Josh welcomes Mike Milinkovich and Thabang Mashologu from the Eclipse Foundation to talk about their new managed Open VSX registry. This is the first open source package registry to create a commercial operation for large company users to help fund the registry. We discuss how we got here, what’s actually going on, and why this commercial approach is working. Everyone knew this day would come, and it looks like the Eclipse Foundation got this one right.
This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.
Episode Transcript
Josh Bressers (00:00) Today Open Source Security is talking to Mike Milinkovich, the executive director of the Eclipse Foundation, and Thabang Mashologu, the chief marketing officer of the Eclipse Foundation. These two fine gentlemen have come today to talk about the Open VSX registry and some, I think, really exciting things that are going on. So Mike and Thabang, welcome to the show. I’ll let the two of you kind of fight over who gets to do their little self-intro first, but I’m really excited.
Mike Milinkovich (00:23) Ha ha.
Alright, I’ll do a self intro, and then Thabang do a self intro, and then I wanna do an intro on what the heck Open VSX is. So hi, I’m Mike. Been the executive director of the Eclipse Foundation for a really long time, and of course seen a lot of changes in open source and definitely a lot of changes in open source security over the last twenty-two years. Thabang.
Thabang (00:48) Mike, thanks Josh for having us on the show. I’m Thabang Mashologu, as you mentioned. I’m the Chief Marketing Officer at the Eclipse Foundation and I’ve been here for eight years and it feels like I started yesterday. It’s a very fast-paced industry, as you know, and the Eclipse Foundation is moving quickly day to day as well. So I have the great pleasure of working with thousands, maybe millions, ultimately, of developers around the world through our various programs, and I’m involved from the ground up with OpenVSX. Something that I do on a day to day basis as well.
Josh Bressers (01:27) Awesome. Okay.
Mike Milinkovich (01:28) Yep. All right. So maybe just a little bit on what OpenVSX actually is, because it doesn’t have the name brand recognition perhaps of, say, NPM or PyPI or these kinds of places. I like to jokingly describe it as the most important package registry you’ve never heard of. Yeah. And so to put this into perspective, so first of all, what is it? So it is a package repository specifically targeting VS Code.
Josh Bressers (01:33) Yeah, yeah.
Nice.
Mike Milinkovich (01:58) extensions. So VS Code is the tool of choice these days for developers and the tool of choice for forking to build new tools these days, and that sort of is a big part of the story. As everybody knows, VS Code is a Microsoft product, has a bunch of open source components that it builds on top of, one of which is the extension API. And so it’s got this way to extend the VS Code tool with various extensions to do things like JavaS language support or Python language support or Markdown. Whatever it is that you’re doing, there’s probably an extension for it. However, the package repository for VS Code, the terms of use says you can only use the Microsoft package repository if you’re coming at it from a Microsoft product like VS Code.
Alright, so flashback six years ago, Eclipse Foundation had a couple of projects, Eclipse Theia, Eclipse Che, which were using the open source extension API to build a different set of tools, and they needed a place for their developers to get extensions. So as my mom used to like to say, the road to hell is paved with good intentions. So six years ago we started this little thing. How bad could it be to offer an extension registry that was open to everybody? And so we initially motivated by our own projects. But then we, you know, VS Codium and a couple of other things, Gitpod at the time. And I think even the initial code contribution came from them and another company called and what we did was we started running this as a service.
So six years ago, it took us five years to get to 50 million downloads a month. Then along came this thing called artificial intelligence. You’ve probably heard of it. It’s supposed to be a really big thing. And one of the biggest and fastest growing areas within AI is using AI for development, and there’s been this explosion of developer tools. Think Cursor, Windsurf, Kiro, Project Bob.
Josh Bressers (04:00) Yep. Yep.
Mike Milinkovich (04:18) Google Antigravity, so on and so forth, that basically all start their lives off as a fork of VS Code and all use this extension repo registry, our extension API, and they have all started pointing their products at Open VSX as the place to get their extensions. So five years to get to 50 million downloads a month, one year to get from 50 million to 100, 110 million.
