Scarf Will Block Package Downloads from the Russian Government

This article was originally posted on


It has been deeply troubling to watch the current situation in Ukraine, from the terrifying threats from Vladimir Putin to online footage of bombings, shootings, and resulting damage. I can only try to imagine what Ukrainians are going through and feeling right now.

Stewing on the bleakness of the situation, I got to wondering about what, if anything, I, my company, Scarf, and the open-source community broadly could collectively and concretely do to aid the victims of this reprehensible invasion. While Scarf is still a relatively new platform, we do facilitate the distribution of software to end-users all over the world, every day. And so I took a peek at Scarf’s analytics of OSS usage and here’s what I found:

My analysis showed that Scarf has fulfilled ongoing software download requests from at least 17 distinct sources that have been confirmed to originate from the Russian Government. This activity primarily comprises their downloading of containerized applications via Scarf Gateway, including internal communications & chat, IT service orchestration, and more. The traffic spans multiple government departments, including The Federal Guard Service, The Ministry of Finance, The Main Center of Information and Computing, Ministry of Culture, and others. 

Today, open-source software powers just about everything we touch. I’m constantly reminded of that as I work day-in and day-out building Scarf. That still doesn’t make it any less heartbreaking to see beautiful open technology being exploited by forces like the Russian government so they can more effectively invade Ukraine. It then begs the question of how else they might be leveraging OSS, today, and in the future. With the looming threat of Russian Intelligence organizations resorting to cyber attacks to get their way, it’s hard to imagine OSS not playing a key role.

The notion of Russian government cyber attack operations leveraging software downloaded through Scarf’s platform is unacceptable. The notion of facilitating the atrocious invasion we're witnessing in Ukraine is not acceptable. As a result, Scarf will be blocking all package and container downloads originating from Russian Government sources until further notice. Traffic originating from other Russian sources such as businesses, civilian internet service providers, or otherwise, will be unaffected by this change. 

Scarf will not provide services to governments that are actively working to incite global-scale war. We stand for peace and open collaboration. Scarf stands with the people of Ukraine however we can.

Our ask for the open-source community

I’d like to call other companies in the open-source space large and small to follow suit where possible. It's time we pay more attention to the distribution channels of our software and have a better understanding of how our software is being used. This is precisely why every package and container registry also needs to offer increased distribution observability, so that we can make these efforts effective across the OSS ecosystem. If the ethos of open-source teaches us anything, it’s that when everyone chips in to help, everyone wins.

Latest blog posts

Tools and strategies modern teams need to help their companies grow.

Stefano Maffulli: An Exploration on Standards for Open Source Packaging and Distribution

Stefano Maffulli: An Exploration on Standards for Open Source Packaging and Distribution

Scarf Sessions is a new stream where we have conversations with people shaping the landscape in open source and open source sustainability. This post will give a recap of the conversation Scarf CEO, Avi Press and I had with our guest Stefano Maffulli.
Using OSS Usage Data to Sell your Company

Using OSS Usage Data to Sell your Company

Learn how Nestybox used Scarf to gather better project insights and provide accurate data during their recent acquisition.
A Different Approach to Measuring Open Source Community Health

A Different Approach to Measuring Open Source Community Health

Community is important to the success of open source software. To understand and grow a community, project founders and maintainers need visibility into various technical, social, and even financial metrics. But what metrics should we be using?