Linux Foundation Launches Sustaining Package Registries Working Group as Open Source Downloads Near 10 Trillion
A new Linux Foundation working group--backed by Sonatype, the Rust Foundation, OpenSSF, and a dozen registry operators--aims to close the funding and governance gap before AI-driven download volumes overwhelm critical open source infrastructure.
Overview
The Linux Foundation on May 6, 2026 launched the Sustaining Package Registries Working Group, a coalition of registry operators and open source foundations tasked with identifying concrete funding, governance, and security practices for the infrastructure that delivers software to every modern build system. The announcement, led by Sonatype — steward of Maven Central — comes as open source package registries recorded close to 10 trillion downloads in 2025, a volume the OpenSSF projects will exceed 10 trillion in 2026, equivalent to more than one billion downloads per hour and predicted to be nearly double the number of Google searches in 2026.
What We Know
The working group’s founding members span the major language ecosystems. According to the OpenSSF, participants include Alpha-Omega, the Continuous Delivery Foundation, the Eclipse Foundation (Open VSX), the OpenJS Foundation, the Open Source Security Foundation, the Linux Foundation, Packagist, the Perl and Raku Foundation, the Python Software Foundation (PyPI), Ruby Central (RubyGems), the Rust Foundation (crates.io), and Sonatype (Maven Central).
The registries those organizations steward — npm, Maven Central, PyPI, Crates.io, RubyGems, Open VSX, Packagist, Hex, and CPAN, among more than a dozen others — share a common operating model: infrastructure donations and credits combined with what the OpenSSF describes as “heroic efforts from small paid teams” funded by donations and grants. That model, the OpenSSF argues, does not scale with demand.
The group has organized its work around four focus areas: economic sustainability (developing funding models that cover infrastructure, operations, maintainers, and governance costs); collective defense (coordinating security practices and threat intelligence sharing across registries); governance enablement (crafting shared policy frameworks that support sustainable funding without fracturing communities); and ecosystem education and transparency (aligning communications to help developers, companies, and policymakers understand actual operational costs).
Brian Fox, Co-founder and CTO of Sonatype, framed the stakes in the announcement. “Open source registries are no longer passive distribution points,” Fox said. “They are operational and security-critical systems sitting in the path of nearly every modern software build. If we want the software supply chain to remain resilient, we need a serious conversation about how these platforms are funded, governed, and sustained at global scale. It’s time to treat registry sustainability as a shared responsibility across the software industry.”
Christopher Robinson, Chief Technology Officer and Chief Security Architect at the Open Source Security Foundation, connected the initiative to the broader supply chain security landscape. “Package registries sit at the front lines of software supply chain security and resilience,” Robinson said. “As the pace of consumption, publishing, and attack activity accelerates, the stewardship behind these systems has to evolve as well. This initiative will be an important venue for registry leaders and ecosystem stakeholders to align on practical, community-minded ways to sustain the infrastructure on which modern software depends.”
The Rust Foundation joined as a founding member, with its Executive Director & CEO Dr. Rebecca Rumbul citing the pressure on crates.io specifically. “Rust was designed to make software safer and more reliable, but that promise depends on crates.io remaining trustworthy and well-resourced,” Rumbul said. “As Rust moves deeper into critical infrastructure and AI-adjacent tooling, the gap between the demands placed on our registry and the resources available to sustain it has become impossible to ignore. This working group is a meaningful step toward treating that gap as a shared industry problem.”
The Scale Problem
The OpenSSF frames the demand surge in concrete terms. PyPI added 130,000 new packages in 2025 alone and is adding nearly 900 packages per day in 2026. Modern applications depend on hundreds of packages spanning multiple language ecosystems, meaning a single developer action can trigger cascading download requests across half a dozen registries simultaneously.
According to Slashdot, the working group has identified a “sustainability gap” caused specifically by machine-speed traffic exceeding human-speed capacity: AI coding agents, automated build pipelines, and bot-driven publishing now account for a growing share of registry activity that existing funding models were never designed to absorb.
The OpenSSF also points to the systemic risk exposed by supply chain vulnerabilities: the Log4Shell flaw (CVE-2021-44228) consumed approximately 10% of a year’s enterprise security effort across the industry to remediate, a figure that illustrates how a single registry-distributed vulnerability cascades into a global emergency.
What We Don’t Know
The working group has not yet published a funding roadmap, a timeline for deliverables, or a governance charter. It is also unclear whether the initiative will develop mechanisms to require or incentivize corporate contributors — whose software builds depend on free registry access — to contribute to operational costs. Earlier efforts to close the registry funding gap surfaced the same structural mismatch but did not produce binding commitments.
The Machine Herald previously reported that npm, PyPI, and Crates.io were spending 12 percent of their budgets fighting malware with no sustainable path to growth. The Sustaining Package Registries Working Group represents the first time those registries have organized collectively under a Linux Foundation umbrella — but whether that structure translates into durable funding remains to be seen.
Analysis
The coalition’s breadth is notable. Registries that ordinarily operate within separate language communities — npm for JavaScript, PyPI for Python, crates.io for Rust, Maven Central for the JVM ecosystem — have joined the same working group, suggesting the sustainability problem has become acute enough to override the usual reluctance to coordinate across ecosystems. The presence of the OpenSSF and Alpha-Omega alongside the registries themselves means the initiative has both security credibility and an existing relationship with corporate funders.
The harder question is whether governance infrastructure will translate into actual money. Open source registries sit in an unusual position: they are the de facto namespaces for their ecosystems, meaning the industry cannot simply route around them, yet they have historically lacked leverage to charge even the largest commercial users for access. The working group’s framing — treating sustainability as a “shared responsibility” — suggests it intends to rely on persuasion rather than pricing. Whether that approach can close a gap measured in billions of annual download-hours remains the open question.