Skip to main content
08/07/2026

The hidden signals of open-source sustainability

A forrest and the sun shines through the trees

An open-source ecosystem is much like a forest.
Most trees appear healthy from a distance, yet some may already be in decline long before visible signs emerge. The same is true for the open-source projects that form today's software supply chains. Open-source software (OSS) powers much of today's digital infrastructure, from cloud platforms and web frameworks to machine learning libraries and embedded systems.

Most commercial software components depend on open-source projects maintained by global ecosystems. While many of these projects remain healthy and actively maintained, others may gradually lose contributors, accumulate unresolved issues, or struggle to sustain long-term development and infrastructure. For the Bosch Open-Source Program Office (OSPO), this raises an important question: How can potential future struggles in projects be proactively detected?
Ensuring resilient software supply chains requires more than reacting to problems after they occur. It means understanding the health of critical software dependencies and recognizing early warning signs that may indicate future risks. This perspective aligns closely with Bosch's commitment to sustainable open-source and long-term community engagement.

Understanding project health

Assessing project health is not as simple as counting commits or contributors. A project may appear highly active while gradually losing maintainers and critical knowledge. Another project may show less visible activity but remain sustainable thanks to strong governance, efficient maintainers, and an engaged community.
For this reason, project health is increasingly viewed as a combination of multiple dimensions:

  • Community and adoption – interest, usage, and ecosystem relevance
  • Development activity – ongoing maintenance and evolution of the codebase
  • Process quality – responsiveness to issues and contributions
  • Governance and resources – structures that support long-term sustainability
  • Risk and contributor concentration – dependency on a small number of key contributors

These dimensions are not a pass-or-fail checklist. A project can be strong in some areas and weaker in others. Together, they provide a more balanced view of a project's strengths, weaknesses, and, ultimately, its long-term sustainability.
Looking at projects through multiple lenses also reveals an interesting insight: some of the most valuable indicators are not necessarily the most visible ones. Governance structures, documentation quality, and community diversity can sometimes reveal more to researchers and decision-makers about future sustainability than activity metrics alone.

Can future risks be forecast?

This question has motivated Bosch researchers and OSPO colleagues to explore whether project health indicators can help identify risks before they become visible.

As established, open-source projects generate a significant digital footprint, including contribution histories, issue management practices, and community engagement metrics. When analyzed together, these signals may reveal broader patterns about project sustainability. Another goal of the research was to use actual historical data to validate which of these metrics have the highest impact when it comes to predicting future project health.

Rather than classifying projects as simply "healthy" or "unhealthy," this approach recognizes that projects often exhibit distinct configurations of characteristics, each associated with different opportunities and challenges.

In their recent conference talk, "What makes Open Source Projects Sustainable?”, Bosch colleagues used the radar chart depicted below to illustrate how these characteristics manifest in practice. This analysis highlights the existence of distinct groups of OSS projects with characteristic profiles of their own. An OSS project's membership in one of these groups can serve as an initial indicator and a starting point for deeper analysis.

An illustration of how different dimensions manifest in practice
Illustration of how different dimensions manifest in practice

The goal is not to predict the future with certainty. Instead, it is to provide better information for decision-making: identifying projects that may deserve closer attention, additional support, or more active community engagement.

Why it matters

These ideas suggest a different way of looking at open-source dependencies: not as static building blocks, but as evolving projects whose health can change over time.
For organizations that depend on open-source, monitoring project health can complement traditional approaches to dependency management by providing insights into indicators related to long-term sustainability.
This is not about replacing human judgment with dashboards or algorithms. Rather, it is about using data to focus attention where it matters most and to strengthen the resilience of the open-source ecosystems upon which modern industries depend.

Continuing the conversation

Open-source health remains an active topic of discussion across industry and academia. While many questions remain unanswered, one thing is becoming increasingly clear: project health cannot be reduced to a single metric. As described at the outset, a forest is a complex ecosystem where individual trees rely on the collective health of their environment to thrive. In a comparable way, sustainable projects emerge from a combination of healthy communities, effective governance, active development, and resilient contributor networks.

As mentioned earlier, Bosch researchers and OSPO representatives recently discussed these topics at the Open Community Experience (OCX) conference, where Bosch colleagues Max Grzanna and Sven Jeroschewski presented "What makes Open Source Projects Sustainable?”, and shared insights into open-source health indicators, emerging project patterns, and opportunities for more proactive dependency management.

How do you assess the health of your open-source dependencies? Which signals have proven most useful in practice? We would be interested to hear your perspective.

Sven Jeroschewski, Software Engineer and Open-Source Strategist at Robert Bosch GmbH

Sven is a software engineer and open-source strategist at Robert Bosch GmbH. As a member of the Open Source and InnerSource Program Office, he advises the organization on aligning collaborative open-source work with business goals and strategies. Sven studied Computer Engineering at TU Berlin and the University of Oklahoma. As a committer on Eclipse Kuksa and Eclipse SDV Blueprints, he helps to shape a collaborative future for Software-Defined Vehicles.

Sven Jeroschewski

Max Grzanna, Software Engineer at Robert Bosch GmbH

Max Grzanna

Max is a software engineer at Robert Bosch GmbH. As part of the OSPO, he applies and extends open-source technologies to improve software supply-chain resilience and transparency. His work focuses on data-driven engineering, IoT, and embedded systems. Max studied Business Engineering and Computer Science at the Ernst-Abbe-Hochschule Jena and the University of Leipzig.

Johannes Kristan, Senior Expert for Open Source at Robert Bosch GmbH

Johannes is a Senior Expert for open source at Robert Bosch GmbH, where he works with a team of like-minded professionals to develop methods, frameworks, and tools that enable Bosch's engagement in the open-source community. He also serves as a part-time Professor at HTW Berlin.
Before joining Bosch in 2013, he earned a PhD in Software Engineering from the University of Leipzig, Germany, and was a Postdoctoral Researcher at the University of Auckland, New Zealand, focusing on adaptive user interfaces, software product lines, and software reuse.

Johannes Kristan

Share this on: