
ZDNET’s key takeaways
- Open-source repositories are collapsing under the strain of 10 trillion downloads annually.
- All the major repositories are joining together to tackle this problem.
- While a lack of funds is a major part of the problem, other issues need to be addressed.
The world runs on open-source software. We all know that. But did you know that companies download over 10 trillion (that’s trillion with a T) open-source code files every year? According to software security provider Sonatype, they do, and the file repository sites that supply that code are burning out from the demand.
As Sonatype CTO Brian Fox, who oversees the Maven Central Java registry, told me earlier this year, Maven is in danger of being overwhelmed by constant downloads. Fox and company have found that 82% of demand comes from just 1% of IPs. That’s because companies are using open-source repositories as if they were content delivery networks (CDNs).
For example, a single company might download the same code hundreds of thousands of times in a day, and the next day, and the next. What’s a non-profit, open-source code repository to do?
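The two figures above, demand concentrated in a tiny fraction of client IPs and one client re-fetching the same artifact over and over, are both things a registry operator (or a company auditing its own egress) can measure from ordinary access logs. The script below is an added example, not code from ZDNET, Sonatype, or any registry; the log format is a constructed Apache/nginx "combined"-style line, and every IP address and artifact path in it is made up for illustration.

```python
"""Added example (not from the article or any registry project): measure how
concentrated download demand is across client IPs, flag clients that fetch the
same artifact repeatedly, and estimate how many requests a per-client cache
(or an in-house proxy mirror) would have absorbed.

Assumptions: logs are in a combined-style format; sample lines below are
constructed with documentation-range IPs and hypothetical artifact paths.
"""
import math
import re
from collections import Counter

# ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample traffic: one CI host re-downloads the same jar five times
# in a minute; a few other clients fetch artifacts once. The last line is
# deliberately truncated to show that unparseable lines are skipped.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2025:10:00:01 +0000] "GET /maven2/org/example/lib/1.2.3/lib-1.2.3.pom HTTP/1.1" 200 2048
203.0.113.10 - - [10/Mar/2025:10:00:02 +0000] "GET /maven2/org/example/lib/1.2.3/lib-1.2.3.jar HTTP/1.1" 200 524288
203.0.113.10 - - [10/Mar/2025:10:00:14 +0000] "GET /maven2/org/example/lib/1.2.3/lib-1.2.3.jar HTTP/1.1" 200 524288
203.0.113.10 - - [10/Mar/2025:10:00:27 +0000] "GET /maven2/org/example/lib/1.2.3/lib-1.2.3.jar HTTP/1.1" 200 524288
203.0.113.10 - - [10/Mar/2025:10:00:39 +0000] "GET /maven2/org/example/lib/1.2.3/lib-1.2.3.jar HTTP/1.1" 200 524288
203.0.113.10 - - [10/Mar/2025:10:00:51 +0000] "GET /maven2/org/example/lib/1.2.3/lib-1.2.3.jar HTTP/1.1" 200 524288
198.51.100.7 - - [10/Mar/2025:10:01:03 +0000] "GET /maven2/org/example/lib/1.2.3/lib-1.2.3.jar HTTP/1.1" 200 524288
198.51.100.8 - - [10/Mar/2025:10:01:10 +0000] "GET /maven2/org/example/other/2.0.0/other-2.0.0.jar HTTP/1.1" 200 131072
192.0.2.44 - - [10/Mar/2025:10:01:22 +0000] "GET /maven2/org/example/lib/1.2.3/lib-1.2.3.jar HTTP/1.1" 200 524288
192.0.2.45 - - [10/Mar/2025:10:01:30 +0000] "GET /maven2/org/example/other/2.0.1/other-2.0.1.jar HTTP/1.1" 404 -
198.51.100.9 - - [10/Mar/2025:10:01:41 +0000] "GET
"""


def parse_log(text):
    """Return one dict per well-formed log line; malformed lines are dropped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def demand_share(records, top_fraction=0.01):
    """Share of all requests made by the busiest `top_fraction` of client IPs
    (at least one IP). Returns (share, [top ips])."""
    per_ip = Counter(r["ip"] for r in records)
    if not per_ip:
        return 0.0, []
    k = max(1, math.ceil(len(per_ip) * top_fraction))
    top = per_ip.most_common(k)
    share = sum(count for _, count in top) / len(records)
    return share, [ip for ip, _ in top]


def repeated_downloads(records, threshold=3):
    """(ip, path) pairs fetched at least `threshold` times: the 'registry used
    as a CDN' pattern, where a build fleet never caches what it already has."""
    pairs = Counter((r["ip"], r["path"]) for r in records)
    return {key: n for key, n in pairs.items() if n >= threshold}


def redundant_requests(records):
    """Requests a per-client cache or proxy mirror would have absorbed:
    every fetch of an (ip, path) pair after the first one."""
    pairs = Counter((r["ip"], r["path"]) for r in records)
    return sum(n - 1 for n in pairs.values())


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    share, top = demand_share(recs)
    print(f"{len(recs)} requests; top client(s) {top} account for {share:.0%}")
    for (ip, path), n in repeated_downloads(recs).items():
        print(f"{ip} fetched {path} {n} times")
    print(f"{redundant_requests(recs)} requests were avoidable with a local cache")
```

On real logs the interesting output is the last number: it is the portion of the hosting bill the article describes that a consumer could remove simply by putting a caching proxy between its CI fleet and the public registry, which also reduces the consumer's exposure to a registry outage.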
We’re facing a supply‑chain resilience risk
The people running them are finally saying, collectively, “This can’t stay a charity forever.” Now, under the Linux Foundation, a new Sustaining Package Registries Working Group will seek to identify concrete funding, governance, and security practices to keep code flowing as download counts grow.
It all started with a scaling problem. In the last few years, consumption and publishing across public package registries have grown to insane levels. Those 10 trillion downloads? That’s double Google’s annual search queries, and unlike Google, the open-source sites are doing it on a shoestring.
Here’s the problem: Because software builds, continuous integration pipelines, and AI systems hammer registries at machine speed rather than human speed, the sites can’t keep up. That growth has brought a surge in bot traffic, automated publishing, security reports, and outright abuse, exposing what the working group bluntly calls a “sustainability gap.” In other words, we’re now facing supply‑chain resilience risk, not just a hosting bill.
As Fox explained, “Open-source registries are no longer passive distribution points. They are operational and security-critical systems sitting in the path of nearly every modern software build. If we want the software supply chain to remain resilient, we need a serious conversation about how these platforms are funded, governed, and sustained at a global scale. It’s time to treat registry sustainability as a shared responsibility across the software industry.”
Registry sites are more than download mirrors
He’s right. Open-source registry sites are no longer simple download mirrors. They are security‑critical systems that sit directly in the path of almost every modern software build. If any of the central registries falter, whether due to cost, burnout, or a successful attack, the blast radius would extend far beyond open‑source communities into banks, hospitals, clouds, and governments that rarely think about where their code dependencies come from.
Christopher Robinson, CTO and chief security architect at the Open Source Security Foundation (OpenSSF), added, “Package registries sit at the front lines of software supply chain security and resilience. As the pace of consumption, publishing, and attack activity accelerates, the stewardship behind these systems has to evolve as well. This initiative will be an important venue for registry leaders and ecosystem stakeholders to align on practical, community-minded ways to sustain the infrastructure on which modern software depends.”
“This is larger than any one registry,” Fox noted. “What began as an operational reality on Maven Central is no longer best understood as a Maven Central story. The same pattern is appearing across ecosystems. More machine traffic. More automation. More scanning. More expectations around uptime, integrity, provenance, and policy enforcement. More cost. More support burden. More dependency on infrastructure that the industry still talks about as though it runs on goodwill and spare time.” Spoiler alert: It doesn’t.
To tackle that, Sonatype has teamed up with the Linux Foundation and other package registry leaders, including Alpha-Omega, Eclipse Foundation (OpenVSX), OpenJS Foundation, OpenSSF, Packagist, Python Software Foundation, Ruby Central (RubyGems), and the Rust Foundation (Crates). The idea is to give operators a neutral forum to discuss money, governance, and shared operational burdens openly. Once that’s dealt with, they’ll coordinate how to explain those realities back to companies and organizations that have long assumed registries are “free.” No, they’re not. They never were.
As the Linux Foundation pointed out, “Registries today run primarily on two things: (1) infrastructure donations and credits; and (2) heroic efforts from small paid teams (themselves funded by donations and grants) and unpaid volunteers that operate and maintain registry services. The bulk of donations and grants comes from a small set of donors and doesn’t scale with demands on the registry.”
Repositories need more than cash
The working group is explicitly positioned as a venue where registry leaders and ecosystem stakeholders can align on “practical, community‑minded” ways to sustain that infrastructure, rather than each operator improvising its own survival plan in isolation.
While open-source repositories desperately need more cash to meet demand, it’s not just about the money. A host of other requirements need to be addressed. These are:
- Economic sustainability: Develop funding models that can actually cover infrastructure, operations, maintainers, and governance, instead of relying on heroic volunteerism plus a few corporate logos.
- Collective defense: Coordinate security practices and information sharing across registries so they can detect and respond to threats faster as attackers automate and scale their own activity.
- Governance enablement: Craft shared policy frameworks and standardized terms that make it politically and legally possible to introduce sustainable funding models without fracturing communities.
- Ecosystem education and transparency: Align messaging and educational content so developers, companies, and policymakers finally understand what it costs to run these services, and why “infinite free downloads forever” was never a realistic plan.
Some groups already address these issues, but none have policies and people in place for all of them. By working together, it’s hoped they’ll develop a framework that all repositories can use without everyone having to reinvent the wheel.
Supporting open-source repositories has become a mission-critical issue for everyone in the software business. Until recently, however, it’s been invisible. We no longer have the luxury of assuming volunteers will keep the doors of open-source code libraries open. These sites must have our support, or we’re all going to be in trouble developing, building, and running the programs our companies need to keep the lights on.