Malware scanning, AI slopsquatting, and typosquatting are just a few of the things that package managers do today. Implementing emerging standards like Trusted Publishing ( https://repos.openssf.org/trusted-publishers-for-all-package... ), the Principles for Package Repository Security ( https://repos.openssf.org/principles-for-package-repository-... ), and improved infrastructure hardening will all important.
The key insight is that these are services that require development and operations budgets that scale with their usage.
But that would compete with the commercial offerings of at least one of the organisations sponsoring that message. So I expect they won't do that.
That said, I would love to see more organizations implement private staging repositories for their upstream package supply. This is where they can and should apply policies to protect their applications.
Developing a single multi-protocol or even multiple open source caching proxies will cost real time and money. I'd love to see more solutions here but at this stage it will take more than a few volunteers and a "PRs welcome" in the README.
I covered some of this in one of my previous blogs where i talked about the systemic challenges here that I've uncovered. The heavy users that I spoke to, 100% of them had a repository manager, some Nexus, others Artifactory. And yet the high levels of consumption still persisted. I discussed some of the reasons for this in the blog link below... but I think this refutes the theory that simply having yet another caching proxy solves the problem. It really doesn't. Additionally as Mike discussed, bandwidth is only part of the challenge. Without the people behind the repositories doing the malware response, the curation of namespaces etc, there wouldn't be anything to proxy anyway.
https://www.sonatype.com/blog/free-isnt-free-the-hidden-cost...
michaelw•4mo ago
The root-cause problem is that package managers are funded like charities when they should be operating like non-profits. Their costs scale with usage but their donation-based revenue is dwindling. This problem has been partially masked by generous infrastructure donations but the operational costs are not just network and compute. There's a lot of security engineering development and ops in running a package manager service.