Microsoft doesn’t do everything right but the GitHub acquisition has honestly gone better than I ever expected. Rather than forcing GitHub to adopt Microsoft-centric policies, Microsoft has adopted more GitHub stuff, especially from a product POV. GitHub still runs as a separate company (different logins and health care and hiring systems) with its own policies and point of view.
The reality is npm was in a bad place and in a land of not good options, this strikes me as the best possibility. I’d rather have GitHub control this and be able to give the resources to npm than a company like Oracle or Amazon or even Google or Facebook to own it. In a perfect world, some independent entity could fund npm out of gratitude but at the same time, consider how poorly npm as a company was run for YEARS and the general lack of direction.
So yeah, I’m cautiously optimistic this won’t be fucked up by GitHub — but I understand the concern.
As for those worried about Microsoft embracing, extending, and extinguishing. Lol. Even if that was the goal (and I truly don’t think that’s the ethos at all any more), Microsoft is laughably incompetent at achieving that sort of strategy. Google and Amazon have the EEE under lock right now (Facebook too — let’s be glad Zuck didn’t buy this after we saw what happened to yarn), but Microsoft can’t even put together a coherent dev strategy outside of .NET on Azure.
> Microsoft doesn’t do everything right but the GitHub acquisition has honestly gone better than I ever expected. Rather than forcing GitHub to adopt Microsoft-centric policies, Microsoft has adopted more GitHub stuff, especially from a product POV. GitHub still runs as a separate company (different logins and health care and hiring systems) with its own policies and point of view.
That's what we said about the Skype acquisition too.
"It's different this time, it will run independently, for once Microsoft won't interfere and destroy the acquired company".
3 years later (I was there), 50% of Skype's original management and developers had left. All the major new projects at Skype turned out to be integrations with the endless already existing Microsoft products: integration with Lync, integration with Microsoft ID, integration with Microsoft UI, etc...
5 years later, Skype is dead... but everyone left already.
Skype is crap, it was doomed to die around that time frame anyway. If anything, Microsoft Business kept Skype going longer than it would have otherwise.
Seriously, go use products like Google Hangouts, Slack or Microsoft Teams (Microsoft's surprisingly better clone of Slack) and then tell me that Skype was ruined by integrating with Microsoft's other product base. The closest argument you might be able to make is that Skype could have developed new features or updated its UI and stayed competitive, but that wouldn't give them the competitive edge that its competitors nearly all had in terms of being backed by major tech companies. Additionally, the major revenue source was Business tier use, which Microsoft dramatically improved by integrating it with their other cloud-based business suite applications.
Microsoft didn't kill Skype, if anything they extended its life expectancy and value in markets that actually paid to use it. It's dead/dying now because better tools have been developed and marketed to replace it. That's just standard product life cycle.
> Microsoft Teams (Microsoft's surprisingly better clone of Slack)
Personal experience, but I have not found a single person who likes MS Teams. Usually people around me say that Slack is ok-ish, while MS Teams is crap.
Agree, Teams is an absolute shitshow of a communicator. Everything's wrong about it, from unintuitive UX, incredibly slow UI, up to terrible API design where even making a simple bot is laughably hard (try working with 'chats' instead of 'teams' or 'channels' and you'll see). Recent days also proved how bad their infrastructure is; they're not capable of handling bigger traffic at all. I've used Slack equally long before that and it was amazingly good in comparison (still not perfect though).
I'll tell you one thing it does better: audio/video conferencing. We went full WFH and the usual suspects couldn't support us, but we discovered that teams is a thing we pay for and operates like a champ, haha.
Skype for Business is not Skype. It's just a rebranding of Lync that happened after the Skype acquisition.
There is a half-baked link between Skype and Lync to make it seem like it's the same product. This link is all shitty mainly because Lync and Skype work completely differently, and even simple things like call signaling have to deal with years of legacy Microsoft SIP extensions that were punched into Lync.
I remember the first time we received access to the Lync code repository. That stuff was a multi-GB (!!!) repository that contained files, promo videos, PDFs, code, etc. That tells you much about the development practices behind Lync.
I still run a Lync Server 2010 at home to chat with my wife using an MSN-looking messenger. We used to chat a lot using MSN Messenger and this is a way to hold onto it. I don't mind Lync at all!
Corporate standard at my place of work. I hate Hangouts with a passion. It's the worst messenger, feature- and UI-wise, that I've seen for years.
> Microsoft Teams (Microsoft's surprisingly better clone of Slack)
No it isn't. Used Teams at another company which adopted it as the standard. Couple of years ago. Feature-wise it was like a proof of concept, very early access.
> Additionally, the major revenue source was Business tier use, which Microsoft dramatically improved by integrating it with their other cloud-based business suite applications.
Again, I worked at another company where Skype for Business was the standard and nobody ever used it unless they needed formal IT help or something.
All the teams I'm acquainted with at my current place refuse to communicate on Hangouts and, in violation of corporate policies, use something else like Slack or Mattermost.
Teams a few years ago is not a good comparison; it has evolved a lot since just a year ago. While Slack is getting more bloated and messy, though currently okay to use.
> You have to understand that the technology underlying Skype at the time was very brittle and poorly designed.
> When Microsoft acquired it Skype was routing its traffic over port 80 for example.
__I have to understand__?
Who is saying this? Do you have any credentials / knowledge of Skype technology? My understanding is that you only report indirect discussion from "your friends who worked on it"?
Having been there, I would say quite the opposite.
Skype had pretty intricate means to bypass NAT to NAT clients. I would even go as far as saying that Skype's P2P connectivity tricks were top notch, considering the incredible amount of different network setups that clients could face. Even in the weirdest conditions, you could trust your Skype client to somehow find a way to get the call through. This was through an immense collection of in-house, trial-and-error, STUN/hole-punching-like techniques.
Now I can understand that for people outside of the peer to peer connectivity world, these techniques could seem completely foreign and brittle, but they're not. It's the world of internet clients we live in. It's not related to Skype, it's the route all peer to peer clients have to deal with. If you don't want that, don't go peer to peer.
> Google almost bought Skype before Microsoft did and backed out after they got a look at the code.
Where did you get that information? I had never heard of that interpretation of the story before.
My view on this is that Google considered buying Skype, but backed out because they wanted to have a cloud-based service, instead of a P2P one. Microsoft was in the same state of mind, but decided to go along and migrate Skype to be a cloud service, which they did.
Now if you really want to discuss technical details and the state of Microsoft/Azure at that time, I would be pleased to do so.
Microsoft started the migration of Skype to the cloud at a time Azure was just a big beta test. Nothing was working properly, the tools were sub-par or nonexistent. Nothing was reliable. You would deploy Azure services through remote desktop automated by PowerShell scripts. Managing databases was done through in-browser Silverlight clients - yes, that was already EOL at the time, but that was the only way to perform DB queries with a UI.
When complaining about the deplorable half-baked status of the tooling and cloud services that we were required to use to migrate Skype, the only response was "Yeahhh, Eat your own dog food".
Thanks but no thanks.
All the great Skype engineers left in the two years after the start of the migration to Azure - mostly to join Twilio.
He did not think Skype's P2P communication was a good fit for Google, going so far as to say it ate up bandwidth and was like an old technology.
The PM's remarks could be summarized as saying the basic p2p communication architecture was overly and only used in order to avoid a cloud/server based architecture.
Basically, the PM thought Skype's architecture and code base couldn't effectively scale or meet real world business requirements that people would pay for.
It could be true (and frankly I certainly can believe it!) but an article from someone who didn't buy a company could also be a post hoc justification for why they didn't get the deal.
Like VCs who try to invest in a company but lose the deal (or never get to see it at all): "Oh FooBarApp? Yeah, we passed"
That isn't really relevant to the problem they were working around. The problem is that many firewalls block outbound ports other than port 80, 443, and some other very common ports.
Put another way, if both sides block 80 incoming, their only hope is fancy NAT-punching techniques.
But those NAT-punching tricks are useless if they are using a port that is completely blocked on the outbound side.
Let's face it. Microsoft is a business and at any point in the future it might change course if it has economic pressures to do so. It can only keep being "good" as long as it has a stream of money coming in that allows this to happen. So the important thing is how they make npm economically viable. They need to have a good business model. I can only imagine GitHub was economically viable when they bought it, hence they let it run independently since it provides a revenue stream.
"So the important thing is how they make npm economically viable."
That's not the important thing, that's the problem. Npm could easily be an open source client. Contain less code and be better. And have a mirrors system like every other repo so it does not need money for hosting.
Npm wanted to control nodejs and make money out of it. And they have.
Microsoft purchased that control and plans to make money out of it.
I’ve been at three companies that acquired small shops. That 5y horizon to the kill-decision lines up with my experience. Most recently I worked with a company (mid size) that had been acquired two years prior by a very large international organization. “It's great, they let us do what we do best and are excited to adopt some of our practices”. Two weeks later the senior leadership was shuffled and the mothership was changing things to better match their process, etc.
What happened with yarn? As a very casual user of it, it seems to work well and have pushed npm to innovate a bit when it was stagnating. But I haven’t followed it lately. Were there technical issues or political drama?
Yarn's new version does a bunch of weird, complex to reason about stuff that's closer to a bundler than it is to a module manager: https://github.com/yarnpkg/yarn/issues/6953
I mean, zip files are hardly complex. PnP is a breath of fresh air and lets you commit packages "safely" to your SCM without LFS. NPM has been experimenting in v7 with similar ideas.
I'm personally quite fond of "zero-install" setup to a repo.
My guess is that he is referring to Microsoft Azure's attempt to migrate to Javascript support. You can see some of the support, but it is still currently lacking and difficult to use. I hope that they can manage though, Azure has tremendous features, just challenging to utilize properly.
The maintainer released Yarn 2. Yarn 2 is pretty foundationally different than Yarn 1, and can and does break a lot of products/projects if used. Some folks are not happy about it, although Yarn 1 will probably continue to be maintained by the community for a while.
What happened to yarn is they released a v2 with some backwards incompatibilities... and for this reason we should be glad facebook didn't buy npm? (Also facebook doesn't actually own yarn). Well I'm confused.
I'm not OP, but the inference I draw from the comment is that with Yarn declining in quality the probability is higher that NPM will once again become the de-facto standard, thus, it is ideal that any company responsible for its stewardship serve not as further consolidation of power in the industry (which currently leans Alphabet/Facebook).
IMO it's crazy we're here, growing up in the IE days, but Microsoft acquiring influence over the JS ecosystem in this day and age is at least arguably, as OP stated, a distribution of power.
The review you cite compares yarn 1 to npm and declares yarn 1 the winner. They did not evaluate yarn 2 because they say it does not yet support react native without a plugin.
Given that Microsoft for all intents and purposes killed Atom (along with their really promising xray project [0]) almost immediately after the acquisition [1] even after explicitly claiming they wouldn't [2], please excuse me for not seeing the GitHub acquisition in the same positive light.
[1] They never officially announced it, but they almost certainly de-staffed it to the point where it's barely on life support: https://imgur.com/a/jQBHsUk
What a surprise, the VSCode fanboys are coming in droves to downvote and say nothing more than how Atom was going to die anyways.
Sure, maybe it was, but that's not the point. The point is Microsoft _actively pulled development resources away from Atom after explicitly claiming they wouldn't_.
I get that a lot of people like VSCode better than Atom, but _please_ put things into perspective for a moment and consider if you'd make the same comment if the same thing happened to _your pet project that happened to be #2 in popularity but then got axed after being acquired by the company who owned the #1 after claiming they wouldn't do exactly that_.
Whatever your opinion might be on Atom vs VSCode, can we not at least agree that this kind of behavior is something we should hold acquiring companies accountable for? It might not make any difference to their bottom line at the end of the day, but the least we should do is hold them to the fire in the court of public opinion.
Counter thesis: what "killed" Atom is the balance of user enthusiasm quickly shifting to VSCode. Well before the acquisition was even announced, VSCode started grabbing developer mindshare real, real fast. I remember being an Atom user who resisted that tide for a while, but it became pretty clear that VSCode was taking off like a rocket and Atom, well, wasn't.
If commit activity graphs are really a meaningful measure, look at VSCode's:
The number of commits per, uh, date unit (the graph is not super clear on that axis, honestly) across the entire length of VSCode's activity graph rarely drops as low as the highest number of commits per date unit for Atom.
I'd have preferred to see both survive and do well, but that really hasn't been the way the text editor space seems to have worked. Editors that are conceptually awfully similar to one another tend to have one dominant player: TextMate (at least for Macs), then Sublime Text, then Atom, then very quickly Code. Given that Code and Atom are probably the closest of any two in that list, this just isn't that surprising.
It would be delusional of me to claim that VSCode wasn't already winning in terms of mindshare by a large margin when the acquisition happened. That's not what I'm claiming here.
Atom still had a healthy number of active contributors (presumably most of them were from GitHub) making improvements to the product on a daily basis to make it a perfectly viable tool for the people who chose to use it (and despite the much smaller developer base they continued to innovate with projects like xray and tree-sitter)... That is until the Microsoft acquisition happened.
Before anyone jumps in with the causation vs correlation argument, I think any reasonable person looking at the evidence would agree that the timing is convenient enough to make it highly unlikely to have been a coincidence, especially considering that most of those contributions were from employees at GitHub who were _getting paid to work on Atom_, so the only reasonable explanation for the contributions to stop abruptly within a month is that they _stopped getting paid to work on Atom_.
To add insult to injury they even had the audacity to claim they wouldn't do exactly what they did. That is the crux of my issue with how they handled this acquisition.
I agree, it's probable that there's been a decision to de-prioritize Atom in favor of VSCode. And sure, I get being upset about that, and about GitHub not confirming that this is what's happening if it really is what's happening.
But the words of the linked Reddit comment from Nat Friedman were "we will continue to develop and support both Atom and VS Code going forward"; that's a true statement today. Atom is currently being developed and supported. That's a case of adhering to the letter of the statement rather than the spirit, I know. But that circles around to the problem of VSCode's rapid ascent in mindshare -- if your company ends up owning two very similar editors and they both have roughly equal downloads and community interest, you might try to support both equally. But if one of them has orders of magnitude more downloads and community interest than the other, you're going to focus your efforts on the popular one.
How many of those GitHub people were officially working on Atom and how many were just random GitHubbers who supported the company focus and followed social pressure?
It's quite possible that this was just a random side-effect from a shift in focus, instead of a planned sabotage.
From Microsoft's perspective, what's the advantage to them or their users to pay for two somewhat similar free offerings to be worked on in parallel? Given that one was gaining in popularity by leaps and bounds while the other was rapidly losing market share and relevance, what course would you recommend? "Fund both indefinitely, to keep the handful of atom users that want new features happy"? Be reasonable.
I don't think anybody's expecting them to fund both indefinitely, but given that their soon-to-be new CEO went on the record to say that they would actually keep funding Atom development, I feel it's fairly reasonable to expect that they wouldn't pull funding from Atom almost completely as soon as the acquisition went through. That's a really shitty move no matter how you look at it.
He said "we will continue to develop and support both Atom and VS Code going forward," which at least of right now is still happening -- Atom 1.45 was released last week, along with 1.46 beta 0. The conjecture that they've effectively defunded it is reasonable, but it's still conjecture, and even if they have it doesn't actually break Friedman's (possibly quite deliberately worded) statement.
Maybe Microsoft helped kill Atom, but I don't think Atom is completely innocent by itself.
I was a user of Atom and later switched to VSCode. It took me a few months of weighing all the options before I made the switch. That's how much I love Microsoft -- Very little.
Don't know if they got it fixed, but there was a design flaw in Atom: a bug inside some Atom plugin (`linter-ui-default` is one of them if my memory is correct) can reset the entire Atom into its default settings, and it happens randomly (See links 1, 2 and 3).
This problem pisses me off so much and so many times. The last time it happened, I accidentally deleted my backup configuration `config.cson` when trying to recover the setting. Yes, it is technically my fault, but no, really, it is not. So, after seeing all my life flashed before my eyes, I decided to stop living ... with Atom, I had enough.
VSCode is generally a better editor when compared to Atom. I mean, VSCode has its own issues, sure. But for me, so far those issues are mild and usually get fixed quickly.
Author of `linter` / `linter-ui-default` here. The package in no place in its code rewrites the entire Atom package configuration. It does however observe its own configuration. If observing in itself resets the Atom config, then it's out of the hands of the package and a bug in Atom core.
It's possible that one of the linter providers had that issue, and since Linter providers are only called by the linter package, they wouldn't exhibit the issue on their own. It's not uncommon to have issues that seem like it's the linter's fault since all of the providers do nothing and seem harmless unless invoked by the linter package.
I would've helped to debug this, had somebody pinged me on any of the issues. Oh well :)
Some information (https://github.com/atom/atom/issues/17060) indicates that the problem is related to `atom.config.set`. `linter-ui-default` is one plugin that triggers it.
So maybe it's not a bug of `linter-ui-default` after all. Sorry dear innocent man, my judgement is not always on point :)
> Microsoft for all intents and purposes killed Atom
I don't think so. When VS Code came out my reaction was "Wow! It's like a 1.0 version of Atom!" I.e. an Electron (or similar) based editor that works, whereas Atom always seemed like a beta release. I tried to use Atom a bit but it came with little out of the box and the plugin ecosystem was a complete mess. I filed an issue asking if obsolete/dead plugins could be somehow removed from the plugin repository, but nothing came of it.
> "Embrace, extend, and extinguish" (EEE), also known as "embrace, extend, and exterminate",is a phrase that the U.S. Department of Justice found was used internally by Microsoft to describe its strategy for entering product categories involving widely used standards, extending those standards with proprietary capabilities, and then using those differences in order to strongly disadvantage its competitors.
GitHub is still a good choice, but working with their more recent APIs, like GitHub Actions, I feel Microsoft's touch. They're slowly changing for the worst.
Nah, Github Actions is actually amazing, and has been rock solid for me.
For someone who's not a pro in using CIs, it's been much easier to use than CircleCI. I never have to spend more than 20 or 30 minutes fiddling with Actions to make it actually work.
This for me is the biggest contribution to open source: normal people like me (who don't want to get too familiar with proprietary or overengineered CI tech) will be able to have CIs for pretty much ALL their projects.
I can’t speak for Actions but you seem extremely biased for some reason. It would take you less time to learn CircleCI than it took to write this post. Much less than 20-30 mins.
I might sound biased because I had lots of difficulties with CircleCI that I'm not having with Actions anymore. That's why I think it's a better product for my own use case.
The Github acquisition was pretty recent, no? It seems like Actions is something that Github would have planned and been working on for some time prior to that.
No. Microsoft did not adapt to GitHub. The first thing Microsoft did after acquiring GitHub was force you to log in to view commits. I felt like some huge corporation took over the park I visit daily and charged me. It felt terrible.
An absolutist definition like that is completely and utterly meaningless unless the only person you talk to is yourself. And even then there are consequences for what you say to yourself, even though they might not be externally visible immediately. And if you want to get really ridiculous, consequences of saying anything involve movements of air and possibly particles of spit. Maybe even spreading an infection.
So by your definition freedom of speech cannot exist, or you need to refine your meaning of "consequences". That refined meaning is accepted as consequences from the government.
Any other meaning is senseless because people are free agents and may respond to your speech in any way they feel fit.
I see freedom of speech as starting and ending at: the government can't compel or suppress your speech.
Your employer or society in general absolutely can via the consequences of what you say. If you are making your employer look bad then they can and should be able to get rid of you.
If society decides they don't like you because of what you say and choose not to associate with you or use your business, then that also feels fair enough.
This seems like a good outcome overall. NPM being such an important pillar in the software supply chain while having an unviable business model and largely being funded by VC money was never a good position to be in. There are problems with more of the software ecosystem consolidating with a single entity but it still feels like an improvement.
> NPM being such an important pillar in the software supply chain while having an unviable business model and largely being funded by VC money was never a good position to be in.
Why does NPM need to be funded as a commercial entity at all? What other open source library has a private company running its package manager? This one still boggles my mind.
For programming languages, there are several examples of commercially run package managers:
- the Java/Kotlin/Scala ecosystem is based around maven central, which is run by Sonatype, Inc.
- Go modules are hosted by Google. Previously, most libraries were hosted on GitHub
- Rust's crate index is on GitHub
- The Docker/Moby registry is run by Docker, Inc. (though that might be a stretch for "package manager" :))
Note that the crates.io index is just a single git repo that holds JSON metadata about each crate: https://github.com/rust-lang/crates.io-index . The actual code found on crates.io is hosted on S3. The index is an important part of the system, but there's nothing tying it to GitHub specifically.
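As an added illustration of why a metadata-only index is useful on its own (this is example code written for this thread, not code from crates.io or from the commenter), here is a small Python script that parses index entries in the one-JSON-object-per-line layout the index uses and checks a downloaded `.crate` archive against the SHA-256 recorded in the entry's `cksum` field. Because the integrity check is anchored in the index rather than in whichever host serves the bytes, the archive can come from S3, a CDN or a local mirror and the consumer can still tell whether it matches. The index lines, the crate bytes and the crate name `example-crate` below are constructed for the example.

```python
"""Verify a downloaded .crate archive against the crates.io-style index entry.

Added example, not code from crates.io. It assumes the real index layout:
one JSON object per line with at least "name", "vers", "cksum" (hex SHA-256
of the .crate file) and "yanked". The sample entries and archive bytes are
constructed here so the script runs offline.
"""
import hashlib
import hmac
import json

# Constructed stand-ins for a downloaded crate archive and a tampered copy.
GOOD_CRATE = b"constructed crate archive bytes for example-crate 1.0.0"
TAMPERED_CRATE = GOOD_CRATE + b"\n# injected build.rs"


def make_entry(name, vers, crate_bytes, yanked=False):
    """Build one constructed index line for the sample data (cksum = sha256)."""
    return json.dumps({
        "name": name,
        "vers": vers,
        "deps": [],
        "cksum": hashlib.sha256(crate_bytes).hexdigest(),
        "features": {},
        "yanked": yanked,
    })


# Constructed index file content: 1.0.0 is live, 1.0.1 was yanked.
SAMPLE_INDEX = "\n".join([
    make_entry("example-crate", "1.0.0", GOOD_CRATE),
    make_entry("example-crate", "1.0.1", GOOD_CRATE, yanked=True),
])


def parse_index(text):
    """Parse index text into a {(name, version): entry} mapping.

    Blank lines are skipped; a malformed line raises so a corrupted mirror
    is noticed instead of silently ignored.
    """
    entries = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"index line {lineno} is not JSON: {exc}") from exc
        entries[(entry["name"], entry["vers"])] = entry
    return entries


def verify_crate(entries, name, vers, crate_bytes):
    """Return True only if the archive matches the index and is not yanked.

    Raises KeyError when the version is absent from the index, so a caller
    cannot mistake "unknown" for "verified".
    """
    entry = entries[(name, vers)]
    if entry.get("yanked", False):
        return False  # a yanked version should not be installed even if intact
    actual = hashlib.sha256(crate_bytes).hexdigest()
    # Constant-time comparison; cheap here, and a good habit for digests.
    return hmac.compare_digest(actual, entry["cksum"])


if __name__ == "__main__":
    index = parse_index(SAMPLE_INDEX)
    print("intact archive:  ", verify_crate(index, "example-crate", "1.0.0", GOOD_CRATE))
    print("tampered archive:", verify_crate(index, "example-crate", "1.0.0", TAMPERED_CRATE))
    print("yanked version:  ", verify_crate(index, "example-crate", "1.0.1", GOOD_CRATE))
```

The same check works against a clone of the index from any git remote, which is the practical meaning of "nothing tying it to GitHub": the hash that decides whether an archive is accepted lives in metadata you can mirror, not in the storage bucket.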
Ah, neat! Works out well for them; I assume it's relatively cheap to just serve an S3 bucket on their CDN (though I guess bandwidth costs may rise rather dramatically if Rust ever reaches Node levels of popularity), while not taking on any other operational expenses of actually running a registry.
CDN bandwidth by nature of the reach of Cloudfront will mostly be offloaded onto the local peering fabrics. It basically costs nothing in per mbit billing - e.g. linx https://www.linx.net/wp-content/uploads/2017/10/Fees_Schedul.... 100gb hand. That's not to say there aren't other major costs in running a resilient edge network which go some way to justify 0.0Y/GB pricing where Y varies from 1-9 depending on location for non sponsored projects. tl;dr - it won't ever be a problem
Technically the Go module _proxy_ is hosted by Google. Even if the proxy went away, you'd still be able to get access to all of the packages as they're still hosted elsewhere. It just wouldn't be as fast.
Maven Central has mirrors and alternatives and you can trivially host your own repository, all you'd need is a plain web server serving a bunch of static files.
Some libraries aren't hosted on Maven Central actually, so it's not uncommon to see instructions for adding extra resolvers to your build config.
The Java ecosystem isn't as dependent on Maven Central as the JavaScript ecosystem is on npmjs.com
Almost every library out there is on Maven Central. Even Oracle JDBC drivers are now (finally) on Maven Central.
If MC goes away as it exists today, the Java ecosystem will take a huge hit as almost every open source project would stop building in CI/CD environments from the get-go.
If it vanished instantly then yes, but a huge number of packages on Central are mirrors from jcenter. There are not only theoretical competitors to Maven Central but an actual widely used one (jcenter/bintray), which is easier to use anyway. There's also jitpack too. So people could migrate pretty quickly to alternatives.
You're not technically wrong, but I bet that 90% of the projects or at least the examples have some sort of intentional or unintentional reliance on Maven Central, that would break the build if it weren't there. Even a lot of companies that set up internal repositories don't realize that they are still gonna hit Maven Central initially, before everything is bootstrapped, depending on how things are configured. It would reflect just really poorly on the Maven ecosystem (or any ecosystem alike, I have to assume, but know less about) if the canonical repository would just... "poof".
I think the point is that you are using a commercial entity to host your code. There is a bill for the code you have hosted, and you aren't the one paying for it.
Confused why you think a service serving millions or billions of requests a day wouldn't require money to run. Do you think some grant magically appears out of thin air to pay for the servers, storage, bandwidth, and maintenance?
We've been doing fine here in reality, where most Linux distros, Perl's CPAN, Python's PyPI, RubyGems, etc. are all run by volunteers and donations. There is nothing special about NPM that requires it to be owned by a for-profit corporation. If Wikipedia and Archive.org can get by, I'm sure NPM can too.
Big leap from "servers cost money" to "a package manager requires a commercial entity". How are other language ecosystems and package managers operating, many without private companies attached, when they too are serving millions of requests a day?
Well the big ones are hosted by commercial enterprises, and the smaller ones don't have the scale of JavaScript so they don't require that level of support.
Looks like they’re paying for bandwidth, aka “cloud pricing.” They could probably reduce those numbers significantly, but if it’s funded by a grant why bother?
I do not consider the largest distributor of proprietary, closed-source spyware (Windows) owning the fastest growing open source package manager to be a good outcome, personally.
It depends on what the alternative is. When NPM starts running out of money to run the service what would happen? More VC, but only to a point, and the firms would be increasingly influencing NPM to make money by any means (probably not good for anyone but the firms). Alternatively a cash strapped NPM fails to invest in security and availability of the service leading to widespread outages or worse a large scale supply chain attack facilitated via the registry.
Isn't it more that NPM specifically has had a bumpy ride, and people are seeing this acquisition as a sign of better times to come, and it not being a value judgment of other open source initiatives.
That's a path, but with NPM already being a company with significant VC investment, would a transition to such a model work out with the existing stakeholders? Also NPM is quite a bit bigger than both the Ruby and Python library spaces.
Perhaps because Node code bases when deployed cause the package manager (npm) to consume more bandwidth in general than comparable Ruby or Python code bases due to higher dependence on third-party packages?
As of Oct. 2018, the top 12 npm packages [1] were already doing more than 0.5 billion downloads a month. Granted, popularity has waned for a few of those top packages due to deprecation or new language features, for instance.
EDIT:
NPM’s announcement about the acquisition [2] provides up-to-date numbers:
“Today, npm serves over 1.3 million packages to roughly 12 million developers, who download these things 75 billion times a month ...”
You're probably right with all the one-off and fairly small dependencies in the npm ecosystem. Seeing those numbers would be pretty neat to compare side-by-side.
This is sad to read. Why does every project have to be profitable? If NPM is useful users (companies and people) can invest time or cash to support the operations and continued development. This foundation model has been successful across open source and prevents one company from changing the direction of a project to fit their own needs at the expense of everyone else. I think this was critical to the continued growth of open source software over the last two decades. If this trend of selling out to massive corporations continues it will be a major step backwards.
To be clear, that's not what I am arguing here; I agree that package registries should, ideally, be owned and supported by the community. However, NPM already had fairly significant VC investment and as such any transition to a community-supported model would be challenging.
The acquisition can be a good outcome for the current situation without it being the ideal state of things.
Imho npm is two things: a CLI tool, and a central repo that tries to be the one and only JS repo, to make money from that position. Their infra costs them money only because that was their angle for selling out.
Linux repos take the alternative approach to try to get as many mirrors as possible so it can remain free.
Microsoft did not buy npm to help it become free. Believe me. They bought it because they reckon they can make a buck out of it.
That buck comes from somewhere.
Nodejs going to the Linux foundation was good news.
Why would NPM run out of money? NPM is the primary vendor for worry-free distribution and management of private JavaScript packages for $7/month/user. In a time where bandwidth is basically free (outside AWS/Azure/GCP) that should surely pay for server costs and a handful of developers.
It probably isn't going to 20x VC money, but it sounds like it would be profitable to run as a business.
Regarding 2FA/login: except that Microsoft has not done this with GitHub. And NPM is joining GitHub, not Microsoft. You will see the non-GitHub login vanishing in favor of GitHub login for sure. As for the second factor, see what GitHub offers. For me that is currently an OTP generator.
GitHub already had a massive social graph. They know who you are in terms of who you work for and who your CTO is.
Npm does not know that about me. It has no sales channel.
GitHub is owned by the same entity that owns LinkedIn. Microsoft has really no problems cross linking persons. They can also easily link the source code between the systems etc (if they want).
I hope they don't use that Microsoft Authenticator app. That has never worked for me, never once got me logged in, and has locked me out of Teams on a couple of occasions.
The alternative is that the entire source control system (GitHub) and the entire artifact registry (npm) are run by a giant multinational military defense contractor with close and longstanding ties to the US military. Did we forget so soon that the Snowden slides are PowerPoint?
I'm not sure that's an improvement in any way whatsoever.
Boeing is a defense contractor. Northrop is a defense contractor.
MS? Not even a chance. What percent of their business do you think is actually government, beyond buying licenses just like nearly every other corporation on the planet?
Microsoft does indeed work for and with the NSA. As an ASP they participate in the warrantless PRISM bulk collection program (they were the first!), and they also provide software and services (support) as a direct vendor.
Change my mind: package management infrastructure run by government as a public service should be the ideal end outcome for everyone.
Why I think this: private or volunteer models are unsustainable in the long run owing to funding uncertainties or conflicts of interest between stakeholders. Utilities that support the bulk of our technical infrastructure should be secured by public interests. Governments can keep things free.
Common objections:
- "Governments are inefficient". Depends on the area. The government tends to be inefficient in handling areas with direct consumer benefit, but less so in dealing with consortiums or private entities. Since private entities are the primary mainstream users of packages, I don't think government will be too slow on this front.
- "Governments will be malicious". This I don't doubt, but the solution for that is building better trust mechanisms rather than keeping a practical solution at bay, and for software at least such trust mechanisms are tenable e.g. see the CNCF's Falcon project.
You aren't the only one. Most users are too young to understand how predatory Microsoft has always been. Can't wait for the "npm won't publish my package because it circumvents something in Windows" or whatever. Give it time.
Tbf Microsoft have won back a lot of good faith with developers due to projects like VS Code and TypeScript, even for those of us who remember their past.
And we're yet to hear of any negative impact of their Github acquisition (afaik - correct me if wrong).
> Tbf Microsoft have won back a lot of good faith with developers due to projects like VS Code and TypeScript, even for those of us who remember their past.
Those are great until they're not. It's why it's called "bait and switch".
> And we're yet to hear of any negative impact of their Github acquisition (afaik - correct me if wrong).
ANY?! Heh, do a quick search just on HN and you'll find it pretty quickly.
I did search, didn't find it quickly. Could you share some sources of the negative impact? (I'm legitimately curious as my use of GitHub hasn't led me to notice any change.)
> I'm legitimately curious as my use of GitHub hasn't led me to notice any change
Nor I. That's not the point.
For the record, I think Microsoft has done wonderfully for the dev community in the last 10 years. I don't see any reason that they are going to "f it up", but big businesses get desperate when environments change and profits get impacted (look no further than what Oracle is doing). Microsoft is not immune to that.
The complaints are "I think it really impacts the neutrality of github" and "I hope they don't discontinue Atom or apply their UX styling to the site/desktop app", respectively. Those don't strike me as particularly specific and/or nightmarish.
Before someone else comes along and writes a monologue, the biggest downside might be how it handled (didn't break) its contract with ICE[0]. If the acquisition didn't happen, old GitHub might've dropped the contract immediately upon enough employees speaking about it.
That's a subjective political opinion of a far-left vocal minority. Not everyone has an issue with ICE (a federal law-enforcement agency that stops criminals and saves lives) nor finds a problem with a company legally providing services to the government.
The fact that ICE has built concentration camps (as verified by scholars who study concentration camps) is a fact, not a subjective or political opinion. The fact that there are children in these camps, many being raped, some being tortured, is also a documented fact, not a subjective opinion.
These are well-documented facts that have been widely reported on in the mass media. You can find links to specific articles on my blog in the recent article about Microsoft and GitHub, if you wish to learn specifics.
The kids are in there right now, as I write to you.
Whether or not Microsoft's provisioning of services to the government is "legal" or not is not particularly relevant to the thread, but it is interesting that you bring it up, presumably as a defense of their behavior.
Again: This is not a partisan thing. At all. Your attempt to reduce it to such is inaccurate (and, tbqf, off-topic for the thread about Microsoft-the-corporation, as well as off-topic for HN).
Concentration camps are for political prisoners. These are not the same. And there are US citizens and children in jails and juvenile detention too, which is what happens when crimes are committed.
I'm a naturalized immigrant. I've been in far worse places than America. I suggest you visit CBP and ICE. Talk to the agents. Visit the border. See the shelters. View the damage done by criminals who prey on these people and find out how much the agents do to help them while risking their lives fighting cartels and traffickers.
Like I said, America is far softer with borders than other nations. Crossing illegally brings enforcement and penalties. I'm not sure why this is so controversial, or why protest against govt organizations is done by proxy of software companies.
>That's a subjective political opinion of a far-left vocal minority
What you are talking about is right-wing politics, even if they are extremely far to the left of your (and the majority of people's) political view in the USA. Both parties in the US are on the right. This isn't Reddit, where the state of US politics is the default norm when it differs from most of planet earth. Though HN is quickly getting there.
ICE doesn't protect the border, that's United States Customs and Border Protection (CBP).
ICE are the goons operating everywhere (i.e. not tied to the border) rounding up "suspected illegal immigrants".
Because it isn't exactly hard to find illegal immigrants, and their charter allows them to control people without objective cause, ICE gets to arbitrarily decide whom to harass.
It's the real-life version of the perennial fear of civil libertarians that too many criminal laws will just lead to any one of us being arrested whenever it happens to be convenient for whoever is currently in power.
It isn't going to end illegal immigration, nor curtail it to any significant degree. It just serves to keep a large segment of the people who see every day in a constant state of fear, unable to (for example) seek protection from crime or exploitation for fear of being deported.
ICE is the enforcement arm for immigration, which handles people who cross the border. Obviously if there's a strong border then there's no problem in the first place.
As for the rest of your comment, this is the far-left extremist position that I cited in my first post. There's no good faith discussion to be had here.
> ICE is the enforcement arm for immigration, which handles people who cross the border
No, it's the enforcement arm for immigration and customs, the former of which is people who are living in the US despite not being US citizens. Enforcement of people (and goods) crossing the border is the Border Patrol and its parent organization, Customs and Border Protection.
To keep this as straightforward as possible: Illegal immigration is a crime and is enforced just like any other. Committing crime can mean incarceration, which many US citizens face everyday. It has nothing to do with being a "danger", but when you don't have permission to even be in the country then there's no bail or other release possible.
Also detainment centers are not cages but fenced areas with free movement inside where people receive food, shelter, healthcare, entertainment, schooling and legal services paid for by US taxpayers while their cases are processed. Detainees are free to deport themselves at any time. This is more accommodating than pretty much every other developed nation.
Bad people exist and bad things happen in every large organization in every government of every country. It is not representative nor useful in discussing the behavior of the whole.
Yes, they do. But the important part is what the organisation does about that. Does it close its eyes, does it encourage it, does it publicly remove bad people from the org to send a message?
Lots of big tech firms are government contractors, and as we've seen most of them are unwilling to drop government contracts (ICE, DARPA, etc). So this problem would arise with almost any large benefactor. I would've liked to see GitHub drop ICE though, personally.
Others see that as an upside. ICE today, who knows what tomorrow. The sort of activists who wanted that have all kinds of random targets. No company wants to deal with suppliers suddenly blacklisting them because the hard left decided they're evil.
VS Code is also spyware; I am not sure that this argument furthers your intended point.
The fact that it is open source and popular is not sufficient on its own. It had to be forked (vscodium) to show basic respect for the user’s privacy and system resources.
This is such an extreme & pretentious viewpoint. Microsoft knowing that I have VS Code installed & getting a report when it crashes is not in mine, or really any normal developer's threat landscape.
> This is not a fork. This is a repository of scripts to automatically build Microsoft's `vscode` repository into freely-licensed binaries with a community-driven default configuration.
I am old enough (42) to remember those days, but honestly I don't feel that threatened by them. I remember their EEE days, and for a long time I haven't seen much of the same behavior.
Same here (40). I was with Ballmer singing "developer developer developer"... I think his legacy is not that bad. The company was not ready to grasp the idea of open source in those times, but the principle holds.
It may appear that blaming MS forever for their past actions is a good idea. It's not. Those actions and decisions came from certain people. They're long gone. I look only to the present. MS decisions and actions these past few years have been pretty solid imo. We must always assume the best of everything, not the worst. No matter what. It may appear naive, but it's the only sane way.
They've created a funnel from a jobs site they control, through an operating system and hardware they control, with development tools they control, and source (etc.) on a web platform they control, onto a cloud they control.
Assume the best all you like. Microsoft are spying on you and can lock you out of their ecosystem for any reason. When that ecosystem includes critical public infrastructure, there is a problem.
The only "sane" response to this is to smile at the MS employees who tell you how much they love Open Source and to use absolutely any other platform.
And pulling a package from a custom url is what, one line of code in this package documentation? And the moment it happens, this package will be on top of HN?
I understand the concern about MS business practices, but I don't think it applies to environment where transactions (as in, importing someone's package or submitting a pull request to it) don't involve any contracts or money.
Then you must not like React or Angular, since the owners of those projects are the largest spyware and aggregators of personal data in the history of humanity.
For some examples: RMS being a douchebag has nothing to do with the usefulness of gdb, nor can that circumstance affect the utility in any imaginable scenario.
Microsoft setting censorship policies (aka ToS) on a website they own and control directly affects the utility of npm/yarn/clients. Their website, their rules.
The time for GitHub is over. I have moved all of my repositories away from there that do not depend on GitHub-only integrated services, and am migrating my DNS and domains/hosting off of those integrated services this week. You should too. If you work there, you should quit.
Good for you. However, the general sentiment doesn't seem to behave the same way. I haven't noticed a mass Github exodus at all, aside from some people on the internet being vocal about it for the first month after the Github acquisition. Same with VSCode.
I realize this is just pure anecdata and not a legitimately researched observation, but I don't know a single dev in real life who either switched away from Github or VSCode due to those concerns, despite having a wide variety of dev friends from all kinds of backgrounds, including big tech devs, non-tech company devs, fully remote devs, self-taught devs, small startup devs, outside of the US devs, freelancer devs, etc.
I know a couple of projects that switched to gitlab. I use gitlab for my personal projects. I've abstained from moving Red Moon away from GitHub because it's still where people are, and I have some doubts about GitLab's VC-funded model (will they be able to stay as open forever?). I also want to consider other options, like SourceHut. At the same time, it is in the back of my mind and I am ready to move away at the first sign of extend/extinguish.
Just for reference, vscodium is not a fork to remove Microsoft's code - it is just a build tool for the open source repo as explained in the README.
"When we [Microsoft] build Visual Studio Code, we do exactly this. We clone the vscode repository, we lay down a customized product.json that has Microsoft specific functionality (telemetry, gallery, logo, etc.), and then produce a build that we release under our license."
"When you clone and build from the vscode repo, none of these endpoints are configured in the default product.json. Therefore, you generate a "clean" build, without the Microsoft customizations, which is by default licensed under the MIT license"
> Just for reference, vscodium is not a fork to remove Microsoft's code - it is just a build tool for the open source repo as explained in the README.
When a certain build configuration enables major spyware features, and that is the build configuration for the released version by the first party, and another build configuration (that is not released by the first party) disables those major spyware features, the distinction between a fork/patch and a "different build configuration" becomes semantically meaningless.
It's a fork, regardless of how they care to present it. The result of the build configuration is embedded in the release. Consider it a "binary fork" if you don't like considering json "source code".
Enriching Microsoft and improving their position in the market as a byproduct of publishing and using open source code that has nothing to do with them.
How is open source software harmed by Microsoft being successful promoting open source software? This feels like cutting off your nose to spite your face.
It was already consolidated. The vast majority of public npm packages are already hosted on Github. The dependency on them has been there since the beginning.
Yes, indeed - and the dependency is literally right there on the technical level. For years, you've been able to specify a version of a package as a github repo's branch HEAD.
The big problem is that lots of Node.js modules don't push their tags, so there are issues on lots of repos begging maintainers to push their Git tags so that we don't have to use the npm registry.
JavaScript is an interpreted language -- as long as you're only downloading source code from the registry there's really no reason to use a registry instead of the plain old Git repository.
A common issue I've had with using Git repos directly as Node.js modules is that many projects are transpiled/built before publishing to NPM. Depending on the specifics of that build process, it may not work out of the box (or at all) from a node_modules folder.
With NPM acquired by GitHub, I can imagine them "filling in some steps" by leveraging the fairly new Actions feature, so that repos can provide built artifacts, the same ones as published on NPM. The deeper integration will be an interesting development to watch.
Repos have been able to provide artifacts since forever ago; they just don’t sit in the tree. While you can commit from an action, I’m not sure that’s a great idea.
You're right, artifacts in GitHub repos have been around a long time. I suppose what I was missing was a way to point to a specific built artifact (like a tar.gz from a release) as a dependency, from package.json. As far as I know, it's not possible yet with npm. I can imagine that will be covered somehow with deeper integration of GitHub and the NPM package repository.
Thank you, learned something new - from none other than the founder of npm! :) Congratulations on the acquisition, bright future ahead for the whole ecosystem.
How is a convenience feature a dependency? The same command exists as "gitlab:username/repo" variant. The GH variant just happens to be the unprefixed one as it has by far the biggest userbase.
Perhaps dependency was the wrong term, but my point is what you said: they've built it in as a convenience feature precisely because it's such a common use case. A better way to say it might be that they're inseparably linked tools / tightly coupled even on the technical level.
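The comments above note that an npm dependency can be a bare `user/repo` shorthand (GitHub by default), a `gitlab:user/repo` variant, or a Git URL, and that such specs point at a branch HEAD unless a ref is given. As an added example (not code from the thread or from npm itself), the script below reads a constructed package.json and reports which dependencies bypass the registry and, of those, which are not pinned to a full commit hash; everything a dependency audit would want to know before trusting a Git-sourced package. The package names and hosts in the sample are made up.

```javascript
// Added example: classify package.json dependency specifiers and flag
// Git-sourced dependencies that are not pinned to a 40-hex commit SHA.
// SAMPLE_PACKAGE_JSON is constructed sample data, not a real project.

const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "sample-app",
  dependencies: {
    "left-pad": "^1.3.0",                                 // registry, semver range
    "some-lib": "someuser/some-lib",                      // GitHub shorthand, branch HEAD
    "other-lib": "github:someuser/other-lib#v2.1.0",      // GitHub, tag (tags can move)
    "gl-lib": "gitlab:someuser/gl-lib#main",              // GitLab, named branch
    "pinned-lib": "github:someuser/pinned-lib#3f2a6c9e1d4b5a7c8e9f0a1b2c3d4e5f6a7b8c9d", // commit
    "url-lib": "git+https://git.example.com/team/url-lib.git", // arbitrary Git URL, HEAD
    "tarball": "https://example.com/tarball-1.0.0.tgz",   // remote tarball
    "local": "file:../local-pkg",                         // local path
  },
});

// Hosted-Git prefixes npm understands; the bare user/repo form means GitHub.
const HOST_PREFIXES = ["github:", "gitlab:", "bitbucket:", "gist:"];
const SHORTHAND = /^[\w.-]+\/[\w.-]+(#.*)?$/; // user/repo[#ref]
const GIT_URL = /^git(\+\w+)?:\/\//;            // git://, git+ssh://, git+https://
const FULL_SHA = /^[0-9a-f]{40}$/i;

// Returns { kind, host?, ref?, pinned? } for one dependency specifier.
function classifySpec(spec) {
  const s = spec.trim();
  if (s.startsWith("file:") || s.startsWith("link:")) return { kind: "local" };
  if (/^https?:\/\/.*\.(tgz|tar\.gz)$/.test(s)) return { kind: "tarball" };

  let host = null;
  if (GIT_URL.test(s)) host = "url";
  for (const p of HOST_PREFIXES) if (s.startsWith(p)) host = p.slice(0, -1);
  if (host === null && SHORTHAND.test(s)) host = "github";
  if (host === null) return { kind: "registry" };

  // Anything after '#' is the ref; no ref means the default branch HEAD.
  const hashIdx = s.indexOf("#");
  const ref = hashIdx === -1 ? "" : s.slice(hashIdx + 1);
  return { kind: "git", host, ref: ref || "HEAD", pinned: FULL_SHA.test(ref) };
}

// Walks every dependency field and returns one finding per dependency.
function auditDependencies(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      findings.push({ name, spec, field, ...classifySpec(spec) });
    }
  }
  return findings;
}

// Names of Git-sourced dependencies that would change underneath a fresh install.
function unpinnedGitDependencies(packageJsonText) {
  return auditDependencies(packageJsonText)
    .filter((f) => f.kind === "git" && !f.pinned)
    .map((f) => f.name);
}

for (const f of auditDependencies(SAMPLE_PACKAGE_JSON)) {
  const where = f.kind === "git" ? ` via ${f.host} @ ${f.ref}${f.pinned ? " (pinned)" : " (MUTABLE)"}` : "";
  console.log(`${f.name.padEnd(12)} ${f.kind}${where}`);
}
console.log("unpinned git deps:", unpinnedGitDependencies(SAMPLE_PACKAGE_JSON));
```

Only a full commit hash is treated as pinned: a tag or branch name resolves to whatever the remote says at install time, so a lockfile (which records the resolved commit) is what actually freezes these, and a package installed from Git also depends on its `prepare` script to reproduce the build step that the registry tarball would have shipped prebuilt.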
Given the significant returns to scale in the tech industry, this is a pretty natural development, and it happens in most tech sectors over time as monopolistic competition generally outperforms the 'bazaar' economy.
'Small business' is only the equilibrium in sectors that can't increase aggregate output by growing or capital investment, like, say, the restaurant industry.
Thanks to Microsoft/GitHub for this acquisition. NPM is essential to the JavaScript ecosystem and it is hard to have a business model for just a registry. In the Ruby ecosystem the awesome Ruby Together https://rubytogether.org/ was started to run the registry. In this case one of the world's most valuable companies will run it, which means it doesn't need a not-for-profit.
Regarding "trace a change from a GitHub pull request to the npm package version that fixed it" will there be an API to add a source in case the change was made outside of GitHub? Although I recognize that the vast majority of changes to npm packages happen on GitHub.
It's confusing. RubyCentral pays for hosting and "ops" (not sure how much 'ops' staff time, if any?), but I think not development? And RubyTogether hypothetically pays for development (some but not necessarily all that's needed), which can include new features but also required maintenance (we all know software requires care and feeding, it's never "done")?
But I could have this not right?
It has been confusing for a variety of reasons.
And I think there are mixed reviews with how well it's going overall, especially the RubyTogether part.
That must make you nervous over at GitLab, no? GitLab's integrated workflow is one of its main selling points (I love it), and GitHub now seems to be well underway to cross that moat.
It is exciting to see that having everything in a single application is being validated by GitHub. Last year it was very clear they are switching from a marketplace model to a single application by including Verify (CI), Package, and Secure.
> It is exciting to see that having everything in a single application is being validated by GitHub
I wish Gitlab would get over this passive-aggressive negging of GitHub.
I would squirm seeing something like that among any two competing companies. But it takes a strange configuration of overcompensating an inferiority complex to use it for the specific case of one company starting out as an explicit clone of another, to then lord any small feature the original company may have followed over them.
This isn't the first time. I've seen it dozens of times, and I don't even specifically care about these two companies.
I don't think GP's comment was negging or passive-aggressive at all. The original GP said "That must make you nervous over at GitLab, no?" so it only seems rational to explain that they see this as validation and not as a risk.
Somehow, you took this explanation of why they aren't worried about this and turned it into a passive-aggressive stance.
It is important to understand that the "one single workflow" was very much what VSTS (Microsoft's GitHub competitor before they bought GitHub) was providing. It is very evident that Microsoft's enterprise background is shaping how GitHub is evolving.
GitHub is now very much focused on the end to end life cycle now that they have "GitHub One".
Reminds me of what happened with Cloud9 and VS Code. First, Cloud9 was awesome for allowing devs to code remotely. Then once VS Code became the best editor out there, they added remote host support (among other things) and now Cloud9 caters to a different audience entirely.
I think the honest truth is that a lot of developers see Safari similarly to IE because Firefox and Chrome are quick to jump on and ship new features and "if only Safari kept up" they could be used "everywhere". Combined with the fact that iOS is large enough that you can't just drop Safari support and tell them to use Chrome.
It's a weird world where webdevs apparently ideally just want everyone on the 6-second-old version of Chrome. I totally get it -- it's an absolutely rational stance, but it feels a lot like how devs felt about IE6 at the beginning.
You're right, IE6 was amazing at the time. It made a ton of things possible that previously hadn't been, and the standards bodies were lagging behind it. Had MS actually kept updating IE6 and kept it ahead of the standards, the standards would never have mattered, and we'd never have developed this sick taste for IE. No one hated that they had a monopoly, we hated that they had a stagnant monopoly.
I've worked with projects that used iframes in safari. It had some of the weirdest bugs. Some random times it didn't render changes to the DOM. Sometimes when clicking input fields it would focus the surrounding iframe element.
A webview in iOS could sometimes crash system wide. Not enough to restart the app. You'd have to restart the device.
Felt like a sitcom when I had to ask customers if they'd tried turning it off and on again.
Safari is way behind Chrome and Firefox on web features and has all kinds of proprietary rules on existing implementations.
It's not even required or the default install on any OS. And it has rapid updates that constantly test new features and improve performance and security.
Any "exclusive" features are just early testing for later standardization. It's Safari that's lagging in implementing them.
Want to try something fun? Install any browser in iOS and do a test. Then do the same test with Safari. Now ponder why they are exactly the same no matter which browser you install.
If you're referencing Apple's mandate that WebKit be used as the engine for all iOS web rendering, then yes, that's a poor policy ostensibly made in the name of security. Not sure if that's what your point is, though.
Can you imagine how much legal trouble Microsoft would be in if they blocked alternative browsers in Windows? Simply providing a single default was too much.
To be honest, I like this new Microsoft. VSCode is a really good tool, C# is amazingly performant and they don't talk quite the same BS lingo as some other big players. Also, MS Research produces some really good stuff.
These tools are worthwhile additions. VS Code is an important toolkit item for many. Just having it on multiple platforms is a useful common denominator that reduces friction.
They could fork it; the core of the runtime work is moving to WebAssembly anyway, which is a much more tractable problem. Sure, this is a boatload of JS work to do at the interface boundary, but the amount of hard compiler and JIT work that needs to be focused on by the main runtime is much lower.
Someone at MS knows strategy and tactics. When MS and Windows bootstrap themselves into the cloud, they will have some software to land on.
I wonder if more people will look into adopting Deno[1], the new node alternative by one of the creators of Node. It does not use NPM, you pull in packages Go-style (via URLs[2]). It's supposed to be more secure because you have to explicitly give it access to anything (i.e. network, file system, etc).
The thought that's going into Deno about permissions and upstream package issues has me considering it where I've generally rejected node.js for anything serious (also recognizing that it's probably early for production use).
Assuming this was an acceptable exit: I'm impressed that NPM pulled this off. They were basically doing the "no revenue model to speak of, hope we'll get acquired by a bigco" startup play that was starting to go out of vogue already when they were founded.
I wonder to what extent they've had influence over their own success at all though. Basically they had to hope that JS stayed popular (it did), that Node stayed relevant (it did) and that the entire JS ecosystem would move over to NPM (it did, but I'd say rather despite NPM than because of it) (I mean, otherwise Yarn wouldn't even exist, right?).
So basically their bet was:
- Turn NPM into a startup
- Keep the lights on
I bet I'm missing all kinds of key behind-the-scenes stuff, but still, I don't know many startups that manage to successfully exit by "just" keeping the lights on. In a weird cringey way, it's motivating.
"I have a set of goals that I wrote down back then, and have shared openly with the team.
...
3. Get a big enough exit that I can quit my job and see what comes out of me a second time.
4. Share the rewards equitably with the people who got npm to where it is.
...
On (3), well, I’m still working a jobby job, but I always knew that was a long shot, and “make npm a better package manager” is a job I enjoy. And as for (4), I’m proud of the deals that we’ve been able to negotiate for the team.
It’s not a kajillion billion dollar 10x startup cinderella story, and we’ve taken our hits, but in the end we’ve done right by our community, team, and careers, and I’m extremely proud of what we’ve achieved."
Not sure how good an exit it was. Crunchbase says they have fewer than 50 employees [0], so I'm guessing the first 10 people did pretty well but that the rest got what amounts to a nice bonus.
Keeping the lights on long enough makes this kind of exit more likely. Paul Graham has a good article about this: http://www.paulgraham.com/die.html
NPM did better than "just" keeping the lights on, though. They even held Yarn at bay by adopting its best features very quickly.
I'm surprised there's not a single mention of "Microsoft" in this or the npm announcement [1], given the old-evil-history of Microsoft and the new-nice Microsoft we have today.
I would expect that there was at least a mention, considering the reason that most modules in npm are still in ES5 is exactly because of the monopolistic practices that Microsoft followed back in the day which makes Internet Explorer still relevant.
Not negative, not positive comment. Just surprising there was no mention. And I do think Microsoft is doing a great job recently with Open Source in general.
Microsoft is aware of their reputation. So much that they even have a policy of not allowing Microsoft+Github co-brand promotions. They want the Github brand to stay strong instead of being diluted into some mix of Github and Microsoft.
I would guess mentions of enterprise and businesses all over with a contact sales button.
Some old pages are enterprisey, and I didn't know they pushed a desktop app for so long lol.
I loved that they explained how the name github came to be in one of the older landing pages.
Ah, that makes sense. That's disappointing for sure, but I assumed they meant something more specific to Microsoft. These profit-oriented changes are pretty standard after the acquisition of any website. If anything they feel mild considering how much potential there is for Microsoft to really exploit the freemium experience for more sales.
On the other hand, GitHub had a reputation for offering a first class freemium experience and this does chip away at that a bit.
Yeah, I guess a few more changes to push you to select to receive promotional emails. Other than that, it's pretty alright.
I like that they don't have a 30-day retention policy when you want to delete something (repos, account), which is what everyone else does to keep you on the site. Really hate that.
I’ve been a developer for nearly 25 years. I’m not sure if there is anything MS could ever do to regain my trust. Unfortunately this seems to be the way of large tech companies. At one time I thought Google was the best thing ever (don’t be evil). Now I find that I view Google in much the same way as I do MS. A huge corrupt behemoth that needs to be broken up.
I definitely saw Microsoft-of-the-90s as corrupt and harmful, and I definitely see Google-of-today as corrupt and harmful. I am not wholly opposed to the idea that both are bigger than companies should be allowed to be.
But apart from the fact that they followed the unfortunate modern trend to add telemetry to things, I can't really say Microsoft has done anything particularly offensive to me in the past... nearly a decade?
Just because you've been a developer for 25 years doesn't mean you should evaluate a company based on 25 year old events.
And that is all recent, on top of all the other stuff they won’t fix, like issues where file extensions magically reset to Windows defaults, nagging you to just please try Edge because it's better for real this time, and the unavoidable mandatory Candy Crush - seriously, if you install with no internet connection, it will keep a placeholder there for you that will install as soon as you’re online.
The telemetry issues are annoying too, not because they exist but because you have to read a book's worth of literature to understand what they chose to document. Seriously:
I would generally agree Windows looks more like traditional Microsoft than many other arms of their org.
And the Candy Crush thing... like, if it was just Home edition? Fine. If it was even smart enough to realize it need not preinstall that on a domain account (the installation of UWP apps is technically per-user), like, if they'd demonstrated any recognition that Windows is used in professional settings... I'm right there with you on this one.
However...
> like issues where file extensions magically reset to Windows defaults
https://devblogs.microsoft.com/oldnewthing/20190225-00/?p=10... is probably the best response to that. Given the number of Windows app developers who do unholy things with their apps, it's hardly a surprise. (My understanding is Windows has a huge number of secret compatibility shims just to keep major software vendors' bad hacks and API misuses working.)
> nagging you to just please try Edge
I literally can't escape "switch to Chrome" nags, as a Firefox user. Every Google site has at least one, Google's home page has displayed an amazing three Chrome popups at the same time before. I'd maybe give you this one if they weren't waging a war on it to a far more aggressive foe, and losing badly.
I’m a full-time Firefox user personally, and I have not noticed a whole lot of nag. Does it not show up under Linux or something?
edit: So far I’ve tried switching my user agent, turning off adblock, using a private/logged out window, on docs and search. Not that I’m doubting you or anything, but I am surprised I’ve not noticed it much since switching back to Firefox.
It’s also probably worth disclosing that I work for Google, though at home I am using Firefox and Duckduckgo.
Your mileage may vary on any given month, as Google frontend code seems to come and go regularly and randomly, indeed varying by platform, OS, and lunar cycle.
If you want an action to be made legal, you legalize it. Don’t blame the enforcement of the law. It makes for great virtue signaling but is useless for bringing long-term change and it doesn’t help provide a stable environment for people illegally in the country.
ICE itself routinely breaks laws in trying to capture undocumented people. But to speak to your point directly, I would love to see immigration reform. Until then, I’ll absolutely keep speaking out against ICE. That’s not “virtue signaling”, it’s just advocating for a cause I care about.
Furthermore, basically everything Microsoft did that made developers hate them is legal. Why is it okay to hold a grudge for “embrace, extend, extinguish” but not for aiding and abetting an organization that consistently violates our civil liberties?
The legislative process is not the only feedback system that is enshrined in the US constitution, else there would be no mention of public gatherings or protests. What you suggest is a false dichotomy.
Nonsense. There is hardly a local government in Australia not hopelessly corrupted by local real estate interests. In many nations local corruption is endemic right down to every neighbourhood police station. Size isn't the question: money's corruption of power operates at all scales.
Size is absolutely the question. There is always corruption, but in small municipalities at least the scale of corruption is contained. In a sufficiently local area the corrupt has to brush shoulders with his unwilling benefactors and be shamed.
Gates just finally stepped away from the chair. When that shit comes from the top, it gets baked into the culture and has a staying power beyond any tenure.
For most businesses, Microsoft still holds a monopoly position on desktop OSs. For a lot of smaller IT departments, this bleeds into back-end servers as well.
Microsoft has the Windows Subsystem for Linux, allowing Linux binaries to run on Windows. How about the reverse? Get WINE to the point where Linux (or FreeBSD or some fully source OS) can reliably run Windows binaries.
Along the same line, provide portable libraries to allow other office suites to reliably edit MS Office files (docx, pptx, etc). Maybe Adobe or someone will come up with a commercial competitor, instead of just LibreOffice.
Make Windows and MS Office a choice, rather than a tax businesses have to pay to be compatible with everyone else. That would go a long way to establishing trust.
Microsoft is arguably working on it: They offered up exFAT support to Linux, and it's been added to the kernel. SQL Server being supported on Linux is huge. Probably the absolute biggest selling point to Windows-based infrastructure remains Active Directory, and if you're cool with being cloud-based (I'm not, FWIW), they offer that through Azure now.
Windows is like three decades of legacy systems, but I would argue many of Microsoft's recent decisions have been at the cost of their Windows division.
Chapter 7 Bankruptcy where they get acquired by a newly-reformed Sun Microsystems (where no stock is owned by Oracle or Oracle shareholders).
EDIT: I'm mostly kidding, but you can't really expect true change of morals when the vast majority of the upper management is the same under the new CEO as under the old one.
As a former Sun employee I love this comment, but in all fairness Sun did have its own level of sleaze in the C suite (neither Eric Schmidt nor Scott McNealy would really do well as ethical leader exemplars).
That said, I'm thinking Moon Microsystems :-) Not as big or as hot as Sun. (ok that is a bad punalogy) I did get the domain though, it was available and I couldn't resist.
At the risk of sounding somewhat naive, I think people do have the capacity to grow over time. Perhaps part of the reason why Microsoft has seemingly turned over a new leaf in recent years is that upper management has learned from their past mistakes? I do see your point though, and I think it's stuck in the back of a lot of our minds.
It's not so much a grudge as a reaction, call it an immuno-type response. I shed my MS-OS Windows Desktop addiction over 20 years ago to become a desktop Linux user and I still see my co-workers struggling every day with many of the same issues I haven't had to cope with anymore since then.
Ever since I have been able to get the Microsoft out of my systems, I find myself naturally predisposed to keep it out. I am not against Microsoft, I really am a fan of a lot of the open and developer-focused things they are doing, certainly not least of which is their support for Kubernetes through Azure, but this does not make me more receptive to going back to living in a Microsoft OS-flavored ecosystem today, it just is not happening for me and it's nothing to do with holding a grudge or similar.
I use a Mac now because it was provided by work, if they offer me a trade for a Windows machine I would probably consider it because of the progress made by WSL2, but our group policy lags somewhat behind and certainly not on insider ring, so none of my coworkers have been able to try WSL2 on their work-provided Windows machines, or likely will for some time, and that makes me seriously think twice about it.
My natural inclination is that I would much rather install Linux as the host OS so I have control over things like when updates get applied, or whether a reboot needs to take place immediately, in spite of the struggle that sometimes comes with that, it is really much better to have the source and keep the capability to control your own hardware. And then only run Windows in a VM whenever it is really needed. (In other words, to be able to occasionally run Windows apps in a similar way as I do when I have to use them on a Mac.)
I just find it tragic that the only way GitHub could survive (I guess) was to be BOUGHT. Like why couldn't they stay smaller, focus on what they were good at, and standardize with the community all the integrations in an orderly manner?
Although, Microsoft has shown they care more about the developer community than Apple as of late. So for that, I can at least say my trust is rising. But it's a bit too late for me, I'm happily running Linux for most of my daily life.
Recently I installed win10 pro and was appalled at the way it had you jump through hoops to NOT have an m$ account, not to mention the blatant adware. And this was win10 professional.
It certainly reminded me that m$ is a long long way away from where it was in the 90s and early naughties.
So, a good start would be a stable and private OS without all the adware and telemetry.
PS: I use gitea instead of GitHub these days. Nor do I use vscode, but sublime text, for the same reasons: too much telemetry that can't be disabled permanently.
It would be interesting if they ended up with Brendan Burns (creator of k8s when he was at google) in charge of github at some point and made him like the OSS champion. He's running all the containers and linux stuff on Azure, so it seems like it would be a natural fit.
Three product companies (Enterprise, Consumer, and Media), an open source company (Research, Engineering, and Collaboration), and a foundation owning all of the patents and other licensed IP.
A trustworthy Microsoft is one that has open sourced one or more of their core products. Anything less is just retaining their classic hostility towards outside engineers.
To me it looks like water that isn't wet. PR (propaganda) and time will improve their reputation, but the "commodify your complement" strategy, the intent to dominate markets through anticompetitive behavior... Those things aren't gone. Big tech companies (like most big business) don't prioritize public good over profit, so they really don't deserve anyone's trust apart from trusting them to seek profit.
I'm surprised there's not a single mention of "Microsoft" in this or the npm announcement [1], given the old-evil-history of Microsoft and the new-nice Microsoft we have today.
Maybe Microsoft's reputation is exactly the reason why it was left out of this announcement.
Sometimes a brand is so tarnished that the owner tries to hide it from the people who hate it. (For example, Comcast → Xfinity. I expect Monsanto to go the same way and become Bayer.)
The latter already happened[1]. Bayer offloaded most of its ag business (to BASF) and replaced it with Monsanto. Monsanto has been rebranded "Bayer Crop Science". Although I'm guessing much for the same reason, Monsanto never rebranded any of the dozens of seed companies it acquired over the years (e.g. Dekalb, Seminis, Asgrow, etc.)
I installed Windows Subsystem for Linux 2 on an older machine just now. The MSFT of today is definitely a far cry from the MSFT of yesteryear. Such a thing would have been unheard of 15 years ago.
My prediction, that my IT department hates to hear, is that Windows is going away.
Microsoft doesn't want to be Microsoft anymore; it wants to be Oracle and IBM and primarily make money off of business consulting and the cloud.
I think Windows will eventually become a presentation and slowly-phased-out compatibility layer on top of Linux, similar to the way macOS became Unix, but even less different than its underlying OS.
However, it should be noted that I'm not very good at predicting things.
> I think Windows will eventually become a presentation and slowly-phased-out compatibility layer on top of Linux.
I think this is unlikely. In many ways the NT kernel is superior to the Linux kernel. I just wish it were open source and didn't have the rest of Windows around it.
Since when has technical superiority ever determined which product wins in the marketplace?
The Linux kernel is ubiquitous and free-as-in-beer, so it might win out. Android has already shown how you can build a proprietary userland on top of it.
Very unlikely, as it would mess with backwards compatibility and cause unhappiness of users and IT departments. Microsoft still makes money selling Office and other products there.
Microsoft doesn't need to care about backwards compatibility anymore, now that Wine exists precisely to have compatibility with Windows software (including software that even modern Windows itself no longer wants to run).
Hasn't Wine been good enough for at least 10+ years? Furthermore, how does being backed by Valve actually be of any significant value? I've heard of this argument for a couple of years now and I'm still not convinced (not that I follow Wine development that closely).
> Hasn't Wine been good enough for at least 10+ years?
Depends on what you mean by "good enough". Wine is an incredible project that has achieved amazing successes, but it still falls short in a lot of ways.
I personally don't use Wine but I've encountered people online in the last 10+ years that use the argument that it's "good enough" for people to fully switch to Linux. Realistically, I don't think Wine actually convinced more than a handful of users to abandon Windows.
If Windows goes away, personal computing basically dies with it. Everything will be locked-down walled-garden webshit, or community-built-jank FOSS desktops that really want to be like the locked-down walled-garden webshit experience but will say it is for the user's own good.
Doesn't that require actually extending and extinguishing, though?
WSL1 was a proprietary reimplementation of the Linux system call ABI as an NT subsystem. WSL2 is actual Linux running in a VM. That seems to be moving in exactly the opposite direction.
They can't. That's why I hate people using that chestnut in relation to Linux: It doesn't work for two reasons which stick out at me.
Reason one is because Linux is GPL'd, Microsoft can't extend Linux without giving its extensions back to the community.
Reason two is because Linux is already established in multiple realms, so Microsoft can't bully its way into dominance. Microsoft has a respectable presence in server rooms, but it isn't absolutely dominant by a long shot. Microsoft probably has something going on in the embedded/hobbyist SBC space, but there's no path for them to dominate there. And, FWIW, Linux owns the supercomputer world. I also can't see IBM falling over itself to put Windows on mainframes.
Open Source copyright licenses exist exactly to make the extinguish part impossible. MS cannot put the genie back in the bottle when it puts out open source software.
I mean. It's a subsidiary. I understand your sentiment but mentioning Microsoft would be like signaling that GitHub doesn't have any autonomy which is quite the contrary to what Microsoft said when buying it. So don't expect sudden sincerity on this. There's a reason why they haven't added Microsoft branding to areas like the footer.
Microsoft wants to host as much information as possible so it can collect data on developers and users. It is very hard to avoid giving data to Microsoft. GitHub, NPM, LinkedIn, Office 365, Teams, the lock-in is still alive.
A decentralized web or a not-for-profit like Wikipedia is a much better model for these infrastructure projects.
Git was designed to be decentralized from the start. Is there a way to revitalize that heritage?
Discoverability and pull requests are two big benefits that GitHub has offered. Could we create decentralized open source solutions to provide those benefits? Are there other benefits that we’d need to provide to have viable alternatives to centralization?
Supporting and using Git forges that support decentralized development, such as Pagure[0], would be a good way to do so.
Pagure supports submitting pull requests with Git repos on any server (regardless of whether it's running Pagure or not) with its remote pull requests feature. Issues, docs, and pull request metadata are all stored as git repos using JSON files as data, making it easy and portable to other Pagure instances and easy to convert for any other system.
As far as I know, Pagure is now the only Git forge software packaged in all major Linux distributions (Fedora+EPEL[1], openSUSE[2], Mageia[3], Debian[4], Ubuntu[5], Arch Linux AUR[6]).
It'd be nice to see people interested in this helping to build a future supporting portable, decentralized development.
Would be super strange if titles always referred to the top-most parent company. Every time Google does something the title should be referring to Alphabet? Please no.
The other way around, and in fact it already is that way -- we often say stuff like "Waymo, Google's self-driving car project", because we know who really runs the alphabet show.
This is great news for people forced to use Windows. JavaScript being a 1st class citizen on MS platforms is being even more cemented. It'd be great if Microsoft moved faster with Python integration into the MS ecosystem like SQL Server.
> considering the reason that most modules in npm are still in ES5 is exactly because of the monopolistic practices that Microsoft followed back in the day which makes Internet Explorer still relevant.
My first reaction was ... “so Microsoft”. I’m with you on the positive path Microsoft have been on with OSS but also recall the not-so-recent history. It’ll be interesting to see how this plays out.
My fear might probably be unfounded, but NPM is an integral part of the JS ecosystem. And given Microsoft has .NET Core, I have a strange feeling that they'll concentrate on npm less.
Product Manager at GitHub here - I'll be the Product Manager for npm when the acquisition closes. I agree - npm is definitely an integral part of the JavaScript ecosystem. The npm package registry will remain free for public projects. We're going to work to ensure that the service is stable and accessible, and ready to serve the next million packages.
This is independent of what Microsoft's doing with .NET Core. I'm excited about the work that they're doing, but this isn't going to stop us from making sure that npm is outstanding.
I think they view it as a way to make Core more reliable. Core relies on community-developed, npm-hosted tools like gulp and webpack. Unlike the full Framework, Core doesn't have a "built-in" or "endorsed" bundling solution.
Today we've announced that we've signed an agreement to acquire NPM but we technically have not acquired them yet (referred to as "closed"). NPM is still their own company for now and that's why the language is future tense.
I literally thought that, clicked hide, then thought "Wait a minute, do they mean...?" and had to go fish it out of hidden items.
"Joining" is an interesting term here... but I suppose it won because it sounds more like something friendly humans would do. "NPM Is Breaking Bread and Sharing with Github as Special Friends."
NPM is a lot more than the CLI. Even if you use yarn as the CLI you are still using npm for hosting and all the other parts that don't run on your computer. You can run your own npm repo, but hardly anyone does for all their dependencies (not talking about just caching here).
I'd wager most people who use yarn even installed it via the npm CLI.
I mean yes, but no, but yes. For one, a lot of companies end up using Artifactory or similar, so npm is the source of truth but not the source of tarballs.
Didn't GitHub set up their own npm registry recently? Shots have been fired in this regard. Which, now that I type that out, makes me kinda wonder how amicable this purchase was...
It'd be such a shame if something bad were to happen to your lovely repository...
Our 'workspace' is so ornate that yarn couldn't handle it. 1.21+ almost looks right, but something very bad is still going on with mocha deduping, such that tests are failing with really bizarre error messages.
I check yarn about every three months, or when I find a new, infuriating bug with the npm CLI (so, every couple of months on average). I think npm install suffers greatly from not having a formal spec. It has been bugfixed by so many different individuals now that it has reached a truly astounding level of schizophrenia.
If yarn didn't exist, I would have started trying to break down the install problem into many independent concerns that can be reasoned about individually and tried to solicit help in making a full installer out of it. If I'd known I'd still be trying to make yarn workspaces work for us 18 months later I probably would have.
Node modules in general have some bad patterns of delegation that are utterly antagonistic to self-documentation, and both yarn and npm seem to suffer from this as well. I think in the next week or so I'm going to have to set up a small test case that exhibits the yarn bug I'm seeing, or any of the half a dozen interlocking (emphasis on 'lock') npm bugs that now have me painted into a very tiny corner.
Your take on the installer in npm v6 is not wrong. It got that way by a process of gradual iterative evolution, and it has lots of warts.
npm v7 features a ground-up rewrite of the tree resolution and deduplication logic in the @npmcli/arborist module. I recommend checking it out, or at least staying tuned for the beta coming soon.
We have so many little modules from different teams, or even borderline abandonware, that it would take ages to make these changes, and 'yarn node'?? Just... no. How is that ever gonna work consistently with node_modules/.bin?
At this point my choices are, start contributing to yarn and npm development, or get my ass in gear on learning Elixir and Rust. I have been wondering for maybe 18 months if I might be 'done with Node'. I think I've had it backward this whole time. Node may in fact be done with me.
Yeah, yarn v2 is a BIG change and one that came out without much noise. There is no node_modules now by default. PnP is forced (which was released in yarn as an experiment back in 2018 without much adoption).
I have been wondering the same thing. I left node for 8 months and I come back to see a lot of things have been abandoned in favor of yet another wheel implemented a bit differently. I wish changes were more visible and subtle. Rewriting seems like a plague to the js ecosystem except no one rewrites some really old unmaintained dependency we have hidden in every new shiny project.
Yeah, I was confused when I first heard of it because it seems like an odd couple to "join" one another. However, it makes perfect sense for github to purchase npm.
I've been at GitHub for 7 years and we operate independently but have the support and resources of Microsoft when we need them. IMO, they've been amazing partners but day to day the GitHub team builds, prioritizes, and supports GitHub.
It's totally the smart thing to do. Github needs a ton of cloud compute with github actions, Azure powers it. Github brings a very strong brand that developers love, which gives Microsoft a good rep amongst technical folks.
This is as good as Google acquiring Youtube because Youtube needs an insane amount of bandwidth and it was a perfect fit for Google's infrastructure and ad platform.
It's just sad to see Google not playing the Developers game well.
I can't speak to company internals, but I do know that Azure is powering GitHub Actions runners, and there has been a firehose of new features coming out of GitHub in the past year. I imagine it's pretty core to their "Developers Developers Developers" strategy.
I hope this doesn't alter the current GitHub npm package registry policy where all packages must be published under a scope corresponding to the name of the owning GitHub user/org. The resulting increased transparency and clarity of ownership will be great for the JS ecosystem.
The existing npm ownership model is markedly less clear and has led to several problems, including the transfer of package publishing rights to bad actors without anyone being aware. On the whole, npm accounts and orgs were always just an unnecessary abstraction that obscured the actual provenance of software, of which GitHub is the de facto source.
Does this mean using alternatives (GitLab, et al.) is not an option?
The worst option has been Elm's system where the whole package system requires you to not only use GitHub, but when GitHub is down (which isn't uncommon unfortunately) packages that weren't cached locally were inaccessible with no mirroring options.
Yes thank you! We believe namespaces are a good thing and will continue to promote it as best practice.
Hopefully we can integrate repository information into package metadata such that you could be aware of a change of ownership even for a globally namespaced package.
I think this is the big reason I'm excited about NPM joining GitHub. I don't trust NPM (I'm not fond of package repos in general), but tying packages closely to their GitHub source offers significantly more verification potential that a package is in fact comprised of the source code for it, and that it hasn't recently turned hostile.
Microsoft does have a much better track record in terms of keeping their products alive than other Way Way Large companies that could have made this acquisition, and for that I'm pretty glad.
That said, and just in case their notoriously warlike legal team manages to fumble this somehow, I'd like to take the opportunity to remind every other frontender that Verdaccio (https://verdaccio.org/) exists, is easy to implement, and relatively low maintenance.
Gotta respect how Microsoft couldn't build anything the open source community wanted to work with/on so instead they used their Windows and Office monopoly to buy everyone's favorite playgrounds.
Indeed, these two projects alone have turned around my long-held opinion on Microsoft, to "cautiously optimistic".
TypeScript and VS Code have been an invaluable contribution to the community. I'm a daily user of both and so thankful for the talent, ingenuity and effort that have gone into them.
How Microsoft have managed the acquisition of GitHub, giving them autonomy and infrastructure support - so far, it's been all around positive.
Now with NPM under their wings, the centralization does worry me somewhat. I hope there are conscientious decision-makers who will guide the project for the good of community and ecosystem.
They should & deserve to have full control over everything they've created.
You can blame AWS/GCP for letting GitHub & npm be acquired, how many years were they on the open market?
Most of the $$$ in OSS is being funneled towards rent-seeking major cloud providers that are hosting OSS software, who should all have blank checks with the money they've reaped so far, but seems only Microsoft has the strategic savvy to focus on acquiring the obvious targets for increasing dev mindshare. I don't fault them for their M&A's, it's just good business.
It's also not like Amazon is being an amazing open source citizen; I don't see them acquiring the tech to be an automatically-better outcome than the current version of Microsoft doing so.
IMO this shows the importance of separating technology from platform. Ideally we would have non-profit groups with good governance & corporate support (rather than control) to grow these technologies. If an open source project can be acquired, it's only so free.
This kind of consolidation is probably not good for everyone who depends on open source projects. Microsoft now owns a significant portion of software distribution.
Just like GitHub this is a cloud play to make Azure more appealing by meeting developers where they're at, increase dev mindshare/reach, hosting their packages, CI Scripts/Actions then making it seamless to deploy to Azure.
Smart, have no idea where AWS or GCP's control team are at when these strategic plays are going down.
I did not see that coming. I trust Microsoft to be able to offer great availability and nice software. It is maybe not the best overlord we could have hoped for but it's way better than the status quo.
I see this as a straightforward play, simply put, I think (to summarize, perhaps a little too broadly)
- They want to sell Azure Services
- Most (if not all) NPM packages already live on github
- NPM has a business revolving around package management, including private npm instances and increasingly around node/package security
- This being primarily a business that will sell to has-money businesses (e.g., medium to large businesses, Fortune 500 corporations etc)
So, given all of the above, it makes sense to have a vertical selling into one of the fastest growing package management ecosystems where you can be the "full stack" provider of developer/enterprise tools.
I don't think it's anything beyond this, personally. I expect to see a lot of pushes to integrate with Azure Pipelines, cloud deployment etc. centered around this.
I wonder if they'll buy Passenger[0] next, it's a popular (in my experience) way to deploy nodejs applications.
Critical open source entities are bought by a private company. I understand the need for money and sustainability these entities need, but it's really a shame that the open source community doesn't "own" themselves.
These companies don't need to profit off of acquisitions. If they're going to, it doesn't have to be direct either, it can be a method of growing their sales funnel if nothing else, or even just acquiring talent.
There's a difference between "not going to last long" and "not going to return 10x to their investors". This seems like another example of the Faustian bargain of taking VC money.
How much did Microsoft pay? What did the founders take away?
Most people don’t know, in these open source acquisitions by for profits there’s money involved and “founders” get an exit. Not always clear to the public who those are or what they took home from a mostly volunteer effort.
I too was curious about how much the acquisition cost. According to TechCrunch:
> GitHub, the developer repository owned by Microsoft, made a little deal of its own this morning when it bought JavaScript packaging vendor npm for an undisclosed amount.
No, this is Microsoft "embracing" (buying control of) a huge point of centralization in a software distribution ecosystem, positioning them to have greater power over a huge number of developers.
I think people are "okay" with Microsoft because so many hackers have a problem with the data agglomeration and monetization strategy of Google and Facebook, but this Microsoft "embrace" will come to a head within the next couple years and I just can't wait for it.
The way people think Microsoft's embrace of open source, GitHub, and now NPM is genuine is completely ridiculous. Microsoft had to change because much of where the action was is on *nix systems. Microsoft will start to use these companies to make developers embrace Microsoft services. It's only a matter of time.
I can't even come up with a scenario of how MS would realistically do so? Sure, making GH actions easier to set up with Azure than AWS seems plausible, but also strikes me as somewhat benign.
Banning python from Github? Requiring \r\n for NPM packages? What's the move you're afraid of?
One question GitLab's CEO (sytse) is rightfully asking is whether the ability to trace code from npm back to the repository will be available to competitors. If not, less competition is bad for users.
I still think this is good news, given where npm is coming from, but it's certainly not risk-free.
This is where effective anti-trust enforcement is important and valuable.
Until we come up with better trusted federation protocols there will be natural monopolies, but that doesn't mean they get unchecked power. We have laws for that.
I don't give any credence to the idea that Microsoft under Satya Nadella is the same company as Microsoft under Gates or Ballmer, much less the idea that it is secretly lying in wait to go back to its old, far-less-profitable ways. It has behaved differently. It is making its money differently. It no longer stack-rank fires people. And it is making a whole lot more money doing things this way than it made the way it used to behave.
I hope you're spending lots of money at independent places then, because this is the inevitable result of the current "OSS infrastructure funded by VC charity" model. NPM was losing money, as was GitHub when Microsoft bought that. Under such conditions, getting bought out by a megacorp is the only path forward.
Github announced the Github packages feature a while back, but without npm it didn't quite make sense. Acquiring npm means github not only hosts source code, but packages as well. With Github Actions, they want to be the one stop shop for code lifecycle and be at the forefront of javascript ecosystem.
If developers love Github, they love the cloud. Microsoft is betting big on the cloud, they lost the Mobile war but they definitely want to be the developer and cloud darlings.
What I'd hope: somehow make packages more secure than hoping that nothing is tainted in the dependency. I think this is the biggest issue of volunteer package repo.
What I'd not hope: MS changes strategy with change of people etc and npm and GitHub rot.
Most important question: Will you still be able to see user-submitted phrases explaining the npm acronym? (See upper left-hand corner of https://www.npmjs.com/)
Microsoft have been making their code analysis tools available in GitHub post-acquisition; doing the same for npm could really help improve the risks JS programmers face when pulling in libraries from npm.
(Wishful thinking ...) Does this mean the next release of npm will be yarn v2 and that typescript will implement support for the pnp spec so we can converge the javascript packaging space to a sane place?
Does typescript support pnp somehow now? (That's actually the thing I'm wanting ...). npm's cli going away was an attempted tease (in bad taste I think)
Interesting subtle implications that the NPM paying users are going to be moved to Github's distribution system, while maintaining the OSS version of NPM for everyone else.
Was gonna write about all the bad stuff that can happen, but don't want to give any ideas. Instead I give advice; embrace and empower, rather than extend and extinguish.
It'd be wonderful, as a package consumer, to have visibility into some security metrics for a given package. This would be useful both at initial install time, and when the package is upgraded. Something like:
1) who are the latest commits GPG signed by?
2) is the package publisher using 2FA?
3) what is the security profile of all dependent packages?
4) are there any new authors (directly or via dependencies) since the last version (with links to the author and their contributions).
These might help avoid prior situations where popular packages get injected with malware by new maintainers.
Yes, we (internally) call this a "Bill of Health" and believe that all packages should have this kind of diff-able information available. Understanding what's happening at the source level is key to being able to trust any package published.
NICE! It would be wonderful to expose that information!
Somewhat related, I believe NPM pulled in (or co-opted) some of the heuristics from this: https://github.com/npms-io/npms-analyzer (but those don't seem to include any of the aspects I suggested above).
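As an added illustration of the "Bill of Health" diff discussed above (this is example code written here, not npm's or GitHub's own tooling): it takes two versions out of a registry-style packument (real field names such as `maintainers`, `_npmUser`, `dependencies` and `dist.integrity`, but constructed sample values) and reports new maintainers, a publisher who was not previously a maintainer, new or re-ranged dependencies, and whether an integrity hash is present.

```javascript
// Added example; the packument shape is assumed, the sample data is constructed.
function billOfHealthDiff(packument, fromVersion, toVersion) {
  const prev = packument.versions[fromVersion];
  const next = packument.versions[toVersion];
  if (!prev || !next) throw new Error("unknown version");

  // Who could publish before, and who actually pushed the new release?
  const prevMaintainers = new Set((prev.maintainers || []).map((m) => m.name));
  const newMaintainers = (next.maintainers || [])
    .map((m) => m.name)
    .filter((n) => !prevMaintainers.has(n));
  const publisher = next._npmUser ? next._npmUser.name : null;
  const publisherIsNew = publisher !== null && !prevMaintainers.has(publisher);

  // Which direct dependencies are new, or moved to a different range?
  const prevDeps = prev.dependencies || {};
  const nextDeps = next.dependencies || {};
  const newDeps = Object.keys(nextDeps).filter((d) => !(d in prevDeps));
  const changedDeps = Object.keys(nextDeps).filter(
    (d) => d in prevDeps && prevDeps[d] !== nextDeps[d]
  );

  // Does the tarball record carry a sha512 integrity value a lockfile can pin?
  const integrity = (next.dist && next.dist.integrity) || "";
  const hasIntegrity = integrity.startsWith("sha512-");

  return { publisher, publisherIsNew, newMaintainers, newDeps, changedDeps, hasIntegrity };
}

// Constructed sample packument: a second maintainer is added and publishes
// 1.1.0, which also pulls in a dependency that 1.0.0 did not have.
const samplePackument = {
  name: "example-lib",
  versions: {
    "1.0.0": {
      maintainers: [{ name: "alice" }],
      _npmUser: { name: "alice" },
      dependencies: { "left-pad": "^1.0.0" },
      dist: { integrity: "sha512-constructedAAAA" },
    },
    "1.1.0": {
      maintainers: [{ name: "alice" }, { name: "bob" }],
      _npmUser: { name: "bob" },
      dependencies: { "left-pad": "^1.3.0", "new-helper": "^0.1.0" },
      dist: { integrity: "sha512-constructedBBBB" },
    },
  },
};
console.log(billOfHealthDiff(samplePackument, "1.0.0", "1.1.0"));
```

Item 2 of the wishlist (publisher 2FA) is not covered because that status is not part of the packument and would need a separate lookup.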
> Later this year, we will enable npm’s paying customers to move their private npm packages to GitHub Packages—allowing npm to exclusively focus on being a great public registry for JavaScript.
Packages will continue to develop its npm registry. We have a lot of work to do in securing the software supply chain.
Inasmuch as I love Github, putting our eggs in one basket as developers is gonna burn us sooner or later. We need redundancies in the system, so that if one thing goes down, the world can go on as normal. Now we're centralizing Github as a single failure point. We've already seen the panic outages of Github or S3 cause.
Sometimes I wonder what the business world (and the internet) would be like if mergers and acquisitions weren't allowed. Like, if businesses had to be sustainable or they'd just die, rather than capturing a whole market while eating VC money, maybe we'd all be better off? All of the really embarrassing stuff coming out of SV would just go away? Just Pinboards and Sourcehuts and Mastodons ruling the web?
I'm capitalistically illiterate, so somebody please tell me why this thought is stupid.
What would happen to all the tech, equipment, and employees after the company goes out of business? We have to burn it?
If we did that, it would be a crazy waste of resources. The alternative is to let another company buy the stuff... and if a company buys the failed company's tech, equipment, and hires their staff... that is basically the same as buying the company.
I mean, what would normally happen is employees look for new jobs, equipment is sold, and tech is thrown away (or open sourced in rare cases). Doesn't this already happen all the time?
I used to be excited when I made predictions like that. Then I realized that my correct predictions, plus $4.15, would only get me a Venti Latte at Starbucks.
A special day. The stock market is down 388% and 142% of people are predicted to die, but I got Internet karma points for guessing something right and that's what really counts.
It's not a very good counterpoint is it? Insulting, patronising, talking down, squashing dreams and ideology and recommending a "give up and lose" course of action.
> There are more important things in life that tabs or spaces, or carriage returns and line feeds.
Things like rights to control the things you own, to know what they are doing, and to understand and repair them. Things like being able to use a device for as long as you choose without it relying on a third-party service which could be shut down any time it becomes unprofitable. Being able to control where your personal information is, and more widely, a population being able to control such; not being a source of information for surveillance capitalism - or having some chance of opting out without using a closed black box system.
> People pay for things that will work together seamlessly, that takes the least effort to work with.
Seems like a good reason to push for open standards instead of proprietary protocols, proprietary encryption and authentication schemes, proprietary connectors, and warranties that void if you look at them wrongly. As the "internet of things" grows, do we want to be building a population which picks which nanny-corp handles their doorbell, smoke alarm, intruder alarm, CO2 detector, and lighting system - you get Apple, Nest, Google, Philips, Amazon, Logitech, Sony .. but whichever you choose they will all send your life to an unsecured MongoDB in the cloud, and won't interoperate with each other to lock you in to a platform.
A decade (or two?) ago there was a guy who put sensors all over his neighbour's house and wrote software to stalk them, predicting when they were in or out, who was home, and watching them. He was arrested. Now that's de rigueur and you don't know who is, or can, access your data.
> I think it's time we admitted to ourselves, that we can't decide on anything collectively
But we are better off disagreeing about JSON and TOML and YAML instead of being unaware and unable to disagree about Google encrypted binary config blob, Microsoft encrypted binary config blob, Amazon encrypted binary config blob, Apple encrypted ... etc.
> We'll all die soon and everyone will be paying for software as a service
This is what capitalism wants. That doesn't mean it's what we should accept.
> Stop being so self-centered and churlish.
Who is it here advocating "as long as it works for me and I get paid, that's the most important thing"? How self-centered is that as an attitude?
> Get a good night's sleep.
Track your good night's sleep on a FitBit, upload it to Amazon, have it tied to your speculative future purchases predictions, maybe have it resold to your health insurance provider why not. What could go wrong.
I can see why this comment is downvoted, because it's mostly superficial, but also, there's some truth to this perspective. Microsoft's acquisitions raise questions for what the open source ecosystem of tomorrow will look like. Chrome seemed to answer a lot of issues with browsers when it came out, but look how many people today are uncertain now that the API's powering the uBlock extension will be deprecated. It would be short-sighted for us to look at Chrome's history, and then say "nothing could ever happen to Open Source" without giving the perspective a serious consideration.
I wonder why your (entirely reasonable) comment got down-voted so much. This is exactly the risk why people prefer a distributed and decentralized internet over one where all open source is stored in one central Microsoft subsidiary (e.g. GitHub).
The central repository is entirely optional when using npm the cli tool; many companies use a proxy repository (such as Artifactory) to host their internal packages and cache public ones already.
Anyone can already run their own, or install from remote git urls (not just github) as well. If the new organization undermines the community, the community can easily move.
NPM the company has had a significant number of missteps, and them getting better oversight and removing the need to be profitable will likely be better for everyone in the long run.
With NPM now being an (indirect) part of Microsoft, I would expect them to introduce proprietary extensions to the repository protocol (or something similar) in an attempt to lock the open source community into their hosting solution.
And no, you cannot cleanly separate between an ecosystem-defining tool and the company that controls how said tool will behave after the next automated update.
I think people are tired of EEE being posted on every Microsoft related thread even though Microsoft has been a very different company for at least 10 years.
I do agree with the concerns of open source consolidation though. We need to find better ways of supporting open source projects instead of having them being bought by "large company".
Sorry, but npm burned me too many times. It is (was?) the worst package manager I've ever used. Not a fan of npm the company either. I'm sticking with yarn.