Today we've announced that we've signed an agreement to acquire NPM but we technically have not acquired them yet (referred to as "closed"). NPM is still their own company for now and that's why the language is future tense.
I literally thought that, clicked hide, then thought "Wait a minute, do they mean...?" and had to go fish it out of hidden items.
"Joining" is an interesting term here... but I suppose it won because it sounds more like something friendly humans would do. "NPM Is Breaking Bread and Sharing with Github as Special Friends."
Our 'workspace' is so ornate that yarn couldn't handle it. 1.21+ almost looks right, but something very bad is still going on with mocha deduping, such that tests are failing with really bizarre error messages.
I check yarn about every three months, or when I find a new, infuriating bug with the npm CLI (so, every couple of months on average). I think npm install suffers greatly from not having a formal spec. It has been bugfixed by so many different individuals now that it has reached a truly astounding level of schizophrenia.
If yarn didn't exist, I would have started trying to break down the install problem into many independent concerns that can be reasoned about individually and tried to solicit help in making a full installer out of it. If I'd known I'd still be trying to make yarn workspaces work for us 18 months later I probably would have.
Node modules in general have some bad patterns of delegation that are utterly antagonistic to self-documentation, and both yarn and npm seem to suffer from this as well. I think in the next week or so I'm going to have to set up a small test case that exhibits the yarn bug I'm seeing, or any of the half a dozen interlocking (emphasis on 'lock') npm bugs that now have me painted into a very tiny corner.
Your take on the installer in npm v6 is not wrong. It got that way by a process of gradual iterative evolution, and it has lots of warts.
npm v7 features a ground-up rewrite of the tree resolution and deification logic in the @npmcli/arborist module. I recommend checking it out, or at least staying tuned for the beta coming soon.
We have so many little modules from different teams, or even borderline abandonware, that it would take ages to make these changes, and 'yarn node'?? Just... no. How is that ever gonna work consistently with node_modules/.bin?
At this point my choices are, start contributing to yarn and npm development, or get my ass in gear on learning Elixir and Rust. I have been wondering for maybe 18 months if I might be 'done with Node'. I think I've had it backward this whole time. Node may in fact be done with me.
Yeah, yarnv2 is a BIG change and one that came out without much noise. There is no node_modules now by default. Pnp is forced (which was released in yarn as an experiment back in 2018 without much adoption).
I have been wondering the same thing. I left node for 8 months and I come back to see a lot of things have been abandoned in favor of yet another wheel implemented a bit differently. I wish changes were more visible and subtle. Rewriting seems like a plaque to js ecosystem except no one rewrites some really old unmaintained dependency we have hidden in every new shiny project.
NPM is a lot more than the CLI. Even if you use yarn as the CLI you are still using npm for hosting and all the other parts that don't run on your computer. You can run your own npm repo, but hardly anyone does for all their dependencies (not talking about just caching here).
I'd wager most people who use yarn even installed it via the npm CLI.
I mean yes, but no, but yes. For one, a lot of companies end up using Artifactory or similar, so npm is the source of truth but not the source of tarballs.
Didn't GitHub set up their own npm registry recently? Shots have been fired in this regard. Which, now that I type that out, makes me kinda wonder how amicable this purchase was...
It'd be such a shame if something bad were to happen to your lovely repository...
Yeah, I was confused when I first heard of it because it seems like an odd couple to "join" one another. However, it makes perfect sense for github to purchase npm.
I did not see that coming. I trust Microsoft to be able to offer great availability and nice software. It is maybe not the best overlord we could have hoped for but it's way better than the status quo.
> Later this year, we will enable npm’s paying customers to move their private npm packages to GitHub Packages—allowing npm to exclusively focus on being a great public registry for JavaScript.
Packages will continue to develop its npm registry. We have a lot of work to do in securing the software supply chain.
It'd be wonderful, as a package consumer, to have visibility into some security metrics for a given package. This would be useful both at initial install time, and when the package is upgraded. Something like:
1) who are the latest commits GPG signed by?
2) is the package publisher using 2FA?
3) what is the security profile of all dependent packages?
4) are there any new authors (directly or via dependencies) since the last version (with links to the author and their contributions).
These might help avoid prior situations where popular packages get injected with malware by new maintainers.
Yes, we (internally) call this a "Bill of Health" and believe that all packages should have this kind of diff-able information available. Understanding what's happening at the source level is key to being able to trust any package published.
NICE! It would be wonderful to expose that information!
Somewhat related, I believe NPM pulled in (or co-opted) some of the heuristics from this: https://github.com/npms-io/npms-analyzer (but those don't seem to include any of the aspects I suggested above).
I can't speak to company internals, but I do know that Azure is powering GitHub Actions runners, and there have been a firehose of new features coming out of GitHub in the past year. I imagine its pretty core to their "Developers Developers Developers" strategy.
I've been at GitHub for 7 years and we operate independently but have the support and resources of Microsoft when we need them. IMO, they've been amazing partners but day to day the GitHub team builds, prioritizes, and supports GitHub.
It's totally the smart thing to do. Github needs a ton of cloud compute with github actions, Azure powers it. Github brings a very strong brand that developers love, which gives Microsoft a good rep amongst technical folks.
This is as good as Google acquiring Youtube because Youtube needs an insane amount bandwidth and it was a perfect fit for Google's infrastructure and ad platform.
It's just sad to see Google not playing the Developers game well.
They could fork it, the core of the runtimework is moving to WebAssembly anyway which is a much more tractable problem. Sure this is a boatload of JS work to do at the interface boundary but the amount of hard compiler and jit work that needs to be focused on by main runtime is much lower.
Someone at MS knows strategic and tactics. When MS and Windows bootstrap themselves into the cloud, they will have some software to land on.
I think the honest truth is that a lot of developers see Safari similarly to IE because Firefox and Chrome are quick to jump on and ship new features and "if only Safari kept up" they could be used "everywhere". Combined with the fact that iOS is large enough that you can't just drop Safari support and tell them to use Chrome.
It's a weird world where webdevs apparently ideally just want everyone on the 6 second old version version of Chrome. I totally get it -- it's an absolutely rational stance but it feels a lot like how devs felt about IE6 at the beginning.
You're right, IE6 was amazing at the time. It made a ton of things possible that previously hadn't been, and the standards bodies were lagging behind it. Had MS actually kept updating IE6 and kept it ahead of the standards, the standards would never have mattered, and we'd never have developed this sick taste for IE. No one hated that they had a monopoly, we hated that they had a stagnant monopoly.
I've worked with projects that used iframes in safari. It had some of the weirdest bugs. Some random times it didn't render changes to the DOM. Sometimes when clicking input fields it would focus the surrounding iframe element.
A webview in iOS could sometimes crash system wide. Not enough to restart the app. You'd have to restart the device.
Felt like a sitcom when I had to ask customers if they'd tried turning it off and on again.
Safari is way behind Chrome and Firefox on web features and has all kinds of proprietary rules on existing implementations.
It's not even required or the default install on any OS. And it has rapid updates that constantly test new features and improve performance and security.
Any "exclusive" features are just early testing for later standardization. It's Safari that's lagging in implementing them.
Want to try something fun? Install any browser in iOS and do a test. Then do the same test with Safari. Now ponder why they are exactly the same no matter which browser you install.
If you're referencing Apple's mandate that WebKit be used as the engine for all iOS web rendering, then yes, that's a poor policy ostensibly made in the name of security. Not sure if that's what your point is, though.
Can you imagine how much legal trouble microsoft would be in if they blocked alternative browsers in windows? Simply providing a single default was too much.
To be honest I like this new Microsoft. VSCode is a really good tool, C# is amazingly performant and they don‘t talk quite the same BS lingo as some other big players. Also MS research produces some really good stuff.
These tools are worthwhile additions. Vscode is a important toolkit item for many. Just having it on multiple platforms is a useful common denominator that reduces friction.
This kind of consolidation is probably not good for everyone who depends on open source projects. Microsoft now owns a significant portion of software distribution.
I can see why this comment is downvoted, because it's mostly superficial, but also, there's some truth to this perspective. Microsoft's acquisitions raise questions for what the open source ecosystem of tomorrow will look like. Chrome seemed to answer a lot of issues with browsers when it came out, but look how many people today are uncertain now that the API's powering the uBlock extension will be deprecated. It would be short-sighted for us to look at Chrome's history, and then say "nothing could ever happen to Open Source" without giving the perspective a serious consideration.
no, this is microsoft "embracing" (buying control of) a huge point of centralization in a software distribution ecosystem, positioning them to have greater power over a huge number of developers.
I think people are "okay" with Microsoft because so many hackers have a problem with the data agglomeration and monetization strategy of Google and Facebook, but this Microsoft "embrace" will come to a head within the next couple years and I just can't wait for it.
The way people think Microsoft's embrace of open source, GitHub, and now NPM is genuine is completely ridiculous. Microsoft had to change because much of where the action was is on *nix systems. Microsoft will start to use these companies to make developers embrace Microsoft services. It's only a matter of time.
I can't even come up with a scenario of how MS would realistically do so? Sure, making GH actions easier to set up with Azure than AWS seems plausible, but also strikes me as somewhat benign.
Banning python from Github? Requiring \r\n for NPM packages? What's the move you're afraid of?
One question GitLab's CEO (sytse) is rightfully asking is whether the ability to trace code from npm back to the repository will be available to competitors. If not, less competition is bad for users.
I still think this is good news, given where npm is coming from, but it's certainly not risk-free.
This is where effective anti-trust enforcement is important and valuable.
Until we come up with better trusted federation protocols there will be natural monopolies, but that doesn't mean they get unchecked power. We have laws for that.
I don't give any credence to the idea that Microsoft under Satya Nadella is the same company as Microsoft under Gates or Ballmer, much less the idea that it is secretly lying in wait to go back to its old, far-less-profitable ways. It has behaved differently. It is making its money differently. It no longer stack-rank fires people. And it is making a whole lot more money doing things this way than it made the way it used to behave.
These companies don't need to profit off of acquisitions. If they're going to, it doesn't have to be direct either, it can be a method of growing their sales funnel if nothing else, or even just acquiring talent.
There's a difference between "not going to last long" and "not going to return 10x to their investors". This seems like another example of the faustian bargain of taking VC money.
This seems like a good outcome overall. NPM being such an important pillar in the software supply chain while having an unviable business model and largely being funded by VC money was never a good position to be in. There are problems with more of the software ecosystem consolidating with a single entity but it still feels like an improvement.
It was already consolidated. The vast majority of public npm packages are already hosted on Github. The dependency on them has been there since the beginning.
Yes, indeed - and the dependency is literally right there on the technical level. For years, you've been able to specify a version of a package as a github repo's branch HEAD.
The big problem is that lots of Node.js modules don't push their tags, so there are issues on lots of repos begging maintainers to push their Git tags so that we don't have to use the npm registry.
JavaScript is an interpreted language -- as long as you're only downloading source code from the registry there's really no reason to use a registry instead of the plain old Git repository.
