back to article NPM today stands for Now Paging Microsoft: GitHub just launched its own software registry

GitHub today will introduce the GitHub Package Registry, a service to allow software developers to publish and manage public or private software packages for a variety of programming languages. Software packages are collections of code, scripts, and other resources that provide specific functionality for application developers …

  1. Michael Hoffmann

    What, no PyPi?

    While it’s nice that they offer private registries, I hope they have a way of transparently proxying to public ones, similar to products like Sonatype Nexus.

    Oh, and add Python!

  2. Anonymous Coward
    Mushroom

    Phase 2: Extend

    (See icon)

  3. Pascal Monett Silver badge

    Looks like NPM has been successful after all

    Successful in fostering competition that will extend developers' ability to get what they the way they want, without having to support utter arseholes while making their programs run.

    So, it's a win-win situation for everyone, right ?

    Well, everyone except NPM, which is just poetic justice.

    1. Notas Badoff

      Re: Looks like NPM has been successful after all

      An attempt to monetise goodwill, badly done, weaponises any other offerings. You screw up, your competitor becomes your executioner, your former customers the cheering mob in the stands.

      I'm afraid NPM Inc will become another good example "how-not-to" in business school courses.

      1. Doctor Syntax Silver badge

        Re: Looks like NPM has been successful after all

        "I'm afraid NPM Inc will become another good example "how-not-to" in business school courses."

        Do business schools teach the meaning of the word "not"?

      2. Anonymous Coward
        Anonymous Coward

        Re: Looks like NPM has been successful after all

        "I'm afraid NPM Inc will become another good example "how-not-to" in business school courses."

        Careful what you wish for.

        NPM was funded by seed money from the same investors that appear to have parachuted in the manglement that has probably destroyed it.

        If the investors are going to be more wary in the future, who will fund the startups?

        I expect a similar funding model will remain, but the conversion from free to paid will happen a lot earlier in the business model. There will just be different winners and losers in the new business model and less free. Or I could be wrong.

  4. Anonymous Coward
    Anonymous Coward

    Nuget? Seriously?

    So so buggy.

    For a while our build scripts used the latest nuget but pretty much every month random build problems crept in. We now stick to an arbitrary version and workaround the known issues

    1. Anonymous Coward
      Anonymous Coward

      Sounds more like your build scripts

      Haven't had a nuget wtf in a very long while, not since we ditched packages.config in preference for the package reference type, and even then they were always caused by some one updating all packages to latest version, rather than restoring to the versions settled on when minor revision number got bumped

      If you were expecting latest package versions to be backwards compatible with what ever you had installed before, then you need to a) start reading release notes

      b) do some research and under stand what package managers are (they aint gonna stop you jumping release versions unless you specify max revision of a givin package for example) , and what they do and don't do for you (won't warn you of a breaking change that's what your failed build is for, won't fix your out of date implementation, will cause you hours of head scratching at weird and subtle bugs if you always try and use latest bits)

  5. bombastic bob Silver badge
    Mushroom

    there's something wrong with the entire premise

    the idea that all of these script libraries should be teetering on the brink of crushing the house of cards they're all built on, of which NodeJS and that 'NPM' thing were MAJOR players a short while back (including the TRIVIALITY of the "withdrawn" code whut dun it) tells me that it's time to move AWAY from such things before yet another "centralized" thing crushes half of what depends upon it ,for whater random reason.

    eggs.. one basket... sounded ok until they ALL BROKE. It's kinda like NOT doing backups, or relying on a single supplier, or one of many OTHER _BAD_ ideas that people end up going with anyway, because they *FELT* and did not THINK it through.

    And saying that programming is *SOCIAL* - *urp* I need more pink liquid

    does anyone NOT remember DLL Hell? Does anyone NOT remember that MS's "solution" for it was ".NET" ??? And now, FORCED UPDATES so that EVERYTHING updates at the same time? Is *EVERYONE* ready for "that" kind of "solution" to one trivial package breaking EVERY DAMNED EGG in the FORNICATING BASKET again, no matter WHAT that "package system" is called?