Then three months to go from 100 million to 300 million, and another two and a half, three months to go from 300 million to six hundred million. And like all the other package repositories out there, we were supporting OpenVSX through our membership dues, through some sponsorships. And as this ramp up happened, it basically broke our ability to support Open VSX with the resources that we had.
Now, I just talked about the number of downloads, and so you might think that the real costs were the massive increase in infrastructure costs. But actually the real costs come from security, because what happened for the first five years of the life of Open VSX, our security model was, hey, if you see something weird, let us know and we’ll take it down.
Josh Bressers (05:43) Nice.
Mike Milinkovich (05:45) But when, I think I just saw some number that seventy percent of the Fortune one hundred are using Cursor now, or, you know, words to that effect. So when the tools that are using Open VSX are being used through enterprises, the scrutiny that you get in terms of what happens if there’s malware goes up dramatically. So, you know, we’ve gone from basically zero dedicated headcount to securing OpenVSX to, I’ll let Thabang answer the question on how many, but it’s definitely a lot greater than zero. So our headcount costs have exploded. And so what we’ve done is, and I know you’ve had other people like Brian Fox and others on the show talking about the economics of the package repository dilemma, we’re basically here to tell our story about going first.
So we’re the first open source organization, first open source foundation that has basically figured out a business model for our package repository. And so I want to assure everybody who’s listening that we’re still staying true to our open source roots. We’re never going to charge a developer to download an extension. But there are a number of companies that are building massive businesses on top of this free infrastructure, and we figured out a business model that
Josh Bressers (06:38) Yes.
Mike Milinkovich (07:07) they actually see value in paying us money to make sure that this thing is operating at the scale that it needs to operate at.
Josh Bressers (07:16) Yeah. Okay. I want to first give maybe a little context for anyone who hasn’t listened to the entire back catalog of this podcast. But I actually talked to Michael Winser, who works with Alpha Omega. It feels like it was two episodes ago, but I know it’s been a lot. And it amuses me because there’s a video where he gave a talk, I think it was at FOSDEM. FOSDEM was what, like February? Man, that was a long time ago. But
Mike Milinkovich (07:25) Ha ha ha.
Josh Bressers (07:44) He gives this talk at FOSDEM and he’s talking about package registries and the challenges they have. And security is a huge one of them. And he says multiple times in his talk about how bandwidth isn’t the problem. And the first two questions he gets are about bandwidth. It’s like, did you not listen to the talk? But yes, that is, I think, a surprise to a lot of people. Cause I think naturally, as you know, computer nerds.
Mike Milinkovich (08:00) Yeah.
Josh Bressers (08:11) We hear about these registries, we hear about the kind of numbers you’re talking about. We instantly jump to like infrastructure costs and bandwidth. But you’re right. It’s it’s all the the people in headcount and stuff. And Thabang I will let you cover that now because I am very interested actually in what like your your kind of headcount and security team look like in this instance. Cause I generally have no idea how I would even start handling something like this.
Thabang (08:33) And I I think that’s a a good direction to take the conversation here because that Michael gave by the way was brilliant. And one of the things that he touches on is, yeah, perhaps the driver isn’t bandwidth, but I think it’s very easy, particularly for for us as technologists, for developers to wrap our heads around, okay, there’s some hard costs around operating and you know sustaining ⁓ the the types of registries.
that we’re talking about here. So you’ve got your compute, you’ve got your, you know, storage, your ingress and egress bandwidth, all of those things that have, you know, ⁓ at the end of the month, you’ve got a an invoice that you’ve got to pay. What we found over time was that Mike’s point and and ⁓ you know really around the how do you operate this infrastructure and and do it in a way that meets the demands of now companies that are using this
Using OpenVSX as as a science experiment. They’re running billion, trillion dollar valuation companies off of this infra. ⁓ what we came to learn was that yeah, we actually had to reorganize, we had to hire, we had to recruit. And this is where, you know, in a former life, I I worked at one or two startups, and I thought I’d left that life behind me, but I guess things have a way of catching up to you because.
