At Sonatype we’ve been the stewards of the Central Repository (Central), the world’s largest component repository of Java and other JVM-related components, since 2007. Based on this experience, I’ve learned first-hand how challenging it can be to serve as the steward for a public repository. I know how hard it is to gain and keep the trust of millions of open source software developers. In my humble opinion, earning trust starts with “picking up a shovel” and solving a problem on behalf of a community to help it grow and flourish. Community trust is further amplified when you can muster enough resources to solve the same problem in a reliable and scalable manner over a period of many years.
But, here’s the thing: operating a public repository in support of millions of developers isn’t easy or free. It requires dedicated and experienced engineers, and it costs money. And you have to be very careful not to screw things up, because if you do, all the trust that you’ve worked so hard to earn can disappear in a second.
Through my years of supporting Maven Central, I have come to understand the critical role that public repositories play in supporting global developer communities. I’ve also come to understand how hard it is to do this job well 24x7x365. For this reason, I can fully understand why it made sense for Microsoft, GitHub, and npm to partner together.
Public Repositories Are Critical Public Infrastructure
Public repositories are critical public infrastructure because they greatly reduce the work required to distribute software to millions of developers. If you have something to share with the world, put it in Maven Central or npm, distribute the coordinates, and in minutes millions of developers have access to the library and the ability to accelerate innovation.
The sheer size of these repositories and volume at which they serve components to developers speaks directly to why it can be so challenging (and expensive) to maintain them in a reliable and trustworthy way.
Separately, it is sobering to look at what's going on with application security today, and how bad actors are targeting public repositories with supply chain attacks such as typosquatting, malicious injection of vulnerabilities, and the non-immutability that we saw with left-pad or, more recently, the Actix web application framework.