Brian Fox
brianfox.bsky.social
Sonatype CTO
Reposted by Brian Fox
On #OpenSourceSecurity I had a chat with @brianfox.bsky.social about the sustainability letter from the open source package registries

This one is a big deal. The costs for open source are paid by someone; if you don't know who, you need to read this letter.

opensourcesecurity.io/2025/2025-10...
Sustaining Package Repositories with Brian Fox
Brian Fox discusses the challenges and future of open source package repository infrastructure. We discuss the complexities of managing public registries, the impact of overconsumption, and the import...
opensourcesecurity.io
October 6, 2025 at 2:26 PM
Yes all of this. Now it’s time to fix it.
I love reading these articles and thinking "Yup, that's us on the job. We're part of the industrial inefficiency complex"

Artifactory set up but nobody uses it? 👍
CI jobs with zero caching? 👍
+ they can recursively spawn other jobs? 👍
+ they can trigger from simple "fix typo" commits? 👍
Free isn’t free: the infrastructure behind open source has real costs, and it’s time we aligned usage with responsibility.

This morning we jointly launch a new blog and open letter on sustainable stewardship.

www.sonatype.com/blog/from-ab...
September 25, 2025 at 1:05 PM
Free isn’t free: the infrastructure behind open source has real costs, and it’s time we aligned usage with responsibility.

This morning we jointly launch a new blog and open letter on sustainable stewardship.

www.sonatype.com/blog/from-ab...
From Abuse to Alignment: Why We Need Sustainable Open Source Infrastructure
Open source relies on shared infrastructure. Learn why sustainable stewardship is critical to keep ecosystems like Maven Central strong.
www.sonatype.com
September 23, 2025 at 10:34 AM
Good news for Java developers! Central now validates OpenSSF sigstore signatures as part of publishing. If you’re already signing your artifacts with Sigstore, you’ll now get real-time validation feedback in the Central Publisher Portal.

Read more details here: www.sonatype.com/blog/central...
January 29, 2025 at 5:53 PM
Reposted by Brian Fox
📢 The @linuxfoundation.org, with Harvard's Laboratory for Innovation Science, has released Census III of Free and Open Source Software – Application Libraries. 🖥️ Key insights from OpenSSF help reduce FOSS vulnerabilities and secure supply chains. Read more: openssf.org/press-releas...
December 4, 2024 at 3:54 PM