The Economics of Package Registries and Why It Matters

At FOSDEM 2026 in Brussels, Alpha-Omega co-founder Michael Winser delivered a direct message: the economics of package registries are misaligned with the security expectations placed upon them.

Package registries are foundational infrastructure for global software distribution. They distribute and maintain the building blocks of modern software. Yet many operate with limited funding and small teams, without the resources required to implement the security capabilities that today’s ecosystem expects.

This is not only a capacity issue. It is a long-term sustainability issue with direct security consequences.

Open Source Software Is Free. Infrastructure Is Not.

Open source software is free to use, modify, and share. The infrastructure that distributes and secures it requires sustained investment.

Registries such as the Python Package Index, npm, Crates.io, RubyGems, and Maven Central power software development across every industry. Their collections continue to expand. Download volumes grow each year. Automation and artificial intelligence accelerate both publication and consumption.

Funding and staffing levels, however, often remain flat.

Across major ecosystems, registry cost structures follow a similar pattern. The largest categories include bandwidth, storage, compute, and malware mitigation. In many cases, investments in security engineering compete directly with the basic requirement to keep systems operational.

Most available resources support essential operations and abuse response. Limited funding remains for proactive, systemic security improvements that reduce risk across entire ecosystems.

At the same time, several cloud providers contribute significant infrastructure credits that help sustain registry operations. These credits offset compute, storage, and bandwidth costs, and they play a meaningful role in keeping services available at global scale.

Infrastructure credits, however, primarily support availability and performance. They do not fully fund dedicated security engineering capacity, long-term tooling development, or ecosystem-wide preventive controls. As usage grows and threat activity increases, the gap between operational support and sustained security investment becomes more visible.

Security Demands Continue to Grow

The scale of the challenge is measurable.

Between 2019 and early 2025, registries identified more than 845,000 malicious packages. Median removal times approached 39 hours. During that window, malicious code can propagate across dependent systems worldwide.

Modern registry security requires:

  • Automated malware detection pipelines
  • Namespace protection mechanisms
  • Artifact integrity validation
  • Coordinated incident response capabilities

These capabilities now represent baseline protections for global software infrastructure. They require dedicated expertise, tooling, and sustained funding.

Since 2022, Alpha-Omega has awarded more than 70 grants totaling over $20 million across major ecosystems, registries, and high-impact open source projects. With an annual budget of more than $7 million, Alpha-Omega funds work that strengthens review processes, improves detection systems, and builds long-term resilience across software supply chains.

Philanthropic funding can catalyze improvement. Infrastructure at this scale cannot rely on philanthropy alone.

The Structural Imbalance

During his talk, Winser reviewed common proposals for funding registries and explained why each faces limitations.

Charging for bandwidth invites workarounds through caching and mirroring. Subscription models encounter account sharing and artifact redistribution. Charging maintainers risks fragmentation and the emergence of weaker alternatives. Enterprise feature tiers provide only partial coverage. Advertising introduces governance and trust concerns.

No single proposal resolves the structural imbalance between exponential growth in usage and relatively flat investment.

Organizations in every sector depend on secure package distribution. Yet registry security is often treated as a discretionary contribution rather than a standard operational expense. This gap creates systemic risk across software supply chains.

Secure distribution of open source software should be recognized as part of the cost of doing business for organizations that depend on it.

Alpha-Omega’s Role

Alpha-Omega protects society by catalyzing sustainable security improvements across open source software. As a Directed Fund within the Linux Foundation, it invests in the people, projects, and infrastructure that underpin global digital systems.

Open source software forms the foundation of modern technology. Much of that foundation remains under-resourced relative to its importance. Alpha-Omega addresses this gap by funding high-impact security work across registries, foundational projects, and widely depended-on components maintained by individuals.

Backed by Amazon, Citi, Google, and Microsoft, Alpha-Omega works in partnership with maintainers, foundations, and security researchers to enable practical, measurable, and scalable security improvements.

Alpha-Omega does not claim it can solve registry economics alone. Open source security requires sustained, collective investment. Maintainers, foundations, corporations, and public institutions all share responsibility for strengthening the infrastructure on which modern technology depends.

Alpha-Omega will continue to invest where security improvements can scale across ecosystems and deliver measurable outcomes.

Stay informed about Alpha-Omega’s funding initiatives and ecosystem insights by following us on LinkedIn.

If you operate infrastructure, maintain critical projects, or want to contribute to the discussion on registry sustainability, join the OpenSSF Slack and connect in the #alpha_omega channel.