The Eclipse Foundation today revealed it has created a framework for the Open VSX Registry, the registry of open source VS Code tools it oversees, that scans for known malicious patterns, detects namespace impersonation and extension name spoofing, flags exposed credentials or embedded secrets and quarantines suspicious uploads for review.
At the same time, the Eclipse Foundation is transitioning the Open VSX Registry to a hybrid, multi-region architecture. Core services will run in data centers in Europe managed by Amazon Web Services (AWS), with a fully operational on-premises deployment of the Open VSX Registry also being made available in Canada as an independent secondary environment. Cursor, a provider of an AI coding tool based on VS Code, is also lending financial support to this infrastructure initiative.
Thabang Mashologu, vice president of community and outreach for the Eclipse Foundation, said the overall goal is to encourage more application development teams to adopt the Open VSX Registry in a way that scales as more compute resources are invoked. That issue has become especially challenging now that the majority of artificial intelligence (AI) coding tools in use today are built on top of VS Code.
In effect, the Eclipse Foundation is using the additional funding to not only offset costs but also provide additional capabilities to better secure software supply chains, added Mashologu.
Precisely how funding for the Open VSX Registry will continue to be provided, however, is still being worked out, noted Mashologu. With peak daily traffic exceeding 50 million requests and more than 10,000 extensions from over 6,500 publishers, Open VSX has become a production dependency for platforms serving millions of application developers. The Eclipse Foundation, along with other consortia, has previously noted that the existing funding model of open source registries and repositories is fundamentally broken because they are now embedded within software engineering workflows in ways that were never intended.
The Eclipse Foundation, to address that issue, is also implementing responsible rate limiting and traffic management within the Open VSX Registry to ensure sustainable growth and consistent availability during periods of elevated demand. Rate limiting is specifically being applied to sustained, high-volume automated traffic to limit the number of developers that might be impacted.
At the same time, the Eclipse Foundation remains committed to ensuring that all registry data, backups and telemetry data will not only remain within regions in Europe and Canada, but that data in transit and at rest will be encrypted. That approach will make it simpler for many organizations to comply with digital sovereignty requirements that have been enacted by the European Union (EU) or Canada.
Regardless of how the Open VSX Registry is accessed, the one thing that is certain is that AI coding tools will be more widely employed. A recent Futurum Group survey finds that a full 60% of respondents said their organization is now actively using AI to build and deploy software. The only issue that remains to be resolved is how the code generated by those tools can be improved.