A common issue I've had with using Git repos directly as Node.js modules, is that many projects are transpiled/built before publishing to NPM. Depending on specifics of that build process, it may not work out of the box (or at all) from a node_modules folder.
With NPM acquired by GitHub, I can imagine them "filling in some steps" by leveraging the fairly new Actions feature, so that repos can provide built artifacts, the same ones as published on NPM. The deeper integration will be an interesting development to watch.
Repos have been able to provide artifacts since forever ago; they just don’t sit in the tree. While you can commit from an action, I’m not sure that’s a great idea.
You're right, artifacts in GitHub repos have been around a long time. I suppose what I was missing was a way to point to a specific built artifact (like a tar.gz from a release) as a dependency, from package.json. As far as I know, it's not possible yet with npm. I can imagine that will be covered somehow with deeper integration of GitHub and the NPM package repository.
Thank you, learned something new - from none other than the founder of npm! :) Congratulations on the acquisition, bright future ahead for the whole ecosystem.
How is a convenience feature a dependency? The same command exists as "gitlab:username/repo" variant. The GH variant just happens to be the unprefixed one as it has by far the biggest userbase.
Perhaps dependency was the wrong term, but my point is what you said - they've built it in as a convenience feature precisely because it's such a common usecase - a better way to say it might be they're inseparably linked tools / tightly coupled even on the technical level.
I do not consider the largest distributor of proprietary, closed-source spyware (Windows) owning the fastest growing open source package manager to be a good outcome, personally.
You aren't the only one. Most users are too young to understand how predatory Microsoft has always been. Can't wait for the "npm won't publish my package because it circumvents something in Windows" or whatever. Give it time.
I am old enough (42) to remember those days, but honestly I don't feel that threatened by them. I remember their EEE days, and for a long time I haven't seen much of the same behavior.
Same here (40). I was with Ballmer singing “developer developer developer”... i think his legacy is not that bad. The company was not ready to grasp the idea of open source at these times, but the principle holds.
Tbf Microsoft have won back a lot of good faith with developers due to projects like VS Code and TypeScript, even for those of us who remember their past.
And we're yet to hear of any negative impact of their Github acquisition (afaik - correct me if wrong).
Before someone else comes along and writes a monologue, the biggest downside might be how it handled (didn't break) its contract with ICE[0]. If the acquisition didn't happen, old GitHub might've dropped the contract immediately upon enough employees speaking about it.
That's a subjective political opinion of a far-left vocal minority. Not everyone has an issue with ICE (a federal law-enforcement agency that stops criminals and saves lives) nor finds a problem with a company legally providing services to the government.
>That's a subjective political opinion of a far-left vocal minority
What you are talking about is Right-wing politics, even if they are extremely far to the left of your -and the majority of peoples political view -in the USA. Both parties in the US are on the right. This isn't Reddit where the state of US politics is the default norm when it differs from most of planet earth. Though HN is quickly getting there.
ICE doesn't protect the border, that's United States Customs and Border Protection (CBP).
ICE are the goons operating everywhere (i. e. not tied to the border) rounding up "suspected illegal immigrants".
Because it isn't exactly hard to find illegal immigrants, and their charter allows them to control people without objective cause, ICE gets to arbitrarily decide whom to harass.
It's the real-life version of the perennial fear of civil libertarians that too many criminal laws will just lead to any one of us being arrested whenever it happens to be convenient for whoever is currently in power.
It isn't going to end illegal immigration, nor curtail it to any significant degree. It just serves to keep a large segment of the people who see every day in a constant state of fear, unable to (for example) seek protection from crime or exploitation for fear of being deported.
ICE is the enforcement arm for immigration, which handles people who cross the border. Obviously if there's a strong border then there's no problem in the first place.
As for the rest of your comment, this is the far-left extremist position that I cited in my first post. There's no good faith discussion to be had here.
> ICE is the enforcement arm for immigration, which handles people who cross the border
No, it's the enforcement arm for immigration and customs, the former of which is people who are living in the US despite not being US citizens. Enforcement of people (and goods) crossing the border is the Border Patrol and it's parent organization Customs and Border Protection.
To keep this as straightforward as possible: Illegal immigration is a crime and is enforced just like any other. Committing crime can mean incarceration, which many US citizens face everyday. It has nothing to do with being a "danger", but when you don't have permission to even be in the country then there's no bail or other release possible.
Also detainment centers are not cages but fenced areas with free movement inside where people receive food, shelter, healthcare, entertainment, schooling and legal services paid for by US taxpayers while their cases are processed. Detainees are free to deport themselves at any time. This is more accommodating than pretty much every other developed nation.
Bad people exist and bad things happen in every large organization in every government of every country. It is not representative nor useful in discussing the behavior of the whole.
Yes they do. But important part is what organisation does about that. Does it close the eyes, does it encourages it, does it publicaly removes bad people from org to send the message?
The fact that ICE has built concentration camps (as verified by scholars who study concentration camps) is a fact, not a subjective or political opinion. The fact that there are children in these camps, many being raped, some being tortured, is also a documented fact, not a subjective opinion.
These are well-documented facts that have been widely reported on in the mass media. You can find links to specific articles on my blog in the recent article about Microsoft and GitHub, if you wish to learn specifics.
The kids are in there right now, as I write to you.
Whether or not Microsoft's provisioning of services to the government is "legal" or not is not particularly relevant to the thread, but it is interesting that you bring it up, presumably as a defense of their behavior.
Again: This is not a partisan thing. At all. Your attempt to reduce it to such is inaccurate (and, tbqf, off-topic for the thread about Microsoft-the-corporation, as well as off-topic for HN).
Concentration camps are for political prisoners. These are not the same. And there are US citizens and children in jails and juvenile detention too, which is what happens when crimes are committed.
I'm a naturalized immigrant. I've been in far worse places than America. I suggest you visit CBP and ICE. Talk to the agents. Visit the border. See the shelters. View the damage done by criminals who prey on these people and find out how much the agents do to help them while risking their lives fighting cartels and traffickers.
Like I said, America is far softer with borders than other nations. Crossing illegally brings enforcement and penalties. I'm not sure why this is so controversial, or why protest against govt organizations is done by proxy of software companies.
Others see that as an upside. ICE today, who knows what tomorrow. The sort of activists who wanted that have all kinds of random targets. No company wants to deal with suppliers suddenly blacklisting them because the hard left decided they're evil.
Lots of big tech firms are government contractors, and as we've seen most of them are unwilling to drop government contracts (ICE, DARPA, etc). So this problem would arise with almost any large benefactor. I would've liked to see GitHub drop ICE though, personally.
VS Code is also spyware; I am not sure that this argument furthers your intended point.
The fact that it is open source and popular is not sufficient on its own. It had to be forked (vscodium) to show basic respect for the user’s privacy and system resources.
> This is not a fork. This is a repository of scripts to automatically build Microsoft's `vscode` repository into freely-licensed binaries with a community-driven default configuration.
This is such an extreme & pretentious viewpoint. Microsoft knowing that I have VS Code installed & getting a report when it crashes is not in mine, or really any normal developer's threat landscape.
> Tbf Microsoft have won back a lot of good faith with developers due to projects like VS Code and TypeScript, even for those of us who remember their past.
Those are great until they're not. It's why it's called "bait and switch".
> And we're yet to hear of any negative impact of their Github acquisition (afaik - correct me if wrong).
ANY?! Heh, do a quick search just on HN and you'll find it pretty quickly.
I did search, didn't find it quickly. Could you share some sources of the negative impact? (I'm legitimately curious as my use of GitHub hasn't led me to notice any change.)
> I'm legitimately curious as my use of GitHub hasn't led me to notice any change
Nor I. That's not that point.
For the record, I think Microsoft has done wonderfully for the dev community in the last 10 years. I don't see any reason that they are going to "f it up", but big businesses get desperate when environments change and profits get impacted (look no further than what Oracle is doing). Microsoft is not immune to that.
The complaints are "I think it really impacts the neutrality of github" and "I hope they don't discontinue Atom or apply their UX styling to the site/desktop app", respectively. Those don't strike me as particularly specific and/or nightmarish.
And pulling a package from a custom url is what, one line of code in this package documentation? And the moment it happens, this package will be on top of HN?
I understand the concern about MS business practices, but I don't think it applies to environment where transactions (as in, importing someone's package or submitting a pull request to it) don't involve any contracts or money.
It may appear blaming Ms forever for their past actions is a good idea. It's not. Those actions and decisions came from certain people. They're long gone. I look only to the present. MS decisions and actions these past few years have been pretty solid imo. We must always assume the best of everything, not the worst. Not matter what. It may appear naive, but it's the only sane way.
They've created a funnel from a jobs site they control, through an operating system and hardware they control, with development tools they control, and source (etc.) on a web platform they control, onto a cloud they control.
Assume the best all you like. Microsoft are spying on you and can lock you out of their ecosystem for any reason. When that ecosystem includes critical public infrastructure, there is a problem.
The only "sane" response to this is to smile at the MS employees who tell you how much they love Open Source and to use absolutely any other platform.
Then you must not like React or Angular, since the owners of those projects are the largest spyware and aggregators of personal data in the history of humanity.
For some examples: RMS being a douchebag has nothing to do with the usefulness of gdb, nor can that circumstance affect the utility in any imaginable scenario.
Microsoft setting censorship policies (aka ToS) on a website they own and control directly affects the utility of npm/yarn/clients. Their website, their rules.
The time for GitHub is over. I have moved all of my repositories away from there that do not depend on GitHub-only integrated services, and am migrating my DNS and domains/hosting off of those integrated services this week. You should too. If you work there, you should quit.
Good for you. However, the general sentiment doesn't seem to behave the same way. I haven't noticed a mass Github exodus at all, aside from some people on the internet being vocal about it for the first month after the Github acquisition. Same with VSCode.
I realize this is just pure anecdata and not a legitimately researched observation, but I don't know a single dev in real life who either switched away from Github or VSCode due to those concerns, despite having a wide variety of dev friends from all kinds of backgrounds, including big tech devs, non-tech company devs, fully remote devs, self-taught devs, small startup devs, outside of the US devs, freelancer devs, etc.
I know a couple of projects that switched to gitlab. I use gitlab for my personal projects. I've abstained from moving Red Moon away from GitHub because it's still where people are, and I have some doubts about GitLab's VC-funded model (will they be able to stay as open forever?). I also want to consider other options, like SourceHut. At the same time, it is in the back of my mind and I am ready to move away at the first sign of extend/extinguish.
Just for reference, vscodium is not a fork to remove Microsoft's code - it is just a build tool for the open source repo as explained in the README.
"When we [Microsoft] build Visual Studio Code, we do exactly this. We clone the vscode repository, we lay down a customized product.json that has Microsoft specific functionality (telemetry, gallery, logo, etc.), and then produce a build that we release under our license."
