would require a minimum of SEAL-3, making Open Source a requirement. For lower-risk procurement where the software is easy to replace, SEAL-2 would allow proprietary providers to compete.</p>
<p>Won't this exclude many proprietary providers? Yes, it would. But we have to be honest: proprietary software doesn't give you sovereignty that lasts.</p>
<p>I support the push to buy homegrown technology (&quot;Buy European&quot;). It keeps investment in Europe. But it doesn't solve the underlying problem.</p>
<h2>Which government is sovereign?</h2>
<p>Consider two scenarios. In the first, a government runs proprietary software on a sovereign European cloud. The provider gets acquired by a non-EU company, and the government can't migrate without replacing the software entirely. It has jurisdiction but ultimately no control. It's not very sovereign.</p>
<p>In the second, a government runs Open Source software on Amazon Web Services (AWS), a US-owned cloud provider with data centers in Europe. If AWS becomes a problem because of the CLOUD Act, policy changes, or geopolitics, the government can move the same software to a European cloud provider. Switching cloud providers can be hard, but switching software is much harder.</p>
<p>It may seem counterintuitive, but the second government is in a stronger position. Open Source on a non-European cloud gives you more sovereignty than proprietary software on a European one, because you can always change the infrastructure. You can't fix the licensing.</p>
<p>This doesn't make the second scenario risk-free. The ideal solution would be Open Source on a sovereign European cloud.</p>
<p>People overestimate jurisdiction and underestimate licensing. Licensing is not one sovereignty factor among many. It's the sovereignty prerequisite.</p>
<p><em>Special thanks to <a href="https://www.drupal.org/u/farriss">Tiffany Farriss</a> and <a href="https://www.linkedin.com/in/sachikomuto/">Sachiko Muto</a> for their review of this blog post.</em></p>
]]></description>
    </item>
    <item>
      <title>What it costs to run Drupal&#039;s infrastructure</title>
      <link>https://dri.es/what-it-costs-to-run-drupal-infrastructure</link>
      <guid>https://dri.es/what-it-costs-to-run-drupal-infrastructure</guid>
      <pubDate>Tue, 10 Mar 2026 18:30:34 -0400</pubDate>
      <description><![CDATA[<p>Yesterday I wrote about <a href="https://dri.es/open-source-infrastructure-deserves-a-business-model">how Open Source infrastructure across many ecosystems is fragile and underfunded</a>.</p>
<p>Drupal is no exception.</p>
<p>Like most Open Source projects, Drupal runs on infrastructure that millions of people depend on but very few people directly pay for.</p>
<p>Drupal's infrastructure costs roughly $3 million per year, including servers, bandwidth, CDNs, software, and staff.</p>
<p>Funding comes from a mix of donated infrastructure from <a href="https://aws.amazon.com/">AWS</a> and the <a href="https://osuosl.org/">OSU Open Source Lab</a>, corporate memberships through our <a href="https://www.drupal.org/drupal-services">Drupal Certified Partner program</a>, in‑kind contribution from <a href="https://www.tag1.com/">Tag1</a>, revenue from DrupalCon, donations, and sponsorship on <a href="https://www.drupal.org">Drupal.org</a>.</p>
<p>Last year, Drupal Association board member <a href="https://www.drupal.org/u/farriss">Tiffany Farriss</a> and CTO <a href="https://www.drupal.org/u/hestenet">Tim Lehnen</a> analyzed the project's infrastructure costs. Their estimate: infrastructure for Drupal 8+ sites costs about $10 per active website per year.</p>
<p>But the Drupal Association has only about $7.50 per site per year to work with. About $3 comes from DrupalCon and the Certified Partner program. The remaining $4.50 comes from in-kind support: donated hosting, Tag1's infrastructure partnership, volunteer contributions and more.</p>
<p>The missing $2.50 per site shows up as technical debt: certain upgrades get deferred, legacy systems persist longer than they should, and the community sometimes wonders why infrastructure progress feels slow.</p>
<p>Plus, the $7.50 per site we currently fund is fragile. DrupalCon revenue depends on event attendance. Advertising depends on traffic. Tag1's in-kind contribution depends on one company's continued generosity. Our donated infrastructure from AWS and OSU could disappear at any time. If any of that support disappears, the funding gap grows, more infrastructure work gets deferred, and things could start breaking.</p>
<p>Before talking about new funding models, it is worth asking whether the Drupal Association could reduce its infrastructure costs. Ten dollars per site per year may sound like a lot. Should we operate all of this infrastructure ourselves, or rely more on hosted platforms like GitHub or GitLab.com? Are parts of our infrastructure more complex than they need to be? Could we customize less to reduce costs and move faster?</p>
