New Linux Foundation initiative convenes registry leaders to develop shared approaches to funding, governance, and long-term ecosystem resilience.

Fulton, Md. – May 6, 2026 – Sonatype®, the leader in AI-driven DevSecOps and steward of Maven Central, today announced its participation as a founding member of the newly-formed Sustaining Package Registries Working Group. Under the Linux Foundation, the Working Group provides a forum for registry leaders to collaborate on the financial, operational, and infrastructure challenges of sustaining public package registries at global scale.

As open source consumption and publishing move from developer scale to machine scale, reaching close to 10 trillion downloads in 2025, registries are facing a sharp rise in AI-driven demand, bot traffic, automated publishing, security reporting volume, and registry abuse. Those pressures are exposing a broader sustainability gap that now poses a software supply chain security and resilience risk.

“Package registries sit at the front lines of software supply chain security and resilience,” said Christopher Robinson, Chief Technology Officer and Chief Security Architect at the Open Source Security Foundation. “As the pace of consumption, publishing, and attack activity accelerates, the stewardship behind these systems has to evolve as well. This initiative will be an important venue for registry leaders and ecosystem stakeholders to align on practical, community-minded ways to sustain the infrastructure on which modern software depends.”

Building off of the Joint Statement on Sustainable Stewardship, core objectives of the Sustaining Package Registries Working Group include:

• Economic sustainability: Develop funding models registries can adopt to cover infrastructure, operations, maintainers, and governance costs.
• Collective defense: Foster coordinated security practices and information sharing across registries to help the ecosystem detect and respond to threats more effectively.
• Governance enablement: Craft shared policy frameworks and standardized terms to support sustainable funding models.
• Ecosystem education and transparency: Create aligned communications and educational content that helps the ecosystem better understand registry sustainability efforts.

“Open source registries are no longer passive distribution points. They are operational and security-critical systems sitting in the path of nearly every modern software build,” said Brian Fox, Co-founder and CTO of Sonatype. “If we want the software supply chain to remain resilient, we need a serious conversation about how these platforms are funded, governed, and sustained at global scale. It’s time to treat registry sustainability as a shared responsibility across the software industry.”

For an update on the Working Group’s activities, read the latest Joint Statement: Open Infrastructure Is Not Free, Part II: The Hidden Cost of Running Package Registries.

About Sonatype

Sonatype is the leader in AI-driven DevSecOps. As the maintainers of Maven Central and creators of Nexus Repository, Sonatype has spent two decades pioneering how the world manages and secures open source software — making Sonatype the trusted authority for modern software supply chains. With unmatched open source visibility and a unified product suite built for modern software development, Sonatype gives enterprises the intelligence and automated governance they need to harness the full potential of open source and AI. Sonatype handles the complexity behind the scenes: guiding component and model selection, blocking harmful malicious code, automating dependency and vulnerability management, and ensuring faster, more reliable builds — so developers spend more time on innovation and less time on remediation and rework. Trusted by more than 15 million developers, Sonatype helps power secure, modern software development at nearly 2,000 global organizations including 70% of the Fortune 100. To learn more about Sonatype, please visit www.sonatype.com.