Open VSX within our organization really is like a startup where we’ve had to go out and think through, okay, ⁓ who do we need for what job and how do we ensure that we have the coverage ⁓ and ability to do things at scale. And and we quickly saw that, you know, as much as the infrastructure costs, the bandwidth costs were were spiking up, that, you know, similarly there was an exponential curve around
Headcount. And as it stands right now, we’ve got eight full-time equivalents in our engineering organization, ⁓ or the team that’s allocated to OpenVSX. And that’s from ⁓ you know, two years ago or even last year, actually. ⁓ time does fly. ⁓ last year, this time, ⁓ we had one person, right? So you you you see that kind of scale where we’ve actually had to go and design ⁓
And and hire people, the best people for the jobs, and and that comes with a lot of cost, as you can imagine. Right. So we’ve structured our way, ⁓ structured our organization in a way to actually ⁓ be able to support OpenVSX as the mission critical, you know, infrastructure that it is. Because that’s where we ⁓ we had a rude awakening last July, actually, July of 2025, where
You know, they say that you never realize how much you’re loved until you’re missed, something like that. And ⁓ we actually I I think the forcing function for us, the critical event, was that we had an outage. We had an outage in the summer, the North American summer of twenty-five. And, you know, this was something that we were running off the sides of our desks, as as Mike mentioned. It was a best effort service, background service. And then we had all of these brand name companies.
the cool guys calling us and saying, hey, wait a second. Open VSX cannot be down. My insert name of really cool product ⁓ and and platform depends on it. So so that really crystallized things for us. Yes, we are popular. We really, really are popular. And and fortunately those folks took up the ⁓ they framed so the problem was established and they
took up ⁓ you know a collaborative approach on in helping us solve it. And ⁓ from day one, those folks have have really been along with us for the journey and it’s all public now. We if you ⁓ if you’ve seen some of our announcements here, ⁓ we wouldn’t be able to ⁓ have have gotten to where we are right now without the support and and engagement of the cursor folks, ⁓ Amazon and and and ⁓ the Google.
team as well have have really been huge in helping us figure out how to solve this in a way that meets not only the needs of those large scale commercial adopters, but ultimately, and this is where Mike was saying, we’re not gonna we’re we’re not gonna forget w where we’re where we’ve come from or our mission. The commercial adopters are doing this in a way that allows us to preserve the commons, to make sure that ultimately developers and open source projects
access to that same infrastructure in a way that’s robust and sustainable.
Josh Bressers (13:29) Okay, so the big question, like, what have you done? Right? When we think of open source, we always think of, it should be free, right? Like this shouldn’t cost anything. It’s open source. Which of course is ridiculous for anyone, you know, involved in, I mean Mike, if you’ve been the director of the Eclipse Foundation, you’ve been in the middle of this for forever. But so explain to me, what do you call, you call Open VSX Managed Registry. Like, what does that mean? Because it’s not, I guess I don’t even know what to call it. I’ll let you guys, you two take it from here. Like tell us exactly what we’re talking about here, right? Because there’s an Open VSX registry, which is like what we think of as the free open source registry, but you’ve created a new thing. And I know, like, I don’t think anyone has tried this before. So this is very exciting.
Mike Milinkovich (14:16) Can I take a short stab and then you can add all the details, Thabang? So basically the short version is it’s the same thing with an SLA. So we’re not running a separate service in the physical sense, but what we’ve done is overlaid a product quality promise on top of the shared service. So the good news is, you know, John Q. Public or Joe developer is going to get the same quality of service, but now it’s going to be funded by the companies that need that quality of service for their business. And that’s one of the things that, just to backtrack a little bit, you know, when we had our outage last year, one of the things that I was, you know, I’m still surprised that I can be surprised, in the sense that, you know, wait a second, you built a business
on top of a piece of critical infrastructure. This you’re if you know if if we go down, your business goes down, and you never thought to call us? Like the first time we’d ever talked to these people is when we went off the air. And and I think that, but that, you know, Brian Fox and others on have have talked about this phenomenon where this is not open source. This is critical infrastructure. Yeah, sure, Open VSX actually the implementation code is an open source project.
and you can see all the source code, but running that server on infrastructure to deliver 600 million downloads a month, that’s not open source. That’s critical infrastructure. And so now let me hand it over to Thabang to tell us, like, okay, exactly what is the SLA, how did we productize this and what does this actually mean for the companies that are helping support it?
