Boerland Essay Opens Drupal Infrastructure Debate on Sovereignty and Cost
Drupal community members are debating whether the project’s critical infrastructure should become more federated after Bert Boerland, chair of Stichting Drupal Nederland, argued that sovereignty, governance, and cost remain unresolved risks for the project. In a LinkedIn essay dated 6 July 2026, Bert framed those three issues as connected infrastructure problems rather than separate technical concerns.
The discussion matters because Drupal.org is not only a public website for the project. It is the place through which much of Drupal’s software supply chain, security information, contribution workflow, and community infrastructure is coordinated. That makes the debate relevant to contributors, agencies, site owners, public-sector users, and the Drupal Association, which administers Drupal.org on behalf of the community.
Bert’s central concern is not whether Drupal is open source. His question is whether a global open-source project should depend so heavily on infrastructure operating under one legal jurisdiction. The argument links digital sovereignty to practical questions: who controls access to distribution, who pays for infrastructure, and how the project reduces exposure to operational or legal disruption.
His essay uses the case of International Criminal Court prosecutor Karim Khan as an illustration of jurisdictional dependence. The example should be read narrowly in the Drupal context. It is not a comment on the underlying political dispute, but a warning about what can happen when access to critical digital services depends on entities subject to one government’s legal orders.
The factual basis for that example has been reported elsewhere. The Associated Press reported on 15 May 2025 that Microsoft cancelled Khan’s email address, forcing him to move to Proton Mail. Reuters reported on 10 February 2025 that Khan was the first individual designated under US sanctions targeting the International Criminal Court.
For Drupal, the relevance is the mechanism. A legal order can affect access to digital infrastructure even when the affected institution is international. Bert’s essay asks whether Drupal should reduce similar concentration risks before a crisis tests the project’s assumptions.
The governance question follows from that risk. Drupal is built by contributors across countries, companies, and public institutions, but final-mile distribution and much of the collaboration infrastructure still depend on Drupal.org. The Drupal Association’s own infrastructure description says Drupal.org delivers update servers, Composer-ready packages, security releases, package signing for automatic updates, Git hosting, CI runners, localisation files, and contribution-credit systems.
The argument does not require treating the Drupal Association as a problem. The Association runs infrastructure the project depends on, and that work carries real cost. The question raised by the discussion is whether a mature global project should gradually distribute more operational responsibility for package access, mirrors, trust signals, and funding.
Cost is where the discussion becomes most concrete. Tiffany Farriss, CEO of Palantir.net, broadly agreed with the direction of the argument in the LinkedIn discussion but cautioned that federation is not cost-free. Tiffany said US-based Drupal infrastructure is already funded asymmetrically, that a shared commitment to fully fund existing infrastructure is still missing, and that package federation would not solve the broader Drupal.org collaboration-infrastructure problem by itself.
James Jackson Abrahams, director at FreelyGive, added a policy caution. James said European Commission involvement may be worth exploring, but would require procurement mechanisms, lobbying, budget lines, and a consortium larger than Drupal alone. He also warned that direct public funding could create its own dependency if political priorities change.
Bert points to FAIR, Federated and Independent Repositories, as one possible technical path. FAIR describes its goal as improving software supply-chain security while creating a decentralised distribution model in which no single entity controls the chain end to end. The Linux Foundation announced the FAIR Package Manager project on 6 June 2025, describing it as a federated repository model for trusted plugins and themes in the WordPress ecosystem.
In plain terms, FAIR separates distribution into roles. Repository nodes can host packages, aggregators can help with discovery, and trust or labelling systems can help users assess sources. That model does not remove the need for governance, funding, or security review, but it changes the assumption that one central service must remain the only practical route to package access.
Bert also points to TYPO3 as a nearby example for Drupal to study. A CloudFest hackathon project page says participants explored FAIR-based package management for TYPO3, including extension discovery from multiple sources, metadata validation, and tooling for signed and verifiable package publishing. The page presents the work as progress toward decentralised extension distribution, but it should not be overstated as proof that Drupal could adopt the same model without governance, security, and funding work.
Other replies in the discussion widened the issue beyond package management. Mathias Bolt Lesniak, TYPO3 Project Ambassador, framed FAIR as larger than any one CMS and argued for communities hosting one another’s repositories. Kieran Lal, founder of Rosso LLC, connected sovereignty to software supply-chain security and suggested that security may make the case more urgent than sovereignty alone. Rachel Lawson, an open-source contributor, framed federation as risk mitigation rather than a challenge to the Drupal Association’s importance.
The European policy context gives the Drupal discussion wider relevance. On 17 April 2026, the European Commission said European Union institutions, bodies, offices, and agencies could procure sovereign cloud services for up to €180 million over six years. The Commission said the procurement was intended to strengthen digital sovereignty and avoid lock-in by a single provider.
That context does not mean Drupal should expect the European Commission to fund federated Drupal infrastructure. It does show that the language now appearing in Drupal is part of a broader policy conversation about control, resilience, and dependency in digital infrastructure. For a project used by public institutions and large organisations, those concerns are not abstract.
The open questions remain substantial. A federated model would need answers on who pays for mirrors, who decides what gets mirrored, how package trust is assigned, how security advisories are coordinated, what role the Drupal Association retains, and how the community avoids exchanging one dependency for another. Those questions are governance questions as much as technical ones.
Bert’s essay has moved a specialised infrastructure concern into a broader Drupal governance discussion about responsibility, cost, jurisdiction, and trust. The next step is not simply choosing a tool such as FAIR, but deciding what resilience should mean for Drupal’s infrastructure and who is prepared to support it.


