'Open Source Registries Don't Have Enough Money To Implement Basic Security'

Published: (February 22, 2026 at 03:34 PM EST)
2 min read
Source: Slashdot

Background

Google and Microsoft contributed $5 million to launch Alpha‑Omega in 2022, a Linux Foundation project aimed at securing the open source supply chain. Its co‑founder, Michael Winser, warned at FOSDEM that open source registries are in financial peril because they rely on intermittent funding from grants and donations rather than a steady revenue stream. “The problem is they don’t have enough money to spend on the very security features that we all desperately need,” he said.

Cost Estimates for Running a Registry

In a follow‑up LinkedIn exchange, Winser estimated that operating a major registry the size of crates.io would cost $5 million to $8 million per year. Crates.io handles about 125 billion downloads a year. This estimate excludes substantial bandwidth and infrastructure donations, such as Fastly’s support for crates.io.

The growing cost of identifying malware also adds to the burden. From 2019 to January 2025, repositories detected 845,000 malware packages, the vast majority of which appeared on npm.

Bandwidth and Infrastructure

Benevolent third parties sometimes cover the bandwidth bill. For example, Python’s PyPI registry serves copies of its 700,000+ packages (about 747 PB a year, a sustained rate of roughly 189 Gbps) with bandwidth underwritten by Fastly. Without that support, the project would need to spend about $1.8 million per month.

Security Funding Challenges

Winser emphasized that the most concerning costs are not bandwidth or hosting, but the security features required to ensure the integrity of containers and packages. Alpha‑Omega underwrites a “distressingly” large amount of security work for registries. If Alpha‑Omega were to miss a funding round, many registries would be jeopardized.

Alpha‑Omega’s recipients include:

  • Python Software Foundation
  • Rust Foundation
  • Eclipse Foundation
  • OpenJS Foundation (Node.js and jQuery)
  • Ruby Central

Donations and memberships help defray costs, and volunteers perform many tasks that would otherwise be expensive. However, Winser did not present a concrete solution; he suggested only that corporate decision‑makers need to treat paying for registries as a normal operating expense rather than as a donation routed through their open source program offices.

Perspective

An anonymous Slashdot reader summed up the dilemma:

“Free beer is great. Securing the keg costs money!”
