Responsibly Sunsetting OSS Projects: A Guide for OSPOs

Not every open source software project can or should live on forever: priorities change, technologies evolve, and interests shift over time. From a corporate perspective, you don’t want your organization to own neglected or abandoned open source projects with security vulnerabilities. However, responsibly sunsetting an open source project is more than just clicking the archive button on your repository. You should also be thinking about how you communicate the change and give any existing users time to transition.

Your organization’s customers and the users of your open source projects might trust the projects found in your repositories because of their relationship with your organization. This is why it’s particularly important for companies to monitor the open source projects owned by the organization and responsibly sunset them when they will no longer be updated. One of the benefits of having an OSPO is that it can help the rest of the organization with processes and best practices for responsibly sunsetting projects.

When I worked in VMware’s OSPO, we had a process for monitoring and sunsetting projects that we’ve documented in the CHAOSS Practitioner Guide: Getting Started with Sunsetting an Open Source Project. This guide uses change requests, new issues, and forks as metrics that can help you identify abandoned or neglected projects along with people who might still be using those projects. The guide also has communication steps for what to do before you archive the project, and there is even a section with special considerations for sunsetting active projects, which can happen when a company is making a shift in strategy and no longer plans to work on a project.

All of these details can be found in the guide, and you can also listen to the CHAOSScast podcast episode where Stefka Dimitrova and I recently discussed the guide and the process we used at VMware. Here’s a short quote from the guide:

“Many open source projects, even widely used ones, become abandoned for a variety of reasons (e.g., evolving interests, family situations, employment changes), but abandonment can be done in a responsible way by proactively sunsetting the project (Miller et al. 2025). Sunsetting is an important consideration for corporate environments where it can be easy to lose track of projects that were created by employees who later walked away from the project and left it abandoned. You don’t want abandoned open source projects with security vulnerabilities sitting in your organization’s source code repositories where someone might trust that project simply because they trust your organization. Finding inactive projects and responsibly sunsetting them is a good business decision and something that many open source teams / Open Source Program Offices (OSPOs) do on a regular basis.”

– The CHAOSS Practitioner Guide: Getting Started with Sunsetting an Open Source Project

Additional Reading: