Open source registries underfunded as security costs rise
Briefly

"The problem is they don't have enough money to spend on the very security features that we all desperately need to stop being a bunch of idiots and installing fu when it's malware," said Michael Winser, a co-founder of Alpha-Omega, a Linux Foundation project to help secure the open source supply chain. Winser spoke at FOSDEM this year, in a talk we dropped in on virtually."
"Trusted registries are widely treated as a key component of Software Bill of Materials (SBOM)-driven supply chain security efforts, one of the main approaches promoted for securing open source software. Rule one: Get your open source packages from a trusted source. Yet many of these registries operate on razor-thin margins, relying on non-continuous funding from grants, donations, and in-kind resources."
"Google and Microsoft kicked in an initial $5 million to launch Alpha-Omega in 2022 under the Open Source Security Foundation. And the first thing Winser noticed when he ramped up operations was that open source registries are all dirt poor. All the major registries are facing the same issue: They're experiencing exponential growth, even though their investment in infrastructure and people remains flat."
Trusted registries serve as a core part of SBOM-driven software supply chain security, providing a recommended source for open source packages. Many registries operate on razor-thin margins and depend on intermittent grants, donations, and in-kind support rather than sustained revenue. Registry storage and operational costs grow with usage, because published packages accumulate rather than being retired and the collections keep expanding; AI-driven growth adds further storage pressure. Major registries face exponential demand while investment in infrastructure and personnel remains flat. Limited funding prevents the security investments these registries need, threatening the reliability and safety of open source supply chains.
Read at The Register