OpenSSF warns that open source infrastructure doesn't run on thoughts and prayers

stapp · Sep 23, 2025

The Open Source Security Foundation (OpenSSF) has had enough of being the unpaid janitor of the world's software supply chain.
A coalition of heavyweight open source foundations issued a joint statement via the foundation on Tuesday, declaring that "open infrastructure is not free" and warning that the critical machinery behind modern software development is being stretched to breaking point.
Click to expand...

Package registries like Maven Central, PyPI, crates.io, npm, and Packagist handle billions of downloads every month, yet the organizations running them are often scraping by on donations, grants, and the goodwill of a few sponsors.
Click to expand...

https://www.theregister.com/2025/09/23/openssf_open_source_infrastructure/

reasonablePrivacy · Sep 23, 2025

If you think how many big enterprise bussinesses and financial institutions use Java, and thus most often
by extension Maven Central this is crazy that they are struggling financially (supposedly - I didn't read their financial statements). Granted, most enterprises have some sort of proxy/cache that also scans these (supposedly) for vulnerabilities but still...

Log in or Sign up

OpenSSF warns that open source infrastructure doesn't run on thoughts and prayers

stapp Global Moderator

reasonablePrivacy Registered Member

Log in or Sign up

OpenSSF warns that open source infrastructure doesn't run on thoughts and prayers

stapp Global Moderator

reasonablePrivacy Registered Member

Useful Searches