Josh Bressers (16:09) Okay, I have one additional question, Thabang, for you as part of this. So Mike talked about companies that have built their, like, I guess product, or I’m not sure what the word to use, on top of this. Now, are we talking about a company like Cursor that literally has like a VS Code tool that’s then using you for the plugin? Are we talking about like a Fortune 500 company that’s just running a lot of VS Code internally, you know, and they’re just pulling a lot of plugins, or is it both?
Thabang (16:42) It is both we see the let’s say most of the usage actually coming from I don’t want to say a handful, but certainly less than twenty ⁓ or thereabouts ⁓ adopters. ⁓ and as Mike said, they’re forks, they’re folks who and anyone who’s ⁓ essentially leveraged that VS Code ⁓ extension API is is the sweet spot. often you know, as we were ⁓
heading to to launch people were asking, well, well who’s this for? It’s like, well, I think it’s kind of self-evident. You know yourself. If if you if you’ve built a product and and for us, just even in terms of ⁓ figuring out the addressable market for this, it was easy because we looked at our logs and and we saw, okay, these are all the people who are heavy users. And and I I really wanna emphasize these are users who ⁓ you know they didn’t know that
It and maybe this is to Mike’s point that because it’s open source and nobody was asking them to pay, they thought, okay, well that’s that’s what it is, right? So this is this a very compelling business case because I’ve got zero cost for this ⁓ critical part of my ⁓ platform and my service. Once we did ⁓ make them aware that hey, there’s a cost to us and you know, open source is free as in puppies, ⁓ not as in free beer.
But then infrastructure is not because of these hard costs and because of the people costs, all of these things. Once they understood that and and as we’re talking to people these days, it immediately resonates. And they’re like, yeah, that’s fair, because you know, I have Azure and you know Google Cloud and and ⁓ other infrastructure. This is just another ⁓ it’s just another ⁓ you know invoice that I have to to to pay for. And and how we structured it.
This is where we we kind of went to product management fundamentals. We went out and we spoke to a lot of people. one of the unsung heroes of this journey is ⁓ you know our executive assistant who set up all of our calls. But because there are so many conversations. I think probably I spoke to between 20 and 30 different folks who are representative of the the various stakeholder groups, including developers themselves, and said, Hey, what would you be looking for? ⁓
Mike Milinkovich (18:54) Mm-hmm.
Thabang (19:09) as we build out a service. And one of the things ⁓ that really stood out as a theme was that you know this is critical infrastructure for us. ⁓ it’s a commercial dependency and like any other, we expect some operational assurance which is you know business speak for an SLA with some skin in the game from the Eclipse Foundation. So so the the subtitle to to what Mike described as as you know the the
the the notion that we’re the first ⁓ first of many of ⁓ of our our peers who ⁓ operate these managed ⁓ or these ⁓ package registries ⁓ that’s something that we had to grapple with as well which is that we we historically are not set up we haven’t been set up to to offer any types of SLAs, whether that’s legally, ⁓ commercially or operationally, right? So that’s where the the the real work happened. ⁓ and
And I think the ⁓ yeah, so people ⁓ specified, you know, what they’d be looking for, what they’d be willing to pay for. And and as we were going through that journey, we always had in mind that first of all, the developer community, the open source projects that rely on open VSX, it’s got to be a net positive for them. and this is where, you know, going back to what Mike said,
by design it’s gonna be better where we’ve leveraged the investments that we’re making for the for the whole ecosystem. We’ve leveraged and and applied those those investments to increase security so to have you know pre-publication ⁓ security checks ⁓ or verification checks on the ⁓ extensions themselves and and implemented a bunch of hardening that ⁓ that we think is ultimately beneficial for the developers who use this every day.
Josh Bressers (20:59) So here’s I think where I would like to maybe direct us and and I’m I’m curious. So there’s there’s kind of two thoughts I have in my brain for everything that that the Eclipse Foundation is doing. Is obviously, first of all, has you have you seen like any real pushback from the community, specifically the community? Because I think this is one of those instances where a lot of
Businesses are often happy to say, like, yes, I’m using your service. I will give you some money. Just please let me give you money. And that’s like a whole other open source problem. But then I I’ve seen I’ve seen the community, right? Like folks, the normal people, the the open source developers that are like, wait a minute, I’m writing these plugins and and you’re now charging people money to use my plugins. Like what’s going on with this? And so I’m I’m curious if that’s happened yet.