"When you clone and build from the vscode repo, none of these endpoints are configured in the default product.json. Therefore, you generate a "clean" build, without the Microsoft customizations, which is by default licensed under the MIT license"
> Just for reference, vscodium is not a fork to remove Microsoft's code - it is just a build tool for the open source repo as explained in the README.
When a certain build configuration enables major spyware features, and that is the build configuration for the released version by the first party, and another build configuration (that is not released by the first party) disables those major spyware features, the distinction between a fork/patch and a "different build configuration" becomes semantically meaningless.
It's a fork, regardless of how they care to present it. The result of the build configuration is embedded in the release. Consider it a "binary fork" if you don't like considering json "source code".
It depends on what the alternative is. When NPM starts running out of money to run the service what would happen? More VC, but only to a point and the firms would be increasingly be influencing NPM to make money by any means(probably not good for anyone but the firms). Alternatively a cash strapped NPM fails to invest in security and availability of the service leading to widespread outages or worse a large scale supply chain attack facilitated via the registry.
This is sad to read. Why does every project have to be profitable? If NPM is useful users (companies and people) can invest time or cash to support the operations and continued development. This foundation model has been successful across open source and prevents one company from changing the direction of a project to fit their own needs at the expense of everyone else. I think this was critical to the continued growth of open source software over the last two decades. If this trend of selling out to massive corporations continues it will be a major step backwards.
To be clear that's not what I am arguing here, I agree that package registries should, ideally, be owned and supported by the community. However NPM already had fairly significnat VC investment and as such any transition to a community supported model would be challenging.
The acquisition can be a good outcome for the current situation without it being the ideal state of things.
Imhi Npm is two things a cli tool, and a central repo that tries to be the one and only js repo: to make money from that position. Their infra costs them money only because that was their angle for selling out.
Linux repos take the alternative approach to try to get as many mirrors as possible so it can remain free.
Microsoft did not buy npm to help it become free. Believe. They bought it because they rekon they can make buck out of it.
That buck comes from somewhere.
Nodejs going to the Linux foundation was good news.
That's a path but NPM already being a company with signficant VC investment would a transition to such a model workout with the existing stakeholders? Also NPM is quite a bit bigger than both the Ruby and Python library spaces.
Perhaps because Node code bases when deployed cause the package manager (npm) to consume more bandwidth in general than comparable Ruby or Python code bases due to higher dependence on third-party packages?
As at Oct. 2018, the top 12 npm packages [1] were already doing more than 0.5 billion downloads a month. Granted, popularity has waned for a few of those top packages due to deprecation or new language features, for instance.
EDIT:
NPM’s announcement about the acquisition [2] provides up-to-date numbers:
“Today, npm serves over 1.3 million packages to roughly 12 million developers, who download these things 75 billion times a month ...”
You're probably right with all the one-off and fairly small dependencies in the npm ecosystem. Seeing those numbers would be pretty neat to compare side-by-side.
Isn't it more that NPM specifically has had a bumpy ride, and people are seeing this acquisition as a sign of better times to come, and it not being a value judgment of other open source initiatives.
Why would NPM run out of money? NPM is the primary vendor for worry-free distribution and management of private JavaScript packages for $7/month/user. In a time where bandwidth is basically free (outside AWS/Azure/GCP) that should surely pay for server costs and a handful of developers.
It probably isn't going to 20x VC money, but it sounds like it would be profitable to run as a business.
Regards 2FA/Login: Except that Microsoft has not done this with GitHub. And NPM is joining GitHub not Microsoft. You will see non login vanishing in favor of GitHub Login for sure. And the second factor, see what GitHub offers. For me that is currently a OTP generator
Gihub already had a masssive social graph. They know who you are in terms of who you work for and who your CTO is.
Npm does not know that about me. It has no sales channel.
GitHub is owned by the same entity that owns LinkedIn. Microsoft has really no problems cross linking persons. They can also easily link the source code between the systems etc (if they want).
I hope they dont use that Microsoft Authenticator app. That has never worked for me, never once got me logged in, and has locked me out of Teams on a couple occasions.
The alternative is that the entire source control system (GitHub) and the entire artifact registry (npm) are run by a giant multinational military defense contractor with close and longstanding ties to the US military. Did we forget so soon that the Snowden slides are PowerPoint?
I'm not sure that's an improvement in any way whatsoever.
Microsoft does indeed work for and with the NSA. As an ASP they participate in the warrantless PRISM bulk collection program (they were the first!), and they also provide software and services (support) as a direct vendor.
Boeing is a defense contractor. Northrup is a defense contractor.
MS? Not even a chance. What percent do you think of their business is actually government, beyond buying licenses just like nearly every other corporation on the planet.
Change my mind: package management infrastructure run by government as a public service should be the ideal end outcome for everyone.
Why I think this: private or volunteer models are unsustainable in the long run owing to funding uncertainties or conflicts of interest between stakeholders. Utilities that support the bulk of our technical infrastructure should be secured by public interests. Governments can keep things free.
Common objections:
- "Governments are inefficient". Depends on the area. The government tends to be inefficient in handling areas with direct consumer benefit, but less so in dealing with consortiums or private entities. Since private entities are the primary mainstream users of packages, I don't think government will be too slow on this front.
- "Governments will be malicious". This I don't doubt, but the solution for that is building better trust mechanisms rather than keeping a practical solution at bay, and for software at least such trust mechanisms are tenable e.g. see the CNCF's Falcon project.
Enriching Microsoft and improving their position in the market as a byproduct of publishing and using open source code that has nothing to do with them.
How is open source software harmed by Microsoft being successful promoting open source software? This feels like cutting off your nose to spite your face.
given the significant returns to scale in the tech industry this is a pretty natural development and it happens in most tech sectors over time as monopolistic competition generally outperforms the 'bazaar' economy.
'small business' is only the equilibrium in sectors that can't increase aggregate output by growing or capital investment like say, the restaurant industry.
> NPM being such an important pillar in the software supply chain while having an unviable business model and largely being funded by VC money was never a good position to be in.
Why does NPM need to be funded as a commercial entity at all? What other open source library has a private company running its package manager? This one still boggles my mind.
For programming languages, there are several examples of commercially run package managers:
- the Java/Kotlin/Scala ecosystem is based around maven central, which is run by Sonatype, Inc.
- Go modules are hosted by Google. Previously, most libraries were hosted on Github
- Rust's crate index is on Github
- The Docker/Moby registry is run by Docker, Inc. (though that might be a stretch for "package manager" :))
Technically the Go module _proxy_ is hosted by Google. Even if the proxy went away, you'd still be able to get access to all of the packages as they're still hosted elsewhere. It just wouldn't be as fast.
Maven Central has mirrors and alternatives and you can trivially host your own repository, all you'd need is a plain web server serving a bunch of static files.
Some libraries aren't hosted on Maven Central actually, so it's not uncommon to see instructions for adding extra resolvers to your build config.
The Java ecosystem isn't as dependent on Maven Central as the JavaScript ecosystem is on npmjs.com
Almost every library out there is on Maven Central. Even Oracle JDBC drivers are now (finally) on Maven Central.
If MC goes away as it exists today, the Java Ecosystem will take a huge hit as almost every open source project would stop building in CICD environments from the get-go.
If it vanished instantly then yes, but a huge number of packages on Central are mirrors from jcenter. There are not only theoretical competitors to Maven Central but an actual widely used one (jcenter/bintray), which is easier to use anyway. There's also jitpack too. So people could migrate pretty quickly to alternatives.
You're not technically wrong, but I bet that 90% of the projects or at least the examples have some sort of intentional or unintentional reliance on Maven Central, that would break the build if it weren't there. Even a lot of companies that set up internal repositories don't realize that they hit still are gonna hit Maven Central initially, before everything is bootstrapped, depending on how things are configured. It would reflect just really poorly on the Maven ecosystem (or any ecosystem alike, I have to assume, but know less about) if the canonical repository would just... "poof".
I think the point is that you are using a commercial entity to host your code. There is a bill for the code you have hosted, and you aren't the one paying for it.
Note that the crates.io index is just a single git repo that holds JSON metadata about each crate: https://github.com/rust-lang/crates.io-index . The actual code found on crates.io is hosted on S3. The index is an important part of the system, but there's nothing tying it to Github specifically.
Ah, neat! Works out well for them; I assume it's relatively cheap to just serve an S3 bucket on their CDN (though I guess bandwidth costs may rise rather dramatically if Rust ever reaches Node levels of popularity), while not taking on any other operational expenses of actually running a registry.
CDN bandwidth by nature of the reach of Cloudfront will mostly be offload onto the local peering fabrics. It basically costs nothing in per mbit billing - e.g. linx https://www.linx.net/wp-content/uploads/2017/10/Fees_Schedul.... 100gb hand. That's not to say there aren't other major costs in running a resilent edge network which go someway to justify 0.0Y/GB pricing where Y varies from 1-9 depending on location for non sponsored projects. tl;dr - it won't ever be a problem
Confused why you think a service servings millions or billions of requests a day wouldn't require money to run. Do you think some grant magically appear out of thin air to pay for the servers, storage, bandwidth, and maintenance?
Big leap from "servers cost money" to "a package manager requires a commercial entity". How are other language ecosystems and package managers operating, many without private companies attached, when they too are serving millions of requests a day?
Well the big ones are hosted by commercial enterprises, and the smaller ones don't have the scale of JavaScript so they don't require that level of support.
We've been doing fine here in reality, where most Linux distros, Perl's CPAN, Python's PyPi, RubyGems, etc. are all run by volunteers and donations. There is nothing special about NPM that requires it to be owned by a for-profit corporation. If Wikipedia and Archive.org can get by, I'm sure NPM can too.
Looks like they’re paying for bandwidth, aka “cloud pricing.” They could probably reduce those numbers significantly, but if it’s funded by a grant why bother?
Whelp, time to look for backup solutions for when Microsoft continues their strategy.
Even today there’s an article about github flagging (re shadow banning) a user with 10k+ lib users, and no response from them as to why the ban occurred.
Thinking of adding an “in case of emergency” link in my README for users in case of sudden service loss.
I wonder why your (entirely reasonable) comment got down-voted so much. This is exactly the risk why people prefer a distributed and decentralized internet over one where all open source is stored in one central Microsoft subsidiary (e.g. GitHub).
I think people are tired of EEE being posted on every Microsoft related thread even though Microsoft has been a very different company for at least 10 years.
I do agree with the concerns of open source consolidation though. We need to find better ways of supporting open source projects instead of having them being bought by "large company".
The central repository is entirely optional when using npm the cli tool; many companies use a proxy repository (such as artifactory) to host their internal packages and cache public ones already.
Anyone can already run their own, or install from remote git urls (not just github) as well. If the new organization undermines the community, the community can easily move.
NPM the company has had a significant number of missteps, and them getting better oversight and removing the need to be profitable will likely be better for everyone in the long run.
