Thoughts
Remembered Package Control and got angry again.
There are three main objects being contested: The Package Control Client, the Package Control Server, and of course the Package Control package repository (that is, the list of packages).
There are three players involved: Sublime HQ, wbond, and "the community" (everyone other than wbond and Sublime HQ).
wbond, would argue that "the community" is an incorrect and disingenuous designation. And of course these people are not representative of every Sublime Text user. However, there are a relatively small number of users who regularly contribute to the Package Control client, who regularly contribute to the default packages, who develop Sublime Text packages on GitHub, who are active in the Sublime Text Discord, and have no problem developing in collaboratively and in public. Maybe "open source Sublime Text contributors" would be a better term. A non-comprehensive list: deathaxe, kaste, keith-hall, FichteFoll, braver, michaelblyons, etc. wbond de facto creates this group himself when he argues (to give you a taste of what's to come) that no one except himself or SublimeHQ can be trusted.
Package Control was originally developed by wbond, until about 2022, when he stepped away from Sublime Text. SublimeHQ is the company that develops Sublime Text.
Okay, to set the scene. It's May 2025:
Package Control Client is maintained by deathaxe. deathaxe has write permissions to the Package Control Client repository: github.com/wbond/package_control, and all commits/merged PRs after 2022 are attributable to him.
The Package Control package repository is maintained by the community. For poor architectural reasons, the packages are split into libraries, which are in github.com/packagecontrol/channel, and packages, which are in github.com/wbond/package_control_channel/. Several community members have write access to both repositories. Community members review and merge all new packages and libraries.
(The wbond GitHub account is wbond (obviously) and the sublimehq GitHub org is SublimeHQ, but the packagecontrol GitHub organization is controlled by the community.)
The Package Control server and its domain name, packagecontrol.io, is maintained by wbond. The source code running on the server is open source (https://github.com/wbond/packagecontrol.io), but only wbond has the ability to deploy it. The package control client requests the package list from the server, instead of from GitHub directly. This prevents clients from hitting Github's rate limits, but leads to lots of traffic to the server. (It also updates every hour, and generates a new last-modified date, so there's little http caching, even though packages do not update that frequently.) SublimeHQ pays wbond, on the order of hundreds of dollars every month, to cover hosting and bandwidth costs for packagecontrol.io. wbond keeps the server online, although when it goes down, he has no way of knowing because he doesn't use Sublime Text. In Feb 2025 packagecontrol.io stopped picking up package updates. It wasn't resolved until March when someone emailed wbond. I stopped using Package Control during this time, and switched to a dumb Ruby script that cloned all packages I wanted from GitHub and ran `git pull` to update them.
packagecontrol.io is also used when first installing Package Control. When you tell sublime text to install package control, it will pull a version of package control from packagecontrol.io. This version of package control is not updated manually and was last updated by wbond some time before 2020. This version of package control uses openssl 1.1.1 (which reached end of life in 2023); and will sometimes break if your system openssl is more modern. (If it doesn't break, then it will immediately update itself to the most recent version of Package Control on GitHub.)
packagecontrol.io also only supports Python 3.3 libraries. This gets complicated because of the library/package distinction, and because Sublime Text packages can use Python 3.3 or 3.8. So I don't understand the exact issue, but deathaxe (remember, the package control client maintainer) has an idea of changes that need to be made to the package control server.
For all of these reasons, the community is itching to get packagecontrol.io to a state where it can be actively maintained and developed by the community.
As early as June 2024, wbond said "The only logical place for Package Control to transfer to is Sublime HQ, for security and trust issues" and that he would "work something out" with SublimeHQ. When packagecontrol.io went down in February 2025, this question came up again: "why can't wbond transfer it to the community?" A SublimeHQ employee commented that they were waiting for wbond, and then edited his message to say "I have no clue when things are going to get done" and wbond said "Yeah, I'm really sorry everyone, life keeps getting busier and busier as my kids get older and my role at work now is AI-centric, aka the fire hose" (wbond works at Uber, for context).
In response to the outages and issues with packagecontrol.io, and this communication, one Sublime Text community member (kaste) writes a Package Control server replacement: github.com/packagecontrol/thecrawl, which powers a new website: packages.sublimetext.io (sublimetext.io is a community-controlled domain). It's architected in such a way as to fit in GitHub action's free plan.
I'm skipping over the details of some of the software development process here. Obviously, other users are involved in validating that thecrawl works, and the pointing the subdomain to it.
August 2025: deathaxe pushes an update to the Package Control client to use the new channel at packages.sublimetext.io, cutting sublimetext.io out of the picture.
Ben (our resident SublimeHQ employee) is confused by this, saying, "I would have preferred to take over hosting before it got released to everyone." There had been no discussion that I'm aware of, up to this point, of SublimeHQ taking over thecrawl. Ben's most recent update before this was "some progress is being made in taking over packagecontrol.io. That said I don't want to dissuade from something better being build".
"Given that the plan was for PC to be hosted by us I figured that was also the plan for this, but yea I should have communicated that" -Ben
wbond's messages when he finds out about this have an angry tone; he says, "Yup I'm pissed." He views this as a hostile supply chain attack. His argument, essentially, is that since all packages were "proxied" through packagecontrol.io, you only had to trust him previously. Now you have to trust "random individuals on the internet", "5 random cooks" (his words) and that "if people want to switch to sublimetext.io, I have no horse in the race, but I can't in good conscience make that decision for them." He also says, "if PC gets taken over, it will be me and SHQ dragged through the issue and reputation hit" and that "my name is associated with this project and I've always taken security very seriously." This is where I'm confused, because deathaxe's version of Sublime Text has been shipping with a modern version of openssl but the version of Sublime Text shipped by wbond's website packagecontrol.io uses openssl 1.1.1 (ended security support in 2023, as mentioned), and runs Python 3.6 (which ended security support in 2021) on the server. Two more quotes I'll pull out:
"Changing the domain is the absolute root level of security on the project, and I would not expect that to be unilaterally done in an opt-out way."
"I don't care if you don't understand - I'm not here to convince anyone of what I find acceptable"
wbond reverts the change to the channel and removes deathaxe's maintainer permissions. He does not release a new version, so the latest version of package control still uses the packagecontrol.io channel.
SublimeHQ still doesn't have access to packagecontrol.io. wbond no longer has a personal laptop.
SublimeHQ releases a beta build of Sublime Text running on Python 3.13. (Current versions of Sublime Text only use Python 3.3 and 3.8, which was EoL 2024.) The package control client doesn't run on it.
The wbond/ package control GitHub repos have been moved to github/sublimehq. SublimeHQ has not taken over reviewing and merging PRs like they said they would.
I may switch back to Sublime text when all packages run a version of Python that is receiving security fixes, including Package Control.