Maple Grove Report

ZDNET’s key takeaways

  • Open-source repositories are collapsing under the strain of 10 trillion downloads annually.
  • All the major repositories are joining together to tackle this problem.
  • While a lack of funds is a major part of the problem, other issues need to be addressed.

The world runs on open-source software. We all know that. But did you know that companies download over 10 trillion (that’s trillion with a T) open-source code files every year? According to software security provider Sonatype, they do, and the file repository sites that supply that code are burning out from the demand.

As Sonatype CTO Brian Fox, who oversees the Maven Central Java registry, told me earlier this year, Maven is in danger of being overwhelmed by constant downloads. Fox and company have found that 82% of demand comes from just 1% of IPs. That’s because companies are using open-source repositories as if they were content delivery networks (CDNs). 

For example, a single company might download the same code hundreds of thousands of times in a day, and the next day, and the next. What’s a non-profit, open-source code repository to do?

We’re facing a supply‑chain resilience risk 

The people running them are finally saying, collectively, “This can’t stay a charity forever.” Now, under the Linux Foundation, a new Sustaining Package Registries Working Group will seek to identify concrete funding, governance, and security practices to keep code flowing as download counts grow.

It all started with a scaling problem. In the last few years, consumption and publishing across public package registries have grown to insane levels. Those 10 trillion downloads? That’s double Google’s annual search queries, and unlike Google, the open-source sites are doing it on a shoestring. 

Here’s the problem: Because software builds, continuous integration pipelines, and AI systems hammer registries at machine speed rather than human speed, the sites can’t keep up. That growth has brought a surge in bot traffic, automated publishing, security reports, and outright abuse, exposing what the working group bluntly calls a “sustainability gap.” In other words, we’re now facing supply‑chain resilience risk, not just a hosting bill.

As Fox explained, “Open-source registries are no longer passive distribution points. They are operational and security-critical systems sitting in the path of nearly every modern software build. If we want the software supply chain to remain resilient, we need a serious conversation about how these platforms are funded, governed, and sustained at a global scale. It’s time to treat registry sustainability as a shared responsibility across the software industry.”

Registry sites are more than download mirrors

He’s right. Open-source registry sites are no longer simple download mirrors. They are security‑critical systems that sit directly in the path of almost every modern software build. If any of the central registries falter, whether due to cost, burnout, or a successful attack, the blast radius would extend far beyond open‑source communities into banks, hospitals, clouds, and governments that rarely think about where their code dependencies come from.

Christopher Robinson, CTO and chief security architect at the Open Source Security Foundation (OpenSSF), added, “Package registries sit at the front lines of software supply chain security and resilience. As the pace of consumption, publishing, and attack activity accelerates, the stewardship behind these systems has to evolve as well. This initiative will be an important venue for registry leaders and ecosystem stakeholders to align on practical, community-minded ways to sustain the infrastructure on which modern software depends.”

“This is larger than any one registry,” Fox noted. “What began as an operational reality on Maven Central is no longer best understood as a Maven Central story. The same pattern is appearing across ecosystems. More machine traffic. More automation. More scanning. More expectations around uptime, integrity, provenance, and policy enforcement. More cost. More support burden. More dependency on infrastructure that the industry still talks about as though it runs on goodwill and spare time.” Spoiler alert: It doesn’t.

To tackle that, Sonatype has teamed up with the Linux Foundation and other package registry leaders, including Alpha-Omega, Eclipse Foundation (OpenVSX), OpenJS Foundation, OpenSSF, Packagist, Python Software Foundation, Ruby Central (RubyGems), and the Rust Foundation (Crates). The idea is to give operators a neutral forum to discuss money, governance, and shared operational burdens openly. Once that’s dealt with, they’ll coordinate how to explain those realities back to companies and organizations that have long assumed registries are “free.” No, they’re not. They never were.

As the Linux Foundation pointed out, “Registries today run primarily on two things: (1) infrastructure donations and credits; and (2) heroic efforts from small paid teams (themselves funded by donations and grants) and unpaid volunteers that operate and maintain registry services. The bulk of donations and grants comes from a small set of donors and doesn’t scale with demands on the registry.” 

Repositories need more than cash 

The working group is explicitly positioned as a venue where registry leaders and ecosystem stakeholders can align on “practical, community‑minded” ways to sustain that infrastructure, rather than each operator improvising its own survival plan in isolation.

While open-source repositories desperately need more cash to meet demand, it’s not just about the money. A host of other requirements need to be addressed. These are:

  • Economic sustainability: Develop funding models that can actually cover infrastructure, operations, maintainers, and governance, instead of relying on heroic volunteerism plus a few corporate logos.
  • Collective defense: Coordinate security practices and information sharing across registries so they can detect and respond to threats faster as attackers automate and scale their own activity.
  • Governance enablement: Craft shared policy frameworks and standardized terms that make it politically and legally possible to introduce sustainable funding models without fracturing communities.
  • Ecosystem education and transparency: Align messaging and educational content so developers, companies, and policymakers finally understand what it costs to run these services, and why “infinite free downloads forever” was never a realistic plan.

Some groups already address these issues, but none have policies and people in place for all of them. By working together, it’s hoped they’ll develop a framework that all repositories can use without everyone having to reinvent the wheel. 

Supporting open-source repositories has become a mission-critical issue for everyone in the software business. Until recently, however, it’s been invisible. We no longer have the luxury of assuming volunteers will keep the doors of open-source code libraries open. These sites must have our support, or we’re all going to be in trouble developing, building, and running the programs our companies need to keep the lights on. 

Sony fans hoping for a cheaper way into the next console generation may need to lower their expectations. The latest PlayStation 6 talk points away from a true PS6 Lite, even as fresh speculation keeps circling around a more affordable entry point for Sony’s next hardware lineup.

The problem isn’t just cost. The hardware now being discussed for a handheld setup doesn’t sound like a natural fit for a living room console that has to look good on a 4K TV. A chip designed around lower power and a smaller screen creates a very different target from the one most players expect at home.

That leaves Sony in a familiar bind. A lower price would widen the audience, but only if the console still gives studios a reasonable hardware target and buyers a version of next-gen gaming that doesn’t feel like a compromise.

Why the Lite idea falls apart

The biggest issue is the gap between handheld performance and TV performance. A game that looks fine on a 1080p portable display won’t automatically hold up the same way on a much larger 4K screen, and that difference adds more work for developers trying to support both.

The chip itself also seems to be a weak foundation for a home system. Rumors say it’s built around low-power libraries and doesn’t scale well to higher clocks, which makes the idea of pushing it into a full-size console much harder to justify. Even heavy upscaling would add more strain and more tuning work.

The version that makes more sense

That doesn’t shut the door on a cheaper PS6. It just makes a handheld-based home console look like the wrong way to get there.

A more realistic option is a trimmed version of the main system. Sony could cut costs through memory, storage, board complexity, and cooling, lowering the bill of materials without forcing studios to support a radically different machine.

What Sony may do instead

That is the more believable path from here. If Sony wants a lower-cost PlayStation 6, it will probably come from a pared-back standard model rather than a Lite-style box built around handheld hardware.

That approach would be easier to build, easier to explain, and easier for developers to support. So if you’re waiting for a pocket-friendly PS6 Lite, you probably shouldn’t expect one anytime soon.