With NPM now being an (indirect) part of Microsoft, I would expect them to introduce proprietary extension to the repository protocol (or something similar) in an attempt to lock the open source community into their hosting solution.
And no, you cannot cleanly separate between an ecosystem-defining tool and the company that controls how said tool will behave after the next automated update.
I hope you're spending lots of money at independent places then, because this is the inevitable result of the current "OSS infrastructure funded by VC charity" model. NPM was losing money, as was GitHub when Microsoft bought that. Under such conditions, getting bought out by a megacorp is the only path forward.
Thanks to Microsoft/GitHub for this acquisition. NPM is essential to the Javascript eco-system and it is hard to have a business model for just a registry. In the ruby eco-system the awesome Ruby Together https://rubytogether.org/ was started to run the registry. In this case one of the worlds most valuable companies will run it, which means it doesn't need a not-for-profit.
Regarding "trace a change from a GitHub pull request to the npm package version that fixed it" will there be an API to add a source in case the change was made outside of GitHub? Although I recognize that the vast majority of changes to npm packages happen on GitHub.
It's confusing. RubyCentral pays for hosting and "ops" (not sure how much 'ops' staff time, if any?), but I think not development? And RubyTogether hypothetically pays for development (some but not neccesarily all that's needed), which can include new features but also required maintenance (we all know software requires care and feeding, it's never "done")?
But I could have this not right?
It has been confusing for a variety of reasons.
And I think there are mixed reviews with how well it's going overall, especially the RubyTogether part.
That must make you nervous over at GitLab, no? GitLab's integrated workflow is one of its main selling points (I love it), and GitHub now seems to be well underway to cross that moat.
Reminds me of what happened with Cloud9 and VS Code. First, Cloud9 was awesome for allowing devs to code remotely. Then once VS Code became the best editor out there, they added remote host support (among other things) and now Cloud9 caters to a different audience entirely.
It is exciting to see that having everything in a single application is being validated by GitHub. Last year it was very clear they are switching from a marketplace model to a single application by including Verify (CI), Package, and Secure.
> It is exciting to see that having everything in a single application is being validated by GitHub
I wish Gitlab would get over this passive-aggressive negging of GitHub.
I would squirm seeing something like that among any two competing companies. But it takes a strange configuration of overcompensating an inferiority complex to use it for the specific case of one company starting out as an explicit clone of another, to then lord any small feature the original company may have followed over them.
This isn't the first time. I've seen it dozens of times, and I don't even specifically care about these two companies.
I don't think GP's comment was negging or passive-aggressive at all. The original GP said "That must make you nervous over at GitLab, no?" so it only seems rational to explain that they see this as validation and not as a risk.
Somehow, you took this explanation of why they aren't worried about this and turned it into a passive-aggressive stance..
It is important to understand that the "one single workflow" was very much what VSTS (Microsoft's GitHub competitor before they bought GitHub) was providing. It is very evident that Microsoft's enterprise background is shaping how GitHub is evolving.
GitHub is now very much focused on the end to end life cycle now that they have "GitHub One".
I'm surprised there's not a single mention of "Microsoft" in this or the npm announcement [1], given the old-evil-history of Microsoft and the new-nice Microsoft we have today.
I would expect that there was at least a mention, considering the reason that most modules in npm are still in ES5 is exactly because of the monopolistic practices that Microsoft followed back in the day which makes Internet Explorer still relevant.
Not negative, not positive comment. Just surprising there was no mention. And I do think Microsoft is doing a great job recently with Open Source in general.
I mean. It's a subsidiary. I understand your sentiment but mentioning Microsoft would be like signaling that GitHub doesn't have any autonomy which is quite the contrary to what Microsoft said when buying it. So don't expect sudden sincerity on this. There's a reason why they haven't added Microsoft branding to areas like the footer.
I installed Windows Subsystem for Linux 2 on an older machine just now. The MSFT of today is definitely a far cry from the MSFT of yesteryear. Such a thing would have been unheard of 15 years ago.
They can't. That's why I hate people using that chestnut in relation to Linux: It doesn't work for two reasons which stick out at me.
Reason one is because Linux is GPL'd, Microsoft can't extend Linux without giving its extensions back to the community.
Reason two is because Linux is already established in multiple realms, so Microsoft can't bully its way into dominance. Microsoft has a respectable presence in server rooms, but it isn't absolutely dominant by a long shot. Microsoft probably has something going on in the embedded/hobbyist SBC space, but there's no path for them to dominate there. And, FWIW, Linux owns the supercomputer world. I also can't see IBM falling over itself to put Windows on mainframes.
My prediction, that my IT department hates to hear, is that Windows is going away.
Microsoft doesn't want to be Microsoft anymore; it wants to be Oracle and IBM and primarily make money off of business consulting and the cloud.
I think Windows will eventually become a presentation and slowly-phased-out compatibility layer on top of Linux, similar to the way macOS became Unix, but even less different than its underlying OS.
However, it should be noted that I'm not very good at predicting things.
Very unlikely, as it would mess with backwards compatibility and cause unhappiness of users and IT departments. Microsoft still makes money selling Office and other products there.
Microsoft doesn't need to care about backwards compatibility anymore, now that Wine exists precisely to have compatibility with Windows software (including software that even modern Windows itself no longer wants to run).
Hasn't Wine been good enough for at least 10+ years? Furthermore, how does being backed by Valve actually be of any significant value? I've heard of this argument for a couple of years now and I'm still not convinced (not that I follow Wine development that closely).
> Hasn't Wine been good enough for at least 10+ years?
Depends on what you mean by "good enough". Wine is an incredible project that has achieved amazing successes, but it still falls short in a lot of ways.
I personally don't use Wine but I've encountered people online in the last 10+ years that use the argument that it's "good enough" for people to fully switch to Linux. Realistically, I don't think Wine actually convinced more than a handful of users to abandon Windows
> I think Windows will eventually become a presentation and slowly-phased-out compatibility layer on top of Linux.
I think this is unlikely. In many ways the NT kernel is superior to the Linux kernel. I just wish it were open source and didn't have the rest of windows around it.
Since when has technical superiority ever determined which product wins in the marketplace?
The Linux kernel is ubiquitous and free-as-in-beer, so it might win out. Android has already shown how you can build a proprietary userland on top of it.
If Windows goes away, personal computing basically dies with it. Everything will be locked-down walled-garden webshit, or community-built-jank FOSS desktops that really want to be like the locked-down walled-gaden webshit experience but will say it is for the user's own good.
Doesn't that require actually extending and extinguishing, though?
WSL1 was a proprietary reimplementation of the Linux system call ABI as an NT subsystem. WSL2 is actual Linux running in a VM. That seems to be moving in exactly the opposite direction.
Open Source copyright licenses exists exactly to make the extinguish part impossible. MS cannot put the genie back in the bottle when it puts out open source software.
Microsoft is aware of their reputation. So much that they even have a policy of not allowing Microsoft+Github co-brand promotions. They want the Github brand to stay strong instead of being diluted into some mix of Github and Microsoft.
Chapter 7 Bankruptcy where they get acquired by a newly-reformed Sun Microsystems (where no stock is owned by Oracle or Oracle shareholders).
EDIT: I'm mostly kidding, but you can't really expect true change of morals when the vast majority of the upper management is the same under the new CEO as under the old one.
As a former Sun employee I love this comment, but in all fairness Sun did have its own level of sleaze in the C suite (neither Eric Schmidt nor Scott McNealy would really do well as ethical leader exemplars)
That said, I'm thinking Moon Microsystems :-) Not as big or as hot as Sun. (ok that is a bad punalogy) I did get the domain though, it was available and I couldn't resist.
At the risk of sounding somewhat naive, I think people do have the capacity to grow over time. Perhaps part of the reason why Microsoft has seemingly turned over a new leaf in recent years is that upper management has learned from their past mistakes? I do see your point though, and I think it's stuck in the back of a lot of our minds.
It's not so much a grudge as a reaction, call it an immuno-type response. I shed my MS-OS Windows Desktop addiction over 20 years ago to become a desktop Linux user and I still see my co-workers struggling every day with many of the same issues I haven't had to cope with anymore since then.
Ever since I have been able to get the Microsoft out of my systems, I find myself naturally predisposed to keep it out. I am not against Microsoft, I really am a fan of a lot of the open and developer-focused things they are doing, certainly not least of which is their support for Kubernetes through Azure, but this does not make me more receptive to going back to living in a Microsoft OS-flavored ecosystem today, it just is not happening for me and it's nothing to do with holding a grudge or similar.
I use a Mac now because it was provided by work, if they offer me a trade for a Windows machine I would probably consider it because of the progress made by WSL2, but our group policy lags somewhat behind and certainly not on insider ring, so none of my coworkers have been able to try WSL2 on their work-provided Windows machines, or likely will for some time, and that makes me seriously think twice about it.
My natural inclination is that I would much rather install Linux as the host OS so I have control over things like when updates get applied, or whether a reboot needs to take place immediately, in spite of the struggle that sometimes comes with that, it is really much better to have the source and keep the capability to control your own hardware. And then only run Windows in a VM whenever it is really needed. (In other words, to be able to occasionally run Windows apps in a similar way as I do when I have to use them on a Mac.)
I just find it tragic that the only way GitHub could survive (I guess) was to be BOUGHT. Like why couldn't they stay smaller, focus on what they were good at, and standardize with the community all the integrations in an orderly manner?
Although, Microsoft has shown they care more about the developer community than Apple as of late. So for that, I can at least say my trust is rising. But it's a bit too late for me, I'm happily running Linux for most of my daily life.
To me it looks like water that isn't wet. PR (propaganda) and time will improve their reputation, but the "commodify your compliment" strategy, the intent to dominate markets through anticompetitive behavior... Those things aren't gone. Big tech companies (like most big business) don't prioritize public good over profit, so they really don't deserve anyone's trust apart from trusting them to seek profit.
I’ve been a developer for nearly 25 years. I’m not sure if there is anything MS could ever do to regain my trust. Unfortunately this seems to be the way of large tech companies. At one time I thought Google was the best thing ever (don’t be evil). Now I find that I view Google in much the same way as I do MS. A huge corrupt behemoth that needs to be broken up.
Nonsense. There is hardly a local government in Australia not hopelessly corrupted by local real estate interests. In many nations local corruption is endemic right down to every neighbourhood police station. Size isn't the question: money's corruption of power operates at all scales.
Size is absolutely the question. There is always corruption, but in small municipalities at least the scale of corruption is contained. In a sufficiently local area the corrupt has to brush shoulders with his unwilling benefactors and be shamed.
I definitely saw Microsoft-of-the-90s as corrupt and harmful, and I definitely see Google-of-today as corrupt and harmful. I am not wholly opposed to the idea that both are bigger than companies should be allowed to be.
But apart from the fact that they followed the unfortunate modern trend to add telemetry to things, I can't really say Microsoft has done anything particularly offensive to me in the past... nearly a decade?
Just because you've been a developer for 25 years doesn't mean you should evaluate a company based on 25 year old events.
