“[The] community is defined by those who show up and do the work. Companies that build open source into their products rarely participate in their continued maintenance,” the ASF said in a position paper published ahead of a high-level White House meeting on open-source software security.

“Only a tiny percentage of downstream companies (reusing the same code within their own products) choose to participate [in maintaining the code],” the Foundation said, noting that any future directives must “avoid placing additional unfunded burdens on the few maintainers who are already doing the work.”