Schedule FrOSCon 2026

Lecture

Wrong Pocket: Why Public Funding Alone Can't Sustain Open Source

Tax money funds FOSS infrastructure that corporations extract value from for free.

August 16, 2026 HS 5 en Someone gonna pay - is it you? – Funding for Open Source

Everyone agrees open source needs funding. Sovereign tech funds and public grants sound like the right answer. They don't scale, and they end up subsidizing the same corporations extracting value from the stack. There's a better mechanism already: license obligations that are enforceable and largely unenforced. When companies actually face consequences for non-compliance, things change. They fund maintainers. They engage upstream. Their supply chains get cleaned up. Not out of good intentions. Out of risk management. This talk argues that tax money should complement that pressure, not replace it.

The funding debate has found its comfortable answer: sovereign tech funds, public grants, government stepping in. It's well-meant and probably necessary. And it has a structural problem that doesn't get discussed much: the main beneficiaries of publicly funded open source maintenance are the companies building commercial products on top of that infrastructure, with no obligation to contribute anything back.

The mechanism to change this already exists and is barely used. Banks, insurers, public sector vendors ship products where 60–95% of the code is open source and basic license obligations routinely go ignored. No attribution notices. No source code offers. No compliance documentation. The liability is real; I've worked on incidents that reached seven-figure exposure. But without enforcement there's no perceived risk, and without perceived risk there's no resource allocation. No enforcement means no sustainability. The chain is that short.

What happens when enforcement actually occurs? Companies clean up their dependency trees. They engage with upstream projects. OSPOs get created. Maintainers get paid. Not because someone asked nicely. IT security got its resources through the same logic: breaches happened, GDPR came with actual teeth, and boards start
ed paying attention. The same mechanism works here. It just hasn't been used.

Public funding is good. The Sovereign Tech Fund is good. But tax money flowing into open source maintenance creates no pressure on the companies using that infrastructure commercially. The subsidy moves from maintainers to taxpayers, and the corporations on the free ride get a better deal than before.

The session covers why the public-funding-only approach has structural limits and what the enforcement alternative looks like in practice, based on documented cases. Concrete steps are available right now through legal frameworks that already exist, without waiting for new regulation.