Open Source & The Commons
Why the Internet's Free Pastures Keep Getting Eaten Bare
The same economic logic that destroyed medieval English grazing land is quietly degrading the digital infrastructure billions of people depend on every day.
The Idea
In 1968, ecologist Garrett Hardin published a paper describing a scenario so elegant it became a shorthand for an entire class of problem: shared resources, rationally exploited by individuals, inevitably collapse. He called it the tragedy of the commons. The intuition is simple — if everyone benefits from a shared pasture but only the individual herder pays the cost of adding one more animal, every rational herder adds animals until the pasture is dust. The internet has its own commons, and they are under exactly this pressure — just in ways that are harder to see than overgrazed fields. Open source software is the most striking example. The libraries and frameworks underpinning vast swaths of the modern web — OpenSSL, Log4j, curl, dozens of others — are maintained by tiny numbers of often unpaid volunteers. These tools are not peripheral. They are load-bearing walls. When a vulnerability in OpenSSL called Heartbleed was discovered in 2014, it had been quietly sitting in code used by roughly two-thirds of all secure web traffic for two years. The tragedy here is not malice but structure. Every company that builds on an open source library benefits from it. Almost none of them contribute back. The logic is identical to Hardin's herder: contribution costs you, and defection costs you nothing visible. The pasture looks fine — until suddenly it doesn't.
In the World
In January 2022, a security researcher named Lunasec discovered a catastrophic vulnerability in Log4j, a Java logging library so ubiquitous that even sophisticated engineering teams had lost track of everywhere they were using it. The exploit was trivially easy: send a specially crafted string of text to almost any service, and a remote attacker could execute code on the server. Within days, hundreds of millions of devices were potentially exposed — from enterprise systems to Minecraft servers. Log4j was maintained, at the time, by a handful of volunteers as part of the Apache Software Foundation. No full-time staff, no dedicated security team, no budget. These were people contributing in evenings and on weekends, motivated largely by the satisfaction of building something useful. When the vulnerability broke, they worked around the clock to patch it. The world barely noticed them — it just noticed the crisis. What followed was a brief, intense conversation in government and industry circles about software supply chain security. The US government issued executive guidance. Some large technology companies quietly began sponsoring the Apache Foundation. But the structural incentive — to consume open source without contributing — remained largely intact. The pasture was patched. The herd kept growing.
Why It Matters
Understanding this dynamic changes how you read technology news. When you hear about a major security breach traced back to some obscure library, the story is rarely about bad code or careless programmers. It is about a resource that was collectively depended upon and collectively underinvested in — a predictable outcome once you know the pattern. It also reframes what 'free' means online. Open source software is free in the sense that you do not pay for it directly. But it is not free in the sense that it has no cost. That cost is just displaced — onto a small group of maintainers absorbing it on everyone else's behalf, often invisibly, often indefinitely. If you work in or around technology, this matters practically: the companies and projects that fund open source maintainers, adopt contribution policies, or audit their software dependencies are doing something structurally important, not just reputationally virtuous. And if you are simply a curious observer, you now have a lens for why seemingly stable digital infrastructure occasionally and dramatically fails — not from nowhere, but from a long, slow, entirely legible exhaustion.
A Question to Ponder
If the people maintaining the tools your daily life quietly depends on burned out and walked away tomorrow, how long would it take you — or anyone — to notice?
Get a new one of these every morning.
Start learning with Thinkable