<p>These are the right questions to ask. I believe we need to work both sides of the ledger: take a hard look at what we spend and build a funding model that depends less on goodwill. In practice, infrastructure decisions rarely optimize for everything at once. They involve tradeoffs between cost, speed, flexibility, and control.</p>
<p>Corporate patronage is worth considering. A single well-resourced sponsor could fund Drupal's infrastructure in a way community fundraising cannot, and if the choice were between a patron and a crisis, a patron wins. It's fast, requires no technical changes, and doesn't touch the social contract with site owners.</p>
<p>But patronage trades one fragility for another. Instead of depending on event attendance or AWS cloud credits, you depend on one company's continued generosity and strategic alignment with the project. If their priorities shift, we're back where we started.</p>
<p>A patron funding infrastructure at this scale would also expect meaningful benefits. That could mean greater visibility, access to lead flow, and some level of control over Drupal.org.</p>
<p>Most infrastructure systems connect usage to funding. Cloud platforms charge for compute. Roads are funded by taxes paid by the people who drive them. Drupal's infrastructure has no such mechanism: hundreds of thousands of sites depend on Drupal.org services, but the cost of operating those services is disconnected from the people who rely on them.</p>
<p>A funding model tied to usage avoids some of the issues with corporate patronage, but comes with its own trade-off. Open Source culture is built on anonymous access. You can download any package, no questions asked, no account required. Any usage-based model has to break that norm.</p>
<p>The simplest version would probably require a Drupal.org API key to download packages or receive automatic update notifications. Requiring an API key is standard practice for any commercial API, but in Open Source it feels different. Requiring site owners to identify themselves to Drupal.org is a cultural shift, even if the key itself is free forever.</p>
<p>Any such mechanism requires changes to Drupal Core, which could take years to reach the installed base. If we go down this route, we can't wait for a funding crisis to begin this work. By the time a real crisis arrives, we could still be years away from a solution.</p>
<p>I don't have a specific mechanism to propose yet. My goal here is to lay out the problem, explore potential solutions, and start the conversation. But we should start that conversation now, while we have the time and stability to get it right. Otherwise we may end up having this conversation later, under more pressure and with fewer options.</p>
<p><em>Thanks to <a href="https://www.drupal.org/u/farriss">Tiffany Farriss</a>, <a href="https://www.drupal.org/u/hestenet">Tim Lehnen</a>, <a href="https://www.drupal.org/u/g%C3%A1bor-hojtsy">Gábor Hojtsy</a> and <a href="https://www.drupal.org/u/lauriii">Lauri Timmanee</a> for reviewing my draft.</em></p>
]]></description>
    </item>
    <item>
      <title>Open Source infrastructure deserves a business model</title>
      <link>https://dri.es/open-source-infrastructure-deserves-a-business-model</link>
      <guid>https://dri.es/open-source-infrastructure-deserves-a-business-model</guid>
      <pubDate>Mon, 09 Mar 2026 14:36:23 -0400</pubDate>
      <description><![CDATA[<p>Open Source software is free to download. But the infrastructure that makes it usable is not.</p>
<p>When developers install or update dependencies through npm, Composer, pip, or Cargo, those tools rely on package registries that host and distribute millions of software packages. When maintainers collaborate, they depend on hosted services: Git repositories, CI pipelines, and other tools to build, test, and release software.</p>
<p>Most of this infrastructure is invisible to end users, and almost no one thinks about what it costs to run.</p>
<p>But it is not free. Someone has to operate the servers, pay for bandwidth, respond to support questions, patch security issues, and keep everything reliable.</p>
<p>Much of the modern software ecosystem depends on these services working reliably. And yet the organizations operating them are almost always scrambling to fund them.</p>
<h2>A patchwork of fragile arrangements</h2>
<p>Every large Open Source project has found some way to keep its infrastructure running. Usually that means a mix of donated services, sponsorships, fundraising, cross-subsidy, or patronage from a single company.</p>
<p>The table below highlights the primary funding mechanisms various Open Source projects depend on, even though most projects combine several.</p>
<table>
  <thead>
  <tr>
  <th></th>
  <th>Donated infrastructure</th>
  <th>Multi-company sponsorship</th>
