FOSDEM 2026

Open source registries are in financial peril, a co-founder of an open source security foundation warned after inspecting their books. And it's not just the bandwidth costs that are killing them.
“The problem is they don’t have enough money to spend on the very security features that we all desperately need to stop being a bunch of idiots and installing fu when it’s malware,” said Michael Winser, a co-founder of Alpha-Omega, a Linux Foundation project to help secure the open source supply chain.
Winser spoke at FOSDEM this year, in a talk we dropped in on virtually.
Trusted registries are widely treated as a key component of SBOM-driven (Software Bill of Materials) supply chain security efforts, one of the main approaches promoted for securing open source software. Rule one: get your open source packages from a trusted source.
Yet many of these registries operate on razor-thin margins, relying on non-continuous funding from grants, donations, and in-kind resources.
Google and Microsoft kicked in an initial $5 million to launch Alpha-Omega in 2022 under the Open Source Security Foundation.
And the first thing Winser noticed when he ramped up operations was that open source registries are all dirt poor. All the major registries are facing the same issue: They’re experiencing exponential growth, even though their investment in infrastructure and people remains flat.
“We’re living on borrowed time,” he warned.
Scant money for security
“One of the problems that people have is they actually conflate open source software and open source infrastructure,” Winser said.
Open source software itself is free to use, and its costs don’t increase the more people use it. The costs of registries to hold all open source applications and libraries, however, do indeed keep increasing with greater usage.
Packages don’t go away. Collections just grow larger and larger. And AI is now adding to the pile at a considerable clip.
In 2025, Alpha-Omega took a deep dive into the operations of some of the largest registries, including PyPI, Node.js’s npm, Rust’s Crates.io, RubyGems, and Maven Central for the Java folks.
Winser ginned up a mock version of Family Feud to help FOSDEMers guess the 10 biggest expenses for these registries.
Bandwidth naturally turned out to be the #1 cost, about 25% of the total expenses. Storage (18%), compute (15%) and battling malware (12%) all followed. New feature development barely registers at 2% and documentation wasn’t even in the top 10.
Winser estimated it would cost $1 million in talent and $2 million in infrastructure to run a registry the size of Crates.io, which gets about 240 million downloads a year. And that cost may double by 2030.
Adding to that bill is the growing cost of identifying malware, the proliferation of which has been amplified through the use of AI and scripts. These repositories have detected 845,000 malware packages from 2019 to January 2025 (the vast majority of those nasty packages came to npm).
It now takes a median of 39 hours to remove malicious packages — more than enough time for a self-propagating worm to spread through an ecosystem, as the Shai-Hulud worm did across npm in September 2025.
Secure that bag
The good news may be that “Registries are effective monopolies. They own the name space,” as Winser put it.
But as monopolies, their hold is tenuous at best, because “the cost of spinning up an alternative, crappy registry, is effectively zero,” he added.
Winser went through the various ways of covering expenses, though none, he calculated, could fully defray expenses.
The obvious solution would be to start charging for bandwidth. Caching and mirroring, though they lower bandwidth costs, do not solve the problem. As soon as a registry starts charging, other entities will most likely start caching the artefacts, offering them gratis.
And they should be doing this anyway, Winser noted, for the benefit of the registry. “If you’re not caching you’re a goddamn idiot,” Winser said.
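Caching does not have to mean trusting the cache. The point Winser is making about bandwidth only holds for security if the consumer verifies what the mirror hands back, so here is an added example (not code from the talk or from any registry) of a caching mirror paired with hash-pinned installs: the mirror goes upstream once per artefact, and the installer refuses anything whose digest differs from the pin recorded at resolution time. `CachingMirror`, `install`, the `UPSTREAM` contents and the package bytes are all constructed for this illustration.

```python
# Added illustration: a caching mirror that cannot silently substitute packages
# because the consumer verifies every artefact against a pinned hash.
# CachingMirror, install and the UPSTREAM contents are constructed for this
# example and do not correspond to any real registry or tool.
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, the kind of value a lockfile pins per artefact."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for an upstream registry: name -> version -> archive bytes.
UPSTREAM = {
    "leftpad": {"1.0.0": b"def leftpad(s, n):\n    return s.rjust(n)\n"},
}


@dataclass
class CachingMirror:
    """Serves artefacts from a local cache, going upstream only on a miss."""
    upstream: dict
    cache: dict = field(default_factory=dict)  # (name, version) -> bytes
    upstream_fetches: int = 0

    def fetch(self, name: str, version: str) -> bytes:
        key = (name, version)
        if key not in self.cache:
            self.upstream_fetches += 1
            self.cache[key] = self.upstream[name][version]
        return self.cache[key]


class IntegrityError(Exception):
    """Raised when fetched bytes do not match the pinned digest."""


def install(mirror: CachingMirror, name: str, version: str, pinned: str) -> bytes:
    """Fetch through the mirror; refuse anything whose digest differs from the pin."""
    data = mirror.fetch(name, version)
    actual = sha256_hex(data)
    if actual != pinned:
        raise IntegrityError(f"{name}=={version}: expected {pinned}, got {actual}")
    return data


def demo() -> dict:
    """Run the scenario and return what happened so the outcome can be checked."""
    mirror = CachingMirror(UPSTREAM)
    # The pin would normally come from a lockfile written at dependency resolution time.
    pin = sha256_hex(UPSTREAM["leftpad"]["1.0.0"])
    install(mirror, "leftpad", "1.0.0", pin)
    install(mirror, "leftpad", "1.0.0", pin)  # second install is served from cache
    fetches_after_two_installs = mirror.upstream_fetches

    # A compromised or sloppy mirror swaps in different bytes under the same name/version.
    mirror.cache[("leftpad", "1.0.0")] = b"print('not what you pinned')\n"
    try:
        install(mirror, "leftpad", "1.0.0", pin)
        tampered_rejected = False
    except IntegrityError:
        tampered_rejected = True
    return {
        "upstream_fetches": fetches_after_two_installs,
        "tampered_rejected": tampered_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The real-world equivalents are pip's `--require-hashes` mode with `--hash=sha256:...` entries in the requirements file and npm's per-package `integrity` field in `package-lock.json`: with those in place, an organisation can point every build at a local mirror, cut its upstream bandwidth to one fetch per artefact, and still detect substitution by the mirror or anyone in front of it.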
In some cases benevolent parties cover these bills: the bandwidth PyPI needs to ship copies of its 700,000+ packages (747PB annually, a sustained 189 Gbps) is underwritten by Fastly, for instance. Otherwise, the project would have to pony up about $1.8 million a month.
Yet the costs Winser was most concerned about are not bandwidth or hosting; they are the security features needed to ensure the integrity of containers and packages.
Alpha-Omega underwrites a “distressingly” large amount of security work around registries, he said. It’s distressing because if Alpha-Omega itself were to miss a funding round, a lot of registries would be screwed.
Alpha-Omega’s recipients include the Python Software Foundation, Rust Foundation, Eclipse Foundation, OpenJS Foundation for Node.js and jQuery, and Ruby Central.
Donations and memberships certainly help defray costs. Volunteers do a lot of what otherwise would be very expensive work. And there are grants about.
Winser churned through other ways to pay the bills. How about running an app store? Charging $0.99 per package seems pretty reasonable, yes?
Yet this approach faces several immediate challenges. For starters, the package maintainers will want a cut of that. Setting up and maintaining payment infrastructure would incur additional costs.
Plus, open source developers probably would not be okay with any form of digital rights management, so the containers they will download will be unencumbered and easy to copy around.
Any attempt to monetize a monopoly will immediately result in people routing around it. “They’ve done this time and time again,” Winser said.
Back to square one.
The same problems would apply to a subscription model, in Winser’s view. One person buys a subscription to the registry then shares the log-in with his friends, like you do with your streaming accounts.
How about charging the producers of the open source software? In effect, the registry becomes the publisher. This, Winser argued, would cause a fair number of projects, or companies with open source projects, to set up their own registry sites, fragmenting the community. And who knows what their security posture will be.
Another approach: Add enterprise features, then charge for them. This has worked for some service providers – such as GitHub – so perhaps it could work for registries as well.
Still, corporations aren’t exactly clamoring for enterprise registries, Winser noted. And if they want to pay for security features, it will probably be through a security vendor.
“Anybody have any better ideas?” Winser asked the crowd, rhetorically. One audience member suggested ads.
Winser did not offer a solution, though he suggested the key is to convince the corporate bean counters to consider paid registries as “a normal cost of doing business and have it show up in their opex as opposed to their [open source program office] donation budget.”
“I don’t have the answers,” he admitted.
The cost of free beer
Money is a rarely discussed aspect of open source. The software is just supposed to be like free beer, right?
Hospitals, universities, and museums are all nonprofits, yet they still charge for services. In fact it is good practice; otherwise people will abuse the system. But in open source, the idea of payment remains taboo.
Open source may indeed be like free beer, but no one enjoys their frothy lager served chock full of parasites and bacteria. So maybe we all should get used to ponying up at the bar. ®