The more I think about it, the more I see package manager registries as providing a large amount of governance support to their ecosystems: https://nesbitt.io/2025/12/22/package-registries-are-governance-as-a-service.html
@andrewnez Indeed! And yet, most registries get this governance role without people really thinking about it or agreeing to give them this role (sometimes, even the registry developers initially didn't think about it). Rather, people just choose to use a registry for technical reasons, then one day, the registry has become a central piece of the ecosystem, and its owners suddenly have to make governance decisions... (That being said, that's no different from how people choose social media or other internet platforms, and end up being dependent on the policies enacted by the people who own the platforms.) Thinking about community ownership of registries and governance in advance would be much better, but that's often not the case because people typically focus on the technical first.
@andrewnez Agreed!
We need to clearly distinguish the different types of governance you speak of, and this means we must clearly show the actors in play.
Project Governance and Ecosystem Governance are similar to publishing in academia:
Academic institutions (= "Projects") influence _what_ may be published.
Journals (= "Ecosystems") influence _how_ something is published.
Researchers (= "Contributors") do the actual work.
There's no #opensource #ecosystem without all three types of actors!