Sonatype joins Linux Foundation registry working group

Mon, 11th May 2026
Joseph Gabriel Lagonsin, News Editor

Sonatype has joined the Sustaining Package Registries Working Group as a founding member. The group will operate under the Linux Foundation.

The initiative brings together package registry leaders to address funding, governance and operational issues affecting public registries that support open source software distribution. As steward of Maven Central, Sonatype said the forum is designed to respond to mounting pressure on registries as software consumption and publishing continue to grow.

Public package registries are now a core part of software development, serving as repositories where developers and automated systems download and publish code components. Open source consumption and publishing are shifting from developer scale to machine scale, with downloads expected to approach 10 trillion in 2025, according to Sonatype.

That growth has been matched by heavier automated demand, including AI-driven activity, bot traffic, automated publishing and a rising volume of security reports. Backers of the group argue that these trends are straining registry infrastructure and raising broader concerns about software supply chain resilience.

The move comes amid wider debate over how the open source ecosystem should fund and maintain infrastructure that much of the technology industry uses at little or no direct cost. Sonatype cited estimates that 96% of commercial programs include code created, modified or distributed through public-facing technology forums, while businesses would pay about 3.5 times more to build software without open source, or roughly USD $8.8 trillion.

Core aims

According to Sonatype, the working group has four main priorities, including developing funding models to cover infrastructure, operations, maintainer support and governance costs.

Members also plan to improve coordination on security practices and information sharing across registries, with the aim of helping the ecosystem detect threats and respond more effectively.

Another goal is to create shared policy frameworks and standard terms that could support sustainable funding arrangements. The group also wants to improve communication and education so developers, companies and other users better understand the sustainability issues registries face.

The effort reflects a shift in how package registries are viewed by the organisations that run and rely on them. Rather than serving only as distribution channels for software components, they are increasingly seen as infrastructure with operational and security significance.

Christopher Robinson of the Open Source Security Foundation said the issue has implications for the security of modern software development.

"Package registries sit at the front lines of software supply chain security and resilience," said Christopher Robinson, Chief Technology Officer and Chief Security Architect, Open Source Security Foundation. "As the pace of consumption, publishing, and attack activity accelerates, the stewardship behind these systems has to evolve as well. This initiative will be an important venue for registry leaders and ecosystem stakeholders to align on practical, community-minded ways to sustain the infrastructure on which modern software depends."

Rising pressure

Package registries have come under closer scrutiny as cybersecurity researchers and software suppliers warn about attacks that exploit weaknesses in open source distribution channels. Rising volumes of automated interactions can also increase computing, storage and bandwidth costs for registry operators, while adding to the burden of moderation, maintenance and abuse prevention.

These challenges have become more visible as artificial intelligence tools generate more software output and interact with open source repositories more frequently. Sonatype said the combination of AI-driven demand, registry abuse and growing operational complexity has exposed a sustainability gap that now poses a security and resilience risk to the software supply chain.

Brian Fox of Sonatype said package registries should now be regarded as critical systems within modern software production.

"Open source registries are no longer passive distribution points. They are operational and security-critical systems sitting in the path of nearly every modern software build," said Brian Fox, Co-founder and Chief Technology Officer, Sonatype. "If we want the software supply chain to remain resilient, we need a serious conversation about how these platforms are funded, governed, and sustained at global scale. It's time to treat registry sustainability as a shared responsibility across the software industry."

By placing the initiative within the Linux Foundation, the organisers are seeking a neutral structure for discussion among registry operators and other stakeholders. The group's formation suggests that concerns about the economics and governance of open source infrastructure are moving closer to the centre of industry security discussions, alongside longer-standing attention to code vulnerabilities and compliance.

For companies that depend on open source packages in daily development, the outcome of those discussions could shape how registries are funded, how policies are standardised and how security coordination develops across some of the most widely used software distribution services.