
Open Source Registries Join Linux Foundation Working Group to Address Machine-Generated Traffic (zdnet.com)

(Saturday May 09, 2026 @11:34PM (EditorDavid) from the free-as-in-frequent dept.)


Under the nonprofit Linux Foundation, "a new Sustaining Package Registries Working Group will seek to identify concrete funding, governance, and security practices," [1]reports ZDNet, "to keep code flowing as download counts grow.... Because software builds, continuous integration pipelines, and AI systems hammer registries at machine speed rather than human speed, the sites can't keep up.

"That growth has brought a surge in bot traffic, automated publishing, security reports, and outright abuse, exposing what the working group bluntly calls a 'sustainability gap'." Sonatype CTO Brian Fox, who oversees the Maven Central Java registry, estimates open-source registries saw 10 trillion downloads in 2025. And "The [2]same pattern is appearing across ecosystems. More machine traffic. More automation. More scanning. More expectations around uptime, integrity, provenance, and policy enforcement. More cost. More support burden. More dependency on infrastructure that the industry still talks about as though it runs on goodwill and spare time."

ZDNet reports that "To tackle that, Sonatype has teamed up with the Linux Foundation and other package registry leaders, including Alpha-Omega, Eclipse Foundation (OpenVSX), OpenJS Foundation, [3]OpenSSF, Packagist, Python Software Foundation, Ruby Central (RubyGems), and [4]the Rust Foundation (Crates)."

> The idea is to give operators a neutral forum to discuss money, governance, and shared operational burdens openly. Once that's dealt with, they'll coordinate how to explain those realities back to companies and organizations that have long assumed registries are "free." No, they're not. They never were. As the Linux Foundation pointed out, "Registries today run primarily on two things: (1) infrastructure donations and credits; and (2) heroic efforts from small paid teams (themselves funded by donations and grants) and unpaid volunteers that operate and maintain registry services. The bulk of donations and grants comes from a small set of donors and doesn't scale with demands on the registry."

>

> The working group is explicitly positioned as a venue where registry leaders and ecosystem stakeholders can align on "practical, community-minded" ways to sustain that infrastructure, rather than each operator improvising its own survival plan in isolation.

ZDNet says the group will also coordinate security practices and information, and craft frameworks "that make it politically and legally possible to introduce sustainable funding models without fracturing communities." And they will also "align messaging and educational content so developers, companies, and policymakers finally understand what it costs to run these services."



[1] https://www.zdnet.com/article/open-source-repositories-are-being-overwhelmed-but-there-is-an-answer/

[2] https://www.sonatype.com/blog/open-is-not-costless-reclaiming-sustainable-infrastructure

[3] https://openssf.org/blog/2026/05/06/open-infrastructure-is-not-free-part-ii-the-hidden-cost-of-running-package-registries/

[4] https://rustfoundation.org/media/rust-foundation-and-package-registry-leaders-unite-to-address-open-source-sustainability-crisis/



I'm curious what the response will be. (Score:2)

by fuzzyfuzzyfungus ( 1223518 )

It's essentially impossible to make a good argument for some uncached CI lunacy that has you outperforming the overtly malicious as a source of traffic; but if there's one thing that reliably upsets people it's getting called on convenient behavior that they can't readily justify; so I'm genuinely curious what the ratio of sensible adjustment to unhinged freakout by bro whose subsidy is not in fact a law of nature they'll see.

Re: (Score:2)

by dskoll ( 99328 )

I say: Let them freak out. What are they gonna do about it?

Re: (Score:2)

by fuzzyfuzzyfungus ( 1223518 )

If the 'AI' guys are anything to go by; probably get increasingly elaborate with their attempts to bypass whatever rate limiting is put in place. It's honestly sort of wild seeing the hottest, most heavily capitalized, elements of 'tech' wrap around so rapidly and with so little concern toward the sort of traffic patterns you normally associate with criminals as soon as it's in their interests. At one time I would have been surprised.

They oughta just torrent it. (Score:2)

by T34L ( 10503334 )

It feels like it'd be in the best self-interest of all the agentic "developers" to mirror all the open source sources and documentation in a decentralized, peer-to-peer manner. It should be pretty trivial to get an identical "security" guarantee by just validating checksums of whatever you download with the authoritative hosts at a fraction of the cost to them, while potentially saving everyone a lot of bandwidth and time, as it's pretty likely half the time the agents would just download the sources from the bazil
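The pattern the comment describes (bulk bytes from an untrusted mirror, only the small digest record from the authoritative host) as an added example, not code from the commenter or from any registry; the authoritative index and the mirror are constructed in-memory stand-ins, and the digest record is assumed to have been fetched over an authenticated channel (TLS to the registry), since the guarantee only holds if that record itself cannot be swapped.

```python
"""Mirror-first fetch that accepts bytes only if they match the registry's digest."""
import hashlib
import hmac

# Constructed stand-in for the authoritative registry's metadata endpoint:
# (project, version, filename) -> "algorithm=hexdigest".  Only this small
# record is fetched from the registry; the tarball itself is not.
AUTHORITATIVE_INDEX = {
    ("widget", "1.2.0", "widget-1.2.0.tar.gz"):
        "sha256=" + hashlib.sha256(b"widget 1.2.0 release tarball").hexdigest(),
}

# Constructed stand-in for an untrusted P2P / local mirror: filename -> bytes.
# The second entry simulates a mirror that served altered content.
MIRROR = {
    "widget-1.2.0.tar.gz": b"widget 1.2.0 release tarball",
    "widget-1.2.0-altered.tar.gz": b"widget 1.2.0 release tarball (modified)",
}

SUPPORTED_DIGESTS = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}


def expected_digest(project, version, filename):
    """Return (algorithm, hexdigest) from the authoritative index.

    Rejects unknown or weak algorithms so a mirror cannot downgrade the check
    by pointing at a record it can forge."""
    record = AUTHORITATIVE_INDEX[(project, version, filename)]
    algo, _, hexdigest = record.partition("=")
    if algo not in SUPPORTED_DIGESTS or not hexdigest:
        raise ValueError(f"unsupported digest record for {filename}: {record!r}")
    return algo, hexdigest.lower()


def fetch_verified(project, version, filename, mirror_filename=None):
    """Fetch from the mirror; return the bytes only if they match the
    authoritative digest, otherwise raise ValueError.

    mirror_filename lets the caller pick a different mirror object than the
    canonical name, which is how the altered-content case is exercised."""
    algo, want = expected_digest(project, version, filename)
    data = MIRROR[mirror_filename or filename]
    got = SUPPORTED_DIGESTS[algo](data).hexdigest()
    # Constant-time comparison: the mirror's bytes are untrusted input.
    if not hmac.compare_digest(got, want):
        raise ValueError(
            f"digest mismatch for {filename}: mirror {got[:12]}..., index {want[:12]}...")
    return data
```

A bad mirror costs the client one failed download and a retry against another mirror; it never costs the registry the bulk bandwidth.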

Re: (Score:2)

by martin-boundary ( 547041 )

And just like that.... we're reinventing Usenet.

Re: (Score:2)

by T34L ( 10503334 )

I mean, why not?

Re: (Score:3)

by martin-boundary ( 547041 )

I think it's a great idea. It was a technically reasonable solution to sharing the costs of hosting and serving content when the web was small. It got run over by spam and trolls and warez eventually but we've learned a lot about content moderation and filtering in the last 25 years.

The main issue is that companies feel they can't monetize their own content if they have no way to control distribution servers, but that should not be a consideration for open source provided it's the kind of open source that

Re: (Score:2)

by martin-boundary ( 547041 )

Hush now, trumpist, we've debated this to death in another story. You lost.

I had to shut down automated access (Score:2)

by dskoll ( 99328 )

I have a few open-source packages I wrote and maintain and I had to block downloads of one of them behind a form that required entering the answer to a question. CI systems from all over the world were just hammering my system.

I think this is the future: No more automated downloads. If you want automated access to packages, you'll have to download them once by hand and make your own mirror.

I've also had to password-protect my Forgejo instance to block AI bots. The password is given right on the welco

Re: (Score:2)

by T34L ( 10503334 )

Do you feel at least a little bit of an urge to make a honeypot version that no human would ever download on accident but which CIs would grab, that'd simply fail unpredictably, maybe with error messages that'd be extremely clear to a human but contain some safety guardrail breaking verbiage that'd take an LLM for a lengthy thinking token loop?

Re: (Score:2)

by TurboStar ( 712836 )

That's the correct solution if you don't want people to find your stuff. Other folks are thinking bigger than you. Your comment adds nothing of value here because it's literally addressed in the summary: "...rather than each operator improvising its own survival plan in isolation."

Re: (Score:2)

by outsider007 ( 115534 )

Or you could put them on npm / PyPI like a normal person.
