A well-known secret in the world of open source software is that many projects rely on donated hosting for everything from their websites to testing infrastructure. When the company providing said hosting can no longer do so for whatever reason, it leaves the project scrambling for a replacement. This is what just happened for Alpine Linux, as detailed on their blog.

Previously Equinix Metal provided the hosting, but as they are shutting down their bare-metal services, the project now has to find an alternative. As described in the blog post, this affects in particular storage services, continuous integration, and development servers.
As if that wasn’t bad enough, Equinix was also providing hosting for the Freedesktop.org project. In a post on their GitLab, [Benjamin Tissoires] thanks the company for supporting them as long as they have, and details the project’s current hosting needs.
As the home of X.org and Wayland (and many more), the value of Freedesktop.org to the average user requires no explanation. For its part, Alpine Linux is popular in virtualization, with Docker images very commonly using it as a base. This raises the uncomfortable question of why such popular open source projects have to depend on charity when so many companies use them, often commercially.
We hope that these projects can find a new home, and maybe raise enough money from their users to afford such hosting themselves. The issue of funding (F)OSS projects is something that regularly pops up, such as the question of whether FOSS bounties for features are helpful or harmful.
Alpine is not a project you host lightly, with a monthly transfer of about 800TB.
E.g. on EC2 US East region, that’s more than $40k per month in transfer fees.
Hetzner charges 1,19€/TB, which makes roughly 1k€/month for traffic.
Not surprising when people are fleeing Amazon and other hyperscalers for self hosting. Freedesktop are interested in possibly picking up hosting somewhere else, but Alpine are looking to at least own their own servers in colo space, rather than pay for AWS or any other cloud hosting.
What the…I thought Alpine was just another Linux distro.
Seems like they are popular in the hosting space? Why Alpine versus TinyCore (17MB) or Ubuntu server (widely supported, I think)?
Alpine is almost a de-facto standard when it comes to containers, having a huge user base for this application. On this note, TinyCore does not even provide an official Docker image and by default is more of a “normal” distro. Additionally, apk is lighter, faster, and better suited for container build automation. Debian and Ubuntu slim variants are also used, but have considerably bigger footprints.
Alpine has a smaller base image than Ubuntu, while still being a relatively “normal” Linux distro (Tiny Core has all sorts of quirks as to how software works).
Alpine is a really fast, lightweight distro with permissive licensing. A lot of things are built on top of it to take advantage of this.
As others said, it is very popular as a base (starting) image for a lot of Docker containers.
There is one more key difference – it is using musl libc instead of glibc and it is possible to statically link musl (you can’t really statically link glibc). So you can use Alpine as a “build image” in Docker to build binaries that then run 100% on their own – needing only the kernel and nothing else – which is again interesting for containers.
Cloudflare R2 would probably be the best choice for the storage as it allows free egress. 5TB should be about $100/month.
Yeah, I wonder if they could use Cloudflare R2, and hosted CI such as GitHub Actions.
Or just break the mirror into GitHub repo releases, and host the APK index and packages there.
In the meantime, can’t they just buy a used PC and host their project at one of the devs’ homes? A refurb Dell Precision with an i9 9900K and 32G of RAM can be had for about $500. Should be more than enough to run nginx, git, python and make.
Maybe 15 years ago when CGNATs didn’t exist, and when you paid an ISP, you actually got an IPv4 address
If you don’t get your own IP then change ISP.
I use a local cable operator and I get a mostly static* public IP. In fact I can get multiple public IPs at the same time by plugging a switch in after the ISP’s modem and connecting my routers to the switch.
* IP is calculated from MAC used to connect to cable modem ethernet port so as long as MAC doesn’t change it’s pretty much a static IP (or the other way, can be rapidly changed when needed).
I’ve only had one provider in most places I’ve lived, as with my current place (except Starlink, I guess). In the places where I’ve had multiple options, the only fiber option was the only one worth taking.
I’d love to have 3 or 4 ISPs to shop around with for cost, speed, and features, but fact of the matter is, that isn’t the reality in the vast majority of the USA.
I’m not sure you grasp the concept of scale.
Quite. Or reliability.
The monthly transfer of about 800TB might be an issue.
LOL don’t think their home internet’s gonna like uploading 500TB/month lol let alone the speed to do it
That’s only like 1.5 gigabits/second. At least one residential company around here is offering 5 gigabit now, although I’m sure that’s peak, not sustained.
“This raises the uncomfortable question of why such popular open source projects have to depend on charity when so many companies use them, often commercially.”
Best be careful what you ask for there. Inviting corporate funding into FOSS strongholds is rather like welcoming a Trojan horse into your city – for a repeat performance…
Yes, it would be more fair if companies gave more financial or hosting support to the FOSS projects which they benefit from. But corporations are, by their nature, parasitic empire builders. Relying on them to honour the Free (as in speech) and Open principles of FOSS is dangerous.