Mike Milinkovich (21:47) to be clear, we are not we are we are not and never will charge people to use a plugin. ⁓ so ⁓ so or to use any of the extensions. So we’re not charging like it there are I think there are some ⁓ VS Code extensions out there with that are under a non-open source license, and that’s between you and the the publisher, not us. We’re just strictly an intermediary. So
Josh Bressers (22:08) Right. When you’re not publishing those plugins, right? Right.
Mike Milinkovich (22:12) We are not publishing those plugins. So we have thousands of, I think we’re up to what, nine thousand publishers. And so, you know, it’s a big body of people and companies that are doing the publication. The only people that we are charging are companies that we can identify as large scale consumers. And particularly right now we’re targeting the group of companies that are hitting us at greater than three RPS, which by the way, that’s a number that you can’t get to unless you’re really, like, that’s a lot of traffic.
Josh Bressers (22:48) What is an RPS?
Thabang (22:49) almost
- That’s a request per second, so a query per second. So that’s hitting up the ⁓ the APIs for a download, a metadata query, any anything like that. And to Mike’s point, three RPS sustained over the course of an hour is ten thousand eight hundred requests. So ⁓ when you’re getting to that level you you really cease to be a ⁓ an individual developer.
And and one of the things that we implemented specifically for the open source projects, because we will never an open source project to utilize the ⁓ the infrastructure ⁓ is essentially a an allow list mechanism, right? So anyone who needs to have access, they have ⁓ a clear mechanism to ensure that they continue to. At the end of the day, ⁓
I think this is one of those examples where silence is golden, where we haven’t heard any response from the community, certainly no negative response, because their work, so between the time that we flipped the switch and started enforcing our rate limits and now, it’s been a non-event. It’s been business as usual for them.
I think if they had started to see some negative differences in terms of their ability to do their work, then we would have heard about it and we would have wanted to hear about it.
Josh Bressers (24:23) For sure. Yeah, yeah. And I know this is one of the topics that comes up with a lot of the other package registries I’ve spoken with is they have a very small number of I think it might have been Maven who told me two percent of the IPs are using like 80% of their traffic, right? On on for Maven. And I’m I know you guys said you were in in a similar situation. So it is it is sort of mind-boggling in that regard. So okay, so here’s kind of the next thing I have in mind then is
You’re paving the way for, I guess we’ll call it, sustainable package registry ecosystems, because that’s fundamentally what we need. Like we can’t keep doing this for free forever. It’s obviously not going to continue. And so I’m curious, have you, I shouldn’t say I’m curious. How have the other registries reacted to this? I’m certain you’ve spoken to more than one of them because I’m sure they’re all like, ooh, it’s working. When can we do it? Right.
Mike Milinkovich (25:16) Yeah.
So I’ll take a lot so ⁓ there I would call the the word I would use ⁓ first and foremost is intrigued. so ⁓ as in like, okay, this is a a a journey. We’re really interested in seeing what you’re learning along the way. the one thing I’ll say is the Eclipse Foundation is larger than most open source foundations, right? Like we have over a hundred staff. ⁓ we’ve been around for twenty-two years.
We have a we have like a for profit subsidiary in Germany that actually is the reseller in this. Like this that’s who’s actually negotiating these these sales contracts with these companies. ⁓ and you know, and we have le you know, legal people on staff. Like we have the sort of organizational capacity to do something like this. I mean, even hiring in a lot of cases, you know, hiring eight people over a year, that just doing that alone would be ⁓
pretty crazy for some of these other organizations because they’re so small. So I’ll freely admit that we are paving the way and that’s why we’re here talking to you today. But there are challenges in that other organizations are gonna have to, I always like to use this line, like every open source foundation is a victim of its own history.
