Open Source Registries Don't Have Enough Money to Implement Basic Security
hubie writes:
Free beer is great. Securing the keg costs money:
Open source registries are in financial peril, a co-founder of an open source security foundation warned after inspecting their books. And it's not just the bandwidth costs that are killing them.
"The problem is they don't have enough money to spend on the very security features that we all desperately need to stop being a bunch of idiots and installing fu when it's malware," said Michael Winser, a co-founder of Alpha-Omega, a Linux Foundation project to help secure the open source supply chain.
Winser spoke at FOSDEM this year, in a talk we dropped in on virtually.
Trusted registries are widely treated as a key component of Software Bill of Materials (SBOM)-driven supply chain security efforts, one of the main approaches promoted for securing open source software. Rule one: Get your open source packages from a trusted source.
Yet many of these registries operate on razor-thin margins, relying on non-continuous funding from grants, donations, and in-kind resources.
Google and Microsoft kicked in an initial $5 million to launch Alpha-Omega in 2022 under the Open Source Security Foundation.
And the first thing Winser noticed when he ramped up operations was that open source registries are all dirt poor. All the major registries are facing the same issue: They're experiencing exponential growth, even though their investment in infrastructure and people remains flat.
"We're living on borrowed time," he warned.
"One of the problems that people have is they actually conflate open source software and open source infrastructure," Winser said.
Open source software itself is free to use, and its costs don't increase the more people use it. The costs of registries to hold all open source applications and libraries, however, do indeed keep increasing with greater usage.
Packages don't go away. Collections just grow larger and larger. And AI is now adding to the pile at a considerable clip.
Read more of this story at SoylentNews.