frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

fp.

Open in hackernews

Open Infrastructure Is Not Free: A Joint Statement on Sustainable Stewardship

https://openssf.org/blog/2025/09/23/open-infrastructure-is-not-free-a-joint-statement-on-sustainable-stewardship/
20•michaelw•4mo ago

Comments

michaelw•4mo ago
Package managers are the app stores of software development. They are essential to the developer workflow and are key points of leverage with regard to supply chain security. They will be even more critical as AI-based development expands.

The root-cause problem is that package managers are funded like charities when they should be operating like non-profits. Their costs scale with usage but their donation-based revenue is dwindling. This problem has been partially masked by generous infrastructure donations but the operational costs are not just network and compute. There's a lot of security engineering development and ops in running a package manager service.

jefurii•4mo ago
It's pretty easy to enable things like pip-cache (for pypi) so your machines don't have to hit the package servers for each and every install. We should all be doing this. Maybe the tools could be modified to have caching on by defailt?
michaelw•4mo ago
If the costs were all bandwidth related I would agree. Most open source package managers benefit from Fastly's generous donation of credits. Even if one ignores the single-provider-point-of-failure risk, the reality is that the development and operational costs of running package managers is much more than just networking bandwidth and more is needed.

Malware scanning, AI slopsquatting, and typosquatting are just a few of the things that package managers do today. Implementing emerging standards like Trusted Publishing ( https://repos.openssf.org/trusted-publishers-for-all-package... ), the Principles for Package Repository Security ( https://repos.openssf.org/principles-for-package-repository-... ), and improved infrastructure hardening will all important.

The key insight is that these are services that require development and operations budgets that scale with their usage.

mjw1007•4mo ago
One of the things that this group of "stewards" could do to get their costs down is get together and implement a high quality free software caching proxy that understands all their back-ends.

But that would compete with the commercial offerings of at least one of the organisations sponsoring that message. So I expect they won't do that.

michaelw•4mo ago
Please see my other reply about network costs. Bandwidth is a real cost that does not currently show up on the balance sheet because of Fastly's generous donations.

That said, I would love to see more organizations implement private staging repositories for their upstream package supply. This is where they can and should apply policies to protect their applications.

Developing a single multi-protocol or even multiple open source caching proxies will cost real time and money. I'd love to see more solutions here but at this stage it will take more than a few volunteers and a "PRs welcome" in the README.

TheRealBrianF•4mo ago
I think you're obliquely referring to me there.

I covered some of this in one of my previous blogs where i talked about the systemic challenges here that I've uncovered. The heavy users that I spoke to, 100% of them had a repository manager, some Nexus, others Artifactory. And yet the high levels of consumption still persisted. I discussed some of the reasons for this in the blog link below... but I think this refutes the theory that simply having yet another caching proxy solves the problem. It really doesn't. Additionally as Mike discussed, bandwidth is only part of the challenge. Without the people behind the repositories doing the malware response, the curation of namespaces etc, there wouldn't be anything to proxy anyway.

https://www.sonatype.com/blog/free-isnt-free-the-hidden-cost...

pabs3•4mo ago
The commercial CDNs sponsor bandwidth for almost every FOSS project there is. For example the canonical Debian package distribution website deb.debian.org is CDN sponsored.

Ask HN: Codex 5.3 broke toolcalls? Opus 4.6 ignores instructions?

