Microsoft's GitHub absorbs NPM into its code-hosting empire: JavaScript library vault used by 12 million devs now under Redmond's roof

On Monday GitHub announced it plans to buy NPM Inc, which operates the npm repository relied upon by 12 million JavaScript developers. The deal, announced by GitHub CEO Nat Friedman and NPM co-founder Isaac Schlueter, brings another major piece of open source code infrastructure under the control of GitHub's owner, Microsoft …

  1. Anonymous Coward
    Anonymous Coward

    Embrace...


    1. LDS Silver badge

      Re: Embrace...

      If you don't like it, learn how to make money... running such a repository is not free.

      1. Tom Chiverton 1

        Re: Embrace...

        You could put an IPFS client in each install of npm, so anyone could run a helper node.

        You could put a Torrent system in and require/set as on by default a 30s pause after download that would upload to others.

        Loads of ways.

        1. LDS Silver badge

          "Loads of ways"

          Sure, why nobody does it? Because none of them would be reliable and safe?

          1. Tom Chiverton 1

            Re: "Loads of ways"

            You don't trust PKI ?

            1. LDS Silver badge

              Re: "Loads of ways"

              Which PKI? Who checks dev certificates? How difficult is it, for example, to take package X, modify it, re-sign it with a valid dev certificate and distribute it from a local node repository?

              And still, the infrastructure to make it reliable won't be simple or cheap.

              You may trust your torrent sources, but I won't bet any real application and its customers on code downloaded by whoever happens to run a node.

              1. Anonymous Coward
                Anonymous Coward

                Re: "Loads of ways"

                > Who checks dev certificates

                Your package manager. Every package manager which expects signed code has a mechanism for telling it which signatures are acceptable for which packages/repositories.

                I imagine the chief difference from today's centralised systems would be that a change in ownership of a package would be an explicit action every package consumer would have to make (accepting the new dev's signing key for that package), rather than delegating that decision to the controllers of the repository.

                > How difficult is it, for example, to take package X, modify it, re-sign it with a valid dev certificate and distribute it from a local node repository?

                Trivial. It's called "creating a new package".

                But how difficult is it to take that package, modify it, re-sign it with a certificate people trust, and pass it off as the same package from the same source as before?

                Barring a disclosed private key, practically impossible.

                1. LDS Silver badge

                  Re: "Loads of ways"

                  No, who checks certificates issued to developers - which means who manages the PKI and ensures nobody can modify a package and try to disguise it as the original package when requested from its node.

                  As long as there is a "centralized" repository, it's harder to do that - otherwise, it becomes much, much simpler.

                  To counter it you would need to pin each package to a given dev cert (and have a mechanism to handle that), and each time a certificate is renewed or maintainers change, if the application downloads code as it's run, it will break. Fewer issues of course if the package is not downloaded dynamically - but if you don't have to serve packages to millions (or billions) of users continuously, you will need far fewer resources as well.

                  1. Anonymous Coward
                    Anonymous Coward

                    Re: "Loads of ways"

                    > No, who checks certificates emitted to developers - which means who manages the PKI

                    Why do you need someone as gatekeeper of certificates? Individuals can and do create their own certificates for use with SSH, and that system has worked securely for decades.

                    You don't need GitHub or whoever to decide who can SSH to your server so, for the technical user, why is it necessary to have a middle-man deciding whose software you can run?

                    > ensure nobody can modify a package and try to disguise it as the original package when requested from its node.

                    If code is properly signed, you can't. Doesn't matter where either the certificate or software came from.

                    However, if you're just relying on a centralised repository, then the centralised repository can decide to let someone new modify a package and disguise it as the original.

                    > To counter it you would need to pin each package to a given dev cert (and have a mechanism to handle that), and each time a certificate is renewed or maintainers change, if the applications downloads code as it's run, it will break.

                    Yes. Lots of software already works like this. Chrome does this. Linux distros do this. Microsoft Windows does this.

                    If you know that a signing cert is expiring, you generate a new one in advance and bundle it with an application update, signed with the old cert so it's accepted. Then, when your old certificate expires, the application already has the new one in place to receive further updates.