If you want an action to be made legal, you legalize it. Don’t blame the enforcement of the law. It makes for great virtue signaling but is useless for bringing long-term change and it doesn’t help provide a stable environment for people illegally in the country.
The legislative process is not the only feedback system that is enshrined in the US constitution, else there would be no mention of public gatherings or protests. What you suggest is a false dichotomy.
ICE itself routinely breaks laws in trying to capture undocumented people. But to speak to your point directly, I would love to see immigration reform. Until then, I’ll absolutely keep speaking out against ICE. That’s not “virtue signaling”, it’s just advocating for a cause I care about.
Furthermore, basically everything Microsoft did that made developers hate them is legal. Why is it okay to hold a grudge for “embrace, extend, extinguish” but not for aiding and abetting an organization that consistently violates our civil liberties?
And that is all recent, on top of all the other stuff they won’t fix, like issues where file extensions magically reset to Windows defaults, nagging you to just please try Edge because its better for real this time, and the unavoidable mandatory Candy Crush - seriously, if you install with no internet connection, it will keep a placeholder there for you that will install as soon as you’re online.
The telemetry issues are annoying too, not because they exist but because you have to read a books worth of literature to understand what they chose to document. Seriously:
I would generally agree Windows looks more like traditional Microsoft than many other arms of their org.
And the Candy Crush thing... like, if it was just Home edition? Fine. If it was even smart enough to realize it need not preinstall that on a domain account (the installation of UWP apps is technically per-user), like, if they'd demonstrated any recognition that Windows is used in professional settings... I'm right there with you on this one.
However...
> like issues where file extensions magically reset to Windows defaults
https://devblogs.microsoft.com/oldnewthing/20190225-00/?p=10... is probably the best response to that. Given the number of Windows app developers who do unholy things with their apps, it's hardly a surprise. (My understanding is Windows has a huge number of secret compatibility shims just to keep major software vendors' bad hacks and API misuses working.)
> nagging you to just please try Edge
I literally can't escape "switch to Chrome" nags, as a Firefox user. Every Google site has at least one, Google's home page has displayed an amazing three Chrome popups at the same time before. I'd maybe give you this one if they weren't waging a war on it to a far more aggressive foe, and losing badly.
I’m a fulltime Firefox user personally, and I have not noticed a whole lot of nag. Does it not show up under Linux or something?
edit: So far I’ve tried switching my user agent, turning off adblock, using a private/logged out window, on docs and search. Not that I’m doubting you or anything, but I am surprised I’ve not noticed it much since switching back to Firefox.
It’s also probably worth disclosing that I work for Google, though at home I am using Firefox and Duckduckgo.
Your mileage may vary on any given month, as Google frontend code seems to come and go regularly and randomly, indeed varying by platform, OS, and lunar cycle.
Gates just finally stepped away from the chair. When that shit comes from the top, it gets baked into the culture and has a staying power beyond any tenure.
It would be interesting if they ended up with Brendan Burns (creator of k8s when he was at google) in charge of github at some point and made him like the OSS champion. He's running all the containers and linux stuff on Azure, so it seems like it would be a natural fit.
Recently I installed win10 pro and was appalled at the way I had you jump through hoops to NOT have a m$ account, not to mention the blatant adware. And this was win10 professional.
It certainly reminded me that m$ is a long long way away from where it was in the 90s and early naughties.
So, a good start would be a stable and private os without all the adware and telemetry.
PS: I use gitea instead of GitHub these days. Nor do I use vscode, but sublime text, for the same reasons: too much telemetry that cant be disabled permanently.
For most businesses, Microsoft still holds a monopoly position on desktop OSs. For a lot of smaller IT departments, this bleeds into back-end servers as well.
Microsoft has the Windows Subsystem for Linux, allowing Linux binaries to run on Windows. How about the reverse? Get WINE to the point where Linux (or FreeBSD or some fully source OS) can reliably run Windows binaries.
Along the same line, provide portable libraries to allow other office suites to reliably edit MS Office files (docx, pptx, etc). Maybe Adobe or someone will come up with a commercial competitor, instead of just LibreOffice.
Make Windows and MS Office a choice, rather than a tax businesses have to pay to be compatible with everyone else. That would go a long way to establishing trust.
Microsoft is arguably working on it: They offered up exFAT support to Linux, and it's been added to the kernel. SQL Server being supported on Linux is huge. Probably the absolute biggest selling point to Windows-based infrastructure remains Active Directory, and if you're cool with being cloud-based (I'm not, FWIW), they offer that through Azure now.
Windows is like three decades of legacy systems, but I would argue many of Microsoft's recent decisions have been at the cost of their Windows division.
A trustworthy Microsoft is one that has open sourced one or more of their core products. Anything less is just retaining their classic hostility towards outside engineers.
Three product companies (Enterprise, Consumer, and Media), an open source company (Research, Engineering, and Collaboration), and a foundation owning all of the patents and other licensed IP.
I would guess mentions of enterprise and businesses all over with a contact sales button.
Some old pages are enterprisey and didn't know they pushed a desktop app for so long lol.
I loved that they explained how the name github came to be in one of the older landing pages.
ah that makes sense. That's disappointing for sure but I assumed they meant something more specific to Microsoft. These profit oriented changes are pretty standard after the acquisition of any website. If anything they feel mild considering how much potential there is for Microsoft to really exploit the freemium experience for more sales.
On the other hand, GitHub had a reputation for offering a first class freemium experience and this does chip away at that a bit.
Yeah, I guess a few more changes to push you to select to receive promotional emails. Other than that, it's pretty alright.
I like that they don't have 30 day retention policy when you want to delete something (repos, account) which is what everyone else does to keep you on the site. Really hate that.
My fear might probably be unfounded, but NPM is an integral part of the JS ecosystem. And given MicroSoft has .NET Core, I have a strange feeling that they'll concentrate on npm less.
I think they view it as way to make Core more reliable. Core relies community developed - npm hosted - tools like gulp and webpack. Unlike the full Framework, Core doesn't have "built-in" or "endorsed" bundling solution.
Product Manager at GitHub here - I'll be the Product Manager for npm when the acquisition closes. I agree - npm is definitely an integral part of the JavaScript ecosystem. The npm package registry will remain free for public projects. We're going to work to ensure that the service is stable and accessible, and ready to serve the next million packages.
This is independent of what Microsoft's doing with .NET Core. I'm excited about the work that they're doing, but this isn't going to stop us from making sure that npm is outstanding.
I'm surprised there's not a single mention of "Microsoft" in this or the npm announcement [1], given the old-evil-history of Microsoft and the new-nice Microsoft we have today.
Maybe Microsoft's reputation is exactly the reason why it was left out of this announcement.
Sometimes a brand is so tarnished that the owner tries to hide it from the people who hate it. (For example, Comcast → Xfinity. I expect Monsanto to go the same way and become Bayer.)
The latter already happened[1]. Bayer offloaded most of it's ag business (to BASF) and replaced it with Monsanto. Monsanto has been rebranded "Bayer Crop Science". Although I'm guessing much for the same reason, Monsanto never rebranded any of the dozens of seed companies it acquired over the years (e.g. Dekalb, Seminis, Asgrow, etc.)
My first reaction was ... “so Microsoft”. I’m with you on the positive path Microsoft have been on with OSS but also recall the not-so-recent history. It’ll be interesting to see how this plays out.
Microsoft wants to host as much information as possible so it can collect data on developers and users. It is very hard to avoid giving data to Microsoft. GitHub, NPM, LinkedIn, Office 365, Teams, the lock-in is still alive.
A decentralized web or a non-for-profit like Wikipedia is a much better model for these infrastructure projects.
Git was designed to be decentralized from the start. Is there a way to revitalize that heritage?
Discoverability and pull requests are two big benefits that GitHub has offered. Could we create decentralized open source solutions to provide those benefits? Are there other benefits that we’d need to provide to have viable alternatives to centralization?
Supporting and using Git forges that support decentralized development, such as Pagure[0], would be a good way to do so.
Pagure supports submitting pull requests with Git repos on any server (regardless of whether it's running Pagure or not) with its remote pull requests feature. Issues, docs, and pull request metadata are all stored as git repos using JSON files as data, making it easy and portable to other Pagure instances and easy to convert for any other system.
As far as I know, Pagure is now the only Git forge software packaged in all major Linux distributions (Fedora+EPEL[1], openSUSE[2], Mageia[3], Debian[4], Ubuntu[5], Arch Linux AUR[6]).
It'd be nice to see people interested in this helping to build a future supporting portable, decentralized development.
Would be super strange if titles always referred to the top-most parent company. Every time Google does something the title should be referring to Alphabet? Please no.
The other way around, and in fact it already is that way -- we often say stuff like "Waymo, Google's self-driving car project", because we know who really runs the alphabet show.
This is great news for people forced to use Windows. JavaScript being a 1st class citizen on MS platforms is being even more cemented. It'd be great if Microsoft moved faster with Python integration into the MS ecosystem like SQL Server.
> considering the reason that most modules in npm are still in ES5 is exactly because of the monopolistic practices that Microsoft followed back in the day which makes Internet Explorer still relevant.
Interesting subtle implications that the NPM paying users are going to be moved to Github's distribution system, while maintaining the OSS version of NPM for everyone else.
Gotta respect how Microsoft couldn't build anything the open source community wanted to work with/on so instead they used their Windows and Office monopoly to buy everyone's favorite playgrounds.
They should & deserve to have full control over everything they've created.
You can blame AWS/GCP for letting GitHub & npm be acquired, how many years were they on the open market?
Most of the $$$ in OSS is being funneled towards rent-seeking major cloud providers that are hosting OSS software, whom should all have blank checks with the money they've reaped so far, but seems only Microsoft has the strategic savvy to focus on acquiring the obvious targets for increasing dev mindshare. I don't fault them for their M&A's, it's just good business.
It's also not like Amazon is being an amazing open source citizen; I don't see them acquiring the tech to be an automatically-better outcome than the current version of Microsoft doing so.
IMO this shows the importance of separating technology from platform. Ideally we would have non-profit groups with good governance & corporate support (rather than control) to grow these technologies. If an open source project can be acquired, it's only so free.
Indeed, these two projects alone have turned around my long-held opinion on Microsoft, to "cautiously optimistic".
TypeScript and VS Code have been an invaluable contribution to the community. I'm a daily user of both and so thankful for the talent, ingenuity and effort that have gone into them.
How Microsoft have managed the acquisition of GitHub, giving them autonomy and infrastructure support - so far, it's been all around positive.
Now with NPM under their wings, the centralization does worry me somewhat. I hope there are conscientious decision-makers who will guide the project for the good of community and ecosystem.
Sometimes I wonder what the business world (and the internet) would be like if mergers and acquisitions weren't allowed. Like, if businesses had to be sustainable or they'd just die, rather than capturing a whole market while eating VC money, maybe we'd all be better off? All of the really embarrassing stuff coming out of SV would just go away? Just Pinboards and Sourcehuts and Mastodons ruling the web?
