NPM today stands for Now Paging Microsoft: GitHub just launched its own software registry

GitHub today will introduce the GitHub Package Registry, a service to allow software developers to publish and manage public or private software packages for a variety of programming languages. Software packages are collections of code, scripts, and other resources that provide specific functionality for application developers …

  1. Michael Hoffmann Silver badge

    What, no PyPi?

    While it’s nice that they offer private registries, I hope they have a way of transparently proxying to public ones, similar to products like Sonatype Nexus.

    Oh, and add Python!

  2. Anonymous Coward

    Phase 2: Extend

    (See icon)

  3. Pascal Monett Silver badge

    Looks like NPM has been successful after all

    Successful in fostering competition that will extend developers' ability to get what they want the way they want, without having to support utter arseholes while making their programs run.

    So, it's a win-win situation for everyone, right?

    Well, everyone except NPM, which is just poetic justice.

    1. Notas Badoff

      Re: Looks like NPM has been successful after all

      An attempt to monetise goodwill, badly done, weaponises any other offerings. You screw up, your competitor becomes your executioner, your former customers the cheering mob in the stands.

      I'm afraid NPM Inc will become another good example "how-not-to" in business school courses.

      1. Doctor Syntax Silver badge

        Re: Looks like NPM has been successful after all

        "I'm afraid NPM Inc will become another good example "how-not-to" in business school courses."

        Do business schools teach the meaning of the word "not"?

      2. Anonymous Coward

        Re: Looks like NPM has been successful after all

        "I'm afraid NPM Inc will become another good example "how-not-to" in business school courses."

        Careful what you wish for.

        NPM was funded by seed money from the same investors that appear to have parachuted in the manglement that has probably destroyed it.

        If the investors are going to be more wary in the future, who will fund the startups?

        I expect a similar funding model will remain, but the conversion from free to paid will happen a lot earlier in the business model. There will just be different winners and losers in the new business model and less free. Or I could be wrong.

  4. Anonymous Coward

    Nuget? Seriously?

    So so buggy.

    For a while our build scripts used the latest nuget, but pretty much every month random build problems crept in. We now stick to an arbitrary version and work around the known issues.

    1. Anonymous Coward

      Sounds more like your build scripts

      Haven't had a nuget wtf in a very long while, not since we ditched packages.config in preference for the package reference type, and even then they were always caused by someone updating all packages to the latest version, rather than restoring to the versions settled on when the minor revision number got bumped.

      If you were expecting latest package versions to be backwards compatible with whatever you had installed before, then you need to a) start reading release notes

      b) do some research and understand what package managers are (they ain't gonna stop you jumping release versions unless you specify a max revision of a given package, for example), and what they do and don't do for you (won't warn you of a breaking change, that's what your failed build is for; won't fix your out-of-date implementation; will cause you hours of head scratching at weird and subtle bugs if you always try and use the latest bits).
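As an added illustration of the pinning the comment above describes (this is not code from the thread or from NuGet's own documentation, and Example.Library and Example.Other are hypothetical package names): a PackageReference project file with the floating-version form commented out beside an exact pin and a bounded range, plus the lock-file properties that make a restore fail instead of silently resolving a different graph.

```xml
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>net6.0</TargetFramework>
    <!-- Write packages.lock.json so the exact resolved package graph is recorded in source control. -->
    <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
    <!-- Fail the restore if the resolved graph differs from the lock file instead of updating it. -->
    <RestoreLockedMode>true</RestoreLockedMode>
  </PropertyGroup>

  <ItemGroup>
    <!-- Weak: a floating version silently picks up whatever newest 2.x has been published
         (hypothetical package name). -->
    <!-- <PackageReference Include="Example.Library" Version="2.*" /> -->

    <!-- Pinned: an exact version that changes only when someone edits this line. -->
    <PackageReference Include="Example.Library" Version="2.3.1" />

    <!-- Bounded range: minor and patch updates allowed, the next major release excluded;
         NuGet resolves to the lowest version that satisfies the range (hypothetical package name). -->
    <PackageReference Include="Example.Other" Version="[1.4.0,2.0.0)" />
  </ItemGroup>
</Project>
```

With the lock file committed, `dotnet restore` on a build machine reproduces the graph that was reviewed, and a newly published upstream version cannot enter the build until someone deliberately bumps the pin and the lock file.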

  5. bombastic bob Silver badge

    there's something wrong with the entire premise

    the idea that all of these script libraries should be teetering on the brink of crushing the house of cards they're all built on, of which NodeJS and that 'NPM' thing were MAJOR players a short while back (including the TRIVIALITY of the "withdrawn" code whut dun it) tells me that it's time to move AWAY from such things before yet another "centralized" thing crushes half of what depends upon it, for whatever random reason.

    eggs.. one basket... sounded ok until they ALL BROKE. It's kinda like NOT doing backups, or relying on a single supplier, or one of many OTHER _BAD_ ideas that people end up going with anyway, because they *FELT* and did not THINK it through.

    And saying that programming is *SOCIAL* - *urp* I need more pink liquid

    does anyone NOT remember DLL Hell? Does anyone NOT remember that MS's "solution" for it was ".NET" ??? And now, FORCED UPDATES so that EVERYTHING updates at the same time? Is *EVERYONE* ready for "that" kind of "solution" to one trivial package breaking EVERY DAMNED EGG in the FORNICATING BASKET again, no matter WHAT that "package system" is called?

    It's all WAY too overrated, and _WILL_ bite people in the ass, MULTIPLE times, before it's properly REPLACED with something different, something _LESS_ centralized, like having your OWN copy of a lib you need and maintaining it LOCALLY! And having enough QUALITY CONTROL to get the job done RIGHT the FIRST time, and not '42 updates later'.

    1. DBH

      Re: there's something wrong with the entire premise

      I'm no expert, but I'm going to say you've had a bad Monday. It's nice out, go for a walk.

      Now I do actually agree with your point, but your delivery method gave me a headache.

    2. LeahroyNake

      Re: there's something wrong with the entire premise

      Geez, take a chill pill Bob.

      Yes, it is that bad, and I believe on-site solutions and user control over Windows 10 are preferable to the current situation.

      But... Please get a new keyboard, your caps key is malfunctioning.

  6. John 62

    Couple of things not mentioned

    Always useful to have another mirror, but a couple of points I haven't seen mentioned

    i) Microsoft now has a competitor to JFrog's artifactory with the added value of GitHub's repository vulnerability scanning. I was at an intro to Enterprise GitHub led by GitHub staff and they said they had something like petabytes of vulnerability data they were using for scanning for users on public GitHub, but they couldn't offer that for on-premises enterprise GitHub because there was too much vulnerability data to host on anyone's private network. I think this way they can offer a more secure version of Artifactory that doesn't need to be coupled with something like Blackduck or Veracode.

    ii) With its own package manager, GitHub can keep all the traffic for its build/execution offering inside their own network for speed and cost (Another part of competing with AWS/Azure/Glitch - yes, I know Azure and GH are both MS, but they can have different offerings to suit different customers).