    2. Pascal Monett Silver badge

      Re: Embrace...

      Oh, I think we are firmly in Extend territory here. Microsoft has officially Embraced Linux for a while already and, with Github now in its pocket, it is in the process of taking control of the major code repository of most, if not all, Open Source projects.

      The Extinguish step is going to be interesting to watch. Will Microsoft force all code to talk to Azure before executing ? Or will it find some less obvious way to control everything ?

      Make your bets, the wheel is turning.

      1. TVU Silver badge

        Re: Embrace...

        "The Extinguish step is going to be interesting to watch"

        FFS, why does this outdated conspiracy theory continue to be peddled? Linux has basically won everywhere apart from the desktop and now Microsoft has no choice but to coexist with Linux.

        Microsoft's hostility to Linux and all things open source ended the day that brain sloth Ballmer left Microsoft back in 2014.

        (from a Linux user)

        1. Anonymous Coward
          Anonymous Coward

          Re: Embrace...

          > FFS, why does this outdated conspiracy theory continue to be peddled?

          Because it's not, and never has been, a "conspiracy theory". It was an explicit business strategy used by Microsoft.

          > Linux has basically won everywhere apart from the desktop and now Microsoft has no choice but to coexist with Linux.

          Yes, they have been strongly embracing Linux, even so far as making sure they have a (very expensive) seat at the table of the Linux Foundation. That gives them a lot of strategic influence, and if you think they don't intend to use that to pursue their own goals, I have a bridge to sell you.

          > Microsoft's hostility to Linux and all things open source ended the day that brain sloth Ballmer left Microsoft back in 2014.

          It takes a long time to turn a supertanker, even when the owners agree on the change of direction. There is a lot of cultural and management inertia to overcome in a company that size.

          1. TVU Silver badge

            Re: Embrace...

            It is the continuation of this braindead assertion after the departure of Ballmer that is the pointless conspiracy theory. It is all over except in the minds of a small minority and nowhere else.

          2. LDS Silver badge

            "It was an explicit business strategy used by Microsoft"

            It is a strategy used by many companies. Look at how many products Google bought that then disappeared from the market. The IP may still be used by Google, but others no longer have access to it.

      2. Michael Wojcik Silver badge

        Re: Embrace...

        Hell, it's going to be interesting just to see how Microsoft manages to make NPM even worse than it already is. "We've taken your huge repository of untrustworthy, low-quality code and added a terrible user interface!"

        1. jake Silver badge

          Re: Embrace...

          Remember, to the beancounters running Redmond NPM means Net Profit Margin.

          Be afraid, be very afraid.

    3. nematoad Silver badge
      Unhappy

      Re: Embrace...

      "Friedman said the CLI will remain free and open source."

      For the moment.

      Trust Microsoft? Yeah, about as far as I can spit it

      1. jake Silver badge

        Re: Embrace...

        You are entirely too trusting.

  2. Tomato42 Silver badge
    Coffee/keyboard

    Who would have thunk it

    The company behind Internet Exploder hosting almost all of JavaScript projects. Bonkers I tell you!

    1. Anonymous Coward
      Anonymous Coward

      Re: Who would have thunk it

      Nah, not really. The new MS top man is a lot smarter about the whole "Embrace" strategy. Give it a few years and you'll see license fees pop up everywhere, and by then it will be too late.

      1. jake Silver badge

        Re: Who would have thunk it

        Too late for who, Kemosabe?

  3. jake Silver badge

    That's OK.

    I've never used JavaScript for anything but idle curiosity anyway. Horrible, horrible excuse for a programming language.

    1. Psmo Bronze badge
      Thumb Up

      Re: That's OK.

      No disagreement here.

      It's unavoidable, though, so anything that adds a little order into the chaos is a Good Thing®.

      1. jake Silver badge

        Re: That's OK.

        Unavoidable? You sure that word means what you think it means?

        1. Psmo Bronze badge

          Re: That's OK.

          "Unavoidable"

          Like C and C++, you won't get far in IT if you can't at least read it.

          As a language designed as good-enough that was abused and extended far beyond its original design, I think it's done alright.

          Not my first choice, though I'd rather use it than PHP.