I'm capitalistically illiterate, so somebody please tell me why this thought is stupid.
What would happen to all the tech, equipment, and employees after the company goes out of business? We have to burn it?
If we did that, it would be a crazy waste of resources. The alternative is to let another company buy the stuff... and if a company buys the failed company's tech, equipment, and hires their staff... that is basically the same as buying the company.
I mean, what would normally happen is employees look for new jobs, equipment is sold, and tech is thrown away (or open sourced in rare cases). Doesn't this already happen all the time?
Microsoft does have a much better track record in terms of keeping their products alive than other Way Way Large companies that could have made this acquisition, and for that I'm pretty glad.
That said, and just in case their notoriously warlike legal team manages to fumble this somehow, I'd like to take the opportunity to remind every other frontender that Verdaccio (https://verdaccio.org/) exists, is easy to implement, and relatively low maintenance.
587 comments
[ 3.3 ms ] story [ 420 ms ] thread"Joining" is an interesting term here... but I suppose it won because it sounds more like something friendly humans would do. "NPM Is Breaking Bread and Sharing with Github as Special Friends."
Meanwhile, I almost have my team switched to yarn.
Switching to berry has been a huge PITA over here, but I don't want to give up workspaces
I check yarn about every three months, or when I find a new, infuriating bug with the npm CLI (so, every couple of months on average). I think npm install suffers greatly from not having a formal spec. It has been bugfixed by so many different individuals now that it has reached a truly astounding level of schizophrenia.
If yarn didn't exist, I would have started trying to break down the install problem into many independent concerns that can be reasoned about individually and tried to solicit help in making a full installer out of it. If I'd known I'd still be trying to make yarn workspaces work for us 18 months later I probably would have.
Node modules in general have some bad patterns of delegation that are utterly antagonistic to self-documentation, and both yarn and npm seem to suffer from this as well. I think in the next week or so I'm going to have to set up a small test case that exhibits the yarn bug I'm seeing, or any of the half a dozen interlocking (emphasis on 'lock') npm bugs that now have me painted into a very tiny corner.
npm v7 features a ground-up rewrite of the tree resolution and deification logic in the @npmcli/arborist module. I recommend checking it out, or at least staying tuned for the beta coming soon.
I had still been following 1.x
Looking at https://yarnpkg.com/advanced/migration : T-T
We have so many little modules from different teams, or even borderline abandonware, that it would take ages to make these changes, and 'yarn node'?? Just... no. How is that ever gonna work consistently with node_modules/.bin?
At this point my choices are, start contributing to yarn and npm development, or get my ass in gear on learning Elixir and Rust. I have been wondering for maybe 18 months if I might be 'done with Node'. I think I've had it backward this whole time. Node may in fact be done with me.
I have been wondering the same thing. I left node for 8 months and I come back to see a lot of things have been abandoned in favor of yet another wheel implemented a bit differently. I wish changes were more visible and subtle. Rewriting seems like a plaque to js ecosystem except no one rewrites some really old unmaintained dependency we have hidden in every new shiny project.
I'd wager most people who use yarn even installed it via the npm CLI.
Didn't GitHub set up their own npm registry recently? Shots have been fired in this regard. Which, now that I type that out, makes me kinda wonder how amicable this purchase was...
It'd be such a shame if something bad were to happen to your lovely repository...
I don't fully understand the way it's governed from this article.
> Later this year, we will enable npm’s paying customers to move their private npm packages to GitHub Packages—allowing npm to exclusively focus on being a great public registry for JavaScript.
Packages will continue to develop its npm registry. We have a lot of work to do in securing the software supply chain.
It'd be wonderful, as a package consumer, to have visibility into some security metrics for a given package. This would be useful both at initial install time, and when the package is upgraded. Something like:
1) who are the latest commits GPG signed by?
2) is the package publisher using 2FA?
3) what is the security profile of all dependent packages?
4) are there any new authors (directly or via dependencies) since the last version (with links to the author and their contributions).
These might help avoid prior situations where popular packages get injected with malware by new maintainers.
Somewhat related, I believe NPM pulled in (or co-opted) some of the heuristics from this: https://github.com/npms-io/npms-analyzer (but those don't seem to include any of the aspects I suggested above).
How separate from MS has GitHub been in day-to-day operations?
This is as good as Google acquiring Youtube because Youtube needs an insane amount bandwidth and it was a perfect fit for Google's infrastructure and ad platform.
It's just sad to see Google not playing the Developers game well.
And Microsoft doesn't even have to maintain the main runtime, Google does. What a clever strategy!
Someone at MS knows strategic and tactics. When MS and Windows bootstrap themselves into the cloud, they will have some software to land on.
They lost a decade of battles for the web, but it seems they just found a way to get back in the fight.
Now at the IE 6 times, that meant monopoly, and it was terrible news.
But today, it means more competition between the giants, which is very good for us.
It has been argued with various success [1] that Chrome is the new I.E., due to "Chrome exclusive" web standards.
[0]: https://html5test.com/compare/browser/safari-11.2/chrome-30/...
[1]: https://news.ycombinator.com/item?id=16070595
Here is the correct comparison: https://html5test.com/compare/browser/safari-11.2/chrome-68/...
Which clearly shows its the worst of the bunch.
Edit: Also just noticed, the latest Chrome version that the site has is 68. We're currently on 80+
It's a weird world where webdevs apparently ideally just want everyone on the 6 second old version version of Chrome. I totally get it -- it's an absolutely rational stance but it feels a lot like how devs felt about IE6 at the beginning.
Plus because it's tied to the OS and the phone determines the maximum OS you end up with a bunch of users stuck on ancient and buggy versions.
This is to say nothing about the remote debugger purposefully locking you out of older versions for no reason to make debugging them harder.
A webview in iOS could sometimes crash system wide. Not enough to restart the app. You'd have to restart the device.
Felt like a sitcom when I had to ask customers if they'd tried turning it off and on again.
It's not even required or the default install on any OS. And it has rapid updates that constantly test new features and improve performance and security.
Any "exclusive" features are just early testing for later standardization. It's Safari that's lagging in implementing them.
The problem is that it was left to stagnate after Microsoft won.
The way people think Microsoft's embrace of open source, GitHub, and now NPM is genuine is completely ridiculous. Microsoft had to change because much of where the action was is on *nix systems. Microsoft will start to use these companies to make developers embrace Microsoft services. It's only a matter of time.
Banning python from Github? Requiring \r\n for NPM packages? What's the move you're afraid of?
I still think this is good news, given where npm is coming from, but it's certainly not risk-free.
Until we come up with better trusted federation protocols there will be natural monopolies, but that doesn't mean they get unchecked power. We have laws for that.
But, you know, we've had decades of companies whose 'business model' is just their exit strategy...
npm i some-package username/repo#branchName
JavaScript is an interpreted language -- as long as you're only downloading source code from the registry there's really no reason to use a registry instead of the plain old Git repository.
With NPM acquired by GitHub, I can imagine them "filling in some steps" by leveraging the fairly new Actions feature, so that repos can provide built artifacts, the same ones as published on NPM. The deeper integration will be an interesting development to watch.
And we're yet to hear of any negative impact of their Github acquisition (afaik - correct me if wrong).
0: https://news.ycombinator.com/item?id=21412600
What you are talking about is Right-wing politics, even if they are extremely far to the left of your -and the majority of peoples political view -in the USA. Both parties in the US are on the right. This isn't Reddit where the state of US politics is the default norm when it differs from most of planet earth. Though HN is quickly getting there.
ICE are the goons operating everywhere (i. e. not tied to the border) rounding up "suspected illegal immigrants".
Because it isn't exactly hard to find illegal immigrants, and their charter allows them to control people without objective cause, ICE gets to arbitrarily decide whom to harass.
It's the real-life version of the perennial fear of civil libertarians that too many criminal laws will just lead to any one of us being arrested whenever it happens to be convenient for whoever is currently in power.
It isn't going to end illegal immigration, nor curtail it to any significant degree. It just serves to keep a large segment of the people who see every day in a constant state of fear, unable to (for example) seek protection from crime or exploitation for fear of being deported.
As for the rest of your comment, this is the far-left extremist position that I cited in my first post. There's no good faith discussion to be had here.
No, it's the enforcement arm for immigration and customs, the former of which is people who are living in the US despite not being US citizens. Enforcement of people (and goods) crossing the border is the Border Patrol and it's parent organization Customs and Border Protection.
There's not much controversy over the people who cross illegally but stay temporarily and close to the border. Those are just traffickers and cartels.
https://www.aclu.org/issues/immigrants-rights/ice-and-border...
Also detainment centers are not cages but fenced areas with free movement inside where people receive food, shelter, healthcare, entertainment, schooling and legal services paid for by US taxpayers while their cases are processed. Detainees are free to deport themselves at any time. This is more accommodating than pretty much every other developed nation.
https://www.newyorker.com/news/q-and-a/inside-a-texas-buildi...
These are well-documented facts that have been widely reported on in the mass media. You can find links to specific articles on my blog in the recent article about Microsoft and GitHub, if you wish to learn specifics.
The kids are in there right now, as I write to you.
Whether or not Microsoft's provisioning of services to the government is "legal" or not is not particularly relevant to the thread, but it is interesting that you bring it up, presumably as a defense of their behavior.
Again: This is not a partisan thing. At all. Your attempt to reduce it to such is inaccurate (and, tbqf, off-topic for the thread about Microsoft-the-corporation, as well as off-topic for HN).
https://galaxypress.com/inspired-philip-k-dick/
I'm a naturalized immigrant. I've been in far worse places than America. I suggest you visit CBP and ICE. Talk to the agents. Visit the border. See the shelters. View the damage done by criminals who prey on these people and find out how much the agents do to help them while risking their lives fighting cartels and traffickers.
Like I said, America is far softer with borders than other nations. Crossing illegally brings enforcement and penalties. I'm not sure why this is so controversial, or why protest against govt organizations is done by proxy of software companies.
The fact that it is open source and popular is not sufficient on its own. It had to be forked (vscodium) to show basic respect for the user’s privacy and system resources.
So it "furthers my intended point".
It’s builds released by Microsoft that have all of their specific stuff added in.
> This is not a fork. This is a repository of scripts to automatically build Microsoft's `vscode` repository into freely-licensed binaries with a community-driven default configuration.
This is such an extreme & pretentious viewpoint. Microsoft knowing that I have VS Code installed & getting a report when it crashes is not in mine, or really any normal developer's threat landscape.
Those are great until they're not. It's why it's called "bait and switch".
> And we're yet to hear of any negative impact of their Github acquisition (afaik - correct me if wrong).
ANY?! Heh, do a quick search just on HN and you'll find it pretty quickly.
https://news.ycombinator.com/item?id=17221640
https://news.ycombinator.com/item?id=17221656
> I'm legitimately curious as my use of GitHub hasn't led me to notice any change
Nor I. That's not that point.
