Brussels / 31 January & 1 February 2026


The terrible economics of package registries and how to fix them


Package registries are critical infrastructure used by almost all software. As they scale, package registries become critical points of supply chain security. They also become leveraged points of attack. Most registries operate on dwindling funding from grants, donations, and in-kind resources while facing increased costs across every facet of their operation and development. Something has to change.

The Alpha-Omega project has been raising the alarm, funding security improvements, and exploring revenue-generating options with the major package registries. This is a hard problem with multiple players and tradeoffs.

This talk will go over the economic models underlying package registries, the security risks and expectations, and look at some of the revenue experiments happening today.

Speakers

Michael Winser

Links