[HN Gopher] NPM Is Joining GitHub
       ___________________________________________________________________
        
       NPM Is Joining GitHub
        
       Author : mholt
       Score  : 1205 points
       Date   : 2020-03-16 17:01 UTC (5 hours ago)
        
 (HTM) web link (github.blog)
 (TXT) w3m dump (github.blog)
        
       | rtsao wrote:
       | I hope this doesn't alter the current GitHub npm package registry
       | policy where all packages _must_ be published under a scope
       | corresponding to name of the owning GitHub user /org. The
       | resulting increased transparency and clarity of ownership will be
       | great for the JS ecosystem.
       | 
       | The existing npm ownership model is markedly less clear and has
       | led to several problems, including the transfer of package
       | publishing rights to bad actors without anyone being aware. On
       | the whole, npm accounts and orgs were always just an unnecessary
       | abstraction that obscured the actual provenance of software, of
       | which GitHub is the de facto source.
        
         | ocdtrekkie wrote:
         | I think this is the big reason I'm excited about NPM joining
         | GitHub. I don't trust NPM (I'm not fond of package repos in
         | general), but tying packages closely to their GitHub source
         | offers significantly more verification potential that a package
         | is in fact comprised of the source code for it, and that it
         | hasn't recently turned hostile.
        
         | clarkbw wrote:
         | Yes thank you! We believe namespaces are a good thing and will
         | continue to promote it as best practice.
         | 
         | Hopefully we can integrate repository information to packages
         | meta data such that you could be aware of a change of ownership
         | even for a globally namespaced package.
        
         | toastal wrote:
         | Does this mean using alternatives (GitLab, et al.) is not an
         | option?
         | 
         | The worst option has been Elm's system where the whole package
         | system requires you to not only use GitHub, but when GitHub is
         | down (which isn't uncommon unfortunately) packages that weren't
         | cached locally were inaccessible with no mirroring options.
        
       | thunderbong wrote:
       | Ok, everyone seems to be beating up on Microsoft per the top
       | comment here.
       | 
       | I have a counter point -
       | 
       | Does anyone ever think what would happen if Microsoft were to
       | disappear tomorrow? How would you get your driver's license? How
       | would you process your mortgage? How would you go about buying
       | tickets for anything? How would you get your groceries and food?
       | 
       | Are we expecting everyone to run Linux? Or shall we say, Ubuntu?
       | Or was it Mint? Can we decide on a specific desktop OS? Can we?
       | Can we pick up a USB wifi dongle or connect a printer and expect
       | it to work? Are you frikkin kidding me? We'd be running around
       | like chickens with their heads cut off.
       | 
       | Get over it, all of you. Frikkin grow up. We've had the thirty
       | years since Linux came on the scene. And what have we done?
       | You'll say - "we've got the server market". Sure. And what is
       | that? Ubuntu, right? Give me a break. If it wasn't for Mark
       | Shuttleworth, even that wouldn't have been there.
       | 
       | We want to be kids. We want to play with our toys in our corner
       | of the room throughout our lives and we want others to clothe and
       | feed us for free. That's what we want. We want to share, but
       | don't want others to make money off it. And what happens? A big
       | corporate comes around giving everything away for free, and we
       | all grab it with both our hands. And 15 years later, we cry that
       | the corporate has gone evil.
       | 
       | We keep complaining about Microsoft on Hacker News, typing on
       | Apples and iPhones and Androids. Are you all delusional? Are you
       | all blind? There is NOTHING free in this world, including
       | lunches.
       | 
       | People pay for things that will work together seamlessly, that
       | takes the least effort to work with. Why? Because software,
       | programs, operating systems are not the end of the world, life
       | is. There are more important things in life than tabs or spaces,
       | or carriage returns and line feeds.
       | 
       | And the only way that can happen, when someone says I'll give $X
       | for Y and you give him Y, rather than twiddling around with Z.
       | 
       | I've had battles with Microsoft by way of IE. I've also battled
       | with Linux. Major battles. But the battles I've had with
       | Microsoft, I got paid for. The battles with Linux? Well, maybe I
       | got music playing on my laptop. Only on mine, mind you!
       | 
       | I think it's time we admitted to ourselves, that we can't decide
       | on anything collectively. I think it's time we stopped being
       | cranky, demanding, tantrum throwing children. We'll all die soon
       | and everyone will be paying for software as a service and we'll
       | all be old farts talking about the good old days, when we could
       | download a program, modify it and run it only on our system.
       | 
       | I'm tired of all your hangups. Holding on to decade old grudges.
       | Dreaming about the glorious future of software that just might
       | have existed if everyone had just the same idea as you.
       | 
       | Grow up, open your eyes, get a life. Stop being so self-centered
       | and churlish. Stop trying to see flaws everywhere except
       | yourself. Stop trying to complain about open source everywhere
       | and see that all kinds of software need to exist.
       | 
       | Go out. Do good for someone. Get paid for it. Come back home.
       | Enjoy dinner with your family. Get a good night's sleep.
        
       | talawahtech wrote:
       | Ok now Microsoft just needs to acquire what remains of Docker and
       | their Developers, Developers, Developers, Developers collection
       | will be complete.
        
       | nojvek wrote:
       | Github announced the Github packages feature a while back, but
       | without npm it didn't quite make sense. Acquiring npm means
       | github not only hosts source code, but packages as well. With
       | Github Actions, they want to be the one stop shop for code
       | lifecycle and be at the forefront of javascript ecosystem.
       | 
       | If developers love Github, they love the cloud. Microsoft is
       | betting big on the cloud, they lost the Mobile war but they
       | definitely want to be the developer and cloud darlings.
        
       | nathcd wrote:
       | <tangent>
       | 
       | Sometimes I wonder what the business world (and the internet)
       | would be like if mergers and acquisitions weren't allowed. Like,
       | if businesses had to be sustainable or they'd just die, rather
       | than capturing a whole market while eating VC money, maybe we'd
       | all be better off? All of the really embarrassing stuff coming
       | out of SV would just go away? Just Pinboards and Sourcehuts and
       | Mastodons ruling the web?
       | 
       | I'm capitalistically illiterate, so somebody please tell me why
       | this thought is stupid.
        
         | cortesoft wrote:
         | What would happen to all the tech, equipment, and employees
         | after the company goes out of business? We have to burn it?
         | 
         | If we did that, it would be a crazy waste of resources. The
         | alternative is to let another company buy the stuff... and if a
         | company buys the failed company's tech, equipment, and hires
         | their staff... that is basically the same as buying the
         | company.
        
           | nathcd wrote:
           | I mean, what would normally happen is employees look for new
           | jobs, equipment is sold, and tech is thrown away (or open
           | sourced in rare cases). Doesn't this already happen all the
           | time?
        
       | worik wrote:
       | Perhaps they will do the right thing and shut it down
        
       | throwaway78359 wrote:
       | Microsoftie here -- throwaway for obvious reasons.
       | 
       | Microsoft doesn't do everything right but the GitHub acquisition
       | has honestly gone better than I ever expected. Rather than
       | forcing GitHub to adopt Microsoft centric policies, Microsoft has
       | adopted more GitHub stuff, especially from a product POV. GitHub
       | still runs as a separate company (different logins and health
       | care and hiring systems) with its own policies and point of view.
       | 
       | The reality is npm was in a bad place and in a land of not good
       | options, this strikes me as the best possibility. I'd rather have
       | GitHub control this and be able to give the resources to npm than
       | a company like Oracle or Amazon or even Google or Facebook to own
       | it. In a perfect world, some independent entity could fund npm
       | out of gratitude but at the same time, consider how poorly npm as
       | a company was run for YEARS and the general lack of direction.
       | 
       | So yeah, I'm cautiously optimistic this won't be fucked up by
       | GitHub -- but I understand the concern.
       | 
       | As for those worried about Microsoft embracing, extending, and
       | extinguishing. Lol. Even if that was the goal (and I truly don't
       | think that's the ethos at all any more), Microsoft is laughably
       | incompetent at achieving that sort of strategy. Google and Amazon
       | have the EEE under lock right now (Facebook too -- let's be glad
       | Zuck didn't buy this after we saw what happened to yarn), but
       | Microsoft can't even put coherent dev strategy outside of .NET on
       | Azure.
        
         | manigandham wrote:
         | What's wrong with Microsoft's dev strategy? .NET continues to
         | be the most powerful and productive platform that I've used.
         | 
         | .NET Core was a great move and it's all coming together nicely
         | now, and even creating innovations like Blazor.
        
           | judge2020 wrote:
           | I think the poster was saying that .NET has a dev strategy,
           | but other projects don't.
           | 
           | > Microsoft can't even put coherent dev strategy _outside of_
           | .NET on Azure
        
         | skrebbel wrote:
         | > after we saw what happened to yarn
         | 
         | I missed something, what happened to Yarn?
        
           | purplerabbit wrote:
           | Second this. It still seems to be working fine... (actually,
           | better than npm last I checked)
        
           | pkilgore wrote:
           | The maintainer released Yarn 2. Yarn 2 is pretty
           | foundationally different than Yarn 1, and can and does break a
           | lot of products/projects if used. Some folks are not happy
           | about it, although Yarn 1 will probably continue to be
           | maintained by the community for a while.
           | 
           | This seems to be pretty fair about the whole thing:
           | https://shift.infinite.red/yarn-1-vs-yarn-2-vs-npm-a69ccf022...
        
             | cjbassi wrote:
             | Note that yarn is also no longer under the control of
             | Facebook and the primary maintainer who has been developing
             | yarn 2 no longer works there.
             | 
             | https://yarnpkg.com/advanced/qa#is-yarn-operated-by-facebook
        
         | mizzao wrote:
         | > Google and Amazon have the EEE under lock right now
         | 
         | what is EEE?
        
           | boramalper wrote:
           | Embrace, Extend, and Extinguish:
           | 
           | > "Embrace, extend, and extinguish" (EEE), also known as
           | "embrace, extend, and exterminate", is a phrase that the U.S.
           | Department of Justice found was used internally by Microsoft
           | to describe its strategy for entering product categories
           | involving widely used standards, extending those standards
           | with proprietary capabilities, and then using those
           | differences in order to strongly disadvantage its
           | competitors.
           | 
           | https://en.wikipedia.org/wiki/Embrace,_extend,_and_extinguis...
        
           | prawnsalad wrote:
           | Embrace, extend, and extinguish
           | 
           | https://en.wikipedia.org/wiki/Embrace,_extend,_and_extinguis...
        
       | sandov wrote:
       | "Github acquires npm" would be a better title IMO.
        
         | kdaigle wrote:
         | Today we've announced that we've signed an agreement to acquire
         | NPM but we technically have not acquired them yet (referred to
         | as "closed"). NPM is still their own company for now and that's
         | why the language is future tense.
        
           | TheKarateKid wrote:
           | Then saying "GitHub is acquiring NPM" would've been a more
           | accurate way to say this.
        
           | sandov wrote:
           | "Github is acquiring npm" then. "NPM is joining Github"
           | sounds like you're just using Github to host your stuff.
        
             | Conan_Kudo wrote:
             | Using the "is joining" phrasing is a classic way to try to
             | spin an acquisition as some kind of partnership. 99% of the
             | time, it's definitely _not_.
        
             | rdiddly wrote:
             | I literally thought that, clicked _hide_ , then thought
             | "Wait a minute, do they mean...?" and had to go fish it out
             | of hidden items.
             | 
             | "Joining" is an interesting term here... but I suppose it
             | won because it sounds more like something friendly humans
             | would do. "NPM Is Breaking Bread and Sharing with Github as
             | Special Friends."
        
         | hinkley wrote:
         | I am glad that the npm team will finally have some adult
         | supervision.
         | 
         | Meanwhile, I _almost_ have my team switched to yarn.
        
           | SahAssar wrote:
           | NPM is a lot more than the CLI. Even if you use yarn as the
           | CLI you are still using npm for hosting and all the other
           | parts that don't run on your computer. You can run your own
           | npm repo, but hardly anyone does for all their dependencies
           | (not talking about just caching here).
           | 
           | I'd wager most people who use yarn even installed it via the
           | npm CLI.
        
             | hinkley wrote:
             | I mean yes, but no, but yes. For one, a lot of companies
             | end up using Artifactory or similar, so npm is the source
             | of truth but not the source of tarballs.
             | 
             | Didn't GitHub set up their own npm registry recently? Shots
             | have been fired in this regard. Which, now that I type that
             | out, makes me kinda wonder how amicable this purchase
             | was...
             | 
             | It'd be such a shame if something bad were to happen to
             | your lovely repository...
        
           | Normal_gaussian wrote:
           | yarn v1+ or yarn v2/berry?
           | 
           | Switching to berry has been a huge PITA over here, but I
           | don't want to give up workspaces
        
             | hinkley wrote:
             | > yarn v2/berry?
             | 
             | I had still been following 1.x
             | 
             | Looking at https://yarnpkg.com/advanced/migration : T-T
             | 
             | We have so many little modules from different teams, or
             | even borderline abandonware, that it would take ages to
             | make these changes, and 'yarn node'?? Just... no. How is
             | that ever gonna work consistently with node_modules/.bin?
             | 
             | At this point my choices are, start contributing to yarn
             | _and_ npm development, or get my ass in gear on learning
             | Elixir and Rust. I have been wondering for maybe 18 months
             | if I might be  'done with Node'. I think I've had it
             | backward this whole time. Node may in fact be done with
             | _me_.
        
             | hinkley wrote:
             | Our 'workspace' is so ornate that yarn couldn't handle it.
             | 1.21+ almost looks right, but something very bad is still
             | going on with mocha deduping, such that tests are failing
             | with really bizarre error messages.
             | 
             | I check yarn about every three months, or when I find a
             | new, infuriating bug with the npm CLI (so, every couple of
             | months on average). I think npm install suffers greatly
             | from not having a formal spec. It has been bugfixed by so
             | many different individuals now that it has reached a truly
             | astounding level of schizophrenia.
             | 
             | If yarn didn't exist, I would have started trying to break
             | down the install problem into many independent concerns
             | that can be reasoned about individually and tried to
             | solicit help in making a full installer out of it. If I'd
             | known I'd still be trying to make yarn workspaces work for
             | us 18 months later I probably would have.
             | 
             | Node modules in general have some bad patterns of
             | delegation that are utterly antagonistic to self-
             | documentation, and both yarn and npm seem to suffer from
             | this as well. I think in the next week or so I'm going to
             | have to set up a small test case that exhibits the yarn bug
             | I'm seeing, or any of the half a dozen interlocking
             | (emphasis on 'lock') npm bugs that now have me painted into
             | a very tiny corner.
        
           | madeofpalk wrote:
           | I suspect you're still using the npm repository though?
           | That's the actual 'valuable' thing that NPM (the company)
           | makes.
        
         | ProAm wrote:
         | "Microsoft acquires npm"
        
         | Verdex wrote:
         | Yeah, I was confused when I first heard of it because it seems
         | like an odd couple to "join" one another. However, it makes
         | perfect sense for github to purchase npm.
        
       | goofballlogic wrote:
       | A sad day I think. I wish more independent ecosystems were
       | evolving, instead of consolidating.
        
       | bjt2n3904 wrote:
       | You know, my initial reaction was... oh no, the toxic people who
       | run NPM and Node.js[1][2] are going to infect GitHub.
       | 
       | But then I read that other front page article about the guy that
       | got mysteriously "flagged", and the invasive questions he was
       | asked. Maybe Github is already too far gone.
       | 
       | Maybe it should be... please, bundle all the toxic people
       | together in one spot, and let it all come crashing to the ground.
       | I've had serious reservations about using Node.js in a product
       | I've been tasked to work on, for the reasons I listed below. It'd
       | be great if they just... ceased to exist.
       | 
       | 1 - left-pad incident
       | 
       | 2 - The Ayo fork drama
        
         | rattray wrote:
         | Wishing ill on others or their projects ("it'd be great if they
         | ceased to exist") does not reduce toxicity.
        
       | jrimbault wrote:
       | Interesting transitive ownership/dependencies here.
        
       | simlevesque wrote:
       | I did not see that coming. I trust Microsoft to be able to offer
       | great availability and nice software. It is maybe not the best
       | overlord we could have hoped for but it's way better than the
       | status quo.
        
       | okareaman wrote:
       | I'd like to see Microsoft bring Ryan Dahl (original author of
       | node) back in the fold by sponsoring/buying Deno with TypeScript.
       | It's a good fit.
        
       | dubcanada wrote:
       | Wait, so is it joining Microsoft? Or is it under Github, which is
       | under Microsoft?
       | 
       | I don't fully understand the way it's governed from this article.
        
         | clarkbw wrote:
         | Part of GitHub (I work at GitHub and lead the Packages team)
        
           | cmckn wrote:
           | How does this acquisition relate to Package's support of npm
           | artifacts? Or, I guess, how will Package's npm support change
           | after this?
        
             | clarkbw wrote:
             | The post covers this.
             | 
             | > Later this year, we will enable npm's paying customers to
             | move their private npm packages to GitHub Packages--
             | allowing npm to exclusively focus on being a great public
             | registry for JavaScript.
             | 
             | Packages will continue to develop its npm registry. We have
             | a lot of work to do in securing the software supply chain.
        
           | mceachen wrote:
           | Can I be so bold as to suggest a new feature?
           | 
           | It'd be wonderful, as a package consumer, to have visibility
           | into some security metrics for a given package. This would be
           | useful both at initial install time, and when the package is
           | upgraded. Something like:
           | 
           | 1) who are the latest commits GPG signed by?
           | 
           | 2) is the package publisher using 2FA?
           | 
           | 3) what is the security profile of all dependent packages?
           | 
           | 4) are there any new authors (directly or via dependencies)
           | since the last version (with links to the author and their
           | contributions).
           | 
           | These might help avoid prior situations where popular
           | packages get injected with malware by new maintainers.
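
Added example, not part of the thread and not npm's or GitHub's code: a sketch of item 4 in the list above (new authors since the last version), which is also the change-of-ownership signal clarkbw mentions earlier in the thread, computed from a registry metadata document. The package, account and dependency names are hypothetical and the sample document is constructed.

```javascript
// SAMPLE is constructed for illustration. Field names (versions, time,
// maintainers, _npmUser, repository, dependencies) follow the npm registry's
// full package metadata document; every value below is hypothetical.
const REPO = { type: "git", url: "git+https://git.example/alice/example-pkg.git" };
const SAMPLE = {
  name: "example-pkg",
  time: {
    "1.0.0": "2019-01-10T12:00:00.000Z",
    "1.0.1": "2019-03-02T09:30:00.000Z",
    "1.1.0": "2019-09-20T18:45:00.000Z",
  },
  versions: {
    "1.0.0": {
      _npmUser: { name: "alice" },
      maintainers: [{ name: "alice" }],
      repository: REPO,
      dependencies: { "through-lib": "^2.0.0" },
    },
    "1.0.1": {
      _npmUser: { name: "alice" },
      maintainers: [{ name: "alice" }],
      repository: REPO,
      dependencies: { "through-lib": "^2.0.0" },
    },
    "1.1.0": {
      _npmUser: { name: "new-owner" },
      maintainers: [{ name: "new-owner" }],
      repository: REPO,
      dependencies: { "through-lib": "^2.0.0", "helper-stream": "^0.1.0" },
    },
  },
};

// Versions sorted by publish timestamp rather than by semver, so a late
// patch release on an old line is still compared with what preceded it.
function releasesInPublishOrder(packument) {
  const t = (v) => Date.parse((packument.time || {})[v]) || 0;
  return Object.keys(packument.versions).sort((a, b) => t(a) - t(b));
}

const names = (list) => new Set((list || []).map((m) => m.name));
const repoUrl = (manifest) => {
  const r = manifest.repository;
  return typeof r === "string" ? r : (r && r.url) || null;
};

// Compare two releases and report the ownership-related differences.
function diffRelease(packument, fromVersion, toVersion) {
  const prev = packument.versions[fromVersion];
  const next = packument.versions[toVersion];
  const order = releasesInPublishOrder(packument);
  const idx = order.indexOf(toVersion);
  if (!prev || !next || idx < 0) throw new Error("unknown version");

  // Accounts that published any release before the one being inspected.
  const pastPublishers = new Set(
    order.slice(0, idx)
      .map((v) => (packument.versions[v]._npmUser || {}).name)
      .filter(Boolean)
  );
  const prevMaint = names(prev.maintainers);
  const nextMaint = names(next.maintainers);
  const publisher = (next._npmUser || {}).name || null;
  const prevDeps = prev.dependencies || {};
  const nextDeps = next.dependencies || {};

  return {
    from: fromVersion,
    to: toVersion,
    publisher,
    firstTimePublisher: publisher !== null && !pastPublishers.has(publisher),
    addedMaintainers: [...nextMaint].filter((n) => !prevMaint.has(n)),
    removedMaintainers: [...prevMaint].filter((n) => !nextMaint.has(n)),
    repositoryChanged: repoUrl(prev) !== repoUrl(next),
    addedDependencies: Object.keys(nextDeps).filter((d) => !(d in prevDeps)),
  };
}

// Walk the whole history and keep only releases with something to review.
function flaggedReleases(packument) {
  const order = releasesInPublishOrder(packument);
  const flagged = [];
  for (let i = 1; i < order.length; i++) {
    const d = diffRelease(packument, order[i - 1], order[i]);
    if (d.firstTimePublisher || d.repositoryChanged ||
        d.addedMaintainers.length || d.removedMaintainers.length ||
        d.addedDependencies.length) {
      flagged.push(d);
    }
  }
  return flagged;
}

console.log(JSON.stringify(flaggedReleases(SAMPLE), null, 2));
```

In the sample the repository URL never changes while the publisher, the maintainer list and the dependency set all do, which is why the repository field alone is not a sufficient ownership signal.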
        
             | clarkbw wrote:
             | Yes, we (internally) call this a "Bill of Health" and
             | believe that all packages should have this kind of diff-
             | able information available. Understanding what's happening
             | at the source level is key to being able to trust any
             | package published.
        
               | mceachen wrote:
               | NICE! It would be wonderful to expose that information!
               | 
               | Somewhat related, I believe NPM pulled in (or co-opted)
               | some of the heuristics from this:
               | https://github.com/npms-io/npms-analyzer (but those don't
               | seem to include any of the aspects I suggested above).
        
           | csours wrote:
           | Slightly OT: Is Packages coming to Azure DevOps Server
           | (local/corporate hosted)?
        
       | Brendinooo wrote:
       | I occasionally forget that Microsoft bought GitHub. They
       | certainly don't do anything here to remind me of that fact.
       | 
       | How separate from MS has GitHub been in day-to-day operations?
        
         | [deleted]
        
         | reilly3000 wrote:
         | I can't speak to company internals, but I do know that Azure is
         | powering GitHub Actions runners, and there have been a firehose
         | of new features coming out of GitHub in the past year. I
         | imagine it's pretty core to their "Developers Developers
         | Developers" strategy.
        
         | owenwil wrote:
         | GitHub employees have access to Microsoft internal tools and a
         | Microsoft email address, so I don't think there's too much
         | internal firewalling.
        
         | kdaigle wrote:
         | I've been at GitHub for 7 years and we operate independently
         | but have the support and resources of Microsoft when we need
         | them. IMO, they've been amazing partners but day to day the
         | GitHub team builds, prioritizes, and supports GitHub.
        
           | nojvek wrote:
           | It's totally the smart thing to do. Github needs a ton of
           | cloud compute with github actions, Azure powers it. Github
           | brings a very strong brand that developers love, which gives
           | Microsoft a good rep amongst technical folks.
           | 
           | This is as good as Google acquiring Youtube because Youtube
           | needs an insane amount of bandwidth and it was a perfect fit for
           | Google's infrastructure and ad platform.
           | 
           | It's just sad to see Google not playing the Developers game
           | well.
        
           | bengale wrote:
           | Do you think they're going to try and push us towards azure
           | more, or force us into using Microsoft logins?
        
       | batmansmk wrote:
       | VsCode, Typescript, Github, NPM.
       | 
       | And Microsoft doesn't even have to maintain the main runtime,
       | Google does. What a clever strategy!
        
         | Scarbutt wrote:
         | and Edgeium.
        
         | BiteCode_dev wrote:
         | Yes, they almost own the entire JS ecosystem at this point.
         | 
         | They lost a decade of battles for the web, but it seems they
         | just found a way to get back in the fight.
         | 
         | Now at the IE 6 times, that meant monopoly, and it was terrible
         | news.
         | 
         | But today, it means more competition between the giants, which
         | is very good for us.
        
           | sbarre wrote:
           | One could argue that the IE6 of our times is Google Chrome at
           | this point..
        
             | impatient_bacon wrote:
             | Safari.
        
               | stingraycharles wrote:
               | Safari doesn't have the market share that IE6 had,
               | though. Chrome has.
        
               | dlivingston wrote:
               | Care to explain? Safari has one of the highest standards
               | compliance of any modern browser [0], which IE famously
               | did not.
               | 
               | It has been argued with various success [1] that Chrome
               | is the new I.E., due to "Chrome exclusive" web standards.
               | 
               | [0]: https://html5test.com/compare/browser/safari-11.2/chrome-30/...
               | 
               | [1]: https://news.ycombinator.com/item?id=16070595
        
               | sgtfrankieboy wrote:
               | If you are going to compare browsers make sure you aren't
               | comparing against a version of Chrome from 2013.
               | 
               | Here is the correct comparison:
               | https://html5test.com/compare/browser/safari-11.2/chrome-68/...
               | 
               | Which clearly shows it's the worst of the bunch.
               | 
               | Edit: Also just noticed, the latest Chrome version that
               | the site has is 68. We're currently on 80+
        
               | nickpresta wrote:
               | A more up-to-date, although not complete, comparison is
               | available here:
               | https://caniuse.com/#compare=firefox+74,chrome+80,safari+13
        
               | artursapek wrote:
               | I also can't run Safari on my Windows or Linux machines.
        
               | lexicality wrote:
               | Not for Javascript it doesn't.
               | 
               | Plus because it's tied to the OS and the phone determines
               | the maximum OS you end up with a bunch of users stuck on
               | ancient and buggy versions.
               | 
               | This is to say nothing about the remote debugger
               | purposefully locking you out of older versions for no
               | reason to make debugging them harder.
        
               | jbjorge wrote:
               | I've worked with projects that used iframes in safari. It
               | had some of the weirdest bugs. Some random times it
               | didn't render changes to the DOM. Sometimes when clicking
               | input fields it would focus the surrounding iframe
               | element.
               | 
               | A webview in iOS could sometimes crash system wide. Not
               | enough to restart the app. You'd have to restart the
               | device.
               | 
               | Felt like a sitcom when I had to ask customers if they'd
               | tried turning it off and on again.
        
               | saagarjha wrote:
               | Chrome is pushing version 80, I'm not sure why that
               | website is using a version from seven years ago...
        
               | Spivak wrote:
               | I think the honest truth is that a lot of developers see
               | Safari similarly to IE because Firefox and Chrome are
               | quick to jump on and ship new features and "if only
               | Safari kept up" they could be used "everywhere". Combined
               | with the fact that iOS is large enough that you can't
               | just drop Safari support and tell them to use Chrome.
               | 
               | It's a weird world where webdevs apparently ideally just
               | want everyone on the 6 second old version of
               | Chrome. I totally get it -- it's an absolutely rational
               | stance but it feels a lot like how devs felt about IE6 at
               | the beginning.
        
               | oorza wrote:
               | You're right, IE6 was amazing at the time. It made a ton
               | of things possible that previously hadn't been, and the
               | standards bodies were lagging behind it. Had MS actually
               | kept updating IE6 and kept it ahead of the standards, the
               | standards would never have mattered, and we'd never have
               | developed this sick taste for IE. No one hated that they
               | had a monopoly, we hated that they had a _stagnant_
               | monopoly.
        
               | manigandham wrote:
               | Safari is way behind Chrome and Firefox on web features
               | and has all kinds of proprietary rules on existing
               | implementations.
               | 
               | It's not even required or the default install on any OS.
               | And it has rapid updates that constantly test new
               | features and improve performance and security.
               | 
               | Any "exclusive" features are just early testing for later
               | standardization. It's Safari that's lagging in
               | implementing them.
        
         | lucideer wrote:
         | In fairness to Microsoft, they did at least spend a little bit
         | of time considering / working toward maintaining the runtime
         | part, before deciding otherwise
         | https://github.com/nodejs/node-chakracore/issues/628#issueco...
        
         | Ayesh wrote:
         | Also the new Chromium Edge is making its way. This will give
         | some leverage on the browser front too.
        
         | dgb23 wrote:
         | To be honest I like this new Microsoft. VSCode is a really good
         | tool, C# is amazingly performant and they don't talk quite the
         | same BS lingo as some other big players. Also MS research
         | produces some really good stuff.
        
         | swyx wrote:
         | to be clear, Chrome's overall value to Google probably dwarfs
         | all those things combined.
        
         | sitkack wrote:
         | They could fork it, the core of the runtime work is moving to
         | WebAssembly anyway which is a much more tractable problem. Sure
         | this is a boatload of JS work to do at the interface boundary
         | but the amount of hard compiler and jit work that needs to be
         | focused on by main runtime is much lower.
         | 
         | Someone at MS knows strategy and tactics. When MS and Windows
         | bootstrap themselves into the cloud, they will have some
         | software to land on.
        
       | flanbiscuit wrote:
       | I wonder if more people will look into adopting Deno[1], the new
       | node alternative by one of the creators of Node. It does not use
       | NPM, you pull in packages Go-style (via URLs[2]). It's supposed
       | to be more secure because you have to explicitly give it access
       | to anything (i.e. network, file system, etc).
       | 
       | [1] https://deno.land/
       | 
       | [2] example import in Deno:
       | 
       |     import { serve } from "https://deno.land/std@v0.36.0/http/server.ts";
       | 
       | Previous HN about Deno:
       | https://news.ycombinator.com/item?id=22102656
        
         | threatofrain wrote:
         | Is deno debugging there yet?
        
         | ledgerdev wrote:
         | Node+NPM isn't going anywhere, but Deno sure seems like the
         | server based runtime of the future.
        
         | wwweston wrote:
         | The thought that's going into Deno about permissions and
         | upstream package issues have me considering it where I've
         | generally rejected node.js for anything serious (also
         | recognizing that it's probably early for production use).
        
       | zozbot234 wrote:
       | It's on there already. https://github.com/npm/ and
       | https://github.com/npm/cli
        
         | applecrazy wrote:
         | No, NPM _the company_ is being acquired by Github.
        
       | znpy wrote:
       | this should really be titled "npm is joining Microsoft"
        
       | breatheoften wrote:
       | (Wishful thinking ...) Does this mean the next release of npm
       | will be yarn v2 and that typescript will implement support for
       | the pnp spec so we can converge the javascript packaging space to
       | a sane place?
        
         | Vinnl wrote:
         | There already is a Yarn v2: https://dev.to/arcanis/introducing-
         | yarn-2-4eh1
        
           | breatheoften wrote:
           | Does typescript support pnp somehow now? (That's actually the
           | thing I'm wanting ...). npm's cli going away was an attempted
           | tease (in bad-taste i think)
        
       | brenden2 wrote:
       | This kind of consolidation is probably not good for everyone who
       | depends on open source projects. Microsoft now owns a significant
       | portion of software distribution.
        
       | fiberoptick wrote:
       | Embrace, extend, extinguish.
        
         | stephen82 wrote:
         | Exactly!
         | https://linux.slashdot.org/story/20/03/16/0137200/windows-su...
        
         | JMTQp8lwXL wrote:
         | I can see why this comment is downvoted, because it's mostly
         | superficial, but also, there's some truth to this perspective.
         | Microsoft's acquisitions raise questions for what the open
         | source ecosystem of tomorrow will look like. Chrome seemed to
         | answer a lot of issues with browsers when it came out, but look
         | how many people today are uncertain now that the API's powering
         | the uBlock extension will be deprecated. It would be short-
         | sighted for us to look at Chrome's history, and then say
         | "nothing could ever happen to Open Source" without giving the
         | perspective a serious consideration.
        
       | waydowntogo wrote:
       | RIP NPM
        
       | thulecitizen wrote:
       | Yay more centralization! What could possibly go wrong with
       | critical components being hosted by one big corporation?
        
       | jxub wrote:
       | NPM is joining GitHub, GitHub joins Microsoft, Microsoft joins...
       | ;)
        
       | skrebbel wrote:
       | Assuming this was an acceptable exit: I'm impressed that NPM
       | pulled this off. They were basically doing the "no revenue model
       | to speak of, hope we'll get acquired by a bigco" startup play
       | that was starting to go out of vogue already when they were
       | founded.
       | 
       | I wonder to what extent they've had influence over their own
       | success at all though. Basically they had to hope that JS stayed
       | popular (it did), that Node stayed relevant (it did) and that the
       | entire JS ecosystem would move over to NPM (it did, but I'd say
       | rather despite NPM than because of it) (I mean, otherwise Yarn
       | wouldn't even exist, right?).
       | 
       | So basically their bet was:
       | 
       | - Turn NPM into a startup
       | 
       | - Keep the lights on
       | 
       | I bet I'm missing all kinds of key behind-the-scenes stuff, but
       | still, I don't know many startups that manage to successfully
       | exit by "just" keeping the lights on. In a weird cringey way,
       | it's motivating.
        
         | zomglings wrote:
         | Not sure how good an exit it was. Crunchbase says they have
         | fewer than 50 employees [0], so I'm guessing the first 10
         | people did pretty well but that the rest got what amounts to a
         | nice bonus.
         | 
         | Keeping the lights on long enough makes this kind of exit more
         | likely. Paul Graham has a good article about this:
         | http://www.paulgraham.com/die.html
         | 
         | NPM did better than "just" keeping the lights on, though. They
         | even held Yarn at bay by adopting its best features very
         | quickly.
         | 
         | [0] https://www.crunchbase.com/organization/npm
        
         | tdumitrescu wrote:
         | Here's what isaacs writes in the NPM blog post
         | (https://blog.npmjs.org/post/612764866888007680/next-phase-
         | mo...). It doesn't seem like anyone on the NPM team did great
         | financially from this:
         | 
         | "I have a set of goals that I wrote down back then, and have
         | shared openly with the team.
         | 
         | ...
         | 
         | 3. Get a big enough exit that I can quit my job and see what
         | comes out of me a second time.
         | 
         | 4. Share the rewards equitably with the people who got npm to
         | where it is.
         | 
         | ...
         | 
         | On (3), well, I'm still working a jobby job, but I always knew
         | that was a long shot, and "make npm a better package manager"
         | is a job I enjoy. And as for (4), I'm proud of the deals that
         | we've been able to negotiate for the team.
         | 
         | It's not a kajillion billion dollar 10x startup cinderella
         | story, and we've taken our hits, but in the end we've done
         | right by our community, team, and careers, and I'm extremely
         | proud of what we've achieved."
        
         | daveisfera wrote:
         | Neither side is announcing a price and NPM has been struggling
         | financially for a while, so the likelihood that it was a "good
         | exit" is low.
        
       | austincheney wrote:
       | Is this a too big to fail kind of charity acquisition?
        
         | markovbot wrote:
         | no, this is microsoft "embracing" (buying control of) a huge
         | point of centralization in a software distribution ecosystem,
         | positioning them to have greater power over a huge number of
         | developers.
        
           | JMTQp8lwXL wrote:
           | Microsoft turned their reputation around in recent years with
           | developers but I wonder how long it will last.
        
             | bepotts wrote:
             | I think people are "okay" with Microsoft because so many
             | hackers have a problem with the data agglomeration and
             | monetization strategy of Google and Facebook, but this
             | Microsoft "embrace" will come to a head within the next
             | couple years and I just can't wait for it.
             | 
             | The way people think Microsoft's embrace of open source,
             | GitHub, and now NPM is genuine is completely ridiculous.
             | Microsoft had to change because much of where the action
             | was is on *nix systems. Microsoft will start to use these
             | companies to make developers embrace Microsoft services.
             | It's only a matter of time.
        
               | roguecoder wrote:
               | I don't give any credence to the idea that Microsoft
               | under Satya Nadella is the same company as Microsoft
               | under Gates or Ballmer, much less the idea that it is
               | secretly lying in wait to go back to its old, far-less-
               | profitable ways. It has behaved differently. It is making
               | its money differently. It no longer stack-rank fires
               | people. And it is making a whole lot more money doing
               | things this way than it made the way it used to behave.
        
               | KarlKemp wrote:
               | I can't even come up with a scenario of _how_ MS would
               | realistically do so? Sure, making GH actions easier to
               | set up with Azure than AWS seems plausible, but also
               | strikes me as somewhat benign.
               | 
               | Banning python from Github? Requiring \r\n for NPM
               | packages? What's the move you're afraid of?
        
               | Vinnl wrote:
               | One question GitLab's CEO (sytse) is rightfully asking is
               | whether the ability to trace code from npm back to the
               | repository will be available to competitors. If not, less
               | competition is bad for users.
               | 
               | I still think this is good news, given where npm is
               | coming from, but it's certainly not risk-free.
        
               | roguecoder wrote:
               | This is where effective anti-trust enforcement is
               | important and valuable.
               | 
               | Until we come up with better trusted federation protocols
               | there will be natural monopolies, but that doesn't mean
               | they get unchecked power. We have laws for that.
        
             | [deleted]
        
         | swyx wrote:
         | i think so. the words "put npm out of its misery" come to mind.
        
       | duxup wrote:
       | I understand some folks' trepidation but where was npm going
       | anyway?
        
         | CivBase wrote:
         | Am I weird for thinking it didn't need to go anywhere?
        
           | duxup wrote:
           | My understanding was that financially they were not going to
           | last long doing what they were doing.
        
             | roguecoder wrote:
             | There's a difference between "not going to last long" and
             | "not going to return 10x to their investors". This seems
             | like another example of the faustian bargain of taking VC
             | money.
        
               | duxup wrote:
               | Were they returning any amount of return?
        
             | ThrowawayR2 wrote:
             | That raises the question of how GitHub/Microsoft plan to
             | profit off the acquisition though? It can't be just for
             | goodwill or marketing.
        
               | dpacmittal wrote:
               | They own the ecosystem, they can leverage it in a lot of
               | ways. And cost of running npm is a drop in the ocean for a
               | giant like MS.
        
               | ecnahc515 wrote:
               | These companies don't need to profit off of acquisitions.
               | If they're going to, it doesn't have to be direct either,
               | it can be a method of growing their sales funnel if
               | nothing else, or even just acquiring talent.
        
           | mastax wrote:
           | Couldn't be subsidized by VC money forever.
        
           | tln wrote:
           | Maybe it needed to go somewhere to pay bills, or provide
           | upside to the options holders.
        
           | swyx wrote:
           | it was default going out of business so yes this saved it
           | from death
        
       | K0nserv wrote:
       | This seems like a good outcome overall. NPM being such an
       | important pillar in the software supply chain while having an
       | unviable business model and largely being funded by VC money was
       | never a good position to be in. There are problems with more of
       | the software ecosystem consolidating with a single entity but it
       | still feels like an improvement.
        
         | mbesto wrote:
         | > NPM being such an important pillar in the software supply
         | chain while having an unviable business model and largely being
         | funded by VC money was never a good position to be in.
         | 
         | Why does NPM need to be funded as a commercial entity at all?
         | What other open source library has a private company running
         | its package manager? This one still boggles my mind.
        
           | fierarul wrote:
           | Maven Central is no hosted by Apache for example.
        
           | greggman3 wrote:
           | Confused why you think a service serving millions or
           | billions of requests a day wouldn't require money to run. Do
           | you think some grant magically appears out of thin air to pay
           | for the servers, storage, bandwidth, and maintenance?
        
             | ivanbakel wrote:
             | Big leap from "servers cost money" to "a package manager
             | requires a commercial entity". How are other language
             | ecosystems and package managers operating, many without
             | private companies attached, when they too are serving
             | millions of requests a day?
        
             | hobofan wrote:
             | Almost any other package repository is funded by donations
             | from companies using them or a grant from an infrastructure
             | provider.
        
           | timrod wrote:
           | For programming languages, there are several examples of
           | commercially run package managers:
           | 
           |     - the Java/Kotlin/Scala ecosystem is based around maven central, which is run by Sonatype, Inc.
           |     - Go modules are hosted by Google. Previously, most libraries were hosted on Github
           |     - Rust's crate index is on Github
           |     - The Docker/Moby registry is run by Docker, Inc. (though that might be a stretch for "package manager" :))
        
             | zeeboo wrote:
             | Technically the Go module _proxy_ is hosted by Google. Even
             | if the proxy went away, you'd still be able to get access
             | to all of the packages as they're still hosted elsewhere.
             | It just wouldn't be as fast.
        
             | notRobot wrote:
             | Please don't use code blocks for regular text and quotes.
             | Really hard to read on mobile and narrow viewports.
        
             | monadic2 wrote:
             | I wasn't aware that I was a commercial entity because I use
             | github!
        
               | iterator5 wrote:
               | I think the point is that you are using a commercial
               | entity to host your code. There is a bill for the code
               | you have hosted, and you aren't the one paying for it.
        
               | dmix wrote:
               | It's never a problem until it is all at once and you
               | realize they hold all the keys.
        
             | bad_user wrote:
             | Maven Central has mirrors and alternatives and you can
             | trivially host your own repository, all you'd need is a
             | plain web server serving a bunch of static files.
             | 
             | Some libraries aren't hosted on Maven Central actually, so
             | it's not uncommon to see instructions for adding extra
             | resolvers to your build config.
             | 
             | The Java ecosystem isn't as dependent on Maven Central as
             | the JavaScript ecosystem is on npmjs.com
        
               | brunoborges wrote:
               | Almost every library out there is on Maven Central. Even
               | Oracle JDBC drivers are now (finally) on Maven Central.
               | 
               | If MC goes away as it exists today, the Java Ecosystem
               | will take a huge hit as almost every open source project
               | would stop building in CICD environments from the get-go.
        
               | thu2111 wrote:
               | If it vanished _instantly_ then yes, but a huge number of
               | packages on Central are mirrors from jcenter. There are
               | not only theoretical competitors to Maven Central but an
               | actual widely used one (jcenter/bintray), which is
               | easier to use anyway. There's also jitpack too. So people
               | could migrate pretty quickly to alternatives.
        
         | Twirrim wrote:
         | I'm not sure I like the continued consolidation of all things
         | tech around just a few large companies.
         | 
         | That's generally not a good place to be.
        
           | Barrin92 wrote:
           | given the significant returns to scale in the tech industry
           | this is a pretty natural development and it happens in most
           | tech sectors over time as monopolistic competition generally
           | outperforms the 'bazaar' economy.
           | 
           | 'small business' is only the equilibrium in sectors that
           | can't increase aggregate output by growing or capital
           | investment like say, the restaurant industry.
        
         | sneak wrote:
         | I do not consider the largest distributor of proprietary,
         | closed-source spyware (Windows) owning the fastest growing open
         | source package manager to be a good outcome, personally.
        
           | ajay_sibri04 wrote:
           | Much better than google owning it
        
           | K0nserv wrote:
           | It depends on what the alternative is. When NPM starts
           | running out of money to run the service what would happen?
           | More VC, but only to a point and the firms would be
           | increasingly influencing NPM to make money by any
           | means (probably not good for anyone but the firms).
           | Alternatively a cash strapped NPM fails to invest in security
           | and availability of the service leading to widespread outages
           | or worse a large scale supply chain attack facilitated via
           | the registry.
        
             | mbesto wrote:
             | > It depends on what the alternative is.
             | 
             | Ruby Gems, PHP composer, PIP, etc. would all like a word
             | with you....
             | 
             | https://rubygems.org/pages/sponsors
             | 
             | https://www.python.org/psf/
        
               | rodgerd wrote:
               | Yeah, and the PSF is worried that the possible
               | cancellation of PyCon could send the whole foundation
               | broke.
               | 
               | The fact that there's a bunch of critical infra run on a
               | precarious volunteer shoestring is not a good thing.
        
               | K0nserv wrote:
               | That's a path but NPM already being a company with
               | significant VC investment would a transition to such a
               | model work out with the existing stakeholders? Also NPM is
               | quite a bit bigger than both the Ruby and Python library
               | spaces.
        
             | wongarsu wrote:
             | Why would NPM run out of money? NPM is the primary vendor
             | for worry-free distribution and management of private
             | JavaScript packages for $7/month/user. In a time where
             | bandwidth is basically free (outside AWS/Azure/GCP) that
             | should surely pay for server costs and a handful of
             | developers.
             | 
             | It probably isn't going to 20x VC money, but it sounds like
             | it would be profitable to run as a business.
        
             | mulmen wrote:
             | This is sad to read. Why does every project have to be
             | profitable? If NPM is useful users (companies and people)
             | can invest time or cash to support the operations and
             | continued development. This foundation model has been
             | successful across open source and prevents one company from
             | changing the direction of a project to fit their own needs
             | at the expense of everyone else. I think this was critical
             | to the continued growth of open source software over the
             | last two decades. If this trend of selling out to massive
             | corporations continues it will be a major step backwards.
        
               | K0nserv wrote:
               | To be clear that's not what I am arguing here, I agree
               | that package registries should, ideally, be owned and
               | supported by the community. However NPM already had
               | fairly significant VC investment and as such any
               | transition to a community supported model would be
               | challenging.
               | 
               | The acquisition can be a good outcome for the current
               | situation without it being the ideal state of things.
        
           | Supermancho wrote:
           | You aren't the only one. Most users are too young to
           | understand how predatory Microsoft has always been. Can't
           | wait for the "npm won't publish my package because it
           | circumvents something in Windows" or whatever. Give it time.
        
             | golergka wrote:
             | And pulling a package from a custom url is what, one line
             | of code in this package documentation? And the moment it
             | happens, this package will be on top of HN?
             | 
             | I understand the concern about MS business practices, but I
             | don't think it applies to environment where transactions
             | (as in, importing someone's package or submitting a pull
             | request to it) don't involve any contracts or money.
        
             | rafaelvasco wrote:
             | It may appear blaming Ms forever for their past actions is
             | a good idea. It's not. Those actions and decisions came
             | from certain people. They're long gone. I look only to the
             | present. MS decisions and actions these past few years have
             | been pretty solid imo. We must always assume the best of
             | everything, not the worst. No matter what. It may appear
             | naive, but it's the only sane way.
        
               | Aeolun wrote:
               | MS's decisions outside of everything to do with windows
               | 10 anyhow.
        
             | bdcravens wrote:
             | I am old enough (42) to remember those days, but honestly I
             | don't feel that threatened by them. I remember their EEE
             | days, and for a long time I haven't seen much of the same
             | behavior.
        
               | bromuro wrote:
               | Same here (40). I was with Ballmer singing "developer
               | developer developer"... i think his legacy is not that
               | bad. The company was not ready to grasp the idea of open
               | source at these times, but the principle holds.
        
             | allover wrote:
             | Tbf Microsoft have won back a lot of good faith with
             | developers due to projects like VS Code and TypeScript,
             | even for those of us who remember their past.
             | 
             | And we're yet to hear of any negative impact of their
             | Github acquisition (afaik - correct me if wrong).
        
               | sneak wrote:
               | VS Code is also spyware; I am not sure that this argument
               | furthers your intended point.
               | 
               | The fact that it is open source and popular is not
               | sufficient on its own. It had to be forked (vscodium) to
               | show basic respect for the user's privacy and system
               | resources.
        
               | allover wrote:
               | It's true insofar as VS Code is widely loved by web
               | developers.
               | 
               | So it "furthers my intended point".
        
               | charrondev wrote:
               | No fork is required. If you build before from the source
               | in its main repo, there is no tracking included by
               | default.
               | 
               | It's builds released by Microsoft that have all of their
               | specific stuff added in.
        
               | chrisoverzero wrote:
               | VSCodium say they're not a fork.
               | 
               | > This is not a fork. This is a repository of scripts to
               | automatically build Microsoft's `vscode` repository into
               | freely-licensed binaries with a community-driven default
               | configuration.
        
               | mbesto wrote:
               | > Tbf Microsoft have won back a lot of good faith with
               | developers due to projects like VS Code and TypeScript,
               | even for those of us who remember their past.
               | 
               | Those are great until they're not. It's why it's called
               | "bait and switch".
               | 
               | > And we're yet to hear of any negative impact of their
               | Github acquisition (afaik - correct me if wrong).
               | 
               | _ANY_?! Heh, do a quick search just on HN and you'll
               | find it pretty quickly.
        
               | michaelmior wrote:
               | I did search, didn't find it quickly. Could you share
               | some sources of the negative impact? (I'm legitimately
               | curious as my use of GitHub hasn't led me to notice any
               | change.)
        
               | allover wrote:
               | I know what 'bait and switch' means, just like I also
               | know what FUD means.
               | 
               | Next you'll call them Micro$oft. Come on now.
        
               | judge2020 wrote:
               | Before someone else comes along and writes a monologue,
               | the biggest downside might be how it handled (didn't
               | break) its contract with ICE[0]. If the acquisition
               | didn't happen, old GitHub might've dropped the contract
               | immediately upon enough employees speaking about it.
               | 
               | 0: https://news.ycombinator.com/item?id=21412600
        
               | kevingadd wrote:
               | Lots of big tech firms are government contractors, and as
               | we've seen most of them are unwilling to drop government
               | contracts (ICE, DARPA, etc). So this problem would arise
               | with almost any large benefactor. I would've liked to see
               | GitHub drop ICE though, personally.
        
               | manigandham wrote:
               | That's a subjective political opinion of a far-left vocal
               | minority. Not everyone has an issue with ICE (a federal
               | law-enforcement agency that stops criminals and saves
               | lives) nor finds a problem with a company legally
               | providing services to the government.
        
               | thu2111 wrote:
               | Others see that as an upside. ICE today, who knows what
               | tomorrow. The sort of activists who wanted that have all
               | kinds of random targets. No company wants to deal with
               | suppliers suddenly blacklisting them because the hard
               | left decided they're evil.
        
               | allover wrote:
               | That's a fair point - thanks for the reminder :|
        
               | jbkiv wrote:
               | Agree, What would you say would have been a better
               | outcome? Google? Facebook? Microsoft has changed quite a
               | lot, and in a good way.
        
           | bdcravens wrote:
           | Then you must not like React or Angular, since the owners of
           | those projects are the largest spyware and aggregators of
           | personal data in the history of humanity.
        
             | sneak wrote:
             | Software and services are not the same thing.
             | 
             | For some examples: RMS being a douchebag has nothing to do
             | with the usefulness of gdb, nor can that circumstance
             | affect the utility in any imaginable scenario.
             | 
             | Microsoft setting censorship policies (aka ToS) on a
             | website they own and control directly affects the utility
             | of npm/yarn/clients. Their website, their rules.
        
               | filoleg wrote:
               | Well, this comparison seems to be close enough. What
               | about VSCode and Github itself?
        
               | sneak wrote:
               | The time for GitHub is over. I have moved all of my
               | repositories away from there that do not depend on
               | GitHub-only integrated services, and am migrating my DNS
               | and domains/hosting off of those integrated services this
               | week. You should too. If you work there, you should quit.
               | 
               | https://sneak.berlin/20200307/the-case-against-microsoft-
               | and...
               | 
               | VS Code has had to fork to remove the unethical spyware
               | portions within it placed there by Microsoft:
               | 
               | https://github.com/VSCodium/vscodium
        
               | kailanb wrote:
               | Just for reference, vscodium is not a fork to remove
               | Microsoft's code - it is just a build tool for the open
               | source repo as explained in the README.
               | 
               | "When we [Microsoft] build Visual Studio Code, we do
               | exactly this. We clone the vscode repository, we lay down
               | a customized product.json that has Microsoft specific
               | functionality (telemetry, gallery, logo, etc.), and then
               | produce a build that we release under our license."
               | 
               | "When you clone and build from the vscode repo, none of
               | these endpoints are configured in the default
               | product.json. Therefore, you generate a "clean" build,
               | without the Microsoft customizations, which is by default
               | licensed under the MIT license"
        
               | filoleg wrote:
               | Good for you. However, the general sentiment doesn't seem
               | to behave the same way. I haven't noticed a mass Github
               | exodus at all, aside from some people on the internet
               | being vocal about it for the first month after the Github
               | acquisition. Same with VSCode.
               | 
               | I realize this is just pure anecdata and not a
               | legitimately researched observation, but I don't know a
               | single dev in real life who either switched away from
               | Github or VSCode due to those concerns, despite having a
               | wide variety of dev friends from all kinds of
               | backgrounds, including big tech devs, non-tech company
               | devs, fully remote devs, self-taught devs, small startup
               | devs, outside of the US devs, freelancer devs, etc.
        
               | smichel17 wrote:
               | I know a couple of projects that switched to gitlab. I
               | use gitlab for my personal projects. I've abstained from
               | moving Red Moon away from GitHub because it's still where
               | people are, and I have some doubts about GitLab's VC-
               | funded model (will they be able to stay as open
               | forever?). I also want to consider other options, like
               | SourceHut. At the same time, it is in the back of my mind
               | and I am ready to move away at the first sign of
               | extend/extinguish.
        
               | [deleted]
        
           | ahupp wrote:
           | What's the specific outcome you're concerned about?
        
         | grumple wrote:
         | Exactly, especially given the instability over at NPM.
         | Hopefully MS / Github can be a stabilizing influence both
         | financially and culturally.
        
         | hinkley wrote:
         | It does have a bit of a 'value add' feel to it.
         | 
         | But, you know, we've had decades of companies whose 'business
         | model' is just their exit strategy...
        
         | [deleted]
        
         | cycloptic wrote:
         | It was already consolidated. The vast majority of public npm
         | packages are already hosted on Github. The dependency on them
         | has been there since the beginning.
        
           | yjftsjthsd-h wrote:
           | I would expect that moving git repos is easier than replacing
           | NPM?
        
             | cycloptic wrote:
             | It is, but who is doing that? The users of NPM all are
             | choosing to stay on Github.
        
           | davnicwil wrote:
           | Yes, indeed - and the dependency is literally right there on
           | the technical level. For years, you've been able to specify a
           | version of a package as a github repo's branch HEAD.
           | 
           | npm i some-package username/repo#branchName
        
             | ChristianBundy wrote:
             | Bonus points:
             | 
             | npm install username/repo#semver:^1.2.3
             | 
             | The big problem is that lots of Node.js modules don't push
             | their tags, so there are issues on lots of repos begging
             | maintainers to push their Git tags so that we don't have to
             | use the npm registry.
             | 
             | JavaScript is an interpreted language -- as long as you're
             | only downloading source code from the registry there's
             | really no reason to use a registry instead of the plain old
             | Git repository.
        
               | sneak wrote:
               | There is a build/transpilation step.
        
               | lioeters wrote:
               | A common issue I've had with using Git repos directly as
               | Node.js modules, is that many projects are
               | transpiled/built before publishing to NPM. Depending on
               | specifics of that build process, it may not work out of
               | the box (or at all) from a node_modules folder.
               | 
               | With NPM acquired by GitHub, I can imagine them "filling
               | in some steps" by leveraging the fairly new Actions
               | feature, so that repos can provide built artifacts, the
               | same ones as published on NPM. The deeper integration
               | will be an interesting development to watch.
        
               | oefrha wrote:
               | Repos have been able to provide artifacts since forever
               | ago; they just don't sit in the tree. While you can
               | commit from an action, I'm not sure that's a great idea.
        
               | lioeters wrote:
               | You're right, artifacts in GitHub repos have been around
               | a long time. I suppose what I was missing was a way to
               | point to a specific built artifact (like a tar.gz from a
               | release) as a dependency, from package.json. As far as I
               | know, it's not possible yet with npm. I can imagine that
               | will be covered somehow with deeper integration of GitHub
               | and the NPM package repository.
        
               | IsaacSchlueter wrote:
               | Yes, this has always been possible. Just specify the
               | tarball url instead of a version or range.
        
             | hobofan wrote:
             | How is a convenience feature a dependency? The same command
             | exists as "gitlab:username/repo" variant. The GH variant
             | just happens to be the unprefixed one as it has by far the
             | biggest userbase.
        
               | davnicwil wrote:
               | Perhaps dependency was the wrong term, but my point is
               | what you said - they've built it in as a convenience
               | feature precisely because it's such a common usecase - a
               | better way to say it might be they're inseparably linked
               | tools / tightly coupled even on the technical level.
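
The specifier forms discussed in this sub-thread (`username/repo#branchName`, `#semver:` ranges, the `gitlab:` prefix, tarball URLs) all bypass the registry, so a dependency review has to find them and check whether each one is pinned. An added example, not part of any comment above: a JavaScript audit over a constructed `package.json`; the function names, package names, URLs and the commit SHA are hypothetical.

```javascript
// Added example: audit package.json dependency specifiers that bypass
// the npm registry, using the forms quoted in the thread above.

const FULL_SHA = /^[0-9a-f]{40}$/i;
// Optional host prefix, then user/repo, then an optional #committish.
const SHORTHAND =
  /^(?:(github|gitlab|bitbucket):)?([^\s\/:@#]+)\/([^\s\/#]+)(?:#(.+))?$/;

// Decide whether a git committish can point at different code tomorrow.
function classifyRef(ref) {
  if (!ref) {
    return { pinned: false, reason: 'no ref: installs the default branch HEAD' };
  }
  if (ref.startsWith('semver:')) {
    return { pinned: false, reason: 'semver range resolved against git tags at install time' };
  }
  if (FULL_SHA.test(ref)) {
    return { pinned: true, reason: 'full commit SHA' };
  }
  return { pinned: false, reason: 'branch or tag name, which can be moved' };
}

// Classify one dependency value. Simplification: npm itself also treats
// plain https URLs of known git hosts as git; here they land under
// "tarball" and are still reported.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (s.startsWith('file:')) {
    return { kind: 'local', pinned: true, reason: 'local path' };
  }
  if (s.startsWith('npm:')) {
    return { kind: 'registry', pinned: null, reason: 'registry alias' };
  }
  if (/^git(\+(ssh|https?|file))?:\/\//.test(s)) {
    const hash = s.indexOf('#');
    const ref = hash === -1 ? '' : s.slice(hash + 1);
    return { kind: 'git', host: 'url', ...classifyRef(ref) };
  }
  if (/^https?:\/\//.test(s)) {
    const reason = s.startsWith('http://')
      ? 'tarball fetched over plain HTTP'
      : 'tarball URL: the specifier does not bind the URL to fixed content';
    return { kind: 'tarball', pinned: false, reason };
  }
  const m = SHORTHAND.exec(s);
  if (m) {
    // The unprefixed form is the GitHub one, as noted in the thread.
    return { kind: 'git', host: m[1] || 'github', ...classifyRef(m[4]) };
  }
  return { kind: 'registry', pinned: null, reason: 'version, range or dist-tag' };
}

// Report every dependency that is fetched from git or a tarball URL.
function auditDependencies(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const c = classifySpec(spec);
      if (c.kind === 'git' || c.kind === 'tarball') {
        findings.push({ name, field, spec, ...c });
      }
    }
  }
  return findings;
}

// Constructed sample manifest; none of these packages or URLs are real.
const SAMPLE_PKG = {
  dependencies: {
    'registry-dep': '^1.2.3',
    'branch-dep': 'username/repo#branchName',
    'range-dep': 'username/repo#semver:^1.2.3',
    'gitlab-dep': 'gitlab:username/repo',
    'pinned-dep': 'username/repo#0123456789abcdef0123456789abcdef01234567',
    'tarball-dep': 'https://downloads.example/pkg-1.2.3.tgz',
  },
  devDependencies: {
    'http-tarball-dep': 'http://downloads.example/legacy-0.9.0.tgz',
  },
};

for (const f of auditDependencies(SAMPLE_PKG)) {
  const verdict = f.pinned ? 'pinned' : 'REVIEW';
  console.log(`${verdict}\t${f.field}.${f.name}\t${f.spec}\t(${f.reason})`);
}
```

Only the full-SHA entry comes back as pinned; every other non-registry entry is listed for review with the reason it can change between installs.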
        
       | ginko wrote:
       | Am I the only one surprised that there's an npm Inc. to be
       | acquired?
       | 
       | Why is there a for-profit corporation behind every open source
       | project these days?
        
       | KaoruAoiShiho wrote:
       | There's plenty of alternatives already so I don't see MS being
       | able to do anything untoward. /shrugs, I'll panic only if
       | something bad happens.
        
       | spacephysics wrote:
       | https://en.m.wikipedia.org/wiki/Embrace,_extend,_and_extingu...
       | 
       | Whelp, time to look for backup solutions for when Microsoft
       | continues their strategy.
       | 
       | Even today there's an article about github flagging (re shadow
       | banning) a user with 10k+ lib users, and no response from them as
       | to why the ban occurred.
       | 
       | Thinking of adding an "in case of emergency" link in my README
       | for users in case of sudden service loss.
        
         | fxtentacle wrote:
         | I wonder why your (entirely reasonable) comment got down-voted
         | so much. This is exactly the risk why people prefer a
         | distributed and decentralized internet over one where all open
         | source is stored in one central Microsoft subsidiary (e.g.
         | GitHub).
        
           | golf1052 wrote:
           | I think people are tired of EEE being posted on every
           | Microsoft related thread even though Microsoft has been a
           | very different company for at least 10 years.
           | 
           | I do agree with the concerns of open source consolidation
           | though. We need to find better ways of supporting open source
           | projects instead of having them being bought by "large
           | company".
        
           | zdragnar wrote:
           | The central repository is entirely optional when using npm
           | the cli tool; many companies use a proxy repository (such as
           | artifactory) to host their internal packages and cache public
           | ones already.
           | 
           | Anyone can already run their own, or install from remote git
           | urls (not just github) as well. If the new organization
           | undermines the community, the community can easily move.
           | 
           | NPM the company has had a significant number of missteps, and
           | them getting better oversight and removing the need to be
           | profitable will likely be better for everyone in the long
           | run.
        
             | rootlocus wrote:
             | Not that many companies had proxies when leftpad was taken
             | down.
        
       | cfv wrote:
       | Microsoft does have a much better track record in terms of
       | keeping their products alive than other Way Way Large companies
       | that could have made this acquisition, and for that I'm pretty
       | glad.
       | 
       | That said, and just in case their notoriously warlike legal team
       | manages to fumble this somehow, I'd like to take the opportunity
       | to remind every other frontender that Verdaccio
       | (https://verdaccio.org/) exists, is easy to implement, and
       | relatively low maintenance.
        
       | 29athrowaway wrote:
       | Hopefully they don't drop Linux support like they did with Skype,
       | Minecraft, Xamarin[1], Corel Office and a long list of products.
       | 
       | Their strategy from my perspective is to ensure Linux does not
       | become a competitor for their desktop OS.
       | 
       | 1: it never had Linux support.
        
         | chungy wrote:
         | Skype returned with a Linux client, and Minecraft never dropped
         | Linux support at all.
        
           | 29athrowaway wrote:
           | Minecraft for Linux does not have the same features.
        
       | mekoka wrote:
       | Next in line is Canonical.
        
       | petey283 wrote:
       | I worry that this is too much consolidation.
        
         | Analemma_ wrote:
         | I hope you're spending lots of money at independent places
         | then, because this is the inevitable result of the current "OSS
         | infrastructure funded by VC charity" model. NPM was losing
         | money, as was GitHub when Microsoft bought that. Under such
         | conditions, getting bought out by a megacorp is the only path
         | forward.
        
       | no_wizard wrote:
       | I see this as a straightforward play, simply put, I think (to
       | summarize, perhaps a little too broadly)
       | 
       | - They want to sell Azure Services
       | 
       | - Most (if not all) NPM packages already live on github
       | 
       | - NPM has a business revolving around package management,
       | including private npm instances and increasingly around
       | node/package security
       | 
       | - This being primarily a business that will sell to has-money
       | businesses (e.g., medium to large businesses, Fortune 500
       | corporations etc)
       | 
       | So, given all of the above, it makes sense to have a vertical
       | selling into one of the fastest growing package management
       | ecosystems where you can be the "full stack" provider of
       | developer/enterprise tools.
       | 
       | I don't think it's anything beyond this, personally. I expect to
       | see a lot of pushes to integrate with Azure Pipelines, cloud
       | deployment etc. centered around this.
       | 
       | I wonder if they'll buy Passenger[0] next, it's a popular (in my
       | experience) way to deploy nodejs applications.
       | 
       | [0]https://www.phusionpassenger.com/library/
        
       | sytse wrote:
       | Thanks to Microsoft/GitHub for this acquisition. NPM is essential
       | to the Javascript eco-system and it is hard to have a business
       | model for just a registry. In the ruby eco-system the awesome
       | Ruby Together https://rubytogether.org/ was started to run the
       | registry. In this case one of the world's most valuable companies
       | will run it, which means it doesn't need a not-for-profit.
       | 
       | Regarding "trace a change from a GitHub pull request to the npm
       | package version that fixed it" will there be an API to add a
       | source in case the change was made outside of GitHub? Although I
       | recognize that the vast majority of changes to npm packages
       | happen on GitHub.
        
         | Vinnl wrote:
         | That must make you nervous over at GitLab, no? GitLab's
         | integrated workflow is one of its main selling points (I love
         | it), and GitHub now seems to be well underway to cross that
         | moat.
        
           | mavsman wrote:
           | Reminds me of what happened with Cloud9 and VS Code. First,
           | Cloud9 was awesome for allowing devs to code remotely. Then
           | once VS Code became the best editor out there, they added
           | remote host support (among other things) and now Cloud9
           | caters to a different audience entirely.
        
           | sdesol wrote:
           | It is important to understand that the "one single workflow"
           | was very much what VSTS (Microsoft's GitHub competitor before
           | they bought GitHub) was providing. It is very evident that
           | Microsoft's enterprise background is shaping how GitHub is
           | evolving.
           | 
           | GitHub is now very much focused on the end to end life cycle
           | now that they have "GitHub One".
        
           | sytse wrote:
           | It is exciting to see that having everything in a single
           | application is being validated by GitHub. Last year it was
           | very clear they are switching from a marketplace model to a
           | single application by including Verify (CI), Package, and
           | Secure.
           | 
           | We think Git(Lab|Hub) will become the two most popular
           | solutions and we look forward to this competition
           | https://about.gitlab.com/handbook/leadership/biggest-risks/#...
           | 
           | I think the companies that should be nervous are ones that
           | have only one stage or ones that have multiple stages but as
           | a suite of applications instead of a single application
           | https://about.gitlab.com/handbook/product/single-application...
           | There are a lot of these
           | https://about.gitlab.com/devops-tools/
        
         | tenderlove wrote:
         | Just to clarify, RubyCentral http://rubycentral.org is running
         | the RubyGems registry.
        
           | jrochkind1 wrote:
           | It's confusing. RubyCentral pays for hosting and "ops" (not
           | sure how much 'ops' staff time, if any?), but I think not
           | development? And RubyTogether hypothetically pays for
           | development (some but not necessarily all that's needed),
           | which can include new features but also required maintenance
           | (we all know software requires care and feeding, it's never
           | "done")?
           | 
           | But I could have this not right?
           | 
           | It has been confusing for a variety of reasons.
           | 
           | And I think there are mixed reviews with how well it's going
           | overall, especially the RubyTogether part.
        
           | sytse wrote:
           | Thanks for that clarification, I was not aware of that.
           | Thanks RubyCentral!
        
       | dzonga wrote:
       | in as much as I love Github, putting our eggs in one basket as
       | developers is gonna burn us sooner or later. we need redundancies
       | in the system, that if one thing goes down, the world can go on
       | as normal. now we're centralizing github as a single failure
       | point. we've already seen the panic outages of Github or S3
       | cause.
        
       | TAForObvReasons wrote:
       | NPM's blog post:
       | https://blog.npmjs.org/post/612764866888007680/next-phase-mo...
        
       | craftyguy wrote:
       | title should be "microsoft acquires NPM"
        
       | thawkins wrote:
       | Time to get behind Deno
       | 
       | https://en.m.wikipedia.org/wiki/Deno_(software)
       | 
       | Built by the node team to replace node.
        
       | ilaksh wrote:
       | For how much money I wonder.
        
       | franciscop wrote:
       | I'm surprised there's not a single mention of "Microsoft" in this
       | or the npm announcement [1], given the old-evil-history of
       | Microsoft and the new-nice Microsoft we have today.
       | 
       | I would expect that there was at least a mention, considering the
       | reason that most modules in npm are still in ES5 is _exactly_
       | because of the monopolistic practices that Microsoft followed
       | back in the day which makes Internet Explorer still relevant.
       | 
       | Not negative, not positive comment. Just surprising there was no
       | mention. And I do think Microsoft is doing a great job recently
       | with Open Source in general.
       | 
       | [1] https://blog.npmjs.org/post/612764866888007680/next-phase-mo...
        
         | FooBarWidget wrote:
         | Microsoft is aware of their reputation. So much that they even
         | have a policy of not allowing Microsoft+Github co-brand
         | promotions. They want the Github brand to stay strong instead
         | of being diluted into some mix of Github and Microsoft.
        
           | nixpulvis wrote:
           | Sleez'n their way into our hearts. I can't say I really blame
           | them, but god I hate it all.
        
             | epicide wrote:
             | What does a trustworthy Microsoft look like to you?
        
               | sam_lowry_ wrote:
               | Divided into a handful of independent companies, maybe?
        
               | hajile wrote:
               | Chapter 7 Bankruptcy where they get acquired by a newly-
               | reformed Sun Microsystems (where no stock is owned by
               | Oracle or Oracle shareholders).
               | 
               | EDIT: I'm mostly kidding, but you can't really expect
               | true change of morals when the vast majority of the upper
               | management is the same under the new CEO as under the old
               | one.
        
               | ChuckMcM wrote:
               | As a former Sun employee I love this comment, but in all
               | fairness Sun did have its own level of sleaze in the C
               | suite (neither Eric Schmidt nor Scott McNealy would
               | really do well as ethical leader exemplars)
               | 
               | That said, I'm thinking Moon Microsystems :-) Not as big
               | or as hot as Sun. (ok that is a bad punalogy) I did get
               | the domain though, it was available and I couldn't
               | resist.
        
               | 205guy wrote:
               | Under certain conditions, can eclipse the Sun.
               | "Eclipse" ... now there is a name I haven't heard in a
               | long time.
               | 
               | But can you make a cool logo out of "Moon"?
        
               | CSSer wrote:
               | At the risk of sounding somewhat naive, I think people do
               | have the capacity to grow over time. Perhaps part of the
               | reason why Microsoft has seemingly turned over a new leaf
               | in recent years is that upper management has learned from
               | their past mistakes? I do see your point though, and I
               | think it's stuck in the back of a lot of our minds.
        
               | FooBarWidget wrote:
               | Not to mention that upper management doesn't consist of
               | the same people as 15 years ago.
        
               | adventured wrote:
               | Most of Microsoft's anti-trust related behavior was in
               | the 1990s. Closer to 25 years ago. Merely a quarter of a
               | century.
               | 
               | There's something hilariously farcical about holding a
               | grudge toward Microsoft for a quarter of a century.
        
               | yebyen wrote:
               | It's not so much a grudge as a reaction, call it an
               | immuno-type response. I shed my MS-OS Windows Desktop
               | addiction over 20 years ago to become a desktop Linux
               | user and I still see my co-workers struggling every day
               | with many of the same issues I haven't had to cope with
               | anymore since then.
               | 
               | Ever since I have been able to get the Microsoft out of
               | my systems, I find myself naturally predisposed to keep
               | it out. I am not against Microsoft, I really am a fan of
               | a lot of the open and developer-focused things they are
               | doing, certainly not least of which is their support for
               | Kubernetes through Azure, but this does not make me more
               | receptive to going back to living in a Microsoft OS-
               | flavored ecosystem today, it just is not happening for me
               | and it's nothing to do with holding a grudge or similar.
               | 
               | I use a Mac now because it was provided by work, if they
               | offer me a trade for a Windows machine I would probably
               | consider it because of the progress made by WSL2, but our
               | group policy lags somewhat behind and certainly not on
               | insider ring, so none of my coworkers have been able to
               | try WSL2 on their work-provided Windows machines, or
               | likely will for some time, and that makes me seriously
               | think twice about it.
               | 
               | My natural inclination is that I would much rather
               | install Linux as the host OS so I have control over
               | things like when updates get applied, or whether a reboot
               | needs to take place immediately, in spite of the struggle
               | that sometimes comes with that, it is really much better
               | to have the source and keep the capability to control
               | your own hardware. And then only run Windows in a VM
               | whenever it is really needed. (In other words, to be able
               | to occasionally run Windows apps in a similar way as I do
               | when I have to use them on a Mac.)
        
               | SloopJon wrote:
               | Microsoft's corruption of ISO to standardize Office Open
               | XML is much more recent than that.
        
               | prepend wrote:
               | I think Sun was worse than MS. Your scenario would
               | terrify me.
               | 
               | Sun's hardware was expensive although their software was
               | nice. Their handling of Java put me off them and led to
               | this current state with Oracle.
               | 
               | They had many positives, but I'd rather have old
               | Microsoft than old Sun if I had to pick only one to eat
               | everything. Definitely prefer new Microsoft.
        
               | squarefoot wrote:
               | "What does a trustworthy Microsoft look like to you?"
               | 
               | An oxymoron?
        
               | smolder wrote:
               | To me it looks like water that isn't wet. PR (propaganda)
               | and time will improve their reputation, but the
               | "commodify your complement" strategy, the intent to
               | dominate markets through anticompetitive behavior...
               | Those things aren't gone. Big tech companies (like most
               | big business) don't prioritize public good over profit,
               | so they really don't deserve anyone's trust apart from
               | trusting them to seek profit.
        
               | FooBarWidget wrote:
               | Maybe. But until someone comes up with a competitive
               | alternative, that is a moot point.
        
               | swebs wrote:
               | One broken down into smaller companies through antitrust
               | rules.
        
               | cmroanirgo wrote:
               | Slightly off topic, but relevant to your question.
               | 
               | Recently I installed win10 pro and was appalled at the
               | way I had to jump through hoops to NOT have a m$
               | account, not to mention the blatant adware. And this was
               | win10 professional.
               | 
               | It certainly reminded me that m$ is a long long way away
               | from where it was in the 90s and early naughties.
               | 
               | So, a good start would be a stable and private os without
               | all the adware and telemetry.
               | 
               | PS: I use gitea instead of GitHub these days. Nor do I
               | use vscode, but sublime text, for the same reasons: too
               | much telemetry that can't be disabled permanently.
        
               | RMPR wrote:
               | You can use vscodium, which is basically vscode without
               | telemetry
        
               | cycloptic wrote:
               | A trustworthy Microsoft is one that has open sourced one
               | or more of their core products. Anything less is just
               | retaining their classic hostility towards outside
               | engineers.
        
               | nixpulvis wrote:
               | I don't really distrust Microsoft per se.
               | 
               | I just find it tragic that the only way GitHub could
               | survive (I guess) was to be BOUGHT. Like why couldn't
               | they stay smaller, focus on what they were good at, and
               | standardize with the community all the integrations in an
               | orderly manner?
               | 
               | Although, Microsoft has shown they care more about the
               | developer community than Apple as of late. So for that, I
               | can at least say my trust is rising. But it's a bit too
               | late for me, I'm happily running Linux for most of my
               | daily life.
        
               | Kuinox wrote:
               | Microsoft always took care of the developers.
        
               | sylens wrote:
               | Microsoft's stance lately is that it's great if you want
               | to run Linux - they want to provide tools for you to use
               | there as well.
        
               | irrational wrote:
               | I've been a developer for nearly 25 years. I'm not sure
               | if there is anything MS could ever do to regain my trust.
               | Unfortunately this seems to be the way of large tech
               | companies. At one time I thought Google was the best
               | thing ever (don't be evil). Now I find that I view Google
               | in much the same way as I do MS. A huge corrupt behemoth
               | that needs to be broken up.
        
               | pgt wrote:
               | This is the curse of globalist behemoths. Small companies
               | is where it's at. Localism.
        
               | crispinb wrote:
               | Nonsense. There is hardly a local government in Australia
               | not hopelessly corrupted by local real estate interests.
               | In many nations local corruption is endemic right down to
               | every neighbourhood police station. Size isn't the
               | question: money's corruption of power operates at all
               | scales.
        
               | pgt wrote:
               | Size is absolutely the question. There is always
               | corruption, but in small municipalities at least the
               | scale of corruption is contained. In a sufficiently local
               | area the corrupt has to brush shoulders with his
               | unwilling benefactors and be shamed.
        
               | crispinb wrote:
               | Empirically, that's plainly false. Corruption declines,
               | on any level, when the right policies & incentives are in
               | place.
        
               | BurningFrog wrote:
               | I try to not anthropomorphize companies.
               | 
               | They're made up of many small and hardly interconnected
               | parts.
               | 
               | Whoever made some despicable decisions 25 years ago,
               | almost certainly doesn't work there anymore.
        
               | kortilla wrote:
               | Gates just finally stepped away from the chair. When that
               | shit comes from the top, it gets baked into the culture
               | and has a staying power beyond any tenure.
        
               | ocdtrekkie wrote:
               | I definitely saw Microsoft-of-the-90s as corrupt and
               | harmful, and I definitely see Google-of-today as corrupt
               | and harmful. I am not wholly opposed to the idea that
               | both are bigger than companies should be allowed to be.
               | 
               | But apart from the fact that they followed the
               | unfortunate modern trend to add telemetry to things, I
               | can't really say Microsoft has done anything particularly
               | offensive to me in the past... nearly a decade?
               | 
               | Just because you've been a developer for 25 years doesn't
               | mean you should evaluate a company based on 25 year old
               | events.
        
               | jakelazaroff wrote:
               | One especially odious thing recently: GitHub works with
               | ICE to round up and terrorize undocumented people and
               | their families.
               | https://www.latimes.com/business/technology/story/2019-12-04...
        
               | kortilla wrote:
               | If you want an action to be made legal, you legalize it.
               | Don't blame the enforcement of the law. It makes for
               | great virtue signaling but is useless for bringing long-
               | term change and it doesn't help provide a stable
               | environment for people illegally in the country.
        
               | jakelazaroff wrote:
               | ICE itself routinely breaks laws in trying to capture
               | undocumented people. But to speak to your point directly,
               | I would _love_ to see immigration reform. Until then,
               | I'll absolutely keep speaking out against ICE. That's not
               | "virtue signaling", it's just advocating for a cause I
               | care about.
               | 
               | Furthermore, basically _everything_ Microsoft did that
               | made developers hate them is legal. Why is it okay to
               | hold a grudge for "embrace, extend, extinguish" but not
               | for aiding and abetting an organization that consistently
               | violates our civil liberties?
        
               | noelherrick wrote:
               | The legislative process is not the only feedback system
               | that is enshrined in the US constitution, else there
               | would be no mention of public gatherings or protests.
               | What you suggest is a false dichotomy.
        
               | jchw wrote:
               | In my opinion Microsoft has done a great job as long as
               | you can completely ignore everything about Windows 10.
               | 
               | https://hothardware.com/news/microsoft-changes-offline-accou...
               | 
               | https://www.howtogeek.com/519572/microsoft-is-testing-ads-in...
               | 
               | And that is all recent, on top of all the other stuff
               | they won't fix, like issues where file extensions
               | magically reset to Windows defaults, nagging you to just
               | please try Edge because it's better for real this time,
               | and the unavoidable mandatory Candy Crush - seriously, if
               | you install with no internet connection, it will keep a
               | placeholder there for you that will install as soon as
               | you're online.
               | 
               | The telemetry issues are annoying too, not because they
               | exist but because you have to read a book's worth of
               | literature to understand what they chose to document.
               | Seriously:
               | 
               | https://docs.microsoft.com/en-us/windows/privacy/configure-w...
               | 
               | Windows 10, I _wanted_ to like it but I can hardly
               | tolerate it. Has Microsoft changed? Maybe, but apparently
               | the Windows team didn't get the memo.
        
               | dr-detroit wrote:
               | You should try Windows 10 Enterprise
        
               | ocdtrekkie wrote:
               | I would generally agree Windows looks more like
               | traditional Microsoft than many other arms of their org.
               | 
               | And the Candy Crush thing... like, if it was just Home
               | edition? Fine. If it was even smart enough to realize it
               | need not preinstall that on a domain account (the
               | installation of UWP apps is technically per-user), like,
               | if they'd demonstrated any recognition that Windows is
               | used in professional settings... I'm right there with you
               | on this one.
               | 
               | However...
               | 
               | > like issues where file extensions magically reset to
               | Windows defaults
               | 
               | https://devblogs.microsoft.com/oldnewthing/20190225-00/?p=10...
               | is probably the best response to that. Given the
               | number of Windows app developers who do unholy things
               | with their apps, it's hardly a surprise. (My
               | understanding is Windows has a huge number of secret
               | compatibility shims just to keep major software vendors'
               | bad hacks and API misuses working.)
               | 
               | > nagging you to just please try Edge
               | 
               | I literally can't escape "switch to Chrome" nags, as a
               | Firefox user. Every Google site has at least one,
               | Google's home page has displayed an amazing three Chrome
               | popups at the same time before. I'd maybe give you this
               | one if they weren't waging a war on it to a far more
               | aggressive foe, and losing badly.
        
               | jchw wrote:
               | I'm a fulltime Firefox user personally, and I have not
               | noticed a whole lot of nag. Does it not show up under
               | Linux or something?
               | 
               | edit: So far I've tried switching my user agent, turning
               | off adblock, using a private/logged out window, on docs
               | and search. Not that I'm doubting you or anything, but I
               | am surprised I've not noticed it much since switching
               | back to Firefox.
               | 
               | It's also probably worth disclosing that I work for
               | Google, though at home I am using Firefox and Duckduckgo.
        
               | ocdtrekkie wrote:
               | This is a 2018 screenshot I took:
               | https://pbs.twimg.com/media/DoEPgo2V4AA4Ql5?format=jpg&name=...
               | 
               | Your mileage may vary on any given month, as Google
               | frontend code seems to come and go regularly and
               | randomly, indeed varying by platform, OS, and lunar
               | cycle.
        
               | dcgudeman wrote:
               | Well you certainly picked a username that reflects your
               | views.
        
               | irrational wrote:
               | What do irrational numbers like phi have to do with the
               | lack of ethics of large corporations?
        
               | [deleted]
        
               | loudmax wrote:
               | For most businesses, Microsoft still holds a monopoly
               | position on desktop OSs. For a lot of smaller IT
               | departments, this bleeds into back-end servers as well.
               | 
               | Microsoft has the Windows Subsystem for Linux, allowing
               | Linux binaries to run on Windows. How about the reverse?
               | Get WINE to the point where Linux (or FreeBSD or some
               | fully source OS) can reliably run Windows binaries.
               | 
               | Along the same line, provide portable libraries to allow
               | other office suites to reliably edit MS Office files
               | (docx, pptx, etc). Maybe Adobe or someone will come up
               | with a commercial competitor, instead of just
               | LibreOffice.
               | 
               | Make Windows and MS Office a choice, rather than a tax
               | businesses have to pay to be compatible with everyone
               | else. That would go a long way to establishing trust.
        
               | [deleted]
        
               | ocdtrekkie wrote:
               | Microsoft is arguably working on it: They offered up
               | exFAT support to Linux, and it's been added to the
               | kernel. SQL Server being supported on Linux is _huge_.
               | Probably the absolute biggest selling point to Windows-
               | based infrastructure remains Active Directory, and if
               | you're cool with being cloud-based (I'm not, FWIW), they
               | offer that through Azure now.
               | 
               | Windows is like three decades of legacy systems, but I
               | would argue many of Microsoft's recent decisions have
               | been at the cost of their Windows division.
        
               | craftyguy wrote:
               | Break up, and cease to exist.
        
               | jacquesm wrote:
               | Dead & gone.
        
               | zibfuddle wrote:
               | It would be interesting if they ended up with Brendan
               | Burns (creator of k8s when he was at google) in charge of
               | github at some point and made him like the OSS champion.
               | He's running all the containers and linux stuff on Azure,
               | so it seems like it would be a natural fit.
        
               | caoilte wrote:
               | Small enough to drown in a bathtub.
        
               | rch wrote:
               | Three product companies (Enterprise, Consumer, and
               | Media), an open source company (Research, Engineering,
               | and Collaboration), and a foundation owning all of the
               | patents and other licensed IP.
        
             | craftyguy wrote:
             | > Sleez'n their way into our hearts.
             | 
             | Just like a cancer! Oh wait...
        
           | ddek wrote:
           | I get this in principle, but when I go to GitHub without
           | being logged in it just feels... well, like Microsoft.
        
         | pseudorandomguy wrote:
         | My fear might probably be unfounded, but NPM is an integral
         | part of the JS ecosystem. And given Microsoft has .NET Core, I
         | have a strange feeling that they'll concentrate on npm less.
        
           | sebazzz wrote:
           | I think they view it as a way to make Core more reliable. Core
           | relies on community developed - npm hosted - tools like gulp
           | and webpack. Unlike the full Framework, Core doesn't have a
           | "built-in" or "endorsed" bundling solution.
        
           | ethomson wrote:
           | Product Manager at GitHub here - I'll be the Product Manager
           | for npm when the acquisition closes. I agree - npm is
           | definitely an integral part of the JavaScript ecosystem. The
           | npm package registry will remain free for public projects.
           | We're going to work to ensure that the service is stable and
           | accessible, and ready to serve the next million packages.
           | 
           | This is independent of what Microsoft's doing with .NET Core.
           | I'm excited about the work that they're doing, but this isn't
           | going to stop us from making sure that npm is outstanding.
        
             | Nullabillity wrote:
             | > I'm excited about the work that they're doing
             | 
             | Sounds like it won't be shielded from the cult-like MS
             | mentality, then.
        
               | justinmeiners wrote:
               | ? This is regular PR speak.
        
         | chaostheory wrote:
         | This is great news for people forced to use Windows. JavaScript
         | being a 1st class citizen on MS platforms is being even more
         | cemented. It'd be great if Microsoft moved faster with Python
         | integration into the MS ecosystem like SQL Server.
        
         | banachtarski wrote:
         | I installed Windows Subsystem for Linux 2 on an older machine
         | just now. The MSFT of today is definitely a far cry from the
         | MSFT of yesteryear. Such a thing would have been unheard of 15
         | years ago.
        
           | fredsted wrote:
           | Embrace, extend, extinguish?
        
             | Sammi wrote:
             | Open Source copyright licenses exist exactly to make the
             | extinguish part impossible. MS cannot put the genie back in
             | the bottle when it puts out open source software.
        
             | 2OEH8eoCRo0 wrote:
             | How dare they gain market share by putting out products
             | that people want!
        
             | tomnipotent wrote:
             | Can you give any examples in the last 10-15 years?
        
             | Rainymood wrote:
             | Currently in the embrace phase ...
        
             | kingbirdy wrote:
             | How would MS possibly extinguish linux?
        
               | kristofferR wrote:
               | Ballmer would have suggested chemotherapy.
        
               | msla wrote:
               | They can't. That's why I hate people using that chestnut
               | in relation to Linux: It doesn't work for two reasons
               | which stick out at me.
               | 
               | Reason one is because Linux is GPL'd, Microsoft can't
               | extend Linux without giving its extensions back to the
               | community.
               | 
               | Reason two is because Linux is already established in
               | multiple realms, so Microsoft can't bully its way into
               | dominance. Microsoft has a respectable presence in server
               | rooms, but it isn't absolutely dominant by a long shot.
               | Microsoft probably has something going on in the
               | embedded/hobbyist SBC space, but there's no path for them
               | to dominate there. And, FWIW, Linux owns the
               | supercomputer world. I also can't see IBM falling over
               | itself to put Windows on mainframes.
        
             | reaperducer wrote:
             | My prediction, that my IT department hates to hear, is that
             | Windows is going away.
             | 
             | Microsoft doesn't want to be Microsoft anymore; it wants to
             | be Oracle and IBM and primarily make money off of business
             | consulting and the cloud.
             | 
             | I think Windows will eventually become a presentation and
             | slowly-phased-out compatibility layer on top of Linux,
             | similar to the way macOS became Unix, but even less
             | different than its underlying OS.
             | 
             | However, it should be noted that I'm not very good at
             | predicting things.
        
               | adamc wrote:
               | Very unlikely, as it would mess with backwards
               | compatibility and cause unhappiness of users and IT
               | departments. Microsoft still makes money selling Office
               | and other products there.
        
               | phoe-krk wrote:
               | Microsoft doesn't need to care about backwards
               | compatibility anymore, now that Wine exists precisely to
               | have compatibility with Windows software (including
               | software that even modern Windows itself no longer wants
               | to run).
        
               | AnIdiotOnTheNet wrote:
               | > now that Wine exists
               | 
               | Wine is 26 years old.
        
               | phoe-krk wrote:
               | Agreed, could have worded it better. Now that Wine is
               | good enough to run most of Windows software and backed by
               | Valve via its Proton initiative.
        
               | Rapzid wrote:
               | Microsoft has 7.5X the market cap of Oracle; why on earth
               | would they want to be like Oracle?
        
               | dnautics wrote:
               | > I think Windows will eventually become a presentation
               | and slowly-phased-out compatibility layer on top of
               | Linux.
               | 
               | I think this is unlikely. In many ways the NT kernel is
               | superior to the Linux kernel. I just wish it were open
               | source and didn't have the rest of windows around it.
        
               | ForHackernews wrote:
               | Since when has technical superiority ever determined
               | which product wins in the marketplace?
               | 
               | The Linux kernel is ubiquitous and free-as-in-beer, so it
               | might win out. Android has already shown how you can
               | build a proprietary userland on top of it.
        
               | dnautics wrote:
               | > Since when has technical superiority ever determined
               | which product wins in the marketplace?
               | 
               | Good point.
        
               | pjmlp wrote:
               | And how fragmentation on Linux profits OEMs, each with
               | their own little distribution, not giving anything back.
        
               | zip1234 wrote:
               | Microsoft seems to be happily improving their OS and non-
               | cloud products as well. They are a big enough company
               | that they can be competitive in both.
        
               | AnIdiotOnTheNet wrote:
               | If Windows goes away, personal computing basically dies
               | with it. Everything will be locked-down walled-garden
               | webshit, or community-built-jank FOSS desktops that
               | really want to be like the locked-down walled-garden
               | webshit experience but will say it is for the user's own
               | good.
        
               | [deleted]
        
             | geofft wrote:
             | Doesn't that require actually extending and extinguishing,
             | though?
             | 
             | WSL1 was a proprietary reimplementation of the Linux system
             | call ABI as an NT subsystem. WSL2 is actual Linux running
             | in a VM. That seems to be moving in exactly the opposite
             | direction.
        
               | banachtarski wrote:
               | Exactly. There are so many things different about today's
               | MSFT. Another example is Linux support on Azure. People
               | love their tin foil hats though.
        
           | svnpenn wrote:
           | Um, no you didn't. It only works with windows 10
           | 
           | https://docs.microsoft.com/en-us/windows/wsl/wsl2-install
        
             | efdee wrote:
             | Windows 10 runs on older machines just fine.
        
               | banachtarski wrote:
               | Thanks, you saved me a snarky comment
        
           | ibiza wrote:
           | You do remember one of the original Windows NT subsystems was
           | OS/2 1.x, right? http://www.os2museum.com/wp/nt-and-os2/ And
           | look how that turned out :)
        
           | pjmlp wrote:
           | Actually it is a return to their roots, given Xenix.
        
         | reaperducer wrote:
         | _I'm surprised there's not a single mention of "Microsoft" in
         | this or the npm announcement [1], given the old-evil-history of
         | Microsoft and the new-nice Microsoft we have today._
         | 
         | Maybe Microsoft's reputation is exactly the reason why it was
         | left out of this announcement.
         | 
         | Sometimes a brand is so tarnished that the owner tries to hide
         | it from the people who hate it. (For example, Comcast -
         | Xfinity. I expect Monsanto to go the same way and become
         | Bayer.)
        
           | [deleted]
        
           | chang1 wrote:
           | The latter already happened[1]. Bayer offloaded most of its
           | ag business (to BASF) and replaced it with Monsanto. Monsanto
           | has been rebranded "Bayer Crop Science". Although I'm
           | guessing much for the same reason, Monsanto never rebranded
           | any of the dozens of seed companies it acquired over the
           | years (e.g. Dekalb, Seminis, Asgrow, etc.)
           | 
           | The same also goes for Charter - Spectrum.
           | 
           | [1] https://en.wikipedia.org/wiki/Monsanto#Sale_to_Bayer
        
         | haecceity wrote:
         | > considering the reason that most modules in npm are still in
         | ES5 is exactly because of the monopolistic practices that
         | Microsoft followed back in the day which makes Internet
         | Explorer still relevant.
         | 
         | Could you tell me more about that?
        
         | oever wrote:
         | Microsoft wants to host as much information as possible so it
         | can collect data on developers and users. It is very hard to
         | avoid giving data to Microsoft. GitHub, NPM, LinkedIn, Office
         | 365, Teams, the lock-in is still alive.
         | 
         | A decentralized web or a non-for-profit like Wikipedia is a
         | much better model for these infrastructure projects.
        
           | divbzero wrote:
           | Git was designed to be decentralized from the start. Is there
           | a way to revitalize that heritage?
           | 
           | Discoverability and pull requests are two big benefits that
           | GitHub has offered. Could we create decentralized open source
           | solutions to provide those benefits? Are there other benefits
           | that we'd need to provide to have viable alternatives to
           | centralization?
        
             | phoe-krk wrote:
             | https://notabug.org/peers/forgefed is one attempt at that.
        
           | [deleted]
        
           | jacquesm wrote:
           | I'm not using any of those.
        
         | mundo wrote:
         | Yes, why is this not titled "Microsoft acquires npm"?
        
           | wutwutwutwut wrote:
           | Would be super strange if titles always referred to the top-
           | most parent company. Every time Google does something the
           | title should be referring to Alphabet? Please no.
        
             | smichel17 wrote:
             | The other way around, and in fact it already is that way --
             | we often say stuff like "Waymo, Google's self-driving car
             | project", because we know who really runs the alphabet
             | show.
        
         | dwightgunning wrote:
         | My first reaction was ... "so Microsoft". I'm with you on the
         | positive path Microsoft have been on with OSS but also recall
         | the not-so-recent history. It'll be interesting to see how this
         | plays out.
        
         | bad_user wrote:
         | I don't follow.
         | 
         | Why would there be a mention of Microsoft? That many modules in
         | npm are ES5 is completely irrelevant for npm's purpose.
         | 
         | And Microsoft changed, how exactly?
         | 
         | And why are you advertising for them?
        
           | chrisweekly wrote:
           | Microsoft bought Github less than 2 years ago.
        
           | tedmiston wrote:
           | Microsoft acquired GitHub.
           | 
           | https://news.microsoft.com/2018/06/04/microsoft-to-acquire-g...
        
             | bad_user wrote:
             | Yes, so what's the relevance?
        
         | whoisjuan wrote:
         | I mean. It's a subsidiary. I understand your sentiment but
         | mentioning Microsoft would be like signaling that GitHub
         | doesn't have any autonomy which is quite the contrary to what
         | Microsoft said when buying it. So don't expect sudden sincerity
         | on this. There's a reason why they haven't added Microsoft
         | branding to areas like the footer.
        
           | fxtentacle wrote:
           | ... and everyone knows that big corporations always speak
           | purely from their open heart when they sign large acquisition
           | deals.
        
             | tylerchilds wrote:
             | well now I do ;)
        
       | cpr wrote:
       | Interesting subtle implications that the NPM paying users are
       | going to be moved to Github's distribution system, while
       | maintaining the OSS version of NPM for everyone else.
        
       | fxtentacle wrote:
       | Oops. So NPM will go down, soon.
       | 
       | I just finished reading this related HN post "How GitHub blocked
       | me (and all my libraries)"
       | https://news.ycombinator.com/item?id=22593595
        
         | triceratops wrote:
         | There's a difference between NPM the client and NPM the
         | registry. You can point the client to any registry you want -
         | there are a _ton_ of options.
        
           | mceachen wrote:
           | What other public registries are there, besides yarn's mirror
           | of npm's registry?
        
             | triceratops wrote:
             | I didn't say public registries.
        
       | aikah wrote:
       | Who predicted it 5 months ago? hmm?
       | 
       | https://news.ycombinator.com/item?id=21031266
       | 
       | I also predicted a few more controversial things but if you think
       | in terms of ecosystem and cloud market strategy, then it makes
       | perfect sense.
        
       | inputError wrote:
       | THANK FUCKING GOD
        
       | ezekg wrote:
       | Sorry, but npm burned me too many times. It is (was?) the worst
       | package manager I've ever used. Not a fan of npm the company
       | either. I'm sticking with yarn.
        
         | joshiefishbein wrote:
         | Yarn is majorly only a CLI. It still uses NPM as the source for
         | most packages.
         | 
         | The product Github is probably most interested in is NPM as a
         | repository for packages, not its CLI.
        
       | mtkd wrote:
       | Mid Oct 2009 -- Github ceased gems.github.com to focus on source
       | control
        
       | papito wrote:
       | You are all Microsoft developers now :)
        
       | cjamesd wrote:
       | Most important question: Will you still be able to see user-
       | submitted phrases explaining the npm acronym? (See upper left-
       | hand corner of https://www.npmjs.com/)
        
         | ethomson wrote:
         | Yes, I love those. We'll keep those around for sure.
        
         | kyle-rb wrote:
         | Damn, someone just beat me to "Now Part of Microsoft"
         | 
         | https://github.com/npm/npm-expansions/pull/2936
        
       | mythz wrote:
       | Just like GitHub this is a cloud play to make Azure more
       | appealing by meeting developers where they're at, increase dev
       | mindshare/reach, hosting their packages, CI Scripts/Actions then
       | making it seamless to deploy to Azure.
       | 
       | Smart, have no idea where AWS or GCP's control team are at when
       | these strategic plays are going down.
        
         | Jaxkr wrote:
         | I honestly think that Google cloud platform will be shut down
         | within a couple years. It seems like it's losing the war very
         | badly.
        
           | IceWreck wrote:
           | I am honestly amazed that there is no official way to install
           | Fedora or Fedora CoreOS on GCP. There are no images even on
           | the GCP marketplace.
           | 
           | Stuff like this is what irritates me. Even small vps
           | providers have this.
        
       | rambojazz wrote:
       | What are they buying, precisely? Open source software?
        
       | ryanmccullagh wrote:
       | Microsoft owns so many day-to-day tools and platforms. LinkedIn,
       | GitHub, NPM.
        
       | pavlov wrote:
       | Heh, I called this 10 months ago:
       | 
       | https://news.ycombinator.com/item?id=19838122
       | 
       | Somebody replied "Microsoft won't acquire npm for sure."
        
         | [deleted]
        
         | RuleOfBirds wrote:
         | Neat contribution! You guessed one thing, someone else guessed
         | another, but they were wrong, and you were right! Yay on
         | @pavlov. Boo on them.
        
           | pavlov wrote:
           | A special day. The stock market is down 388% and 142% of
           | people are predicted to die, but I got Internet karma points
           | for guessing something right and that's what really counts.
        
         | russellbeattie wrote:
         | I used to be excited when I made predictions like that. Then I
         | realized that my correct predictions, plus $4.15, would only
         | get me a Venti Latte at Starbucks.
        
         | bbrree66 wrote:
         | Wow, congrats! You are amazing! I can't believe someone
         | disagreed with your prediction.
        
       | hn_throwaway_99 wrote:
       | Current me loves this, and I love all the GitHub tools they've
       | added recently.
       | 
       | Future "5-10 years down the road" me _knows_ this will suck,
       | ending up where all concentrated monopolies end up...
        
       | hateful wrote:
       | They could probably save tons just by deduping the npm and github
       | homepages of every package!
        
       | Jaxkr wrote:
       | This is pretty great. NPM was struggling to monetize and is a
       | critical part of the JavaScript ecosystem.
        
       | collyw wrote:
       | I hope it's not going to do a left-pad fiasco on everything in
       | github.
        
       | sergiotapia wrote:
       | I'm not liking the consolidation. Never ends well, ever. Not even
       | in one case in the history of humanity.
       | 
       | I'll be switching from Github to other providers for my own
       | projects, and use a different editor soon (using vscode now).
        
       | bepotts wrote:
       | Gotta respect how Microsoft couldn't build anything the open
       | source community wanted to work with/on so instead they used
       | their Windows and Office monopoly to buy everyone's favorite
       | playgrounds.
        
         | mythz wrote:
         | They should get props for TypeScript & VSCode.
        
           | bepotts wrote:
           | They do and I will give them props for that. But no company
           | should have as much control over open source as Microsoft
           | does.
        
             | mythz wrote:
             | They should & deserve to have full control over everything
             | they've created.
             | 
             | You can blame AWS/GCP for letting GitHub & npm be acquired,
             | how many years were they on the open market?
             | 
             | Most of the $$$ in OSS is being funneled towards rent-
             | seeking major cloud providers that are hosting OSS
             | software, who should all have blank checks with the money
             | they've reaped so far, but seems only Microsoft has the
             | strategic savvy to focus on acquiring the obvious targets
             | for increasing dev mindshare. I don't fault them for their
             | M&A's, it's just good business.
        
               | roguecoder wrote:
               | It's also not like Amazon is being an amazing open source
               | citizen; I don't see them acquiring the tech to be an
               | automatically-better outcome than the current version of
               | Microsoft doing so.
               | 
               | IMO this shows the importance of separating technology
               | from platform. Ideally we would have non-profit groups
               | with good governance & corporate support (rather than
               | control) to grow these technologies. If an open source
               | project can be acquired, it's only so free.
        
           | lioeters wrote:
           | Indeed, these two projects alone have turned around my long-
           | held opinion on Microsoft, to "cautiously optimistic".
           | 
           | TypeScript and VS Code have been an invaluable contribution
           | to the community. I'm a daily user of both and so thankful
           | for the talent, ingenuity and effort that have gone into
           | them.
           | 
           | How Microsoft have managed the acquisition of GitHub, giving
           | them autonomy and infrastructure support - so far, it's been
           | all around positive.
           | 
           | Now with NPM under their wings, the centralization does worry
           | me somewhat. I hope there are conscientious decision-makers
           | who will guide the project for the good of community and
           | ecosystem.
        
       | debt wrote:
       | Thank god. NPM is so crappy it desperately needs institutional
       | support.
        
       | z3t4 wrote:
       | Was gonna write about all the bad stuff that can happen, but
       | don't want to give any ideas. Instead I give advice; embrace and
       | empower, rather than extend and extinguish.
        
       | ryanmarsh wrote:
       | How much did Microsoft pay? What did the founders take away?
       | 
       | Most people don't know, in these open source acquisitions by for
       | profits there's money involved and "founders" get an exit. Not
       | always clear to the public who those are or what they took home
       | from a mostly volunteer effort.
        
         | lioeters wrote:
         | I too was curious about how much the acquisition cost.
         | According to TechCrunch:
         | 
         | > GitHub, the developer repository owned by Microsoft, made a
         | little deal of its own this morning when it bought JavaScript
         | packaging vendor npm for _an undisclosed amount_.
         | 
         | https://techcrunch.com/2020/03/16/github-nabs-javascript-pac...
        
       | Phenix88be wrote:
       | I'm always worried when things like this happen:
       | 
       | Critical open source entities are bought by private companies. I
       | understand the need for money and sustainability these entities
       | need, but it's really a shame that the open source community
       | doesn't "own" themselves.
        
       | Kenji wrote:
       | You naive idiots. You just sold the keys to the JavaScript
       | kingdom to Microsoft.
        
       | abledon wrote:
       | what does this mean for yarn?
        
       ___________________________________________________________________
       (page generated 2020-03-16 23:00 UTC)