Updated · ZDNet · May 6
Open-source repositories form Linux Foundation group to tackle sustainability risks

  • The Sustaining Package Registries Working Group brings together Sonatype, OpenSSF, Python Software Foundation, Ruby Central, Rust Foundation and others as repositories face 10 trillion annual downloads.
  • The initiative aims to develop funding models, shared governance, collective security practices and clearer industry messaging as machine-speed builds, AI systems and bot traffic strain registry infrastructure.
  • Registry operators warn these services underpin modern software supply chains, so failures or attacks could disrupt banks, hospitals, cloud providers and governments that depend on open-source packages.

How the Linux Foundation’s 2026 Working Group Is Securing the Future of Package Registries

Overview

In early 2026, explosive growth in open source use and AI development, combined with rising automated bot traffic, placed unsustainable pressure on public package registries. This strain exposed systemic vulnerabilities, highlighted by high-profile supply chain compromises and increasing cyber intrusions. In response, the Linux Foundation formed the Sustaining Package Registries Working Group to develop strategies focused on economic sustainability, governance, collective defense, and ecosystem education. These efforts aim to secure registries through structured funding, standardized policies, shared threat intelligence, and transparency. Pilot programs launched in 2026 will pave the way for broader adoption and AI-driven security tool integration, addressing challenges like maintainer burden and financial sustainability to protect the open source ecosystem's future.

...