  <th>Community funding</th>
  <th>Single-company patronage</th>
</tr>
</thead>
  <tbody>
  <tr>
  <td>PyPI</td>
  <td style="text-align:center;">☑</td>
  <td style="text-align:center;">☐</td>
  <td style="text-align:center;">☐</td>
  <td style="text-align:center;">☐</td>
</tr>
  <tr>
  <td>Packagist</td>
  <td style="text-align:center;">☐</td>
  <td style="text-align:center;">☐</td>
  <td style="text-align:center;">☐</td>
  <td style="text-align:center;">☑</td>
</tr>
  <tr>
  <td>npm</td>
  <td style="text-align:center;">☐</td>
  <td style="text-align:center;">☐</td>
  <td style="text-align:center;">☐</td>
  <td style="text-align:center;">☑</td>
</tr>
  <tr>
  <td>WordPress</td>
  <td style="text-align:center;">☐</td>
  <td style="text-align:center;">☐</td>
  <td style="text-align:center;">☐</td>
  <td style="text-align:center;">☑</td>
</tr>
  <tr>
  <td>RubyGems</td>
  <td style="text-align:center;">☐</td>
  <td style="text-align:center;">☑</td>
  <td style="text-align:center;">☑</td>
  <td style="text-align:center;">☐</td>
</tr>
  <tr>
  <td>Drupal</td>
  <td style="text-align:center;">☑</td>
  <td style="text-align:center;">☑</td>
  <td style="text-align:center;">☑</td>
  <td style="text-align:center;">☐</td>
</tr>
</tbody>
</table>
<p>The mix differs across ecosystems, and some rely on several mechanisms at once. But one thing stands out: none of these approaches tie funding directly to how much the infrastructure is used.</p>
<p><a href="https://pypi.org/">PyPI</a>, the Python Package Index, illustrates the sponsorship model. It handles billions of downloads a day on infrastructure donated by Fastly, AWS, and Google Cloud. The <a href="https://www.python.org/psf-landing/">Python Software Foundation</a> described this arrangement's fragility in a <a href="https://pyfound.blogspot.com/2025/10/open-infrastructure-is-not-free-pypi.html">post last October</a>: if a single sponsor decides not to renew, it would cost them tens of thousands of dollars a month to replace the lost infrastructure.</p>
<p><a href="https://packagist.org/">Packagist</a>, the main PHP package repository, follows a different approach. It is run by a private company that also sells a commercial product called <a href="https://packagist.com/">Private Packagist</a>. Revenue from the paid product subsidizes the free public registry. It's one of the more sustainable models out there, though it means a public good depends on one company's continued success.</p>
<p><a href="https://www.npmjs.com/">npm</a> tried to operate as an independent company, ran into serious financial trouble, and was eventually acquired by GitHub in 2020. The end result is that critical JavaScript infrastructure is now owned by Microsoft.</p>
<p><a href="https://wordpress.org/">WordPress.org</a> runs on a different version of the same dynamic: corporate patronage. Automattic, by far the ecosystem's largest commercial beneficiary, subsidizes most of the infrastructure. It works, but it also means that whoever funds the infrastructure controls it.</p>
<p>The <a href="https://fair.pm/">FAIR project</a>, a federated package manager backed by the Linux Foundation, was designed to give the WordPress ecosystem an independent alternative. The software works but its organizers recently stepped back after <a href="https://joost.blog/fair-wordpress-and-knowing-when-to-stop/">failing to secure long-term funding commitments</a>.</p>
<p><a href="https://rubygems.org/">RubyGems</a> took the community fundraising route, <a href="https://rubycentral.org/news/rubygems-org-funding-model-a-new-path-for-community-led-growth/">launching a program</a> last year asking businesses for $2,500 to $5,000 annually, with about 110 supporters needed to cover the registry's operations.</p>
<p><a href="https://www.drupal.org">Drupal</a>, the Open Source CMS I help lead, depends on the Drupal Association to run much of the infrastructure behind the project: Composer endpoints, GitLab repositories, CI pipelines, automatic update notifications, and more. Running all of this costs roughly $3 million a year. Funding comes from a mix of donated infrastructure, community funding, DrupalCon revenue, and sponsorship.</p>
<p>When the economics break, the consequences become visible. In February 2026, <a href="https://www.gnome.org/">GNOME</a> began <a href="https://www.phoronix.com/news/GNOME-GitHub-GitLab-Redirect">redirecting Git traffic from its own GitLab to GitHub mirrors</a> to reduce bandwidth costs. As a result, GitHub and its owner Microsoft now absorb some of GNOME's bandwidth cost.</p>
<p>Taken together, these examples point to the same underlying problem. Most Open Source infrastructure does not have a real business model. It survives through donations, corporate sponsorship, and community fundraising, rather than revenue tied to the value it delivers.</p>
<h2>From steward to service provider</h2>
