What, no PyPi?
While it’s nice that they offer private registries, I hope they have a way of transparently proxying to public ones, similar to products like Sonatype Nexus.
Oh, and add Python!
GitHub today will introduce the GitHub Package Registry, a service to allow software developers to publish and manage public or private software packages for a variety of programming languages. Software packages are collections of code, scripts, and other resources that provide specific functionality for application developers …
Successful in fostering competition that will extend developers' ability to get what they the way they want, without having to support utter arseholes while making their programs run.
So, it's a win-win situation for everyone, right ?
Well, everyone except NPM, which is just poetic justice.
An attempt to monetise goodwill, badly done, weaponises any other offerings. You screw up, your competitor becomes your executioner, your former customers the cheering mob in the stands.
I'm afraid NPM Inc will become another good example "how-not-to" in business school courses.
"I'm afraid NPM Inc will become another good example "how-not-to" in business school courses."
Careful what you wish for.
NPM was funded by seed money from the same investors that appear to have parachuted in the manglement that has probably destroyed it.
If the investors are going to be more wary in the future, who will fund the startups?
I expect a similar funding model will remain, but the conversion from free to paid will happen a lot earlier in the business model. There will just be different winners and losers in the new business model and less free. Or I could be wrong.
Haven't had a nuget wtf in a very long while, not since we ditched packages.config in preference for the package reference type, and even then they were always caused by some one updating all packages to latest version, rather than restoring to the versions settled on when minor revision number got bumped
If you were expecting latest package versions to be backwards compatible with what ever you had installed before, then you need to a) start reading release notes
b) do some research and under stand what package managers are (they aint gonna stop you jumping release versions unless you specify max revision of a givin package for example) , and what they do and don't do for you (won't warn you of a breaking change that's what your failed build is for, won't fix your out of date implementation, will cause you hours of head scratching at weird and subtle bugs if you always try and use latest bits)
the idea that all of these script libraries should be teetering on the brink of crushing the house of cards they're all built on, of which NodeJS and that 'NPM' thing were MAJOR players a short while back (including the TRIVIALITY of the "withdrawn" code whut dun it) tells me that it's time to move AWAY from such things before yet another "centralized" thing crushes half of what depends upon it ,for whater random reason.
eggs.. one basket... sounded ok until they ALL BROKE. It's kinda like NOT doing backups, or relying on a single supplier, or one of many OTHER _BAD_ ideas that people end up going with anyway, because they *FELT* and did not THINK it through.
And saying that programming is *SOCIAL* - *urp* I need more pink liquid
does anyone NOT remember DLL Hell? Does anyone NOT remember that MS's "solution" for it was ".NET" ??? And now, FORCED UPDATES so that EVERYTHING updates at the same time? Is *EVERYONE* ready for "that" kind of "solution" to one trivial package breaking EVERY DAMNED EGG in the FORNICATING BASKET again, no matter WHAT that "package system" is called?
It's all WAY too overrated, and _WILL_ bite people in the ass, MULTIPLE times, before it's properly REPLACED with something different, something _LESS_ centralized, like having your OWN copy of a lib you need and maintaining it LOCALLY! And having enough QUALITY CONTROL to get the job done RIGHT the FIRST time, and not '42 updates later'.
This post has been deleted by a moderator
Always useful to have another mirror, but a couple of points I haven't seen mentioned
i) Microsoft now has a competitor to JFrog's artifactory with the added value of GitHub's repository vulnerability scanning. I was at an intro to Enterprise GitHub led by GitHub staff and they said they had something like petabytes of vulnerability data they were using for scanning for users on public GitHub, but they couldn't offer that for on-premises enterprise GitHub because there was too much vulnerability data to host on anyone's private network. I think this way they can offer a more secure version of Artifactory that doesn't need to be coupled with something like Blackduck or Veracode.
ii) With its own package manager, GitHub can keep all the traffic for its build/execution offering inside their own network for speed and cost (Another part of competing with AWS/Azure/Glitch - yes, I know Azure and GH are both MS, but they can have different offerings to suit different customers).
Biting the hand that feeds IT © 1998–2022