Open source trends for 2025

Because I did so well in 2024, I figure I’ll stick my neck out again for 2025. Honestly, most of what I wrote for last year still holds. I could probably re-run that post with a few edits and call it a day, but that feels like cheating. So apart from more of the same, what do I think 2025 holds? I’ll admit that it seems a little bleak this year. I’d love to be wrong about it.

Software supply chain

When I wrote “open source projects have largely been able to avoid thinking about [supply chain security]. I think that changes this year,” I didn’t mean to predict the xz backdoor. But I’ll certainly take credit for it. Due in part to the Cyber Resilience Act (CRA) in Europe, as well as companies wanting to avoid risk, there will be even more pressure on projects to improve their security posture.

But the “I am not a supplier” sentiment seems to be increasing (with good reason), which is going to result in more tension. In 2025, I expect to see a marked split between “hobbyist” and “professional” open source projects. Some of this can be overcome with money, but not everyone wants to get paid. It’s incumbent upon the professionals to make improved security as seamless as possible for the hobbyists. I’ve seen this some already in my work with the Open Source Project Security Baseline.

Inequity

Related to the last topic, I think we’ll see a growing separation between the haves and have-nots. The projects that enterprises see as critical will get funding and effort. The other projects, whether or not they’re actually important to enterprises, will be left to the increasingly scarce efforts of volunteers.

I think we’ll see this with events, too. Events where companies can make sales will do well. Community events will suffer from a lack of sponsorship and attendance due to lack of travel funding. I think we’ll start to see a shift from global events toward regional events in the community space. Even projects with significant corporate or foundation funding may find that it’s no longer possible to get “everyone” together (to the degree that this was ever possible). There are ways to change events to better meet community needs, but I don’t think those will catch on with the managers who have to approve funding just yet.

Artificial intelligence

If the bubble doesn’t burst this year, the hype at least slows way down. We’re already starting to see some studies indicate that AI increases workload and that improvements are slowing down. Nvidia stock (disclosure: I own a small number of shares) was up 179% in 2024, but most of that was in the first half of the year. The price has been basically flat since mid-October. This at least suggests that there is a limit to the amount of money companies are willing to throw at AI. At some point, investors will want a return, and LLMs don’t appear to be particularly profitable. So I think we’ll see AI settle into use cases where it works well and fade away where it doesn’t.

Okay, but what does all of this mean for open source projects? First, it will lead to a leveling off in AI-generated code and bug report “contributions” as vendors start charging more money for services. This will be a big relief for maintainers overwhelmed by low-quality “slop”. Secondly, if you’ve been trying to figure out how to incorporate AI into your project to attract more developers or financial backing, you can just…not. Wait it out. But you should still develop an AI contribution policy for your project if you haven’t already. The AI Policy Resources page has ones that I’ve collected if you need inspiration.

This post’s featured photo by Jason Coudriet on Unsplash.