The Linux Foundation, Sonatype and registry leaders have launched a new initiative to tackle the growing sustainability and security crisis facing open-source package registries amid surging AI-driven software consumption and nearly 10 trillion annual downloads.
The Linux Foundation has launched the Sustaining Package Registries Working Group to address mounting sustainability, governance and software supply chain security challenges affecting open-source package registries as AI-driven software consumption rapidly scales worldwide.
Sonatype, steward of Maven Central — described as the world’s largest open-source Java registry — is a founding member of the initiative, which aims to help registry operators develop sustainable funding models, coordinated security practices and long-term infrastructure resilience strategies.
The move comes as package registry downloads reached nearly 10 trillion in 2025, intensifying pressure on public registries from AI-driven demand, bot traffic, automated publishing, rising security reporting volumes and registry abuse.
The Working Group positions package registries as critical software supply chain infrastructure rather than passive software distribution platforms. Its core focus areas include economic sustainability, collective defence, governance enablement, and ecosystem education and transparency.
“Package registries sit at the front lines of software supply chain security and resilience,” said Christopher Robinson, Chief Technology Officer and Chief Security Architect at the Open Source Security Foundation. “As the pace of consumption, publishing, and attack activity accelerates, the stewardship behind these systems has to evolve as well.”
Brian Fox, Co-founder and CTO of Sonatype, said open-source registries are now “operational and security-critical systems” that require collective industry responsibility to remain resilient at global scale.