In short: I maintain a sorta-popular open source package, and I want to prevent big corporations and “bad guys” from using it. I want feedback on how to do this.
Open source and exploitation
I’ve been learning more about open source sustainability. More accurately, I’ve been learning more about how open source is exploited by large companies.
Some recent links that have influenced my view:
- This pair of slides from the maintainer of curl. The first slide: 38 massive car brands that use curl. The second slide: 0 of them give anything back.
- “The Value of Open Source Software” says that “firms would need to spend 3.5 times more […] if OSS did not exist”, and that OSS is giving businesses about $12,000,000,000,000 USD (12 trillion dollars) for free.
- “What is open source?” says that “volunteers are creating software for free that largely benefits large corporations.”
- “Open Source Power” asserts that open source software needs to be more thoughtful about how it donates its work to the commons, because it’s being abused.
- “Open Source Developers Are Exhausted, Unpaid, and Ready to Walk Away” argues that open source maintainers are being exploited and are burning out. That’s dangerous for the industry.
- “How US tech giants’ AI is changing the face of warfare in Gaza and Lebanon” made me think about how open source tools like PyTorch kill innocent people, if indirectly.
- “The Death of Consequences” claims that “extractive organizations will not take licensing seriously”, and that the open source movement needs more teeth.
Overall, these ideas lead me to believe that the open source movement needs to see itself as in a larger social context. Can we shift the balance of power away from massive companies and their massive harms? Can we prevent Nazis from using our software? Should we even try?
What can I do to help?
I maintain a sorta-popular open source package. I say popular because it had over 200 million downloads in 2025, which I believe puts it in the top 0.1% of downloads on npm. I say sorta-popular because it’s not very well-known; it sits quietly in thousands (millions?) of projects, with most developers not thinking much about it. I’m not as powerful as Linus Torvalds at the helm of Linux, but I’m also not totally unknown.
But what can I do to help?
I know my goal: shift the default in open source from “it’s free for anyone to use” to “please don’t use this if you’re evil”. I don’t just want to do this for my little project; I want to slowly change the discourse. I’m not sure how to do that effectively, if it’s even possible.
Anyone have any ideas? If you maintained a sorta-popular open source package, what would you do to help?
Some specific questions I have:
- How can I bring more attention to this issue given the relative popularity of my project? Do I write a blog post? A callout in the documentation?
- Should I change my project’s license? It currently uses the permissive MIT License. I remain unconvinced of the societal value of “freedom to run the program as you wish, for any purpose”, often called freedom 0. I don’t want to donate my work to the bad guys!
- Would collective action be more powerful? If so, would other maintainers participate?
- Should I “test” this with some of my less popular projects?
I would love your ideas. Feel free to email [email protected], message me on Signal, or contact me another way.