The InfoQ Podcast

The Hidden Vulnerability of The Open Source Software Supply Chain: The Underlying Infrastructure

Sep 29, 2025
Brian Fox, CTO and co-founder of Sonatype and a key figure in open-source projects like Maven, dives into the implications of the EU Cyber Resilience Act. He discusses the hidden risks it poses to open-source maintainers, highlighting potential legal liabilities and sustainability challenges for registries. Fox reveals how major cloud providers account for much of Maven Central's traffic and suggests solutions such as repository managers and cost structures to tackle inefficiencies in software consumption. His insights are critical for navigating today's complex software landscape.
INSIGHT

Regulation Risks Fragmenting Open Source

  • The EU Cyber Resilience Act tried to impose commercial-style obligations on open source, creating legal and practical risks.
  • Brian Fox warns this could push open source authors to withdraw projects or fragment access by geography.
ANECDOTE

Maintainers Withdrew Projects After CRA

  • Some maintainers immediately pulled their projects worldwide because they feared CRA liabilities and support obligations.
  • Brian Fox reports these withdrawals happened and were not just speculative fear.
INSIGHT

Open Source Infrastructure Runs As Charity

  • Critical open source infrastructure is largely donated and treated like a charity, creating sustainability risk.
  • Brian Fox found consumption is heavily skewed, with a few users driving most traffic and costs.