\n<\/p>\n
<\/div> Follow ZDNET: <\/em>Add us as a favorite source<\/span><\/a><\/span> On Google.<\/em><\/p>\n The world runs on open-source software. We all know this. But did you know that companies download more than 10 trillion (trillion with a t) open-source code files every year? According to software security provider Sonatype, they do \u2013 and the file repository sites that supply that code are being overwhelmed by demand.<\/p>\n As sonatype<\/a> CTO Brian Fox, who oversees Maven Central Java Registry<\/a>Told me earlier this year, Maven is in danger of being overwhelmed by constant downloads<\/a>. Fox & Company has found that 82% of demand comes from just 1% of IPs. This is because companies are using open-source repositories as if they were content delivery networks (CDNs). <\/p>\n Also: 98% of IT leaders want digital sovereignty: Now SUSE is driving it for companies everywhere<\/strong><\/p>\n For example, the same company may download the same code hundreds of thousands of times in one day, and even the next day. What should a non-profit, open-source code repository do?<\/p>\n The people running these are finally collectively saying, “This can’t be a charity forever.” Now, under Linux Foundation<\/a>A new Sustaining Package Registry Working Group will try to identify solid funding, governance, and security practices to keep the code flowing as download numbers grow.<\/p>\n It all started with a scaling problem. Over the past few years, consumption and publication in public package registries has increased to enormous levels. Those 10 trillion downloads? That’s double Google’s annual search queries, and unlike Google, open-source sites are doing it in a much shorter amount of time. <\/p>\n The problem is: because software builds, continuous integration pipelines, and AI systems operate registries at machine speed rather than human speed, sites can’t keep up. That growth has brought an increase in bot traffic, automated publishing, security reports, and outright abuse, exposing what the working group apparently calls a \u201cstability gap.\u201d In other words, we now face a risk not just to the hosting bill, but to supply-chain resilience.<\/p>\n Also: New rules for AI-assisted code in the Linux kernel: What every developer needs to know<\/strong><\/p>\n As Fox explained, “Open-source registries are no longer passive distribution points. They are operational and security-critical systems running along the way to nearly every modern software build. If we want the software supply chain to remain resilient, we need to have a serious conversation about how these platforms are funded, governed, and maintained on a global scale. Now is the time to treat registry sustainability as a shared responsibility in the software industry.”<\/p>\n He is right. Open-source registry sites are no longer simple download mirrors. They are security-critical systems that sit directly in the path of almost every modern software build. If any of the central registries falter, whether due to cost, burnout, or a successful attack, the scope of the explosion will spread beyond open-source communities to banks, hospitals, the cloud, and governments that rarely think about where their code dependencies come from.<\/p>\n Christopher Robinson, CTO and Chief Security Architect Open Source Security Foundation<\/a> (OpenSSF) said, “Package registries sit at the front lines of software supply chain security and resiliency. As consumption, publishing, and attack activity accelerates, the management behind these systems must evolve as well. This initiative will be an important venue for registry leaders and ecosystem stakeholders to align on practical, community-minded ways to maintain the infrastructure on which modern software depends.”<\/p>\nZDNET Highlights<\/h3>\n
\n
We face supply-chain resilience risks <\/h2>\n
Registry Sites Are More Than Download Mirrors<\/h2>\n