The Hidden Vulnerability of The Open Source Software Supply Chain: The Underlying Infrastructure

Sep 29, 2025

Brian Fox, CTO and co-founder of Sonatype and a key figure in open-source projects like Maven, dives into the implications of the EU Cyber Resilience Act. He discusses the hidden risks it poses to open-source maintainers, highlighting potential legal liabilities and sustainability challenges for registries. Fox reveals how major cloud providers account for much of Maven Central's traffic and suggests innovative solutions like repository managers and cost-structures to tackle inefficiencies in software consumption. His insights are critical for navigating today’s complex software landscape.

Ask episode

AI Snips

Chapters

Books

Transcript

Episode notes

INSIGHT

Regulation Risks Fragmenting Open Source

The EU Cyber Resilience Act tried to impose commercial-style obligations on open source, creating legal and practical risks.
Brian Fox warns this could push open source authors to withdraw projects or fragment access by geography.

ANECDOTE

Maintainers Withdrew Projects After CRA

Some maintainers immediately pulled their projects worldwide because they feared CRA liabilities and support obligations.
Brian Fox reports these withdrawals happened and were not just speculative fear.

INSIGHT

Open Source Infrastructure Runs As Charity

Critical open source infrastructure is largely donated and treated like a charity, creating sustainability risk.
Brian Fox found consumption is heavily skewed, with a few users driving most traffic and costs.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

Software supply chain veteran Brian Fox unpacks the security implications of the new EU Cyber Resilience Act and its profound impact on open-source projects. He reveals the hidden infrastructure risks threatening open-source projects and shares insights for senior software leaders navigating this regulatory landscape. Read a transcript of this interview: http://bit.ly/46nxjUM Subscribe to the Software Architects’ Newsletter for your monthly guide to the essential news and experience from industry peers on emerging patterns and technologies: https://www.infoq.com/software-architects-newsletter Upcoming Events: InfoQ Dev Summit Munich (October 15-16, 2025) Essential insights on critical software development priorities. https://devsummit.infoq.com/conference/munich2025 QCon San Francisco 2025 (November 17-21, 2025) Get practical inspiration and best practices on emerging software trends directly from senior software developers at early adopter companies. https://qconsf.com/ QCon AI New York 2025 (December 16-17, 2025) https://ai.qconferences.com/ QCon London 2026 (March 16-19, 2026) https://qconlondon.com/ The InfoQ Podcasts: Weekly inspiration to drive innovation and build great teams from senior software leaders. Listen to all our podcasts and read interview transcripts: - The InfoQ Podcast https://www.infoq.com/podcasts/ - Engineering Culture Podcast by InfoQ https://www.infoq.com/podcasts/#engineering_culture - Generally AI: https://www.infoq.com/generally-ai-podcast/ Follow InfoQ: - Mastodon: https://techhub.social/@infoq - X: https://x.com/InfoQ?from=@ - LinkedIn: https://www.linkedin.com/company/infoq/ - Facebook: https://www.facebook.com/InfoQdotcom# - Instagram: https://www.instagram.com/infoqdotcom/?hl=en - Youtube: https://www.youtube.com/infoq - Bluesky: https://bsky.app/profile/infoq.com Write for InfoQ: Learn and share the changes and innovations in professional software development. - Join a community of experts. - Increase your visibility. - Grow your career. https://www.infoq.com/write-for-infoq