<p>One direction that makes sense to me is a simple <em>value exchange</em>: keep core infrastructure free for individuals and small projects, while organizations using it at scale help pay for what they consume. Not as a donation, but as payment for the infrastructure their software depends on.</p>
<p>I look at Drupal as a concrete example of this in a follow-up post: <a href="https://dri.es/what-it-costs-to-run-drupal-infrastructure">what it costs to run Drupal's infrastructure</a>.</p>
<p>In practice, this could mean the backend infrastructure around Open Source projects operating more like a SaaS service: the software remains open, but the infrastructure that powers updates and security becomes a paid service for large organizations.</p>
<p>Some people will instinctively resist the idea of charging for the infrastructure behind an Open Source project. That reaction may feel familiar to anyone who remembers <a href="https://dri.es/the-commercialization-of-a-volunteer-driven-open-source-project">the early debates about paid contributors</a>. At the time, many feared corporate money would drive volunteers away. In practice, the opposite happened. Projects grew, contributor bases expanded, and paid engineers became some of their most active contributors.</p>
<p>That does not mean every new funding idea is a good one. But instinctive discomfort alone is not a reason to reject it.</p>
<p>In Open Source, what looks like fairness often is not. Free for everyone sounds equitable, but the cost does not disappear. It is absorbed by those who can least afford it, while the organizations that benefit most often pay the least. When a Fortune 500 company consumes Open Source infrastructure for free, that is not a neutral outcome. It is a subsidy flowing in the wrong direction.</p>
<p>If the problem is that costs are disconnected from usage, the obvious place to start is linking them. Exactly how that would work in practice is a separate design question, and the answer will likely differ from one Open Source project to another. One possible approach is usage-based fees, tiered by download volume or API consumption. Questions about measurement, thresholds, and enforcement would need careful community discussion.</p>
<h2>Governance is downstream of funding</h2>
<p>If infrastructure funding models need to change, the obvious question is who decides. In Open Source, questions like this ultimately belong to the community.</p>
<p>But communities do not decide these things in a vacuum. In practice, governance tends to follow funding.</p>
<p>Discussions about Open Source infrastructure often focus on governance: who should control it and who gets to make the decisions. In reality, those questions are often settled by something simpler: who pays for it.</p>
<p>FAIR is a recent example. The organizers didn't step back because federation was the wrong idea. They stepped back because no host would commit funding.</p>
<p>When one organization pays for the infrastructure, it ultimately controls it. When a broader set of stakeholders funds it, governance broadens with it.</p>
<p>That is why Open Source infrastructure needs more than better fundraising. It needs a business model that connects the cost of operating shared infrastructure to the organizations that rely on it most.</p>
<p>Infrastructure that entire ecosystems depend on cannot rely indefinitely on goodwill alone. It deserves a business model.</p>
<p>Solving the funding problem is a prerequisite to solving the governance problem.</p>
<p><em>Thanks to <a href="https://www.drupal.org/u/farriss">Tiffany Farriss</a>, <a href="https://www.drupal.org/u/hestenet">Tim Lehnen</a>, <a href="https://www.drupal.org/u/g%C3%A1bor-hojtsy">Gábor Hojtsy</a> and <a href="https://www.drupal.org/u/lauriii">Lauri Timmanee</a> for reviewing my draft.</em></p>
]]></description>
    </item>
    <item>
      <title>AI creates asymmetric pressure on Open Source</title>
      <link>https://dri.es/ai-creates-asymmetric-pressure-on-open-source</link>
      <guid>https://dri.es/ai-creates-asymmetric-pressure-on-open-source</guid>
      <pubDate>Thu, 29 Jan 2026 19:58:44 -0500</pubDate>
      <description><![CDATA[<p>AI makes it cheaper to contribute to Open Source, but it's not making life easier for maintainers. More contributions are flowing in, but the burden of evaluating them still falls on the same small group of people. That asymmetric pressure risks breaking maintainers.</p>
<h2>The curl story</h2>
<p>Daniel Stenberg, who maintains <a href="https://curl.se/">curl</a>, just <a href="https://daniel.haxx.se/blog/2026/01/26/the-end-of-the-curl-bug-bounty/">ended the curl project's bug bounty program</a>. The program had worked well for years. But in 2025, fewer than one in twenty submissions turned out to be real bugs.</p>
