Rust Foundation and Package Registry Leaders Unite to Address Open Source Sustainability Crisis
Fulton, Md., USA – May 6, 2026 – The Rust Foundation, the independent nonprofit dedicated to advancing the performance, safety, and sustainability of the Rust programming language, today announced its participation as a founding member of the newly formed Sustaining Package Registries Working Group. Under the Linux Foundation, the Working Group provides a forum for registry leaders to collaborate on the financial, operational, and infrastructure challenges of sustaining public package registries at global scale.
As open source consumption and publishing move from developer scale to machine scale, reaching close to 10 trillion downloads in 2025, registries are facing a sharp rise in AI-driven demand, bot traffic, automated publishing, security reporting volume, and registry abuse. Those pressures are exposing a broader sustainability gap that now poses a software supply chain security and resilience risk.
Building on the Joint Statement on Sustainable Stewardship, the core objectives of the Sustaining Package Registries Working Group include:
- Economic sustainability: Develop funding models registries can adopt to cover infrastructure, operations, maintainers, and governance costs.
- Collective defense: Foster coordinated security practices and information sharing across registries to help the ecosystem detect and respond to threats more effectively.
- Governance enablement: Craft shared policy frameworks and standardized terms to support sustainable funding models.
- Ecosystem education and transparency: Create aligned communications and educational content that helps the ecosystem better understand registry sustainability efforts.
“Rust was designed to make software safer and more reliable, but that promise depends on crates.io remaining trustworthy and well-resourced. As Rust moves deeper into critical infrastructure and AI-adjacent tooling, the gap between the demands placed on our registry and the resources available to sustain it has become impossible to ignore. This working group is a meaningful step toward treating that gap as a shared industry problem.” — Dr. Rebecca Rumbul, Executive Director & CEO of the Rust Foundation.
“Open source registries are no longer passive distribution points. They are operational and security-critical systems sitting in the path of nearly every modern software build. If we want the software supply chain to remain resilient, we need a serious conversation about how these platforms are funded, governed, and sustained at global scale. It’s time to treat registry sustainability as a shared responsibility across the software industry.” — Brian Fox, Co-founder and CTO of Sonatype
“Package registries sit at the front lines of software supply chain security and resilience. As the pace of consumption, publishing, and attack activity accelerates, the stewardship behind these systems has to evolve as well. This initiative will be an important venue for registry leaders and ecosystem stakeholders to align on practical, community-minded ways to sustain the infrastructure on which modern software depends.” — Christopher Robinson, Chief Technology Officer and Chief Security Architect at the Open Source Security Foundation
For an update on the Working Group’s activities, read the latest Joint Statement: Open Infrastructure Is Not Free, Part II: The Hidden Cost of Running Package Registries.
About the Rust Foundation
The Rust Foundation is an independent nonprofit organization dedicated to the safety, security, and sustainability of the Rust programming language and the people who use it. Through partnerships with corporate members and the open source community, the Foundation stewards the long-term health of Rust by investing in its maintainers, infrastructure, security, interoperability, and governance. Learn more at https://rustfoundation.org