Right. So they had their own history, their own community, that the you know how they got to where they are, ⁓ whether they’re set up as a C3 or as a C6 or you know, something else. ⁓ in our case, we’re a well we’re actually a Belgian international nonprofit association. ⁓ so there’s all these things that go into figuring out the exact business model that each one of these other package repositories is are gonna have to deal with. and so
I think there’s gonna be some bumps along the way. I do think that people are very happy to see that we’ve been able to do this and not not die in a sea of flames. so ⁓ so we at least we got that going for us, right? So ⁓ so I think that’s part of the story. I think but I do think that ⁓ this is ⁓ we are the first, we will not be the last.
In one way or another, every other package repository is going to have to figure out a way to, you know, emulate what we have done here. And I think that’s actually one of the key messages I want to give to anybody who’s listening, which is if you’re working for an organization and your organization today is using Maven Central, NPM, PyPI, you know, any of these things, you have to start realizing that this service that up until now you’ve thought of as infinite and free, at some point in the future is no longer going to be infinite and free.
Josh Bressers (28:14) Yeah, yeah. And I mean I I will say just from a we’ll say partially business perspective, partially like open source perspective, I love that the approach you took is a commercial relationship as in, you know, provider consumer model versus ⁓ can you maybe donate to our foundation and we’ll try real hard to to not screw it up.
Thabang (28:38) Yeah, to to be fair, we tried that. ⁓ so so and I think ⁓ what we and the other folks have realized is that that doesn’t scale. That model doesn’t scale, and ⁓ there’s a discontinuity or or ⁓ mismatch, an impetus mismatch between trying to solicit funds, donations, please, sir and brother, can you spare a dime to
actually aligning the consumption ⁓ and and the the ⁓ funding of that ⁓ to a a consumption model that is ultimately where the downstream you know these these organizations the adopters that’s how they’re getting paid so it’s essentially a continuity in terms of the value chain which is that hey you are used to charging for this ⁓ Mr. or Ms. ⁓ vendor in this space
you should ⁓ the economics should flow in the opposite direction as well. And that’s the way it becomes better for everyone and we’re able to to deliver.
Mike Milinkovich (29:45) Yeah, so the one thing I want to add to that is in my experience, a lot of companies and particularly a lot of enterprises would actually prefer a commercial relationship. It’s actually much more difficult for them to become a member or to come up with a donation or a sponsorship than it is for them to just sign an agreement and pay an invoice, because especially enterprises, the approval path that you have to go through for a sponsorship or a membership
is a very different and in many cases alien journey for an IT manager than ⁓ than ⁓ I have this business dependency. ⁓ these you know this organization is providing us with a real service. We we need to sign an agreement and and pay their bill.
Josh Bressers (30:33) For sure. And those donations are the first thing on the chopping block when it’s time to tighten the belt, right? I mean you you know this, you’ve been running a foundation for a decade, you know?
Mike Milinkovich (30:44) Yep.
Thabang (30:44) That’s certainly our experience. Not only are the donations and memberships the first to be cut, but increasingly and sadly, a number of our champions and the folks that we came to be used to dealing with, the OSPOs themselves, were being, you know, disintegrated and removed from the org chart. So that’s certainly the case and that’s part of the, let’s say, the landscape that led us
in the direction that we went. ⁓ I’d also add that ⁓ we in in in securing the the let’s say ⁓ the the business we we often started to speak to people that we hadn’t spoken to before because we were held at arm’s length by the OSPO folks or or at least that was the interface point rather the OSPOs the open source program offices in these corporations.
And then all of a sudden we became very interesting to the product and business leaders because hey, that’s do not touch that open VSX thing, right? That that registry without without those resources, the product doesn’t work and we’re not able to to drive our business growth. So the conversation changed and and this maybe one last thing I’ll say is that ⁓ I do want to thank our peers and counterparts, ⁓ folks like Brian Fox, who you’ve had on the show here.
Because without them, th those those are one of the the many calls that I had, ⁓ just even getting a sense of how we could ⁓ approach this. That learning that was shared with them, we are ⁓ paying it forward in terms of us ⁓ sharing ⁓ as widely and and broadly as we can the lessons that we’ve learned and ⁓ hoping to or helping to ease the way for for these folks that inevitably, as Mike said
will will have to figure out how to do this on their own terms.