<p>In a post called <a href="https://daniel.haxx.se/blog/2025/07/14/death-by-a-thousand-slops/">&quot;Death by a thousand slops&quot;</a>, Stenberg described the toll on curl's seven-person security team: each report engaged three to four people, sometimes for hours, only to find nothing real. He wrote about the &quot;emotional toll&quot; of &quot;mind-numbing stupidities&quot;.</p>
<p>Stenberg's response was pragmatic. He didn't ban AI. He ended the bug bounty. That alone removed most of the incentive to flood the project with low-quality reports.</p>
<p>Drupal doesn't have a bug bounty, but it still has incentives: contribution credit, reputation, and visibility all matter. Those incentives can attract low-quality contributions too, and <a href="https://dri.es/never-submit-code-you-do-not-understand">the cost of sorting them out often lands on maintainers</a>.</p>
<h2>Caught between two truths</h2>
<p>We've seen some AI slop in Drupal, though not at the scale curl experienced. But our maintainers are stretched thin, and they see what is happening to other projects.</p>
<p>That tension shows up in conversations about AI in Drupal Core and can lead to indecision. For example, people hesitate around <a href="https://www.drupal.org/project/drupal/issues/3568936">AGENTS.md files</a> and <a href="https://www.drupal.org/project/drupalorg/issues/3563839">adaptable modules</a> because they worry about inviting more contributions without adding more capacity to evaluate them.</p>
<p>This is AI-driven asymmetric pressure in our community. I understand the hesitation. When we get this wrong, maintainers pay the price. They've earned the right to be skeptical.</p>
<p>Many also have concerns about AI itself: its environmental cost, its impact on their craft, and the unresolved legal and ethical questions around how it was trained. Others worry about security vulnerabilities slipping through. And for some, it's simply demoralizing to watch something they built with care become a target for high-volume, low-quality contributions. These concerns are legitimate and deserve to be heard.</p>
<p>As a result, I feel caught between two truths.</p>
<p>On one side, maintainers hold everything together. If they burn out or leave, Drupal is in serious trouble. We can't ask them to absorb more work without first creating relief.</p>
<p>On the other side, the people who depend on Drupal are watching other platforms accelerate. If we move too slowly, they'll look elsewhere.</p>
<p>Both are true. Protecting maintainers and accelerating innovation shouldn't be opposites, but right now they feel that way. As Drupal's project lead, my job is to help us find a path that honors both.</p>
<p>I should be honest about where I stand. I've been <a href="https://dri.es/claude-code-meets-drupal">writing software with AI tools</a> for over a year now. I've had real successes. I've also seen some of our most experienced contributors become dramatically more productive, doing things they simply couldn't do before. That view comes from experience, not hype.</p>
<p>But having a perspective is not the same as having all the answers. And leadership doesn't mean dragging people where they don't want to go. It means pointing a direction with care, staying open to different viewpoints, and not abandoning the people who hold the project together.</p>
<h2>We've sort of been here before</h2>
<p>New technology has a way of lowering barriers, and lower barriers always come with tradeoffs. I saw this early in my career. I was writing low-level C for embedded systems by day, and after work I'd come home and work on websites with Drupal and PHP. It was thrilling, and a stark contrast to my day job. You could build in an evening what took days in C.</p>
<p>I remember that excitement. The early web coming alive. I hadn't felt the same excitement in 25 years, until AI.</p>
<p>PHP brought in hobbyists and self-taught developers, people learning as they went. Many of them built careers here. But it also meant that a lot of early PHP code had serious security problems. The language got blamed, and many experts dismissed it entirely. Some still do.</p>
<p>The answer wasn't rejecting PHP for enabling low-quality code. The answer was frameworks, better security practices, and shared standards.</p>
<p>AI is a different technology, but I see the same patterns. It lowers barriers and will bring in new contributors who aren't experts yet. And like scripting languages, AI is here to stay. The question isn't whether AI is coming to Open Source. It's how we make it work.</p>
<h2>AI in the right hands</h2>
<p>The curl story doesn't end there. In October 2025, a researcher named Joshua Rogers used AI-powered code analysis tools to <a href="https://daniel.haxx.se/blog/2025/10/10/a-new-breed-of-analyzers/">submit hundreds of potential issues</a>. Stenberg was &quot;amazed by the quality and insights&quot;. He and a fellow maintainer merged about 50 fixes from the initial batch alone.</p>
