Open source registries face financial crisis, threatening software supply chain security

Security Strategy, Plan, Budget, Supply chain

Coverage from The Register indicates that open source registries are facing severe financial difficulties, as warned by Michael Winser, a co-founder of Alpha-Omega, a Linux Foundation project. These critical infrastructure components, essential for software supply chain security, are struggling with escalating costs that far outstrip their current funding models.

Winser highlighted that many major registries, including PyPI, npm, Crates.io, RubyGems, and Maven Central, are experiencing exponential growth in usage while investment in infrastructure and personnel stays flat. Key expenses include bandwidth (25%), storage (18%), compute (15%), and combating malware (12%). The cost to run a registry like Crates.io is estimated at $3 million annually, potentially doubling by 2030. The increasing volume of malware, amplified by AI, further strains resources, with a median of 39 hours required to remove malicious packages.

Current funding models, relying on grants and donations, are insufficient to cover operational and security costs. Winser suggested that convincing corporations to view paid registries as a normal operational expense, rather than a donation, is crucial. Without sustainable funding, the ability of these registries to invest in essential security features, like malware detection and package integrity, is compromised, potentially leading to widespread vulnerabilities.

Source: The Register
