The Hidden Vulnerability of The Open Source Software Supply Chain: The Underlying Infrastructure
Sep 29, 2025
Brian Fox, CTO and co-founder of Sonatype and a key figure in open-source projects like Maven, dives into the implications of the EU Cyber Resilience Act. He discusses the hidden risks it poses to open-source maintainers, highlighting potential legal liabilities and sustainability challenges for registries. Fox reveals how major cloud providers account for much of Maven Central's traffic and suggests solutions such as repository managers and cost structures to tackle inefficiencies in software consumption. His insights are critical for navigating today's complex software landscape.
Regulation Risks Fragmenting Open Source
- The EU Cyber Resilience Act tried to impose commercial-style obligations on open source, creating legal and practical risks.
- Brian Fox warns this could push open source authors to withdraw projects or fragment access by geography.
Maintainers Withdrew Projects After CRA
- Some maintainers immediately pulled their projects worldwide because they feared CRA liabilities and support obligations.
- Brian Fox reports these withdrawals happened and were not just speculative fear.
Open Source Infrastructure Runs As Charity
- Critical open source infrastructure is largely donated and treated like a charity, creating sustainability risk.
- Brian Fox found consumption is heavily skewed, with a few users driving most traffic and costs.