For the record, I think Microsoft has done wonderfully for the dev community in the last 10 years. I don't see any reason that they are going to "f it up", but big businesses get desperate when environments change and profits get impacted (look no further than what Oracle is doing). Microsoft is not immune to that.
Next you'll call them Micro$oft. Come on now.
If it does micro$oft will just buy the world out from under them.
I understand the concern about MS business practices, but I don't think it applies to environment where transactions (as in, importing someone's package or submitting a pull request to it) don't involve any contracts or money.
Assume the best all you like. Microsoft are spying on you and can lock you out of their ecosystem for any reason. When that ecosystem includes critical public infrastructure, there is a problem.
The only "sane" response to this is to smile at the MS employees who tell you how much they love Open Source and to use absolutely any other platform.
For some examples: RMS being a douchebag has nothing to do with the usefulness of gdb, nor can that circumstance affect the utility in any imaginable scenario.
Microsoft setting censorship policies (aka ToS) on a website they own and control directly affects the utility of npm/yarn/clients. Their website, their rules.
https://sneak.berlin/20200307/the-case-against-microsoft-and...
VS Code has had to fork to remove the unethical spyware portions within it placed there by Microsoft:
https://github.com/VSCodium/vscodium
I realize this is just pure anecdata and not a legitimately researched observation, but I don't know a single dev in real life who either switched away from Github or VSCode due to those concerns, despite having a wide variety of dev friends from all kinds of backgrounds, including big tech devs, non-tech company devs, fully remote devs, self-taught devs, small startup devs, outside of the US devs, freelancer devs, etc.
"When we [Microsoft] build Visual Studio Code, we do exactly this. We clone the vscode repository, we lay down a customized product.json that has Microsoft specific functionality (telemetry, gallery, logo, etc.), and then produce a build that we release under our license."
"When you clone and build from the vscode repo, none of these endpoints are configured in the default product.json. Therefore, you generate a "clean" build, without the Microsoft customizations, which is by default licensed under the MIT license"
When a certain build configuration enables major spyware features, and that is the build configuration for the released version by the first party, and another build configuration (that is not released by the first party) disables those major spyware features, the distinction between a fork/patch and a "different build configuration" becomes semantically meaningless.
It's a fork, regardless of how they care to present it. The result of the build configuration is embedded in the release. Consider it a "binary fork" if you don't like considering json "source code".
The acquisition can be a good outcome for the current situation without it being the ideal state of things.
Would yo prefer npm infrastructure to be maintained and developed by the lowest-paid programmers they could hire?
Linux repos take the alternative approach to try to get as many mirrors as possible so it can remain free.
Microsoft did not buy npm to help it become free. Believe. They bought it because they rekon they can make buck out of it.
That buck comes from somewhere.
Nodejs going to the Linux foundation was good news.
Microsoft buying Npm is bad news.
Ruby Gems, PHP composer, PIP, etc. would all like a word with you....
https://rubygems.org/pages/sponsors
https://www.python.org/psf/
I don’t know, so I have to ask, what’s the metric here?
As at Oct. 2018, the top 12 npm packages [1] were already doing more than 0.5 billion downloads a month. Granted, popularity has waned for a few of those top packages due to deprecation or new language features, for instance.
EDIT:
NPM’s announcement about the acquisition [2] provides up-to-date numbers:
“Today, npm serves over 1.3 million packages to roughly 12 million developers, who download these things 75 billion times a month ...”
1: https://news.ycombinator.com/item?id=18343604
2: http://blog.npmjs.org/post/612764866888007680/next-phase-mon...
The fact that there's a bunch of critical infra run on a precarious volunteer shoestring is not a good thing.
It probably isn't going to 20x VC money, but it sounds like it would be profitable to run as a business.
"2fa" sounds bad. That is clearly marketing bs for linking your npm account to a MS account with more personal info attached.
Ease of publishing will be the first thing to go.
Then the fun will disappear with MS as owner, like when Oracle bought Java.
Happy to be a rustacean.
And they will ask you, under the guise of 2fa, to confirm thier suspicions.
And $7 a month gets plently of new upgrade options offered.
All talk of mirrors gets brushed under the carpet.
Microsoft pwn all nodejs code except core and those savvy enough to spot this coming and distribute via debian repos.
I'm not sure that's an improvement in any way whatsoever.
what does that mean? That Microsoft works for the NSA or something?
MS? Not even a chance. What percent do you think of their business is actually government, beyond buying licenses just like nearly every other corporation on the planet.
Why I think this: private or volunteer models are unsustainable in the long run owing to funding uncertainties or conflicts of interest between stakeholders. Utilities that support the bulk of our technical infrastructure should be secured by public interests. Governments can keep things free.
Common objections:
- "Governments are inefficient". Depends on the area. The government tends to be inefficient in handling areas with direct consumer benefit, but less so in dealing with consortiums or private entities. Since private entities are the primary mainstream users of packages, I don't think government will be too slow on this front.
- "Governments will be malicious". This I don't doubt, but the solution for that is building better trust mechanisms rather than keeping a practical solution at bay, and for software at least such trust mechanisms are tenable e.g. see the CNCF's Falcon project.
That would work for Npm. Npm has enough problems that its worth running your own mirror for business continuity.
Microsoft are likely to make breaking changes immediatly.
And risk-averse businesses do already.
Microsoft and their allies make the world a lot worse for a lot of people. They’re the number one distributor of spyware in the world!
That's generally not a good place to be.
'small business' is only the equilibrium in sectors that can't increase aggregate output by growing or capital investment like say, the restaurant industry.
Why does NPM need to be funded as a commercial entity at all? What other open source library has a private company running its package manager? This one still boggles my mind.
Some libraries aren't hosted on Maven Central actually, so it's not uncommon to see instructions for adding extra resolvers to your build config.
The Java ecosystem isn't as dependent on Maven Central as the JavaScript ecosystem is on npmjs.com
If MC goes away as it exists today, the Java Ecosystem will take a huge hit as almost every open source project would stop building in CICD environments from the get-go.
Note that the crates.io index is just a single git repo that holds JSON metadata about each crate: https://github.com/rust-lang/crates.io-index . The actual code found on crates.io is hosted on S3. The index is an important part of the system, but there's nothing tying it to Github specifically.
Not sure how APT works in the linux community can really work for anyone else, but definitely worth a shot for sure.
Not many non-commercial entities can afford that.
[1] https://twitter.com/dstufft/status/1236331765846990848
- Microsoft is a leading sponsor of open source?
- In fact, .NET is open source now and runs on Linux?
- Microsoft bought Github, then NPM... and the community is celebrating both of those things??
- The guy from the apprentice is what?
I don't think you could honestly say the community celebrated both of those things.
Whelp, time to look for backup solutions for when Microsoft continues their strategy.
Even today there’s an article about github flagging (re shadow banning) a user with 10k+ lib users, and no response from them as to why the ban occurred.
Thinking of adding an “in case of emergency” link in my README for users in case of sudden service loss.
I do agree with the concerns of open source consolidation though. We need to find better ways of supporting open source projects instead of having them being bought by "large company".
Anyone can already run their own, or install from remote git urls (not just github) as well. If the new organization undermines the community, the community can easily move.
NPM the company has had a significant number of missteps, and them getting better oversight and removing the need to be profitable will likely be better for everyone in the long run.
And no, you cannot cleanly separate between an ecosystem-defining tool and the company that controls how said tool will behave after the next automated update.
Regarding "trace a change from a GitHub pull request to the npm package version that fixed it" will there be an API to add a source in case the change was made outside of GitHub? Although I recognize that the vast majority of changes to npm packages happen on GitHub.
But I could have this not right?
It has been confusing for a variety of reasons.
And I think there are mixed reviews with how well it's going overall, especially the RubyTogether part.
We think Git(Lab|Hub) will become the two most popular solutions and we look forward to this competition https://about.gitlab.com/handbook/leadership/biggest-risks/#...
I think the companies that should be nervous are ones that have only one stage or ones that have multiple stages but as a suite of applications instead of a single application https://about.gitlab.com/handbook/product/single-application... There are a lot of these https://about.gitlab.com/devops-tools/
I wish Gitlab would get over this passive-aggressive negging of GitHub.
I would squirm seeing something like that among any two competing companies. But it takes a strange configuration of overcompensating an inferiority complex to use it for the specific case of one company starting out as an explicit clone of another, to then lord any small feature the original company may have followed over them.
This isn't the first time. I've seen it dozens of times, and I don't even specifically care about these two companies.
Somehow, you took this explanation of why they aren't worried about this and turned it into a passive-aggressive stance..
GitHub is now very much focused on the end to end life cycle now that they have "GitHub One".
I would expect that there was at least a mention, considering the reason that most modules in npm are still in ES5 is exactly because of the monopolistic practices that Microsoft followed back in the day which makes Internet Explorer still relevant.
Not negative, not positive comment. Just surprising there was no mention. And I do think Microsoft is doing a great job recently with Open Source in general.
[1] https://blog.npmjs.org/post/612764866888007680/next-phase-mo...
Reason one is because Linux is GPL'd, Microsoft can't extend Linux without giving its extensions back to the community.
Reason two is because Linux is already established in multiple realms, so Microsoft can't bully its way into dominance. Microsoft has a respectable presence in server rooms, but it isn't absolutely dominant by a long shot. Microsoft probably has something going on in the embedded/hobbyist SBC space, but there's no path for them to dominate there. And, FWIW, Linux owns the supercomputer world. I also can't see IBM falling over itself to put Windows on mainframes.
Microsoft doesn't want to be Microsoft anymore; it wants to be Oracle and IBM and primarily make money off of business consulting and the cloud.
I think Windows will eventually become a presentation and slowly-phased-out compatibility layer on top of Linux, similar to the way macOS became Unix, but even less different than its underlying OS.
However, it should be noted that I'm not very good at predicting things.
Wine is 26 years old.
Depends on what you mean by "good enough". Wine is an incredible project that has achieved amazing successes, but it still falls short in a lot of ways.
I personally don't use Wine but I've encountered people online in the last 10+ years that use the argument that it's "good enough" for people to fully switch to Linux. Realistically, I don't think Wine actually convinced more than a handful of users to abandon Windows
I think this is unlikely. In many ways the NT kernel is superior to the Linux kernel. I just wish it were open source and didn't have the rest of windows around it.
The Linux kernel is ubiquitous and free-as-in-beer, so it might win out. Android has already shown how you can build a proprietary userland on top of it.
Good point.
WSL1 was a proprietary reimplementation of the Linux system call ABI as an NT subsystem. WSL2 is actual Linux running in a VM. That seems to be moving in exactly the opposite direction.
https://docs.microsoft.com/en-us/windows/wsl/wsl2-install
EDIT: I'm mostly kidding, but you can't really expect true change of morals when the vast majority of the upper management is the same under the new CEO as under the old one.
