Package registries collectively absorbed close to 10 trillion downloads in 2025, driven largely by AI tooling and automated build pipelines. A new Linux Foundation working group is trying to figure out how to pay for the infrastructure before the weight of that demand breaks it.
Sonatype, the DevSecOps company that operates Maven Central, has joined a cluster of registry leaders under the Linux Foundation to form the Sustaining Package Registries Working Group. The group's remit is straightforward: develop shared funding models, security coordination, and governance frameworks for the public package registries that sit underneath virtually every commercial software build.
The scale of the dependency is difficult to overstate. Research from Harvard Business School estimates that 96 percent of commercial software programs include open source code, and that replacing it with proprietary alternatives would cost the industry roughly $8.8 trillion — around 3.5 times what it currently pays nothing to use.
As AI tooling shifts open source consumption from developer-pace to machine-pace, registries are absorbing demand spikes they were never designed to handle. Bot traffic, automated publishing pipelines, and AI-driven vulnerability scanning are all compounding the problem, and the funding models that sustain the infrastructure have not kept pace.
"Package registries sit at the front lines of software supply chain security and resilience," said Christopher Robinson, Chief Technology Officer and Chief Security Architect at the Open Source Security Foundation. "As the pace of consumption, publishing, and attack activity accelerates, the stewardship behind these systems has to evolve as well. This initiative will be an important venue for registry leaders and ecosystem stakeholders to align on practical, community-minded ways to sustain the infrastructure on which modern software depends."
The Working Group's four stated objectives cover economic sustainability, collective defence through coordinated security information sharing across registries, shared governance frameworks, and ecosystem education. It builds on a Joint Statement on Sustainable Stewardship published last September, which made the case that public registries require active investment rather than passive tolerance.
Brian Fox, Co-founder and CTO of Sonatype, argues that the framing of the problem needs to shift: "Open source registries are no longer passive distribution points. They are operational and security-critical systems sitting in the path of nearly every modern software build.
"If we want the software supply chain to remain resilient, we need a serious conversation about how these platforms are funded, governed, and sustained at global scale. It's time to treat registry sustainability as a shared responsibility across the software industry."
The Working Group's formation arrives as regulators on both sides of the Atlantic are increasing scrutiny of software supply chain risk. The EU Cyber Resilience Act and the US Executive Order on software security both place new obligations on organisations that distribute or consume software — pressures that make the governance gap in public registry infrastructure harder to ignore.