    2. Tom 7 Silver badge

      Re: That's OK.

      A bad programmer always blames the language.

      1. jake Silver badge

        Re: That's OK.

        A good programmer knows a bad language pretty much on sight.

        1. sabroni Silver badge

          Re: A good programmer knows a bad language pretty much on sight.

          and doesn't let it stop them using that language to deliver what the customer wants to the best of the language's ability.

          High horses don't pay the bills.

          1. jake Silver badge

            Re: A good programmer knows a bad language pretty much on sight.

            Prostitution can pay the bills, but I don't do that, either, despite knowing how.

            Unfortunately for your argument, my horses do help pay the bills, thank you very much. One is 17'2", another 18'. Is that high enough for you?

    3. chucklepie

      Re: That's OK.

      When you need a doctorate and to be able to spend 15 minutes looking at the context of the code to understand 'this', then throw in arrow functions that alter the meaning from semantic to scope, you know it's a crap language made from a pig's ear.

      1. jake Silver badge

        Re: That's OK.

        Hang on a second ... my dawgs love gnawing on a bit of pig's ear!

  4. Morten Bjoernsvik

    Nobody wants to pay for a package manager

    This was bound to happen, nobody wanted to pay $7/month per user for a "professional" version, so when venture money was gone, selling user data would be the only option left. I bet we'll see some azure-npm-github-linkedin synergies in selling your userdata.

    1. IGotOut

      Re: Nobody wants to pay for a package manager

      Yup, no one wants to pay, but are willing to throw their toys out of the pram in a hissy fit when someone does stump up the cash.

      Maybe they should have made everyone watch a 30-second advert before getting access to the download.

      1. Sirius Lee

        Re: Nobody wants to pay for a package manager

        If I could upvote this comment more than once I would.

  5. Dan 55 Silver badge
    Big Brother

    Google Analytics

    MS now has its own version for tracking web use.

    Doesn't it make you feel all warm and fuzzy inside?

  6. Elledan

    TypeScript + NPM = ?

    Considering that Github is owned by Microsoft, and Microsoft also created the TypeScript language (kind of like JS++), it would be interesting to see whether this means that the NodeJS ecosystem will move closer to 'NodeTS'.

    1. MacroRodent Silver badge

      Re: TypeScript + NPM = ?

      Well, these ecosystems are already really the same. TypeScript is implemented as a kind of wrapper around JavaScript, and if you go to the TypeScript web site, they suggest you download the language with NPM, see https://www.typescriptlang.org/download

      1. Elledan

        Re: TypeScript + NPM = ?

        Interesting. It's been a few years since I last used TypeScript (and tried to convince my colleagues to use it over plain JS, with mixed success). Guess that this would make TypeScript even more of a drop-in solution than it used to be.

  7. Julz Silver badge
    Linux

    You

    Never know, some good might come of this. Javascript might wither and die as a back end language. I can hope...

    Penguin because that is now the alternate Microsoft rallying symbol.

  8. Camilla Smythe

    See Post

    "Looking further ahead, we’ll integrate GitHub and npm to improve the security of the open source software supply chain, and enable you to trace a change from a GitHub pull request to the npm package version that fixed it," said Friedman in a blog post.

    "Looking further ahead, we’ll integrate GitHub and npm to improve the security of the open source software supply chain, and enable you to trace a change from a GitHub pull request to the npm package version that broke it," said Friedman in a blog post.

  9. karlkarl Silver badge

    My work thinks I can see the future ;)

    I predicted Microsoft's acquisition of NPM a couple of weeks after GitHub.

    The secret is; they don't give a shite about open-source or developers; what they are aiming for is to control the "professional employment market".

    LinkedIn, GitHub and NPM are the core ways where a developer can show off their skills / projects and try to obtain a job with a high salary. Microsoft wants to control this so that they can stifle developers who do not conform and ultimately damage innovation that is not "theirs".

    So next predictions:

    Stack overflow - My number one contender. I imagine they are already in negotiations.

    Unity 3D - So many kids use this to try to show off their game development skills on their portfolios. I think it has a high chance.

    Now it is just a waiting game.