We need more or a more general foundation that can handle taking corporate donations and distributing them to projects without directly linking the source funds.
That way they can get paid but not have undo influence hanging over them.
Pretending I’m a big corporation, I don’t see me contributing any money to a fund with no control of where it goes. I’m assuming that donor direction of funds would constitute a link.
{sp: undue, though I really do like the idea of being able to undo influence at times :-) }
I could see the corporation directing the funds but it still being anonymized through the foundation. The point being the company can’t threaten to pull funding for its malicious pull requests to get merged.
I thought something was wrong with ‘undo’ but whenever I wrote the comment I clearly didn’t feel like investigating that feeling :P
Yes, this $100m that went out untraceably from our company is definitely a donation to a project which we can’t name. Definitely not for my yacht.
Also, if a company that uses software makes a big donation, it’s not hard to guess what projects they support from what they use.
What’s needed is that lots of companies donate to the project, not just one. Then none of them can have too much power.
Imagine if there was a package manager that used torrents…
Of course there would have to be some trusted signing going on…
It’s probably a solution in search of a problem today but with North America on the brink of returning to the stone age…
AFAIK all Linux distributions already use package signing.
There have been projects like debtorrent, but there are some non-trivial problems. For example you can’t just make each package a separate torrent, as they would be too small and many.
So all of the power for modern infrastructure lies in the hands of a few open source contributors? It seems like companies that rely on such would want to help, lest that little piece in the XKCD comic fails.
Could they go on strike until some rich CEO threw down since they hold the cards?
If the developers go on strike, corporations will just grab the source code and outsource some very skilled, very underpaid nerds in Poland to maintain it for pennies on the dollar. That’s how it’s been done for the last 20+ years.
As a western European, this is already unfair competition inside Europe: Poland still runs its own currency and gets massive EU financial support.
There is obviously skilled labor over there but … well, that sucks.
Less sensitive work was also outsourced to *kraine where programmers were equally skilled but about 3 times cheaper than in Poland, fortunately after 2022 it mostly stopped.
As a not-so-western European I can tell you that
a) you are free to move to Poland and happily use all the benefits there as there are certain freedoms guaranteed in the EU and this is one of them
b) the financial support is not “free as in free beer” – when former Eastern Bloc countries joined the EU, their economies were smaller and weaker than their western counterparts, but after joining the EU, they were forced to open their markets completely (no possibility to protect with tariffs, quotas or anything else) and implement various higher standards for safety in their industries (which is good in the long term, but expensive in the short term) – to compensate, old EU countries proposed a system of subsidies and investment programs to get the new countries up to speed quicker and to somehow level the playing field. Simply said: “you give up all cross-border trade regulation capabilities and in return you will receive a large lump of cash”. Of course we are talking about former Eastern Bloc countries – corruption doesn’t disappear overnight – so many countries were not able to effectively use the provided money – Poland was one of the better ones in this regard – they were able to use the help pretty effectively (not perfect, but better than others) and now they are where they are.
The code is already open source and meeting company needs. If the company needs a feature they pay internal people to make it and then don’t release it (this happens constantly in industry). If the feature is already included then what are you taking away? I fail to understand how this threat has any teeth.
What is certified software?
AI Overview :)
“Certified software” refers to software that has been independently evaluated
and verified by a recognized organization to meet specific quality standards,
often related to security, functionality, performance, or reliability,
signifying that it has passed rigorous testing and meets certain criteria
for its intended use; essentially, it’s a label indicating a level of assurance
regarding the software’s capabilities and compliance with industry standards.
krebs on security posted. :)
w h payne January 30, 2025
A secure app must be accountable for every bit in computer memory by NSA requirements in ~1980s.
Rules changed with Big Tech software technologies invasion in ~1990s?
that’s wild, does amazon really charge 10x as much per gigabyte transfer out as akamai does??
i always imagine these things could be decently crowdsourced. it’s hard to pass around the bucket and get people to throw folding cash in it, but it’s easy to get people to chip in by seeding on bittorrent. when there’s a decent population of seeders, bittorrent is generally very fast. i think bittorrent devs have made some headway on using it to transfer subsets of a collection, and i imagine with a little incentive to try, it would be easy to adapt it even for distributing package repositories.
i don’t know i just think the idea of spending vast funds on hosting seems like the commercial solution to the problem. which, since alpine is widely used commercially, surely will happen. but i can dream what different projects will have to do if their sweetheart hosting deals disappear.
I don’t run anything crazy but my $5 server puts away reliably. Seems like a small group could fund this. Start a premium speed tier or something.
https://www.serverroom.net/
Your cheap server would croak when asked to do the intensity of work, and your ISP would probably silently throttle you or end up charging you a fortune as well… You can easily host a server for yourself, even a small community trying to host a server that is one of the major foundations so many other communities are built upon…
The actual hardware required a small group, even an individual could likely fund, but the ongoing bandwidth costs…