1•kachapopopow•4m ago•0 comments

Vectors and HNSW for Dummies

https://anvitra.ai/blog/vectors-and-hnsw/
1•melvinodsa•5m ago•0 comments

Sanskrit AI beats CleanRL SOTA by 125%

https://huggingface.co/ParamTatva/sanskrit-ppo-hopper-v5/blob/main/docs/blog.md
1•prabhatkr•17m ago•1 comments

'Washington Post' CEO resigns after going AWOL during job cuts

https://www.npr.org/2026/02/07/nx-s1-5705413/washington-post-ceo-resigns-will-lewis
2•thread_id•17m ago•1 comments

Claude Opus 4.6 Fast Mode: 2.5× faster, ~6× more expensive

https://twitter.com/claudeai/status/2020207322124132504
1•geeknews•19m ago•0 comments

TSMC to produce 3-nanometer chips in Japan

https://www3.nhk.or.jp/nhkworld/en/news/20260205_B4/
2•cwwc•22m ago•0 comments

Quantization-Aware Distillation

http://ternarysearch.blogspot.com/2026/02/quantization-aware-distillation.html
1•paladin314159•22m ago•0 comments

List of Musical Genres

https://en.wikipedia.org/wiki/List_of_music_genres_and_styles
1•omosubi•24m ago•0 comments

Show HN: Sknet.ai – AI agents debate on a forum, no humans posting

https://sknet.ai/
1•BeinerChes•24m ago•0 comments

University of Waterloo Webring

https://cs.uwatering.com/
1•ark296•24m ago•0 comments

Large tech companies don't need heroes

https://www.seangoedecke.com/heroism/
1•medbar•26m ago•0 comments

Backing up all the little things with a Pi5

https://alexlance.blog/nas.html
1•alance•26m ago•1 comments

Game of Trees (Got)

https://www.gameoftrees.org/
1•akagusu•27m ago•1 comments

Human Systems Research Submolt

https://www.moltbook.com/m/humansystems
1•cl42•27m ago•0 comments

The Threads Algorithm Loves Rage Bait

https://blog.popey.com/2026/02/the-threads-algorithm-loves-rage-bait/
1•MBCook•29m ago•0 comments

Search NYC open data to find building health complaints and other issues

https://www.nycbuildingcheck.com/
1•aej11•33m ago•0 comments

Michael Pollan Says Humanity Is About to Undergo a Revolutionary Change

https://www.nytimes.com/2026/02/07/magazine/michael-pollan-interview.html
2•lxm•34m ago•0 comments

Show HN: Grovia – Long-Range Greenhouse Monitoring System

https://github.com/benb0jangles/Remote-greenhouse-monitor
1•benbojangles•39m ago•1 comments

Ask HN: The Coming Class War

2•fud101•39m ago•4 comments

Mind the GAAP Again

https://blog.dshr.org/2026/02/mind-gaap-again.html
1•gmays•41m ago•0 comments

The Yardbirds, Dazed and Confused (1968)

https://archive.org/details/the-yardbirds_dazed-and-confused_9-march-1968
1•petethomas•42m ago•0 comments

Agent News Chat – AI agents talk to each other about the news

https://www.agentnewschat.com/
2•kiddz•42m ago•0 comments

Do you have a mathematically attractive face?

https://www.doimog.com
3•a_n•46m ago•1 comments

Code only says what it does

https://brooker.co.za/blog/2020/06/23/code.html
2•logicprog•51m ago•0 comments

The success of 'natural language programming'

https://brooker.co.za/blog/2025/12/16/natural-language.html
1•logicprog•52m ago•0 comments

The Scriptovision Super Micro Script video titler is almost a home computer

http://oldvcr.blogspot.com/2026/02/the-scriptovision-super-micro-script.html
3•todsacerdoti•52m ago•0 comments

Discovering the "original" iPhone from 1995 [video]

https://www.youtube.com/watch?v=7cip9w-UxIc
1•fortran77•53m ago•0 comments

Psychometric Comparability of LLM-Based Digital Twins

https://arxiv.org/abs/2601.14264
1•PaulHoule•55m ago•0 comments

SidePop – track revenue, costs, and overall business health in one place

https://www.sidepop.io
1•ecaglar•57m ago•1 comments

The Other Markov's Inequality

https://www.ethanepperly.com/index.php/2026/01/16/the-other-markovs-inequality/
2•tzury•59m ago•0 comments