Meta Information

Author: Michael Donovan (VP Product at Docker)
Source: The New Stack
Publication Date: November 6, 2025
Summary Reading Time: 4 minutes

Executive Summary

Open source software is not "free as in beer," but rather like a "free puppy": the hidden operating costs and risks are substantial and often underestimated. The recent Bitnami incident, in which the company discontinued its popular container images and Helm charts, exemplifies the business continuity risks that come with open-source dependencies. Companies must fundamentally rethink their open-source strategy and evaluate not only technical factors but also economic ones, such as business models, funding, and project governance, to avoid unpleasant surprises.

Critical Key Questions

1. How can companies ensure the long-term stability of their open-source dependencies when even established projects are suddenly discontinued?

2. What hidden costs and risks arise from the cascading dependency on hundreds of open-source components in modern software stacks?

3. Is the current open-source culture still sustainable when more and more projects are changing their licensing models or introducing commercial restrictions?

Scenario Analysis: Future Perspectives

Short-term (1 Year)

  • Increased due diligence processes for open-source adoption
  • Building internal forking capabilities for critical components
  • Migration away from endangered projects like Bitnami

Medium-term (5 Years)

  • Emergence of new open-source governance models with guaranteed long-term support
  • Market consolidation around foundation-backed projects (CNCF, Apache)
  • Professionalization of open-source supply chain monitoring

Long-term (10-20 Years)

  • Paradigm shift to "Sustainable Open Source" with transparent funding models
  • Possible regulation of critical open-source infrastructure
  • Hybrid models between open source and commercial software as standard

Main Summary

Core Topic & Context

The article analyzes the hidden business risks of open-source software using the Bitnami incident as an example. After being acquired by Broadcom/VMware, Bitnami discontinued its popular container images, causing significant disruption for users.

Key Facts & Figures

  • Bitnami discontinued maintenance of popular open-source containers and Helm charts
  • Other projects cited as examples of similar disruption: Elastic, HashiCorp, Redis, Linkerd, Red Hat
  • The CNCF had to publicly clarify that the Helm project itself was not affected
  • Each open-source project has dozens to hundreds of dependencies
  • Virtually all significant open-source projects are funded by companies or foundations

Stakeholders & Affected Parties

  • DevOps teams and Platform Engineers
  • Companies with open-source-based products
  • Cloud-native community (Kubernetes, Docker users)
  • Software supply chain managers

Opportunities & Risks

Risks:

  • ⚠️ Business continuity risk from sudden project discontinuations
  • ⚠️ Cascading risk through nested (transitive) dependencies
  • ⚠️ License changes can restrict usage

Opportunities:

  • ✅ Building resilient architectures with fallback options
  • ✅ Strengthening foundation-backed projects
  • ✅ Developing better supply chain visibility tools

Action Relevance

Immediate measures required:

  1. Business model analysis of all critical open-source dependencies
  2. Building supply chain visibility across the entire dependency tree
  3. Developing resilience strategies, including the capability to fork critical components
  4. Diversification of dependencies to avoid single points of failure
  5. Using hardened container images to minimize risk

Source Directory

Primary Source:

Supplementary Sources:

Verification Status: ✅ Facts checked on 11/06/2025


Note: Docker is a sponsor of this article. Insight Partners is an investor in Docker and The New Stack.