    It's all WAY too overrated, and _WILL_ bite people in the ass, MULTIPLE times, before it's properly REPLACED with something different, something _LESS_ centralized, like having your OWN copy of a lib you need and maintaining it LOCALLY! And having enough QUALITY CONTROL to get the job done RIGHT the FIRST time, and not '42 updates later'.

    1. DBH

      Re: there's something wrong with the entire premise

      I'm no expert, but I'm going to say you've had a bad Monday. It's nice out, go for a walk.

      Now I do actually agree with your point, but your delivery method gave me a headache.

    2. LeahroyNake Bronze badge

      Re: there's something wrong with the entire premise

      Geez, Take a chill pill Bob.

      Yes it is that bad and I believe on site solutions and user control over Windows 10 are preferable to the current situation.

      But... Please get a new keyboard, your caps key is malfunctioning.

  6. ATeal

    Anyone else worrying about too much power?

    I felt this pre Microsoft buying it BTW, so no EEE links please!

    A lot of projects are switching from their own hosted thing for the main repo itself and putting mirrors about to using github as /the/ central repo of truth - ignoring the irony of "it's decentralised" supposedly being a big selling point of git and the lack of decentralised actual users. I can't be the only one worrying that GitHub, this free (as in cost) thing that is basically being used as a CDN for some projects, might not be around forever, or might not be trust-worthy.

    Furthermore a lot of projects with actual and useful wikis (as in mediawiki, or something proper and worthy of being called it) are now using GitHub's "wiki" - which really isn't fit for the name. It's a step back.

    To my knowledge, you cannot easily view past states of a repository on github, IIRC you can scroll down an infinite-scroll page of the commit log that way, but for a busy repo finding what happened a few years ago is a NIGHTMARE that I gave up on doing. There's no easy way to navigate temporally.

    It does worry me. I must confess I don't use Git for any projects (I can get git repos, update them, that's more or less it) I work mainly with centralised ones (version numbers <3) - but if update because I trust the committers I don't diff the update or read the log really. Does anything stop github from submitting their own changes (if they wanted to) - obviously they could make the website not show that step, but would any others be likely to notice?

    Although not so much of an issue now, I was also worried about GitHub dying, at least with git (modulo large files?) every client has the complete history so if it did go down quick copies would be plentiful. So many scripts and project pages point to it now, some are even redirecting to a github.io subdomain.

    I digress. The problem with my worries is that eventually something will happen (nothing is permanent blah blah blah) - but I make no comment about when anything might happen. "GitHub is forever" of course cannot be. Maybe it's just my general resistance to change.... I dunno.

    Anyone have any comments? I'd love to hear from someone who takes the stance that projects are not migrating fast enough, why are you okay with it?

    1. Korev Silver badge

      Re: Anyone else worrying about too much power?

      I actually have more faith in MS owning Github than I did with Sourceforge's various owners. I have no idea if my faith is justified, time will tell I guess.

  7. John 62

    Couple of things not mentioned

    Always useful to have another mirror, but a couple of points I haven't seen mentioned

    i) Microsoft now has a competitor to JFrog's artifactory with the added value of GitHub's repository vulnerability scanning. I was at an intro to Enterprise GitHub led by GitHub staff and they said they had something like petabytes of vulnerability data they were using for scanning for users on public GitHub, but they couldn't offer that for on-premises enterprise GitHub because there was too much vulnerability data to host on anyone's private network. I think this way they can offer a more secure version of Artifactory that doesn't need to be coupled with something like Blackduck or Veracode.

    ii) With its own package manager, GitHub can keep all the traffic for its build/execution offering inside their own network for speed and cost (Another part of competing with AWS/Azure/Glitch - yes, I know Azure and GH are both MS, but they can have different offerings to suit different customers).

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019