Open source registries face financial crisis as security costs spiral out of control

Hardware Reporter

Open source registries are struggling to fund basic security measures despite exponential growth in usage, with bandwidth costs only part of the problem as malware detection becomes increasingly expensive.

Open source software registries are facing a critical financial crisis that threatens the security of the entire software supply chain, according to Michael Winser, co-founder of Alpha-Omega, a Linux Foundation project dedicated to securing open source infrastructure.

During a presentation at FOSDEM 2026, Winser revealed that major registries including PyPI, npm, Crates.io, RubyGems, and Maven Central are operating on razor-thin margins despite experiencing exponential growth in usage. The problem extends far beyond simple bandwidth costs, with security features being the most underfunded aspect of these essential services.

The hidden costs behind "free" software

While open source software itself is free to use, the infrastructure required to host and distribute it comes with mounting expenses. Winser explained that many people conflate open source software with open source infrastructure, but they operate under fundamentally different economic models.

"Open source software itself is free to use, and its costs don't increase the more people use it," Winser noted. "The costs of registries to hold all open source applications and libraries, however, do indeed keep increasing with greater usage."

Packages accumulate over time rather than disappearing, creating an ever-growing storage burden. The rise of AI-generated code has accelerated this growth, with new packages being created at an unprecedented rate.

Breaking down the expenses

Winser conducted a comprehensive analysis of registry operations costs, presenting the findings in a creative mock-up of Family Feud. The results painted a concerning picture:

| Expense category        | Percentage of total costs |
|-------------------------|---------------------------|
| Bandwidth               | 25%                       |
| Storage                 | 18%                       |
| Compute                 | 15%                       |
| Malware detection       | 12%                       |
| New feature development | 2%                        |
| Documentation           | Not in top 10             |

Using Crates.io as a benchmark, Winser estimated that running a registry of that scale costs approximately $1 million in talent and $2 million in infrastructure annually. With 240 million downloads per year, these costs could double by 2030.

The malware detection costs are particularly alarming. From 2019 to January 2025, registries detected 845,000 malware packages, with the vast majority appearing in npm. The median time to remove malicious packages is now 39 hours - more than enough time for self-propagating worms to spread through ecosystems, as demonstrated by the Shai-Hulud outbreak in September.

The monopoly problem

"Registries are effective monopolies. They own the name space," Winser explained. However, this monopoly is fragile because "the cost of spinning up an alternative, crappy registry, is effectively zero."

This creates a dangerous situation where registries cannot easily monetize their services without immediately facing competition from free alternatives. When asked about potential solutions, Winser explored several options, each with significant drawbacks.

Bandwidth charging

The most obvious solution - charging for bandwidth - faces immediate challenges. As soon as a registry starts charging, other entities will likely start caching artifacts and offering them for free. Winser emphasized that caching and mirroring should be happening anyway for the benefit of the registry itself.

"If you're not caching you're a goddamn idiot," he bluntly stated.

Some registries have found benevolent sponsors. Python's PyPI, which ships 747 PB of data annually at a sustained rate of 189 Gbps, has its bandwidth needs underwritten by Fastly. Without this sponsorship, the project would face approximately $1.8 million in monthly bandwidth costs.

Alternative monetization strategies

Winser explored multiple revenue models, finding significant obstacles with each:

App store model: Charging $0.99 per package seems reasonable but faces immediate challenges. Package maintainers would demand a cut, payment infrastructure would add costs, and open source developers would reject digital rights management. Any attempt to monetize would lead to people routing around the system.

Subscription model: Similar to the app store problem, one person could buy a subscription and share credentials with friends, undermining the revenue model.

Charging producers: Making registries act as publishers would fragment the community, with many projects setting up their own registries with unknown security postures.

Enterprise features: While this has worked for some service providers like GitHub, corporations aren't clamoring for enterprise registries, and if they want security features, they'll likely go through security vendors instead.

The security funding gap

The most concerning aspect of the crisis is the lack of funding for security features. Alpha-Omega currently underwrites a "distressingly" large amount of security work around registries. This is particularly troubling because if Alpha-Omega itself experiences funding issues, many registries would be left vulnerable.

Alpha-Omega's recipients include major foundations like the Python Software Foundation, Rust Foundation, Eclipse Foundation, OpenJS Foundation, and Ruby Central. The organization relies on donations, memberships, and grants to fund this critical security work.

Breaking the taboo

Money remains a rarely discussed aspect of open source culture. The software is supposed to be "like free beer," but Winser argues this analogy breaks down when considering security.

"Open source may indeed be like free beer, but no one enjoys their frothy lager served chock full of parasites and bacteria," he said.

Winser suggested that the solution may lie in convincing corporate decision-makers to treat paid registries as "a normal cost of doing business" that appears in operational expenses rather than in open source program office donation budgets.

"I don't have the answers," Winser admitted to the FOSDEM audience. "Anybody have any better ideas?"

One audience member suggested advertising as a potential revenue stream, though Winser did not elaborate on this possibility.

The financial crisis facing open source registries represents a critical vulnerability in the software supply chain. As malware threats increase and AI-generated code floods repositories, the lack of sustainable funding for security measures could have severe consequences for the entire technology ecosystem. The question remains whether the open source community can find a viable solution before the costs become unsustainable and the security of countless projects is compromised.