michaelw 8 hours ago

Package managers are the app stores of software development. They are essential to the developer workflow and are key points of leverage with regard to supply chain security. They will be even more critical as AI-based development expands.

The root-cause problem is that package managers are funded like charities when they should be operating like non-profits. Their costs scale with usage but their donation-based revenue is dwindling. This problem has been partially masked by generous infrastructure donations but the operational costs are not just network and compute. There's a lot of security engineering development and ops in running a package manager service.