Open source registries don’t have enough money to implement basic security
Summary
At FOSDEM, Michael Winser of Alpha‑Omega warned that major open source registries (PyPI, npm, Crates.io, RubyGems, Maven Central) are underfunded and cannot afford essential security. Registries face rising costs — bandwidth, storage, compute and malware mitigation — while funding remains patchy and non‑continuous: grants, donations and in‑kind support. Winser’s research estimates running a Crates.io‑scale registry costs about US$3m a year today (roughly $1m talent + $2m infrastructure) and could double by 2030. Registries have detected hundreds of thousands of malicious packages, but a median removal time of 39 hours leaves ecosystems exposed. Typical monetisation ideas (charging for bandwidth, subscriptions, app‑store fees, producer charges, enterprise tiers) have serious downsides and risk fragmenting the ecosystem. Alpha‑Omega currently subsidises much of the security work; if its funding falters, many registries would be at risk.
Key Points
- Registries operate on razor‑thin margins and rely heavily on grants, donations and volunteer labour.
- Top expenses are bandwidth (~25%), storage (18%), compute (15%) and malware mitigation (~12%).
- Estimated cost to run a Crates.io‑sized registry: ~US$3m/year today; this may double by 2030 with growth and AI‑driven demand.
- From 2019 to Jan 2025 registries detected about 845,000 malware packages; the median removal time is 39 hours.
- Common monetisation options (charging users or producers, subscriptions, ads, enterprise tiers) can be circumvented or cause fragmentation and don’t fully cover security needs.
- Alpha‑Omega and similar funds currently underwrite a large amount of registry security; their funding instability is a systemic risk.
Context and relevance
Trusted registries are a cornerstone of software supply‑chain security. As organisations increasingly consume open‑source packages and AI accelerates package growth, underfunded registries become a collective weak point. This is directly relevant to developers, security teams, procurement and anyone responsible for maintaining resilient build and deployment pipelines: compromised packages can propagate quickly and cause widespread damage.
Why should I read this?
Because this is the bit everyone pretends is ‘free’ until something nasty lands in your production environment. If you use open‑source packages (and you do), understanding that registries are cash‑strapped helps you argue for budget for mirrors, paid security services or direct contributions — instead of assuming ‘free’ means ‘no cost to secure’.
Source
Source: https://www.theregister.com/2026/02/16/open_source_registries_fund_security/
