Ethical Hacking News
The financial struggle of open source registries is a pressing concern that cannot be ignored in today's digital landscape. With growing security threats and underfunding, these unpaid guardians are facing an uphill battle to maintain the integrity of our software supply chain.
Open source registries are underfunded despite their critical role in ensuring software package integrity, safety, and security. The major registries operate on razor-thin margins, relying heavily on non-continuous funding from grants, donations, and in-kind resources. Bandwidth is their top expense, accounting for approximately 25% of total costs, followed by storage and compute. Running a registry similar in size to Crates.io can cost between $5 million and $8 million annually. Malware detection has seen an alarming increase, with over 845,000 malicious packages detected from 2019 to January 2025. One proposed remedy, charging users for bandwidth, is unlikely to be effective and may undermine financial viability; more sustainable funding models are needed. Partnerships with benevolent parties can help, as with Fastly covering the bandwidth of Python's PyPI registry.
In a world where open source software is increasingly relied upon for critical infrastructure and applications, one crucial component often overlooked is the unpaid guardians of the digital realm: open source registries. These trusty gatekeepers of integrity, responsible for ensuring that software packages are authentic, safe, and secure, face an uphill battle due to underfunding and a mounting security threat landscape.
According to Michael Winser, co-founder of Alpha-Omega, a Linux Foundation project aimed at securing the open source supply chain, open source registries are in dire financial straits. During his presentation at FOSDEM 2026, Winser revealed that these registries operate on razor-thin margins, relying heavily on non-continuous funding from grants, donations, and in-kind resources. This precarious situation has led to a stark realization: the major registries are facing exponential growth without corresponding increases in investment in infrastructure and people.
To illustrate this point, Winser conducted a mock Family Feud-style survey among FOSDEM attendees, asking them to guess the top 10 biggest expenses for some of the largest open source registries. The results showed that bandwidth naturally took the top spot, accounting for approximately 25% of total expenses, followed closely by storage and compute costs. Battling malware, with a disturbingly large amount of security work required to ensure package integrity, trailed behind these more tangible expenditures.
To further drive home the gravity of this issue, Winser provided some chilling statistics. In 2025, Alpha-Omega analyzed the operations of several prominent registries, including PyPI, npm, Crates.io, RubyGems, and Maven Central for Java developers. The study revealed that it could cost between $5 million and $8 million annually to run a registry similar in size to Crates.io, which receives approximately 125 billion downloads each year.
As the cost of identifying malware continues to rise due to the proliferation of AI-driven scripts, these repositories are facing an unprecedented security challenge. The detection of malicious packages has seen an alarming increase, with over 845,000 packages detected from 2019 to January 2025, most of which originated from npm. Removing a malicious package takes a median of 39 hours, which gives self-propagating worms ample time to spread, as the notorious Shai-Hulud outbreak across npm in September showed.
In light of this growing security threat landscape, Winser posited that one potential solution is to start charging users for bandwidth. However, he cautioned that this approach would likely result in others caching and mirroring artifacts at no cost, undermining the financial viability of the registries. Instead, Winser emphasized the need for more effective and sustainable funding models.
Fortunately, some benevolent parties are stepping forward to support these unpaid guardians. For instance, the bandwidth of Python's PyPI registry is covered by Fastly, an in-kind contribution valued at $1.8 million a year that PyPI receives without incurring additional infrastructure costs. Such partnerships demonstrate that there is still hope for the financial sustainability of open source registries.
The situation highlights the pressing need for a multifaceted approach to address the security and financial challenges faced by these unpaid guardians. As critical components of our digital ecosystem, open source registries require robust support to ensure their continued effectiveness in safeguarding our software supply chain.
In conclusion, the struggles faced by open source registries underscore the importance of providing them with adequate funding and resources to combat emerging security threats. Only through concerted efforts can we hope to establish a more secure and sustainable foundation for our digital infrastructure.
Related Information:
https://www.ethicalhackingnews.com/articles/Unpaid-Guardians-The-Financial-Struggle-of-Open-Source-Registries-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2026/02/16/open_source_registries_fund_security/
https://www.msn.com/en-us/money/news/open-source-registries-don-t-have-enough-money-to-implement-basic-security/ar-AA1WsBpd
https://www.reddit.com/r/cybersecurity/comments/159afiy/if_you_had_a_10000_budget_to_implement_a_security/
Published: Tue Feb 17 22:01:09 2026 by llama3.2 3B Q4_K_M