10 trillion downloads are crushing open-source repositories - here's what they're doing about it

Deep Dive

Open-source package registries like Maven Central are buckling under 10 trillion annual file downloads—double Google's search queries—yet operate on shoestring budgets. The Linux Foundation is forming the Sustaining Package Registries Working Group to address the 'sustainability gap' exposed by bot traffic, automated builds, and security reports. Sonatype CTO Brian Fox notes that 82% of demand comes from just 1% of IPs, as companies abuse registries as content delivery networks by repeatedly downloading the same code. If these central repositories fail due to cost, burnout, or attacks, the blast radius would extend into banks, hospitals, clouds, and governments that depend on open-source dependencies.

The working group will seek concrete funding, governance, and security practices to keep code flowing at scale. The Open Source Security Foundation's Christopher Robinson emphasizes that registries sit at the front lines of supply-chain security and resilience, requiring evolved stewardship. The initiative aims to align registry leaders and industry stakeholders on practical ways to sustain the infrastructure modern software relies on—moving beyond a charity model to a shared responsibility across the software industry.

Key Points
  • Open-source repositories face 10 trillion annual downloads, double Google's search query volume, with 82% from just 1% of IPs
  • Linux Foundation's Sustaining Package Registries Working Group will tackle funding, governance, and security for overwhelmed registries
  • Failure of central registries would risk supply-chain collapse affecting banks, hospitals, and governments

Why It Matters

Open-source package registries sit in the path of every build; this initiative aims to give that shared infrastructure the funding, governance, and security practices it needs so the software supply chain stays resilient.