Sonatype Joins Linux Foundation Initiative to Address Open Source Sustainability Crisis

Fulton, Md. –  – DevSecOps solutions provider Sonatype, the steward of Maven Central, today announced its participation as a founding member of the newly formed Sustaining Package Registries Working Group. Under the Linux Foundation, the Working Group provides a forum for registry leaders to collaborate on the financial, operational, and infrastructure challenges of sustaining public package registries at global scale.

As open source consumption and publishing move from developer scale to machine scale, reaching close to 10 trillion downloads in 2025, registries are facing a sharp rise in AI-driven demand, bot traffic, automated publishing, security reporting volume, and registry abuse. Those pressures are exposing a broader sustainability gap that now poses a software supply chain security and resilience risk.

“Package registries sit at the front lines of software supply chain security and resilience,” said Christopher Robinson, CTO and chief security architect at the Open Source Security Foundation, in the announcement. “As the pace of consumption, publishing, and attack activity accelerates, the stewardship behind these systems has to evolve as well. This initiative will be an important venue for registry leaders and ecosystem stakeholders to align on practical, community-minded ways to sustain the infrastructure on which modern software depends.”

Building off of the Joint Statement on Sustainable Stewardship, core objectives of the Sustaining Package Registries Working Group include:

• Economic sustainability: Develop funding models registries can adopt to cover infrastructure, operations, maintainers, and governance costs.
• Collective defense: Foster coordinated security practices and information sharing across registries to help the ecosystem detect and respond to threats more effectively.
• Governance enablement: Craft shared policy frameworks and standardized terms to support sustainable funding models.
• Ecosystem education and transparency: Create aligned communications and educational content that helps the ecosystem better understand registry sustainability efforts.

“Open source registries are no longer passive distribution points. They are operational and security-critical systems sitting in the path of nearly every modern software build,” said Brian Fox, co-founder and CTO of Sonatype. “If we want the software supply chain to remain resilient, we need a serious conversation about how these platforms are funded, governed, and sustained at global scale. It’s time to treat registry sustainability as a shared responsibility across the software industry.”

For an update on the Working Group’s activities, read the latest Joint Statement: Open Infrastructure Is Not Free, Part II: The Hidden Cost of Running Package Registries.