'Open Source Registries Don't Have Enough Money To Implement Basic Security' (theregister.com)
- Reference: 0180843384
- News link: https://news.slashdot.org/story/26/02/22/1926234/open-source-registries-dont-have-enough-money-to-implement-basic-security
- Source link: https://www.theregister.com/2026/02/16/open_source_registries_fund_security/?td=rt-3a
And it's not just because bandwidth is expensive, he said at this year's FOSDEM. "The problem is they don't have enough money to spend on the very security features that we all desperately need..."
> In a follow-up LinkedIn exchange after this article had posted, Winser estimated it could cost $5 million to $8 million a year to run a major registry the size of Crates.io, which gets about 125 billion downloads a year. And this number wouldn't include any substantial bandwidth and infrastructure donations (like Fastly's for Crates.io). Adding to that bill is the growing cost of identifying [2]malware, the proliferation of which has been amplified through the use of AI and scripts. These repositories have detected 845,000 malware packages from 2019 to January 2025 (the vast majority of those nasty packages came to npm)...
>
> In some cases benevolent parties can cover [bandwidth] bills: Python's PyPI registry bandwidth needs for shipping copies of its 700,000+ packages (amounting to 747PB annually at a sustained rate of 189 Gbps) are underwritten by Fastly, for instance. Otherwise, the project would have to pony up about $1.8 million a month. Yet the costs Winser was most concerned about are not bandwidth or hosting; they are the security features needed to ensure the integrity of containers and packages. Alpha-Omega underwrites a "distressingly" large amount of security work around registries, he said. It's distressing because if Alpha-Omega itself were to miss a funding round, a lot of registries would be screwed. Alpha-Omega's [3]recipients include the Python Software Foundation, Rust Foundation, Eclipse Foundation, OpenJS Foundation for Node.js and jQuery, and Ruby Central.
>
> Donations and memberships certainly help defray costs. Volunteers do a lot of what otherwise would be very expensive work. And there are grants about... Winser did not offer a solution, though he suggested the key is to convince the corporate bean counters to consider paid registries as "a normal cost of doing business and have it show up in their opex as opposed to their [open source program office] donation budget."
The dilemma was summed up succinctly by the anonymous Slashdot reader who submitted this story.
"Free beer is great. Securing the keg costs money!"
[1] https://www.theregister.com/2026/02/16/open_source_registries_fund_security/
[2] https://www.theregister.com/2025/09/16/npm_under_attack_again
[3] https://alpha-omega.dev/grants/grantrecipients/
consider the alternative (Score:1)
Microsoft Windows_11, that bloated enshitified malware disguised as an operating system, I will stick with GNU/Linux
*Sigh* Such Pre-2026 Thinking (Score:3)
Stand aside, dinosaurs, we're in 2026 now! All you have to do is spin up an AI agent or two and give them admin credentials. Tell them to secure the registries. Tell them to think *deeply*. Tell them to make no mistakes. Done.
Now was that so hard?
Re: (Score:1)
hilarious
Use BitTorrent for downloads (Score:1)
One idea to reduce costs is use BitTorrent for distribution of the packages. Web site hosts only a torrent file. Everyone has to download via the torrent file. If nobody is seeding.... well then bad luck. If somebody wants a URL for the package manager, they will be required to download from torrent and set up their own local mirror.
Re: (Score:2)
> One idea to reduce costs is use BitTorrent for distribution of the packages.
> Web site hosts only a torrent file.
> Everyone has to download via the torrent file. If nobody is seeding.... well then bad luck.
> If somebody wants a URL for the package manager, they will be required to download from torrent and set up their own local mirror.
Yep, package distribution via peer to peer would happen if those "grants" dried up.
There is every incentive to never have such a system even pop up for the companies selling centralized data access.
ISPs are corporate welfare (Score:1)
Ahh, the great "bandwidth is expensive" lie, the great original scarcity artificially imposed upon the true internet. Just lies to justify theft ("profit") which obtained legal force by convincing those who were unequipped to understand the truth that irrelevant models which happened to be understood by the decision-makers applied to a situation where they simply do not pertain, and thus forced us to evolve things in certain directions which reify the lie; the modus operandi of all capitalism.
To be clear,
Well it's the job of the distribution (Score:2)
The main problem is that "Registries" make the problem of dependencies seem easy. Dependencies are a problem, you trust in code you didn't write. That's why in older environments those dependencies either are managed by your distribution (which will do some minor amount of checking) or installing them is some effort. (though not that much)
This effectively deters you from using dependencies unless it _really_ makes sense. You install a dependency because you want to speak a complex protocol or you need some
Charge per download (Score:2)
50 cents per download for example, maybe 25 cents. Unlimited for donors.
Is that a bad idea?
Let's put it in perspective (Score:3)
While the open source ecosystem is not perfect, its track record wrt all things security is still much better than closed source... Because while open source might lack money here and there, closed source lacks the will.