That said, I'm thinking Moon Microsystems :-) Not as big or as hot as Sun. (ok that is a bad punalogy) I did get the domain though, it was available and I couldn't resist.
But can you make a cool logo out of "Moon"?
No, but with minor butchery you can re-use the Sun logo with the letters MMS (Moon Micro Systems) :-)
There's something hilariously farcical about holding a grudge toward Microsoft for a quarter of a century.
Ever since I have been able to get the Microsoft out of my systems, I find myself naturally predisposed to keep it out. I am not against Microsoft, I really am a fan of a lot of the open and developer-focused things they are doing, certainly not least of which is their support for Kubernetes through Azure, but this does not make me more receptive to going back to living in a Microsoft OS-flavored ecosystem today, it just is not happening for me and it's nothing to do with holding a grudge or similar.
I use a Mac now because it was provided by work, if they offer me a trade for a Windows machine I would probably consider it because of the progress made by WSL2, but our group policy lags somewhat behind and certainly not on insider ring, so none of my coworkers have been able to try WSL2 on their work-provided Windows machines, or likely will for some time, and that makes me seriously think twice about it.
My natural inclination is that I would much rather install Linux as the host OS so I have control over things like when updates get applied, or whether a reboot needs to take place immediately, in spite of the struggle that sometimes comes with that, it is really much better to have the source and keep the capability to control your own hardware. And then only run Windows in a VM whenever it is really needed. (In other words, to be able to occasionally run Windows apps in a similar way as I do when I have to use them on a Mac.)
Sun’s hardware was expensive although their software was nice. Their handling of Java put me off them and led to this current state with Oracle.
They had many positives, but I’d rather have old Microsoft than old Sun if I had to pick only one to eat everything. Definitely prefer new Microsoft.
I just find it tragic that the only way GitHub could survive (I guess) was to be BOUGHT. Like why couldn't they stay smaller, focus on what they were good at, and standardize with the community all the integrations in an orderly manner?
Although, Microsoft has shown they care more about the developer community than Apple as of late. So for that, I can at least say my trust is rising. But it's a bit too late for me, I'm happily running Linux for most of my daily life.
But apart from the fact that they followed the unfortunate modern trend to add telemetry to things, I can't really say Microsoft has done anything particularly offensive to me in the past... nearly a decade?
Just because you've been a developer for 25 years doesn't mean you should evaluate a company based on 25 year old events.
Furthermore, basically everything Microsoft did that made developers hate them is legal. Why is it okay to hold a grudge for “embrace, extend, extinguish” but not for aiding and abetting an organization that consistently violates our civil liberties?
https://hothardware.com/news/microsoft-changes-offline-accou...
https://www.howtogeek.com/519572/microsoft-is-testing-ads-in...
And that is all recent, on top of all the other stuff they won’t fix, like issues where file extensions magically reset to Windows defaults, nagging you to just please try Edge because its better for real this time, and the unavoidable mandatory Candy Crush - seriously, if you install with no internet connection, it will keep a placeholder there for you that will install as soon as you’re online.
The telemetry issues are annoying too, not because they exist but because you have to read a books worth of literature to understand what they chose to document. Seriously:
https://docs.microsoft.com/en-us/windows/privacy/configure-w...
Windows 10, I wanted to like it but I can hardly tolerate it. Has Microsoft changed? Maybe, but apparently the Windows team didn’t get the memo.
And the Candy Crush thing... like, if it was just Home edition? Fine. If it was even smart enough to realize it need not preinstall that on a domain account (the installation of UWP apps is technically per-user), like, if they'd demonstrated any recognition that Windows is used in professional settings... I'm right there with you on this one.
However...
> like issues where file extensions magically reset to Windows defaults
https://devblogs.microsoft.com/oldnewthing/20190225-00/?p=10... is probably the best response to that. Given the number of Windows app developers who do unholy things with their apps, it's hardly a surprise. (My understanding is Windows has a huge number of secret compatibility shims just to keep major software vendors' bad hacks and API misuses working.)
> nagging you to just please try Edge
I literally can't escape "switch to Chrome" nags, as a Firefox user. Every Google site has at least one, Google's home page has displayed an amazing three Chrome popups at the same time before. I'd maybe give you this one if they weren't waging a war on it to a far more aggressive foe, and losing badly.
edit: So far I’ve tried switching my user agent, turning off adblock, using a private/logged out window, on docs and search. Not that I’m doubting you or anything, but I am surprised I’ve not noticed it much since switching back to Firefox.
It’s also probably worth disclosing that I work for Google, though at home I am using Firefox and Duckduckgo.
Your mileage may vary on any given month, as Google frontend code seems to come and go regularly and randomly, indeed varying by platform, OS, and lunar cycle.
They're made up of many small and hardly interconnected parts.
Whoever made some despicable decisions 25 years ago, almost certainly don't work there anymore.
An oxymoron?
Recently I installed win10 pro and was appalled at the way I had you jump through hoops to NOT have a m$ account, not to mention the blatant adware. And this was win10 professional.
It certainly reminded me that m$ is a long long way away from where it was in the 90s and early naughties.
So, a good start would be a stable and private os without all the adware and telemetry.
PS: I use gitea instead of GitHub these days. Nor do I use vscode, but sublime text, for the same reasons: too much telemetry that cant be disabled permanently.
Microsoft has the Windows Subsystem for Linux, allowing Linux binaries to run on Windows. How about the reverse? Get WINE to the point where Linux (or FreeBSD or some fully source OS) can reliably run Windows binaries.
Along the same line, provide portable libraries to allow other office suites to reliably edit MS Office files (docx, pptx, etc). Maybe Adobe or someone will come up with a commercial competitor, instead of just LibreOffice.
Make Windows and MS Office a choice, rather than a tax businesses have to pay to be compatible with everyone else. That would go a long way to establishing trust.
Windows is like three decades of legacy systems, but I would argue many of Microsoft's recent decisions have been at the cost of their Windows division.
Just like a cancer! Oh wait...
I loved that they explained how the name github came to be in one of the older landing pages.
2020 - https://github.com
2019 - http://web.archive.org/web/20190317031034/https://github.com...
2018 - http://web.archive.org/web/20180317031034/https://github.com...
2017 - http://web.archive.org/web/20170317031034/https://github.com...
2016 - http://web.archive.org/web/20160317164519/https://github.com...
2015 - http://web.archive.org/web/20150317031034/https://github.com...
2012 - http://web.archive.org/web/20120317031034/https://github.com...
2008 - http://web.archive.org/web/20081211021557/http://github.com/
On the other hand, GitHub had a reputation for offering a first class freemium experience and this does chip away at that a bit.
I like that they don't have 30 day retention policy when you want to delete something (repos, account) which is what everyone else does to keep you on the site. Really hate that.
This is independent of what Microsoft's doing with .NET Core. I'm excited about the work that they're doing, but this isn't going to stop us from making sure that npm is outstanding.
Sounds like it won't be shielded from the cult-like MS mentality, then.
Maybe Microsoft's reputation is exactly the reason why it was left out of this announcement.
Sometimes a brand is so tarnished that the owner tries to hide it from the people who hate it. (For example, Comcast → Xfinity. I expect Monsanto to go the same way and become Bayer.)
The same also goes for Charter → Spectrum.
[1] https://en.wikipedia.org/wiki/Monsanto#Sale_to_Bayer
When the company that commercialized heroin and was complicit in the holocaust is a better brand you really got a PR problem.
A decentralized web or a non-for-profit like Wikipedia is a much better model for these infrastructure projects.
Discoverability and pull requests are two big benefits that GitHub has offered. Could we create decentralized open source solutions to provide those benefits? Are there other benefits that we’d need to provide to have viable alternatives to centralization?
Pagure supports submitting pull requests with Git repos on any server (regardless of whether it's running Pagure or not) with its remote pull requests feature. Issues, docs, and pull request metadata are all stored as git repos using JSON files as data, making it easy and portable to other Pagure instances and easy to convert for any other system.
As far as I know, Pagure is now the only Git forge software packaged in all major Linux distributions (Fedora+EPEL[1], openSUSE[2], Mageia[3], Debian[4], Ubuntu[5], Arch Linux AUR[6]).
It'd be nice to see people interested in this helping to build a future supporting portable, decentralized development.
[0]: https://pagure.io/pagure
[1]: https://src.fedoraproject.org/rpms/pagure
[2]: https://build.opensuse.org/package/show/openSUSE:Factory/pag...
[3]: http://madb.mageia.org/package/show/name/pagure/release/caul...
[4]: https://packages.debian.org/sid/pagure
[5]: https://packages.ubuntu.com/focal/pagure
[6]: https://aur.archlinux.org/packages/pagure/
Could you tell me more about that?
Why would there be a mention of Microsoft? That many modules in npm are ES5 is completely irrelevant for npm's purpose.
And Microsoft changed, how exactly?
And why are you advertising for them?
https://news.microsoft.com/2018/06/04/microsoft-to-acquire-g...
I just finished reading this related HN post "How GitHub blocked me (and all my libraries)" https://news.ycombinator.com/item?id=22593595
I'll be switching from Github to other providers for my own projects, and use a different editor soon (using vscode now).
You can blame AWS/GCP for letting GitHub & npm be acquired, how many years were they on the open market?
Most of the $$$ in OSS is being funneled towards rent-seeking major cloud providers that are hosting OSS software, whom should all have blank checks with the money they've reaped so far, but seems only Microsoft has the strategic savvy to focus on acquiring the obvious targets for increasing dev mindshare. I don't fault them for their M&A's, it's just good business.
IMO this shows the importance of separating technology from platform. Ideally we would have non-profit groups with good governance & corporate support (rather than control) to grow these technologies. If an open source project can be acquired, it's only so free.
TypeScript and VS Code have been an invaluable contribution to the community. I'm a daily user of both and so thankful for the talent, ingenuity and effort that have gone into them.
How Microsoft have managed the acquisition of GitHub, giving them autonomy and infrastructure support - so far, it's been all around positive.
Now with NPM under their wings, the centralization does worry me somewhat. I hope there are conscientious decision-makers who will guide the project for the good of community and ecosystem.
Sometimes I wonder what the business world (and the internet) would be like if mergers and acquisitions weren't allowed. Like, if businesses had to be sustainable or they'd just die, rather than capturing a whole market while eating VC money, maybe we'd all be better off? All of the really embarrassing stuff coming out of SV would just go away? Just Pinboards and Sourcehuts and Mastodons ruling the web?
I'm capitalistically illiterate, so somebody please tell me why this thought is stupid.
If we did that, it would be a crazy waste of resources. The alternative is to let another company buy the stuff... and if a company buys the failed company's tech, equipment, and hires their staff... that is basically the same as buying the company.
Why is there a for-profit corporation behind every open source project these days?
That said, and just in case their notoriously warlike legal team manages to fumble this somehow, I'd like to take the opportunity to remind every other frontender that Verdaccio (https://verdaccio.org/) exists, is easy to implement, and relatively low maintenance.