The terrible economics of package registries and how to fix them
K.3.201 | Day 1 | 13:30 - 13:55 | Speakers: Michael Winser
Abstract
Package registries are critical infrastructure used by almost all software. As they scale, package registries become critical points of supply chain security. They also become high-leverage points of attack. Most registries operate on dwindling funding from grants, donations, and in-kind resources while facing increased costs across every facet of their operation and development. Something has to change.
The Alpha-Omega project has been raising the alarm, funding security improvements, and exploring revenue-generating options with the major package registries. This is a hard problem with multiple players and tradeoffs.
This talk will go over the economic models underlying package registries, the security risks and expectations, and look at some of the revenue experiments happening today.