<p>Earlier this week, a security startup called AISLE <a href="https://www.lesswrong.com/posts/7aJwgbMEiKq5egQbd/ai-found-12-of-12-openssl-zero-days-while-curl-cancelled-its">announced they had used AI to find 12 zero-days</a> in the latest OpenSSL security release. OpenSSL is one of the most scrutinized codebases on the planet. It encrypts most of the internet. Some of the bugs AISLE found had been hiding for over 25 years. They also reported over 30 valid security issues to curl.</p>
<p>The difference between this and the slop flooding Stenberg's inbox wasn't the use of AI. It was expertise and intent. Rogers and AISLE used AI to amplify deep knowledge. The low-quality reports used AI to replace expertise that wasn't there, chasing volume instead of insight.</p>
<p>AI created new burden for maintainers. But used well, it may also be part of the relief.</p>
<h2>Earn trust through results</h2>
<p>I reached out to Daniel Stenberg this week to compare notes. He's navigating the same tensions inside the curl project, with maintainers who are skeptical, if not outright negative, toward AI.</p>
<p>His approach is simple. Rather than pushing tools on his team, he tests them on himself. He uses AI review tools on his own pull requests to understand their strengths and limits, and to show where they actually help. The goal is to find useful applications without forcing anyone else to adopt them.</p>
<p>The curl team does use AI-powered analyzers today because, as Stenberg puts it, &quot;they have proven to find things no other analyzers do&quot;. The tools earned their place.</p>
<p>That is a model I'd like us to try in Drupal. Experiments should stay with willing contributors, and the burden of proof should remain with the experimenters. Nothing should become a new expectation for maintainers until it has demonstrated real, repeatable value.</p>
<p>That does not mean we should wait. If we want evidence instead of opinions, we have to create it. Contributors should experiment on their own work first. When something helps, show it. When something doesn't, share that too. We need honest results, not just positive ones. Maintainers don't have to adopt anything, but when someone shows up with real results, it's worth a look.</p>
<p>Not all low-quality contributions come from bad faith. Many contributors are learning, experimenting, and trying to help. They want what is best for Drupal. A welcoming environment means building the guidelines and culture to help them succeed, with or without AI, not making them afraid to try.</p>
<p>I believe AI tools are part of how we create relief. I also know that is a hard sell to someone already stretched thin, or dealing with AI slop, or wrestling with what AI means for their craft. The people we most want to help are often the most skeptical, and they have good reason to be.</p>
<p>I'm going to do my part. I'll seek out contributors who are experimenting with AI tools and share what they're learning, what works, what doesn't, and what surprises them. I'll try some of these tools myself before asking anyone else to. And I'll keep writing about what I find, including the failures.</p>
<p>If you're experimenting with AI tools, I'd love to hear about it. I've opened <a href="https://www.drupal.org/project/drupal/issues/3570498">an issue on Drupal.org</a> to collect real-world experiences from contributors. Share what you're learning in the issue, or write about it on your own blog and link it there. I'll report back on what we learn on my blog or at DrupalCon.</p>
<h2>Protect your maintainers</h2>
<p>This isn't just Drupal's challenge. Every large Open Source project is navigating the same tension between enthusiasm for AI and real concern about its impact.</p>
<p>But wherever this goes, one principle should guide us: protect your maintainers. They're a rare asset, hard to replace and easy to lose. Any path forward that burns them out isn't a path forward at all.</p>
<p>I believe Drupal will be stronger with AI tools, not weaker. I believe we can reduce maintainer burden rather than add to it. But getting there will take experimentation, honest results, and collaboration. That is the direction I want to point us in. Let's keep an open mind and let evidence and adoption speak for themselves.</p>
<p><em>Thanks to <a href="https://www.drupal.org/u/phenaproxima">phenaproxima</a>, <a href="https://www.drupal.org/u/hestenet">Tim Lehnen</a>, <a href="https://www.drupal.org/u/g%C3%A1bor-hojtsy">Gábor Hojtsy</a>, <a href="https://www.drupal.org/u/scott-falconer">Scott Falconer</a>, <a href="https://www.drupal.org/u/nod_">Théodore Biadala</a>, <a href="https://www.drupal.org/u/jurgenhaas">Jürgen Haas</a> and <a href="https://www.drupal.org/u/effulgentsia">Alex Bronstein</a> for reviewing my draft.</em></p>
]]></description>
    </item>
  </channel>
</rss>