Mike Milinkovich (32:41) Yeah, I just want to add one thing that I haven’t really touched on too. A lot of the companies that we’re working with see value in the fact that we are still a vendor neutral open source foundation and that this is being operated in a vendor neutral manner. So yes, we’re charging some companies to help pay the freight, but the fact that there is a single vendor neutral point of ecosystem control for basically the entire AI development landscape, that’s actually a really good thing for everybody. ’Cause the last thing, you know, you don’t want to have Cursor having its repo and Antigravity having its repo and so on and so forth. That’s not the solution that anybody wants to get to.
Josh Bressers (33:30) A hundred percent.
Thabang (33:31) Yeah, and on that point, I think that's one of the things that we've seen. Because OpenVSX is self-hostable, so you don't have to use the public service or the managed registry. You could put this on your own infrastructure and do it yourselves. But I think what Mike highlighted is really the key point, is that people trust the Eclipse Foundation or, you know, our governance and our track record to be that vendor-neutral operator of this infrastructure. And that's why you've seen, I think one of the reasons that's contributed to the growth is the trust. And having that reflected in what people are able to do in terms of actually consuming the service. We've got trust built in. That trust is being translated into what people download and utilize as a service.
Josh Bressers (34:24) Yeah, yeah. A hundred percent. A hundred percent. And you'll both probably love this, is I feel like I don't know if I'd say I have a favorite foundation, but I use the Eclipse Foundation often as my poster child for, like, I think the group that really gets a lot right. Where just, you know, your structure, your governance model, you know, you're European based, which I know has some maybe upsides or downsides depending upon how you look at it, but I think it has some huge upsides. And you guys do just an amazing job, which I love. So all right, let's land this plane now.
So what do you want us to know? What are the next steps? What should everyone do who’s
Thabang (34:57) I think for one thing, I guess it depends who it is, but for the commercial adopters of OpenVSX, they should reach out to us if they haven't already. If we haven't spoken to you, please do speak to us and we'd be happy to, you know, get you onboarded and situated in the managed registry service. I think a shout out, a thank you and keep it up and we couldn't do this without you to the community, to the developers out there. They are the lifeblood of not only our foundation, but the open source industry as a whole. So thank you to them and encourage them to continue to stay involved and provide your leadership and essentially the brain power and the arms and legs to this movement. I'd also say watch this space. We are increasingly, you know, driven by the adopters and other stakeholders in our ecosystem. We're seeing calls for the Open VSX model to be applied to AI artifacts more generally, right? So it's coming soon to Open VSX is really providing a repository for different AI artifacts, you know, MCP servers, skills, plugins, all of that. So over time and working closely with our community and the ecosystem, you'll start to see more of these AI components and artifacts hosted at OpenVSX. And the key to that is that we're growing with our community and the industry's needs and minds, in mind rather.
Josh Bressers (36:45) All right, Mike, take us home.
Mike Milinkovich (36:48) First of all, thank you very much for the opportunity to be here and tell our story. Thank you also for the kind words about the Eclipse Foundation. I think, you know, back to what we said at the very beginning, we are the first open source package repository to go down this path, but we will certainly not be the last. And I think that it's a change. But frankly it's a change that has to happen because the economics of managing critical infrastructure based on sponsorship and donations is a fundamentally broken business model and it's not sustainable. So we have to do and try new things. So thank you very much.
Josh Bressers (37:29) A hundred percent. I've been wondering when this would happen, and I'm very excited that it was your crew and specifically the way you're doing it, because I feel like you have set up the rest of the industry for success in this regard, versus doing something incredibly stupid in a ridiculous way, and everyone hates everything and it's like, crap, now what do we do? Like we've ruined it for everyone. So this is a huge deal. Like I'm really excited to watch this one work. I will be very excited to have you both back maybe in a year or so and we can see like how's it going, you know, assuming, we'll see. Maybe Mike will have less hair and Thabang will have more. Like who knows how these things work out. But no, this has been amazing. I mean, thank you both for the time. I absolutely appreciate it. This has been a treat. I've learned a ton. I've no doubt so is everyone listening and watching. So just yeah, thank you so much. And I mean, good luck and keep up the good work.